Plus: A mysterious hacking group’s secret client is exposed, Signal takes a swipe at Microsoft Recall, Russian hackers target security cameras to spy on aid to Ukraine, and more.

This week, WIRED launched our Rogues issue—which included going a bit rough ourselves. WIRED senior correspondent Andy Greenberg flew to Louisiana to see how easy it would be to recreate the 3D-printed gun authorities say they found on Luigi Mangione when they arrested him for the murder of UnitedHealthcare's CEO. The result? It was both easy and legal.

On Wednesday, US, European, and Japanese authorities announced the disruption of one of the world's most widely used infostealer malware. Known as Lumma, the malware was used to steal sensitive information from victims around the world, including passwords, banking information, and cryptocurrency wallets details, according to authorities. Microsoft's Digital Crime Unit aided in the operation, taking down some 2,300 URLs that served as the Lumma infrastructure.

A mysterious database containing more than 184 million records was taken down this week following its discovery by security researcher Jeremiah Fowler. The database contained 47 GB of data, which included information related to Amazon, Apple, Discord, Facebook, Google, Instagram, Microsoft, Netflix, Nintendo, PayPal, Snapchat, Spotify, Twitter, WordPress, Yahoo, and more.

In other news, the US charged 16 Russian nationals for allegedly operating the DanaBot malware, which authorities say was used in a wide variety of attacks, from ransomware to espionage. And a recent webinar revealed how a major venture capitalist helped get Starlink satellite internet activated for Israel following the October 7, 2023 attack by Hamas.

But that's not all. Each week, we round up the security and privacy news we didn't cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

The US intelligence community is looking to create a marketplace where private information gathered by data brokers under the guise of marketing can be purchased by American spies, The Intercept reports. Contracting data shows the US spy agencies intend to create a “Intelligence Community Data Consortium” that uses AI tools to sift through people’s personal data; information that the Office of the Director of National Intelligence has previously acknowledged “could facilitate blackmail, stalking, harassment, and public shaming.” In addition to providing insight into Americans’ behaviors and religious and political beliefs, commercial data frequently includes precise location information, offering the US government the ability to surveil people’s movements without acquiring a warrant—exploiting a widely recognized loophole in US privacy law.

Federal lawmakers attempted to ban the US government from buying what it calls “commercially accessible information” last year, with the Republican-controlled House passing a version of a law known as the “Fourth Amendment Is Not For Sale Act.” However, the US Senate, then controlled by the Democratic Party, rejected the legislation.

Reporting by WIRED has repeatedly demonstrated how such data can offer US adversaries the ability to monitor the movements of US military and intelligence personnel, including in and around sensitive facilities that house nuclear arms.

**A Mysterious Hacking Group Is Revealed to Work for the Spanish Government**

Back in 2014, Russian security firm Kaspersky announced it had discovered a sophisticated hacking group it called Careto, Spanish for “Ugly Face” or “Mask,” that had targeted victims across Europe and Cuba. Now, more than a decade later, former employees of the company have finally confirmed what Kaspersky wouldn’t spell out at the time: That they believe Careto was a rare sighting of hackers working on behalf of the Spanish government. Careto’s targets included energy companies, research institutions, and activists, but it particularly focused on Cuba, likely due to the island nation’s giving refuge to members of a Spanish separatist group designated as terrorists by several European countries. Kaspersky’s researchers found a Spanish phrase in the hackers’ malware code that translates to “I shit in the sea,” an expletive phrase typically used by Spaniards but not other Spanish speakers. Given the sophistication of Careto’s hacking, the public confirmation of Kaspersky’s attribution to Spain adds another known player to the game of high-level state-sponsored hacking.

**Signal Introduces New Feature to Block Screenshots by Microsoft Recall**

Microsoft’s Recall feature, which constantly takes and archives screenshots of Windows users’ activity, still represents a serious privacy problem—even after Microsoft significantly walked back its rollout in response to criticism. So the encrypted messaging app Signal has gone so far as to exploit a digital rights management feature of Windows typically used to protect copyrighted materials to block Recall from taking screenshots of the app by default on Windows machines. After all, the Recall feature—which will likely be required for some corporate or government users—will essentially remove any privacy promise from Signal’s disappearing messages feature for both Recall users and anyone communicating with them. The screenshot-prevention feature can be turned off in Signal’s settings, but it will be turned on by default in Windows. “Microsoft has simply given us no other option,” Signal wrote in a blog post.

**Russia’s Fancy Bear Hackers Targeted Security Cameras to Spy on Ukraine Aid**

The hacker group within Russia’s GRU military intelligence agency known as APT28 or Fancy Bear first rose to infamy for its targeting of the 2016 US election, but it’s no surprise that the group has more recently focused on Ukraine. According to a new assessment from no fewer than 11 countries’ intelligence agencies, the hacker group has been targeting a broad array of technology and logistics firms involved in providing aid to Ukraine. “Dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail” have been targeted in the campaign, the advisory reads. Perhaps most notable about the agencies’ accusations is that the hackers targeted 10,000 security cameras in countries bordering Ukraine, including at border crossings, military facilities, and train stations. According to the agencies, the GRU hackers also carried out reconnaissance of the network of at least one producer of industrial control system components for railway systems—suggesting a possible intention to attempt sabotage—but didn’t actually succeed in breaching the company.

