When using the `??` operator, output escaping was missing for the expression on the left side of the operator.


Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-3xg3-cgvq-2xwr: Twig security issue where escaping was missing when using null coalesce operator

Data analysis has shown which 4-digit pin codes offer the best chances for an attacker. Are you using one of them?

Australian news outlet ABC NEWS analyzed a data set of 29 million 4-digit PIN numbers that people actually used to secure their devices, ATM withdrawals, building access, and more.

What the outlet discovered is both expected and disappointing: Too many people use insecure PIN codes to protect important parts of their lives.

Now, I feel compelled to add that I’ve always considered any four-digit string of numbers as simply too few numbers to secure anything important. It takes only 10,000 tries in a worst-case scenario for the attacker, which is not an awful lot for a determined—and sometimes machine-assisted—attacker.

My (Dutch) bank uses a five-digit number to access the app, although it still uses four digits for payments or to make withdrawals from an ATM. But that might be because that’s how the machines are programmed to work. Also, in those cases, entering the PIN itself could be considered a second factor in a multi-factor authentication (MFA) procedure since you already need to have possession of the card.

That said, ABC’s research shows that many of us are predictable when it comes to picking out our PINs. For example, it should come as no surprise that 0000 is popular since it is the default PIN code for many devices—and apparently many people don’t see the importance of changing it.

Whether this reflects our doubt in our own memory or it reflects a certain degree of laziness would require a deeper psychological analysis, but as with passwords, people tend to pick easy-to-remember options that are, for instance, the same digit repeated four times over, or a predictable sequence of four digits, such as 1234. They also prefer numbers that are easy to type, like the figure “2580” which goes straight down the numberpad.

2580 is ranked 28

Other predictable numbers stem from the fact that we use birthdays and birth-years so we can easily remember the PIN code. This is why we see a lot of pin numbers that start with 19 for a year or where the first digit of a month is either a 0 or a 1 which comes in the first or third place of the code, depending on the way you format your dates.

The worrying part is that by trying the first the options in the list ranked by popularity, an attacker can raise his chances of a breach to 11.7 %.

In some cases the attacker may only have five chances, so guess which ones they will be trying.

I have copied the top 10 PIN codes, so you can get an idea of which codes to avoid or change to improve the security level of them.

**Ranking**

**Code**

**Popularity**

1

**1234**

9.0%

2

**1111**

1.6%

3

**0000**

1.1%

4

**1342**

0.6%

5

**1212**

0.4%

6

**2222**

0.3%

7

**4444**

0.3%

8

**1122**

0.3%

9

**1986**

0.3%

10

**2020**

0.3%

As in many situations, it’s prudent to remember that the option that is easiest to use is almost never the most secure.

 These are the 10 worst PIN codes 

Yet another spinoff of the infamous DDoS botnet is exploiting a known vulnerability in active attacks, while its threat actors are promoting it on Telegram for other attackers to use as well, in a DDoS-as-a-service model.

Source: Kirill Ivanov via Alamy Stock Photo

Yet another Mirai botnet variant is making the rounds, this time offering distributed denial-of-service (DDoS) as-a-service by exploiting flaws in Mitel SIP phones. It also features a unique capability to communicate with attacker command-and-control (C2).

Researchers at the Akamai Security Intelligence and Response Team (SIRT) identified the variant of the infamous botnet, dubbed Aquabot, that actively exploits CVE-2024-41710, a command-injection vulnerability that affects various Mitel models that are used in corporate environments, they revealed in a blog post published Jan. 29. The vulnerability relies on an input sanitization flaw, and exploitation can lead to root access of the device, SIRT researchers Kyle Lefton and Larry Cashdollar wrote in the post.

The variant is the third version of Aquabot (Akamai calls it Aquabotv3) to appear on the scene; the first version was built off the Mirai framework with the ultimate goal of DDoS, discovered in November 2023, and it was first reported by Antiy Labs. The second version of the bot "tacked on concealment and persistence mechanisms, such as preventing device shutdown and restart" that remain present in v3, the researchers wrote.

