Censys uncovers the hidden infrastructure of Fox Kitten, an Iranian cyberespionage group. It reveals unique patterns, potential new…

Censys uncovers the hidden infrastructure of Fox Kitten, an Iranian cyberespionage group. It reveals unique patterns, potential new IOCs, and actionable recommendations to protect your organization from Fox Kitten attacks.

Censys, a threat hunting and attack surface management platform has released new details regarding the infrastructure of the Iranian cyberespionage group called Fox Kitten using data from a joint Cybersecurity Advisory (CSA) by the FBI, CISA, and DC3. Censys identified a significant number of additional hosts that likely belong to the Fox Kitten infrastructure, expanding the scope of the threat.

In its report, shared with Hackread.com ahead of its publication on Wednesday, Censys illuminated the unique patterns and potentially new indicators of compromise used by Fox Kitten, which is known for targeting organizations worldwide.

Using these patterns, Censys could find previously undiscovered active hosts that boasted matching patterns and Autonomous Systems (ASs) such as Hosts D, E, and G, which could be part of the same infrastructure and may be used in future attacks. Matching domain IOCs were used to identify Host G, and matching ASs were used to identify Hosts J & C.

The data was analyzed using techniques like Host Profiling, Pattern Recognition, Link Analysis, and Historical Analysis. Host profiling involves analyzing individual hosts’ characteristics, pattern recognition identifies recurring patterns, link analysis examines relationships between infrastructure elements, and historical analysis compares current data with historical records to identify trends.

Further probing revealed that the attackers used various techniques to obfuscate their infrastructure, such as using dynamic IP addresses, distributing infrastructure across multiple Autonomous Systems (ASNs), and using misleading certificate names to disguise malicious activity.

Censys found two domain IOCs (api.gupdate.net and githubapp.net) on active IPs not listed in the CSA. Some domain IOCs were found on Fox Kitten IPs before or after the CSA timeframe. All domain IOCs were found in 64 valid certificates, requiring further monitoring.

Further research revealed commonalities such as geolocation in London, Stockholm, Frankfurt, Tel Aviv, and Los Angeles, shared Autonomous Systems (AS) numbers, unique patterns in Hosts D, E, and G, timeframe discrepancies on some hosts outside the CSA timeframe, and 38,862 additional potentially malicious hosts with similar characteristics. These findings suggest a honeypot-like design and a potential connection between the hosts.

By delving deeper into the Fox Kitten infrastructure, Censys has provided valuable insights into the group’s operations and tactics. These patterns and commonalities can be used to identify other active hosts and certificates that may be part of the same Fox Kitten infrastructure.

Defenders can use IOCs and known periods of nefarious activity to study host and certificate profiles before, during, and after reported attacks, conduct dynamic searches across public scan datasets like Censys to observe how threats may set up new infrastructure, and stay ahead of threat actors.

1.  **Iranian State Hackers Partner Up for Large-Scale Attacks, Report**
2.  **Iran’s MuddyWater Hits Saudis and Israelis with BugSleep Backdoor**
3.  **Iranian Hackers Team Up with Ransomware Gangs in Attacks on US**
4.  **Iran’s Peach Sandstorm Deploy FalseFont Backdoor in Defense Sector**
5.  **Iran’s Mint Sandstorm APT Hits Universities with Hamas-Israel Phishing**

Censys Uncovers Hidden Infrastructure of Iranian Fox Kitten Group

A server misconfiguration exposed a trove of documents belonging to FleetPanda, a leading petroleum and fuel industry software…

A server misconfiguration exposed a trove of documents belonging to FleetPanda, a leading petroleum and fuel industry software provider. Sensitive data including invoices, driver applications, and personal information was exposed. Learn about the potential risks and how to protect yourself.

A major server misconfiguration exposed nearly one million documents belonging to FleetPanda, a leading software provider serving the petroleum and fuel industry. The exposed data included sensitive information such as invoices, driver applications, license images, and background checks in.PDF, .jpg, and other image formats.

The incident was discovered by cybersecurity researcher Jeremiah Fowler, who reported the incident to WebsitePlanet. The exposed database, which was left unprotected without any password or security authentication, contained 780,191 documents with a size of 193 GB. The documents revealed shipments of fuel and petroleum to and from numerous companies, industries, and even pipelines.

Fowler also discovered documents containing fuel and petroleum shipments, invoices, delivery tickets, and other business-related records in folders from 2019 to August 2024 and linked to various states including delivery details from California, Oregon, Texas, Colorado, and Oklahoma. The files included drivers, licenses, stores, synctrucks, vehicles, and workers. 

