Cybersecurity researchers discovered 270,000+ lines of American National Insurance customer data leaked online, potentially linked to the 2023…

Cybersecurity researchers discovered 270,000+ lines of American National Insurance customer data leaked online, potentially linked to the 2023 MOVEit breach. Learn about the exposed data and how to protect yourself.

SafetyDetectives’ Cybersecurity Team discovered a forum post on Breach Forums, a clear web platform for data breaches, where a threat actor shared a link to a database containing 279,332 lines of sensitive data allegedly belonging to the American National Insurance Company (ANICO). This data, apparently from the 2023 data breach, includes customer and some employee information.

For your information, American National Insurance Company, headquartered in Galveston, Texas, employs over 4,600 people and generates over $1.1 billion in annual revenue through its subsidiaries. The leaked data, available in a .CSV file, is still available on the forum to download. The exposed information includes:

*   Customer Data: Account ID, Status, Email Address, Full Name, Date of Birth, Age, Gender, Marital Status, Generation, Occupation, Phone, Language, Full physical address, Inforce Premium Amount, Inforce Premium Amount Annuity, Type of Policy.

*   Employee Data: Years In Force, Agent Name, Agent Email, MLGA/RGA Name, MLGA/RGA Email. 

SafetfyDetectives research suggests a strong connection between the 2023 MOVEit breach and the recent data exposure of American National Insurance Company. ANICO has publicly acknowledged being impacted by a cyberattack involving MOVEit, a file transfer application developed by Progress Software.

This indicates that the company’s systems were vulnerable to exploitation through the MOVEit vulnerability. The Cl0p ransomware group, known for exploiting the MOVEit vulnerability in numerous attacks, was specifically mentioned in ANICO’s investigation. In August 2023, the Cl0p ransomware group had listed the company as a victim. 

“Thus, it is possible that American National’s recent filing with the Texas Attorney General is referring to a MOVEit breach. However, this has not yet been confirmed by the American National,” SafetyDetectives’ blog post read.

While a separate report from data breach lawyers at Console & Associates, P.C., suggests the exposure of Social Security Numbers, financial account information, and medical information during the 2023 breach, the data shared on the forum does not explicitly confirm this.

Nevertheless, the exposure of this sensitive information poses significant risks to individuals. Malicious actors could use personal information like Social Security numbers and financial details to impersonate individuals and commit fraud.

In contrast, the disclosure of medical information could lead to discrimination or misuse. Moreover, the exposed data could be used to launch targeted phishing attacks, tricking victims into revealing more personal information or clicking on malicious links.

Considering these dire consequences, it is recommended that individuals change passwords for compromised accounts and enable two-factor authentication. It is also essential to remain cautious of phishing attempts, review privacy settings on social media, and closely monitor bank accounts and credit reports for unauthorized activity.

If you suspect identity theft or fraud, report the incident to local law enforcement and relevant authorities. Also, check out this article to stay protected from online fraud.

1.  **US Auto Insurance Price Site RateForce Leaks PII Data**
2.  **Cl0p Ransomware Exploits Cleo Flaw, Threatens Data Leaks**
3.  **13GB Data of Automobile Insurance Giant AA Exposed Online**
4.  **66K Affected in SIM-Swapping Attacks on US Insurance Giants**
5.  **3 Billion National Public Data Records with SSNs Leaked Online**

American National Insurance Company (ANICO) Data Leaked in MOVEit Breach

Plus: A hacker finds an issue with Cloudflare’s systems that could reveal app users’ rough locations, and the Trump administration puts a wrench in a key cybersecurity investigation.

This week started off with a bang and just kept going. In the wee hours of Saturday night, TikTok cut off access to users in the United States ahead of Sunday’s deadline that forced Apple and Google to remove the video-sharing app from their app stores. While TikTok was dark, US users raced to get around the TikTok ban while several other unexpected apps saw their access to Americans severed as well. By midday on Sunday, however, TikTok access was already coming back in the US. By Monday night, newly inaugurated US president Donald Trump had signed an executive order delaying the TikTok ban by 75 days.

On Tuesday, Trump made good on his promise to free Ross Ulbricht, the imprisoned creator of the Silk Road dark-web market, where users sold drugs, guns, and worse. Ulbricht had spent more than 11 years behind bars after he was arrested by the FBI in 2013 and later sentenced to life in prison. Trump’s decision to pardon Ulbricht is largely seen as linked to the support he’s received from the libertarian cryptocurrency community, which has long considered the Silk Road creator a martyr.

As the world enters the second Trump era, WIRED sat down with Jen Easterly, who recently left her top spot as director of the Cybersecurity and Infrastructure Security Agency to discuss the cyber threats facing the US and CISA’s uncertain future as the frontline watchdog against nation-state hackers and other digital security threats facing the US.

