A fake proof-of-concept (PoC) exploit designed to lure cybersecurity researchers into downloading malicious software. This deceptive tactic leverages a recently patched critical vulnerability in Microsoft's Windows LDAP service (CVE-2024-49113), which can cause denial-of-service attacks.

****SUMMARY****

*   **Fake PoC Exploit for CVE-2024-49113**: A malicious exploit, “LDAPNightmare,” targets researchers by disguising it as a PoC for a patched Windows LDAP vulnerability.

*   **Data Theft**: The malware steals computer and network information, sending it to attackers’ servers.

*   **Sophisticated Attack**: A fake repository mimics a legitimate one, using malicious files and scripts to deploy the malware.

*   **High-Profile Target**: Attackers aim to compromise security researchers for valuable intelligence.

*   **Precautions**: Researchers should verify repository authenticity, prioritize official sources, and check for suspicious activity.

According to the latest research from Trend Micro, a fake Proof-of-Concept (PoC) exploit has been identified for CVE-2024-49113, a denial-of-service (DoS) vulnerability previously found in Microsoft’s Windows Lightweight Directory Access Protocol (LDAP). Both vulnerabilities were originally identified by Safebreach.

The attackers have set up a malicious repository containing the fake PoC, leading to the exfiltration of sensitive computer and network information. This attack, known as LDAPNightmare, is designed to lure security researchers into downloading and executing information-stealing malware.

Repository containing “poc.exe” (Via Trendmicro)

When unsuspecting researchers download/execute this harmless-looking code, they inadvertently unleash an information-stealing malware. This malware stealthily collects sensitive data from the infected machine, including computer information, running processes, network details, and installed updates. It then transmits this stolen data to a remote server controlled by the attackers.

The attackers have employed a sophisticated technique to deliver the malware. The malicious repository appears to be a legitimate fork of an original repository, making it difficult to immediately identify as malicious.

The genuine Python files in the repository have been replaced with a malicious executable, which, upon execution, drops and executes a PowerShell script. This script then establishes a scheduled task that downloads and executes another malicious script from Pastebin. This final script collects the victim’s public IP address and exfiltrates stolen data to an external FTP server.

It is worth noting that the vulnerability was addressed in Microsoft’s December 2024 Patch Tuesday release, which addressed two other critical vulnerabilities in LDAP. The first, CVE-2024-49112, is a remote code execution bug that attackers can exploit by sending specially crafted LDAP requests. The second, CVE-2024-49113, is a DoS vulnerability that can be exploited to crash the LDAP service, causing service disruptions. 

For your information, PoC exploits are non-harmful attacks that reveal software security weaknesses, aiding companies in patching vulnerabilities. However, if used incorrectly, PoCs can provide attackers with a blueprint for exploiting a system before users can install fixes, potentially causing harm.

This attack method, as per Trendmicro’s report, while not entirely novel, threatens the cybersecurity community because by exploiting a high-profile vulnerability and targeting security researchers – individuals who are often highly aware of security threats – attackers can gain valuable intelligence and potentially compromise critical security systems.

Therefore, security researchers should be cautious when downloading and executing code from online repositories. They should prioritize official sources, scrutinize repositories for suspicious content, and verify the authenticity of the repository owner or organization.

Moreover, it is essential to consider community feedback for repositories with minimal activity and look for red flags within the repository that may indicate potential security risks. This will help them stay protected from potential threats and ensure their security.

1.  Hackers Use Fake PoCs on GitHub to Steal AWS Keys
2.  Warning: Fake GitHub Repos Delivering Malware as PoCs
3.  Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!
4.  How to Conduct a Cybersecurity Proof of Concept with a Vendor
5.  Fake 7-Zip Exploit Code Traced to AI-Generated Misinterpretation

Fake PoC Exploit Targets Cybersecurity Researchers with Malware

About Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability. ThemeHunk company develops commercial themes for WordPress CMS. And the Hunk Companion plugin is designed to complement and enhance the functionality of these themes. The plugin has over 10,000 installations. On December 10, WPScan reported a vulnerability in Hunk Companion plugin versions below 1.9.0, allowing […]

**About Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability.** ThemeHunk company develops commercial themes for WordPress CMS. And the Hunk Companion plugin is designed to complement and enhance the functionality of these themes. The plugin has over 10,000 installations.

On December 10, WPScan reported a vulnerability in Hunk Companion plugin versions below 1.9.0, allowing unauthenticated attackers to install and activate plugins from the WordPressOrg repository. The exploit has been on GitHub since December 28.

