A suspected South Asian cyber espionage threat group known as Bitter targeted a Turkish defense sector organization in November 2024 to deliver two C++-malware families tracked as WmRAT and MiyaRAT.
"The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads," Proofpoint

Bitter APT Targets Turkish Defense Sector with WmRAT and MiyaRAT Malware

SUMMARY Cicada3301, a ransomware group, has claimed responsibility for a data breach targeting Concession Peugeot (concessions.peugeot.fr), a prominent…

****SUMMARY****

*   **Cicada3301 ransomware group claims to have breached Concession Peugeot, stealing 35GB of sensitive data.**

*   **The group operates a Ransomware-as-a-Service (RaaS) model with a 20% commission.**

*   **First observed in June 2024, their ransomware targets Windows and Linux/ESXi systems.**

*   **Cicada3301 shares similarities with BlackCat, using ChaCha20 encryption and similar tactics.**

*   **Leaked data includes invoices, passport copies, and internal communications.**

Cicada3301, a ransomware group, has claimed responsibility for a data breach targeting Concession Peugeot (concessions.peugeot.fr), a prominent French automotive dealership linked to the Peugeot brand. The group claims to have stolen 35GB of sensitive data, marking a continuation of their aggressive cyber campaigns.

Screenshot from cicada3301 Ransomware’s dark web leak site (Screenshot: Hackread.com)

The alleged breach was announced by the group over the weekend (Sunday, December 15, 2024) on its official dark web leak site. It is also worth noting that the name Cicada3301 was historically associated with **cryptographic puzzles** in the early 2010s, it has since been co-opted by the ransomware group operating under a Ransomware-as-a-Service (RaaS) model.

This model enables affiliates to carry out attacks by renting the ransomware infrastructure and splitting the proceeds with the operators. Check Point’s **report** in September 2024, also discusses Cicada3301 who posted an advertisement on a Russian-language underground forum offering ransomware-as-a-service. The group demands a 20% commission on successful attacks and even provides negotiation mechanisms for disputes among partners.

The Cicada3301 ransomware group was first identified by cybersecurity firm Truesec and observed in June 2024. Written in Rust, the ransomware can target both Windows and Linux/ESXi systems, showcasing its cross-platform capabilities.

Cicada3301 has notable similarities to **ALPHV/BlackCat ransomware**, including the use of ChaCha20 encryption, identical commands to shut down virtual machines, and the -ui commands that provide graphic output for encryption. Both groups also share a similar file-naming pattern and key parameters used to decrypt ransom notes. These overlaps suggest a shared connection or the adoption of proven techniques to maximize efficiency and impact.

The attack on Concession Peugeot aligns with Cicada3301’s strategy of targeting high-value organizations to maximize impact. The theft of 35GB of data is particularly concerning, as a screenshot of the leaked files, reviewed by Hackread.com, reveals official and internal communications, invoices, passport copies, and even recipes.

Screenshot from cicada3301 Ransomware’s dark web leak site (Screenshot: Hackread.com)

**Editor’s Note**

The fact that Concession Peugeot operates under the official subdomain concessions.peugeot.fr creates a closer association with the larger Peugeot brand. Big companies like Peugeot often let their authorized dealerships use subdomains to maintain a consistent online presence and make it easier for customers to trust their services.

However, this setup means that an attack on a dealership can easily look like an attack on the main company. While this breach only targeted the dealership, the use of Peugeot’s domain could lead to confusion and raise questions about security across the brand.

1.  **13GB Data of Automobile Insurance Giant AA Exposed Online**
2.  **French automobile Citroën breached, user login details leaked**
3.  **Hackers Can Access Mazda Vehicle Controls Via System Flaws**
4.  **Contractor Database Exposes Irish Police Vehicle Seizure Records**
5.  **Nissan Confirms Data Breach Affected 100K Customers, Employees**
6.  **ALPHV Ransomware Used Vishing to Scam MGM Resorts Employee**

Cicada3301 Ransomware Claims Attack on French Peugeot Dealership

Artificial intelligence capabilities are coming to a desktop near you — with Microsoft 365 Copilot, Google Gemini with Project Jarvis, and Apple Intelligence all arriving (or having arrived). But what are the risks?

Source: 'Who is Danny' via Shutterstock

Artificial intelligence has come to the desktop.

Microsoft 365 Copilot, which debuted last year, is now widely available. Apple Intelligence just reached general beta availability for users of late-model Macs, iPhones, and iPads. And Google Gemini will reportedly soon be able to take actions through the Chrome browser under an in-development agent feature dubbed Project Jarvis.

The integration of large language models (LLMs) that sift through business information and provide automated scripting of actions — so-called "agentic" capabilities — holds massive promise for knowledge workers but also significant concerns for business leaders and chief information security officers (CISOs). Companies already suffer from significant issues with the oversharing of information and a failure to limit access permissions — 40% of firms delayed their rollout of Microsoft 365 Copilot by three months or more because of such security worries, according to a Gartner survey.

The broad range of capabilities offered by desktop AI systems, combined with the lack of rigorous information security at many businesses, poses a significant risk, says Jim Alkove, CEO of Oleria, an identity and access management platform for cloud services.

"It's the combinatorics here that actually should make everyone concerned," he says. "These categorical risks exist in the larger \[native language\] model-based technology, and when you combine them with the sort of runtime security risks that we've been dealing with — and information access and auditability risks — it ends up having a multiplicative effect on risk."

