AI is being used by shock call spammers to emulate the voice of a loved one claiming to be involved in an accident.

The San Francisco Chronicle tells a story about a family that almost got scammed when they heard their son’s voice telling them he’d been in a car accident and hurt a pregnant woman.

Sadly, this is becoming more common. Scammers want to spread panic among their victims, and to do this, they feign an emergency situation. That may be a car accident, unexpected hospitalization, or any other scenarios which instantly cause concern and cause victims to act quickly.

Sometimes it’s a pregnant woman who is hurt, sometimes it’s a diplomat.

In earlier days of scams like these, success depended a great deal on the criminal’s skills at social engineering, but rapid advancements in Artificial Intelligence (AI) mean scammers can now easily and convincingly fake the “voice” of the relative that is the supposed victim of the accident.

What better way to make the victim believe that something bad has happened than hearing their loved one cry out for help in their own voice. With the help of various AI powered tools, criminals can easily compose fragments based on a short voice clip they found online.

FBI Special Agent Robert Tripp said:

> “Now criminals can fabricate a voice using AI tools that are available either in the public domain for free, or at a very low cost.”

The criminals will keep that part of the communication short, so the target is unable to ask the relative any questions about what happened. While it is possible to fake entire conversations with the help of AI, the tools that can do that are much harder to operate. The criminal would have to type out the responses very quickly and the target might get suspicious. In the story from the San Francisco Chronicle, the phone was “taken over” by the so-called police officer at the scene of the accident, who told the parents that their son would be taken into custody.

This was later followed a cold call by someone posing as legal representative for their son, asking for money to for bail. The intended victims got suspicious when the so-called lawyer said he’d send a courier to pick up the bail money.

The FBI says it has received more than 195 complaints about this type of scam that it refers to as “grandparent scams.” It reports nearly $1.9 million in losses, from January through September of 2023.

**How to avoid scams like this**

One of the main tools for the imposters is the amount of information they can round up about the target. Their main sources will include social media and phishing.

There are a few simple precautions to lessen the chances of falling victim to such scams:

*   Avoid letting third parties know too many personal details about you.
*   Do not answer telephone calls from numbers you do not recognize or calls from private numbers.
*   Ask for the caller’s telephone number and check it.
*   If necessary, try to reach your allegedly implicated family member by phone. If you can’t reach them directly, call someone else who might know where they are.
*   Hang up if in doubt and never give financial or personal information to the caller.
*   If you receive or have received such a call, please notify the police immediately and under no circumstances respond to the perpetrators’ demands.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 AI used to fake voices of loved ones in “I’ve been in an accident” scam 

Once, drug dealers and money launderers saw cryptocurrency as perfectly untraceable. Then a grad student named Sarah Meiklejohn proved them all wrong—and set the stage for a decade-long crackdown.

How a 27-Year-Old Codebreaker Busted the Myth of Bitcoin’s Anonymity

Cybersecurity researchers have identified a "lightweight method" called iShutdown for reliably identifying signs of spyware on Apple iOS devices, including notorious threats like NSO Group's Pegasus, QuaDream's Reign, and Intellexa's Predator. 
Kaspersky, which analyzed a set of iPhones that were compromised with Pegasus, said the infections left traces in a file

Spyware / Forensic Analysis

Cybersecurity researchers have identified a "lightweight method" called **iShutdown** for reliably identifying signs of spyware on Apple iOS devices, including notorious threats like NSO Group's Pegasus, QuaDream's Reign, and Intellexa's Predator.

Kaspersky, which analyzed a set of iPhones that were compromised with Pegasus, said the infections left traces in a file named "Shutdown.log," a text-based system log file available on all iOS devices and which records every reboot event alongside its environment characteristics.

"Compared to more time-consuming acquisition methods like forensic device imaging or a full iOS backup, retrieving the Shutdown.log file is rather straightforward," security researcher Maher Yamout said. "The log file is stored in a sysdiagnose (sysdiag) archive."

The Russian cybersecurity firm said it identified entries in the log file that recorded instances where "sticky" processes, such as those associated with the spyware, caused a reboot delay, in some cases observing Pegasus-related processes in over four reboot delay notices.

What's more, the investigation revealed a the presence of a similar filesystem path that's used by all the three spyware families – "/private/var/db/" for Pegasus and Reign, and "/private/var/tmp/" for Predator – thereby acting as an indicator of compromise.