This way, attackers can install plugins that contain additional vulnerabilities. 👾 In the incident analyzed by WPScan, the attackers installed the WP Query Console plugin with RCE vulnerability CVE‑2024‑50498 on the website and exploited it to install a backdoor.

If you use WordPress, try to minimize the number of plugins and update them regularly!

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability

Infoblox cybersecurity researchers investigating the mysterious activities of 'Muddling Meerkat' unexpectedly uncovered widespread use of domain spoofing in malicious spam campaigns.

****SUMMARY****

*   **Infoblox discovered widespread domain spoofing in spam campaigns while investigating ‘Muddling Meerkat.’**

*   **Collaboration with the cybersecurity community linked Muddling Meerkat’s DNS activities to spam distribution.**

*   **Researchers identified multiple spam campaigns through abuse reports and domain analysis.**

*   **Techniques included phishing with QR codes, impersonating brands, extortion, and mysterious financial spam.**

*   **The findings show domain spoofing remains highly effective, bypassing current security measures.**

In its latest report, cybersecurity firm Infoblox has revealed how scammers use domain spoofing in spam campaigns, a discovery made through a collaboration between the cybersecurity and networking community on research about **the Chinese Great Firewall**.

This research project was initially aimed at understanding the activities of a threat actor known as a Muddling Meerkat. Muddling Meerkat is known for conducting strange DNS operations involving fake Chinese Great Firewall responses. The researchers could not determine the ultimate purpose of Muddling Meerkat’s activities, but they did learn a lot about how domain spoofing is used in **malspam**.

The research team, initially perplexed by Muddling Meerkat’s activities, sought external perspectives by sharing their findings with the broader security community. One key observation pointed towards a potential connection between Muddling Meerkat’s operations and spam distribution. 

Several organizations reported receiving abuse notifications for domains they owned, often internal domains with limited external exposure. These notifications indicated large-scale spam campaigns originating from Chinese IP addresses, targeting major email providers. This observation resonated with the team’s own findings, as they had **previously observed** Muddling Meerkat generating fake mail server (MX) records emanating from Chinese IP space.

A significant breakthrough occurred when the researchers discovered that they owned several of the “target” domains identified in the Muddling Meerkat research. By analysing abuse reports related to their own domains, leveraging their authoritative DNS server logs, and examining their internal spam collection, the researchers gained unprecedented insights into the tactics employed by spammers.

The investigation yielded a treasure trove of information about modern **malspam techniques**. Several distinct campaigns were identified, each employing sophisticated domain spoofing tactics to deceive recipients. These include QR Code Phishing, targeting Chinese citizens with emails containing QR codes, which redirect victims to phishing websites. Japanese Phishing campaigns impersonate reputable brands like Amazon and major Japanese banks and lure users to fake login pages.

A phishing QR code and an Amazon phishing page (Via Infoblox)

Extortion campaigns demand ransom **payments in cryptocurrency** to prevent exposure. Mysterious Financial Campaigns, originating from China, send seemingly innocuous spreadsheet attachments purporting to be from a Chinese freight company. The purpose of these campaigns remains unclear, as they lack clear malicious content or motive, Infoblox researchers noted in their **technical blog** shared with Hackread.com.

Nevertheless, the research reveals a disturbing reality: domain spoofing remains a highly effective and prevalent tactic for spammers. Despite the existence of various security mechanisms designed to detect and prevent spoofing, these campaigns continue to evade detection and successfully reach their targets.

Infoblox’s research came just days after another domain abuse-related report was **published by WatchTowr**, which exposed more than 4,000 active hacker backdoors in expired domains and abandoned infrastructure worldwide. This shows the ongoing challenge of combating sophisticated spam techniques and the need for continuous implementation of cybersecurity measures.

1.  **Hackers Use Fake Domains in Trump Trading Card Scam**
2.  **99% of UAE’s .ae Domains Exposed to Phishing and Spoofing**
3.  **“Sitting Ducks” DNS Attack Lets Hackers Easy Domain Takeover**
4.  **Scammers Exploit Fake Domains in Dubai Police Phishing Scams**
5.  **DeFi Hack Alert: Squarespace Domains** **Vulnerable** **to DNS Hijacking**

Muddling Meerkat Linked to Domain Spoofing in Global Spam Scams

New year, same story. Despite Ivanti's commitment to secure-by-design principles, threat actors — possibly the same ones as before — are exploiting its edge devices for the nth time.