Further probing according to WebsitePlanet’s report shared with Hackread.com ahead of publishing, revealed that the database contained potentially sensitive information, including high-resolution images of driver’s licenses and employment applications with SSN (Social Security Numbers) and PII. The exposed business records and personal data could raise security and privacy concerns. However, it is unclear whether FleetPanda managed the database or a third party.

For your information, FleetPanda is a California-based company providing dispatch management, driver app, reporting and analytics, invoicing, and other services to the petroleum and fuel industry. 

The exposure of sensitive data can lead to a wide range of risks. Personal information, such as social media and driver’s license details, can be used for identity theft, causing financial loss and reputation damage. Criminals can create fraudulent invoices using the exposed invoices and trick organizations into making unauthorized payments. 

The server misconfiguration could potentially disrupt the supply chain of the petroleum and fuel industry, leading to shortages and price increases. Moreover, the exposed data could be used to launch targeted cyberattacks against FleetPanda’s customers or other organizations in the industry.

For instance, a sample screenshot shows an invoice for 9,900 gallons of diesel fuel, valued at $41,000, due to the high retail cost of diesel fuel in the US. This high value of money could make the industry a potential target for criminals in the high-value market.

Fowler recommends organizations should store “important employee data separately from standard operating and business documents” like invoices. In addition, organizations should implement strong access controls, regularly update software and systems, educate employees on cybersecurity best practices, and monitor networks and systems for signs of unauthorized access or server misconfiguration to protect against such incidents.

1.  **Data Leak Exposes Business Leaders and Top Celebrity Data**
2.  **2 TB of ServiceBridge Data Exposed in Cloud Misconfiguration**
3.  **Unsecured Database Exposed 39 Million Sensitive Legal Records**
4.  **Millions of US Voter Data Exposed in 13 Misconfigured Databases**
5.  **Mexico’s Largest ERP Provider ClickBalance Exposes 769M Records**
6.  **Database Mess: Aussie Food Giant Patties Foods Leak Trove of Data**

Server Misconfiguration at Fuel Industry Software Provider Exposes SSNs, PII Data

Austin, TX, 18th September 2024, CyberNewsWire

**Austin, TX, September 18th, 2024, CyberNewsWire**

Research indicates that an infostealer malware infection is often a precursor to a ransomware attack

SpyCloud, the leader in Cybercrime Analytics, today announced new cybersecurity research highlighting the growing and alarming threat of infostealers – a type of malware designed to exfiltrate digital identity data, login credentials, and session cookies from infected devices. SpyCloud’s latest findings reveal the staggering scale of identity exposure caused by infostealers, the influence this type of malware has had on the surge in ransomware incidents, and the profound implications for businesses worldwide.

****Massive scale of identity exposure creates new risks****

According to SpyCloud, 61% of all data breaches in the past year were malware-related, with infostealers responsible for the theft of 343.78 million credentials. These stolen credentials are then sold in criminal communities for use in further attacks.

The research also found that one in five individuals has been a victim of an infostealer infection. Each infection, on average, exposes 10-25 third-party business application credentials, creating fertile ground for further access and exploitation, particularly by ransomware operators.

> “Our latest findings reveal a critical shift in the cybersecurity landscape,” said Damon Fleury, chief product officer at SpyCloud. “Infostealers have become the go-to tool for cybercriminals, with their ability to exfiltrate valuable data in a matter of seconds, creating a runway for cyberattacks like ransomware off the vast amounts of stolen access to SSO, VPN, admin panels, and other critical applications.” 

****Infostealers: The precursor to ransomware attacks****

The link between infostealers and ransomware is becoming increasingly evident. Through deep analysis of recaptured infostealer logs, SpyCloud discovered a worrying trend: companies with employees and contractors who are infected with infostealer malware are significantly more likely to experience a ransomware attack. In fact, nearly one-third of companies that suffered a ransomware attack last year had previously experienced an infostealer infection. According to the report, this is based on publicly known incidents and confirmed ransomware events. The true exposure is potentially even higher as not all ransomware incidents are made publicly available. 

> “The correlation between infostealer infections and subsequent ransomware attacks is a wake-up call for businesses,” said Trevor Hilligoss, vice president of SpyCloud Labs, SpyCloud. “However, this field is incredibly complex and fast-moving. This year, we’re seeing new infostealers families that make use of expanded capabilities such as advanced encryption to stay stealthy or the ability to restore expired authentication cookies for more persistent access.” 

****The rise of Malware-as-a-Service and account takeover attacks****

The infostealer threat is further exacerbated by the rise of Malware-as-a-Service (MaaS). This off-the-shelf model allows even low-skilled cybercriminals to purchase and deploy sophisticated malware, including infostealers, with ease. Through MaaS, these criminals can acquire fresh and accurate identity data in bulk, fueling the cycle of cybercrime.

