Hackers can exploit critical vulnerabilities in Mazda’s infotainment system, including one that enables code execution via USB, compromising…

Hackers can exploit critical vulnerabilities in Mazda’s infotainment system, including one that enables code execution via USB, compromising your car’s security and putting you at risk.

Cybersecurity researchers at ZDI (Zero Day Initiative) have identified several critical vulnerabilities in Mazda‘s infotainment systems, specifically in the Connectivity Master Unit (CMU) installed in multiple Mazda car models, including the Mazda 3 from the years 2014 to 2021.

These vulnerabilities, caused by “insufficient sanitization” when handling attacker-supplied input, could allow a physically present attacker to exploit them by connecting a specially crafted USB device to the target system. Successful exploitation could result in arbitrary code execution with root privileges.

****The Target****

The CMU unit, manufactured by Visteon Corporation, an anutomotive technology company, and initially developed by Johnson Controls Inc (JCI), runs on the latest available software version (74.00.324A). However, earlier software versions down to at least 70.x may also be affected by these vulnerabilities. The CMU is part of an active “modding scene” where users release software tweaks to alter the unit’s operation, often exploiting such vulnerabilities.

****The Vulnerabilities****

There are multiple vulnerabilities identified in the CMU system. The details of each are as follows:

*   **SQL Injection (CVE-2024-8355/ZDI-24-1208)**: An attacker can inject malicious SQL code by spoofing the iAP serial number of an Apple device. This allows the attacker to manipulate the database, disclose information, create arbitrary files, and potentially execute code.
*   **OS Command Injection (CVE-2024-8359/ZDI-24-1191)**: The REFLASH\_DDU\_FindFile function in the libjcireflashua.so shared object fails to sanitize user input, allowing an attacker to inject arbitrary OS commands that can be executed by the head unit OS shell.
*   **OS Command Injection (CVE-2024-8360/ZDI-24-1192)**: The REFLASH\_DDU\_ExtractFile function in the libjcireflashua. so shared object also fails to sanitize user input, allowing an attacker to inject arbitrary OS commands that can be executed by the head unit OS shell.
*   **Missing Root of Trust in Hardware (CVE-2024-8357/ZDI-24-1189)**: The application SoC is missing any authentication of the bootstrap code, allowing an attacker to manipulate the root filesystem, configuration data, and potentially the bootstrap code itself.
*   **Unsigned Code (CVE-2024-8356/ZDI-24-1188)**: The VIP MCU can be updated with unsigned code, allowing an attacker to pivot from a compromised application SoC running Linux to the VIP MCU and gain direct access to the connected CAN busses of the vehicle.

****Exploitation****

An attacker can exploit these vulnerabilities by creating a file on a FAT32-formatted USB mass storage device with a name that contains the OS commands to be executed. The filename must end with .up for it to be recognized by the software update handling code.

Once the initial compromise is achieved, the attacker can gain persistence through manipulation of the root file system or install a specially crafted VIP microcontroller software allowing unrestricted access to vehicle networks.

****Associated Risks****

According to ZDI’s blog post, the attack chain can be completed in a few minutes in a lab environment, and there is no reason to believe it will take significantly more time against a unit installed in a car.

This means that the vehicle can be compromised while being handled by a valet, during a rideshare, or via USB malware. The CMU can then be compromised and “enhanced” to attempt to compromise any connected device in targeted attacks that can result in DoS, bricking, ransomware, safety compromise, etc. The worst part of it is that these security vulnerabilities remain unpatched.

> _“This research effort and its output highlighted the fact that high-impact vulnerabilities can be found even in a very mature automotive product that has been on the market for a number of years and with a long history of security fixes. To date, these vulnerabilities remain unpatched by the vendor.”_
> 
> ZDI analyst Dmitry Janushkevich 

****Conclusion****

The discovery of these vulnerabilities shows the importance of considering the whole system’s security and security-testing complete production systems in all their operational modes. The use of memory-safe languages or other security tools does not guarantee that deployed systems are secure. It is important to ensure system integrity at all runtime stages and for all components to guarantee downstream security properties of languages and their compilers.

1.  Cybercriminals Exploit CAN Injection Hack to Steal Cars
2.  App Flaw Let Honda and Nissan Cars Hack by Knowing VIN
3.  Tesla cars can be remotely hacked using drone, WIFI dongle
4.  Hackers Remotely Control Kia Cars by Exploiting License Plates
5.  High severity Intel chip flaw left cars and IoT devices vulnerable

Hackers Can Access Mazda Vehicle Controls Via System Vulnerabilities

Questions remain over what a corporate ban will achieve, since Canadians will still be able to use the app.

Source: SOPA Images Limited via Alamy Stock Photo

ByteDance is being exiled from Canada, though the TikTok app is not.

Following the US's example, Canada has spent recent years rubbing up against the world's most popular Chinese app. In February 2023, TikTok was banned from all government devices, citing security concerns. Later that year, the government called for a broader national security review under the 1985 Investment Canada Act, which empowers the government to scrutinize foreign investments.

In concluding that review, the minister of Innovation, Science and Economic Development Canada (ISED) — a federal agency responsible for regulating and supporting various aspects of the country's economy, industry, and scientific endeavors — unveiled a significant, though not comprehensive, development in his country's approach.

To address "specific national security risks," the minister said yesterday, the offices of TikTok Technology Canada Inc. — the Canadian subsidiary of ByteDance, TikTok's parent company — must now be shuttered. However, he noted, the government will not actually block any Canadians from using the app, as "the decision to use a social media application or platform is a personal choice."

**TikTok vs. Governments**

Ever since TikTok blew up during the COVID-19 pandemic, governments worldwide have struggled with how to administer: Ban it, to the chagrin of millions, or don't, and risk consequences to mass privacy and national security.

Concern is widespread that the Chinese Communist Party (CCP) could conduct data gathering and spying through TikTok, since it wields potentially unlimited authority over Chinese companies. And "The CCP has long been known for having an enormous capability to gather otherwise benign-looking datasets, and to process them to produce intelligence to further its national interests," notes Casey Ellis, founder and adviser at Bugcrowd. "While it can easily be argued that Western governments and companies are capable of the same, the CCP's national interests are at best competitive, and at worst disruptive to the national interests of the West."

Blocking the app to prevent CCP data gathering is controversial, however, since it's massively popular, and there is no definitive, significant proof of such malicious activity to date. A few scattered countries have done so (for varying reasons), most notably India in 2020, but most have taken up solutions somewhere in the middle.