Source: Lobro via Alamy Stock Photo

A Chinese threat actor is once again exploiting Ivanti remote access devices at large.

If you had a nickel for every high-profile vulnerability affecting Ivanti appliances last year, you'd have a lot of nickels. There was the critical authentication bypass in its Virtual Traffic Manager (vTM), the SQL injection bug in its Endpoint Manager, a trio affecting its Cloud Services Appliance (CSA), critical issues with its Standalone Sentry and Neurons for IT Service Management (ITSM), plus dozens more.

It all started last January, when two serious vulnerabilities were discovered in Ivanti's Connect Secure (ICS) and Policy Secure gateways. By the time of disclosure, the vulnerabilities were already being exploited by a suspected Chinese-nexus threat actor, UNC5337, believed to be an entity of UNC5221.

Now, one year and one secure-by-design pledge later, threat actors have returned to haunt Ivanti all over again, via a new critical vulnerability in ICS which also affects Policy Secure and Neurons for Zero Trust Access (ZTA) gateways. Ivanti has further warned of a second, slightly less severe bug that hasn't been observed in exploits yet.

"Just because we're seeing these often doesn't necessarily mean that they're easy to pull off — it's a highly sophisticated group that is doing this," Arctic Wolf CISO Adam Marrè points out, in defense of the downtrodden IT vendor. "Engineering is not easy, and secure engineering is even more difficult. So even though you may be following the principles of secure-by-design, that doesn't mean that someone isn't going to be able to come along and either with new technologies, or new techniques, and enough time and resources, hack in."

Related:New AI Challenges Will Test CISOs & Their Teams in 2025

**2 More Security Bugs in Ivanti Devices**

As yet unexploited (as far as researchers can tell) is CVE-2025-0283, a buffer overflow opportunity in ICS versions prior to 22.7R2.5, Policy Secure before 22.7R1.2, and Neurons for ZTA gateways before 22.7R2.3. The "high" severity 7.0 out of 10-rated issue in the Common Vulnerability Scoring System (CVSS) could enable an attacker to escalate their privileges on a targeted device, but requires them to be authenticated first.

CVE-2025-0282 — rated a "critical" 9.0 in CVSS — does not come with that same caveat, allowing for code execution as root with no authentication required. Ivanti disclosed few details regarding the exact cause of the issue, but researchers from watchTowr were able to successfully reverse engineer an exploit after comparing ICS's patched and unpatched versions.

Related:Best Practices & Risks Considerations in LCNC and RPA Automation

According to Mandiant, a threat actor began exploiting CVE-2025-0282 in mid-December, deploying the same "Spawn" family of malware tied to UNC5337 exploits of previous Ivanti bugs. Those tools include:

*   The SpawnAnt installer, which drops its malware colleagues and persists through system upgrades
    
*   SpawnMole, which facilitates back-and-forth communications with attacker infrastructure
    
*   SpawnSnail, a passive secure shell (SSH) backdoor
    
*   SpawnSloth, which tampers with logs to conceal evidence of malicious activity
    

"The threat actor's malware families demonstrate significant knowledge of the Ivanti Connect Secure appliance," says Mandiant senior consultant Matt Lin. In fact, besides UNC5337 and its spawn, researchers also observed two more unrelated but equally bespoke malware deployed to infected devices. One — DryHook, a Python script — is designed to steal user credentials off targeted devices.

The other, PhaseJam, is a bash shell script that enables remote and arbitrary command execution. Most creative, though, is its ability to maintain persistence through sleight of hand. If an administrator attempts to upgrade their device — a process that would unseat PhaseJam — the malware will instead show them a fake progress bar that simulates each of the 13 steps one might expect in a legitimate update. Meanwhile, in the background, it prevents the legitimate update from running, thereby ensuring that it lives another day.

Related:Cybercriminals Don't Care About National Cyber Policy

DryHook and PhaseJam might have been the work of UNC5337, Mandiant noted, or another threat actor altogether.

**Time to Update**

Data from The ShadowServer Foundation suggests that north of 2,000 ICS instances could be vulnerable at the time of writing, with the greatest concentration in the US, France, and Spain.

Source: The Shadowserver Foundation

Ivanti and the Cybersecurity and Infrastructure Security Agency (CISA) have published instructions for mitigating CVE-2025-0282, emphasizing that network defenders should run Ivanti's built-in Integrity Checker Tool (ICT) to seek out infections, and implement patches immediately.

