Microsoft on Friday said it will disable its much-criticized artificial intelligence (AI)-powered Recall feature by default and make it an opt-in.
Recall, currently in preview and coming exclusively to Copilot+ PCs on June 18, 2024, functions as an "explorable visual timeline" by capturing screenshots of what appears on users' screens every five seconds, which are subsequently analyzed and

Microsoft Revamps Controversial AI-Powered Recall Feature Amid Privacy Concerns

A security vulnerability in Ariane Allegro Hotel Check-In Kiosks exposed guest data and potentially compromised room access. However,…

A security vulnerability in Ariane Allegro Hotel Check-In Kiosks exposed guest data and potentially compromised room access. However, a patch has been developed and is now available to address this issue, enhancing the security of the system

Pentagrid, a Swiss cybersecurity firm, recently uncovered a vulnerability in Ariane Allegro Scenario Player, a widely used software program in hotel check-in kiosks. The vulnerability could allow someone to exit the kiosk’s intended use (kiosk mode) and access the underlying Windows Desktop OS. 

The software vendor, Ariane Systems, is a world leader in self-check-in and out solutions, serving 3,000 hotels and 500,000 rooms in over 25 countries. 

During a threat modelling workshop at a hospitality brand in Liechtenstein and Switzerland, Pentagrid’s Martin Schobert revealed that the app crashed in Kiosk mode after entering a single quote character into the guest search. 

The hotel brand uses this check-in terminal, likely a type Ariane Duo 6000 series, for smaller locations to facilitate room booking/check-in, initiate payment via a POS terminal, provision RFID transponders to open the booked hotel room, and print invoices.

Schobert found that guests/users have to search for room reservations by entering booking code or surname. If the name contains a single-quote, such as “O’YOLO,” the application hangs, the Windows OS prompts the user to wait or stop the task, and selecting stop terminates the kiosk mode application.

Screenshot: Pentagrid

When stopped, the Windows OS becomes accessible, which may have adverse consequences. such as allowing hotel network attacks, access to data stored on the terminal, including PII, reservations, and invoices, and RFID transponder allowing room keys to be created for other rooms. However, to exploit the flaw, the user must have physical access to the system, and the terminal must be in a self-service state, which hotels typically enable during specific times.

A CVE for the vulnerability is yet to be assigned whereas Kiosk Mode Bypass severity has been given as 6.3 (Medium). The vulnerability, discovered in March 2024, was promptly communicated to the vendor.

Ariane Systems clarified that these are “legacy systems,” in which the USB ports are disabled and “no PII or exploitable data can be retrieved from the kiosk.” Moreover, it believed the hotel must be using an outdated version of the software. However, Pentagrid asserted that the system’s design lets “the kiosk produces and keeps accessible invoice files.”  

Nevertheless, Ariane Systems confirmed the issue has been fixed. However, the exact version fixing the issue isn’t publicly known. Hackread suggests contacting the vendor directly for clarification and installing the latest version immediately to stay protected. 

John Bambenek, President of Cybersecurity and Threat Intelligence Consulting firm Bambenek Consulting commented on the issue emphasising the dangers of the potential access to victims’ rooms in domestic violence cases, theft of credit card data due to terminals doubling as POS devices.

_“_The biggest risk involves various domestic violence and stalking scenarios where unwanted guests could get keys to open a victim’s room. As these devices are also used as POS terminals to facilitate payments of hotel rooms, presumably the biggest risk there is stolen credit card information._“_

_“_The underlying issue seems to be that the specific terminals at this specific location had the vulnerability (albeit, a very simple one to find) and later versions did not. Kiosks tend to be “set and forget” devices which means operators may not know they need to be updated on a routine basis…or if they are updated at all,_“_ he added.

_“_These devices probably cannot be completely isolated from the main hotel network as part of the point is to issue keys and handle room management, however, the devices should be limited to sending only required machines and ports with everything else filtered,_“_ Bambenek advised.

1.  Vietnamese Group Hacks and Sells Bedroom Camera Footage
2.  Hotel reservation platform leaked data from online booking sites
3.  Vulnerability Exposed Ibis Budget Guest Room Codes to Hackers

Hotel Kiosks Vulnerability Exposed Guest Data, Room Access

Google is urging third-party Android app developers to incorporate generative artificial intelligence (GenAI) features in a responsible manner.
The new guidance from the search and advertising giant is an effort to combat problematic content, including sexual content and hate speech, created through such tools.
To that end, apps that generate content using AI must ensure they don't create

The AI Debate: Google's Guidelines, Meta's GDPR Dispute, Microsoft's Recall Backlash

Synopsys warns of a new prompt injection hack involving a security vulnerability in EmailGPT, a popular AI email…

Synopsys warns of a new prompt injection hack involving a security vulnerability in EmailGPT, a popular AI email assistant. Learn how a security flaw in EmailGPT could allow hackers to steal your data or cause financial losses. Discover what you can do to protect yourself and why security is crucial in AI-powered tools.

