Cyberattackers injected the NFL Wild Card team's online Pro Shop with malicious code to steal credit card data from 8,500 fans.

Source: Cal Sport Media via Alamy Stock Photo

Fans of the Green Bay Packers football franchise have been tackled by a payment-card skimmer; people who bought merch at the Packers Pro Shop website last fall may have had their personal data harvested.

In a data-breach notification letter to the 8,514 "cheeseheads" affected, the NFL juggernaut noted that its security staff was alerted to the code on Oct. 23, just as the team was gearing up to play the Jacksonville Jaguars in Week 8 of the 2024 season.

"We were alerted to the presence of malicious code inserted on the Pro Shop website by a third-party threat actor," reads the notice, which added that the team immediately asked the outside vendor that hosts the store to take the e-commerce site offline. "The malicious code may have allowed an unauthorized third party to view or acquire certain customer information entered at the checkout that used a limited set of payment options on the Pro Shop website."

Fortunately, the skimmer was active in only two windows: Between Sept. 23-24, and Oct. 3-23, 2024. And, fans who used a gift card, a Pro Shop website account, PayPal, or Amazon Pay weren't exposed.

Cybercriminals were able to score on everyone else though, collecting names, addresses (billing and shipping), emails, and full payment-card information, according to the notice.

Related:Hacking Group 'Silk Typhoon' Linked to US Treasury Breach

According to an analysis from Sansec, a Dutch e-commerce security company that notified Green Bay about the attack, the threat actors abused a JSONP callback and YouTube's oEmbed feature, which allows users to embed content from one website into another website. Ultimately, the skimmers were able to bypass the Content Security Policy (CSP) for the Pro Shop website, and "a script was injected from https://js-stats.com/getInjector. This script harvested data from input, select, and text area fields on the site, exfiltrating the captured information."

**A Pick 6 for Magecart & Other Cybercrime Carders?**

While there's no public attribution available for the incident, the cyberattack has all the hallmarks of a classic "Magecart" attack. Magecart is an umbrella term for a loose confederation of groups that steal credit cards by exploiting a vulnerability within a website to inject a malicious piece of code, which simply exfiltrates any data the users put into checkout pages on e-commerce sites.

Lately, these types of attacks have been on the rise, with scores of groups beyond classic Magecart actors running skimmer plays, researchers warn; the Packers are just the latest victim in the pass rush of maliciousness.

Related:Ransomware Targeting Infrastructure Hits Telecom Namibia

"There's no solid theory about why there's been an uptick in skimmer attacks,” says Javvad Malik, lead security awareness advocate at KnowBe4. "It could be a case of low-hanging fruit, a lot of e-commerce transactions over the holiday period when people are searching for deals, and also the ease through which some third parties can be compromised without triggering alarms."

According to the Recorded Future Payment Fraud Intelligence group, digital e-skimming will remain a top threat to e-commerce going forward, with bad actors relying on easy-to-use skimmer kits and persistent CMS security vulnerabilities. Plus, smaller security organizations (including those used by many sports franchises) are at particular risk.

"Payment Card Industry Data Security Standard (PCI DSS) requirements will continue aiming to improve security, but the impact will remain limited as many small and medium-sized retailers fail to adhere," said Boris Ivanov, principal malware researcher at Recorded Future, via email. "This gap will worsen the already serious problem of attackers exploiting vulnerable platforms and compromising payment data."

Meanwhile, Malik notes that sports teams might be in the cybercrime sites as a top target in part due to fan exuberance.

Related:CISA: Third-Party Data Breach Limited to Treasury Dept.

"Technically, sports organizations probably don't have any different challenges than others," he says. "What makes them attractive to criminals though is the fact that they have a loyal fan base that is willing to spend money on tickets and merchandise. Often during busy periods when tickets are released, there is a rush, so people will often ignore any security warnings in a bid to complete their purchase."

**The Payment-Skimmer Ground Game Is Hard to Defend Against**

Skimmers are also having a moment because the back-end complexity of the code running e-stores is on the rise, which offers cover for malware infestation and makes defense more porous.

"These are difficult to detect by nature, especially when these attacks take place by compromising third-party components, which can end up in organizations' blind spots," explains Malik. "Complexity and the reliance on many third parties is perhaps the biggest challenge to keep modern Web applications secure."

In the Packers' case, the Pro Shop is hosted by a third party, which complicates things even further.

"In the case of organizations outsourcing many components and hosting, security responsibility cannot be outsourced, so many organizations end up with a lack of skilled resources within the organization to keep an eye over the end-to-end security — something that is often fueled by budget constraints," Malik notes.