In 2020, President Trump signed executive orders effectively forcing ByteDance to sell TikTok to an American company, or else face a national ban. President Biden's No TikTok on Government Devices Act banned the app in government settings, and his Protecting Americans from Foreign Adversary Controlled Applications Act carried the forced sale idea from the Trump administration. US policy is likely to subside now that Trump has been elected again. "Trump has made strong moves against ByteDance in the past," Ellis notes. "He has a reputation for being tough on China, and for operating on the assumption that China is competitive to the US as a great power. I think we'll see more activity around addressing 'creeping threats' from ByteDance and other Chinese companies, particularly those with a larger and established presence, both in the US and amongst its allies, over the coming year."

Meanwhile, in 2023, the Canadian government took parallel actions. And just as it had in the US, TikTok says it will challenge Canada's latest ruling in court.

**What Would Actually Solve TikTok Privacy?**

Debate has now begun over whether banning the corporate half of the TikTok operation will be helpful, if not abjectly harmful to Canada's national security aims.

As Canadian academic Michael Geist argued in a blog post, "banning the company rather than the app may actually make matters worse since the risks associated with the app will remain but the ability to hold the company accountable will be weakened," since it will no longer have a domestic presence. "It is hard to envision it prioritizing (or perhaps even complying) with Canadian regulatory processes if it is banned from formally operating in the jurisdiction."

Dark Reading has asked the ISED for its view of how the ban will benefit Canadian national security. This article will be updated when ISED's response is received.

A separate development poised to directly affect TikTok data collection in Canada is the legislation C-27, which would supersede the Personal Information Protection and Electronic Documents Act, Canada's primary privacy legislation since 2000.

C-27 packages three separate Acts: the Consumer Privacy Protection Act, the bit most relevant for TikTok user privacy; the Electronic Documents Act; and the Artificial Intelligence and Data Act. Though it may be viewed as efficient and ambitious to address so many issues at once, ongoing debates primarily around the artificial intelligence component are currently holding up the passage of the other two along with it.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Canada Closes TikTok Offices, Citing National Security

North Korean hackers are targeting cryptocurrency businesses with a sophisticated new malware campaign, dubbed “Hidden Risk.” Learn how…

North Korean hackers are targeting cryptocurrency businesses with a sophisticated new malware campaign, dubbed “Hidden Risk.” Learn how this stealthy attack works, the techniques used, and how to protect yourself from this growing threat.

North Korean state-sponsored APT group ‘**BlueNoroff**‘ is targeting crypto-related businesses in a campaign dubbed ‘Hidden Risk’, according to SentinelOne’s findings shared with Hackread.com. 

SentinelLabs’ threat researchers reportedly discovered that BlueNoroff, a subgroup of the larger North Korean state-backed **Lazarus Group**, is targeting cryptocurrency and DeFi businesses using use email and PDF-based lures with fake news headlines/crypto-related stories in a campaign that began in July 2024.

Examples of fake news, posts and announcements used in the attack (Via SentinelOne)

****Analyzing the Attack****

Researchers noted that attackers have employed unique tactics to evade detection and compromise victim systems. The attack begins with a **well-crafted phishing email** that lures unsuspecting victims into clicking on a malicious link that leads to a seemingly legitimate PDF document, which is actually hiding a malicious Swift-language-based Mac application cleverly disguised as a PDF reader (signed/notarized on 19 October 2024).

“The application is disguised as a link to a PDF document relating to a cryptocurrency topic such as “Hidden Risk Behind New Surge of Bitcoin Price”, “Altcoin Season 2.0-The Hidden Gems to Watch” and “New Era for Stablecoins and DeFi, CeFi”,” researchers **explained**.

Once executed, this application discreetly downloads a decoy PDF (Hidden Risk) and then downloads/executes a malicious x86-64 binary (“growth”) on both Intel and Apple silicon machines. 

Growth installs itself persistently and acts as a backdoor. It gathers sensitive information about the infected system, communicates with a remote server controlled by the attackers, and can potentially receive and execute commands.

****Persistence Mechanism****

To ensure persistence, the attackers have opted for a unique method of modifying the Zsh configuration file (zshenv) by adding malicious code to ensure its continued presence. This is a critical file used by the Zsh shell and is sourced during every Zsh session, allowing the backdoor to automatically execute upon system startup, even after a reboot.

****The BlueNoroff Connection****

SentinelLabs’ researchers have linked this campaign with BlueNoroff because it resembles techniques from their past campaigns, including parsing server commands and saving them in hidden files. The campaign’s network infrastructure analysis also reveals connections to domains used in previous campaigns using services like **NameCheap** and Quickpacket for hosting.

Furthermore, the malware uses a User-Agent string previously linked to BlueNoroff’s “**RustBucket**” malware and exploits a developer account to get their malware notarized by Apple, bypassing security measures like **Gatekeeper**.

****Staying Protected****

BlueNoroff has a history of targeting cryptocurrency exchanges, venture capital firms, and banks and poses a constant threat to the industry. They prefer using PDF-based lures mainly because PDF documents are widely used and trusted, making them ideal for malicious payloads.

Hackread recently **reported** BlueNoroff-linked malware, TodoSwift, disguised as a legitimate PDF viewer and ObjCShellz malware **targeting macOS** to run remote shell commands on Intel and Arm Macs.

Therefore, it is important to double-check email addresses, watch out for emails from anonymous sources, and avoid clicking on links in unknown emails, especially if they ask for downloading applications/PDFs. MacOS users must remain aware of risks given the sudden rise in **macOS-oriented attacks**.

1.  **Fake North Korean IT Workers Infiltrate Western Firms**
2.  **North Korean Hackers Team Up with Play Ransomware**
3.  **N Korean hackers stole $1.7 billion from crypto exchanges**
4.  **North Korean Hackers Drop Linux Malware for ATM Cashouts**
5.  **SnatchCrypto attack hits DeFi, Blockchain Firms with backdoor**

North Korean Hackers Use Fake News to Spread ‘Hidden Risk’ Malware

A threat actor with ties to the Democratic People's Republic of Korea (DPRK) has been observed targeting cryptocurrency-related businesses with a multi-stage malware capable of infecting Apple macOS devices.
Cybersecurity company SentinelOne, which dubbed the campaign Hidden Risk, attributed it with high confidence to BlueNoroff, which has been previously linked to malware families such as

A threat actor with ties to the Democratic People's Republic of Korea (DPRK) has been observed targeting cryptocurrency-related businesses with a multi-stage malware capable of infecting Apple macOS devices.

