FortiGate firewall leak exposes 15,000+ configurations, impacting organizations globally. The actor behind the leak is Belsen Group. Learn…

FortiGate firewall leak exposes 15,000+ configurations, impacting organizations globally. The actor behind the leak is Belsen Group. Learn how to mitigate risks and protect your systems.

A new leak from a threat actor group dubbed Belsen Group or (Belsen\_Group) has exposed configurations from over 15,000 **FortiGate firewalls**, threatening organizations that use these devices, as it could allow attackers to gain access to sensitive systems and bypass defences. The US, UK, Poland, and Belgium have the highest number of victims, followed by France, Spain, Malaysia, Netherlands, Thailand, and Saudi Arabia.

Research by CloudSEK’s contextual AI digital risk platform XVigil **reveals** that in 2022, the Belsen Group breached a zero-day vulnerability, leaking over 15,000 Fortigate firewall configurations. The leaked information includes usernames, passwords (some in plain text), device management digital certificates, and all firewall rules. This data gives attackers a treasure trove of information that they can exploit. 

Belsen Group on Breach Forums and its dark web leak site (Screenshot Hackread.com)

Exposed usernames and passwords, especially those in plain text, can be used by attackers to directly access sensitive systems on your network. Even if you patched the vulnerability (**CVE-2022-40684)** in 2022, it is crucial to check for signs of compromise since this was a zero-day exploit. Leaked firewall configurations reveal your internal network structure, potentially allowing attackers to identify weaknesses and bypass security measures.

Breached digital certificates could allow unauthorized access to devices or impersonation during secure communications. What’s even more concerning is that organizations that patched the vulnerability after the initial disclosure in 2022 might still be at risk if attackers gained access before the patch was applied.

****Belsen Group’s Motives and History****

While the Belsen Group appears to be new on the hacking forum scene, the leaked data suggests they’ve been around for at least three years. Researchers believe they were likely part of a group that exploited a zero-day vulnerability (CVE-2022-40684) in FortiGate firewalls in 2022. After potentially using or selling the access gained through the exploit, they’ve now resorted to leaking the data in 2025.

To mitigate risks arising from such leaks, it is essential to update all device and VPN credentials, especially those listed in the leaked data, and implement strong passwords. Audit and reconfigure firewalls to identify vulnerabilities and tighten access controls. Rotate compromised digital certificates to ensure secure communication.

Additionally, determine the timeline for patching CVE-2022-40684 in your organization, conduct forensic analysis on compromised devices, and monitor your network for unusual activity. These steps will help protect your network and reduce potential risks.

CloudSEK has created a useful resource for organizations to check if any network is part of the exposed IPs after analysing data, which is available **here**.

1.  **UNC5820 Exploits FortiManager Zero-Day Vulnerability**
2.  **CISA and Fortinet Warns of New FortiOS Zero-Day Flaws**
3.  **Hackers Exploiting 0-day Vulnerability in Fortinet Products**
4.  **Hackers leak login credentials of vulnerable Fortinet SSL VPNs**
5.  **Hackers dump login credentials of Fortinet VPN users in plain-text**

Belsen Group Leaks 15,000+ FortiGate Firewall Configurations

Feeling creative? Have something to say about cybersecurity? Submit your caption and our panel of experts will reward the winner with a $25 gift card.

What motivates you? What will change how you do security? Send us a cybersecurity-related caption to describe the above scene and our favorite entry will win its wordsmith a $25 gift card.

Here are four convenient ways to submit your ideas before the Feb. 12 deadline:

*   Via social media: Bluesky, LinkedIn, Facebook, and X. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Shout out — and a $25 gift card — to Paul Mauriks, ICT security specialist, technology solutions, at the Department of Justice and Community Safety in Victoria, Australia for sending us the winning caption for last month's "Sneaking Around" cartoon. Some noteworthy contenders included "I guarantee you there are no backdoors to our network," "Finally found a way to get rid of all that old IT gea.," and "‘Yeah, asset disposal by ‘Back Door Inc.’ I’ll do the supplier assessment thing on Monday…’" Congrats to Paul, and a big thank you to all who participated.

**About the Author**

Cartoonist

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Toon: Incentives

WriteFreely through 0.15.1, when MySQL is used, allows local users to discover credentials by reading config.ini.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-3qc3-mx6x-267h: Insecure default config access in WriteFreely

The US Department of Commerce will prohibit the import of components for connected vehicles from China or Russia, as the US continues to ban technology it sees as potential national security threats.

Source: Hsyn20 via Shutterstock

Smart-vehicle makers are facing supply chain disruption as the US Department of Commerce plans to enforce new regulations banning the import of connected-vehicle technology from China and Russia over cybersecurity fears.

The Commerce Department pursued new regulations after President Biden declared a national emergency over concerns that the United States had become overreliant on China for information and communications technology and services (ICTS). The rule mandates that companies and their suppliers eliminate hardware or software imported from China or Russia in their vehicle connectivity system (VCS) or in their automated driving system (ADS).

It aims to address two concerns: vulnerabilities that would allow a nation-state or criminal organization to implant a backdoor in automotive hardware or software; and the collection of data on US drivers through diagnostic features and other mechanisms, says Yoav Levy, CEO and co-founder of automotive cybersecurity provider Upstream.