That said, the success of this approach hinges on a caveat that the target user reboots their device as often as possible, the frequency for which varies according to their threat profile.

Kaspersky has also published a collection of Python scripts to extract, analyze, and parse the Shutdown.log in order to extract the reboot stats.

"The lightweight nature of this method makes it readily available and accessible," Yamout said. "Moreover, this log file can store entries for several years, making it a valuable forensic artifact for analyzing and identifying anomalous log entries."

The disclosure comes as SentinelOne revealed information stealers targeting macOS such as KeySteal, Atomic, and JaskaGo (aka CherryPie or Gary Stealer) are quickly adapting to circumvent Apple's built-in antivirus technology called XProtect.

"Despite solid efforts by Apple to update its XProtect signature database, these rapidly evolving malware strains continue to evade," security researcher Phil Stokes said. "Relying solely on signature-based detection is insufficient as threat actors have the means and motive to adapt at speed."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New iShutdown Method Exposes Hidden Spyware Like Pegasus on Your iPhone

By Deeba Ahmed
Another day, another zero-day flaw driving the cybersecurity world crazy.
This is a post from HackRead.com Read the original post: Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks

The vulnerabilities in Ivanti VPN devices enable remote, unauthenticated hackers to compromise targeted devices, execute arbitrary commands, infiltrate internal networks, and steal sensitive data.

Threat intelligence firm Volexity has discovered a rise in attacks exploiting two Ivanti zero-day vulnerabilities discovered in the second week of December 2023.

According to Volexity, at least 20 organizations using Ivanti Connect Secure VPN appliances have been compromised in cyberattacks leveraging Ivanti zero-day flaws, CVE-2023-46805 and CVE-2024-21887. Volexity has confirmed with “medium confidence” that the number of compromised systems is likely higher than what it discovered. 

The flaws, discovered by Volexity researchers, impacted Ivanti Connect Secure VPN and Policy Secure NAS appliances and were disclosed last week by Avanti.

On January 10, Volexity warned that a group UTA0178, supposedly affiliated with China, exploited these vulnerabilities to gain access to internal networks and steal information. On January 11, the company observed a series of targeted attacks on Ivanti VPN appliances, causing widespread exploitation of these flaws.

For your information, CVE-2023-46805 is an authentication bypass flaw with a CVSS rating of 8.2), impacting Ivanti ICS 9.x, 22.x, and Ivanti Policy Secure. The second flaw, CVE-2024-21887, is a command injection vulnerability with a CVSS score of 9.1, impacting Ivanti Connect Secure 9.x, 22.x, and Ivanti Policy Secure.

If exploited, these allow remote, unauthenticated attackers to compromise targeted devices by executing arbitrary commands, infiltrating internal networks, and stealing sensitive data.

Volexity noted that an unknown APT group launched initial attacks on ICS VPN appliances in December 2023, downloading malware tool kits for espionage. Multiple threat actors have since attacked hundreds of appliances and backdoored targets’ systems using a GIFTEDVISITOR webshell variant.

As of January 14, 2023, over 1,700 ICS VPN appliances were compromised, researchers revealed after scanning 50,000 Ivanti VPN-linked IPs. The highest percentage of victims were found in the US and Europe, impacting small-scale businesses to Fortune 500 companies in government, military, telecom, defence, tech, banking, finance, accounting, aerospace, aviation, and engineering sectors.

Mandiant also observed that a suspected state-sponsored threat actor dubbed UNC5221 leveraged these flaws last month to deploy up to five custom malware families. These include the ZIPLINE backdoor, WARPWIRE credential harvester, THINSPOOL shell script dropper, and LIGHTWIRE web shell. 

Mandiant noted in its report that threat actors UNC5221 launched “opportunistic attacks” to maintain persistence on high-priority targets that it had compromised “after a patch was inevitably released.”

Ivanti plans to release patches to fix these flaws by January 22, 2024, with final patches expected on February 19, 2024. A workaround is available to prevent exploitation until the patches are released. Organizations using vulnerable products should implement it immediately.