The new variant is distinct from the previous versions for a couple of reasons, the researchers said. One is a unique feature appearing first in Aquabotv3: a function named "report\_kill" that reports back to the C2 when a kill signal is caught on the infected device. So far, however, researchers have not seen any response to the function from the attacker C2.

Related:Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers

Another notable aspect of v3 of Aquabot is that the threat actors behind it have been advertising the botnet as DDoS as-a-service through platforms such as Telegram. The bot is advertised under several different names — including Cursinq Firewall, The Eye Services, and The Eye Botnet — offering Layer 4 and Layer 7 DDoS, the researchers noted.

**Active Exploitation of Mitel Phone Security Flaw**

Akamai SIRT detected exploit attempts targeting CVE-2024-41710 through its global network of honeypots in early January using a payload almost identical to a proof-of-concept (PoC) developed and released on GitHub in mid-August by Packetlabs' researcher Kyle Burns.

Burns discovered that the Mitel 6869i SIP phone, firmware version 6.3.0.1020, failed to sanitize user-supplied input properly, with multiple endpoints vulnerable to the flaw. His PoC demonstrated that an attacker could smuggle in entries otherwise blocked by the application's sanitization checks by sending a specially crafted HTTP POST request.

Related:Super Bowl LIX Could Be a Magnet for Cyberattacks

The exploitation activity that Akamai SIRT observed delivered a payload that attempts to fetch and execute a shell script called :bin.sh, which will in turn fetch and execute Mirai malware on the target system, the researchers wrote. The malware has support for a variety of different architectures, including x86 and ARM.

"Based on our analysis of the malware samples, we determined that this is a version of the Aquabot Mirai variant," specifically the latest evolution of the malware, Aquabotv3, the researchers wrote in the post.

In addition to being used in DDoS attacks, threat actors also are hawking Aquabot for DDoS-as-a-service, though they are trying to disguise the activity as "purely testing" for DDoS mitigation. However, the same domain featured in the ad promoting testing is actively spreading Mirai malware, the researchers noted.

"Threat actors will claim it's just a \[proof of concept\] or something educational, but a deeper analysis shows that they are in fact advertising DDoS as a service, or the owners are boasting about running their own botnet on Telegram," they wrote in the post.

**Mirai Botnet Remains Key Conduit for DDoS**

As the majority of botnets responsible for DDoS attacks are based on Mirai, "they predominantly target Internet of Things (IoT) devices, which makes spreading the malware relatively easy to do," the researchers noted in the post. Indeed, a recent wave of global DDoS attacks were attributed to Mirai botnet spinoffs, demonstrating that attackers aiming to leverage Mirai show no signs of slowing down.

Related:Apple Patches Actively Exploited Zero-Day Vulnerability

That's likely because "the \[return on investment\] of Mirai for an aspiring botnet author is high," because it's not only one of the most successful botnet families in the world, it's also one of the more simple ones to modify, the researchers noted.

Moreover, many IoT devices often lack proper security features, are at the end of service, or are left with default configurations and passwords either from neglect or lack of knowledge about the dangers, making them low-hanging fruit for Mirai and its variants, the researchers wrote.

No matter what an attacker's intentions are, the researchers recommended that organizations take action to secure IoT devices through discovery or changing default credentials to protect against DDoS threats.

"Many of these botnets rely on common password libraries for authentication," they wrote in the post. "Find out where your known IoT devices are, and check for rogue ones, too. Check the login credentials and change them if they are default or easy to guess."

Akamai SIRT also included a list of indicators of compromise (IoCs) as well as Snort and Yara rules in the post to aid defenders.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Mirai Variant 'Aquabot' Exploits Mitel Device Flaws

The North Korean threat actor known as the Lazarus Group has been observed leveraging a "web-based administrative platform" to oversee its command-and-control (C2) infrastructure, giving the adversary the ability to centrally supervise all aspects of their campaigns.
"Each C2 server hosted a web-based administrative platform, built with a React application and a Node.js API," SecurityScorecard's

Lazarus Group Uses React-Based Admin Panel to Control Global Cyber Attacks

Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in Whatsup Gold.   
These vulnerabilities exist in Observium, a network observation and monitoring system; Offis DCMTK, a collection of libraries and applications implementing DICOM (Digital Imaging and Communications

Wednesday, January 29, 2025 11:45

Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in Whatsup Gold.   

