Efficiency is the name of the game for the security operations center — and 91% of cybersecurity pros say artificial intelligence and machine learning are winning that game.

Only 9% of cybersecurity professionals said that new artificial intelligence (AI) and machine learning (ML) tools have not improved their security operations center (SOC) functionality, according to Dark Reading's latest research on enterprise security. The vast majority of respondents saw noticeable rises in speed, accuracy, and efficiency — good news for those frontline workers.

In Dark Reading's Artificial Intelligence and Machine Learning in Cybersecurity Survey, an equal number of respondents (31%) said AI and ML tools contributed to SOC performance by improving threat detection, automating routine tasks, and speeding up responses to threats. All of these improvements directly reflect the value that automation brings to improving response accuracy and operational efficiency in the SOC.

One of the greatest challenges that SOC analysts face now is an overwhelming volume of false positives raised by their security tools. Analysts have to sift through system alerts and discern which ones are false positives and which ones are potential threats. The tediousness of that work can lead to missed warnings, slower incident response times, and dissatisfaction that can result in burnout. The good news is that AI and ML are perfectly suited for handling this kind of donkeywork.

In fact, 24% said that AI and ML tools improved their SOC operations by reducing the volume of false positives.

For 28% of Dark Reading respondents, AI and ML tools provided better visibility into security events, and 24% cited improved efficiency in handling security events. A quarter of respondents cited quicker response times from SOC personnel as a positive effect of these tools. AI and ML tools are gaining traction in enterprises, and these responses show those technologies are already making a positive impact on enterprise security posture.

For more on the impact of AI and ML on cybersecurity, download the Dark Reading report "The State of Artificial Intelligence and Machine Learning in Cybersecurity."

**About the Author**

It's Near-Unanimous: AI, ML Make the SOC Better

Palo Alto, California, 20th November 2024, CyberNewsWire

**Palo Alto, California, November 20th, 2024, CyberNewsWire**

SquareX, the leading browser security company, will make its Australian debut at Melbourne CyberCon 2024, hosted by AISA (Australian Information Security Association), from 26th to 28th November 2024. SquareX will showcase its groundbreaking Browser Detection and Response (BDR) solution at StartUp Booth 42, addressing the growing risk of browser-based cyber threats targeting employees.

With the browser being the most used application within the enterprise but also the least protected, browser security is an increasingly serious risk for enterprises. The risk is compounded as endpoint security has zero visibility into the browser, and SASE/SSE solutions such as Secure Web Gateways (SWG) lack user context and cannot detect client-side attacks just by using network traffic.

SquareX addresses this gap with a browser-native layer of protection, running directly within the browser. Leveraging rich data metrics such as browser DOM insights and user context, SquareX empowers security teams to create precise policies to protect employees from web threats. In an effort to help enterprises access their own security posture, SquareX has also launched **scan.browser.security** — a website featuring over 25+ SWG bypass for enterprises and vendors to assess their current security posture.

> “Cyber threats are on the rise globally and in Australia. As reported by authorities such as the Australian Signals Directorate in its recent Cyber Threat Report 2022-2023, malicious cyber activity continues to pose a risk to Australia’s security and prosperity,” said Vivek Ramachandran, Founder and CEO of SquareX.

SquareX’s browser-native security solution, deployed as an extension on major browsers, detects client-side attacks, prevents data loss, enables secure access to private apps for unmanaged devices and more. “Our solution allows security teams to immediately mitigate attacks and conduct threat-hunting across the organization,” added Ramachandran.

Attendees can also look forward to an exclusive session on Wednesday, 27 November at 2pm (AEST), where SquareX Founder Vivek Ramachandran and Chief Architect Jeswin Mathai will be delivering a talk titled **“The Silver Bullet in Your Enterprise Defense Strategy: Browser Security Solutions”** . The talk will cover why SMEs and non-profits should choose a native browser security solution to protect themselves, and offer guidance on selecting the right solution based on factors such as scalability, attack coverage and cost.

Explore SquareX’s BDR solution at Booth 42, AISA Melbourne CyberCon via live demos and see first-hand how SquareX’s browser-native approach fills crucial gaps in today’s cybersecurity landscape.