****_RELATED ARTICLES_****

1.  **APTs Exploiting WinRAR 0day Flaw Despite Patch Availability**
2.  **CACTUS ransomware evades exploits VPN flaws to hack networks**
3.  **Windows Defender SmartScreen Flaw Exploited with Phemedrone Stealer**
4.  **Flashpoint Uncovers 100,000+ Hidden Vulnerabilities, Including Zero-Days**
5.  **UAC-0099 Hackers Using Old WinRAR Flaw in New Cyberattack on Ukraine**

Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks

Patching every device affected by the LeftoverLocals vulnerability—which includes some iPhones, iPads, and Macs—may prove difficult.

As more companies ramp up development of artificial intelligence systems, they are increasingly turning to graphics processing unit (GPU) chips for the computing power they need to run large language models (LLMs) and to crunch data quickly at massive scale. Between video game processing and AI, demand for GPUs has never been higher, and chipmakers are rushing to bolster supply. In new findings released today, though, researchers are highlighting a vulnerability in multiple brands and models of mainstream GPUs—including Apple, Qualcomm, and AMD chips—that could allow an attacker to steal large quantities of data from a GPU’s memory.

The silicon industry has spent years refining the security of central processing units, or CPUs, so they don’t leak data in memory even when they are built to optimize for speed. However, since GPUs were designed for raw graphics processing power, they haven’t been architected to the same degree with data privacy as a priority. As generative AI and other machine learning applications expand the uses of these chips, though, researchers from New York–based security firm Trail of Bits say that vulnerabilities in GPUs are an increasingly urgent concern.

“There is a broader security concern about these GPUs not being as secure as they should be and leaking a significant amount of data,” Heidy Khlaaf, Trail of Bits’ engineering director for AI and machine learning assurance, tells WIRED. “We’re looking at anywhere from 5 megabytes to 180 megabytes. In the CPU world, even a bit is too much to reveal.”

To exploit the vulnerability, which the researchers call LeftoverLocals, attackers would need to already have established some amount of operating system access on a target’s device. Modern computers and servers are specifically designed to silo data so multiple users can share the same processing resources without being able to access each others’ data. But a LeftoverLocals attack breaks down these walls. Exploiting the vulnerability would allow a hacker to exfiltrate data they shouldn’t be able to access from the local memory of vulnerable GPUs, exposing whatever data happens to be there for the taking, which could include queries and responses generated by LLMs as well as the weights driving the response.

In their proof of concept, as seen in the GIF below, the researchers demonstrate an attack where a target—shown on the left—asks the open source LLM Llama.cpp to provide details about WIRED magazine. Within seconds, the attacker’s device—shown on the right—collects the majority of the response provided by the LLM by carrying out a LeftoverLocals attack on vulnerable GPU memory. The attack program the researchers created uses less than 10 lines of code.

An attacker (right) exploits the LeftoverLocals vulnerability to listen to LLM conversationsVideo: Trail of Bits

Last summer, the researchers tested 11 chips from seven GPU makers and multiple corresponding programming frameworks. They found the LeftoverLocals vulnerability in GPUs from Apple, AMD, and Qualcomm, and launched a far-reaching coordinated disclosure of the vulnerability in September in collaboration with the US-CERT Coordination Center and the Khronos Group, a standards body focused on 3D graphics, machine learning, and virtual and augmented reality.

The researchers did not find evidence that Nvidia, Intel, or Arm GPUs contain the LeftoverLocals vulnerability, but Apple, Qualcomm, and AMD all confirmed to WIRED that they are impacted. This means that well-known chips like the AMD Radeon RX 7900 XT and devices like Apple’s iPhone 12 Pro and M2 MacBook Air are vulnerable. The researchers did not find the flaw in the Imagination GPUs they tested, but others may be vulnerable.

An Apple spokesperson acknowledged LeftoverLocals and noted that the company shipped fixes with its latest M3 and A17 processors, which it unveiled at the end of 2023. This means that the vulnerability is seemingly still present in millions of existing iPhones, iPads, and MacBooks that depend on previous generations of Apple silicon. On January 10, the Trail of Bits researchers retested the vulnerability on a number of Apple devices. They found that Apple’s M2 MacBook Air was still vulnerable, but the iPad Air 3rd generation A12 appeared to have been patched.

A Flaw in Millions of Apple, AMD, and Qualcomm GPUs Could Expose AI Data

The FTC forced a data broker to stop selling “sensitive location data.” But most companies can avoid such scrutiny by doing the bare minimum, exposing the lack of protections Americans truly have.

