VulnCheck initially disclosed the critical command-injection vulnerability (CVE-2024-40891) six months ago, but Zyxel has yet to mention its existence or offer users a patch to mitigate threats.

Source: Timon Schneider via Alamy Stock Photo

NEWS BRIEF

A command-injection vulnerability in Zyxel CPE Series devices is being targeted by threat actors, and there's no patch available.

The bug, tracked as CVE-2024-40891, was first discovered by VulnCheck, a vulnerability intelligence firm, and disclosed to the vendor last July. Half a year later, Zyxel has yet to fix or even mention the vulnerability.

If successfully exploited, CVE-2024-40891 could allow threat actors to execute arbitrary commands on infected devices, ultimately potentially leading to system compromise, network infiltration, and data leaks, according to VulnCheck.

Researchers at GreyNoise meanwhile have been coordinating with the researchers at VulnCheck regarding exploitation of the vulnerability, and decided to disclose it publicly this week due to the "large number of attacks" they have been observing.

They also noted that CVE-2024-40891 is very similar to a known issue tracked as CVE-2024-40890, with the primary difference between the two being one is telnet-based and the other HTTP-based. Both, however, allow unauthenticated attackers to execute arbitrary commands using service accounts, whether in the "supervisor" or "zyuser" roles.

The lack of a patch could be a significant issue: Censys is reporting more than 1,500 vulnerable devices online, and it looks like some botnet operators have built exploits for the bug into their code, according to GreyNoise.

"After identifying a significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai, the team investigated a recent variant of Mirai and confirmed that the ability to exploit CVE-2024-40891 has been incorporated into some Mirai strains," the researchers noted.

Since there is no current fix, GreyNoise recommended that users filter traffic for unusual requests to Zyxel CPE management interfaces, monitor Zyxel's security updates to be aware if a patch is made available, restrict administrative interface access to trusted IPs, and disable unused remote management features.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers

Yet another spinoff of the infamous DDoS botnet is exploiting a known vulnerability in active attacks, while its threat actors are promoting it on Telegram for other attackers to use as well, in a DDoS-as-a-service model.

Source: Kirill Ivanov via Alamy Stock Photo

Yet another Mirai botnet variant is making the rounds, this time offering distributed denial-of-service (DDoS) as-a-service by exploiting flaws in Mitel SIP phones. It also features a unique capability to communicate with attacker command-and-control (C2).

Researchers at the Akamai Security Intelligence and Response Team (SIRT) identified the variant of the infamous botnet, dubbed Aquabot, that actively exploits CVE-2024-41710, a command-injection vulnerability that affects various Mitel models that are used in corporate environments, they revealed in a blog post published Jan. 29. The vulnerability relies on an input sanitization flaw, and exploitation can lead to root access of the device, SIRT researchers Kyle Lefton and Larry Cashdollar wrote in the post.

The variant is the third version of Aquabot (Akamai calls it Aquabotv3) to appear on the scene; the first version was built off the Mirai framework with the ultimate goal of DDoS, discovered in November 2023, and it was first reported by Antiy Labs. The second version of the bot "tacked on concealment and persistence mechanisms, such as preventing device shutdown and restart" that remain present in v3, the researchers wrote.

The new variant is distinct from the previous versions for a couple of reasons, the researchers said. One is a unique feature appearing first in Aquabotv3: a function named "report\_kill" that reports back to the C2 when a kill signal is caught on the infected device. So far, however, researchers have not seen any response to the function from the attacker C2.

Related:Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers

Another notable aspect of v3 of Aquabot is that the threat actors behind it have been advertising the botnet as DDoS as-a-service through platforms such as Telegram. The bot is advertised under several different names — including Cursinq Firewall, The Eye Services, and The Eye Botnet — offering Layer 4 and Layer 7 DDoS, the researchers noted.

**Active Exploitation of Mitel Phone Security Flaw**

Akamai SIRT detected exploit attempts targeting CVE-2024-41710 through its global network of honeypots in early January using a payload almost identical to a proof-of-concept (PoC) developed and released on GitHub in mid-August by Packetlabs' researcher Kyle Burns.

Burns discovered that the Mitel 6869i SIP phone, firmware version 6.3.0.1020, failed to sanitize user-supplied input properly, with multiple endpoints vulnerable to the flaw. His PoC demonstrated that an attacker could smuggle in entries otherwise blocked by the application's sanitization checks by sending a specially crafted HTTP POST request.

Related:Super Bowl LIX Could Be a Magnet for Cyberattacks

The exploitation activity that Akamai SIRT observed delivered a payload that attempts to fetch and execute a shell script called :bin.sh, which will in turn fetch and execute Mirai malware on the target system, the researchers wrote. The malware has support for a variety of different architectures, including x86 and ARM.

"Based on our analysis of the malware samples, we determined that this is a version of the Aquabot Mirai variant," specifically the latest evolution of the malware, Aquabotv3, the researchers wrote in the post.

In addition to being used in DDoS attacks, threat actors also are hawking Aquabot for DDoS-as-a-service, though they are trying to disguise the activity as "purely testing" for DDoS mitigation. However, the same domain featured in the ad promoting testing is actively spreading Mirai malware, the researchers noted.

"Threat actors will claim it's just a \[proof of concept\] or something educational, but a deeper analysis shows that they are in fact advertising DDoS as a service, or the owners are boasting about running their own botnet on Telegram," they wrote in the post.

