The security vulnerability tracked as CVE-2024-50603, which rates 10 out of 10 on the CVSS scale, enables unauthenticated remote code execution on affected systems, which cyberattackers are using to plant malware.

Source: Everett Collection Historical via Alamy Stock Photo

Multiple threat actors are actively targeting a recently disclosed maximum-severity security bug in the Aviatrix Controller centralized management platform for cloud networking.

In a worst-case scenario, the vulnerability, identified as CVE-2024-50603 (CVSS 10) could allow an unauthenticated remote adversary to run arbitrary commands on an affected system and take full control of it. Attackers are currently exploiting the flaw to deploy XMRig cryptomining malware and the Sliver backdoor on vulnerable targets.

**CVE-2024-50603: A High-Impact Vulnerability**

The vulnerability presents an especially severe risk in Amazon Web Services (AWS) cloud environments, where Aviatrix Controller allows privilege escalation by default, researchers at Wiz Security warned in a blog on Jan. 10.

"Based on our data, around 3% of cloud enterprise environments have Aviatrix Controller deployed," the researchers noted. "In 65% of such environments, the virtual machine hosting Aviatrix Controller has a lateral movement path to administrative cloud control plane permissions."

Hundreds of large companies use Aviatrix's technology to manage cloud networking across AWS, Azure, Google Cloud Platform (GCP), and other multi-cloud environments. Common use cases include automating the deployment and management of cloud network infrastructure, and managing security, encryption, and connectivity policies. The company lists organizations such as Heineken, Raytheon, Yara, and IHG Hotels and Resorts among its customers.

Related:In Appreciation: Amit Yoran, Tenable CEO, Passes Away

CVE-2024-50603 stems from Aviatrix Controller not properly checking or validating the data that users send through its application programming interface (API). It is the latest bug to highlight the security risks tied to the growing use of APIs among organizations of all sizes. Other common API-related risks include those stemming from configuration errors, lack of visibility, and inadequate security testing.

The flaw is present in all supported versions of Aviatrix Controller before 7.2.4996 or 7.1.4191. Aviatrix has issued a patch for the bug and recommends that organizations apply it or upgrade to either versions 7.1.4191 or 7.2.4996 of the Controller.

"In certain circumstances the patch is not fully persistent across controller upgrades and must be re-applied, even if the controller status is displayed as 'patched,'" the company noted. One such circumstance is applying the patch on non-supported versions of the controller, Aviatrix said.

**Hackers Mount Opportunistic Cloud Attacks**

Security researcher Jakub Korepta of SecuRing, who discovered and reported the bug to Aviatrix, publicly disclosed details of the flaw on Jan. 7. Just one day later, a proof-of-concept exploit for the bug became available on GitHub, triggering near-immediate exploit activity.

Related:Managing Cloud Risks Gave Security Teams a Big Headache in 2024

"Since the proof-of-concept release, Wiz observed that most of the vulnerable instances were specifically targeted by attackers looking for unpatched Aviatrix deployments," says Alon Schindel, vice president of AI & Threat Research at Wiz. "The overall volume of exploitation attempts has been steady. However, we see customers patching their systems and preventing attackers from targeting them."

Schindel characterizes the exploit activity so far as largely opportunistic in nature, and emanating from scanners and automated tool sets combing the Internet for unpatched Aviatrix instances.

"Although some of the payloads and infrastructure used suggest higher sophistication in a few cases, most of the attempts appear to be broad sweeps rather than highly customized or targeted attacks on specific organizations," he says.

Available telemetry suggests that multiple threat actors, including organized criminal gangs, are leveraging the flaw in various ways. So far at least, there is no evidence pointing to any single group as dominating the exploitation activity, Schindel says. "Depending on the environment's setup, an attacker might exfiltrate sensitive data, access other parts of the cloud or on-prem infrastructure, or disrupt normal operations," he notes.