SpyCloud’s findings also shed light on the evolution of account takeover (ATO) attacks, powered by infostealers. Unlike traditional ATO, which relies on stolen credentials (username and password combinations), next-generation ATO leverages stolen session cookies to sidestep traditional authentication methods in what is known as session hijacking. By taking over these already-authenticated sessions, cybercriminals can mimic legitimate users and infiltrate networks undetected. This method significantly increases the success rate of attacks and poses a severe threat to organizational security.

> “The sheer volume of credentials and session cookies being siphoned by infostealers is staggering,” said Hilligoss. “In the last 90 days alone, SpyCloud has recaptured over 5.4 billion stolen cookie records – with an average of nearly 2,000 exposed records per infected device. This vast trove of data is increasingly used by ransomware operators and initial access brokers to facilitate their attacks, highlighting the need for advanced defense strategies.”

****Antivirus, MFA and traditional defenses are no longer enough****

At least 54% of devices infected with infostealers in the first half of 2024 had antivirus or endpoint detection and response (EDR) solutions installed, underscoring the limitations of traditional cybersecurity measures in combating the techniques used by modern cybercriminals. 

Furthermore, infostealers and session hijacking attacks render multi-factor authentication (MFA) and passwordless authentication methods like passkeys ineffective. By hijacking already-authenticated sessions, cybercriminals can impersonate legitimate users and side-step even the most robust authentication methods.

****The call for next-generation cybersecurity****

The findings from SpyCloud make it clear: traditional malware mitigation is no longer sufficient and ignoring the problem only exacerbates the impact on businesses. Organizations must move beyond merely removing infections and focus on remediating the long-term risks posed by exposed data. This includes resetting compromised application credentials and invalidating session cookies siphoned by infostealers.

By understanding the risks posed by infostealers and working to mitigate the data that has been exfiltrated, organizations are able to limit the likelihood of devastating cyberattacks such as ransomware that stem from this stolen data. SpyCloud remains committed to helping organizations navigate these challenges and safeguard their digital assets.

Readers can download the full 2024 Malware and Ransomware Defense Report.

To learn more about how SpyCloud helps organizations defend against ransomware, readers can visit https://spycloud.com/use-case/ransomware-prevention/. 

**About the SpyCloud 2024 Malware and Ransomware Defense Report**

For this fourth annual report, SpyCloud surveyed 510 individuals in active cybersecurity roles within organizations in the US and the UK with at least 500 employees. The report examines the top concerns and real-life impacts of ransomware, including popular entry points, ransom payments, and the cumulative costs of these attacks to the business. It also highlights key cyber threat prevention strategies and future security priorities identified by these experts.

**About SpyCloud**

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated identity threat protection solutions leverage advanced analytics to proactively prevent ransomware and account takeover, safeguard employee and consumer accounts, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include more than half of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights on their company’s exposed data, readers can visit spycloud.com

**Contact**

**EVP, Public Relations**  
**Katie Hanusik**  
**REQ on behalf of SpyCloud**  
**\[email protected\]**

SpyCloud Unveils Massive Scale of Identity Exposure Due to Infostealers, Highlighting Need for Advanced Cybersecurity Measures

Cary, North Carolina, 18th September 2024, CyberNewsWire

**Cary, North Carolina, September 18th, 2024, CyberNewsWire**

INE Security is proud to announce that it has been named a winner in the prestigious 2024 SC Awards, named Best IT Security-Related Training Program. This designation underscores INE Security’s commitment to excellence and leadership in the cybersecurity industry.

The SC Awards, now in its 27th year, recognize the solutions, organizations, and individuals that have demonstrated outstanding achievement in advancing the security of information systems. This year’s awards were presented across 33 categories, celebrating both established industry leaders and emerging innovators.

INE Security stood out among a competitive field of entries, demonstrating its innovation in addressing the evolving cybersecurity landscape. The Best IT Security-Related Training Program award highlights INE Security’s efforts to deliver practical, effective solutions that safeguard against today’s complex threats.

> “We are thrilled to receive the 2024 SC Excellence Award for Best IT Security-Related Training Program. This recognition highlights our relentless pursuit of excellence and innovation in cybersecurity training,” said Dara Warn, CEO of INE Security. “At INE Security, we are committed to empowering professionals and organizations with the skills they need to defend against the ever-evolving cybersecurity threats. This accolade not only reflects our commitment to the highest standards of training but also motivates us to continue advancing the field of cybersecurity education.”

The SC Awards are presented by SC Media, a trusted cybersecurity resource, and evaluated by a panel of independent industry experts. Winners are selected based on their contributions to innovation, their ability to address the cybersecurity industry’s critical challenges, and their demonstrated impact on protecting organizations.

