The firewall specialist has patched the security flaw, which was responsible for a series of attacks reported earlier this month that compromised FortiOS and FortiProxy products exposed to the public Internet.

Source: Lutsenko via Oleksandr via Shutterstock

Fortinet has patched an actively exploited zero-day authentication bypass flaw affecting its FortiOS and FortiProxy products, which attackers have been exploiting to gain super-administrative access to devices to conduct nefarious activities, including breaching corporate networks.

Fortinet characterized the flaw, rated as critical and tracked as CVE-2024-55591 (CVSS 9.6), as an "authentication bypass using an alternate path or channel vulnerability" that "may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module," according to a FortiGuard Labs security advisory last week.

Fortinet observed threat actors performing various malicious operations by exploiting the flaw. These activities included: creating an admin account on the device with a random user name; creating a local user account on the device with a random user name; creating a user group or adding a local user to an existing SSL VPN user group; adding and/or changing other settings, including firewall policy and/or firewall address; and logging in to the SSL VPN to get a tunnel to the internal network.

Fortinet recommended that customers using affected products follow the recommended upgrade path on its website to mitigate the flaw. It also offered workaround options in its advisory.

Related:For $50, Cyberattackers Can Use GhostGPT to Write Malicious Code

**First Signs of Fortinet Zero-Day Exploitation**

The first signs that something was amiss came earlier this month, when researchers at Arctic Wolf revealed that a zero-day flaw was likely to blame for a series of recent attacks on FortiGate firewall devices with management interfaces exposed on the public Internet. Attackers were targeting the devices to create unauthorized administrative logins and make other configuration changes, create new accounts, and perform SSL VPN authentication.

Fortinet quietly informed its customer base of the issue before revealing the patch and extent of the situation late last week; this low-key revelation is how Arctic Wolf got wind of it, according to a blog post analyzing the flaw by watchTowr Labs published on Jan. 27. However, security researchers did not yet know exactly what the flaw was or what the exploitation entailed.

That's become clearer now. The flaw resided within the jsconsole functionality, which is a graphical user interface (GUI) feature to execute command line interface (CLI) commands inside FortiOS's management interface, according to watchTowr Labs. "Specifically, the weakness in this functionality allowed attackers to add a new administrative account," according to the post.

Related:Change Healthcare Breach Impact Doubles to 190M People

Jsconsole is a WebSocket-based Web console to the CLI of the affected Fortinet appliances. "This CLI is all-powerful, since it is effectively the same as the actual provided CLI that is used by legitimate administrators to configure the device," according to watchTowr Labs. Therefore, if an attacker gains access to the Web console, the appliance itself should be considered compromised.

The researchers took a deep dive into the vulnerability and found that it was actually a chain of issues combined into one critical vulnerability that allowed attackers to follow four key steps to achieve super administrative access.

Those steps are: creating a WebSocket connection from a pre-authenticated HTTP request; using a special parameter local\_access\_token to skip session checks; exploiting a race condition in the WebSocket Telnet CLI to send authentication before the server does; and picking the access profile that an attacker wishes to assume, which in the case of the researchers' proof-of-concept was to become a super administrator.

**Mitigation & Protection Against CVE-2024-55591**

Fortinet devices are a popular target for threat actors, with vulnerabilities found in the products often widely exploited to breach not only devices but also act as a point of entry to attack corporate networks.

Related:The Case for Proactive, Scalable Data Protection

Organizations using the devices affected by the flaw are advised to follow the appropriate update path or apply the workaround provided by Fortinet.

Fortinet also noted in its advisory that an attacker generally would need to know an admin account's username to perform the attack and log in to the CLE to exploit the flaw. "Therefore, having a non-standard and non-guessable username for admin accounts does offer some protection, and is, in general, a best practice," according to the advisory.

However, the company added, since the targeted WebSocket is not itself an authentication point, attackers still have the possibility of brute-forcing the username to exploit the flaw.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Actively Exploited Fortinet Zero-Day Gives Attackers Super-Admin Privileges

Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor targeting users, predominantly in Poland and Germany.

Tuesday, January 28, 2025 06:00

*   Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor since as early as July 2024 targeting users, predominantly in Poland and Germany, based on the phishing email language. 
*   The actor has delivered different payloads, including Agent Tesla, Snake Keylogger, and a new undocumented backdoor we are calling TorNet, dropped by PureCrypter malware.  
*   The actor is running a Windows scheduled task on victim machines—including on endpoints with a low battery—to achieve persistence.  
*   The actor also disconnects the victim machine from the network before dropping the payload and then connects it back to the network, allowing them to evade detection by cloud antimalware solutions.  
*   We also found that the actor connects the victim’s machine to the TOR network using the TorNet backdoor for stealthy command and control (C2) communications and detection evasion. 

**The campaign **

The intrusions start with a phishing email as the initial infection vector. The actor is impersonating financial institutions and manufacturing and logistics companies by sending fake money transfer confirmations and fake order receipts, respectively. The phishing emails are predominantly written in Polish and German, indicating actor’s intent to primarily target users in those countries. We also found some phishing email samples from the same campaign written in English. We assess with medium confidence that the actor is financially motivated, based on the phishing email themes and the filenames of the email attachments.  

