Companies are showing customers different prices for the same goods and services based what data they have on them, including details like their precise location or browser history.

Companies are showing customers different prices for the same goods and services based what data they have on them, including details like their precise location or browser history.

The name for this method is surveillance pricing, and the FTC has just released initial findings of a report looking into that practice. In July 2024, the FTC requested information from eight companies offering surveillance pricing products and services that incorporate data about consumers’ characteristics and behavior.

The goal was to get a better understanding of the “shadowy market” that third-party intermediaries use to set individualized prices for products and services based on consumers’ characteristics and behaviors, like location, demographics, browsing patterns, and shopping history.

Speaking to staff at these firms, the FTC found that behaviors ranging from mouse movements on a webpage to the type of products that consumers leave in an online shopping cart without clicking Buy can be tracked and used by retailers to tailor consumer pricing.

The intermediaries claimed they used advanced algorithms, artificial intelligence, and other technologies, along with personal information about consumers to determine targeted prices.

FTC chair Lina M. Khan said:

>  “Americans deserve to know whether businesses are using detailed consumer data to deploy surveillance pricing, and the FTC’s inquiry will shed light on this shadowy ecosystem of pricing middlemen.”

The first priorities to investigate are:

*   The types of products and services engaged in surveillance pricing
*   Data sources and who collected them
*   Who the potential customers are
*   How surveillance pricing impacted the prices offered to these customers.

This is nothing new, we’ve seen numerous times that insurance companies are very interested in our lifestyle and will happily charge more or even refuse to take us in as customers if they think we’re too much of a risk.

But, needless to say, surveillance pricing can have serious consequences, not only for our privacy, but also for fair competition and for consumer protection.

Probably the most shocking thing is the type of information that could be involved. The FTC notes that some of these companies even created lists of people suffering from diseases for the purpose of targeting them with offers for ineffective or worthless cures. This makes the introduction of a bill saying data brokers should stop trading health and location data perfectly understandable.

**What can you do?**

When it comes to sharing data online, we’ve all heard someone say, “What’s the big deal when I have nothing to hide?”

Well, this is exactly the deal: By exposing their private data online, they might well end up with companies charging them more. It’s a no brainer that we should all be sharing as little as possible. Here’s how:

*   Limit what you share on social media as much as possible, and try to keep personal data out of photos and written posts
*   Only tell companies the information that they need for the service or product they’re providing. Use false information as much as possible
*   If you are asked to share your location data with an app and there’s no clear reason why you might need to, deny the app that permission
*   If you have to share your location—for example, when using a map app—choose the “Allow only while using the app” option, so that it will be unable to continuously track your location and movement
*   Read privacy policies, however boring they are. Understand how the company will be using your data
*   Block web tracking wherever you can. Malwarebytes Browser Guard automatically declines the cookie consent banners you see on websites, opting you out of data collection performed by tracking cookies (and it’s free).

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Your location or browsing habits could lead to price increases when buying online 

As the digital world becomes more complicated, the lines between national security and cybersecurity are starting to fade. Recent cyber sanctions and intelligence moves show a reality where malware and fake news are used as tools in global politics. Every cyberattack now seems to have deeper political consequences. Governments are facing new, unpredictable threats that can't be fought with

⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [20 January]

Sneaky 2FA: New Phishing-as-a-Service targets Microsoft 365, leveraging sophisticated evasion techniques and a Telegram-based platform to steal credentials.…

Sneaky 2FA: New Phishing-as-a-Service targets Microsoft 365, leveraging sophisticated evasion techniques and a Telegram-based platform to steal credentials.

In December 2024, during routine threat hunting activities, Sekoia.io uncovered a new Adversary-in-the-Middle (AiTM) phishing kit specifically targeting Microsoft 365 accounts. This phishing kit, dubbed Sneaky 2FA, has been circulating since at least October 2024, with potential compromises identified through Sekoia.io telemetry.

Further probing revealed that Sneaky 2FA is being offered as a Phishing-as-a-Service (PhaaS) by the cybercrime service “Sneaky Log,” which operates through a fully-featured bot on Telegram.

The modus operandi of the entire campaign includes customers receiving access to a licensed and obfuscated source code version, allowing them to independently deploy phishing pages, typically hosted on compromised infrastructure, frequently involving WordPress websites and other domains controlled by the attackers.

Sneaky 2FA’s on Telegram and blurred background images that it uses (Via Sekoia)

In addition, the Sneaky 2FA phishing kit incorporates elements from the W3LL Panel OV6, another AiTM phishing kit previously reported by Group-IB. This connection suggests a possible lineage and development within the cybercriminal infrastructure.

****Characteristics of Sneaky 2FA****

According to Sekoia’s report, the Sneaky 2FA phishing kit employs several techniques to evade detection and enhance its success. It utilizes URL patterns, such as “mysilverfox.commy/00/#victimexamplecom,” to automatically prefill the phishing page with the victim’s email address.

These phishing URLs are generated using 150 alphanumeric characters, followed by the path /index, /verify, and /validate. This pattern offers opportunities for tracking. Most customers deploy the server in a dedicated repository, named /auth/ by default.

To further enhance its stealth, Sneaky 2FA integrates anti-bot and anti-analysis features. Cloudflare Turnstile pages are employed to differentiate human users from bots. These pages often present seemingly benign content before loading the actual challenge. Additionally, the phishing kit incorporates anti-debugging techniques to hinder analysis using web browser developer tools.  

The phishing pages themselves utilize a variety of obfuscation methods, including HTML and JavaScript code obfuscation, the embedding of text as images, and the inclusion of junk data within the HTML code. These techniques aim to make phishing pages more difficult to detect by security tools.