Cybersecurity company SentinelOne, which dubbed the campaign **Hidden Risk**, attributed it with high confidence to BlueNoroff, which has been previously linked to malware families such as RustBucket, KANDYKORN, ObjCShellz, RustDoor (aka Thiefbucket), and TodoSwift.

The activity "uses emails propagating fake news about cryptocurrency trends to infect targets via a malicious application disguised as a PDF file," researchers Raffaele Sabato, Phil Stokes, and Tom Hegel said in a report shared with The Hacker News.

"The campaign likely began as early as July 2024 and uses email and PDF lures with fake news headlines or stories about crypto-related topics."

As revealed by the U.S. Federal Bureau of Investigation (FBI) in a September 2024 advisory, these campaigns are part of "highly tailored, difficult-to-detect social engineering" attacks aimed at employees working in the decentralized finance (DeFi) and cryptocurrency sectors.

The attacks take the form of bogus job opportunities or corporate investment, engaging with their targets for extended periods of time to build trust before delivering malware.

SentinelOne said it observed an email phishing attempt on a crypto-related industry in late October 2024 that delivered a dropper application mimicking a PDF file ("Hidden Risk Behind New Surge of Bitcoin Price.app") hosted on delphidigital\[.\]org.

The application, written in the Swift programming language, has been found to be signed and notarized on October 19, 2024, with the Apple developer ID "Avantis Regtech Private Limited (2S8XHJ7948)." The signature has since been revoked by the iPhone maker.

Upon launch, the application downloads and displays to the victim a decoy PDF file retrieved from Google Drive, while covertly retrieving a second-stage executable from a remote server and executing it. A Mach-O x86-64 executable, the C++-based unsigned binary acts as a backdoor to execute remote commands.

The backdoor also incorporates a novel persistence mechanism that abuses the zshenv configuration file, marking the first time the technique has been abused in the wild by malware authors.

"It has particular value on modern versions of macOS since Apple introduced user notifications for background Login Items as of macOS 13 Ventura," the researchers said.

"Apple's notification aims to warn users when a persistence method is installed, particularly oft-abused LaunchAgents and LaunchDaemons. Abusing Zshenv, however, does not trigger such a notification in current versions of macOS."

The threat actor has also been observed using domain registrar Namecheap to establish an infrastructure that's centered around themes related to cryptocurrency, Web3, and investments to give it a veneer of legitimacy. Quickpacket, Routerhosting, and Hostwinds are among the most commonly used hosting providers.

It's worth noting that the attack chain shares some level of overlap with a previous campaign that Kandji highlighted in August 2024, which also employed a similarly named macOS dropper app "Risk factors for Bitcoin's price decline are emerging(2024).app" to deploy TodoSwift.

It's not clear what prompted the threat actors to shift their tactics, and if it's in response to public reporting. "North Korean actors are known for their creativity, adaptability, and awareness of reports on their activities, so it's entirely possible that we're simply seeing different successful methods emerge from their offensive cyber program," Stokes told The Hacker News.

Another concerning aspect of the campaign is BlueNoroff's ability to acquire or hijack valid Apple developer accounts and use them to have their malware notarized by Apple.

"Over the last 12 months or so, North Korean cyber actors have engaged in a series of campaigns against crypto-related industries, many of which involved extensive 'grooming' of targets via social media," the researchers said.

"The Hidden Risk campaign diverts from this strategy taking a more traditional and cruder, though not necessarily any less effective, email phishing approach. Despite the bluntness of the initial infection method, other hallmarks of previous DPRK-backed campaigns are evident."

The development also comes amid other campaigns orchestrated by North Korean hackers to seek employment at various companies in the West and deliver malware using booby-trapped codebases and conferencing tools to prospective job seekers under the guise of a hiring challenge or an assignment.

The two intrusion sets, dubbed Wagemole (aka UNC5267) and Contagious Interview, have been attributed to a threat group tracked as Famous Chollima (aka CL-STA-0240 and Tenacious Pungsan).

ESET, which has given Contagious Interview the moniker DeceptiveDevelopment, has classified it as a new Lazarus Group activity cluster that's focused on targeting freelance developers around the world with the aim of cryptocurrency theft.

"The Contagious Interview and Wagemole campaigns showcase the evolving tactics of North Korean threat actors as they continue to steal data, land remote jobs in Western countries, and bypass financial sanctions," Zscaler ThreatLabz researcher Seongsu Park said earlier this week.

"With refined obfuscation techniques, multi-platform compatibility, and widespread data theft, these campaigns represent a growing threat to businesses and individuals alike."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS

Cisco Talos Incident Response (Talos IR) recently observed an attacker conducting big-game hunting and double extortion attacks using the relatively new Interlock ransomware.

Thursday, November 7, 2024 06:00

*   Cisco Talos Incident Response (Talos IR) recently observed an attacker conducting big-game hunting and double extortion attacks using the relatively new Interlock ransomware.  
*   Our analysis uncovered that the attacker used multiple components in the delivery chain including a Remote Access Tool (RAT) masquerading as a fake browser updater, PowerShell scripts, a credential stealer, and a keylogger before deploying and enabling the ransomware encryptor binary. 
*   We also observed that the attacker primarily used remote desktop protocol (RDP) to move laterally within the victim’s network, as well as other tools such as AnyDesk and PuTTY. 
*   The attacker used Azure Storage Explorer, which leverages the utility AZCopy, to exfiltrate the victim’s data to an attacker-controlled Azure storage blob.  
*   The timeline of the attacker’s activity, from the initial compromise stage until the deployment of ransomware encryptor binary, indicates their dwelling time in the victim’s environment was about 17 days.  
*   Talos assesses with low confidence that Interlock ransomware is likely a new diversified group that emerged from Rhysida ransomware operators or developers, based on some similarities in the operators’ tactics, techniques, and procedures (TTPs) and in the ransomware encryptor binaries. 

**Who is Interlock? **

Interlock first appeared in public reporting in September 2024 and has been observed launching big-game hunting and double extortion attacks. The group has notably targeted businesses in a wide range of sectors, which at the time of reporting includes healthcare, technology, government in the U.S. and manufacturing in Europe, according to the data leak site disclosure, indicating their targeting is opportunistic. 

Like other ransomware players in the big-game hunting space, Interlock also operates a data leak site called “Worldwide Secrets Blog,” providing links to victims’ leaked data, chat support for victims' communications, and the email address, “interlock@2mail\[.\]co”.   