**Mirai Botnet Remains Key Conduit for DDoS**

As the majority of botnets responsible for DDoS attacks are based on Mirai, "they predominantly target Internet of Things (IoT) devices, which makes spreading the malware relatively easy to do," the researchers noted in the post. Indeed, a recent wave of global DDoS attacks were attributed to Mirai botnet spinoffs, demonstrating that attackers aiming to leverage Mirai show no signs of slowing down.

Related:Apple Patches Actively Exploited Zero-Day Vulnerability

That's likely because "the \[return on investment\] of Mirai for an aspiring botnet author is high," because it's not only one of the most successful botnet families in the world, it's also one of the more simple ones to modify, the researchers noted.

Moreover, many IoT devices often lack proper security features, are at the end of service, or are left with default configurations and passwords either from neglect or lack of knowledge about the dangers, making them low-hanging fruit for Mirai and its variants, the researchers wrote.

No matter what an attacker's intentions are, the researchers recommended that organizations take action to secure IoT devices through discovery or changing default credentials to protect against DDoS threats.

"Many of these botnets rely on common password libraries for authentication," they wrote in the post. "Find out where your known IoT devices are, and check for rogue ones, too. Check the login credentials and change them if they are default or easy to guess."

Akamai SIRT also included a list of indicators of compromise (IoCs) as well as Snort and Yara rules in the post to aid defenders.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Mirai Variant 'Aquabot' Exploits Mitel Device Flaws

Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in Whatsup Gold.   
These vulnerabilities exist in Observium, a network observation and monitoring system; Offis DCMTK, a collection of libraries and applications implementing DICOM (Digital Imaging and Communications

Wednesday, January 29, 2025 11:45

Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in Whatsup Gold.   

These vulnerabilities exist in Observium, a network observation and monitoring system; Offis DCMTK, a collection of libraries and applications implementing DICOM (Digital Imaging and Communications in Medicine) standard formats; and WhatsUp Gold, an IT infrastructure management product.  

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.   

**Observium Vulnerabilities  **

_Discovered by Marcin "Icewall" Noga._   

Two cross-site scripting vulnerabilities exist in Observium, which can lead to arbitrary JavaScript code execution, as well as one HTML code injection vulnerability. All three can be triggered by an authenticated user clicking a malicious link crafted by the attacker.  

*   TALOS-2024-2090 (CVE-2024-47140) 
*   TALOS-2024-2091 (CVE-2024-47002) 
*   TALOS-2024-2092 (CVE-2024-45061) 

**Offis Vulnerabilities  **

_Discovered by Emmanuel Tacheau._   

Three vulnerabilities were found in the Offis DCMTK libraries that support the DICOM standard format. TALOS-2024-1957 (CVE-2024-28130) is an incorrect type conversion vulnerability that can lead to arbitrary code execution, and TALOS-2024-2121 (CVE-2024-52333) and TALOS-2024-2122 (CVE-2024-47796) are improper array index validation vulnerabilities that can lead to out-of-bounds write capabilities. All can be triggered with specially crafted malicious DICOM files.  

**Whatsup Gold Vulnerabilities  **

_Discovered by Marcin "Icewall" Noga._   

Two Whatsup Gold vulnerabilities include a risk of information disclosure (TALOS-2024-1932 (CVE-2024-5017) and TALOS-2024-2089 (CVE-2024-12105)), which can be triggered by an attacker making an authenticated HTTP request. 

There is also a risk of disclosure of sensitive information (TALOS-2024-1933 (CVE-2024-5010)), and denial of service (TALOS-2024-1934 (CVE-2024-5011)). These two vulnerabilities can be triggered by an attacker making an unauthenticated HTTP request.

Whatsup Gold, Observium and Offis vulnerabilities

Atomwaffen Division cofounder and alleged Terrorgram Collective member Brandon Russell is facing a potential 20-year sentence for an alleged plot on a Baltimore electrical station. His case is only the beginning.

Brandon Russell, arguably one of the most influential figures in the American neofascist revival of the past decade, is on trial this week over an alleged plot to knock out Baltimore’s power grid and trigger a race war.

The 29-year-old cofounder of the Atomwaffen Division, a neo-Nazi guerrilla organization that was responsible for five homicides and a number of bomb plots before the FBI dismantled it in 2020, Russell was arrested by federal agents in February 2023 along with his girlfriend, Sarah Clendaniel. If convicted of his charges of conspiring to destroy an energy facility, Russell could face 20 years behind bars thanks to a prior conviction and the potential penalty for his current charges.

Russell’s case represents one of the last gasps of the Biden administration’s hard-charging approach to tackling violent far-right extremism that is all but guaranteed to change during US president Donald Trump’s second term in office. It also offers a unique look inside federal law enforcement’s investigation into an insidious accelerationist propaganda network that mixes neo-Nazi ideology with nihilist, Columbine-style violence to inspire mass casualty events in the United States and beyond.

Russell allegedly hatched the plot to black out Baltimore while, according to prosecutors, participating in a noxious, prolific propaganda network hellbent on fomenting violence and chaos. The Terrorgram Collective, which took its name following a massive influx of neo-Nazis to Telegram at the end of the last decade, ran several channels on the messaging​​ app and developed a series of “how-to” domestic terrorism manuals that sought to inspire disaffected young men and women into committing mass casualty events. Terrorgram is currently designated a “tier one” extremism threat by the US Department of Justice.