A security vulnerability discovered by Synopsys’ Cybersecurity Research Center (CyRC) has exposed a potential pitfall for users of EmailGPT, a popular AI-powered email writing assistant and Google Chrome extension.

This vulnerability, tracked as CVE-2024-5184 and dubbed prompt injection, could allow malicious threat actors to manipulate the service and potentially compromise sensitive information.

****What is EmailGPT?****

EmailGPT leverages OpenAI’s GPT models to assist users in crafting emails within Gmail. Users can receive AI-generated suggestions for composing emails more efficiently by providing prompts and context. However, the recent discovery highlights a potential security flaw in this functionality.

****The Prompt Injection Threat****

EmailGPT uses an API service that allows a malicious user to inject a direct prompt and take over the service logic. Attackers can exploit this by forcing the AI service to leak standard system prompts or execute unwanted prompts.

When submitting a malicious prompt, the system provides the requested data, making it vulnerable to exploitation by anyone having access to the service. The vulnerability has a CVSS score of 6.5, indicating medium severity.

****Possible Dangers****

A malicious user could create a prompt that injects unintended functionality, potentially leading to data extraction, spam campaigns using compromised accounts, and generating misleading email content, contributing to disinformation campaigns. Apart from causing intellectual property leakage, this vulnerability can lead to denial-of-service, and financial loss when exploited. 

As per Synopsys’ blog post, researchers reached out to the developers of EmailGPT before publicizing the details, adhering to their responsible disclosure policy, but did not receive a response yet. Researchers recommend immediately removing EmailGPT from any installations as no workaround is currently available.

Users should stay informed about updates and patches to ensure continued secure use of the service. As AI technology continues to evolve, vigilance and robust security practices will be crucial to mitigate potential risks.

> _“The CyRC reached out to the developers but has not received a response within the 90-day timeline dictated by our responsible disclosure policy. The CyRC recommends removing the applications from networks immediately.”_
> 
> Synopsys

Patrick Harr, CEO at Pleasanton, Calif.- based SlashNext Email Security commented on the issue and emphasised the importance of strong governance and security measures for AI models to prevent vulnerabilities and exploits, stating that businesses should require proof of security from AI model suppliers before integrating them into their operations.

_“_This latest research by the Synopsys Cybersecurity Research Center further highlights the importance of strong governance on building, securing and red-teaming the AI models themselves. At its core, AI is code that can be exploited like any other code and the same processes need to be put in place to secure that code to prevent these unwanted prompt exploits,_“_ Patrik said. 

_“_Security and governance of the AI models are paramount as part of the culture and hygiene of companies building and proving the AI models either through applications or APIs. Customers particularly businesses need to demand proof of how the suppliers of these models are securing themselves including data access BEFORE they incorporate them into their business,_“_ he added.

****REALTED TOPICS** **

1.  New LLMjacking Attack Lets Hackers Hijack AI Models
2.  Flaws Exposed Hugging Face to AI Supply Chain Attacks
3.  AI Generated Fake Obituary Websites Target Grieving Users
4.  AI-Powered Scams, Human Trafficking Fuel Global Crime Surge
5.  ShadowRay Campaign Targets Ray AI Framework in Global Attack

New EmailGPT Flaw Puts User Data at Risk: Remove the Extension NOW

The number of alleged hacks targeting the customers of cloud storage firm Snowflake appears to be snowballing into one of the biggest data breaches of all time.

A hack against customers of the cloud storage company Snowflake looks like it may turn into one of the biggest-ever data breaches. Last week, Snowflake, which allows companies to store huge datasets on its servers, revealed that criminal hackers had been attempting to access its customers’ accounts using stolen login details. Data breaches targeting Ticketmaster and Santander have been linked to the attacks.

In the days since Snowflake first said a “limited number” of customer accounts had been accessed, however, cybercriminals have publicly claimed to be selling stolen data from two other major firms and alleged the information was taken from Snowflake accounts. At the same time, TechCrunch has reported that hundreds of Snowflake customer passwords have been found online and are accessible to cybercriminals.

Amid the claims, there remains uncertainty about the scope and scale of the attempted attack against Snowflake customers, who the attackers may be, and how an attack tool callously named “rapeflake” operates. It also highlights the growth in the use of infostealer malware in recent years and underscores the need for third-party software providers and companies to turn on multifactor authentication to reduce the chances of accounts being compromised.

**Snowballing**

A large proportion of the Snowflake drama has, so far, played out on the notorious cybercrime marketplace BreachForums. The FBI seized the forum in mid May, but another version quickly appeared, and its owners, hacker group ShinyHunters, claimed to be selling 560 million records from Ticketmaster and 30 million from Santander. Both companies have said they have suffered from data breaches, with Ticketmaster directly linking the incident to Snowflake while Santander said it had seen unauthorized access to one of its databases “hosted by a third-party provider.” Neither company has confirmed the size of the breaches.

In recent days, a BreachForums account going by the handle Sp1d3r has posted two more companies whose data it claims is related to the Snowflake incident: automotive giant Advance Auto Parts, which Sp1d3r claims to have 380 million customer details from, and financial services company LendingTree and subsidiary QuoteWizard, from which it claims to have data linked to 190 million people.

