As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIMATIC CP
Vulnerability: Incorrect Authorization
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an unauthenticated attacker to gain access to the filesystem.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following version of SIMATIC CP is affected:
SIMATIC CP1543-1: V4.0 (6GK7543-1AX10-0XE0)
3.2 Vulnerability Overview
3.2.1 INCORRECT AUTHORIZATION CWE-863
Affected devices do not properly handle authorization. This could allow an unauthenticated remote attacker to gain access to the filesystem.
CVE-2024-50310 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C).
A CVSS v4 score has also been calculated for CVE-2024-50310. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations that users can apply to reduce risk:
SIMATIC CP1543-1 V4.0 (6GK7543-1AX10-0XE0): Update to SIMATIC CP1543-1 V4.0.50 or later versions
Restrict access to Port 8448/tcp to trusted systems only
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security, and following the recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-654798 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY
November 14, 2024: Initial Publication

Siemens SIMATIC CP

Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia.

New PXA Stealer targets government and education sectors for sensitive information

Experts expect Donald Trump’s next administration to relax cybersecurity rules on businesses, abandon concerns around human rights, and take an aggressive stance against the cyber armies of US adversaries.

For American companies grousing about new cybersecurity rules, spyware firms eager to expand their global business, and hackers trying to break AI systems, Donald Trump’s second term as president will be a breath of fresh air.

For nearly four years, president Joe Biden’s administration has tried to make powerful US tech firms and infrastructure operators more responsible for the nation’s cybersecurity posture, as well as restrict the spread of spyware, apply guardrails to AI, and combat online misinformation. But when Trump takes office in January, he will almost certainly eliminate or significantly curtail those programs in favor of cyber strategies that benefit business interests, downplay human-rights concerns, and emphasize aggressive offense against the cyber armies of Russia, China, Iran, and North Korea.

“There will be a national security focus, with a strong emphasis on protecting critical infrastructure, government networks, and key industries from cyber threats,” says Brian Harrell, who served as the Cybersecurity and Infrastructure Security Agency’s assistant director for infrastructure security during Trump’s first term.

From projects whose days are numbered to areas where Trump will go further than Biden, here is what a second Trump administration will likely mean for US cybersecurity policy.

**Full Reversal**

The incoming Trump administration is likely to scrap Biden’s ambitious effort to impose cyber regulations on sectors of US infrastructure that currently lack meaningful digital-security safeguards. That effort has borne fruit with railroads, pipelines, and aviation but has hit hurdles in sectors like water and health care.

Despite mounting cyberattacks targeting vital systems—and despite this year’s Republican Party platform promising to “raise the security standards for our critical systems and networks”—conservatives are unlikely to support new regulatory mandates on infrastructure operators.

There will be “no more regulation without explicit congressional authorization,” says James Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies.

Harrell says “more regulation will be dismantled than introduced.” Biden’s presidency was “riddled with new cyber regulation” that sometimes confused and overburdened industry, he adds. “The new White House will be looking to reduce regulatory burdens while streamlining smart compliance.”

This approach may not last, according to a US cyber official who requested anonymity to discuss politically sensitive issues. “I think they’ll eventually recognize that the efforts focused on regulation in cyber are needed to ensure the security of our critical infrastructure.”

“Regulation is the only tool that works,” Lewis says.

Some Biden cyber rules might be overturned in court, now that the Supreme Court has eliminated the deference that judges previously gave to agencies in disputes over their regulations. John Miller, senior vice president of policy at the Information Technology Industry Council, a major tech trade group, says it’s also possible that Trump officials “might not wait for the courts” to void those rules.

Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, predicts that the Trump administration will emphasize cooperation and incentives in its efforts to protect vulnerable industries. He points to a House GOP plan for water cybersecurity standards as an example.

Trump’s election also likely spells doom for CISA’s work to counter mis- and disinformation, especially around elections. After Trump lost the 2020 election, he fired CISA’s first director for debunking right-wing election conspiracy theories, and the conservative backlash to anti-misinformation work has only grown since then.