Attendees are encouraged to schedule a demo here to secure a slot to meet the team this November.

**About SquareX:**

SquareX helps organizations detect, mitigate and threat-hunt client-side web attacks happening against their users in real time.

SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

With SquareX, enterprises can provide contractors and remote workers with secure access to internal applications, enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Brings Industry’s First Browser Detection Response Solution to AISA Melbourne CyberCon 2024

In US Senate testimony, a CrowdStrike exec explained how this advanced persistent threat penetrated telcos in Asia and Africa, gathering SMS messages, unique identifiers, and other metadata along the way.

Source: Jakub Krechowicz via Alamy Stock Photo

A newly unveiled threat actor has been spying on mobile phones in Asia and Africa for more than four years. 

On Nov. 19, Adam Meyers, senior vice president for counter-adversary operations at CrowdStrike, testified before the US Senate Judiciary Subcommittee on Privacy, Technology, and the Law, on the subject of Chinese cyber threats to critical infrastructure. In the process, he unveiled Liminal Panda, an advanced persistent threat (APT) hyper-focused on gathering intelligence from telecommunications networks.

Since 2020, Liminal Panda has been using network-based attacks to penetrate and pivot between telcos across geographic regions, gathering SMS messages, unique identifiers, and other metadata associated with mobile phones that could be of political or economic use to the Chinese state.

**Liminal Panda's MO**

Though the aim is to obtain data transmitted over telecommunications channels, a typical Liminal Panda attack might look a lot like any regular network breach.

"Your cellphone has a radio that talks to a tower, called a base station controller. And those things are connected, typically, by Internet-type protocols — network technology," Meyers explained. Where some attackers might focus on the towers and their transmissions, Liminal Panda targets the IT network infrastructure underpinning the system. "They're going to go in through the gateway of the telco, and inside there's going to be a lot of traditional IT systems."

Once inside a telco's network — so often staffed by outdated legacy systems — Liminal Panda has tools for collecting call and text records and other sensitive identifying data on large groups or individual targets. "When you send a text message from your mobile device, it goes to the tower via SMS that gets passed back into the core of the telco. Routing decisions are made, and then it goes to the next destination," he says. Liminal Panda malware acts on that interim step.

To facilitate the exfiltration of that information, the group's command-and-control (C2) setup emulates the Global System for Mobile Communications (GSM). GSM is a mobile communications standard that enables calling, texting, and the use of mobile data, and is the most widespread such standard in the world, used in more than 193 countries.

**Hopping Between Telcos**

Besides attacking specific telcos, Liminal Panda has also been observed hopping between them.

"When you go from one part of the country to another, or when you go from one country to another, you need to have interoperability. And there's a lot of infrastructure that goes into making that happen," Meyers said. Thing is: The open lines of communication between telecommunications providers, and their infrastructure over long distances, can also be weaponized. "There are multiple threat actors from China who really understand how telecommunications infrastructure works. They understand how it's all connected together, and they're able to abuse that in order to go between providers."

Though its understanding of industry-specific protocols helps, Liminal Panda also jumps between providers simply by abusing the Domain Name System (DNS). By the end of a campaign, the group has often established multiple, redundant routes for traveling between providers.

**China's End Goals**

Oppressive governments have long used telecommunications breaches to spy on foreign officials, internal political dissidents, journalists, and academics. "All of these groups are targeting telcos to perform bulk collection, because it gives them the opportunity to then \[hone in on\] an individual — see who they're texting, who they're calling, who they're with," Meyers explained.

If Liminal Panda is indeed working on behalf of China, as CrowdStrike assesses with admittedly low confidence, then this sort of spying might have a dual economic benefit as well. In his Senate testimony, Meyers highlighted how major national projects like the Belt and Road Initiative, Made in China 2025, the 2035 Vision, the Global China 2049, and the country's regular Five-Year Plans provide impetus for economic espionage.