Related:Citizen Development Moves Too Fast for Its Own Good

Desktop AI will likely take off in 2025. Companies are already looking to rapidly adopt Microsoft 365 Copilot and other desktop AI technologies, but only 16% have pushed past initial pilot projects to roll out the technology to all workers, according to Gartner's "The State of Microsoft 365 Copilot: Survey Results." The overwhelming majority (60%) are still evaluating the technology in a pilot project, while a fifth of businesses haven't even reached that far and are still in the planning stage.

Most workers are looking forward to having a desktop AI system to assist them with daily tasks. Some 90% of respondents believe their users would fight to retain access to their AI assistant, and 89% agree that the technology has improved productivity, according to Gartner.

**Bringing Security to the AI Assistant**

Unfortunately, the technologies are black boxes in terms of their architecture and protections, and that means they lack trust. With a human personal assistant, companies can do background checks, limit their access to certain technologies, and audit their work — measures that have no analogous control with desktop AI systems at present, says Oleria's Alkove.

Related:Cleo MFT Zero-Day Exploits Are About to Escalate, Analysts Warn

AI assistants — whether they are on the desktop, on a mobile device, or in the cloud — will have far more access to information than they need, he says.

"If you think about how ill-equipped modern technology is to deal with the fact that my assistant should be able to do a certain set of electronic tasks on my behalf, but nothing else," Alkove says. "You can grant your assistant access to email and your calendar, but you cannot restrict your assistant from seeing certain emails and certain calendar events. They can see everything."

This ability to delegate tasks needs to become part of the security fabric of AI assistants, he says.

**Cyber-Risk: Social Engineering Both Users & AI**

Without such security design and controls, attacks will likely follow.

Earlier this year, a prompt injection attack scenario highlighted the risks to businesses. Security researcher Johann Rehberger found that an indirect prompt injection attack through email, a Word document, or a website could trick Microsoft 365 Copilot into taking on the role of a scammer, extracting personal information, and leaking it to an attacker. Rehberger initially notified Microsoft of the issue in January and provided the company with information throughout the year. It's unknown whether Microsoft has a comprehensive fix for the issue.

Related:Generative AI Security Tools Go Open Source

The ability to access the capabilities of an operating system or device will make desktop AI assistants another target for fraudsters who have been trying to get a user to take actions. Instead, they will now focus on getting an LLM to take actions, says Ben Kilger, CEO of Zenity, an AI agent security firm.

"An LLM gives them the ability to do things on your behalf without any specific consent or control," he says. "So many of these prompt injection attacks are trying to social engineer the system — trying to go around other controls that you have in your network without having to socially engineer a human."

**Visibility Into AI's Black Box**

Most companies lack visibility into and control of the security of AI technology in general. To adequately vet the technology, companies need to be able to examine what the AI system is doing, how employees are interacting with the technology, and what actions are being delegated to the AI, Kilger says.

"These are all things that the organization needs to control, not the agentic platform," he says. "You need to break it down and to actually look deeper into how those platforms actually being utilized, and how do people build and interact with those platforms."

The first step to evaluating the risk of Microsoft 365 Copilot, Google's purported Project Jarvis, Apple Intelligence, and other technologies is to gain this visibility and have the controls in place to limit an AI assistant's access on a granular level, says Oleria's Alkove.

Rather than a big bucket of data that a desktop AI system can always access, companies need to be able to control access by the eventual recipient of the data, their role, and the sensitivity of the information, he says.

"How do you grant access to portions of your information and portions of the actions that you would normally take as an individual, to that agent, and also only for a period of time?" Alkove asks. "You might only want the agent to take an action once, or you may only want them to do it for 24 hours, and so making sure that you have those kind of controls today is critical."

Microsoft, for its part, acknowledges the data-governance challenges, but argues that they are not new, just made more apparent due to AI’s arrival.

"AI is simply the latest call to action for enterprises to take proactive management of controls their unique, respective policies, industry compliance regulations, and risk tolerance should inform – such as determining which employee identities should have access to different types of files, workspaces, and other resources," a company spokesperson said in a statement.

The company pointed to its Microsoft Purview portal as a way that organizations can continuously manage identities, permission, and other controls. Using the portal, IT admins can help secure data for AI apps and proactively monitor AI use though a single management location, the company said. Google declined to comment about its forthcoming AI agent.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Does Desktop AI Come With a Side of Risk?

Task scams are a new type of scams where victims are slowly tricked into paying to get paid for repetitive simple tasks

An unfamiliar type of scam has surged against everyday people, with a year-over-year increase of some 400%, putting job seekers at risk of losing their time and money.

The emerging threat is delivered in “task scams” or “gamified job scams.” While these scams were virtually non-existent in 2020, the FTC reported 5,000 cases in 2023 and a whopping 20,000 cases in the first half of 2024.

In these scams, online criminals prey on people looking for remote jobs by offering them simple repetitive tasks such as liking videos, optimizing apps, boosting product interest, or rating product images. These tasks are usually organized in sets of 40 tasks that will take the victim to a “next level” once they are completed.

Sometimes the victim will get a so-called double task that earns a bigger commission. The trick is that the scammers will make the victim think they are earning money to raise trust in the system. The money can be fake and only displayed in the system, but some victims report actually receiving small sums.

But at some point, the scammers will tell the victims, they have to make a deposit to get the next set of tasks or get your earnings out of the app. So, victims are likely to make that deposit, or all their work will have been for naught.

