A critical security flaw has been disclosed in the Kubernetes Image Builder that, if successfully exploited, could be abused to gain root access under certain circumstances.
The vulnerability, tracked as CVE-2024-9486 (CVSS score: 9.8), has been addressed in version 0.1.38. The project maintainers acknowledged Nicolai Rybnikar for discovering and reporting the vulnerability.
"A security issue

Vulnerability / Kubernetes

A critical security flaw has been disclosed in the Kubernetes Image Builder that, if successfully exploited, could be abused to gain root access under certain circumstances.

The vulnerability, tracked as **CVE-2024-9486** (CVSS score: 9.8), has been addressed in version 0.1.38. The project maintainers acknowledged Nicolai Rybnikar for discovering and reporting the vulnerability.

"A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process," Red Hat's Joel Smith said in an alert.

"Additionally, virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access."

That having said, Kubernetes clusters are only impacted by the flaw if their nodes use virtual machine (VM) images created via the Image Builder project with the Proxmox provider.

As temporary mitigations, it has been advised to disable the builder account on affected VMs. Users are also recommended to rebuild affected images using a fixed version of Image Builder and redeploy them on VMs.

The fix put in place by the Kubernetes team eschews the default credentials for a randomly-generated password that's set for the duration of the image build. In addition, the builder account is disabled at the end of the image build process.

Kubernetes Image Builder version 0.1.38 also addresses a related issue (CVE-2024-9594, CVSS score: 6.3) concerning default credentials when image builds are created using the Nutanix, OVA, QEMU or raw providers.

The lower severity for CVE-2024-9594 stems from the fact that the VMs using the images built using these providers are only affected "if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring."

The development comes as Microsoft released server-side patches three Critical-rated flaws Dataverse, Imagine Cup, and Power Platform that could lead to privilege escalation and information disclosure -

*   **CVE-2024-38139** (CVSS score: 8.7) - Improper authentication in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network
*   **CVE-2024-38204** (CVSS score: 7.5) - Improper Access Control in Imagine Cup allows an authorized attacker to elevate privileges over a network
*   **CVE-2024-38190** (CVSS score: 8.6) - Missing authorization in Power Platform allows an unauthenticated attacker to view sensitive information through a network attack vector

It also follows the disclosure of a critical vulnerability in the Apache Solr open-source enterprise search engine (CVE-2024-45216, CVSS score: 9.8) that could pave the way for an authentication bypass on susceptible instances.

"A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path," a GitHub advisory for the flaw states. "This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing."

The issue, which affects Solr versions from 5.3.0 before 8.11.4, as well as from 9.0.0 before 9.7.0, have been remediated in versions 8.11.4 and 9.7.0, respectively.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Kubernetes Image Builder Vulnerability Exposes Nodes to Root Access Risk

Brazilian police have arrested the hacker known as USDoD, responsible for high-profile breaches including the FBI’s InfraGard and…

Brazilian police have arrested the hacker known as USDoD, responsible for high-profile breaches including the FBI’s InfraGard and National Public Data breach which leaked personal details of billions.

The Department of Federal Police (DPF) has arrested a 33-year-old hacker from Belo Horizonte (MG), believed to be responsible for some of the most significant global cyberattacks on critical infrastructure.

While the police have not officially released the suspect’s name, it has confirmed that the individual was involved in the **FBI’s InfraGard breach**, a major security incident that leaked the personal details of 87,000 members on Breach Forums and Russian language cyber crime forum XSS.

The hacker behind the InfraGard breach was USDoD, also using the alias EquationCorp. This same hacker was also responsible for the massive **National Public Data (NPD) data breach**, which exposed the personal information, including Social Security Numbers (SSNs), of 3.9 billion people.

The DPF **press release** states that the hacker was arrested on Wednesday, October 16, 2024, as part of Operation Data Breach, an ongoing cybercrime crackdown. Authorities have seized several of his devices for further investigation.

It is worth noting that USDoD had managed to maintain his anonymity until July 2024, when he **publicly announced** the scraping and leaking of a 100,000-line Indicator of Compromise (IoC) list from the cybersecurity firm CrowdStrike.