****Sneaky Log’s Operations****

The Sneaky Log service operates through a sophisticated Telegram bot that allows customers to purchase the phishing kit, manage subscriptions, and receive support. The bot offers a user-friendly interface and supports multiple cryptocurrency payment options, including Bitcoin, Ethereum, and Tether.  

Analysis of cryptocurrency transactions revealed potential money laundering activities, with users instructed to pay a 10% premium and subsequent transfers occurring between various addresses.

****Detection and Tracking Opportunities****

Detecting Sneaky 2FA attacks can be achieved by analysing authentication logs for anomalies. The phishing kit utilizes inconsistent User-Agent strings for different stages of the authentication process, which can be identified as “impossible device shifts” and flagged as suspicious activity.  Furthermore, the analysis of phishing page URLs, including patterns and domain registrations, can help track and identify campaigns associated with Sneaky 2FA.

Sneaky 2FA is a growing threat in Microsoft 365 phishing attacks, offering sophisticated features and a user-friendly PhaaS platform. To mitigate risks, organizations must continuously monitor and share threat intelligence apart from improving cybersecurity measures.

Stephen Kowski, Field CTO at Pleasanton, Calif.-based SlashNext Email Security+ commented on this urging Microsoft 365 to remain alert. _“_This kit’s ‘sneaky’ aspects include its sophisticated ability to populate victim email addresses automatically, its evasion of detection through Cloudflare Turnstile challenges, and its clever redirection of security tools to Wikipedia pages._“_

_“_The kit is a full-featured PhaaS platform with real-time credential and session cookie theft capabilities, making it particularly dangerous for Microsoft 365 environments,_“_ Stephen warned. _“_Protection requires phishing-resistant authentication methods like FIDO2/WebAuthn, real-time URL scanning at the time of click that completely bypasses Cloudflare Turnstile protection and proactive detection of newly registered phishing domains before they become active threats._“_

1.  **Malware Bypasses MS Defender, 2FA to Steal $24K in Crypto**
2.  **Rockstar 2FA Phishing-as-a-Service Kit Hits MS 365 Accounts**
3.  **Dark Web Anti-Bot Services Let Phishers Bypass Google’s Red Page**
4.  **New Telekopye Scam Toolkit Targeting Booking.com and Airbnb Users**
5.  **Malware Exploits Avast Anti-Rootkit Driver to Disable Security Software**

Telegram-Based “Sneaky 2FA” Phishing Kit Targets Microsoft 365 Accounts

Confidential Containers (CoCo) are containers deployed within an isolated hardware enclave protecting data and code (data in use) from privileged users such as cloud administrators. Red Hat OpenShift confidential containers are available from OpenShift sandboxed containers 1.7.0 as a tech-preview on Azure cloud and as a tech-preview on Azure Red Hat OpenShift.In this article we introduce confidential containers on bare metal which is now available as a preview using Assisted Installer for OpenShift. We cover a number of use cases for CoCo bare metal, explain how it works with different trusted

Confidential Containers **(CoCo)** are containers deployed within an isolated hardware enclave protecting data and code (data in use) from privileged users such as cloud administrators. Red Hat OpenShift confidential containers are available from OpenShift sandboxed containers 1.7.0 as a tech-preview on Azure cloud and as a tech-preview on Azure Red Hat OpenShift.

In this article we introduce confidential **containers on bare metal** which is now available as a preview using Assisted Installer for OpenShift. We cover a number of use cases for CoCo bare metal, explain how it works with different trusted execution environment (TEE) technologies (Intel TDX and AMD SEV-SNP) and third party attestation services such as Intel Trust Authority (ITA). We provide a high level overview of how this solution is deployed today, using an on-premises environment as an example. Additionally we briefly discuss the future roadmap and known issues in this preview release. 

We finish up with a demonstration of deploying CoCo bare metal and using it with Red Hat OpenShift AI.

**OpenShift confidential containers for bare metal **

The OpenShift confidential containers solution is based on deploying 2 operators:

*   OpenShift sandboxed containers operator—based on the Kata Containers open source project running pods inside virtual machines (VMs) for isolation workloads. This operator has been enhanced to also support the CNCF Confidential Containers (CoCo) open source project when deployed in environments that support **TEE** infrastructure such as Intel TDX and AMD SEV-SNP. For simplicity we refer to this operator in diagrams as “**OpenShift confidential containers**.”
*   Confidential compute attestation operator—based on the Trustee project (also part of the CNCF CoCo open source project) providing remote attestation capability. It’s responsible for performing the attestation operations and delivering secrets after successful attestation. A key point for this operator is to be deployed in a **trusted environment**

For additional details on the building blocks each operator consists of, their interaction and the key problems they solve (workload secret, signed container image, encrypted container image), we recommend reading Exploring the OpenShift confidential containers solution and Use cases and ecosystem for OpenShift confidential containers.

In this article our starting point is the following diagram showing the overall OpenShift confidential containers deployed for secrets retrieval by the workload use case: 

CoCo integrates TEE infrastructure with the cloud-native world. A TEE is at the heart of a confidential computing solution. TEEs are isolated environments with enhanced security (e.g. runtime memory encryption, integrity protection), provided by confidential computing-capable hardware. A special **virtual machine (VM)** called a **confidential virtual machine (CVM)** that executes inside the TEE is the foundation for OpenShift CoCo solution.

For CoCo bare metal, our focus is around TEEs provided by Intel TDX and AMD SEV-SNP.

The primary driver for CoCo bare metal solution has been for on-prem environments.

