**What is the version information for this release?**

Microsoft Edge Channel

Microsoft Edge Version

Based on Chromium Version

Date Released

Stable

127.0.2651.98

127.0.6533.99/.100

8/8/2024

CVE-2024-38218: Microsoft Edge (HTML-based) Memory Corruption Vulnerability

The ransomware strain known as BlackSuit has demanded as much as $500 million in ransoms to date, with one individual ransom demand hitting $60 million.
That's according to an updated advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
"BlackSuit actors have exhibited a willingness to negotiate payment amounts," the

Critical Infrastructure / Malware

The ransomware strain known as BlackSuit has demanded as much as $500 million in ransoms to date, with one individual ransom demand hitting $60 million.

That's according to an updated advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).

"BlackSuit actors have exhibited a willingness to negotiate payment amounts," the agencies said. "Ransom amounts are not part of the initial ransom note, but require direct interaction with the threat actor via a .onion URL (reachable through the Tor browser) provided after encryption."

Attacks involving ransomware have targeted several critical infrastructure sectors spanning commercial facilities, healthcare and public health, government facilities, and critical manufacturing.

An evolution of the Royal ransomware, it leverages the initial access obtained via phishing emails to disarm antivirus software and exfiltrate sensitive data before ultimately deploying the ransomware and encrypting the systems.

Other common infection pathways include the use of Remote Desktop Protocol (RDP), exploitation of vulnerable internet-facing applications, and access purchased via initial access brokers (IABs).

BlackSuit actors are known to use legitimate remote monitoring and management (RMM) software and tools like SystemBC and GootLoader malware to maintain persistence in victim networks.

"BlackSuit actors have been observed using SharpShares and SoftPerfect NetWorx to enumerate victim networks," the agencies noted. "The publicly available credential stealing tool Mimikatz and password harvesting tools from Nirsoft have also been found on victim systems. Tools such as PowerTool and GMER are often used to kill system processes."

CISA and FBI have warned of an uptick in cases where victims receive telephonic or email communications from BlackSuit actors regarding the compromise and ransom, a tactic that's increasingly being adopted by ransomware gangs to ramp up pressure.

"In recent years, threat actors appear to be increasingly interested in not merely threatening organizations directly, but also secondary victims," cybersecurity firm Sophos said in a report published this week. "For instance, as reported in January 2024, attackers threatened to 'swat' patients of a cancer hospital, and have sent threatening text messages to a CEO's spouse."

That's not all. Threat actors have also claimed to assess stolen data for evidence of illegal activity, regulatory non-compliance, and financial discrepancies, even going to the extent of stating that an employee at a compromised organization had been searching for child sexual abuse material by posting their web browser history.

Such aggressive methods can not only be used as further leverage to coerce their targets into paying up, they also inflict reputational damage by criticizing them as unethical or negligent.

The development comes amid the emergence of new ransomware families like Lynx, OceanSpy, Radar, Zilla (a Crysis/Dharma ransomware variant), and Zola (a Proton ransomware variant) in the wild, even as existing ransomware groups are constantly evolving their modus operandi by incorporating new tools into their arsenal.

A case example is Hunters International, which has been observed using a new C#-based malware called SharpRhino as an initial infection vector and a remote access trojan (RAT). A variant of the ThunderShell malware family, it's delivered through a typosquatting domain impersonating the popular network administration tool Angry IP Scanner.

It's worth pointing out that malvertising campaigns have been spotted delivering the malware as recently as January 2024, per eSentire. The open-source RAT is also called Parcel RAT and SMOKEDHAM.

"On execution, it establishes persistence and provides the attacker with remote access to the device, which is then utilized to progress the attack," Quorum Cyber researcher Michael Forret said. "Using previously unseen techniques, the malware is able to obtain a high level of permission on the device in order to ensure the attacker is able to further their targeting with minimal disruption."