In 2022, Trump outlined a “free speech policy initiative” to “break up the entire toxic censorship industry that has arisen under the false guise of tackling so-called ‘mis-’ and ‘dis-information.’” Elon Musk, the billionaire owner of Tesla, SpaceX, and X whom Trump has tapped to colead a “government efficiency” initiative, enthusiastically shared the plan last week.

CISA has already dramatically scaled back its efforts to combat online falsehoods following a right-wing pressure campaign, but Trump appointees are almost certain to smother what remains of that mission. “Disinformation efforts will be eliminated,” Montgomery predicts.

Harrell agrees that Trump would “refocus” CISA on core cyber initiatives, saying the agency’s “priorities have mistakenly bordered on social issues lately.”

Also likely on the chopping block: elements of Biden’s artificial intelligence safety agenda that focus on AI’s social harms, like bias and discrimination, as well as Biden’s requirement for large AI developers to report to the government about their model training.

“I expect the repeal of Biden’s executive order on AI, specifically because of its references to AI regulation,” says Nick Reese, a director of emerging technology policy at the Department of Homeland Security under Trump and Biden. “We should expect a change in direction toward less regulation, which would mean less compulsory AI safety measures.”

Trump is also unlikely to continue the Biden administration’s campaign to limit the proliferation of commercial spyware technologies, which authoritarian governments have used to harass journalists, civil-rights protesters, and opposition politicians. Trump and his allies maintain close political and financial ties with two of the most prolific users of commercial spyware tools, Saudi Arabia and the United Arab Emirates, and he showed little concern about those governments’ human-rights abuses in his first term.

“There’s a high probability that we see big rollbacks on spyware policy,” says Steven Feldstein, a senior fellow in the Carnegie Endowment for International Peace’s Democracy, Conflict, and Governance Program. Trump officials are likely to care more about spyware makers’ counterterrorism arguments than about digital-rights advocates’ criticisms of those tools.

Spyware companies “will undoubtedly receive a more favorable audience under Trump,” Feldstein says—especially market leader NSO Group, which is closely affiliated with the Trump-aligned Israeli government.

**Dubious Prospects**

Other Biden cyber initiatives are also in jeopardy, even if their fates are not as clear.

Biden’s National Cybersecurity Strategy emphasized the need for greater corporate responsibility, arguing that well-resourced tech firms must do more to prevent hackers from abusing their products in devastating cyberattacks. Over the past few years, CISA launched a messaging campaign to encourage companies to make their products “secure by design,” the Justice Department created a Civil Cyber-Fraud Initiative to prosecute contractors that mislead the government about their security practices, and White House officials began considering proposals to make software vendors liable for damaging vulnerabilities.

That corporate-accountability push is unlikely to receive strong support from the incoming Trump administration, which is almost certain to be stocked with former business leaders hostile to government pressure.

Henry Young, senior director of policy at the software trade group BSA, predicts that the secure-by-design campaign will “evolve to more realistically balance the responsibilities of governments, businesses, and customers, and hopefully eschew finger pointing in favor of collaborative efforts to continue to improve security and resilience.”

A Democratic administration might have used the secure-by-design push as a springboard to new corporate regulations. Under Trump, secure-by-design will remain at most a rhetorical slogan. “Turning it into something more tangible will be the challenge,” the US cyber official says.

**Chipping Away at the Edges**

One landmark cyber program can’t easily be scrapped under a second Trump administration but could still be dramatically transformed.

In 2022, Congress passed a law requiring CISA to create cyber incident reporting regulations for critical infrastructure operators. CISA released the text of the proposed regulations in April, sparking an immediate backlash from industry groups that said it went too far. Corporate America warned that CISA was asking too many companies for too much information about too many incidents.

Trump’s election could throw a wrench in CISA’s ambitious incident-reporting plans. New appointees at the White House, DHS, and CISA itself could force agency staff to rewrite the rules to be more industry-friendly, exempting entire swaths of critical infrastructure or eliminating requirements for companies to report certain data. Trump’s team has months to revise the final rule before its required publication in late 2025.