**US Indicts Russian National Over Qakbot Malware**

The US Department of Justice on Thursday indicted a Russian national, Rustam Gallyamov, on allegations that he designed software that was widely used by ransomware gangs and is known to have infected hundreds of thousands of computers, netting the gangs roughly $8.6 million in profit, according to DOJ figures. Prosecutors say more than $24 million was seized from Gallyamov, 48, over the course of its investigation. Federal charges unsealed this week allege that Gallyamov himself gained access to victims’ computers and provided it to an array of cybercriminal organizations, including Dopplepaymer, REvil, Black Basta, and Cactus, among others.

The investigation into the now disrupted malware, known as Qakbot, was announced in August 2023 under former US attorney general Merrick Garland, who credited a multinational operation that included Europol and prosecutors and law enforcement agencies in France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom. Agencies of Canada and Denmark have also been credited in the investigation that targeted Gallyamov.

The US Is Building a One-Stop Shop for Buying Your Data

Operation Endgame takes down DanaBot malware network; 300 servers neutralized, €21.2M in crypto seized, 16 charged, 20 international warrants.

In a major international operation coordinated by Europol and Eurojust, law enforcement agencies and private sector partners have successfully dismantled the DanaBot malware network.

This global effort, part of the ongoing Operation Endgame, led to federal charges against 16 individuals, the neutralization of approximately 300 servers and 650 domains worldwide between May 19 and 22, 2025, and the issuance of international arrest warrants for 20 targets. Over EUR 21.2 million in cryptocurrency has also been seized in total during Operation Endgame, including EUR 3.5 million during this latest action week.

The DanaBot malware, controlled by a Russia-based cybercrime organization, infected over 300,000 computers globally, causing at least an estimated $50 million in damages through fraud and ransomware. Among those charged by the US Department of Justice (DoJ) are Aleksandr Stepanov, 39, and Artem Aleksandrovich Kalinkin, 34, both from Novosibirsk, Russia, who remain at large.

****DanaBot’s Evolution Tactics****

DanaBot, first identified in May 2018, operated as a _malware-as-a-service_ (MaaS), renting its capabilities to other criminals. It was highly versatile, stealing banking credentials, browsing history, and even cryptocurrency wallet information, while also offering remote access, keylogging, and screen recording. Initial infections often came via spam emails. Hackread.com notably reported on DanaBot’s emergence in 2019, when Proofpoint researchers first detailed its spread.

ESET, which has carefully tracked DanaBot since 2018, confirmed its evolution into a top banking malware, noting that countries like Poland, Italy, Spain, and Turkey were historically among its most targeted.

ESET researcher Tomáš Procházka added, “Apart from exfiltrating sensitive data, we have observed that Danabot is also used to deliver further malware, which can include ransomware, to an already compromised system.”

More recently, a new version of DanaBot has been found hidden in pirated software keys for “free VPN, anti-virus software and pirated games,” tricking users downloading from bogus sites.

DanaBot Infrastructure (Source: ESET)

Beyond financial crime, the investigation revealed DanaBot’s sinister dual purpose. A variant, tracked by CrowdStrike as SCULLY SPIDER, targeted military, diplomatic, and government entities in North America and Europe for espionage, and was observed by ESET launching DDoS attacks against targets like Ukraine’s Ministry of Defense following the Russian invasion.

According to Europol’s press release, this massive takedown is an evidence to extensive international cooperation. The investigation was spearheaded by the FBI’s Anchorage Field Office and the Defense Criminal Investigative Service (DCIS), with significant assistance from Germany’s Bundeskriminalamt (BKA), the Netherlands National Police, and the Australian Federal Police.

Europol and Eurojust provided crucial coordination, with a command post at Europol HQ involving investigators from Canada, Denmark, France, Germany, Netherlands, UK, and US.

Numerous private cybersecurity companies provided critical technical assistance, including Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Team Cymru, and ZScaler. ESET Research specifically contributed technical analysis of the malware and its backend infrastructure, along with identifying DanaBot’s command and control servers.

German authorities will add 18 suspects to the EU Most Wanted list from May 23, 2025. This coordinated action is a major blow to cybercriminal networks, showing the power of global partnerships against growing cybersecurity threats.

Operation Endgame is aimed at breaking the “ransomware kill chain.” So far authorities have neutralised initial access malware like Bumblebee, Latrodectus, Qakbot, Hijackloader, Trickbot and Warmcookie.

