The security vulnerability tracked as CVE-2024-50603, which rates 10 out of 10 on the CVSS scale, enables unauthenticated remote code execution on affected systems, which cyberattackers are using to plant malware.

Source: Everett Collection Historical via Alamy Stock Photo

Multiple threat actors are actively targeting a recently disclosed maximum-severity security bug in the Aviatrix Controller centralized management platform for cloud networking.

In a worst-case scenario, the vulnerability, identified as CVE-2024-50603 (CVSS 10) could allow an unauthenticated remote adversary to run arbitrary commands on an affected system and take full control of it. Attackers are currently exploiting the flaw to deploy XMRig cryptomining malware and the Sliver backdoor on vulnerable targets.

**CVE-2024-50603: A High-Impact Vulnerability**

The vulnerability presents an especially severe risk in Amazon Web Services (AWS) cloud environments, where Aviatrix Controller allows privilege escalation by default, researchers at Wiz Security warned in a blog on Jan. 10.

"Based on our data, around 3% of cloud enterprise environments have Aviatrix Controller deployed," the researchers noted. "In 65% of such environments, the virtual machine hosting Aviatrix Controller has a lateral movement path to administrative cloud control plane permissions."

Hundreds of large companies use Aviatrix's technology to manage cloud networking across AWS, Azure, Google Cloud Platform (GCP), and other multi-cloud environments. Common use cases include automating the deployment and management of cloud network infrastructure, and managing security, encryption, and connectivity policies. The company lists organizations such as Heineken, Raytheon, Yara, and IHG Hotels and Resorts among its customers.

Related:In Appreciation: Amit Yoran, Tenable CEO, Passes Away

CVE-2024-50603 stems from Aviatrix Controller not properly checking or validating the data that users send through its application programming interface (API). It is the latest bug to highlight the security risks tied to the growing use of APIs among organizations of all sizes. Other common API-related risks include those stemming from configuration errors, lack of visibility, and inadequate security testing.

The flaw is present in all supported versions of Aviatrix Controller before 7.2.4996 or 7.1.4191. Aviatrix has issued a patch for the bug and recommends that organizations apply it or upgrade to either versions 7.1.4191 or 7.2.4996 of the Controller.

"In certain circumstances the patch is not fully persistent across controller upgrades and must be re-applied, even if the controller status is displayed as 'patched,'" the company noted. One such circumstance is applying the patch on non-supported versions of the controller, Aviatrix said.

**Hackers Mount Opportunistic Cloud Attacks**

Security researcher Jakub Korepta of SecuRing, who discovered and reported the bug to Aviatrix, publicly disclosed details of the flaw on Jan. 7. Just one day later, a proof-of-concept exploit for the bug became available on GitHub, triggering near-immediate exploit activity.

Related:Managing Cloud Risks Gave Security Teams a Big Headache in 2024

"Since the proof-of-concept release, Wiz observed that most of the vulnerable instances were specifically targeted by attackers looking for unpatched Aviatrix deployments," says Alon Schindel, vice president of AI & Threat Research at Wiz. "The overall volume of exploitation attempts has been steady. However, we see customers patching their systems and preventing attackers from targeting them."

Schindel characterizes the exploit activity so far as largely opportunistic in nature, and emanating from scanners and automated tool sets combing the Internet for unpatched Aviatrix instances.

"Although some of the payloads and infrastructure used suggest higher sophistication in a few cases, most of the attempts appear to be broad sweeps rather than highly customized or targeted attacks on specific organizations," he says.

Available telemetry suggests that multiple threat actors, including organized criminal gangs, are leveraging the flaw in various ways. So far at least, there is no evidence pointing to any single group as dominating the exploitation activity, Schindel says. "Depending on the environment's setup, an attacker might exfiltrate sensitive data, access other parts of the cloud or on-prem infrastructure, or disrupt normal operations," he notes.

Related:DDoS Attacks Surge as Africa Expands Its Digital Footprint

**A Reminder of API-Based Cyber-Risks**

Ray Kelly, a fellow at Black Duck, says the Aviatrix Controller vulnerability is another reminder of both the growing risks associated with API endpoints and the challenges involved in addressing them. The vulnerability shows how a server can be compromised via a simple Web call to an API, and highlights the need for thorough testing of APIs. But such testing can be daunting, given the size, complexity, and interdependence of APIs and the fact that many APIs are developed and managed by external software and service providers.