The phishing email has attachments with the file extension “.tgz”, indicating that the actor has used GZIP to compress the TAR archive of the malicious attachment file to disguise the actual malicious content of the attachment and evade email detections. 

Sample phishing email in Polish. 

Sample phishing email in German. 

When a user opens the compressed email attachment and manually unzips it and runs a .NET loader executable, it eventually downloads encrypted PureCrypter malware from a compromised staging server. The Loader decrypts the PureCrypter malware and runs it in the system memory.  

In a few intrusions in this campaign, we found that the PureCrypter malware drops and runs the TorNet backdoor. The TorNet backdoor establishes connection to the C2 server and also connects the victim machine to the TOR network. It has the capabilities to receive and run arbitrary .NET assemblies in the victim machine’s memory, downloaded from the C2 server, increasing the attack surface for further intrusions. 

**.NET loader implants PureCrypter **

Talos found that the compressed attachment files contain a large .NET executable file. The actor has instrumented the .NET executable to either download the next-stage malicious executables from a remote staging server or to reflectively load an embedded malicious binary.  

Some of the loader samples we analyzed in this campaign download the AES-encrypted binary of the PureCrypter malware hosted on compromised websites in paths “/filescontentgalleries/pictorialcoversoffiles/” and “/post-postlogin/” using a hardcoded URL. The encrypted PureCrypter binaries were stored with the arbitrary filenames using different file extensions, including .pdf, .dat, .wav, .vdf, .mp3 and .mp4. The loader decrypts the PureCrypter binary and loads reflectively. 

Snippet of the loader program that downloads the encrypted PureCrypter malware.

Network traffic showing the encrypted PureCrypter malware downloaded from the hosting site. 

In a few other loader samples, we found that the encrypted PureCrypter sample was embedded in the loader, which is decrypted using the AES algorithm and reflectively loaded into the victim machine’s memory.  

Snippet of the loader with embedded PureCrypter binary. 

**PureCrypter drops the TorNet backdoor **

The PureCrypter malware found in this intrusion is a Windows dynamic-link library obfuscated with Eziriz’s .NET Reactor obfuscator. It has resources of encrypted binaries of legitimate DLLs, including Protobuf-net and Microsoft task scheduler DLL along with the TorNet backdoor.  

PureCrypter initially creates a mutex on the victim machine and executes the command to release the currently assigned DHCP IP address of the victim machine, establishes persistence, performs various anti-analysis and detections tasks, drops and runs the payload, and finally executes a command to renew the IP address of the victim machine.  

Cmd /c ipconfig /release 
Cmd /c ipconfig /renew 

The threat actor is likely using this technique to evade detections from the cloud-based anti-malware programs by disconnecting the victim machine from the network and connects back to the network after dropping and running the backdoor.  

The PureCrypter malware performs various anti-debugger, anti-analysis, anti-VM, and anti-malware checks on the victim machine as described below: 

*   It checks if the process is debugged using the function “CheckRemoteDebuggerPresent”. 
*   It checks for the Sandboxie and Cuckoo sandbox environments by enumerating processes to look for “sbieDLL.dll” and “cuckoomon.dll”. 
*   It checks if the DLL is running in the virtual environment by executing the WMI queries and searches for the strings “VMware”, “VIRTUAL”, “AMI”, and “Xen”.  

Select \* from Win32\_BIOS 
Select \* from Win32\_ComputerSystem 

*   It also checks if the process running is associated with “vmGuestLib.dll” to detect the VMWare environment. 
*   It checks if the victim machine username is “john” or “anna” or “xxxxxxxx”.  
*   It checks for the strings “amsi.dll” and “amsiscanbuffer” in the running processes modules of the victim machine.  
*   It checks if the Event Tracing for Windows (ETW) is configured for the victim machine by attempting to check if any processes point to the function “EtwEventWrite” of “ntdll.dll”.  
*   It modifies the Windows Defender settings by executing the PowerShell commands to add its process and the path of the dropped backdoor to the exclusion lists.

Add-MpPreference –ExclusionPath 
Add-MpPreference –ExclusionProcess 

After the evasion checks, PureCrypter decrypts the encrypted backdoor from its resource and drops it to the user profile application temporary folder with a random file name. It also decrypts another file resource using a custom string decryption algorithm, generating the arbitrary filename strings and the task name strings for the Windows Task scheduler.  

PureCrypter establishes the persistence in the Run registry key by adding the path of the loader. It also creates a Windows task using a task name gained by decrypting the strings from the resource file and executes the loader every two to four minutes with no execution time limit. The task can run if the machine switches to battery power and will not stop if it runs on a low battery power. The threat actor has instrumented this technique to possibly ensure an uninterrupted infection avoiding the victim machine operating system to deprioritize the process when a victim machine is running on low battery power mode.  

Code snippet of creating the Windows schedule task. 

PureCrypter drops a Visual Basic script in the Windows startup folder with the instructions to load and execute the dropped backdoor. 

Code Snippet showing the command to drop and execute a VB Script.

After establishing persistence, PureCrypter loads the dropped backdoor by accessing it through a URL scheme “file\[://\]<Path of the dropped backdoor>” and injects the backdoor into the .NET runtime executable process in the victim machine. The threat actor is using this technique to possibly masquerade the file access activity as a web request in the victim machine logs and to bypass detections for loading a file from suspicious file paths on the victim machine.  