Ultimately, e-commerce organizations of all stripes, including those catering to Wisconsin NFL fans, need to balance security with business agility and the user experience, which creates a series of challenges. Technical complexity, resource constraints, skills shortages, and organizational culture can all affect how organizations approach Web security, Malik cautions.

"It's about embedding security into the very fabric of the business, rather than treating it as an afterthought," he says. "Some of the things you can do include implementing robust content security policies, undertaking regular security audits and penetration testing, employing real-time monitoring that can detect unusual code or behavior patterns, and finally, educating staff and fostering a culture of cybersecurity."

Dane Sherrets, staff innovation architect at HackerOne, notes that, from a coding standpoint, user input should be considered suspect until proven otherwise.

"Firstly, it's important to remind everyone never to explicitly trust user input and to treat all such inputs as potentially malicious," he says. "The Green Bay Packers incident, in particular, highlights the threat of exploiting a loophole in the site's CSP."

The Green Bay Packers did not immediately return a request for comment.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Green Bay Packers' Online Pro Shop Sacked by Payment Skimmer

"Where Warlocks Stay Up Late" project speaks to hackers who have played pivotal roles in shaping the field of cybersecurity. The video interviews are complemented by an encyclopedia and an anthropological map.

Nathan Sportsman, the CEO of offensive security company Praetorian, had a grim epiphany in the summer of 2023: We're beginning to lose some of the hackers and visionaries who laid the foundation of the cybersecurity industry.

"When Kevin Mitnick passed, I realized that he would never be able to tell his story again," Sportsman says. "We're running out of time to tell these stories."

So he decided to document the history of hackers and preserve the stories of those early trailblazers and their groundbreaking contributions. The title of his docuseries project, "Where Warlocks Stay Up Late," pays homage to Katie Hafner and Matthew Lyon's 1996 book, Where Wizards Stay Up Late, which chronicles the origins of the Internet and spotlights the stories of the pioneers responsible for shaping it.

Each month, two long-form video interviews will be released on the Warlocks project's YouTube channel, featuring candid conversations in which cybersecurity pioneers share their technical achievements, as well as their personal journeys, challenges, and ethical dilemmas they faced along the way.

Sportsman and his team — Emmy-winning producer Matthew Wallis, filmmaker Tyson Culver, anthropologist Gabriella Coleman, and historian Matt Goerzen — plan to capture the stories of over 200 cybersecurity pioneers who helped shape the hacking scene of the 1980s and 1990s. These were the hackers who testified before the US Congress in 1998 and claimed they could take down the Internet in 30 minutes. They also exposed vulnerabilities in early wireless networks and were early advocates for encryption. Some of their stories have never been told before, Sportsman says.

Related:Black Hat 2024: Praetorian CEO Teases 'Warlock' Series on Cyber Pioneers

"This is going to be a three- to five-year commitment," Sportsman notes.

The list features prominent groups like L0pht Heavy Industries, Germany's Chaos Computer Club, w00w00, and the Legion of Doom. Smaller yet interesting groups, such as TESO and ADM, will also be represented. Some of the hackers from these groups went on to build successful careers in cybersecurity, becoming CISOs or CEOs, while others found roles in policymaking or intelligence.

Each interviewee is encouraged to bring along a historical artifact that represents their journey or contributions to hacking culture.

"It could be anything," Sportsman says. "It could be an old version of Phrack magazine. It could be a floppy disk, a motherboard."

The goal is to donate the artifacts to a physical museum at some point, maybe the Smithsonian, he says.

"Maybe they create a cyber wing where these stories can be held and all these artifacts can be kept," Sportsman adds.

**Mapping Hacking Groups**

The overall goal of the Warlocks project is to create a 360-degree view on the origins of the cybersecurity industry. The video interviews will be supplemented by an encyclopedia, which will provide context, and an anthropological map, which will offer a visual representation of the underground groups and the connections among them. By selecting a hacker's name, viewers will be able to access a wealth of information, including biographical details and contributions to the field.

Coleman, a professor in the Department of Anthropology at Harvard University, was "instantly drawn to the Warlocks, like a moth to flame," she says, because the project complements her focus on the politics and cultures of hacking and online activism. Over the years, she has studied distinct hacker communities, such as Anonymous.

"Combining visual data \[maps, videos, and pictures\] with written and oral histories allows us to make more sturdy, sound, or compelling arguments," Coleman says.

To capture the full picture of the hacking scene, the team plans to talk to all kinds of pioneers "from the no-malicious yet unorthodox underground scene," as Coleman puts it, regardless of where they are located.

"Those studying hackers know there were important waypoints in the transition from underground hacking to professional security, but the full stories of their members still need to be charted," Coleman adds.