Hunters International is assessed to be a rebrand of the now-defunct Hive ransomware group. First detected in October 2023, it has claimed responsibility for 134 attacks in the first seven months of 2024.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

FBI and CISA Warn of BlackSuit Ransomware That Demands Up to $500 Million

A critical security flaw impacting Progress Software WhatsUp Gold is seeing active exploitation attempts, making it essential that users move quickly to apply the latest.
The vulnerability in question is CVE-2024-4885 (CVSS score: 9.8), an unauthenticated remote code execution bug impacting versions of the network monitoring application released before 2023.1.3.
"The

Vulnerability / Network Security

A critical security flaw impacting Progress Software WhatsUp Gold is seeing active exploitation attempts, making it essential that users move quickly to apply the latest.

The vulnerability in question is CVE-2024-4885 (CVSS score: 9.8), an unauthenticated remote code execution bug impacting versions of the network monitoring application released before 2023.1.3.

"The WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppool\\\\nmconsole privileges," the company said in an advisory released in late June 2024.

According to security researcher Sina Kheirkhah of the Summoning Team, the flaw resides in the implementation of the GetFileWithoutZip method, which fails to perform adequate validation of user-supplied paths prior to its use.

An attacker could take advantage of this behavior to execute code in the context of the service account. A proof-of-concept (PoC) exploit has since been released by Kheirkhah.

The Shadowserver Foundation said it has observed exploitation attempts against the flaw since August 1, 2024. "Starting Aug 1st, we see /NmAPI/RecurringReport CVE-2024-4885 exploitation callback attempts (so far 6 src IPs)," it said in a post on X.

WhatsUp Gold version 2023.1.3 addresses two more critical flaws CVE-2024-4883 and CVE-2024-4884 (CVSS scores: 9.8), both of which also enable unauthenticated remote code execution through NmApi.exe and Apm.UI.Areas.APM.Controllers.CommunityController, respectively.

Also addressed by Progress Software is a high-severity privilege escalation issue (CVE-2024-5009, CVSS score: 8.4) that allows local attackers to elevate their privileges on affected installations by taking advantage of the SetAdminPassword method.

With flaws in Progress Software regularly being abused by threat actors for malicious purposes, it's essential that admins apply the latest security updates and allow traffic only from trusted IP addresses to mitigate potential threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Security Flaw in WhatsUp Gold Under Active Attack - Patch Now

Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page.

**Open WebUI Stored Cross-Site Scripting Vulnerability**

Moderate severity GitHub Reviewed Published Aug 8, 2024 to the GitHub Advisory Database • Updated Aug 8, 2024

GHSA-5jp3-wp5v-5363: Open WebUI Stored Cross-Site Scripting Vulnerability

Invisible authentication mechanisms in Microsoft allow any attacker to escalate from privileged to super-duper privileged in cloud environments, paving the way for complete takeover.

Source: Sergey Nivens via Alamy Stock Photo

BLACK HAT USA – Las Vegas – Wednesday, Aug. 7 – An obscure issue with Microsoft's Entra ID identity and access management service could allow a hacker to access every corner of an organization's cloud environment.

Crucially, the attack requires that a hacker already have access to an admin-level account. With that in hand, though, the possibilities are limitless. At 4:20 p.m. local time today at Black Hat, Eric Woodruff, senior cloud security architect at Semperis, will describe how an attacker in such a position could take advantage of layered authentication mechanisms in Entra ID to gain all-powerful global administrator privileges.

An attacker with global administrator privileges can do anything in an organization's cloud environment to any of its connected services, including but not limited to accessing sensitive data and planting malware. As Woodruff explains, "It's like being a domain administrator in the cloud. As a global administrator, you can literally do anything: You could get into people's emails in Microsoft 365, you could move into any application that's tied to Azure, etc."

Entra ID is central to any organization using Microsoft 365 and Azure, managing and securing access and permissions across cloud applications and services.

Within each tenant (organization), Entra ID represents users, groups, and applications as "service principals," which can be assigned roles and permissions of one kind or another.

The problem identified by Woodruff begins with the fact that users with privileged Application Administrator or Cloud Application Administrator roles can assign credentials directly to a service principal. An attacker with such privileges can use this system quirk to effectively act as their targeted application when interfacing with Entra ID.

