Infoblox cybersecurity researchers investigating the mysterious activities of 'Muddling Meerkat' unexpectedly uncovered widespread use of domain spoofing in malicious spam campaigns.

****SUMMARY****

*   **Infoblox discovered widespread domain spoofing in spam campaigns while investigating ‘Muddling Meerkat.’**

*   **Collaboration with the cybersecurity community linked Muddling Meerkat’s DNS activities to spam distribution.**

*   **Researchers identified multiple spam campaigns through abuse reports and domain analysis.**

*   **Techniques included phishing with QR codes, impersonating brands, extortion, and mysterious financial spam.**

*   **The findings show domain spoofing remains highly effective, bypassing current security measures.**

In its latest report, cybersecurity firm Infoblox has revealed how scammers use domain spoofing in spam campaigns, a discovery made through a collaboration between the cybersecurity and networking community on research about **the Chinese Great Firewall**.

This research project was initially aimed at understanding the activities of a threat actor known as a Muddling Meerkat. Muddling Meerkat is known for conducting strange DNS operations involving fake Chinese Great Firewall responses. The researchers could not determine the ultimate purpose of Muddling Meerkat’s activities, but they did learn a lot about how domain spoofing is used in **malspam**.

The research team, initially perplexed by Muddling Meerkat’s activities, sought external perspectives by sharing their findings with the broader security community. One key observation pointed towards a potential connection between Muddling Meerkat’s operations and spam distribution. 

Several organizations reported receiving abuse notifications for domains they owned, often internal domains with limited external exposure. These notifications indicated large-scale spam campaigns originating from Chinese IP addresses, targeting major email providers. This observation resonated with the team’s own findings, as they had **previously observed** Muddling Meerkat generating fake mail server (MX) records emanating from Chinese IP space.

A significant breakthrough occurred when the researchers discovered that they owned several of the “target” domains identified in the Muddling Meerkat research. By analysing abuse reports related to their own domains, leveraging their authoritative DNS server logs, and examining their internal spam collection, the researchers gained unprecedented insights into the tactics employed by spammers.

The investigation yielded a treasure trove of information about modern **malspam techniques**. Several distinct campaigns were identified, each employing sophisticated domain spoofing tactics to deceive recipients. These include QR Code Phishing, targeting Chinese citizens with emails containing QR codes, which redirect victims to phishing websites. Japanese Phishing campaigns impersonate reputable brands like Amazon and major Japanese banks and lure users to fake login pages.

A phishing QR code and an Amazon phishing page (Via Infoblox)

Extortion campaigns demand ransom **payments in cryptocurrency** to prevent exposure. Mysterious Financial Campaigns, originating from China, send seemingly innocuous spreadsheet attachments purporting to be from a Chinese freight company. The purpose of these campaigns remains unclear, as they lack clear malicious content or motive, Infoblox researchers noted in their **technical blog** shared with Hackread.com.

Nevertheless, the research reveals a disturbing reality: domain spoofing remains a highly effective and prevalent tactic for spammers. Despite the existence of various security mechanisms designed to detect and prevent spoofing, these campaigns continue to evade detection and successfully reach their targets.

Infoblox’s research came just days after another domain abuse-related report was **published by WatchTowr**, which exposed more than 4,000 active hacker backdoors in expired domains and abandoned infrastructure worldwide. This shows the ongoing challenge of combating sophisticated spam techniques and the need for continuous implementation of cybersecurity measures.

1.  **Hackers Use Fake Domains in Trump Trading Card Scam**
2.  **99% of UAE’s .ae Domains Exposed to Phishing and Spoofing**
3.  **“Sitting Ducks” DNS Attack Lets Hackers Easy Domain Takeover**
4.  **Scammers Exploit Fake Domains in Dubai Police Phishing Scams**
5.  **DeFi Hack Alert: Squarespace Domains** **Vulnerable** **to DNS Hijacking**

Muddling Meerkat Linked to Domain Spoofing in Global Spam Scams

New year, same story. Despite Ivanti's commitment to secure-by-design principles, threat actors — possibly the same ones as before — are exploiting its edge devices for the nth time.