**CoCo bare metal business use cases for on-prem environments**

Whether to use CoCo on-prem or CoCo public cloud depends on the **area of trust to be established:**

*   **Public cloud is useful when a zone of trust between two or more partners in an untrusted area is required**
*   **On-prem is useful when increased isolation from other services is required**— deploying a workload which must be run inside of a company's trusted environment in order to give partners a safe haven. In this case, the company deploying the workload provides the servers and the host systems. Therefore, this environment usually consists of bare metal installations. The purpose here is to provide an extra level of security to either partners or (internal/external) customers within an on-prem datacenter

Let's look at some actual CoCo on-prem business use cases.

**IP protection / IP integrity**

Let's say a supplier is interested in providing a service to a customer. This service includes running workloads in the customer’s environment, and these workloads include proprietary business logic the supplier owns (its secret sauce).

By using confidential containers, the supplier can run its workloads in the customer’s on-prem environment and still protect its business logic from the customer even though the customer has full control of the on-prem environment. And with the use of a confidential container and its use of a CVM allows for further isolation of that workload from the rest of the datacenter infrastructure.

**Total tenant isolation / Service provider**

From talking to several public organizations, we've found that consolidating OpenShift services on a central infrastructure helps solve several problems. This includes reducing the number of administrators and providing dynamic load balancing between the tenants with higher utilization. This does, however, reduce the isolation between the different tenants, which many organizations are not comfortable with. Such organizations require a strict separation between the OpenShift tenants to better prevent data leaks.

With confidential computing we are able to deploy all OpenShift services shared between tenants as confidential objects, helping prevent unauthorized tenants or users from obtaining the confidential data in use. This makes it possible for additional organizations to move to these consolidated services.

Aside from public organizations, specialized service providers (focusing on specific industries such as financial services) are also interested in a similar solution. We have seen use cases where a specialized service provider acts like a public cloud provider for their clients. In order to do this, they need to provide an environment to their customers while maintaining the isolation of each customer and adhering to regulations and laws.

**Advanced use cases**

We are seeing traction on two additional use cases for CoCo on public cloud and CoCo on-prem: **support for confidential GPUs** and **secure cloud-bursting deployments**.

For additional information on those use cases we recommend reading our previous articles on secure cloud bursting and CoCo with confidential GPUs for AI workloads.

**CoCo and third party attestation solutions**

As we are concentrating on deploying the solution in an on-prem bare metal environment, the importance of remote attestation remains. The confidential compute attestation operator provides the remote attestation functionality. It has built-in support for Intel TDX and AMD SEV-SNP TEEs. Additionally, it can work with external third-party attestation services.

**Working with external attestation services**

The confidential compute attestation operator can also use external attestation services (AS) supported by Trustee as shown in the following diagram: 

As you can see, instead of Trustee providing the attestation service, it’s relying on an external attestation service. 

The value that the confidential compute attestation operator brings for such deployments is the abstraction of third-party attestation services from OpenShift confidential containers. The same interfaces are used between the Trustee agent and key broker service (KBS) regardless of the backend attestation service being used.

**Intel Trust Authority for OpenShift attestation **

The Trustee project supports Intel Trust Authority (ITA) providing attestation services for Intel TDX, AMD SEV-SNP and accelerated compute infrastructure such as those provided by NVIDIA. The confidential compute attestation operator now provides support for using ITA in OpenShift clusters: 

The following diagram shows how the different components we’ve described come together when using Intel TDX and ITA: 

It should be noted that similar to Trustee working with external attestation servers, it can work with external key managers as explained in this article. 

**Deploying CoCo bare metal**

The CoCo bare metal deployment relies on the following parts:

*   Assisted Installer for OpenShift—used for deploying OpenShift along with the **OpenShift sandboxed containers (OSC)** operator which includes OpenShift confidential containers support
*   Attestation operator install helper—helper script to install and configure confidential compute attestation operator
*   Confidential container install helper—helper script for setting up CoCo on bare metal OpenShift worker nodes using the OSC operator

**Assisted installer for installing OSC**

Assisted installer for OpenShift is a user-friendly installation solution offered on the Red Hat Hybrid Cloud Console. We leverage it for deploying OSC on bare metal servers. 

The following diagram shows how to choose the OpenShift sandboxed containers operator via Assisted installer:

**Attestation operator install helper**

In the general case, there are a number of deployment considerations that should be addressed when deciding where to deploy the attestation operator:

*   How do you bootstrap, verify and trust the TEE in an untrusted environment?
*   What are the components of your trusted environment?
*   What are the workload (pod) requirements when deployed in the TEE environment?

These questions relate to the topic of **Trusted Computing Base (TCB)** which includes hardware, firmware and software components for the CoCo solution and should be constructed when deploying the OpenShift CoCo solution. For additional details on this topic, we recommend reading Deployment considerations for Red Hat OpenShift Confidential Containers solution.

For simplicity, when testing and experimenting, we recommend installing this operator on the same bare metal deployment where your OpenShift cluster has been installed.

The install helper script takes care of deploying and configuring the confidential compute attestation operator.

**Confidential container install helper**

Once your OSC operator and confidential compute attestation operator have been installed, this script will take care everything else you require, including:

*   Deploying on Intel TDX machines
*   Deploying on AMD SEV-SNP machines
*   Etc

**Future releases and consolidation on assisted installer**

As the CoCo bare metal releases progress, we expect to gradually move all additional steps described here (confidential compute attestation operator and CoCo helper script) into an assisted installer to help simplify deployment.