Operation Endgame Takes Down DanaBot Malware, Neutralizes 300 Servers

Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones.

Friday, May 23, 2025 06:00

_By Darin Smith and John Arneson_

*   Cisco Talos reviewed six months of network connection telemetry logs spanning June 1, 2024 – Dec. 31, 2024, containing 3,220,829 log events and 742 unique base domains, to explore if domains that PowerShell rarely contacts are more likely to be malicious. 
*   Key findings reveal that the odds of a rare domain being malicious were 3.18 times higher than for frequently contacted domains (95% CI: 0.39–25.9), suggesting a trend towards higher risk in rare domains. 
*   Notably, the non-rare domain ‘githubusercontent.com’ was flagged as malicious due to activity from its subdomain ‘raw.githubusercontent.com’. This is an example of why subdomains should be considered when looking for malicious network traffic, especially for cloud services where the service itself is legitimate, but the content hosted on it is not guaranteed to be.  

**Research Methodology ****Hypothesis**

At a sufficiently high volume of telemetry, domain names that PowerShell rarely connects to are more likely to be malicious than domains that are frequently connected to, regardless of PowerShell module. 

**Data Collection **

Talos queried telemetry for PowerShell network connection logs from a time period of June 1, 2024 to Dec. 31, 2024. This dataset included the following processes: ‘powershell.exe’, ‘powershell studio.exe’, ‘powershell\_ise.exe’, ‘powershelltools.exe’, ‘powershelltoolsx64.exe’, ‘pwsh’, and ‘pwsh.exe’. All of these processes are different versions of PowerShell. Talos excluded non-public top-level domains (TLDs), such as internal domains, to focus on external connections.  

**Data Processing**

Using the tldextract library, Talos extracted base domains (e.g., ‘automox.com’ from ‘api.automox.com’), resulting in 742 unique base domains. Rarity was defined as an average of ≤5 average contacts per full domain, calculated by dividing the total contacts by the number of unique full domains per base domain. This threshold identified 550 rare domains (74.1% of the total).  

**Threat Intelligence and Manual Review **

Talos assessed domain reputation using ReversingLabs (RL), which flagged a domain as malicious if any third-party source indicated so. To mitigate false positives (e.g., ‘adobe.com’), 29 domains were manually reviewed and overridden as benign, and their process arguments were documented. For subdomains such as ‘raw.githubusercontent.com’ under ‘githubusercontent.com’, the process arguments in those logs were manually reviewed, flagging 5 out of 10 connections as malicious based on commands like downloading PowerSploit or executing Invoke-Mimikatz, ensuring comprehensive threat detection.

**Findings & Analysis ****Domain Contact Distribution **

The distribution of contacts was heavily skewed: 

*   **Percentiles**: 60th percentile at 5.0 contacts, 90th at 82.0, 95th at 321.55, and 99th at 7,925.87 
*   **Top Domains**: ‘automox.com’ (2,282,308 contacts), ‘launchdarkly.com’ (493,812), and ‘amazonaws.com’ (166,536) accounted for most activity.
    *   Automox is a service for automated endpoint configuration and patch management.
    *   LaunchDarkly is a software development platform for managing feature flags and context-aware targeting of features.
    *   Amazon Web Services (AWS) is the largest cloud service provider. 
*   **Rare Domains**: 550 of 742 domains fell into the rare category.

Figure 1. Cumulative distribution of domain contact frequencies. 

**Malicious Domain Statistics **

*   **Rare Domains**: 9 malicious out of 550 (1.64%, 95% CI: 0.86%–3.08%)
*   **Non-Rare Domains**: 1 malicious out of 192 (0.52%, 95% CI: 0.09%–2.89%), notably ‘githubusercontent.com’
*   **Odds Ratio**: 3.18 (95% CI: 0.39–25.9), indicating a trend towards higher risk in rare domains, though not statistically significant (chi-square p=0.4291, Fisher’s exact p=0.4668), likely due to small sample sizes (9 rare, 1 non-rare) 

Figure 2. Malicious rates by domain rarity.

**Case Study: githubusercontent.com **

The non-rare domain ‘githubusercontent.com’ (38 contacts, 2 full domains: ‘raw.githubusercontent.com’ and ‘objects.githubusercontent.com’, average 19.00 contacts per full domain) was flagged as malicious due to 5 manually identified malicious contacts from ‘raw.githubusercontent.com’. These contacts involved potentially malicious PowerShell commands, such as downloading and executing scripts like PowerSploit or Invoke-Mimikatz. The other subdomain, ‘objects.githubusercontent.com’ (28 contacts), showed no malicious activity. This finding illustrates that even frequently contacted domains can host malicious subdomains, emphasizing the need for subdomain-level analysis in threat detection.