In their blog, Interlock claims to target organizations’ infrastructure by exploiting unaddressed vulnerabilities and claims their actions are in part motivated by a desire to hold companies’ accountable for poor cybersecurity, in addition to monetary gain. 

**Recent attack methodologies **

Throughout the investigation into the Interlock ransomware attack, Talos observed several notable TTPs used by the attacker in each stage of the delivery chain. Talos assesses that the attacker was present in the victim’s environment for approximately 17 days, from the initial compromise until deployment and execution of the Interlock ransomware. 

**Initial access **

The attacker gained access to the victim machine via a fake Google Chrome browser updater executable that the victim was prompted to download from a compromised legitimate news website.  When clicked, the fake browser updater executable “upd\_2327991.exe” was downloaded onto the victim machine from a second compromised URL of a legitimate retailer. 

**Execution **

Talos IR discovered the fake browser updater executable is a Remote Access Tool (RAT) that automatically executes an embedded PowerShell script when downloaded and run. The script initially downloads a legitimate Chrome setup executable “ChromeSetup.exe” to the victim machine’s applications temporary folder and established persistence by dropping a Windows shortcut file in the Windows StartUp folder with the file name “fahhs.lnk” configured to run the RAT every time the victim logs in, establishing persistence.  

Sample PowerShell command that downloads the RAT. 

The RAT executes the command “cmd.exe /c systeminfo" and collects information from victim machine, listed below:

Host Name

Time Zone

OS Name

Total Physical Memory

OS Version

Available Physical Memory

OS Manufacturer

Virtual Memory

OS Configuration

Max Size

OS Build Type

Virtual Memory: Available

Registered Owner

Virtual Memory: In Use

Registered Organization

Page File Location(s)

Product ID

Domain

Original Install Date

Logon Server

System Boot Time

Hotfix(s)

System Manufacturer

Network Card(s)

System Model

Connection Name

System Type

Status

Processor(s)

DHCP Enabled

BIOS Version

DHCP Server

Windows Directory

IP address(es)

System Directory

Hyper-V Requirements

Boot Device

System Locale

Then, the RAT encrypts the collected information in the memory stream. It establishes a secured socket to the command and control (C2) server hidden behind the attacker-controlled Cloudflare domain “apple-online\[.\]shop”, sends the encrypted data stream of victim machine information to the C2 server, and waits to receive the response.  

The RAT also allowed the attacker to execute two other PowerShell commands on the victim machine, which downloads the encrypted data blobs of a credential stealer “cht.exe” and a keylogger binary “klg.dll”, decrypts them with the passwords “jgSkhg934@kjv#1vkfg2S” and runs them. We observed that the keylogger is a DLL file that is run using the LOLBin “rundll32.exe”.  

A sample PowerShell command that downloads and runs the Keylogger. 

**Defense Evasion **

Talos IR observed that EDR was disabled on some of the compromised servers in the victim environment during the investigation. According to the indicators seen, Talos IR believes that the attacker could have either leveraged an EDR uninstaller tool or instrumented a vulnerable device driver Sysmon.sys (TfSysMon.sys) to disable the EDR on the victim machine. We also observed the attacker’s attempts to delete contents of the Event logs on some of the compromised systems.  

**Credential Access **

The credential stealer discovered in this campaign is compiled in Golang. It enumerates the installed browser profiles on the victim machine and copies the Login data, Login State, key4.db, browser history and bookmarks files to the victim’s application profile temporary folder. The stealer then processes the data and uses SQL queries to collect the login information of victims’ online accounts along with the associated account URLs. Finally, the data is written to a file “chrgetpdsi.txt” in the user profile temporary folder.  

The keylogger DLL running on the victim machine is a tiny executable, which hooks to the victim machine keyboard and logs keystrokes in a file called “conhost.txt”, the same folder where the Keylogger was downloaded.  

**Discovery **

The attacker ran PowerShell commands that are known indicators of pre-kerberoasting reconnaissance, a method used to obtain domain admin credentials. We assess with moderate confidence that a Kerberoasting attack was used to obtain accounts with higher privileges. 

(('AD\_Computers: {0}' -f (\[adsiSearcher\]'(ObjectClass=computer)').FindAll().count)  
(\[adsisearcher\]'(&(objectCategory=user)(servicePrincipalName=\*))').FindAll() 

**Lateral Movement **

Talos IR observed that the attacker primarily used Remote Desktop Protocol (RDP) and several compromised credentials to move between systems.  Further analysis showed that the attacker has also used AnyDesk and possibly LogMeIn to allow remote connectivity. We also spotted the installation of PuTTY on the compromised machines, which was likely used to move laterally to Linux hosts. We are not clear how these tools were dropped and executed on the infected machines. 

Sample RDP command executions observed during our analysis and with the redacted IP address details are shown below. 

mstsc /v 10.\*.\*.\* 
.\\conhost.exe -d \\10.\*.\*.\*\\e$ 

**Collection and Exfiltration  **

The attacker executed storage-explorer, a tool that allows users to manage and interact with Azure Storage, and AzCopy, which allows users to copy files to a remote Azure storage, in the victim’s machine. We believe that the attacker used storage-explorer to navigate and identify sensitive information in the victim network and executed AzCopy to upload the data to the Azure storage blob according to network artifacts analysis. We were not able to confirm how the storage-explorer and AzCopy were delivered to the victim machine. 

**Impact **

The attacker deployed the Interlock ransomware encryptor binary with the file name “conhost.exe”, masquerading as a legitimate file, onto the victim machine and stored it in a folder named with a single digit number (example: “3” or “4”) in the user profile application data temporary folder. When run, the ransomware encrypts the targeted files on the victim machine with the file extension “.Interlock” and drops the ransom note “!\_\_README\_\_!.txt” file in every folder containing files that the encryptor has attempted to encrypt. Talos IR also observed that the attacker configured the ransom note to display during interactive login, was pushed using Group Policy Objects (GPOs), a Windows utility that allows users to manage Windows operating systems and applications.  

In the ransom note, the attacker warns against attempting to recover the encrypted files and rebooting the affected machines. They also demand a response within 96 hours or else they threaten to release the victim's data on their leak site and notify the media outlets, which could lead to financial and reputational damage.  

The ransom note includes the URL for an onion site where the affected victims can contact the operator to discuss the ransom demand and purchase the decryption keys using a unique company ID of sixty alphanumeric characters generated for each victim. 