**Current limitations**

*   Self-signed certificate authority (CA) certificates for the container registry are not supported, so the container registry must use public CA signed certificates. This is important if you are using private registries. Container registries like quay.io, ghcr.io, hub.docker.com, etc. use public CA signed certificates and we recommend using any of these container registries for this release
*   There is no support for encrypted container images while signed container images are supported
*   Container image double pull—the container image is downloaded and executed inside the confidential VM that executes inside the TEE. Currently, this container image is also downloaded on the worker node

**Demo: CoCo bare metal and Red Hat OpenShift AI**

**Wrap up**

In this article we introduced the confidential containers bare metal solution and some of the use cases it addresses, specifically for on-prem environments. We’ve also provided a short overview of how it’s deployed in practice and have shown a video of using the CoCo bare metal for deploying OpenShift AI workloads. In upcoming articles we will provide hands-on instructions for trying out confidential containers on bare metal.

Introducing confidential containers on bare metal

Hacker IntelBroker claims to have breached Hewlett Packard Enterprise (HPE), exposing sensitive data like source code, certificates, and…

Hacker IntelBroker claims to have breached Hewlett Packard Enterprise (HPE), exposing sensitive data like source code, certificates, and PII, now available for sale online.

The notorious IntelBroker hacker along with their associates have claimed responsibility for breaching Hewlett Packard Enterprise (**HPE**), a Houston, TX, United States-based global company that provides technology solutions to businesses.

The hacker, who was previously linked to several high-profile data breaches, is now selling the allegedly stolen data, demanding payment in Monero (XML) cryptocurrency to remain anonymous and untraceable.

This was revealed to Hackread.com by the hacker himself and later announced on Breach Forums, a cybercrime and data breach forum administered by the hacker. In an exclusive conversation with Hackread.com, IntelBroker claimed that the breach was the result of a direct attack on HPE’s infrastructure and did not involve compromising a third party for access, as has been **common in recent attacks**.

****What’s in the Allegedly Stolen Data?****

IntelBroker also shared a data tree and two screenshots allegedly taken from the company’s internal infrastructure. The data tree, analyzed by Hackread.com, appears to reference a development or system environment involving both open-source software and proprietary package management systems.

Additionally, the hacker claims to have extracted sensitive data, including source code, private GitHub repositories, Docker builds, certificates (both private and public keys), product source code belonging to Zerto and iLO, user data such as old PII related to deliveries, and access to APIs, WePay, self-hosted GitHub repositories, and more.

IntelBroker on Breach Forums claiming Hewlett Packard Enterprise (HPE) breach Credit: Hackread.com

During Hackread.com’s initial analysis of the alleged data tree, several findings align with the hacker’s claims. The directory structure includes private keys and certificates, such as ca-signed.key and hpe_trusted_certificates.pem, suggesting possible exposure to sensitive cryptographic material.

Source code for HPE products like iLO and Zerto is present, with files such as ilo_client.py and zerto_bootstrapper.py hinting at leaked proprietary implementations. References to .github directories and .tar archives for private repositories further point to compromised development assets.

Additionally, the presence of files like VMW-esx-7.0.0-hpe-zertoreplication.zip and ZertoRunner.exe suggests the possible leak of compiled software packages and deployment files. If verified by HP, this could be a major security incident.

The following image combines two screenshots shared by the hacker, providing detailed insights into Hewlett Packard Enterprise’s internal systems. The first screenshot shared by the hacker shows details of Hewlett Packard Enterprise’s internal SignonService web service. The image displays the service’s endpoint address, WSDL link, and implementation class, potentially exposing sensitive infrastructure information.

The second screenshot reveals sensitive configuration details from Hewlett Packard Enterprise’s internal systems. The image exposes credentials for Salesforce and QIDs integrations, internal URLs for SAP S/4 HANA quoting services, and placeholder email addresses for error logging, potentially highlighting serious security vulnerabilities within HPE’s infrastructure.”

Credit: Hackread.com

****HPE and HP, What’s the Difference?****

While the names Hewlett-Packard Enterprise (HPE) and HP Inc. are often used interchangeably, they are two different companies with different focuses. In 2015, Hewlett-Packard **split** into two separate entities. HP Inc. continues to specialize in consumer products like laptops, desktops, and printers, while Hewlett-Packard Enterprise (HPE) focuses on providing enterprise-level IT solutions, including servers, storage, networking, and cloud computing.

Both companies are separate with independent ownership and management. The mention of this distinction is important, as the reported breach specifically targets HPE, not HP Inc.

****Right After the CICSO Incident****

Intel Broker is known for high-profile data breaches. In October 2024, the hacker announced **breaching Cisco** and stealing terabytes of data. Cisco later confirmed that the stolen data originated from a misconfigured, public-facing DevHub resource exposed without password protection, allowing hackers to download it.

In November 2024, the hackers claimed to have **breached Nokia** through a third-party contractor. The data was being sold for $20,000. The same hackers boasted about **breaching AMD** (Advanced Micro Devices, Inc.), and stealing employee and product information.

_This is a developing story. Hackread.com is closely monitoring the situation and will provide updates as new information becomes available. Stay tuned for further details._

1.  **Hacker Leak Over 10,000 DELL Employee Details**
2.  **Acer Data Breach: Hacker Sells 160GB of Stolen Data**
3.  **Dell Discloses Data Breach As Hacker Sells 49M User Data**
4.  **3 Billion National Public Data Records with SSNs Dumped Online**
5.  **Trello Data Breach: Hacker Dumps Personal Info of Millions of Users**
6.  **Hackers Steal Call and Text Records for “Nearly All” AT&T Customers  
    **

Hackers Claim Breach of Hewlett Packard Enterprise, Lists Data for Sale

Plus: New details emerge about China’s cyber espionage against the US, the FBI remotely uninstalls malware on 4,200 US devices, and victims of the PowerSchool edtech breach reveal what hackers stole.