"The threat is definitely real," he says. "There are many cases where cars could be hacked — including the safety elements within the cars — and there were many cases where data was stolen or leaked. ... But so far, we haven't seen something like that on a huge scale."

Related:Leveraging Behavioral Insights to Counter LLM-Enabled Hacking

The concerns come as software-defined vehicles (SDVs) shake up the automotive market, while also potentially increasing the cyberattack surface area of automobiles. In the past, vehicle makers created a variety of platforms for their different models, and the number of processors — known as electronic control units (ECUs) — quickly climbed. While the post-pandemic chip shortage slowed the shift to new platforms, manufacturers now aim to quickly reduce the number of ECUs and other hardware needed for the VCS and ADS systems. While current models, for example, can have as many as 130 ECUs, Rivian has already reduced the number of ECUs to seven in its second generation R1 vehicles.

**Wielding the Cyber-Ban Hammer**

Rivian aside, most automobiles have a wide variety of components sourced from China, raising concerns that the United States' reliance on the technologies could allow future compromises.

Banning technology from China and sanctioning Russia is nothing new, says Ivan Novikov, CEO at API security firm Wallarm. The US government has already raised cybersecurity concerns over telecommunications equipment from Huawei, Chinese-made cargo equipment at US seaports, home routers made by Chinese manufacturer TP-Link, and popular social media app TikTok.

Related:Strategic Approaches to Threat Detection, Investigation & Response

"This is kind of the next logical step," he says.

The new commerce regulations will prohibit any "transactions involving VCS hardware and covered software designed, developed, manufactured, or supplied" by people or organizations linked to China or Russia, according to a 213-page final rule, which will be put into effect after months of comments.

Yet, many implementation details remain unclear, Novikov says.

"The open question here is who will enforce the regulations, because the usual enforcement of security requirements and crash \[safety\] tests is under the Department of Transportation," he says. "It's unclear how these two agencies can work together, and how this final DoT requirements or restrictions or controls can work."

**Securing Supply Chains & the Economy?**

The impact on the supply chain will be significant, experts say. The first tier of OEMs — large US and international companies — are not the problem. Their products, however, often come from suppliers that source their own components from Chinese companies, says Alex Oyler, director for North America at industry consultancy SBD Automotive.

It's just one more way that the supply chain is currently undergoing changes, he says. Many carmakers are looking to rewrite their relationships with providers as they move to software-defined vehicles.

Related:Trusted Apps Sneak a Bug Into the UEFI Boot Process

"We're in a bit of a different phase of software-defined vehicle in the sense that OEMs are actually starting to become a lot more prescriptive in the specification of the components that they're sourcing," Oyler says. "It's more of what's called a build-to-print relationship, where they provide not the functional requirements, but requirements for the component architecture — we want this processor, we need this memory, we need this GPU."

The shift to other sources of supply will take years, with the Biden administration allowing carmakers a grace period to comply with the regulations: Software components can no longer be sourced from China and Russia starting with 2027 car models, while by 2030 car models must contain no hardware from prohibited sources.

Making such changes will not be easy, says Upstream's Levy.

"It's not that easy to replace a supplier," he says. "There are financial implications with the supply chain — maybe it's going to be more expensive, or there may be some changes to software that they would need to do for the for the new supplier — an adjustment to the architecture. ... It really depends on what they are actually going to replace."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

US Ban on Automotive Components Could Curb Supply Chain

New hands-on testing results show that most devices are unable to catch phishing emails, texts, or calls, leaving users at risk.

Source: Thomas Bethge via Alamy Stock Photo

Highlights:

*   Consumer survey shows that the most common security issues are phishing attacks, such as text or emails seeking personal information, as well as malware and physical theft. 
    

*   Hands-on device testing shows that Samsung S24 offers the best anti-phishing protection, while the Google Pixel 9 Pro leads in many other areas. 
    

*   The iPhone 16 Pro and other premium Android smartphones from Honor, Xiaomi, and OnePlus lack security features and protections. 
    

COMMENTARY  
New research from Omdia shows that the security capabilities on several of the latest consumer smartphones, including top devices from Apple, Google, and Samsung, fail to detect several types of common phishing attacks.

As part of the fourth-annual Omdia Mobile Device Security Scorecard, Omdia surveyed 1,572 consumers across 13 major countries in the Americas, Asia and Oceania, and Europe, in October 2024. This survey covered the demographics of smartphone users, their security concerns and attitudes, their perception of the most common security threats, and the key smartphone purchasing drivers.

Consumers reported that the most common security issue they encountered was phishing scams and attacks (texts, emails or calls which use false pretenses to try to get the target to give away valuable personal information), with 24% reporting to have experienced phishing. 

Omdia also asked consumers to rate how important various security features were, with anti-phishing having the largest net-importance rating. In fact, over the four years Omdia has conducted its Mobile Device Security Scorecard research, anti-phishing has been rising in importance. This is no surprise, as phishing not only becomes more common, but also as consumers become more familiar with the attacks and the potential for personal information theft or financial loss. 

The next most common security issue was malware and viruses. The third most common was physical theft, such as pickpocketing, mugging or snatching. 