BSA’s Young expects Trump’s team to scale back the regulations, which he says “take a very broad view of the authority CISA believes Congress granted it.”

The current rule is “particularly vulnerable to a court challenge” because it exceeds Congress’s intent, ITI’s Miller warns, and Trump’s team “may direct CISA to scale it back” if the agency doesn’t “proceed cautiously” on its own.

**New Urgency**

One area where Trump might pick up the baton from the Biden administration is the government’s use of military hacking operations and its response to foreign adversaries’ cyberattacks.

Under Biden, the military’s US Cyber Command has scaled up its overseas hacker-hunting engagements with allies. But Republicans have pressed Biden to respond more muscularly to Chinese, Russian, and Iranian hacks, and Trump is likely to embrace that approach—particularly after picking representative Mike Waltz, an advocate for cyberattacks on Russia, North Korea, and Mexican cartels, as his national security adviser.

“A much more aggressive stance will be taken against China, which is sorely needed,” Harrell says, predicting that Chinese hackers penetrating US critical infrastructure “will be held to account.”

Montgomery agrees that Trump may “adopt a more aggressive approach” to national cyber defense, including giving the National Guard “a more significant role” in protecting domestic infrastructure.

Montgomery also says he expects more frequent and more muscular offensive operations by Cyber Command, which Trump elevated to a full combatant command during his first term. He predicts the Trump administration will “look more favorably” on creating a separate military cyber service, which the Biden administration opposed, and “take a more skeptical view” of the joint leadership of Cyber Command and the National Security Agency, which the Biden administration supported.

Trump could also harness other tools to constrain China, including authorities he created during his first term to block the use of risky technology in the US. “The Trump administration will look at the full set of policy levers when deciding how to push back on China in cyberspace,” says Kevin Allison, a consultant on geopolitics and technology.

More Spyware, Fewer Rules: What Trump’s Return Means for US Cybersecurity

APT Wirte is doing double duty, adding all manner of supplemental malware to gain access, eavesdrop, and wipe data, depending on the target.

Source: Christophe Coat via Alamy Stock Photo

A longstanding threat actor affiliated with Hamas has been conducting espionage against governments across the Middle East and destructive wiper attacks in Israel.

"Wirte" is a 6 1/2-year-old advanced persistent threat (APT) working to support Hamas' political agenda. Check Point Research identifies it as a subgroup of the Gaza Cybergang (aka Molerats), which is also thought to overlap with TA402.

In recent weeks and months, Wirte has leveraged the Gaza war to spread phishing attacks against government entities spread across the region. It has also been carrying out wiper attacks in Israel. "It shows that Hamas still has cyber capabilities, even with the ongoing war," says Sergey Shykevich, threat intelligence group manager at Check Point.

**Wirte's Spying and Wiping Attacks**

Wirte attacks are not particularly unique or sophisticated. A PDF in an email might contain a link directing targets to a file for download, named in some way to lend it legitimacy (e.g., "Beirut — Developments of the War in Lebanon 2"). The file will contain a lure document, one or more legitimate executables, and the malware.

To upgrade this infection chain, Wirte has sometimes made use of the IronWind loader, starting in October 2023. IronWind uses a complex, multistage infection chain to drop malware, with the goal of frustrating analysis. It employs geofencing, and reflective loaders that run code directly in memory, rather than on the disk, where it might otherwise be spotted by antivirus software.

In an espionage-focused attack, the end of this chain might bring the open source penetration testing framework "Havoc." Havoc enables persistent access to a compromised machine, useful for establishing remote control, performing lateral movement, stealing data, and more.

In February and October 2024, by contrast, Wirte campaigns climaxed with the deployment of a wiper called "SameCoin."

Last month, Wirte puppetted the email address of a legitimate Israeli reseller of ESET software. Its lure message — sent to hospitals, municipal governments, and others — warned recipients that "Government-based attackers may be trying to compromise your device!" and included a download link. The link first tried to connect to the website for Israel's Home Front Command, a wing of the Israel Defense Forces (IDF) responsible for protecting civilians. Its site is accessible only to those within Israel, so if the redirection succeeded, the attack would proceed.