Code snippet showing the process injection.

**Payload TorNet creates a backdoor on the victim machine **

Talos discovered a new .NET backdoor as the payload in the recent intrusions of this campaign, which we call TorNet. TorNet backdoor is also obfuscated with Eziriz’s .NET Reactor obfuscator and has hash values for the compilation time. This could be the artifact that was created when the samples were compiled in Visual Studio with the “/deterministic” parameter. When Visual Studio is configured to generate deterministic binaries, the compiled date/time field of the binaries will be replaced by a hash of the compilation options. Talos had previously seen, and reported this technique used by other threat actors to disguise the actual compilation time of the malware binaries.    

TorNet initially decodes a base64-encoded string to obtain the C2 domain, port number, and an alphanumeric string of 16 characters (5e7a81857a353068). It then performs the anti-debugging, anti-malware, anti-VM, and sandbox evasion checks similar to PureCrypter we discussed in the previous section.  

Code snippet showing the base64 string decoding to obtain the string, C2 domain, and port number. 

After the evasion checks, TorNet establishes a TCP socket connection to the C2 server by resolving the IP address of the C2 domain decoded from the base64-encoded string. The connection uses one of the port numbers 8194, 7890, or 8410. We observed that the C2 domains used by the backdoor were resolving to the IP address 104\[.\]168\[.\]7\[.\]37 during the period of our research. 

TorNet backdoor sample connecting to the C2 using the domain and port number.

After establishing the connection to the C2 server, TorNet sends the gained string “5e7a81857a353068” by decoding the base64-encoded strings to the C2 server, creating a hexadecimal byte stream of length 20 and writes it to a memory stream by compressing it using the GzipStream function.  

HEX stream: “3A 12 12 10 35 65 37 61 38 31 38 35 37 61 33 35 33 30 36 38” 

ASCII equivalent: “:<2-byte place holder>\\n5e7a81857a353068” 

TorNet then generates an MD5 hash value of the string “5e7a81857a353068” and uses it as a key to encrypt the compressed 20-byte hexadecimal data stream using the triple DES algorithm. Using the Bitconverter function, TorNet splits the encrypted byte stream and sends it to the C2 server by writing it to the TCP stream through the socket.  

Code snippet of TorNet showing the data exfiltration to the C2 server through sockets. 

The C2 server may send an arbitrary encrypted .NET assembly as a response to a TorNet’s request. TorNet will decrypt the arbitrary binary and reflectively run it. During our research, we were unable to receive a response from the C2, still analyzing the TorNet binary allowed us to assess that the received response will be an arbitrary .NET assembly code, enabling the attack surface for further attack.  

Code snippet for running the received arbitrary .NET assembly. 

TorNet also connects the victim machine to the TOR network. It downloads the TOR expert bundle from the TOR Project archive site, unpacks it and runs the “tor\[.\]exe” as a background process to connect to TOR.  

Code snippet shows the download and execution of tor\[.\]exe. 

Once TOR is running, TorNet connects to the TOR network using the TOR SocksPort (127\[.\]0\[.\]0\[.\]1:9050), and with the “socket.Poll” function, it routes all traffic from the backdoor process on the victim machine through the TOR network. The threat actor is leveraging the TOR network to anonymize the C2 communication and evade detection.  

Connections from TorNet on analysis machine to the TOR nodes.

****Coverage** **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64440, 64439, 64437, 64438 and 301115. 

ClamAV detections are also available for this threat: 

Win.Backdoor.TorNet-10041435-0    
Win.Downloader.TorNet-10041463-0    
Win.Malware.TorNet-10041565-0    
Win.Malware.TorNet-10041601-0    
Win.Trojan.TorNet-10041734-0 

**Indicators of Compromise  **

IOCs for this threat can be found in our GitHub repository here.

New TorNet backdoor seen in widespread campaign

Subaru STARLINK flaw exposed a critical security vulnerability, enabling unauthorized access to vehicle tracking, remote control, and sensitive…

Subaru STARLINK flaw exposed a critical security vulnerability, enabling unauthorized access to vehicle tracking, remote control, and sensitive customer data.

A vulnerability was recently discovered by cybersecurity researchers Shubham Shah and Sam Curry in Subaru’s STARLINK-connected vehicle system, enabling them to remotely start, stop, and track vehicles. The vulnerability in Subaru’s Starlink in-vehicle service, allowed attackers to remotely control and track connected vehicles. 

The vulnerability, an arbitrary account takeover flaw in the Starlink admin portal, enabled the duo to compromise a Subaru employee account. This flaw could let them target vehicles and customer accounts across the United States, Canada, and Japan.

Exploiting this flaw, Curry and Shah could gain unauthorized access to sensitive customer and vehicle data, and even remotely control targeted vehicles. According to a blog post published by researchers, the issue originated from a flaw in the Subaru STARLINK admin portal, a system intended for employee use.

This portal had a critical vulnerability that allowed attackers to reset employee passwords without requiring any confirmation. This meant that by simply knowing an employee’s email address, an attacker could gain access to their account.

