Talos researchers have disclosed three vulnerabilities in OpenPLC, a popular open-source programmable logic controller.

Wednesday, September 25, 2024 12:00

Cisco Talos’ Vulnerability Research team recently disclosed two vulnerabilities in Microsoft products that have been patched by the company over the past two Patch Tuesdays. 

One is a vulnerability in the High-Definition Audio Bus Driver in Windows systems that could lead to a denial of service, while the other is a memory corruption issue that exists in a multicasting protocol in Windows 10. 

Additionally, Talos researchers have disclosed three vulnerabilities in OpenPLC, a popular open-source programmable logic controller.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**Microsoft High-Definition Audio Bus Driver denial-of-service vulnerability **

_Discovered by Marcin “Icewall” Noga._ 

TALOS-2024-2008 (CVE-2024-45383) is a vulnerability in the Microsoft HD Audio Bus Driver that could allow an attacker to cause a denial of service. 

The driver allows the Windows operating system to communicate with external audio devices that play sound, including those that are integrated into machines’ motherboards or connected via HD audio interfaces.  

A mishandling of IRP requests in the driver’s interface could allow an attacker to send multiple IRP Complete requests to the driver, causing the DoS and forcing the operating system into the “Blue Screen of Death.” 

**Stale memory dereference in Microsoft Pragmatic General Multicast Server **

_Discovered by a Cisco Talos researcher._ 

A memory corruption vulnerability exists in the Pragmatic General Multicast server in the Microsoft Windows 10 Kernel.  

The Pragmatic General Multicast protocol is an IP-based multicasting protocol that is implemented by Microsoft as part of the Message Queueing service available in different versions of Windows. 

A specially crafted network packet can lead to the access of stale memory structure, resulting in memory corruption. An attacker can send a sequence of malicious packets to trigger TALOS-2024-2062 (CVE-2024-38140). 

Talos independently discovered this issue and reported it to Microsoft prior to their patch release earlier this year. However, Microsoft informed us that an internal researcher had already discovered this issue. 

**Three vulnerabilities in OpenPLC **

_Discovered by Jared Rittle_.

Talos recently discovered three vulnerabilities in OpenPLC, an open-source programmable logic controller designed to provide a low-cost option for automation in many manufacturing and logistics settings. 

Two of the issues — TALOS-2024-2004 (CVE-2024-36980, CVE-2024-36981) and TALOS-2024-2016 (CVE-2024-39589, CVE-2024-39590) — can lead to a denial-of-service on the targeted device. An adversary could exploit these vulnerabilities by sending a series of specially crafted Ethernet/IP requests. 

Another stack-based buffer overflow vulnerability, TALOS-2024-2005 (CVE-2024-34026), can also be exploited in this way. However, in this case, it could lead to remote code execution.

Talos discovers denial-of-service vulnerability in Microsoft Audio Bus; Potential remote code execution in popular open-source PLC

DragonForce ransomware is expanding its RaaS operation and becoming a global cybersecurity threat against businesses. Companies must implement…

DragonForce ransomware is expanding its RaaS operation and becoming a global cybersecurity threat against businesses. Companies must implement strong cybersecurity strategies to defend against this growing ransomware attack and avoid becoming victims.

**Ransomware attacks** are growing, leaving organizations vulnerable to new and more sophisticated threats. According to Group-IB’s Hi-Tech Crime Trends 2023/2024 report, ransomware incidents could cause even greater damage in 2024.

One of the most significant emerging threats is the DragonForce ransomware group, which leverages a Ransomware-as-a-Service (**RaaS**) affiliate program, employing variants of well-known ransomware families to wreak havoc on targeted industries.

****DragonForce: A Dual-Ransomware Threat****

The DragonForce ransomware group emerged in August 2023, deploying a variant based on **LockBit 3.0**, a notorious ransomware strain. However, by July 2024, the group introduced a second variant, initially claimed to be their original creation but later found to be a fork of **ContiV3 ransomware**. These dual ransomware versions are used to exploit vulnerabilities in companies, particularly in sectors like manufacturing, real estate, and transportation.

Screenshot of the LockBit version of the DragonForce ransomware

DragonForce’s attack strategy revolves around double extortion—encrypting data and threatening to leak it unless a ransom is paid. This adds immense pressure on victims to comply, fearing not only operational disruption but also the reputational damage that could arise from exposed sensitive information.

****Advanced Tactics for Maximum Damage****

According to Group-IB’s research shared with Hackread.com ahead of publication on Wednesday, the DragonForce ransomware gang’s operations are highly customizable, allowing affiliates to configure attacks based on the type of victim.

With its RaaS affiliate program, launched on June 26, 2024, DragonForce ransomware offers attackers the ability to personalize ransomware payloads. Affiliates can disable security features, set encryption parameters, and even customize ransom notes. In return, affiliates receive 80% of any ransom collected.

DragonForce employs a variety of advanced techniques for evasion and persistence. One of their key tactics is “Bring Your Own Vulnerable Driver” (**BYOVD**), where affiliates use vulnerable drivers to disable security processes and evade detection. Additionally, they clear Windows Event Logs after encryption to hinder forensic investigations.

For lateral movement, the group uses tools like **Cobalt Strike** and **SystemBC**, both of which allow them to harvest credentials and persist in networks. They also use network scanning tools like SoftPerfect Network Scanner to map out networks, helping spread the ransomware to as many devices as possible.