Next, a downloaded zip file dropped and decrypted a pro-Hamas wallpaper JPG, a propaganda video, a tool designed to enable lateral movement within targeted networks, and the SameCoin wiper.

Still image from a political video spread in the SameCoin campaign; Source: @NicoleFishi19 on X

**What Wirte Wants**

Wirte spying has crossed into Egypt and Saudi Arabia, but its favored targets appear to be from Jordan and the Palestinian Authority (PA), the government entity that oversees parts of the West Bank and is controlled by Fatah, Hamas's primary political rival within Palestine. For the most part, this has remained consistent in its half-dozen-year history.

Wirte has evolved somewhat is in its approach to Israel. And in this way, it has also mirrored other Palestinian threat actors.

"Before the war, it was focused mostly on espionage, and stealthy persistence in networks," Shykevich explains. This is in stark contrast to its latest wave of loud wiper attacks, for example, which were timed to begin on Oct. 7, the one-year anniversary of Hamas's Operation Al-Aqsa Flood, the terror attack that killed more than 1,000 Israelis and led to the capture of nearly 250 more.

"Now, it has become more and more about making \[breaches\] public, showing the data, the destruction. The focus is more and more on hack-and-leak operations, and how they can use cyber capabilities to try to shape a narrative."

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel

The Salt-SSH pre-flight option copies the script to the target at a predictable path, which allows an attacker to force Salt-SSH to run their script. If an attacker has access to the target VM and knows the path to the pre-flight script before it runs they can ensure Salt-SSH runs their script with the privileges of the user running Salt-SSH. Do not make the copy path on the target predictable and ensure we check return codes of the scp command if the copy fails.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-4277-m35q-7c9w: Salt preflight script could be attacker controlled

Alan Filion, believed to have operated under the handle “Torswats,” admitted to making more than 375 fake threats against schools, places of worship, and government buildings around the United States.

In perhaps the largest swatting case to ever be prosecuted, an 18-year-old from Lancaster, California, has pleaded guilty to federal charges stemming from a nationwide spree of hundreds of shooting and bomb threat hoaxes that sent police scrambling to high schools, courthouses, and the homes of law enforcement officials and prominent politicians.

Alan Winston Filion now faces a maximum penalty of five years in prison for each of four counts of making interstate threats to injure the person of another, according to the United States Department of Justice.

Early this year, Filion was arrested and extradited to Seminole County, Florida. At the time, state prosecutors charged Filion with four state-level felony counts stemming from a single incident in which, prosecutors allege, Filion told a Sanford Police Department dispatcher that he was armed with pipe bombs and an AR-15 rifle and was walking into Masjid Al Hayy Mosque to kill everyone he saw.

Filion, whom authorities believe operated online as “Torswats,” has been in jail without a trial for nearly a year. He entered a plea of not guilty to the state charges.

The federal charges announced on Wednesday, along with interviews from people connected to the investigation—and Filion himself—allege his swatting activities reached far beyond Florida’s borders.

Between approximately August 2022 to January 2024 Filion made more than 375 swatting calls, according to the plea agreement. These included incidents where he claimed to have planted bombs or threatened to conduct mass shootings at targeted locations that included religious institutions, high schools, and historically black colleges and universities.

“This prosecution and today’s guilty plea reaffirm the Justice Department’s commitment to using all tools to hold accountable every individual who endangers our communities through swatting and hoax threats,” deputy attorney general Lisa Monaco said in a statement. “For well over a year, Alan Filion targeted religious institutions, schools, government officials, and other innocent victims with hundreds of false threats of imminent mass shootings, bombings, and other violent crimes. He caused profound fear and chaos and will now face the consequences of his actions.”