To date, Terrorgram has released four publications—a blend of ideological motivation, mass-murder worship, neofascist indoctrination, and how-to manuals for chemical weapons attacks, infrastructure sabotage, and ethnic cleansing. Court records indicate there are at least three unreleased Terrorgram Collective compendiums, including “The Saint Encyclopedia” of the far-right mass killers they venerate, including Anders Breivik, Brenton Tarrant, and Timothy McVeigh; and “The List,” a collection of politicians, government officials, business leaders, journalists, activists, and other people deemed legitimate assassination targets.

The screeds appear to have directly inspired a series of ideologically motivated attacks around the world, including a 2022 mass shooting at an LGBTQ bar in Bratislava, Slovakia, successful attacks on power infrastructure in North Carolina and similar failed plots in Baltimore and New Jersey, and a stabbing spree in the Turkish city of Eskisehir. There are currently more than a dozen separate federal prosecutions around the United States that involve people alleged to be core Terrorgram Collective members or individuals allegedly inspired toward violent attacks on infrastructure or civilians.

In one of the Biden administration’s last policy moves against right-wing extremism, on January 13, the State Department formally classified the Terrorgram Collective as a Foreign Terrorist Organization, a listing usually reserved for militant groups that hold territory and have a formal real-world paramilitary structure as opposed to a loose propaganda network that seeks to inspire mass casualty events. While it is not unique—the British Home Office formally proscribed Terrorgram as an extremist organization last May, and Russell’s Atomwaffen Division was banned by the UK, Australia, and Canada—it is likely to be the last such action taken toward neo-Nazi groups by the United States government for the foreseeable future.

The Trump administration appears to be engaged in a wholesale shift away from violent far-right extremism, best illustrated by the unprecedented pardons given to more than 1,500 individuals charged or convicted of crimes during the failed insurrection of January 6, 2021, as well as the reassignment of senior Justice Department attorneys in the National Security Division.

In a set of pretrial hearings and motions over the limits of evidence in Russell’s trial, federal prosecutors convinced US District Court judge James K. Bredar to allow in evidence of Russell’s deep neo-Nazi indoctrination, including background about his founding role in the Atomwaffen Division. Russell’s alleged involvement in the Terrorgram Collective is bolstered by a pendant allegedly recovered by FBI agents in a search of his home after his February 2023 arrest: The necklace is made of swastika-bearing beads that contains a larger golden swastika pendant with “Terrorgram” inscribed along the side.

The court is taking extra precautions as the US attempts to convict Russell. Journalists’ use of phones and laptops in the courtroom is forbidden, and the judge granted some witnesses permission to testify anonymously over fears of retaliation by Russell's compatriots, some of whom have indicated in Terrorgram chats cited in court filings that they have sought to identify informants and agents involved in their cases. Clendaniel, Russell’s girlfriend, pleaded guilty in May and was later sentenced to 18 years in federal prison. It is unclear whether she will be one of the witnesses testifying against Russell.

The prosecution of Russell also offers insight to how American law enforcement and intelligence agencies collaborate with their foreign counterparts to combat the transnational far-right milieu that spawned the Terrorgram Collective.

In an unusual alliance over the past two years, lawyers from the American Civil Liberties Union’s National Security Project weighed in on Russell’s behalf during pretrial motions in an effort to reveal evidence of warrantless surveillance of the fascist figurehead by either the National Security Agency or its counterparts. Although Judge Bredar ultimately denied the ACLU’s efforts on the grounds that the material was classified, the government’s response spoke volumes about the intelligence community’s role in surveilling Russell. American intelligence documents reviewed by WIRED show the Five Eyes alliance of American, Canadian, British, Australian and New Zealander intelligence agencies were keeping tabs on the Terrorgram Collective as far back as 2021.

The presence of Terrorgram Collective members in Croatia, Denmark, Slovakia, South Africa, Canada, and elsewhere overseas, coupled with the State Department’s designation of the propaganda network as a foreign terrorist organization, also point to additional reasons the group would be subjected to the highest level of official surveillance.

Russell was on court supervision when he was picked up for the Baltimore plot nearly two years ago. In 2018, he was convicted on federal charges for possession of homemade hexamethylene triperoxide diamine, a highly unstable compound. He served a little over three years in prison and was released in August 2021. Russell’s arrest, in 2017, on illegal explosives charges, stemmed from a macabre internecine squabble within the Atomwaffen Division and a double homicide at the Tampa, Florida, apartment Russell shared with three other extremist comrades.

_Updated 7:35 am EST, January 29, 2025: Corrected the maximum sentence Russell could receive if convicted._

The Trial at the Tip of the Terrorgram Iceberg

The impetus for CrowdStrike's new professional services came from last year's Famous Chollima threat actors, which used fake IT workers to infiltrate organizations and steal data.

Source: Andrea Danti via Shutterstock

When CrowdStrike alerted 200 customers last summer that its OverWatch managed threat-hunting service discovered endpoint telemetry indicating that the company might have at least one fake IT employee working for it, many were initially doubtful that they were among those affected.

Upon further investigation, though, it turned out that 40% of them were victims of a North Korean APT group that recruits people to apply for open tech jobs and, when hired, use their network access to deploy malware and steal data. The spike in activity by the group, known as Famous Chollima, was the impetus for last week's launch of CrowdStrike's Insider Risk Service, a set of professional services for detecting rogue IT workers and improving hiring practices.

Famous Chollima — threat actors from North Korea — used rogue IT workers to infiltrate over 300 companies, according to a May announcement by the US Department of Justice. Several perpetrators were charged with allegedly defrauding US companies using online job sites and payment platforms with locally hosted proxy computers. Victims discovered malicious IT employees installed malware, notably BeaverTail or InvisibleFerret, or exfiltrated data.

