Alan Filion, believed to have operated under the handle “Torswats,” admitted to making more than 375 fake threats against schools, places of worship, and government buildings around the United States.

In perhaps the largest swatting case to ever be prosecuted, an 18-year-old from Lancaster, California, has pleaded guilty to federal charges stemming from a nationwide spree of hundreds of shooting and bomb threat hoaxes that sent police scrambling to high schools, courthouses, and the homes of law enforcement officials and prominent politicians.

Alan Winston Filion now faces a maximum penalty of five years in prison for each of four counts of making interstate threats to injure the person of another, according to the United States Department of Justice.

Early this year, Filion was arrested and extradited to Seminole County, Florida. At the time, state prosecutors charged Filion with four state-level felony counts stemming from a single incident in which, prosecutors allege, Filion told a Sanford Police Department dispatcher that he was armed with pipe bombs and an AR-15 rifle and was walking into Masjid Al Hayy Mosque to kill everyone he saw.

Filion, whom authorities believe operated online as “Torswats,” has been in jail without a trial for nearly a year. He entered a plea of not guilty to the state charges.

The federal charges announced on Wednesday, along with interviews from people connected to the investigation—and Filion himself—allege his swatting activities reached far beyond Florida’s borders.

Between approximately August 2022 to January 2024 Filion made more than 375 swatting calls, according to the plea agreement. These included incidents where he claimed to have planted bombs or threatened to conduct mass shootings at targeted locations that included religious institutions, high schools, and historically black colleges and universities.

“This prosecution and today’s guilty plea reaffirm the Justice Department’s commitment to using all tools to hold accountable every individual who endangers our communities through swatting and hoax threats,” deputy attorney general Lisa Monaco said in a statement. “For well over a year, Alan Filion targeted religious institutions, schools, government officials, and other innocent victims with hundreds of false threats of imminent mass shootings, bombings, and other violent crimes. He caused profound fear and chaos and will now face the consequences of his actions.”

According to court records, Filion was also part of a high-profile international swatting group that targeted several prominent figures between December 2023 and January 2024. Among the victims were US Homeland Security secretary Alejandro Mayorkas, Cybersecurity and Infrastructure Security Agency director Jen Easterly, Republican US representative Marjorie Taylor Greene of Georgia, and Republican senator Rick Scott of Florida. Investigators say they linked the scheme to roughly 100 calls, one of which targeted an unnamed former president of the United States.

In August, the Department of Justice charged two European men, Tomasz Szabo and Nemanja Radovanovic, in connection with the widespread swatting operation, which led to at least one car accident with injuries. During interviews with the US Secret Service in January and February, both men admitted their roles in the scheme. Radovanovic, however, claimed that he was directed by a third party who provided detailed scripts and selected the targets.

According to the plea agreement, Filion admitted to orchestrating the operation, supplying the names, addresses, and phone numbers of many of the targeted individuals.

“I shot my wife in the head with my AR-15,” a man identifying himself as "James" said in one such call. He told dispatchers in Georgia that he caught his wife sleeping with another man and, after killing her, had taken the man hostage. “I’ll release him for $10,000 in cash,” he added, threatening to detonate pipe bombs and blow up the house if his demands weren’t met. This call targeted the home of Georgia state senator John Albers.

The case against Filion, first reported by WIRED, was built on a trail of digital evidence left across platforms like Telegram, YouTube, and Discord, and pieced together by Brad “Cafrozed” Dennis, a private investigator. Dennis had been hired by two high-profile Twitch stars, both victims of Torswats’ calls, to find the person responsible.

For months, Dennis had posed online as a vengeful ex-husband looking to troll and harass his former wife. He used this persona to infiltrate private Discord servers and Telegram groups where Torswats and affiliates hung out. These were chats dedicated to extortion plots and racist memes; channels filled with child sexual abuse material, self-harm, and animal abuse—some of the worst content he'd ever seen, Dennis told WIRED.

On New Year's Eve 2022, Dennis sent Torswats a private message on Telegram: “You wanna make some real cash? Add me on Tox,” he wrote, referring to the peer-to-peer messaging service, under the pretense of arranging a swatting.

Using network monitoring tools, Dennis then captured the IP address linked to the Torswats account and uncovered a new username: "Paimon Arnum." In January 2023, Dennis handed this critical piece of evidence, along with other usernames and active Discord servers he had tracked over several months, over to the FBI.

According to emails reviewed by WIRED, that information was central to how the FBI broke the case and was the basis of subpoenas sent to Discord and Google in April of 2023 seeking information on accounts Dennis had identified. By early May, the FBI had successfully pinpointed Torswats’ identity and location.

That month, Torswats privately took responsibility for swatting incidents in Telegram chats reviewed by WIRED. These incidents affected up to 25 schools in Washington state, impacting approximately 18,116 students and costing taxpayers an estimated $271,173 in lost instructional time, according to Don Beeler, CEO of TDR Technology Solutions, a company specializing in school surveillance and threat analysis.

Additionally, 911 audio and other police records obtained by WIRED corroborate that the same individual made the calls for more than a dozen of these swatting incidents. In some instances, the caller told dispatchers he had been commanded by Satan to kill students. In others, he said he had been mistreated because he was gay. In others, he seemed to have become bored enough with the game that he didn’t bother to make up a reason.

On July 12, the Torswats handle announced a new swatting operation dubbed the “Grand Offensive,” targeting a dozen senators. Three days later, the FBI raided Filion’s home and seized his electronic devices.

But the raid didn’t stop the swatting.

On November 6, 2023, someone using the Torswats handle took responsibility for a bomb threat aimed at North Beach High School in Ocean Shores, Washington, through a Telegram message. According to police reports and call records obtained by WIRED, the caller impersonated a drug dealer who wanted to report his client to the police because he had said he had placed pipe bombs around the school and was planning a mass shooting. That same month, a person going by Torswats also admitted to swatting an investigator and cybercrime expert named Keven Hendricks in private Telegram communications.

Both threats could be attributed to the same individual, according to a law enforcement official who reviewed the recordings for WIRED but requested anonymity because they were unauthorized to speak to the press.

Details about Filion’s life outside his online activities remain sparse. Enrollment records from Lancaster’s Antelope Valley Community College show that Filion began pursuing a degree in mathematics in the fall of 2022. A former classmate, who requested anonymity due to fears of retaliation, described Filion as quiet and “forgettable.”

“He didn’t appear to have many friends,” they said.

In January 2024, an individual affiliated with the Torswats Telegram account and claiming to be a friend of Filion suggested that he was part of a group aiming to incite racial violence and that he sought money to “buy weapons and commit a mass shooting.” The allegation aligns with a written tip, placed to the FBI’s Internet Crime Complaint Center in April 2023 and obtained by WIRED, alleging that the person behind the Torswats account was involved in a neo-Nazi cult known as the Order of Nine Angles.