"We have released a patch addressing vulnerabilities related to Ivanti Connect Secure," an Ivanti spokesperson tells Dark Reading. "There has been limited exploitation of one of the vulnerabilities and we are actively working with affected customers. Ivanti’s ICT has been effective in identifying compromise related to this vulnerability. Threat actor exploitation was identified by the ICT on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix. We strongly advise customers to closely monitor their internal and external ICT as part of a robust and layered approach to cybersecurity to ensure the integrity and security of the entire network infrastructure."

It may be worth noting that unlike ICS, Policy Secure and ZTA gateways won't be receiving their patches until Jan. 21. In its security advisory, Ivanti stated that ZTA gateways "cannot be exploited when in production," and that Policy Secure is designed to not be Internet-facing, reducing the risk of exploitation via CVE-2025-0282 or similar vulnerabilities.

"It's important that administrators here are doing the right things," Marrè says, noting, "That may result in some downtime, which can be disruptive for organizations, which can lead to them putting it off, or not fixing it as thoroughly and as well as they should."

Lin adds, "We’ve observed organizations that have historically acted promptly in response to these threats did not experience the same negative impacts when compared to organizations that failed to do the same." He also acknowledges, "All the swirl that takes place in the background once one of these patches is announced.

"Security teams across orgs have to scramble to not just patch, but also understand whether they’re vulnerable, and if so, do they only need to patch, or have they already been breached? And if they have been breached, that starts another incident response, which creates massive workflows across companies around the world. It’s important to not lose sight of the toil and exhaustion that defenders go through when assessing these scenarios and not be hyper critical of their initial reaction times."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Threat Actors Exploit a Critical Ivanti RCE Bug, Again

Microweber Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the create new backup function in the endpoint /admin/module/view?type=admin__backup

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-w5g5-4jj3-8f6v: Microweber Cross-site Scripting vulnerability

Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint /admin/module/view?type=users

GHSA-97h9-p9f8-4p3r: Microweber Cross-site Scripting vulnerability

Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) field in the Add new campaign function

GHSA-j4v9-cm37-h7c2: Microweber Cross-site Scripting vulnerability

Ivanti has issued a critical security advisory addressing two vulnerabilities in its Connect Secure, Policy Secure, and ZTA Gateway products.

****SUMMARY****

*   **Critical Vulnerabilities Identified**: Ivanti has disclosed two critical vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in Connect Secure, Policy Secure, and ZTA Gateways, with CVE-2025-0282 already being actively exploited.

*   **Impact of Vulnerabilities**: CVE-2025-0282 allows unauthenticated remote attackers to execute arbitrary code, potentially gaining full control of affected systems. CVE-2025-0283 enables local authenticated attackers to escalate privileges, posing significant security risks.

*   **Patch Availability**: Ivanti has released a patch for Connect Secure (version 22.7R2.5) addressing both vulnerabilities. Patches for Policy Secure and ZTA Gateways are expected by January 21, 2025.

*   **Recommended Actions**: Ivanti advises organizations to immediately patch Connect Secure systems, isolate vulnerable Policy Secure and ZTA Gateways, and monitor systems closely using tools like the Integrity Checker Tool (ICT).

*   **Expert Warning**: Experts highlight the urgency of patching and maintaining heightened vigilance against potential cyberattacks, citing past incidents like the Akira breach as reminders of the risks involved.

Ivanti has raised concerns about two remotely exploitable vulnerabilities in its enterprise-facing products, with one bug already being exploited in the wild.

According to Ivanti’s security advisory, the company has addressed two critical vulnerabilities (CVE-2025-0282 and CVE-2025-0283) affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways.

CVE-2025-0282, the more critical of the two, is a stack-based buffer overflow vulnerability in Ivanti Connect Secure. This vulnerability allows unauthenticated remote attackers to execute arbitrary code on vulnerable systems. Essentially, attackers can remotely compromise the system without any prior knowledge or credentials, potentially gaining complete control over the affected appliance.

CVE-2025-0283, while still a high-severity vulnerability, is less critical. This vulnerability, also a stack-based buffer overflow, allows local authenticated attackers to escalate their privileges on the system. This means that an attacker who already has legitimate access to the system can exploit this vulnerability to gain higher-level privileges, potentially compromising sensitive data or disrupting critical operations.

Ivanti has released a patch for Connect Secure (version 22.7R2.5), addressing both vulnerabilities. However, patches for Policy Secure and ZTA Gateways are not yet available and are scheduled for release on January 21st, 2025.

Given the active exploitation of CVE-2025-0282, Ivanti strongly urges organizations to prioritize patching their Connect Secure appliances immediately. For Policy Secure and ZTA Gateways, proactive measures such as temporarily isolating affected systems are recommended until the patches become available.