According to court records, Filion was also part of a high-profile international swatting group that targeted several prominent figures between December 2023 and January 2024. Among the victims were US Homeland Security secretary Alejandro Mayorkas, Cybersecurity and Infrastructure Security Agency director Jen Easterly, Republican US representative Marjorie Taylor Greene of Georgia, and Republican senator Rick Scott of Florida. Investigators say they linked the scheme to roughly 100 calls, one of which targeted an unnamed former president of the United States.

In August, the Department of Justice charged two European men, Tomasz Szabo and Nemanja Radovanovic, in connection with the widespread swatting operation, which led to at least one car accident with injuries. During interviews with the US Secret Service in January and February, both men admitted their roles in the scheme. Radovanovic, however, claimed that he was directed by a third party who provided detailed scripts and selected the targets.

According to the plea agreement, Filion admitted to orchestrating the operation, supplying the names, addresses, and phone numbers of many of the targeted individuals.

“I shot my wife in the head with my AR-15,” a man identifying himself as "James" said in one such call. He told dispatchers in Georgia that he caught his wife sleeping with another man and, after killing her, had taken the man hostage. “I’ll release him for $10,000 in cash,” he added, threatening to detonate pipe bombs and blow up the house if his demands weren’t met. This call targeted the home of Georgia state senator John Albers.

The case against Filion, first reported by WIRED, was built on a trail of digital evidence left across platforms like Telegram, YouTube, and Discord, and pieced together by Brad “Cafrozed” Dennis, a private investigator. Dennis had been hired by two high-profile Twitch stars, both victims of Torswats’ calls, to find the person responsible.

For months, Dennis had posed online as a vengeful ex-husband looking to troll and harass his former wife. He used this persona to infiltrate private Discord servers and Telegram groups where Torswats and affiliates hung out. These were chats dedicated to extortion plots and racist memes; channels filled with child sexual abuse material, self-harm, and animal abuse—some of the worst content he'd ever seen, Dennis told WIRED.

On New Year's Eve 2022, Dennis sent Torswats a private message on Telegram: “You wanna make some real cash? Add me on Tox,” he wrote, referring to the peer-to-peer messaging service, under the pretense of arranging a swatting.

Using network monitoring tools, Dennis then captured the IP address linked to the Torswats account and uncovered a new username: "Paimon Arnum." In January 2023, Dennis handed this critical piece of evidence, along with other usernames and active Discord servers he had tracked over several months, over to the FBI.

According to emails reviewed by WIRED, that information was central to how the FBI broke the case and was the basis of subpoenas sent to Discord and Google in April of 2023 seeking information on accounts Dennis had identified. By early May, the FBI had successfully pinpointed Torswats’ identity and location.

That month, Torswats privately took responsibility for swatting incidents in Telegram chats reviewed by WIRED. These incidents affected up to 25 schools in Washington state, impacting approximately 18,116 students and costing taxpayers an estimated $271,173 in lost instructional time, according to Don Beeler, CEO of TDR Technology Solutions, a company specializing in school surveillance and threat analysis.

Additionally, 911 audio and other police records obtained by WIRED corroborate that the same individual made the calls for more than a dozen of these swatting incidents. In some instances, the caller told dispatchers he had been commanded by Satan to kill students. In others, he said he had been mistreated because he was gay. In others, he seemed to have become bored enough with the game that he didn’t bother to make up a reason.

On July 12, the Torswats handle announced a new swatting operation dubbed the “Grand Offensive,” targeting a dozen senators. Three days later, the FBI raided Filion’s home and seized his electronic devices.

But the raid didn’t stop the swatting.

On November 6, 2023, someone using the Torswats handle took responsibility for a bomb threat aimed at North Beach High School in Ocean Shores, Washington, through a Telegram message. According to police reports and call records obtained by WIRED, the caller impersonated a drug dealer who wanted to report his client to the police because he had said he had placed pipe bombs around the school and was planning a mass shooting. That same month, a person going by Torswats also admitted to swatting an investigator and cybercrime expert named Keven Hendricks in private Telegram communications.

Both threats could be attributed to the same individual, according to a law enforcement official who reviewed the recordings for WIRED but requested anonymity because they were unauthorized to speak to the press.