According to the Justice Department, it was the largest criminal act using IT workers, resulting in an estimated $6.8 million in losses.

"I think it's significantly higher than $6.8 million; I would say it's on the order of tens of millions of dollars," Adam Meyers, CrowdStrike's senior VP for counter adversary operations, told attendees at the company's annual Fal.Con customer event in September.

**Customers Initially Dubious**

CrowdStrike's chief global services officer, Thomas Etheridge, recalls customers' initial skepticism that they may have unwittingly hired fake IT workers.

"We had many organizations that absolutely said, 'Thank you, but we don't have that problem,' and then they later reached back out to us and said, 'We realize you were absolutely spot on,'" Etheridge tells Dark Reading.

According to 467 cybersecurity professionals surveyed for Securonix's "2024 Insider Threat Report," insider attacks rose from 66% of organizations in 2019 to 76% last year. Moreover, 90% said insider attacks are equally or more challenging to discover than external attacks.

CrowdStrike cites research from the Ponemon Institute, which found that 71% of organizations experienced between 21 and 41 insider incidents in 2023 — up from 67% over the previous year. The report also found that the annual cost of insider threats averaged $16.2 million per organization.

Data from 1,542 security decision-makers responding to Forrester Research's 2024 Security Survey indicated that 23% of data breaches resulted from internal incidents. Joseph Blankenship, VP and research director for Forrester's Security & Risk practice, says addressing insider risk is more complex than external threats.

"It's difficult to discern normal insider behavior from potentially malicious or accidentally harmful behavior," Blankenship says. "Insider risk services help to test the technology and processes organizations use to detect and respond to insider incidents."

**CrowdStrike's New Services Portfolio**

CrowdStrike's Insider Risk Service provides assessments to determine overall security gaps that enable both malicious and unintentional internal threats and HR hiring processes.

"We have some really rich telemetry around identity, around what threat actors are doing and the tooling they're using to remain persistent and undetectable in an environment, and we use those same techniques and tools to uncover insider activity," Etheridge says. "Putting a lot of these things together and bringing the people and process aspect to it really can help an organization up level and mature their insider-risk program."

The offering consists of a program in which CrowdStrike's consultants examine an organization's approach to insider risk and perform technical reviews to discover gaps and recommend improvements. The services also include tabletop exercises and red team simulations to test what defenses are in place and explore ways to discover vulnerabilities.

Not surprisingly, the services rely on threat intelligence and telemetry gathered from CrowdStrike's flagship Falcon platform and its OverWatch 24x7 threat-hunting service team. While major IT consulting firms like Accenture, EY, and smaller service providers offer risk assessment services, Etheridge touts CrowdStrike's platform as an advantage.

"These organizations are coming to us because we have a lot of the telemetry that they would need to understand the difference between normal activity occurring in the organization and non-normal activity," Etheridge says.

Meanwhile, activity from Famous Chollima is off from last year's peak, though Etheridge expects variations in this insider threat type to continue.

"It's not out of the realm of possibilities for other threat actors to try to either mimic or come up with another creative way to try to infiltrate companies," he says.

Forrester's Blankenship agrees.

"I believe threat actors like Famous Chollima will continue to be a risk," he says. "Without measures in place to confirm the identities of employees and contractors, organizations will continue to be vulnerable to threat actors posing as legitimate workers. Ongoing monitoring for suspicious insider behavior is also necessary to detect these threat actors."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

CrowdStrike Highlights Magnitude of Insider Risk

Concerns include everything from ransomware, malware, and phishing attacks on the game's infrastructure to those targeting event sponsors and fans.

Source: Steve Cukrov via Shutterstock

Sporting events like the upcoming Super Bowl LIX in New Orleans are prime targets for cyberattacks due to their massive audiences, extensive digital infrastructure, and the potential for high financial and reputational impact. Experts say organizers should be prepared for an onslaught of attacks leading up to and on game day, which is Feb. 9 this year.

Securing such events can be particularly challenging due to the vast array of potential attack surfaces, including ticketing systems, livestreaming platforms, in-stadium Internet of Things (IoT) devices, and valuable fan data. The New Year's Day terrorist attack in the city has only added to the concerns, and has prompted greater physical security measures in the form of increased surveillance, a significantly larger police presence than initially planned, and the use of drones and extra cameras to monitor for threats.

**High-Stakes Cybersecurity Playbook for the Big Game**

James DeMeo, faculty member with Tulane University's School of Professional Advancement, is an expert in sport event security, facilities, and venue risk assessment. The Super Bowl, he reminds, is a mega event that the Department of Homeland Security has designated as a Special Event Assessment Rating 1 (SEAR 1), which is the highest rating from a threat assessment standpoint. Following the Jan. 1 vehicle ramming incident in New Orleans' French Quarter, event security concerns are sure to have only heightened, he says.

The top cybersecurity concerns will include those around ransomware, malware, and phishing threats directed at critical infrastructure for the games and communication networks. "Command center controls will be tasked with averting bad actors from infiltrating CCTV, access controls, and wireless networks while ensuring a seamless fan experience," DeMeo says.

Other focus areas for the security team at the Super Bowl will include protecting fan payment data and monitoring social media networks for signs of potential physical threat activity. "Law enforcement will be sharing relative and timely information with governmental stakeholders like the JTTF and the Secret Service," DeMeo says. Expect the DHS to monitor posts on social media platforms in real time before and during the games for conversations that indicate a threat to the event.