> “These award recipients represent the very best of what the cybersecurity community has to offer,” said Tom Spring, Editorial Director at SC Media. “Each winner has shown a commitment to advancing the industry with forward-thinking solutions and an ability to adapt to new challenges. Their contributions help drive progress in securing our digital environments.”

 INE Security has been recognized among the best cybersecurity training platform in 2024 by numerous organizations including:

*   G2 as an online course provider and technical training provider
*   G2’s 2024 Best Software Awards for Education Products 
*   Security Boulevard’s list of the Top 10 Hacking Certifications for both the Certified Professional Penetration Tester (eCPPT) and Web Application Penetration Tester eXtreme (eWPTX) certifications

The SC Awards were evaluated by a distinguished panel of judges, including cybersecurity professionals, industry leaders, and members of the CyberRisk Alliance community from sectors such as healthcare, financial services, education, and technology.

The full list of 2024 SC Awards winners: https://www.scmagazine.com/sc-awards

**About INE Security:**

INE Security is the premier provider of online networking and cybersecurity training and certification. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers. INE Security’s suite of learning paths offers an incomparable depth of expertise across cybersecurity and is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**About CyberRisk Alliance**

CyberRisk Alliance provides business intelligence that helps the cybersecurity ecosystem connect, share knowledge, accelerate careers, and make smarter and faster decisions. Through their trusted information brands, network of experts, and more than 250 innovative annual events we provide cybersecurity professionals with actionable insights and act as a powerful extension of cybersecurity marketing teams. Their brands include SC Media, the Official Cybersecurity Summits, Security Weekly, InfoSec World, Identiverse, CyberRisk Collaborative, ChannelE2E, MSSP Alert, LaunchTech Communications and TECHEXPO Top Secret.

**Contact**

**Director of Global Strategic Communication and Events**  
**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

INE Security Wins 2024 SC Excellence Award

Discover the RAMBO attack, a groundbreaking method that uses electromagnetic waves to steal data from air-gapped systems. Learn…

Discover the RAMBO attack, a groundbreaking method that uses electromagnetic waves to steal data from air-gapped systems. Learn how hackers exploit isolated networks using electromagnetic emissions to extract sensitive information securely.

Researchers at the Ben-Gurion University of the Negev, Israel have identified a new method to compromise the security of air-gapped systems. For your information, air-gapped systems are physically disconnected from the wider network and internet, limiting the transmission of sensitive data. Even if a user introduces malware through a compromised USB device, the malware cannot transmit the data to the outside world. 

However, according to university researcher Mordechai Guri, malware can tamper with RAM components and the newly discovered attack method dubbed “RAMBO” (Radiation of Air-gapped Memory Bus for Offense) exploits the electromagnetic emissions from the computer’s memory buses to transmit sensitive information.

It makes sense because RAM data transfer generates electromagnetic fields, radiating energy at a frequency influenced by clock speed, data width, and architecture, and a transmitter can modulate memory access patterns to create an electromagnetic covert channel, Guri noted in a recently published paper.

****How the Attack Works****

The attack involves deploying malware on an isolated system, either through an infected USB drive, an insider, or by compromising the supply chain. The malware will manipulate memory operations to generate radio signals that encode sensitive data such as files, images, keystrokes, biometric information, and even encryption keys. 

These signals, transmitted through the air, can then be intercepted by an attacker using a simple software-defined radio (SDR) device and a basic, off-the-shelf antenna. RAMBO will then exfiltrate encoded files, exposing the data at 1,000 bits per second. Tests were conducted from up to 7 meters distance.

The method is slow and requires a person to be relatively close, and file transfer is slower than dial-up. Keylogging can be done in real-time with 16 bits per key (Unicode), and a 4096-bit RSA encryption key can be exfiltrated at 41.96 sec at low speed and 4.096 bits at high speed.

However, biometric information, small files, and documents take 400 seconds at low speed to a few seconds at fast speeds. While it may not be suitable for stealing large files or databases, it can still be used to steal keystrokes, passwords, or other data that doesn’t take up too much space.

> “By precisely controlling the memory-related instructions, arbitrary information can be encoded and modulated on the electromagnetic wave. An attacker with a software-defined radio (SDR) can receive the information, demodulate it, and decide.”
> 
> Mordechai Guri

****The Threat to Security****

In his previous research, Dr. Guri and his team demonstrated how attackers can steal data from air-gapped PCs through SATA Cables. Another research released by Dr. Guri demonstrated how an air-gapped PC could be compromised by turning its RAM into Wi-Fi card.

Now RAMBO can have significant implications given that Air-gapped systems are often used in highly sensitive environments, such as military installations, financial institutions, and critical infrastructure. The ability to exfiltrate data from these isolated systems poses a serious threat to national security, privacy, and economic stability.