Source: Lobro via Alamy Stock Photo

A Chinese threat actor is once again exploiting Ivanti remote access devices at large.

If you had a nickel for every high-profile vulnerability affecting Ivanti appliances last year, you'd have a lot of nickels. There was the critical authentication bypass in its Virtual Traffic Manager (vTM), the SQL injection bug in its Endpoint Manager, a trio affecting its Cloud Services Appliance (CSA), critical issues with its Standalone Sentry and Neurons for IT Service Management (ITSM), plus dozens more.

It all started last January, when two serious vulnerabilities were discovered in Ivanti's Connect Secure (ICS) and Policy Secure gateways. By the time of disclosure, the vulnerabilities were already being exploited by a suspected Chinese-nexus threat actor, UNC5337, believed to be an entity of UNC5221.

Now, one year and one secure-by-design pledge later, threat actors have returned to haunt Ivanti all over again, via a new critical vulnerability in ICS which also affects Policy Secure and Neurons for Zero Trust Access (ZTA) gateways. Ivanti has further warned of a second, slightly less severe bug that hasn't been observed in exploits yet.

"Just because we're seeing these often doesn't necessarily mean that they're easy to pull off — it's a highly sophisticated group that is doing this," Arctic Wolf CISO Adam Marrè points out, in defense of the downtrodden IT vendor. "Engineering is not easy, and secure engineering is even more difficult. So even though you may be following the principles of secure-by-design, that doesn't mean that someone isn't going to be able to come along and either with new technologies, or new techniques, and enough time and resources, hack in."

Related:New AI Challenges Will Test CISOs & Their Teams in 2025

**2 More Security Bugs in Ivanti Devices**

As yet unexploited (as far as researchers can tell) is CVE-2025-0283, a buffer overflow opportunity in ICS versions prior to 22.7R2.5, Policy Secure before 22.7R1.2, and Neurons for ZTA gateways before 22.7R2.3. The "high" severity 7.0 out of 10-rated issue in the Common Vulnerability Scoring System (CVSS) could enable an attacker to escalate their privileges on a targeted device, but requires them to be authenticated first.

CVE-2025-0282 — rated a "critical" 9.0 in CVSS — does not come with that same caveat, allowing for code execution as root with no authentication required. Ivanti disclosed few details regarding the exact cause of the issue, but researchers from watchTowr were able to successfully reverse engineer an exploit after comparing ICS's patched and unpatched versions.

Related:Best Practices & Risks Considerations in LCNC and RPA Automation

According to Mandiant, a threat actor began exploiting CVE-2025-0282 in mid-December, deploying the same "Spawn" family of malware tied to UNC5337 exploits of previous Ivanti bugs. Those tools include:

*   The SpawnAnt installer, which drops its malware colleagues and persists through system upgrades
    
*   SpawnMole, which facilitates back-and-forth communications with attacker infrastructure
    
*   SpawnSnail, a passive secure shell (SSH) backdoor
    
*   SpawnSloth, which tampers with logs to conceal evidence of malicious activity
    

"The threat actor's malware families demonstrate significant knowledge of the Ivanti Connect Secure appliance," says Mandiant senior consultant Matt Lin. In fact, besides UNC5337 and its spawn, researchers also observed two more unrelated but equally bespoke malware deployed to infected devices. One — DryHook, a Python script — is designed to steal user credentials off targeted devices.

The other, PhaseJam, is a bash shell script that enables remote and arbitrary command execution. Most creative, though, is its ability to maintain persistence through sleight of hand. If an administrator attempts to upgrade their device — a process that would unseat PhaseJam — the malware will instead show them a fake progress bar that simulates each of the 13 steps one might expect in a legitimate update. Meanwhile, in the background, it prevents the legitimate update from running, thereby ensuring that it lives another day.

Related:Cybercriminals Don't Care About National Cyber Policy

DryHook and PhaseJam might have been the work of UNC5337, Mandiant noted, or another threat actor altogether.

**Time to Update**

Data from The ShadowServer Foundation suggests that north of 2,000 ICS instances could be vulnerable at the time of writing, with the greatest concentration in the US, France, and Spain.