"One effective approach to mitigating these risks is by establishing clear 'rules of governance' for third-party software," Kelly says. "This includes implementing thorough vetting processes for third-party providers, enforcing consistent security measures, and maintaining continuous monitoring of software performance and vulnerabilities."

Wiz's Schindel says the best recourse for organizations affected by the new Aviatrix bug is to apply the company's patch for it as soon as possible. Organizations that are unable to patch immediately should restrict network access to the Aviatrix Controller via an IP allowlist so only trusted sources can reach it, Schindel advises. They should also monitor logs and system behavior closely for suspicious activity or known exploit indicators, set up alerts for abnormal behavior associated with Aviatrix, and reduce unnecessary lateral movement paths between their cloud identities.

Jessica MacGregor, spokeswoman for Aviatrix says the company issued an emergency patch for the vulnerability back in November 2024 given its potential severity. The security patch applied to all supported releases and also for versions of Aviatrix Controller for which support had ended two years ago. The company also reached out privately to customers via multiple targeted campaigns to make sure affected organizations applied the patch, MacGregor says.

While a significant portion of affected customers have applied the patch and recommended hardening measures, some organizations have not. And it is these customers that are experiencing the current attacks, she notes. "While we strongly recommend that customers remain current in their software, customers on Controller version 6.7+ who have applied the Security Patch can be protected even if they have not upgraded to the latest versions with the permanent fixes," she says.

 MacGregor says Aviatrix wants anyone unable to upgrade or patch their systems to reach out so the company can work with them to harden their configuration based on best practices. "We will also work closely with customers that believe they been exploited to restore their Aviatrix software to a clean state."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cloud Attackers Exploit Max-Critical Aviatrix RCE Flaw

Threat actors are targeting people searching for pirated or cracked software with fake downloaders that include infostealing malware such as Lumma and Vidar.

Source: Bits and Splits via Shutterstock

Attackers are targeting people interested in pirated and cracked software downloads by abusing YouTube and Google search results.

Researchers from Trend Micro uncovered the activity on the video-sharing platform, on which threat actors are posing as "guides" offering legitimate software installation tutorials to lure viewers into reading the video descriptions or comments, where they then include links to fake software downloads that lead to malware, they revealed in a recent blog post.

On Google, attackers are seeding search results for pirated and cracked software with links to what appear to be legitimate downloaders, but which in reality also include infostealing malware, the researchers said.

Moreover, the actors "often use reputable file hosting services like Mediafire and Mega.nz to conceal the origin of their malware, and make detection and removal more difficult," Trend Micro researchers Ryan Maglaque, Jay Nebre, and Allixon Kristoffer Francisco wrote in the post.

**Evasive & Anti-Detection Built Into the Campaign**

The campaign appears to be similar to one that surfaced about a year ago spreading Lumma Stealer — a malware-as-a-service (MaaS) commonly used to steal sensitive information like passwords and cryptocurrency-wallet data — via weaponized YouTube channels. At the time, the campaign was thought to be ongoing.

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

Though the Trend Micro did not mention if the campaigns are related, if they are, the recent activity appears to up the ante in terms of the variety of malware being spread and advanced evasion tactics, as well as the addition of malicious Google search results.

The malicious downloads spread by attackers often are password-protected and encoded, which complicates analysis in security environments such as sandboxes and allows malware to evade early detection, the researchers noted.

After infection, the malware lurking in the downloaders collects sensitive data from Web browsers to steal credentials, demonstrating "the serious risks of exposing your personal information by unknowingly downloading fraudulent software," the researchers wrote.

In addition to Lumma, other infostealing malware observed being distributed via fake software downloads on links posted on YouTube include PrivateLoader, MarsStealer, Amadey, Penguish, and Vidar, according to the researchers.

Overall, the campaign exploits the trust that people have in platforms such as YouTube and file-sharing services, the researchers wrote; it especially can affect people looking for pirated software who think they are downloading legitimate installers for popular programs, they said.

Related:Russia Carves Out Commercial Surveillance Success Globally

**Shades of a GitHub Campaign**

The thinking behind the campaign also is similar to one recently found abusing GitHub, in which attackers exploited the trust that developers have in the platform to hide the Remcos RAT in GitHub repository comments.

Though the attack vector is different, comments play a big role in spreading malware, the researchers explained. In one attack they observed, a video post purports to be advertising a free "Adobe Lightroom Crack" and includes a comment with a link to the software downloader.