The researcher proposes countermeasures such as physical isolation techniques like Faraday cades, advanced intrusion detection systems, and external radio monitoring. However, these measures may have limitations or introduce additional overhead. Further research is needed to develop more effective countermeasures and develop new techniques for detecting and preventing such attacks.

1.  Malware can extract data from air-gapped PC via power supply
2.  Night Vision Enabled Security Cameras Secretly Transfer Your Data
3.  Hackers can steal data from air-gapped PC using screen brightness
4.  Malware can Convert your Headphones into Microphone for Hackers
5.  Hackers can steal data from Air-Gapped PCs with microphones, speakers

RAMBO Attack: Electromagnetic Waves Steal Data from Air-Gapped Systems

RansomHub ransomware group leaks alleged 487 GB of sensitive data stolen from Kawasaki Motors Europe (KME), following a…

RansomHub ransomware group leaks alleged 487 GB of sensitive data stolen from Kawasaki Motors Europe (KME), following a cyberattack. The breach includes business documents and financial data, raising cybersecurity concerns for global firms.

The notorious RansomHub ransomware group has leaked 487 gigabytes of data it allegedly stole from Kawasaki Motors Europe (KME). This cyberattack was publicly **disclosed** by Kawasaki last week, though the company emphasized that the attack had not been successful in its aims.

As a preventive measure, Kawasaki temporarily isolated its servers and initiated a thorough “cleansing process” to detect any potential infections. However, despite Kawasaki’s recovery efforts, RansomHub went ahead with the data release. On September 5, 2024, the group listed the stolen information on the dark web, utilizing its official dark web leak sites to dump the data.

As seen by the Hackread.com research team, among the exposed files are critical business documents, including financial information, banking records, dealership details, and internal communications.

A partial list of the leaked data includes directories titled “Dealer Lists,” “Financing Kawasaki,” “COVID,” “Trading Terms,” and more, with timestamps showing activity as recent as early September.

Screenshot from the dark web leak site of the RansomHub Ransomware Group (Screenshot credit: Hackread.com)

**Kawasaki’s Response and Cybersecurity Strategy**

While Kawasaki Motors Europe disclosed the breach to its customers, it appears that the company opted not to engage with the ransom demands. **Jason Soroko**, Senior Fellow at Sectigo, speculated that Kawasaki may have prioritized system restoration over paying the ransom.

He suggested that this decision reflects Kawasaki’s readiness to deal with the potential fallout of a data breach, emphasizing the importance of having strong cybersecurity systems in place to avoid financial damage through ransom payments.

_“_Kawasaki Motors Europe’s official statement claimed they could take the hit with the data versus the financial hit of paying the ransom, however, the RansomHub group released 487 GB of allegedly stolen data. This suggests, but does not prove, Kawasaki chose not to negotiate with the attackers, prioritizing system restoration and data cleansing._“_

Soroko added that Kawasaki’s stance might serve as a model for other companies: instead of negotiating with cybercriminals, businesses should focus on recovery and work to fortify their systems against future attacks.

He also pointed out the need for organizations, especially in the United States, to enhance their cybersecurity infrastructure, prepare for such incidents, and collaborate with government authorities to better handle ransomware threats.

_“_Given RansomHub’s increased activity, US companies should bolster cybersecurity measures, prepare robust incident response plans, and avoid paying ransoms, aligning with government advisories. Staying informed about such threats and collaborating with authorities can mitigate risks and protect sensitive data,_“_ he explained.

**The Role of RansomHub**

RansomHub is a notorious player in cybercrime especially ransomware attacks, having made headlines recently for its involvement in other major breaches. Earlier this month, the group claimed responsibility for **hacking Planned Parenthood** and stealing 93 gigabytes of sensitive data.

This trend of increased activity exposes the growing threat posed by ransomware groups, which often target high-profile organizations in sectors ranging from healthcare to manufacturing.

1.  **PythonAnywhere Cloud Platform Abused for Hosting Ransomware**
2.  **Qilin Ransomware Upgrade: Now Steals Google Chrome Credentials**
3.  **Russian Hackers Hit Mail Servers in Europe for Political, Military Intel**
4.  **Xplain Hack: Play Ransomware Leaks Sensitive Swiss Government Data**
5.  **Hackers hit Europe’s largest healthcare provider with Snake ransomware**

RansomHub Ransomware Gang Leaks 487GB of Alleged Kawasaki Europe Data

Flare, the layer-1 blockchain for data, has introduced the Flare Time Series Oracle version 2 (FTSOv2) on its…

Flare, the layer-1 blockchain for data, has introduced the Flare Time Series Oracle version 2 (FTSOv2) on its mainnet. This upgrade builds on the robust foundation of FTSOv1, which has provided consistent, decentralized data feeds since its launch two years ago. FTSOv2 aims to improve the latency, scalability and cost-effectiveness of the original system, which has experienced zero downtime or failures since inception.