USDoD hacker on Breach Forums (Screenshot credit: Hackread.com)

Following this, CrowdStrike began tracking his activities and, within a month, successfully uncovered his real identity. The company then shared the information with Brazilian authorities, leading to his arrest.

**_Hackread.com_** was the first and only publication to **interview USDoD** amid the allegations, during which he revealed his identity in a video message and confirmed that CrowdStrike’s claims about him were accurate.

****The United States and Brazil Extradition Treaty****

Although it is too early to speculate, given the hacker’s involvement in high-profile cyberattacks, the United States may seek his extradition under the Brazil-U.S. Extradition Treaty.

However, Brazil has a well-documented **history** of not extraditing its own citizens, which could complicate efforts to prosecute him in the U.S. If extradition is denied, the hacker may still face prosecution in Brazil under local cybercrime laws.

_This is a developing story. Stay tuned!_

1.  **Australian Man Arrested for “Evil Twin” Wi-Fi Scam**
2.  **Alleged ShinyHunters Hacker Group Member Arrested**
3.  **Feds Bust N. Korean Identity Theft Ring Targeting US Firms**
4.  **MIT Graduate Brothers Arrested for $25 Million Ethereum Heist**
5.  **Alcasec Hacker, aka “Robin Hood of Spanish Hackers,” Arrested**

Brazil arrests USDoD hacker tied to FBI, National Public Data breaches

But the time when quantum computers pose a tangible threat to modern encryption is likely still several years away.

Source: funtap via Shutterstock

Researchers at China's Shanghai University have demonstrated how quantum mechanics could pose a realistic threat to current encryption schemes even before full-fledged quantum computers become available.

The researchers' paper describes how they developed a working RSA public key cryptography attack using D-Wave's Advantage quantum computer. Specifically, the researchers used the computer to successfully factor a 50-bit integer into its prime factors, thereby giving them a way to derive private keys for decryption.

**Significant Development**

Security researchers who have taken a look at the report generally don't consider the demonstration as posing any current threat to modern encryption systems, which typically use 2048-bit — or sometimes even larger — keys. Breaking these 2048-bit keys still remains computationally unfeasible, and the new research has not changed that fact.

What it does show, however, is the potential for quantum approaches to crack modern cryptography in a way that researchers have not considered before.

"Realistically, achieving the computational power necessary to break RSA-2048 encryption — which requires around 10,000 stable, error-corrected qubits — remains at least a few years away, given current technological limitations," says Avesta Hojjati, head of R&D at DigiCert.

But the Chinese research demonstrates significant progress in exploiting cryptographic weaknesses through specialized quantum techniques, rather than full-fledged universal quantum computers, Hojjati says. "It effectively illustrates that advancements in niche quantum methods could pose earlier, smaller-scale cryptographic risks, emphasizing a gradual rather than immediate progression toward large-scale quantum threats."

Almost everyone agrees the arrival of quantum computers in the next few years will completely undermine the protections of modern cryptography. They perceive quantum computers as easily breaking even the strongest current encryption protocols with their enormous computing power. Stakeholders, including governments, hardware makers, software developers, cloud service providers, and enterprises, all foresee the need for new quantum-resilient cryptography standards to protect against the threat and are collectively working toward developing those standards.

**A Different Approach to an Old Challenge**

One reason the Chinese research has attracted considerable attention is because it takes a different approach to harnessing quantum mechanisms for cryptography. Specifically, it involves a quantum approach called quantum annealing, which typically has been applied in processes like optimization and sampling, but not so much in factorization. A lot of the research around the implications of quantum computing on cryptography has instead focused on gate-based quantum computing. "D-Wave's quantum annealing, operating with fewer qubits than projected universal quantum computers for large-scale cryptography, succeeded in factoring with greater efficiency," Hojjati says. "By reimagining RSA's integer factorization as an optimization problem, the researchers showcase quantum annealing's potential to exploit cryptographic vulnerabilities ahead of the availability of universal quantum computers."

Rahul Tyagi, CEO of SECQAI, says the significance of the Chinese research lies in its innovative approach to quantum computing. It offers fresh insight beyond the well-explored paths of algorithms that are tailored to gate-based quantum computers. "The research emphasizes the importance of considering other computing paradigms, such as D-Wave, which may be better suited for certain types of algorithmic approaches," Tyagi says.