Lastly, we detailed new research that revealed how trivial bugs had exposed Subaru’s system for tracking the locations of its customers’ vehicles. The researchers found they could access a web portal for Subaru employees that allowed them to pinpoint up to a years’ worth of a car’s location—down to the parking spots they use. The flaws are now patched, but Subaru employees still have access to sensitive driver location data.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Judge Says Controversial FBI Searches Require a Warrant**

A US judge in New York this week found that the FBI’s practice of searching data on US persons under Section 702 of the Foreign Intelligence Surveillance Act without obtaining a warrant is unconstitutional. FISA gives the US government the authority to collect the communications of foreign entities through internet providers and companies like Apple and Google. Once this data was collected, the FBI could perform “backdoor searches” for information on US citizens or residents who communicated with foreigners, and it did so without first obtaining a warrant. Judge DeArcy Hall found that these searches do require a warrant. “To hold otherwise would effectively allow law enforcement to amass a repository of communications under Section 702—including those of US persons—that can later be searched on demand without limitation,” the judge wrote.

**Cloudflare Function Could Expose App Users’ Rough Location**

An “issue” with the basic functionality of internet infrastructure company Cloudflare’s content delivery network, or CDN, can reveal the coarse location of people using apps, including those meant for protecting privacy, according to findings from an independent security researcher. Cloudflare has servers in hundreds of cities and more than 100 countries around the world. Its CDN works by caching peoples’ internet traffic across its servers then delivering that data from the server closest to a person’s location. The security researcher, who goes by Daniel, found a way to send an image to a target, collect the URL, then use a custom-built tool to query Cloudflare to find out which data center delivered the image—and thus the state or possibly the city the target is in. Fortunately, Cloudflare tells 404 Media that it fixed the issue after Daniel reported it.

**Trump Administration Disbands Review Board Investigating China’s Salt Typhoon Attacks**

In one of its first moves after Trump took office on Monday, the Department of Homeland Security let go everyone on the agency’s advisory committees. This includes the Cyber Safety Review Board, which was investigating widespread attacks on the US telecommunications system by the China-backed hacker group Salt Typhoon. US authorities revealed in mid-November that Salt Typhoon had embedded itself in at least nine US telecoms for espionage purposes, potentially exposing anyone using unencrypted calls and text message to surveillance by Beijing. While the future of the CSRB remains uncertain, sources tell reporter Eric Geller that their investigation into Salt Typhoon’s attacks is effectively “dead.”

US Privacy Snags a Win as Judge Limits Warrantless FBI Searches

A departmentwide initiative has now led to five major law enforcement actions, in an attempt to curb the increasingly common trend of North Korean hackers posing as IT job applicants.

Source: Sean Hawkey via Alamy Stock Photo

Two Americans, two North Koreans, and a Mexican man have been indicted for their roles in an IT worker scam.

According to the Department of Justice (DoJ), Pak Jin-Song, Jin Sung-Il, and other North Korean co-conspirators secured IT jobs with at least 64 different American companies. They managed it using fake identities facilitated by Pedro Ernesto Alonso De Los Reyes, a Mexican citizen living in Sweden, and carried out their jobs with the help of laptop farms maintained by US citizens Emanuel Ashtor and Erick Ntekereze Prince.

The ruse lasted from April 2018 to last August. For a sense of how lucrative it was, the DoJ noted that earnings from just 10 of the 64 affected companies yielded the scammers $866,255.

**Breakdown of a North Korean IT Scam**

The IT worker scam, now tried and true, developed as a workaround for trade and economic sanctions imposed by the US on the Democratic People's Republic of Korea (DPRK). North Koreans under the employ of sanctioned DPRK government ministries, under assumed identities and relocated in places like China and Russia, apply for remote jobs in America's lucrative tech industry. They perform their jobs adequately enough, but funnel their earnings back to their shriveled government. And some portion of that money, inevitably, ends up funding its notorious nuclear and missile development programs.

Related:CISOs Are Gaining C-Suite Swagger, but Has It Come With a Cost?

But getting a high-paying tech job is no simple, overnight process. To facilitate these scams, by trick or by trade, North Korea recruits Americans and other foreign nationals to help them implement the plan. In this case, the help came from a few central individuals.

In some cases, Alonso lent the hungry job seekers his identity, which they presented as their own in job applications and interview processes. In other cases, the North Koreans stole real US citizens' government identification documents, then superimposed their own headshots on them. In other cases, they solicited help with forgeries from the Web.

After securing sometimes six-figure gigs, the North Korean workers would have company laptops delivered to Ashtor or Prince. By a certain point, the Americans were running full-on laptop farms from their homes in North Carolina. To enable North Koreans in China to work from laptops on the US East Coast, they covertly downloaded and installed remote access software onto these corporate devices. And to conceal where the salaries were actually going, they used their own registered companies to invoice employers. Payments would then be laundered through Chinese bank accounts.