DeMeo expects drones will play a key role on the physical security side of things as well. "Drones are an effective risk mitigation tool for key Super Bowl security stakeholders," he says. "This technology can be implemented for properly monitoring crowds, crowd management, crowd ingress/egress, and reconnaissance for potential nefarious bad actors on the exterior perimeters of the venue."  

Additionally, such technologies as biometrics and iris scans can be utilized as an effective risk mitigation tool by event security leads, he says.

**A Collaborative Defensive Effort**

Mike Storm, distinguished engineer at Cisco, says preparation for an event like the Super Bowl actually begins years in advance, with collaboration between a number of entities, including the host venue, the local city, a wide network of tech vendors, and government entities like the FBI. "In the years, months and weeks leading up to the event, the cross-functional team engages in a wide variety of scenario and role-playing exercises so that should any issues arise during the event, responses are swift, coordinated, and ideally resolve the problem before it can impact the game or the fan experience."

As the primary network provider for the Super Bowl, Cisco has partnered with the NFL in a collaborative approach to manage threats to the game. "This playbook," he says, "is built on a few core attributes that are essential to successfully protecting an event of this magnitude — simplicity, visibility, reliability, and protection." As part of the effort, Cisco has deployed a range of technologies to secure the game network, including Cisco Secure Firewall, Cisco Umbrella, Cisco Security Malware Analytics, Cisco XDR with Meraki, and Splunk Enterprise.

The NFL is also tapping Cisco's Talos threat intelligence service for real-time intelligence pertinent to the event. The goal is to safeguard game day operations and respond to potential threats during the event to prevent disruptions, Storm says. "When it comes to large sporting events, we are looking for all types of attacks, at volume," he says. Many attacks are often focused on trying to degrade the experience of fans or on the misuse of data of viewers, guests, or participants of the game. "These events are targeted by a variety of different actors, which can include ideologically or politically motivated hacktivists and state-sponsored threat actors." These actors employ a variety of tactics, which can include targeting sponsors to disrupt the game or misusing branding to lure viewers to click something on something malicious.  

Storm points to the rising use of artificial intelligence as impacting Cisco's approach to protecting high-profile events like the Super Bowl. For instance, it adds complexity, he says: "The stakes of something going wrong with AI are incredibly high. On the other hand, it unlocks opportunities for faster, smarter security."

**The Threat from Unmonitored Service Accounts & APIs**

Meanwhile. the proliferation of automated systems and services like "just walk out" payment methods and frictionless checkout systems at events like the Super Bowl present a new attack vector that security teams need to guard against. The growing digitization has enabled faster retail transactions and a host of other benefits for fans. But it also led to an explosion of non-human identities (NHIs) and shared multiuse service accounts, APIs, tokens, and access keys that are often poorly monitored or completely unmonitored, says Tim Eades, CEO and co-founder of Anetac.

"Anetac's research indicates that large-scale events like the Super Bowl represent a perfect storm for NHI vulnerabilities," Eades says. "The combination of reliance on automated systems, rapid deployment, and the expansive network of NHIs required to support modern stadiums \[has\] significantly \[increased\] the attack surface," at events like the Super Bowl.

Eades perceives the targeting of NHIs as presenting a threat for event organizers in New Orleans and remote locations, "Bad actors recognize that automated accounts are gateways to critical infrastructure and sensitive data such as customer information, employee data, and more," he says. Securing such accounts, Eades notes, is important because they enable attackers to potentially gain control over stadium systems, from payment processing to manipulating environmental controls and emergency systems.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Super Bowl LIX Could Be a Magnet for Cyberattacks

IntelBroker targets Hewlett-Packard Enterprise (HPE) again, claiming to have access to the company’s internal infrastructure and the possibility…

IntelBroker targets Hewlett-Packard Enterprise (HPE) again, claiming to have access to the company’s internal infrastructure and the possibility of selling to access rather than selling data.

**IntelBroker**, a notorious hacker linked to prior high-profile cyberattacks, has announced an alleged new data breach of Hewlett-Packard Enterprise (HPE). The hacker claims to have accessed and cloned new data from HPE’s repositories.

Although the claimed data is 500 MB in size, a relatively smaller size than usual, screenshots shared exclusively with Hackread.com provide insights into what looks like the compromised infrastructure, revealing exposed credentials, internal configurations, and proprietary source code.

This latest breach is the second time IntelBroker has targeted Hewlett Packard Enterprise. In January 2025, as **reported by Hackread.com**, IntelBroker publicly claimed responsibility for compromising HPE’s infrastructure in an earlier attack. That breach, disclosed via Breach Forums and in an exclusive conversation with Hackread.com, involved a substantial exfiltration of sensitive data.

****Latest Claims****

A quick analysis of the data tree and internal screenshots seen by Hackread.com points out at possible extraction of some sensitive data including private keys and certificates, proprietary source code for HPE products, including iLO and Zerto systems, Internal Git repositories and Docker builds.

Additionally, the data tree shows that hackers also allegedly managed to access exposed infrastructure configurations including internal services and endpoints, such as SignonService and Salesforce integrations, Internal DNS and deployment pipelines for microservices, MongoDB credentials, QIDs integrations and more.

Screenshots provided to Hackread.com by IntelBroker

****Plans to Sell Access****

In the first alleged HPE breach, IntelBroker offered the stolen data for sale, demanding payment in Monero cryptocurrency to stay anonymous. This time, however, the hacker claims they plan to release the entire data set for free and sell the access.

