Wagenius posted about hacking more than 15 telecom providers on the Telegram messaging service.

Source: Gregg Vignal via Alamy Stock Photo

NEWS BRIEF

A US Army soldier was reportedly arrested Dec. 20 in Texas and charged with two counts of unlawful transfer of confidential phone records.  

Cameron John Wagenius, 20, is suspected of leaking presidential call logs belonging to AT&T and Verizon under an online alias of "Kiberphant0m."

Wagenius was initially flagged as being involved in the Snowflake hacking campaign along with Connor Riley Moucka, also known as "Judische," who was arrested last October as part of the Snowflake account hacking.

Kiberphant0m reportedly published stolen call logs for former President Donald Trump and Vice President Kamala Harris after Moucka was arrested, as well as offered data schema from the National Security Agency, call logs from US government agencies, and a SIM-swapping Verizon service.

He also posted on Telegram about hacking more than 15 telecom providers and maintaining a distributed denial-of-service botnet.

An indictment alleges that Wagenius was involved in the sale and transmission of confidential phone records; no further details have been released regarding his connection to the Snowflake attacks.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

US Soldier Arrested in Verizon, AT&amp;T Hacks

Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea.

Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being **Kiberphant0m**, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from **AT&T** and **Verizon**. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea.

One of several selfies on the Facebook page of Cameron Wagenius.

**Cameron John Wagenius** was arrested near the Army base in Fort Hood, Texas on Dec. 20, after being indicted on two criminal counts of unlawful transfer of confidential phone records.

The sparse, two-page indictment (PDF) doesn’t reference specific victims or hacking activity, nor does it include any personal details about the accused. But a conversation with Wagenius’ mother — Minnesota native **Alicia Roen** — filled in the gaps.

Roen said that prior to her son’s arrest he’d acknowledged being associated with **Connor Riley Moucka**, a.k.a. “**Judische**,” a prolific cybercriminal from Canada who was arrested in late October for stealing data from and extorting dozens of companies that stored data at the cloud service **Snowflake**.

In an interview with KrebsOnSecurity, Judische said he had no interest in selling the data he’d stolen from Snowflake customers and telecom providers, and that he preferred to outsource that to Kiberphant0m and others. Meanwhile, Kiberphant0m claimed in posts on Telegram that he was responsible for hacking into at least 15 telecommunications firms, including AT&T and Verizon.

On November 26, KrebsOnSecurity published a story that followed a trail of clues left behind by Kiberphantom indicating he was a U.S. Army soldier stationed in South Korea.

Ms. Roen said Cameron worked on radio signals and network communications at an Army base in South Korea for the past two years, returning to the United States periodically. She said Cameron was always good with computers, but that she had no idea he might have been involved in criminal hacking.

“I never was aware he was into hacking,” Roen said. “It was definitely a shock to me when we found this stuff out.”

Ms. Roen said Cameron joined the Army as soon as he was of age, following in his older brother’s footsteps.

“He and his brother when they were like 6 and 7 years old would ask for MREs from other countries,” she recalled, referring to military-issued “meals ready to eat” food rations. “They both always wanted to be in the Army. I’m not sure where things went wrong.”

Immediately after news broke of Moucka’s arrest, Kiberphant0m posted on the hacker community **BreachForums** what they claimed were the AT&T call logs for **President-elect** **Donald J. Trump** and for **Vice President Kamala Harris**.

“In the event you do not reach out to us @ATNT all presidential government call logs will be leaked,” Kiberphant0m threatened, signing their post with multiple “#FREEWAIFU” tags. “You don’t think we don’t have plans in the event of an arrest? Think again.”

Kiberphant0m posting what he claimed was a “data schema” stolen from the NSA via AT&T.

On that same day, Kiberphant0m posted what they claimed was the “data schema” from the **U.S. National Security Agency**.

On Nov. 5, Kiberphant0m offered call logs stolen from Verizon’s push-to-talk (PTT) customers — mainly U.S. government agencies and emergency first responders. On Nov. 9, Kiberphant0m posted a sales thread on BreachForums offering a “SIM-swapping” service targeting Verizon PTT customers. In a SIM-swap, fraudsters use credentials that are phished or stolen from mobile phone company employees to divert a target’s phone calls and text messages to a device they control.