Upon accessing the link, a separate post on YouTube opens, revealing the download link for the fake installer, which leads to a download of the malicious file that includes infostealing malware from the Mediafire file hosting site.

Another attack discovered by Trend Micro planted a shortened link to a malicious fake installer file from OpenSea, the NFT marketplace, as the third result in a search for an Autodesk download.

"The entry contains a shortened link that redirects to the actual link," the researchers wrote. "One assumption is that they use shortened links to prevent scraping sites from accessing the download link."

The link prompts the user for the actual download link and the zip file's password, presumably because "password-protecting the files can help prevent sandbox analysis of the initial file upon arrival, which can be a quick win for an adversary," they noted.

Related:Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs

**Protect Your Organization From Malware**

As shown by the threat activity, attackers continue to use social engineering tactics to target victims and apply a variety of methods to avoid security defenses, including: using large installer files, password-protected zip files, connections to legitimate websites, and creating copies of files and renaming them to appear benign, the researchers noted.

To defend against these attacks, organizations should "stay updated on current threats and to remain vigilant regarding detection and alert systems," the researchers wrote. "Visibility is important because solely relying on detection can result in many malicious activities going unnoticed."

Employee training, as security experts often note, also goes a long way in ensuring employees don't fall for socially engineered attacks or try to download pirated software.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

This week on the Lock and Code podcast, we speak with Mallory Knodel about whether AI assistants are compatible with encrypted messaging apps.

_This week on the Lock and Code podcast…_

The era of artificial intelligence everything is here, and with it, come everyday surprises into exactly where the next AI tools might pop up.

There are major corporations pushing customer support functions onto AI chatbots, Big Tech platforms offering AI image generation for social media posts, and even Google has defaulted to include AI-powered overviews into everyday searches.

The next gold rush, it seems, is in AI, and for a group of technical and legal researchers at New York University and Cornell University, that could be a major problem.

But to understand their concerns, there’s some explanation needed first, and it starts with Apple’s own plans for AI.

Last October, Apple unveiled a service it is calling Apple Intelligence (“AI,” get it?), which provides the latest iPhones, iPads, and Mac computers with AI-powered writing tools, image generators, proof-reading, and more.

One notable feature in Apple Intelligence is Apple’s “notification summaries.” With Apple Intelligence, users can receive summarized versions of a day’s worth of notifications from their apps. That could be useful for an onslaught of breaking news notifications, or for an old college group thread that won’t shut up.

The summaries themselves are hit-or-miss with users—one iPhone customer learned of his own breakup from an Apple Intelligence summary that said: “No longer in a relationship; wants belongings from the apartment.”

What’s more interesting about the summaries, though, is how they interact with Apple’s messaging and text app, Messages.

Messages is what is called an “end-to-end encrypted” messaging app. That means that only a message’s sender and its recipient can read the message itself. Even Apple, which moves the message along from one iPhone to another, cannot read the message.

But if Apple cannot read the messages sent on its own Messages app, then how is Apple Intelligence able to summarize them for users?

That’s one of the questions that Mallory Knodel and her team at New York University and Cornell University tried to answer with a new paper on the compatibility between AI tools and end-to-end encrypted messaging apps.

Make no mistake, this research isn’t into whether AI is “breaking” encryption by doing impressive computations at never-before-observed speeds. Instead, it’s about whether or not the promise of end-to-end encryption—of confidentiality—can be upheld when the messages sent through that promise can be analyzed by separate AI tools.

And while the question may sound abstract, it’s far from being so. Already, AI bots can enter digital Zoom meetings to take notes. What happens if Zoom permits those same AI chatbots to enter meetings that users have chosen to be end-to-end encrypted? Is the chatbot another party to that conversation, and if so, what is the impact?

Today, on the Lock and Code podcast with host David Ruiz, we speak with lead author and encryption expert Mallory Knodel on whether AI assistants can be compatible with end-to-end encrypted messaging apps, what motivations could sway current privacy champions into chasing AI development instead, and why these two technologies cannot co-exist in certain implementations.

> “An encrypted messaging app, at its essence is encryption, and you can’t trade that away—the privacy or the confidentiality guarantees—for something else like AI if it’s fundamentally incompatible with those features.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 The new rules for AI and encrypted messaging, with Mallory Knodel (Lock and Code S06E01) 

Behind the scenes, companies and governments are feeding a trove of data about international travelers into opaque AI tools that aim to predict who’s safe—and who’s a threat.