“He believes he is doing his part to bring about the end of days by ‘bleeding the finances and man hours of the system,’” the tipster wrote.

Filion’s family could not be immediately reached for comment. A sentencing date for the teenager has not yet been set.

_Updated at 10:45 am EST, November, 2024: Added additional details about Filion’s involvement in swatting attacks against prominent US government officials and others._

Teen Behind Hundreds of Swatting Attacks Pleads Guilty to Federal Charges

The tech giant fixed privilege-escalation and model-exfiltration vulnerabilities in Vertex AI that could have allowed attackers to steal or poison custom-built AI models.

Source: Krot Studio via Alamy Stock Photo

Google has fixed two flaws in Vertex AI, its platform for custom development and deployment of large language models (LLMs), that could have allowed attackers to exfiltrate proprietary enterprise models from the system. The flaw highlights once again the danger that malicious manipulation of artificial intelligence (AI) technology present for business users.

Researchers at Palo Alto Networks Unit 42 discovered the flaws in Google's Vertex AI platform, a machine learning (ML) platform that allows enterprise users to train and deploy ML models and AI applications. The platform is aimed at allowing for custom development of LLMs for use in an organization's AI-powered applications.

Specifically, the researchers discovered a privilege escalation flaw in the "custom jobs" feature of the platform, and a model exfiltration flaw in the "malicious model" feature, Unit 42 revealed in a blog post published on Nov. 12.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

Related:Cloud Ransomware Flexes Fresh Scripts Against Web Apps

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

The first bug allowed for exploitation of custom job permissions to gain unauthorized access to all data services in the project. The second could have allowed an attacker to deploy a poisoned model in Vertex AI, leading to "the exfiltration of all other fine-tuned models, posing a serious proprietary and sensitive data exfiltration attack risk," Palo Alto Networks researchers wrote in the post.

Unit 42 shared its findings with Google, and the company has "since implemented fixes to eliminate these specific issues for Vertex AI on the Google Cloud Platform (GCP)," according to the post.

While the imminent threat has been mitigated, the security vulnerabilities once again demonstrate the inherent danger that occurs when LLMs are exposed and/or manipulated with malicious intent, and how quickly the issue can spread, the researchers said.

"This research highlights how a single malicious model deployment could compromise an entire AI environment," the researchers wrote. "An attacker could use even one unverified model deployed on a production system to exfiltrate sensitive data, leading to severe model exfiltration attacks."

Related:5 Ways to Save Your Organization From Cloud Security Threats

**Poisoning Custom LLM Development**

The key for exploiting the flaws that were discovered lies within a feature of Vertex AI called Vertex AI Pipelines, which allow users to tune their models using custom jobs, also referred to as "custom training jobs." "These custom jobs are essentially code that runs within the pipeline and can modify models in various ways," the researchers explained.

However, while this flexibility is valuable, it also opens the door to potential exploitation, they said. In the case of the vulnerabilities, Unit 42 researchers were able to abuse permissions within what's called a "service agent" identity of a "tenant project" — connected through the project pipeline to the "source project," or fine-tuned AI model created within the platform. A service agent has excessive permissions to many permissions within a Vertex AI project.

From this position, the researchers could either inject commands or create a custom image to create a backdoor that allowed them to gain access to the custom model development environment. They then deployed a poisoned model for testing within Vertex AI that allowed them to gain further access to steal other AI and ML models from the test project.

Related:2 Zero-Day Bugs in Microsoft's Nov. Update Under Active Exploit

"In summary, by deploying a malicious model, we were able to access resources in the tenant projects that allowed us to view and export all models deployed across the project," the researchers wrote. "This includes both ML and LLM models, along with their fine-tuned adapters."

This method presents "a clear risk for a model-to-model infection scenario," they explained. "For example, your team could unknowingly deploy a malicious model uploaded to a public repository," the researchers wrote. "Once active, it could exfiltrate all ML and fine-tuned LLM models in the project, putting your most sensitive assets at risk."

**Mitigating AI Cybersecurity Risk**

Organizations are just beginning to have access to tools that can allow them to build their own in-house, custom LLM-based AI systems, and thus the potential security risks and solutions to mitigate them are still very much uncharted territory. However, it's become clear that gaining unauthorized access to LLMs created within an organization is one surefire way to expose that organization to compromise.

At this stage, key to securing any custom-built models is to limit the permissions of those in the enterprise that have access to it, the Unit 42 researchers noted. "The permissions required to deploy a model might seem harmless, but in reality, that single permission could grant access to all other models in a vulnerable project," they wrote in the post.

To protect against such risks, organizations also should implement strict controls on model deployments. A fundamental way to do this is to ensure an organization's development or test environments are separate from its live production environment.

"This separation reduces the risk of an attacker accessing potentially insecure models before they are fully vetted," Balassiano and Shaty wrote. "Whether it comes from an internal team or a third-party repository, validating every model before deployment is vital."

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 am ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Google AI Platform Bugs Leak Proprietary Enterprise LLMs

Three technologists in India used a homemade Faraday cage and a microwave oven to get around Apple’s location blocks.

When Apple released a software update at the start of November that enabled its new hearing aid features in AirPods Pro 2 earbuds, Rithwik Jayasimha immediately went out with his dad to buy a pair for his grandma. “We came back home, we took them out of the case, and I was looking for the feature and it was just missing,” Jayasimha says. India, where Jayasimha and his family live, is not one of the many countries where Apple’s hearing aid features are available. “It was a huge bummer,” Jayasimha says.

Instead of abandoning the headphones, Jayasimha and two friends, Arnav Bansal and Rithvik Vibhu—both of whom say they have grandmas who use hearing aids as well—hacked a way to bypass Apple’s location restrictions and enable their hearing aids in Bangalore.

To dodge Apple’s geolocation restrictions, the trio built a rudimentary, signal-blocking Faraday cage on top of a microwave with aluminum foil, which ultimately allowed them to enable the hearing aid settings. “We don’t even think it’s Apple’s fault. The feature is amazing,” Jayasimha says.

One of the older hearing aids that was replaced with an Apple’s AirPods Pro 2.Photograph: Lagrange Point/Rithwik Jayasimha

The group members, who have a mix of hardware and software skills and first detailed their hack as part of a technology collective called Lagrange Point, say a couple of dozen people have contacted them asking for help with their AirPods. “We’ve got a huge amount of interest from folks in India who have these AirPods or whose grandparents need them and they’ve not been able to use them,” Jayasimha says. Others have documented the same issue in social media posts.

The researchers demonstrated that they could bypass Apple’s geographic restrictions with a set of AirPods Pro 2 connected to a 10th generation Wi-Fi-only iPad. They note that it would be possible to do the workaround on an iPhone or iPad connected to a mobile carrier as well, but it would be more involved.