Scammers use cryptocurrency like USDT (a digital stable-coin with a value tied to the value of the US dollar) to make their payments.

Task scams typically begin with unsolicited text messages or messages via platforms like WhatsApp, Telegram, or other messaging apps. These messages often come from unknown numbers or profiles that may appear professional to gain trust. Reportedly, these scams like to impersonate legitimate companies such as Deloitte, Amazon, McKinsey and Company, and Airbnb.

Scammers count on the urge that victims do not want to “cut their losses” and will try to pull victims in even deeper, sometimes inviting them into groups where newcomers can learn and hear success stories from (fake) experienced workers.

**How to avoid task scams**

Once you know the red flags, it is easier to shy away from task scams.

*   Do not respond to unsolicited job offers via text messages or messaging apps.
*   Never pay to get paid.
*   Verify the legitimacy of the employer through official channels.
*   Don’t trust anyone who offer to pay for something illegal such as rating or liking things online.

It’s also important to keep in mind that legitimate employers do not ask employees to pay for the opportunity to work. And as with most scams, if it sound to good to be true, it probably is.

If you run into a task scam, please report them to the FTC at ReportFraud.ftc.gov.

 Task scams surge by 400%, but what are they? 

This week on the Lock and Code podcast, we speak with Ron de Jesus about the work of achieving user privacy while balancing company goals.

_This week on the Lock and Code podcast…_

Privacy is many things for many people.

For the teenager suffering from a bad breakup, privacy is the ability to stop sharing her location and to block her ex on social media. For the political dissident advocating against an oppressive government, privacy is the protection that comes from secure, digital communications. And for the California resident who wants to know exactly how they’re being included in so many targeted ads, privacy is the legal right to ask a marketing firm how they collect their data.

In all these situations, privacy is being provided to a person, often by a company or that company’s employees.

The decisions to disallow location sharing and block social media users are made—and implemented—by people. The engineering that goes into building a secure, end-to-end encrypted messaging platform is done by people. Likewise, the response to someone’s legal request is completed by either a lawyer, a paralegal, or someone with a career in compliance.

In other words, privacy, for the people who spend their days with these companies, is _work_. It’s their expertise, their career, and their to-do list.

But what does that work actually entail?

Today, on the Lock and Code podcast with host David Ruiz, we speak with Transcend Field Chief Privacy Officer Ron de Jesus about the responsibilities of privacy professionals today and how experts balance the privacy of users with the goals of their companies.

De Jesus also explains how everyday people can meaningfully judge whether a company’s privacy “promises” have any merit by looking into what the companies provide, including a legible privacy policy and “just-in-time” notifications that ask for consent for any data collection as it happens.

> “When companies provide these really easy-to-use controls around my personal information, that’s a really great trigger for me to say, hey, this company, really, is putting their money where their mouth is.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 A day in the life of a privacy pro, with Ron de Jesus (Lock and Code S05E26) 

A 20-year-old Tucson man was arrested for horrific CSAM and cyberstalking linked to the dangerous online extremist group 764.

****SUMMARY****

*   **Arrest and Charges**: Baron Martin, 20, arrested for producing child sexual abuse material and cyberstalking, linked to extremist networks 764 and CVLT.

*   **Disturbing Crimes**: Accused of coercing minors into self-mutilation, creating abuse material, and plotting violence against victims and their families.

*   **764 Network**: The extremist group uses child exploitation to normalize violence and promote societal collapse, flagged as a major threat by the DoJ.

*   **Potential Penalties**: Martin faces up to 40 years in prison for his crimes, alongside fines and possible lifetime supervised release.

*   **Law Enforcement Response**: FBI and DoJ emphasize vigilance and programs like Project Safe Childhood to combat online child exploitation.

A 20-year-old Tucson man, Baron Martin, has been arrested for producing child sexual abuse material (CSAM) and cyberstalking offences linked to his involvement in online violent extremist networks known as 764 and CVLT, reveals an unsealed complaint by the Department of Justice (DoJ).

The complaint details a disturbing pattern of behaviour by 764 members. They allegedly target vulnerable youth online, force them into self-harm, and spread the abuse to desensitize victims and normalize violence. Martin, who allegedly used the online alias “Convict,” is accused of:

*   **Creating a guide on how to identify, groom, and extort children:** Martin is accused of creating child sex abuse content on Discord in September 2022 by having two minors self-mutilate for him, with one child having his name cut into their chest, stomach, and thighs, and directing them to cut swastikas and satanic symbols.

*   **Forcing two minors (aged 13 and 16) to self-mutilate on Discord:** Martin allegedly directed a 16-year-old victim on Discord to self-injury, drawing blood, and pouring alcohol over the wounds. Martin sent three videos of the abuse to another user

*   **Cyberstalking a 13-year-old by threatening her grandmother and soliciting her murder**: Martin is accused of cyberstalking a 13-year-old girl in September 2022, threatening her grandmother, and soliciting her murder. He agreed to pay $3,000 for the kidnapping and murder, and in a separate chat, posted the girl’s and her grandmother’s phone numbers for harassment.

If convicted, Martin faces up to 30 years in prison for producing CSAM and up to 10 years for cyberstalking, along with significant fines and potential lifetime supervised release.

****764 Network Described as “Dangerous” by DoJ****

According to the DoJ’s press release, it considers the 764 network a huge threat. “764 is a dangerous network of violent extremists who systematically target children and use child sexual abuse material to further their agenda of societal collapse,” said Assistant Attorney General for National Security Matthew G. Olsen.