Inside the Black Box of Predictive Travel Surveillance

With the advent of virtual reality, everyone got scared that the life we ​​know will disappear, and only…

With the advent of **virtual reality**, everyone got scared that the life we ​​know will disappear, and only those who understand new technologies will be able to find work. Remember what they said about newspapers. And about television. Radio. It seems likely that the same will play out in real life. Just consider what’s already unfolding in virtual reality, within metaverses like Fortnite, Roblox, Holiverse, and Decentraland.

****What does the “reality disappearance” mean?****

The disappearance of reality in the context of the popularity of the **metaverse** does not mean the disappearance of the physical world. It is rather a transformation of our perception and the usage of the real world. Here is how such transformation can happen. 

****Psychological disappearancе****

Let’s start with a simple example. Remember how, as children, we used to play the console for hours, forgetting about lunch? Or look at your children. How many times do you have to say it before they finally sit at the table? Now imagine this feeling, but taken to a new level, where the virtual world feels more interesting and important than the real one.

But haven’t you noticed that we’ve been living this way for the past ten years? Tinder, Facebook, Instagram, and TikTok are gradually consuming several hours of our time every day.

Here’s an example of how a man psychologically disappears in a game. There is a character in World of Warcraft. In virtual reality, this person is a hero, an idol who is looked up to. And what about real life?

There is an ordinary office worker in glasses in a cool unit, whom sometimes even the cleaning lady does not notice. Where would this person be more comfortable? Of course, where he or she is a role model. It’s like choosing what to have for tea: a sweet cake with thick whipping cream or sauerkraut. Well, obviously, in terms of psychology, the man will choose the virtual world in the given situation.

Now imagine that all your communication, work, and even cultural events have shifted to the digital world, the metaverse. Without leaving home, you arrange business meetings, go to concerts, and have fun with friends. It seems like science fiction but it is already a reality.

Travis Scott has collected 12 million viewers in Fortnite. Why go to a real stadium if you can go to a popular rapper’s concert without leaving your home? And without being afraid of a crowd of fans or risking being trampled. Convenient, right?

More and more people understand that there is no point in wasting time in traffic jams if you can solve everything online. And this is just the beginning.

****Economic disappearancе****

Now imagine that money also goes into the virtual world. No, it’s not just about cryptocurrency. People buy virtual land for millions of dollars, sew clothes for avatars, and collect NFTs, like previous stamps or coins.

Here’s an example. Someone bought a Gucci bag in Roblox for $4,000. Although it cost more than in real life, it was still bought. For some, this bag is a way to show status, even in the game.

****Land in Decentraland, avatars in Holiverse and turning tеxt into vidео** **

If you look closely, the “disappearance of reality” has already begun. The only thing is that it’s not as bright as in science fiction movies. We do not connect wires to our heads to get into the virtual world, but, it looks like, we are gradually disappearing there. 

****People buy plots of virtual land for millions of dollars and hope****

For example, in 2021, someone bought a plot of land in Decentraland for $2 million. This is virtual land, you can’t even touch it! Tomorrow the server will burn out, the Internet will be turned off, and no one will remember it. However, for such people, this is not a game, but an investment. They believe that tomorrow virtual real estate will become even more valuable.

The same thing with clothes, which we love to buy in reality. Now imagine that you are buying not a jacket or sneakers, but a skin for your avatar. You do not understand why, but thousands of people around the world do this. In games like Fortnite or Holiverse, this is completely normal because people pursue their own goals there.

For the buyer, this is a matter of status. Because this bag makes his avatar authentic. And that’s cool.

Why is this cool? Here’s an example. A virtual character under the nickname Lil Мiquelа lives only on the Internet. In reality, no one fully understands how she appeared.

Although Miquela does not exist in real life, millions of subscribers follow her on Instagram. She advertises brands, stars in campaigns, and even releases music. Her creators earn millions, and for subscribers, she is “more than real.”

**Holiverse: аvatar as a digital twin**

Just imagine: you take a sample of your DNA at home, and within a couple of days, you receive a digital copy of yourself, an avatar that lives in a virtual world, mimics your behaviour, and adapts to reflect any changes. This avatar does not just copy your body, it knows exactly how your body will react to different physical loads, food products and even cosmetics. This concept is being developed by the **Holiverse** startup, led by Lado Okhotnikov.