To mitigate the risks associated with these vulnerabilities, Ivanti recommends applying the latest patches as soon as they become available. For Connect Secure, upgrading to version 22.7R2.5 is suggested. Moreover, closely monitoring systems using the Integrity Checker Tool (ICT) and other security monitoring tools is essential to detect any signs of compromise.

In addition, the company recommends Policy Secure and ZTA Gateways users consider isolating affected systems from the network until the patches are applied. Organizations utilizing Ivanti products should prioritize implementing these recommendations to mitigate the risks associated with these vulnerabilities.

Martin Jartelius, CISO at Outpost24 commented on the latest development urging impacted parties to immediately install patches. “Last time we had an Ivanti zero-day exploitation, the attackers shifted to their active/destructive phase as the patch became available, so anyone impacted should firstly patch at once, and secondly, review their readiness in incident response and keep extra eyes on their monitoring for the near future._“_

1.  **Hackers Target Ivanti Users Despite Patches**
2.  **Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks**
3.  **Ivanti VPN Flaws Exploited to Spread KrustyLoader Malware**
4.  **Magnet Goblin Hackers Using Ivanti Flaws to Drop Linux Malware**
5.  **Dell Urges Immediate Update to Fix Power Manager Vulnerability**

Ivanti Urges Patch for Flaws in Connect Secure, Policy Secure and ZTA Gateways

Cybercriminals are luring victims into downloading the XMRig cryptomining malware via convincing emails, inviting them to schedule fake interviews using a malicious link.

Source: ImageBroker.com GmbH & Co. KG via Alamy Stock Photo

NEWS BRIEF

Cybercriminals have picked up a new tactic, impersonating CrowdStrike recruiters in order to distribute a cryptominer on their victims' devices.

This malicious campaign starts with an email, inviting the victim to schedule an interview with a recruiter for a position as a junior developer.

The illegitimate email contains a link, alleging that it will take the recipient to a site so they can schedule their interview, but in reality, takes the victim to a malicious website containing links to download a purported "CRM application."

"While interview and job-related phishing emails are not uncommon, this is a very targeted campaign that goes beyond the vast majority of malicious campaigns we see with this theme," said Chance Caldwell, senior director of the Phishing Defense Center at Cofense, in an emailed statement. "The campaign uses URLs that were created to look like they might actually belong to CrowdStrike, and the downloaded malware provides a pop-up that directs users to the real CrowdStrike support portal. Most of the use cases we see are lucky to have proper branding, much less the extended work done here to really portray themselves as CrowdStrike."

**Malicious Recruiter Lures Target Both Windows & Mac**

The site offers options for both Windows and macOS, and regardless of which option the victim chooses, once selected, it will download a Windows executable written in Rust. The executable will then download the cryptominer XMRig.

The executable runs several environmental checks to analyze the device and evade detection, such as scanning the running processes, verifying the CPU, and more.

If the checks are passed, the executable will display a false error message pop-up for the user, while downloading additional payloads needed to run the XMRig miner.

CrowdStrike, which identified the campaign just days ago, is warning job seekers to be vigilant, as this is not the only scam involving fake employment offers that's circulating out there.

It recommended avoiding any interviews carried out through instant message or email, and refusing to download any software for an interview, and it stressed the importance of verifying the authenticity of any CrowdStrike hiring communications by contacting \[email protected\].

"It is very unlikely that a recruiter will direct someone to download an executable as part of the interview process," Caldwell noted. "Any suspicious requests, such as this one, should be sufficiently verified before downloading anything, and contact information should be verified through the legitimate company website."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

Growing sales of the System for Operative Investigative Activities (SORM), a Russian wiretapping platform, in Central Asia and Latin American suggests increasing risks for Western businesses.

Source: Golden Dayz via Shutterstock

A half-dozen governments in Central Asia and Latin American have purchased the System for Operative Investigative Activities (SORM) wiretapping technology from Russian providers, expanding their — and potentially Russian intelligence's — ability to intercept communications.

The technology includes monitoring equipment placed inside a telecommunications provider's facility, which delivers information to the client government's intelligence agency, including mobile numbers, phones identifiers, geolocation, names, email addresses, and IP addresses. That's according to threat intelligence firm Recorded Future, which found in an analysis that the former Soviet territories of Belarus, Kazakhstan, Kyrgyzstan, and Uzbekistan, and the Latin American nations of Cuba and Nicaragua, have very likely acquired the technology to wiretap citizens.