Importantly, this research does not appear to compromise existing cryptographic systems. It seems instead to present optimizations of existing methods while suggesting new ideas and approaches. "Ultimately, any research into new attack vectors is valuable, and this paper underscores the need to look beyond conventional methods and consider the broader quantum computing landscape."

Like Hojjati, Tyagi perceives significant advancements still remain before quantum computers break open encryption mechanisms. And that will likely take years. In the meantime, organizations should remain proactive by investing in quantum-resistant technologies and continuously updating their security protocols. From an academic perspective, the key question is how to redesign known attack vectors to exploit this emerging heterogeneous landscape of computational capabilities, Tyagi adds.

For the moment, what organizations must do is understand their own infrastructure, and establish what cryptography is being used and where. "Systems with a lifetime of 10 years or more need to be migrated ASAP to quantum-resilient encryption," Tyagi says. "Anything with a four-year time horizon is probably OK for now — however, a long-term road map needs to be created to define when the migration needs to occur."

Hojjati recommends that organizations enable visibility into current encryption practices so they can identify vulnerable algorithms and create pathways for swift transitions to quantum-safe options. "By developing crypto agility now," he advises, "organizations can efficiently deploy quantum-resistant encryption as standards evolve, reducing long-term risks and minimizing disruption."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Chinese Researchers Tap Quantum to Break Encryption

An issue in the component /index.php?page=backup/export of REDAXO CMS v5.17.1 allows attackers to execute a directory traversal.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-37gm-h5wr-pf25: Path traversal in redaxo

The US DoJ indicts two Sudanese nationals allegedly behind Anonymous Sudan for over 35,000 DDoS attacks targeting critical…

The US DoJ indicts two Sudanese nationals allegedly behind Anonymous Sudan for over 35,000 DDoS attacks targeting critical infrastructure, hospitals, and major tech firms. The FBI seized a powerful DDoS tool; victims include the DOJ, Microsoft, and Cedars-Sinai.

The United States Department of Justice (DoJ) has indicted two Sudanese nationals for their alleged role in operating the hacktivist group Anonymous Sudan. The group claimed fame for conducting “tens of thousands” of large-scale and crippling Distributed Denial of Service attacks (DDoS attacks) targeting critical infrastructure, corporate networks, and government agencies globally.

****The Alleged Masterminds Behind the Attacks****

Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, stand accused of conspiracy to damage protected computers. Ahmed Salah faces additional charges for damaging protected computers.

The duo is believed to have controlled Anonymous Sudan, which, since early 2023, launched attacks on high-profile entities such as ChatGPT, UAE’s Flydubai Airline, London Internet Exchange, Microsoft, and the Israeli BAZAN Group.

Anonymous Sudan taking responsibility for DDoS attacks on OpenAI’s ChatGPT (Screenshot credit: Hackrad.com)

The group and its clients also utilized the Distributed Cloud Attack Tool (DCAT) to conduct over 35,000 DDoS attacks. These attacks targeted sensitive government and critical infrastructure in the U.S. and globally, including the Department of Justice, Department of Defense, FBI, State Department, and Cedars-Sinai Medical Center in Los Angeles.

The attacks, which sometimes lasted days, reportedly caused major damage, often crippling websites and networks. For instance, the attack on Cedars-Sinai Medical Center forced the redirection of incoming patients for eight hours, causing over $10 million in damages to U.S. victims.

****FBI Seized Anonymous Sudan’s DDoS Tool****

For your information, DCAT refers to a type of malicious tool or framework that exploits cloud resources across multiple geographic locations to execute cyberattacks. These tools often take advantage of the scalability, distribution, and on-demand nature of cloud services to create strong attack infrastructures.

According to the DoJ’s press release, in March 2024, the U.S. Attorney’s Office and the FBI, acting on court-authorized seizure warrants, successfully disabled and seized Anonymous Sudan’s “powerful DDoS tool.” This tool, which the group allegedly used to execute attacks and sold as a service to other criminals, was the base of their operations.

The March 2024 operation, which disrupted the DCAT tool (also known as “Godzilla,” “Skynet,” and “InfraShutdown”), involved seizing key components, including servers that launched and controlled attacks and those that relayed commands. The warrants also covered accounts containing the source code for the DDoS tools.