Details about Filion’s life outside his online activities remain sparse. Enrollment records from Lancaster’s Antelope Valley Community College show that Filion began pursuing a degree in mathematics in the fall of 2022. A former classmate, who requested anonymity due to fears of retaliation, described Filion as quiet and “forgettable.”

“He didn’t appear to have many friends,” they said.

In January 2024, an individual affiliated with the Torswats Telegram account and claiming to be a friend of Filion suggested that he was part of a group aiming to incite racial violence and that he sought money to “buy weapons and commit a mass shooting.” The allegation aligns with a written tip, placed to the FBI’s Internet Crime Complaint Center in April 2023 and obtained by WIRED, alleging that the person behind the Torswats account was involved in a neo-Nazi cult known as the Order of Nine Angles.

“He believes he is doing his part to bring about the end of days by ‘bleeding the finances and man hours of the system,’” the tipster wrote.

Filion’s family could not be immediately reached for comment. A sentencing date for the teenager has not yet been set.

_Updated at 10:45 am EST, November, 2024: Added additional details about Filion’s involvement in swatting attacks against prominent US government officials and others._

Teen Behind Hundreds of Swatting Attacks Pleads Guilty to Federal Charges

The China-affiliated group is using the highly modular DeepData framework to target organizations in South Asia.

Source: u3d via Shutterstock

China's APT41 threat group is using a sophisticated Windows-based surveillance toolkit in a cyber-espionage campaign targeting organizations in South Asia.

The malware adds to the already broad portfolio of malicious tools that the threat actor has deployed in recent years and makes APT41 an even more pernicious threat to targeted enterprises.

**Optimized Plug-ins**

Researchers at BlackBerry, among the many who are tracking the threat actor, spotted the new malware toolkit earlier this year and have dubbed it "DeepData Framework." Their analysis showed it to be a highly modular toolkit that supports as many as 12 separate plug-ins, each one optimized for a specific malicious function.

Four of the plug-ins steal communications from WhatsApp, Signal, Telegram, and WeChat. Another three are rigged to steal and exfiltrate system information, Wi-Fi network data, and information on all installed applications on the compromised system — including names and installation paths. Three DeepData plug-ins steal information related to browsing history and cookies; they also grab passwords from Web browsers, Baidu storage services, FoxMail, and other cloud services, and other information like user emails and contact lists in Microsoft Outlook. The remaining two plug-ins enable theft of audio files from compromised systems.

Blackberry researchers chanced upon DeepData when conducting an investigation of "LightSpy," an iOS implant that they have tracked APT41 using in an ongoing and wide-ranging mobile espionage campaign against targets in India and South Asia. Their analysis showed DeepData to have a similar design to LightSpy in that both have a core module and support for multiple data theft plug-ins.

Significantly, DeepData appears to be a malware toolkit that the attackers are manually interacting with after compromising a target and gaining access. "The \[command and control\] address is also specified as a command line argument, as are the requested plugins to be run or data to extract," Blackberry's research and intelligence team said in a blog post this week. "The implication of this execution method is that it must be done manually, sans a script or some other bundling distribution."

**Surveillance Powers Continue to Grow**

DeepData adds to APT41's already formidable surveillance and cyber espionage capabilities. The malicious framework is an example of the constantly emerging threats that organizations have to deal with when trying to mitigate threats from advanced persistent threat groups and nation-state bad actors. "Our latest findings indicate that the threat actor behind DeepData has a clear focus on long-term intelligence gathering," BlackBerry said. Since first deploying LightSpy in 2022, the threat actor has methodically and strategically bulked up its capabilities to intercept communications and steal data in total stealth, BlackBerry said.

APT41 is a known threat actor that security vendors and researchers have been variously tracking as Winnti, WickedPanda, Barium, Wicked Spider, and other names. Some vendors consider APT41 to be a collection of smaller subgroups collectively working at the behest of, or on behalf of the Chinese government. The group's mandate appears to be very broad, based on its targets and the kind of campaigns it has conducted in recent years.