The FBI is leading the investigation. The case is being prosecuted by the U.S. Attorney’s Office for the District of Arizona and the National Security Division’s Counterterrorism Section. 

It is worth noting that Martin is not the only alleged member of the notorious 764 network to face legal action. In November 2024, Richard Anthony Reyna Densmore, 47, of Kaleva, Michigan, was **sentenced** to 30 years in prison on charges related to child sexual abuse material (CSAM).

The arrest of Baron Martin shows the problematic reality of online extremism and grooming and its devastating impact on vulnerable youth. This issue extends beyond the U.S., with the U.K. facing similar challenges, particularly on platforms like Snapchat. According to a **report** by a U.K. charity, half of all online child grooming cases now occur on Snapchat.

The 764 network’s calculated targeting of children and their use of child sexual abuse material to further their extremist ideology emphasises the urgent need for increased vigilance and law enforcement efforts to combat such threats. 

US Attorney Gary Restaino for the District of Arizona stressed the importance of **Project Safe Childhood** (PCS), a US-based initiative targeting child sexual exploitation, and encouraged parents and children to seek help if they encounter online predators.

1.  **Man sought dark web hitman to murder child abuse victim**
2.  **Op protected childhood: 113 online child predators arrested**
3.  **How Facebook Helped FBI Capture a Notorious Child Abuser**
4.  **9 risky apps that you must monitor on your kids’ smartphone**
5.  **Microsoft’s tool detects, reports pedophiles from online chats**

FBI Targets 764 Network: Man Faces 30 Years for Cyberstalking, CSAM

Find out the key security risks of firmware security: Identify threats, and learn best practices and protection methods…

Find out the key security risks of firmware security: Identify threats, and learn best practices and protection methods against modern hacker attacks.

Firmware is low-level software that builds the interaction between the hardware and the operating system. It contains important instructions for the operation of electronic devices such as routers, IoT sensors, smartphones, and even cars. However, these instructions are often invisible to the user, making firmware less secure. This article will reveal the principal risks of firmware security and best practices for protecting against hackers.

****Key security risks in firmware development****

Ensuring the safety of firmware systems is paramount. Firmware serves as the bridge between hardware and software, making it a prime target for malicious attacks. According to Lemberg Solutions, a firmware development firm, firmware vulnerabilities have seen a notable rise, with security researchers estimating a 7.5-fold increase compared to three years ago. This is a result of vulnerabilities introduced during coding, lack of encryption, inadequate authentication mechanisms, and insufficient security updates.

Handling these challenges early in development is crucial to protecting devices and preventing potential breaches. Nevertheless, firmware attacks come in many forms. Let’s have a look at a few of them:

*   **Firmware modification.** Hackers modify a device’s firmware to introduce malicious code or “backdoors” which can cause significant damage.
*   **Firmware extraction.** Hackers extract firmware from a device to analyze it for vulnerabilities. By reverse engineering the firmware, they can identify weaknesses and develop targeted exploits to compromise the device’s security. 
*   **Remote update attacks.** If hackers manage to intercept and manipulate updates, they can inject spyware or make unauthorized changes to the firmware, potentially compromising the entire system. For example, in the case of the Internet of Things (IoT), a device with poorly secured access can be compromised and used for DDoS attacks.
*   **Integration of unverified code**. Using open or unverified code can introduce hidden vulnerabilities.
*   **Physical attacks.** If a device is not physically secured, attackers can access its internal components through JTAG, UART, or other debug ports. For example, attackers can read the microcontroller memory through the JTAG interface and access sensitive data.

By understanding the methods hackers use, users can take steps to protect their devices, such as regularly updating firmware and implementing robust security practices. On the other hand, manufacturers should prioritize firmware security during the development process, conduct thorough testing, and implement strong security measures to reduce the risk of attacks or entrust security issues to a firmware development company.

****Best practices for protecting firmware****

By following a few simple steps, organizations can secure their devices’ firmware, making them more resistant to attack and less likely to be compromised. Let’s examine firmware security best practices. 

****Buffer and stack overflow protection****

Buffer and stack overflow protection is vital for firmware security, preventing unauthorized access from data overrun vulnerabilities. Effective mechanisms, such as stack canaries and address space layout randomization, are essential for improving memory safety.

Firmware must integrate overflow protections from the design phase. Regular audits and testing are required to address buffer vulnerabilities promptly. By prioritizing these safeguards, organizations can enhance device security and protect user data against evolving cyber threats.

****Capture security exceptions****

To identify and address potential threats in firmware operations, we must secure exceptions, which involves logging incidents and anomalies to enable quick responses to risks. Exception-handling protocols ensure that deviations from normal operations trigger alerts for security teams. Organizations should establish clear guidelines for managing and reviewing security exceptions regularly to maintain operational integrity and prevent incidents. 

****Input validation****

Input validation is a cornerstone in firmware security; by accepting only authorized data, organizations can effectively prevent unauthorized or malicious inputs that threaten to exploit system vulnerabilities. Validation protocols must be regularly updated to confront the ever-evolving landscape of security threats. Furthermore, investing in personnel training about the significance of input validation reinforces an organization’s commitment to safeguarding devices against cyber risks. 

****Secure boot mechanisms****

Secure boot ensures that only trusted firmware and software run when a device starts. It uses cryptographic checks to confirm the firmware hasn’t been tampered with. If the software isn’t signed with a trusted key, it won’t load, blocking malicious code from sneaking in during startup. For example, your laptop only works with an official operating system signed by the manufacturer. If someone tries to install fake software or modify the boot process, the system refuses to start, keeping your device safe.