****Targeted Attacks and Global Reach****

Between August 2023 and August 2024, DragonForce listed 82 victims on its **dark web** leak site. Most attacks were concentrated in the U.S. (52.4%), followed by the U.K. and Australia. The manufacturing sector suffered the highest number of attacks, with real estate and transportation industries close behind.

In addition to their use of ContiV3 and LockBit variants, DragonForce’s ability to adapt to new affiliate demands makes them a rapidly growing threat. By targeting high-revenue companies and critical sectors, they continue to increase their foothold in the cybercrime infrastructure.

****What Can Businesses Do?****

To combat these sophisticated attacks, businesses need to adopt more proactive and layered security measures. Here are some critical steps:

*   **Multi-Factor Authentication (MFA):** Adding additional authentication layers makes it harder for attackers to compromise credentials.
*   **Early Detection:** Use behavioural detection tools such as Endpoint Detection and Response (EDR) to identify suspicious activity early.
*   **Backup Strategy:** Regular backups reduce the impact of ransomware by ensuring data can be recovered without paying ransom.
*   **Patch Vulnerabilities:** Regularly patching known vulnerabilities prevents ransomware from exploiting outdated systems.
*   **Employee Training:** Training employees to recognize phishing and other malicious tactics can prevent initial infiltration.
*   **Avoid Paying the Ransom:** Paying ransom often leads to more attacks, as it signals vulnerability to other cybercriminals.

While DragonForce ransomware expands its RaaS operation, businesses must remain alert and implement proper cybersecurity strategies to avoid becoming victims of this and other dangerous threats.

1.  New Kransom Ransomware Disguised as Game
2.  $75 Million Ransom Paid to Dark Angels Ransomware Group
3.  Play Ransomware Variant Targeting Linux ESXi Environments
4.  PythonAnywhere Cloud Platform Abused for Hosting Ransomware
5.  Qilin Ransomware Upgrades – Now Steals Google Chrome Credentials

DragonForce Ransomware Expands RaaS, Targets Firms Worldwide

Vienna-based privacy non-profit noyb (short for None Of Your Business) has filed a complaint with the Austrian data protection authority (DPA) against Firefox maker Mozilla for enabling a new feature called Privacy Preserving Attribution (PPA) without explicitly seeking users' consent.
"Contrary to its reassuring name, this technology allows Firefox to track user behavior on websites," noyb said

Data Protection / Online Tracking

Vienna-based privacy non-profit noyb (short for None Of Your Business) has filed a complaint with the Austrian data protection authority (DPA) against Firefox maker Mozilla for enabling a new feature called Privacy Preserving Attribution (PPA) without explicitly seeking users' consent.

"Contrary to its reassuring name, this technology allows Firefox to track user behavior on websites," noyb said. "In essence, the browser is now controlling the tracking, rather than individual websites."

Noyb also called out Mozilla for allegedly taking a leaf out of Google's playbook by "secretly" enabling the feature by default without informing users.

PPA, which is currently enabled in Firefox version 128 as an experimental feature, has its parallels in Google's Privacy Sandbox project in Chrome.

The initiative, now abandoned by Google, sought to replace third-party tracking cookies with a set of APIs baked into the web browser that advertisers can talk to in order to determine users' interests and serve targeted ads.

Put differently, the web browser acts as a middleman that stores information about the different categories that users can be slotted into based on their internet browsing patterns.

PPA, per Mozilla, is a way for sites to "understand how their ads perform without collecting data about individual people," describing it as a "non-invasive alternative to cross-site tracking."

It's also similar to Apple's Privacy Preserving Ad Click Attribution, which allows advertisers to measure the effectiveness of their ad campaigns on the web without compromising on user privacy.

The way PPA works is as follows: Websites that serve ads can ask Firefox to remember the ads in the form of an impression that includes details about the ads themselves, such as the destination website.

If a Firefox user ends up visiting the destination website and performs an action that's deemed valuable by the business – e.g., making an online purchase by clicking on the ad, also called "conversion" – that website can prompt the browser to generate a report.

The generated report is encrypted and submitted anonymously using the Distributed Aggregation Protocol (DAP) to an "aggregation service," after which the results are combined with other similar reports to create a summary such that it makes it impossible to learn too much about any individual.

This, in turn, is made possible by a mathematical framework called differential privacy that enables the sharing of aggregate information about users in a privacy-preserving manner by adding random noise to the results to prevent re-identification attacks.

"PPA is enabled in Firefox starting in version 128," Mozilla notes in a support document. "A small number of sites are going to test this and provide feedback to inform our standardization plans, and help us understand if this is likely to gain traction."

"PPA does not involve sending information about your browsing activities to anyone. Advertisers only receive aggregate information that answers basic questions about the effectiveness of their advertising."

It's this aspect that noyb has found fault with, as it's in violation of the European Union's (E.U.) stringent data protection regulations by enabling PPA by default without seeking users' permissions.

"While this may be less invasive than unlimited tracking, which is still the norm in the US, it still interferes with user rights under the E.U.'s GDPR," the advocacy group said. "In reality, this tracking option doesn't replace cookies either, but is simply an alternative - additional - way for websites to target advertising."

It further noted that a Mozilla developer justified the move by claiming that user's cannot make an informed decision and that "explaining a system like PPA would be a difficult task."

