Discover how cybercriminals use 'Infrastructure Laundering' to exploit AWS and Azure for scams, phishing, and money laundering. Learn about FUNNULL CDN's tactics and their global impact on businesses and cybersecurity.

Cybersecurity firm Silent Push has identified a new cybercriminal tactic called “Infrastructure Laundering.” Researchers say this technique is becoming more common in the cybercrime world. According to Silent Push’s Threat Analysis team’s investigation, shared with Hackread.com, through this tactic cybercriminals are exploiting mainstream cloud providers like Amazon Web Services (AWS) and Microsoft Azure.

This method allows threat actors to mask their illicit activities by renting IP addresses from these legitimate providers and linking them to their criminal websites. The FUNNULL content delivery network (CDN) extensively uses this tactic, revealing a direct connection to money laundering, retail phishing schemes, and various online scams.

For your information, infrastructure laundering is a form of cybercrime that involves criminals blending their malicious activities with legitimate web traffic, making it difficult for defenders to block access without disrupting legitimate users. This differs from traditional “bulletproof hosting” services, which operate in lax regulations.

FUNNULL’s operation involves renting thousands of IP addresses from major cloud providers, and then constantly cycling through them to stay ahead of detection.  FUNNULL, reportedly, rented over 1,200 IPs from Amazon and nearly 200 from Microsoft. Most of these have already been taken down, but new IPs are continually acquired. 

Silent Push observed that FUNNULL likely uses stolen or fraudulent accounts to secure these IPs, a process that remains largely invisible to outside observers. The connection between FUNNULL and money laundering services, retail phishing, and “pig butchering” scams, all hosted via this infrastructure laundering, emphasizes the real-world impact of this cybercrime tactic.

A supply chain attack earlier this year, where FUNNULL compromised the popular JavaScript library polyfillio, impacting over 110,000 websites, showcases the sophisticated methods employed by these criminal networks.

Further probing revealed a large cluster of malicious infrastructure, facilitating extensive cybercriminal activities, many orchestrated by Chinese Triad groups. This aligns with the UNODC’s 2024 Report on Transnational Organized Crime, which highlights “the convergence of cyber-enabled fraud, underground banking, and technological innovation in Southeast Asia,” researchers noted.

Moreover, the FUNNULL network of scam/money laundering websites is hosted on a combination of Western IP addresses owned by US companies and Asian hosting providers.

“FUNNULL CDN has been identified as hosting over 200,000 unique hostnames, of which approximately 95% are generated through Domain Generation Algorithms (DGAs),” Silent Push’s blog post revealed.

Infrastructure of the entire campaign (left) – b69885com hosted on Microsoft infrastructure (Via Silent Push)

Researchers noted that Bwin, an online gambling portal, is being abused by FUNNULL with dozens of “Bwin-impersonated sites” found on Microsoft infrastructure. A spokesperson from Bwin’s parent company Entain has confirmed that these are fake sites. However, around a dozen other major online gambling brands’ trademarks are also being abused across tens of thousands of shell gambling websites.

Silent Push investigation into fraudulent IP rentals and the ease with which organizations like FUNNULL can repeatedly rent new IPs despite being linked to known malicious activity raises concerns. Researchers suggest that providers must track the specific CNAME chains used by FUNNULL and actively monitor newly rented IPs being mapped to those CNAMEs to effectively combat this tactic

Amazon, in a public statement, acknowledged the issue and confirmed they were suspending fraudulently acquired accounts. They refuted claims of enabling or profiting from such activity, emphasizing their commitment to investigating and stopping abuse.

FUNNULL Unmasked: AWS, Azure Abused for Global Cybercrime Operations

No ransomware groups have yet to claim responsibility for either attack, and both institutions have yet to reveal what may have been stolen.

Source: NicoElNino via Alamy Stock Photo

Two healthcare institutions, Frederick Health and New York Blood Center Enterprises (NYBCe), are grappling with disruptions from separate ransomware attacks they faced this past week.

Frederick Health posted an update to its website on Jan. 27 noting that it "recently identified a ransomware event" and is working to contain it with third-party cybersecurity experts to get its systems back online.

Though most of its facilities remain open and are still providing patient care, Frederick Health reported that its Village Laboratory is closed and that patients may experience some operational delays.

New York Blood Center Enterprises, a nonprofit made up of a collection of independent blood centers, first identified suspicious activity affecting its IT systems on Jan. 26. On Jan. 29, it alerted the public that it took its systems offline in an effort to contain the threat, which was attributed to a ransomware attack. NYBCe is working to restore its systems; however, it remains unclear when it will be fully operational again. The organization expects processing times for blood donations at its centers and offsite blood drives may take longer than usual.

Neither institutions has released any information regarding who breached them or if any information was stolen; no ransomware groups have yet to take responsibility for the attacks.

**A Never-Ending List**

Ransomware attacks have become a harsh reality in healthcare. Unlike other industrial sectors that face similar threats, it's not just reputational damage or financial strain — in the medical field it's patients' lives at stake.

According to a 2024 Microsoft study, nearly 400 US healthcare organizations were infected with ransomware, with the average reported payment as high as $4.4 million. The downtime these facilities experience while getting back on their feet can cost up to $900,000. 

Healthcare institutions offer a plethora of information and data types, ranging from medical records to financial details, and a variety of personally identifiable information.

"Many healthcare organizations operate with limited cybersecurity funding and staffing, prioritizing patient care over IT security investments," Heath Renfrow, co-founder of Fenix24, tells Dark Reading. "The vast number of endpoints, third-party vendors, and interconnected systems create a broad attack surface, while the inability to routinely take systems offline for maintenance exacerbates vulnerabilities."