“Anonymous Sudan sought to maximize havoc and destruction against governments and businesses around the world,” stated United States Attorney Martin Estrada. He emphasized the group’s callousness, noting attacks on hospitals providing emergency care. “We are committed to safeguarding our nation’s infrastructure and holding cybercriminals accountable,” he added.

****Operation PowerOFF****

These actions are part of Operation PowerOFF, an international effort to dismantle DDoS-for-hire infrastructures active since 2018. Private sector entities like Akamai SIRT, Amazon Web Services, Cloudflare, and Microsoft have played a key role in the takedown since.

In its latest blog post shared with Hackread.com, Akamai SIRT expressed gratitude to the FBI, DOJ, and the Big Pipes working group for their commitment to prioritizing DDoS investigations and disrupting these operations.

“Akamai would like to thank the members of the Federal Bureau of Investigation (FBI), the DOJ, and the Big Pipes working group for their commitment to prioritizing DDoS investigations, as well as their investment of time and energy into unravelling these operations and attempting to disrupt them,” the company said.

1.  Cyberattack on American Water Halts Billing
2.  Dark Web’s cybercrime group indicted after stealing $530M
3.  Technician Indicted for Hacking California Water Treatment Facility
4.  Russian Hacker Wanted for Cyberattacks on Ukraine, $10M Reward
5.  North Korean Hacker Charged for Ransomware Attacks on Hospitals

US Charges Duo Behind Anonymous Sudan for Over 35,000 DDoS Attacks

### Summary
An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

### PoC
1. Go to
https://www.admidio.org/demo_en/adm_program/modules/messages/messages.php
2. Click on Send Private Message
3. In the `Message` field, enter the following payload
`Testing<br><h1>HTML</h1><br><h2>Injection</h2>`

> 
![image](https://github.com/user-attachments/assets/0e5d9e4e-69c5-4908-9ab9-0c45c2548ff8)

4. Send the message
5. Open the message again

> 
![image](https://github.com/user-attachments/assets/d36f1b64-7d96-486d-ab65-cce2b7d21428)


### Impact
1. Data Theft: Stealing sensitive information like cookies, session tokens, and user credentials.
2. Session Hijacking: Gaining unauthorized access to user accounts.
3. Phishing: Tricking users into revealing sensitive information.
4. Website Defacement: Altering the appearance or content of the website.
5. Malware Distribution: Spreading malware to users' devices.
6. Denial of Service (DoS): Overloading the server with malicious requests.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-47836

**Admidio Vulnerable to HTML Injection In The Messages Section**

Low severity GitHub Reviewed Published Oct 16, 2024 in Admidio/admidio • Updated Oct 16, 2024

**Package**

composer admidio/admidio (Composer)

**Affected versions**

< 4.3.12

**Summary**

An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

**PoC**

1.  Go to  
    https://www.admidio.org/demo\_en/adm\_program/modules/messages/messages.php
2.  Click on Send Private Message
3.  In the Message field, enter the following payload  
    Testing<br><h1>HTML</h1><br><h2>Injection</h2>

4.  Send the message
5.  Open the message again

**Impact**

1.  Data Theft: Stealing sensitive information like cookies, session tokens, and user credentials.
2.  Session Hijacking: Gaining unauthorized access to user accounts.
3.  Phishing: Tricking users into revealing sensitive information.
4.  Website Defacement: Altering the appearance or content of the website.
5.  Malware Distribution: Spreading malware to users' devices.
6.  Denial of Service (DoS): Overloading the server with malicious requests.

**References**

*   GHSA-7c4c-749j-pfp2
*   Admidio/admidio@176f60d

Published to the GitHub Advisory Database

Oct 16, 2024

Last updated

Oct 16, 2024

GHSA-7c4c-749j-pfp2: Admidio Vulnerable to HTML Injection In The Messages Section

By using EDRSilencer, threat actors are able to prevent security alerts and reports getting generated.

Source: Artur Marciniec via Alamy Stock Photo

EDRSilencer, a tool frequently used in red-team operations, is being co-opted by the dark side in malicious attempts to identify security tools and mute security alerts.

As an open source endpoint detection and response tool that detects EDR processes running on a system, EDRSilencer uses Windows Filtering Platform (WFP) to monitor, block, and modify network traffic. 