FTSOv2 is enshrined into Flare’s core architecture, benefiting from the network’s full economic security. This ensures that every data feed is as secure as the blockchain itself. One of the key enhancements of FTSOv2 is its reduced latency. FTSOv2 updates with every new block on Flare, roughly every 1.8 seconds. This provides developers and users with more immediate and reliable access to data, which is crucial for a range of applications.

FTSOv2 achieves this speed without sacrificing decentralization. Each feed is supported by around 100 independent data providers, selected by users who delegate their stake, imposing a strict economic cost for misbehaviour. Currently, around 67% of the FLR’s circulating supply is used to secure FTSO.

The upgrade also introduces a significant increase in scalability. FTSOv2 can now support up to 1,000 feeds across various asset classes, including cryptocurrencies, equities, and commodities. FTSOv2 achieves this while remaining highly cost-effective, with all crypto feeds being free to query onchain!

****Real-world use case****

Lending and borrowing platforms can benefit from improved speed to ensure more efficient collateral usage and protect users against bad liquidations. In the area of perpetual futures and options, faster Oracle inputs can improve risk management for the entire platform. Cross-chain order books can also benefit from accurate pricing data provided by FTSOv2, ensuring smooth and secure transactions across different blockchain networks.

Moreover, the system can be applied to real-world assets, such as on-chain treasury yields, enabling further integration between traditional finance and blockchain technology.

**Under the hood**

FTSOv2 operates using a manipulation-resistant randomness algorithm to select data providers every 1.8 seconds, allowing them to submit fixed incremental updates to feeds. To ensure the long-term accuracy of the feeds, a commit-reveal process is run across all data providers every 90 seconds. In times of high market volatility, the system can increase the number of data providers submitting updates to ensure timely responses to price fluctuations.

Developers looking to integrate FTSOv2 into their applications can do so with ease, requiring fewer than 10 lines of code to query real-time data, such as FLR/USD prices. Flare offers resources and support through the Flare Developer Hub, as well as a community on Discord for ongoing discussions and assistance.

****About Flare Network****

Flare is the blockchain for data: an EVM smart contract platform specifically designed to support data-intensive use cases, including Machine Learning/AI, RWA tokenization, gaming and social.

With decentralized, enshrined oracles secured at the network layer, Flare is the only smart contract platform optimized for decentralized data acquisition – price & time series data, blockchain event & state data, and web2 API data.

By giving developers trustless access to the broadest range of data and data proofs at scale and for minimal cost, Flare expands the utility of blockchain and supports the development of new and improved use cases.

Flare’s FTSOv2 Launch Sets A New Standard For Decentralized Data

Boston, USA, 16th September 2024, CyberNewsWire

**Boston, USA, September 16th, 2024, CyberNewsWire**

Analysis of millions of real-world NHI secrets by Entro Security Labs reveals widespread, significant risks, emphasizes need for improved Secrets Management security practices   

Entro Security, pioneer of the award-winning Non-Human Identity (NHI) and Secrets Management platform, today released its research report, “2025 State of Non-Human Identities and Secrets in Cybersecurity.” The Entro Security Lab found that 97% of NHIs have excessive privileges increasing unauthorized access and broadening the attack surface, and 92% of organizations are exposing NHIs to third parties, also resulting in unauthorized access if third-party security practices are not aligned with organizational standards. Surprisingly, 44% of tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, code commits and more. Such practices put sensitive information at serious risk of being intercepted and exposed–the root of all secrets and non-human identity breaches. 

Entro Security Labs’ research reveals alarming trends in the handling of both human and NHIs, with significant misconfigurations and risks prevalent across organizations. Key findings include: 

*   For each human identity, there are an average of 92 non-human identities. An overwhelming number of non-human identities increases the complexity of identity management and the potential for security vulnerabilities 
*   91% of former employee tokens remain active, leaving organizations vulnerable to potential security breaches 
*   50% of organizations are onboarding new vaults without proper security approval which can introduce vulnerabilities and misconfigurations from the outset 
*   73% of vaults are misconfigured, also leading to unauthorized access and exposure of sensitive data and compromised systems 
*   60% of NHIs are being overused, with the same NHI being utilized by more than one application, increasing the risk of a single point of failure and widespread compromise if exposed 
*   62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure 
*   71% of non-human identities are not rotated within the recommended time frames, increasing the risk of compromise over time 

Additional findings are discussed in the report and reveal a critical need for organizations to reassess their NHIs and secrets management practices.  