The US Federal Trade Commission (FTC) reached a settlement last week with an American data broker known to sell location data gathered from hundreds of phone apps to the US government, among others. According to the agency, the company ignored in some cases the requests of consumers not to do so, and more broadly failed to ensure that users were notified of how their harvested data would be used.

News that the settlement requires the company, formerly known as X-Mode, to stop selling people's “sensitive location data” was met with praise from politicians calling the outcome “historic” and reporters who deemed the settlement a “landmark” win for the American consumer. This “major privacy win,” as one outlet put it, will further require the company, rebranded as Outlogic after its activities were exposed, to delete all of the data it has illicitly gathered so far.

Outlogic, for its part, offered a drastically different take, denying any wrongdoing and vowing that the FTC order would “not require any significant changes” to its practices or products. While the company is potentially downplaying the cost to its business, it is certainly true that any ripples from the settlement will be imperceptible to consumers and Outlogic's industry at large—one which profits by selling Americans' secrets to spy agencies, police, and the US military, helping the government to dodge the supervision of the courts and all its pesky warrant requirements.

The FTC's crackdown on X-Mode's activities may indeed be historic, but from a consumer standpoint, it’s for all the wrong reasons. First, it's important to understand that the order concerns what the FTC is calling “sensitive location data,” a term of art impressively deluding and redundant at the same time. Any data that exhaustively chronicles a person’s physical presence—every moment of every day—is inherently sensitive.

There is no question that persistently tracking people’s whereabouts reveals political, religious, and even sexual associations. The act of collecting this data is a sweeping form of surveillance no matter the target. While it is easier, perhaps, to imagine how guests of “medical and reproductive health clinics, places of religious worship and domestic abuse shelters” are especially vulnerable to commercial forms of stalking, there are myriad ways in which people's whereabouts, once exposed, can endanger or ruin their lives.

Location data is inherently sensitive—so says society, an overwhelming consensus of privacy experts, and the highest court in the land.

One need only look to Congress to understand the level of fear that this precise form of surveillance inspires in those who’ve never been battered, stalked, or unhoused. Members of the House Intelligence Committee—most of whom lack an internal reproductive system—are vying at this very moment to shield federal lawmakers alone from this invasive and omnipresent tracking.

Given the current political climate, it’s not hard to imagine why politicians are afraid of surrendering their location data, leaving it accessible to virtually anyone on the cheap. But they are relatively few in number, and hardly any of them fall into the category of “most at-risk” for violence or discrimination. Unlike those who do, members of Congress have the unique power to change the law and protect themselves. Given the opportunity, that’s precisely what many have opted to do—just as they did a year earlier for federal judges.

Protection against persistent tracking is something we can definitively say is being sought after by a privileged few. But citing law enforcement needs and nebulous national security concerns, protecting anyone other than themselves is a matter that apparently demands more discussion, more caution, and more delay.

If America is creating a new protected class to shield federal lawmakers alone from surveillance, then it must accept that, unlike the vast majority of citizens who’ve never been accused of a crime, this class would be historically replete with criminals. US lawmakers have faced charges and convictions for bribery, perjury, and felony theft, not to mention obstruction of justice, withholding evidence of secret arms sales, and the possession of child sexual abuse material.

The FTC's victory in the Outlogic case is even more piddling in light of the commission today being led by one of the most vocal privacy protection advocates it has ever had, chairperson Lina Khan. That the company is still in business and touting how little the settlement matters underscores how truly underpowered and ill-equipped the FTC is for the job it's been asked to perform. It is not actually armed to protect Americans from being relentlessly surveilled, nor is that even technically its mission. Under the current regime, the agency is permitted at best to hold surveillants to a standard of “notice and choice,” one both illusory and enabling corporations (and the US government by proxy) to right now track Americans’ whereabouts at any time, all of the time, with no real legal concern.

The FTC’s principle regulatory weapon in privacy cases is known as Section Five, and it largely targets companies in privacy cases for lying. The case against Outlogic, for example, is based in part on its failure to disclose how people’s location data would ultimately be used. It did not, the FTC says, notify users that their data might be sold to government agencies for “national security purposes.” Here, the FTC's job is to ensure consumers receive “notice” of how their data is being used. But the job is a sham, and everyone who's ever clicked “I agree” on a privacy policy knows it.

Before the Outlogic case, only a small number of Americans even knew the company existed. An even smaller number had ever glanced at its terms of service, and even fewer—we’re now approaching zero—could be said to have actually read and understood what it said. Commissioners at the agency have long acknowledged as much.