And when threat actors do decide to breach these healthcare organizations' networks, they steal this information, holding it for ransom while knowing that their efforts will pay off because these healthcare systems have everything to lose. For them, these malicious events only add to the intensity of the life-and-death situations they experience every day.

Ultimately, this is why the reported ransom payments are often so high, since healthcare institutions have a known track record for their willingness to pay bad actors whatever's necessary in order to get their patients the care they need.

**Strategizing Against Wayward Morals**

Combating the ransomware scourge has tested lots of organizations and security professionals. The ransomware groups have shown themselves adept at evolving their use of technology to circumvent new fixes; their business models are constantly evolving with affiliates, commissions, and even referral programs.

"Some ransomware groups claim to have ethical boundaries, stating they won't target hospitals, but history has shown that these promises are often empty, with critical care facilities still falling victim," Renfrow says. "On the other side, healthcare organizations have an ethical duty to protect patient data and ensure operational resilience. However, constrained budgets and competing priorities often force tough decisions between investing in cybersecurity and funding direct patient care."

But changes must be made to cybersecurity practices in the healthcare industry if patient care is going to prevail in the long run.

In May 2024, the Advanced Research Projects Agency for Health (ARPA-H), a funding agency created by the Biden administration, committed $50 million to help create software for making hospitals more cyber resilient.

The program, called Universal Patching and Remediation for Autonomous Defense (Upgrade), is focused on areas such as vulnerability management, auto-detection, defense, and more, and seeks to bring together hospital IT staff, equipment managers, and cybersecurity experts to uncover cybersecurity vulnerabilities.

And even the Department of Health and Human Services (HHS) saw the importance of bolstering healthcare cybersecurity programs after a United Healthcare subsidiary was targeted by the BlackCat ransomware group early last year, leading to disarray and outages in what was one of the worst breaches the healthcare sector has ever seen.

As for what healthcare institutions themselves can do, Renfrow says that "immutable backups with guaranteed return-to-operations (RTO) must be their top priority — not just assumed, but tested and proven" as this "ensures that when — not if — an attack happens, healthcare organizations can restore operations immediately, without disruption, without ransom."

"In today's world," he says, "true resilience is the only security guarantee."

Healthcare Sector Charts 2 More Ransomware Attacks

Martin discusses how defenders can use threat intelligence to equip themselves against AI-based threats. Plus check out his introductory course to threat intelligence.

Thursday, January 30, 2025 14:05

Welcome to this week’s edition of the Threat Source newsletter. 

You don’t need me to tell you that security is constantly changing and that more change is on its way. The enthusiastic adoption of new AI systems will inevitably lead to more demands on cybersecurity teams. Not only will these systems need protecting against the same threats which affect current systems, but also against new types of threats that target AI models. We can only expect that attacks designed to subvert AI models and get them to function in ways detrimental to their operators’ interests will become more effective and beneficial to attackers over time. 

The good news is that we can expect AI enabled security systems to help protect against attacks, detect incursions, and orchestrate the remediation of affected systems. However, we must not overlook the fact that people will remain involved and invested in the outcome. Within this AI powered future will be CISOs who will be held responsible for the security of systems. There will also be many analysts tasked with keeping systems operating correctly while trying to anticipate and protect against forthcoming malicious campaigns.

Although we may not be able to predict the nature of attacks in this distant future, we can predict some of the skills that will be necessary to beat these attacks. Threat intelligence skills will be vital to equip future cyber security professionals not only to understand the goals of the threat actors that they face but to situate their attacks within the context of these goals. Armed with this understanding, security teams will be able to make better decisions regarding the allocation and prioritization of resources to best defend against attacks. 

Developing threat intelligence skills within the cyber security professionals of tomorrow begins today. Training up people who are early in their careers and students yet to begin their careers is one of the best investments we can make to build resilience against future threats.

To help skill up future analysts, my colleagues and myself in collaboration with Cisco’s Networking Academy have developed an introductory course to threat intelligence. This course is free for all, only registration is required, and is intended to give an overview of the domain for someone without prior knowledge which can be used as a starting point for further study or employment.

For those looking to develop a threat intelligence program as part of their cyber security strategy, we are hosting a technical seminar at Cisco Live EMEA on Sunday February 9th. The session, “Establishing a Threat Intelligence Program, Why its Necessary, What to Expect and How to Go about it \[TECSEC-2003\]”, will present how managers can set-up a threat intelligence team as part of their arsenal against the bad guys and what can reasonably be expected.

**The one big thing**

One pointer to the nature of future threats against AI systems is a technique used in spam that Talos recently blogged about. Hiding the nature of the content displayed to the recipient from anti-spam systems is not a new technique. Spammers have included hidden text or used formatting rules to camouflage their actual message from anti-spam analysis for decades. However, we have seen increase in the use of such techniques during the second half of 2024.

**Why do I care?**

Parsers which are required for computers to understand text content, view the world very differently from humans. The human eye ignores text in miniscule font or can’t detect black letters on a black background, but this is not necessarily the case for parsers. Where the human eye sees readily readable text, the parser can see the gibberish that spammers have included to confuse them. Potentially the opposite is also true with humans seeing gibberish, but language parsing software seeing readable text.

Being able to disguise and hide content from machine analysis or from human oversight is likely to become a more important vector of attack against AI systems as they become a larger part of our lives. 