As the Biden administration comes to a close, the White House released a 40-page executive order on Thursday aimed at shoring up federal cybersecurity protections and placing guardrails on the US government’s use of AI. WIRED also spoke with outgoing US ambassador for cyberspace and digital policy, Nathaniel Fick, about the urgency that the Trump administration not cow to Russia and China in the global race for technical dominance. Outgoing FCC chair Jessica Rosenworcel details to WIRED the threats facing US telecoms, at least nine of which were recently breached by China’s Salt Typhoon hackers. Meanwhile, US officials are still scrambling to get a handle on multiple espionage campaigns and other data breaches, with new revelations this week that a breach of AT&T disclosed last summer compromised FBI call and text logs that could reveal the identity of anonymous sources.

Huione Guarantee, the massive online marketplace that researchers say provides an array of services to online scammers, is expanding its offerings to include a messaging app, stablecoin, and crypto exchange and has facilitated a whopping $24 billion in transactions, according to new research. New findings indicate that GitHub’s efforts to crack down on the use of deepfake porn software are falling short. And WIRED did a deep dive into the opaque world of predictive travel surveillance and the companies and governments that are pumping data about international travelers into AI tools meant to detect people who might be a “threat.”

But wait, there's more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**US Names One of the Chinese Hackers Allegedly Behind Massive Salt Typhoon Intrusions**

China spies, the US spies, everybody spies. Mutual espionage is a geopolitical game played by virtually every nation in the world. So when the US government singles out a single hacker for espionage-focused intrusions, naming him and targeting him with sanctions, he must have spied aggressively—or effectively—enough to have made powerful people very angry.

The US Treasury on Friday imposed sanctions on Yin Kecheng, a 39-year old Chinese man accused of being involved in both the breach of nine US telecommunications companies carried out by the Chinese hacker group known as Salt Typhoon, as well as another recent breach of the US Treasury. In a statement about the news, Treasury alleges that Yin is affiliated with China’s Ministry of State Security and has been a “cyber actor” for over a decade. It also imposed sanctions on Sichuan Juxinhe Network Technology, a company that Treasury says is also associated with Salt Typhoon.

Salt Typhoon’s breach of US telecoms gave Chinese hackers enormous access to the real-time texts and phone calls of Americans, and was reportedly used to spy on president-elect Donald Trump and vice president-elect JD Vance, among other targets. FBI director Christopher Wray has called the telecom breaches China’s "most significant cyberespionage campaign in history.”

**China’s Silk Typhoon Hackers Targeted Sanctions and Intelligence in Treasury Breach**

As the Treasury hits back at China’s spy operations, it’s also still working to determine the scope of the intrusion some of those same hackers carried out inside its network. An internal Treasury report obtained by Bloomberg found that hackers had penetrated at least 400 of the agency’s PCs and stolen more than 3,000 files in a recent breach. The espionage-focused intrusion appears to have gone after sanctions and law-enforcement related information, the report found, as well as other intelligence materials. Despite that vast access, the intruders didn’t gain access to Treasury’s emails or classified portions of its network, the report states, nor did they leave behind malware that would suggest an attempt at maintaining longer-term access.

**FBI Uninstalls Chinese PlugX Malware From Thousands of Machines**

The Justice Department revealed this week that the FBI carried out an operation to delete a specimen of malware known as PlugX from 4,200 computers around the world. The malware, which was typically transmitted to computers via infected USB drives, has persisted for at least a decade and been used at times by Chinese state-sponsored hacker groups to target Chinese dissidents. In July of last year, cybersecurity firm Sekoia and French law enforcement took over the command-and-control server behind the malware. This week, the FBI obtained a court order that allowed the bureau to send a self-destruct command to the software on infected machines.

**Victims of “PowerSchool” Edtech Data Breach Say “All” of Their Student and Teacher Info Was Stolen**

After news earlier this week of a cyberattack in December that breached the US education technology platform PowerSchool, school districts targeted in the intrusion told TechCrunch on Thursday that attackers gained access to “all” stored student and teacher data in their accounts. PowerSchool is used by more than 60 million K-12 students in the US. Hackers gained access to the information by stealing login credentials that gave them access to the company’s customer support portal. The attack has not yet been publicly linked to a specific perpetrator. PowerSchool has not yet disclosed the exact number of victim schools nor whether all of its customers were affected.

US Names One of the Hackers Allegedly Behind Massive Salt Typhoon Breaches

The propensity for users to enter customer data, source code, employee benefits information, financial data, and more into ChatGPT, Copilot, and others is racking up real risk for enterprises.

Source: Marcos Alvarado via Alamy Stock Photo

A wide spectrum of data is being shared by employees through generative AI (GenAI) tools, researchers have found, legitimizing many organizations' hesitancy to fully adopt AI practices.

Every time a user enters data into a prompt for ChatGPT or a similar tool, the information is ingested into the service's LLM data set as source material used to train the next generation of the algorithm. The concern is that the information could be retrieved at a later date via savvy prompts, a vulnerability, or a hack, if proper data security isn't in place for the service.

That's according to researchers at Harmonic, who analyzed thousands of prompts submitted by users into GenAI platforms such as Microsoft, Copilot, OpenAI ChatGPT, Google Gemini, Anthropic's Clause, and Perplexity. In their research, they discovered that though in many cases employee behavior in using these tools was straightforward, such as wanting to summarize a piece of text, edit a blog, or some other relatively simple task, there were a subset of requests that were much more compromising. In all, 8.5% of the analyzed GenAI prompts included sensitive data, to be exact.