Related:War Game Pits China Against Taiwan in All-Out Cyberwar

Ashtor and Prince were arrested in North Carolina, and Alonso in the Netherlands. All five men are now charged with conspiracy to cause damage to a protected computer, conspiracy to commit wire fraud and mail fraud, conspiracy to commit money laundering, and conspiracy to transfer false identification documents. The two named North Koreans have earned a bonus charge of conspiracy to violate the International Emergency Economic Powers Act. Convictions could entail prison sentences of up to 20 years.

**Are Recent Arrests Having an Impact on Cybercrime?**

Last March, the DoJ launched its DPRK RevGen: Domestic Enabler Initiative, focused on shutting down the laptop farms crucial to facilitating North Korean IT worker scams. In the time since, authorities have made notable arrests and seizures on four separate occasions.

"They've been warned about this for two years, and we're finally just now starting to see the United States government starting to form a defensive policy, \[with\] routine arrests and sanctions," says Roger Grimes, data-driven defense evangelist at KnowBe4, a company that accidentally hired a North Korean employee last year.

Grimes hasn't yet observed any noticeable decline in these scams since the DoJ initiative began. In fact, he reports, KnowBe4 has received applications from fake IT workers even since its first, widely publicized incident. Any Americans joined up with Kim might consider, though, that besides the threat of arrest, the gig isn't always as lucrative as it seems.

Related:84% of Healthcare Organizations Spotted a Cyberattack in the Late Year

"A lot of them have been cheated," Grimes notes. While cases have varied widely, he claims, "Many \[Americans have been\] promised a lot more, and either only got paid partially, or some of them didn't get paid at all. So they were really cheated."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

DoJ Busts Up Another Multinational DPRK IT Worker Scam

Third-party API security requires a tailored approach for different scenarios. Learn how to adapt your security strategy to outbound data flows, inbound traffic, and SaaS-to-SaaS interconnections.

Source: Elena Uve via Alamy Stock Photo

COMMENTARY

API security often involves third-party, rather than first-party, APIs, and each use case can have different requirements. Rather than trying to make one technological approach work for all instances, security and risk management leaders must adapt their approach to the specific use case.

According to a recent Gartner survey, 71% of IT leaders report using third-party application programming interfaces (APIs) in their organizations. Many security and risk management leaders must focus on API security when dealing with consumption and integration with third-party APIs, rather than exposure of first-party APIs. 

In addition, when it comes to third-party APIs, many remediation measures, such as patching for exposures, are not under the organization's direct control. Therefore, the approach will have to be fundamentally different as compared to first-party APIs. 

Three use cases should be top of mind for these security leaders.

**Use Case 1: Discover and Manage Outbound Data Flows to Third-Party APIs**

In this first use case, the enterprise sends data to third parties via APIs, typically by invoking them from homegrown applications. In an e-commerce scenario, for instance, the service providing the API could be a payment gateway. In this example, the outgoing traffic would contain payment data used to process a payment. There are different ways to invoke the API from within the application, such as direct integration, using a software development kit or a webhook.

A main risk is that sensitive data may be sent toward the API. This activity may conflict with enterprise policies or industry regulations. Third-party APIs may also put the data, or the data of customers, in danger. For example, an attacker may be able to steal payment data from customers by using a vulnerable payment API. Depending on the scenario, injecting a malicious payload could also corrupt the database of a business partner.

In this scenario, security leaders should discover third-party APIs by performing traffic inspection, code repository inspection, and software composition analysis, as certain third-party APIs may be invoked via third-party libraries, not homegrown code.

Security leaders should also liaise with the team that manages sourcing, procurement, and vendor management (SPVM) and third-party cyber-risk to ensure software-as-a-service (SaaS) applications are vetted and comply with organizational policies.

Security leaders must also identify sensitive data exfiltration by monitoring the outgoing traffic in these API exchanges. This is typically achieved by implementing data loss prevention (DLP) capabilities. Disparate tools could apply—for example, security service edge (SSE), DLP, and API protection tools all have certain DLP capabilities.

*   Differentiators could include whether the tool can categorize data while in transit (“on the fly”) or whether it can perform remediation actions, such as blocking the exchange, anonymizing, or encrypting the data.
    
*   The monitoring point may also matter, as some tools may already be installed or have access to unencrypted traffic.
    
*   Most importantly, the way security leaders have configured a tool matters. If it is set up to act as a choke point, it could be a better option than a tool configured to process only specific types of traffic or incoming traffic, for example.
    
*   Internal considerations, such as which team owns and operates each tool, will also play a role in determining which tool to choose.
    

Finally, security leaders can implement proper authentication and authorization of the API client (in this scenario, the application) using the mechanisms offered by the API provider. At a minimum, favor tokens over API keys for authorization. Assess how opaque and proof-of-possession tokens (or at least frequently rotated access credentials) and certificate pinning may efficiently mitigate token leakage and interception risks in specific use cases. Be mindful of the technical burdens they may require to set them up and issues with traffic inspection.