> _“It appeared that there was a “resetPassword.json” endpoint that would reset employees’ accounts without a confirmation token. If this worked how it was written in the JavaScript, then an attacker could simply enter any valid employee email and take over their account.”_
> 
> Sam Curry

Researchers further bypassed two-factor authentication (2FA) by manipulating the website’s code, effectively disabling the security measure. With unauthorized access to the admin portal, the researchers demonstrated the ability to, start, stop, lock, and unlock any Subaru vehicle, and access a year’s worth of detailed location history for any vehicle, including stops and engine starts, providing precise locations with updates every time the engine started. 

Furthermore, they could retrieve the personal information of any customer, including contact details, addresses, billing information (partially masked), and vehicle PINs. They could also add themselves as authorized users to other vehicles, effectively taking control of them without the owner’s knowledge.

Researchers reported this vulnerability to Subaru on November 20, 2024, and the company in response promptly addressed the issue, patching it within 24 hours. The findings were publicly disclosed on January 23, 2025.

****Previous Hacks by the Duo****

Sam Curry and Shubham Shah are well-known for their creative and innovative methods of uncovering security vulnerabilities and responsibly disclosing them to companies.

One of their notable discoveries involved exploiting vulnerabilities in the globally used Points.com loyalty system. This flaw allowed unauthorized access to sensitive user data, including names, addresses, email addresses, phone numbers, and transaction details.

In December 2022, Sam Curry identified a critical app flaw that compromised Honda and Nissan vehicles through their VINs. Attackers could exploit this vulnerability to unlock doors, honk horns, and flashlights, and even start the vehicle remotely.

In September 2024, Sam Curry and three other security researchers found a way to control Kia vehicles by exploiting vulnerabilities linked to their license plates.

1.  **How Hackers Can Remotely Unlock/Start Honda Cars**
2.  **Cybercriminals Exploit CAN Injection Hack to Steal Cars**
3.  **Critical Intel chip flaw left cars and IoT devices vulnerable**
4.  **Self-driving cars can be fooled by displaying virtual objects**
5.  **Tesla cars can be remotely hacked using drone, WIFI dongle**

Subaru STARLINK Flaw Enabled Remote Tracking and Control of Vehicles

The popularity of the TF2 gaming and trading scene attracts scammers with phishing, fake trades, and malicious tools.…

The popularity of the TF2 gaming and trading scene attracts scammers with phishing, fake trades, and malicious tools. Stay safe with verified trades, Steam Guard, 2FA, and market price checks.

Team Fortress 2 (TF2) has appealed to millions of players worldwide. It features a dynamic society and an exclusive trading ecosystem. Regarding TF2, from collectable hats to rare weapons, the in-game economy often functions similarly to real markets, so fraudsters are drawn to it as the scamming locale.

TF2 is a community infested with hackers and scammers who use extremely advanced methods to steal valuable items and accounts. In fact, security experts have seen the emergence of counterfeit gaming accessories embedded with malware and phishing links as additional risks.

This article concisely explains TF2 item scams, their operation, and users’ insights into staying safe.

****Tips for Safe Buying and Trading in TF2****

As a buyer, implementing good security practices and being watchful is the key to evading such scams. You can use the actionable tips:

****1\. Always Verify The Trading System****

According to TF2 Trading, fake seller profiles are the biggest scam these days. That’s why, when buying items, the buyer should see the seller’s profile. You should mainly look for a high number of positive reviews, a stable trading history, and community members’ support. Be ready to spurn new profiles or those with fewer activities.

The buyer should see the seller’s profile. You should mainly look for a high number of positive reviews, a stable trading history, and community members’ support. Be ready to spurn new profiles or those with fewer activities.

****2\. Avoid Links from Unverified Sources****

If the permission to a trade attaches to a link, operate under the feel of dread. Let the URL be in line with the official Steam site or any other trustable site. Linking drives to phishing pages mostly.

****3\. Enable Steam Guard and Two-Factor Authentication (2FA)****

Turning on two-factor authentication will significantly enhance the security of your Steam account. Even if someone finds out your password, 2FA weakens their access by a lot.

****4\. Research Market Prices****

Those who do not know the price of an item are the ones usually cheated by scammers. Verify the market prices at the moment by using reliable platforms to prevent going over the top and being fooled by “deals” that are too good to be true.

****5\. Inspect Trade Offers Carefully****

Scammers may offer you a trade deal with a few underhanded methods. Always re-read the item descriptions, the prospects, and the values before you accept a trade. Spot for details like fancy names or absent items.

****The Anatomy of a TF2 Scam****

It is crucial to know how scams are executed to be able to prevent them. The following are the most frequent scams that TF2 players are exposed to:

****1\. Phishing Scams****

Even though phishing is still the number one strategy, it is also one of the methods that dominate worldwide. Scammers may send links that display from the links that spam the item. 

The terrible things that are causing mayhem in the trade are the fake Steam login pages the scammer sent players to, and on these malicious pages, the players’ credentials are stolen.

****2\. Fake Trades****

To be fair, almost everyone has been fooled, as sellers have also been faked innumerable times. The tricksters can access your account when you click on the link or type in your credentials on a fake web page.

**3\. Duplication Promises**

The “item duplication” scam has been around for years. Scammers claim they can duplicate rare items and ask buyers to send their valuable items first. Of course, the items are never returned.