Source: The Shadowserver Foundation

Ivanti and the Cybersecurity and Infrastructure Security Agency (CISA) have published instructions for mitigating CVE-2025-0282, emphasizing that network defenders should run Ivanti's built-in Integrity Checker Tool (ICT) to seek out infections, and implement patches immediately.

"We have released a patch addressing vulnerabilities related to Ivanti Connect Secure," an Ivanti spokesperson tells Dark Reading. "There has been limited exploitation of one of the vulnerabilities and we are actively working with affected customers. Ivanti’s ICT has been effective in identifying compromise related to this vulnerability. Threat actor exploitation was identified by the ICT on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix. We strongly advise customers to closely monitor their internal and external ICT as part of a robust and layered approach to cybersecurity to ensure the integrity and security of the entire network infrastructure."

It may be worth noting that unlike ICS, Policy Secure and ZTA gateways won't be receiving their patches until Jan. 21. In its security advisory, Ivanti stated that ZTA gateways "cannot be exploited when in production," and that Policy Secure is designed to not be Internet-facing, reducing the risk of exploitation via CVE-2025-0282 or similar vulnerabilities.

"It's important that administrators here are doing the right things," Marrè says, noting, "That may result in some downtime, which can be disruptive for organizations, which can lead to them putting it off, or not fixing it as thoroughly and as well as they should."

Lin adds, "We’ve observed organizations that have historically acted promptly in response to these threats did not experience the same negative impacts when compared to organizations that failed to do the same." He also acknowledges, "All the swirl that takes place in the background once one of these patches is announced.

"Security teams across orgs have to scramble to not just patch, but also understand whether they’re vulnerable, and if so, do they only need to patch, or have they already been breached? And if they have been breached, that starts another incident response, which creates massive workflows across companies around the world. It’s important to not lose sight of the toil and exhaustion that defenders go through when assessing these scenarios and not be hyper critical of their initial reaction times."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Threat Actors Exploit a Critical Ivanti RCE Bug, Again

Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) field in the Add new campaign function

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-j4v9-cm37-h7c2: Microweber Cross-site Scripting vulnerability

Microweber Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the create new backup function in the endpoint /admin/module/view?type=admin__backup

GHSA-w5g5-4jj3-8f6v: Microweber Cross-site Scripting vulnerability

Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint /admin/module/view?type=users

GHSA-97h9-p9f8-4p3r: Microweber Cross-site Scripting vulnerability

Ivanti has issued a critical security advisory addressing two vulnerabilities in its Connect Secure, Policy Secure, and ZTA Gateway products.

****SUMMARY****

*   **Critical Vulnerabilities Identified**: Ivanti has disclosed two critical vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in Connect Secure, Policy Secure, and ZTA Gateways, with CVE-2025-0282 already being actively exploited.

*   **Impact of Vulnerabilities**: CVE-2025-0282 allows unauthenticated remote attackers to execute arbitrary code, potentially gaining full control of affected systems. CVE-2025-0283 enables local authenticated attackers to escalate privileges, posing significant security risks.

*   **Patch Availability**: Ivanti has released a patch for Connect Secure (version 22.7R2.5) addressing both vulnerabilities. Patches for Policy Secure and ZTA Gateways are expected by January 21, 2025.

*   **Recommended Actions**: Ivanti advises organizations to immediately patch Connect Secure systems, isolate vulnerable Policy Secure and ZTA Gateways, and monitor systems closely using tools like the Integrity Checker Tool (ICT).

*   **Expert Warning**: Experts highlight the urgency of patching and maintaining heightened vigilance against potential cyberattacks, citing past incidents like the Akira breach as reminders of the risks involved.

Ivanti has raised concerns about two remotely exploitable vulnerabilities in its enterprise-facing products, with one bug already being exploited in the wild.

According to Ivanti’s security advisory, the company has addressed two critical vulnerabilities (CVE-2025-0282 and CVE-2025-0283) affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways.