**Use Case 2: Protect From Inbound Traffic From Third-Party APIs**

In this use case, the organization consumes the third-party API, and the data is incoming. A typical example could be an enterprise application that makes an API call to obtain data from a commercial SaaS provider or a business partner.

One risk in this use case is receiving potentially harmful input from the API. Malicious input from third-party APIs may endanger applications, its users, or the infrastructure hosting applications. For example, if an API response with a malicious payload is sent to a database, it could result in an injection attack.

Data exfiltration is still a risk for this use case, and many of the recommendations from the first use case still apply here. If the outgoing API request contains sensitive data, that data could be intercepted. For example, if an API call requests a list of restaurants based on GPS coordinates, said GPS coordinates could be intercepted if the connection is not secure. Most importantly, the third-party API could be fetching the specific data of the enterprise. (Think, for example, of an API fetching data about customers from specific instances of a CRM SaaS application.)

Security leaders should perform input validation. Ask developers to add input validation controls when ingesting any input, including input from third-party APIs. This will prevent a large spectrum of attacks from malicious input, such as SQL injection attacks. Application security testing (AST) tools can help automate these checks.

Use Web application firewall functionality from a Web application and API protection tool in-line to add contingencies against injection attacks and other types of malicious input.

Finally, vet the input with an antivirus, sandboxing, or content disarm and reconstruction solution by integrating applications typically via Internet content adaptation protocol or APIs with one or more of these tools.

**Use Case 3: Discover, Vet and Manage the Data for Third-Party Apps That Communicate via APIs**

Many security leaders are focused on API security but describe a scenario where one or more SaaS applications typically communicate via APIs, exchanging enterprise data. This issue can be exacerbated because users may be able to interconnect SaaS applications without having administrative privileges. While the underlying communication may be API-based, this problem's solution is closer to the best practices for SaaS security.

This situation is particularly challenging when an authorized SaaS application user connects it via API to an unauthorized SaaS app. Many organizations will have little to no visibility of the connection's existence, let alone of any data transfers across it. Second, visibility is limited to what SaaS providers reveal through their own management APIs, as there's no clear place to insert an in-line control. The main risk with this scenario is that the SaaS application may expose sensitive enterprise data via the API, and that data may be transferred to an unapproved and even unknown location that security has not vetted.

Security leaders should discover the SaaS applications used by performing a census, releasing a policy, and inspecting traffic. Use SSE, firewalls, SaaS management platforms, or other tools to identify the SaaS applications users are accessing, especially those housing sensitive data. Until they know what applications users are accessing, they cannot check for SaaS-to-SaaS connectivity

Discover rogue SaaS access tokens by querying the SaaS applications used, where supported. Create and promote policy to users about connecting SaaS apps via OAuth.

For the previous use cases, liaise with the team that manages SPVM and third-party cyber-risk to ensure SaaS applications are vetted and comply with organizational policies, such as data security and third-party sharing ones. In addition, inventory SaaS-to-SaaS interconnections; automated tooling, such as SSPM offerings, can help ensure this is a continuous process.

By adapting their approaches to these three specific use cases and their possible variations, security leaders can address the risks that third-party APIs present for their organizations.

**About the Author**

VP Analyst, Gartner

Dionisio Zumerle is a VP Analyst at Gartner, where he is currently focused on application and mobile security topics. Zumerle's coverage includes API security, mobile application security, DevSecOps, and mobile threat defense.

3 Use Cases for Third-Party API Security

US prosecutors charged five, including North Koreans, for tricking firms into hiring fake IT workers, sending $866K+ to…

US prosecutors charged five, including North Koreans, for tricking firms into hiring fake IT workers, sending $866K+ to fund weapons programs. Stay alert, and report fraud.

Federal prosecutors in the United States have charged five individuals, including two North Korean nationals, for their roles in a scheme that tricked U.S. companies into **hiring North Korean IT workers**.

According to the Department of Justice (DOJ), the operation funneled hundreds of thousands of dollars to the North Korean government, which, other than **using hackers to steal cryptocurrency**, has been using such tactics to evade sanctions and fund its weapons programs.

The indicted individuals include North Korean nationals Jin Sung-Il and Pak Jin-Song, Mexican national Pedro Ernesto Alonso De Los Reyes, and U.S. citizens Erick Ntekereze Prince and Emanuel Ashtor. They are accused of using stolen identities and fraudulent documents to **pose as legitimate US-based IT professionals**, securing remote jobs with at least 64 American companies.

In a **detailed indictment** (PDF), the DOJ outlined that the group operated from April 2018 to August 2024, using fake identities and falsified documents to bypass hiring checks. Once employed, they allegedly transferred payments amounting to at least $866,255 from ten companies through a Chinese bank account to cover the money trail.