The idea looks fresh. Instead of wasting time and money on trying different medicines, you can use your virtual double. For example, you can:

*   find out how your physical condition will change if you add new workouts;
*   try which products will improve your life and which ones you better exclude;
*   test supplements or medicine that you are planning to take.

Lado Okhotnikov and his team emphasize user accessibility. To create a digital copy, you just need to take a DNA test at home, using a test kit that can be purchased at a pharmacy near your home or on a marketplace. Then you will need to send this sample to the lab, and after a short period, you will receive an exact copy of yourself: an avatar that can predict your body’s reactions with incredible accuracy.

The main advantage of Holiverse is the cost of the service. Lado Okhotnikov aims to make this technology available to everyone, turning personalized medicine from luxury into a necessity.

**Luma: turns text into video**

**Luma AI** presented Dream Machine; a service that “brings the text to life.” In terms of quality, the neural network is almost as good as Sora, one of the most powerful generative models. But this startup has a big advantage; Dream Machine is available to everyone. The neural network works on a new architecture and is already bypassing competitors like Runway Gen-2 or Pika. The video is realistic: without jerks, and the characters look natural and are not distorted.

Although the videos are short, a year ago this was considered science fiction. In a year or two, the service may be able to offer something truly significant. For example, tools for generating full-fledged virtual worlds.

Who knows, maybe in a few years we will be able to design entire virtual cities at home in a couple of minutes, simply by describing them in words. Or turn our ideas into animated films available to a million audience in metaverses.

****And what’s next?****

Being scared of technology is the same as trying to stop progress. However, even with the advent of that very virtual reality which everyone is talking about, real life will not go anywhere. You will still go to stores, equipment will still break down, and someone will still come to fix it. The virtual world can captivate, but it will not replace everything. It will not be possible to give up reality quickly and painlessly.

1.  **What is the Fediverse?**
2.  **Google Wants to Put Our Memories in a Database**
3.  **What Is Programmatic Advertising And How To Use It**
4.  **Microsoft patent reveals chatbot to talk to dead people**
5.  **What is Blockchain Gaming and its Play-to-Earn Model?**

The Metaverse Will Become More Popular Than the Real World: Will Reality Disappear?

SUMMARY Cybercriminals are deploying a tricky new phishing campaign impersonating the cybersecurity firm CrowdStrike‘s recruiters to distribute a…

****SUMMARY****

*   **Phishing Scam Targets Job Seekers: Cybercriminals impersonate CrowdStrike recruiters to distribute cryptominer malware via fake job offers.**

*   **Malware Delivery: Victims are tricked into downloading a malicious app from a fake CrowdStrike website, and installing XMRig to mine Monero cryptocurrency.**

*   **Evasion Tactics: The malware limits CPU usage, scans for security tools, and uses startup scripts to remain undetected and persistent.**

*   **Rising Fake Job Scams: Similar tactics are increasingly common, with groups like Lazarus using fake job offers to deploy malware.**

*   **Safety Tips: Verify job offers through official channels, avoid unsolicited software downloads, and use endpoint protection to detect threats.**

Cybercriminals are deploying a tricky new phishing campaign impersonating the cybersecurity firm CrowdStrike‘s recruiters to distribute a cryptominer on unsuspecting job seekers’ devices. This malicious scheme leverages the allure of employment at a reputable cybersecurity firm to trick victims into downloading malware.

According to CrowdStrike’s blog post, the attack was detected on 7 January 2025 and began with a phishing email that appears to be part of CrowdStrike’s recruitment process. The email entices the target with the prospect of a junior developer interview and provides a link to schedule the meeting. Clicking the link directs the victim to a cleverly designed imposter website that mimics CrowdStrike’s branding.

This deceptive website offers downloadable “employee CRM applications” for both Windows and macOS users. Regardless of the chosen platform, downloading the application triggers the installation of a malicious Windows executable written in Rust. This executable acts as a downloader for XMRig, a well-known cryptominer, which starts mining Monero cryptocurrency. This privacy coin is a popular choice for cybercriminals because it is hard to trace.

The screenshot shows the malicious phishing site containing download links for the fake CRM application (Via CrowdStrike)

The executable is designed to evade detection by scanning the system’s processes for malware analysis tools or virtualization software, verifying the presence of at least two CPU cores, and checking for debuggers. If successful, it displays a fake error message to lull the victim into a false sense of security, while downloading additional payloads to establish persistence on the infected device and initiate the XMRig cryptomining process.