**Interlock ransomware analysis **

Talos observed that Interlock ransomware has both Windows Portable Executable (EXE) and the Linux executable (ELF) variants, indicating that the attacker is targeting both Windows and Linux machines.   

The Interlock ransomware encryption binary is a 64-bit executable, compiled on October 2, 2024. The ransomware appears on the victim’s machines in a packed executable format with the custom unpacker code located in its Thread Local Storage and several obfuscated stack strings in the binary which are decrypted during the runtime of the ransomware. 

When the ransomware runs on the victim machine it initializes the binary by loading custom structures, strings, and Application programming interface (API) functions. After the initialization, it enumerates the logical disk drives that are available on the victim machine. Initially, the ransomware checks for the drive letters “A” through “Z” and excludes the “C drive”. It picks the available logical drives and enumerates all the folders and files in them, encrypting the targeted files on the victim machine and appending the file extension “.interlock” on encrypted files. Once the logical drives are enumerated, the ransomware then enumerates and encrypts the files in the folders of the “C drive”.  

During this enumeration process, the ransomware excludes specific folders and file extensions on the victim machine from being encrypted. The operator hardcoded the folder and files extension exclusion list, shown below, in the Interlock binary.

Folder exclusion list of Windows Interlock variant:

$Recycle.Bin

Windows

Boot

$RECYCLE.BIN

Documents and Settings

AppData

PerfLogs

WindowsApps

ProgramData

Windows Defender

Recovery

WindowsPowerShell

System Volume Information

Windows Defender Advanced Threat Protection

File extension exclusion list of Windows Interlock variant:

.bat

.bin

.cab

.cmd

.com

.cur

.diagcab

.diagcfg

.diagpkg

.drv

.hlp

.hta

.ico

.msi

.ocx

.psm1

.src

.sys

.ini

.url

.dll

.exe

.ps1

Thumbs.db

The Linux variant of the Interlock ransomware performs a similar enumeration of directories and files, starting from the root directory, and encrypts the files excluding those that are in the file extension exclusion list hardcoded in the binary.

File extension exclusion list of Linux Interlock variant:

boot

.cfg

.b00

.v00

.v01

.v02

.v03

.v04

.v05

.v06

.v07

.t00

Interlock ransomware uses LibTomCrypt library, an open-source comprehensive, modular and portable cryptographic library for encryption.  The Windows Interlock ransomware variant uses the Cipher Block Chaining (CBC) encryption technique to encrypt the files on the victim machine whereas the Linux Interlock variant uses either CBC or RSA encryption technique. 

Encryption routine in Windows variant 

Encryption routine in ELF variant 

 

 

After encrypting each of the targeted files in the victim machine Interlock drops the ransom note “!\_\_README\_\_!.txt” file in each of the enumerated folders. 

Windows variant ransom note function 

ELF variant ransom note function 

 

 

We observed that the Windows Interlock variant creates a windows task name “TaskSystem” that runs at 8:00 PM daily on the victim machine as a SYSTEM user executing the configured command to run the ransomware, indicating the ransomware establishing the persistence.  

schtasks /create /sc DAILY /tn “TaskSystem” /tr “cmd /c cd "$Path of the Interlock binary" && "$command” /st 20:00 /ru system > nul

The ransomware has the capability to delete itself upon encrypting the targeted files, hiding the evidence of the encryption binary on the victim machine.  To delete the encryption binary in the Windows variant, Interlock ransomware has a tiny DLL binary embedded in the data section that is dropped into the user profile applications temporary folder with the file name “tmp41.wasd”.  

Then, “rundll32.exe” is used to execute the DLL’s export function, called “run”, which then executes the remove() function to delete the encryption binary.  

The Linux variant uses a similar technique to delete the encryptor binary from the victim machine, by executing the removeme function, which is an inline routine in the same encryptor binary.  

**Interlock TTPs overlap with Rhysida Ransomware **

Talos assesses with low confidence that Interlock ransomware is a new diversified group that emerged from Rhysida operators or developers, based on some similarities in TTPs, tools, and the ransomware encryptor binaries’ behaviors. 

We discovered code overlaps in the binaries of Interlock and Rhysida ransomware samples. Notably, the files and folders exclusion list hardcoded in the Windows variant of the Interlock ransomware has similarities with the exclusion list in Rhysida ransomware, reported by Talos in an August 2023 Threat Advisory. 

Additionally, the Interlock ransomware encryptor with the filename “conhost.exe” was earlier seen in Rhysida ransomware attacks, along with overlaps in TTPs and tools including PowerShell scripts, AnyDesk, and PuTTY, based on a CISA #StopRansomware advisory report on Rhysida Ransomware. Furthermore, both Rhysida and Interlock operators use AzCopy to exfiltrate the victim’s data to an attacker-controlled Azure storage blob, an old but uncommon technique. 

Finally, Interlock and Rhysida deliver ransom notes with a similar theme, where they portray themselves as a helpful partner notifying the victim of a breach and offering to help rectify it. This is in contrast to other prolific and sophisticated cyber groups, such a Black Basta and ALPHV, whose ransom notes demand payment, threaten, and attempt to intimidate the victim.  

Rhysida ransom note. 

Interlock ransom note. 

Interlock’s possible affiliation with Rhysida operators or developers would align with several broader trends in the cyber threat landscape, which Talos reported in our 2022 and 2023 Year in Review reports. We observed ransomware groups diversifying their capabilities to support more advanced and varied operations, and ransomware groups have been growing less siloed, as we observed operators increasingly working alongside multiple ransomware groups. 

****Coverage** **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64114, 64113, 64189 and 301042. 

ClamAV detections are also available for this threat: 

Win.Ransomware.Interlock-10036524-0 

Unix.Ransomware.Interlock-10036662-0 

Win.Trojan.Kryptik-10036729-0 

Win.Downloader.Kryptik-10036730-0 

**Indicators of Compromise **

IOCs for this threat can be found in our GitHub repository here.

Unwrapping the emerging Interlock ransomware attack

Attackers are triggering victims' deep-seated fear of getting in trouble in order to spread the sophisticated stealer across continents.

Source: Charles Walker Collection via Alamy Stock Photo

Hundreds of companies worldwide have been targeted with spear-phishing emails claiming copyright infringement that actually deliver an infostealer.

Starting in July, Check Point Research began to track the emails as they spread across the Americas, Europe, and Southeast Asia, coming from a new domain each time. Hundreds of its customers have been targeted, indicating that the real reach of the campaign may be far greater still.