Most recently, researchers tied APT41 to attacks targeting global logistics and utilities companies, and to a campaign that targeted research entities in Taiwan. Over the years, the group has stolen data from a wide range of organizations, including intellectual property and trade secrets from healthcare organizations, media and entertainment companies, government agencies, automative firms, retailers, energy companies, pharmaceutical companies, and others. Its activities prompted a US government investigation and subsequent indictment of five alleged members of APT41 back in 2020. Its victims have spanned Europe, Asia, and North America.

The group's latest South Asian campaign appears aimed at politicians, journalists, and political activists in the region, according to BlackBerry. "Organizations of all sizes, particularly those in targeted regions, should treat this threat as a high priority and implement comprehensive defensive measures."

The company's recommended mitigation measures include blocking the group's known C2 infrastructure, monitoring networks and devices for unexpected audio recording activities, using secure communications for transmitting data, and deploying the detection rules that BlackBerry has released for DeepData components.  

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Toolkit Vastly Expands APT41's Surveillance Powers

PRESS RELEASE

(Paris, France) – October 31, 2024 – As counterfeiting represents a global issue for brands and societies alike, Cypheme, a pioneering French company focused on AI-powered anti-counterfeiting solutions, today announced that Vrai AI, its AI anti-counterfeit technology that can detect fake products based on just a picture of a specific detail of a product or label, purely with visual analysis, is now available to brands worldwide. This ground-breaking artificial intelligence, which is perfect for companies across multiple verticals (i.e.: jewelry, pharmaceuticals, electronics, fashion, etc.), is easy to implement and only requires the use of a smartphone to keep a brands’ reputation and customers safe.

Lacoste, a world-renowned fashion brand, is the first company to pioneer the use of this technology, marking a major milestone in the worlds of AI development, the fashion industry and the global fight against counterfeiting. Already, Cypheme’s ground-breaking solution has achieved a near perfect level of accuracy of 99.7% for Lacoste, helping them easily identify fake products and remove them from the market.

By incorporating Cypheme’s powerful technology, which examines microscopic visual details of a specific feature of the product, the AI can differentiate a real from a fake, much in a way similar to a human expert. No modification of the product, no special label, or hidden marker is needed. For Lacoste, Cypheme uses the famous and iconic crocodile logo to identify fakes among a wide variety of Lacoste products. This represents an unprecedented technological leap in the fight against counterfeiting that could play a major part in solving or mitigating crisis linked to the criminal activity across multiple regions and sectors.

For certain types of products, however, the use of Cypheme’s “Noise Print Label,” a proprietary fingerprint anti-counterfeit label that protects every product it is affixed on, is also available. Noise Print is an anti-copy label that utilizes an advanced set of algorithms powered by an artificial neural network that verifies a product’s authenticity. However, it doesn’t stop there. Noise Print can also help trace back the origin points where fake products are known to be made.

“Today, according the European Union Agency for Law Enforcement Cooperation, counterfeiting represents 2.5% of the world’s trade, or $461 billion, and puts low-quality goods on the market, generating risks for health, well-being, security and safety,” explains Hugo Garcia-Cotte, CEO, Cypheme. “Implementing anti-counterfeiting technologies helps brands combat piracy, secure operations, enhance revenue and improve customer engagement, however they do not stop at just that, they have a much larger impact, helping shape safer societies overall.”

About Cypheme  
Cypheme is a pioneering French company focused on AI-powered anti-counterfeiting solutions. With their AI technology, Vrai AI, they aim to make counterfeit trade an unattractive activity for all people of the world. Cypheme’s technology is used in many different industries and countries to safeguard people from the negative impact of fake goods. For more information, visit https://www.cypheme.com/.

Lacoste First to Use AI-Powered Anti-counterfeiting Solution

Among the top exploited zero-day vulnerabilities were bugs found in systems from Citrix and Cisco.