**Customer Data Most Often Leaked to GenAI**

The sensitive data that employees are sharing often falls into one of five categories: customer data, employee data, legal and finance, security, and sensitive code, according to Harmonic.

Customer data holds the biggest share of sensitive data prompts, at 45.77%, according to the researchers. An example of this is when employees submit insurance claims containing customer information into a GenAI platform to save time in processing claims. Though this might be effective in making things more efficient, inputting this kind of private and highly detailed information poses a high risk of exposing customer data such as billing information, customer authentication, customer profile, payment transactions, credit cards, and more.

Employee data makes up 27% of sensitive prompts in Harmonic's study, indicating that GenAI tools are increasingly used for internal processes. This could mean performance reviews, hiring decisions, and even decisions regarding yearly bonuses. Other information that ends up being offered up for potential compromise includes employment records, personally identifiable information (PII), and payroll data.

Legal and finance information is not as frequently exposed, at 14.88%, however, when it is, it can lead to great corporate risk, according to the researchers. Unfortunately, when GenAI is used in these fields, it's for simple tasks such as spell checks, translation, or summarizing legal texts. For something so small, the consequences are incredibly high, risking a variety of data such as sales pipeline details, mergers and acquisition information, and financial data. 

Security information and security code each compose the smallest amount of leaked sensitive data, at 6.88% and 5.64%, respectively. However, though these two groups fall short compared to those previously mentioned, they are some of the fastest growing and most concerning, according to the researchers. Security data inputted into GenAI includes penetration test results, network configurations, backup plans, and more, providing exact guidelines and blueprints as to how bad actors can exploit vulnerabilities and take advantage of their victims. Code inputted into these tools could put technology companies at a competitive disadvantage, exposing vulnerabilities and allowing competitors to replicate unique functionalities.

**Balancing GenAI Cyber-Risk & Reward**

If the research shows that GenAI offers high-risk potential consequences, should businesses continue to use it? Experts say they might not have a choice.

"Organizations risk losing their competitive edge of if they expose sensitive data," said the researchers in the report. "Yet at the same time, they also risk losing out if they don't adopt GenAI and fall behind."

Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+, agrees. "Companies that don’t adopt generative AI risk losing significant competitive advantages in efficiency, productivity, and innovation as the technology continues to reshape business operations," he said in an emailed statement to Dark Reading. "Without GenAI, businesses face higher operational costs and slower decision-making processes, while their competitors leverage AI to automate tasks, gain deeper customer insights, and accelerate product development."

Others, however, disagree that GenAI is necessary, or that an organization needs any artificial intelligence at all.

"Utilizing AI for the sake of using AI is destined to fail," said Kris Bondi, CEO and co-founder of Mimoto, in an emailed statement to Dark Reading. "Even if it gets fully implemented, if it isn't serving an established need, it will lose support when budgets are eventually cut or reappropriated."

Though Kowski believes that not incorporating GenAI is risky, success can still be achieved, he notes.

"Success without AI is still achievable if a company has a compelling value proposition and strong business model, particularly in sectors like engineering, agriculture, healthcare, or local services where non-AI solutions often have greater impact," he said.

If organizations do want to pursue incorporating GenAI tools but want to mitigate the high risks that come along with it, the researchers at Harmonic have recommendations on how to best approach this. The first is to move beyond "block strategies" and implement effective AI governance, including deploying systems to track input into GenAI tools in real time, identifying what plans are in use and ensuring that employees are using paid plans for their work and not plans that use inputted data to train systems, gaining full visibility over these tools, sensitive data classification, creating and enforcing workflows, and training employees on best practices and risks of responsible GenAI use.

Employees Enter Sensitive Data Into GenAI Prompts Far Too Often

The stolen firewall data is thorough but more than 2 years old now, meaning that most organizations following even basic security practices face minimal risk, hopefully.

Source: JHVEPhoto via Alamy Stock Photo

Dated configuration data and virtual private network (VPN) credentials for 15,474 Fortinet devices have been posted for free to the Dark Web.

On Jan. 14, Fortinet disclosed a severe authentication bypass vulnerability in its FortiOS operating system and FortiProxy Web gateway, CVE-2024-55591. For a model of what the aftermath of such a vulnerability could look like, one need only look to a parallel bug from October 2022 that's still making waves today.

Back then, Fortinet published an urgent security warning regarding CVE-2022-40684, an equivalent authentication bypass vulnerability affecting FortiOS, FortiProxy, and the autological FortiSwitchManager. Earning a "critical" 9.8 rating in the Common Vulnerability Scoring System (CVSS), it allowed any unauthenticated attacker to perform administrative operations on vulnerable devices via specially crafted HTTP requests. In the wake of that disclosure, security researchers developed a proof-of-concept (PoC) exploit, a template for scanning for vulnerable devices, and watched as exploitation attempts climbed and climbed.

On the same day CVE-2024-55591 was disclosed this week, a threat actor with the nom de guerre "Belsen Group" released data belonging to more than 15,000 Fortinet devices. In a blog post, the CloudSEK researchers who spotted it assessed that the data had been stolen thanks to CVE-2022-40684, likely when that bug was still a zero-day. Now, they wrote, "Once they exhausted its use for themselves (either by selling or using the access), the threat actor(s) decided to leak it in 2025."

Related:Extension Poisoning Campaign Highlights Gaps in Browser Security

**Possible Clues to Belsen Group's Origins**

"2025 will be a fortunate year for the world," the Belsen Group wrote in its post to the cybercrime site BreachForums (while conveniently omitting that its data had been gathered more than two years ago). The 1.6GB file it dumped on its onion website is accessible free of charge, and organized neatly in folders first by country, then by IP address and firewall port number.