Fake documents used in the scam (Via US DoJ)

A key element of the operation, according to the DOJ’s **press release**, involved “laptop farms,” where company-issued computers were received at U.S. locations and set up with remote access software. This allowed North Korean operatives to control the devices from abroad, creating the impression that the workers were based in the United States.

The scheme came to light following an FBI investigation that led to the recent arrests of Prince and Ashtor in the U.S., while Alonso was apprehended in the Netherlands earlier this month.

All five defendants face charges that include conspiracy to commit wire fraud, identity theft, and money laundering. If convicted, they could face up to 20 years in prison.

****Repeated Pattern****

North Korea has long relied on cyber operations to generate revenue for its government. Thousands of IT workers, primarily based in China and Russia, have been deployed to secure freelance work under false identities. According to U.S. officials, these workers can earn up to $300,000 per year, collectively bringing in millions to support the country’s military ambitions.

To achieve this, they take advantage of online job platforms, social media, and payment services, often using unsuspecting individuals in the U.S. to help move money and avoid detection. In July 2024, cybersecurity firm **KnowBe4 was tricked** by a North Korean hacker posing as an IT worker whose next step was to load malware on a company-issued Macbook.

In response, the U.S. government has issued several warnings to businesses about the risks associated with hiring remote IT workers. The FBI and other agencies have **published guidelines** to help companies spot red flags and protect themselves from falling victim to similar scams.

Authorities are also urging businesses to stay alert when hiring remote workers and to report any unusual activity to the FBI. They emphasize the importance of protecting company data and following international sanctions to help stop this type of fraud.

1.  **Feds Bust N. Korean Identity Theft Ring Targeting US Firms**
2.  **Russian hacker tried hiring Tesla worker for malware attack**
3.  **Hackers used fake job website to scam jobless US veterans**
4.  **Fake LinkedIn job offers scam spreading More\_eggs backdoor**
5.  **Employee Duped by AI-Generated CFO in $25.6M Deepfake Scam**

US Charges Five in North Korean IT Worker Hiring Scam

Crooks pwning crooks – Hackers exploit script kiddies with XWorm RAT, compromising 18,000+ devices globally and stealing sensitive…

Crooks pwning crooks – Hackers exploit script kiddies with XWorm RAT, compromising 18,000+ devices globally and stealing sensitive data via Telegram-based C&C.

CloudSEK has discovered a new campaign involving a Trojanized version of the **XWorm RAT** builder. The malware spread through various channels, including file-sharing services (like Mega and Upload.ee), Github repositories (such as LifelsHex/FastCryptor and FullPenetrationTesting/888-RAT), Telegram channels (including HAX\_CRYPT and inheritedeu), and even Youtube and other websites. 

This campaign resulted in compromising over 18,459 devices globally. The stolen data included sensitive information like browser credentials, Discord tokens, Telegram data, and system information from the compromised devices.

“This builder provides attackers with a streamlined tool to deploy and operate a highly capable RAT, which features advanced capabilities like system reconnaissance, data exfiltration, and command execution,” CloudSEK’s **blog post** authored by the company’s Threat Intelligence Researcher, Vikas Kundu, revealed.

Threat actors specifically distributed a modified XWorm RAT builder to target inexperienced attackers (aka **Script Kiddies**). Once installed, the malware exfiltrated sensitive data like browser credentials, Discord tokens, Telegram data, and system information from the victim’s device. It also boasted advanced features like virtualization checks, the ability to modify the registry, and extensive command and control capabilities.

Furthermore, this malware relies on Telegram for its command and control functionality. It used bot tokens and Telegram API calls to receive commands from the attacker and exfiltrate stolen data.

Researchers were able to identify and leverage a “kill switch” functionality within the malware. This functionality was used to disrupt operations on active devices infected with the malware. However, this approach had limitations. Offline machines and Telegram’s rate limiting mechanisms prevented complete disruption.

Based on the investigation, researchers were able to link the threat actor to aliases “@shinyenigma” and “@milleniumrat.” Additionally, they were able to identify associated GitHub accounts and a ProtonMail address.

It is worth noting that XWorm has become a persistent threat with Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) **reporting** its usage in Russian cyber operations against Ukraine in the first half of 2024. 

To protect against such threats, organizations and individuals should use Endpoint Detection and Response (EDR) solutions to detect suspicious network activity and even malware identification.

Additionally, network monitoring using Intrusion Detection and Prevention Systems (IDPS) can block communication between infected devices and the malicious C&C server on Telegram. Proactive measures like blocking access to known malicious URLs and enforcing application whitelisting can prevent malware from being downloaded and executed.