“It is no wonder,” Commissioner Rebecca Slaughter said in 2019, that “98 percent” of people in one study clicked “I agree” to privacy policies that “disclosed sharing with the NSA and paying for the service by signing away your first-born child.”

The same study, out of York University, labeled the “notice” aspect of privacy regulation “the biggest lie on the internet,” detailing how research showed over 75 percent of users opted to skip reading privacy policies altogether. Those who didn’t, on average, spent roughly a minute skimming policies that would’ve taken an ordinary person 15-17 minutes to actually read, let alone comprehend.

Famously, a decade ago, researchers out of Carnegie Mellon determined that it would take an average person roughly 76 working days to consume all of the privacy policies they encounter in a year. The use of “gotcha clauses” has also been repeatedly used to demonstrate that people _do not read_ the terms of service. To wit, in July 2010, it was reported that more than 7,500 people had unknowingly sold their souls to a video game company.

These facts demonstrate unequivocally that the crime for which Outlogic is accused—failing to give consumers notice of how their data would be used—is not one of greed or opportunity, but sheer stupidity. The law is all but performative, so companies have nothing to lose by complying. Users can be counted on to agree to basically anything (up to and including being enslaved for all eternity).

People cannot “consent” to something they do not understand, just as consent cannot really be called “consent” when it involves a metaphorical gun to the head.

The truth is that even if users were strapped to a chair and forced to spend the 600 hours a year it would take to devour all of the purposely dense legal terms they agree to, many of those agreements are patently coerced, as the Supreme Court has said. So ubiquitous now is the technology tracking our movements, in “no meaningful sense” are people voluntarily accepting the risks of allowing companies to access and share that information. It is a matter of participating in society or not; of being employed or not.

It is also the FTC’s job to protect consumers from harm. But the definition of “harm”—like “notify” and “consent”—is watered down to the point of creating a serious gap between what it means and how most people actually use it. Companies are effectively free to harm people anyway, so long as it’s deemed "reasonably" avoidable by the agency and beneficial to competition on the whole.

Should the FTC fail to act, consumers have little recourse but to sit and suffer. It is nearly impossible for an individual to obtain standing in federal court to sue a corporation after their privacy is violated, assuming they can even afford to try. Merely exposing personal information is not enough. A test created by two recent Supreme Court rulings requires victims to demonstrate “concrete harm” to bring a case, even if tying any one company to an act of identity theft, harassment, or financial loss is, in nearly every instance, a fantastical objective.

Congress's last big push to pass a comprehensive privacy bill—the American Data Privacy and Protection Act of 2022—ironically would have exempted Outlogic’s activities altogether. Fearful of fighting a war on two fronts, its authors choose to purposefully avoid going after companies contracting with intelligence and law enforcement agencies. But there is one bill floating in Congress right now aimed at ending the government’s ongoing practice of buying location data from Outlogic-like companies and circumventing the courts.

The Fourth Amendment Is Not For Sale Act was introduced and passed by the House Judiciary Committee last month as part of a bigger package aiming to reauthorize and reform the problematic US intelligence program known as Section 702. The bill is slated to be taken up again this year, likely in February, sparking one of the fiercest fights over US privacy law Americans have seen in years.

Outlawing a pervasive practice that helped transform domestic surveillance into a windfall industry is a move that would be actually historic—for all the right reasons.

The Sad Truth of the FTC's Location Data Privacy Settlement

By Deeba Ahmed
Anonymous Sudan is a pro-Russia hacktivist group, and their emergence aligns with the rise of other pro-Russian cyber actors since the beginning of the Ukraine war.
This is a post from HackRead.com Read the original post: Anonymous Sudan Claims London Internet Exchange Attack Over Yemen Strikes

Anonymous Sudan claimed responsibility for the cyber attacks on the London Internet Exchange (LINX) on Telegram.

Anonymous Sudan, a Russia-affiliated hacktivist group comprising members from various backgrounds, has claimed responsibility for a cyberattack on the London Internet Exchange (LINX). It is one of the world’s largest exchange points.

The London Internet Exchange (LINX) is a mutually governed Internet exchange point (IXP) based in London, UK. It provides peering services and public policy representation to network operators within the UK and beyond.