Related:DDoS Attacks Surge as Africa Expands Its Digital Footprint

**A Reminder of API-Based Cyber-Risks**

Ray Kelly, a fellow at Black Duck, says the Aviatrix Controller vulnerability is another reminder of both the growing risks associated with API endpoints and the challenges involved in addressing them. The vulnerability shows how a server can be compromised via a simple Web call to an API, and highlights the need for thorough testing of APIs. But such testing can be daunting, given the size, complexity, and interdependence of APIs and the fact that many APIs are developed and managed by external software and service providers.

"One effective approach to mitigating these risks is by establishing clear 'rules of governance' for third-party software," Kelly says. "This includes implementing thorough vetting processes for third-party providers, enforcing consistent security measures, and maintaining continuous monitoring of software performance and vulnerabilities."

Wiz's Schindel says the best recourse for organizations affected by the new Aviatrix bug is to apply the company's patch for it as soon as possible. Organizations that are unable to patch immediately should restrict network access to the Aviatrix Controller via an IP allowlist so only trusted sources can reach it, Schindel advises. They should also monitor logs and system behavior closely for suspicious activity or known exploit indicators, set up alerts for abnormal behavior associated with Aviatrix, and reduce unnecessary lateral movement paths between their cloud identities.

Jessica MacGregor, spokeswoman for Aviatrix says the company issued an emergency patch for the vulnerability back in November 2024 given its potential severity. The security patch applied to all supported releases and also for versions of Aviatrix Controller for which support had ended two years ago. The company also reached out privately to customers via multiple targeted campaigns to make sure affected organizations applied the patch, MacGregor says.

While a significant portion of affected customers have applied the patch and recommended hardening measures, some organizations have not. And it is these customers that are experiencing the current attacks, she notes. "While we strongly recommend that customers remain current in their software, customers on Controller version 6.7+ who have applied the Security Patch can be protected even if they have not upgraded to the latest versions with the permanent fixes," she says.

 MacGregor says Aviatrix wants anyone unable to upgrade or patch their systems to reach out so the company can work with them to harden their configuration based on best practices. "We will also work closely with customers that believe they been exploited to restore their Aviatrix software to a clean state."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cloud Attackers Exploit Max-Critical Aviatrix RCE Flaw

### Overview
OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass when certain Check and ListObject calls are executed.

### Am I Affected?
You are affected by this authorization bypass vulnerability if you are using OpenFGA v1.3.8 to v1.8.2, specifically under the following conditions: 
1. Calling Check API or ListObjects with a model that uses [conditions](https://openfga.dev/docs/modeling/conditions), and 
2. OpenFGA is configured with caching enabled (`OPENFGA_CHECK_QUERY_CACHE_ENABLED`), and 
3. Check API call or ListObjects API calls contain [contextual tuples](https://openfga.dev/docs/concepts#what-are-contextual-tuples) that include conditions.

### Fix
Upgrade to v1.8.3. This upgrade is backwards compatible.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-56323

**OpenFGA Authorization Bypass**

Moderate severity GitHub Reviewed Published Jan 13, 2025 in openfga/openfga • Updated Jan 13, 2025

**Package**

gomod github.com/openfga/openfga (Go)

**Affected versions**

\>= 1.3.8, < 1.8.3

**Overview**

OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass when certain Check and ListObject calls are executed.

**Am I Affected?**

You are affected by this authorization bypass vulnerability if you are using OpenFGA v1.3.8 to v1.8.2, specifically under the following conditions:

1.  Calling Check API or ListObjects with a model that uses conditions, and
2.  OpenFGA is configured with caching enabled (OPENFGA_CHECK_QUERY_CACHE_ENABLED), and
3.  Check API call or ListObjects API calls contain contextual tuples that include conditions.

**Fix**

Upgrade to v1.8.3. This upgrade is backwards compatible.

**References**

*   GHSA-32q6-rr98-cjqv

Published to the GitHub Advisory Database

Jan 13, 2025

Last updated

Jan 13, 2025

GHSA-32q6-rr98-cjqv: OpenFGA Authorization Bypass

Threat actors are targeting people searching for pirated or cracked software with fake downloaders that include infostealing malware such as Lumma and Vidar.