Data from this report has been collected using a mixed-methods approach, integrating quantitative data analysis with qualitative insights derived from industry observations. The quantitative component focuses on statistical analysis of security incidents and vulnerabilities, while the qualitative aspect provides context and interpretation of these findings within the broader cybersecurity landscape. The data sources include proprietary data from Entro’s cybersecurity infrastructure, secondary data from publicly available industry reports and survey data from IT and security professionals. 

Entro’s complete research report on non-human identities is available on their website. 

To learn more or schedule a demo, please visit https://entro.security/demo/.  

**About Entro Security** 

An award-winning pioneer platform, Entro Security provides Non-Human Identity Lifecycle Management, Secrets Security and Non-Human Identity Detection and Response. Unlike traditional methods that reactively scan for exposed secrets, Entro integrates seamlessly within an organization’s existing vaults, and secret creation and exposure locations, offering a single pane of glass to securely use and manage non-human identities and secrets at scale. Headquartered in Boston and backed by top cybersecurity VCs, Entro was named a Cool Vendor by Gartner, Venafi’s Most Promising Machine Identity startup and is a 2023 Globee Awards Winner for Startup Achievement of the Year. For more information, please visit https://www.entro.security. 

**Contact**

**Senior Account Executive**  
**Hannah Sather**  
**Montner Tech PR**  
**\[email protected\]**

Entro Security Labs Releases Non-Human Identities Research Security Advisory

DeltaPrime DeFi platform suffers a $5.98M hack on the Arbitrum chain due to a private key leak. The attack compromised several liquidity pools, and the team is working on asset recovery and minimizing user losses.

In the early hours of September 16, 2024, DeltaPrime, a prominent decentralized finance (**DeFi**) platform, announced that its Arbitrum-based protocol, DeltaPrime Blue, was exploited in a cyber attack that drained approximately $5.98 million.

According to an official tweet from DeltaPrime at 9:55 AM, the exploit occurred at 6:14 AM CET and was traced to a compromised private key. The team reassured users that the issue is limited to the **Arbitrum chain**, with the Avalanche-based DeltaPrime Red unaffected due to its use of multisig wallets and cold storage for added security.

The company emphasized that they are actively working on asset retrieval and that the platform’s insurance pool is expected to cover losses where possible. Additionally, DeltaPrime is exploring further measures to minimize user losses, pledging ongoing updates through social media and Discord.

> DeltaPrime Blue exploited, this is the current status:
> 
> At 6:14 AM CET DeltaPrime Blue (Arbitrum) was attacked and drained for $5.98M. This was due to a compromised private key, the source of which is currently under investigation.
> 
> DeltaPrime Red (Avalanche) is not vulnerable…
> 
> — DeltaPrime (@DeltaPrimeDefi) September 16, 2024

The attack was first flagged by Cyvers Alerts, a blockchain security platform, which detected suspicious transactions related to DeltaPrime Blue on the Arbitrum chain. In a tweet at 7:36 AM, Cyvers reported multiple suspicious transactions draining liquidity pools, such as DPUSDC, DPARB, and DPBTCb.

They noted that the attacker had already swapped large amounts of USDC for ETH, with the total loss estimated at $4.5 million at the time. An hour later, Cyvers updated their estimate, stating that the losses had increased to $5.93 million, confirming that the attacker had taken control of the private key for DeltaPrime’s admin wallet, allowing them to upgrade proxy contracts and direct them to malicious ones.

> 🚨ALERT🚨@DeltaPrimeDefi has faced a security incident on their admin keys.  
> Attacker had control on the private key of 0x40e4ff9e018462ce71fa34abdfa27b8c5e2b1afb  
> then he upgraded the proxy!
> 
> So far $5.93M has been drained!
> 
> Want to keep your company off our alerts radar? Learn… https://t.co/yOmNZJyp5l pic.twitter.com/lztFvXVmfI
> 
> — 🚨 Cyvers Alerts 🚨 (@CyversAlerts) September 16, 2024

In a comment to Hackread.com, **Meir Dolev,** CTO of CyVers stated _“_The hacker took control of the admin wallet for DeltaPrime’s proxy contracts, later upgrading these contracts to point to his malicious contract, which enabled the draining of the pools on the Arbitrum chain. The total loss is around $5.9 million USD._“_

As the investigation continues, DeltaPrime assures users that their funds on Avalanche remain secure, while they focus on resolving the situation on Arbitrum. Stay tuned, this article will be updated accordingly.