CVE-2025-0282, the more critical of the two, is a stack-based buffer overflow vulnerability in Ivanti Connect Secure. This vulnerability allows unauthenticated remote attackers to execute arbitrary code on vulnerable systems. Essentially, attackers can remotely compromise the system without any prior knowledge or credentials, potentially gaining complete control over the affected appliance.

CVE-2025-0283, while still a high-severity vulnerability, is less critical. This vulnerability, also a stack-based buffer overflow, allows local authenticated attackers to escalate their privileges on the system. This means that an attacker who already has legitimate access to the system can exploit this vulnerability to gain higher-level privileges, potentially compromising sensitive data or disrupting critical operations.

Ivanti has released a patch for Connect Secure (version 22.7R2.5), addressing both vulnerabilities. However, patches for Policy Secure and ZTA Gateways are not yet available and are scheduled for release on January 21st, 2025.

Given the active exploitation of CVE-2025-0282, Ivanti strongly urges organizations to prioritize patching their Connect Secure appliances immediately. For Policy Secure and ZTA Gateways, proactive measures such as temporarily isolating affected systems are recommended until the patches become available.

To mitigate the risks associated with these vulnerabilities, Ivanti recommends applying the latest patches as soon as they become available. For Connect Secure, upgrading to version 22.7R2.5 is suggested. Moreover, closely monitoring systems using the Integrity Checker Tool (ICT) and other security monitoring tools is essential to detect any signs of compromise.

In addition, the company recommends Policy Secure and ZTA Gateways users consider isolating affected systems from the network until the patches are applied. Organizations utilizing Ivanti products should prioritize implementing these recommendations to mitigate the risks associated with these vulnerabilities.

Martin Jartelius, CISO at Outpost24 commented on the latest development urging impacted parties to immediately install patches. “Last time we had an Ivanti zero-day exploitation, the attackers shifted to their active/destructive phase as the patch became available, so anyone impacted should firstly patch at once, and secondly, review their readiness in incident response and keep extra eyes on their monitoring for the near future._“_

1.  **Hackers Target Ivanti Users Despite Patches**
2.  **Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks**
3.  **Ivanti VPN Flaws Exploited to Spread KrustyLoader Malware**
4.  **Magnet Goblin Hackers Using Ivanti Flaws to Drop Linux Malware**
5.  **Dell Urges Immediate Update to Fix Power Manager Vulnerability**

Ivanti Urges Patch for Flaws in Connect Secure, Policy Secure and ZTA Gateways

Cybercriminals are luring victims into downloading the XMRig cryptomining malware via convincing emails, inviting them to schedule fake interviews using a malicious link.

Source: ImageBroker.com GmbH & Co. KG via Alamy Stock Photo

NEWS BRIEF

Cybercriminals have picked up a new tactic, impersonating CrowdStrike recruiters in order to distribute a cryptominer on their victims' devices.

This malicious campaign starts with an email, inviting the victim to schedule an interview with a recruiter for a position as a junior developer.

The illegitimate email contains a link, alleging that it will take the recipient to a site so they can schedule their interview, but in reality, takes the victim to a malicious website containing links to download a purported "CRM application."

"While interview and job-related phishing emails are not uncommon, this is a very targeted campaign that goes beyond the vast majority of malicious campaigns we see with this theme," said Chance Caldwell, senior director of the Phishing Defense Center at Cofense, in an emailed statement. "The campaign uses URLs that were created to look like they might actually belong to CrowdStrike, and the downloaded malware provides a pop-up that directs users to the real CrowdStrike support portal. Most of the use cases we see are lucky to have proper branding, much less the extended work done here to really portray themselves as CrowdStrike."

**Malicious Recruiter Lures Target Both Windows & Mac**

The site offers options for both Windows and macOS, and regardless of which option the victim chooses, once selected, it will download a Windows executable written in Rust. The executable will then download the cryptominer XMRig.

The executable runs several environmental checks to analyze the device and evade detection, such as scanning the running processes, verifying the CPU, and more.

If the checks are passed, the executable will display a false error message pop-up for the user, while downloading additional payloads needed to run the XMRig miner.

CrowdStrike, which identified the campaign just days ago, is warning job seekers to be vigilant, as this is not the only scam involving fake employment offers that's circulating out there.