Source: JUN LI via Alamy Stock Photo

The Cybersecurity and Infrastructure Security Agency is warning that the most routinely exploited vulnerabilities in 2023 were zero-days in its latest research conducted alongside global cybersecurity authorities.

These findings are a reversal from 2022, when less than half of the most exploited vulnerabilities were zero-days.

CISA's "2023 Top Routinely Exploited Vulnerabilities" report shows that threat actors continue to have success exploiting these kinds of vulnerabilities even two years after public disclosure. After this time frame, the value of the vulnerability tends to decline as patches get applied and systems are replaced.

Some of the top zero-day flaws came from vendors such as Citrix and Cisco, with vulnerabilities involving code injection bugs (CVE-2024-3519), privilege escalation (CVE-2023-20198), and buffer overflow (CVE-2023-4966).

To combat exploitation from threat actors, CISA is urging organizations to check for signs of compromise and keep up with patching CVEs. However, even this may not be enough. Three other tools that CISA recommends are endpoint detection and response (EDR), Web application firewalls, and network protocol analyzers. 

As to why zero-days were among the top exploited, many individuals in the cybersecurity community argued that it's because the quality of software is getting worse.

Others argue that it's because cybercriminals are focusing less on sharing proof-of-concepts (PoC) on forums and more on reserving knowledge about vulnerabilities in-house.

Regardless, CISA provides a variety of mitigation resources for end users and organizations to combat these threats in its study, highlighting identity and access management, protective controls and architecture, and supply chain security.

Zero-Days Win the Prize for Most Exploited Vulns

PRESS RELEASE

NEW YORK, Oct. 30, 2024 /PRNewswire/ -- Industrial manufacturers ranked network security as their top cybersecurity investment to guard against adverse cyber events, according to a recent State of Technology in Manufacturing survey by global technology intelligence firm ABI Research. With increasingly connected and digitized industrial assets providing ever more information about processes and workforce, manufacturers are focusing their security on network security technologies such as authentication and access control. Coupled with a growing body of industrial-focused security regulation and an expanding cybercrime element (for whom data in discrete manufacturing processes are extremely high value), this puts pressure on manufacturers to safeguard their operations better.

Network breaches can have significant repercussions on industrial manufacturers. Unplanned downtime impacts production, which could lead to revenue loss or potential regulatory liability for data breaches. In Europe alone, three regulatory instruments impose financial penalties for non-compliance: the General Data Protection Regulations, the NIS2 Directive, and the Cyber Resilience Act.

"Industrial manufacturers are one of the top targeted sectors by threat actors. Not only is counterfeiting in contract manufacturing rife, but ransomware is a prevalent threat," says Michela Menting, Senior Research Director. "Supply chain vulnerabilities and social engineering constitute important vectors for threat actors, and manufacturers are understandably concerned about security as they increasingly connect their industrial assets to operational networks."

Demand for cybersecurity solutions focused on operational technologies is growing quickly as a result, with ABI Research forecasting a US$2 billion market globally in 2024. Much of it is driven by demand for network security and segmentation technologies. This correlates with the survey findings, with manufacturers citing network security solutions such as access control, authentication, and threat detection as their top security investments.

These findings are from ABI Research's Industrial and Manufacturing Survey 1H 2024: Cybersecurity Impacts and Investments report. This report is part of the company's OT Cybersecurity research service, which includes research, data, and ABI Insights.

About ABI Research

ABI Research is a global technology intelligence firm delivering actionable research and strategic guidance to technology leaders, innovators, and decision makers around the world. Our research focuses on the transformative technologies that are dramatically reshaping industries, economies, and workforces today.

ABI Research是一家国际科技情报公司，为全球科技领袖、创新人士和决策者提供实用的市场研究和战略性指导。我们密切关注一切为各行各业、全球经济和劳动市场带来颠覆性变革的创新与技术。

For more information about ABI Research's services, contact us at +1.516.624.2500 in the Americas, +44.203.326.0140 in Europe, +65.6592.0290 in Asia-Pacific, or visit www.abiresearch.com.

You May Also Like

Tag

#auth