These vulnerabilities exist in Observium, a network observation and monitoring system; Offis DCMTK, a collection of libraries and applications implementing DICOM (Digital Imaging and Communications in Medicine) standard formats; and WhatsUp Gold, an IT infrastructure management product.  

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.   

**Observium Vulnerabilities  **

_Discovered by Marcin "Icewall" Noga._   

Two cross-site scripting vulnerabilities exist in Observium, which can lead to arbitrary JavaScript code execution, as well as one HTML code injection vulnerability. All three can be triggered by an authenticated user clicking a malicious link crafted by the attacker.  

*   TALOS-2024-2090 (CVE-2024-47140) 
*   TALOS-2024-2091 (CVE-2024-47002) 
*   TALOS-2024-2092 (CVE-2024-45061) 

**Offis Vulnerabilities  **

_Discovered by Emmanuel Tacheau._   

Three vulnerabilities were found in the Offis DCMTK libraries that support the DICOM standard format. TALOS-2024-1957 (CVE-2024-28130) is an incorrect type conversion vulnerability that can lead to arbitrary code execution, and TALOS-2024-2121 (CVE-2024-52333) and TALOS-2024-2122 (CVE-2024-47796) are improper array index validation vulnerabilities that can lead to out-of-bounds write capabilities. All can be triggered with specially crafted malicious DICOM files.  

**Whatsup Gold Vulnerabilities  **

_Discovered by Marcin "Icewall" Noga._   

Two Whatsup Gold vulnerabilities include a risk of information disclosure (TALOS-2024-1932 (CVE-2024-5017) and TALOS-2024-2089 (CVE-2024-12105)), which can be triggered by an attacker making an authenticated HTTP request. 

There is also a risk of disclosure of sensitive information (TALOS-2024-1933 (CVE-2024-5010)), and denial of service (TALOS-2024-1934 (CVE-2024-5011)). These two vulnerabilities can be triggered by an attacker making an unauthenticated HTTP request.

Whatsup Gold, Observium and Offis vulnerabilities

RuoYi v4.8.0 was discovered to allow unauthorized attackers to view the session ID of the admin in the system monitoring. This issue can allow attackers to impersonate Admin users via using a crafted cookie.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-v664-qgx9-wf79: RuoYi allowed unauthorized attackers to view the session ID of the admin in the system monitoring

Insecure permissions in RuoYi v4.8.0 allows authenticated attackers to escalate privileges by assigning themselves higher level roles.

GHSA-h5jh-rp76-q242: RuoYi has insecure permissions

An issue in the reset password interface of ruoyi v4.8.0 allows attackers with Admin privileges to cause a Denial of Service (DoS) by duplicating the login name of the account.

GHSA-qq5h-rjj9-q9qg: RuoYi vulnerable to Denial of Service by attackers with admin privileges

Managing third-party risk in the SaaS era demands a proactive, data-driven approach beyond checkbox compliance.

Source: Olekcii Mach via Alamy Stock Photo

COMMENTRY

In June 2023, the MOVEit supply chain attack served as a harsh reminder of the vulnerabilities in our software-as-a-service (SaaS) ecosystem. Third-party risk management (TPRM) in today's world of SaaS applications is no longer just about ticking boxes on a checklist. The old methods, with their static questionnaires and outdated ISO 27001 and System and Organization Controls (SOC) — SOC 1, SOC 2, and SOC 3 — reports are simply not efficient anymore. With cyber threats, such as supply chain attacks and third-party integration exploits, becoming more sophisticated, organizations need a dynamic approach to managing SaaS vendors. Embracing automation, real-time visibility, and targeted assessments are crucial steps to stay ahead of potential risks.