Although she has studied hacker communities for over two decades, Coleman admits that some of the names that appear on the anthropological map were initially unfamiliar to her — a reflection of the secrecy that has long shrouded the scene.

"This terra incognita reminds us of the power and importance of what some philosophers call 'epistemic humility,'" she says. "This map both charts known territory and reveals what still needs to be studied."

**A (Digital) Museum of Hackers**

One of Sportsman's first interviews for the Warlocks project was with Mike Schiffman, editor-in-chief of hacker e-zine Phrack. During the taping, Schiffman and Sportsman reminisced about the early days of IRC channels where hackers hung out to share ideas and cutting-edge research. They discussed how hacker culture has evolved over the years.

"Back then, \[Shiffman\] would just kick/ban me out of the channel because I was a kid and I was annoying, but I looked up to him because of everything he had already done to that point," Sportsman says.

Schiffman recalls a bizarre incident from his youth, when his phone switch was hijacked and all of his calls were forwarded to a bridge. Anyone trying to reach him was told he had died. While doing some research for the project, Schiffman was able to identify the exact person who hacked his phone switch 25 years ago.

"I'll be interviewing him for Warlocks in February," Schiffman says.

For Schiffman, working on the Warlocks project has been both nostalgic and thought-provoking. He serves as a producer, interviewer, and planner, making sure the project authentically captures the "rich cultural history of the hacking scene."

The motivation to talk about the old days is deeply personal.

"I want my children to know my story," Schiffman says. "They're currently quite young, and I expect them to get different things from this as they watch it at different ages."

**More Than Just Hacker Nostalgia**

The stories hackers will share on camera offer glimpses into their personal journeys, but they also weave together a collective narrative that will help the next generation understand how everything started.

"There's not a single person in this industry that achieved any type of long-term success without the help of others," says cybersecurity expert Ralph Logan, an adviser to the project.

The desire to tap into the collective memory of the cybersecurity community and capture the stories for the new generation of people entering the cybersecurity workforce is deep-seated. In the past few years, a number of projects have been developed to tell the background stories of major cybersecurity events — an oral history of L0pht and a book on the Cult of the Dead Cow, to name a few. The Computer History Museum and the International Spy Museum also have exhibits highlighting cybersecurity researchers and stories.

The collective aspect of the narrative resonates deeply with Harvard's Coleman, who views hackers as collaborative individuals who embrace partnerships that further their goals. This is why their stories should be told in a way that highlights the intricate web of interactions, collaborations, and shared ambitions that define the community, she says.

"While many industry histories, like those of Walter Isaacson, elevate individual 'tech heroes,' this project showcases how diverse, interconnected hacker collectives worldwide transformed security from an afterthought into a critical priority," Coleman says.

The anthropologist hopes the project will also serve as a template for other areas of technology, including hacktivism, a topic she holds close to her heart. By applying the same methods, researchers could one day uncover groundbreaking insights into the inner workings, cultural dynamics, and broader impacts of groups like the Cult of the Dead Cow, the Electronic Disturbance Theater, or the Xnet collective.

"Like the underground, much material connected to hacktivist circles has either remained historically hidden, is hard to access, or is precariously stored," Coleman says, noting that this is an ideal time for projects like this. "Many \[hackers\] are seeking and willing to publicize their past. Many have expressed interest in ensuring this history does not get lost to time, while we still have access to firsthand accounts."

New Docuseries Spotlights Hackers Who Shaped Cybersecurity

Attackers are abusing a Microsoft 365 feature to send payment requests to users, tricking them into logging in to their accounts so attackers can seize control over them.

Source: Robert Wilkinson via Alamy Stock Photo

An unconventional phishing campaign convincingly impersonates online payments service PayPal to try to trick users into logging in to their accounts to make a payment; in reality, the login allows attackers to take over an account. The novel part of the attack is the abuse of a legitimate feature within Microsoft 365 to create a test domain, which then allows the attackers to create an email distribution list that makes the payment-request messages appear to be legitimately sent from PayPal.

Carl Windsor, CISO for Fortinet Labs, discovered the campaign when he himself was targeted by it, he revealed in a blog post published today.

Windsor received a request in his inbox from a sender with a nonspoofed PayPal email address seeking a payment of $2,185.96. The person requesting the money was someone called Brian Oistad, and aside from the "to" address not being Windsor's email address —  it was addressed to Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com —  there were few obvious signs it was not a genuine email, he said.

"What's interesting about this attack is that it doesn’t use traditional phishing methods," Windsor wrote. "The email, the URLs, and everything else are perfectly valid."