**Comparison to other Processes **

Another research question investigated was how the domains contacted by other similar processes would compare to those contacted by PowerShell. For the purposes of this research, Talos chose the following processes for analysis: 

*   ‘rundll32.exe’ 
*   Python (including macOS and Windows versions) 
*   ‘cmd.exe’ 
*   ‘cscript.exe’ 
*   ‘wscript.exe’ 
*   ‘bash’ 
*   ‘zsh’

These processes are primarily other command line or script interpreters, as well as ‘rundll32.exe’, which allows executing Dynamically Linked Libraries (DLLs) from the command line.

When the same heuristics as were utilized for PowerShell were applied to the domains contacted by these processes, the results varied somewhat. Across 156,203 total connection records for ‘rundll32.exe’, 940 unique domains were contacted. Of these, 722 of these domains were “rare,” using the same heuristic applied to PowerShell (i.e., they were contacted at most five times). Only one of the domains contacted was found to be malicious, either among the rare domains or the non-rare domains.

Similarly, among 795,346 total connection records for Python, 825 unique domains were contacted and 616 were rare using the same criteria. None of the rare domains were malicious, while 1 of the non-rare domains was. The processes cscript, cmd, zsh and csh had similar results, with no or single digit numbers of malicious domains contacted. However, wscript was much more interesting. It had a much smaller amount of total utilization in the dataset investigated, with just 6,936 connection events and 82 unique domains contacted. Of these, 58 domains were rare (or roughly 71%), and 5 were found to be malicious.

**Recommendations **

*   **Prioritize Rare Domains**: Security teams should focus investigations on rare domains due to their higher likelihood of being malicious, despite statistical non-significance. This finding applies primarily to PowerShell and wscript among the processes considered in this research.  
*   **Subdomain Analysis**: For frequently contacted domains, analyze subdomains and process arguments to detect malicious activity, as demonstrated with ‘githubusercontent.com’. 
*   **Integrate Manual Review**: Combine automated threat intelligence with manual reviews to reduce false positives and identify nuanced threats, particularly in high-contact domains. 
*   **Investigate Anomalous Utilization of ‘wscript.exe’:** Some environments may still commonly utilize wscript. However, this research suggests that in environments where it is rare, it has the highest likelihood to be used to connect to malicious domains of the processes researched.

**Future Work **

This research presents several opportunities for future research. One opportunity is temporal analysis to determine if there were time-based patterns for contacting domains, and if so, determining if these patterns could be used to identify malicious activity. This could potentially include seeing increased contacts of malicious domains during weekends or off-hours. Time-series analysis could be applied to the data to test this hypothesis.

Another opportunity is the behavioral analysis of process arguments, focusing on identifying recurring patterns tied to malicious activity, such as downloading PowerShell scripts from a remote host, or exfiltration of data. This could be used to refine the current rarity to malicious correlation of 1.64% for rare domains versus 0.52% for non-rare domains. This may spotlight behavioral red flags and give actionable insights for more precision detection logic.

Finally, future research can develop a risk scoring system that integrates multiple factors such as contact frequency, malicious rate, TLDs and even ReversingLabs’ network threat intelligence. This can provide a scalable and practical tool for security teams to prioritize high-risk domains, whether rare or non-rare like ‘githubusercontent.com’. This builds on the current analysis but also paves the way for more robust, data-driven strategies to combat threats, ensuring this research delivers lasting value to the security community.

Scarcity signals: Are rare activities red flags?

A stalkerware company that recently leaked millions of users' personal information online has taken all of its assets offline without any explanation.

A stalkerware company that recently leaked millions of users’ personal information online has taken all of its assets offline without any explanation. Now Malwarebytes has learned that the company has taken down other apps too.

Back in February, news emerged of a stalkerware app compromise. Reporters at Techcrunch revealed a vulnerability in three such apps: Spyzie, Cocospy, and Spyic. The flaw exposed data from the victim’s devices, rendering their messages, photos, and location data visible to whomever wanted them. It also gave up approximately 3.2 million email addresses entered by the customers that bought and installed these apps on their targets’ devices.

The bug was so easy to exploit that Techcrunch and the researcher involved wouldn’t divulge it, to protect the compromised details.

Now, the apps have gone dark. Techcrunch revealed that the software has stopped working, and the websites advertising it have disappeared. The spyware’s Amazon Web Services storage has also been deleted. The publication speculated that the apps, which were branded separately but looked nearly identical, were possibly shut down to avoid legal repercussions over the data leak.

Stalkerware apps are designed to hide themselves once installed on a person’s phone. They collect data including the location of the device, messages sent by the user, and their contacts.

Spyzie’s web site, now no longer available, marketed the software as a tool to keep an eye on your kids. It advertised itself as “100% hidden and invisible so you never get caught”. It also offered to collect their browser history, WhatsApp messages (including deleted ones), Facebook messages, and call logs. Spyzie claimed to have over a million users in more than 190 countries.