"If you're doing a deal in that region, I want to know who you're meeting with. I can collect that information, if you're sending text messages about the deal," he says. "Or I can intercept them if you're meeting with somebody that is politically problematic for me."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

China's 'Liminal Panda' APT Attacks Telcos, Steals Phone Data

### Impact

Password Pusher comes with a configurable rate limiter.  In versions prior to [v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0), the rate limiter could be bypassed by forging proxy headers allowing bad actors to send unlimited traffic to the site potentially causing a denial of service.


### Patches

In [v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0), a fix was implemented to only authorize proxies on local IPs which resolves this issue.

If you are running a remote proxy, please see [this documentation](https://docs.pwpush.com/docs/proxies/#trusted-proxies) on how to authorize the IP address of your remote proxy.

### Workarounds

It is highly suggested to upgrade to at least [v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0) to mitigate this risk.

If for some reason you cannot immediately upgrade, the alternative is that you can add rules to your proxy and/or firewall to not accept external proxy headers such as `X-Forwarded-*` from clients.

### References

The new settings are [configurable to authorize remote proxies](https://docs.pwpush.com/docs/proxies/#trusted-proxies).


**Impact**

Password Pusher comes with a configurable rate limiter. In versions prior to v1.49.0, the rate limiter could be bypassed by forging proxy headers allowing bad actors to send unlimited traffic to the site potentially causing a denial of service.

**Patches**

In v1.49.0, a fix was implemented to only authorize proxies on local IPs which resolves this issue.

If you are running a remote proxy, please see this documentation on how to authorize the IP address of your remote proxy.

**Workarounds**

It is highly suggested to upgrade to at least v1.49.0 to mitigate this risk.

If for some reason you cannot immediately upgrade, the alternative is that you can add rules to your proxy and/or firewall to not accept external proxy headers such as X-Forwarded-* from clients.

**References**

The new settings are configurable to authorize remote proxies.

**References**

*   GHSA-ffp2-8p2h-4m5j

GHSA-ffp2-8p2h-4m5j: Password Pusher rate limiter can be bypassed by forging proxy headers

Cybersecurity investigators found the leaked data to be information from a third party, not Ford itself, that is already accessible to the public and not sensitive in nature.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

On Nov. 17, hackers that go by the aliases IntelBroker and EnergyWeaponUser claimed to have breached Ford customer records, laying out their "success" in a post on BreachForums.

The hackers claimed that they had stolen 44,000 Ford customer records that included names, physical addresses, and acquisition information. In truth, after making the data sample public, it was found that the data only included physical addresses of car dealers from around the world, data that is likely already public and not considered sensitive.

The initial claims, however, prompted an investigation by Ford, which determined that there was no breach of its systems or compromised customer data involved. The leaked information actually originated from a third-party supplier, according to the automotive giant.

This isn't the first time IntelBroker has pulled a stunt such as this; though its victims do suffer from some type of breach, the hacker's claims of its attacks' magnitude are often exaggerated. Nonetheless, it's important to carefully vet any hacker claims, according to Roger Grimes, data-driven defense evangelist at KnowBe4.

"Any stolen confidential information, like purchasing habits, is something that can be used in a targeted spear phishing attack to trick more potential victims,” he wrote in an emailed statement to Dark Reading. "So, you can't completely discount any data breach no matter how innocuous it first seems."

**About the Author**

Alleged Ford 'Breach' Encompasses Auto Dealer Info

Though the information regarding the exploits is limited, the company did report that Intel-based Mac systems have been targeted by cybercriminals looking to exploit CVE-2024-44308 and CVE-2024-44309.

Source: Shahid Jamil via Alamy Stock Photo

Apple has released security updates to address two zero-day vulnerabilities that are under active exploitation in the wild.

The bugs, tracked as CVE-2024-44308 (CVSS 6.8) and CVE-2024-44309 (CVSS 4.3), are, respectively, a vulnerability in JavaScriptCore that could lead to arbitrary code execution; and a cookie management vulnerability in WebKit that could lead to a cross-site scripting (XSS) attack while processing malicious Web content.

The bugs affect Apple's iOS, iPadOS, macOS, visionOS, and the Safari Web browser; the company reports that it has addressed them with better checks and improved state management.