Source: Bits and Splits via Shutterstock

Attackers are targeting people interested in pirated and cracked software downloads by abusing YouTube and Google search results.

Researchers from Trend Micro uncovered the activity on the video-sharing platform, on which threat actors are posing as "guides" offering legitimate software installation tutorials to lure viewers into reading the video descriptions or comments, where they then include links to fake software downloads that lead to malware, they revealed in a recent blog post.

On Google, attackers are seeding search results for pirated and cracked software with links to what appear to be legitimate downloaders, but which in reality also include infostealing malware, the researchers said.

Moreover, the actors "often use reputable file hosting services like Mediafire and Mega.nz to conceal the origin of their malware, and make detection and removal more difficult," Trend Micro researchers Ryan Maglaque, Jay Nebre, and Allixon Kristoffer Francisco wrote in the post.

**Evasive & Anti-Detection Built Into the Campaign**

The campaign appears to be similar to one that surfaced about a year ago spreading Lumma Stealer — a malware-as-a-service (MaaS) commonly used to steal sensitive information like passwords and cryptocurrency-wallet data — via weaponized YouTube channels. At the time, the campaign was thought to be ongoing.

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

Though the Trend Micro did not mention if the campaigns are related, if they are, the recent activity appears to up the ante in terms of the variety of malware being spread and advanced evasion tactics, as well as the addition of malicious Google search results.

The malicious downloads spread by attackers often are password-protected and encoded, which complicates analysis in security environments such as sandboxes and allows malware to evade early detection, the researchers noted.

After infection, the malware lurking in the downloaders collects sensitive data from Web browsers to steal credentials, demonstrating "the serious risks of exposing your personal information by unknowingly downloading fraudulent software," the researchers wrote.

In addition to Lumma, other infostealing malware observed being distributed via fake software downloads on links posted on YouTube include PrivateLoader, MarsStealer, Amadey, Penguish, and Vidar, according to the researchers.

Overall, the campaign exploits the trust that people have in platforms such as YouTube and file-sharing services, the researchers wrote; it especially can affect people looking for pirated software who think they are downloading legitimate installers for popular programs, they said.

Related:Russia Carves Out Commercial Surveillance Success Globally

**Shades of a GitHub Campaign**

The thinking behind the campaign also is similar to one recently found abusing GitHub, in which attackers exploited the trust that developers have in the platform to hide the Remcos RAT in GitHub repository comments.

Though the attack vector is different, comments play a big role in spreading malware, the researchers explained. In one attack they observed, a video post purports to be advertising a free "Adobe Lightroom Crack" and includes a comment with a link to the software downloader.

Upon accessing the link, a separate post on YouTube opens, revealing the download link for the fake installer, which leads to a download of the malicious file that includes infostealing malware from the Mediafire file hosting site.

Another attack discovered by Trend Micro planted a shortened link to a malicious fake installer file from OpenSea, the NFT marketplace, as the third result in a search for an Autodesk download.

"The entry contains a shortened link that redirects to the actual link," the researchers wrote. "One assumption is that they use shortened links to prevent scraping sites from accessing the download link."

The link prompts the user for the actual download link and the zip file's password, presumably because "password-protecting the files can help prevent sandbox analysis of the initial file upon arrival, which can be a quick win for an adversary," they noted.

Related:Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs

**Protect Your Organization From Malware**

As shown by the threat activity, attackers continue to use social engineering tactics to target victims and apply a variety of methods to avoid security defenses, including: using large installer files, password-protected zip files, connections to legitimate websites, and creating copies of files and renaming them to appear benign, the researchers noted.

To defend against these attacks, organizations should "stay updated on current threats and to remain vigilant regarding detection and alert systems," the researchers wrote. "Visibility is important because solely relying on detection can result in many malicious activities going unnoticed."

Employee training, as security experts often note, also goes a long way in ensuring employees don't fall for socially engineered attacks or try to download pirated software.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

The Hellcat ransomware group has stolen roughly 5,000 documents, potentially containing confidential information, from the telecom giant's internal database.