These aren’t the only three apps that the same organization took down. According to archived records of the Spyzie site, it was operated by FamiSoft Limited. That company also produced another app targeting kids called Teensafe (its website is also now down). Other apps now taken down that the company claimed to have operated include Spyier, Neatspy, Fonemonitor, Spyine, and Minspy.

Stalkerware is typically installed by those with direct access to a user’s phone or computer, and typically doesn’t need you to root or jailbreak the device. Spyzie targeted both Android and iPhone platforms. While frequently marketed as a way to keep children safe, theses are also frequently used by abusive partners or ex-partners, as explained by the Federal Trade Commission. The Coalition against Stalkerware, of which Malwabytes is a founding member, offers advice on what to do if you’re being targeted by a stalker.

There have been several instances over the years of stalkerware apps leaking data. It’s especially pernicious because in many cases it isn’t just the email addresses of the stalkerware’s customers that is compromised; it’s the personal details of the people whose phones are being spied upon.

Those people may often not be aware that they’re being surveilled, or might have been forced to install the software against their wishes. They are victimized twice: once when an individual invades their privacy, and twice when crummy infrastructure exposes their information more widely. If a customer really is using such software as a way of protecting their children, they might want to reconsider their choices.

Are you a victim of domestic abuse, or are you worried that someone else is? If you’re in the US, you can contact the National Domestic Abuse Hotline. If you’re in the UK, the government has a useful resource page to help victims and the charity Refuge operates a hotline.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Stalkerware apps go dark after data breach 

The trove has now been taken down but included users’ logins for platforms including Apple, Google, and Meta, plus services from multiple governments.

The possibility that data could be inadvertently exposed in a misconfigured or otherwise unsecured database is a longtime privacy nightmare that has been difficult to fully address. But the new discovery of a massive trove of 184 million records—including Apple, Facebook, and Google logins and credentials for accounts connected to multiple governments—underscores the risks of recklessly compiling sensitive information in a repository that could become a single point of failure.

In early May, longtime data-breach hunter and security researcher Jeremiah Fowler discovered an exposed Elastic database containing 184,162,718 records across more than 47 GB of data. Typically, Fowler says, he is able to gather clues about who controls an exposed database from its contents—details about the organization, data related to its customers or employees, or other indicators that suggest why the data is being collected. This database, however, didn’t include any clues about who owns the data or where it may have been gathered from.

The sheer range and massive scope of the login details, which include accounts connected to a large array of digital services, indicate that the data is some sort of compilation, possibly kept by researchers investigating a data breach or other cybercriminal activity or owned directly by attackers and stolen by infostealer malware.

“This is probably one of the weirdest ones I’ve found in many years,” Fowler says. “As far as the risk factor here, this is way bigger than most of the stuff I find, because this is direct access into individual accounts. This is a cybercriminal’s dream working list.”

Each record included an ID tag for the type of account, a URL for each website or service, and then usernames and plaintext passwords. Fowler notes that the password field was called “Senha,” the Portuguese word for password.

In a sample of 10,000 records analyzed by Fowler, there were 479 Facebook accounts, 475 Google accounts, 240 Instagram accounts, 227 Roblox accounts, 209 Discord accounts, and more than 100 each of Microsoft, Netflix, and PayPal accounts. That sample—just a tiny fraction of the total exposure—also included Amazon, Apple, Nintendo, Snapchat, Spotify, Twitter, WordPress, and Yahoo logins, among many others. A keyword search of the sample by Fowler returned 187 instances of the word “bank” and 57 of “wallet.”

Fowler, who did not download the data, says he contacted a sample of the exposed email addresses and heard back from some that they were genuine accounts.

Aside from individuals, the exposed data also presented potential national security risks, Fowler says. In the 10,000 sample records there were 220 email addresses with .gov domains. These were linked to at least 29 countries, including the United States, Australia, Canada, China, India, Israel, New Zealand, Saudi Arabia, and the United Kingdom.

While Fowler could not identify who had put the database together or where the login details originally came from, he reported the data exposure to World Host Group, the hosting company it was linked to. Access to the database was quickly shut down, Fowler says, although World Host Group did not respond to the researcher until after it was contacted by WIRED.

Seb de Lemos, CEO of World Host Group, tells WIRED in a statement that the company operates systems for more than 2 million websites. The database Fowler found, though, is “an unmanaged server” hosted on World Host Group’s infrastructure and fully controlled by a customer.

“It appears a fraudulent user signed up and uploaded illegal content to their server,” de Lemos wrote in the statement. “The system has since been shut down. Our legal team is reviewing any information we have that might be relevant for law enforcement.”

De Lemos says that the company is in touch with Fowler and has made improvements to its reporting system. “Whilst we cannot share customer-specific details with WIRED, we will fully cooperate with the appropriate law enforcement authorities and, where appropriate, share all relevant customer data with them.”