The profile photo on Wagenius’ Facebook page was deleted within hours of my Nov. 26 story identifying Kiberphant0m as a likely U.S. Army soldier. Still, many of his original profile photos remain, including several that show Wagenius in uniform while holding various Army-issued weapons.

Several profile photos visible on the Facebook page of Cameron Wagenius.

November’s story on Kiberphant0m cited his own Telegram messages saying he maintained a large botnet that was used for distributed denial-of-service (DDoS) attacks to knock websites, users and networks offline. In 2023, Kiberphant0m sold remote access credentials for a major U.S. defense contractor.

**Allison Nixon,** chief research officer at the New York-based cybersecurity firm Unit 221B, helped track down Kiberphant0m’s real life identity. Nixon was among several security researchers who faced harassment and specific threats of violence from Judische and his associates.

“Anonymously extorting the President and VP as a member of the military is a bad idea, but it’s an even worse idea to harass people who specialize in de-anonymizing cybercriminals,” Nixon told KrebsOnSecurity. She said the investigation into Kiberphant0m shows that law enforcement is getting better and faster at going after cybercriminals — especially those who are actually living in the United States.

“Between when we, and an anonymous colleague, found his opsec mistake on November 10th to his last Telegram activity on December 6, law enforcement set the speed record for the fastest turnaround time for an American federal cyber case that I have witnessed in my career,” she said.

Nixon asked to share a message for all the other Kiberphant0ms out there who think they can’t be found and arrested.

“I know that young people involved in cybercrime will read these articles,” Nixon said. “You need to stop doing stupid shit and get a lawyer. Law enforcement wants to put all of you in prison for a long time.”

The indictment against Wagenius was filed in Texas, but the case has been transferred to the U.S. District Court for the Western District of Washington in Seattle.

U.S. Army Soldier Arrested in AT&T, Verizon Extortions

SUMMARY: VulnCheck has discovered a critical new vulnerability (CVE-2024-12856) affecting Four-Faith industrial routers (F3x24 and F3x36), with evidence…

****SUMMARY:****

*   **Vulnerability**: CVE-2024-12856 impacts Four-Faith routers (models F3x24 and F3x36), allowing remote code execution.

*   **Exploit Path**: Attackers use the /apply.cgi endpoint to exploit the adj_time_year parameter.

*   **Risk**: Over 15,000 devices with default credentials are at high risk.

*   **Impact**: Exploits enable malware installation, data theft, and network disruption.

*   **Fix**: Update firmware, change default credentials, and use Suricata rules for detection.

VulnCheck has discovered a critical new vulnerability (CVE-2024-12856) affecting Four-Faith industrial routers (F3x24 and F3x36), with evidence of active exploitation in the wild. This, as per the company, is a post-authentication flaw vulnerability that allows attackers to remotely execute commands on vulnerable devices by exploiting a weakness in the router’s system time adjustment functionality.

“The attack can be conducted against, at least, the Four-Faith F3x24 and F3x36 over HTTP using the /apply.cgi endpoint. Censys finds approximately 15,000 internet-facing devices,” VulnCheck researcher Jacob Baines wrote in the blog post shared with Hackread.com.

As per the investigation from the VulnCheck Initial Access team, the attack specifically targets the /apply.cgi endpoint, which allows for system configuration changes. By manipulating the adj\_time\_year parameter (responsible for modifying the router’s system time) within a POST request, attackers can inject malicious commands.

This bypasses authentication as the attack leverages the router’s default credentials. However, this vulnerability should not be confused with CVE-2019-12168 even though both flow through the same apply.cgi endpoint, Baines noted.

In addition, VulnCheck observed exploitation attempts originating from the IP address 178.215.23891. The firmware version’s default credentials could potentially escalate the vulnerability into an unauthenticated and remote OS command execution issue if not altered.

Furthermore, another research blog published in November 2024 also documented the exploitation of this vulnerability, with the observed User-Agent matching the User-Agent VulnCheck observed, although with a different payload, corroborating VulnCheck’s findings.