Source: Photo Art Lucas via Alamy Stock Photo

NEWS BRIEF

Telefonica, the multinational telecommunications company headquartered in Madrid, has confirmed that its internal systems were breached by hackers, leading to the theft of more than 236,000 lines of customer data and close to a half-million Jira tickets.

"We have become aware of unauthorized access to an internal ticketing system," Telefonica said in an emailed statement to media. "We are currently investigating the extent of the incident and have taken the necessary steps to block any unauthorized access."

Four threat actors posted an exfiltrated Jira database on the BreachForums Dark Web hacking community last week, claiming that it contains nearly 470,000 lines of internal ticketing data and more than 5,000 PDFs, Word documents, PowerPoints, and other documents.

Three of the four threat actors in question are believed to be a part of the Hellcat ransomware group.

Hudson Rock, a cybersecurity vendor that claims to have spoken with the threat actors, reported that the perpetrators used infostealer malware to compromise roughly 15 Telefonica employees and gain access to the system via their credentials. 

The vendor says that the breach has exposed 24,000 Telefonica employee emails and names as well as the Jira issues. The stolen documents also likely contain other confidential information.

"The data includes summaries of internal Jira issues, which can reveal sensitive operational details, project plans and vulnerabilities within Telefonica's infrastructure," Hudson Rock warned. "This poses a significant risk as it could be used to map out internal workflows and exploit weaknesses."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Telefonica Breach Exposes Jira Tickets, Customer Data

This week on the Lock and Code podcast, we speak with Mallory Knodel about whether AI assistants are compatible with encrypted messaging apps.

_This week on the Lock and Code podcast…_

The era of artificial intelligence everything is here, and with it, come everyday surprises into exactly where the next AI tools might pop up.

There are major corporations pushing customer support functions onto AI chatbots, Big Tech platforms offering AI image generation for social media posts, and even Google has defaulted to include AI-powered overviews into everyday searches.

The next gold rush, it seems, is in AI, and for a group of technical and legal researchers at New York University and Cornell University, that could be a major problem.

But to understand their concerns, there’s some explanation needed first, and it starts with Apple’s own plans for AI.

Last October, Apple unveiled a service it is calling Apple Intelligence (“AI,” get it?), which provides the latest iPhones, iPads, and Mac computers with AI-powered writing tools, image generators, proof-reading, and more.

One notable feature in Apple Intelligence is Apple’s “notification summaries.” With Apple Intelligence, users can receive summarized versions of a day’s worth of notifications from their apps. That could be useful for an onslaught of breaking news notifications, or for an old college group thread that won’t shut up.

The summaries themselves are hit-or-miss with users—one iPhone customer learned of his own breakup from an Apple Intelligence summary that said: “No longer in a relationship; wants belongings from the apartment.”

What’s more interesting about the summaries, though, is how they interact with Apple’s messaging and text app, Messages.

Messages is what is called an “end-to-end encrypted” messaging app. That means that only a message’s sender and its recipient can read the message itself. Even Apple, which moves the message along from one iPhone to another, cannot read the message.

But if Apple cannot read the messages sent on its own Messages app, then how is Apple Intelligence able to summarize them for users?

That’s one of the questions that Mallory Knodel and her team at New York University and Cornell University tried to answer with a new paper on the compatibility between AI tools and end-to-end encrypted messaging apps.

Make no mistake, this research isn’t into whether AI is “breaking” encryption by doing impressive computations at never-before-observed speeds. Instead, it’s about whether or not the promise of end-to-end encryption—of confidentiality—can be upheld when the messages sent through that promise can be analyzed by separate AI tools.

And while the question may sound abstract, it’s far from being so. Already, AI bots can enter digital Zoom meetings to take notes. What happens if Zoom permits those same AI chatbots to enter meetings that users have chosen to be end-to-end encrypted? Is the chatbot another party to that conversation, and if so, what is the impact?