"It's a shame that an organization like Mozilla believes that users are too dumb to say yes or no," Felix Mikolasch, data protection lawyer at noyb, said. "Users should be able to make a choice and the feature should have been turned off by default."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Mozilla Faces Privacy Complaint for Enabling Tracking in Firefox Without User Consent

To maintain AI leadership, Congress and regulatory agencies must recognize that our foreign competitors are working to surpass us.

Haiman Wong, Fellow, Cybersecurity & Emerging Threats, R Street Institute

September 25, 2024

3 Min Read

Source: NicoElNino via Alamy Stock Photo

COMMENTARY

As a global leader in artificial intelligence (AI) innovation, the United States currently enjoys a significant competitive advantage economically, militarily, and technologically. To maintain this leadership, Congress and federal regulatory agencies must avoid complacency and recognize that our foreign competitors are diligently working to surpass us.

According to a recent report by the United Nations World Intellectual Property Organization, China filed more than 38,000 generative AI patents between 2014 and 2023, demonstrating its aggressive push to dominate AI advancement. This surge in patent activity underscores the critical need for the United States to accelerate its ongoing research and development efforts to maintain our global AI leadership.

To meet the demands of this moment, the US federal government must focus on three strategic AI research and development priorities that enhance our cyber resilience and national defense:

**1\. Clarifying the Definitions of Key AI-Related Terms**

Ambiguity and inconsistency in AI terminology continue to pose significant risks and challenges. Without precise and consistent definitions for key AI-related terms like "open source AI," "AI security," and "trustworthy AI," our country faces challenges in ensuring the responsible use of AI. Focused research and development efforts toward closing this gap can help create a more comprehensive and nuanced taxonomy, mapping out potential varying definitions and detailing parameters. For example, standardizing the term "AI security" could not only help promote secure development practices but also address emerging challenges like prompt injections and ensuring visibility into AI usage across organizations to prevent data leaks.

By systematically analyzing and standardizing terminology through collaborative efforts across academia, industry, and government stakeholders, the United States can lay a foundation for developing robust strategies that protect our national security and promote cyber resilience.

**2\. Developing a Scientific Understanding of AI**

A comprehensive scientific understanding of AI's limitations and capabilities is vital for assessing its impact and countering adversarial threats. The recent Private and Civil Liberties Oversight Board (PCLOB) AI Forum emphasized the importance of continuous research to measure AI's safety and reliability throughout its life cycle. To address this need, focused and strategically aligned research and development efforts are essential.

By developing ways to measure, test, audit, and evaluate AI capabilities, we can establish reliable methods to quantify AI's performance. These methods are critical for conducting accurate risk assessments and for our ability to continually improve AI systems and uses. Building a scientific understanding of AI, led by agencies like the National Institute of Standards and Technology (NIST) in collaboration with industry, academia, and other federal partners, will bolster our national and cybersecurity defenses by ensuring that AI systems are safe, reliable, and effective under various conditions and adversarial scenarios.

**3\. Developing AI Standards Adhering to US Mission and Values**

Establishing AI standards that reflect our mission and values, such as transparency and accountability, is crucial for maintaining national security. The PCLOB AI Forum also highlighted the importance of developing clear standards that guide acceptable and non-acceptable uses of AI, particularly in the intelligence community.

Research and development can support this effort by identifying best practices and creating robust frameworks that ensure AI technologies are deployed ethically and securely. By focusing on these priorities, we can ensure that AI advancements align with American values and strengthen our national security and cybersecurity. This makes the development of AI standards an urgent and essential aspect of AI research and development.

Recognizing AI's pivotal role in national security, policymakers have already made significant investments in its advancement. To ensure these efforts remain focused and strategically aligned, Congress must consider targeted legislative measures while empowering federal agencies to facilitate coordination, promote public-private partnerships, and set actionable research and development priorities that encourage innovation within these established guidelines.

By prioritizing the clarification of key AI-related terms, building a scientific understanding of AI, and establishing AI standards that adhere to our mission and values, the United States can maintain the momentum of our advancements in AI and meet our cyber resilience and national defense imperatives.

**About the Author**

Fellow, Cybersecurity & Emerging Threats, R Street Institute

Haiman Wong is a fellow for the R Street Institute’s Cybersecurity and Emerging Threats team. Outside of R Street, she serves as a co-chair in the AI Safety, Cybersecurity, and Inclusion Through Advanced Text Analytics minitrack at the Hawaii International Conference on System Sciences (HICSS). 

Before joining R Street, Haiman was a cyber threat intelligence associate and data scientist at Northern Trust, where she used NLP techniques to analyze more than a million cybersecurity logs. She also advised executive leadership on emerging cyber threat activities to shape the firm’s global cyber defense strategy. 

Haiman is a doctoral candidate at Purdue University, exploring the intersection of technology leadership in innovation and the influence of emerging technologies on the democratic exchange of digital information. She holds a master’s degree in data science with a cybersecurity concentration, and a bachelor’s degree in interdisciplinary studies (communications, legal institutions, economics, and government) from American University.

US May Be Losing the Race for Global AI Leadership

LMS training is vital for modern education and corporate learning, enabling efficient course delivery and progress tracking. To…

LMS training is vital for modern education and corporate learning, enabling efficient course delivery and progress tracking. To succeed, focus on creating engaging content, clear learning objectives, personalized paths, and social learning elements. Ensure prompt feedback, easy accessibility, and data analysis for continuous improvement.