****4\. Counterfeit Marketplaces****

Larcenous third-party marketplaces are professional in looking like genuine ones. These sites may offer unbeatable deals at the cost of user data or just take your money and run.

****5\. Malicious Tools and Software****

Our partner’s researchers noticed a profound surge in counterfeited tools and/or software, which falsely suggests a heightened gaming experience and increased performance in trades. Many of these have harmful software comprising personal and financial information.

****6\. Overpayment Scams****

On their heads, these are scams where the buyer says: “I am going to overpay for an item. Therefore, can I get a refund, or should I get something else as a bonus?” Then, they are gone getting you out of your money or they have just canceled the transaction.

****Advanced Strategies****

False reviews made by scammers are a widespread fraud method. Make sure that the reviews are from real users and match the profiles to ensure that they are not imitations.

Scammers very often mislead potential buyers with trade offers that sound too impressive to refuse. It is requested that trades are where the other party offers an additional amount of money that is not the value of the item.

Refrain from sharing your Steam account information, email, or payment details with other gamers. Fraudsters may manipulate you psychologically using social engineering techniques to further their cause.

****Broader Security Practices for Gamers****

It must be noted that the TF2 scams form only a tiny dot under a larger cyberattack direction of fraudsters toward gamers. With the constant increase in online gaming communities, there is an equally roaring nature of cyber risks that come with them. Here are general security tips for staying safe across all gaming platforms:

*   **Keep Your Software Updated:** Frequently, updates of your operating system, antivirus software, and Steam client can fix vulnerabilities that scammers and hackers exploit.
*   **Use Strong and Unique Passwords:** The golden rule is to avoid copying the same password across all accounts. Instead, consider using a password manager, which generates and saves complex, unique passwords for each platform.
*   **Install Anti-Malware Protection:** One way to prevent the device from being infected with the virus is to use reliable anti-malware software, which will block malicious downloads, phishing attempts, and spyware.
*   **Regularly Check Account Activity:** Check your Steam account for unauthorized logins or grim trade activity. Review the issues you find with Steam Support.
*   **Educate Yourself and Others:** Along with fellow players, share tips and resources to form a more informed and resilient group. Scam awareness and common sense are the most powerful defense tools.

****Signs of a Scam to Watch Out For****

*   Pushy salesmen that force you into making quick decisions.
*   Errors in grammar in the messages that are sent to you.
*   Transactions off Steam’s built-in mechanisms only.
*   Sellers are not committed to verifying their identity or reputation
*   They may falsely claim an item’s value is higher even though the only right price is listed on the most trustful marketplaces.

****What to Do If You’re Scammed****

*   Report the Scammer: Using Steam’s reporting tools, flag the scammer account that way.
*   Change Your Passwords: Make your Steam and email accounts safe by changing the passwords immediately.
*   Enable Account Recovery: Contact the Steam support center to restore control of compromised accounts.
*   Warn the Community: Share your experience to stop others from becoming victims of the same scam.

1.  **Secure Gaming During the Holidays**
2.  **Guntech 2.5 to Launch in Upland’s Gaming Ecosystem**
3.  **Exploring Data Privacy and Security in B2B Gaming Data**
4.  **The Rise of Blockchain Gaming and Secure Marketplaces**
5.  **Gaming Firms + Community Members Hit by Dark Frost Botnet**

In Gaming Item Scams and How to Avoid Them?

One of the largest data breaches in history was apparently twice as impactful as previously thought, with PII belonging to hundreds of millions of people sitting in the hands of cybercriminals.

Source: Pavel Kapish via Alamy Stock Photo

New evidence suggests that more than half of the US population was touched by the ransomware attack(s) against UnitedHealth subsidiary Change Healthcare.

One of the largest data breaches ever recorded struck Change Healthcare last year. Change's technology services reach hundreds of vendors and laboratories, thousands of hospitals, tens of thousands of pharmacies, and hundreds of thousands of physicians and dentists, including "nearly all government and commercial payers," according to company documentation. These services necessarily sweep up loads of patients' personally identifying information (PII), which ended up in the hands of multiple ransomware actors.

Later last year, it was reported that the incident affected around 100 million Americans. Now, UnitedHealth has updated that number to approximately 190 million. A company spokesperson confirmed this in an emailed statement to Dark Reading, adding, "the vast majority of those people have already been provided individual or substitute notice."

**Change's Changing Cyberattack Story**

Last February, in concert, pharmacies around the US experienced significant delays to prescription orders. Behind it all was Change Healthcare, which processes billions of transactions every year, representing trillions of dollars worth of medical claims.

Related:Actively Exploited Fortinet Zero-Day Gives Attackers Super-Admin Privileges

The company first stated that it had suffered a nation-state cyber intrusion. In fact, it was a regular old ransomware attack (for which it would later pay a whopping $22 million ransom). And this wasn't the only crucial detail it got wrong.

In June, Change Healthcare finally sent out notices of data compromise, revealing that affected customers totaled around 100 million. On Friday, however, UnitedHealth Group publicly adjusted that figure to include 90 million more.