**Mobile Device Security Testing Results**

For each of these security issues, Omdia tested leading premium smartphones to determine availability and effectiveness of security features and capabilities. Google's Pixel 9 Pro and Samsung's Galaxy S24 both scored highly, ahead of Apple's iPhone 16 Pro and other leading Android-based devices, including the OnePlus 12, Xiaomi 14, and Honor Magic 6 Pro.

Despite the importance consumers place on phishing prevention on mobile devices, the anti-phishing features failed to some degree on every device Omdia tested. No device caught all the attempted phishing texts, calls, and emails initiated as part of the testing.  

Several of the devices did catch simulated spam calls: All Android devices from Google, Xiaomi, OnePlus, Honor, and Samsung, which have voice call protection, flagged suspected spam calls before the recipient could answer the call. The iPhone 16 Pro, however, did not have the same protections and did not catch the simulated spam call. 

Text messages with malicious short links were sent from an unknown number and sender ID, but these were not successfully caught by the test devices. Simulated phishing emails were sent from both Gmail and Google's Mail Delivery subsystem, but no device caught the phishing emails from Gmail; the messages were only identified as spam when sent from Google's SMTP. 

Despite not all phishing texts and emails being caught, once malicious links were opened on the devices, those that use Google Safe Browsing protections successfully blocked the link from opening. A warning screen was raised, forcing the user to bypass it to proceed.

Yet not all Android devices performed similarly: Samsung Internet blocked most links except the more sophisticated custom URLs, while the Xiaomi Mii and OnePlus Internet browsers failed to warn the user even when loading known malicious links. 

In previous years' testing, smartphones have been able to detect and successfully block or warn against the attempted phish. However, the difference year-on-year showcases the ever-changing nature of threats.

**Lack of Mobile Security Impacts Consumer Trust**

The lack of effective security protections on mobile devices, particularly against the growing threat of phishing attacks, is eroding consumer trust.

When Omdia asked consumers if their trust following a security issue increased (due to how well the issue was handled) or decreased, 73% reported they had reduced trust in the smartphone brand and operating system developer. 

Despite some manufacturers' efforts to ensure the latest mobile device security protections are in place, Omdia notes that it is difficult to protect against 100% of phishing attempts. This highlights the severity of the issue and potential impact to consumers.

That said, Omdia asserts that smartphone manufacturers can (demonstrated by the more advanced phishing protection capabilities on the market) and should have more effective baseline phishing protection in place — such as voice call protection, and all Android devices making use of Google’s Safe Browsing protections. 

Omdia sees the value in the phishing protection features implemented by the leading smartphone vendors, and how this can help to protect consumers — at least in most instances, based on Omdia's latest round of testing.

However, these features need to be paired with awareness activity from manufacturers, as well as the wider industry, to help consumers be vigilant and prepared for the instance when a security threat evades a protection mechanism. Such awareness adds an important additional layer of protection against the rising number of scams targeting consumers through their mobile devices.

**About the Authors**

Principal Analyst, IoT Cybersecurity, Omdia

Hollie works as a Principal Analyst within the Omdia team, providing insight into the fascinating and fast-moving domain of IoT Cybersecurity.

Hollie has a range of experience in research. She began her career in the legal sector, writing and researching for expert witness reports on the labour market. She then moved into product testing, with a consumer protection focus. In this role she was responsible for managing comparative tests of various tech products, as well as regular testing and investigative work into the security of these products.

She has published various articles for Which?, the UK's largest consumer organisation and one of the largest subscription magazines, and Computing magazine.

Senior Analyst, Smartphones, Omdia

Aaron West provides expertise and analysis of the smartphone market, joining Omdia in 2022. His areas of reporting include the active smartphone installed base, eSIM development, mmWave 5G, sustainability, and the foldable smartphone market.

Aaron has a range of research and publishing experience. He graduated with a degree in theoretical physics before moving into consumer product testing, with a focus on sustainability and the environment.

In this role, he was responsible for research project management, including comparative testing of technology products and consumer surveys. He also reported on the energy efficiency and longevity of home appliances, as well as the product lifecycle and obsolescence of smartphones.

Phishing Attacks Are the Most Common Smartphone Security Issue for Consumers

Security researcher discovers a non-password-protected database containing over 240,000 records belonging to US-based FinTech bill payment platform Willow…

Security researcher discovers a non-password-protected database containing over 240,000 records belonging to US-based FinTech bill payment platform Willow Pays. The exposed data includes names, emails, credit limits, and internal billing details.

Cybersecurity researcher Jeremiah Fowler recently discovered and reported a publicly accessible database containing over 240,000 records belonging to Willow Pays, a bill payment software company based in Chicago, IL. This database, lacking any password protection or encryption, contained sensitive information such as user names, email addresses, credit limits, and internal billing details.

For your information, Willow Pays is a service that allows users to finance bills and other expenses over four weeks. Customers upload their bills and personal information, and Willow Pays approves or denies the request before facilitating payments.

According to Fowler’s investigation published by Website Planet, this publicly exposed database contained 241,970 records, including “bills, mailing lists, account inconsistencies, repayment schedules, screenshots, settings, and snapshots,” the report read.

The records included names, email addresses, credit limits, and other internal information and a single spreadsheet document contained around 56,864 individuals’ details, who could be active customers, prospects, or blocked accounts.