The group claims its cyber attack to be a response to Britain’s support to Israel and the launching of air attacks on Yemen. Anonymous Sudan has also threatened to cause a major setback to the UK with a big cyberattack in the coming days.

On January 12, 2023, on its Telegram channel, the group posted about the attack on LINX, but this claim is yet to be confirmed. However, according to a tweet from OSINT specialists at CyberKnow, LINX’s website remained online amid the group’s claims, leaving questions about the authenticity of the claims or if they are merely speculation.

Screenshot: Sergey Shykevich, cyber threat intelligence manager at Check Point

For your information, the UK and the USA launched air strikes against Houthi military targets in Yemen. The UK targeted 30 Houthi military sites using 150 precision-guided munitions, killing five militants. UK Prime Minister Rishi Sunak approved the military action.

Britain’s move was a response to Houthi attacks on international maritime vessels in the Red Sea. US officials reportedly fired over 80 Tomahawk cruise missiles from three destroyers and a submarine. The action also involved 22 jets from the USS Eisenhower aircraft carrier.

Anonymous Sudan is known for using massive DDoS attacks, targeting both anti-Russian and anti-Muslim groups/entities. Lately, they have been launching attacks almost weekly, targeting airlines, governments, banks, large enterprises, airports, and telcos.

In November 2023, the same group also claimed responsibility for DDoS attacks on ChatGPT and caused service disruptions. They were previously involved in cyber attacks on Microsoft’s flagship office suite, including popular applications like Outlook and OneDrive, as well as its Azure cloud computing platform back in June 2023.

Since its inception, Anonymous Sudan has been active on Telegram, warning about potential attacks and updating them live. Its key targets include Israeli Prime Minister Benjamin Netanyahu’s websites, Mossad, and also collaborated with Killnet.

****_RELATED ARTICLES_****

1.  **Russian Killnet Hackers Claim Data Theft of FBI Agents**
2.  **KillNet Claims Creating Gay Dating Profiles with NATO Logins**
3.  **Pro-Russian Killnet group hits UK organizations with DDoS attacks**
4.  **Russian Hackers Employ Telekopye Toolkit in Broad Phishing Attacks**
5.  **Russian APT29 Hacked US Biomedical Giant in TeamCity-Linked Breach**

Anonymous Sudan Claims London Internet Exchange Attack Over Yemen Strikes

By Deeba Ahmed
The attacks, potentially linked to Russian APT Sandworm, exploited vulnerabilities in Zyxel firewalls.
This is a post from HackRead.com Read the original post: Forescout Report Uncovers New Details in Danish Energy Hack

The potential involvement of Sandworm, the wider threat beyond attribution, the vulnerability of Zyxel firewalls and the focus on European energy firms call for improved cybersecurity posture and threat intelligence.

Forescout, a global cybersecurity leader, has provided new evidence about two attacks on the Danish energy sector in May 2023 (PDF). Their report, ‘Clearing the Fog of War,’ highlights the need for better network monitoring and incident response plans and analyzes the potential involvement of an advanced persistent threat (APT) group called Sandworm.

For your information, SektorCERT, Denmark’s critical infrastructure CERT, reported a significant cyber-related attack on 22 Danish energy sector companies between May 11-30, 2023. The attacks, linked to Russian APT Sandworm, exploited vulnerabilities in Zyxel firewalls. Despite SektorCERT’s swift response, some companies were forced into island mode, allowing attackers to access industrial control systems.

Forescout Research-Vedere Labs report shed light on this incident. Reportedly, the first wave of attacks started on May 11, 2023, exploiting CVE-2023-28771, a pre-authentication OS command injection vulnerability in unpatched Zyxel firewalls.

A second wave occurred on May 22, 2023, where attackers downloaded MIPS binaries from 45.89.106147 to Zyxel firewalls in an energy sector organization containing Mirai variants with Moobot flavour indicators. The firewalls participated in DDoS and SSH brute-force attacks against targets in Hong Kong, the U.S., and Canada.

Zyxel firewalls at other SektorCERT member organizations were also observed downloading Mirai variants from staging servers, historically associated with malware distribution, adware, ransomware, and Log4j exploitation attempts.

 “After the second incident, further attacks targeted exposed devices within critical infrastructure worldwide in the ensuing months,” the report read.