The goal of the emails is to bait guilt-riddled victims into downloading Rhadamanthys, a sophisticated infostealer equally capable of pilfering nation-state intelligence or, in this case, cryptocurrency wallet passphrases.

**CopyR(ight)hadamantys**

No two emails in the campaign that researchers have dubbed "CopyR(ight)hadamantys" come from the same address, indicating that there must be some kind of automation behind their distribution. This automation proves awkward in some circumstances — like when an Israeli target receives an email almost entirely in Korean — and limits the emails' ability to realistically impersonate known brands.

Each one is made to seem as if it came from legal representatives of specific, known companies. Nearly 70% of those companies come from either technology — like Check Point itself — or from media and entertainment industries.

The profile of impersonated brands weaves in neatly with the story the attackers peddle: that recipients have posted some sort of content on social media that violated a copyright. "I assume everyone has done it to some degree in his life," says Sergey Shykevich, threat intelligence group manager at Check Point. "It just makes people hesitate and think, 'Oh, did I use some wrong image? Did I copy some text \[by accident\]?' Even if you didn't."

Recipients are asked to remove specific images and videos, the details of which are contained in a password-protected file. The file is actually a link that redirects the user to download an archive from Dropbox or Discord. The archive contains a decoy document, a legitimate executable, and a malicious dynamic link library (DLL) containing the Rhadamanthys stealer.

**What to Know About Rhadamanthys**

Rhadamanthys is a popular and accomplished information stealer. As Shykevich explains, "It's without any doubt the most sophisticated of those infostealers which are sold as commodity malware in the Dark Web. It's more expensive than other infostealers: Mostly you'll rent other infostealers from between $100 to $200. Rhadamanthys is more, around $1,000. It's much more modular, more obfuscated, and more complicated in how it's built: The way it loads itself, hides itself, all this makes detection much more complicated."

Among other features, the newest Rhadamanthys version 0.7 sports a slightly archaic machine-learning-based optical character recognition (OCR) component. It's hardly advanced artificial intelligence (AI) — it struggles with text in mixed colors, can't read handwriting, and only interprets the most popular fonts. Nonetheless, it helps the malware read data from static documents (like PDFs) and images.

In CopyR(ight)hadamantys, the OCR module comes loaded with a dictionary of 2,048 words associated with Bitcoin wallet protection codes. This might suggest that the attackers are after cryptocurrencies, which, if true, would also align with the campaign's broad targeting, characteristic of financially motivated campaigns. In recent months, Rhadamanthys has also been associated with nation-state threat actors like Iran's Void Manticore, and the pro-Palestine group "Handala."

**One Strange Stealth Feature**

Organizations looking to defend against CopyR(ight)hadamantys should start with phishing protections, but there's another quirk of the campaign worth noting as well.

After making landfall, the malicious DLL writes a significantly larger version of itself to the victim computer's Documents folder, which masquerades as a component of Firefox. This version of the file is functionally equivalent to the first. What makes it so much heavier is an "overlay" — useless data that serves two meta-functions. First, it changes the file's hash value, a common means by which antivirus programs identify malware.

Some antivirus programs also avoid scanning extra large files. "For example, they don't want to run files associated with games, with a huge number of gigabytes, because it makes for an intense load," Shykevich explains. By this logic, an otherwise uselessly larger Rhadamanthys file might improve its chances of avoiding detection. Though, he adds, "It's not extremely common because it's also not convenient for the attackers to deal with huge files. With some email solutions, you can't attach files more than 20MB, so you need to send the victim to some external resource. So it's a tactic, but it's not some crazy tactic that always works."

Organizations might want to sniff out at any particularly large files that employees may be downloading from emails. "It's not easy, because there are many reasons why some legitimate files will be big," he says. "But I think it's possible to implement some \[effective\] rules for what you can download."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Fake Copyright Infringement Emails Spread Rhadamanthys

The mobile device maker continues to investigate IntelBroker's claims of another high-profile data breach, with the cybercriminal group posting on BreachForums internal data allegedly stolen from Nokia through a third-party contractor.

Source: Nico El Nino via Alamy Stock Photo

Nokia is investigating an alleged cyberattack in which threat actors claim to have stolen sensitive internal data. However, the company says that so far there is no evidence that either its data or systems were affected by a breach.

Known threat actor IntelBroker on Tuesday posted what it claimed is Nokia's online internal data — including SSH keys, source code, and internal credentials — putting it up for sale on the BreachForums cybercrime site for $20,000, according to a published report on HackRead.

The group claimed to have obtained the data through a breach of a third-party contractor linked to Nokia’s internal tool development, though no customer data seems to have been affected by the breach, according to the report.

"Nokia is aware of reports that an unauthorized actor has alleged to have gained access to certain third-party contractor data and possibly data of Nokia," a Nokia spokesperson tells Dark Reading. "Nokia takes this allegation seriously and we are investigating."

However, at this time, the company's investigation "has found no evidence that any of our systems or data being impacted," though Nokia continues "to closely monitor the situation," the spokesperson says.

**Group Known for High-Profile Data Heists**

Given that IntelBroker is a notorious threat actor that already has pulled off a series of high-profile data heists, the chance that Nokia eventually will find that its data has been stolen seems likely. The Serbian-based entity began operations in 2022 and is linked to data breaches that affected Apple, the US House of Representatives, Europol, General Electric, and DARPA (Defense Advanced Research Projects Agency).

If IntelBroker's claim turns out to be true, data stolen in the heist and then sold to a malicious actor or actors potentially could be used to engage in other cybercriminal activity against Nokia. For example, stolen using credentials to gain unauthorized access to Nokia systems and breach other sensitive data or propagate malware. Depending on the nature of the data, other organizations also could be at risk.

The incident also demonstrates yet another example of how organizations are exposed to security risks through third-parties that contract with the company, observes Jim Routh, chief trust officer at cybersecurity firm Saviynt. However, that the breach itself occurred through a third party is not a huge surprise, he tells Dark Reading via email.

**Mitigating Third-Party Risk**

In fact, numerous high-profile cyberattacks at global multinational organizations have been the result of breaches through third parties, including incidents that occurred at credit card company American Express, Spanish banking institution Santander, and US-based financial organization Bank of America.

However, Routh says that the alleged Nokia breach "represents a bit of a head-scratcher" because it involves the compromise of "third-party credentials for access to the software supply chain."