The red-team tool is capable of blocking 16 common EDR tools, including Microsoft Defender, SentinelOne, FortiEDR, Palto Alto Networks Traps/Cortex XDR, and TrendMicro Apex One, among others.

The threat actors behind the subversion are attempting to integrate the tool into their attacks and repurpose it to evade detection. If successful, they can disrupt data exchange between EDRSilencer and its management server, preventing not just alerts but also detailed telemetry reports. It also gives the attackers options to add filters or avoid certain file paths to evade detection.

"The emergence of EDRSilencer as a means of evading endpoint detection and response systems marks a significant shift in the tactics employed by threat actors," the researchers at TrendMicro wrote in a post. "By disabling critical security communications, it enhances the stealth of malicious activities, increasing the potential for successful ransomware attacks and operational disruptions."

The researchers note that organizations must remain vigilant and implement advanced detection mechanisms as well as threat hunting strategies to counteract these evasion tools.

**About the Author**

Bad Actors Manipulate Red-Team Tools to Evade Detection

The shift to a distributed work model has exposed organizations to new threats, and a low but continuing stream of printer-related vulnerabilities isn't helping.

Source: Magnetic Mcc via Shutterstock

The shift to hybrid work models has exposed new vulnerabilities in corporate print infrastructure and heightened security risks at many organizations.

The risks run the gamut and include employees using insecure and unmanaged printers, remote workers sending print jobs over public networks, inadequate user authentication and print job release processes, exposed local spools and caches, and inconsistent patching practices.

A relatively low but steady volume of print-related vulnerabilities have exacerbated these issues. Recent examples of such vulnerabilities include CVE-2024-38199 (a remote code execution \[RCE\] vulnerability in the Windows or Line Printer Daemon \[LPD\] Service), CVE-2024-21433 (a Windows Print Spooler elevation of privilege vulnerability), and CVE-2024-43529 (a similar vulnerability that Microsoft disclosed in its October security update). The threats are certainly not Windows-specific, either. Recently, researchers discovered a set of potentially severe flaws in Common Unix Printing System (CUPS), a legacy protocol largely used in Linux, Unix, and heterogeneous environments.

Though few of these flaws have presented as major a threat as the PrintNightmare RCE flaw from 2021 in the Windows Print Spooler service, they have complicated the challenge of managing modern print infrastructure. Attackers, including nation-state actors, have sometimes abused printer software vulnerabilities — like CVE-2022-38028 — to substantial effect in their campaigns.

**Increase in Printer-Related Breaches**

The trends have driven an increase in print-related data breaches. A recent study that Quocirca conducted found that 67% of respondents experienced a printer-related security incident in 2024, compared with 61% last year. Small and mid-market organizations fared worse, with three-quarters (74%) reporting a printer-related data loss incident. Thirty-three percent pointed to unmanaged, employee-owned printers as a major security concern, and 29% identified vulnerabilities in office printing environments as presenting a major risk. More than a quarter (28%) identified their biggest printer related security challenge as protecting sensitive and confidential information.

Casey Ellis, founder and chief strategy officer at Bugcrowd, says the takeaway for organizations is that print security needs to be priority for decision makers. "Printer and print servers are an excellent place to establish persistence and gain business intelligence on a target," he says. The CUPS vulnerabilities showed that old, unused printer software can still represent a significant attack surface, especially for internal attacks and lateral movement.

Unfortunately, many organizations might be underestimating the risks or overlooking them altogether. And the shift to cloud/hybrid print environments have made printer infrastructure even more of an invisible issue from a vulnerability management standpoint, Ellis notes. "Let’s be real — the list of people who spend their days thinking about or even interacting with printers is a pretty small one," he says. "If your vulnerability management process allows out-of-sight, out-of-mind to dictate priority, it’s easy to miss \[printer security risks\]," he says.

The main takeaway is a general one, Ellis says: "Organizations need to remain diligent about their asset inventory and overall attack surface and ensure that they have a process for evaluating the risk."

**Printers, an Underestimated Risk?**

The legacy nature of many printer service environments is another issue, because vulnerabilities can sometimes exist undetected on them for years. Often, these printer environments lack the kind of monitoring tools that are available on other endpoint systems, making them a big target for attackers.