Modern education and corporate learning now heavily rely on LMS (Learning Management System) training as a component of their program’s success trajectory. It offers a way for organizations to distribute courses efficiently, handle content management seamlessly, monitor progress effectively, and evaluate performance accurately. However, attaining outcomes from LMS training necessitates a strategic mindset. In this article, we will delve into strategies that can guarantee fruitful LMS training sessions and elevate the overall quality of the learning journey.

****Craft Compelling Content****

For desired LMS training outcomes, it’s important to create interesting content that grabs the learners’ attention. Captivating content should be showcased in a visually attractive way with easy-to-follow directions and user-friendly interfaces. Incorporating multimedia components such as videos, interactive quizzes, and simulations can also boost engagement levels and improve retention of knowledge. 

****Provide Clear Learning Objectives****

One crucial element of LMS training involves ensuring that learners are presented with well-defined learning goals from the beginning of the course to help them understand what the course aims to accomplish and how it relates to their personal or professional aspirations. This aids them in maintaining their motivation and concentration during the training process. 

****Explore Customized Learning Journeys****

Each learner begins their journey with starting points and preferences for learning styles that differ from one another. To meet these requirements effectively, it is important to incorporate personalized learning tracks into your LMS training curriculum. This can be achieved by offering choices tailored to skill levels and enabling learners to set their tempo for acquiring knowledge.

When students work together and interact with each other in their learning process, it can significantly enhance their learning experience. The inclusion of social learning components in your Learning Management System (LMS) can facilitate communication among students via platforms such as discussion boards, live chats, or virtual classrooms, allowing them to share thoughts and provide mutual assistance. 

****Ensure Feedback and Evaluations are Given Promptly** **

Constructive feedback is essential for enhancing development in LMS training programs. It enables learners to track their advancement and pinpoint areas for enhancement promptly by integrating frequent assessments into the course content to strengthen educational objectives effectively. 

****Guarantee Everyone Can Access and Use It Effectively****

It’s crucial to guarantee that your LMS platform is accessible and user-friendly to meet the needs of various learners. Ensure the content works well on devices and screen sizes to support learners accessing the platform from different gadgets. Moreover, it incorporates navigation routes and user-friendly interfaces for a smooth user experience. 

****Provide Assistance and Guidance****

Support services are essential for keeping learners engaged during training sessions. They include features like forums and chat support to respond quickly to learners’ questions and provide access to experts for guidance and assistance. 

****Analyze Learner Data****

Learner analytics can offer insights into how effective your LMS training program is by examining learner performance data and engagement levels to pinpoint areas for enhancement and adjust your training materials accordingly. 

****Encourage Educational Opportunities****

Continuous learning is essential for growth and development within an LMS training program, as it offers opportunities for learners to expand their knowledge and skills continuously. To further enrich their learning experience, motivate learners to explore courses or modules aligned with their personal interests or professional goals. Offering a variety of resources, like e-books, webinars, and industry-focused articles, can also contribute significantly to enhancing their expertise and capabilities. 

****Ways to Make Learning Fun and Engaging****

Using gamification in LMS training can boost learner motivation and engagement by adding game features, like badges and points, to make the learning experience more fun and foster friendly competition among learners. This approach encourages participation and helps learners retain knowledge better. 

****Conclusion****

By following these strategies for LMS training enhancement, you can significantly improve the effectiveness of your educational programs and achieve better results for learners. Crafting materials, setting clear goals, tailoring learning paths to individuals, integrating social learning elements, giving prompt feedback ensuring ease of access and use, providing continuous support services, and effectively analyzing learner data are all crucial steps organizations can take to deliver meaningful LMS training experiences for their staff or students.

1.  Maximizing Roi With The Best LMS For Elearning
2.  Efficient Document Merging Strategies for Professionals
3.  Technology and Software Redefine Business Operations
4.  Optimizing LMS Integration: 7 Strategies for Enhanced Learning
5.  Essential Features of Cybersecurity Management Software for MSPs

Top LMS Training Tips for Effective Learning

Instagram users are sharing a hoax in enormous numbers in an attempt at preventing Meta from harvesting their posts and photos to train its AI.

A new variation of a hoax that has been doing the rounds on Facebook for years has crossed over to Instagram.

We’re seeing this post on Instagram Stories a lot suddenly over the last few days. The post is usually posted as a shareable screenshot on Instagram Stories, but it’s also been spotted on Facebook and Threads as a copy-and-paste text.

> “Repub
> 
> Goodbye Meta AI. Please note an attorney has advised us to put this on, failure to do so may result in legal consequences. As Meta is now a public entity all members must post a similar statement. If you do not post at least once it will be assumed you are okay with them using your information and photos. I do not give Met or anyone else permission to use any of my personal data, profile information or photos.”

The fact that this post has been shared by some celebrities is a possible explanation for the sudden popularity. And, as is often the case, true stories about Facebook scraping photos to train its Artificial Intelligence (AI) can rekindle the popularity and urgency to post this type of useless notifications.

Instagram has started to flag versions of the post as false information which means people need to click ‘see post’ to view it. But what happens often is that somebody will start fresh with a slightly revamped version that will not be flagged.

While some may think it doesn’t hurt to share these posts just to be sure, it really isn’t a good idea. It spreads the false posts further, and people may feel they have opted out of their images being used after posting this, when in reality they haven’t. In many cases it would even be contradictory to the terms and conditions they agreed on.