"The head-scratching comes from why a third party has access to Nokia source code," he notes. However, it's possible that attackers gained access through a software engineer contributing to an internal project, Routh adds, speculating that hackers exploited "credential management for access to the software build process."

One potential way that organizations can protect themselves from a similar incident, he says, is to improve identity management for cloud accounts with access to the software supply chain to avoid inadvertently exposing sensitive data to threat actors.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Nokia: No Evidence So Far That Hackers Breached Company Data

The advent of Generative AI and its application in real-life use cases has been on the cards for…

The advent of Generative AI and its application in real-life use cases has been on the cards for a few years now. With advancements in chip manufacturing, neural networks and other deep learning technology, Machine Learning has slowly made way for Generative AI applications, powered by large foundation models that learn from a vast pool of data. However, this is not the impetus for demand.

As a lifelong student of the markets, I observed that use cases required to enhance customer experience with products, services and brands, became challenging to serve with traditional Machine Learning. This in turn caused innovators in academia and industry to develop Large Language Models and Foundation Models, to support and exceed customer expectations.

Customers today expect quick and insightful responses, highly personalized recommendations, expert advice, and the ability to generate media, all at their fingertips. A Google Cloud research found that 95% of retail decision-makers believe that generative AI will have an impact on customer experience. With the proliferation of services and products that are comparable in terms of technology and the solutions offered, customer experience has become a crucial differentiator and business driver.

Statista found that customer experience is considered a primary competitive differentiator by 44.5% of organizations globally. Use cases such as personalization, summarization, Q&A, and intelligent chat-bots, to improve customer interactions, increase employee productivity and ensure a positive brand recall. 

In this article, I explore how generative AI can be leveraged to improve customer experiences, and the best practices across 3 use cases, that can help organizations of all sizes create a differentiated value proposition for themselves.

Let’s start with a ubiquitous use case, personalization. Whether it be content recommendations on your favourite streaming platform, or product recommendations on your preferred online stores, personalization, when done right, can help boost customer engagement.

For organizations, understanding individual preferences can help design targeted customer journeys. These targeted customer journeys can be designed to contain tailored marketing campaigns, product placement and support responses. According to Adobe, 72% of consumers worldwide express confidence in generative AI’s ability to enhance their customer experience.

Foundation models like BLOOM (BigScience Large Open-science Open-access Multilingual Language Model) and the Llama family of models from Meta are popular open-source choices for building personalization engines. By leveraging multiple foundations and smaller machine learning models in conjunction, organizations can create hyper-personalized applications, where responses are tailored to every unique individual.

The possibilities here are unbound, with smart marketers able to create actionable customer cohorts from personalized campaigns. Generative AI enhances customer data sets, providing actionable insights that inform business decisions. By identifying patterns and correlations in customer behaviour, organizations can make informed choices about product development, marketing strategies, and customer engagement efforts.

This data-driven approach leads to improved performance and competitiveness. Where generic marketing messages often fail to resonate with customers, we notice a large group of market-savvy organizations adopt personalized advertisement placements across relevant social media.

This practice helps organizations of all sizes reach their target customers more effectively, and allows smaller organizations to compete for the same markets, increasing customer choice and creating a fair market.

Victoria’s Secret is a good example of an organization that has implemented an AI-powered search feature that leverages Google Cloud’s Vision API. Customers can upload images to find specific products, creating a highly personalized shopping experience. 

The second use case that has benefited greatly from imbibing generative AI is Customer Support. This enhanced customer support helps organizations retain customers, derive insights into products and customer behaviour, and increase employee productivity.

Studies across the National Bureau of Economics, Shakked Noy and Whitney Zhang, Sida Peng, Eirini Kalliamvakou, Peter Cihon, and Mert Demirer display how organizations, including a Fortune 500 enterprise software firm, increase productivity by 66% on average!

The benefits don’t stop there either, as implementing generative AI tools can help cover knowledge gaps among employees and upskill them in additional areas of expertise. Another benefit is the undifferentiated heavy lift of document generation that is routine and process-led.

Leveraging generative AI tools for such tasks frees up an organization’s workforce to focus on value creation and innovation, in turn fulfilling employees’ career and personal goals. Organizations can observe productivity gains, improved employee retention and greater customer satisfaction as a result of creating impactful employee assistant tools.

One approach to enhanced customer support is automation, where organizations can design AI-powered chatbots and virtual assistants to handle routine inquiries, allowing human agents to focus on more complex issues. This not only improves efficiency but also enhances customer satisfaction by providing quicker responses. 

A second approach is agent assistants, which help employees get resolutions to customer issues in real-time, by relying on vast troves of proprietary data. Organizations are building tools to conduct Retrieval Augmented Generation (RAG) on this proprietary data, ensuring that responses are relevant and accurate to the customer.

The best examples of this are from the financial services, Banking and Healthcare industries, where generic responses to customer queries can be confusing and misleading, necessitating responses that are use case, issue and organization relevant.

A third approach rising in prevalence is code assistance, with tools that can help code developers reduce the lead times in project development, version migrations, debugging and updates. The advancements in this field will be interesting to follow, as organizations and society grapple with questions about right-sizing workforces based on the tools available.

Regardless, I believe that these tools further democratize the market for organizations of all sizes and help people focus on pursuing value-added activities. This in turn spurs innovation and improves customer experience.     

The third and last use case I explore here is dynamic content creation. Generative AI has empowered organizations to create impactful content leveraging their creative skills, by outsourcing the heavy burden of background tasks to powerful tools. Large models such as Stable Diffusion and Dall-E allow organizations to build innovative applications where their users can generate images based on text inputs, bringing a creative flair and unmatched user engagement to these organizations.

As large, open-source models become more powerful, expect capabilities such as creating rich presentations and powerful story-telling with word prompts to become prevalent in business. 

To summarize, the evolution of generative AI promises to be the biggest game-changer to customer experiences since the internet, with rich experiences now within the grasp of organizations large and small.

As more enterprises develop powerful, purpose-built tools and capabilities, forward-looking players in the space will move fast and develop enhanced customer experiences that aid in customer retention, create positive top and bottom-line growth, and improve user experience for all consumers.

****References****

_National Bureau of Economic Research (NBER)- Generative AI at Work_

_PR Newswire- Google Cloud Shares New Research on 2024 Outlook on Generative AI in Retail  
_  
_Statista- Share of professionals perceiving customer experience (CX) as a competitive differentiator for their organization worldwide in 2021_

_Adobe- Consumers and marketers see a role for (responsible) generative AI in customer experiences_

Enhance customer experiences with Generative AI

Hackers claim to have breached MIT Technology Review Magazine via a third-party contractor, leaking nearly 300,000 user records…

Hackers claim to have breached MIT Technology Review Magazine via a third-party contractor, leaking nearly 300,000 user records on Breach Forums. Data includes full names, email addresses, and activity details, posing risks for phishing and targeted scams.