Let's explore how organizations that rely heavily on SaaS apps can evolve their TPRM strategies to face modern security challenges head-on.

**The Growing Complexity of SaaS Oversight**

SaaS adoption is growing rapidly, bringing organizations convenience and flexibility. According to B2BSaaS estimates, the SaaS market was valued at $273.5 billion in 2023 and is expected to grow to $1.2 trillion by 2032. However, this growth also comes with an expanded attack surface and more complex data flows. For organizations handling sensitive customer data and navigating strict regulations, these challenges are critical.

Two trends amplify these challenges:

*   Explosion of SaaS apps: Companies use hundreds of SaaS and cloud apps, many introduced without official approval, complicating security oversight. Shadow IT often results in blind spots, making it harder to assess overall security.
    
*   Evolving threat landscape: Attackers increasingly target third-party vendors. Generative AI (GenAI) has further complicated the landscape, enabling attackers to enhance tactics and exploit integration points, misconfigured cloud services, and stolen credentials. The Okta breach of 2023 demonstrated the potential scale of damage from a supply chain attack.
    

These challenges highlight the inadequacy of relying solely on traditional security questionnaires and annual SOC 2 reports. Continuous visibility into vendors' security practices is essential for effective risk management.

**The Problem With Traditional Third-Party Risk Reviews**

Traditional risk reviews involve substantial manual effort and fall short in addressing modern threats:

*   Inefficient manual processes: Manually sending, tracking, and analyzing vendor questionnaires consumes excessive time and energy and delays the resolution of security issues.
    
*   Superficial questions: Generic Yes/No queries (e.g., "Do your developers follow secure coding practices?") fail to assess the effectiveness of vendors' security measures. More specific questions, tied to real-world scenarios, often yield actionable insights.
    
*   Outdated reports: Reports like ISO 27001 and SOC 2 quickly become obsolete in evolving SaaS environments. The emergence of GenAI has further accelerated the pace of change, necessitating updated, dynamic assessments.
    

**Evolving TPRM to Handle Modern SaaS Challenges**

To tackle these issues, organizations must adopt agile, data-centric approaches to vendor security:

1.  Embrace real-time assurance through trust centers. SOC 2 reports are a starting point, but critical vendors should offer ongoing visibility through automated trust centers. Tools like Sprinto, Drata, and Vento provide real-time insights into security controls and compliance, enabling proactive decisions.
    

1.  Make questionnaires smarter. Replace generic questionnaires with tailored assessments that probe deeper. Focus on how controls are implemented and monitored. For example, shift from "Do you secure ABC?" to "How do you secure ABC, and how do you verify its effectiveness?" Questions that examine metrics and outcomes help uncover the true state of security.
    
2.  Address talent gaps and boost technical expertise. Invest in developing skills in cloud security, SaaS configuration, and API management. Training internal teams or partnering with specialized vendors can bridge expertise gaps. The SolarWinds breach of 2020 underscores the need for visibility into supply chain vulnerabilities. Workshops and certifications can enhance team capabilities, keeping them informed of evolving risks.
    
3.  Include shadow IT and "free" tools. Review unpaid apps, open source tools, and browser extensions — often overlooked but risky. Shadow IT tools, while offering productivity, introduce unknown risks. Assessing these apps before they integrate into workflows reduces unexpected exposure. Include them in audits to ensure they meet baseline security standards.
    
4.  Use modern tools, not spreadsheets. Transition from spreadsheets to SaaS security posture management (SSPM) tools, which monitor misconfigurations, excessive permissions, and suspicious activities. AI-powered tools can further analyze vendor responses and highlight inconsistencies. Leveraging these tools saves time and enhances accuracy.
    

**What Can You Do When Revamping Your TPRM Strategy**

Evolving TPRM processes isn't easy. Avoid common pitfalls:

*   Avoid risky inaction: Delaying updates to vendor management increases exposure. Start with small, impactful improvements and scale gradually.
    
*   Avoid overcommitting resources: Implement changes incrementally, prioritizing high-impact areas. This ensures resource efficiency without overwhelming teams.
    