****Secure firmware updates****

Implementing firmware updates with cryptographic signatures is vital for ensuring their authenticity and integrity. It guarantees that only verified updates are applied, reducing the risk of malicious modifications.

Cryptographic signatures validate updated sources, preventing vulnerabilities from unverified patches. By incorporating cryptographic signatures, companies can shield their systems from counterfeit updates, ensuring that only legitimate enhancements are deployed. 

****Role of AI and machine learning in threat detection****

AI and machine learning play a critical role in threat detection. They enable the creation of automated systems that quickly and accurately respond to modern challenges, such as malware, cyberattacks, and other threats. Let’s explore this in more detail:

1.  **AI identifies unusual activities** and anomalies in device behavior by analyzing network traffic, log files, and system interactions. For example, a system might monitor a company’s network traffic. If a device that typically transmits small amounts of data suddenly sends large data packets to an external server, the system flags this as an anomaly and blocks the transmission.
2.  Machine learning models can detect malware in code by identifying patterns that indicate malicious behavior. This is especially valuable for identifying new types of malware that traditional methods might miss.
3.   AI **can use data** from past attacks to forecast future threats. It analyzes attackers’ tactics, techniques, and procedures (TTPs) from previous incidents. For instance, a monitoring system might receive data about similar cyberattacks targeting companies within a specific industry. Based on this data, it could predict that your company might be the next target and recommend strengthening the security of particular systems.
4.  **AI analyzes** text messages and emails’ vocabulary, style, and domains to prevent phishing attacks. For example, it identifies suspicious phrasing, unusual sender domains, or inconsistencies in the email’s language that may indicate a phishing attempt.

This proactive and intelligent approach demonstrates the growing importance of AI in enhancing cybersecurity and mitigating evolving threats.

****Ensuring compliance and standards in firmware security****

Ensuring compliance and standards in firmware security is critical to protecting devices from vulnerabilities and threats. Below are key aspects of ensuring compliance and standards in firmware security.

**Aspect**

**Details**

Adopting industry standards

NIST Guidelines (e.g., NIST SP 800-193) provide a framework for protecting firmware against unauthorized modification, detecting security breaches, and recovering to a secure state.ISO/IEC 27001 ensures information security management practices, including firmware integrity, aligns with globally accepted standards. Trusted platform module (TPM) for secure boot and firmware measurement to ensure integrity.

Secure Firmware development lifecycle (FDLC)

NIST Guidelines (e.g., NIST SP 800-193) provide a framework for protecting firmware against unauthorized modification, detecting security breaches, and recovering to a secure state.ISO/IEC 27001 ensures information security management practices, including firmware integrity, aligns with globally accepted standards. Trusted platform module (TPM) for secure boot and firmware measurement to ensure integrity.

Cryptographic protections

Threat modellingRegularly review firmware code for compliance with secure coding standards. Use tools to verify firmware binaries against secure policies.

Compliance audits and certifications

Third-party auditsCertifications like Common Criteria (CC) or FIPS 140-2 for assurance.

Supply chain security

Code signing.  Ensures only authenticated and authorized firmware updates are installed.Encryption. Protects firmware data in transit and at rest. Secure Boot, validates firmware signatures during the boot process, preventing tampering.

****Future of firmware security****

Due to technological advancements and evolving threats, the future of firmware security will be more dynamic and resilient. As artificial intelligence and machine learning become integrated into firmware, new attack vectors emerge that need addressing. 

The rise of IoT and edge devices will demand standardized and scalable security frameworks. Enhanced global threat intelligence sharing and blockchain technology will improve defences against vulnerabilities. With a focus on secure, self-healing firmware and stricter regulations, organizations will emphasize security by design and education, making the firmware ecosystem safer and more privacy-oriented.

Image via PixaBay/Nanoslavic

1.  **Intel Responds to ‘Downfall’ Attack with Firmware Updates**
2.  **New Firmware Version of Nintendo Switch Hacked in 4 Hours**
3.  **Cheap Android Smartphones Shipped with Malicious Firmware**
4.  **Zero-day Flaws Exposed EV Chargers to Shutdowns, Data Theft**
5.  **Professions That Are the Most Exposed to Cybersecurity Threats**

Firmware Security: Identifying Risks to Implement Best Cybersecurity Practices

Cybercriminals are targeting YouTube creators with sophisticated phishing attacks disguised as brand collaborations. Learn how to identify these scams, protect your data, and safeguard your online presence

****summary****

*   **Phishing Attack**: Cybercriminals use fake brand collaboration emails to target YouTube creators.

*   **Malware Disguise**: Malicious files are hidden in password-protected attachments like contracts or promotional materials.

*   **Cloud Hosting**: Attackers leverage platforms like OneDrive to host malware, adding a layer of credibility.

*   **Sensitive Data Theft**: Malware steals login credentials, financial information, and grants remote access.

*   **Wide Reach**: Over 200,000 creators targeted globally, with thousands of phishing emails sent via automated tools.

CloudSEK’s threat research team has disclosed details of an advanced new phishing campaign targeting YouTube creators. According to CloudSEK’s investigation, shared exclusively with _Hackread.com_, scammers are using fake brand collaboration emails to steal accounts and spread scams to millions of followers.

****Campaign Analysis****

Report author Mayank Sahariya notes that this sophisticated phishing campaign involves impersonating trusted brands to distribute malware through fake collaboration offers. 