The extent of any actual data compromise is yet unknown, however, Fowler believes that the exposed information could be exploited by criminals. This could include phishing attacks leveraging real billing data to deceive users, or using the information to gain unauthorized access to other accounts.

Fowler sent a responsible disclosure notice to Willow Pays, which promptly restricted the database from public access. The owner or management of the database is unknown, and the duration of exposure before discovery or if anyone else gained access is unknown.  

This incident highlights the increasing threat of cyberattacks on financial institutions, with Verizon reporting that 95% of data breaches are now financially motivated. Hackread.com recently reported that Czech cybersecurity startup Wultra has raised €3 million to develop post-quantum authentication technology to protect banks and fintech against quantum threats. The investment comes amid this growing global concern over the vulnerability of traditional security methods.

Given the persistent nature of this threat, security experts emphasize the need for financial software providers to implement effective cybersecurity measures, including encrypting sensitive data, regular security audits, and adopting multi-factor authentication. To stay protected from financial fraud online, check out this fraud prevention guide from Hackread.com.

1.  **Israeli fintech firms hit by Cardinal RAT malware**
2.  **Fuel Industry Software Provider Exposes SSNs, PII Data**
3.  **Hackers Exploit Revolut’s Payment System, Stealing $20M**
4.  **Builder.ai Database Exposes 1.29 TB of Unsecured Records**
5.  **Millions of US Voter Data Exposed in 13 Misconfigured Databases**

Fintech Bill Pay Platform “Willow Pays” Exposes Over 240,000 Records

Sneaky 2FA: New Phishing-as-a-Service targets Microsoft 365, leveraging sophisticated evasion techniques and a Telegram-based platform to steal credentials.…

Sneaky 2FA: New Phishing-as-a-Service targets Microsoft 365, leveraging sophisticated evasion techniques and a Telegram-based platform to steal credentials.

In December 2024, during routine threat hunting activities, Sekoia.io uncovered a new Adversary-in-the-Middle (AiTM) phishing kit specifically targeting Microsoft 365 accounts. This phishing kit, dubbed Sneaky 2FA, has been circulating since at least October 2024, with potential compromises identified through Sekoia.io telemetry.

Further probing revealed that Sneaky 2FA is being offered as a Phishing-as-a-Service (PhaaS) by the cybercrime service “Sneaky Log,” which operates through a fully-featured bot on Telegram.

The modus operandi of the entire campaign includes customers receiving access to a licensed and obfuscated source code version, allowing them to independently deploy phishing pages, typically hosted on compromised infrastructure, frequently involving WordPress websites and other domains controlled by the attackers.

Sneaky 2FA’s on Telegram and blurred background images that it uses (Via Sekoia)

In addition, the Sneaky 2FA phishing kit incorporates elements from the W3LL Panel OV6, another AiTM phishing kit previously reported by Group-IB. This connection suggests a possible lineage and development within the cybercriminal infrastructure.

****Characteristics of Sneaky 2FA****

According to Sekoia’s report, the Sneaky 2FA phishing kit employs several techniques to evade detection and enhance its success. It utilizes URL patterns, such as “mysilverfox.commy/00/#victimexamplecom,” to automatically prefill the phishing page with the victim’s email address.

These phishing URLs are generated using 150 alphanumeric characters, followed by the path /index, /verify, and /validate. This pattern offers opportunities for tracking. Most customers deploy the server in a dedicated repository, named /auth/ by default.

To further enhance its stealth, Sneaky 2FA integrates anti-bot and anti-analysis features. Cloudflare Turnstile pages are employed to differentiate human users from bots. These pages often present seemingly benign content before loading the actual challenge. Additionally, the phishing kit incorporates anti-debugging techniques to hinder analysis using web browser developer tools.  

The phishing pages themselves utilize a variety of obfuscation methods, including HTML and JavaScript code obfuscation, the embedding of text as images, and the inclusion of junk data within the HTML code. These techniques aim to make phishing pages more difficult to detect by security tools.

****Sneaky Log’s Operations****

The Sneaky Log service operates through a sophisticated Telegram bot that allows customers to purchase the phishing kit, manage subscriptions, and receive support. The bot offers a user-friendly interface and supports multiple cryptocurrency payment options, including Bitcoin, Ethereum, and Tether.  

Analysis of cryptocurrency transactions revealed potential money laundering activities, with users instructed to pay a 10% premium and subsequent transfers occurring between various addresses.

****Detection and Tracking Opportunities****

Detecting Sneaky 2FA attacks can be achieved by analysing authentication logs for anomalies. The phishing kit utilizes inconsistent User-Agent strings for different stages of the authentication process, which can be identified as “impossible device shifts” and flagged as suspicious activity.  Furthermore, the analysis of phishing page URLs, including patterns and domain registrations, can help track and identify campaigns associated with Sneaky 2FA.

Sneaky 2FA is a growing threat in Microsoft 365 phishing attacks, offering sophisticated features and a user-friendly PhaaS platform. To mitigate risks, organizations must continuously monitor and share threat intelligence apart from improving cybersecurity measures.