> _“I am not sure about selling the data, maybe I will just leak it for free this time, I don’t know yet but my team could be selling the access we have to HPE infrastructure, to interested parties.”_
> 
> IntelBroker told Hackread.com.

Nevertheless, the claims of the new HPE data breach show the urgency for organizations to secure their infrastructure, regularly audit access controls, and monitor for suspicious activity. If validated, this breach represents a major incident for HPE, with long-term implications for their operations and customer trust.

****HPE is NOT HP Inc.****

Hewlett-Packard Enterprise (HPE) and HP Inc. are two separate entities that originated from the **split** of Hewlett-Packard in 2015. HPE focuses on enterprise-level IT solutions, including servers, storage, networking, cloud computing, and software services tailored for businesses.

In contrast, HP Inc. specializes in personal computing devices and printers, targeting consumers and small businesses. While they share a common origin, their operations and focus areas are entirely different.

Hackread.com has reached out to HPE for a statement. Any response from the company will be added to this article as soon as it is received. Stay tuned for updates!

1.  **Hacker Leak Over 10,000 DELL Employee Details**
2.  **Acer Data Breach: Hacker Sells 160GB of Stolen Data**
3.  **Dell Discloses Data Breach As Hacker Sells 49M User Data**
4.  **3 Billion National Public Data Records with SSNs Dumped Online**
5.  **Trello Data Breach: Hacker Dumps Personal Info of Millions of Users**

Hackers Claim 2nd Breach at HP Enterprise, Plan to Sell Access

DeepSeek, the Chinese AI startup that has captured much of the artificial intelligence (AI) buzz in recent days, said it's restricting registrations on the service, citing malicious attacks.
"Due to large-scale malicious attacks on DeepSeek's services, we are temporarily limiting registrations to ensure continued service," the company said in an incident report page. "Existing users can log in

Top-Rated Chinese AI App DeepSeek Limits Registrations Amid Cyberattacks

President Trump last week issued a flurry of executive orders that upended a number of government initiatives focused on improving the nation's cybersecurity posture. The president fired all advisors from the Department of Homeland Security's Cyber Safety Review Board, called for the creation of a strategic cryptocurrency reserve, and voided a Biden administration action that sought to reduce the risks that artificial intelligence poses to consumers, workers and national security.

Image: Shutterstock. Greg Meland.

**President Trump** last week issued a flurry of executive orders that upended a number of government initiatives focused on improving the nation’s cybersecurity posture. The president fired all advisors from the Department of Homeland Security’s Cyber Safety Review Board, called for the creation of a strategic cryptocurrency reserve, and voided a Biden administration action that sought to reduce the risks that artificial intelligence poses to consumers, workers and national security.

On his first full day back in the White House, Trump dismissed all 15 advisory committee members of the Cyber Safety Review Board (CSRB), a nonpartisan government entity established in February 2022 with a mandate to investigate the causes of major cybersecurity events. The CSRB has so far produced three detailed reports, including an analysis of the Log4Shell vulnerability crisis, attacks from the cybercrime group LAPSUS$, and the 2023 Microsoft Exchange Online breach.

The CSRB was in the midst of an inquiry into cyber intrusions uncovered recently across a broad spectrum of U.S. telecommunications providers at the hands of Chinese state-sponsored hackers. One of the CSRB’s most recognizable names is **Chris Krebs** (no relation), the former director of the **Cybersecurity and Infrastructure Security Agency** (CISA). Krebs was fired by President Trump in November 2020 for declaring the presidential contest was the most secure in American history, and for refuting Trump’s false claims of election fraud.

South Dakota Governor **Kristi Noem**, confirmed by the U.S. Senate last week as the new director of the DHS, criticized CISA at her confirmation hearing, _TheRecord_ reports.

Noem told lawmakers CISA needs to be “much more effective, smaller, more nimble, to really fulfill their mission,” which she said should be focused on hardening federal IT systems and hunting for digital intruders. Noem said the agency’s work on fighting misinformation shows it has “gotten far off mission” and involved “using their resources in ways that was never intended.”

“The misinformation and disinformation that they have stuck their toe into and meddled with, should be refocused back onto what their job is,” she said.

**Moses Frost**, a cybersecurity instructor with the SANS Institute, compared the sacking of the CSRB members to firing all of the experts at the **National Transportation Safety Board** (NTSB) while they’re in the middle of an investigation into a string of airline disasters.

“I don’t recall seeing an ‘NTSB Board’ being fired during the middle of a plane crash investigation,” Frost said in a recent SANS newsletter. “I can say that the attackers in the phone companies will not stop because the review board has gone away. We do need to figure out how these attacks occurred, and CISA did appear to be doing some good for the vast majority of the federal systems.”

Speaking of transportation, _The Record_ notes that Transportation Security Administration chief **David Pekoske** was fired despite overseeing critical cybersecurity improvements across pipeline, rail and aviation sectors. Pekoske was appointed by Trump in 2017 and had his 5-year tenure renewed in 2022 by former President Joe Biden.

**AI & CRYPTOCURRENCY**

Shortly after being sworn in for a second time, Trump voided a Biden executive order that focused on supporting research and development in artificial intelligence. The previous administration’s order on AI was crafted with an eye toward managing the safety and security risks introduced by the technology. But a statement released by the White House said Biden’s approach to AI had hindered development, and that the United States would support AI systems that are “free from ideological bias or engineered social agendas,” to maintain leadership.