In its updated online notice of data breach, the company admitted that hackers may have obtained a variety of personally identifying information (PII) about patients and guarantors, including their first and last names, dates of birth, phone numbers, home addresses, and email addresses. Social security numbers, it noted, were only lost in "rare instances," and in an email to Dark Reading, a spokesperson claimed that Change Healthcare "has not seen electronic medical record databases appear in the data during the analysis."

The spokesperson also emphasized that "Change Healthcare is not aware of any misuse of individuals' information as a result of this incident."

However, Paul Bischoff, consumer privacy advocate at Comparitech, warns that "every press release I ever see about a data release says 'there's no evidence that your information has been abused or misused in any way.' But, obviously, they're not really looking for that for those instances of abuse, and they would never know if it actually happened. And the people that it happens to can't attribute the identity theft that they're suffering back to the data breach that caused it."

Related:For $50, Cyberattackers Can Use GhostGPT to Write Malicious Code

**When Data Breach Disclosures Go Wrong**

The Securities and Exchange Commission (SEC) data breach disclosure rules require that publicly traded companies disclose "material" cybersecurity incidents within four days of becoming alerted to them. The same rule applies to material updates to breach disclosures, such as when an attack is found to have affected nearly twice as many victims as once thought.

Despite these rules, companies have managed to take extensive time in investigating and addressing critical aspects of their breaches. For instance, it took Change Healthcare four months to notify customers of its incident, nine months to admit that 100 million people were affected, and nearly a year to update that figure to 190 million.

Bischoff hesitates, though, before suggesting that what's needed is even stricter regulation. "It's a complicated subject, because it gets to a point where you put such a burden on companies. Companies are also victims in these situations, so I don't want to penalize them for reporting things incorrectly," he says.

Related:The Case for Proactive, Scalable Data Protection

At the same time, he adds, "What we see a lot is that these companies take way too long to finish their investigations and notify victims. Sometimes it's up to a year or more before we're notified that people's data is out there on the Dark Web, being used for who knows what. And that's after they're most likely to get hit with identity fraud, and other sorts of fraud, because cybercriminals want that information when it's as fresh as possible. That's when it's most valuable. So I think we do need more strict standards about the timeliness of these notifications."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Change Healthcare Breach Impact Doubles to 190M People

Amid ongoing fears over TikTok, Chinese generative AI platform DeepSeek says it’s sending heaps of US user data straight to its home country, potentially setting the stage for greater scrutiny.

The United States’ recent regulatory action against the Chinese-owned social video platform TikTok prompted mass migration to another Chinese app, the social platform “Rednote.” Now, a generative artificial intelligence platform from the Chinese developer DeepSeek is exploding in popularity, posing a potential threat to US AI dominance and offering the latest evidence that moratoriums like the TikTok ban will not stop Americans from using Chinese-owned digital services.

DeepSeek, an AI research lab created by a prominent Chinese hedge fund, recently gained popularity after releasing its latest open source generative AI model that easily competes with top US platforms like those developed by OpenAI. However, to help avoid US sanctions on hardware and software, DeepSeek created some clever workarounds when building its models. On Monday, DeepSeek’s creators limited new sign-ups after claiming the app had been overrun with a “large-scale malicious attack.”

While DeepSeek has several AI models, some of which can be downloaded and run locally on your laptop, the majority of people will likely access the service through its iOS or Android apps or its web chat interface. Like with other generative AI models, you can ask it questions and get answers; it can search the web; or it can alternatively use a reasoning model to elaborate on answers.

DeepSeek, which does not appear to have established a communications department or press contact yet, did not return a request for comment from WIRED about its user data protections and the extent to which it prioritizes data privacy initiatives.

As people clamor to test out the AI platform, though, the demand brings into focus how the Chinese startup collects user data and sends it home. Users have already reported several examples of DeepSeek censoring content that is critical of China or its policies. The AI setup appears to collect a lot of information—including all your chat messages—and send it back to China. In many ways, it’s likely sending more data back to China than TikTok has in recent years, since the social media company moved to US cloud hosting to try to deflect US security concerns

“It shouldn’t take a panic over Chinese AI to remind people that most companies in the business set the terms for how they use your private data” says John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab. “And that when you use their services, you’re doing work for them, not the other way around.”

**What DeepSeek Collects About You**

To be clear, DeepSeek is sending your data to China. The English-language DeepSeek privacy policy, which lays out how the company handles user data, is unequivocal: “We store the information we collect in secure servers located in the People's Republic of China.”

In other words, all the conversations and questions you send to DeepSeek, along with the answers that it generates, are being sent to China or can be. DeepSeek’s privacy policies also outline the information it collects about you, which falls into three sweeping categories: information that you share with DeepSeek, information that it automatically collects, and information that it can get from other sources.

The first of these areas includes “user input,” a broad category likely to cover your chats with DeepSeek via its app or website. “We may collect your text or audio input, prompt, uploaded files, feedback, chat history, or other content that you provide to our model and Services,” the privacy policy states. Within DeepSeek’s settings, it is possible to delete your chat history. On mobile, go to the left-hand navigation bar, tap your account name at the bottom of the menu to open settings, and then click “Delete all chats.”

This collection is similar to that of other generative AI platforms that take in user prompts to answer questions. OpenAI’s ChatGPT, for example, has been criticized for its data collection although the company has increased the ways data can be deleted over time. Regardless of these types of protections, privacy advocates emphasize that you should not disclose any sensitive or personal information to AI chat bots.