Often flaws are introduced into organizations' print infrastructure because print services are on by default and administrators are not aware of this, says Tom Boyer, director of security at Automox. "This means that this risk will go unseen for years and adversaries use that to their advantage," he notes. "They often know more about the target environment than the company themselves."

The Quocirca survey found security to be the top barrier to adoption of cloud print services as well.

"Although many organizations believe the cloud is more secure than an on-premise environment, security concerns remain a critical barrier to cloud print adoption," says Nicole Heinsler, chief engineer of security and device management at Xerox. "Overall, there is a disconnect between providers and clients on how the cloud can improve security by managing zero-day threats more effectively, and how data sovereignty can be more easily managed through cloud policies."

**Cloud Printing Cyber-Risks**

The survey found that many organizations view resting data — such as print jobs waiting in a queue and documents uploaded to the cloud print service — as a primary risk, Heinsler says: "This is why incorporating zero-trust principles in your cloud print infrastructure, such as authentication and access control, monitoring, detection, remediation, data and document protection, encryption, and automation, is so imperative."

One way to centralize print management infrastructure is to use cloud print options that deploy a native cloud architecture, rather than to attempt a "lift-and-shift" of traditional on-premises server architecture to a private cloud, she notes. The challenges organizations face will depend on the level of customization their applications have.

"For example, if they use standard print protocols, there's often little issue with \[cloud\] integration," Heinsler says. "\[But\] specific applications should be subjected to proof of concept before full enterprise deployment."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Hybrid Work Exposes New Vulnerabilities in Print Security

Challenges with cybercrime prosecution are making it easier for attackers to act with impunity. Law enforcement needs to catch up.

Source: Tero Vesalainen via Alamy Stock Photo

COMMENTARY

Historically, cybercriminals have always had an edge over law enforcement. It may take a few hours to steal thousands of credit cards after exploiting a SQL injection flaw, but the subsequent investigation and prosecution of the cybercriminals can take years — and still fail.

Europol described the challenges in investigating and prosecuting cybercrime — the collection and preservation of digital evidence, difficulty tracing and identifying attackers, and legal and judicial hurdles associated with cross-border investigations — back in 2019. These challenges remain relevant in 2024.

**Challenges That Law Enforcement Faces**

While many countries have one or more specialized law enforcement agencies (LEAs) or police units capable of investigating cybercrime, the general trend is to commingle computer-enabled crimes (cybercrimes) with cyberattacks and send them all to a single agency.

Cybercrimes, which include online dating scams and other types of digital fraud that rely on social engineering, cause damages ranging from 100 to several thousand dollars. Compare that with cyberattacks — which require fairly advanced tech skills and resources from cyber gangs — such as ransomware attacks on critical national infrastructure and advanced persistent threats aimed at stealthily stealing valuable trade secrets from large companies or classified information from governmental agencies. When a single agency is tasked with handling all types of digital crimes, it is unsurprising that just the initial triage of incoming cases can consume virtually all agency resources.

In contrast to overwhelmed LEAs dealing with all kinds of tasks simultaneously using extremely modest resources, modern cyber gangs usually have narrow specializations, such as vulnerability research and exploit development, where they truly excel technically and financially. Cyber mercenaries may use breached LEAs as proxies to attack other systems and slow down investigations, while state-backed groups may exploit backdoored LEAs for perfidious attacks trying to frame their political enemies. On the Dark Web, the number of announcements selling access to backdoored LEA systems or networks is steadily growing.

Despite national security being a hot topic for lawmakers on both sides of the Atlantic — and the increased funding that attention brings — specialized LEAs or units dedicated to tackling cybercrime still remain underfunded compared to their highly sophisticated, extraordinarily well-prepared, and well-funded adversaries.

Insufficient funding makes it harder to attract talented individuals to work on defense. In Western countries, state agencies struggle to compete with the deep-pocketed private sector for talented cybersecurity professionals, who can be swayed by perks unavailable to most government employees, such as higher salaries, longer leaves, and working from home. The situation is even worse in other countries: Young graduates with good technical skills can earn their annual salaries in a couple of weeks working for cybercrime conglomerates that actively prospect and recruit new members. In January 2024, FBI director Christopher Wray estimated that the number of hackers in China outnumbers all available FBI cyber personnel by at least 50 to 1.