Attackers begin by scraping email addresses from YouTube channels, likely using a specialized parser tool. This allows them to target creators and organizations directly. With email addresses in hand, attackers use browser automation tools to send bulk phishing emails.

Next, the attackers send cleverly crafted emails that appear to be legitimate business proposals from well-known brands. These emails entice recipients with lucrative collaboration deals and include enticing compensation structures based on subscriber count. The malware is cleverly disguised within attachments such as Word documents, PDFs, or Excel files, often masquerading as promotional materials, contracts, or business proposals.

“At the end of the email, the threat actor includes instructions and a OneDrive link to access a zip file containing the agreement and promotional materials, secured with the password,” the report read.

The extracted files reveal four files, including Digital Agreement Terms and Payments Comprehensive Evaluation.exe, which is a malicious payload. Once downloaded and extracted, the zip file unleashes a malicious script disguised as a harmless file format, such as “webcams.pif.” This script leverages AutoIt3 automation software to execute further malware hidden within the archive.

To further bypass detection, the attackers host these malicious attachments on cloud storage platforms like OneDrive (form this ID- \[email protected\] created on August 15, 2024), protected by passwords. This tactic adds a layer of legitimacy, as recipients might expect collaboration agreements and promotional materials to be password-protected.

Once a curious YouTuber downloads the attachment, the malware installs itself on the victim’s system. This malware is designed to steal sensitive information, including login credentials, financial data, and intellectual property. In some cases, it can even grant remote access to the attacker, compromising the entire system.

Attack flow and malicious email used in the scam (Via CloudSec)

****Who are the Targets?****

According to CloudSec’s blog post, this global campaign primarily targets businesses and individuals involved in marketing, sales, and executive positions. These individuals are more likely to engage with brand collaborations and promotions, making them prime targets for this phishing scheme.  

So far, this campaign has targeted over 2 lakh YouTube creators, involving 500-1,000 phishing emails sent from a single email account and around 340+ SMTP servers have been weaponized for attacks.

To stay protected, YouTube creators should be cautious of unsolicited collaboration offers, especially password-protected attachments. Always double-check email addresses, and contact brands directly to confirm the legitimacy of collaboration offers. Also, avoid downloading attachments from unknown senders, even if password-protected to protect valuable data.

1.  **Scammers Rake in $600K with YouTube Deepfakes**
2.  **YouTube Channels Hacked to Spread Lumma Stealer**
3.  **Fake YouTube Android Apps Used to Distribute CapraRAT**
4.  **New YouTube phishing scam using authentic email address**
5.  **Get Paid to Like Videos YouTube Scam Empties Your Wallets**

Malware Hidden in Fake Business Proposals Hits YouTube Creators

Staffers at the Cybersecurity and Infrastructure Security Agency tell WIRED they fear the new administration will cut programs that keep the US safe—and “persecution.”

Donald Trump helped create the US government’s cybersecurity agency during his first term as president. Six years later, employees of that agency are afraid of what he’ll do with it once he retakes office.

Trump’s alliances with libertarian-minded billionaires like Elon Musk and his promises to cut government spending and corporate oversight have alarmed staffers at the Cybersecurity and Infrastructure Security Agency, the component of the Department of Homeland Security that defends US government computer systems from hackers and helps state and local governments, private companies, and nonprofit groups protect themselves.

CISA, which the Trump administration and Congress created in 2018 by reorganizing an existing DHS wing, became a target of right-wing vitriol after its Trump-appointed director rebuffed the president’s election conspiracy theories in 2020 (prompting Trump to fire him) and after it worked with tech companies to combat online misinformation during the 2022 election.

The incidents turned a once-obscure agency with bipartisan credibility into a conservative bogeyman. House Republicans have accused CISA of spying on and censoring Americans, and the GOP senator who will soon oversee the agency wants to eliminate it.

Now, with Trump returning to office vowing to purge disloyal civil servants and turn DHS into an immigration-crackdown machine, CISA employees are acutely worried about the fate of their still-fledgling agency, according to interviews with four current staffers and another US cyber official, all of whom requested anonymity to speak candidly about a sensitive subject.

“We believe it's our responsibility to help those who don't really have the ability to help themselves,” says one CISA employee. “We take our missions seriously, which is why we are all concerned, to a T, about if any decisions are going to affect our mission negatively.”

**Scaling Back Corporate Accountability**

CISA is bracing for change in several areas that were key to US president Joe Biden’s cybersecurity agenda.

Biden’s cyber strategy called for companies to take more responsibility for the security of their products and services, and CISA led that effort with its campaign encouraging companies to make their systems “secure by design” and “secure by default.” Agency officials pushed tech firms to make security features free and automatic and to pay closer attention to the quality of their code. Hundreds of companies have signed CISA’s secure-by-design pledge and vowed to take cybersecurity more seriously.

CISA employees and Biden administration officials expect the Trump team to kill Biden’s corporate responsibility initiatives. “They do not think it's the role of the US government to make \[the\] private sector act in a certain way,” says a US cyber official.

A second CISA employee predicts that “compliance efforts like secure-by-design may not have the support that they currently benefit from.”

That retreat from corporate oversight will be a top priority of Musk and other tech billionaires who have flocked to Trump. “The tech influence here, assuming Elon Musk stays in Trump's good graces, is going to be significant,” the cyber official says.