Successful exploitation allows attackers to execute remote code on a router, install malware, steal sensitive data, disrupt network operations, and use the router as a launch point for further attacks.

To mitigate this threat, VulnCheck has provided a Suricata rule to detect exploitation attempts on the network. This rule monitors HTTP traffic, specifically looking for POST requests to /apply.cgi with the adjust\_sys\_time parameter and suspicious patterns in the adj\_time\_year field.

VulnCheck has also responsibly disclosed this vulnerability to Four-Faith and its customers. Users are advised to contact Four-Faith directly for information on patches, affected models, and firmware versions.

Routers, responsible for directing internet traffic, are often overlooked in security measures, making them easy targets for cybercriminals. The prevalence of default passwords and outdated firmware creates a significant security risk, as they often contain unpatched vulnerabilities. 

Recently, Censys uncovered 14 critical vulnerabilities in DrayTek Vigor routers, including a buffer overflow and OS command injection flaw. Now the discovery of vulnerability in Four-Faith routers further shows the need for improved security measures to protect routers and their users.

1.  **New Botnets Exploit Old D-Link Router for DDoS Attacks**
2.  **Condi DDoS Botnet Targets Vulnerable TP-Link AX21 Routers**
3.  **FBI: Hackers Target Ubiquiti Routers for Data, Botnet Creation**
4.  **ASUS, NordVPN Partner to Integrate VPN Service into Routers**
5.  **6,000 Asus Routers Hacked in 72 Hours by** **TheMoon Malware**

Critical Flaw Exposes Four-Faith Routers to Remote Exploitation

Secure Gaming during holidays is essential as cyberattacks rise by 50%. Protect accounts with 2FA, avoid fake promotions,…

Secure Gaming during holidays is essential as cyberattacks rise by 50%. Protect accounts with 2FA, avoid fake promotions, use secure downloads, and trust verified tools to enjoy safe, uninterrupted gameplay.

The holiday season is a time of joy for gamers, with more free time to play, exciting events, and in-game promotions. However, this festive period comes with higher risks of cyberattacks than any other period of the year.

Studies by Wowvendor, a company dealing in WoW services, indicate that hackers increase their activity by 50% during the holidays and especially prey on gamers via malware and phishing. This article will detail these risks and give some useful advice on how to enjoy gaming without compromising your account security.

****The Rise of Cyber Threats During Holidays****

The gaming community gets busy during the holidays. Unfortunately, cybercriminals find this an attractive target. The key reasons for increased risks are as follows:

*   **Increased player traffic** – A large consumer base of online gaming creates, in turn, more opportunities for hackers to exploit vulnerabilities.
*   **Attractive holiday promotions** – Many players get tricked into fake giveaways and deals, without knowing it compromises their data security.
*   **Malware in pirated games** – Most of the time, hackers put harmful software inside cracked versions of popular titles.

For instance, cybersecurity companies have informed that the number of phishing emails with “in-game rewards notifications” and “discount offers” have spiked around the times of past holiday seasons. These examples of threats put the importance of vigilance during peak gaming hours deeper into focus.

****Common Cyber Threats to Gamers****

Cyber threats range from gaming cyber attacks and data security incidents to DDoS attacks. This will likely impact some players more and possibly their performance during peak gaming periods. Understanding these dangers can help players stay protected:

****Fake add-ons, mods and Phishing schemes** **

Hacks through counterfeit mods are common in games such as World of Warcraft. Hackers distribute these infected mods using counterfeit mods and give the malware the chance to steal login credentials or infect the device they’re playing on. Additionally, fraudulent links and websites trick people into providing personal information or downloading malicious software.

****DDoS attacks** **

The gaming industry is seeing a lot of DDoS attacks (distributed denial of service attacks), wherein hacker group gets a network of infected devices (botnet) that perform a network DDoS attack to inundate a game server or a group of players with a massive amount of traffic. This overload disrupts the server or network connection and has broken the game so that normal users can’t even get in.

These attacks send many requests and place a heavy load onto the server. Hackers aim at certain players’ IP addresses and try to degrade their connection, or that of the player behind it, to give themselves an in-game advantage. This type of targeted interference disrupts competitive gameplay and can negatively impact a game’s experience for the player.