To find the workaround, the researchers first looked at the different ways that iOS establishes where a device is in the world. For Wi-Fi-only devices, there are a few checks. The server looks at which Apple Store region the device is connected to, as well as the time zone, language, and region the device is set to. Additionally, the operating system sends a simple web request to an Apple web service that then responds with the country code of the country the device appears to be in based on the location associated with its IP address.

The researchers first tried manually changing the time zone and region settings for the iPad, but it ultimately wasn’t clear whether this impacted their ability to hide the iPad’s true location. When masking the iPad’s IP address so it would appear to be connected in the United States didn’t work, the researchers assessed other metrics the device might be using to establish its geographic location. It turns out that iOS also examines Wi-Fi “service set identifiers,” or SSIDs, that help devices connect to the right Wi-Fi network when there are many network signals in the air—like in an apartment building or at a coffee shop.

The operating system also uses GPS triangulation and device identifier “MAC addresses” of nearby devices, including routers, to establish a device’s location. In other words, even if a person in Bangalore uses a proxy to make it seem like their iPad has a US-based IP address, all the nearby routers and devices are associated with India-located IP addresses that give the real location away.

To deal with this, the researchers rigged up a Faraday cage, which blocks electromagnetic signals, to isolate the iPad from the other devices and wireless networks around it. They built their aluminum-foil-clad enclosure on top of a regular kitchen microwave and then turned on the microwave whenever they wanted to block signals to the iPad. The setup worked because consumer microwaves heat food using electromagnetic waves that are at the same frequency as Wi-Fi signals—2.4 GHz. Essentially, the researchers had turned their microwave oven into a Wi-Fi jammer.

The hackers first built a Faraday cage using a cardboard box and several sheets of aluminum foil, and placed it on top of a microwave to further block wireless signals.Photograph: Lagrange Point/Rithwik Jayasimha

“We put several layers of aluminum inside and outside \[a cardboard box\] and we’d see some signal strength drop,” Bansal says. “Of course, it’s not going to be great, but combined with the microwave, it worked.”

Ultimately, the researchers designed a less ingenious, but simpler and more reliable Faraday cage to make their manipulation more practical. With the iPad placed in its own shielded bubble, the researchers used an open source Wi-Fi location database and Wi-Fi SSID cycling tool to trick iOS into locating the iPad in California. With this complete, the AirPods could work as hearing aids in India.

Apple offers the hearing aid features in more than 100 countries, and it has great promise as a tool for making hearing aid tech more accessible—and more palatable—to millions of people around the world. But the company isn’t able to offer the feature everywhere and restricts access in certain countries, like India, likely because of regulatory hurdles related to medical devices. The fact that it’s possible to circumvent these restrictions may offer a solution, at least temporarily, for people in blocked countries who are looking for a workaround.

Apple did not return WIRED’s request for comment about the findings, but the researchers note that it seems like it would be possible for Apple to close the loophole they discovered fairly easily. They say they haven’t heard from the company.

Alan Woodward, a cybersecurity professor at the University of Surrey, says their work is “very interesting” and demonstrates how there may often be ways around “safeguards” put in place by Big Tech. “It shows that those with the technical understanding can bypass the geofencing of apps relatively simply,” Woodward says. “Not that everyone could do it, but they probably know someone that can.”

“I’m not sure how many people realize the number of variants in something like iOS even on what is apparently the same version—the build number is what really matters,” Woodward says. “It’s more a lesson to people that you have more than you realize on your phone.”

The second version of the Faraday cage, which the researchers plan to use to run more experiments.Photograph: Lagrange Point/Rithwik Jayasimha

Services offered by Big Tech companies such as Apple and Google often have had staggered launches around the world as lawmakers have introduced regulations to control technology companies’ power and protect people’s rights. In the EU, for instance, several AI products have been delayed or not launched due to strict privacy laws. Apple has also been required to allow alternative App Stores due to EU rules. At the same time, right-to-repair movements have grown in popularity, and people have increasingly been hacking into the products they buy.

While the three researchers in India believe that it is likely Apple’s hearing aid features will officially come to the country in the coming months, they plan in the meantime to help the dozens of people they say have reached out to them about their own headphones. They also plan on using the second version of the Faraday cage to set up people’s AirPods. From their own grandmas’ experiences, the hearing aid features appear to be valuable in their everyday lives.

Bansal says his grandma has some hearing loss and other health challenges, but has typically worn hearing aids while watching television. “She used to wear her old clunky hearing aids, and they were really problematic because they had these tiny little buttons on them,” Bansal says. “But now she uses the AirPods, we’ve set it up with her hearing profile, and she can use it to watch the TV just fine and it’s a lot nicer. She doesn’t feel like a patient wearing it.”

These Guys Hacked AirPods to Give Their Grandmas Hearing Aids

Where there’s a gift to be bought, there’s also a scammer out to make money. Here's how to stay safe this shopping season.

It’s that time of year again. Thanksgiving will pass just as quickly as it arrived, and the festive season will soon hit full swing as countless people go online for some gift shopping. But where there’s a gift to be bought, there’s also a scammer out to make money.

And make money they do. In the last five years, the Internet Crime Complaint Center (IC3) said it has received 3.79 million complaints for a wide range of internet scams, resulting in $37.4 billion in losses. 

Today, we’re warning of several online threats that could target you over the next few weeks and months: brand impersonation and fakes, credit card skimming, and malvertising. 

**1\. **Brand impersonation scams** **

This Black Friday and beyond, you’re likely to see scammers ripping off big name brands. Here are a few fakes you should look out for. 

****Temu ads offer discounted PS5s** **

Scrolling through Facebook, we were presented with a couple of posts advertising discounted PS5s. 

> “Quit overspending on PS5! This one I got off TEMU is AWESOME and is much cheaper. I’d highly recommend picking this up!” 

Of course, it’s tempting to get a discount on high-value items like a PlayStation 5, but Temu doesn’t actually sell PS5s.

If you click the play button on the “video,” you are instead redirected to a Temu page selling various PlayStation accessories that are not official or in any way approved by Sony.  

****Fake Amazon offers you great deals this Black Friday** **

Amazon is relatively low cost, it’s convenient, and you can look at someone’s wish list on there. Except in this scam we caught online, the website isn’t really Amazon—check out the URL. 

Fake online stores like this use Amazon’s branding to sell counterfeit products. Even if you take the risk and buy a knock off product (which we think is a bad idea), you have no guarantee of receiving the merchandise, and definitely no buyer protection. 

****Walmart makes it easy for you to buy gift cards** **

Nothing says “I saw this and thought of you” like a Walmart gift card on Christmas day. But make sure you are buying from the right website.  