“I would not input personal or private data in any such an AI assistant,” says Lukasz Olejnik, independent researcher and consultant, affiliated with King's College London Institute for AI. Olejnik notes, though, that if you install models like DeepSeek’s locally and run them on your computer, you can interact with them privately without your data going to the company that made them. Additionally, AI search company Perplexity says it has added DeepSeek to its platforms but claims it is hosting the model in US and EU data centers.

Other personal information that goes to DeepSeek includes data that you use to set up your account, including your email address, phone number, date of birth, username, and more. Likewise, if you get in touch with the company, you’ll be sharing information with it.

Bart Willemsen, a VP analyst focusing on international privacy at Gartner, says that, generally, the construction and operations of generative AI models is not transparent to consumers and other groups. People don’t know exactly how they work or the exact data they have been built upon. For individuals, DeepSeek is largely free, although it has costs for developers using its APIs. “So what do we pay with? What do we usually pay with: data, knowledge, content, information,” Willemsen says.

As with all digital platforms—from websites to apps—there can also be a large amount of data that is collected automatically and silently when you use the services. DeepSeek says it will collect information about what device you are using, your operating system, IP address, and information such as crash reports. It can also record your “keystroke patterns or rhythms,” a type of data more widely collected in software built for character-based languages. Additionally, if you purchase DeepSeek’s premium services, the platform will collect that information. It also uses cookies and other tracking technology to “measure and analyze how you use our services.”

A WIRED review of the DeepSeek website's underlying activity shows the company also appears to send data to Baidu Tongji, Chinese tech giant Baidu's popular web analytics tool, as well as Volces, a Chinese cloud infrastructure firm. In a social media post, Sean O'Brien, founder of Yale Law School's Privacy Lab, said that DeepSeek is also sending “basic” network data and “device profile” to TikTok owner ByteDance “and its intermediaries.

The final category of information DeepSeek reserves the right to collect is data from other sources. If you create a DeepSeek account using Google or Apple sign-on, for instance, it will receive some information from those companies. Advertisers also share information with DeepSeek, its policies say, and this can include “mobile identifiers for advertising, hashed email addresses and phone numbers, and cookie identifiers, which we use to help match you and your actions outside of the service.”

**How DeepSeek Uses Information**

Huge volumes of data may flow to China from DeepSeek’s international user base, but the company still has power over how it uses the information. DeepSeek’s privacy policy says the company will use data in many typical ways, including keeping its service running, enforcing its terms and conditions, and making improvements.

Crucially, though, the company’s privacy policy suggests that it may harness user prompts in developing new models. The company will “review, improve, and develop the service, including by monitoring interactions and usage across your devices, analyzing how people are using it, and by training and improving our technology,” its policies say.

DeepSeek’s privacy policy also says the company will also use information to “comply with \[its\] legal obligations”—a blanket clause many companies include in their policies. DeepSeek’s privacy policy says data can be accessed by its “corporate group,” and it will share information with law enforcement agencies, public authorities, and more when it is required to do so.

While all companies have legal obligations, those based in China do have notable responsibilities. Over the past decade, Chinese officials have passed a series of cybersecurity and privacy laws meant to allow state officials to demand data from tech companies. One 2017 law, for instance, says that organizations and citizens should “cooperate with national intelligence efforts.”

These laws, alongside growing trade tensions between the US and China and other geopolitical factors, fueled security fears about TikTok. The app could harvest huge amounts of data and send it back to China, those in favor of the TikTok ban argued, and the app could also be used to push Chinese propaganda. (TikTok has denied sending US user data to China’s government.) Meanwhile, several DeepSeek users have already pointed out that the platform does not provide answers for questions about the 1989 Tiananmen Square massacre, and it answers some questions in ways that sound like propaganda.

Willemsen says that, compared to users on a social media platform like TikTok, people messaging with a generative AI system are more actively engaged and the content can feel more personal. In short, any influence could be larger. “Risks of subliminal content alteration, conversation direction steering, in active engagement ought by that logic to lead to more concern, not less,” he says, “especially given how the inner workings of the model are widely unknown, its thresholds, borders, controls, censorship rules, and intent/personae largely left unscrutinized, and it being already so popular in its infancy stage.”

Olejnik, of King's College London, says that while the TikTok ban was a specific situation, US law makers or those in other countries could act again on a similar premise. “We can’t rule out that 2025 will bring an expansion: direct action against AI firms,” Olejnik says. “Of course, data collection may again be named as the reason.”

_Updated 5:27 pm EST, January 27, 2025: Added additional details about the DeepSeek website's activity._

_Updated 10:05 am EST, January 29, 2025: Added additional details about DeepSeek's network activity._

DeepSeek’s Popular AI App Is Explicitly Sending US Data to China

Attackers aim to steal people's personal and payment-card data in the campaign, which dangles the threat of an undelivered package and has the potential to reach organizations in more than 50 countries.

Source: Francis Vachon via Alamy Stock Photo

Attackers impersonating the US Postal Service (USPS) are striking again, this time in a widescale mobile phishing campaign that taps people's trust in PDF files. This time it uses a novel evasion tactic to steal credentials and compromise sensitive data in SMS phishing (smishing) attacks.