Western companies and citizens should take measures to protect their communications and to understand the risks of surveillance when traveling to countries that have lax civil protections against wiretapping, says a threat analyst with Recorded Future's Insikt threat intelligence group, who asked to remain anonymous due to the sensitivity of the topic.

"Obviously, in countries that don't employ SORM — even Western countries — surveillance frameworks are not immune to abuse, but it's important to look holistically at this when there's evidence of these systems being built with Russian-company inputs in a country with a history of state surveillance operations," the analyst says. "Particularly, human rights defenders, activists, journalists, members of civil society, but also foreign travelers, \[could all be targets\]."

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

The expansion of Russia's SORM kit highlights the gains of digital surveillance technology worldwide. The companies behind the spyware tools used by authoritarian governments — such as NSO Group's Pegasus and Intellexa Consortium's Predator — have made inroads globally, as the companies refine their ability to evade roadblocks on sales to sanctioned nations, according to an in-depth report published by the Atlantic Council in September. Overall, 41% of the 195 countries worldwide have licensed commercial spyware, including 14 of the 27 countries in the European Union, according to the Atlantic Council.

Wiretapping technology and spyware are often used for legitimate reasons, whether that be law enforcement investigations of suspected criminals or intelligence gathering against nation-state rivals. However, in countries with few protections for civil liberties, or poor regulation of digital surveillance technologies, abuses inevitably follow for governments that deploy it without adequate oversight, according to the Atlantic Council analysts.

Related:Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs

"Spyware makes it easier for states to penetrate even the most robust commercial technologies, cell phones, computers, and communications services; makes it far easier to act against citizens beyond state borders; and even provides governments with the ability to target senior officials, both domestically and abroad, where they might otherwise have no means to do so," the Atlantic Council analysts stated in the report. "Where that information is used to facilitate repression and abuse, its harms are untenable."

**The Spyware Nexus: An R Joins the Three I's**

The Atlantic Council identified 435 "entities" — companies and people associated with commercial spyware — and found that two-thirds lead back to three nations: Israel, Italy, and India. Now, Russia has become a major provider of surveillance technology as well.

Existing law in Russia requires that telecommunications providers install and maintain monitoring devices that meet SORM regulations, but the firms are not authorized to access the capabilities of the devices nor audit communications collection, according to Recorded Future's report. Countries in Russia's sphere of influence have passed similar laws mandating SORM-compliant technology, which is typically installed and serviced by Russian providers, likely giving Russia the ability to access intercepted communications.

Related:Unconventional Cyberattacks Aim to Take Over PayPal Accounts

Record Future used a variety of indicators for the adoption of SORM, including marketing materials and the websites of the providers of SORM technologies. The largest providers of SORM technology are companies called Citadel, Norsi-Trans, and Protei, who — along with five other identified technology firms — are likely exporting SORM products and services to at least 15 telecommunications companies, the firm found.

The risks of illicit digital surveillance are growing, argues Vitor Ventura, manager for EMEA and Asia at Cisco's Talos threat intelligence group.

"In certain countries, it might just be legal to do certain kind of interceptions for reasons that are not allowed in other countries, or because you have a law that says that if national security is at risk, you can do whatever you want," he says, adding that there has been a global boom in surveillance technology over the past few years.

"I don't think that the law is changing that much — I just think that there is a bigger appetite, and there's a lot more being offered," he says. "The prices eventually came down, and everyone that has the money for \[surveillance technology\] will actually go for it."

**Know Your Telecom Tech, Wiretapping Laws**

Companies that have employees based in nations with weaker civil liberty protections should note that adopting privacy and encryption tools can help mitigate the risk, but providers of virtual private network (VPN) services often are subject to the same laws as telecommunications providers, according to the Recorded Future report, and might also be turning over intelligence to government agencies.

In many ways, the cyber-risks mirror those argued by the US government in regards to Russian cybersecurity firm Kaspersky, whose antivirus products were banned in mid-2024, the Recorded Future analyst says.

"These \[telecom\] companies might be able to go into systems and have access to such a vast range of data — there's definitely a high intelligence value there," the analyst says. "The same risks that apply to Kaspersky are equally as applicable to Russian SORM providers."

Companies should keep apprised of the spread of the technology in the future. For example, one Russian provider, Protei, markets SORM in trade shows in Africa, the Middle East, and Latin America, raising the likelihood that countries in those regions will adopt the wiretapping platform at some time in the future.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tag

#auth