Next, the attacker can follow the OAuth 2.0 client credential grant flow, exchanging credentials for tokens that grant access to resources. This is where the second major issue comes into play. During his research, Woodruff identified three application service principals capable of performing actions they didn't appear to have permission to enact:

*   In the enterprise social networking service Viva Engage (formerly Yammer), the ability to permanently delete users, including Global Administrators.
    
*   In the Microsoft Rights Management Service, the ability to add users.
    
*   For the Device Registration Service, the ability to elevate privileges to the Global Administrator level
    

The Microsoft Security Response Center (MSRC) assigned these vulnerabilities medium, low, and high severity ratings, respectively.

Woodruff emphasizes that the issue with the Device Registration Service is far more significant than the others. "Generally, you would delegate Admin roles to people doing more day-to-day, mundane things \[in your organization\]. They don't have the power to do whatever. But if they happen to know of this path we found, they could go give themselves that role," he explains.

**Dealing With Cloud Permissions**

When Woodruff went to Microsoft with his findings, the company explained that, in fact, he was allowed to do what he did thanks to hidden authentication mechanisms "behind the scenes."

Dark Reading reached out to Microsoft for more information about how these layered, unseen authentication mechanisms work, and why they exist in the first place. A Microsoft spokesperson replied with no further details.

For now, Microsoft has been patching over the issue with new controls that limit the use of credentials on service principals. Now, when one attempts privilege escalation using the Device Registration Service, Microsoft Graph returns an error.

It's unclear whether this issue has ever been exploited in the wild. To determine that, Woodruff says, organizations can review Entra ID audit logs, or look out for leftover attacker credentials. Neither method is foolproof, however, as logs tend to expire after a certain period of time, and attackers can always retroactively hide their paper trails.

"Having worked in the whole Microsoft ecosystem awhile, I've run a lot of security assessments and would find that a lot of organizations have relatively lax security around application administrators. You see it in the news these days: Someone targets the help desk, and the next thing you know, they're a domain admin, because of some privilege chain," he says.

This latest discovery, though part of the same pattern, was nonetheless a bit of a shock. "It was sort of like: Oh, these app admins at a lot of orgs aren't really guarded the way they should be," he says.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Hazy Issue in Entra ID Allows Privileged Users to Become Global Admins

From tricking companies into handing over victims’ personal data to offering violence as a service, the online doxing ecosystem is not just still a problem—it’s getting more extreme.

Since the early 1990s, people have used doxing as a toxic way to strike digital revenge—stripping away someone’s anonymity by unmasking their identity online. But in recent years, the poisonous practice has taken on new life, with people being doxed and extorted for cryptocurrency and, in the most extreme cases, potentially facing physical violence.

For the past year, security researcher Jacob Larsen—who was a victim of doxing around a decade ago when someone tried to extort him for a gaming account—has been monitoring doxing groups, observing the techniques used to unmask people, and interviewing prominent members of the doxing community. Doxing actions have led to incomes of “well over six figures annually,” and methods include making fake law enforcement requests to get people’s data, according to Larsen’s interviews.

“The primary target of doxing, particularly when it involves a physical extortion component, is for finance,” says Larsen, who leads an offensive security team at cybersecurity company CyberCX but conducted the doxing research in a personal capacity with the support of the company.

Over several online chat sessions last August and September, Larsen interviewed two members of the doxing community: “Ego” and “Reiko.” While neither of their offline identities is publicly known, Ego is believed to have been a member of the five-person doxing group known as ViLe, and Reiko last year acted as an administrator of the biggest public doxing website, Doxbin, as well as being involved in other groups. (Two other ViLe members pleaded guilty to hacking and identity theft in June.) Larsen says both Ego and Reiko deleted their social media accounts since speaking with him, making it impossible for WIRED to speak with them independently.

People can be doxed for a full range of reasons—from harassment in online gaming, to inciting political violence. Doxing can “humiliate, harm, and reduce the informational autonomy” of targeted individuals, says Bree Anderson, a digital criminologist at Deakin University in Australia who has researched the subject with colleagues. There are direct “first-order” harms, such as risks to personal safety, and longer-term “second-order harms,” including anxiety around future disclosures of information, Anderson says.