That validity might persuade an average email user to click on the link in the email, which redirects them to a PayPal login page showing a request for payment.

Related:PhishWP Plug-in Hijacks WordPress E-Commerce Checkouts

At this point, "some folks might be tempted to log in with their account details, however, this would be extremely dangerous," he wrote. That's because the login page links the target's PayPal account address with the address it was sent to — Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com, controlled by the attacker — not their own email address.

**Abusing Microsoft 365 Test Domains for Cybercrime**

The campaign works because the scammer appears to have registered a Microsoft 365 test domain — which is free for three months — and then created a distribution list containing target emails. This allows any messages sent from the domain to bypass standard email security checks, Windsor explained in the post.

Then, "on the PayPal Web portal, they simply request the money and add the distribution list as the address," he wrote.

This money request is then distributed to the targeted victims, and the Microsoft 365 Sender Rewrite Scheme (SRS) rewrites the sender to, for example, "bounces+SRS=onDJv=S6\[@\]5ln7g7.onmicrosoft.com, which will pass the SPF/DKIM/DMARC check," Windsor added.

"Once the panicking victim logs in to see what is going on, the scammer’s account (Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com) gets linked to the victim’s account," he wrote. "The scammer can then take control of the victim's PayPal account — a neat trick … \[that\] would sneak past even PayPal’s own phishing check instructions."

Related:Thousands of BeyondTrust Systems Remain Exposed

Indeed, abusing a vendor feature to deliver the phishing message does give the attackers a stealthy advantage when it comes to bypassing typical email security, a security expert notes.

"The emails are sent from a verified source and follow an identical template to legitimate messages, such as a standard PayPal payment request," says Elad Luz, head of research at Oasis Security, a provider of non-human identity management. "This makes them difficult for mailbox providers to distinguish from genuine communications."

**Cyber Defense: Create a "Human Firewall" Against Phishing**

Because the attack appears to be a genuine email, the best solution to avoid falling prey to it is what Windsor calls the "human firewall," or "someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look," he wrote in the post.

"This, of course, highlights the need to ensure your workforce is receiving the training they need to spot threats like this to keep themselves — and your organization — safe," Windsor noted.

Related:Recorded Future: Russia's 'Undesirable' Designation Is a Compliment

It is also possible to create a rule within email security scanners to "look for multiple conditions that indicate that this email is being sent via a distribution list," to help detect a campaign that uses this vector, he added.

Another potential mitigation is to use artificial intelligence (AI)-based security tools that use neural networks to analyze social graph patterns, among other techniques, "to help spot these hidden interactions by analyzing user behaviors more deeply than static filters," Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+, tells Dark Reading.

"That kind of proactive detection engine recognizes unusual group messaging patterns or requests that slip through basic checks," he says. "A thorough inspection of user interaction metadata will catch even this sneaky approach."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Unconventional Cyberattacks Aim to Take Over PayPal Accounts

The southern African telco is the latest entity on the continent to have its critical infrastructure hacked, and attackers release sensitive info online when Telecom Namibia refuses to negotiate.

Source: Golden Dayz via Shutterstock

The telecommunications provider for the African nation of Namibia suffered a significant ransomware attack late last year, becoming a visible symbol of the merging of two trends in the region: increasing attacks on critical infrastructure and the growing threat of ransomware.

Last month, Telecom Namibia alerted customers that a successful attack by the ransomware-as-a-service (RaaS) group Hunters International led to users' information being leaked online. The company is working with law enforcement agencies and third-party incident responders to uncover additional details, CEO Stanley Shanapinda said in a Dec. 16 statement.

"Initially, it appeared that no sensitive information was compromised, but recent analyses confirmed that some customer data was compromised," he said. "The threat was contained about three weeks ago and further attacks on our systems and third parties were prevented, \[but the exposed information\] was leaked on the dark web ... after we refused to negotiate to pay any ransom that may have been demanded."

Namibia is not alone in becoming a target for cyberattackers focused on profiting off of compromised infrastructure systems. In June, South Africa's National Health Laboratory Service (NHLS) suffered a ransomware attack that disrupted systems, deleted backups, and took weeks for the government-run network of healthcare testing laboratories to recover. In July, Hunters International exfiltrated more than 18GB of data from the Kenyan Urban Roads Authority (KURA). The same month, the Nigerian Computer Emergency Response Team (ngCERT) warned that the Phobos RaaS group had targeted critical cloud services serving the country's organizations, with at least one successful compromise.

**Telecoms, Critical Infrastructure in the Crosshairs**

Overall, ransomware accounted for a third of successful attacks in the region, including attacks on energy firm Eneo in Cameroon in January 2024 and industrial organizations in Egypt and South Africa throughout the year, according to data from Positive Technologies, a cybersecurity firm that operates in the region.