In a new data breach disclosed today, the hacker known as Intel Broker claims to have stolen the personal data of 290,762 individuals from MIT’s _Technology Review_ website via a third-party contractor. The data, which could be the website’s newsletter subscribers list, was posted on Breach Forums, a popular cybercrime platform, earlier today.

Intel Broker, notorious for **recent attacks on high-profile organizations**, alleges that the data includes Personally Identifiable Information. Hackread.com analyzed the leaked data and can confirm it includes personal details, which, while not as sensitive as financial data, could be leveraged in phishing attempts or targeted scams. Here is what the hacker has leaked:

*   **Full names**
*   **Dates of activity**
*   **Educational details**
*   **Email addresses (3,924 – After removal of duplicates: 1,343)**

Screenshot from the leaked data (Credit: Hackread.com)

Though the leak does not appear to contain highly sensitive information like passwords, social security numbers or financial data, the compromised data is still a privacy risk, as it could be exploited for phishing scams or identity verification attacks.

It is worth noting that this is not the first time Intel Broker has targeted a technology publication. In June 2024, an affiliate of Intel Broker **breached the “Tech in Asia” news outlet**, leaking the personal data of 221,470 users.

MIT Technology Review, an esteemed publication from the Massachusetts Institute of Technology, is known for its analysis of emerging technologies and their impact on society. This data breach potentially exposes readers and contributors who engaged with the platform, a situation that may lead to reputational challenges for the publication, as well as privacy concerns for its user base.

**Recent Activity of Intel Broker**

The alleged breach of Technology Review comes on the heels of another claim by Intel Broker, who recently advertised the sale of **sensitive internal data from Nokia** on the same forum, allegedly obtained through a similar contractor vulnerability. In the Nokia case, the hacker reportedly set a price of $20,000 for access to the stolen data, which included SSH keys, source code, and login credentials.

**Privacy Implications and MIT’s Response**

With names, email addresses, and activity data accessible, cybercriminals may use this information to craft sophisticated schemes aimed at those connected with the platform. Hackread.com has reached out to MIT’s Technology Review for a response regarding the data breach. Updates will be provided as more information becomes available. Stay tuned.

1.  **US Microchip Giant Cyberattack Disrupts Operations**
2.  **Hacker IntelBroker Leaks Sensitive US DoD Documents**
3.  **IntelBroker Apple Breach: Steals Source Code for Internal Tools**
4.  **AMD Data Breach: IntelBroker Steals Employee and Product Info**
5.  **Europol Hacked: IntelBroker Claims Major Law Enforcement Breach**

Hackers Leak 300,000 MIT Technology Review Magazine User Records

Hackers claim to have breached Nokia through a third-party contractor, allegedly stealing SSH keys, source code, and internal…

Hackers claim to have breached Nokia through a third-party contractor, allegedly stealing SSH keys, source code, and internal credentials. The data is being sold for $20,000 on BreachForums, though no customer data was affected. Nokia has not yet commented on the claim.

A notorious hacker known as Intel Broker has announced a data breach involving the telecommunications giant Nokia. Posting on the infamous cybercrime forum BreachForums, Intel Broker claims to have gained unauthorized access to sensitive Nokia information through a third-party contractor linked to Nokia’s internal tool development.

The hacker claims that no customer information was accessed, but they have obtained **critical internal data** from Nokia’s systems, which they’re now selling for $20,000.

**Details of the Breach**

According to Intel Broker’s post, the stolen data includes SSH keys, source code, RSA keys, Bitbucket logins, SMTP accounts, webhooks, and hardcoded credentials. All of these items could potentially enable further unauthorized access to internal systems or facilitate other types of cyber attacks. In an attempt to validate the breach, Intel Broker also shared a file tree, showcasing various files and folders apparently related to Nokia’s internal operations.

In an exclusive conversation with Hackread.com, Interl Broker said that the stolen data collection is up for sale for $20,000, and he is reaching out to prospective buyers on BreachForums. According to the post, only those with high-ranking status and sufficient reputation on the forum are being encouraged to inquire.

Intel Broker on Breach Forums (Screenshot: Hackread.com)

The hacker claims to have pulled this data from a contractor working closely with Nokia, rather than Nokia’s own systems directly. This method of breaching systems through third-party vendors has become **increasingly common**, as vendors are often granted extensive access to the companies they serve. Cybersecurity experts have long warned about this weak point, advising companies to ensure that security standards extend to their contractors and partners.

**Potential Impact**

While Intel Broker emphasizes that customer data is not included in the breach, the exposure of alleged Nokia’s internal data could still have widespread implications. With access to development environments, source code, and credentials, hackers could potentially tamper with Nokia’s tools or services, or exploit the vulnerabilities in these resources to compromise other systems.

Screenshot from the sample data that Hackread.com analysed

****Nokia’s Response****

At the time of reporting, there has been no official statement from Nokia on this alleged breach. However, Hackread.com has reached out to the company awaiting a response. Stay tuned.

****About Intel Broker****

Intel Broker who is also the owner of Breach Forums is known for high-profile data breaches. **In June 2024**, the hacker claimed to have breached Apple Inc., stealing source code for internal tools. The same hacker boasted about **breaching AMD** (Advanced Micro Devices, Inc.), and stealing employee and product information.

**In May 2024**, Intel Broker hacked Europol, a breach that the agency later confirmed. Some of the hacker’s previous data breaches are listed below:

*   **Tech in Asia**
*   **Space-Eyes**
*   **Home Depot**
*   **Facebook Marketplace**
*   **Staffing giant Robert Half**
*   **U.S. contractor Acuity Inc.**
*   **Los Angeles International Airport**
*   **Alleged breaches of HSBC and Barclays Bank**

Although the hacker’s origins and affiliates are unknown, according to the United States government, IntelBroker is alleged to be the perpetrator behind one of the **T-Mobile data breaches**.

1.  **Hacker Leaks Thousands of Nokia Employee Details**
2.  **Nokia Taiwan Hacked, 100,000+ accounts leaked online**
3.  **Cisco Network Breach as Employee’s Google Account was Hacked  
    **

Tag

#apple