Larsen’s research mostly focused on those doxing for profit. Doxbin is central to many doxing efforts, with the website hosting more than 176,000 public and private doxes, which can contain names, social media details, Social Security numbers, home addresses, places of work, and similar details belonging to people’s family members. Larsen says he believes most of the doxing on Doxbin is driven by extortion activities, although there can be other motivations and doxing for notoriety. Once information is uploaded, Doxbin will not remove it unless it breaks the website’s terms of service.

“It is your responsibility to uphold your privacy on the internet,” Reiko said in one of the conversations with Larsen, who has published the transcripts. Ego added: “It’s on the users to keep their online security tight, but let’s be real, no matter how careful you are, someone might still track you down.”

**Impersonating Police, Violence as a Service**

Being entirely anonymous online is almost impossible—and many people don’t try, often using their real names and personal details in online accounts and sharing information on social media. Doxing tactics to gather people’s details, some of which were detailed in charges against ViLe members, can include reusing common passwords to access accounts, accessing public and private databases, and social engineering to launch SIM swapping attacks. There are also more nefarious methods.

Emergency data requests (EDR) can also be abused, Larsen says. EDRs allow law enforcement officials to ask tech companies for people’s names and contact details without any court orders as they believe there may be danger or risks to people’s lives. These requests are made directly to tech platforms, often through specific online portals, and broadly need to come from official law enforcement or government email addresses.

Inside the Dark World of Doxing for Profit

The number of additions to the Known Exploited Vulnerabilities catalog is growing quickly, but even silent changes to already-documented flaws can help security teams prioritize.

CVE age distribution of KEV by groupSource: GreyNoise Intelligence

B-SIDES LAS VEGAS – Las Vegas – Wednesday, Aug. 7 – Organizations that use the Known Exploited Vulnerabilities (KEV) catalog to prioritize patching are likely missing silent changes to the list that could indicate that an issue's severity has changed, according to an analysis presented at the BSides Las Vegas conference on Aug. 7.

The KEV catalog — which currently consists of more than 1,140 vulnerabilities that are known to have been exploited in the wild — tracks software flaws by their Common Vulnerabilities and Exposures (CVE) identifier, records the date when the vulnerability was confirmed in the wild and has a flag that indicates whether ransomware groups are using the security issues.

Yet, specific changes to the data — such as uncommonly short times to remediate vulnerabilities and changes to the ransomware status — can give security teams valuable information, the analysis stated.

Unfortunately, the Cybersecurity and Infrastructure Security Agency (CISA), which manages the list, does not often call out these changes and outliers, says Glenn Thorpe, senior director of security research and detection engineering at GreyNoise Intelligence.

"We who are not bound by its directives forget that this is actually a to-do list," he says, adding: "So, if folks are actually using this to prioritize remediation or some kind of process, they need to know \[when\] it is updated silently."

The KEV catalog, introduced in November 2021 with 290 exploited vulnerabilities, is maintained by CISA and gives organizations the information necessary to prioritize patching flaws that are currently under attack. The list, however, does not rank the severity of issues, and vulnerabilities are often not added until well after the initial evidence of exploitation comes to light.

**Surge From a Cyber Conflict**

While less than 3 years old, the KEV catalog has already passed through three periods, Thorpe says. The original catalog had 287 vulnerabilities, which had an average age — the time between the release of the CVE and the vulnerability's addition to the KEV list — of 591 days. Then, during a 109-day period in early 2022 and the initial months of Russia's invasion of Ukraine, a massive stockpile of vulnerabilities was exploited, encompassing 396 issues with an average age of 1,898 days.

Starting in mid- to late 2023, CISA started changing its policies on the KEV catalog, providing additional signals as to the severity of a vulnerability. Source: GreyNoise Intelligence

Since mid-2022, 453 newly exploited vulnerabilities have been discovered, with an average age of 567 days.

"There is this thought that maybe the numbers have gone down, because the Russia-Ukraine conflict has dragged on so long," he says. "But I \[feel that\] when it ends, each side will looking for vulnerabilities and stockpiling once again."