Today, on the Lock and Code podcast with host David Ruiz, we speak with lead author and encryption expert Mallory Knodel on whether AI assistants can be compatible with end-to-end encrypted messaging apps, what motivations could sway current privacy champions into chasing AI development instead, and why these two technologies cannot co-exist in certain implementations.

> “An encrypted messaging app, at its essence is encryption, and you can’t trade that away—the privacy or the confidentiality guarantees—for something else like AI if it’s fundamentally incompatible with those features.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 The new rules for AI and encrypted messaging, with Mallory Knodel (Lock and Code S06E01) 

By focusing on vigilant security practices, responsible AI deployment, and alignment with global regulatory standards, the OSS community can make 2025 a transformative year for security.

Source: Wavebreakmedia Ltd FUS1407 via Alamy Stock Photo

COMMENTARY

As we move into 2025, open source software (OSS) remains central to digital innovation across industries. However, its widespread adoption brings heightened security challenges and evolving regulatory demands. In the coming year, we expect a rise in targeted OSS supply chain attacks, a greater reliance on AI in cybersecurity — with both positive and negative implications — and a stronger push for global regulatory standards promoting responsible OSS practices.

**Growing Threats in the Open Source Supply Chain**

Following incidents like the XZ Utils backdoor, OSS supply chain attacks are expected to increase in frequency and sophistication. These attacks will likely prompt a heightened sense of urgency within organizations as they realize that a single security scan is insufficient. Moving forward, implementing proactive, continuous monitoring and adopting advanced tools will be essential to identifying threats before they can cause damage.

Understanding the growing importance of OSS security, the Open Source Security Foundation (OpenSSF) has taken steps to address these security challenges. As threats evolve, organizations will increasingly rely on resources like OpenSSF's SIREN mailing list, which notifies the OSS community about emerging threats, and the Open Source Vulnerabilities project, which helps identify malicious packages and other vulnerabilities. Tools such as Scorecard and GUAC provide visibility into project dependencies, helping developers assess risk within their OSS components. As the supply chain threat landscape intensifies, adopting these tools as standard practice will be important for any organization that relies on OSS.

**AI as a Double-Edged Sword in Cybersecurity**

AI will continue transforming cybersecurity in 2025, acting as a powerful ally for defenders and a dangerous weapon for attackers. On the one hand, AI integrated into automated tools and continuous integration and continuous delivery(CI/CD) pipelines will help organizations identify coding flaws and vulnerabilities more efficiently. Security teams will also increasingly rely on AI to analyze vast data volumes and detect unusual patterns in real time.

However, attackers will use AI to enhance their tactics, such as refining social engineering techniques or automating the search for vulnerabilities within codebases. Additionally, they will exploit flaws in AI-generated code for malicious purposes. This double-edged sword with AI highlights the urgent need for robust safeguards and security-focused innovation to harness AI's benefits while mitigating its risks.

**A Global Regulatory Push for Open Source Compliance**

The regulatory landscape surrounding OSS security will shift in 2025 as the European Union's Cyber Resilience Act (CRA) takes effect. By requiring software bills of materials (SBOM) and setting compliance standards, the CRA is expected to establish a global precedent, influencing nations like Japan, India, and the US to adopt similar legislation.

This regulatory shift will likely push more organizations to reassess their OSS practices, prioritizing transparency and accountability. As compliance pressures mount, companies will increasingly contribute to the open source projects they depend on, recognizing that supporting the OSS community bolsters the security and resilience of their digital ecosystems. This collaboration will enhance security and foster sustainable growth in the OSS landscape.

**Opportunities and Strategies for Open Source Security**

While these trends present clear challenges, companies can proactively strengthen OSS security. Businesses need to understand their dependencies and implement proactive measures to secure OSS components. Simple measures — such as supporting the developers behind critical open source projects and investing in secure infrastructure — can make a significant impact.

Most OSS developers are highly skilled but may lack specialized training in cybersecurity practices. OpenSSF aims to bridge this gap by offering tools and training that help embed security into the development process. Companies that adopt OSS due diligence, such as reviewing a project's security practices before integrating it, are better positioned to avoid vulnerabilities and maintain a secure infrastructure.