**So now what?**

Fortunately, the techniques to detect this kind of obfuscation are well known and already integrated into spam detection systems such as Cisco Email Threat Defense. Conversely, the presence of attempts to obfuscate content in this manner makes it obvious that a message is malicious and can be classed as spam.

**Top security headlines of the week**

Another incident of an undersea telecommunications cable being cut in the Baltic was encountered. (CNN). Organisations need to plan for the effects of a major telecommunications outage or internet bandwidth restriction affecting their business.

Three members of Russia’s GRU have been placed under sanctions for their suspected role in conducting cyber attacks against Estonia in 2020 (SecurityAffairs). Threat actors might try to hide their identities but eventually they will be discovered and held to account for their actions.

A botnet consisting of infected IoT devices is behind the largest ever DDoS attack (Help Net Security). Small network connected devices can easily be overlooked as part of a cyber security strategy, but they can be compromised by threat actors and used for nefarious purposes.

**Can't get enough Talos?**

Today we released the new Cisco Talos Quarterly Trends Report - covering incidents from October to December 2024. The big call out? Threat actors are increasingly deployed web shells against vulnerable web applications. They primarily exploited vulnerable or unpatched public-facing applications to gain initial access, a notable shift from previous quarters.

Watch Hazel, Joe and Craig break down the report - they discuss hunting down web shells, the Interlock ransomware, and the increasing use of remote access tools within ransomware attacks.

**Upcoming events where you can find Talos**

Talos team members: Martin LEE, Thorsten ROSENDAHL, Yuri KRAMARZ, Giannis TZIAKOURIS, and Vanja SVAJCER will be speaking at Cisco Live EMEA. Amsterdam, Netherlands, 9-14 February.  (Cisco Live EMEA)

**Most prevalent malware files of the week**

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**VirusTotal:**https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**Typical Filename:** VID001.exe  
**Detection Name:** Simple\_Custom\_DetectionClaimed Product: 

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**MD5:** 71fea034b422e4a17ebb06022532fdde  
**VirusTotal:** https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Coinminer:MBT.26mw.in14.Talos

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

Defeating Future Threats Starts Today

### Impact
A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. 

The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.

### Patches
A patch for this vulnerability is available in the following Argo CD versions:
- v2.13.4
- v2.12.10
- v2.11.13

### Workarounds
There is no workaround other than upgrading.

### References
Fixed with commit https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 & https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca


Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-274v-mgcv-cm8j

**Argo CD GitOps Engine does not scrub secret values from patch errors**

**Package**

gomod github.com/argoproj/gitops-engine (Go)

**Affected versions**

<= 0.7.3

**Description**

**Impact**

A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository.

The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.

**Patches**

A patch for this vulnerability is available in the following Argo CD versions:

*   v2.13.4
*   v2.12.10
*   v2.11.13

**Workarounds**

There is no workaround other than upgrading.

**References**

Fixed with commit argoproj/argo-cd@6f5537b & argoproj/gitops-engine@7e21b91

**References**

*   GHSA-47g2-qmh2-749v
*   GHSA-274v-mgcv-cm8j
*   argoproj/argo-cd@6f5537b
*   argoproj/gitops-engine@7e21b91

Published to the GitHub Advisory Database

Jan 30, 2025

**EPSS score**

GHSA-274v-mgcv-cm8j: Argo CD GitOps Engine does not scrub secret values from patch errors

In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly are funneling their operations through major U.S. cloud providers. Research published this week on one such outfit -- a sprawling network tied to Chinese organized crime gangs and aptly named "Funnull" -- highlights a persistent whac-a-mole problem facing cloud services.

Image: Shutterstock, ArtHead.

In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly are funneling their operations through major U.S. cloud providers. Research published this week on one such outfit — a sprawling network tied to Chinese organized crime gangs and aptly named “**Funnull**” — highlights a persistent whac-a-mole problem facing cloud services.

In October 2024, the security firm **Silent Push** published a lengthy analysis of how **Amazon AWS** and **Microsoft Azure** were providing services to Funnull, a two-year-old Chinese content delivery network that hosts a wide variety of fake trading apps, pig butchering scams, gambling websites, and retail phishing pages.

Funnull made headlines last summer after it acquired the domain name **polyfill\[.\]io**, previously the home of a widely-used open source code library that allowed older browsers to handle advanced functions that weren’t natively supported. There were still tens of thousands of legitimate domains linking to the Polyfill domain at the time of its acquisition, and Funnull soon after conducted a supply-chain attack that redirected visitors to malicious sites.

Silent Push’s October 2024 report found a vast number of domains hosted via Funnull promoting gambling sites that bear the logo of the **Suncity Group**, a Chinese entity named in a 2024 UN report (PDF) for laundering millions of dollars for the North Korean Lazarus Group.

In 2023, Suncity’s CEO was sentenced to 18 years in prison on charges of fraud, illegal gambling, and “triad offenses,” i.e. working with Chinese transnational organized crime syndicates. Suncity is alleged to have built an underground banking system that laundered billions of dollars for criminals.

It is likely the gambling sites coming through Funnull are abusing top casino brands as part of their money laundering schemes. In reporting on Silent Push’s October report, _TechCrunch_ obtained a comment from Bwin, one of the casinos being advertised en masse through Funnull, and Bwin said those websites did not belong to them.

Gambling is illegal in China except in Macau, a special administrative region of China. Silent Push researchers say Funnull may be helping online gamblers in China evade the Communist party’s “Great Firewall,” which blocks access to gambling destinations.