However, in this attack, XMRig’s power consumption has been limited to 10% to avoid detection. Moreover, attackers added a batch script in the Start Menu Startup directory to ensure it runs on boot. 

For your information, cryptominers are a type of malware that surreptitiously hijack a computer’s processing power to mine cryptocurrency for the attacker’s benefit. This unauthorized use of resources can cause the device to overheat, potentially leading to hardware damage and a shortened lifespan.

This isn’t a new trend, as fake job scams are becoming more prevalent online, with North Korean group Lazarus persistently using this method to trick unsuspecting users. Hackread recently reported Lazarus group deploying a new macOS trojan called “RustyAttr” since May 2024 to carry out its operations undetected.

Remember, legitimate recruiters rarely request candidates to download software or conduct interviews through unconventional channels. Always verify the authenticity of any job offer before proceeding and rely on official company websites for career opportunities and application processes.

CrowdStrike advises job seekers to be cautious of unsolicited interview offers, including those conducted via instant messaging or group chat, requests for product purchases or payment processing, and software download requirements. 

> _“Organizations can reduce the risk of such attacks by educating employees on phishing tactics, monitoring for suspicious network traffic and employing endpoint protection solutions to detect and block malicious activity.”_
> 
> CrowdStrike

To verify the legitimacy of any communication from CrowdStrike, job seekers should contact the company’s recruiting team at \[email protected\].

1.  **World’s Leading Cybersecurity Firm Kaspersky Hacked**
2.  **X Account of Google Cybersecurity Firm Mandiant Hacked**
3.  **U.S. Sanctions Chinese Cybersecurity Firm Over Cyberattacks**
4.  **Cybersecurity Firm KnowBe4 Hired North Korean Hacker as IT Pro**
5.  **Cybersecurity Firm Hacks Itself, Finds DNS Flaw Leak AWS Credentials**

Fake CrowdStrike Recruiters Distribute Malware Via Phishing Emails

A fake proof-of-concept (PoC) exploit designed to lure cybersecurity researchers into downloading malicious software. This deceptive tactic leverages a recently patched critical vulnerability in Microsoft's Windows LDAP service (CVE-2024-49113), which can cause denial-of-service attacks.

****SUMMARY****

*   **Fake PoC Exploit for CVE-2024-49113**: A malicious exploit, “LDAPNightmare,” targets researchers by disguising it as a PoC for a patched Windows LDAP vulnerability.

*   **Data Theft**: The malware steals computer and network information, sending it to attackers’ servers.

*   **Sophisticated Attack**: A fake repository mimics a legitimate one, using malicious files and scripts to deploy the malware.

*   **High-Profile Target**: Attackers aim to compromise security researchers for valuable intelligence.

*   **Precautions**: Researchers should verify repository authenticity, prioritize official sources, and check for suspicious activity.

According to the latest research from Trend Micro, a fake Proof-of-Concept (PoC) exploit has been identified for CVE-2024-49113, a denial-of-service (DoS) vulnerability previously found in Microsoft’s Windows Lightweight Directory Access Protocol (LDAP). Both vulnerabilities were originally identified by Safebreach.

The attackers have set up a malicious repository containing the fake PoC, leading to the exfiltration of sensitive computer and network information. This attack, known as LDAPNightmare, is designed to lure security researchers into downloading and executing information-stealing malware.

Repository containing “poc.exe” (Via Trendmicro)

When unsuspecting researchers download/execute this harmless-looking code, they inadvertently unleash an information-stealing malware. This malware stealthily collects sensitive data from the infected machine, including computer information, running processes, network details, and installed updates. It then transmits this stolen data to a remote server controlled by the attackers.

The attackers have employed a sophisticated technique to deliver the malware. The malicious repository appears to be a legitimate fork of an original repository, making it difficult to immediately identify as malicious.

The genuine Python files in the repository have been replaced with a malicious executable, which, upon execution, drops and executes a PowerShell script. This script then establishes a scheduled task that downloads and executes another malicious script from Pastebin. This final script collects the victim’s public IP address and exfiltrates stolen data to an external FTP server.

It is worth noting that the vulnerability was addressed in Microsoft’s December 2024 Patch Tuesday release, which addressed two other critical vulnerabilities in LDAP. The first, CVE-2024-49112, is a remote code execution bug that attackers can exploit by sending specially crafted LDAP requests. The second, CVE-2024-49113, is a DoS vulnerability that can be exploited to crash the LDAP service, causing service disruptions. 