Meta, the company that owns Facebook and Instagram published new terms and conditions, effective on June 26, 2024, which specifically allow it to use posts, images and online tracking data to train its AI large language model called LLaMa 3.

On inspection of the links in the notification, it became clear that the company will use years of personal posts, private images or online tracking data for a “AI technology” that can ingest personal data from any source and share any information with undefined “third parties.”

European and UK users can opt out of this. For others, sadly, it’s not so easy.

Logged in citizens of the EU and the UK can visit the Meta Privacy Center from either their Facebook account or their Instagram account.

**How to opt out of Meta using your data to train AI on Facebook**

*   Tap on your profile picture after logging in
*   Tap **Settings and Privacy**
*   Scroll down to the **Privacy Center**
*   Under **Privacy topics**, tap **AI at Meta**
*   Tap **Information you’ve shared on Meta products and services**
*   From there you’ll be presented with a form to fill out and **Submit** when you’re done.

AI at Meta in the Privacy Center

**How to opt out of Meta using your data to train AI on Instagram**

*   Tap on the hamburger menu from your profile (three stacked lines)
*   Scroll down to the **Privacy Center**
*   Under **Privacy topics**, tap **AI at Meta**
*   Tap **Information you’ve shared on Meta products and services**
*   From there you’ll be presented with a form to fill out and **Submit** when you’re done.

Whether you use Facebook or Instagram to opt out, you should then receive both an email and a notification on your account confirming whether your request has been successful.

Users in the US or other countries without national data privacy laws don’t have any foolproof ways to prevent Meta from using their data to train AI.

My advice: insist that your politicians make some noise and get you similar opt-out options.

 Don&#8217;t share the viral Instagram Meta AI &#8220;legal&#8221; post 

A Malwarebytes survey has found 66 percent of people were targeted by a romance scam, with 10 percent of victims losing $10,000 or more.

Romance scams continue to plague users, but their costs have risen to staggering heights, according to a Malwarebytes survey carried out last month via our weekly newsletter.

More than 66 percent of 850 respondents have been targeted by a romance scam, and those that were ensnared paid a hefty price, with 10 percent of victims losing $10,000 and up. A shocking 3 percent parted with $100,000 or more. The vast majority of those who lost money were unable to recover it, highlighting the need for increased awareness of evolving romance scam tactics and aggressive new methods of manipulation.

Romance scams, also known as confidence or dating scams, typically involve people being targeted online, with the scammers building their victim’s trust over several months. Victims are led to believe they’re in a committed relationship before being tricked into sending money, valuables, and personal information, or to launder money on the perpetrator’s behalf. In addition, some scammers convince their targets into investing in fraudulent cryptocurrency schemes, a method known as pig butchering.

While these scams are nothing new, their popularity has risen since the pandemic and ensuing loneliness epidemic, driven by an increasing reliance on the internet to connect. However, with the return to in-person gatherings, our survey results show romance scams have hardly petered out. Rather, they’re as pervasive as ever, with 52 percent of respondents targeted in the last year alone. And they’ve advanced, as cybercriminals now tap into global scamming networks for scripts, training, and technology to squeeze more money from victims.

As David Ruiz, Senior Privacy Advocate at Malwarebytes, puts it:

> “Romance and dating scams are run by sophisticated cybercriminals who know what they’re doing. They conduct research, and follow a playbook. The more we can remove the stigma surrounding victims and provide education and resources, the faster we can minimize the devastating effects of these scams.”

According to the Federal Trade Commission (FTC), over 64,000 people reported romance scams in 2023, with losses totaling $1.1 billion. The Federal Bureau of Investigation (FBI) received 17,823 complaints last year, costing victims nearly $653 million. However, that data doesn’t capture the recent trend of pig butchering, as romance scammers increasingly incorporate crypto investment fraud for higher payouts. Financial losses from investment fraud totaled $4.6 billion in 2023, the costliest internet crime for consumers.

For a full breakdown of survey results, including demographics, scammer tactics, and financial and emotional impacts, read below.

****Demographics of romance scams****

The majority of survey respondents were subject to romance scam advances within the last year, with 37 percent saying it happened within the last six months, and an additional 15 percent saying it happened between six months and one year ago.

The majority of targets are over the age of 55 (74 percent) and male (56 percent), a pattern consistent with previous trends. As with most scams, older users are targeted because they typically have more assets but are perhaps less familiar with online security. The Department of Homeland Security says cybercriminals zero in on recently widowed or divorced seniors for their vulnerability and access to cash.

However, 26 percent of victims are between 18 and 54 years old. In fact, the FTC asserts that the most common victims of romance scam sextortion are 18–29 years old.

Perhaps not surprisingly, the vast majority of phony romantic overtures took place on social media and online dating apps, with 38 and 31 percent of survey respondents targeted on those platforms, respectively. In fact, the proliferation of scams is one reason noted for the decline in social media and dating app use over the last two years. A recent Barclays survey found one third of Brits avoid online dating and dating apps due to romance scam fears.

Romance scams that start on social media end up costing the most. The FTC found from January 2021 to June 2023, more money was lost to scams originating on social media than by any other contact method. Consumers lost $2.7 billion in social media fraud, with crypto investment and romance scams resulting in the steepest costs, accounting for 67 percent of total losses. In the first six months of 2023, half of those who lost money to romance scams said it began on Facebook, Instagram, or Snapchat.