The telecommunications and manufacturing sectors were also heavily targeted, with each sector accounting for 10% of successful attacks, says Alexey Lukatsky, managing director and cybersecurity business consultant at Positive Technologies.

"These attacks are driven by factors such as rapid digital transformation, geopolitical tensions, and inadequate cybersecurity measures protecting critical infrastructure," he says. "The increasing volume of user data and expanding digital networks make sectors like telecommunications particularly attractive targets for cybercriminals seeking financial gain or engaging in cyber espionage."

The trend will continue in 2025, because the rapid digitization across multiple industries continues to outpace implementation of cybersecurity measures, Lukatsky says. The result: a growing attack surface area that remains vulnerable.

"Sectors such as energy, telecommunications, and manufacturing will continue to be prime targets for cybercriminals and APT groups, motivated by financial gain, data theft, or geopolitical objectives," he says.

**The Age of RaaS**

The rise of ransomware-as-a-service offerings has also accelerated attacks on critical infrastructure, says Avinash Singh, a computer science lecturer and head of the Intelligent Cyber Forensics Lab at the University of Pretoria in South Africa. RaaS has taken off in Africa, partly because some ransomware gangs appear to be using African organizations as testbeds for their latest attacks, according to an October 2024 report.

"The RaaS model allows attackers to focus on high-value targets, such as large corporations or critical infrastructure providers, where the potential ransom payout is significantly higher," Singh says. "Cyberattacks on critical infrastructure remain among the most lucrative for cybercriminals, as these systems provide essential public services, and their disruption can cause significant societal and economic damage."

In addition, ransomware groups are not targeting just African businesses and government agencies, but also those organizations' third-party suppliers, Singh says. Distributing malicious versions of popular software has become a popular way to infect personal and business devices in the region. A March 2024 attack targeting members of a popular Discord community, for example, infected developers with information-stealing malware by compromising a developer's account and poisoning the repository.

Many of the threats affecting African developers are the same as those affecting the global cyber landscape, he says.

"Over the years, threat actors have demonstrated a broad array of tactics, techniques, and procedures, including hijacking GitHub accounts, malicious Python packages, setting up fake Python infrastructures, and employing sophisticated social engineering strategies," Singh adds.

African organizations need to work to improve the cyber awareness of their employees and customers and establish secure practices while pursuing digitization, he recommends. The risks posed by cyberattacks will likely only increase, as the geopolitical tensions rise in the region and worldwide, according to Singh.

"While Africa may not be a prime target compared to other continents," he says, "many geopolitical factors can influence cyber threat activities, particularly when state-sponsored actors are involved."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Ransomware Targeting Infrastructure Hits Telecom Namibia

AI-supported spear phishing emails tricked 54% of users in a controlled study that compared AI and human cybercriminal success rates.

One of the first things everyone predicted when artificial intelligence (AI) became more commonplace was that it would assist cybercriminals in making their phishing campaigns more effective.

Now, researchers have conducted a scientific study into the effectiveness of AI supported spear phishing, and the results line up with everyone’s expectations: AI is making it easier to do crimes.

The study, titled Evaluating Large Language Models’ Capability to Launch Fully Automated Spear Phishing Campaigns: Validated on Human Subjects, evaluates the capability of large language models (LLMs) to conduct personalized phishing attacks and compares their performance with human experts and AI models from last year.

To this end the researchers developed and tested an AI-powered tool to automate spear phishing campaigns. They used AI agents based on GPT-4o and Claude 3.5 Sonnet to search the web for available information on a target and use this for highly personalized phishing messages.

With these tools, the researchers achieved a click-through rate (CTR) that marketing departments can only dream of, at 54%. The control group received arbitrary phishing emails and achieved a CTR of 12% (roughly 1 in 8 people clicked the link).

Another group was tested against an email generated by human experts which proved to be just as effective as the fully AI automated emails and got a 54% CTR. But the human experts did this at 30 times the cost of the AI automated tools.

The AI tools with human assistance outperformed the CTR of these groups by scoring 56% at 4 times the cost of the AI automated tools. This means that some (expert) human input can improve the CTR, but is it enough to invest the time? Cybercriminals are proverbially lazy, which means they often exhibit a preference for efficiency and minimal effort in their operations, so we don’t expect them to think the extra 2% to be worth the investment.

The research also showed a significant improvement of the deceptive capabilities of AI models compared to last year, where studies found that AI models needed human assistance to perform on par with human experts.

The key to the success of a phishing email is the level of personalization that can be achieved by the AI assisted method and the base for that personalization can be provided by an AI web-browsing agent that crawls publicly available information.