Additionally, the number of ransomware attacks against gaming accounts has risen as well. They involve locking players out of their accounts and asking for payment to access them. When you are faced with unfamiliar software or links, it’s best to stay awake and alert to risks.

****Best Practices for Secure Gaming****

A large number of cyber attacks on gamers can stem from unauthorized downloads, according to leading cyber security firm Kaspersky. To enjoy your games safely during the holidays, follow these cybersecurity tips:

*   **Download software from official sources** — Do not download games or updates from untrusted websites — they can hide malware.
*   **Use two-factor authentication (2FA)** — It simply gives you extra protection for your gaming accounts.
*   **Verify promotional offers** — Don’t accept offers that are simply too good even to be true. There are always official channels for you to confirm their legitimacy.
*   **Avoid cracked games** — First and foremost pirated games are illegal, and they’re dangerous for security reasons too.

Working with your use of strong, unique passwords across all your accounts, these measures can go a long way toward mitigating your risk of being victimized in this way.

****The Role of Gaming Companies****

Leading gaming companies have stepped up their efforts to combat cyber threats. Their initiatives include:

*   **Enhanced security systems** – AI detecting and blocking unusual activity on gaming networks.
*   **Regular updates and patches** – Time and time again, developers release updates to patch vulnerabilities, and protect players with updates.
*   **Player education** – Many platforms offer users a way of recognizing and preventing scammers.

For instance, World of Warcraft’s creators, Blizzard Entertainment, is constantly monitoring its ecosystem for threats and expelling them while at the same time urging players to use solutions, for example, 2FA. Machine learning has been introduced into other companies, such as Valve and Riot Games, in an attempt to detect possible hacking through in-game behaviours.

****Advanced Cybersecurity Tools for Gamers****

Gamers now have access to cutting-edge cybersecurity solutions tailored to safeguard their online experience:

*   **Gaming-optimized VPNs** – VPN services will make sure that you have safe, encrypted connections while reducing latency and optimizing the routing of the server. It shields against DDoS attacks and keeps the gameplay smooth.
*   **Anti-phishing extensions** – Google Safe Browsing and Microsoft Defender SmartScreen are tools that actively block malicious sites and alert players that a phishing page is attempting to lure them into a trick.
*   **Behavioural analytics and anti-cheat systems** – Dedicated platforms use machine learning to analyze login patterns and in-game behaviour, detecting anomalies like hacking or unauthorized access.
*   **DDoS mitigation services** – Distribution denial-of-service attacks that cause gaming servers to stop working are identified and neutralized by Cloudflare, Akamai Prolexic, and other companies that protect gaming servers so that gamers can continue enjoying online sessions uninterrupted.

With these state-of-the-art tools, gamers will be protected from changing threats, which will protect gaming for the holidays and beyond.

****Stay on the Safe Side****

The holiday season is a wonderful opportunity to connect with your favourite games and communities. While cyber threats do increase during this period, staying informed and adopting secure practices can protect your gaming experience. From using official platforms to enabling two-factor authentication, every step you take helps reduce risks.

Gaming companies are also playing their part by providing services and insights that enhance player safety. By working together and staying alert, gamers can fully embrace the holiday spirit, free from cybersecurity concerns.

1.  What is Blockchain Gaming and its Play-to-Earn Model?
2.  Exploring Data Privacy and Security in B2B Gaming Data
3.  The Rise of Blockchain Gaming and Secure Marketplaces
4.  Winos4.0 Malware Targeting Windows via Fake Gaming Apps
5.  Gcore Thwarts 500 Million PPS DDoS Attack on Gaming Company

Secure Gaming During the Holidays

Mirai and Keksec botnet variants are exploiting critical vulnerabilities in D-Link routers. Learn about the impact, affected devices, and how to protect yourself from these attacks.

****In This Article, You Will Read About:****

*   **Increased Botnet Activity**: Surge in the activity of new “FICORA” and “CAPSAICIN” botnets, variants of Mirai and Kaiten.