Researchers couldn’t fully attribute the attacks to Sandworm given the difference between the two waves. The first wave targeted a limited number of targets using a PoC-less n-day while the second wave involved Zyxel firewalls infected by staging servers with a history of mass exploitation and crimeware, explained Elisa Costante, VP of Research at Forescout Research–Vedere Labs.

The study found numerous IP addresses exploiting the Zyxel vulnerability CVE-2023-28771, first reported by TRAPA Security in June 2023 and added to the CISA KEV catalogue in May 2023 with a 9.8 severity rating.

In April 2023, Zyxel announced patches for impacted firewalls, including USG Flex, ATP, ZyWALL/USG, and VPN. However, FortiGuard Labs reported a rise in DDoS botnets exploiting the Zyxel vulnerability, which persisted as late as October 2023 and spread across various devices, including Zyxel firewalls.

In May 2023, Hackread reported how a variant of the Mirai botnet, IZ1H9, successfully hacked Zyxel Firewalls using a patched command injection vulnerability, potentially leading to DDoS attacks. Researchers from Palo Alto Networks’ Unit 42 identified it as the most active Mirai variant.

Europe faces high exploitation attempts, with 80% of publicly identifiable and potentially vulnerable firewalls located there. Six European power companies are at risk of exploitation by malicious actors due to their use of Zyxel firewalls, highlighting the need for prioritizing threat intelligence in the energy sector.

Living off the land (LotL) attacks offer stealth benefits, allowing attackers to abstract away from legacy/proprietary protocols. Energy firms and critical infrastructure organizations must remain alert to attacks on unpatched network infrastructure devices.

Exposed Zyxel firewalls

**Expert Opinions**

For insight into the new development, we reached out to John Gallagher, Vice President of Viakoo Labs at Viakoo who praised Forescout for “digging deeper into exploits against critical infrastructure, and getting closer to the truth of what is behind these attacks.”

“Getting a more accurate assessment of these attack vectors, and getting to that truth more quickly as Forescout has provided, is crucial in protecting these critical assets. Disrupting cyber adversaries in their efforts is one form of defence; that’s why getting specific as to who is the threat actor is critical to defending ICS infrastructure,” he said.

“Forescout’s analysis points to the spillover from nation-state-directed cyber exploits to mass exploitation campaigns, which is an alarming trend. As “mass market” threat actors become more skilled at working within the unique languages and protocols of ICS systems it dramatically increases the risk of non-affiliated threat actors providing “as a service” ICS exploitation,” John added.

“In addition, this means organizations who depend on IoT/OT/ISC systems will be direct targets at some point to the same threats being launched against national critical infrastructure.”

Jose Seara, CEO and founder at DeNexus emphasizes the need for companies to “strengthen their cybersecurity posture” by understanding their cyber risks, identifying them, and quantifying them in monetary terms.

“Critical infrastructure and industrial sites have been increasingly targeted by threat actors and they all need to strengthen their cybersecurity posture. It is imperative for these companies to better understand their cyber risks, identify them and quantify them in monetary terms to drive data-driven decisions on cybersecurity investments,” said Jose.

“Additionally, new SEC regulations on cybersecurity reporting in the U.S. and the NIS2 in Europe are mandating the reporting cyber risk management, expanding the associated consequences of attacks beyond standard security concerns and putting organizations who do not comply at risk of potential legal and financial implications,” he added.

****_RELATED ARTICLES_****

1.  **Mirai botnet exploiting Azure OMIGOD vulnerabilities**
2.  **DDoS Attacks Hit Denmark Central Bank and 7 Private Banks**
3.  **Attacker builds malware variant with leaked Mirai source code**
4.  **Denmark’s largest train operator hit by service crippling DDoS attack**
5.  **Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer**

Forescout Report Uncovers New Details in Danish Energy Hack

Plus: Chinese officials tracked people using AirDrop, Stuxnet mole’s identity revealed, AI chatbot hacking, and more.

“EBay's actions against us had a damaging and permanent impact on us—emotionally, psychologically, physically, reputationally, and financially—and we strongly pushed federal prosecutors for further indictments to deter corporate executives and board members from creating a culture where stalking and harassment is tolerated or encouraged,” Ina and David Steiner say in a victim statement published online. The couple also highlighted that EcommerceBytes has filed a civil lawsuit against eBay and its former employees that is set to be heard in 2025.