**Looking Ahead: A Collaborative Approach to Open Source Security**

OSS has grown beyond a convenient tool for developers — it is now a critical component of the global economy, valued in the trillions of dollars. While it will remain a driving force for technological progress, security must be a priority. Companies, governments, and the OSS community must work together to ensure a sustainable, secure, open source ecosystem.

Focusing on vigilant security practices, responsible AI deployment, and alignment with global regulatory standards, the OSS community can make 2025 a transformative year for security. By prioritizing collaboration and investment in security initiatives, we can build a resilient open source future in which OSS continues to power innovation safely and sustainably.

**About the Author**

Chief Security Architect, Open Source Security Foundation

Christopher Robinson (aka CRob) is the chief security architect for the Open Source Software Foundation (OpenSSF). With more than 25 years of experience in engineering and leadership, he has worked with Fortune 500 companies in industries like finance, healthcare, and manufacturing, and spent six years as program architect for Red Hat’s product security team.

The Shifting Landscape of Open Source Security

SUMMARY Three Russian nationals have been indicted for their alleged roles in running cryptocurrency mixing services Blender.io and…

****SUMMARY****

*   **Indictment Filed:** Three Russian nationals have been indicted for operating cryptocurrency mixers Blender.io and Sinbad.io, used to launder cybercrime proceeds.

*   **Criminal Links:** The mixers allegedly facilitated laundering for the Lazarus Group, a North Korean hacking organization, including $20.5M stolen from Axie Infinity.

*   **Arrests Made:** Roman Vitalyevich Ostapenko and Alexander Evgenievich Oleynik were arrested in December 2024; a third suspect, Anton Vyachlavovich Tarasov, remains at large.

*   **Charges:** The defendants face conspiracy to commit money laundering and operating an unlicensed money-transmitting business, with potential 20-year prison sentences.

*   **Global Effort:** The case highlights international collaboration to combat cybercrime and hold cryptocurrency laundering facilitators accountable.

Three Russian nationals have been indicted for their alleged roles in running cryptocurrency mixing services Blender.io and Sinbad.io, used to launder money from cybercrimes. The indictment, filed on January 7 in the Northern District of Georgia, targets Roman Vitalyevich Ostapenko and Alexander Evgenievich Oleynik, who were arrested in December 2024. A third suspect, Anton Vyachlavovich Tarasov, remains at large.

For your information, in November 2023, the US Treasury sanctioned Sinbad.io and seized its domain for providing its services to the North Korean Lazarus group to launder money stolen from numerous data breaches. On the other hand, the Treasury’s Office of Foreign Assets Control (OFAC) also sanctioned Blender.io for assisting the Lazarus Group in laundering millions of dollars worth of cryptocurrency stolen from the crypto-based game Axie Infinity back in July 2022.

Blender.io and Sinbad.io domains (Credit: Hackread.com)

****What are Cryptocurrency Mixers?****

Imagine trying to wash dirty money. In the physical world, criminals might use shell companies or complex transactions to make it hard to trace where the money came from. Cryptocurrency mixers do something similar in the digital world. They take cryptocurrency from multiple users, mix it all, and then send it out to the intended recipients. This process makes it very difficult to follow the money trail and connect the source of the funds to the final destination.

****The Allegations****

According to the indictment, Roman Vitalyevich Ostapenko, Alexander Evgenievich Oleynik, and Anton Vyachlavovich Tarasov operated Blender.io from around 2018 to 2022. The service promised complete anonymity, claiming a “No Logs Policy” and deleting all user transaction data. When Blender.io was shut down, Sinbad.io quickly took its place, offering similar services.

****Arrests and Charges****

Ostapenko and Oleynik were arrested on December 1, 2024. Tarasov is still being sought by authorities. The men are charged with conspiracy to commit money laundering and operating an unlicensed money-transmitting business. If found guilty, they could face up to 20 years in prison.

“This case shows the power of working together across borders to fight cybercrime,” said an FBI spokesperson in a DoJ press release. Authorities are determined to hold those who facilitate online criminal activity accountable.