*   **Exploited Vulnerabilities**: Attackers exploit known D-Link router vulnerabilities (e.g., CVE-2015-2051, CVE-2024-33112) to execute malicious commands.

*   **Botnet Capabilities**: Both botnets use shell scripts, target Linux systems, kill malware processes, and conduct DDoS attacks.

*   **Global Impact**: FICORA targeted multiple countries, while CAPSAICIN focused on East Asia, which had intense activity for over two days.

*   **Mitigation Measures**: Regular firmware updates and robust network monitoring are recommended to prevent exploitation.

FortiGuard Labs has observed a surge in the activity of two botnets, “FICORA” and “CAPSAICIN,” in October and November 2024. In its blog post, shared exclusively with Hackread.com, FortiGuard Labs’ Threat Research team explained that these botnets are variants of the well-known Mirai and Kaiten botnets and can execute malicious commands.

Further probing revealed that the distribution of these botnets involves exploiting D-Link vulnerabilities that allow remote attackers to execute malicious commands via a GetDeviceSettings action on the Home Network Administration Protocol (HNAP) interface. 

These vulnerabilities include CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112. These CVEs represent specific instances of vulnerabilities within D-Link routers that attackers have exploited. They often involve flaws in how HNAP handles user input and authentication. Attackers use the HNAP interface to deliver the malware, and this weakness was first exposed almost a decade ago.

The affected platforms include D-Link DIR-645 Wired/Wireless Router Rev. Ax, D-Link DIR-806 devices, and D-Link GO-RT-AC750 GORTAC750\_revA\_v101b03 and GO-RT-AC750\_revB\_FWv200b02. According to FortiGuard Labs IPS telemetry, the botnets have a high severity level and are spread through older attacks.

The FICORA botnet is malicious software that targets multiple Linux architectures and encodes its configuration using the ChaCha20 encryption algorithm. Furthermore, its functionalities also include a brute force attack feature, embedding a shell script with hexadecimal ASCII characters to identify and kill other malware processes, and DDoS attack functionalities using protocols like UDP, TCP, and DNS.

This botnet, according to to FortiGuard Labs Threat Research team’s blog post, downloads a shell script named ‘multi’ that uses various methods including wget, ftpget, curl, and tftp to download the actual malware.

Downloader script “multi” using the “curl” command (Via FortiGuard Labs)

The FICORA botnet attack, which targeted many countries worldwide, was triggered by attackers from Netherlands servers. On the other hand, the CAPSAICIN attack, unlike FICORA, was only intensely active over two days between October 21 and 22, 2024, and targeted East Asian countries. 

However, like FICORA it also exhibits diverse functionalities, including downloading a shell script called ‘bins.sh’, targeting multiple Linux architectures, killing known botnet processes, establishing a connection with its C2 server, sending victim host information, and offering DDoS attack functions.

Although the vulnerabilities exploited in this attack have been known for almost a decade, these attacks are still prevalent, which is concerning. Nevertheless, to reduce the risk of D-Link devices being compromised by botnets, it is recommended to regularly update firmware and maintain comprehensive network monitoring.

“FortiGuard Labs discovered that “FICORA” and “CAPSAICIN” spread through this weakness. Because of this, it is crucial for every enterprise to regularly update the kernel of their devices and maintain comprehensive monitoring,” FortiGuard Lab’s researcher Vincent Li concluded.

1.  **Mirai-Inspired Gorilla Botnet Hits 0.3m Targets in 100 Countries**
2.  **OracleIV DDoS Botnet Malware Hits Docker Engine API Instances**
3.  **Androxgh0st Botnet Hits IoT Devices, Exploiting 27 Vulnerabilities**
4.  **‘Matrix’ Hackers Deploy Massive New IoT Botnet for DDoS Attacks**
5.  **Golang Botnet “Zergeca” Discovered, Delivers Brutal DDoS Attacks**

FICORA, CAPSAICIN Botnets Exploit Old D-Link Router Flaws for DDoS Attacks

Cybersecurity researchers are warning about a spike in malicious activity that involves roping vulnerable D-Link routers into two different botnets, a Mirai variant dubbed FICORA and a Kaiten (aka Tsunami) variant called CAPSAICIN.
"These botnets are frequently spread through documented D-Link vulnerabilities that allow remote attackers to execute malicious commands via a GetDeviceSettings

FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities for Global Attacks

LockBit ransomware gang's takedown is in progress!