For your information, PoC exploits are non-harmful attacks that reveal software security weaknesses, aiding companies in patching vulnerabilities. However, if used incorrectly, PoCs can provide attackers with a blueprint for exploiting a system before users can install fixes, potentially causing harm.

This attack method, as per Trendmicro’s report, while not entirely novel, threatens the cybersecurity community because by exploiting a high-profile vulnerability and targeting security researchers – individuals who are often highly aware of security threats – attackers can gain valuable intelligence and potentially compromise critical security systems.

Therefore, security researchers should be cautious when downloading and executing code from online repositories. They should prioritize official sources, scrutinize repositories for suspicious content, and verify the authenticity of the repository owner or organization.

Moreover, it is essential to consider community feedback for repositories with minimal activity and look for red flags within the repository that may indicate potential security risks. This will help them stay protected from potential threats and ensure their security.

1.  Hackers Use Fake PoCs on GitHub to Steal AWS Keys
2.  Warning: Fake GitHub Repos Delivering Malware as PoCs
3.  Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!
4.  How to Conduct a Cybersecurity Proof of Concept with a Vendor
5.  Fake 7-Zip Exploit Code Traced to AI-Generated Misinterpretation

Fake PoC Exploit Targets Cybersecurity Researchers with Malware

Cybercriminals are luring victims into downloading the XMRig cryptomining malware via convincing emails, inviting them to schedule fake interviews using a malicious link.

Source: ImageBroker.com GmbH & Co. KG via Alamy Stock Photo

NEWS BRIEF

Cybercriminals have picked up a new tactic, impersonating CrowdStrike recruiters in order to distribute a cryptominer on their victims' devices.

This malicious campaign starts with an email, inviting the victim to schedule an interview with a recruiter for a position as a junior developer.

The illegitimate email contains a link, alleging that it will take the recipient to a site so they can schedule their interview, but in reality, takes the victim to a malicious website containing links to download a purported "CRM application."

"While interview and job-related phishing emails are not uncommon, this is a very targeted campaign that goes beyond the vast majority of malicious campaigns we see with this theme," said Chance Caldwell, senior director of the Phishing Defense Center at Cofense, in an emailed statement. "The campaign uses URLs that were created to look like they might actually belong to CrowdStrike, and the downloaded malware provides a pop-up that directs users to the real CrowdStrike support portal. Most of the use cases we see are lucky to have proper branding, much less the extended work done here to really portray themselves as CrowdStrike."

**Malicious Recruiter Lures Target Both Windows & Mac**

The site offers options for both Windows and macOS, and regardless of which option the victim chooses, once selected, it will download a Windows executable written in Rust. The executable will then download the cryptominer XMRig.

The executable runs several environmental checks to analyze the device and evade detection, such as scanning the running processes, verifying the CPU, and more.

If the checks are passed, the executable will display a false error message pop-up for the user, while downloading additional payloads needed to run the XMRig miner.

CrowdStrike, which identified the campaign just days ago, is warning job seekers to be vigilant, as this is not the only scam involving fake employment offers that's circulating out there.

It recommended avoiding any interviews carried out through instant message or email, and refusing to download any software for an interview, and it stressed the importance of verifying the authenticity of any CrowdStrike hiring communications by contacting \[email protected\].

"It is very unlikely that a recruiter will direct someone to download an executable as part of the interview process," Caldwell noted. "Any suspicious requests, such as this one, should be sufficiently verified before downloading anything, and contact information should be verified through the legitimate company website."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

Growing sales of the System for Operative Investigative Activities (SORM), a Russian wiretapping platform, in Central Asia and Latin American suggests increasing risks for Western businesses.

Source: Golden Dayz via Shutterstock

A half-dozen governments in Central Asia and Latin American have purchased the System for Operative Investigative Activities (SORM) wiretapping technology from Russian providers, expanding their — and potentially Russian intelligence's — ability to intercept communications.

The technology includes monitoring equipment placed inside a telecommunications provider's facility, which delivers information to the client government's intelligence agency, including mobile numbers, phones identifiers, geolocation, names, email addresses, and IP addresses. That's according to threat intelligence firm Recorded Future, which found in an analysis that the former Soviet territories of Belarus, Kazakhstan, Kyrgyzstan, and Uzbekistan, and the Latin American nations of Cuba and Nicaragua, have very likely acquired the technology to wiretap citizens.