Silent Push’s **Zach Edwards** said that upon revisiting Funnull’s infrastructure again this month, they found dozens of the same Amazon and Microsoft cloud Internet addresses still forwarding Funnull traffic through a dizzying chain of auto-generated domain names before redirecting malicious or phishous websites.

Edwards said Funnull is a textbook example of an increasing trend Silent Push calls “infrastructure laundering,” wherein crooks selling cybercrime services will relay some or all of their malicious traffic through U.S. cloud providers.

“It’s crucial for global hosting companies based in the West to wake up to the fact that extremely low quality and suspicious web hosts based out of China are deliberately renting IP space from multiple companies and then mapping those IPs to their criminal client websites,” Edwards told KrebsOnSecurity. “We need these major hosts to create internal policies so that if they are renting IP space to one entity, who further rents it to host numerous criminal websites, all of those IPs should be reclaimed and the CDN who purchased them should be banned from future IP rentals or purchases.”

A Suncity gambling site promoted via Funnull. The sites feature a prompt for a Tether/USDT deposit program.

Reached for comment, Amazon referred this reporter to a statement Silent Push included in a report released today. Amazon said AWS was already aware of the Funnull addresses tracked by Silent Push, and that it had suspended all known accounts linked to the activity.

Amazon said that contrary to implications in the Silent Push report, it has every reason to aggressively police its network against this activity, noting the accounts tied to Funnull used “fraudulent methods to temporarily acquire infrastructure, for which it never pays. Thus, AWS incurs damages as a result of the abusive activity.”

“When AWS’s automated or manual systems detect potential abuse, or when we receive reports of potential abuse, we act quickly to investigate and take action to stop any prohibited activity,” Amazon’s statement continues. “In the event anyone suspects that AWS resources are being used for abusive activity, we encourage them to report it to AWS Trust & Safety using the report abuse form. In this case, the authors of the report never notified AWS of the findings of their research via our easy-to-find security and abuse reporting channels. Instead, AWS first learned of their research from a journalist to whom the researchers had provided a draft.”

Microsoft likewise said it takes such abuse seriously, and encouraged others to report suspicious activity found on its network.

“We are committed to protecting our customers against this kind of activity and actively enforce acceptable use policies when violations are detected,” Microsoft said in a written statement. “We encourage reporting suspicious activity to Microsoft so we can investigate and take appropriate actions.”

**Richard Hummel** is threat intelligence lead at **NETSCOUT**. Hummel said it used to be that “noisy” and frequently disruptive malicious traffic — such as automated application layer attacks, and “brute force” efforts to crack passwords or find vulnerabilities in websites — came mostly from botnets, or large collections of hacked devices.

But he said the vast majority of the infrastructure used to funnel this type of traffic is now proxied through major cloud providers, which can make it difficult for organizations to block at the network level.

“From a defenders point of view, you can’t wholesale block cloud providers, because a single IP can host thousands or tens of thousands of domains,” Hummel said.

In May 2024, KrebsOnSecurity published a deep dive on Stark Industries Solutions, an ISP that materialized at the start of Russia’s invasion of Ukraine and has been used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia. Experts said much of the malicious traffic  traversing Stark’s network (e.g. vulnerability scanning and password brute force attacks) was being bounced through U.S.-based cloud providers.

Stark’s network has been a favorite of the Russian hacktivist group called **NoName057(16)**, which frequently launches huge distributed denial-of-service (DDoS) attacks against a variety of targets seen as opposed to Moscow. Hummel said NoName’s history suggests they are adept at cycling through new cloud provider accounts, making anti-abuse efforts into a game of whac-a-mole.

“It almost doesn’t matter if the cloud provider is on point and takes it down because the bad guys will just spin up a new one,” he said. “Even if they’re only able to use it for an hour, they’ve already done their damage. It’s a really difficult problem.”

Edwards said Amazon declined to specify whether the banned Funnull users were operating using compromised accounts or stolen payment card data, or something else.

“I’m surprised they wanted to lean into ‘We’ve caught this 1,200+ times and have taken these down!’ and yet didn’t connect that each of those IPs was mapped to \[the same\] Chinese CDN,” he said. “We’re just thankful Amazon confirmed that account mules are being used for this and it isn’t some front-door relationship. We haven’t heard the same thing from Microsoft but it’s very likely that the same thing is happening.”

Funnull wasn’t always a bulletproof hosting network for scam sites. Prior to 2022, the network was known as **Anjie CDN**, based in the Philippines. One of Anjie’s properties was a website called **funnull\[.\]app**. Loading that domain reveals a pop-up message by the original Anjie CDN owner, who said their operations had been seized by an entity known as **Fangneng CDN** and **ACB Group**, the parent company of Funnull.

A machine-translated message from the former owner of Anjie CDN, a Chinese content delivery network that is now Funnull.

“After I got into trouble, the company was managed by my family,” the message explains. “Because my family was isolated and helpless, they were persuaded by villains to sell the company. Recently, many companies have contacted my family and threatened them, believing that Fangneng CDN used penetration and mirroring technology through customer domain names to steal member information and financial transactions, and stole customer programs by renting and selling servers. This matter has nothing to do with me and my family. Please contact Fangneng CDN to resolve it.”

In January 2024, the **U.S. Department of Commerce** issued a proposed rule that would require cloud providers to create a “Customer Identification Program” that includes procedures to collect data sufficient to determine whether each potential customer is a foreign or U.S. person.