**RELATED ARTICLES**

1.  **P2PInfect: Self-Replicating Worm Hits Redis Instances**
2.  **FBI Warns of HiatusRAT Malware Targeting Webcams and DVRs**
3.  **Fake 7-Zip Exploit Code Traced to AI-Generated Misinterpretation**
4.  **NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT**
5.  **Black Basta-Style Attack Hits Inboxes with 1,165 Emails in 90 Minutes**

Hackers Use XWorm RAT to Exploit Script Kiddies, Pwning 18,000 Devices

PRESS RELEASE

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Defense Advanced Research Projects Agency (DARPA), the Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E), and the National Security Agency (NSA), published Closing the Software Understanding Gap that calls for decisive and coordinated action by the U.S. government to obtain a deep, scalable understanding of software-controlled systems. Specifically, the report calls for software-controlled systems that can be assessed to verify functionality, safety, and security across all conditions, which is currently not available.

Mission owners and operators lack adequate capabilities for software understanding because technology manufacturers build software that greatly outstrips the ability to understand it. The inadequate understanding leads to exploited software vulnerabilities because technology manufacturers create software that is not secure by design.

“Recent discoveries of adversarial state-sponsored activity in US critical infrastructure – primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems – pose imminent threats to US national security. The software understanding gap exacerbates the risk to this threat activity,” said CISA Technical Director Chris Butera. “Mission owners and operators have an enormous and accelerating dependence on the software underwriting U.S. critical infrastructure. With our partners, we urge the USG to close this gap before other nations and urge software manufactures to align to Secure by Design principles.” 

The report highlights potential solutions to change the security posture of legacy and future software. One example is the application of mathematically rigorous techniques known as formal methods. For a long time, formally verified software has seemed hopelessly out of reach, but advances by DARPA and others over the past decade have made formal approaches more accessible for mainstream practice.

“We have the tools today to greatly reduce the number of software vulnerabilities that plague our software infrastructure,” said DARPA’s Information Innovation Office Director, Kathleen Fisher. “Rapid action to implement these tools in legacy and future systems can dramatically reduce the United States’ cyber vulnerabilities ahead of future global conflicts.”

This report also provides recommendations to obtain a deep, scalable understanding of software-controlled systems, including AI-based systems. By providing an adequate capacity for software understanding, the United States will secure an advantage in geopolitics for the foreseeable future and will help harden critical infrastructure against state-sponsored activity.

This report highlights the enduring broad government coordination required to create the capabilities to address these threats.

For more information on Secure by Design, visit Secure by Design webpage.

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

You May Also Like

CISA Calls For Action to Close the Software Understanding Gap

Attackers can use a zero- or one-click flaw to send a malicious image to targets — an image that can deanonymize a user within seconds, posing a threat to journalists, activists, hackers, and others whose locations are sensitive.

Source: Brian Jackson via Alamy Stock Photo

A flaw in the widely used Cloudflare content delivery network (CDN) can expose someone's location by sending them an image on platforms like Signal and Discord, deanonymizing them in seconds without their knowledge.

That's according to a 15-year-old security researcher who goes by only "Daniel," who published research on GitHub Gist about the flaw — which he discovered three months ago — as a warning for journalists, activists, and hackers, who could be at physical risk.

The flaw allows an attacker to grab the location of any target within a 250-mile radius when a vulnerable app is installed on a target's phone, or even as a background application on their laptop. Using either a one-click or zero-click approach, an attacker can use the app to "send a malicious payload and deanonymize you within seconds — and you wouldn't even know," Daniel wrote.

**Cloudflare Content Caching Is the Cyber Culprit**

The core of the flaw lies in one of Cloudflare's most used features: caching, Daniel explained. Cloudflare's cache stores copies of frequently accessed content, such as images, videos, or webpages, in its datacenters, ostensibly to reduce server load and improve website performance.

When a device sends a request for a resource that can be cached, Cloudflare retrieves the resource from its local data center storage, if possible, or from the origin server. It then caches it locally, and returns it. "By default, some file extensions are automatically cached but site operators can also configure new cache rules," Daniel explained.

Related:War Game Pits China Against Taiwan in All-Out Cyberwar

Because of this process flow, if an attacker can get a user's device to load a resource on a Cloudflare-backed site, causing it to be cached in their local datacenter, they can then enumerate all Cloudflare data centers to identify which one cached the resource. "This would provide an incredibly precise estimate of the user's location," Daniel explained.

Daniel did have to overcome a hurdle to this attack flow in that someone "can't simply send HTTP requests to individual Cloudflare datacenters," he wrote. However, he discovered a bug via a forum post that demonstrates how someone can send requests to specific Cloudflare datacenters with Cloudflare Workers, and created a tool called Cloudflare Teleport, a proxy powered by Cloudflare Workers that redirects HTTP requests to specific datacenters.