*   Set realistic expectations for AI: Leverage AI where it adds value while recognizing its limitations. AI tools should complement, not replace, human oversight.
    
*   Ensure team alignment: Align team skills with new vendor security goals. Equip teams to manage technical assessments effectively. Feedback loops can ensure continuous improvement and alignment with organizational objectives.
    

**What We Can Take From This**

Managing third-party risk in the SaaS era demands a proactive, data-driven approach. Organizations must go beyond checkbox compliance by leveraging real-time assurance, tailored assessments, and automation. Modernizing TPRM is essential to address the complexities of SaaS security.

While challenging, particularly for smaller organizations, the benefits of preventing breaches and protecting reputations outweigh the costs. Organizations can manage expenses effectively by prioritizing critical vendors and adopting phased changes while enhancing third-party risk management. The commitment to proactive strategies ensures resilience against an ever-evolving threat landscape.

**About the Author**

Information Security Officer, IMC Trading

Jatin Mannepalli, CISSP, CCSP is an information security officer (ISO) at IMC Trading, where he brings a deep commitment to managing security and risk across organizations. With more than 10 years of experience in the InfoSec space, he has built and led information security and risk management teams, and has also worked as a security consultant for major consulting firms like McKinsey & Company. Jatin is passionate about security governance and risk management, as well as developing technology-driven, customer-focused strategies that prioritize both organizational success and client satisfaction. Known for his holistic approach, he is dedicated to fostering a culture of security that aligns with the organization’s broader goals. In addition to his professional accomplishments, Jatin is recognized as one of the top voices in Information Security on LinkedIn. In his leisure time, he volunteers to promote security awareness in local communities and contributes to the cybersecurity community by helping develop exams for ISC2.

The Old Ways of Vendor Risk Management Are No Longer Good Enough

Atomwaffen Division cofounder and alleged Terrorgram Collective member Brandon Russell is facing a potential 20-year sentence for an alleged plot on a Baltimore electrical station. His case is only the beginning.

Brandon Russell, arguably one of the most influential figures in the American neofascist revival of the past decade, is on trial this week over an alleged plot to knock out Baltimore’s power grid and trigger a race war.

The 29-year-old cofounder of the Atomwaffen Division, a neo-Nazi guerrilla organization that was responsible for five homicides and a number of bomb plots before the FBI dismantled it in 2020, Russell was arrested by federal agents in February 2023 along with his girlfriend, Sarah Clendaniel. If convicted of his charges of conspiring to destroy an energy facility, Russell could face 20 years behind bars thanks to a prior conviction and the potential penalty for his current charges.

Russell’s case represents one of the last gasps of the Biden administration’s hard-charging approach to tackling violent far-right extremism that is all but guaranteed to change during US president Donald Trump’s second term in office. It also offers a unique look inside federal law enforcement’s investigation into an insidious accelerationist propaganda network that mixes neo-Nazi ideology with nihilist, Columbine-style violence to inspire mass casualty events in the United States and beyond.

Russell allegedly hatched the plot to black out Baltimore while, according to prosecutors, participating in a noxious, prolific propaganda network hellbent on fomenting violence and chaos. The Terrorgram Collective, which took its name following a massive influx of neo-Nazis to Telegram at the end of the last decade, ran several channels on the messaging​​ app and developed a series of “how-to” domestic terrorism manuals that sought to inspire disaffected young men and women into committing mass casualty events. Terrorgram is currently designated a “tier one” extremism threat by the US Department of Justice.

To date, Terrorgram has released four publications—a blend of ideological motivation, mass-murder worship, neofascist indoctrination, and how-to manuals for chemical weapons attacks, infrastructure sabotage, and ethnic cleansing. Court records indicate there are at least three unreleased Terrorgram Collective compendiums, including “The Saint Encyclopedia” of the far-right mass killers they venerate, including Anders Breivik, Brenton Tarrant, and Timothy McVeigh; and “The List,” a collection of politicians, government officials, business leaders, journalists, activists, and other people deemed legitimate assassination targets.