Clément Lecigne and Benoît Sevens at Google's Threat Analysis Group (TAG) first discovered and reported the vulnerabilities and, as is customary for the company, Apple did not provide any additional details of reported attacks nor did it offer indicators of compromise (IoCs).

"Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems," Apple stated its advisory for both zero-days, the lone piece of information regarding in-the-wild exploitation attempts.

Those using affected Apple ecosystem products should update to iOS 18.1.1, macOS Sequoia 15.1.1, and  iOS 17.7.2 as soon as possible to avoid compromise.

**About the Author**

Apple Urgently Patches Actively Exploited Zero-Days

If the US wants to maintain its lead in cybersecurity, it needs to make the tough funding decisions that are demanded of it.

Michael Daniel, President & CEO, Cyber Threat Alliance

November 20, 2024

5 Min Read

Source: Skorzewiak via Alamy Stock Photo

COMMENTARY

The term "government cybersecurity agency" probably conjures up a range of images, from men in dark suits to rooms filled with huge screens and people typing away at keyboards. It likely does not prompt people to think of a small underfunded agency in the Department of Commerce. Although organizations like the National Security Agency (NSA), the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) receive the most attention regarding cybersecurity, many other government agencies perform critical cybersecurity functions and are chronically underfunded and short-staffed. 

The digital ecosystem can suffer far-reaching negative impacts if these agencies cannot perform their missions. If the US wants to maintain its cybersecurity edge, Congress must allocate appropriate funding for agencies across the cybersecurity ecosystem to protect networks and critical infrastructure. The Commerce Department's National Institute of Standards and Technology (NIST) and the National Vulnerabilities Database (NVD) provide an excellent case study for this problem. 

The NVD is a catalog of known IT software and hardware vulnerabilities that bad actors can exploit to carry out malicious activities, such as breaking into a network to steal data or accessing a control system to sabotage equipment. 

Software vendors, cybersecurity providers, and network operators want to know about vulnerabilities so they can patch them and prevent bad actors from exploiting them. The NVD serves as a foundation for almost all vulnerability analysis, assessment, management, or remediation activities in the US, the European Union, and throughout much of the world. 

The US government has operated the NVD since 1999 under NIST. A relatively small agency by US government standards, it has a well-deserved reputation for quality, industry collaboration, and integrity; its expertise in standards development is unparalleled. The agency plays an outsized role in the cybersecurity ecosystem due to the extensive use of its standards, guidelines, best practices, and other cybersecurity products. 

**How the NVD Started and Developed**

The NVD started as a research project. As the vulnerability management process evolved, NIST staff began adding certain data fields to the NVD entries, a process that became known as enrichment. As the number and importance of vulnerability tracking increased — and businesses and network operators increasingly relied on the data — maintaining the NVD and its enriched data became an essential operational requirement for cybersecurity across the entire ecosystem. NIST continued to manage the NVD, despite not being an operational agency.  

This status quo persisted until mid-February 2024, when NIST stopped enriching the NVD entries without much warning. 

While the reasons for the outage are not fully known, long-time observers assert that a lack of resources played into NIST's decision. This abrupt change created major problems across the cybersecurity ecosystem because so many organizations relied on the enriched NVD data for their vulnerability management systems. While the resulting outcry eventually forced the US government to cobble together a solution and restart the process, the decision to stop enriching vulnerabilities measurably increased global cyber-risk for several months. 

**The Problem: Widespread Underfunding of Government Security**

This process breakdown shows what happens when we rely on underfunded government organizations for critical Internet security functions. Unfortunately, the NVD is hardly an outlier. A review of executive orders, presidential guidance documents, and national strategies would show many new tasks for NIST, but decreased funding in the financial year 2025 budget. NIST isn't the only agency in this situation. The Environmental Protection Agency, the Coast Guard, and the Department of Agriculture all have cybersecurity missions and are critical players in increasing our cyber resilience. The State Department and the US Agency for International Development are also responsible for carrying out our cyber policies abroad. Yet the collective resource allocations for these agencies and programs don't reflect their contribution to our overall cybersecurity. The allocated resources are not commensurate with our national security, economic prosperity, and public health and safety needs. 