Stephen Kowski, Field CTO at Pleasanton, Calif.-based SlashNext Email Security+ commented on this urging Microsoft 365 to remain alert. _“_This kit’s ‘sneaky’ aspects include its sophisticated ability to populate victim email addresses automatically, its evasion of detection through Cloudflare Turnstile challenges, and its clever redirection of security tools to Wikipedia pages._“_

_“_The kit is a full-featured PhaaS platform with real-time credential and session cookie theft capabilities, making it particularly dangerous for Microsoft 365 environments,_“_ Stephen warned. _“_Protection requires phishing-resistant authentication methods like FIDO2/WebAuthn, real-time URL scanning at the time of click that completely bypasses Cloudflare Turnstile protection and proactive detection of newly registered phishing domains before they become active threats._“_

1.  **Malware Bypasses MS Defender, 2FA to Steal $24K in Crypto**
2.  **Rockstar 2FA Phishing-as-a-Service Kit Hits MS 365 Accounts**
3.  **Dark Web Anti-Bot Services Let Phishers Bypass Google’s Red Page**
4.  **New Telekopye Scam Toolkit Targeting Booking.com and Airbnb Users**
5.  **Malware Exploits Avast Anti-Rootkit Driver to Disable Security Software**

Telegram-Based “Sneaky 2FA” Phishing Kit Targets Microsoft 365 Accounts

Confidential Containers (CoCo) are containers deployed within an isolated hardware enclave protecting data and code (data in use) from privileged users such as cloud administrators. Red Hat OpenShift confidential containers are available from OpenShift sandboxed containers 1.7.0 as a tech-preview on Azure cloud and as a tech-preview on Azure Red Hat OpenShift.In this article we introduce confidential containers on bare metal which is now available as a preview using Assisted Installer for OpenShift. We cover a number of use cases for CoCo bare metal, explain how it works with different trusted

Confidential Containers **(CoCo)** are containers deployed within an isolated hardware enclave protecting data and code (data in use) from privileged users such as cloud administrators. Red Hat OpenShift confidential containers are available from OpenShift sandboxed containers 1.7.0 as a tech-preview on Azure cloud and as a tech-preview on Azure Red Hat OpenShift.

In this article we introduce confidential **containers on bare metal** which is now available as a preview using Assisted Installer for OpenShift. We cover a number of use cases for CoCo bare metal, explain how it works with different trusted execution environment (TEE) technologies (Intel TDX and AMD SEV-SNP) and third party attestation services such as Intel Trust Authority (ITA). We provide a high level overview of how this solution is deployed today, using an on-premises environment as an example. Additionally we briefly discuss the future roadmap and known issues in this preview release. 

We finish up with a demonstration of deploying CoCo bare metal and using it with Red Hat OpenShift AI.

**OpenShift confidential containers for bare metal **

The OpenShift confidential containers solution is based on deploying 2 operators:

*   OpenShift sandboxed containers operator—based on the Kata Containers open source project running pods inside virtual machines (VMs) for isolation workloads. This operator has been enhanced to also support the CNCF Confidential Containers (CoCo) open source project when deployed in environments that support **TEE** infrastructure such as Intel TDX and AMD SEV-SNP. For simplicity we refer to this operator in diagrams as “**OpenShift confidential containers**.”
*   Confidential compute attestation operator—based on the Trustee project (also part of the CNCF CoCo open source project) providing remote attestation capability. It’s responsible for performing the attestation operations and delivering secrets after successful attestation. A key point for this operator is to be deployed in a **trusted environment**

For additional details on the building blocks each operator consists of, their interaction and the key problems they solve (workload secret, signed container image, encrypted container image), we recommend reading Exploring the OpenShift confidential containers solution and Use cases and ecosystem for OpenShift confidential containers.

In this article our starting point is the following diagram showing the overall OpenShift confidential containers deployed for secrets retrieval by the workload use case: 

CoCo integrates TEE infrastructure with the cloud-native world. A TEE is at the heart of a confidential computing solution. TEEs are isolated environments with enhanced security (e.g. runtime memory encryption, integrity protection), provided by confidential computing-capable hardware. A special **virtual machine (VM)** called a **confidential virtual machine (CVM)** that executes inside the TEE is the foundation for OpenShift CoCo solution.

For CoCo bare metal, our focus is around TEEs provided by Intel TDX and AMD SEV-SNP.

The primary driver for CoCo bare metal solution has been for on-prem environments.

**CoCo bare metal business use cases for on-prem environments**

Whether to use CoCo on-prem or CoCo public cloud depends on the **area of trust to be established:**

*   **Public cloud is useful when a zone of trust between two or more partners in an untrusted area is required**
*   **On-prem is useful when increased isolation from other services is required**— deploying a workload which must be run inside of a company's trusted environment in order to give partners a safe haven. In this case, the company deploying the workload provides the servers and the host systems. Therefore, this environment usually consists of bare metal installations. The purpose here is to provide an extra level of security to either partners or (internal/external) customers within an on-prem datacenter

Let's look at some actual CoCo on-prem business use cases.

**IP protection / IP integrity**

Let's say a supplier is interested in providing a service to a customer. This service includes running workloads in the customer’s environment, and these workloads include proprietary business logic the supplier owns (its secret sauce).

By using confidential containers, the supplier can run its workloads in the customer’s on-prem environment and still protect its business logic from the customer even though the customer has full control of the on-prem environment. And with the use of a confidential container and its use of a CVM allows for further isolation of that workload from the rest of the datacenter infrastructure.