Again, in this example, check out the URL—this website might look Walmart, but it’s a fake that will happily take your money in exchange for nothing. 

****“USPS” now delivers you fraud** **

If you’re taking advantage of Black Friday sales and buying many things at once, it can be tricky to keep track of what you’ve ordered. Even if you do know what’s coming, you often don’t know which package service will deliver it to your door. Scammers take advantage of this and will send fake delivery notice emails that encourage you to click on them. 

With this fake USPS site, you are asked to pay a small fee to have your delivery processed. However, once you hand over your card details the scammers can take whatever amount they like and sell your details to other criminals. 

These scams are very common. In fact, when we looked, we saw 50 fake USPS sites set up in only a day: 

**2\. **Credit card skimmers** **

We’re seeing a lot of online stores hosting credit card skimmers, especially smaller retailers.  

A credit card skimmer is a piece of malware that is injected into a website, often through vulnerabilities in the content management system (CMS) or the plugins that the site owner uses. 

When visiting a site that has a card skimmer on it, you’ll likely have no idea it’s even there. However, a single script injection is enough to steal your credit card data. 

Last year, we saw a large uptick in card skimmers just before the holiday season. One particular campaign that we tracked peaked in April 2023, but then really slowed down during the summer months. Across months, cybercriminals had infected multiple websites and built custom templates to trick victims into handing over their credit card details. By October, the same campaign had increased to its highest volume yet, and it is highly likely that this year will be the same. 

When looking at compromised websites, it can be hard to tell what—if anything—is wrong. However, if a site looks like it hasn’t been maintained in a while (for example, it displays outdated information, such as ‘Copyright 2022′) you should avoid entering in your card details. Most compromises happen because a website’s CMS and its plugins are outdated and vulnerable. 

Our free browser extension Malwarebytes Browser Guard blocks credit card skimmers by default. If you visit a compromised store you’ll be shown a warning like this: 

Access to the store isn’t blocked, we just block the skimmer code so it can’t load. And while you could in theory still shop safely, we’d still advise you to avoid buying anything from there. 

Malvertising—or malicious advertising—is a favorite of scammers, who use online ads and sponsored search results to deliver malware to their unsuspecting victims.  

Malvertising doesn’t require that criminals know a victim’s email address, login credentials, or personal information to deliver them malware. All the scammers need to do is fool someone into clicking on an ad that looks legitimate.  

Last fall, Malwarebytes tracked a 42% increase month-over-month in malvertising incidents in the US. This year we’re seeing a similar uptick, with a 41% increase from July to September as we head into the holiday shopping season. 

In terms of the actual advertiser accounts that are used in malvertising campaigns, most are based in the US and are set up using a combination of fake identities or hijacked accounts. However, according to our research findings, ads originating in Pakistan and Vietnam account for 90% of the fraud. 

Most (77%) of the accounts are used once only—created quickly and then burned. Once that account is dead, cybercriminals spin up the next one and on it goes.  

No brand is safe from malvertisers. We’ve tracked campaigns that spoof Google, Amazon, eBay, Walmart, Lowe’s—and even Malwarebytes.  

Our advice: It’s not always easy to tell a real ad from a scam, so it’s best to avoid clicking on sponsored ads at all. Use genuine search results or navigate directly to the site yourself. 

****How to shop safely this holiday season**  **

*   **Remember: If it’s too good to be true then it probably is.** Discounted items are tempting—especially at a time of year when lots of spending takes place—but these offers often amount to nothing. Instead, research the best deal at reputable retailers. 

*   **Don’t get rushed into making decisions.** Scammers will use a sense of urgency to pressure you into performing quick actions before you can properly think things through. Take your time before doing anything like clicking links or entering card details. 

*   **Get an ad and malicious content blocker like** **Malwarebytes Browser Guard.** If you’re blocking ads then you can’t be tricked into clicking on them. Browser Guard (which is free!) also protects against credit card skimming and other online threats. 

*   **Keep an eye on your financial statements:** An uptick in online shopping deserves an uptick in vigilance with checking online bank accounts, credit card statements, investment portfolios—in fact, any financial account data. Flag anything that seems suspicious with your provider. 

*   **Protect your online accounts.** Use a different password for every account (a password manager is super helpful in generating and storing all your passwords), and set up multi-factor authentication (MFA) wherever you can.  

*   **Protect your devices:** Most security products offer some kind of web protection that detects malicious domains and IP addresses, including Malwarebytes Premium which offers web and phishing protection. 

*   **Clean up your personal data online:** Cybercriminals use publicly available information in their scams, so check what information is available about you online using our free Digital Footprint scan. You can also take the first step in removing your personal information from the network of data brokers online with our Personal Data Remover. 

_Thanks to Jerome Segura for his research on this piece._

 Warning: Online shopping threats to avoid this Black Friday and Cyber Monday  

The November 2024 Patch Tuesday update contains a substantially high percentage of remote code execution (RCE) vulnerabilities (including a critical issue in Windows Kerberos), and two other zero-day bugs that have been previously disclosed and could soon come under attack.

Source: Rix Pix Photography via Shutterstock

Attackers are already actively exploiting two vulnerabilities for which Microsoft issued patches on Nov. 12 as part of its monthly security update. And they could soon begin targeting two other publicly disclosed, but as yet unexploited, flaws.

The four zero-day bugs are among a set of 89 common vulnerabilities and exposures (CVEs) that Microsoft addressed in November's Patch Tuesday. The batch contains a substantially high percentage of remote code execution (RCE) vulnerabilities, in addition to the usual collection of elevation of privileges flaws, spoofing vulnerabilities, security bypass, denial-of-service issues, and other vulnerability classes. Microsoft identified eight of the flaws as issues that attackers are more likely to exploit, though researchers pointed to other flaws as well that are of likely of high interest to adversaries.

**Microsoft Adopts CSAF Standard**

Along with the November security update, Microsoft also announced its adoption of Common Security Advisory Framework (CSAF), an OASIS standard for disclosing vulnerabilities in machine-readable form. "CSAF files are meant to be consumed by computers more so than by humans," Microsoft said in a blog post. It should help organizations accelerate their vulnerability response and remediation processes, the company noted.

"This is a huge win for the security community and a welcome addition to Microsoft’s security pages," said Tyler Reguly, associate director of security R&D at Fortra, via email. "This is a standard that has been adopted by many software vendors and it is great to see that Microsoft is following suit."