Some Advance Auto Parts staff and customer email addresses listed in sample data by the hacker appear to be legitimate accounts; emails WIRED sent to those addresses did not bounce nor were they otherwise rejected. BleepingComputer reports it has verified customer data from Advance Auto Parts.

“We are aware of reports that Advance may be involved in a security incident related to Snowflake,” Darryl Carr, a spokesperson from the company, tells WIRED. “We are investigating the matter and do not have further information to share at this time. We have not experienced any impact to our operations or systems.”

LendingTree has not responded to multiple requests from WIRED about the alleged breaches sent in the past few days. Neither LendingTree nor Advance Auto Parts has filed breach notifications with the Securities and Exchange Commission at the time of writing. Both companies have been listed by Snowflake as customers previously.

Since Snowflake acknowledged that accounts had been targeted, it has provided some more information about the incident. Brad Jones, Snowflake’s chief information security officer, said in a blog post that threat actors used login details to accounts that had been “purchased or obtained through infostealing malware,” which is designed to pull usernames and passwords from devices that have been compromised. The incident appears to be a “targeted campaign directed at users with single-factor authentication,” Jones added.

Jones’ post said Snowflake, alongside cybersecurity companies CrowdStrike and Mandiant, which it employed to investigate the incident, did not find evidence showing the attack was “caused by compromised credentials of current or former Snowflake personnel.” However, it has found one former employee's demo accounts were accessed, claiming they did not contain sensitive data.

When asked about potential breaches of specific companies’ data, a Snowflake person pointed to Jones’ statement: “We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform.” The company did not provide an on-record comment clarifying what was meant by a “breach.” (Security company Hudson Rock said it removed a research post including various unverified claims about the Snowflake incident after receiving a legal letter from Snowflake).

The US Cybersecurity and Infrastructure Security Agency has issued an alert about the Snowflake incident, while Australia's Cyber Security Center said it is “aware of successful compromises of several companies utilizing Snowflake environments.”

**Unclear Origins**

Little is known about the Sp1d3r account advertising data on BreachForums, and it is not clear whether ShinyHunters obtained the data it was selling from another source or directly from victims’ Snowflake accounts—information about a Ticketmaster and Santander breach was originally posted on another cybercrime forum by a new user called SpidermanData.

The Sp1d3r account posted on BreachForums that the 2 terabytes of alleged LendingTree and QuoteWizard data was for sale for $2 million; while 3 TB of data allegedly from Advance Auto Parts would cost someone $1.5 million. “The price set by the threat actor appears extremely high for a typical listing posted to BreachForums,” says Chris Morgan, a senior cyber-threat intelligence analyst at security firm ReliaQuest.

Morgan says the legitimacy of Sp1d3r is not clear; however, he points out there is a nod to teenage hacking group Scattered Spider. “Interestingly, the threat actor's profile picture is taken from an article referencing the threat group Scattered Spider, although it is unclear whether this is to make an intentional association with the threat group.”

While the exact source of the alleged data breaches is unclear, the incident highlights how interconnected companies can be when relying on products and services from third-party providers. “I think a lot of this is just a recognition of how interdependent these services now are and how hard it is to control the security posture of third parties,” security researcher Tory Hunt told WIRED when the incidents first emerged.

As part of its response to the attacks, Snowflake has told all customers to make sure they enforce multifactor authentication on all accounts and allow traffic only from authorized users or locations. Companies that have been impacted should also reset their Snowflake login credentials. Enabling multifactor authentication vastly reduces the chances that online accounts will be compromised. As mentioned, TechCrunch reported this week that it has seen “hundreds of alleged Snowflake customer credentials'' taken by infostealing malware from computers of people who have accessed Snowflake accounts.

In recent years, coinciding with more people working from home since the Covid-19 pandemic, there has been a rise in the use of infostealer malware. “Infostealers have become more popular because they’re in high demand and pretty easy to create,” says Ian Gray, the vice president of intelligence at security company Flashpoint. Hackers have been seen to be copying or modifying existing infostealers and selling them on for as little as $10 for all the login details, cookies, files, and more from one infected device.

“This malware can be delivered in different ways and targets sensitive info like browser data (cookies and credentials), credit cards, and crypto wallets,” Gray says. “Hackers might comb through the logs for enterprise credentials to break into accounts without permission.”

The Snowflake Attack May Be Turning Into One of the Largest Data Breaches Ever

Ubuntu Security Notice 6567-2 - USN-6567-1 fixed vulnerabilities QEMU. The fix for CVE-2023-2861 was too restrictive and introduced a behavior change leading to a regression in certain environments. This update fixes the problem. Gaoning Pan and Xingwei Li discovered that QEMU incorrectly handled the USB xHCI controller device. A privileged guest attacker could possibly use this issue to cause QEMU to crash, leading to a denial of service. Various other issues were also addressed.