_Example from the paper showing how collected information is used to write a spear phishing email_

Based on information found online about the target, they are invited to participate in a project that aligns with their interest and presented with a link to a site where they can find more details.

The AI-gathered information was accurate and useful in 88% of cases and only produced inaccurate profiles for 4% of the participants.

Other bad news is that the researchers found that the guardrails which are supposed to stop AI models from assisting cybercriminals are not a noteworthy barrier for creating phishing mails with any of the tested models.

The good news is that LLMs are also getting better at recognizing phishing emails. Claude 3.5 Sonnet scored well above 90% with only a few false alarms and detected several emails that passed human detection. Although it struggles with some phishing emails that are clearly suspicious to most humans.

If you’re looking for some guidance how to recognize AI assisted phishing emails, we’d like you to read: How to recognize AI-generated phishing mails. But the best way is to always remember the general advice not to click on any links in unsolicited emails.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 AI-supported spear phishing fools more than 50% of targets 

Philadelphia, Pennsylvania, 7th January 2025, CyberNewsWire

**Philadelphia, Pennsylvania, January 7th, 2025, CyberNewsWire**

Security Risk Advisors today announced it has become a member of the Microsoft Intelligent Security Association (MISA), an ecosystem of independent software vendors (ISVs) and managed security service providers (MSSPs) that have integrated their solutions with Microsoft Security technology to better defend mutual customers against a world of increasing cyber threats.

Security Risk Advisors (SRA) is a leading cybersecurity firm dedicated to providing comprehensive security solutions to businesses worldwide. With a commitment to maintaining the highest ethical standards, SRA offers a range of services including security testing, security program development, 24×7 monitoring and response. Joining MISA represents a significant milestone, demonstrates the company’s ability to deliver impactful security solutions while increasing adoption of their SCALR XDR offering and helping clients maximize their investment in Microsoft Security technologies.

Security Risk Advisors’ SCALR™ XDR is both a platform, built on Microsoft Azure and a 24×7 monitoring service with Microsoft Sentinel. SCALR™ uses a security data lake architecture to minimize SIEM costs, maximizing the user’s ability to store security events, and accelerate search and hunting capabilities. The SCALR™ XDR service is enhanced by SRA’s distinctive Purple Teams & Threat Resilience Benchmarks powered by VECTR™.

> “We are honored that Microsoft has recognized SRA’s expertise and proven track record by welcoming us into the Microsoft Intelligent Security Association (MISA). This achievement further energizes our commitment to empowering clients to adopt and optimize Microsoft Security technologies, enhancing their threat management programs and overall security posture.”

– Tim Wainwright, CEO, Security Risk Advisors

> “I am pleased to have Security Risk Advisors join us as a member of the Microsoft Intelligent Security Association (MISA). By including our strategic Managed Security Services Providers (MSSPs) in MISA, we help enable further collaboration between cybersecurity industry leaders in protecting and supporting our joint customers.”

– Parri Munsell, Senior Director, Security Partner Marketing

Established in 2018 to bring together Microsoft leaders, ISVs, and MSSPs, MISA focuses on collaborating to combat security threats and create a safer environment for all. Its mission is to provide intelligent, industry-leading security solutions that work together to help protect organizations at the speed and scale of AI in an ever-increasing threat landscape.

Partners who are interested in learning more can visit the MISA Website: Microsoft Intelligent Security Association.

**About Security Risk Advisors:**

Security Risk Advisors offers Purple and Red Teams, Cloud Security, Penetration Testing, OT Security and 24x7x365 Cybersecurity Operations. Based in Philadelphia, SRA operates across the USA, Ireland and Australia. To learn more: https://sra.io.

**Contact**

**Marketing Lead**  
**Kim Sandberg**  
**Security Risk Advisors**  
**\[email protected\]**

Security Risk Advisors joins the Microsoft Intelligent Security Association

Ramat Gan, Israel, 7th January 2025, CyberNewsWire

**Ramat Gan, Israel, January 7th, 2025, CyberNewsWire**

CyTwist, a leader in advanced next-generation threat detection solutions, has launched its patented detection engine to combat the insidious rise of AI-generated malware.

The cybersecurity landscape is evolving as attackers harness the power of artificial intelligence (AI) to develop advanced and evasive threats. The rise of AI-generated malware and AI-enhanced cyberattacks has escalated the threat landscape, leaving traditional defenses struggling to keep up. Businesses now face the critical challenge of adapting to this new era of cyber warfare, characterized by speed, sophistication, and adaptability.