According to the law firm **Crowell & Moring LLP**, the Commerce rule also would require “infrastructure as a service” (IaaS) providers to report knowledge of any transactions with foreign persons that might allow the foreign entity to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.

“The proposed rulemaking has garnered global attention, as its cross-border data collection requirements are unprecedented in the cloud computing space,” Crowell wrote. “To the extent the U.S. alone imposes these requirements, there is concern that U.S. IaaS providers could face a competitive disadvantage, as U.S. allies have not yet announced similar foreign customer identification requirements.”

It remains unclear if the new White House administration will push forward with the requirements. The Commerce action was mandated as part of an executive order President Trump issued a day before leaving office in January 2021.

Infrastructure Laundering: Blending in with the Cloud

Just days after we uncovered a campaign targeting Google Ads accounts, a similar attack has surfaced, this time aimed at Microsoft...

Just days after we uncovered a campaign targeting Google Ads accounts, a similar attack has surfaced, this time aimed at Microsoft advertisers. These malicious ads, appearing on Google Search, are designed to steal the login information of users trying to access Microsoft’s advertising platform.

Microsoft does purchase ad space on its rival’s dominant search engine; however, we found Google sponsored results for “Microsoft Ads” (formerly known as Bing Ads) that contained malicious links created by impostors.

Through shared artifacts, we were able to identify additional phishing infrastructure targeting Microsoft accounts going back to a couple of years at least. We have reported these incidents to Google.

**Fake Microsoft Ads caught on Google Search**

Microsoft made an estimated $12.2 billion in search and news advertising revenues (including Bing) in 2023, which pales in comparison to its rival, Google, holding a much larger share of the search engine market.

Since the advertising ecosystem allows for an open competition between brands, Microsoft is trying to get traffic and earn clicks from Google searches. During our investigation, we saw sponsored results for Microsoft Ads and Bing Ads that managed to slip through Google’s security checks:

Figure 1: A Google search for ‘microsoft ads’

**Redirection, cloaking and Cloudflare**

The threat actors are using different techniques to evade detection and drop traffic from bots, security scanners and crawlers. Unwanted IP addresses (_e.g._ VPNs) are immediately redirected to a bogus marketing website (_Figure 2_). This is also known as a “white page”, meaning it looks innocent and hides its maliciousness.

Figure 2: Cloaking page

Users that appear to be genuine are presented with a Cloudflare challenge to verify they are human. This is a legitimate instance of Cloudflare, unlike the “ClickFix” type-of-attacks that have become very common place and trick people into pasting and executing malicious code.

Figure 3: Cloudflare verification

**Rickroll for the cheaters**

After a successful Cloudflare check, users are redirected to the final phishing page via a special URL, that acts as some sort of entry point for the malicious domain _ads\[.\]mcrosoftt\[.\]com_. You can see the network requests related to this redirection chain in _Figure 4_ below.

Figure 4: Network traffic for full redirection

If you were to visit that domain directly instead of going through the proper ad click you’d be greeted with a rickroll, an internet meme designed to make fun of someone. The sandbox for the web urlscan.io has several examples of crawl requests for URLs on that server (_37.120.222\[.\]165_) that all went to the rickroll.

Figure 5: Rickroll redirect

**Phishing page**

After much subversion, real victims finally see the phishing page for the Microsoft Advertising platform. The full URL in the address bar is meant to imitate the legitimate one (_ads.microsoft.com_).

Figure 6: Microsoft Advertising phishing page

The phishing page gives user a fake error message enticing them to reset their password and seemingly tries to get past 2-Step verification as well. Handling 2FA has become a standard feature in most phishing kits, due to the rise in user adoption of this additional security layer.

Figure 7: Phishing steps

**Larger campaign**

Going back to _urlscanio_, we fed it the special entry URL and it was able to navigate to the phishing page. From there, we can look at the various web requests and find something to pivot on in order to identify additional infrastructure.

The _favicon.ico_ file is one starting point and we can query for any scans that match its hash, excluding the official Microsoft domain. The results show that in the past week, there were several other domains that appear to be related to the theft of Microsoft Ads accounts.

But this campaign appears to go back further at least a couple of years and maybe more, although it becomes somewhat tricky to know if the malicious infrastructure is tied to the same threat actors. It’s worth noting that several of the domains are either hosted in Brazil or have the ‘_.com.br_‘ Brazilian top-level domain.

What we discovered may only be the tip of the iceberg; by starting to investigate compromised advertiser accounts we may very well have opened Pandora’s box. This isn’t only Google or Microsoft ad accounts we are talking about, but potentially for Facebook, and many others. Of course, our scope so far has been Google Search, but we know that other platforms are rife with such phishing attacks.

These recent malvertising campaigns highlight the ongoing threat of phishing through online advertising. While tech companies like Google work to combat these issues, users must remain vigilant. Here are some key steps you can take to protect yourself:

*   **Verify URLs:** Always carefully examine the URL in your browser’s address bar before entering any credentials. Scrutinize URLs for inconsistencies or misspellings.
*   **Use 2-Step verification wisely:** it adds an extra layer of security to your accounts, but you still need to pay attention to requests before granting them access.
*   **Regularly monitor your accounts:** Check your advertising accounts for any suspicious activity such as changes in administrator accounts.
*   **Report Ads:** If you encounter a suspicious ad, report it to for the benefit of other users.

**We don’t just report on threats—we block them**

_Malwarebytes Browser Guard offers traditional ad-blocking augmented with advanced heuristic detection. Download it today._

**Indicators of Compromise**

The following IOCs are comprised of domains that shared attributes with our initial phishing page, including the favicon and images. Some of them go back further but are provided for threat hunters who may wish to further investigate these campaigns.