**Zero-Day Bugs Under Active Exploit**

One of the zero-day bugs that attackers are already actively exploiting is CVE-2024-43451 (CVSS 6.5 out of 10), a flaw that discloses a user's NTLMv2 hash for validating credentials in Windows environments. The hashes allow attackers to authenticate as legitimate users, and access applications and data to which they have permissions. The vulnerability affects all Windows versions and requires minimal user interaction to exploit. Merely selecting or inspecting a file could trigger the vulnerability, Microsoft warned.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

"To my knowledge, it's the third such vulnerability that can disclose a user's NTLMv2 hash that was exploited in the wild in 2024," Satnam Narang, senior staff engineer at Tenable, wrote in an emailed comment. The other two are CVE-2024-21410 in Microsoft Exchange Server from February, and CVE-2024-38021 in Microsoft Office from July.

"One thing is certain," according to Narang. "Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes."

The second bug under active exploit in Microsoft's latest update is CVE-2024-49039 (CVSS 8.8), a Windows Task Scheduler elevation of privilege bug that allows an attacker to execute remote procedure calls (RPC) normally available only to privileged accounts.

"In this case, a successful attack could be performed from a low privilege AppContainer," Microsoft said. "The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment."

The fact that it was Google's Threat Analysis Group that discovered and reported this flaw to Microsoft suggests that the attackers currently exploiting the flaw are either a nation-state-backed group or other advanced persistent threat actor, Narang said.

"An attacker can perform this exploit as a low-privileged AppContainer and effectively execute RPCs that should be available only to privileged tasks," added Ben McCarthy, lead cybersecurity engineer at Immersive Labs, via email. "It is unclear what RPCs are affected here, but it could give an attacker access to elevate privileges and execute code on a remote machine, as well as the machine in which they are executing the vulnerability."

**Previously Disclosed but Unexploited Zero-Days**

One of the two already disclosed — but not yet exploited — zero-days is CVE-2024-49019 (CVSS 7.8), an elevation-of-privilege vulnerability in Active Directory Certificate Services that attackers could use to gain domain administrator access. Microsoft's advisory listed several recommendations for organizations to secure certificate templates, including removing overly broad enrollment rights for users or groups, removing unused templates, and implementing additional measures to secure templates that allow users to specify a subject in the request.  

Microsoft is tracking the other publicly disclosed but unexploited flaw as CVE-2024-49040 (CVSS 7.5), a Windows Exchange Server spoofing flaw. "The primary issue lies in how Exchange processes ... headers, enabling attackers to construct emails that falsely appear to be from legitimate sources," Mike Walters, president and co-founder of Action1, wrote in a blog post. "This capability is particularly useful for spear phishing and other forms of email-based deception."

**RCE Security Bugs Have a Big Month**

Nearly 60% of the bugs — 52 of 89 — that Microsoft disclosed in its November update are RCE vulnerabilities that allow remote attackers to execute arbitrary code on vulnerable systems. Some allow for unauthenticated RCE, while others require an attacker to have authenticated access to exploit the bug. Most of the RCEs in Microsoft's latest update affect various versions of MS SQL Server. Other impacted technologies include MS Office 2016, MS Defender for iOS, MS Excel 2016, and Windows Server 2012, 2022, and 2025, said Will Bradle, security consultant at NetSPI, in an emailed statement.

Among the most critical of the RCEs, according to Walters, is CVE-2024-43639 in Windows Kerberos. The bug has a near-maximum CVSS severity score of 9.8 of 10 because, among other things, an unauthenticated attacker can exploit it remotely. Microsoft itself has assessed the bug as something that attackers are less likely to exploit. But putting it on the back burner for that reason could be a mistake.

"Kerberos is a fundamental component of Windows environments, crucial for authenticating user and service identities," Walters added. "This vulnerability turns Kerberos into a high-value target, allowing attackers to exploit the truncation flaw to craft messages that Kerberos fails to process securely, potentially enabling the execution of arbitrary code."

Bradle pointed to CVE-2024-49050 in Visual Studio Code Python Extension as another RCE in this month's set that merits priority attention. "The extension currently has over 139 million downloads and is affected by an RCE vulnerability with a base CVSS score of 8.8," he said. "Microsoft has patched the VSCode extension, and updates should be installed immediately."

Immersive Labs' McCarthy also identified multiple other flaws that organizations would do well to address quickly. They include the critical CVE-2024-43498 (CVSS 9.8), an RCE in .NET and Visual Studio; CVE-2024-49019 (CVSS 7.8), an Active Directory privilege escalation flaw; CVE-2024-49033 (CVSS 7.5), a Microsoft Word security bypass flaw; and CVE-2024-43623 (CVSS 7.8), a privilege escalation flaw in the Windows NT OS kernel that enables attacker to gain system level access on affected systems. Importantly, Microsoft has assessed the latter vulnerability as one that attackers are more likely to exploit.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

2 Zero-Day Bugs in Microsoft's Nov. Update Under Active Exploit

Microsoft today released updates to plug at least 89 security holes in its Windows operating systems and other software. November's patch batch includes fixes for two zero-day vulnerabilities that are already being exploited by attackers, as well as two other flaws that were publicly disclosed prior to today.

**Microsoft** today released updates to plug at least 89 security holes in its **Windows** operating systems and other software. November’s patch batch includes fixes for two zero-day vulnerabilities that are already being exploited by attackers, as well as two other flaws that were publicly disclosed prior to today.

The zero-day flaw tracked as CVE-2024-49039 is a bug in the **Windows Task Scheduler** that allows an attacker to increase their privileges on a Windows machine. Microsoft credits Google’s **Threat Analysis Group** with reporting the flaw.

The second bug fixed this month that is already seeing in-the-wild exploitation is CVE-2024-43451, a spoofing flaw that could reveal Net-NTLMv2 hashes, which are used for authentication in Windows environments.

**Satnam Narang**, senior staff research engineer at **Tenable**, says the danger with stolen NTLM hashes is that they enable so-called “pass-the-hash” attacks, which let an attacker masquerade as a legitimate user without ever having to log in or know the user’s password. Narang notes that CVE-2024-43451 is the third NTLM zero-day so far this year.

“Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems,” Narang said.

The two other publicly disclosed weaknesses Microsoft patched this month are CVE-2024-49019, an elevation of privilege flaw in **Active Directory Certificate Services** (AD CS); and CVE-2024-49040, a spoofing vulnerability in **Microsoft Exchange Server**.

**Ben McCarthy**, lead cybersecurity engineer at **Immersive Labs**, called special attention to CVE-2024-43639, a remote code execution vulnerability in **Windows Kerberos**, the authentication protocol that is heavily used in Windows domain networks.

“This is one of the most threatening CVEs from this patch release,” McCarthy said. “Windows domains are used in the majority of enterprise networks, and by taking advantage of a cryptographic protocol vulnerability, an attacker can perform privileged acts on a remote machine within the network, potentially giving them eventual access to the domain controller, which is the goal for many attackers when attacking a domain.”

McCarthy also pointed to CVE-2024-43498, a remote code execution flaw in **.NET** and **Visual Studio** that could be used to install malware. This bug has earned a CVSS severity rating of 9.8 (10 is the worst).