Affected devices appear to be spread across every continent, with the highest concentration in Belgium, Poland, the US, and the UK, each with more than 20 victims.

On the flip side, security researcher Kevin Beaumont (aka GossiTheDog) noted in a blog post that every country in which Fortinet has a presence is represented in the data, except one: Iran, despite the fact that Shodan shows nearly 2,000 reachable Fortinet devices in that country today. Furthermore, there is just one affected device in the entirety of Russia, and technically it's in Ukraine's annexed Crimea region.

Related:Trend Micro and Intel Innovate to Weed Out Covert Threats

These points of data may be unimportant, or they may hold clues for attributing the Belsen Group. It appears to have popped up this month, though CloudSEK concluded "with high confidence" that it has been around for at least three years now, and that "They were likely part of a threat group that exploited a zero day in 2022, although direct affiliations have not been established yet."

**What's the Cyber-Risk?**

The leaked listings contain two types of folders. The first, "config.conf," contains affected device configurations: IP addresses, usernames and passwords, device management certificates, and all of the affected organization's firewall rules. This data was stolen via CVE-2022-40684. In the other folder, "vpn-password.txt," are SSL-VPN credentials. According to Fortinet, these credentials were sourced from devices via an even older path traversal vulnerability, CVE-2018-13379.

Though the data is all rather aged by now, Beaumont wrote, "Having a full device config including all firewall rules is … a lot of information." CloudSEK, too, cited the risk that leaked firewall configurations can reveal information about organizations' internal network structures that may still apply today.

Related:Zivver Report Reveals Critical Challenges in Email Security for 2025

Organizations also often don't cycle out usernames and passwords, allowing old ones to continue to cause problems. In examining a device included in the dump, Beaumont reported that the old authentications matched those still in use.

Fortinet, for its part, tried to quell concerns in a security analysis published on Jan. 16. "If your organization has consistently adhered to routine best practices in regularly refreshing security credentials and taken the recommended actions in the preceding years, the risk of the organization’s current config or credential detail in the threat actor's disclosure is small," it explained.

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

15K Fortinet Device Configs Leaked to the Dark Web

Explore how AI tools like OpenAI’s Sora face restrictions in Europe due to GDPR, with insights on bypassing…

Explore how AI tools like OpenAI’s Sora face restrictions in Europe due to GDPR, with insights on bypassing geo-restrictions and the impact on innovation and users.

Artificial intelligence tools are being widely integrated with many tools and activities as people begin noticing their benefits. The majority of companies around the world are using AI actively or exploring its use in some form. This means many startups and big corporations are actively testing new forms of AI and applying them to make life easier for everyone often except for Europe (in this article, don’t associate the word with continental Europe, as we discuss the circumstances within the European Union).

Many popular AI tools like OpenAI’s Sora and Meta AI are not available to European users. The main reasons behind their unavailability are due to regulatory frameworks and operational constraints. But does this mean European users are completely left out of using AI tools? Not really.

In this blog, we are going to look at why many new AI tools aren’t available in Europe and some tips to access them. 

****Bypassing The Geo-Restrictions****

AI tools are not available in Europe and the only way to access them is by using a strong proxy or third-party service. It can be quite surprising for people outside Europe to be denied access to popular AI tools since they are available elsewhere. For example, people from around the world, including Europe can use US-based proxies to get access to these platforms and enjoy using AI without any difficulties.

The proxy will act as a middleman between your device and the website and make it look like you are using the AI from the US itself. This not only improves accessibility but also has additional benefits of enhanced connection and improved security. This means businesses or even individuals who travel frequently and still require uninterrupted access to popular AI tools like Sora can use the help of proxies.

****Why Are AI Tools Restricted In Europe?****

Most AI tools are restricted in Europe due to the regulations the continent has, mainly in the form of the General Data Protection Regulation (GDPR). The GDPR ensures that all citizens and users within Europe are protected from unnecessary data tampering and misuse, but it also puts a heavy burden on tech companies. Since an AI platform requires data to be used for machine learning, the GDPR prevents tech companies from processing data in the traditional way which can harm the user’s privacy. This results in a delay in deploying the AI and hence the unavailability.

Take OpenAI’s Sora as an example. It has recently come into the news regarding its unavailability in Europe, and that is mainly due to compliance issues. Sora is a platform that uses advanced immersive AI to create hyper-realistic videos with simple prompts. This can create a revolution in terms of education and digital marketing. However, concerns regarding how the user data is collected, processed, and stored have delayed its deployment.

****What Europe Is Missing Out On****

With these restrictions, Europe is missing out on several advanced AI tools that are popular elsewhere. OpenAI’s Sora comes to mind first since it’s a relatively new AI that is available in most countries as of now and offers some hyper-realistic visuals with real-time prompts. Meta AI is also popular as it offers an entire suite for developers and consumers alike to enhance their social media experience and recommendations.

Some AI models are still available in Europe, like Jasper AI. The platform works similarly to ChatGPT but has more of a creative edge making it perfect for creative tasks like writing or brainstorming. JasperAI was initially unavailable due to GDPR laws, but after three years of continuous negotiations, the platform is now approved under the AI Act. This goes to show that Europe still has the potential to allow AI systems to run for European marketers.

****How AI Restrictions Affect Innovation****

Europe is pretty rigorous about its data regulation laws and user privacy; it’s a good thing to protect users but it also has its negative sides with companies unable to operate as they could. These restrictions can result in technological gaps between regions where businesses in the US can gain a competitive edge to streamline operations and enhance productivity. This not only results in a global challenge but also forces companies within Europe to look at less-productive alternatives.