    ==========================================================================Ubuntu Security Notice USN-6567-2June 06, 2024qemu regression==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:USN-6567-1 introduced a regression in QEMU.Software Description:- qemu: Machine emulator and virtualizerDetails:USN-6567-1 fixed vulnerabilities QEMU. The fix for CVE-2023-2861 was toorestrictive and introduced a behaviour change leading to a regression incertain environments. This update fixes the problem.Original advisory details:  Gaoning Pan and Xingwei Li discovered that QEMU incorrectly handled the  USB xHCI controller device. A privileged guest attacker could possibly use  this issue to cause QEMU to crash, leading to a denial of service. This  issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2020-14394)   It was discovered that QEMU incorrectly handled the TCG Accelerator. A  local attacker could use this issue to cause QEMU to crash, leading to a  denial of service, or possibly execute arbitrary code and esclate  privileges. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-24165)   It was discovered that QEMU incorrectly handled the Intel HD audio device.  A malicious guest attacker could use this issue to cause QEMU to crash,  leading to a denial of service. This issue only affected Ubuntu 22.04 LTS.  (CVE-2021-3611)   It was discovered that QEMU incorrectly handled the ATI VGA device. A  malicious guest attacker could use this issue to cause QEMU to crash,  leading to a denial of service. This issue only affected Ubuntu 20.04 LTS.  (CVE-2021-3638)   It was discovered that QEMU incorrectly handled the VMWare paravirtual RDMA  device. A malicious guest attacker could use this issue to cause QEMU to  crash, leading to a denial of service. (CVE-2023-1544)   It was discovered that QEMU incorrectly handled the 9p passthrough  filesystem. A malicious guest attacker could possibly use this issue to  open special files and escape the exported 9p tree. This issue only  affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04.  (CVE-2023-2861)   It was discovered that QEMU incorrectly handled the virtual crypto device.  A malicious guest attacker could use this issue to cause QEMU to crash,  leading to a denial of service, or possibly execute arbitrary code. This  issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04.  (CVE-2023-3180)   It was discovered that QEMU incorrectly handled the built-in VNC server.  A remote authenticated attacker could possibly use this issue to cause QEMU  to stop responding, resulting in a denial of service. This issue only  affected Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-3255)   It was discovered that QEMU incorrectly handled net device hot-unplugging.  A malicious guest attacker could use this issue to cause QEMU to crash,  leading to a denial of service. This issue only affected Ubuntu 22.04 LTS  and Ubuntu 23.04. (CVE-2023-3301)   It was discovered that QEMU incorrectly handled the built-in VNC server.  A remote attacker could possibly use this issue to cause QEMU to crash,  resulting in a denial of service. This issue only affected Ubuntu 20.04  LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. (CVE-2023-3354)   It was discovered that QEMU incorrectly handled NVME devices. A malicious  guest attacker could use this issue to cause QEMU to crash, leading to a  denial of service. This issue only affected Ubuntu 23.10. (CVE-2023-40360)   It was discovered that QEMU incorrectly handled NVME devices. A malicious  guest attacker could use this issue to cause QEMU to crash, leading to a  denial of service, or possibly obtain sensitive information. This issue  only affected Ubuntu 23.10. (CVE-2023-4135)   It was discovered that QEMU incorrectly handled SCSI devices. A malicious  guest attacker could use this issue to cause QEMU to crash, leading to a  denial of service. This issue only affected Ubuntu 23.04 and Ubuntu 23.10.  (CVE-2023-42467)   It was discovered that QEMU incorrectly handled certain disk offsets. A  malicious guest attacker could possibly use this issue to gain control of  the host in certain nested virtualization scenarios. (CVE-2023-5088)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS   qemu-system                     1:6.2+dfsg-2ubuntu6.21   qemu-system-arm                 1:6.2+dfsg-2ubuntu6.21   qemu-system-mips                1:6.2+dfsg-2ubuntu6.21   qemu-system-misc                1:6.2+dfsg-2ubuntu6.21   qemu-system-ppc                 1:6.2+dfsg-2ubuntu6.21   qemu-system-s390x               1:6.2+dfsg-2ubuntu6.21   qemu-system-sparc               1:6.2+dfsg-2ubuntu6.21   qemu-system-x86                 1:6.2+dfsg-2ubuntu6.21   qemu-system-x86-microvm         1:6.2+dfsg-2ubuntu6.21   qemu-system-x86-xen             1:6.2+dfsg-2ubuntu6.21Ubuntu 20.04 LTS   qemu-system                     1:4.2-3ubuntu6.29   qemu-system-arm                 1:4.2-3ubuntu6.29   qemu-system-mips                1:4.2-3ubuntu6.29   qemu-system-misc                1:4.2-3ubuntu6.29   qemu-system-ppc                 1:4.2-3ubuntu6.29   qemu-system-s390x               1:4.2-3ubuntu6.29   qemu-system-sparc               1:4.2-3ubuntu6.29   qemu-system-x86                 1:4.2-3ubuntu6.29   qemu-system-x86-microvm         1:4.2-3ubuntu6.29   qemu-system-x86-xen             1:4.2-3ubuntu6.29After a standard system update you need to restart all QEMU virtualmachines to make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6567-2   https://ubuntu.com/security/notices/USN-6567-1   https://launchpad.net/bugs/2065579Package Information:   https://launchpad.net/ubuntu/+source/qemu/1:6.2+dfsg-2ubuntu6.21   https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.29