Romance scammers prefer using social media and dating apps to reach their targets because they can easily create fake profiles and tailor their personas to content victims share and like. Criminals can even use advertising tools to methodically select targets based on personal details such as age, interests, or past purchases. More recent trends involve romance scammers using AI to draft convincing emails, create fake photos in the likeness of their target’s recently-departed spouse, or develop deepfake videos of celebrities endorsing their investment scheme.

In addition, despite having strong anti-scam controls, nearly 16 percent of surveyed romance scam targets were initially contacted by email. Just over 10 percent were reached via text, a popular contact method for pig butchering.

****How long does the scam last?****

If survey results are an indication, the majority of those targeted by romance scams have become savvy to their ways—though Malwarebytes newsletter subscribers may be particularly well-informed. 55 percent knew it was a scam right away and never responded. Almost 19 percent figured out the scam within one week, meaning nearly three-quarters of respondents demonstrated excellent cybersecurity awareness.

Unfortunately, that leaves 26 percent engaging with romance scammers for more than two weeks, with 12 percent spending several months talking to pretend paramours, and 5 percent in a faux relationship for one year or more. In general, the longer a respondent was “together” with their scammer, the more money they lost. The exceptions were those who recognized the scam immediately, but spent weeks or months leading them on to waste their time. While this might seem like poetic justice, many romance scammers themselves are victims of human trafficking, forced to work up to 15 hours a day extracting enough money from victims to meet impossibly high quotas.

****Money lost****

User awareness wins the day again, preventing nearly three quarters of those targeted by a romance scam from losing money. However, the majority of those who did part with cash lost a lot of it—10 percent lost $10,000 or more, and 3 percent reported losses in the six figures. An additional 7 percent of survey respondents were scammed out of $1,000–$9,999, and 5 percent lost between $200 and $999. Just 3 percent of victims were scammed out of less than $200.

This means a full 22.5 percent of those targeted by a romance scam end up losing $1,000 and up—enough to make a significant impact on finances, especially for those with lower incomes. In 2023, romance scam victims—not counting those who reported crypto investment fraud—lost a median of $2,000 per person, the highest reported losses for any form of imposter scam, according to the FTC. Romance scams were also the third costliest fraud type reported to the FTC by older Americans (age 60 and over).

The FBI 2023 Internet Crimes Report noted financial losses to investment scams rose from $3.3 billion in 2022 to $4.6 billion in 2023—a 38 percent increase over the 183 percent gained the previous year. Combined, romance and investment scams were the costliest and second-most common internet crimes reported to the FBI last year as well, a fact reflected in Malwarebytes’ survey results and participant testimonials.

Tellingly, 94 percent of those who lost money were unable to recover it. Those who wish to recover cryptocurrency should be aware of additional scams by fraudulent businesses promising to trace and return funds. No private sector company can recover crypto—only legal or internal processes can compel cryptocurrency exchanges to release money back to victims.

****Reporting the scam****

Stigma is still a problem in dealing with the aftermath of a romance scam. Victims report heightened feelings of betrayal and shame on top of their financial burden. Yet 40 percent of surveyed romance scam victims didn’t tell another soul about what happened. An additional 30 percent only opened up to their closest confidantes. And while research suggests individuals impacted by the stress and trauma of romance scams benefit from counseling or support groups, just 4 percent sought out therapy after their experience.

However, there does appear to be a larger portion of romance scam targets willing to speak out than in the past. One quarter of our survey respondents said they told many others about their ordeal, with 11 percent submitting reports to law enforcement and/or nonprofit organizations. Data obtained by the BBC shows there were 7,660 cases processed in England and Wales by a self-reporting tool last year, up from 4,842 in 2019.

**How to spot and avoid a romance scam**

Romance scams aren’t going away, so here’s how to spot signs that someone isn’t who they say they are.

*   Their profile and picture seem too good to be true
*   They profess love and affection very quickly
*   They share a lot about themselves in the first meeting
*   They claim to be overseas and cannot stay in one place for long
*   They try to lure you from whatever platform you are on to talk to you via email or video chat
*   They claim to need money for something

Here’s what you can do to keep yourself safe:

*   Don’t give scammers the information they need. Scammers rely on what you volunteer about yourself online to tweak their script and lure you in. Use tools such as the Malwarebytes Personal Data Remover to minimize the amount of data accessible through search engine results, spam lists, and people search sites.
*   Perform an image search of the photo and the name of the person you’re in touch with. Scammers often steal someone else’s image to use as bait, and stolen identities are rife.
*   Go slow. Scammers tend to rush, building rapport with their victims as quickly as possible before moving in for the money-themed kill.
*   Never give money to anyone you’ve met online
*   Get a second opinion from someone you trust
*   If in doubt, back away and report the account.

If you’ve been impacted by a romance scam, pig butchering, or crypto investment fraud, you can report the crime to the Internet Crimes Complaint Center (IC3), which is run by the FBI, or the FTC on its reporting and resources page.

To talk with other romance scam victims in safe online forums, go to the reddit thread r/Romancescam, or apply to the private Facebook Support Group for Romance Scam Victims.

 Romance scams costlier than ever: 10 percent of victims lose $10,000 or more 

Malwarebytes is simplifying your security and privacy with the release of our new Personal Data Remover.

There’s an awful lot about you online that some awful groups want to exploit.  