The screeds appear to have directly inspired a series of ideologically motivated attacks around the world, including a 2022 mass shooting at an LGBTQ bar in Bratislava, Slovakia, successful attacks on power infrastructure in North Carolina and similar failed plots in Baltimore and New Jersey, and a stabbing spree in the Turkish city of Eskisehir. There are currently more than a dozen separate federal prosecutions around the United States that involve people alleged to be core Terrorgram Collective members or individuals allegedly inspired toward violent attacks on infrastructure or civilians.

In one of the Biden administration’s last policy moves against right-wing extremism, on January 13, the State Department formally classified the Terrorgram Collective as a Foreign Terrorist Organization, a listing usually reserved for militant groups that hold territory and have a formal real-world paramilitary structure as opposed to a loose propaganda network that seeks to inspire mass casualty events. While it is not unique—the British Home Office formally proscribed Terrorgram as an extremist organization last May, and Russell’s Atomwaffen Division was banned by the UK, Australia, and Canada—it is likely to be the last such action taken toward neo-Nazi groups by the United States government for the foreseeable future.

The Trump administration appears to be engaged in a wholesale shift away from violent far-right extremism, best illustrated by the unprecedented pardons given to more than 1,500 individuals charged or convicted of crimes during the failed insurrection of January 6, 2021, as well as the reassignment of senior Justice Department attorneys in the National Security Division.

In a set of pretrial hearings and motions over the limits of evidence in Russell’s trial, federal prosecutors convinced US District Court judge James K. Bredar to allow in evidence of Russell’s deep neo-Nazi indoctrination, including background about his founding role in the Atomwaffen Division. Russell’s alleged involvement in the Terrorgram Collective is bolstered by a pendant allegedly recovered by FBI agents in a search of his home after his February 2023 arrest: The necklace is made of swastika-bearing beads that contains a larger golden swastika pendant with “Terrorgram” inscribed along the side.

The court is taking extra precautions as the US attempts to convict Russell. Journalists’ use of phones and laptops in the courtroom is forbidden, and the judge granted some witnesses permission to testify anonymously over fears of retaliation by Russell's compatriots, some of whom have indicated in Terrorgram chats cited in court filings that they have sought to identify informants and agents involved in their cases. Clendaniel, Russell’s girlfriend, pleaded guilty in May and was later sentenced to 18 years in federal prison. It is unclear whether she will be one of the witnesses testifying against Russell.

The prosecution of Russell also offers insight to how American law enforcement and intelligence agencies collaborate with their foreign counterparts to combat the transnational far-right milieu that spawned the Terrorgram Collective.

In an unusual alliance over the past two years, lawyers from the American Civil Liberties Union’s National Security Project weighed in on Russell’s behalf during pretrial motions in an effort to reveal evidence of warrantless surveillance of the fascist figurehead by either the National Security Agency or its counterparts. Although Judge Bredar ultimately denied the ACLU’s efforts on the grounds that the material was classified, the government’s response spoke volumes about the intelligence community’s role in surveilling Russell. American intelligence documents reviewed by WIRED show the Five Eyes alliance of American, Canadian, British, Australian and New Zealander intelligence agencies were keeping tabs on the Terrorgram Collective as far back as 2021.

The presence of Terrorgram Collective members in Croatia, Denmark, Slovakia, South Africa, Canada, and elsewhere overseas, coupled with the State Department’s designation of the propaganda network as a foreign terrorist organization, also point to additional reasons the group would be subjected to the highest level of official surveillance.

Russell was on court supervision when he was picked up for the Baltimore plot nearly two years ago. In 2018, he was convicted on federal charges for possession of homemade hexamethylene triperoxide diamine, a highly unstable compound. He served a little over three years in prison and was released in August 2021. Russell’s arrest, in 2017, on illegal explosives charges, stemmed from a macabre internecine squabble within the Atomwaffen Division and a double homicide at the Tampa, Florida, apartment Russell shared with three other extremist comrades.

_Updated 7:35 am EST, January 29, 2025: Corrected the maximum sentence Russell could receive if convicted._

Latest News