Five organizations — Microsoft, Apple, Cisco, Adobe, and Google — account for about half of all vulnerabilities on the list, demonstrating cyberattackers' penchant for major software platforms.

**Pay Attention to Friday Updates**

While any vulnerability in the KEV catalog should likely be patched as soon as possible, companies may want to prioritize those being used in ransomware campaigns. The list has a flag designating whether CISA has confirmed use of a particular flaw by ransomware gangs. However, at least 41 times, that flag has been changed to "known" — indicating ransomware use — after the vulnerability's addition to the list without explicit notification.

Perhaps more critical for prioritization is the "due date" for fixing a vulnerability, which informs federal agencies of the date by which the issue must be remediated. While the vast majority of vulnerabilities have a 21-day requirement, since late 2023, CISA has set shorter remediation deadlines for specific vulnerabilities. The shorter patching deadlines are typically for more critical appliances that are connected to a networks, such as the severe Ivanti vulnerabilities, as well as issues in Juniper routers and Cisco devices and Atlassian's Confluence server, GreyNoise's Thorpe says.

In fact, another data point suggests that CISA made other changes to how it handles KEV-catalog announcements in late 2023. Around the same time that CISA had assigned shorter deadlines, the agency also began foregoing the release of any list updates on Fridays, except in two specific cases, the analysis found.

"Either there was a decision made to prioritize these a little differently, or they ... were kind of figuring out how to prioritize these differently, because the list is getting big," Thorpe says.

Organizations can use the policy changes inferred from the way CISA updates the KEV catalog to understand which issues the agency considers most critical. A KEV update released on a Friday should be considered significant, as should a vulnerability with a due date less than 21 days away. Finally, Thorpe says, updates to the known ransomware usage field are another signal that security teams should pay attention to.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Monitoring Changes in KEV List Can Guide Security Teams

The security vendor has also implemented several changes to protect against the kind of snafu that crashed 8.5 million Windows computers worldwide last month.

Source: Ascannio via Shutterstock

CrowdStrike will give customers more control over how they deploy content updates to the company's Falcon sensor endpoint security technology following the recent incident that saw a faulty update crash more than 8.5 million Windows systems worldwide.

The beleaguered security vendor — which is the target of two lawsuits over the incident already — has implemented new features to its platform to support the capability with additional functionality planned for the future.

**Multiple Changes**

The update is one of several changes CrowdStrike has implemented following the completion of a root cause analysis (RCA) of the July 19 incident. In an Aug. 7 update, CrowdStrike announced other changes it has made to ensure something similar does not happen in the future. The changes include new content configuration system test procedures, additional deployment layers and acceptance checks for its content configuration system, and new validation checks for its updates.

CrowdStrike has also asked two independent third-party security vendors to review the code for its Falcon sensor technology and of the company's quality control and release processes for the product. "We are using the lessons learned from this incident to better serve our customers," CrowdStrike CEO George Kurtz said in a statement that accompanied its RCA. "To this end, we have already taken decisive steps to help prevent this situation from repeating and to help ensure that we — and you — become even more resilient."

CrowdStrike's problems started with a July 19 content update for a new Falcon sensor capability that the security vendor first rolled out in February 2024. The automatically deployed update caused Windows systems worldwide to crash and created enormous disruptions for organizations across multiple sectors, including airlines, financial services, healthcare, manufacturing, and government. In many cases, systems admins had to manually restart computers, which meant that it took days for numerous organizations to restore services fully.

CrowdStrike has already become the target of at least two class-action lawsuits over the incident — one on behalf of the company's shareholders and the other on behalf of affected businesses. Many others, including Delta Air Lines, are expected to sue CrowdStrike over related outage costs in coming days and months.

**Parameter Count Mismatch**

The security vendor has identified a parameter count mismatch between what its Falcon sensor product expected and what the July 19 content configuration update actually contained as the root cause for the problems. The update was for a Falcon sensor feature that CrowdStrike rolled out in February to detect and provide insights into new attack techniques that exploit specific Windows mechanisms. Falcon sensor uses a specific template with a predefined set of 20 separate input fields to deliver this specific capability.