**How to Exploit the Cloudflare Location Flaw**

Daniel went on to demonstrate how he could send images via both Signal and Discord that would expose the recipient's location. For Signal, which is an app favored by journalists and activists due to its privacy features, a one-click attack allows someone to send either an attachment or an avatar to a user that exploits the cache geolocation method to pinpoint the recipient's location.

Related:84% of Healthcare Organizations Spotted a Cyberattack in the Late Year

An attacker also could use a zero-click attack in Signal by taking advantage of push notifications, which occur when a message is sent to a user while they are not actively using the app. In this case, the recipient doesn't even have to open the Signal conversation for their device to download the attachment, he said.

Attackers can exploit the flaw similarly in Discord, with potentially wider impact, using a custom emoji that's loaded from Discord's CDN and configured to be cached on Cloudflare, he explained.

"So, instead of sending an attachment in a Discord channel, an attacker can display a custom emoji in their user status and simply wait for the target to open their profile to run a deanonymization attack," Daniel wrote. A one-click attack vector also is possible in Discord by changing a user's avatar and sending a friend request to someone, which triggers a push notification, he added.

**Signal, Discord, Cloudflare Response & Mitigation**

Daniel contacted Signal, Discord, and Cloudflare about the bug. The first two companies did nothing to mitigate it, with Signal claiming users are responsible for protecting their own identities, and Discord claiming it was Cloudflare's responsibility.

Related:Trump Overturns Biden Rules on AI Development, Security

For its part, Cloudflare did fix the Cloudflare Workers bug that allowed Daniel to create the Teleport tool. The bug was reported to its HackerOne program a year ago by another researcher, but the company had not responded to the report. It reopened the case after Daniel's report and mitigated the issue, awarding him a $200 bug bounty in the process.

However, even after the mitigation, Daniel was able to exploit the flaw by reprogramming his Cloudflare Teleport tool to use a VPN instead, choosing a VPN provider with more than 3,000 servers located in various locations across 31 different countries worldwide. "Using this new method, I'm able to reach about 54% of all Cloudflare datacenters again," he explained.

At this time, "any app using a CDN for content delivery and caching can still be vulnerable if the proper precautions aren’t taken," Daniel wrote.

And this can be especially dangerous for people who need to protect their location for various reasons, such as a woman who may be hiding from a violent boyfriend or husband, or a political dissident who is being targeted by a hostile government, says Roger Grimes, data-driven defense evangelist at KnowBe4.

“At first glance, the flaw seems really innocuous and barely relevant, but there are scenarios … where it could be a problem," he tells Dark Reading. Moreover, Grimes suspects that Cloudflare CDN is not the only CDN affected by such a flaw, as "the attack is just generic enough that I think it can be applied to more CDNs," he says.

Daniel advised that people concerned about their privacy should limit their exposure on the affected apps, which "can make a significant difference" when it comes to protecting their location data.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cloudflare CDN Bug Outs User Locations on Signal, Discord

Cybersecurity firm ESET uncovers PlushDaemon, a previously unknown APT group targeting South Korea, deploying a SlowStepper backdoor. This…

Cybersecurity firm ESET uncovers PlushDaemon, a previously unknown APT group targeting South Korea, deploying a SlowStepper backdoor. This article analyses the attack techniques, the capabilities of the SlowStepper malware, and the growing threat posed by this sophisticated APT group. 

Cybersecurity firm ESET has identified a new China-aligned Advanced Persistent Threat (APT) group, dubbed “PlushDaemon,” behind a cyber espionage operation targeting South Korea.

The attack camaign nvolved a **supply chain compromise**, where attackers infiltrated the legitimate update channels of IPany, a popular South Korean VPN software. PlushDaemon then replaced genuine installers with trojanized versions, which upon download and execution, deployed both the legitimate IPany VPN software and a custom backdoor named SlowStepper.

This means, by replacing the genuine installer with a trojanized version, PlushDaemon successfully embedded a malicious backdoor within the software. As per ESET’s **research**, SlowStepper is a feature-rich backdoor boasting over 30 modules. It is designed for extensive surveillance and data collection.

Written in C++, Python, and Go, the malware possesses a wide range of capabilities, including stealing sensitive data such as system information, user credentials, and network configurations, recording audio and video, enabling attackers to monitor their targets’ activities, and gathering detailed information about the victim’s network environment.

Webpage on the IPany site where the malicious installer was available for download (Via ESET)

In addition, the backdoor features advanced persistence mechanisms, such as deploying files that ensure the continued presence of SlowStepper on infected systems and utilizing legitimate tools to sideload malicious code. The trojanized installer utilize advanced communication methods to connect with command-and-control (C&C) servers.

Instead of embedding IP addresses directly within the malware, SlowStepper crafts DNS queries to retrieve TXT records containing base64-encoded, AES-encrypted C&C server addresses. This multi-layered approach makes detection more challenging.