**Total tenant isolation / Service provider**

From talking to several public organizations, we've found that consolidating OpenShift services on a central infrastructure helps solve several problems. This includes reducing the number of administrators and providing dynamic load balancing between the tenants with higher utilization. This does, however, reduce the isolation between the different tenants, which many organizations are not comfortable with. Such organizations require a strict separation between the OpenShift tenants to better prevent data leaks.

With confidential computing we are able to deploy all OpenShift services shared between tenants as confidential objects, helping prevent unauthorized tenants or users from obtaining the confidential data in use. This makes it possible for additional organizations to move to these consolidated services.

Aside from public organizations, specialized service providers (focusing on specific industries such as financial services) are also interested in a similar solution. We have seen use cases where a specialized service provider acts like a public cloud provider for their clients. In order to do this, they need to provide an environment to their customers while maintaining the isolation of each customer and adhering to regulations and laws.

**Advanced use cases**

We are seeing traction on two additional use cases for CoCo on public cloud and CoCo on-prem: **support for confidential GPUs** and **secure cloud-bursting deployments**.

For additional information on those use cases we recommend reading our previous articles on secure cloud bursting and CoCo with confidential GPUs for AI workloads.

**CoCo and third party attestation solutions**

As we are concentrating on deploying the solution in an on-prem bare metal environment, the importance of remote attestation remains. The confidential compute attestation operator provides the remote attestation functionality. It has built-in support for Intel TDX and AMD SEV-SNP TEEs. Additionally, it can work with external third-party attestation services.

**Working with external attestation services**

The confidential compute attestation operator can also use external attestation services (AS) supported by Trustee as shown in the following diagram: 

As you can see, instead of Trustee providing the attestation service, it’s relying on an external attestation service. 

The value that the confidential compute attestation operator brings for such deployments is the abstraction of third-party attestation services from OpenShift confidential containers. The same interfaces are used between the Trustee agent and key broker service (KBS) regardless of the backend attestation service being used.

**Intel Trust Authority for OpenShift attestation **

The Trustee project supports Intel Trust Authority (ITA) providing attestation services for Intel TDX, AMD SEV-SNP and accelerated compute infrastructure such as those provided by NVIDIA. The confidential compute attestation operator now provides support for using ITA in OpenShift clusters: 

The following diagram shows how the different components we’ve described come together when using Intel TDX and ITA: 

It should be noted that similar to Trustee working with external attestation servers, it can work with external key managers as explained in this article. 

**Deploying CoCo bare metal**

The CoCo bare metal deployment relies on the following parts:

*   Assisted Installer for OpenShift—used for deploying OpenShift along with the **OpenShift sandboxed containers (OSC)** operator which includes OpenShift confidential containers support
*   Attestation operator install helper—helper script to install and configure confidential compute attestation operator
*   Confidential container install helper—helper script for setting up CoCo on bare metal OpenShift worker nodes using the OSC operator

**Assisted installer for installing OSC**

Assisted installer for OpenShift is a user-friendly installation solution offered on the Red Hat Hybrid Cloud Console. We leverage it for deploying OSC on bare metal servers. 

The following diagram shows how to choose the OpenShift sandboxed containers operator via Assisted installer:

**Attestation operator install helper**

In the general case, there are a number of deployment considerations that should be addressed when deciding where to deploy the attestation operator:

*   How do you bootstrap, verify and trust the TEE in an untrusted environment?
*   What are the components of your trusted environment?
*   What are the workload (pod) requirements when deployed in the TEE environment?

These questions relate to the topic of **Trusted Computing Base (TCB)** which includes hardware, firmware and software components for the CoCo solution and should be constructed when deploying the OpenShift CoCo solution. For additional details on this topic, we recommend reading Deployment considerations for Red Hat OpenShift Confidential Containers solution.

For simplicity, when testing and experimenting, we recommend installing this operator on the same bare metal deployment where your OpenShift cluster has been installed.

The install helper script takes care of deploying and configuring the confidential compute attestation operator.

**Confidential container install helper**

Once your OSC operator and confidential compute attestation operator have been installed, this script will take care everything else you require, including:

*   Deploying on Intel TDX machines
*   Deploying on AMD SEV-SNP machines
*   Etc

**Future releases and consolidation on assisted installer**

As the CoCo bare metal releases progress, we expect to gradually move all additional steps described here (confidential compute attestation operator and CoCo helper script) into an assisted installer to help simplify deployment.

**Current limitations**

*   Self-signed certificate authority (CA) certificates for the container registry are not supported, so the container registry must use public CA signed certificates. This is important if you are using private registries. Container registries like quay.io, ghcr.io, hub.docker.com, etc. use public CA signed certificates and we recommend using any of these container registries for this release
*   There is no support for encrypted container images while signed container images are supported
*   Container image double pull—the container image is downloaded and executed inside the confidential VM that executes inside the TEE. Currently, this container image is also downloaded on the worker node

**Demo: CoCo bare metal and Red Hat OpenShift AI**

**Wrap up**

In this article we introduced the confidential containers bare metal solution and some of the use cases it addresses, specifically for on-prem environments. We’ve also provided a short overview of how it’s deployed in practice and have shown a video of using the CoCo bare metal for deploying OpenShift AI workloads. In upcoming articles we will provide hands-on instructions for trying out confidential containers on bare metal.