The unavailability of AI tools in Europe is a pressing issue that is still being negotiated between lawmakers and developers. Even though AI has its share of downsides regarding data use, Europe needs to find a solution that aligns it with the globe in terms of AI. Since many things in our digitized world are connected, the unavailability of the latest technologies in the EU member countries may have an impact on digital nomads too, who choose to work from Europe.

As the EU also has initiatives to attract nomads, it will likely loosen some restrictions in the future, particularly those applicable in the early stages of new technology releases, while keeping user privacy at the forefront.

Top/Featured Image via FreePik

Why Many New AI Tools Aren’t Available In Europe – And How To Access Them

A highly targeted cyber-intelligence campaign adds fuel to the increasingly complex relationship between the two former Soviet states.

Source: Daniren via Alamy Stock Photo

A suspected Russia-nexus threat actor has been executing convincing spear phishing attacks against diplomatic entities in Kazakhstan.

UAC-0063, active since at least 2021, was first documented by Ukraine's Computer Emergency Response Team (CERT-UA) in 2023. With medium confidence, CERT-UA tied it to APT28 (aka Fancy Bear, Forest Blizzard, Strontium, Sofacy), from the General Staff Main Intelligence Directorate (GRU) Military Unit 26165. APT28 is best known for its high-profile attacks against Western governments: the Democratic National Committee (DNC) hack of 2016, campaigns against parliamentary bodies in Germany, Norway, and the Netherlands, and much more.

UAC-0063, specifically, has used cyber operations to collect intelligence from government entities, nongovernmental organizations (NGOs), academic institutions, and energy and defense organizations in Eastern Europe — most notably Ukraine — as well as Central Asia, including Kazakhstan, Kyrgyzstan, Tajikistan, and other countries in the vicinity, including Israel and India.

Its latest ongoing campaign, which, in a blog post, researchers from Sekoia date back to at least 2022, may fold into a broader effort by Vladimir Putin's government to gain strategic insights into, and advantage over, a former Soviet state that has sought to broaden its diplomatic horizons in recent years.

**Phishing Kazakh Diplomats**

On Oct. 16, 2024 — one month after it'd been deployed in the wild — researchers spotted a diplomatic document uploaded to VirusTotal. It appeared to be a legitimate draft of a joint declaration between the chancellor of Germany and heads of Central Asian countries.

"The first step, when you open this document, is that it asks you to enable macros," recalls Amaury Garçon, cyber threat intelligence (CTI) analyst at Sekoia Threat Detection & Research (TDR), adding that the document was obscured by "shapes" at first sight. "Some phishing documents look really ugly or have a bad shape \[at first\] — they prompt the user to enable macros, because if you don't enable macros you can't write text in the document, can't move images, etc.," he notes.

Clicking "enable" would trigger various malicious, unseen commands on a target device. While the user was made privy to the full, unadulterated lure document, in the background their security settings would be downgraded so as to remove the need for future "enable macros" prompts. Next a second, blank document was created and opened by a hidden instance of Microsoft Word. The Visual Basic (VB) code associated with this hidden document — now enabled by default, of course — dropped and executed a malicious HTML application (HTA) containing a backdoor named "HatVibe."

The purpose of HatVibe is to receive and execute code from a remote server. Though Sekoia couldn't identify the payloads associated with this phishing campaign, CERT-UA has previously observed HatVibe downloading and executing a more complex Python backdoor named "CherrySpy."

**What This Means for Kazakhstan and Russia**

Six weeks after researchers spotted the first VirusTotal upload associated with this campaign, on Nov. 27, Putin went on a two-day state visit to the country he deemed Russia's "true ally," Kazakhstan. He and Kazakhstan's president, Kassym-Jomart Tokayev, used the opportunity afforded by the Collective Security Treaty Organization (CSTO) summit to discuss various areas for economic partnership — particularly around the energy sector — and signed agreements over energy, education, and transportation.

"Central Asia is a real point of interest for Russian influence," Maxime Arquillière, senior CTI analyst at Sekoia TDR explains. "We know that Kazakhstan is a close ally, but since the beginning of the Ukraine war, Kazakhstan has distanced itself a little bit from Russia, trying to develop new connections with both Western states and also China."

Kazakhstan's centrality in the Asian continent positions it nicely as a trade bridge between China and Europe, particularly while Ukraine and Russia are consumed by war. And as Sekoia notes in its blog, the country's gradually broadening geopolitical ties are evident in recent agreements with Mongolia and Afghanistan's new Taliban government, and, most notably, its balanced position on the war in Ukraine — supporting Ukraine's right to territorial integrity without outright condemning Russia's invasion.

This latest cyber campaign, then, fits neatly into Russia's broader initiatives with regard to its Central Asian neighbor. Sekoia identified 11 lure documents in all, each one legitimate and likely having originated with Kazakhstan's Ministry of Foreign Affairs, pertaining to diplomatic business between Kazakhstan and potential partner nations.

Exactly how the threat actor obtained these documents is not known. They include, for example:

*   Letters from Kazakhstan's embassies in Afghanistan and Belgium, regarding diplomatic and economic developments.
    
*   A draft of a joint statement between Germany and Central Asian states, following a Sept. 16, 2024, summit in Astana.
    
*   Administrative reports and briefings on the Kazakh president's visits to Mongolia and New York.
    

"It's really coherent with the \[need for\] Russian intelligence to conduct this kind of cyber espionage, to know about the strategic interests between Kazakhstan and European states," Arquillière says.

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Tag

#intel