**The Threat of AI-Driven Cyberattacks**

AI has altered the dynamics of cyber conflict, enabling attackers to execute sophisticated operations previously associated with state-sponsored entities. AI-generated phishing emails, adaptive botnets, and automated reconnaissance tools are now common components of cybercriminal tactics. These technologies bypass signature-based defenses and mimic legitimate behavior, making detection more challenging.

For example, in a recent attack on French corporates and government agencies, an AI-engineered malware exploited advanced techniques like COM hijacking and encrypted payloads, enabling attackers to remain undetected for extended periods, exfiltrate sensitive data, and establish long-term persistence within the network. This incident highlights three key risks of AI-driven attacks:

·      Sophistication: AI allows attacks to evolve in real-time, rendering static defenses obsolete.

·      Speed: Automated reconnaissance and attack execution drastically reduce the time needed to breach networks and execute the attack.

·      Evasion: AI-generated threats mimic human behavior, complicating detection for security teams.

In response to this growing challenge, CyTwist has developed a patented detection engine that identifies stealthy, AI-driven attack campaigns and malware that bypass traditional security tools, including leading EDR and XDR solutions. By leveraging advanced behavioral analysis, CyTwist Profiler identifies new and emerging threats in real time, stopping attackers before they can cause harm.

**CyTwist: Advanced Defense Against AI-Generated Threats**

CyTwist recently demonstrated its advanced detection capabilities during a red team simulation with a major telecommunications provider. The exercise mirrored the sophisticated techniques observed in the recent attack on French organizations and government agencies, employing AI-generated malware with encryption and evasion tactics. While the existing security tools failed to detect the attack, CyTwist’s solution identified malicious activity within minutes.

The head of incident response at the telecom operator highlighted the tool’s value, stating “We were impressed by CyTwist’s capability of detecting sophisticated, AI-generated malware that our EDR had failed to pick up. CyTwist provided the critical insights we needed to detect the attack in time, adding a valuable security layer against AI-generated threats.”

This simulation underscored the importance of adopting advanced technologies to address modern cyber challenges.

> “The use of AI in cyberattacks is reshaping the threat landscape, enabling attackers to operate elusively and at speed, capable of gliding past traditional security solutions. Our patented detection engine is specifically engineered to address these challenges.” Said Eran Orzel, CEO of CyTwist.

**Strategies for Mitigating AI-Generated Threats**

As organizations face increasing threats from AI-driven attacks, proactive strategies are essential. Key recommendations include:

**1\. Adopting Advanced Detection Technologies:** Traditional detection tools are not always sufficient defense against the dynamic nature of modern cyber threats. Modern detection tools that leverage AI, machine learning, behavioral analytics, and anomaly detection are needed to uncover threats missed by traditional approaches.

**2\. Prioritized Rapid Detection and Response:** Speed is critical when responding to AI-driven threats. Continuous monitoring and automated response systems enable swift containment of threats and real-time triage tools help security teams focus on critical alerts and ignore the noise.

**3\. Enhanced Resilience Through Security Frameworks:** Building adaptive security frameworks that integrate advanced detection tools will enable a response to emerging threats in real time. Regular training for security teams is needed to build the skills to counter the latest AI-driven attack methods.

CyTwist’s patented detection engine represents a significant advancement in addressing AI-enhanced cyber threats, providing organizations with the tools needed to navigate this increasingly complex landscape.

To learn more about CyTwist’s cutting-edge solutions, users can visit cytwist.com or reach out via \[email protected\].

**About CyTwist**

CyTwist is an advanced cybersecurity solution, specializing in next-generation threat detection and response. Its patented detection engine enables organizations to stay ahead of evolving threats, providing unmatched protection against stealthy, AI-generated attacks and novel malware. CyTwist was founded by a team of experienced cybersecurity professionals and former intelligence officers who bring extensive expertise in counterintelligence and cybersecurity.

In an era where attackers leverage AI to outpace traditional defenses, CyTwist Profiler provides a critical layer of security, enabling organizations to detect, investigate, and neutralize threats before they cause harm.

**Contact**

**CEO**  
**Eran Orzel**  
**CyTwist**  
**\[email protected\]**

CyTwist Launches Advanced Security Solution to identify AI-Driven Cyber Threats in minutes

US sanctions Beijing-based Integrity Technology Group for aiding “Flax Typhoon” hackers in cyberattacks on American infrastructure, freezing assets…

US sanctions Beijing-based Integrity Technology Group for aiding “Flax Typhoon” hackers in cyberattacks on American infrastructure, freezing assets and banning US dealings.

The US Treasury Department has **sanctioned** Integrity Technology Group, a Beijing-based company, accusing it of involvement in cyberattacks against American infrastructure. The decision, announced on January 3, 2025, has escalated tensions between the US and China over cybersecurity issues.