1.  Crypto tumbler BestMixer.io seized for money laundering
2.  US Sanctions Chinese Cybersecurity Firm for Firewall Exploit
3.  U.S. Sanctions Chinese Cybersecurity Firm Over Cyberattacks
4.  US Sanctions Intellexa Spyware Over Threat to National Security
5.  China Arrests 4 Who Weaponized ChatGPT for Ransomware Attacks

3 Russians Indicted for Operating Blender.io and Sinbad.io Crypto Mixers

Telefónica faces a data breach impacting its internal systems, linked to hackers using compromised credentials. Learn more about this alarming cyber threat.

****SUMMARY****

*   **Telefonica confirmed a data breach involving its internal Jira ticketing system, with stolen data leaked online.**

*   **Hackers used compromised employee credentials to access and scrape 2.3 GB of internal data.**

*   **The breach is linked to Hellcat Ransomware, also tied to a Schneider Electric cyberattack.**

*   **No extortion attempts were made; data was leaked without contacting Telefonica.**

*   **The attack highlights increasing cyber threats against global telecommunications firms.**

Telefonica, a Spanish multinational telecommunications company, confirmed a data breach of their internal ticketing system. The confirmation came after stolen data appeared on Breach Forums, a cybercrime and hacking forum.

Screenshot from Breach Forums (Credit: Hackread.com)

Telefonica, the largest telecommunications firm in Spain, operates in twelve countries with over 104,000 employees. The Telefonica cyberattack. The company has confirmed that its ticketing system was breached and that it is currently investigating the incident’s extent and has taken steps to prevent further unauthorized access. The leak on the hacking forum included a Telefonica Jira database. 

Four individuals using aliases DNA, Grep, Pryx, and Rey claimed responsibility for the breach. According to Pryx, one of the attackers, the “internal ticketing system” is an internal Jira development and ticketing server utilized by Telefonica for reporting and resolving internal issues. 

According to sources, compromised employee credentials were used to breach the system on the prior day. Telefonica responded by blocking their access and resetting passwords on impacted accounts. The attackers say they were able to scrape roughly 2.3 GB of documents, tickets, and various data using the compromised employee accounts. While some of this data was labeled as customers, the tickets were opened with @telefonica.com email addresses, indicating they might have been opened on behalf of customers.

Screenshot from the leaked data (Credit: Hackread.com)

Pryx claims they did not contact Telefonica or attempt extortion before leaking the data online. Three individuals behind the attack, Grep, Pryx, and Rey, are also part of a recently launched ransomware operation known as Hellcat Ransomware. Hellcat is responsible for a recent data breach at Schneider Electric, where 40GB of data was stolen from the company’s JIRA server.

This Telefonica cyberattack reportedly involves Fortinet, a crucial component of the company’s network infrastructure. While the extent of the data breach and the nature of the compromised data remain undisclosed, concerns have arisen regarding the potential impact. Despite the claim, Telefonica’s official website remains functional, raising questions about the authenticity of the alleged cyberattack.

This, however, is not the first time that Telefonica has suffered a data breach. In July 2018, millions of Telefonica customers had their data exposed after a security breach. Nevertheless, as the telecommunications industry faces cyber threats, companies must maintain their collaboration to establish proper cybersecurity measures against critical infrastructure. 

1.  **Telecom Giant BT Group Hit by Black Basta Ransomware**
2.  **8220 Gang Targets Telecom in Global Cryptojacking Attack**
3.  **Hackers Breach TPG Telecoms’ Email Host to Steal Client Data**
4.  **US Telecom Breaches Widen as 9 Firms Hit by Chinese Hackers**
5.  **New XorDdos-Linked Linux RAT Krasue Targeting Telecom Firms**

Hackers Breach Telefonica Network, Leak 2.3 GB of Data Online

Behind the scenes, companies and governments are feeding a trove of data about international travelers into opaque AI tools that aim to predict who’s safe—and who’s a threat.

Tag

#auth