30yp\[.\]com  
aboutadvertselive\[.\]com  
aboutblngmicro\[.\]cloud  
account-microsoft\[.\]online  
account-microsoft\[.\]site  
account-mircrosoft-ads\[.\]com  
account\[.\]colndcx-app\[.\]com  
accounts-ads\[.\]site  
accounts-mircrosoft-ads\[.\]online  
acount-exchang\[.\]store  
admicrosoft\[.\]com  
admicrsdft\[.\]com  
ads-adversitingb\[.\]com  
ads-dsas\[.\]site  
ads-microsoft\[.\]click  
ads-microsoft\[.\]coachb-learning\[.\]com  
ads-microsoft\[.\]live  
ads-microsoft\[.\]lubrine\[.\]com\[.\]br  
ads-microsoft\[.\]online  
ads-microsoft\[.\]shop  
ads-microsoftz\[.\]online  
ads-miicrosoft\[.\]com  
ads-mlcrosft\[.\]com  
ads-mlcrosoft-com\[.\]blokchaln\[.\]com  
ads\[.\]microsoft\[.\]com\[.\]euroinvest\[.\]ge  
ads\[.\]mlcr0soft\[.\]com  
ads\[.\]mlcrosoft\[.\]com\[.\]ciree\[.\]com\[.\]br  
ads\[.\]mlcrosoft\[.\]com\[.\]poezija\[.\]com\[.\]hr  
ads\[.\]rnlcrosoft\[.\]com\[.\]euroinvest\[.\]ge  
adslbing\[.\]com  
adsmicro\[.\]exchangefastex\[.\]cloud  
adsmicrosoft\[.\]shop  
adsverstoni\[.\]com  
advertiseliveonline\[.\]com  
advertising-bing\[.\]site  
advertising-mlcrosoft\[.\]org  
adverts2023\[.\]online  
advertsingsinginbing\[.\]com  
agency-wasabi\[.\]com  
app\[.\]beefylswap\[.\]top  
bîlkub\[.\]com  
bing-ads\[.\]com  
bing\[.\]login-acount\[.\]me  
bitmax-us\[.\]com  
blngad\[.\]online  
blseaccount\[.\]cloud  
bltrue\[.\]colnhouse-fr\[.\]us  
côinlíst\[.\]online  
colneex-plalform\[.\]cloud  
connec-exchan\[.\]site  
digitechmedia\[.\]agency  
forteautomobile\[.\]com  
global-verifications\[.\]com  
global-verify\[.\]com  
homee-acount\[.\]com  
itlinks\[.\]com\[.\]cn  
krakeri-login\[.\]com  
login-adsmicrosoft\[.\]helpexellent\[.\]com  
login\[.\]adsadvertising\[.\]online  
login\[.\]microsofttclicks\[.\]live  
micrasofit\[.\]xyz  
microosft\[.\]accounts-ads\[.\]site  
microsoft-ads\[.\]website  
microsoftadss\[.\]com  
microsoftadversiting\[.\]cloud  
microsoftbingads\[.\]com  
microsofyt\[.\]adversing-publicidade\[.\]pro  
mictrest\[.\]mnws\[.\]ru  
mlcrosoft-bing-acces\[.\]click  
mlcrosoftadvertlsing\[.\]online  
mudinhox\[.\]site  
ndnet\[.\]shop  
phlyd\[.\]com  
portfoliokrakenus\[.\]com  
portfoliolkraken\[.\]com  
portfoliopro-us\[.\]com  
portfolioskranen\[.\]com  
portofolioprospots\[.\]com  
potfoliokeiolenen\[.\]com  
potfoliokelaken\[.\]com  
potfoliokelaneken\[.\]com  
potfoliokenaiken\[.\]com  
potfoliokenkren\[.\]com  
potfolioketonelen\[.\]com  
potfolioskaneken\[.\]com  
potfolioskenaken\[.\]com  
potfolioskraineken\[.\]com  
potfolioskranaken\[.\]com  
potfolioskraneken\[.\]com  
pro-digitalus\[.\]com  
prokrakenportfolio\[.\]com  
rnlcrosoft\[.\]smartlabor\[.\]it  
sig-in-mlcrosoft-advertisings\[.\]site  
uiiadvertise\[.\]online  
wvvw-microsoft\[.\]xyz  
www-bingads\[.\]com  
www-microsoftsads\[.\]com  
www-v\[.\]userads\[.\]digital  
www34\[.\]con-webs\[.\]com  
www55\[.\]con-webs\[.\]com

 Microsoft advertisers phished via malicious Google ads 

DevDojo Voyager through version 1.8.0 is vulnerable to reflected XSS via /admin/compass. By manipulating an authenticated user to click on a link, arbitrary Javascript can be executed.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-mm49-4f2g-c3wf: DevDojo Voyager vulnerable to reflected Cross-site Scripting

DevDojo Voyager through 1.8.0 is vulnerable to path traversal at the /admin/compass.

GHSA-j63m-2vr6-fv7m: DevDojo Voyager vulnerable to path traversal

The rate of evolution has been glacial, but tools now understand cloud environments and can target Web applications.

Alex Haynes, Chief Information Security Officer, IBS Software

January 30, 2025

4 Min Read

Source: Rancz Andrei via Alamy Stock Photo

COMMENTARY

When automated pen-testing tools appeared a few years ago they prompted an interesting question: How close are they to replacing human pen testers? While the short answer was "not that close — yet," they definitely had potential and were worth keeping an eye on.