****KEY SUMMARY POINTS****

*   **Arrest of Rostislav Panev**: Dual Russian-Israeli national Rostislav Panev, a key developer for the LockBit ransomware group, was arrested in Israel in August and awaits extradition to the U.S.

*   **Role in LockBit Operations**: Panev allegedly developed and maintained malware infrastructure for LockBit, enabling affiliates to launch ransomware attacks globally since 2019.

*   **Evidence Seized**: Authorities discovered administrator credentials for LockBit’s dark web tools, malware source codes, and control panel access during Panev’s arrest.

*   **Admissions and Payments**: Panev admitted to disabling antivirus software, deploying malware, and printing ransom notes, earning over $230,000 in cryptocurrency for his work.

*   **Impact of LockBit**: LockBit ransomware has targeted over 1,800 U.S. victims and thousands more worldwide, causing billions in damages and collecting over $500 million in ransom payments.

The U.S. Department of Justice (DoJ) has announced the arrest of Rostislav Panev, a dual Russian and Israeli national accused of being a key developer for the LockBit ransomware operation.

The 51-year-old was apprehended in Israel back in August and is now awaiting extradition to the United States to face charges including computer fraud, wire fraud, and extortion for his role in developing and maintaining LockBit ransomware infrastructure from 2019 to 2024.

LockBit, once dubbed the “most destructive ransomware group in the world,” has created major problems for thousands of victims across more than 120 countries, including over 1,800 in the U.S. alone. **From hospitals** and schools to **critical infrastructure** and multinational corporations, no sector has been safe from their attacks.

The group’s malicious activities have reportedly netted them at least $500 million in ransom payments while causing billions more in damages through lost revenue and recovery costs.

****Who is Rostislav Panev?****

According to the DoJ’s **press release**, Panev allegedly played a critical role in the development and maintenance of LockBit’s malware infrastructure. From the group’s emergence in 2019 until at least February 2024, Panev worked as a developer, creating tools that enabled LockBit affiliates to carry out attacks and extort victims.

During his arrest, authorities seized Panev’s computer, uncovering evidence that linked him directly to the group’s operations. This included administrator credentials for a dark web repository containing source code for multiple versions of the LockBit builder, a tool used to generate custom malware for specific victims. Investigators also found access credentials for the LockBit control panel, a dark web dashboard used by developers and affiliates to coordinate attacks.

According to the DoJ’s superseding criminal complaint, in interviews with Israeli authorities following his arrest, Panev admitted to writing code that disabled antivirus software, deployed malware across victim networks, and printed ransom notes on connected printers. He also confessed to receiving regular cryptocurrency payments for his work, summing over $230,000 between June 2022 and February 2024.

****Takedown of LockBit****

Panev’s arrest is the latest in a series of actions against the LockBit group. Earlier this year, the UK’s National Crime Agency (NCA) **led a coordinated international effort** to disrupt LockBit’s operations, seizing key servers and websites used by the group. This move significantly crippled LockBit’s ability to launch new attacks and extort victims.

The DoJ has also charged seven other individuals associated with LockBit, including **Dmitry Yuryevich Khoroshev**, the group’s alleged primary administrator. Khoroshev, who remains at large, is believed to have played a central role in recruiting affiliates and overseeing LockBit’s operations.

Two other LockBit affiliates, Mikhail Vasiliev and Ruslan Astamirov, have already pleaded guilty to their involvement in the group and are awaiting sentencing. Meanwhile, other key figures like Artur Sungatov and Ivan Kondratyev remain fugitives, with rewards of up to $10 million offered for information leading to their arrest.

In November 2024, Russian authorities arrested **Mikhail Pavlovich Matveev**, also known as Wazawaka and Boriselcin, a member of the Lockbit group. Matveev is also wanted by the FBI for his involvement in the Hive and Babuk ransomware operations.