Though the database has now been secured—and ultimately taken down entirely—it is not clear whether anyone other than Fowler accessed the trove while it was still live. As with any exposed database, the concern is that sensitive data could be stolen and abused. And in this case, there is a particularly urgent risk of logins being exploited in fraud, to steal additional information, or even to breach other organizations.

Fowler says that while he does not know for certain, he suspects that the data was compiled by attackers using an infostealer.

“It is highly possible that this was a cybercriminal,” he says. “It’s the only thing that makes sense, because I can’t think of any other way you would get that many logins and passwords from so many services all around the world.”

Mysterious Database of 184 Million Records Exposes Vast Array of Login Credentials

In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-vrpq-qp53-qv56: Eclipse JGit XML External Entity (XXE) Vulnerability

A threat actor known as Hazy Hawk has been observed hijacking abandoned cloud resources of high-profile organizations, including Amazon S3 buckets and Microsoft Azure endpoints, by leveraging misconfigurations in the Domain Name System (DNS) records.
The hijacked domains are then used to host URLs that direct users to scams and malware via traffic distribution systems (TDSes), according to

Hazy Hawk Exploits DNS Records to Hijack CDC, Corporate Domains for Malware Delivery

Infoblox reveals Hazy Hawk, a new threat exploiting abandoned cloud resources (S3, Azure) and DNS gaps since Dec…

Infoblox reveals Hazy Hawk, a new threat exploiting abandoned cloud resources (S3, Azure) and DNS gaps since Dec 2023. Learn about their tactics and how to protect your organization and users.

Cybersecurity researchers at Infoblox Threat Intelligence have released critical findings on a recently identified threat, dubbed Hazy Hawk, which has been actively hijacking forgotten cloud resources since at least December 2023.

In its report, shared exclusively with Hackread.com. researchers noted that this advanced group is known for its DNS-savvy tactics and exploits gaps in Domain Name System (DNS) records to redirect unsuspecting internet users to fraudulent websites and malware.

This revelation comes as the Federal Trade Commission (FTC) reports a significant 25% increase in scam-related losses from 2023, totalling a whopping $12.5 billion.

****The Attack****

Infoblox first detected Hazy Hawk’s activities in February 2025, when the group successfully took control of subdomains belonging to the US Centers for Disease Control (CDC). Cybersecurity journalist Brian Krebs was the first to notice suspicious activity on the CDC’s domain.

Further investigation revealed that global government agencies, including alabama.gov and health.gov.au, major universities like berkeley.edu and ucl.ac.uk, and international companies including Deloitte.com and PwC.com, have also been targeted.

Hazy Hawk’s method involves finding dangling DNS records, which are CNAME records pointing to abandoned cloud resources like Amazon S3 buckets, Azure endpoints, Akamai, Cloudflare CDN, and GitHub. They register these resources, gain control, and use them to host numerous malicious URLs. Infoblox dubbed the group Hazy Hawk due to their unusual methods of locating and hijacking specific cloud resources.

****How Victims Are Lured and Defenses Evaded****

Hazy Hawk employs various tactics to deceive victims, including fake browser notifications and fraudulent applications, using URL obfuscation to hide link destinations, and repurposing code from legitimate websites to make their initial pages appear trustworthy. They also alter AWS S3 bucket URLs or redirect to the University of Bristol’s website.

Once a user clicks on a malicious link, they are routed through multiple redirection sites like Blogspot or link shorteners like TinyURL, Bitly and traffic distribution systems (TDSs) before reaching viralclipnow.xyz.

Attack Sequence (Source: Infoblox)

These systems are designed to maximize scammers’ profits and make it difficult for security experts to trace attacks by dynamically changing content, leading victims to scams like tech support fraud or gift card schemes.

The research reveals that push notifications are a key component of scams, where the threat actor can receive a 70-90 percent revenue share from the affiliate who obtained the victim’s approval, with services like RollerAds, enabling repeated victim targeting.

To prevent such hijackings, organizations should use well-managed DNS, including removing DNS CNAME records when cloud resources are retired. End-users can protect themselves through protective DNS solutions that block access to malicious domains, even when threat actors change website names, and be careful about website notification requests

Hazy Hawk Attack Spotted Targeting Abandoned Cloud Assets Since 2023

Cybersecurity researchers have discovered risky default identity and access management (IAM) roles impacting Amazon Web Services that could open the door for attackers to escalate privileges, manipulate other AWS services, and, in some cases, even fully compromise AWS accounts.
"These roles, often created automatically or recommended during setup, grant overly broad permissions, such as full S3

AWS Default IAM Roles Found to Enable Lateral Movement and Cross-Service Exploitation

Cisco Talos built on Tenable’s discovery of a Google Cloud Platform vulnerability to uncover how attackers could exploit similar techniques across AWS and Azure.