As I've just had the chance to review the latest iteration of these tools, it's interesting to see how they've evolved and how close are they now are to replacing the human pen tester for offensive security work.

When I test an automated pen tester, I compare it with a human one, in terms of speed, capability, and capacity, as well as output (i.e., the resulting report). The big problems earlier automated pen testers suffered from included:

*   Difficulty exploiting or seeing certain things that are obvious to human pen testers, including taking advantage of vulnerabilities that have publicly released exploits
    
*   Did not understand Web applications, at all 
    
*   Could only be used from "inside" the network; they couldn't pen test from the outside (mainly due to the aforementioned ignorance of Web applications)
    

**How Have Automated Pen Testers Changed Since Then?**

New pen testers finally understand Web applications — hooray! They can attack them both from inside and outside the perimeter. This is a welcome development, but they still have teething issues. Due to a very mature market in Web application scanners they would need to be able to both detect vulnerabilities with a low false positive ratio and be able to exploit them to pivot to other assets.

Unfortunately, they don't do this well enough to be distinctive in their own right — they'll find vulnerabilities that are obvious enough, but on a vulnerable box weren't able to detect even blatant SQLi or validate potential XSS vulnerabilities to weed out false positives. There are flashes of brilliance, however. An internal Web endpoint had a file upload vulnerability that was previously undetected by any other tool (this wasn't even found by human pen testers), but overall, it's underwhelming. Today's offerings in Web application scanners will do much better than this.

The second big improvement is cloud environments. As most pen testers will tell you, navigating an on-premises Active Directory-based environment is markedly different from pivoting in a native Amazon Web Services (AWS) environment, as the assets and the exploits you will use are completely different. Privilege escalation now relies on leveraging poorly configured cloud assets to abuse an identity and access management (IAM) role or grab some AWS keys to go further. Naturally, you'll also find the traditional vulnerabilities that include unpatched machines and misconfigured ports and services. Here, again, automated pen-testing tools have evolved, and can navigate and understand these environments. This puts them on par with CNAPP-type offerings, since they aren't bound by the traditional VM- or IP-bound asset.

As the cloud is a relatively new sphere for these tools, they can struggle. Unless they are given an assumed role, they won't find much at all. What's worse, they will flag the fact that they've assumed an IAM role a vulnerability itself — this would be like giving pen testers local admin abilities so they can begin a pen test and them pointing out your security is bad because you've just given them local admin.

Automated pen testers also struggle to enumerate their own network when they are given access — machines that are obviously on the same virtual private cloud (VPC) or virtual LAN (VLAN) will be ignored or scanned haphazardly. This is better than some automated pen testing tools that still don't even work in cloud environments unless they can reach an Active Directory machine. 

**Automated Pen Testers' Advantages**

All of the other advantages you'd expect from these tools remain, however. They can run through an iteration of a pen test quickly — in a matter of hours if you wish (this is configurable). The reports they produce are top-notch and comparable to any report a human pen tester would produce. If you were to hand this to a qualified security assessor (QSA), they would have a hard time distinguishing the difference.

Naturally, due to their automated nature, you can propagate these on huge environments and repeat them on a daily basis if you wish. This is where automated pen testers leave humans in the dust — no company can repeat daily pen tests on large environments, even with significant budgets, nor would the human team be able to complete it in this time and write up a report with verifiable actions to make it meaningful enough. (Keep one thing in mind: These tools aren't cheap.)

Overall, it's good to see these tools evolve. The rate of change is glacial, but they now understand cloud environments and can target Web applications, though they are still temperamental, costly, and miss a few things. One could argue humans are the same. For now, however, humans maintain the advantage — but they aren't mutually exclusive. Just like crowdsourced security and traditional pen testing, automated pen testing is now another tool that can be layered onto your offensive security testing, where it can help you find the exploits that matter to your organization.

**About the Author**

Chief Information Security Officer, IBS Software

Alex Haynes is a former pen tester with a background in offensive security and is credited for discovering vulnerabilities in products by Microsoft, Adobe, Pinterest, Amazon Web Services and IBM. He is a former top 10 ranked researcher on Bugcrowd and a member of the Synack Red Team. He is currently CISO at IBS Software. Alex has contributed to United States Cyber Security Magazine, Cyber Defense Magazine, Infosecurity Magazine, and IAPP tech blog. He also has spoken at security conferences including OWASP and ISC Security Summits.

Automated Pen Testing Is Improving — Slowly

Palo Alto, USA, 30th January 2025, CyberNewsWire

**Palo Alto, USA, January 30th, 2025, CyberNewsWire**

SquareX discloses a new attack technique that shows how malicious extensions can be used to completely hijack the browser, and eventually, the whole device.

**PALO ALTO, Calif., Jan. 30, 2025** — Browser extensions have been under the spotlight in enterprise security news recently due to the wave of OAuth attacks on Chrome extension developers and data exfiltration attacks. However, until now, due to the limitations browser vendors place on the extension subsystem and extensions, it was thought to be impossible for extensions to gain full control of the browser, much less the device.

SquareX researchers Dakshitaa Babu, Arpit Gupta, Sunkugari Tejeswara Reddy and Pankaj Sharma debunked this belief by demonstrating how attackers can use malicious extensions to escalate privileges to conduct a full browser and device takeover, all with minimal user interaction. Critically, the malicious extension only requires read/write capabilities present in the majority of browser extensions on the Chrome Store, including common productivity tools like Grammarly, Calendly and Loom, desensitizing users from granting these permissions. This revelation suggests that virtually any browser extension could potentially serve as an attack vector if created or taken over by an attacker. To the best of our understanding, extensions submitted to the Chrome Store requesting these capabilities are not put through additional security scrutiny at the time of this writing.