The Trump administration issued its own executive order on AI, which calls for an “AI Action Plan” to be led by the assistant to the president for science and technology, the White House “AI & crypto czar,” and the national security advisor. It also directs the White House to revise and reissue policies to federal agencies on the government’s acquisition and governance of AI “to ensure that harmful barriers to America’s AI leadership are eliminated.”

Trump’s AI & crypto czar is **David Sacks**, an entrepreneur and Silicon Valley venture capitalist who argues that the Biden administration’s approach to AI and cryptocurrency has driven innovation overseas. Sacks recently asserted that non-fungible cryptocurrency tokens and memecoins are neither securities nor commodities, but rather should be treated as “collectibles” like baseball cards and stamps.

There is already a legal definition of collectibles under the U.S. tax code that applies to things like art or antiques, which can be subject to high capital gains taxes. But **Joe Hall**, a capital markets attorney and partner at Davis Polk, told _Fortune_ there are no market regulations that apply to collectibles under U.S. securities law. Hall said Sacks’ comments “suggest a viewpoint that it would not be appropriate to regulate these things the way we regulate securities.”

The new administration’s position makes sense considering that the Trump family is deeply and personally invested in a number of recent memecoin ventures that have attracted billions from investors. President Trump and First Lady Melania Trump each launched their own vanity memecoins this month, dubbed **$TRUMP** and **$MELANIA**.

_The Wall Street Journal_ reported Thursday the market capitalization of $TRUMP stood at about $7 billion, down from a peak of near $15 billion, while $MELANIA is hovering somewhere in the $460 million mark. Just two months before the 2024 election, Trump’s three sons debuted a cryptocurrency token called **World Liberty Financial**.

Despite maintaining a considerable personal stake in how cryptocurrency is regulated, Trump issued an executive order on January 23 calling for a working group to be chaired by Sacks that would develop “a federal regulatory framework governing digital assets, including stablecoins,” and evaluate the creation of a “strategic national digital assets stockpile.”

Translation: Using taxpayer dollars to prop up the speculative, volatile, and highly risky cryptocurrency industry, which has been marked by endless scams, rug-pulls, 8-figure cyber heists, rampant fraud, and unrestrained innovations in money laundering.

**WEAPONIZATION & DISINFORMATION**

Prior to the election, President Trump frequently vowed to use a second term to exact retribution against his perceived enemies. Part of that promise materialized in an executive order Trump issued last week titled “Ending the Weaponization of the Federal Government,” which decried “an unprecedented, third-world weaponization of prosecutorial power to upend the democratic process,” in the prosecution of more than 1,500 people who invaded the U.S. Capitol on Jan. 6, 2021.

On Jan. 21, Trump commuted the sentences of several leaders of the Proud Boys and Oath Keepers who were convicted of seditious conspiracy. He also issued “a full, complete and unconditional pardon to all other individuals convicted of offenses related to events that occurred at or near the United States Capitol on January 6, 2021,” which include those who assaulted law enforcement officers.

The New York Times reports “the language of the document suggests — but does not explicitly state — that the Trump administration review will examine the actions of local district attorneys or state officials, such as the district attorneys in Manhattan or Fulton County, Ga., or the New York attorney general, all of whom filed cases against President Trump.”

Another Trump order called “Restoring Freedom of Speech and Ending Federal Censorship” asserts:

“Over the last 4 years, the previous administration trampled free speech rights by censoring Americans’ speech on online platforms, often by exerting substantial coercive pressure on third parties, such as social media companies, to moderate, deplatform, or otherwise suppress speech that the Federal Government did not approve,” the Trump administration alleged. “Under the guise of combatting ‘misinformation,’ ‘disinformation,’ and ‘malinformation,’ the Federal Government infringed on the constitutionally protected speech rights of American citizens across the United States in a manner that advanced the Government’s preferred narrative about significant matters of public debate.”

Both of these executive orders have potential implications for security, privacy and civil liberties activists who have sought to track conspiracy theories and raise awareness about disinformation efforts on social media coming from U.S. adversaries.

In the wake of the 2020 election, Republicans created the **House Judiciary Committee’s Select Subcommittee on the Weaponization of the Federal Government**. Led by GOP **Rep. Jim Jordan** of Ohio, the committee’s stated purpose was to investigate alleged collusion between the Biden administration and tech companies to unconstitutionally shut down political speech.

The GOP committee focused much of its ire at members of the short-lived Disinformation Governance Board, an advisory board to DHS created in 2022 (the “combating misinformation, disinformation, and malinformation” quote from Trump’s executive order is a reference to the board’s stated mission). Conservative groups seized on social media posts made by the director of the board, who resigned after facing death threats. The board was dissolved by DHS soon after.

In his first administration, President Trump created a special prosecutor to probe the origins of the FBI’s investigation into possible collusion between the Trump campaign and Russian operatives seeking to influence the 2016 election. Part of that inquiry examined evidence gathered by some of the world’s most renowned cybersecurity experts who identified frequent and unexplained communications between an email server used by the **Trump Organization** and **Alfa Bank**, one of Russia’s largest financial institutions.

Trump’s Special Prosecutor **John Durham** later subpoenaed and/or deposed dozens of security experts who’d collected, viewed or merely commented on the data. Similar harassment and deposition demands would come from lawyers for Alfa Bank. Durham ultimately indicted **Michael Sussman**, the former federal cybercrime prosecutor who reported the oddity to the FBI. Sussman was acquitted in May 2022. Last week, Trump appointed Durham to lead the U.S. attorney’s office in Brooklyn, NY.