Likewise, forensic tools and special equipment designed to bypass encryption on mobile devices or acquire digital evidence from a multicloud environment are also quite expensive, oftentimes being affordable only to leading national agencies or central forensic labs that serve thousands of requests from an entire country. As a result, a backlog of cybercrime investigations is building relentlessly, undermining people's trust in their government's capacity to protect their privacy and property on the Internet.

**Advantages for the Cyber Gangs**

International collaboration and judicial assistance in cybercrime investigation has never been simple. The Budapest Convention of 2001 is probably the most important international treaty designed to combat cross-border cybercrime. But even after the enactment of the Second Additional Protocol, the convention has fallen short of its original goals for political and organizational reasons. The recently proposed UN Treaty on Cybercrime is unlikely to do much better amid the unfolding geopolitical crises and the weakening force of international law.

The problem is that some countries, even after ratifying a treaty, are very selective when complying with the underlying duties and obligations owed to other signatories. They frequently ignore or simply delay required actions to the extent that, by the time they're finally performed, they are worthless — for instance, seizing volatile digital evidence several years after receiving a mutual legal assistance (MLAT) request from another sovereign state.

Indeed, some countries are considered safe harbors for cyber gangs that cooperate with, or work for, the government. These barons enjoy a luxurious lifestyle, safe in the knowledge that they will never be prosecuted domestically, let alone extradited, for cybercrimes that do not conflict with state public policy. Such cybercrime havens create a strong feeling of impunity among perpetrators, who believe — usually accurately — that they are above the law. Even if they are apprehended, cybercriminals usually get lenient punishments for the financial damage caused, compared to the decades-long and even life sentences for leaders of drug cartels or masterminds of Ponzi schemes.

Alarmingly, as the World Economic Forum reports, cybercrime has started to merge with organized and violent crime — for example, exploiting forced labor to staff large-scale online fraud and extortion campaigns.

**How Law Enforcement Can Make Up Ground**

To win against the seemingly invincible cybercrime hydra, governments should better organize their national cybercrime LEAs. Here's what they need to do:

*   Create specialization and internal segmentation.
    
*   Allocate additional funding to these agencies.
    
*   Form more public-private partnerships to jointly trace and dismantle cyber gangs.
    
*   Revise national legislation, including sentencing guidelines, for cybercrimes to boost the deterrence effect.
    

Otherwise, in a few years, the Internet may become an uncontrollable zone of lawlessness and chaos, co-managed by rival cyber gangs.

For a longer version of this article, please contact the author.

**About the Author**

Partner, Platt Law

Dr. Ilia Kolochenko is a Swiss expert in cybersecurity, cybercrime investigation, and cyber law. He is also a lawyer admitted to the DC Bar in Washington, DC. His legal practice is mainly focused on data protection, privacy, and cybersecurity law. Dr. Ilia Kolochenko currently serves as a Chief Architect and CEO at ImmuniWeb, a global application security company headquartered in Geneva, Switzerland. He is also a Partner & Cybersecurity Practice Lead at a US law firm with offices in New York and Washington. As part of his academic activities, Dr. Kolochenko is an Adjunct Professor of Cybersecurity Practice & Cyber Law at Capitol Technology University in Maryland, and a Faculty Member at the DC Bar Continuous Legal Education (CLE) Program, where he teaches a cybersecurity and privacy course for lawyers and other legal and judicial professionals.

Dr. Ilia Kolochenko has an LL.M. (Master of Laws) degree in Information Technology Law from the University of Edinburgh Law School, an M.Sc. in Criminal Justice (Cybercrime Investigations & Cybersecurity) from Boston University, and a Ph.D. in Computer Science from Capitol Technology University. He currently completes an advanced LL.M. in Cyber, Information and National Security (CINS) at George Mason University, Antonin Scalia Law School.

He is a Fellow of Information Privacy (FIP) and a Privacy Law Specialist (PLS) at the International Association of Privacy Professionals (IAPP), two most advanced credentials in privacy practice and privacy law by the IAPP, respectively, while also holding AIGP, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, and CIPT privacy certifications. Additionally, he earned numerous offensive and defensive security certifications by the Global Information Assurance Certification (GIAC) after ongoing training in advanced cloud security, cyber operations, and investigations at SANS Institute.