China’s Judicial Bureau has claimed a privately run research institution, the Beijing Wangshendongjian Judicial Appraisal Institute, has created a way to identify people using Apple’s AirDrop tool, including determining phone numbers, email addresses, and device names. Police have been able to identify suspects using the technique, according to reports and a post from the Institute. Apple’s wireless AirDrop communication and file-sharing method has previously been used in China to protest the leadership of President Xi Jinping, and Apple introduced a 10-minute time limit sharing period in China, before later rolling it out globally.

In a blog post analyzing the incident, Johns Hopkins University cryptographer Matthew Green says the attack was initially discovered by researchers at Germany’s Technical University of Darmstadt in 2019. In short, Green says, Apple doesn’t use a secure private set intersection that can help mask people’s identity when communicating with other phones using AirDrop. It’s unclear if Apple plans to make any changes to stop AirDrop being abused in the future.

It’s been more than 15 years since the Stuxnet malware was smuggled into Iran’s Natanz uranium enrichment plant and destroyed hundreds of centrifuges. Despite the incident happening over a decade ago, there are still plenty of details that remain unknown about the attack, which is believed to have been coordinated by the US and Israel. That includes who may have delivered the Stuxnet virus to the nuclear facility—a USB thumb drive was used to install the worm into the nuclear plant’s air-gapped networks. In 2019, it was reported that Dutch intelligence services had recruited an insider to help with the attack. This week, the Dutch publication _Volkskrant_ claimed to identify the mole as Erik van Sabben. According to the report, van Sabben was recruited by Dutch intelligence service AIVD in 2005, and politicians in the Netherlands did not know about the operation. Van Sabben is said to have left Iran shortly after the sabotage began. However, he died two weeks later, on January 16, 2009, after being involved in a motorcycle accident in Dubai.

The rapid advances in generative AI systems, which use machine learning to create text and produce images, has seen companies scrambling to incorporate chatbots or similar technologies into their products. Despite the progress, traditional cybersecurity practices of locking down systems from unauthorized access and making sure apps can’t access too much data still apply. This week, 404 Media reported that Chattr, a company creating an “AI digital assistant” to help with hiring, exposed data through an incorrect Firebase configuration and also revealed how its systems work. This includes the AI appearing to have the ability to “accept or deny job applicants.” The pseudonymous security researcher behind the finding, MrBruh, shared a video with 404 Media showing the chatbot appearing to automatically make decisions about job applications. Chattr secured the exposed systems after being contacted by the researchers but did not comment on the incident.

A Bloody Pig Mask Is Just Part of a Wild New Criminal Charge Against eBay

A 29-year-old Ukrainian national has been arrested in connection with running a “sophisticated cryptojacking scheme,” netting them over $2 million (€1.8 million) in illicit profits.
The person was apprehended in Mykolaiv, Ukraine, on January 9 by the National Police of Ukraine with support from Europol and an unnamed cloud service provider following “months of intensive collaboration.”
“A cloud

Cryptojacking / Cloud Security

A 29-year-old Ukrainian national has been arrested in connection with running a "sophisticated cryptojacking scheme," netting them over $2 million (€1.8 million) in illicit profits.

The person was apprehended in Mykolaiv, Ukraine, on January 9 by the National Police of Ukraine with support from Europol and an unnamed cloud service provider following "months of intensive collaboration."

"A cloud provider approached Europol back in January 2023 with information regarding compromised cloud user accounts of theirs," Europol said, adding it shared the intelligence with the Ukrainian authorities.

As part of the probe, three properties were searched to unearth evidence against the suspect.

Cryptojacking refers to a type of cyber crime that entails the unauthorized use of a person's or organization's computing resources to mine cryptocurrencies.

On the cloud, such attacks are typically carried out by infiltrating the infrastructure via compromised credentials obtained through other means and installing miners that use the infected host's processing power to mine crypto without their knowledge or consent.

"If the credentials do not have the threat actors' desired permissions, privilege escalation techniques are used to obtain additional permissions," Microsoft noted in July 2023. "In some cases, threat actors hijack existing subscriptions to further obfuscate their operations."

The core idea is to avoid paying for necessary infrastructure required to mine cryptocurrencies, either by taking advantage of free trials or compromising legitimate tenants to conduct cryptojacking attacks.

In October 2023, Palo Alto Networks Unit 42 detailed a cryptojacking campaign in which threat actors were found stealing Amazon Web Services (AWS) credentials from GitHub repositories within five minutes of their public disclosure to mine Monero.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel