### Summary
The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection.

### Details
The Comment feature implements a character filter on the client-side, this can be bypassed by directly sending a request to the endpoint.

Example Request:

```
PATCH /activity/comment/3 HTTP/2
Host: directus.local

{
  "comment": "<h1>TEST <p style=\"color:red\">HTML INJECTION</p> <a href=\"//evil.com\">Test Link</a></h1>"
}
```

Example Response:

```json
{
  "data": {
    "id": 3,
    "action": "comment",
    "user": "288fdccc-399a-40a1-ac63-811bf62e6a18",
    "timestamp": "2023-09-06T02:23:40.740Z",
    "ip": "10.42.0.1",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36",
    "collection": "directus_files",
    "item": "7247dda1-c386-4e7a-8121-7e9c1a42c15a",
    "comment": "<h1>TEST <p style=\"color:red\">HTML INJECTION</p> <a href=\"//evil.com\">Test Link</a></h1>",
    "origin": "https://directus.local",
    "revisions": []
  }
}
```

Example Result:

![Screenshot 2023-09-06 094536](https://user-images.githubusercontent.com/61263002/265876100-12e068fe-3d53-41b4-bfcb-458c2bc2a638.png)

## Impact

With the introduction of session cookies this issue has become exploitable as a malicious script is now able to do authenticated actions on the current users behalf.


**Summary**

The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection.

**Details**

The Comment feature implements a character filter on the client-side, this can be bypassed by directly sending a request to the endpoint.

Example Request:

    PATCH /activity/comment/3 HTTP/2
    Host: directus.local
    
    {
      "comment": "<h1>TEST <p style=\"color:red\">HTML INJECTION</p> <a href=\"//evil.com\">Test Link</a></h1>"
    }
    

Example Response:

{
  "data": {
    "id": 3,
    "action": "comment",
    "user": "288fdccc-399a-40a1-ac63-811bf62e6a18",
    "timestamp": "2023-09-06T02:23:40.740Z",
    "ip": "10.42.0.1",
    "user\_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36",
    "collection": "directus\_files",
    "item": "7247dda1-c386-4e7a-8121-7e9c1a42c15a",
    "comment": "<h1>TEST <p style=\\"color:red\\"\>HTML INJECTION</p> <a href=\\"//evil.com\\"\>Test Link</a></h1>",
    "origin": "https://directus.local",
    "revisions": \[\]
  }
}

Example Result:

**Impact**

With the introduction of session cookies this issue has become exploitable as a malicious script is now able to do authenticated actions on the current users behalf.

**References**

*   GHSA-r6wx-627v-gh2f
*   https://nvd.nist.gov/vuln/detail/CVE-2024-54128
*   directus/directus@4487fb1
*   directus/directus@c89dbb2

GHSA-r6wx-627v-gh2f: Directus has an HTML Injection in Comment

Researchers testing generative AI systems can use prompt injection, re-register after being banned, and bypass rate limits without running afoul of copyright law.

Source: Vitalii Vodolazskyi via Shutterstock

In a net positive for researchers testing the security and safety of AI systems and models, the US Library of Congress ruled that certain types of offensive activities — such as prompt injection and bypassing rate limits — do not violate the Digital Millennium Copyright Act (DMCA), a law used in the past by software companies to push back against unwanted security research.

The Library of Congress, however, declined to create an exemption for security researchers under the fair use provisions of the law, arguing that an exemption would not be enough to provide security researchers safe haven.

Overall, the triennial update to the legal framework around digital copyright works in the security researchers' favor, as does having clearer guidelines on what is permitted, says Casey Ellis, founder and adviser to crowdsourced penetration testing service BugCrowd.

"Clarification around this type of thing — and just making sure that security researchers are operating in as favorable and as clear an environment as possible — that's an important thing to maintain, regardless of the technology," he says. "Otherwise, you end up in a position where the folks who own the \[large language models\], or the folks that deploy them, they're the ones that end up with all the power to basically control whether or not security research is happening in the first place, and that nets out to a bad security outcome for the user."

Security researchers have increasingly gained hard-won protections against prosecution and lawsuits for conducting legitimate research. In 2022, for example, the US Department of Justice stated that its prosecutors would not charge security researchers with violating the Computer Fraud and Abuse Act (CFAA) if they did not cause harm and pursued the research in good faith. Companies that sue researchers are regularly shamed, and groups such as the Security Legal Research Fund and the Hacking Policy Council provide additional resources and defenses to security researchers pressured by large companies.

In a post to its site, the Center for Cybersecurity Policy and Law called the clarifications by the US Copyright Office "a partial win" for security researchers — providing more clarity but not safe harbor. The Copyright Office is organized under the Library of Congress's purview.

"The gap in legal protection for AI research was confirmed by law enforcement and regulatory agencies such as the Copyright Office and the Department of Justice, yet good faith AI research continues to lack a clear legal safe harbor," the group stated. "Other AI trustworthiness research techniques may still risk liability under DMCA Section 1201, as well as other anti-hacking laws such as the Computer Fraud and Abuse Act."

**Brave New Legal World**

The fast adoption of generative AI systems and algorithms based on big data have become a major disruptor in the information-technology sector. Given that many large language models (LLMs) are based on mass ingestion of copyrighted information, the legal framework for AI systems started off on a weak footing.

For researchers, past experience provides chilling examples of what could go wrong, says BugCrowd's Ellis.

"Given the fact that it's such a new space — and some of the boundaries are a lot fuzzier than they are in traditional IT — a lack of clarity basically always converts to a chilling effect," he says. "For folks that are mindful of this, and a lot of security researchers are pretty mindful of making sure they don't break the law as they do their work, it has resulted in a bunch of questions coming out of the community."

The Center for Cybersecurity Policy and Law and the Hacking Policy Council proposed that red teaming and penetration testing for the purpose of testing AI security and safety be exempted from the DMCA, but the Librarian of Congress recommended denying the proposed exemption.

The Copyright Office "acknowledges the importance of AI trustworthiness research as a policy matter and notes that Congress and other agencies may be best positioned to act on this emerging issue," the Register entry stated, adding that "the adverse effects identified by proponents arise from third-party control of online platforms rather than the operation of section 1201, so that an exemption would not ameliorate their concerns."

**No Going Back**

With major companies investing massive sums in training the next AI models, security researchers could find themselves targeted by some pretty deep pockets. Luckily, the security community has established fairly well-defined practices for handling vulnerabilities, says BugCrowd's Ellis.

"The idea of security research being being a good thing — that's now kind of common enough ... so that the first instinct of folks deploying a new technology is not to have a massive blow up in the same way we have in the past," he says. "Cease and desist letters and \[other communications\] that have gone back and forth a lot more quietly, and the volume has been kind of fairly low."

In many ways, penetration testers and red teams are focused on the wrong problems. The biggest challenge right now is overcoming the hype and disinformation about AI capabilities and safety, says Gary McGraw, founder of the Berryville Institute of Machine Learning (BIML), and a software security specialist. Red teaming aims to find problems, not be a proactive approach to security, he says.

"As designed today, ML systems have flaws that can be exposed by hacking but not fixed by hacking," he says.

Companies should be focused on finding ways to produce LLMs that do not fail in presenting facts — that is, "hallucinate" — or are vulnerable to prompt injection, says McGraw.

"We are not going to red team or pen test our way to AI trustworthiness — the real way to secure ML is at the design level with a strong focus on training data, representation, and evaluation," he says. "Pen testing has high sex appeal but limited effectiveness."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Library of Congress Offers AI Legal Guidance to Researchers

Cloudflare Tunnels is just the latest legitimate cloud service that cybercriminals and state-sponsored threat actors are abusing to hide their tracks.

Source: Classic Image via Alamy Stock Photo

NEWS BRIEF

BlueAlpha, a Russian state-sponsored advanced persistent threat (APT) group, has recently evolved its malware delivery chain to abuse Cloudflare Tunnels — with the goal of ultimately infecting victims with its proprietary GammaDrop malware.

Cloudflare Tunnels is, as its name suggests, a secure tunneling software. It can be used to connect resources to Cloudflare's network without using a publicly routable IP address, with the goal of protecting Web servers and applications from distributed denial-of-service (DDoS) and other direct cyberattacks, by hiding their origins.

Unfortunately, this obfuscation mechanism, like other legitimate cloud tools, can also be used by the likes of BlueAlpha, which uses Cloudflare Tunnels to conceal its GammaDrop staging infrastructure from traditional network detection mechanisms, according to Recorded Future's Insikt Group.

"Cloudflare offers the tunneling service for free with the use of the TryCloudflare tool," according to an analysis published this week from Insikt. "The tool allows anyone to create a tunnel using a randomly generated subdomain of trycloudflare.com and have all requests to that subdomain proxied through the Cloudflare network to the Web server running on that host."

The APT then uses the concealed infrastructure to mount HTML smuggling attacks that bypass email security systems, along with employing DNS fast-fluxing, which makes it more difficult to disrupt BlueAlpha’s command-and-control (C2) communications, Insikt Group researchers noted — and in the end, deliver the GammaDrop malware, which enables data exfiltration, credential theft, and backdoor access to networks.

BlueAlpha, which shares DNA with other Russian threat groups like Trident Ursa, Gamaredon, Shuckworm, and Hive0051, first emerged in 2014, and has lately targeted Ukrainian organizations via spearphishing campaigns. The APT has used the custom VBScript malware GammaLoad since at least October 2023.

To protect against such attacks, Insikt Group recommended several mitigations, including:

*   Beef up email security to block HTML smuggling techniques
    
*   Flag attachments with suspicious HTML events
    
*   Use application control policies to block malicious use of mshta.exe and untrusted .lnk files
    
*   Set up network rules to flag requests to trycloudflare.com subdomains
    

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Russia's 'BlueAlpha' APT Hides in Cloudflare Tunnels

A single barrier prevented attackers from exploiting a critical vulnerability in an enterprise collaboration platform. Now there's a workaround.

Source: Kristoffer Tripplaar via Alamy Stock Photo

Two new vulnerabilities in Mitel's MiCollab unified communications and collaboration (UCC) platform could help expose gobs of enterprise data.

MiCollab is a cross-platform application on mobile devices and desktops that combines instant messaging, SMS, phone calls, video calls, file sharing, remote desktop sharing — really any form of collaboration that occurs within an organization, save talking out loud. Organizations rely on it heavily for day-to-day business operations and, invariably, to house large amounts of personal and communications data.

That's what made CVE-2024-35286 so inconvenient when it was discovered earlier this year. This SQL injection vulnerability, resulting from a lack of user input sanitization, earned a "critical" 9.8 score in the Common Vulnerability Scoring System (CVSS) for how it allowed attackers to access important business data, and execute database and management operations at will. It came with a catch, though: A specific configuration was required to reach the vulnerable endpoint, where the treasure lay.

In a new blog post, researchers from watchTowr noted that "No sensible admin would do this" — referring to the undisclosed configuration — so the risk to reliable organizations was low. However, the researchers went on to discover a path traversal vulnerability in MiCollab — not to mention a third, arbitrary file-read vulnerability — which rendered that one lone defense moot.

**The New MiCollab Exploit Chain**

At Black Hat six years ago, a researcher going by the moniker Orange Tsai presented research exposing issues with how Web applications handle path normalization. Using special characters in URLs, attackers could trick Web servers into giving them access to files and directories they shouldn't be able to access.

Researchers from watchTowr put this logic to the test while toying with CVE-2024-35286. Working with an Apache configuration for MiCollab published to the Web back in 2009, they discovered that they could use the input "..;/" to bypass all roadblocks on the way to the vulnerable endpoint — "/npm-admin" from the NuPoint Unified Messaging (UM) component of the platform — with no authentication required. This stacked vulnerability was acknowledged as CVE-2024-41713, and given a "high" CVSS score of 7.5.

CVE-2024-41713 gave new life to the older CVE-2024-35286, and then the researchers discovered yet another zero-day allowing for arbitrary file read, which hasn't been assigned a CVE label or CVSS score. The three work best in combination: CVE-2024-41713 lubricating initial access, the arbitrary file-read issue providing visibility into files across the system, and CVE-2024-35286 enabling any number of malicious operations thereon. For its part, watchTowr published a proof-of-concept (PoC) exploit to GitHub that combines the first two.

"Based on public sources, there are over 10,000 publicly exposed Mitel MiCollab devices," notes Mayuresh Dani, manager of security research at the Qualys Threat Research Unit. "Provided that NuPoint Unified Messaging (NPM) is enabled, a remote threat actor can use CVE-2024-41713 and the \[file-read\] zero-day to access arbitrary files on affected devices."

Which is exactly what the proof-of-concept code does, he adds. "It does so by accessing the npm-pwg directory and invoking the Reconcile Wizard, which is normally used to generate system reports. If the attacker gets ahold of sensitive files containing authentication information on the device, this could be used to gain access to the device and possibly snoop on conversations flowing through the vulnerable instance."

**Hacking Enterprise Communications**

An email arrives in an employee's inbox from their boss. "Hi, please wire a payment to our contractor at \[bank account number\] immediately." The number one thing employees are told, to screen scams like this, is to call their boss to confirm the legitimacy of the email. But what if their phone system itself is breached?

"The vulnerabilities in Mitel MiCollab highlight a growing trend of attackers targeting communication platforms to gain access to sensitive systems," says Callie Guenther, senior manager of cyber threat research at Critical Start. Besides intercepting or blocking an organization's central lines of communication, snooping on employees, or simply causing a general havoc, attackers can also use a platform like MiCollab to facilitate any number of other kinds of cyberattacks. "Similar issues have been exploited in the past, such as the 2022 Mitel MiVoice Connect vulnerability (CVE-2022-29499), which ransomware groups used to deploy Web shells and move laterally through networks," she notes.

Both named CVEs have been patched as of Oct. 9. Mitel acknowledged the arbitrary file-read bug, but hasn't yet patched it at the time of publication. Organizations with MiCollab up to date are covered most of the way, though, as this last issue requires authentication to exploit.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Bypass Bug Revives Critical N-Day in Mitel MiCollab

At least 17 affiliate groups have used the "DroidBot" Android banking Trojan against 77 financial services companies across Europe, with more to come, researchers warn.

Source: baosheng feng via Alamy Stock Photo

NEWS BRIEF

A fierce Android remote access Trojan (RAT), dubbed "DroidBot," is using spyware features like keylogging and monitoring, as well as inbound and outbound data transmission, to steal data from banks, cryptocurrency exchanges, and other national organizations. But the real concern cybersecurity analysts have about the DroidBot banking Trojan is its apparent expansion into a full-on malware-as-a-service operation.

Researchers behind the discovery warned the DroidBot RAT has been active since mid-2024 and is already in heavy rotation among at least 17 affiliate groups, and has been used in 77 cyberattacks on organizations in France, Italy, Portugal, and Spain, according to a report from Cleafy. Further, evidence indicates the DroidBot Android banking Trojan is being continuously updated and is possibly on the precipice of spilling over into Latin America.

Analysis showed the developers are native Turkish speakers but have started to expand into Spanish-speaking countries, which researchers said was a sign of the operation's intent to expand into Central and South America.

"Inconsistencies observed across multiple samples indicate that this malware is still under active development," the report said. "These inconsistencies include placeholder functions, such as root checks, different levels of obfuscation, and multi-stage unpacking. Such variations suggest ongoing efforts to enhance the malware's effectiveness and tailor it to specific environments."

**Android Banking Trojan-as-a-Service Emerges**

In order to drop DroidBot, adversaries hide the malware in malicious banking applications and other ubiquitous applications, the researchers said, which is hardly new.

The RAT's novelty, according to the researchers, is the use of surveillance tools including SMS message interception, keylogging, and periodically capturing screen shots of the victim device. The malware also leverages accessibility services to allow threat actors to remotely execute commands and operate the victim's device.

"Moreover, it leverages dual-channel communication, transmitting outbound data through MQTT and receiving inbound commands via HTTPS, providing enhanced operation flexibility and resilience," the report explained. "Recent examples of Android banking Trojans adopting this protocol include Copybara and BRATA/AmexTroll."

Technical specs aside, Cleafy researchers raised the alarm that the rise of what appears to be a new banking RAT-as-a-service business model is a significant shift in the threat landscape.

"\[W\]hile the technical difficulties are not so high, the real point of concern lies in this new model of distribution and affiliation, which would elevate the monitoring of the attack surface to a whole new level," the report said. "This could be a critical point, as changing the scale of such an important data set could significantly increase the cognitive load."

**About the Author**

Senior Editor, Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Trojan-as-a-Service Hits Euro Banks, Crypto Exchanges

AI-powered tools are making cybersecurity tasks easier to solve, as well as easier for the team to handle.

Security professionals say adding large language model (LLM) and generative artificial intelligence (GenAI) capabilities to security programs improves efficiency in threat detection and increases productivity of analysts, according to Dark Reading's latest research on enterprise security. Efficiency and effectiveness were recurring themes.

In Dark Reading's Artificial Intelligence and Machine Learning in Cybersecurity Survey, the top three benefits of using GenAI and LLMs in a cybersecurity program were more efficient threat detection (28%), improved analyst productivity and efficiency (27%), and better threat intelligence analysis (23%).

The promise of AI tools is enhancing the analysts' performance. Almost one-fifth (19%) of respondents said they appreciated how AI helped generate reports faster, while the same number (19%) liked how AI-infused technologies learn and adapt from new information. Fifteen percent felt the pressure lift from AI's ability to analyze security alerts to reduce false positives, while another 15% appreciated how the technology helped them discover and reduce misconfigurations.

Cybersecurity practitioners also saw value in active uses for AI, such as proactive threat hunting (16%), greater user behavior analysis (15%), improved incident response (15%), and a better security posture (11%).

There are also benefits to the business side. LLM tools can optimize resources (13%) to help make an organization's network more efficient and reduce costs (9%). Respondents also see ways GenAI can scale up their operations (12%), as well as improve cybersecurity response by supplementing the skills of the current team (12%). On the budgeting side, LLM use can reduce both the need for additional headcount (11%) and costs of operation (9%).

For more on the impact of AI and ML on cybersecurity, download the Dark Reading report "The State of Artificial Intelligence and Machine Learning in Cybersecurity."

**About the Author**

Karen joined Dark Reading in January 2022 as features editor. She's been in tech editing since before the img tag was introduced, working for outlets such as the IEEE Computer Society, CNET Download.com, and TechTV. She lives in Los Angeles with her husband, son, and two cats. Find her on Mastodon.

LLMs Raise Efficiency, Productivity of Cybersecurity Teams

One Identity wins "Hot Company: Privileged Access Management" at the 12th Cyber Defense Magazine InfoSec Innovator Awards, showcasing PAM excellence in cybersecurity.

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s Annual InfoSec Awards during CyberDefenseCon 2024.

One Identity proudly announces it has been named a winner in the Hot Company: Privileged Access Management (PAM) category in the 12th annual Cyber Defense Awards by Cyber Defense Magazine (CDM), the industry’s leading information security magazine.

> _“We are deeply honored to be recognized amongst the winners of the 12th annual Cyber Defense Awards at CyberDefenseCon 2024,” said Mark Logan, CEO of One Identity. “Being recognized for our advancements in Privileged Access Management (PAM) is a powerful affirmation of the commitment One Identity has to safeguarding critical data and systems while empowering our customers to take charge of enhancing their security. With the intense competition from the industry’s best, this award underscores our dedication to setting new standards in cybersecurity.”_

> _“One Identity embodies three major features we judges look for with the potential to become winners: understanding tomorrow’s threats today, providing a cost-effective solution and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach,” said Gary S. Miliefsky, Publisher of Cyber Defense Magazine.”_

This award highlights the role One Identity has in advancing privileged access management through solutions including Safeguard, Safeguard On Demand, and PAM Essentials. These solutions empower organizations to manage, authenticate, and analyze privileged access, streamlining the granting of credentials with role-based access controls and automated workflows. With these scalable and reliable PAM solutions, organizations of all sizes can address their complex and ever-evolving cybersecurity challenges.

The full list of the Top InfoSec Innovators for 2024: https://cyberdefenseawards.com/top-infosec-innovators-for-2024/

****About One Identity****

One Identity delivers unified identity security solutions that help customers strengthen their overall cybersecurity posture and protect the people, applications, and data essential to business. Their Unified Identity Security Platform brings together identity and access management solutions: Identity Governance and Administration (IGA), Access Management (AM), Privileged Access Management (PAM), and Active Directory Management (AD Mgmt) capabilities to enable organizations to shift from a fragmented to a holistic approach to identity security. One Identity is trusted and proven on a global scale – managing more than 500 million identities for more than 11,000 organizations worldwide.

****About Cyber Defense Awards****

This is Cyber Defense Magazine’s 12th year of honoring cybersecurity innovators on our Cyber Defense Awards platform. In this competition, judges for these and other prestigious awards include cybersecurity industry veterans, trailblazers, and market makers Gary Miliefsky of CDMG, Dr. Lindsey Polley de Lopez of VentureScope, Katie Gray of In-Q-Tel, Robert R. Ackerman Jr. of Allegis Cyber, Dino Boukouris of AltitudeCyber and with much appreciation to emeritus judges Robert Herjavec of Cyderes, Dr. Peter Stephenson of CDMG and David DeWalt of NightDragon. 

Users can download The Back Unicorn Report for 2024: https://cyberdefenseawards.com/the-black-unicorn-report-for-2024/ 

Top Global CISOs Winners for 2024: https://cyberdefenseawards.com/top-global-cisos-winners-for-2024/

****Contact****

**Liberty Pike**  
**One Identity**  
**\[email protected\]**

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

SUMMARY A day after taking down the cybercrime platform MATRIX, Europol and international law enforcement agencies have successfully…

****SUMMARY****

*   **Manson Market Takedown**: Europol and international law enforcement dismantled the notorious Manson Market cybercrime platform, disrupting phishing networks and seizing stolen data.

*   **Sophisticated Marketplace**: Manson Market allowed cybercriminals to buy and sell stolen data with advanced filtering options, facilitating targeted fraud and financial crimes.

*   **Phishing Scams Uncovered**: Investigators linked the marketplace to fake online shops designed to steal payment information, fueling a steady flow of stolen credentials.

*   **Massive Operation**: Over 50 servers were seized across multiple countries, yielding 200 terabytes of evidence, and two suspects were arrested in Germany and Austria.

*   **Global Collaboration**: The operation highlights Europol’s role and international cooperation in dismantling complex cybercrime networks and protecting citizens.

A day after **taking down** the cybercrime platform MATRIX, Europol and international law enforcement agencies have successfully taken down Manson Market, a notorious cybercrime marketplace. This significant operation disrupted a network of phishing websites and seized a massive amount of stolen data.

Europol, along with authorities in Germany and other European countries, successfully dismantled a notorious cybercrime marketplace called Manson Market, serving a huge blow to the cybercrime fraternity.

Users trying to access the website (manson-market.pw) are informed that law enforcement authorities now possess all transactions, communications, and user information.

Screenshot credit: Hackread.com

The investigation began in late 2022 following reports of a surge in fraudulent phone calls. Scammers, impersonating bank employees, were deceiving victims into revealing sensitive personal information such as addresses and security answers. These tactics were used to gain access to online accounts and facilitate further fraudulent activities.

Investigators quickly traced these malicious activities to a Dark Web platform, Mason Market, which served as a _central hub_ for cybercriminals, enabling them to buy and sell stolen data with alarming ease, Europol’s press release **revealed**.

The marketplace even allowed for sophisticated filtering, allowing criminals to purchase data specifically tailored to their needs, such as information from victims in a particular region or with high account balances. This level of customization significantly increased the efficiency and impact of subsequent fraudulent activities. Europol reported that thousands of users took advantage of this illicit marketplace, putting countless individuals at financial risk.

Furthermore, the investigation uncovered a network of fake online shops designed to lure unsuspecting consumers into exposing payment information. These phishing scams, generally a common tactic employed by cybercriminals, were used to generate a steady stream of stolen credentials, which were then sold through the illicit marketplace, enriching the network’s operators.

Europol played a crucial role in dismantling this sophisticated criminal network. The agency’s European Cybercrime Centre (EC3) leveraged its extensive resources and expertise, coordinating efforts between law enforcement agencies across the continent. Europol’s forensic capabilities were instrumental in analyzing the complex digital evidence, uncovering crucial connections and advancing the investigation. 

On December 4th, authorities conducted searches in Germany and Austria, while the marketplace’s infrastructure and fake online shops were dismantled in Germany, Finland, the Netherlands, Norway, and other countries. Over 50 servers were seized, yielding a massive trove of digital evidence exceeding 200 terabytes. Two key suspects, a 27-year-old and a 37-year-old, were arrested from Austria and Germany, and placed in pretrial detention.

This takedown follows another significant victory against illegal platforms. Recently, German authorities **shut down** Crimenetwork, the largest online criminal marketplace in Germany, which has been operating since 2012 with over 100,000 buyers and 100 sellers. Europol also **dismantled** the encrypted messaging app Ghost used by drug traffickers and arrested 51 suspects.

The operation’s success underscores the significance of international cooperation in combating cybercrime, enabling law enforcement agencies to dismantle sophisticated criminal networks and safeguard citizens.

1.  **Europe’s largest known illegal IPTV op dismantled by police**
2.  **Europol takes down VPNLab used by ransomware operators**
3.  **Europol nabs 106 criminals involved in SIM swapping scams**
4.  **Telegram Founder Pavel Durov Reportedly Arrested in France**
5.  **Europol Busts Major Online CSAM Racket in Western Balkans**

Police Dismantle Manson Market, Seize 50 Servers and 200TB Evidence

BT Group, a major telecommunications firm, has been hit by a ransomware attack from the Black Basta group. The attack targeted the company's Conferencing division, leading to server shutdowns and potential data theft.

****SUMMARY****

*   **BT Group Ransomware Attack**: British telecom giant BT Group’s Conferencing division was hit by a ransomware attack by Black Basta, leading to certain servers being taken offline.
*   **Stolen Data**: Black Basta claims to have stolen 500 GB of sensitive data, including financial, corporate, and personal information, and threatened to leak it unless a ransom is paid.
*   **Company Response**: BT Group stated the attack was confined to specific parts of its Conferencing platform, with core services unaffected, and is working with authorities to investigate.
*   **Black Basta’s Methods**: The group uses advanced tactics like email bombing and social engineering through platforms like Microsoft Teams to gain initial access.
*   **Global Ransomware Threat**: Black Basta has targeted over 500 organizations, affecting critical infrastructure sectors, emphasizing the need for robust cybersecurity measures.

Days after the ransomware attacks on the NHS Hospitals in the United Kingdom, British telecommunications giant BT Group has fallen victim to a ransomware attack launched by the notorious Black Basta gang. The attack specifically targeted the company’s Conferencing business division, forcing the company to take certain servers offline as a precautionary measure.

While BT Group has downplayed the severity of the attack, claiming limited impact on its services and customer data, Black Basta paints a far more alarming picture. The ransomware gang asserts that they successfully stole a staggering 500 gigabytes of sensitive information. As an evidence, the group has released screenshots of stolen documents and folder listings. 

The threat actors added BT’s btci.com and btconferencing.com domains to their data leak site, threatening to publicly release the stolen information, which includes financial, corporate, and even personal data such as passport copies, unless a ransom is paid. However, the exact amount of the ransom has not been disclosed.

BT Group has confirmed to _Hackread.com_ that it is actively investigating the incident and cooperating with relevant authorities. The company has emphasized that the attack was confined to specific elements of the Conferencing platform and that core services remain operational.

“We identified an attempt to compromise our BT Conferencing platform. This incident was restricted to specific elements of the platform, which were rapidly taken offline and isolated.”

“We’re continuing to actively investigate all aspects of this incident, and we’re working with the relevant regulatory and law enforcement bodies as part of our response,” BT Group’s spokesperson stated.

Black Basta has targeted over 500 organizations globally in the past two years, targeting 12 out of 16 critical infrastructure sectors, with victims including Ascension Healthcare, Hyundai Europe, Capita, Yellow Pages Canada, and Dish. 

The group, a ransomware-as-a-service (RaaS) variant emerging in 2022 after the Russian invasion of Ukraine and the downfall of Conti,  has had significant impacts on the global economy, according to the FBI and CISA’s (PDF) advisory titled “#StopRansomware: Black Basta.”

Research reveals that Black Basta, has been refining its social engineering methods. The group often initiates attacks by bombarding victims with emails from various mailing lists, creating a sense of urgency and confusion. 

“Recent techniques include email bombing—a tactic used to send a large volume of spam emails—to aid social engineering over Microsoft Teams and trick victim end users into providing initial access via remote monitoring and management (RMM) tools,” CISA’s updated advisory revealed.

This social engineering ploy often leads victims to grant remote access to their devices, allowing the hackers to deploy malware and steal sensitive information.

The incident reminds us that ransomware attacks remain a consistent threat, even for large, well-resourced organizations. Therefore, businesses must invest in advanced cybersecurity measures to protect sensitive data and maintain business continuity.

1.  **US, UK Military Social Network “Forces Penpals” Leaks PII Data**
2.  **Qilin Ransomware Leaks 400GB of NHS, Patient Data on Telegram**
3.  **Russian Midnight Blizzard Breached UK Home Office via Microsoft**
4.  **Major UK Security Provider Leaks Trove of Guard and Suspect Data**
5.  **China Suspected in Cyberattack on UK’s Ministry of Defence (MoD)**

Telecom Giant BT Group Hit by Black Basta Ransomware

The emerging threat actor, potentially a Chinese state-sponsored APT, is using the known exploit kit Moonshine in cross-platform attacks that deliver a previously undisclosed backdoor called "DarkNimbus" to ethnic minorities, including Tibetans.

Source: BeeBright via Shutterstock

A newly identified cyber-threat operation is using a known exploit kit to target security vulnerabilities in the popular WeChat app, to deliver previously unreported spyware to both Android and Windows devices belonging to the Tibetan and Uyghur ethnic-minority communities in China.

A group that researchers at Trend Micro are tracking as Earth Minotaur is wielding the Moonshine exploit kit, which first surfaced in 2019, to deliver a backdoor called DarkNimbus. The malware can steal data and monitor device activity, they revealed in a blog post published today, while Moonshine typically targets vulnerabilities in instant messaging apps on Android devices to deliver the malware. It also exploits multiple known vulnerabilities in Chromium-based browsers. The latest version of the kit discovered by Trend Micro has been upgraded with "newer vulnerabilities and more protections to deter analysis of security researchers," the researchers wrote.

The attacks begin as carefully crafted messages aiming to lure victims into clicking on an embedded malicious link, which typically claims to be related to government announcements; relevant Chinese news topics, such as COVID-19, religion, or stories about Tibetans or Uyghurs; or Chinese travel information. Attackers "disguise themselves as different characters on chats to increase the success of their social engineering attacks," the researchers wrote.

Related:African Law Enforcement Nabs 1,000+ Cybercrime Suspects

The ultimate payload, DarkNimbus, is "a comprehensive Android surveillance tool" that starts by collecting basic information from the infected device, installed apps, and geolocation systems. It goes on to steal personal information, including contact lists, phone call records, SMS, clipboard content, browser bookmarks, and conversations from multiple messaging apps. DarkNimbus also can record calls, take photos and screenshots, file operations, and execute commands, the researchers added.

**Novel Cyberattack Actor, Familiar Tools & Targets**

The researchers believe Earth Minotaur is a new threat actor, though the group isn't the first to use the Moonshine toolkit, they wrote.

"In the first report of Moonshine exploit kit in 2019, the threat actor using the toolkit was named Poison Carp," according to the post. However, the researchers did not find connections between Earth Minotaur and that group, they said.

"The backdoor DarkNimbus had been developed in 2018 but was not found in any of Poison Carp's previous activity," the researchers wrote. "Therefore, we categorize them as two different intrusion sets." At this time, there are at least 55 Moonshine exploit kits being actively used by threat actors in the wild, they said.

Related:CISA Issues Guidance to Telecom Sector on Salt Typhoon Threat

Moonshine was first discovered as part of a malicious campaign against the Tibetan community, and it's also associated with previous malicious activity against Uyghurs. Both groups are ethic minorities in China that face discrimination and surveillance by the Chinese government, and both are the key targets of Earth Minotaur, the researchers said. While it's likely the group is an advanced persistent threat (APT) backed by China, the researchers did not have enough evidence to make a definitive connection, they said.

**Defending Against Persistent Threats**

Earth Minotaur's activities and use of Moonshine share similarities with two previously identified threat campaigns. One, identified in 2002, spread an Android malware called BadBazaar along with Moonshine via Uyghur-language sites and social media.

BadBazaar then resurfaced later in broader attacks against users in several countries that delivered the malware via Trojanized versions of the Signal and Telegram messaging apps, in an attack vector similar to the one Earth Minotaur was seen employing.

To prevent similar attacks, Trend Micro suggested some basics. One, that people exercise caution when clicking on links embedded on suspicious messages, "as these may lead to malicious servers like those of Moonshine compromising their devices," the researchers wrote.

Related:Venom Spider Spins Web of New Malware for MaaS Platform

They also recommended regularly updating applications to the latest versions, as Moonshine takes advantage of flaws to conduct its malicious activities.

"These updates offer essential security improvements to protect against known vulnerabilities," the researchers wrote.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#auth