Introducing confidential containers on bare metal

TikTok is now unavailable in the United States—and getting around the ban isn’t as simple as using a VPN. Here’s what you need to know.

After an opaque and uncertain saga, TikTok went dark on millions of phones across the United States on Saturday evening around 10:30 pm EST. Google Play and Apple’s App Store both pulled the app late Saturday as well. If it was already installed prior to Saturday evening, the app is still there on your phone, but launching it only reveals a pop-up warning about the ban. As the deadline loomed, TikTok users had been bracing for the change and flooding other platforms, including the Chinese social app Xiaohongshu or “RedNote.” But if you’re not quite ready to give up the latest skin-care hacks, budgeting tips, and pet tortoise influencers, there are some options for circumventing the ban and continuing to use the platform.

“Sorry, TikTok isn’t available right now,” the app alert reads. “A law banning TikTok has been enacted in the U.S. Unfortunately, that means you can’t use TikTok for now. We are fortunate that President Trump has indicated that he will work with us on a solution to reinstate TikTok once he takes office. Please stay tuned!” Other ByteDance-owned apps, including CapCut and Lemon8, also disappeared from US app stores.

Such a ban has never existed in the US before, so the technical methods being employed to implement it are still evolving, and circumvention techniques may need to change as well. The law driving the situation, the Protecting Americans From Foreign Adversary Controlled Applications Act (PAFACA), doesn’t make it illegal to have TikTok on your phone. And, notably, it also doesn’t say that TikTok itself has to stop the app from working in the US.

Nonetheless, the company said in the days before the law took effect that it planned to make the app inaccessible to US users—a level of cooperation and accommodation that the outgoing Biden White House called a “stunt” on Saturday afternoon. Even if TikTok itself had obligations under the law, the Biden White House had signaled that it did not plan to enforce the ban before Trump took office on Monday.

Rather than putting the pressure on TikTok, PAFACA requires app stores and cloud hosting services to stop doing anything to “distribute, maintain or update” TikTok. That puts the pressure on Apple and Google to stop new users from downloading TikTok, as well as infrastructure providers like Oracle to keep new content or software updates from reaching the app’s users. Over time, TikTok would likely degrade and become unusable.

Officials in India banned TikTok in 2020, and the company also proactively blacked out the app in that case. When Indian users who already had the app installed tried to launch it, a pop-up appeared telling them that they couldn’t access the service.

Devashish Gosain, a network analysis researcher and assistant professor at the Indian Institute of Technology Bombay, says that in India, TikTok users must remove their Indian SIM card from their phone or use an international SIM card and then run a VPN in order to load content in the app.

“Even VPNs do not lead to circumvention” in India, Gosain told WIRED.

In the early hours of the US ban, it was unclear exactly how feasible it would be to get around the restrictions for US accounts. It seemed that TikTok had taken a more extreme approach, turning any US builds of the app dark—blacking out versions of the TikTok app software that had been made to be downloaded and used by US users. It also seemed that US-linked accounts were being blocked regardless of IP address or SIM country information.

Running a VPN alone was certainly not enough to circumvent the ban and get back on TikTok. But seemingly using a non-US TikTok account after removing a SIM (or on a device without a US SIM card/US phone number) worked when combined with a VPN. Similarly, using a VPN with a desktop browser or the Tor Browser was enough to get a non-US TikTok account to load in the US early on Sunday morning, though TikTok’s desktop version has always been much more limited than its mobile app.

“TikTok inspects the source IP of the network packets—if the source IP belongs to India, it drops the packets,” Gosain explains, of the restrictions in India. “Also, the TikTok app fetches the country information embedded in the SIM card, and if the country code is ‘IN,’ it filters the network connection. When we remove the SIM card, the TikTok app fails to identify Indian users from the SIM card, and when we use VPNs, the IP address changes, and it no longer belongs to the Indian IP range. Thus, TikTok again fails to identify that the user is accessing from India. This is how we bypass the filtering.”

Virtual private networks, or VPNs, work by passing your internet traffic through servers that are physically maintained in locations around the world, so you can select an IP address that is tied to a different location than where you physically are. For example, American TikTok users can use VPNs to make it look like they are accessing the internet from outside the US. VPNs also stop your internet service provider (ISPs) from seeing your browsing data, adding an extra potential layer of privacy. When you’re using a VPN, your ISP will simply see connections to the VPN instead of having access to the detailed list of all the websites you’re visiting.

As a result of these capabilities, VPNs are frequently used in attempts to get around digital geolocation restrictions, like those on Netflix or other streaming platforms. They’re also an important, and familiar, tool for circumventing internet censorship programs for people living under authoritarian regimes like those in Russia, China, and Iran.

Using a VPN comes with caveats, though. Some commercial VPNs log people’s browsing history, which essentially just shifts data collection from ISPs to VPN makers. This means that the data isn’t more protected, and that law enforcement could request it from a VPN provider in the same way that they make requests to ISPs. As a result, picking a free VPN is generally not a good idea—with some even selling access to your home internet connections. But some VPNs publish no-logging policies and offer third-party audits and other transparency features in an attempt to show their compliance.