**Quinta Jurecic** at _Lawfare_ notes that while the executive actions are ominous, they are also vague, and could conceivably generate either a campaign of retaliation, or nothing at all.

“The two orders establish that there will be investigations but leave open the questions of what kind of investigations, what will be investigated, how long this will take, and what the consequences might be,” Jurecic wrote. “It is difficult to draw firm conclusions as to what to expect. Whether this ambiguity is intentional or the result of sloppiness or disagreement within Trump’s team, it has at least one immediate advantage as far as the president is concerned: generating fear among the broad universe of potential subjects of those investigations.”

On Friday, Trump moved to fire at least 17 inspectors general, the government watchdogs who conduct audits and investigations of executive branch actions, and who often uncover instances of government waste, fraud and abuse. Lawfare’s **Jack Goldsmith** argues that the removals are probably legal even though Trump defied a 2022 law that required congressional notice of the terminations, which Trump did not give.

“Trump probably acted lawfully, I think, because the notice requirement is probably unconstitutional,” Goldsmith wrote. “The real bite in the 2022 law, however, comes in the limitations it places on Trump’s power _to replace_ the terminated IGs—limitations that I believe are constitutional. This aspect of the law will make it hard, but not impossible, for Trump to put loyalists atop the dozens of vacant IG offices around the executive branch. The ultimate fate of IG independence during Trump 2.0, however, depends less on legal protections than on whether Congress, which traditionally protects IGs, stands up for them now. Don’t hold your breath.”

Among the many Biden administration executive orders revoked by President Trump last week was an action from December 2021 establishing the **United States Council on Transnational Organized Crime**, which is charged with advising the White House on a range of criminal activities, including drug and weapons trafficking, migrant smuggling, human trafficking, cybercrime, intellectual property theft, money laundering, wildlife and timber trafficking, illegal fishing, and illegal mining.

So far, the White House doesn’t appear to have revoked an executive order that former President Biden issued less than a week before President Trump took office. On Jan. 16, 2025, Biden released a directive that focused on improving the security of federal agencies and contractors, and giving the government more power to sanction the hackers who target critical infrastructure.

A Tumultuous Week for Federal Cybersecurity Efforts

Subaru STARLINK flaw exposed a critical security vulnerability, enabling unauthorized access to vehicle tracking, remote control, and sensitive…

Subaru STARLINK flaw exposed a critical security vulnerability, enabling unauthorized access to vehicle tracking, remote control, and sensitive customer data.

A vulnerability was recently discovered by cybersecurity researchers Shubham Shah and Sam Curry in Subaru’s STARLINK-connected vehicle system, enabling them to remotely start, stop, and track vehicles. The vulnerability in Subaru’s Starlink in-vehicle service, allowed attackers to remotely control and track connected vehicles. 

The vulnerability, an arbitrary account takeover flaw in the Starlink admin portal, enabled the duo to compromise a Subaru employee account. This flaw could let them target vehicles and customer accounts across the United States, Canada, and Japan.

Exploiting this flaw, Curry and Shah could gain unauthorized access to sensitive customer and vehicle data, and even remotely control targeted vehicles. According to a blog post published by researchers, the issue originated from a flaw in the Subaru STARLINK admin portal, a system intended for employee use.

This portal had a critical vulnerability that allowed attackers to reset employee passwords without requiring any confirmation. This meant that by simply knowing an employee’s email address, an attacker could gain access to their account.

> _“It appeared that there was a “resetPassword.json” endpoint that would reset employees’ accounts without a confirmation token. If this worked how it was written in the JavaScript, then an attacker could simply enter any valid employee email and take over their account.”_
> 
> Sam Curry

Researchers further bypassed two-factor authentication (2FA) by manipulating the website’s code, effectively disabling the security measure. With unauthorized access to the admin portal, the researchers demonstrated the ability to, start, stop, lock, and unlock any Subaru vehicle, and access a year’s worth of detailed location history for any vehicle, including stops and engine starts, providing precise locations with updates every time the engine started. 

Furthermore, they could retrieve the personal information of any customer, including contact details, addresses, billing information (partially masked), and vehicle PINs. They could also add themselves as authorized users to other vehicles, effectively taking control of them without the owner’s knowledge.

Researchers reported this vulnerability to Subaru on November 20, 2024, and the company in response promptly addressed the issue, patching it within 24 hours. The findings were publicly disclosed on January 23, 2025.

****Previous Hacks by the Duo****

Sam Curry and Shubham Shah are well-known for their creative and innovative methods of uncovering security vulnerabilities and responsibly disclosing them to companies.

One of their notable discoveries involved exploiting vulnerabilities in the globally used Points.com loyalty system. This flaw allowed unauthorized access to sensitive user data, including names, addresses, email addresses, phone numbers, and transaction details.

In December 2022, Sam Curry identified a critical app flaw that compromised Honda and Nissan vehicles through their VINs. Attackers could exploit this vulnerability to unlock doors, honk horns, and flashlights, and even start the vehicle remotely.

In September 2024, Sam Curry and three other security researchers found a way to control Kia vehicles by exploiting vulnerabilities linked to their license plates.

1.  **How Hackers Can Remotely Unlock/Start Honda Cars**
2.  **Cybercriminals Exploit CAN Injection Hack to Steal Cars**
3.  **Critical Intel chip flaw left cars and IoT devices vulnerable**
4.  **Self-driving cars can be fooled by displaying virtual objects**
5.  **Tesla cars can be remotely hacked using drone, WIFI dongle**

Tag

#intel