Western companies and citizens should take measures to protect their communications and to understand the risks of surveillance when traveling to countries that have lax civil protections against wiretapping, says a threat analyst with Recorded Future's Insikt threat intelligence group, who asked to remain anonymous due to the sensitivity of the topic.

"Obviously, in countries that don't employ SORM — even Western countries — surveillance frameworks are not immune to abuse, but it's important to look holistically at this when there's evidence of these systems being built with Russian-company inputs in a country with a history of state surveillance operations," the analyst says. "Particularly, human rights defenders, activists, journalists, members of civil society, but also foreign travelers, \[could all be targets\]."

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

The expansion of Russia's SORM kit highlights the gains of digital surveillance technology worldwide. The companies behind the spyware tools used by authoritarian governments — such as NSO Group's Pegasus and Intellexa Consortium's Predator — have made inroads globally, as the companies refine their ability to evade roadblocks on sales to sanctioned nations, according to an in-depth report published by the Atlantic Council in September. Overall, 41% of the 195 countries worldwide have licensed commercial spyware, including 14 of the 27 countries in the European Union, according to the Atlantic Council.

Wiretapping technology and spyware are often used for legitimate reasons, whether that be law enforcement investigations of suspected criminals or intelligence gathering against nation-state rivals. However, in countries with few protections for civil liberties, or poor regulation of digital surveillance technologies, abuses inevitably follow for governments that deploy it without adequate oversight, according to the Atlantic Council analysts.

Related:Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs

"Spyware makes it easier for states to penetrate even the most robust commercial technologies, cell phones, computers, and communications services; makes it far easier to act against citizens beyond state borders; and even provides governments with the ability to target senior officials, both domestically and abroad, where they might otherwise have no means to do so," the Atlantic Council analysts stated in the report. "Where that information is used to facilitate repression and abuse, its harms are untenable."

**The Spyware Nexus: An R Joins the Three I's**

The Atlantic Council identified 435 "entities" — companies and people associated with commercial spyware — and found that two-thirds lead back to three nations: Israel, Italy, and India. Now, Russia has become a major provider of surveillance technology as well.

Existing law in Russia requires that telecommunications providers install and maintain monitoring devices that meet SORM regulations, but the firms are not authorized to access the capabilities of the devices nor audit communications collection, according to Recorded Future's report. Countries in Russia's sphere of influence have passed similar laws mandating SORM-compliant technology, which is typically installed and serviced by Russian providers, likely giving Russia the ability to access intercepted communications.

Related:Unconventional Cyberattacks Aim to Take Over PayPal Accounts

Record Future used a variety of indicators for the adoption of SORM, including marketing materials and the websites of the providers of SORM technologies. The largest providers of SORM technology are companies called Citadel, Norsi-Trans, and Protei, who — along with five other identified technology firms — are likely exporting SORM products and services to at least 15 telecommunications companies, the firm found.

The risks of illicit digital surveillance are growing, argues Vitor Ventura, manager for EMEA and Asia at Cisco's Talos threat intelligence group.

"In certain countries, it might just be legal to do certain kind of interceptions for reasons that are not allowed in other countries, or because you have a law that says that if national security is at risk, you can do whatever you want," he says, adding that there has been a global boom in surveillance technology over the past few years.

"I don't think that the law is changing that much — I just think that there is a bigger appetite, and there's a lot more being offered," he says. "The prices eventually came down, and everyone that has the money for \[surveillance technology\] will actually go for it."

**Know Your Telecom Tech, Wiretapping Laws**

Companies that have employees based in nations with weaker civil liberty protections should note that adopting privacy and encryption tools can help mitigate the risk, but providers of virtual private network (VPN) services often are subject to the same laws as telecommunications providers, according to the Recorded Future report, and might also be turning over intelligence to government agencies.

In many ways, the cyber-risks mirror those argued by the US government in regards to Russian cybersecurity firm Kaspersky, whose antivirus products were banned in mid-2024, the Recorded Future analyst says.

"These \[telecom\] companies might be able to go into systems and have access to such a vast range of data — there's definitely a high intelligence value there," the analyst says. "The same risks that apply to Kaspersky are equally as applicable to Russian SORM providers."

Companies should keep apprised of the spread of the technology in the future. For example, one Russian provider, Protei, markets SORM in trade shows in Africa, the Middle East, and Latin America, raising the likelihood that countries in those regions will adopt the wiretapping platform at some time in the future.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tag

#mac