For now, it seems that TikTok’s efforts to block US users are extremely draconian, and even a non-US SIM card or no SIM card plus a VPN may not be a workable path to getting back on the app with a US TikTok account. But the restrictions may only be temporary anyway. In practice, there seems to be little appetite for a permanent ban in the US. And, in spite of originating the idea, President Trump has said in recent days that he doesn’t want the app to be banned.

“My decision on TikTok will be made in the not too distant future, but I must have time to review the situation,” Trump said in a Truth Social post on Friday. “Stay tuned!”

How to Get Around the US TikTok Ban

The Supreme Court has affirmed TikTok's ban in the US, which has its users in revolt and is creating a whole new set of national cybersecurity concerns.

Source: Roykas Tenys via Alamy Stock Photo

Now that the US Supreme Court has upheld a ban on the wildly popular video social media platform we know as TikTok, its most influential users have decided to retaliate by moving their game over to REDnote, a competing Chinese social media company, thus creating an entirely new, and arguably worse, situation for the nation's cybersecurity.

The move to the alternate platform is emerging as a pop culture phenomenon. Of TikTok's roughly 170 million monthly users in the US, more than 3 million have already headed over to REDnote. Chart-topping rapper Doechii announced her account, with 2.5 million followers, was headed over to REDnote just days before the Supreme Court ruling. Bunnie XO, wife of country music star Jelly Roll, with 7 million TikTok followers, has already declared her love for Mandarin Trap music after spending time on the app. The term "TikTok refugees," referring to new US users, is trending on REDnote, according to data. Searches for REDnote have spiked 100% over the past three months, and a recent "TikTok refugees" live chat attracted more than 50,000 users across the US and China.

Meanwhile, native Chinese speakers on the app are teaching their new group of US users how to correctly pronounce REDnote's Mandarin name, "Xiaohongshu," which directly translates to "Little Red Book," sharing the same name as Mao Zedong's book of quotations. Chairman Mao founded the People's Republic of China.

And, as US TikTok culture jokes about willingly handing over their data to a Chinese company with impunity as payback for the government's ban of the app, the US national security over TikTok just got even more problematic, according to experts.

**REDnote's Cybersecurity Problems**

ByteDance, the parent company behind TikTok, is headquartered in Singapore, and it has tried to convince the US it is run independent of the Chinese government. REDnote, on the other hand, is based in Shanghai, and it's one of the few social media platforms allowed to operate on both sides of the Great Firewall, making spying on Americans and throttling propaganda aligned with the Chinese Communist Party (CCP) agenda seemingly much easier. For US users interested in the specific terms of service to use REDNote, they are written in Mandarin, leaving the few who want to drill down on the app's data use to rely on Google Translate or a similar service to decipher the details.

"REDnote appears to be a more dangerous application than TikTok, as its terms of service are in Mandarin and it has not been vetted as extensively as TikTok," Ted Miracco, CEO of Approov, says. "REDnote's servers are primarily located in China, which means that user data is subject to Chinese cybersecurity laws that require companies to grant government access upon request. This situation contrasts with TikTok, which has made efforts to store some user data on US servers, offering a modicum of oversight by American authorities."

That said, national security concerns about a Chinese company controlling such a huge communications platform as TikTok in the US were well founded, according to Lawrence Pingree, vice president of Dispersive.

"I think that there are some valid concerns about the involvement of government agencies in espionage and influence operations that are important issues to address," Pingree said. "Things like data sovereignty, isolation networks and access, regular trusted third-party audits, background checks, authentication of remote employees, and, potentially, source code review are all prudent measures to require. Bans need to consider the totality of the situation, and the politics of the time."

And the politics are indeed prickly. Chinese government-backed hackers have been ramping up their espionage activities in recent weeks with compromises of multiple telecommunications networks and a breach of the US Treasury Department systems. Just a day before the Supreme Court's ruling, President Biden issued a sweeping new executive order on cybersecurity, directly calling out the malign activities of the Chinese government against the US.

The chances of a Chinese company like REDnote complying with any of the US's TikTok requirements to operate, like audits and background checks for employees, seem pretty slim in this environment.

**The Cyber Problem With the TikTok Ban**

The ban, which technically goes into effect on Sunday, was narrowly focused on TikTok and simply doesn't go far enough, Approov's Miracco adds.

"As the problem of data misuse continues to escalate, focusing solely on foreign platforms like TikTok without addressing the systemic issues within domestic social media creates an incomplete solution. A comprehensive approach is needed — one that holds all social media companies accountable for their data practices and prioritizes user privacy and security across the board," Miracco insists.

The ongoing larger problem is that legislation and lawmakers continue to lag behind technology, he adds. The ban wasn't able to effectively meet the moment, creating unintended consequences for US national security.

"The slow pace of legislative and legal actions often fails to keep up with the rapid evolution of technology and tactics employed by bad actors," Miracco says. "This gap can leave users unprotected against emerging threats that exploit the chaos surrounding the ban. As users seek alternatives to TikTok, they will inadvertently download less secure or malicious applications, including REDnote."

However, the threat of users migrating to other apps shouldn't be a deterrent to making decisions to improve US cybersecurity posture, argues Willy Leichter, chief marketing officer of AppSOC.

"The ban may inspire targeted attacks against other US-based social media platforms, but those are already happening. As a general rule, you shouldn't let the fear of reprisals stop you from taking proactive security steps," Leichter says. "We need to be prepared for the consequences anyway."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Tag

#auth