1.  **6 of the Best Crypto Bug Bounty Programs**
2.  **Crypto Scammer Returns $9.27M Out of $24M Crypto Theft**
3.  **Crypto Exchange FixedFloat Hacked: $26M in BTC, ETH Stolen**
4.  **Hackers Stole $59M of Crypto Via Malicious Google and X Ads**
5.  **Crypto losses reach $1.75 Billion in 2023; CeFi and Hacks Blamed**

DeltaPrime Suffers $5.98M Loss as Hacker Exploits Admin Key on Arbitrum

A hacker known as IntelBroker claims to have breached the UK-based company Experience Engine, allegedly exposing sensitive data.…

A hacker known as IntelBroker claims to have breached the UK-based company Experience Engine, allegedly exposing sensitive data. The hacker is selling the data on an online forum, raising concerns about data security for affected clients and businesses.

The notorious IntelBroker hacker has claimed responsibility for breaching Experience Engine, a UK-based company that provides experiential marketing and promotional staffing services. The hacker, who was previously linked to several high-profile data breaches, is now selling the allegedly stolen data on Breach Forums, demanding payment in **Monero** (XML) cryptocurrency to remain anonymous and untraceable.

****Who is Experience Engine?****

Experience Engine, founded over 20 years ago, specializes in creating experiential marketing and promotional staffing solutions. With a global reach and a client base that includes major corporations; they work across sectors such as tech, public sectors, and fast-moving consumer goods (FMCG) brands, offering a network of over 1,200 “Experience Engineers™.”

These professionals are tech-trained to help businesses engage with customers through activations, events, and brand ambassador roles. The company claims to offer access to over 200,000 properties worldwide, focusing on integrating campaigns and humanizing complex technological messages for brands.

Screenshot from Experience Engine’s website highlighting its portfolio

****The Alleged Breach****

According to IntelBroker, the breach occurred in September and involves a trove of sensitive data. The hacker is also offering to sell entire .bak database files, which contain a large amount of client and transactional information. IntelBroker has even provided sample data, which includes details from tables such as dbo.invoice and dbo.booking_backup, containing thousands of rows of sensitive records.

One of the notable tables, dbo.invoice, includes 31,000 rows of data, with fields such as InvoiceID, InvoiceNumber, and InvoiceDate, alongside client-specific information such as contact details and invoice amounts. For instance, one invoice dated October 3, 2006, references Thomas Cook, a now-defunct global travel group, headquartered in the United Kingdom with payment details and banking information related to a booking at the now permanently closed Thirty Thirty New York City Hotel.

InterBorken hacker on Breach Forums (Screenshot: Hackread.com)

Another table, dbo.booking_backup, contains 784,000 rows of data, featuring sensitive customer information such as names, addresses, emails, booking histories, and revenue data. Among the entries are details of clients from the UK, United States, and Saint Lucia, with personal information, email addresses, and booking records all included.

The data sample provided by IntelBroker reveals alarming details of the alleged breach. The exposed data includes highly sensitive information, including financial transactions, customer contact details, and bank account numbers.

For instance, a sample from the dbo.invoice table analyzed by the Hackread.com research team shows details of an invoice amounting to $4699.36, with full banking details for the recipient. The booking records reveal customer names, addresses, and even room revenue from bookings, which can put individuals’ privacy and financial security at risk.

Moreover, the nature of the alleged data breach suggests that Experience Engine’s security protocols may have been insufficient to prevent this large-scale leak. Given that the company manages promotional staffing and experiential campaigns for global brands, the impact on their reputation could be severe.

****IntelBroker’s Dark History****

IntelBroker is no stranger to the hacking world. The hacker has been linked to several high-profile breaches, including the following organisations:

*   **Europol**
*   **Tech in Asia**
*   **Space-Eyes**
*   **Home Depot**
*   **Facebook Marketplace**
*   **U.S. contractor Acuity Inc.**
*   **Staffing giant Robert Half**
*   **Los Angeles International Airport**
*   **Alleged breaches of HSBC and Barclays Bank**

Although the hacker’s origins and affiliates are unknown, according to the United States government, IntelBroker is alleged to be the perpetrator behind one of the **T-Mobile data breaches**.

(Screenshot: Hackread.com)

The alleged breach of Experience Engine adds another company to IntelBroker’s cybercrime portfolio. With millions of sensitive records potentially exposed, the fallout from this breach could have long-lasting consequences.

Hackread.com has reached out to Experience Engine for comment. If and when the company responds the article will be updated accordingly. Stay tuned!

1.  **UK’s Freecycle Data Breach Impacts 7 Million Users**
2.  **Exposed ICS in the US, and UK Threaten Water Supplies**
3.  **NCA Arrests Teenager in Walsall Over TfL Cyber Attack**
4.  **IntelBroker Apple Breach: Steals Source Code for Internal Tools**
5.  **UK Criminal Records Office Down in Potential Ransomware Attack**

Source

HackRead