Without high-level White House backing, CISA’s secure-by-design campaign “becomes toothless,” says the first CISA employee. “Some companies will be less inclined to follow these \[guidelines\] if they don't believe that the executive branch is going to support them.”

CISA employees are also watching uneasily to see if Trump officials pressure the cyber agency to water down its draft regulation requiring critical infrastructure operators to report cyber incidents. Congress mandated the rule in a 2022 spending bill, but groups representing infrastructure operators have complained that the draft requirements—which must be finalized by late 2025—are too onerous. Trump could force CISA to scale back the rules in order to appease the private sector.

Trump and his allies want to “get rid of anybody who can enforce the rules, because then the rules don't matter,” the cyber official says. “In CISA’s instance, that's going to be pretty significant.”

CISA is also bracing for changes to its election security mission. The agency has already dramatically scaled back conversations with social media companies about online misinformation following a right-wing backlash, but Trump’s team could force CISA to abandon even more of its election security work. CISA staffers worry that Trump will block the agency from participating in state and local election officials’ “Trusted Info” initiative, which encourages Americans to listen to their local election supervisors instead of provocative online claims.

“I think that work is probably dead,” says a third CISA employee.

South Dakota governor Kristi Noem, Trump’s pick to lead the Department of Homeland Security, embraced election conspiracies after Biden’s win in 2020. “Kristi Noem is a Trump loyalist who has backed him in election denial claims, and now she's going to be in charge of the agency that oversees \[CISA\],” says the cyber official. “I have a lot of questions about what happens there.”

The third CISA employee expects to see the “persecution of those who have done election security work” once Trump takes office.

**Weakening Authorities**

Trump’s victory could also have serious consequences for other CISA missions.

Under Biden, CISA gained broader authority and new funding to monitor other agencies’ networks for suspicious activity, turning it into the centralized defender of federal networks that many experts always hoped it would become. That could change under Trump, especially if senior officials close to Trump bristle at CISA’s oversight.

“I can absolutely see the new administration coming in and saying, ‘Hey, you guys are not letting agencies do what they need to do. You have … too much power \[to look\] at how the agencies do things. We're going to reduce your power,’” says the first CISA employee. “That will prevent us from doing the very necessary work that we need to do to protect the American people.”

One of CISA’s most formidable powers over other agencies could be watered down for an unexpected reason.

CISA can order the rest of the government to rapidly patch vulnerabilities and make other security improvements, and it has repeatedly used this authority in response to emerging digital crises. But while these directives only apply to federal agencies, some businesses treat them like unofficial government dictates and push their security teams to implement them.

If corporate leaders complain about these directives’ effects on their bottom lines, Trump’s team could force CISA to scale back its use of this authority.

The Trump administration could also try to cut costs at CISA by slashing the free services that it provides to state and local governments and critical infrastructure providers.

“My concern would be that some of those programs would just kind of fall to the wayside,” says the first CISA employee, who also fears that CISA’s “ability to express to the nation what we do and what services we offer” will “come under attack.”

**Dimming the Stars**

Trump’s influence on CISA could also undermine the agency’s long-running uphill battle to attract talented experts away from lucrative industry jobs and into public service.

Multiple CISA employees say they worry that Trump’s election will mean the end of what one called “star hires” like senior advisers Bob Lord and Jack Cable, the corporate cyber veteran and young security whiz, respectively, who lead CISA’s secure-by-design program.

“I can absolutely see guys like Bob Lord and Jack Cable—big, well-respected individuals in the security community—deciding that they want to take their stuff elsewhere if they don't believe that the administration is serious about helping companies be more secure,” says the first CISA employee. Lord and Cable declined WIRED’s request to comment.

“This country has gotten so much more politicized over the past eight years to where it gets in the way of us doing our jobs,” the first CISA employee adds.

Trump’s promised changes to civil-service rules, which would expose more government workers to politically motivated firings, are also alarming CISA employees. “I worry about getting weaponized,” says the third CISA employee.

**Political Tensions**

When it comes to CISA’s fate, much will depend on whom Trump picks to lead the agency and how they navigate broader DHS politics.

The main contenders for CISA director—Karen Evans, a former Energy Department cyber official and White House IT official; Matt Hayden, who served as DHS’s assistant secretary for cyber policy during Trump’s first term; and Brian Harrell, who led CISA’s infrastructure protection wing under Trump—have cyber experience and bipartisan credibility. But if Trump passes over them, it’s not clear who will end up leading CISA.

“There’s not really a ton of star, right-leaning info security people out there who want to risk their credibility as a political appointee,” says the third CISA employee.

Even if CISA gets competent, well-liked senior officials, they will still be at the mercy of DHS leadership. Kristi Noem has touted her work on cybersecurity as South Dakota’s governor, including in an op-ed after her nomination that referenced CISA. But Noem was the only governor to reject money from a DHS cyber grant program for state and local governments in 2023, suggesting that she won’t support the program, which expires in late 2025.

A fourth CISA employee says they hope that once Noem and other Trump appointees “are briefed on the full extent of our nation’s cybersecurity problems, they will recognize the value of our work and its critical importance to national security.”

But even if Noem mostly leaves CISA to its own devices, her department’s leading role in Trump’s controversial immigration agenda—including promised mass deportations of undocumented immigrants—will likely inflame longstanding tensions between DHS and CISA.

“People within CISA don't want to be considered part of DHS,” says the first CISA employee. “They believe that CISA should be its own realm.”