Finally, at least 29 of the updates released today tackle memory-related security issues involving **SQL server**, each of which earned a threat score of 8.8. Any one of these bugs could be used to install malware if an authenticated user connects to a malicious or hacked SQL database server.

For a more detailed breakdown of today’s patches from Microsoft, check out the SANS Internet Storm Center’s list. For administrators in charge of managing larger Windows environments, it pays to keep an eye on Askwoody.com, which frequently points out when specific Microsoft updates are creating problems for a number of users.

As always, if you experience any problems applying any of these updates, consider dropping a note about it in the comments; chances are excellent that someone else reading here has experienced the same issue, and maybe even has found a solution.

Microsoft Patch Tuesday, November 2024 Edition

The essays are to focus on the impact that artificial intelligence will have on European policy.

Source: Deco via Alamy Stock Photo

The Munich Security Conference is partnering with the European Cyber Conflict Research Initiative's Binding Hook on the AI-Cybersecurity Essay Prize Competition to explore the intersection of cybersecurity and artificial intelligence (AI).

As cyber threats rapidly evolve, AI is at the forefront, shaping the next generation of cyber defenses and bringing new challenges and opportunities, said Max Smeets, co-director of the European Cyber Conflict Research Initiative (ECCRI) and the European Cyber Conflict Research Incubator, in a statement. Researchers are invited to submit essays on how AI will change cybersecurity, its implications for Europe, and actionable recommendations for policymakers. Essays can reference previously published research, but the content should be reworked to provide new insights.

"Launching this competition is, for me, about opening the door to voices from a range of disciplines - encouraging contributions that speak to both the opportunities and risks AI presents for cybersecurity," Smeets said. "I also hope we will see not just analysis but ideas that policymakers can consider seriously; thoughtful pieces that get at the heart of what AI could mean for cybersecurity policy in Europe."

Essays will be reviewed by a board led by co-chairs Kersti Kaljulaid, former president of Estonia, and Shashank Joshi, defense editor at The Economist. Board members include Heather Adkins, vice president of security engineering and head of office of cybersecurity resilience at Google; Klaus Hommels, founder of Lakestar and chair of the board of directors at the NATO Innovation Fund; Mikko Hyppönen, a security and privacy expert; Maria Markstedter, founder of Azeria Labs; Eva Maydell, member of the European Parliament; and ECCRI's Smeets. Prizes will be awarded for the top five essays, starting at €10,000 (US$10,628) for the top prize and €5,000 (US$5314) for the runner-up. The winning author will also be invited to attend the 2025 Munich Security Conference.

Essays should be 800 to 1,200 words. The deadline for submissions is Jan. 2, 2025. 

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

New Essay Competition Explores AI's Role in Cybersecurity

Adaptive Shield is the third security posture management provider the company has acquired in the last 14 months as identity-based attacks continue to rise.

Source: Artemis Diana via Alamy Stock Photo

CrowdStrike's spending spree for security posture management capabilities continued with a deal to buy Adaptive Shield, an Israeli startup  that specializes in securing organizations' SaaS ecosystems and protecting against identity-based attacks.

Last week's deal calls for CrowdStrike to pay cash and stock for Adaptive Shield; CrowdStrike expects to complete the transaction by the end of January 2025. Press reports estimate the value of the deal at around $300 million.

Founded in 2019, Adaptive Shield is one of many companies in the SaaS security posture management (SSPM) sector; others include AppOmni, DoControl, Obsidian, and Reco. 

Adaptive Shield's platform supports more than 150 SaaS applications including Adobe, Google Workspace, Microsoft 365, Salesforce, Slack, and Zoom. It monitors for misconfigurations and identity threats, and offers a no-code tool for custom SaaS applications called Integration Builder.

**Competitive Impact?**

Omdia senior principal analyst Rik Turner wonders whether the deal will prompt CrowdStrike's competitors like Cisco, Palo Alto Networks, and Sentinal One to follow suit with their own deals. Overall, it's been an active time for acquisitions of cloud and data security posture management (DSPM) startups, he noted. 

Adaptive Shield is CrowdStrike's third security posture management provider in the last 18 months. In October 2023, CrowdStrike bought Bionic, an early provider of application security posture management (ASPM), extending security risk visibility from code development to cloud deployment. 

Earlier this year, CrowdStrike bought Flow Security, another DSPM cloud platform that protects data at rest and in motion. "In contrast, there has been no such buying frenzy with SSPMs. CrowdStrike's acquisition of Adaptive Shield is the first deal of this kind, raising the question of whether it might start a trend among the purchaser’s competitors," Turner note in a recent report.

CrowdStrike emphasizes that the addition of Adaptive Shield will boost the capability of its Falcon platform to protect organizations against identity-based attacks by adding SaaS applications to the mix. 

Once integrated into Falcon, Adaptive Shield's SSPM platform will give organizations visibility into misconfigurations, unnecessary or rogue privileges, and activities undertaken among accounts of on-premises and cloud identity providers as well as SaaS security applications. The addition "provides organizations with granular visibility into their growing cloud environments, enables them to manage and secure their SaaS security posture and their human and non-human identities, and helps them detect and prevent identity-centric, cloud-focused cyberattacks," CrowdStrike president Michael Sentonas explained in a blog post.

CrowdStrike senior product manager for identity Ryan Terry buttressed that message at a company meeting last week in Amsterdam. "Our vision is to unify identity protection across the entire Falcon security platform that includes cloud security," he said. "That will bring ISPM, CIEM, and ITDR together in an integrated way, in one single platform to help you address today's modern identity challenges."

**Keying in on Identity**

SaaS connectors will improve visibility into threat activity and precursors to identity-based attacks, says Forrester Research principal analyst Andras Cser. And he believes adding SSPM to CrowdStrike Falcon will fill a gap in the platform's identity protection module.

"Identity-wise, CrowdStrike claims they have ITDR, but in reality, it's mainly cloud infrastructure entitlement management, addressing how admins have access to policies that drive privileges on things like \[AWS\] S3 buckets and Azure Blobs and things like that," Cser says. "It's not true \[identity and access management\] in the sense of user account provisioning-deprovisioning, federation, token service, and all these other types of things."

The Adaptive Shield SSPM and ITDR platform promises to provide a broad range of protection against such attacks by providing unified, hybrid identity management for SaaS-based apps and on-premises authentication, notably Microsoft's Active Directory.

Adaptive Shield's platform also continuously monitors generative AI-based SaaS applications for configuration shifts and enforces security standards and privileges. And it's designed to prevent data exfiltration and discover unauthorized AI applications. "Beyond identities, it also provides visibility into misconfigurations and other risks affecting SaaS applications so organizations can better manage these issues and detect and respond to threats," Sentonas added.