CrowdStrike's content configuration update on July 19 provided 21 input fields rather than the 20 fields the sensor expected. "In this instance, the mismatch resulted in an out-of-bounds memory read, causing a system crash," CrowdStrike said.

While the security vendor introduced the template with the mismatched parameter count in February, its analysis showed it slipped past multiple layers of build validation and testing.  No one caught the discrepancy during the sensor release test process, during stress tests of the template, or even during initial real-world deployments. In part, this was because the test processes and initial deployments used a "wildcard matching criteria" — meaning they accepted any value or no value at all — for the extra input field's parameter.

The July 19 update used a non-wildcard matching criterion for the July 21 parameter, which meant the sensor had to contend with data for a field it did not expect. "The Content Interpreter expected only 20 values," CrowdStrike said. "Therefore, the attempt to access the 21st value produced an out-of-bounds memory read beyond the end of the input data array and resulted in a system crash."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

CrowdStrike Will Give Customers Control Over Falcon Sensor Updates

In January, KrebsOnSecurity wrote about rapper Punchmade Dev, whose music videos sing the praises of a cybercrime lifestyle. That story showed how Punchmade's social media profiles promoted Punchmade-themed online stores selling bank account and payment card data. Now the Kentucky native is suing his financial institution after it blocked a $75,000 wire transfer and froze his account, citing an active law enforcement investigation.

A partial selfie posted by Puchmade Dev to his Twitter account. Yes, that is a functioning handheld card skimming device, encrusted in diamonds. Underneath that are more medallions, including a diamond-studded bitcoin and payment card.

In January, KrebsOnSecurity wrote about rapper **Punchmade Dev**, whose music videos sing the praises of a cybercrime lifestyle. That story showed how Punchmade’s social media profiles promoted Punchmade-themed online stores selling bank account and payment card data. The subject of that piece, a 22-year-old Kentucky man, is now brazenly suing his financial institution after it blocked a $75,000 wire transfer and froze his account, citing an active law enforcement investigation.

With memorable hits such as “Internet Swiping” and “Million Dollar Criminal” earning millions of views, Punchmade Dev has leveraged his considerable following to peddle tutorials on how to commit financial crimes online. But until recently, there wasn’t much to support a conclusion that Punchmade was actually doing the cybercrime things he promotes in his songs.

That changed earlier this year when KrebsOnSecurity showed how Punchmade’s social media handles were promoting Punchmade e-commerce shops online that sold access to **Cashapp** and **PayPal** accounts with balances, software for printing checks, as well as personal and financial data on Americans.

Punchmade Dev’s previous online shop (now defunct). His Telegram channel has more than 75,000 followers.

The January story traced Punchmade’s various online properties to a 22-year-old **Devon Turner** from Lexington, Ky. Reached via his profile on X/Twitter, Punchmade Dev said they were not affiliated with the lawsuit filed by Turner \[Punchmade’s X account provided this denial even though it has still not responded to requests for comment from the first story about him in January\]. Meanwhile, Mr. Turner has declined multiple requests to comment for this story.

On June 26, Turner filed a _pro se_ lawsuit against **PNC Bank**, alleging “unlawful discriminatory and tortuous action” after he was denied a wire transfer in the amount of $75,000. PNC Bank did not respond to a request for comment.

Turner’s complaint states that a follow-up call to his bank revealed the account had been closed due to “suspicious activity,” and that he was no longer welcome to patronize PNC Bank.

“The Plaintiff is a very successful African-American business owner, who has generated millions of dollars with his businesses, has hired 30 plus people to work for his businesses,” Turner wrote.

As reported in January, among Turner’s businesses is a Lexington entity called **OBN Group LLC** (assumed name **Punchmade LLC**). Business incorporation documents from the Kentucky Secretary of State show he also ran a record label called **DevTakeFlightBeats Inc.**

Turner’s lawsuit alleges that bank staff made disparaging remarks about him, suggesting the account was canceled because it would be unusual for a person like him to have that kind of money.