Dr. Ilia Kolochenko currently serves a Vice-Chair of the Information Security Committee at the American Bar Association (ABA), also being a Fellow at the European Law Institute (ELI) and a Member of the Cybercrime Investigation & Cybersecurity (CIC) Center at Boston University. Additionally, Dr. Kolochenko is part of the Europol's Data Protection Experts Network (EDEN), INTERPOL's Digital Forensics Expert Group (DFEG), National Association of Criminal Defense Lawyers (NACDL), SANS CISO Network, and the EU CyberNet.

Dr. Ilia Kolochenko has authored over 75 articles on cybersecurity, computer crime investigations, cyber law, and artificial intelligence. His interviews and expert comments have been published in over 250 media across Europe and the US; he is also a frequent lecturer at cybersecurity, law enforcement, and legal conferences around the globe.

Cyber Gangs Aren't Afraid of Prosecution

North Korean hackers target Linux-based payment switches with new FASTCash malware, enabling ATM cashouts. Secure your financial infrastructure…

North Korean hackers target Linux-based payment switches with new FASTCash malware, enabling ATM cashouts. Secure your financial infrastructure and protect against these sophisticated attacks with expert cybersecurity solutions.

A new variant of the FASTCash malware, previously known to target Windows and AIX systems, has now been identified targeting Linux-based payment switches. 

FASTCash, first documented by U.S. CISA in 2018, has been linked to a series of ATM cashout schemes targeting banks in Africa and Asia since at least 2016, and has been developed by the notorious North Korean state-backed hacking group known as Lazarus (aka Hidden Cobra).

The malware operates by compromising payment switch servers, which are crucial components of a bank’s infrastructure responsible for processing card transactions. These systems handle the flow of transaction data between acquirers (the banks that enable merchants to accept payments), issuers (the banks that provide cards), and card networks like Visa and Mastercard. By targeting these payment switch servers, the malware disrupts the entire transaction process, making financial institutions vulnerable to fraud.

FASTCash for Linux uses Ubuntu Linux 22.04 (Focal Fossa), C++ programming language, AES-128 CBC encryption, and a hardcoded key to protect the configuration file.

A researcher, using the handle HaxRob, discovered two new samples of FASTCash for Linux switches in June 2023, one compiled for Ubuntu Linux 20.04 and likely developed after April 21, 2022, and the other likely not used. As of Sunday, only four anti-malware engines detected each sample.

HaxRob explains that the malware is present in the userspace of an interbank switch. When a compromised card is used for fraudulent translation, FASTCash manipulates messages received from issuers, causing transaction messages for denies to be converted to approvals.

The Linux variant of FASTCash is disguised as a shared object file named “libMyFc.so.” It specifically targets ISO 8583 messages – the standard format for communication within payment networks, intercepting declined transaction messages, typically triggered by insufficient funds, for a predetermined list of cardholder accounts. 

It then manipulates these messages, authorizing them for a random withdrawal amount in Turkish Lira, ranging from 12,000 to 30,000 Lira ($350 to $875). This modus operandi mirrors a Windows variant of FASTCash identified by the Cybersecurity and Infrastructure Security Agency (CISA) in September 2020.

For targeted transactions, the malware modifies the authorization response message by:

*   Removing specific data elements to avoid detection.
*   Overwriting the processing code to indicate approval.
*   Adding a random amount of Turkish Lira to the transaction amount.

Attack flow (Screenshot credit: Doubleagent.net

This expansion highlights the increasing sophistication and persistence of North Korean cyberattacks aimed at financial institutions and the need for enhanced security measures in payment switch systems.

Organizations should implement robust detection capabilities, regularly update software, configure security controls, patch and update systems, implement strong network security, conduct regular audits, and educate staff on phishing and social engineering risks to stay protected.

1.  **ATMJackpot Malware Stealing Cash From ATMs**
2.  **Cyber Criminals Selling Bitcoin ATM Malware on Dark Web**
3.  **ATM bombing suspect blew himself up while filming tutorial**
4.  **Card Skimmers and ATMs Used to Drain EBT Accounts in SoCal**
5.  **Prilex ATM Malware Modified to Clone Chip-and-Pin Payment Cards**

Tag

#auth