Ubuntu Security Notice USN-6567-2

Sophos uncovers “Operation Crimson Palace, a long-term cyberespionage effort targeting a Southeast Asian government. Learn how attackers used…

Sophos uncovers “Operation Crimson Palace, a long-term cyberespionage effort targeting a Southeast Asian government. Learn how attackers used DLL sideloading and VMware exploits to steal sensitive military, economic, and South China Sea data. Discover how Southeast Asia can defend against future cyberattacks.

Cybersecurity firm Sophos has shared details of a large-scale espionage campaign dubbed “Crimson Palace.” This Chinese state-sponsored effort targeted a government agency in Southeast Asia for nearly two years, through tactics like DLL sideloading and VMware exploitation.

As per Sophos MDR’s human-led threat-hunting service, multiple Chinese state-sponsored actors have been active since early 2022, and despite a few weeks of dormancy, intrusion activity continues targeting the organization, which Sophos categorizes as “mixed estate.”

Sophos initially discovered activity in March 2022 with the detection of NUPAKAGE malware, attributed to Earth Preta and again in December 2022, intrusion activity was discovered using DLL-stitching to deploy malicious backdoors on domain controllers.

During the investigation, Sophos researchers found three distinct clusters of activity named Cluster Alpha, Cluster Bravo, and Cluster Charlie, targeting the same organization. These clusters overlap with multiple Chinese nation-state groups, including Worok, the APT41 subgroup Earth Longzhi, BackdoorDiplomacy, REF5961, TA428 and a relatively new threat group, Unfading Sea Haze that was reported in May 2024 to be carrying out extensive cyberattacks against military targets in the South China Sea.

Cluster Alpha focused on sideloading malware and establishing persistent C2 channels, while Cluster Bravo focused on using valid accounts to spread laterally. Cluster Charlie prioritized access management and aimed to exfiltrate sensitive information for espionage purposes.

These clusters used a mix of custom malware and publicly available tools to gather sensitive political, economic, and military information. These include CCoreDoor, PocoProxy, an updated variant of Cobalt Strike, PowHeartBeat backdoor, EAGERBEE malware, NUPAKAGE, Merlin C2 Agent, PhantomNet backdoor, RUDEBIRD malware, and an LSASS logon credential interceptor.

> _“Sophos MDR has observed the actors attempting to collect documents with file names that indicate they are of intelligence value, including military documents related to strategies in the South China Sea.”_
> 
> Sophos

Sophos believes the campaign’s primary aim is to maintain cyberespionage access for safeguarding Chinese state interests, including accessing critical IT systems, performing reconnaissance, collecting sensitive information, and deploying malware implants for command-and-control communications.

The campaign as per Sophos’ blog post, also included over 15 distinct DLL sideloading scenarios, most of which abused Windows Services, legitimate Microsoft binaries, and AV vendor software.

****Threat Actors Collaborating Worldwide****

This marks the first instance where Chinese threat groups are actively collaborating to target an entity, each with its own working hours and scheduling activities, directed by a central authority.

Last month, cybersecurity researchers at Check Point reported that several Iranian state-sponsored hacker groups are teaming up for large-scale attacks. Similarly, a report from Flashpoint last month highlighted that Russian state-sponsored hacker groups are changing tactics. They are now partnering up and increasingly relying on malicious paid tools instead of the custom-made tools they previously used.

1.  China-Linked Spyware Found in Play Store Apps, 2m Downloads
2.  China’s insidious surveillance against Uyghurs with Android malware
3.  Muddling Meerkat Suspected of Espionage via Great Firewall of China
4.  Chinese Blackwood APT Deploys NSPX30 Backdoor in Cyberespionage
5.  Cyberattacks Surge 325% in Philippines Amid South China Sea Standoff

Crimson Palace: Chinese Hackers Steal Military Secrets Over 2 Years

Eliot Higgins and his 28,000 forensic foot soldiers at Bellingcat have kept a miraculous nose for truth—and a sharp sense of its limits—in Gaza, Ukraine, and everywhere else atrocities hide online.

How to Lead an Army of Digital Sleuths in the Age of AI

Financially motivated sextortion of teenage boys is the fastest-growing global cybercrime, according to the FBI and Homeland Security.

“Hey there!” messaged Savannah, someone 16-year-old Charlie had never met before, but looked cute in her profile picture. She had long blonde hair, blue eyes, and an adorable smile, so he decided to DM with her on Instagram. Soon their flirty exchanges grew heated, and Savannah was sending Charlie explicit photos. When she asked him for some in return, he thought nothing of taking a quick snap of himself naked and sending it her way.