While ESET telemetry revealed manual downloads of the compromised software, suggesting a broad targeting strategy, the attack specifically focused on entities within South Korea’s critical semiconductor and software industries. The timely intervention of ESET, which alerted IPany to the compromised installer, prevented further widespread infection. 

Although only recently discovered, researchers believe the PlushDaemon APT has been active since 2019, consistently building a diverse and powerful arsenal of tools. The sophistication of SlowStepper and the successful execution of this supply chain attack highlight the growing threat posed by this actor. 

To stay safe from these cyber espionage groups there is an urgent need for continuous monitoring. Organizations must prioritize software update channel security and implement stringent verification procedures to ensure the integrity of all updates. Additionally, proactive **threat intelligence** sharing are vital for identifying and mitigating such attacks before they inflict damage.

1.  **Hackers cloned NordVPN website to drop banking trojan**
2.  **Hackers clone ProtonVPN website with password stealer**
3.  **Fake VPN website delivering password-stealing malware**
4.  **N. Korean APT37 Unleashes Dolphin Backdoor on S. Korea**
5.  **Dark web hackers selling S. Korean, US payment card data**

Chinese PlushDaemon APT Targets S. Korean IPany VPN with Backdoor

Abnormal Security uncovers GhostGPT, an uncensored AI chatbot built for cybercrime. Learn how it boosts cybercriminals’ abilities, makes…

Abnormal Security uncovers GhostGPT, an uncensored AI chatbot built for cybercrime. Learn how it boosts cybercriminals’ abilities, makes malicious activities easier to execute, and creates serious challenges for cybersecurity experts.

Artificial intelligence (AI) has revolutionized countless industries, but its potential for misuse is undeniable. While **AI models like ChatGPT** have shown immense promise in various fields, their power can be easily exploited by threat actors through malicious AI chatbots like GhostGPT.

In late 2024, AI-powered email security solutions provider Abnormal Security uncovered this new AI chatbot designed specifically for cybercriminal activities. Dubbed GhostGPT, this malicious AI tool, readily available through platforms like Telegram, empowers cybercriminals with unprecedented capabilities, from crafting sophisticated phishing emails to developing sophisticated malware.

Unlike **traditional AI models** constrained by ethical guidelines and safety measures, GhostGPT operates without such restrictions. This unfettered access to powerful AI capabilities allows cybercriminals to generate malicious content, such as sophisticated phishing emails and malicious code, with unprecedented speed and ease. 

According to Abnormal Security’s analysis, GhostGPT is likely designed using a wrapper to connect to a **jailbroken version of ChatGPT** or an open-source LLM, removing ethical safeguards. This allows GhostGPT to provide direct, unfiltered answers to sensitive or harmful queries that traditional AI systems would block or flag.

This tool significantly lowers the barrier to entry for cybercrime. No longer requiring specialized skills or extensive technical knowledge, even less experienced actors can leverage the power of AI for malicious activities and launch more sophisticated and impactful attacks with greater efficiency.

Furthermore, GhostGPT prioritizes user anonymity, claiming that user activity is not recorded. This feature appeals to cybercriminals seeking to conceal their illegal activities and evade detection.

“GhostGPT is marketed for a range of malicious activities, including coding, malware creation, and exploit development. It can also be used to write convincing emails for business email compromise (BEC) scams, making it a convenient tool for committing cybercrime,” Abnormal Security’s **blog post** revealed.

GhostGPT’s easy availability on Telegram makes it highly convenient for cybercriminals. With a simple subscription, they can immediately start using the tool without the need for complex setups or technical expertise.

Abnormal Security researchers tested GhostGPT’s capabilities by creating a convincing **Docusign phishing** email template. The chatbot demonstrated its ability to trick potential victims, making it a powerful tool for anyone intending to use AI for malicious purposes.

GhostGPT on Telegram (left) – GhostGPT’s ad (right) – (Credit: Abnormal Security)

This is not the first time a chatbot has been created for malicious purposes. In 2023, researchers identified two other harmful chatbots, **WormGPT** and **FraudGPT**, which were used for criminal activities and caused serious concerns within the cybersecurity community.

Nevertheless, the rise in GhostGPT popularity, evidenced by thousands of views on online forums, indicates a growing **interest in AI by cybercriminals**, and the need for innovative cybersecurity measures. The cybersecurity community must continuously innovate and evolve its defences to stay ahead of the curve.

1.  **Malicious Abrax666 AI Chatbot Exposed as Potential Scam**
2.  **AI Generated Fake Obituary Websites Target Grieving Users**
3.  **Malicious Ads Infiltrate Bing AI Chatbot in Malvertising Attack**
4.  **Facebook Phishing Scam: Messenger Chatbots Stealing Logins**
5.  **Mozilla 0Din Warns of ChatGPT Flaws Enabling Python Execution**

Tag

#web