A snippet from Turner’s lawsuit vs. PNC.

Incredibly, Turner acknowledges that _PNC told him his account was flagged for attention from law enforcement officials_.

“The PNC Bank customer service representative also explained that there was a note on the account that law enforcement would be contacted at some point in time,” the lawsuit reads.

“The Plaintiff, who was not worried at all about law enforcement being involved because nothing illegal occurred, informed the PNC Bank representative that this was one big mistake and asked him what his options were,” the complaint states.

Devon Turner, a.k.a. “Punchmade Dev,” in an undated photo, wearing a diamond-covered Visa card. Image: tiktok.com/brainjuiceofficial

Turner’s lawsuit said PNC told him they would put a note on his account allowing him to withdraw the funds from any branch, but that when he visited a PNC branch and asked to withdraw the entire amount in his account — $500,000 — PNC refused, saying the money had been seized.

“Ultimately, PNC bank not only refused his request to release his funds but informed him that his funds would be seized indefinitely as \[sic\] PNC Bank,” Turner lawsuit recounts.

The Punchmade shops selling financial data that were profiled in the January story are long gone, but Punchmade’s Instagram account now promotes **punchmade\[.\]cc**, which behaves and looks the same as his older shop.

Punchmade’s current shop, which DomainTools says was registered to a Lexington, Ky. phone number used by accounts under the name of Devon Turner at multiple online retailers.

The breach tracking service Constella Intelligence finds the email address associated with Turner’s enterprise OBN Group LLC — **obndevpayments@gmail.com** — was used by a Devon Turner from Lexington to purchase software online. That record includes the Lexington, Ky. mobile phone number **859-963-6243**, which Constella also finds was used to register accounts for Devon Turner at the retailer Neiman Marcus, and at the home decor and fashion site poshmark.com.

A search on this phone number at DomainTools shows it is associated with two domain names since 2021. The first is the aforementioned punchmade\[.\]cc. The other is foreverpunchmade\[.\]com, which is registered to a Devon Turner in Lexington, Ky. A copy of this site at archive.org indicates it once sold Punchmade Dev-branded t-shirts and other merchandise.

Mr. Turner included his contact information at the bottom of his lawsuit. What phone number did he leave? Would you believe **859-963-6243?**

The closing section of Mr. Turner’s complaint includes a phone number that was used to register a popular online fraud shop named after Punchmade.

Is Punchmade Dev a big-time cybercriminal enabler, as his public personna would have us believe? Or is he some two-bit nitwit who has spent so much on custom medallions that he can’t afford a lawyer? It’s hard to tell.

But he definitively has a broad reach: His Instagram account has ~860k followers, and his Telegram channel has more than 75,000 subscribers, all no doubt seeking that sweet “C@sh App sauce,” which apparently has something to do with moving cryptocurrencies through Cash App in a way that financially rewards people able and willing to open up new accounts.

It’s incredibly ironic that Punchmade sells tutorials on how to have great “opsec,” a reference to “operational security,” which in the cybercriminal context means the ability to successfully separate one’s cybercriminal identity from one’s real-life identity: This guy can’t even register a domain name anonymously.

A copy of Turner’s complaint is available here (PDF).

For more on Punchmade, check out the TikTok video How Punchmade Dev Got Started Scamming.

Cybercrime Rapper Sues Bank over Fraud Investigation

During a "Shark Tank"-like final, each startup's representative spent five minutes detailing their company and product, with an additional five minutes to take questions from eight judges from Omdia, investment firms, and top companies in cyber.

Founder and CTO of Knostic, Sounil Yu, runs to the stage to collect his award after being announced the winner of the 2024 Startup Spotlight competition.Source: Kristina Beek

BLACK HAT USA – Las Vegas – Wednesday, Aug. 7 – Eitan Worcel, CEO of Mobb Security, last year's Startup Spotlight winner, last night announced that the torch would be passed to the 2024 winner: Knostic, an LLM access-control company. Sounil Yu, Knostic founder and CTO, was present to accept.