As a country, we should recognize the importance of these functions and resource them appropriately. We should also think critically about who performs these tasks; for example, in the case of the NVD, should a government research organization maintain a foundational operational capability, or should another agency take over the function? For that matter, we should consider whether a function should be moved out of the federal government to a private sector entity or nonprofit. 

The structures, policies, and resource allocations that worked when the Internet was a "nice-to-have" no longer suffice. Now that the Internet is a "critical function," underpinning public health, safety, and global economic prosperity, we need to invest in the cybersecurity capabilities needed to keep the Internet functioning. We must shoulder our responsibilities appropriately, including allocating sufficient resources to meet our collective needs. 

Unfortunately, the current approach to funding government agencies by continuing resolution simply compounds the resourcing problem. Continuing resolutions are better than a government shutdown, of course, but they are otherwise bad for cybersecurity. They keep agencies at the same funding level as previous years, making no changes for inflation or mission, and they do not permit agencies to start new programs. Their short duration creates uncertainty and effectively freezes the federal government in place. We need Congress to pass annual appropriations bills and provide the resources necessary for our cybersecurity. As the recent McCrary Institute Presidential Transition Task Force report states, "The misalignment between policy objectives and funding is a recurring issue that compromises the effectiveness of national cybersecurity efforts." That's why the report dedicates an entire section to funding and resource recommendations — without adequate resources, the best policies will not achieve their intended effects. 

The US is still a cyber superpower, but that status is not guaranteed to last — we could squander it. If the US wants to maintain its lead in cybersecurity, we need to act like adults and make the tough funding decisions that are demanded of us. Growing up is hard to do — but the alternative is very unattractive.

**About the Author**

President & CEO, Cyber Threat Alliance

Michael Daniel is president of the Cyber Threat Alliance and oversees the organization's operations. Prior to joining CTA in February 2017, Michael served from June 2012 to January 2017 as Special Assistant to President Obama and Cybersecurity Coordinator on the National Security Council Staff. In this role, Michael led the development of national cybersecurity strategy and policy, and ensured that the US government effectively partnered with the private sector, non-governmental organizations, and other nations.

Small US Cyber Agencies Are Underfunded &amp; That's a Problem

Aqua Nautilus’ research reveals hackers are leveraging vulnerable and misconfigured Jupyter Notebook servers to steal live sports streams.…

Aqua Nautilus’ research reveals hackers are leveraging vulnerable and misconfigured Jupyter Notebook servers to steal live sports streams. Learn about the techniques used, the risks involved, and how to protect your organization from similar attacks.

Cybersecurity researchers at Aqua Nautilus uncovered a novel attack technique where threat actors exploited misconfigured JupyterLab and Jupyter Notebook servers to illegally stream sports events, drop live streaming capture tools, and duplicate broadcasts on their illegal server, causing stream ripping.

Unfortunately, illegal live streaming of sports events is a growing issue, impacting broadcasters, leagues, and legitimate platforms. With readily available streaming tools and high-speed internet, unauthorized broadcasts are flourishing, causing financial losses for both major leagues and smaller teams dependent on viewership revenue.

The targeted source streamed the UEFA Champions League match between Shakhtar Donetsk and BSC Young Boys on November 6, 2024 (Screenshot: Aqua Nautilus)

“The problem is widespread, with 5.1 million adults in England, Scotland, and Wales admitting to watching an illegal stream during the first six of last year,” researchers noted in the blog post. 

In this instance, the red flag was the seemingly harmless tool, ffmpeg. This open-source software is widely used for video processing and streaming. While threat intelligence confirmed its legitimacy, closer inspection revealed a twist. The attackers exploited misconfigured JupyterLab and Jupyter Notebook environments to gain access and deploy ffmpeg for live stream ripping.

The attack started with exploiting unauthenticated access to JupyterLab or Jupyter Notebook, which allowed remote code execution. The attackers then updated the server and downloaded ffmpeg, which was repurposed to capture live sports streams and redirect them to a malicious server. 

This reveals that the MITRE ATT&CK framework was used in an attack, where adversaries gained access through misconfigured Jupyter Notebook and JupyterLab environments. Attackers installed and ran ffmpeg, exfiltrated video content, and used the victim’s bandwidth to transfer the stolen streaming data.