Within seconds, “Savannah” morphed from vixen to vice, threatening Charlie with posting his nude picture all over social media—unless he sent $500. Then she gave Charlie three days to get her the money, otherwise she’d share the compromising photos with his friends and family.

While the above scene is fictional, it’s indicative of what the FBI and Department of Homeland Security agree is the fastest-growing cybercrime of the last three years. It’s called financially motivated sextortion, or financial sextortion, and its victims are mainly teenage boys between the ages of 14 and 17.

Financial sextortion happens when adult criminals create fake accounts posing as young women on social media, gaming platforms, or messaging apps, and coerce victims into sending explicit photos. Scammers then threaten victims into sending payment, usually in the form of cryptocurrency, wire transfer, or gift cards, otherwise they’ll post the images online for all to see.

In an emerging trend, some sextortion scammers are now using artificial intelligence to manipulate photos from victims’ social media accounts into sexually graphic content. The predators then threaten to share the content on public forums and pornographic websites, as well as report victims to the police, claiming they’re in possession of child pornography. Demands for money immediately follow.

In 2023 alone, the National Center for Missing and Exploited Children (NCMEC) received 26,718 reports of financial sextortion of minors, more than double the 10,731 incidents reported in 2022. Sadly, these figures are likely far understated, since they rely on kids or their parents calling in the crime. A January 2024 threat intelligence report from Network Contagion Research Institute (NCRI) found children in the United States, Canada, and Australia are being targeted at an alarming rate, with a massive 1,000 percent surge in financial sextortion incidents in the last 18 months.

To illustrate how quickly the digital landscape has changed, a 2018 national survey found just 5 percent of US teens reported being victims of sextortion. Fast forward to June 2023, and 51 percent of Generation Z respondents said they or their friends were catfished in sextortion scams—47 percent in the last three months.

**The Yahoo Boys**

Financial sextortion has been linked to scammers in West Africa, particularly Nigeria and the Ivory Coast, as well as the Philippines. However, NCRI notes virtually all sextortion scams targeting minors can be directly linked to a distributed West African gang known as the Yahoo Boys. The Yahoo Boys mainly go after English-speaking minors and young adults on Instagram, Snapchat, and Wizz, an online dating platform for teens. They’re the original Nigerian Princes, but have changed tactics in recent years to elder fraud, romance scams, fake job scams—and now the sexual extortion of children for profit.

NCRI credits the tenfold increase in financial sextortion cases directly to the Yahoo Boys’ distribution of instructional videos and scripts on TikTok, YouTube, and Scribd, which are encouraging and enabling other threat actors to engage in financial sextortion as well. The videos have been viewed more than half a million times, and comments are filled with cybercriminals eager to download the scripts and get started.

The sextortion guides provide step-by-step instructions on how to create convincing fake social media profiles and “bomb” high schools, universities, and youth sports teams. The Yahoo Boys use this term to describe friending/following as many kids in a school or other location as possible to convince victims they could be an unknown classmate or peer from a nearby town.

While the payment amounts requested by the Yahoo Boys vary, they can range from as little as a couple hundred dollars to a few thousand. But predators employ ruthless tactics to intimidate their victims into paying, which can inflict lasting trauma and immense distress on children. Offenders often continue demanding more money after receiving the initial sum and may release victims’ sexually explicit images regardless of whether or not they were paid.

Indeed, the financial fallout may not be as daunting as the millions demanded by ransomware actors, but the emotional cost to teenage boys can be devastating. Anxiety. Humiliation. Shame. Despair. Feeling completely alone and afraid to ask for help. According to the FBI, financial sextortion has even been linked to fatalities. To their knowledge, at least 20 teens between January 2021 and July 2023 committed suicide when faced with the threat of nude photos that could ruin their lives.

****What to do if you or your child is financially sextorted****

Parents of teenage boys—or all teens for that matter—should have a conversation with their child about the pitfalls of financial sextortion. Remind them to be selective about what they share online and who they connect with, and if a stranger reaches out to them demanding payment or sexually explicit images, they should speak to a trusted adult before sending anything, be it money, photos, or more messages. In fact, open lines of communication can be the difference between life or death, so if your child doesn’t feel comfortable going to you, ask that they bookmark this article or one of the references listed below.

If you or your child are a victim of financially motivated sextortion, the most important advice to remember is this: You are not alone. You are not in trouble. Your child should not be in trouble. There is a way forward after this.