Nevertheless, the fight against ransomware takes a major step forward with Panev’s extradition and prosecution, marking an important milestone in holding cybercriminals accountable. The message is simple: in our connected world, cybercrime doesn’t pay.

1.  **Ukraine Arrests Cryptor Specialist Aiding Conti and LockBit**
2.  **Rabbi Arrested for Hacking CCTV at Lady’s Swimwear Shop**
3.  **FBI Kills Kelihos Botnet Amid Russian Hacker’s Arrest in Spain**
4.  **Israeli arrested for hacking Madonna’s PC, selling songs online**
5.  **Husband, wife among ransomware operators arrested in Ukraine**

LockBit Developer Rostislav Panev, a Dual Russian-Israeli Citizen, Arrested

Cyberattacks against OT/ICS engineering workstations are widely underestimated, according to researchers who discovered malware designed to shut down Siemens workstation engineering processes.

Source: Constantine Johnny via Alamy Stock Photo

NEWS BRIEF

Operational technology (OT) and Industrial control systems (ICS) are increasingly exposed to compromise through engineering workstations. A new malware developed to kill stations running Siemens systems joins a growing list of botnets and worms working to infiltrate industrial networks through these on-premises, Internet-connected attack vectors.

Forescout researchers reported the discovery of the Siemens malware, which they called "Chaya\_003." But that's hardly an isolated case. The researchers also found two Mitsubishi engineering workstations compromised by the Ramnit worm, they explained in a new report.

"Malware in OT/ICS is more common than you think — and engineering workstations connected to the Internet are targets," the Forescout team warned.

Researchers from SANS said engineering workstation compromise accounts for more than 20% of OT cybersecurity incidents, the report noted. Botnets targeting OT systems, which the report said includes Aisuru, Kaiten, and Gafgyt, rely on Internet-connected devices to infiltrate networks.

Engineering workstations make excellent targets for cyberattack because they are on-premises stations running traditional operating systems as well as specialized software tools provided by vendors such as the Siemens TIA portal or Mitsubishi GX Works, the Forescout team wrote.

To defend against these campaigns, OT/ICS network operators should ensure engineering workstations are protected and that there is adequate network segmentation, and implement an ongoing threat monitoring program.

The report acknowledges malware developed specifically for OT environments is relatively rare compared with efforts put behind enterprise compromises, "but there’s little room to sleep easily if you’re a security operator in OT or manage industrial control system security," the researchers added.

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

OT/ICS Engineering Workstations Face Barrage of Fresh Malware

Juniper Networks is warning that Session Smart Router (SSR) products with default passwords are being targeted as part of a malicious campaign that deploys the Mirai botnet malware.
The company said it's issuing the advisory after "several customers" reported anomalous behavior on their Session Smart Network (SSN) platforms on December 11, 2024.
"These systems have been infected with the Mirai

Juniper Warns of Mirai Botnet Targeting SSR Devices with Default Passwords

A free VPN app called Big Mama is selling access to people’s home internet networks. Kids are using it to cheat in a VR game while researchers warn of bigger security risks.

In the hit virtual reality game _Gorilla Tag_, you swing your arms to pull your primate character around—clambering through virtual worlds, climbing up trees and, above all, trying to avoid an infectious mob of other gamers. If you’re caught, you join the horde. However, some kids playing the game claim to have found a way to cheat and easily “tag” opponents.

Over the past year, teenagers have produced video tutorials showing how to side-load a virtual private network (VPN) onto Meta’s virtual reality headsets and use the location-changing technology to get ahead in the game. Using a VPN, according to the tutorials, introduces a delay that makes it easier to sneak up and tag other players.

While the workaround is likely to be an annoying but relatively harmless bit of in-game cheating, there’s a catch. The free VPN app that the video tutorials point to, Big Mama VPN, is also selling access to its users’ home internet connections—with buyers essentially piggybacking on the VR headset’s IP address to hide their own online activity.

This technique of rerouting traffic, which is best known as a residential proxy and more commonly happens through phones, has become increasingly popular with cybercriminals who use proxy networks to conduct cyberattacks and use botnets. While the Big Mama VPN works as it is supposed to, the company’s associated proxy services have been heavily touted on cybercrime forums and publicly linked to at least one cyberattack.