This exploitation can result in “denial of service, data manipulation, data theft, corruption of AI and ML processes, lateral movement to more critical environments and, in the worst-case scenario, substantial financial and reputational damage,” researchers explained.

Attack flow (Screenshot: Aqua Nautilus)

Though seemingly minor in its immediate impact on organizations, the attack indicates the importance of behavioural analysis. Traditional security solutions might overlook such activity. However, the unusual deployment and execution of ffmpeg for live-stream capture alerted Aqua Nautilus’ security team. By analyzing network traffic, files, and memory dumps, Aqua Nautilus was able to reconstruct the entire attack sequence.

Undoubtedly, JupyterLab and Jupyter Notebook are valuable assets for data scientists, but security shortcomings can leave them vulnerable. Often, these servers are managed by individuals without a strong security background.

Leaving them connected to the internet with open access or weak firewalls allows threat actors to exploit them for attack. Token mishandling is another concern, as exposed tokens can grant full access. Thankfully, implementing best practices like restricted IPs, strong authentication, HTTPS, and proper token management can greatly lower these risks.

1.  New Jupyter infostealer delivered through the MSI installer
2.  Qubitstrike Malware Hits Jupyter Notebooks for Cloud Data
3.  New Jupyter backdoor malware steals Chrome, Firefox data
4.  NTLM Credential Theft in Python Apps Risk Windows Security
5.  PythonAnywhere Cloud Platform Abused to Host Ransomware

Hackers Exploit Misconfigured Jupyter Servers for Illegal Sports Streaming

An elusive, sophisticated cybercriminal group has used known and zero-day vulnerabilities to compromise more than 20,000 SOHO routers and other IoT devices so far, and then puts them up for sale on a residential proxy marketplace for state-sponsored cyber-espionage actors and others to use.

Source: Jiraroj Praditcharoenkul via Alamy Stock Photo

A cybercriminal group is exploiting vulnerabilities in Internet of Things (IoT) devices and then turning a tidy profit by putting them up for sale on a residential proxy marketplace, where they can be turned into proxy botnets by state-sponsored advance persistent threats (APTs) and other malicious actors.

The gang, tracked as "Water Barghest," has already compromised more than 20,000 IoT devices, including small office and home office (SOHO) routers used by businesses, by using automated scripts to identify and compromise vulnerable devices, according to new research from Trend Micro. The threat actor, which has operated for more than five years (largely under the radar due to a sophisticated automation strategy) discovers vulnerable IoT devices from public Internet-scanning databases such as Shodan, the researchers noted.

Once Water Barghest compromises devices, it deploys proprietary malware called Ngioweb to register the device as a proxy — i.e., a network that puts an intermediary between a client and a server. Water Barghest then lists the device for sale on a residential proxy marketplace for other threat actors to purchase.

The entire cybercriminal process to enslave a target takes as little as 10 minutes, "indicating a highly efficient and automated operation," Trend Micro researchers Feike Hacquebord and Fernando Mercês wrote in the post.

**Selling Proxy Devices as a Cybercrime Business Model**

There is indeed a significant incentive for both espionage-motivated and financially motivated actors to set up proxy botnets to help hide where their malicious activities originate; Russia's Sandworm, for example, recently used the VPNFilter botnet and Cyclops Blink in activities against Ukraine that were elusive for a time before being ultimately disrupted by the FBI, according to Trend Micro.

"These \[botnets\] can serve as an anonymization layer, which can provide plausibly geolocated IP addresses to scrape contents of websites, access stolen or compromised online assets, and launch cyberattacks," the researchers wrote.

Threat actors can find any IoT device that accepts incoming connections on the open Internet using public scanning services, making it easy for them to compromise ones with known vulnerabilities, or even zero-days, for future use in malicious activities, they wrote. This makes it easy for threat actors like Water Barghest to exploit them for financial gain and further abuse, they added.

**Uncovering the Elusive Botnet-for-Sale Cyber Operation**

Trend Micro discovered Water Barghest's operation during an investigation of the Department of Justice's disruption of a Russian military intelligence botnet that Russian state-sponsored threat group Fancy Bear (aka APT28) used for global cyber espionage.