It recommended avoiding any interviews carried out through instant message or email, and refusing to download any software for an interview, and it stressed the importance of verifying the authenticity of any CrowdStrike hiring communications by contacting \[email protected\].

"It is very unlikely that a recruiter will direct someone to download an executable as part of the interview process," Caldwell noted. "Any suspicious requests, such as this one, should be sufficiently verified before downloading anything, and contact information should be verified through the legitimate company website."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

Growing sales of the System for Operative Investigative Activities (SORM), a Russian wiretapping platform, in Central Asia and Latin American suggests increasing risks for Western businesses.

Source: Golden Dayz via Shutterstock

A half-dozen governments in Central Asia and Latin American have purchased the System for Operative Investigative Activities (SORM) wiretapping technology from Russian providers, expanding their — and potentially Russian intelligence's — ability to intercept communications.

The technology includes monitoring equipment placed inside a telecommunications provider's facility, which delivers information to the client government's intelligence agency, including mobile numbers, phones identifiers, geolocation, names, email addresses, and IP addresses. That's according to threat intelligence firm Recorded Future, which found in an analysis that the former Soviet territories of Belarus, Kazakhstan, Kyrgyzstan, and Uzbekistan, and the Latin American nations of Cuba and Nicaragua, have very likely acquired the technology to wiretap citizens.

Western companies and citizens should take measures to protect their communications and to understand the risks of surveillance when traveling to countries that have lax civil protections against wiretapping, says a threat analyst with Recorded Future's Insikt threat intelligence group, who asked to remain anonymous due to the sensitivity of the topic.

"Obviously, in countries that don't employ SORM — even Western countries — surveillance frameworks are not immune to abuse, but it's important to look holistically at this when there's evidence of these systems being built with Russian-company inputs in a country with a history of state surveillance operations," the analyst says. "Particularly, human rights defenders, activists, journalists, members of civil society, but also foreign travelers, \[could all be targets\]."

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

The expansion of Russia's SORM kit highlights the gains of digital surveillance technology worldwide. The companies behind the spyware tools used by authoritarian governments — such as NSO Group's Pegasus and Intellexa Consortium's Predator — have made inroads globally, as the companies refine their ability to evade roadblocks on sales to sanctioned nations, according to an in-depth report published by the Atlantic Council in September. Overall, 41% of the 195 countries worldwide have licensed commercial spyware, including 14 of the 27 countries in the European Union, according to the Atlantic Council.

Wiretapping technology and spyware are often used for legitimate reasons, whether that be law enforcement investigations of suspected criminals or intelligence gathering against nation-state rivals. However, in countries with few protections for civil liberties, or poor regulation of digital surveillance technologies, abuses inevitably follow for governments that deploy it without adequate oversight, according to the Atlantic Council analysts.

Related:Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs

"Spyware makes it easier for states to penetrate even the most robust commercial technologies, cell phones, computers, and communications services; makes it far easier to act against citizens beyond state borders; and even provides governments with the ability to target senior officials, both domestically and abroad, where they might otherwise have no means to do so," the Atlantic Council analysts stated in the report. "Where that information is used to facilitate repression and abuse, its harms are untenable."

**The Spyware Nexus: An R Joins the Three I's**

The Atlantic Council identified 435 "entities" — companies and people associated with commercial spyware — and found that two-thirds lead back to three nations: Israel, Italy, and India. Now, Russia has become a major provider of surveillance technology as well.

Existing law in Russia requires that telecommunications providers install and maintain monitoring devices that meet SORM regulations, but the firms are not authorized to access the capabilities of the devices nor audit communications collection, according to Recorded Future's report. Countries in Russia's sphere of influence have passed similar laws mandating SORM-compliant technology, which is typically installed and serviced by Russian providers, likely giving Russia the ability to access intercepted communications.

Related:Unconventional Cyberattacks Aim to Take Over PayPal Accounts

Record Future used a variety of indicators for the adoption of SORM, including marketing materials and the websites of the providers of SORM technologies. The largest providers of SORM technology are companies called Citadel, Norsi-Trans, and Protei, who — along with five other identified technology firms — are likely exporting SORM products and services to at least 15 telecommunications companies, the firm found.