There are several resources you or your child can access to report the crime to law enforcement, speak to a caring counselor or peer, and request that harmful images be taken down. Here’s what we suggest:

*   Block the scammer from contacting you again, but save all chats and profile information because that will help law enforcement identify them.
*   Report the scammer’s account on the platform where the crime took place. Facebook and Instagram parent company Meta unveiled new tools last month to combat financial sextortion, and Snapchat has a reporting feature for nudity or sexual content, which now includes the option: “They leaked/are threatening to leak my nudes.”
*   Report the crime to NCMEC at Cybertipline.org or directly to the FBI at tips.fbi.gov or the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov. FBI Victim Services also has a Child Exploitation Notification Program. Canadian victims can access the Canadian Centre for Child Protection for resources, and report crimes to Cybertip.ca.
*   Seek emotional support, whether from a trusted adult, friend, or through professional services. NCMEC offers assistance for sextortion victims and their families, such as crisis intervention and referrals to local counseling professionals, and their Team Hope volunteer program connects victims to other who’ve experienced financial sextortion.
*   If you prefer a more anonymous support experience, the moderated Reddit forum r/Sextortion is a safe haven for victims to share their experiences and get advice from those who’ve already been through it.
*   Victims looking to remove sexually explicit images from the internet can go to Take It Down for help or Project Arachnid, which uses automated detection methods along with a team of analysts to quickly send removal notices to electronic service providers.
*   Ask for help. Problems from financial sextortion can be complex and require assistance from adults and professionals. If you don’t feel you have adults who can help, reach out to NCMEC at gethelp@ncmec.org or call 1-800-THE-LOST.

For more information and resources, visit the FBI’s page on financially motivated sextortion.

 Financial sextortion scams on the rise 

This post was authored by Kalpesh Mantri. 

Cisco Talos is actively tracking a recent increase in activity from malicious email campaigns containing a suspicious Microsoft Excel attachment that, when opened, infected the victim's system with the DarkGate malware. 
These campaigns, active since the second week of

Wednesday, June 5, 2024 08:00

_This post was authored by Kalpesh Mantri._ 

*   Cisco Talos is actively tracking a recent increase in activity from malicious email campaigns containing a suspicious Microsoft Excel attachment that, when opened, infected the victim's system with the DarkGate malware. 
*   These campaigns, active since the second week of March, leverage tactics, techniques, and procedures (TTPs) that we have not previously observed in DarkGate attacks. 
*   These campaigns rely on a technique called “Remote Template Injection” to bypass email security controls and to deceive the user into downloading and executing malicious code when the Excel document is opened.  
*   DarkGate has used AutoIT scripts as part of the infection process for a long time. However, in these campaigns, AutoHotKey scripting was used instead of AutoIT.  
*   The final DarkGate payload is designed to execute in-memory, without ever being written to disk, running directly from within the AutoHotKey.exe process. 

The DarkGate malware family is distinguished by its covert spreading techniques, ability to steal information, evasion strategies, and widespread impact on both individuals and organizations. Recently, DarkGate has been observed distributing malware through Microsoft Teams and even via malvertising campaigns. Notably, in the latest campaign, AutoHotKey scripting was employed instead of AutoIT, indicating the continuous evolution of DarkGate actors in altering the infection chain to evade detection. 

**Email campaigns **

This research began when a considerable number of our clients reported receiving emails, each containing a Microsoft Excel file attachment that followed a distinct pattern in its naming convention. 

Talos’ intent analysis of these emails revealed that the primary purpose of the emails primarily pertained to financial or official matters, compelling the recipient to take an action by opening the attached document. 

This peculiar trend prompted us to conduct an in-depth investigation into this widespread malspam activity. Our initial findings linked the indicators of compromise (IOCs) to the DarkGate malware.  

The table below includes some of the observed changes in attachment naming convention patterns over time.  

End Date 

Format 

Examples 

March 12, 2024 

March 19, 2024 

march-D%-2024.xlsx 

march-D5676-2024.xlsx 

march-D3230-2024.xlsx 

march-D2091-2024.xlsx 

March 15, 2024 

March 20, 2024 

ACH-%March.xlsx 

ACH-5101-15March.xlsx 

ACH-5392-15March.xlsx 

ACH-4619-15March.xlsx 

March 18, 2024 

March 19, 2024 

attach#%-2024.xlsx 

attach#4919-18-03-2024.xlsx 

attach#8517-18-03-2024.xlsx 

attach#4339-18-03-2024.xlsx 

March 19, 2024 

March 20, 2024 

march19-D%-2024.xlsx 

march19-D3175-2024.xlsx 

march19-D5648-2024.xlsx 

march19-D8858-2024.xlsx 

March 26, 2024 

March 26, 2024 

re-march-26-2024-%.xls? 

re-march-26-2024-4187.xlsx 

re-march-26-2024-7964.xlsx 

re-march-26-2024-4187.xls 

April 3, 2024 

April 5, 2024 

april2024-%.xlsx 

april2024-2032.xlsx 

april2024-3378.xlsx 

april2024-4268.xlsx 

April 9, 2024 

April 9, 2024 

statapril2024-%.xlsx 

statapril2024-9505.xlsx 

statapril2024-9518.xlsx 

statapril2024-9524.xlsx 

April 10, 2024 

April 10, 2024 

4\_10\_AC-%.xlsx\* 

4\_10\_AC-1177.xlsx 

4\_10\_AC-1288.xlsx 

4\_10\_AC-1301.xlsx 

_\*Variant redirecting to JavaScript file instead of VBS._ 

**Victimology **

Based on Cisco Talos telemetry, this campaign targets the U.S. the most often compared to other geographic regions.

Healthcare technologies and telecommunications were the most-targeted sectors, but campaign activity was observed targeting a wide range of industries. 