The browser syncjacking attack can be broken up into three parts: how the extension silently adds a profile managed by the attacker, hijacks the browser and eventually gains full control of the device.

**Profile Hijacking**

The attack begins with an employee installing any browser extension – this could involve publishing one that masquerades as an AI tool or taking over existing popular extensions that may have up to millions of installations in aggregate. The extension then “silently” authenticates the victim into a Chrome profile managed by the attacker’s Google Workspace. This is all done in an automated manner in a background window, making the whole process almost imperceptible to the victim. Once this authentication occurs, the attacker has full control over the newly managed profile in the victim’s browser, allowing them to push automated policies such as disabling safe browsing and other security features.

Using a very clever social engineering attack that exploits trusted domains, the adversary can then further escalate the profile hijacking attack to steal passwords from the victim’s browser. For example, the malicious extension can open and modify Google’s official support page on how to sync user accounts to prompt the victim to perform the sync with just a few clicks. Once the profile is synced, attackers have full access to all credentials and browsing history stored locally. As this attack only leverages legitimate sites and has no visible sign that it has been modified by the extension, it will not trigger any alarm bells in any security solutions monitoring the network traffic.

**Browser Takeover**

To achieve a full browser takeover, the attacker essentially needs to convert the victim’s Chrome browser into a managed browser. The same extension monitors and intercepts a legitimate download, such as a Zoom update, and replaces it with the attacker’s executable, which contains an enrollment token and registry entry to turn the victim’s Chrome browser into a managed browser. Thinking that they downloaded a Zoom updater, the victim executes the file, which ends up installing a registry entry that instructs the browser to become managed by the attacker’s Google Workspace. This allows the attacker to gain full control over the victim’s browser to disable security features, install additional malicious extensions, exfiltrate data and even silently redirect users to phishing sites. This attack is extremely potent as there is no visual difference between a managed and unmanaged browser. For a regular user, there is no telltale sign that a privilege escalation has occurred unless the victim is highly security aware and goes out of their way to regularly inspect their browser settings and look for associations with an unfamiliar Google Workspace account.

**Device Hijacking**

With the same downloaded file above, the attacker can additionally insert registry entries required for the malicious extension to message native apps. This allows the extension to directly interact with local apps without further authentication. Once the connection is established, attackers can use the extension in conjunction with the local shell and other available native applications to secretly turn on the device camera, capture audio, record screens and install malicious software – essentially providing full access to all applications and confidential data on the device.

The browser syncjacking attack exposes a fundamental flaw in the way remote-managed profiles and browsers are managed. Today, anyone can create a managed workspace account tied to a new domain and a browser extension without any form of identity verification, making it impossible to attribute these attacks. Unfortunately, most enterprises currently have zero visibility into the browser – most do not have managed browsers or profiles, nor any visibility to the extensions employees are installing often based on trending tools and social media recommendations.

What makes this attack particularly dangerous is that it operates with minimal permissions and nearly no user interaction, requiring only a subtle social engineering step using trusted websites – making it almost impossible for employees to detect. While recent incidents like the Cyberhaven breach have already compromised hundreds, if not thousands of organizations, those attacks required relatively complex social engineering to operate. The devastatingly subtle nature of this attack – with an extremely low threshold of user interaction – not only makes this attack extremely potent, but also sheds light on the terrifying possibility that adversaries are already using this technique to compromise enterprises today.

Unless an organization chooses to completely block browser extensions via managed browsers, the browser syncjacking attack will completely bypass existing blacklists and permissions-based policies. SquareX’s founder Vivek Ramachandran says “This research exposes a critical blind spot in enterprise security. Traditional security tools simply can’t see or stop these sophisticated browser-based attacks. What makes this discovery particularly alarming is how it weaponizes seemingly innocent browser extensions into complete device takeover tools, all while flying under the radar of conventional security measures like EDRs and SASE/SSE Secure Web Gateways. A Browser Detection-Response solution isn’t just an option anymore – it’s a necessity. Without visibility and control at the browser level, organizations are essentially leaving their front door wide open to attackers. This attack technique demonstrates why security needs to ‘shift up’ to where the threats are actually happening: in the browser itself.”

SquareX has been conducting pioneering security research on browser extensions, including the DEF CON 32 talk Sneaky Extensions: The MV3 Escape Artists that revealed multiple MV3 compliant malicious extensions. This research team was also the first to discover and disclose the OAuth attack on Chrome extension developers one week before the Cyberhaven breach. SquareX was also responsible for the discovery of Last Mile Reassembly attacks, a new class of client-side attacks that exploits architectural flaws and completely bypasses all Secure Web Gateway solutions. Based on this research, SquareX’s industry-first Browser Detection and Response solution protects enterprises against advanced extension-based attacks including device hijacking attempts by conducting dynamic analysis on all browser extension activity at runtime, providing a risk score to all active extensions across the enterprise and further identifying any attacks that they may be vulnerable to.

For more information about the browser syncjacking attack, additional findings from this research are available at **sqrx.com/research**.

**About SquareX**

SquareX helps organizations detect, mitigate and threat-hunt client-side web attacks happening against their users in real time.

SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

Additionally, with SquareX, enterprises can provide contractors and remote workers with secure access to internal applications, enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

Tag

#web