****What’s Behind the Sanctions?****

Integrity Technology Group, also known as Yongxin Zhicheng Technology Group, is alleged to have worked closely with the Chinese state-sponsored hacking group “**Flax Typhoon**.” US officials claim the company played a key role in cyber activities targeting government systems, businesses, and critical infrastructure. Over 250,000 devices worldwide were reportedly compromised in these incidents.

The sanctions freeze the company’s assets in the US and prohibit American entities from doing business with it. By cutting off financial ties, the US aims to limit the group’s resources for continuing cyber operations.

****Official Statements and Responses****

The US government has **stated** that these actions are part of ongoing efforts to protect national security and hold cyber offenders accountable. Treasury Secretary Janet Yellen commented, “This sends a clear message to entities enabling malicious cyber activity: we will not tolerate these actions.”

China, however, has rejected the accusations. A spokesperson for the Chinese Foreign Ministry called the sanctions “baseless” and accused the US of deflecting blame for its own cybersecurity issues. Integrity Technology Group has denied the allegations, claiming it operates within legal bounds and condemning the sanctions as damaging to its reputation.

****What This Means for Businesses****

The sanctions warn international companies and organizations about the risks of associating with entities involved in cyber activities. US companies, in particular, are urged to reassess their supply chains and partnerships to avoid unintentional involvement with blacklisted groups.

The case also highlights the growing use of economic measures to address cybersecurity threats, signaling a shift in how nations respond to cyber attacks.

As cyber threats are evolving, such measures will likely become more common. Businesses and governments worldwide are expected to increase their focus on building stronger cybersecurity protection. For individuals and organizations, staying informed about these developments is more important than ever to protect against similar risks.

This story is developing, and further updates will be provided as more information becomes available.

1.  **US Sanctions Chinese Cybersecurity Firm over Firewall Exploit**
2.  **U.S. Treasury Imposes Sanctions on ISIS Cybersecurity Experts**
3.  **US Sanctions Intellexa Spyware Network Over National Security**
4.  **Linux Kernel Project Drops 11 Russian Developers Amid Sanctions**
5.  **China’s Salt Typhoon Hacks AT&T, Verizon, Accessing Wiretap Data**

U.S. Sanctions Chinese Cybersecurity Firm Over Cyberattacks

The ABB BMS/BAS controller suffers from an SQL injection through the key and user parameters. These inputs are not properly sanitized and do not utilize stored procedures, allowing attackers to manipulate SQL queries and potentially gain unauthorized access to the database or execute arbitrary SQL commands.

Title: ABB Cylon Aspect 3.08.02 (CookieDB) SQL Injection  
Advisory ID: ZSL-2025-5899  
Type: Local/Remote  
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data  
Risk: (5/5)  
Release Date: 06.01.2025

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

The ABB BMS/BAS controller suffers from an SQL injection through the key and user parameters. These inputs are not properly sanitized and do not utilize stored procedures, allowing attackers to manipulate SQL queries and potentially gain unauthorized access to the database or execute arbitrary SQL commands.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.08.02

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[03.12.2024\] Vendor releases version 3.08.03 to address this issue.  
\[06.01.2025\] Coordinated public security advisory released.

**PoC**

abb\_aspect\_sqli1.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch  
\[2\] https://www.cve.org/CVERecord?id=CVE-2024-48843

**Changelog**

\[06.01.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon Aspect 3.08.02 (CookieDB) SQL Injection

The ABB BMS/BAS controller suffers from a weak password policy, allowing users to set overly simplistic or blank passwords and usernames without restrictions. This vulnerability significantly reduces account security, enabling attackers to exploit weak credentials for unauthorized access to the system.

Title: ABB Cylon Aspect 3.07.02 (userManagement.php) Weak Password Policy  
Advisory ID: ZSL-2025-5898  
Type: Local/Remote  
Impact: Security Bypass, Weak Policy  
Risk: (3/5)  
Release Date: 06.01.2025

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

The ABB BMS/BAS controller suffers from a weak password policy, allowing users to set overly simplistic or blank passwords and usernames without restrictions. This vulnerability significantly reduces account security, enabling attackers to exploit weak credentials for unauthorized access to the system.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.07.02

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[13.10.2023\] Vendor releases version 3.08.00 to address this issue.  
\[06.01.2025\] Coordinated public security advisory released.

**PoC**

abb\_aspect\_weakpwd1.html

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch  
\[2\] https://www.cve.org/CVERecord?id=CVE-2024-48845

**Changelog**

\[06.01.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Tag

#intel