**Technical analysis **

Our telemetry indicates that malspam emails were the primary source of delivery for this campaign. It is an active campaign using attached Excel documents attempting to lure users to download and execute remote payloads.  

As shown below, the Excel spreadsheet has an embedded object with an external link to an attacker-controlled Server Message Block (SMB) file share. 

The overall infection process associated with this campaign is shown below. 

The infection process begins when the malicious Excel document is opened. These files were specially crafted to utilize a technique, called “Remote Template Injection,” to trigger the automatic download and execution of malicious contents hosted on a remote server. 

Remote Template Injection is an attack technique that exploits a legitimate Excel functionality wherein templates can be imported from external sources to expand a document’s functions and features. By exploiting the inherent trust users place in document files, this method skilfully evades security protocols that may not be as stringent for document templates compared to executable files. It represents a refined tactic for attackers to establish a presence within a system, sidestepping the need for conventional executable malware.  

When the Excel file is opened, it downloads and executes a VBS file from an attacker-controlled server. 

The VBS file is appended with a command that executes a PowerShell script from the DarkGate command and control (C2) server. 

This PowerShell script retrieves the next stage’s components and executes them, as shown below. 

**Payload analysis **

On March 12, 2024, the DarkGate campaign transitioned from deploying AutoIT scripts to employing AutoHotKey scripts. 

AutoIT and AutoHotKey are scripting languages designed for automating tasks on Windows. While both languages serve similar purposes, their differences lie in their syntax complexity, feature sets and community resources. AutoHotKey offers more advanced text manipulation features, extensive support for hotkeys, and a vast library of user-contributed scripts for various purposes. While both AutoIT and AutoHotKey have legitimate purposes, they are often abused by adversaries to run malicious scripts, consistent with other scripting languages often observed in infection chains. 

As shown in the screenshot above, one of the files retrieved is ‘test.txt.’ Within this file, there is base64-encoded blob that, when decoded, transforms into binary data. This binary data is then processed to execute the DarkGate malware payload directly within memory on infected systems. 

As shown in the previous PowerShell code, payloads are initially saved to disk within a directory (C:\\rimz\\) on the system. The directory name changes across infection chains that were analyzed. 

In this case, the attacker was using a legitimate copy of the AutoHotKey binary (AutoHotKey.exe) to execute a malicious AHK script (script.ahk). 

The executed AHK script reads content from the text file (test.txt), decodes it in memory, and executes it without ever saving the decoded DarkGate payload to disk. This file also contains shellcode that is loaded and executed by the AHK script, as shown below. 

**Persistence mechanisms **

Components used during the final stage of the infection process are stored at the following directory location: 

*   C:\\ProgramData\\cccddcb\\AutoHotKey.exe 
*   C:\\ProgramData\\cccddcb\\hafbccc.ahk 
*   C:\\ProgramData\\cccddcb\\test.txt 

Persistence across reboots is established through the creation of a shortcut file within the Startup directory on the infected system. 

C:\\Users\\<USERNAME>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DfAchhd.lnk 

C:\\ProgramData\\cccddcb\\AutoHotkey.exe  C:\\ProgramData\\cccddcb"C:\\ProgramData\\cccddcb\\hafbccc.ahk 

Talos’ threat intelligence and detection response teams have successfully developed detection for these campaigns and blocked them as appropriate on Cisco Secure products. However, because of the evolving nature of recent DarkGate campaigns — as demonstrated by the shift from AutoIT to AutoHotKey scripts and use of remote template injection — serves as a stark reminder of the continuous arms race in cybersecurity. 

**Coverage **

 Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The following Snort SIDs apply to this threat:  

*   **Snort 2 SIDs:** 3, 12, 11192, 13667, 15306, 16642, 19187, 23256, 23861, 44484, 44485, 44486, 44487, 44488, 63521, 63522, 63523, 63524 
*   **Snort 3 SIDs:** 1, 16, 260, 11192, 15306, 36376, 44484, 44486, 44488, 63521, 63522, 63523, 63524 

The following ClamAV detections are also available for this threat:  

*   Doc.Malware.DarkGateDoc 
*   Ps1.Malware.DarkGate-10030456-0 
*   Vbs.Malware.DarkGate-10030520-0 

**Indicators of Compromise (IOCs) **

Indicators of Compromise (IOCs) associated with this threat can be found here.  

Below is an example of the configuration parameters extracted from one of the DarkGate payloads analyzed.  

hxxp://badbutperfect\[.\]com 

hxxp://withupdate\[.\]com 

hxxp://irreceiver\[.\]com 

hxxp://backupitfirst\[.\]com 

hxxp://goingupdate\[.\]com 

hxxp://buassinnndm\[.\]net 

anti\_analysis = true 

anti\_debug = false 

anti\_vm = true 

c2\_port = 80 

internal\_mutex (Provides the XOR key/maker used for DarkGate payload decryption) = WZqqpfdY 

ping\_interval = 60 

startup\_persistence = true 

username = admin

Tag

#intel