Amid a migration surge during Trump’s first term, DHS asked CISA employees to volunteer to help safeguard the US-Mexico border. “I do not believe that people \[will\] want to be considered part of DHS if that type of stuff is going to continue,” the first CISA employee says.

With DHS leaning harder than ever before into immigration crackdowns, CISA employees are longing for a separation—with even the conservative Project 2025’s unorthodox reorganization proposal sounding appealing to some.

“DHS is gonna be a real awful place the next four years,” says the third CISA employee. “Maybe we should move to Transportation.”

**Quiet Concerns**

While they wait for Trump to signal his approach to cybersecurity, CISA employees are quietly exchanging worries about what’s next for their workplace.

“There have been unspoken concerns about what's going to happen once the administration changes,” says the first CISA employee. “Anything that we do is going to affect the American public in one way or another, so we need to know … what's going to be coming down the pike.”

The mood inside the agency is “uncertain,” says the second CISA employee.

“CISA’s staff isn’t interested in getting politicized,” says the third CISA employee. “We just want to do good work for the American public that makes things more secure and resilient.”

CISA director Jen Easterly said in a statement that she “could not be prouder” of the agency’s achievements.

“CISA’s been able to accomplish its mission thanks to a talented and dedicated workforce, bipartisan support in Congress, and partnerships across government and industry,” Easterly said. “It’s important this work continues as the nation’s critical infrastructure faces an ever evolving and complex threat environment.”

For now, agency employees are distracting themselves by doubling down on that work.

“We kind of bury ourselves into the day to day, just trying to do as much as we can until we get the call that this position or this branch is going to be eliminated,” says the first CISA employee. “We don't have any control over things right now, and I think that's what makes things scary for a lot of us.”

The Top Cybersecurity Agency in the US Is Bracing for Donald Trump

A thwarted attack demonstrates that threat actors using yet another delivery method for the malware, which already has been spread using phishing emails, malvertising, hijacking of instant messages, and SEO poisoning.

Source: Brian Jackson via Alamy Stock Photo

The DarkGate remote access Trojan (RAT) has a new attack vector: A threat actor targeted a Microsoft Teams user via a voice call to gain access to their device.

The attack adds to the other methods for spreading the RAT, which previously has been propagated using phishing emails, malvertising, hijacking of Skype and Teams messages, and search engine optimization (SEO) poisoning, researchers said.

Researchers at Trend Micro discovered the voice phishing, or vishing, attack, in which an attacker initially tried to install a Microsoft remote support application to gain access to the user's device, they revealed in a recent blog post. While this failed, the cyberattackers then used social engineering to convince the victim to download the AnyDesk tool for remote access, which they eventually achieved.

The attacker loaded multiple "suspicious files" onto the victim's machine via a connection that was established to a command-and-control (C2) server, one of which was DarkGate, according to Trend Micro. The RAT, distributed as usual via an AutoIt script, enabled remote control over the user's machine, executed malicious commands, gathered system information, and connected to a command-and-control (C2) server.

**A Multistage Vishing Cyberattack**

The multistage attack started off in a more typical DarkGate way, through a flood of thousands of phishing emails sent to the victim's inbox. The emails were followed up with a Microsoft Teams call purportedly for technical support, which kicked off the vishing attack.

The caller claimed to be an employee of an external supplier of the victim's company needing assistance, and instructed the victim to download the Microsoft Remote Support application.

"However, the installation via the Microsoft Store failed," Trend Micro researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta wrote in the post. "The attacker then instructed the victim to download AnyDesk via browser and manipulate the user to enter her credentials to AnyDesk."

The attacker used AnyDesk to set up a communication channel to C2 and initiate various malicious scripts and eventually a PowerShell command to drop DarkGate using the Autoit legitimate Windows automation and scripting tool favored by attackers for obfuscation and defense evasion. After installation, the attack also loaded files and a registry entry for persistence.

**Another Channel for Spreading DarkGate Malware**

While ultimately the attack was stopped before data could be exfiltrated from the victim's machine, it demonstrates DarkGate actors using yet another means to spread the formidable RAT, adding to a long list of previously used delivery methods, the researchers said.

DarkGate has been used to target users around the world since at least 2017 and integrates multiple diverse and malicious functions. Among its capabilities are executing commands for gathering system information, mapping networks, and doing directory traversal, as well as launching Remote Desktop Protocol (RDP), hidden virtual network computing, AnyDesk, and other remote access software.

DarkGate also has features to support cryptocurrency mining, keylogging, privilege escalation, and stealing information from browsers, and is even known to carry additional payloads, including other RATs like Remcos.

**How to Protect Against Sophisticated Vishing Attacks**

Vishing attacks are becoming ever more psychologically sophisticated, with attackers even resorting to physical intimidation to coerce victims into complying with demands. Training employees on signs of a vishing attack, including staying up to date on the latest tactics, is becoming increasingly important as these attacks escalate.

"Well-informed employees are less likely to fall victim to social engineering attacks, strengthening the organization’s overall security posture," the researchers wrote.

Organizations also should "thoroughly vet third-party technical support providers" to "ensure that any claims of vendor affiliation are directly verified before granting remote access to corporate systems, the researchers wrote. Moreover, they should establish cloud-vetting processes to evaluate and approve remote access tools, such as AnyDesk to assess security compliance and vendor reputation before putting them in use.

Whitelisting approved remote access tools and blocking any unverified applications as well as integrating multifactor authentication (MFA) on remote access tools also reduce "the risk of malicious tools being used to gain control over internal machines," the researchers wrote.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#mac