In the first phases of the competition, each group submitted a five-minute video pitch on behalf of their cybersecurity startup to present their company and the products and solutions it provides, whether it be in the development, launch, or newly launched stage.

After that, the selection dwindled to a select, top four finalists: LeakSignal, RAD Security, DryRun Security, and Knostic. Each made a final pitch on behalf of their companies in last night's event at Black Hat USA, in a Shark Tank\-style competition.

The panel of judges included Omdia analysts Ketaki Borade, Hollie Hennessy, and Rik Turner; Coleen Coolidge of Twilio; Trey Ford of Deepwatch; Maria Markstedter of Azeria Labs; Lucas Nelson of VC firm Lytical Ventures; and Robert J. Stratton III of startup accelerator MACH37.

**4 Unique Cyber Startups, Pitching to the Judges**

LeakSignal is an openly distributed data governance solution that aims to classify and protect sensitive data, allowing customers to set limits on internal API data access and focus on data classification. The platform blocks sensitive data before it’s logged, and redacts that data during calls to outbound third-party APIs.

The platform is built with Rust, and is designed to integrate with an organization's existing architecture. Its team's next-stage focus is to expand the support LeakSignal provides to more complex AI models, and to refine its data classification algorithms to provide a more accurate and comprehensive protection. 

RAD Security meanwhile focuses on tackling security issues surrounding cloud native development. According to the company, "For teams to achieve true resilience against emerging threats, detection and response solutions must evolve their approach beyond signature-based, one-size-fits-all solutions."

To that end, the company aims to provide customers with a custom view of what should and shouldn’t be happening in their cloud infrastructure, providing a unique and more accurate detection-and-response plan for malicious behavior. By creating fingerprints of the good behavior an enterprise is experiencing across its software supply chain, cloud native infrastructure, and workloads, RAD Security is better able to detect anomalies to that — and thus any cyberattacks the company faces. 

The third finalist, DryRun Security, is an application security company that provides automated, behavioral code reviews by interrogating code changes based on static patterns and behaviors. Ken Johnson, CTO and co-founder of DryRun, explained that after he and CEO James Wickett realized that the security industry had been anaylzing software in the same manner for years on end, they decided to build their company to create not only a developer-first tool, but also a new way of analyzing and detecting risk. The company currently conducts more than 10,000 secure code reviews for its customers, using an approach that it explains is grounded in the principles of contextual security analysis (CSA).

Rounding out the group is winning startup Knostic, comprised of 12 employees, with a pre-seed funding of $4.4 million, and which aims to ensure that internal generative AI (GenAI) tools aren't leaking sensitive data to users that shouldn't have access to it.

As GenAI tools like ChatGPT continue to gain popularity, organizations are learning that connecting a large language model (LLM) to its internal systems comes with a serious risk of exposing sensitive data. Knostic creates a knowledge control layer based on employees' permissions for accessing content.

In a demonstration during the presentation, Yu showed the audience a mock interface of an HR department user sending a message to an internal chatbot inquiring about quarterly sales revenue. Knostic's platform ensured that the actual numerical value — sensitive financial information — was not revealed, but provided additional useful information instead outlining which departments contributed the most toward the company's profitability. The same query made by a CEO however returned the actual dollar figure, as the CEO has higher clearance.

"What differentiates the two is need to know," said Yu during the presentation.

The company's product works with Copilot for Microsoft 365 for now, but the next phase is to expand support to all software-as-a-service (SaaS) tools that incorporate LLMs.

**Winner's High**

When asked how it felt to present to the crowd amongst fellow finalists, Yu tells Dark Reading that he "was preparing for disappointment" after he completed his presentation.

"It's a high stress environment," Yu says. "Your perception of time completely changes, right? I was like 'Oh, I got this in four minutes and thirty seconds. No problem.'" During his presentation, however, Yu was cut short by the five-minute timer. In hindsight, he says, the experience was great.

"I think the opportunity \[to present\] to this sort of audience is a very legitimate validation," Yu says. "All finalists deserve attention, because it means there's real value that we're producing. I'm fortunate that we were able to win, but I think we should recognize all the other contestants for the value that they brought."

Latest News