The right combination of personal data points could help an identity thief fool a bank into opening a new, fraudulent line of credit in your name. Your alma mater, salary, and email address could help an online scammer craft the perfect phishing lure to trick you into donating to a bogus school fund. Your new address could be vulnerable to obsessive stalkers, your phone number could attract countless robocalls, and even your recent divorce status could make you a target for romance scammers.  

There’s now a way to fight back, with Malwarebytes Personal Data Remover. 

For years, the public have had few defenses to evolving online scams, as sensitive, personal details are all too easy to find online. Some of this data gets exposed through the major, corporate data breaches that now punctuate our lives, but some of this data isn’t “exposed” at all.  

Instead, it’s traded through a bustling network of “data brokers” that work tirelessly to collect and sell people’s names, addresses, phone numbers, bankruptcy records, salaries, marital statuses, and more. This can generate easy money though hyper-precise online advertising, or it can be done to power “people search” sites that leave nearly nothing to a scammer’s imagination.  

People deserve better.  

Today, Malwarebytes is simplifying your security and privacy with the release of our new Personal Data Remover.  

For people in the United States, Malwarebytes Personal Data Remover provides:   

*   Immediate, deep scans across roughly 175 databases to find your personal data. 
*   Personalized, in-depth reports on what data is being sold and who is selling it.  
*   Automatic data removal requests for subscribers, which can save 300+1 hours of manual work in wiping sensitive details off the internet, along with free DIY guides to tackle each site individually.  
*   Recurring scans and data removal requests that will make it harder for invasive websites to rebuild their digital portraits of you.2  

Malwarebytes Personal Data Remover represents our latest advancement in extending cybersecurity beyond antivirus.  

The truth is that modern threats to your privacy and your security have changed dramatically in a few short years, as cybercriminals are no longer focused only on infecting and controlling your device with viruses and malware. Rather, online scammers and thieves can glean relevant, personal details about your life to make it easier to steal your identity, take your money, or frighten you with empty ransom demands.  

This is why, almost a year ago, we launched Identity Theft Protection to help people prevent and recover from online identity theft, followed by the release of our free Digital Footprint Portal that provides free, in-depth reports about what data of yours is currently exposed online.  

With Malwarebytes Personal Data Remover, we hope to provide security and privacy beyond your device and into your entire experience online.  

Try Malwarebytes Personal Data Remover today.  Take back control of your data.

1\. Based on historical user data on the average time it takes to search, remove, and monitor re-exposure.  

2\. Available for paid subscribers in the United States only.

 Malwarebytes Personal Data Remover: A new way to help scrub personal data online  

Crafty bad actors can infect all of an organization's virtual machines at once, rendering tier-one applications useless.

Morey Haber, Chief Security Officer, BeyondTrust

September 25, 2024

5 Min Read

Source: Panther Media via Alamy Stock Photo

COMMENTARY

For at least the past 20 years, virtual machines and enterprise-ready hypervisors were marketed, sold, and adopted as the future of server-based computing. Dedicated power-hungry servers sitting in racks on a raised floor were replaced by systems architected to host multiple virtual servers simultaneously and to optimize resources based on load. The time of idle RAM, underutilized networks, and free hard disk storage was transformed by load-balancing technology, shared resources, and CPU prioritization to minimize costs, energy, and footprint. The goals were achieved, and the technology worked.

When organizations began shifting their tier-one mission-critical servers to virtual machines, the need to provide redundancy and high availability to meet uptime service-level agreements became paramount. Virtual machine hypervisors introduced redundancy technology, mirroring, real-time backups, cold spares, and myriad other solutions to mitigate the risks of an outage both in hardware and software. This technology even included mitigations for the hypervisor itself, just in case it became fully unavailable.

However, what happens if all of your hypervisors become unavailable — in essence, if all of your virtual data centers went offline, including all redundancy? This risk was not a consideration in the past, based on the maturity of virtualization, but today it poses a real threat and is why tier-one applications should no longer be virtualized. Why? Read on.

**Hypervisor Attacks on the Rise**

In the past few years, hypervisors have been targeted in high-profile malware and ransomware attacks. Instead of just attacking the data on a server, or a server or workstation operating system, threat actors have become brazen in attacking hypervisors and encrypting all the virtual machines hosted by the system. And if the attack vector is crafty enough, it can infect all virtual machines and hypervisors, regardless of their geolocation and backup status, simultaneously. This essentially renders all technology hosted as a virtual machine — including your tier-one applications — useless and unable to complete their mission.

So how did this change come about? Vulnerabilities, exploits, poor identity security, malware, social engineering, and, of course, ransomware. To understand this risk, let us look at some exploits that affected VMware, a leading enterprise virtualization technology, and some of its key components.

According to CVE Details, since Jan. 1, 2020, there have been 334 reported vulnerabilities for all VMware solutions. Of those, 19% were critical and, if exploited, could lead to a compromise of the affected VMware solution.

However, at least two are especially important to this discussion, despite their age: CVE-2021-21974 and CVE-2020-3992. Each could lead to a full hypervisor outage if exploited. The obvious answer from many security professionals is to patch. However, when patching these vulnerabilities, the entire hypervisor generally needs to be taken offline and all virtual machines paused or stopped to complete the upgrade. If the environment is large, potentially dozens or even hundreds of virtual machines may need to come offline. That type of outage is typically lengthy and unacceptable for tier-one applications.