Identity-Based Attacks Continue to Mount

Vendor focus on identity isn't happening in a vacuum. Threat actors such as Scattered Spider and Cozy Bear (also known as APT29 and Midnight Blizzard) have actively exploited identity through various techniques, including password spraying, phishing, stealing legitimate credentials, and exploiting misconfigurations. 

After managing to get global administrator rights to MGM Resorts' Azure instances last year, Scattered Spider was able to exfiltrate data and disrupt its operations. Earlier this year, Microsoft was among the victims of a password spray attack by Russia-based Midnight Blizzard, compromising its corporate email systems. Overall, CrowdStrike has claimed that 80% of breaches now have an identity component.  

At the RSA Conference earlier in the year, Sentonas and CrowdStrike co-founder and CEO George Kurtz demonstrated how hackers exploit identity provider misconfigurations with phish-able authentication factors to gain access to highly privileged accounts. "They move laterally once they're inside an organization to achieve their outcome," Sentonas said.

**More Identity Features in the Wings**

Ross Penny, a principal technical strategist for CrowdStrike, said the company plans to roll out several tools to bolster CrowdStrike Falcon Identity by February 2025. Among recent and current deliverables include integration with AWS Identity Center, which reports on the "full picture" of risks associated with federated AWS accounts. 

"If you're only looking within AWS because it's federated, you lack a lot of information about it," Penny explained. "The fact that we know where that account lives and originates means you have a much wider variety of risk that you're able to use to calculate those access decisions and detections."

Penny said that CrowdStrike is also readying a policy management API that can be integrated into external workflows. CrowdStrike developed this API because many of its customers also use ServiceNow.

Early next year, CrowdStrike will extend integration with other identity providers, including Okta Universal Directory, Google Workspace, and AWS permission usage analysis. CrowdStrike also plans to add attack path detection across those multiple identity providers in 2025.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 am ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, Dr. Max Smeets from ETH Zurich, and Elvia Finalle from Omdia. Register now!

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

CrowdStrike Spends to Boost Identity Threat Detection

Aftermath of MOVEit vulnerability: Data vigilante ‘Nam3L3ss’ leaks nearly 8 million employee records from industry giants like Amazon,…

Aftermath of MOVEit vulnerability: Data vigilante ‘Nam3L3ss’ leaks nearly 8 million employee records from industry giants like Amazon, 3M, HP, and Delta, exposing cybersecurity flaws across major firms.

A “Data Vigilante” using the alias Nam3L3ss has leaked millions of employee records from global industry giants, in connection with the widespread **MOVEit vulnerability**. For your information, the MOVEit flaw is a security vulnerability in the MOVEit file transfer software, which many organizations use to share sensitive data.

Nam3L3ss, who denies being a hacker, began leaking the data on Friday, November 8, 2024. So far, sensitive and non-sensitive records from 27 companies, totalling 7,952,414 employee records, have been exposed. This includes 2,861,111 records from Amazon employees, a breach acknowledged by the company.

“Amazon and AWS systems remain secure, and we have not experienced a security event. We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon,” Amazon spokesperson Adam Montgomery told Hackread.com. “The only Amazon information involved was employee work contact information, for example, work email addresses, desk phone numbers, and building locations.”

****Data Analysis****

The Hackread.com research team conducted an in-depth analysis of each file leaked by Nam3L3ss, revealing that the data includes full names, email addresses, phone numbers, office addresses, residential addresses, company names, location coordinates, and more.

****List of Affected Companies and Employee Counts****

    3M: 48,630 employees
    
    HP: 104,119 employees
    
    Delta: 57,317 employees
    
    MetLife: 585,130 employees
    
    Amazon: 2,861,111 employees
    
    McDonald's: 3,295 employees
    
    Lenovo: 45,522 employees
    
    TIAA: 2,464,625 employees
    
    CalSTRS: 422,311 employees
    
    BT: 15,347 employees
    
    URBN: 17,553 employees
    
    Leidos: 52,610 employees
    
    UBS: 20,462 employees
    
    HSBC: 280,693 employees
    
    Firmenich: 13,248 employees
    
    U.S. Bank: 114,076 employees
    
    Canada Post: 69,860 employees
    
    Westinghouse: 18,193 employees
    
    Rush University: 15,853 employees
    
    Omnicom Group: 37,320 employees
    
    Charles Schwab: 49,356 employees
    
    City National Bank: 9,358 employees
    
    Applied Materials: 53,170 employees
    
    Cardinal Health: 407,437 employees
    
    Bristol-Myers Squibb: 37,497 employees
    
    TIAA (additional listing): 23,857 employees
    
    Fidelity Investments: 124,464 employees

List of targeted companies (Screenshot credit: Hackread.com)

****Nam3L3ss’s Manifesto: Motivation and Methodology****

In a post on Breach Forums, Nam3L3ss outlined their “manifesto” to explain who they are and why they’re leaking data. According to the post, they monitor misconfigured and unsecured cloud databases across various services, including AWS Buckets, Azure, Digital Ocean, Google, and FTP and MongoDB servers, to extract and make this data public.

Nam3L3ss also claims to monitor ransomware groups, analyze stolen data, clean it by removing duplicates and irrelevant information, and then release it online. For example, the leaked MetLife employee directory originated from MetLife, a global financial services firm that suffered a ransomware attack in 2023.

Nam3L3ss intro and Manifesto (Screenshot credit: Hackread.com)

The Cl0p ransomware gang exploited MOVEit extensively, targeting hundreds of organizations worldwide. They even **created clear web websites to leak** the stolen data in July 2024.

**Ferhat Dikbiyik**, chief research and intelligence officer at Black Kite, weighed in on the recent Amazon data breach, explaining, that Amazon’s recent data breach traced back to a third-party vendor’s use of the MOVEit tool, is another wake-up call for the supply chain’s hidden vulnerabilities.

“Amazon’s recent data breach traced back to a third-party vendor’s use of the MOVEit tool, is another wake-up call for the supply chain’s hidden vulnerabilities. The MOVEit flaw initially hit hundreds, but the shockwave extended across 2,700+ organizations as the ripple effects reached third and even fourth-party vendors,” Ferhat said.

“We’ve identified over 600 MOVEit servers that were likely caught in this “spray” attack—leaving a vast field of potential targets,” he explained. “CL0P ransomware, the group exploiting this flaw, named 270 victims within three months, and the count is still rising.”

“With 200 to 400 organizations speculated to have paid ransoms, the real impact stretches far beyond these numbers. This breach emphasizes that ransomware risk doesn’t stop at your company’s doorstep. In today’s ecosystem, exposure management must extend across the entire supply chain to truly defend against the next big attack.”