The risks of illicit digital surveillance are growing, argues Vitor Ventura, manager for EMEA and Asia at Cisco's Talos threat intelligence group.

"In certain countries, it might just be legal to do certain kind of interceptions for reasons that are not allowed in other countries, or because you have a law that says that if national security is at risk, you can do whatever you want," he says, adding that there has been a global boom in surveillance technology over the past few years.

"I don't think that the law is changing that much — I just think that there is a bigger appetite, and there's a lot more being offered," he says. "The prices eventually came down, and everyone that has the money for \[surveillance technology\] will actually go for it."

**Know Your Telecom Tech, Wiretapping Laws**

Companies that have employees based in nations with weaker civil liberty protections should note that adopting privacy and encryption tools can help mitigate the risk, but providers of virtual private network (VPN) services often are subject to the same laws as telecommunications providers, according to the Recorded Future report, and might also be turning over intelligence to government agencies.

In many ways, the cyber-risks mirror those argued by the US government in regards to Russian cybersecurity firm Kaspersky, whose antivirus products were banned in mid-2024, the Recorded Future analyst says.

"These \[telecom\] companies might be able to go into systems and have access to such a vast range of data — there's definitely a high intelligence value there," the analyst says. "The same risks that apply to Kaspersky are equally as applicable to Russian SORM providers."

Companies should keep apprised of the spread of the technology in the future. For example, one Russian provider, Protei, markets SORM in trade shows in Africa, the Middle East, and Latin America, raising the likelihood that countries in those regions will adopt the wiretapping platform at some time in the future.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Russia Carves Out Commercial Surveillance Success Globally

BayMark Health Services, Inc. notified an unknown number of patients that attackers stole their personal and health information.

BayMark Health Services, Inc. (BayMark) notified an unknown number of patients that attackers stole their personal and health information.

BayMark profiles itself as North America’s largest provider of medication-assisted treatment (MAT) for substance use disorders helping tens of thousands of individuals with recovery.

In a breach notification, the company disclosed that on October 11, 2024 it learned about an incident that disrupted the operations of some of its IT systems. This incident consisted of an unauthorized party accessing some of the files on BayMark’s systems between September 24 and October 14 of last year.

An investigation showed that the exposed files contained information that varied per patient but could have included the patient’s name and one or more of the following:

*   Social Security number (SSN)
*   Driver’s license number
*   Date of birth
*   The services received and the dates of service
*   Insurance information
*   Treating provider
*   Treatment and/or diagnostic information

While BayMark did not provide any information about the number of victims or the nature of the accident, it has been separately reported that the RansomHub ransomware group has BayMark listed on their leak site.

The RansomHub ransomware group claims to have exfiltrated an enormous 1.5 terabytes of sensitive data from BayMark Health Services.

BayMark’s listing on RansomHub leak site

The date on the dark web site matches the date published in the breach notification. Further, the fact that the data are listed as “published” means that BayMark did not pay the ransom, which is confirmed by the cybercriminals you click through on the company’s tile.  

Here, the ransomware group lays blame on the company itself. This isn’t rare for a ransomware group, as the tactics and vernacular are often based around shame, guilt, and a pre-teen-like arrogance. As claimed in the dark web site:

> One of the few companies from Texas that does not value its data. For a nominal fee, they could have not worried about anything, improved their network and protected themselves. But they chose the path of destroying their reputation, publishing sensitive data and publicizing it in the media.
> 
> {names}
> 
> These people decided to do other things than their company. BayMark Health Services is dedicated to providing treatment tailored to meet each person regardless of where they are in their recovery journey. BayMark provides a full continuum of care, integrating evidence-based practices, clinical counseling, recovery support, and medical services.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

 BayMark Health Services sends breach notifications after ransomware attack 

Data WIRED collected during the 2024 Democratic National Convention strongly suggests the use of a cell-site simulator, a controversial spy device that intercepts sensitive data from every phone in its range.