The researchers examined EdgeRouter devices that had been used by Sandworm, and eventually uncovered Water Barghest's Ngioweb malware and botnet. The group's infrastructure had been up and running for more than five years but had been able to evade detection by security researchers and law enforcement "because of their careful operational security and high degree of automation," the researchers wrote.

"They quietly erased log files from their servers and made forensic analysis more difficult," they wrote. "They removed human error from their operations by automating almost everything. They also removed financial traceability by using cryptocurrency for anonymous payments."

Water Barghest automates each step of the 10-minute process, from initially finding vulnerable IoT devices to ultimately putting them for sale on a residential proxy marketplace. The group first acquires known exploits for flaws in devices, then uses search queries on one of the publicly available Internet-scanning databases to find vulnerable devices and their IP addresses. It then uses a set of data center IP addresses to try the exploits against potentially vulnerable IoT devices.

When one works, the compromised IoT devices download a script that iterates through Ngioweb malware samples compiled for different Linux architectures. When one of the samples runs successfully, Ngioweb will run in memory on the victim’s IoT device, registering it with a command-and-control (C2) server, and then eventually sending it to be listed on a Dark Web marketplace.

Water Barghest has about 17 identities on virtual private servers that continuously scan routers and IoT devices for known vulnerabilities and also upload Ngioweb malware to freshly compromised IoT devices. In this way, Water Barghest has been running a profitable business "for years, with the worker IP addresses changing slowly over time," according to the Trend Micro analysis.

**Protecting SOHO Routers: Limit Exposure to Public Internet**

Trend Micro expects that both the commercial market for residential proxy services and the underground market of proxies will grow in the coming years due to high demand from both APTs and financial cybercriminal groups alike. This growth will pose "a challenge for many enterprises and government organizations around the world" to protect against the anonymization layers behind which these groups hide, the researchers wrote.

While law enforcement has been effective in disrupting proxy botnets, it's better to go directly to the source to combat the problem, and that can be done by addressing the security of IoT devices. Indeed, these devices are notoriously hackable, posing a problem for organizations that must manage increasingly larger networks of them.

"It is important \[for organizations\] … to put mitigations in place to avoid their infrastructure being part of the problem itself," the researchers wrote. They can do this, they added, by limiting the exposure of these devices to incoming connections from the open Internet whenever it is not business-essential.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Water Barghest' Sells Hijacked IoT Devices for Proxy Botnet Misuse

Bitcoin is a pioneer in technological advancement and decentralization. As its creator states in the white paper, peer-to-peer…

Bitcoin is a pioneer in technological advancement and decentralization. As its creator states in the white paper, peer-to-peer digital cash will allow payments without the need for a third party to verify and approve them. Network timestamps, hashing, and mining keep Bitcoin safe and useful for the crypto community, but its value comes from its adaptation features for the real world. 

Users leverage Bitcoin for crowdfunding, donations, and purchasing goods and services, so its integration in the real world is prominent. The Bitcoin price prediction has also shown a trend of stability higher than stocks, so it has become available in more markets since it’s everyone’s first crypto investment.  

However, one Bitcoin element makes it the propelling force for Web3 adoption, where decentralization, immutability, and transparency will shape the financial sector. Let’s discuss digital signatures, the technology that ensures a digital document’s authenticity and integrity. 

****Digital signatures and Bitcoin’s security** **

Digital signatures are blockchain technology that proves a person’s link to a document. Based on cryptography, a digital signature shows that no one has tampered with the information and that an authorized user provided it. 

The digital signature works through the following: 

*   A hashing code that sums up the information
*   A digital keychain consisting of the public and private key

The process is simple. One user locks the hash code through their private key, creating the digital signature. The one who received it uses their public key to access the original hash and compare it with a new one to ensure it’s a perfect match, meaning the transaction is genuine. 

****Why are digital signatures this important?****

Considering the decentralized crypto ecosystem works without third parties, developers must still work in a safe environment, while users should be able to transact in a secure system. That’s why digital signatures are necessary―they prevent users from messing up each other’s information. 