Discovered by researchers at Zimperium zLabs, the smishing campaign uses malicious SMS messages informing people that their package can't be delivered because of "incomplete address information," they revealed in a blog post published Jan. 27. The messages direct people to click on a PDF file that contains a malicious phishing link, leading them to a landing page that asks them to provide personal details, including name, address, email, and phone number. A further redirection collects people's payment-card data, claiming to require service fees for successful delivery of the package.

"This tactic leverages the perception of PDFs as safe and trusted file formats, making recipients more likely to open them," Zimperium researcher Fernando Ortega wrote in the post.

ZLabs researchers uncovered more than 630 phishing pages, 20 malicious PDF files, and a malicious infrastructure of landing pages related to the campaign, demonstrating a significant scale that potentially could impact organizations across more than 50 countries, he said.

Related:Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers

Moreover, attackers use "a complex and previously unseen technique to hide clickable elements" of the campaign, making it difficult for most endpoint security solutions to properly analyze the hidden links and thus detect the threat, Ortega wrote.

"This strategy highlights the evolving tactics of cybercriminals, who exploit both trusted file formats and advanced evasion methods to deceive users and compromise their data," he wrote.

**Manipulating PDFs to Escape Detection**

Attackers use their knowledge of the back-end composition of PDF files to create a novel evasion tactic that makes the malicious campaign harder for automated security systems to detect as suspicious, the researchers found.

In PDF files, links are typically represented using the /URI tag, which is part of an Action Dictionary object, specifically within a Go-To-URI action, Ortega explained in the post. This instructs a PDF viewer to navigate to a uniform resource identifier (URI), which is usually a Web address (URL).

The PDFs used in this campaign embed clickable links without utilizing the standard /URI tag, "making it more challenging to extract URLs during analysis," Ortega wrote.

"Our researchers verified that this method enabled known malicious URLs within PDF files to bypass detection by several endpoint security solutions," he added. In contrast, these solutions detect the same URLs when the standard /URI tag was used.

Related:Mirai Variant 'Aquabot' Exploits Mitel Device Flaws

"This highlights the effectiveness of this technique in obscuring malicious URLs," Ortega explained.

**Package-Themed Phishing Not New, But Evolving**

Campaigns that impersonate the USPS and other trusted brands are hardly new, as attackers often leverage the urgency that comes with a person waiting for a package or piece of mail as a convincing lure for phishing attacks. One USPS-anchored campaign in October 2023 was linked to Iranian attackers and used close to 200 different domains as infrastructure for the attacks, as an example.

However, the scale and sophisticated evasion tactic used in the latest USPS impersonation effort makes it a notable threat, and part of a disturbing trend to take advantage of "limited mobile device security worldwide," threatening corporate users, one security experts says.

"While organizations have robust email security, the critical tension between finance, HR, and technology teams around mobile devices has created a significant and dangerous gap in protection, leading to underinvestment in web and mobile messaging security despite these becoming primary attack vectors," says Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+.

Related:Super Bowl LIX Could Be a Magnet for Cyberattacks

Indeed, organizations need to get a handle on the issue of unsecured mobile devices in the workplace, another expert says. To do this, notes Darren Guccione, CEO and co-founder at Keeper Security, they should adopt a layered security approach that combines employee education with the use of multifactor authentication (MFA) to prevent credential compromise even if a corporate user falls for an attack.

As far as enterprise security goes, he explains, employing zero-trust security frameworks that use privileged access management (PAM) solutions can serve to further mitigate risks "by restricting access to sensitive systems, ensuring only authorized users can interact with critical data."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

USPS Impersonators Tap Trust in PDFs in Smishing Attack Wave

About Authentication Bypass – FortiOS (CVE-2024-55591) vulnerability. A critical flaw allows remote attackers to gain super-admin privileges via crafted requests to the Node.js websocket module. Affected systems include Fortinet devices running FortiOS (e.g., FortiGate NGFW) and FortiProxy. 🔹 On January 10, Arctic Wolf reported attacks on Fortinet devices that began in November 2024. Attackers create […]

**About Authentication Bypass – FortiOS (CVE-2024-55591) vulnerability.** A critical flaw allows remote attackers to gain super-admin privileges via crafted requests to the Node.js websocket module. Affected systems include Fortinet devices running FortiOS (e.g., FortiGate NGFW) and FortiProxy.

🔹 On January 10, Arctic Wolf reported attacks on Fortinet devices that began in November 2024. Attackers create accounts with random names, modify device settings, and gain access to internal systems.

🔹 The vendor advisory was published on January 14. The vulnerability was added to the CISA KEV.

🔹 A public exploit has been available on GitHub since January 21.

🔹 As of January 26, Shadow Server reports around 45,000 vulnerable devices accessible from the Internet.

The vendor recommends updating FortiOS and FortiProxy to secure versions and restricting or disabling administrative HTTP/HTTPS interfaces.

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Authentication Bypass – FortiOS (CVE-2024-55591) vulnerability

A cross-site scripting (XSS) vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTMl via a crafted payload injected into the Title parameter.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-2v3r-gvq5-qqgh: Dolibarr Cross-site Scripting vulnerability

A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTMl via a crafted payload injected into the Title parameter.

Tag

#web