**Migrate to a More Fitting Solution**

Most organizations will avoid patching due to the downtime alone, instead using other mitigations to avoid exploitation. This, however, does not solve the problem. If the hypervisor or any of its components are exposed to the Internet, these vulnerabilities are ticking time bombs. Not patching critical vulnerabilities will lead to exploitation at some point. The rise in hypervisor-based vulnerabilities is increasing and will continue to escalate, as shown by CVE Details data.

Therefore, organizations have four potential solutions:

1.  Continue to include tier-one applications as virtual machines but ensure maintenance is up to date, accept downtime, and continue running as originally designed.
    
2.  Do not include tier-one applications in virtual environments. Deploy them as physical hardware and plan to patch them regularly as physical implementations to remediate the risks.
    
3.  Stop hosting tier-one applications in virtual environments and using dedicated hardware on-premises altogether. Move them to the cloud and let the provider maintain the application and hypervisor, as well as manage back-end risks like upgrades, for you.
    
4.  Modernize your ecosystem and migrate the tier-one application to a software-as-a-service (SaaS) solution.
    

Choosing your path requires some analysis and decisions before taking down your unpatched virtualized tier-one applications. First, categorize all applications by mission criticality. Is it a tier-one application, where any outage is unacceptable to the business, or a tier-two application, where downtime is acceptable (if it's minimal) for hypervisor patching? Next, which tier-one applications can be cloud-washed — that is, directly moved to a hypervisor in the cloud and maintained by the provider — or replaced by a modern SaaS solution? Most organizations prefer a SaaS solution because it does not need virtual machine maintenance like their on-premises counterparts. That is one of the biggest benefits of SaaS.

Once you have made these decisions, your organization needs to separate tier-one applications from on-premises hypervisors. Like any other technology migration, document all planning, testing, requirements, service-level agreements, and so forth so that you can measure success. In the end, however, the risk mitigation is priceless, since the business no longer has to accept the risk of unpatched hypervisors and the potential for mass exploitation of ransomware.

In my opinion, tier-one applications should not depend on hypervisors to ensure availability. Points of failure for such applications should be minimized. In recent years, attacks against hypervisors have proved that the risks are real and may no longer be acceptable to a business. This is why I believe tier-one applications should no longer be implemented using on-premises virtual machines.

**About the Author**

Chief Security Officer, BeyondTrust

With more than 20 years of IT industry experience and author of Privileged Attack Vectors and Asset Attack Vectors, Morey Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees the vision for BeyondTrust technology encompassing intelligent identity and access security solutions, as well as BeyondTrust's own internal information security strategies.

Keep Tier-One Applications Out of Virtual Environments

Cybersecurity researchers have flagged the discovery of a new post-exploitation red team tool called Splinter in the wild.
Palo Alto Networks Unit 42 shared its findings after it discovered the program on several customers' systems.
"It has a standard set of features commonly found in penetration testing tools and its developer created it using the Rust programming language," Unit 42's Dominik

Penetration Testing / Cyber Threat

Cybersecurity researchers have flagged the discovery of a new post-exploitation red team tool called **Splinter** in the wild.

Palo Alto Networks Unit 42 shared its findings after it discovered the program on several customers' systems.

"It has a standard set of features commonly found in penetration testing tools and its developer created it using the Rust programming language," Unit 42's Dominik Reichel said. "While Splinter is not as advanced as other well-known post-exploitation tools like Cobalt Strike, it still presents a potential threat to organizations if it is misused."

Penetration testing tools are often used for red team operations to flag potential security issues in a company's network. However, such adversary simulation tools can also be weaponized by threat actors to their advantage.

Unit 42 said it has not detected any threat actor activity associated with the Splinter tool set. There is no information as yet on who developed the tool.

Artifacts unearthed by the cybersecurity firm reveal that they are "exceptionally large," coming in around 7 MB, primarily owing to the presence of 61 Rust crates within it.

Splinter is no different than other post-exploitation frameworks in that it comes with a configuration that includes information about the command-and-control (C2) server, which is parsed in order to establish contact with the server using HTTPS.

"Splinter implants are controlled by a task-based model, which is common among post-exploitation frameworks," Reichel noted. "It obtains its tasks from the C2 server the attacker has defined."

Some of the functions of the tool include executing Windows commands, running modules via remote process injection, uploading and downloading files, collecting cloud service account info, and deleting itself from the system.

"The increasing variety underscores the importance of staying up to date on prevention and detection capabilities, since criminals are likely to adopt any techniques that are effective for compromising organizations," Reichel said.

The disclosure comes as Deep Instinct detailed two attack methods that could be exploited by threat actors to achieve stealthy code injection and privilege escalation by leveraging an RPC interface in Microsoft Office and a malicious shim, respectively.

"We applied a malicious shim in a process without registering an SDB file on the system," researchers Ron Ben-Yizhak and David Shandalov said. "We effectively bypassed EDR detection by writing to a child process and loading the target DLL from the suspended child process before any EDR hook can be established."

In July 2024, Check Point also shed light on a new process injection technique called Thread Name-Calling that allows to implant of a shellcode into a running process by abusing the API for thread descriptions while bypassing endpoint protection products.

"As new APIs are added to Windows, new ideas for injection techniques are appearing," security researcher Aleksandra "Hasherezade" Doniec said.

"Thread Name-Calling uses some of the relatively new APIs. However, it cannot avoid incorporating older well-known components, such as APC injections – APIs which should always be taken into consideration as a potential threat. Similarly, the manipulation of access rights within a remote process is a suspicious activity."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Latest News