Cyber security aggregate rss news

Cyber security aggregator - feeds history

image for Telegram Chatter, De ...

 Cyber News

Disinformation, deepfakes and threats have gone into overdrive in the final days of the 2024 U.S. presidential election campaign, and Cyble threat researchers have detected a number of new campaigns attempting to sway the outcome. Cyble’s findings confirm a warning issued yesterday by CISA, the FBI and the Office of the Director of National Intelligence (ODNI) that disinformation efforts are growing in the campaign’s final days, with Russia the biggest threat, followed by Iran. Russia in particular is focused on spreading claims of election fraud to stoke division in the coming days, despite repeated assurances by government security officials and independent observers that it would be nearly impossible for malicious actors, even insiders, to alter election results, because voting machines are isolated from the internet and paper backups exist in all but Louisiana and parts of Texas. Russian efforts to disrupt election day voting included bomb threats targeting polling places and a text campaign aiming to divide Democratic voters over the Israel-Hamas war in Gaza.

The warning from U.S. intelligence agencies was followed a short while later by a CNN article reporting that a U.S. social media influencer had admitted he was paid $100 by a pro-Kremlin propagandist to post a fake video of Haitian immigrants claiming to vote in the U.S. presidential election, one of several videos the man said he received from a registered Russian agent.

Telegram Chatter: Election Fraud Claims, Influence Campaigns

Here is some of the election chatter Cyble researchers have noted in recent days on the company’s dark web monitoring platform. Claims of election fraud continue, but recent efforts have expanded to amplifying any perceived irregularity and finding new ways to suppress turnout. The tone of some communications has turned more militant in recent days, while stopping short of calling for violence.

One new campaign is focused on amplifying a recent appearance by Sen. John Fetterman (D-Pa.) on Joe Rogan’s podcast. One Telegram post claimed that “Democratic Senator John Fetterman agrees with Joe Rogan's claim that Democrats are manipulating elections by allowing millions of illegal immigrants into the U.S. and strategically positioning them in swing states.” That claim is false.

Fetterman, who represents the critical swing state of Pennsylvania, wasn’t at his most articulate on Rogan’s show, but even the right-leaning Real Clear Politics reports Fetterman saying, “if I thought there was any kinds of issues and I've been very vigilant throughout, I've been actively involved in those kinds of things and I've never witnessed those kinds of a thing,” in an article that seems aimed at muddying the issue. Given the importance of Pennsylvania in the 2024 election, it is not surprising that the interview was widely distorted in disinformation efforts.

Alleged pro-Palestinian Telegram accounts have been urging voters to reject both the Republican and Democratic parties and vote third party. As Democratic nominee Kamala Harris is likely to be more sympathetic to Palestinian interests in the war with Israel than Republican nominee Donald Trump, this widespread campaign is likely to be a disinformation operation. Here’s one Telegram post from the ongoing campaign: “The Popular Front for the Liberation of Palestine calls on all the free people of America, especially supporters of the Palestinian people, Palestinian and Arab communities, as well as Black organizations and other minorities, to boycott the Democratic and Republican parties in the U.S. elections scheduled for tomorrow, as both share clear colonial objectives aimed at the genocide of our people and the reinforcement of the zionist settler project.”

In addition to widespread claims that the election will be rigged or stolen, coming almost exclusively from right-leaning accounts, some dark web chatter has warned of violence while stopping short of calling for it. Two examples from Telegram:

“We did not come to this place and point in history because of people like me. We were dragged here by a system built upon division and perpetual angst. We are now in a cocked gun presidential election that will go off no matter how the race is called. People are going to kill each other. People are going to burn things. We cannot stop any of that, but we also cannot avoid the disruptive impacts of it either. As soon as America falls into revolt, every one of our enemies is going to attack us at the same time.”

“This time it’s different. We don’t have to tolerate their BS. Not that violence is the answer. But like you said. Refuse be bullied. If enough folks thumb their noses at them and calmly state ‘Nope. And you can’t make us, either. So piss off.’ Violence won’t be needed.”

(Image: Telegram election chatter warns of violence. Source: Cyble dark web monitoring)

Given the insurrection that followed the 2020 election, any divisive rhetoric on the part of the losing candidate in the 2024 election may gain traction with groups that are already on high alert.

Applying a Reality Check to Election Information

In looking at any information about the election, readers are urged to apply two tests: Does the information make sense, and who stands to benefit from its dissemination? In the Fetterman and Palestinian examples above, the statements attributed to Fetterman and to pro-Palestinian groups would not benefit those parties, but they would benefit the Trump campaign and its Russian supporters. For those and other reasons, Cyble has concluded that those posts are likely aimed at spreading disinformation, intentionally or otherwise.

Cyble researchers found that election chatter on the dark web has more than doubled in the final two months of the election campaign, and has been displaying increasing signs of both sophistication and militance as the election nears, mirroring concerns expressed privately by U.S. intelligence officials.

image for Canadian Hacker Behi ...

 Firewall Daily

Canadian law enforcement authorities have arrested a suspect allegedly responsible for a cyberattack on Snowflake Inc., a major cloud data warehousing company. Alexander "Connor" Moucka, also known by the online aliases Judische and Waifu, was apprehended on October 30, 2024, following an arrest request from U.S. authorities. The arrest was made under a provisional warrant, and Moucka is set to appear in Canadian court to face potential extradition, Bloomberg reported.

The Snowflake data breach and the subsequent attacks highlighted the vulnerabilities in cloud platforms, with Moucka accused of executing multiple breaches affecting at least 165 Snowflake customers. While the exact charges against him have not been disclosed, multiple sources familiar with the situation have identified him as the key figure behind the cyberattack on Snowflake.

A Series of Cyberattacks Linked to Snowflake Data Breach

Moucka's alleged hacking campaign began earlier in 2024 and escalated in April, when he targeted over 100 organizations, causing widespread disruption. Cybersecurity experts have described Moucka as one of the most damaging cybercriminals of the year. Moucka’s attacks resulted in "significant data loss" and extortion attempts. The attacks were characterized by the use of infostealing malware, which harvested user credentials that were then used to log in to victims' environments.

The Snowflake cyberattack was just one part of a larger campaign, as Moucka also targeted well-known companies like AT&T, Live Nation Entertainment, and Advance Auto Parts. These companies disclosed in June and July that they had been affected by the breach, with some falling victim to extortion attempts. In these cases, the hacker threatened to sell stolen data on dark web forums unless the companies paid a ransom. This method of cyber extortion, in which attackers use sensitive data as leverage, is a growing concern for organizations worldwide.

The intrusion into Snowflake's own environment specifically involved a former employee's compromised credentials. The hacker accessed Snowflake's demo accounts, which were not protected by measures like multi-factor authentication (MFA). These demo accounts were isolated from the main production systems, but they still held value for cybercriminals, who sought to exploit the breach for media attention and potential profit.

Attack Path and Methods

The attackers gained initial access to customer environments hosted on Snowflake by replaying credentials obtained through infostealing malware. According to Mandiant’s investigation, the malware families used in the attacks included well-known tools such as Vidar, Redline, RisePro, Raccoon Stealer, Lumma, and Metastealer. These families are commonly used to harvest saved credentials from infected machines, which are then used to log in to online platforms.

The breach was notable for its scale and for the fact that Snowflake's core systems were not directly affected. As confirmed by Snowflake’s Chief Information Security Officer, Brad Jones, the company’s cloud platform was not breached through a vulnerability in the platform itself. Snowflake had implemented strong security measures, including Okta and MFA, to protect critical infrastructure. However, the demo accounts, which were not safeguarded in the same manner, provided an easy point of entry for the attackers.

Snowflake's Response and Security Measures

Snowflake, a leading provider of cloud-based data storage and analytics services, has over 9,800 global customers, including some of the world's biggest corporations like Adobe, AT&T, Capital One, and Mastercard. Due to its prominence in the cloud data industry, Snowflake has long been a target for cybercriminals. Despite the cyberattack on Snowflake, the company has repeatedly emphasized that the breach was not due to inherent flaws in its platform.

In its official response, Snowflake clarified that its core systems, protected by MFA and other advanced security protocols, remained secure. The attack exploited a weak link in the company’s demo accounts, which were used for testing and training purposes. Although these accounts contained no sensitive production data, they still provided attackers with a foothold in the company’s ecosystem.

The company has since worked closely with forensic experts to investigate the extent of the breach and determine any potential impact on its customers. Preliminary results from this investigation indicated that the hackers accessed customer accounts via single-factor authentication (a password alone), which lacked the additional layer of protection provided by MFA. The compromised former-employee account was identified as the entry point into Snowflake's own environment, although it was isolated from Snowflake’s production systems, minimizing the overall risk.

The Broader Implications of the Snowflake Cyberattack

The Snowflake data breach and the subsequent arrest of Alexander Moucka underscore the evolving threat landscape in cybersecurity. As cloud-based services like Snowflake become increasingly integral to businesses across the globe, the importance of robust security measures becomes ever more critical.

While Snowflake’s core platform proved resilient in the face of this attack, the breach highlights the importance of securing all aspects of a cloud service, including lesser-protected areas such as demo accounts and test environments. For organizations using cloud platforms, the breach serves as a reminder of the need to implement comprehensive security controls, including MFA for every account that can hold a password, network policies that restrict where logins may come from, regular audits, and vigilant monitoring for signs of suspicious activity.

As the investigation into Moucka's activities continues, experts are watching closely to see if further details emerge about his methods and potential accomplices. This case is also likely to have broader implications for how companies approach cybersecurity and how law enforcement handles cybercrime on a global scale.
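The attack path described above, infostealer-harvested passwords replayed against accounts that had no second factor, is something a Snowflake customer can hunt for in its own login history. The block below is an added example for this page, not code from the article, Snowflake or Mandiant. It flags successful password-only logins from outside a set of known egress ranges and lists every user who has authenticated with a password and no second factor, over constructed records whose fields mirror the columns of the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view. The user names, client IPs, client types and the allowlisted networks are assumptions made for the demonstration.

```python
"""Hunt for password-only logins in Snowflake-style login history.

Added example for this page; not code from Snowflake, Mandiant or the
article. Field names mirror the columns of the
SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view, but all rows, user names,
IP addresses and the egress allowlist below are constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class LoginEvent:
    user_name: str
    client_ip: str
    reported_client_type: str
    first_authentication_factor: str             # e.g. PASSWORD, RSA_KEYPAIR, OAUTH_ACCESS_TOKEN
    second_authentication_factor: Optional[str]  # e.g. DUO_PUSH, or None when no MFA
    is_success: bool


# Assumed corporate egress ranges (constructed; documentation-only prefixes).
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed sample events: one MFA login, two password-only logins (one from
# inside the allowlist, one from an unknown address), a failed attempt, and an
# SSO token login.
SAMPLE_EVENTS = [
    LoginEvent("ALICE", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    LoginEvent("BOB", "203.0.113.11", "PYTHON_DRIVER", "PASSWORD", None, True),
    LoginEvent("SVC_ETL", "192.0.2.77", "DBEAVER", "PASSWORD", None, True),
    LoginEvent("CAROL", "192.0.2.78", "SNOWFLAKE_UI", "PASSWORD", None, False),
    LoginEvent("DAVE", "198.51.100.5", "JDBC_DRIVER", "OAUTH_ACCESS_TOKEN", None, True),
]


def is_allowlisted(ip: str) -> bool:
    """True if the client IP falls inside one of the known egress ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def is_password_only(event: LoginEvent) -> bool:
    """A successful login authenticated by a password with no second factor.

    Key-pair and OAuth/SAML first factors are deliberately excluded: they are
    not the stolen-password replay that the Snowflake campaign relied on.
    """
    return (
        event.is_success
        and event.first_authentication_factor == "PASSWORD"
        and event.second_authentication_factor is None
    )


def flag_single_factor_logins(events: Iterable[LoginEvent]) -> List[LoginEvent]:
    """Password-only logins from outside the allowlist: the highest-priority hits."""
    return [e for e in events if is_password_only(e) and not is_allowlisted(e.client_ip)]


def users_without_mfa(events: Iterable[LoginEvent]) -> Set[str]:
    """Every user who has logged in successfully with a password alone, i.e.
    the population to enrol in MFA or move to key-pair/SSO authentication."""
    return {e.user_name for e in events if is_password_only(e)}


if __name__ == "__main__":
    for e in flag_single_factor_logins(SAMPLE_EVENTS):
        print(f"ALERT password-only login from unknown IP: {e.user_name} "
              f"{e.client_ip} ({e.reported_client_type})")
    print("users to enforce MFA for:", sorted(users_without_mfa(SAMPLE_EVENTS)))
```

Against real data the rows come from `SELECT user_name, client_ip, reported_client_type, first_authentication_factor, second_authentication_factor, is_success FROM snowflake.account_usage.login_history`, and the core filter is `is_success = 'YES' AND first_authentication_factor = 'PASSWORD' AND second_authentication_factor IS NULL`. The IP allowlist is the piece that turns a long list into a short one, which is also why a network policy on the account is a worthwhile compensating control while MFA enrolment catches up.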

image for SETU Confirms Cybera ...

 Cyber News

Ireland’s South East Technological University (SETU) has disclosed a cybersecurity incident affecting its Waterford campus, temporarily halting classes and disrupting IT services. The university’s internal IT team, alongside external cybersecurity experts, is working to resolve issues related to the SETU cyberattack and minimize disruptions.

In a statement released on SETU’s website, students were advised that classes on the Waterford campuses would be postponed on Monday, November 4, to allow faculty to adjust their plans amid the outage. Classes are set to resume on Tuesday, November 5, but students and staff may continue to experience limited access to certain services. “Following Monday’s class postponement, we can confirm that classes on our Waterford campuses will resume on Tuesday, November 5,” SETU said. “However, staff and students may still experience some disruptions as we continue our efforts to resume normal services.”

SETU Cyberattack: No Specific Details Disclosed

Although the specific nature of the SETU cyberattack has not been disclosed, SETU’s statement reassures the community that the incident was identified “at the earliest possible stage.” An email from the university’s Vice-President for Student Experience, David Denieffe, informed staff that ongoing investigations have shown no evidence of data compromise. However, national broadcaster RTÉ reported that the full extent of the impact remains uncertain and may not be known until the end of next week.

As a result of the incident, SETU’s Waterford campus is facing extensive IT disruptions. Staff and students have been left without access to campus internet, email, file-sharing services, and other digital resources necessary for teaching and administration. The Teachers’ Union of Ireland (TUI) branch in Waterford sent an email to its members warning that the campus might remain offline throughout the week. It advised faculty to print materials from home if possible, as on-campus systems remain largely inaccessible.

The statement on SETU’s website reiterated the collaborative efforts with cybersecurity specialists and relevant authorities to manage the situation. “Our internal IT team is working closely with external cybersecurity experts to address the situation and minimize any potential impact,” the statement reads.

Why Cybercriminals Target Educational Institutes

The cyberattack on SETU’s IT infrastructure is part of a troubling trend of cyber incidents targeting educational institutions. In July 2024, Frankfurt University of Applied Sciences faced a similar cyberattack, leading to a total shutdown of its IT systems. According to a statement from Frankfurt University, hackers struck at approximately 8 p.m. on July 6, causing significant disruption to its operations. Outside the education sector, in June 2024, Germany’s Christian Democratic Union (CDU) suffered a major cyberattack that forced the political party to shut down parts of its IT infrastructure temporarily. These incidents underscore the growing threat of cyberattacks on organizations with extensive data assets.

Recent studies show that cybercriminals are increasingly targeting universities for the rich stores of sensitive data they hold. In particular, ransomware, phishing scams, and credential theft have become common tactics. Universities often store large amounts of research data, student records, and financial information, making them lucrative targets for cybercriminals. According to Verizon’s 2024 Data Breach Investigations Report, the education sector experienced 1,780 cyber incidents in 2023, with 1,537 involving confirmed data disclosure. This represents a 258% increase in the number of incidents and a 545% rise in the amount of exposed data compared to the previous year. Many of these incidents were linked to vulnerabilities like the MOVEit Transfer flaw, whose exploitation affected 900 U.S. schools.

While no data breach has been reported in SETU’s case so far, this incident serves as a stark reminder of the urgent need for robust cybersecurity measures within educational institutions. For now, SETU is prioritizing the restoration of its Waterford campus’s IT systems and ensuring that staff and students can resume academic activities with minimal disruption. The university’s internal IT team, in collaboration with external cybersecurity experts, is continuing its investigation while closely monitoring the systems for any signs of further compromise.

image for Schneider Electric C ...

 Ransomware News

Schneider Electric, a French multinational renowned globally for its energy and industrial automation products, confirmed to The Cyber Express that hackers gained access to one of its internal systems. The confirmation followed claims of a data breach on the dark web, where the hackers reportedly offered to cut the ransom in half if Schneider's newly appointed CEO publicly acknowledged the breach.

"Schneider Electric is investigating a cybersecurity incident involving unauthorized access to one of our internal project execution tracking platforms which is hosted within an isolated environment," a company spokesperson told The Cyber Express. "Our Global Incident Response team has been immediately mobilized to respond to the incident."

HellCat Ransomware Claims Breach

News of the breach first came to light when a newly emerged ransomware group, "HellCat," listed the energy giant on its leak site and claimed the entry point of the breach was the company's Atlassian Jira system.

(Image: Post on the leak site of Schneider Electric)

HellCat claims to have stolen 40 gigabytes of data, including projects, issues, plugins, and over 400,000 rows of user data, from the Jira instance. Following the modus operandi of nearly all financially motivated ransomware gangs, HellCat demanded a ransom of $125,000 in XMR (Monero) from Schneider Electric in exchange for not making the data public.

Some X (formerly Twitter) users have shared purported proof of the Schneider Electric breach. Although the veracity of these details could not be verified, the data appears highly sensitive, exposing details such as full names, email addresses, access rights and application names of Schneider Electric's internal developers. The company did not offer further clarification regarding these claims in its statement, but said: "Schneider Electric´s products and services remain unaffected."

The HellCat ransomware group emerged late last month and has since claimed two other victims: the College of Business Education in Tanzania and the Ministry of Education in Jordan.

(Image: HellCat leak site claims three victims to date)

Hackers Leave a Welcome Note for New CEO

Incidentally, on the day the hackers claimed the breach, Schneider Electric announced the unanimous appointment of Olivier Blum as its new chief executive officer. In a surprising move, the energy and automation giant ousted its now former CEO Peter Herweck after only a year and a half in charge, citing disagreements with the board. "The Board of Directors decided to remove from office Peter Herweck as Chief Executive Officer due to divergences in the execution of the company roadmap at a time of significant opportunities," the official statement said.

(Image: Olivier Blum, CEO of Schneider Electric. Source: Schneider Electric on X)

Olivier Blum is a 54-year-old French national who, before his appointment, led Schneider Electric's rapidly growing Energy Management business across all markets, including data centers. A member of the Executive Committee since 2014, Blum has held key roles within Schneider, including Group Chief Strategy & Sustainability Officer, Chief Human Resources Officer, and Country President of Greater India for five years. He also spent five years as a strategic and business leader in China.

Likely as a welcome gesture to Blum and for media publicity, HellCat said it would give a 50% discount if the new CEO admits to being breached. "Its your choice Olivier," the hackers said.

Not the First Whammy

Schneider Electric had previously fallen victim to the Cl0p and Cactus ransomware groups. While the Cl0p exposure was likely part of the larger MOVEit campaign, the Cactus ransomware gang claimed to have exfiltrated 1.5 terabytes of data, according to threat intelligence from Cyble's Research and Intelligence Labs. Cactus published the folder tree of the compromised data and also leaked sample documents containing passport images, NDAs, backup information, audit details, and financial details.

Also read: Complexity Mounts in Schneider Electric Data Breach: Cactus Ransomware Claims Responsibility

image for Nigeria Arrests 130  ...

 Cyber News

A police crackdown in Abuja unveiled a web of cybercrime operations involving foreign nationals and Nigerian collaborators, exposing a serious threat to Nigeria’s national security. The Nigeria Police Force reported the arrest of 130 individuals, including 113 foreign nationals primarily from China and Malaysia, alongside 17 Nigerians, in a sting operation in the city’s Next Cash and Carry area.

Uncovering a Criminal Network

Led by Assistant Inspector-General Benneth Igweh, the operation targeted a building where suspects allegedly engaged in cybercrime and hacking activities, using advanced computing devices to conduct their illicit work. This coordinated raid reflects Nigeria’s increased commitment to addressing cybercrime amid its ranking as the fifth most prolific source of cybercrime worldwide, behind Russia, Ukraine, China, and the United States.

According to ACP Olumuyiwa Adejobi, the Nigeria Police’s spokesperson, investigators are conducting a “scientific” analysis of the seized devices and data. “We are investigating the matter and scientifically analyzing the exhibits recovered from them,” Adejobi said, signaling that suspects will be charged following the probe.

Also read: One of the Largest Cybercriminal Operations in West Africa Dismantled

National Cybercrime Surge and Global Ties

This raid highlights Nigeria’s struggle with cybercriminal activities, which often see local offenders working in concert with international players. Recent research underscores this trend: the "World Cybercrime Index," published by researchers from the University of Oxford and the University of New South Wales, ranks Nigeria as a significant hub for cybercrime, alongside eight other countries, including North Korea, the United Kingdom, Brazil, and India.

(Image: Source: World Cybercrime Index)

The report identifies key drivers of cybercrime in Nigeria, including economic incentives and limited law enforcement resources. The surveyed experts assessed cybercrime by category, such as technical products and services, data and identity theft, scams, and cashing out and money laundering. Nigeria’s appearance in the top ten of each category suggests the pervasive nature of cyber threats stemming from the country, despite ongoing efforts to curb them.

(Image: Half of the world's scams originate from Nigeria. Source: World Cybercrime Index)

Also read: More than $250M Seized in Global Online Scam Crackdown

The Anatomy of Nigeria’s Cybercrime Ecosystem

With global cybercrime projected to cost $12 trillion by 2025, understanding the makeup of Nigeria’s cybercriminal ecosystem is essential. Dr. Jonathan Lusthaus, one of the report’s authors, explained that cybercriminals evade detection by hiding behind anonymized networks and complex infrastructures. This anonymity challenges law enforcement agencies worldwide, making operations like the recent raid in Abuja vital. Dr. Miranda Bruce, co-author of the index, highlighted the importance of shedding light on these cybercrime hotspots. "This research will help remove the veil of anonymity around cybercriminal offenders,” Bruce said, adding that early interventions in at-risk countries could help prevent cybercrime from escalating further.

Rising Threats and National Security Concerns

This high-profile bust adds pressure on Nigerian authorities to intensify cybersecurity measures and safeguard the country's digital infrastructure. The arrested individuals face charges under Nigeria’s cybersecurity laws, and their activities underscore the role of global networks in facilitating cybercrime within Nigerian borders. The incident has prompted concerns about whether similar networks are operating undetected, posing a potential security risk to both Nigeria and the global cyber landscape.

As Nigeria aims to crack down on its cybercrime hotspots, incidents like this highlight the need for cross-border cooperation and technology-driven investigations. With support from international bodies, the Nigeria Police Force has a significant role to play in preventing the escalation of cyber threats across the region.

image for Critical ICS Vulnera ...

 Vulnerabilities

Cyble Research & Intelligence Labs (CRIL) has released a new report focusing on critical Industrial Control System (ICS) vulnerabilities, with insights derived from recent advisories issued by the Cybersecurity and Infrastructure Security Agency (CISA). The report highlights key flaws in several prominent ICS products, urging immediate action to mitigate risks that could have devastating consequences for organizations dependent on these systems.

During the reporting period, CISA issued four security advisories addressing vulnerabilities in ICS products used across industries such as manufacturing, energy, transportation, and utilities. The affected systems come from vendors including ICONICS, Mitsubishi Electric, VIMESA, iniNet Solutions, and Deep Sea Electronics. The vulnerabilities identified range from path traversal to improper access control and missing authentication, all of which pose risks to the integrity and confidentiality of ICS networks. The report also highlights a particularly concerning vulnerability in the SpiderControl SCADA HMI Editor, as well as a configuration disclosure issue in the Deep Sea Electronics DSE855, which could enable unauthorized access to sensitive data and credentials.

Detailed Breakdown of Key ICS Vulnerabilities

The CRIL analysis has identified several high-priority vulnerabilities that organizations need to address immediately to protect their ICS environments from exploitation. These vulnerabilities range in severity, but all require prompt action to mitigate potential risks.

One of the most critical vulnerabilities is CVE-2024-7587, which affects the ICONICS Suite, including products such as GENESIS64 and Hyper Historian. This vulnerability stems from incorrect default permissions, which can lead to unauthorized access to key control systems like SCADA (Supervisory Control and Data Acquisition), DCS (Distributed Control Systems), and BMS (Building Management Systems). Unauthorized access to these critical systems poses a serious threat to operational safety and security. ICONICS has already released a patch to resolve this vulnerability, and it is strongly recommended that organizations using affected products update their systems immediately to avoid potential exploitation.

Another vulnerability is CVE-2024-9692, which impacts the VIMESA Blue Plus Transmitter. This vulnerability is categorized as medium severity and involves improper access control, affecting communication units and transmitters used in industrial environments. If left unaddressed, this flaw could allow attackers to gain unauthorized access to vital communication infrastructure. A patch is available, and organizations are advised to apply it without delay to mitigate the risk.

A high-severity vulnerability is also present in the SpiderControl HMI Editor from iniNet Solutions. This vulnerability, identified as CVE-2024-10313, is a path traversal issue that allows attackers to access files and directories outside of their intended scope. This could expose sensitive configuration files and system data, making it a significant threat to the integrity of the system. A patch has been released to address this flaw, and it is critical that organizations implement the fix as soon as possible to protect their systems from unauthorized access and potential data breaches.

Lastly, CVE-2024-5947 affects the DSE855 unit from Deep Sea Electronics. This vulnerability arises from missing authentication controls and primarily impacts communication units and transmitters. Attackers could bypass authentication and gain unauthorized access to sensitive system settings, which could compromise the security and functionality of the system. Deep Sea Electronics has issued a patch to correct this vulnerability, and it is recommended that organizations apply the patch immediately to prevent exploitation.

The vulnerabilities identified in this week's report fall into the medium and high severity categories, with all requiring urgent attention. The risks associated with these ICS vulnerabilities are significant, as they could be exploited by attackers to disrupt operations, steal sensitive data, or even gain control of critical infrastructure. This highlights the importance of addressing these vulnerabilities promptly to safeguard operational technology (OT) systems and ensure continuity of critical services.

Conclusion

To effectively address the identified ICS vulnerabilities and prevent exploitation, organizations must adopt a proactive cybersecurity strategy. Timely patch deployment is crucial. Staying informed about security advisories from vendors and regulatory bodies, and quickly applying patches for vulnerabilities like CVE-2024-7587 and CVE-2024-9692, can significantly reduce the risk of exploitation.

Organizations should also actively monitor CISA’s Known Exploited Vulnerabilities (KEV) Catalog to identify vulnerabilities being actively exploited and take swift action. Network segmentation is vital to protect critical ICS assets, and regularly conducting vulnerability assessments and penetration testing will help identify weaknesses before attackers can exploit them. Implementing strong physical security controls will prevent unauthorized access to ICS devices and networks.

An updated incident response plan is essential, outlining procedures for detecting and recovering from security incidents. Ongoing cybersecurity training for employees, especially those working with OT systems, is necessary to reduce human errors and maintain a strong security posture.
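The path traversal entry above (CVE-2024-10313) is worth seeing in code, because the durable fix is a containment check on the resolved path rather than a blocklist of "../" substrings. The block below is an added illustration of that vulnerability class, not the SpiderControl HMI Editor's code and not based on any knowledge of its internals; the project directory, file names and contents are constructed for the demonstration. It shows a project-file lookup that trusts the requested name beside one that resolves the path and verifies it stays under the project root.

```python
"""Path traversal: a vulnerable project-file lookup beside a hardened one.

Added illustration of the flaw class behind CVE-2024-10313 (path traversal
in the iniNet SpiderControl HMI Editor). This is not the product's code and
makes no claim about its internals; the project directory, file names and
contents are constructed for the example.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def read_project_file_vulnerable(project_root: str, requested: str) -> bytes:
    """Joins the caller-supplied name straight onto the root.

    A request such as "../secret.txt" (or an absolute path) walks out of the
    project directory: the CWE-22 pattern.
    """
    return Path(project_root, requested).read_bytes()


def read_project_file_hardened(project_root: str, requested: str) -> bytes:
    """Resolves both sides ('..' and symlinks included), then checks containment.

    Because the check runs on the resolved path, "../" segments, absolute
    paths, and symlinks inside the root that point outside it are all
    rejected the same way.
    """
    root = Path(project_root).resolve()
    target = (root / requested).resolve()
    if root not in target.parents:
        raise PermissionError(f"path escapes project root: {requested!r}")
    return target.read_bytes()


def build_sandbox() -> Tuple[str, str]:
    """Constructed layout: <tmp>/projects/config/hmi.cfg inside the root and
    <tmp>/secret.txt one level above it."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "projects")
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, "config", "hmi.cfg"), "wb") as fh:
        fh.write(b"station=1\n")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "wb") as fh:
        fh.write(b"db_password=hunter2\n")
    return root, secret


def demo() -> Dict[str, object]:
    """Runs both readers against a legitimate name and a traversal attempt."""
    root, _ = build_sandbox()
    results: Dict[str, object] = {
        "legit_vulnerable": read_project_file_vulnerable(root, "config/hmi.cfg"),
        "legit_hardened": read_project_file_hardened(root, "config/hmi.cfg"),
        "escape_vulnerable": read_project_file_vulnerable(root, "../secret.txt"),
    }
    try:
        read_project_file_hardened(root, "../secret.txt")
        results["escape_hardened"] = "allowed"
    except PermissionError:
        results["escape_hardened"] = "blocked"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Run it and the vulnerable reader returns the contents of secret.txt for the request ../secret.txt while the hardened one raises PermissionError. Rejecting the request is only half of the fix: the server should also log it, since a traversal attempt against an HMI editor is a strong signal that someone is mapping the host.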

image for How Cyble is Leading ...

 Deepfake

Imagine a video surfaces online showing a high-profile executive saying things they would never say. The video looks real, sounds real, and spreads across social media at lightning speed, impacting reputations, business decisions, and public trust. In today’s digital age, deepfakes like this aren’t just science fiction; they’re a very real threat that can be weaponized against individuals and organizations alike.

Recognizing the urgency to protect executives from these risks, Cyble Inc. has launched its Deepfake Detection & Takedown Tool. This tool, integrated within Cyble’s Executive Monitoring Module, is designed to detect and neutralize deepfake content quickly and effectively. By combining AI-based detection with real-time alerting, Cyble offers a safeguard for those most exposed to manipulated media. So how does Cyble’s tool tackle this rising threat? Let’s explore how the solution works to shield digital identities from the perils of deepfakes.

Understanding Cyble's Deepfake Detection Module

The Deepfake Detection Module focuses on identifying and addressing fake media content. Deepfakes, videos altered to make someone appear to say or do things they haven’t, have become increasingly convincing and damaging. Cyble’s tool uses detection algorithms to analyze videos and determine whether deepfake technology has been applied, offering a crucial layer of protection for executives and high-profile individuals whose reputations are at risk.

Key Features of Cyble’s Deepfake Detection Tool

Cyble's deepfake detection module offers several features that help users stay vigilant:

Deepfake Identification: At its core, this module detects alterations in videos to identify deepfakes. By analyzing the digital traces left by manipulation, it differentiates between authentic and altered content.

Takedown Requests: Beyond detection, Cyble gives users the ability to request the takedown of identified deepfake content. This added step enhances the module’s proactive stance, allowing users to actively protect their digital presence.

Executive Details Submission: For comprehensive monitoring, executives can submit their personal details securely within the platform. This step enables Cyble’s tool to track and detect unauthorized use of their identity across various media.

AI Technology: Cyble’s module uses AI models trained on a dataset of deepfake and authentic videos, enabling it to keep up with the latest manipulation techniques. This approach is intended to keep Cyble's detection capabilities robust as deepfake technology evolves.

Timely Alerts: As soon as content flagged as a potential deepfake is detected, Cyble immediately sends an alert to the user. This lets executives respond quickly to potential misinformation, minimizing damage to their reputation or corporate image.

Social Media Integration: Currently focused on major platforms like YouTube, Cyble’s roadmap includes gradually expanding its monitoring capabilities to all major social media networks. As deepfakes are commonly distributed on these platforms, comprehensive social media coverage is a crucial addition.

Access and Requirements

Cyble’s Deepfake Detection Module is an extension of the Executive Monitoring Module, a platform that provides a broader approach to monitoring text, image, and now video content. Access through that module ensures a unified approach to monitoring, allowing users to keep an eye on potentially harmful information across multiple content types.

Why Cyble’s Deepfake Detection Matters

The rise of deepfake content has amplified risks for individuals and organizations alike. Inaccurate video portrayals can lead to reputational harm, financial losses, and even legal ramifications. Cyble’s tool isn’t just about detecting fakes; it’s about preserving the integrity of information in the digital age. By offering real-time detection and prompt takedown options, Cyble’s module aims to prevent the spread of misinformation before it can harm its subjects. This approach supports broader goals of personal privacy, corporate integrity, and social trust, reinforcing Cyble's commitment to tackling complex cybersecurity threats.

Cyble’s Role in Protecting Digital Environments

As cyber threats continue to evolve, Cyble is committed to staying at the forefront of security solutions. Its Deepfake Detection Module represents a significant step forward in fighting manipulated media. Executives and organizations now have access to a tool for maintaining their digital reputation, preserving the truth, and minimizing potential disruptions caused by deepfake technology. With this module, Cyble is not only protecting its users but also contributing to a more secure and transparent digital landscape.


 Cyber News

The Cybersecurity and Infrastructure Security Agency (CISA) has added two newly discovered vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog following confirmed reports of active exploitation. These vulnerabilities, identified as CVE-2024-8957 and CVE-2024-8956, impact PTZOptics PT30X-SDI/NDI cameras and pose substantial security risks, particularly to federal agencies and enterprises.

These vulnerabilities are a significant concern due to the ease with which attackers can exploit them to gain unauthorized control, potentially leading to severe data breaches and system compromises. CISA has urged federal agencies and users to apply vendor-provided mitigations promptly or discontinue using the affected devices if mitigations are unavailable. The deadline for remediation actions is set for November 25, 2024.

CVE-2024-8957: OS Command Injection Vulnerability

Overview

CVE-2024-8957, an OS command injection vulnerability, exists in PTZOptics PT30X-SDI/NDI cameras running firmware versions earlier than 6.3.40. This flaw enables a remote, authenticated attacker to escalate privileges to root by injecting a crafted payload into the ntp_addr parameter of the /cgi-bin/param.cgi CGI script.

Technical Details

In affected PTZOptics cameras, the OS command injection vulnerability is caused by insufficient validation of the ntp_addr configuration value. During the ntp_client startup, an attacker’s payload may be executed as a system command, granting root access. This escalation of privileges allows the attacker to gain complete control over the device, and if combined with CVE-2024-8956, an unauthenticated attacker could remotely execute arbitrary OS commands on the device.

The vulnerability is identified under CWE-78 (OS Command Injection). Although it is not currently known to be associated with ransomware campaigns, the potential for misuse remains high. The combination of command injection and authentication bypass (CVE-2024-8956) increases the risk significantly, as it allows attackers to exploit the device with minimal authentication barriers.

Action Required

Users are advised to update their devices to the latest firmware version, 6.3.40, following the vendor’s mitigation steps. If updating is not feasible, discontinuing the use of the product is strongly recommended to prevent unauthorized access and potential data compromise.

Date Added to CISA KEV Catalog: November 4, 2024
Remediation Due Date: November 25, 2024

CVE-2024-8956: Authentication Bypass Vulnerability

Overview

The second vulnerability, CVE-2024-8956, is an authentication bypass issue that allows unauthorized access to sensitive camera functions. PTZOptics PT30X-SDI/NDI cameras running firmware versions before 6.3.40 are affected. By exploiting this vulnerability, attackers can bypass authentication controls on the /cgi-bin/param.cgi script, enabling them to access and manipulate device configurations without requiring credentials.

Technical Details

CVE-2024-8956 stems from an insecure direct object reference (IDOR) vulnerability. In this case, the camera does not enforce proper authentication protocols, specifically when requests are sent without an HTTP Authorization header. This flaw allows attackers to retrieve sensitive data, such as usernames, password hashes, and configuration details. Furthermore, attackers could modify individual configuration values or overwrite the entire file, effectively hijacking control of the device.

Listed under CWE-287 (Improper Authentication), this vulnerability poses a risk of remote access and tampering with device settings. Combined with CVE-2024-8957, it enables attackers to achieve full remote code execution on affected devices. The absence of adequate authentication opens the door to potential data leakage and unauthorized adjustments to camera settings, underscoring the need for immediate remediation.

Action Required

CISA recommends that users apply the latest firmware patch from PTZOptics, which addresses this issue. If this mitigation cannot be implemented, discontinuing the use of the vulnerable devices is advised. Taking prompt action is crucial to prevent unauthorized access and potential breaches in sensitive environments.

Date Added to CISA KEV Catalog: November 4, 2024
Remediation Due Date: November 25, 2024

Broader Implications and Security Recommendations

The recent addition of these vulnerabilities to CISA’s KEV Catalog highlights the escalating security challenges faced by devices within the Internet of Things (IoT) space, including surveillance cameras, networked sensors, and other connected devices. IoT devices, such as PTZOptics cameras, are increasingly becoming primary targets for cybercriminals due to their access to sensitive data and limited built-in security measures.

In cases like CVE-2024-8957 and CVE-2024-8956, attackers can potentially gain control over cameras, bypass authentication, exfiltrate data, or even alter device configurations remotely. These actions could have far-reaching consequences for enterprises, from unauthorized access to video feeds to potential data breaches. Given the high risk posed by command injection and authentication bypass vulnerabilities, organizations should implement the following best practices:

Patch Management: Regularly update firmware for IoT devices, particularly those with known security flaws. Ensure devices operate on the latest, most secure firmware versions to prevent vulnerabilities from being exploited.

Network Segmentation: Isolate IoT devices on separate networks from critical assets to limit exposure. This reduces the impact of a potential breach by containing it within a smaller, controlled environment.

Monitoring and Logging: Establish comprehensive monitoring and logging protocols for IoT devices. Continuous monitoring can help detect suspicious activities, while logging provides insights into abnormal behavior that might indicate an exploit attempt.

Authentication Controls: Enhance authentication requirements for accessing sensitive systems and ensure all configuration changes require verified credentials. Implement strong password policies and multifactor authentication wherever possible.

Vendor Communication: Maintain open communication with device vendors to stay informed of security updates and vulnerabilities. Many vendors provide timely alerts and recommended actions when new vulnerabilities are discovered.

CISA’s proactive approach in cataloging known exploited vulnerabilities and setting mandatory remediation timelines emphasizes the importance of safeguarding IoT devices against evolving cyber threats. As the use of IoT technology continues to grow, staying updated with the latest security advisories and practicing diligent network hygiene will be essential in minimizing exposure to cyber risks.
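The two advisory details above (no Authorization header on /cgi-bin/param.cgi for CVE-2024-8956, shell metacharacters in the ntp_addr value for CVE-2024-8957) translate directly into monitoring checks. The following is an added example, not code from CISA or PTZOptics; it assumes a hypothetical tab-separated log export from a proxy or IDS in front of the cameras (client, method, URL, whether an Authorization header was present), that parameters arrive in the query string, and that the device reports its firmware as a dotted version string. The sample records are constructed and the parameter name "probe" and the value CMD_PLACEHOLDER are placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Fixed release named in the advisory; anything older is affected.
FIXED_VERSION = (6, 3, 40)
VULN_SCRIPT = "/cgi-bin/param.cgi"

# Shell separators and substitution characters that an OS command injection
# (CWE-78) through ntp_addr would depend on; a legitimate NTP address has none.
SHELL_META = re.compile(r"[;|&`$<>\n\r]")
# Shape of a legitimate value: hostname, IPv4 or bracketed IPv6, optional :port.
NTP_ADDR_OK = re.compile(r"^[A-Za-z0-9.\-:\[\]]+$")


def parse_version(text):
    """'6.3.39' -> (6, 3, 39); tuple comparison orders releases correctly."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable_firmware(text):
    """True when the reported firmware is older than 6.3.40 (patch management check)."""
    return parse_version(text) < FIXED_VERSION


def analyze_request(line):
    """Check one log record and return a list of (client, cve, reason) findings.

    Assumed record format (tab separated): client_ip, method, request URL,
    and 'yes'/'no' for whether an HTTP Authorization header was present.
    """
    client, _method, url, auth_present = line.split("\t")
    parts = urlsplit(url)
    if parts.path != VULN_SCRIPT:
        return []  # only param.cgi is in scope for both CVEs
    findings = []
    # CVE-2024-8956: the advisory says the camera skips authentication when the
    # Authorization header is absent, so such requests to param.cgi are the signal.
    if auth_present.strip().lower() != "yes":
        findings.append((client, "CVE-2024-8956",
                         "param.cgi request without Authorization header"))
    # CVE-2024-8957: parse_qs percent-decodes, so an encoded ';' is caught as well.
    for value in parse_qs(parts.query, keep_blank_values=True).get("ntp_addr", []):
        if SHELL_META.search(value) or not NTP_ADDR_OK.match(value):
            findings.append((client, "CVE-2024-8957",
                             f"suspicious ntp_addr value {value!r}"))
    return findings


def scan_log(text):
    """Run analyze_request over every non-empty record in a log blob."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(analyze_request(line))
    return findings


# Constructed sample records (not real traffic); CMD_PLACEHOLDER stands in for
# whatever an attacker would append after the separator.
SAMPLE_LOG = "\n".join([
    "10.1.2.3\tGET\t/cgi-bin/param.cgi?probe=1\tyes",
    "10.1.2.3\tGET\t/cgi-bin/param.cgi?probe=1\tno",
    "10.1.2.9\tGET\t/cgi-bin/param.cgi?ntp_addr=pool.ntp.org\tyes",
    "10.1.2.9\tGET\t/cgi-bin/param.cgi?ntp_addr=pool.ntp.org%3BCMD_PLACEHOLDER\tno",
    "10.1.2.4\tGET\t/index.html\tno",
])

if __name__ == "__main__":
    for firmware in ("6.3.39", "6.3.40"):
        print(firmware, "vulnerable" if is_vulnerable_firmware(firmware) else "fixed")
    for client, cve, reason in scan_log(SAMPLE_LOG):
        print(client, cve, reason)
```

On the sample records the scan reports the unauthenticated param.cgi requests from both clients and the metacharacter in the second ntp_addr value, while the authenticated request with a plain hostname passes.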


 Cyber News

Interpol has coordinated a major international takedown of cybercrime infrastructure that was in operation around the globe. Dubbed "Operation Synergia II," the action led to the takedown of more than 22,000 malicious IP addresses and servers. The large-scale global operation, spanning April to August 2024 and announced today, targeted phishing schemes, information-stealing malware, and ransomware—some of today’s most aggressive cyber threats.

Malicious IPs Targeted in Coordinated Takedown

The operation involved a collaborative effort between Interpol, private cybersecurity partners, and law enforcement agencies from 95 countries. Nearly 30,000 suspicious IP addresses came under scrutiny, with Interpol seizing 59 servers and taking down 76% of identified malicious addresses. Authorities apprehended 41 suspects, while 65 more remain under investigation.

Interpol coordinated with private sector experts from Group-IB, Trend Micro, Kaspersky, and Team Cymru, drawing on their cyber-tracking capabilities to identify illegal activities across thousands of servers. This partnership fueled targeted actions in countries worldwide, leading to data seizures, house searches, and infrastructure takedowns.

In Hong Kong, police removed over 1,000 servers tied to cybercrimes, while Mongolia’s investigators seized equipment and identified 93 suspects. Macau and Madagascar also contributed by deactivating hundreds of servers and seizing electronic devices.

Neal Jetton, Interpol’s Cybercrime Directorate Director, stated, “The global nature of cybercrime requires a global response... Together, we’ve dismantled malicious infrastructure and protected countless potential victims.”

Rising Threats: Phishing, Infostealers, and Ransomware

Operation Synergia II specifically targeted three critical cyber threats. Phishing remains the most commonly reported initial attack vector. Cybercriminals increasingly use generative AI to craft more convincing, multilingual phishing emails, making detection harder for traditional defenses. In phishing attacks, hackers use deception to steal data, install malware, or gain further network access.

Another growing threat, information stealers (infostealers), are designed to extract sensitive data like login credentials and financial information from victims. Cybercriminals often use stolen data to execute ransomware attacks. Interpol noted a surge in 2023 in dark web logs from infostealers—a 40% increase—indicating the demand for stolen credentials.

Meanwhile, ransomware has hit a grim milestone, with attacks spiking globally by 70% across multiple sectors. Attackers have widened their focus across industries and geographic regions, forcing organizations to ramp up defenses. Ransomware, a malicious code that locks or encrypts victims’ files until a ransom is paid, has become a weapon of choice for cybercriminals.

Global Collaboration Key to Fighting Cybercrime

Operation Synergia II marks a concerted effort to halt the rising tide of transnational cybercrime, as the professionalization of cyberattacks poses escalating risks to individuals and businesses worldwide. Interpol’s network of member countries and cybersecurity firms played a critical role in the crackdown, setting a precedent for future collaborative actions.


 Privacy

We’ve already discussed how most tracking apps provide minimal protection for your personal data by default. Routes and workout times, your fitness data and photos from your runs are usually publicly available online unless you explicitly block them. The consequences, as we’ve written, can be disastrous — ranging from leaks of secret facility locations to stalking and even attempted murder. To avoid this, you need to configure both your smartphone in general and running apps in particular. You can find our instructions for the most popular running trackers via these links: Strava, Nike Run Club, MapMyRun, adidas Running. Today, wrapping up our review of training-app privacy settings, we’ll explain how to properly configure ASICS Runkeeper (for both Android and iOS).

Like other major sportswear brands like Nike and adidas, the Japanese company ASICS, well-known for its running shoes, didn’t try to reinvent the wheel. Instead, it just acquired the popular running tracking app Runkeeper, and didn’t even rename it — simply adding its brand name to give us ASICS Runkeeper.

The privacy settings in ASICS Runkeeper — like in the other running apps — are not so easy to find. If you click on the gear icon in the upper left corner of the main screen, you won’t find them there — those are activity settings. Instead, click Me in the lower left corner, then click the gear icon in the upper right corner, and on the next page, select Privacy Settings.

Where to find privacy settings in ASICS Runkeeper: Me -> Settings -> Privacy Settings

These settings are basic — there are only three items on the page. The key thing to do here is to make sure the switch next to Public Account is turned off. I also recommend going into the Maps and Activities sections and changing the visibility from Followers to Only Me (in Runkeeper, the Everyone option appears only for public accounts).

ASICS Runkeeper’s privacy settings are quite minimal

It’s also a good idea to adjust the types of notifications ASICS Runkeeper can send you (there are many in the settings) by going back to Settings and choosing Push Notifications. Next to that option, there’s an Email Notifications section where you can turn off email notifications from the app.

Finally, if you decide to stop using Runkeeper, don’t forget to delete your data from the app. You can do this by going to Settings -> Account Settings -> Delete Account. You can also download your data before deleting it.

If you use other tracking apps for your workouts, you can configure their privacy settings using our guides: Strava, Nike Run Club, MapMyRun, adidas Running.

To learn how to configure privacy in other apps — from social networks to browsers — visit our website Privacy Checker. And Kaspersky Premium will maximize your privacy protection and prevent digital identity theft across all your devices. Don’t forget to subscribe to our blog to get more instructions and useful articles so that scammers will always… eat your dust.


 A Little Sunshine

A 26-year-old man in Ontario, Canada has been arrested for allegedly stealing data from and extorting more than 160 companies that used the cloud data service Snowflake.

Image: https://www.pomerium.com/blog/the-real-lessons-from-the-snowflake-breach

On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States. Bloomberg first reported Moucka’s alleged ties to the Snowflake hacks on Monday.

At the end of 2023, malicious hackers learned that many large companies had uploaded huge volumes of sensitive customer data to Snowflake accounts that were protected with little more than a username and password (no multi-factor authentication required). After scouring darknet markets for stolen Snowflake account credentials, the hackers began raiding the data storage repositories used by some of the world’s largest corporations.

Among those was AT&T, which disclosed in July that cybercriminals had stolen personal information and phone and text message records for roughly 110 million people — nearly all of its customers. Wired.com reported in July that AT&T paid a hacker $370,000 to delete stolen phone records.

A report on the extortion attacks from the incident response firm Mandiant notes that Snowflake victim companies were privately approached by the hackers, who demanded a ransom in exchange for a promise not to sell or leak the stolen data. All told, more than 160 Snowflake customers were relieved of data, including TicketMaster, Lending Tree, Advance Auto Parts and Neiman Marcus.

Moucka is alleged to have used the hacker handles Judische and Waifu, among many others. These monikers correspond to a prolific cybercriminal whose exploits were the subject of a recent story published here about the overlap between Western, English-speaking cybercriminals and extremist groups that harass and extort minors into harming themselves or others.

On May 2, 2024, Judische claimed on the fraud-focused Telegram channel Star Chat that they had hacked Santander Bank, one of the first known Snowflake victims. Judische would repeat that claim in Star Chat on May 13 — the day before Santander publicly disclosed a data breach — and would periodically blurt out the names of other Snowflake victims before their data even went up for sale on the cybercrime forums.

404 Media reports that at a court hearing in Ontario this morning, Moucka called in from a prison phone and said he was seeking legal aid to hire an attorney.

KrebsOnSecurity has learned that Moucka is currently named in multiple indictments issued by U.S. prosecutors and federal law enforcement agencies. However, it is unclear which specific charges the indictments contain, as all of those cases remain under seal.

TELECOM DOMINOES

Mandiant has attributed the Snowflake compromises to a group it calls “UNC5537,” with members based in North America and Turkey. Sources close to the investigation tell KrebsOnSecurity the UNC5537 member in Turkey is John Erin Binns, an elusive American man indicted by the U.S. Department of Justice (DOJ) for a 2021 breach at T-Mobile that exposed the personal information of at least 76.6 million customers.

In a statement on Moucka’s arrest, Mandiant said UNC5537 aka Alexander ‘Connor’ Moucka has proven to be one of the most consequential threat actors of 2024.

“In April 2024, UNC5537 launched a campaign, systematically compromising misconfigured SaaS instances across over a hundred organizations,” wrote Austin Larsen, Mandiant’s senior threat analyst. “The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm an individual can cause using off-the-shelf tools.”

Sources involved in the investigation said UNC5537 has focused on hacking into telecommunications companies around the world. Those sources told KrebsOnSecurity that Binns and Judische are suspected of stealing data from India’s largest state-run telecommunications firm Bharat Sanchar Nigam Ltd (BSNL), and that the duo even bragged about being able to intercept or divert phone calls and text messages for a large portion of the population of India.

Judische appears to have outsourced the sale of databases from victim companies who refuse to pay, delegating some of that work to a cybercriminal who uses the nickname Kiberphant0m on multiple forums. In late May 2024, Kiberphant0m began advertising the sale of hundreds of gigabytes of data stolen from BSNL.

“Information is worth several million dollars but I’m selling for pretty cheap,” Kiberphant0m wrote of the BSNL data in a post on the English-language cybercrime community Breach Forums. “Negotiate a deal in Telegram.”

Also in May 2024, Kiberphant0m took to the Russian-language hacking forum XSS to sell more than 250 gigabytes of data stolen from an unnamed mobile telecom provider in Asia, including a database of all active customers and software allowing the sending of text messages to all customers.

On September 3, 2024, Kiberphant0m posted a sales thread on XSS titled “Selling American Telecom Access (100B+ Revenue).” Kiberphant0m’s asking price of $200,000 was apparently too high because they reposted the sales thread on Breach Forums a month later, with a headline that more clearly explained the data was stolen from Verizon’s “push-to-talk” (PTT) customers — primarily U.S. government agencies and first responders.

404Media reported recently that the breach does not appear to impact the main consumer Verizon network. Rather, the hackers broke into a third party provider and stole data on Verizon’s PTT systems, which are a separate product marketed towards public sector agencies, enterprises, and small businesses to communicate internally.

INTERVIEW WITH JUDISCHE

Investigators say Moucka shared a home in Kitchener with other tenants, but not his family. His mother was born in Chechnya, and he speaks Russian in addition to French and English. Moucka’s father died of a drug overdose at age 26, when the defendant was roughly five years old.

A person claiming to be Judische began communicating with this author more than three months ago on Signal after KrebsOnSecurity started asking around about hacker nicknames previously used by Judische over the years (Waifu, Ned, Nedral Onfroy, Noctuliuss, and November). Judische admitted to stealing and ransoming data from Snowflake customers, but he said he’s not interested in selling the information, and that others have done this with some of the data sets he stole.

“I’m not really someone that sells data unless it’s crypto [databases] or credit cards because they’re the only thing I can find buyers for that actually have money for the data,” Judische told KrebsOnSecurity. “The rest is just ransom.”

Judische has sent this reporter dozens of unsolicited and often profane messages from several different Signal accounts, all of which claimed to be an anonymous tipster sharing different identifying details for Judische. This appears to have been an elaborate effort by Judische to “detrace” his movements online and muddy the waters about his identity.

Judische frequently claimed he had unparalleled “opsec” or operational security, a term that refers to the ability to compartmentalize and obfuscate one’s tracks online. On several occasions, he shared screenshots and other information indicating someone with access to intelligence gathered by Mandiant had given him the company’s assessment of who and where they thought he was.

But in a conversation with KrebsOnSecurity on October 26, Judische acknowledged it was likely that the authorities were closing in on him, and said he would seriously answer certain questions about his personal life. “They’re coming after me for sure,” he said.

In several previous conversations, Judische referenced suffering from an unspecified personality disorder, and when pressed said he has a condition called “schizotypal personality disorder” (STPD). According to the Cleveland Clinic, schizotypal personality disorder is marked by a consistent pattern of intense discomfort with relationships and social interactions: “People with STPD have unusual thoughts, speech and behaviors, which usually hinder their ability to form and maintain relationships.”

Judische said he was prescribed medication for his psychological issues, but that he doesn’t take his meds. Which might explain why he never leaves his home.

“I never go outside,” Judische allowed. “I’ve never had a friend or true relationship not online nor in person. I see people as vehicles to achieve my ends no matter how friendly I may seem on the surface, which you can see by how fast I discard people who are loyal or [that] I’ve known a long time.”

Judische later admitted he doesn’t have an official STPD diagnosis from a physician, but said he knows that he exhibits all the signs of someone with this condition.

“I can’t actually get diagnosed with that either,” Judische shared. “Most countries put you on lists and restrict you from certain things if you have it.”

Asked whether he has always lived at his current residence, Judische replied that he had to leave his hometown for his own safety. “I can’t live safely where I’m from without getting robbed or arrested,” he said, without offering more details.

A source familiar with the investigation said Moucka previously lived in Quebec, which he allegedly fled after being charged with harassing others on the social network Discord.

Judische claims to have made at least $4 million in his Snowflake extortions. Judische said he and others frequently targeted business process outsourcing (BPO) companies, staffing firms that handle customer service for a wide range of organizations. They also went after managed service providers (MSPs) that oversee IT support and security for multiple companies, he claimed.

“Snowflake isn’t even the biggest BPO/MSP multi-company dataset on our networks, but what’s been exfiltrated from them is well over 100TB,” Judische bragged. “Only ones that don’t pay get disclosed (unless they disclose it themselves). A lot of them don’t even do their SEC filing and just pay us to fuck off.”

INTEL SECRETS

The other half of UNC5537 — 24-year-old John Erin Binns — was arrested in Turkey in late May 2024, and currently resides in a Turkish prison. However, it is unclear if Binns faces any immediate threat of extradition to the United States, where he is currently wanted on criminal hacking charges tied to the 2021 breach at T-Mobile.

A person familiar with the investigation said Binns’s application for Turkish citizenship was inexplicably approved after his incarceration, leading to speculation that Binns may have bought his way out of a sticky legal situation. Under the Turkish constitution, a Turkish citizen cannot be extradited to a foreign state. Turkey has been criticized for its “golden passport” program, which provides citizenship and sanctuary for anyone willing to pay several hundred thousand dollars.

This is an image of a passport that Binns shared in one of many unsolicited emails to KrebsOnSecurity since 2021. Binns never explained why he sent this in Feb. 2023.

Binns’s alleged hacker alter egos — “IRDev” and “IntelSecrets” — were at once feared and revered on several cybercrime-focused Telegram communities, because he was known to possess a powerful weapon: A massive botnet. From reviewing the Telegram channels Binns frequented, we can see that others in those communities — including Judische — heavily relied on Binns and his botnet for a variety of cybercriminal purposes.

The IntelSecrets nickname corresponds to an individual who has claimed responsibility for modifying the source code for the Mirai “Internet of Things” botnet to create a variant known as “Satori,” and supplying it to others who used it for criminal gain and were later caught and prosecuted.

Since 2020, Binns has filed a flood of lawsuits naming various federal law enforcement officers and agencies — including the FBI, the CIA, and the U.S. Special Operations Command (PDF), demanding that the government turn over information collected about him and seeking restitution for his alleged kidnapping at the hands of the CIA. Binns claims he was kidnapped in Turkey and subjected to various forms of psychological and physical torture.

According to Binns, the U.S. Central Intelligence Agency (CIA) falsely told their counterparts in Turkey that he was a supporter or member of the Islamic State (ISIS), a claim he says led to his detention and torture by the Turkish authorities. However, in a 2020 lawsuit he filed against the CIA, Binns himself acknowledged having visited a previously ISIS-controlled area of Syria prior to moving to Turkey in 2017.

A segment of a lawsuit Binns filed in 2020 against the CIA, in which he alleges U.S. put him on a terror watch list after he traveled to Syria in 2017.

Sources familiar with the investigation told KrebsOnSecurity that Binns was so paranoid about possible surveillance on him by American and Turkish intelligence agencies that his erratic behavior and online communications actually brought about the very government snooping that he feared.

In several online chats in late 2023 on Discord, IRDev lamented being lured into a law enforcement sting operation after trying to buy a rocket launcher online. A person close to the investigation confirmed that at the beginning of 2023, IRDev began making earnest inquiries about how to purchase a Stinger, an American-made portable weapon that operates as an infrared surface-to-air missile.

Sources told KrebsOnSecurity Binns’ repeated efforts to purchase the projectile earned him multiple visits from the Turkish authorities, who were justifiably curious why he kept seeking to acquire such a powerful weapon.

WAIFU

A careful study of Judische’s postings on Telegram and Discord since 2019 shows this user is more widely known under the nickname “Waifu,” a moniker that corresponds to one of the more accomplished “SIM swappers” in the English-language cybercrime community over the years. SIM swapping involves phishing, tricking or bribing mobile phone company employees for credentials needed to redirect a target’s mobile phone number to a device the attackers control — allowing thieves to intercept incoming text messages and phone calls.

Several SIM-swapping channels on Telegram maintain a frequently updated leaderboard of the 100 richest SIM-swappers, as well as the hacker handles associated with specific cybercrime groups (Waifu is ranked #24). That list has long included Waifu on a roster of hackers for a group that called itself “Beige.”

The term “Beige Group” came up in reporting on two stories published here in 2020. The first was in an August 2020 piece called Voice Phishers Targeting Corporate VPNs, which warned that the COVID-19 epidemic had brought a wave of targeted voice phishing attacks that tried to trick work-at-home employees into providing access to their employers’ networks. Frequent targets of the Beige group included employees at numerous top U.S. banks, ISPs, and mobile phone providers.

The second time Beige Group was mentioned by sources was in reporting on a breach at the domain registrar GoDaddy. In November 2020, intruders thought to be associated with the Beige Group tricked a GoDaddy employee into installing malicious software, and with that access they were able to redirect the web and email traffic for multiple cryptocurrency trading platforms.

Judische’s various Telegram identities have long claimed involvement in the 2020 GoDaddy breach, and he didn’t deny his alleged role when asked directly. Judische said he prefers voice phishing or “vishing” attacks that result in the target installing data-stealing malware, as opposed to tricking the user into entering their username, password and one-time code.

“Most of my ops involve malware [because] credential access burns too fast,” Judische explained.

CRACKDOWN ON HARM GROUPS?

The Telegram channels that the Judische/Waifu accounts frequented over the years show this user divided their time between posting in channels dedicated to financial cybercrime, and harassing and stalking others in harm communities like Leak Society and Court. Both of these Telegram communities are known for victimizing children through coordinated online campaigns of extortion, doxing, swatting and harassment.

People affiliated with harm groups like Court and Leak Society will often recruit new members by lurking on gaming platforms, social media sites and mobile applications that are popular with young people, including Discord, Minecraft, Roblox, Steam, Telegram, and Twitch.

“This type of offence usually starts with a direct message through gaming platforms and can move to more private chatrooms on other virtual platforms, typically one with video enabled features, where the conversation quickly becomes sexualized or violent,” warns a recent alert from the Royal Canadian Mounted Police (RCMP) about the rise of sextortion groups on social media channels.

“One of the tactics being used by these actors is sextortion, however, they are not using it to extract money or for sexual gratification,” the RCMP continued. “Instead they use it to further manipulate and control victims to produce more harmful and violent content as part of their ideological objectives and radicalization pathway.”

Some of the largest such known groups include those that go by the names 764, CVLT, Kaskar, 7997, 8884, 2992, 6996, 555, Slit Town, 545, 404, NMK, 303, and H3ll.

On the various cybercrime-oriented channels Judische frequented, he often lied about his or others’ involvement in various breaches. But Judische also at times shared nuggets of truth about his past, particularly when discussing the early history and membership of specific Telegram- and Discord-based cybercrime and harm groups.

Judische claimed in multiple chats, including on Leak Society and Court, that they were an early member of the Atomwaffen Division (AWD), a white supremacy group whose members are suspected of having committed multiple murders in the U.S. since 2017. In 2019, KrebsOnSecurity exposed how a loose-knit group of neo-Nazis, some of whom were affiliated with AWD, had doxed and/or swatted nearly three dozen journalists at a range of media publications. Swatting involves communicating a false police report of a bomb threat or hostage situation and tricking authorities into sending a heavily armed police response to a targeted address.

Judische also told a fellow denizen of Court that years ago he was active in an older harm community called “RapeLash,” a truly vile Discord server known for attracting Atomwaffen members. A 2018 retrospective on RapeLash posted to the now defunct neo-Nazi forum Fascist Forge explains that RapeLash was awash in gory, violent images and child pornography. A Fascist Forge member named “Huddy” recalled that RapeLash was the third incarnation of an extremist community also known as “FashWave,” short for Fascist Wave.

“I have no real knowledge of what happened with the intermediary phase known as ‘FashWave 2.0,’ but FashWave 3.0 houses multiple known Satanists and other degenerates connected with AWD, one of which got arrested on possession of child pornography charges, last I heard,” Huddy shared.

In June 2024, a Mandiant employee told Bloomberg that UNC5537 members have made death threats against cybersecurity experts investigating the hackers, and that in one case the group used artificial intelligence to create fake nude photos of a researcher to harass them.

Allison Nixon is chief research officer with the New York-based cybersecurity firm Unit 221B. Nixon is among several researchers who have faced harassment and specific threats of physical violence from Judische. Nixon said Judische is likely to argue in court that his self-described psychological disorder(s) should somehow excuse his long career in cybercrime and in harming others.

“They ran a misinformation campaign in a sloppy attempt to cover up the hacking campaign,” Nixon said of Judische. “Coverups are an acknowledgment of guilt, which will undermine a mental illness defense in court. We expect that violent hackers from the [cybercrime community] will experience increasingly harsh sentences as the crackdown continues.”

 Feed

Attackers are exploiting the "Envelopes: create API" of the enormously popular document-signing service to flood corporate inboxes with convincing phishing emails aimed at defrauding organizations. It's an unusual attack vector with a high success rate.

 Feed

Episode #4: NIST's new post-quantum cryptography standards are here, so what comes next? This episode of Dark Reading Confidential digs into the world of quantum computing from a cybersecurity practitioner's point of view -- with guests Matthew McFadden, vice president, Cyber, General Dynamics Information Technology (GDIT) and Thomas Scanlon, professor, Heinz College, Carnegie Mellon University.

 Feed

Scapy is a powerful interactive packet manipulation tool, packet generator, network scanner, network discovery tool, and packet sniffer. It provides classes to interactively create packets or sets of packets, manipulate them, send them over the wire, sniff other packets from the wire, match answers and replies, and more. Interaction is provided by the Python interpreter, so Python programming structures can be used (such as variables, loops, and functions). Report modules are possible and easy to make. It is intended to do the same things as ttlscan, nmap, hping, queso, p0f, xprobe, arping, arp-sk, arpspoof, firewalk, irpas, tethereal, tcpdump, etc.

 Feed

A vulnerability was identified in ABB Cylon Aspect version 3.08.00 where an off-by-one error in array access could lead to undefined behavior and potential denial of service. The issue arises in a loop that iterates over an array using a less-than-or-equal-to condition, allowing access to an out-of-bounds index. This can trigger errors or unexpected behavior when processing data, potentially crashing the application. Successful exploitation of this vulnerability can lead to a crash or disruption of service, especially if the script handles large data sets.

 Feed

GnuTLS is a secure communications library implementing the SSL and TLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols, as well as APIs to parse and write X.509, PKCS #12, OpenPGP, and other required structures. It is intended to be portable and efficient with a focus on security and interoperability.

 Feed

Ubuntu Security Notice 7091-1 - It was discovered that Ruby incorrectly handled parsing of an XML document that has specific XML characters in an attribute value using the REXML gem. An attacker could use this issue to cause Ruby to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. It was discovered that Ruby incorrectly handled parsing of an XML document that has many entity expansions with the SAX2 or pull parser API. An attacker could use this issue to cause Ruby to crash, resulting in a denial of service.

 Feed

Red Hat Security Advisory 2024-8887-03 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.13. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and denial of service vulnerabilities.

 Feed

Ubuntu Security Notice 7083-1 - It was discovered that OpenJPEG incorrectly handled certain memory operations when using the command line "-ImgDir" in a directory with a large number of files, leading to an integer overflow vulnerability. An attacker could potentially use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that OpenJPEG incorrectly handled decompressing certain .j2k files in sycc420_to_rgb, leading to a heap-based buffer overflow vulnerability. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to execute arbitrary code.

 Feed

Red Hat Security Advisory 2024-8886-03 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.12. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and denial of service vulnerabilities.

 Feed

Ubuntu Security Notice 7089-2 - Chenyuan Yang discovered that the USB Gadget subsystem in the Linux kernel did not properly check for the device to be enabled before writing. A local attacker could possibly use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

 Feed

Red Hat Security Advisory 2024-8885-03 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.14. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and denial of service vulnerabilities.

 Feed

Ubuntu Security Notice 7088-2 - Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

 Feed

Red Hat Security Advisory 2024-8884-03 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.15. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and denial of service vulnerabilities.

 Feed

Red Hat Security Advisory 2024-8874-03 - An update for haproxy is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

 Feed

Red Hat Security Advisory 2024-8870-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Issues addressed include buffer overflow, null pointer, and out of bounds access vulnerabilities.

 Feed

Red Hat Security Advisory 2024-8856-03 - An update for kernel is now available for Red Hat Enterprise Linux 8. Issues addressed include buffer overflow, null pointer, and out of bounds access vulnerabilities.

 Feed

The U.S. Federal Bureau of Investigation (FBI) has sought assistance from the public in connection with an investigation involving the breach of edge devices and computer networks belonging to companies and government entities. "An Advanced Persistent Threat group allegedly created and deployed malware (CVE-2020-12271) as part of a widespread series of indiscriminate computer intrusions designed

 Feed

Over 1,500 Android devices have been infected by a new strain of Android banking malware called ToxicPanda that allows threat actors to conduct fraudulent banking transactions. "ToxicPanda's main goal is to initiate money transfers from compromised devices via account takeover (ATO) using a well-known technique called on-device fraud (ODF)," Cleafy researchers Michele Roviello, Alessandro Strino

 Feed

Zero Trust security changes how organizations handle security by doing away with implicit trust while continuously analyzing and validating access requests. Contrary to perimeter-based security, users within an environment are not automatically trusted upon gaining access. Zero Trust security encourages continuous monitoring of every device and user, which ensures sustained protection after

 Feed

Taiwanese network-attached storage (NAS) appliance maker Synology has addressed a critical security flaw impacting DiskStation and BeePhotos that could lead to remote code execution. Tracked as CVE-2024-10443 and dubbed RISK:STATION by Midnight Blue, the zero-day flaw was demonstrated at the Pwn2Own Ireland 2024 hacking contest by security researcher Rick de Jager. RISK:STATION is an "

 Feed

An ongoing campaign is targeting npm developers with hundreds of typosquat versions of their legitimate counterparts in an attempt to trick them into running cross-platform malware. The attack is notable for utilizing Ethereum smart contracts for command-and-control (C2) server address distribution, according to independent findings from Checkmarx, Phylum, and Socket published over the past few

 Feed

Canadian law enforcement authorities have arrested an individual who is suspected to have conducted a series of hacks stemming from the breach of cloud data warehousing platform Snowflake earlier this year. The individual in question, Alexander "Connor" Moucka (aka Judische and Waifu), was apprehended on October 30, 2024, on the basis of a provisional arrest warrant, following a request by the

 Feed

Google has warned that a security flaw impacting its Android operating system has come under active exploitation in the wild. The vulnerability, tracked as CVE-2024-43093, has been described as a privilege escalation flaw in the Android Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories, and their respective

 AI

In episode 23 of The AI Fix, an AI finds a new way to make life difficult for women in STEM, Graham reveals his brilliant idea for treating any medical emergency, a beloved chat show host returns from the grave, and our hosts learn that computer viruses were almost called computer weeds. Graham tells Mark a story involving a murder, a moth, and an AI journalist, and Mark pits his co-host against the world's most advanced computer program in a maths Olympiad. All this and much more is discussed in the latest edition of "The AI Fix" podcast by Graham Cluley and Mark Stockley.

2024-11
Aggregator history
Tuesday, November 05