Tuesday, May 20, 2025 06:00

**Summary and background**

Google Cloud Platform (GCP) Cloud Functions are event-triggered, serverless functions that automatically scale and execute code in response to specific events like Hypertext Transfer Protocol (HTTP) requests or data changes. Tenable Research published an article discussing a vulnerability they discovered within GCP’s Cloud Functions serverless compute service and its Cloud Build continuous integration and continuous delivery or deployment (CI/CD) pipeline service.

“When a GCP user creates or updates a Cloud Function, a multi-step backend process is triggered,” Tenable author Liv Matan writes. “This process, among other things, attaches a default Cloud Build service account to the Cloud Build instance that is created as part of the function’s deployment.” This default Cloud Build Service Account (SA) previously gave users excessive Cloud Function permissions. An attacker who has gained the ability to create or update a cloud function could utilize the function’s deployment process to escalate privileges to the default Cloud Build service account or assign a higher privileged SA. Google has since partially addressed Tenable’s discovery to ensure the default Cloud Build service account no longer provides users with excessive permissions.

Based on Tenable’s research, Cisco Talos conducted a series of offensive tests within Cisco’s Google Cloud Platform (GCP) to identify additional threats that may affect customer environments.

During its research, Talos discovered that the technique Tenable identified could be adapted to perform other malicious activities. By implementing different malicious console commands into the Node Package Manager (NPM) ‘package.json’ file used in this technique, threat actors could execute behaviors such as environment enumeration.

Talos furthered this research by attempting to replicate similar behaviors in Amazon Web Services (AWS) and Microsoft Azure to determine if these techniques could be employed to perform similar malicious activities in other cloud-based environments.

**Research****Prerequisites**

To utilize this attack vector, certain prerequisites must be met. Talos set up a Debian Linux server within the GCP environment with Node Package Manager (NPM) and Ngrok installed. However, the virtual machine for this research can be created in any cloud environment.

After installing NPM and Ngrok, Talos configured both tools to function as intended.

Once NPM and Ngrok were configured, a Python server was created to output the data received from the cloud function.

With NPM, Ngrok, and the Python server set up and configured, the next step was to create and modify the NPM package.

Talos then replaced the content of the package.json file with the following code:

Finally, once all the necessary files are created and configured, Talos set up the environment to visually display the data output from deploying the functions. To achieve this, Talos activated both the Ngrok server and the Python server created earlier.

To replicate the GCP behavior discussed in Tenable’s article, Talos created/updated an SA with function build and cloud build permissions. This SA was then assigned to the GCP Cloud Run Function to allow the code to be executed with privileged access.

Once the servers and service accounts were online and configured to receive and output data, the emulation of the behavior could begin.

**Emulation**

With the package.json file configured to be utilized by the build function, Talos began emulating the technique described in Tenable’s research article.

The first step in Talos’ replication involved the utilizing a misconfigured GCP function to extract the default Cloud Build service account token. To initiate this process, the "malicious" package.json was updated on the virtual machine, ensuring that it contains code similar to that used by Tenable.

Once the package.json file was modified as desired, it needed to be published to the public NPM registry. To do this, Talos executed the following command:

With the package.json file uploaded to the NPM public registry, it was time to deploy the GCP Cloud Run Function so that the package.json can execute the provided code. To do this, the user must to navigate to their GCP Cloud Run Functions page and select or create a Cloud Run Function, ensuring it is assigned a service account with Cloud Build permissions.

Figure 1. Google Cloud Run Function displaying the assigned service account.

As Talos created or selected our existing GCP Cloud Run Function, we navigated to the source page of the cloud function. Here, Talos modified the package.json file to install the malicious package uploaded to NPM.

Figure 2. Google Cloud Run Function’s Source page.

Once Talos updated the package.json file with the correct name and version of the NPM package, we selected "Deploy" or "Save and Redeploy" to initiate the build process. During this process, the function sends the requested data to the Ngrok server, which was then output on the Python server.

Talos confirmed that the exfiltration of GCP service account access tokens can no longer be achieved using this method, due to Google's response and patching of the issue. We further verified this by executing the same command provided to our NPM-uploaded package.json from a separate virtual machine. The command executed successfully, confirming our suspicion that this specific technique for obtaining privileged service account tokens has been patched out.

**Original Research**

Cisco Talos' research extended Tenable’s original behavior concept by applying it to other cloud environments through modifications to their respective cloud services. AWS Lambda and Azure Functions are serverless compute services that allow users to run code without provisioning or managing servers. By creating a Lambda function or an Azure function with a Node.js 20.x runtime, a package.json file can be created with dependencies set to execute a malicious package uploaded to NPM’s public repository. These malicious packages may contain harmful console commands that provide a threat actor with valuable enumeration information.

Although this specific vector of threat actor behavior is no longer possible, other commands have proven useful in providing adversaries with valuable enumeration capabilities. These commands can be used on cloud platforms beyond GCP Cloud Build Function, such as AWS Lambda and Azure Functions.

Some examples of the types of enumeration a threat actor can perform using this method include the following.