A device capable of intercepting phone signals was likely deployed during the 2024 Democratic National Convention (DNC) in Chicago, WIRED has learned, raising critical questions about who authorized its use and for what purpose.

The device, known as a cell-site simulator, was identified by the Electronic Frontier Foundation (EFF), a digital rights advocacy organization, after analyzing wireless signal data collected by WIRED during the August event.

Cell-site simulators mimic cell towers to intercept communications, indiscriminately collecting sensitive data such as call metadata, location information, and app traffic from all phones within their range. Their use has drawn widespread criticism from privacy advocates and activists, who argue that such technology can be exploited to covertly monitor protesters and suppress dissent.

The DNC convened amid widespread protests over Israel’s assault on Gaza. While credentialed influencers attended exclusive yacht parties and VIP events, thousands of demonstrators faced a heavy law enforcement presence, including officers from the US Capitol Police, the Secret Service, Homeland Security Investigations, local sheriff’s offices, and Chicago police.

Concerns over potential surveillance prompted WIRED to conduct a first-of-its-kind wireless survey to investigate whether cell-site simulators were being deployed. Reporters, equipped with two rooted Android phones and Wi-Fi hot spots running detection software, used Rayhunter—a tool developed by the EFF to detect data anomalies associated with these devices. WIRED’s reporters monitored signals at protests and event locations across Chicago, collecting extensive data during the political convention.

Initial tests conducted during the DNC revealed no conclusive evidence of cell-site simulator activity. However, months later, EFF technologists reanalyzed the raw data using improved detection methods. According to Cooper Quintin, a senior technologist at the EFF, the Rayhunter tool stores all interactions between devices and cell towers, allowing for deeper analysis as detection techniques evolve.

A breakthrough came when EFF technologists applied a new heuristic to examine situations where cell towers requested IMSI (international mobile subscriber identity) numbers from devices. According to the EFF’s analysis, on August 18—the day before the convention officially began—a device carried by WIRED reporters en route a hotel housing Democratic delegates from states in the US Midwest abruptly switched to a new tower. That tower asked for the device’s IMSI and then immediately disconnected—a sequence consistent with the operation of a cell-site simulator.

“This is extremely suspicious behavior that normal towers do not exhibit,” Quintin says. He notes that the EFF typically observed similar patterns only during simulated and controlled attacks. “This is not 100 percent incontrovertible truth, but it’s strong evidence suggesting a cell-site simulator was deployed. We don’t know who was responsible—it could have been the US government, foreign actors, or another entity.”

Under Illinois law, law enforcement agencies must obtain a warrant to deploy cell-site simulators. Similarly, federal agents—including those from the Department of Homeland Security—are required to secure warrants unless an immediate national security threat exists. However, a 2023 DHS Inspector General report found that both the Secret Service and Homeland Security Investigations did not always comply with these requirements.

The Chicago Police Department tells WIRED it did not deploy a cell-site simulator during the DNC, while the Secret Service tells WIRED in a statement that, “as a matter of practice,” it does not discuss the “means and methods” of its operations for “National Special Security Events.”

Other components of DHS as well as the DNC have not responded to requests for comment.

Quintin notes that the EFF detected similar anomalous behavior in a previous test conducted in Washington, DC’s Embassy Row, an area known for its high concentration of embassies and diplomatic offices. It wouldn’t be the first time that cell-site simulators were found in the nation's capitol. In 2019, the FBI accused Israel’s government of deploying a cell-site simulator near the White House—a claim Israel denied.

While the possible deployment of a cell-site simulator at the DNC has raised more questions than answers, for privacy and civil liberties advocates the implications are troubling nonetheless.

Nate Wessler, deputy director of the ACLU’s Speech, Privacy, and Technology Project, says, “It would be a big deal if the digital artifacts you found were in fact due to the presence of a cell-site simulator deployed to identify people at a protest.” However, Wessler adds, “it is also entirely possible that law enforcement was using a cell-site simulator in the area for a lawful purpose.”

For Wessler, the lack of clarity around their use is itself a cause for concern. “The ambiguity is really chilling,” he says. “The uncertainty around their use undermines people’s ability to express themselves.”

Tag

#auth