Therefore, no one can pretend to be someone else, which is crucial for a decentralized environment in which people interact with strangers from across the globe. 

Digital signatures also ensure: 

*   Trust between users as they can always be sure the information received is true;
*   Reassurance in signing contracts as agreements cannot be denied or taken back;

****How are digital signatures nurturing the Web3 adoption?****

The Web3 world is already starting to take form, as we’re using Internet of Things devices and exploring machine learning, AI, and 3D graphics. However, the new era of the Internet is much more than that. Web3 will introduce the semantic web to the world by allowing users to create and share content through technology-based search and analysis. 

At the same time, it makes data trustless since people can communicate in public or private online environments without third-parties spying on them. Finally, Web3 allows users to participate in ecosystems without permission from a central authority. 

These can all be achieved through the introduction of blockchain technology, as its features of decentralization, immutability, and consensus contribute to advanced security and improved transaction efficiency. 

****Blockchains use different signature schemes****

Digital signatures may use the same concept, but blockchains leverage them differently due to infrastructure technology. For example, Bitcoin works with the Elliptic Curve Digital Signature Algorithm (ECDSA), which generates signatures that users can easily verify but not forge. Despite its use case, the ECDSA is prone to numerous vulnerabilities, which the developers have tried to fix with the Segregated Witness update. 

A new scheme, the Schnarr signature, was introduced for Bitcoin to solve the inefficiency of ECDSA. The technology is much more complex as it reduces block load through the taproot smart contract technique. 

Ethereum also used the same signature scheme until it switched from PoW to PoS, when it started leveraging the Boneh-Lynn-Shacham (BLS) strategy. At the same time, Polkadot uses the GRANDPA validation system. 

****Why are we pushing forward for the Web3?** **

We’re currently living in the Web2 world, with a few Web3 introductions here and there. Experts consider that it’ll take some time for the latter to fully integrate into our systems, especially 

considering the differences in internet coverage across the world. 

The second stage of the internet leverages mostly user-generated content, as social media allows anyone to post content freely online. It has improved communication and increased accessibility, but it’s still struggling with the following:

*   Spamming, hacking, and forging; 
*   Online stalking, cyberbullying, and identity theft;
*   Misinformation due to the availability of everyone to post online;

Of course, Web2 was considerably pushing towards innovation, considering how it allowed fiat currency to become digital. However, we’re waiting for the future of the financial world online, where assets like Bitcoin make it easy for worldwide users to exchange and trade in online environments. 

****We must be wary of Web3 challenges** **

Web3 is a revolutionary step forward for future nations to nurture their knowledge and create something unique, but it has its issues, especially regarding vulnerabilities. First, since most of Web3 will be designed through smart contracts, it will be prone to timestamp dependence, front-running attacks, and logic errors. 

On the other hand, given people in the future will leverage custodial wallets to keep their assets, they’ll be faced with problems due to a single point of failure, which is common in crypto exchanges. At the same time, in most cases, these companies cannot protect users from bankruptcy, which traditional banks provide. 

Finally, the problem with high-frequency trading in DeFi ecosystems exposes users to front-running attacks and network congestion, as the high transaction volumes slow down systems and increase gas fees. Overall, security in Web3 will have its own issues. 

****What do you think about the Web3?** **

Web3 is the next generation of the Internet, where users will benefit from enhanced decentralization, immutability, and transparency. Although it has yet to be fully implemented in our environments, we’ve dipped into the Web3 world through the use of cryptocurrencies like Bitcoin, IoT devices, and artificial intelligence. Bitcoin might contribute to the emergence of this new era through its digital signature technology, which allows parties to ensure the information they’re exchanging is genuine and will be helpful in contracts and agreements. 

1.  The Idea of Web3 and 7 Global Web3 Agencies
2.  Owning Versus Renting – The Circumstances of Web3 Domains
3.  Particle Network’s Intent-Centric Approach Aims to Secure Web3
4.  Regardless of Market Fluctuation, Web3 Infrastructure Is Booming
5.  Blockchain Networks Use API Security Data to Mitigate Web3 Threats

Tag

#auth