****Data Vigilante?****

Although the term Data Vigilante is debatable, Nam3L3ss expresses frustration with companies and government institutions for failing to secure their networks. By leaking this data, they aim to raise awareness about data security and encourage better cybersecurity practices.

****Implications of the Data Leak and Advice to Employees****

Although passwords and financial details weren’t included in the leaked files, the exposure poses significant risks to companies and employees. Threat actors, especially state-sponsored groups like **North Korea’s Lazarus Group**, are known to exploit such data to initiate phishing scams, steal cryptocurrency, and access financial information that could aid their **country’s economy**.

If you work for one of the affected companies, be on the lookout for phishing scams via email, SMS phishing (smishing), and voice phishing (vishing) attempts, as attackers may try to exploit this data for further scams.

1.  Hacker Leaks Thousands of Microsoft and Nokia Employee Details
2.  Hackers Calling Employees to Steal VPN Credentials from US Firms
3.  Hacker Leaks Data of 33K Accenture Employees in 3rd-Party Breach
4.  Shadow IT: Personal GitHub Repos Expose Employee Cloud Secrets
5.  Indian Ex-Employee Jailed for Wiping 180 Virtual Servers in Singapore

Data Vigilante Leaks 8 Million Employee Records from Amazon, HP and Others

CISA should make its recommended goals mandatory and perform audits to ensure compliance.

Gary Barlet, Public Sector Chief Technology Officer, Illumio

November 12, 2024

5 Min Read

Source: Zoonar GmbH via Alamy Stock Photo

COMMENTARY  
Companies across the country are lining up to join the latest cybersecurity trend: the Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design pledge, a commitment aimed at software manufacturers that compels them to keep up with fundamental cybersecurity strategies. Companies such as Lenovo, Google, AWS, Cloudflare, and Microsoft have already signed on. 

On the face of it, the Secure by Design pledge is a good thing. Its seven goals each encourage manufacturers to adopt or increase the usage of a key cybersecurity strategy within one year. The goals, such as "implement multifactor authentication (MFA)" are worthy, if basic, and CISA encourages companies to document their progress. If they fall short, they are also encouraged to report that failure to CISA. 

The problem is that this pledge is entirely voluntary. Companies are free to sign it — or not — as they wish. And there's no regulatory compliance factored in. This means that if a company does sign the pledge and falls short of one or more goals, no one may ever know and no action will be taken. It will be as if the pledge never existed in the first place.   

Without teeth, the pledge is essentially worthless. Outside of highlighting the low-bar steps major companies should take to ensure their infrastructure is secured from the most common attacks (which, admittedly, is a good thing), it takes no steps to ensure that companies will actually do so. And it provides no repercussions if they fail.    

**Is the Honor System Good Enough?**

With data breaches up 72% in 2023 and the average cost of a breach estimated at $4.88 million, can we afford for our nation's technological infrastructure to be governed by the honor system? What happens when the next big cyberattack takes down a pillar of our society because the company responsible failed to implement MFA?  

I'd argue for a much more aggressive approach from our federal government. Given the potential for widespread disruptions inherent with any cybersecurity failure, we can't afford to take such a lax attitude toward securing our systems. The sanctity of our nation's airlines, power grids, and other critical infrastructure relies on stringent cybersecurity measures. Merely "suggesting" that companies institute basic protocols is not enough. We need to mandate it — and punish those who fail. 

**The EU's Higher Standard**

I look at the European Union's approach to setting standards for its electronic devices. In 2022,  the EU passed a law mandating electronics manufacturers move to a standardized charging port for their mobile devices. The EU's stance toward Apple, which famously used a proprietary Lightning charging port for its iPhones, was simply: Adapt or die. Apple adapted. As a result, iPhones in Europe are now sold with the standardized USB-C charging port, alongside every other mobile device. 

The EU did not fool around with vague suggestions or pledges. It saw the value to consumers of a standardized charging port and demanded that manufacturers make the change. Those that failed to comply were not allowed to sell their devices in Europe. Simple. Effective. 

You can also look closer to home, to California, for an example of this kind of confident action by the government. The government of California adopted the Zero Emissions Vehicle requirements in 1990, and has adjusted the rules over the ensuing decades as technology has evolved. The purpose was to protect the state's air from automotive pollution. The result has been a near industrywide reduction in auto emissions for the past 30 years. 

For vehicle manufacturers that want to sell cars in California, the largest economy in the United States, the equation was the same one facing Apple in the EU: Adapt or die. They could either engineer their vehicles to produce fewer emissions or simply not sell them in California. Most elected for the former option, and, as a result, automotive emission control technology has advanced further in the past 30 years than at any point since the automobile was introduced. 

**Adopting a Similar Approach**

To protect our cyber infrastructure, we need to adopt a similar approach. Instead of simply making recommendations, our nation's cybersecurity agency should be empowered to make regulations.  

CISA should begin by making its recommended goals mandatory, forcing software companies to do the following: 

●      Increase the use of MFA 

●      Reduce default passwords 

●      Enable a significant measurable reduction in the prevalence of one or more vulnerability classes 

●      Increase the installation of security patches by customers 

●      Publish a vulnerability disclosure policy 

●      Demonstrate transparency in vulnerability reporting. 

●      Increase the ability for customers to gather evidence of cybersecurity intrusions 

Next, CISA should perform audits to ensure compliance. Relying on companies to self-report is no different from giving them permission not to report. Look closely at CISA's list of pledgees and come back in a year to see how many of these vaunted companies will have willingly admitted they aren't taking the most basic steps toward protecting their users' data. 

Finally, CISA should be empowered to make a simple statement to software manufacturers that want to sell products in the US similar to what the EU said to electronics manufacturers and what California said to automobile manufacturers: Adapt or die. 

If you want to sell software in the US, you should have to follow basic principles that will ensure your software is safe. This should not be a "nice to have." It should be mandatory. The stakes are as high if not higher than with charging ports and automobile emissions. As we witnessed with the recent failure of cybersecurity software, the impact was felt across entire industries and resulted in billions of dollars in lost productivity. This is not a realm for timidity.    

Hi all -- please add this to all of your content at the bottom between now and Thursday -- I'm adding it to this week's news items now. Rashid, Fahmida Donahue, Jim Bracken, Becky Spiegelman, Karen Beek, Kristina

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Public Sector Chief Technology Officer, Illumio

Gary Barlet has nearly three decades of cloud, cybersecurity, and network experience in the US federal government leading security and IT teams in both civilian agencies and the Department of Defense (DoD). At Illumio, Gary works with government agencies, contractors, and the broader ecosystem to build in zero-trust segmentation as a strategic component of the government’s zero-trust architecture. Before joining Illumio, Gary served as the chief information officer at the Office of the Inspector General for the US Postal Service and served in the Air Force in several technology leadership capacities, retiring from his role as cyber operations officer.

Tag

#google