**ICMP Discovery**

Internet Control Message Protocol (ICMP) Discovery is utilized to gather information about network devices and their configurations. By analyzing ICMP responses, adversaries can infer the network's structure, including the presence of routers, gateways, and the pathways between devices. This information can be crucial for planning attacks.

**Existence of .dockerenv**

Identifying the presence of a .dockerenv file indicates that a process is running inside a Docker container. By checking for this file, threat actors can confirm whether they are operating within a Docker environment. This information can influence their selection of tools and techniques, as containers often possess different security boundaries compared to host systems.

**CPU Scheduling**

Enumerating CPU Scheduling provides detailed scheduling and status information about the process with process identifier (PID) 1, which is typically the init system or main process in a containerized environment. Threat actors can determine the init system in use, such as systemd or sysvinit. This information helps them understand the system's configuration and identify potential vulnerabilities associated with the specific init system.

CPU Scheduling Data Output Plain Text

**Control Group Container ID**

Enumerating Control Group Container ID provides detailed information about current mount points. Threat actors can use this information to identify critical or sensitive filesystems that might be targeted for data exfiltration. By examining mount options, they can look for insecure configurations, such as filesystems mounted with exec permissions in directories where malicious binaries could be introduced. In containerized environments, understanding mount namespaces can aid in developing container escape techniques, enabling attackers to break out of the container and access the host system.

Control Group Container ID Plain Text 1 & Control Group Container ID Plain Text 2

**Initial Server Overview**

For Initial Server Overview enumeration, combining the following commands provides comprehensive details about the system's kernel, architecture and distribution, which are critical for understanding the environment and planning potential exploits. Knowing the exact OS and kernel version enables threat actors to choose the most effective exploits, as many vulnerabilities are version-specific.

**User and Permission Enumeration**

The following User and Permission commands provides insights into user accounts, privileges and group memberships, which are crucial for planning privilege escalation and lateral movement within a system.

**Network Discovery**

The following Network and Discovery commands help gather detailed insights into the system's operating environment and network setup, which can be used to identify vulnerabilities and plan attacks.

**Detailed System Commands**

The ‘cat /etc/os-release’ command reveals the operating system distribution and version. Knowing the exact OS helps attackers identify specific vulnerabilities and tailor their exploits to the target's environment.

**User Related Commands**

The ‘/etc/shadow’ file contains hashed passwords for user accounts, which, if accessed, can be used to crack passwords and gain elevated access to the system.

User Related Commands Data Output Plain Text

**AWS Lambda Functions**

The following example demonstrates Talos using the same commands previously mentioned within a Google Cloud Platform (GCP) environment, now applied in an Amazon Web Services (AWS) environment using Lambda functions. This illustrates that the method utilized by the Tenable lab can be adapted for other cloud-based environments, such as AWS.

**Azure Functions**

The following example demonstrates the same process performed with an AWS Lambda function, but instead utilizing Azure Functions within the Azure environment. This further proves that the method can be employed across various cloud-based environments.

**Conclusion and Defense Summary****Google’s Response**

As described in Tenable’s article, Google responded to their research by creating a remediation patch. This update altered the default behavior of Cloud Build and the default Cloud Build SA. Additionally, new organization policies were released to give organizations full control over which SA Cloud Build uses by default. While Google has implemented this remediation, Cloud Build services can still be used to execute non-privileged commands as a means of enumerating an environment.

**Mitigation Summary**

The most effective mitigation strategy to protect your environment from similar threat actor behavior is to ensure that all SAs within your cloud environment adhere to the principle of least privilege and that no legacy cloud SAs are still in use. Ensure that all cloud services and dependencies are up to date with the latest security patches. If legacy SAs are present, replace them with least-privilege SAs. 

Additionally, users with access to Cloud Functions should not have IAM permissions to the services included in the function’s orchestration.

**Threat Hunting Recommendations**

1.  **Audit and monitor SA permissions**: Regularly audit and monitor SA permissions, with a particular focus on the default Cloud Build SA. Adhere to the principle of least privilege by removing any excessive permissions that are not essential for the SA’s operations.
2.  **Alert setup for Cloud Functions**: Establish alerts for any unusual or unauthorized creation or modification of Cloud Functions. Identify potentially malicious activities where an attacker may be attempting to exploit function deployments for privilege escalation.
3.  **Inspect network traffic**: Analyze network traffic for unusual patterns or connections that might indicate data exfiltration attempts. Pay attention to data being sent to unknown or unauthorized external endpoints, such as those using Ngrok or similar tunneling services.
4.  **Verify NPM package integrity**: Ensure the integrity and authenticity of NPM packages used within Cloud Functions. Prevent the execution of malicious scripts embedded in package.json files that could facilitate environment enumeration or other malicious activities.
5.  **Detect environment enumeration**: Detect and respond to signs of environment enumeration, such as ICMP discovery or system information gathering.

Tag

#amazon