Researchers at cybersecurity company Trend Micro first spotted Meta’s VR headsets appearing in its threat intelligence residential proxy data earlier this year, before tracking down that teenagers were using Big Mama to play _Gorilla Tag_. An unpublished analysis that Trend Micro shared with WIRED says its data shows that the VR headsets were the third most popular devices using the Big Mama VPN app, after devices from Samsung and Xiaomi.

“If you’ve downloaded it, there’s a very high likelihood that your device is for sale in the marketplace for Big Mama,” says Stephen Hilt, a senior threat researcher at Trend Micro. Hilt says that while Big Mama VPN may be being used because it is free, doesn’t require users to create an account, and apparently doesn’t have any data limits, security researchers have long warned that using free VPNs can open people up to privacy and security risks.

These risks may be amplified when that app is linked to a residential proxy. Proxies can “allow people with malicious intent to use your internet connection to potentially use it for their attacks, meaning that your device and your home IP address may be involved in a cyberattack against a corporation or a nation state,” Hilt says.

"Gorilla Tag is a place to have fun with your friends and be playful and creative—anything that disturbs that is not cool with us,” a spokesperson for Gorilla Tag creator Another Axiom says, adding they use “anti-cheat mechanisms” to detect suspicious behavior. Meta did not respond to a request for comment about VPNs being side-loaded onto its headsets.

**Proxies Rising**

Big Mama is made up of two parts: There’s the free VPN app, which is available on the Google Play store for Android devices and has been downloaded more than 1 million times. Then there’s the Big Mama Proxy Network, which allows people (among other options) to buy shared access to “real” 4G and home Wi-Fi IP addresses for as little as 40 cents for 24 hours.

Vincent Hinderer, a cyber threat intelligence team manager who has researched the wider residential proxy market at Orange Cyberdefense, says there are various scenarios where residential proxies are used, both for people who are having traffic routed through their devices and also those buying and selling proxy services. “It’s sometimes a gray zone legally and ethically,” Hinderer says.

For proxy networks, Hinderer says, one end of the spectrum is where networks could be used as a way for companies to scrape pricing details from their competitors' websites. Other uses can include ad verification or people scalping sneakers during sales. They may be considered ethically murky but not necessarily illegal.

At the other end of the scale, according to Orange’s research, residential proxy networks have broadly been used for cyber espionage by Russian hackers, in social engineering efforts, as part of DDoS attacks, phishing, botnets, and more. “We have cybercriminals using them knowingly,” Hinderer says of residential proxy networks generally, with Orange Cyberdefense having frequently seen proxy traffic in logs linked to cyberattacks it has investigated. Orange’s research did not specifically look at uses of Big Mama's services.

Some people can consent to having their devices used in proxy networks and be paid for their connections, Hinderer says, while others may be included because they agreed to it in a service’s terms and conditions—something research has long shown people don’t often read or understand.

Big Mama doesn’t make it a secret that people who use its VPN will have other traffic routed through their networks. Within the app it says it “may transport other customer’s traffic through” the device that’s connected to the VPN, while it is also mentioned in the terms of use and on a FAQ page about how the app is free.

The Big Mama Network page advertises its proxies as being available to be used for ad verification, buying online tickets, price comparison, web scraping, SEO, and a host of other use cases. When a user signs up, they’re shown a list of locations proxy devices are located in, their internet service provider, and how much each connection costs.

This marketplace, at the time of writing, lists 21,000 IP addresses for sale in the United Arab Emirates, 4,000 in the US, and tens to hundreds of other IP addresses in a host of other countries. Payments can only be made in cryptocurrency. Its terms of service say the network is only provided for “legal purposes,” and people using it for fraud or other illicit activities will be banned.

Despite this, cybercriminals appear to have taken a keen interest in the service. Trend Micro’s analysis claims Big Mama has been regularly promoted on underground forums where cybercriminals discuss buying tools for malicious purposes. The posts started in 2020. Similarly, Israeli security firm Kela has found more than 1,000 posts relating to the Big Mama proxy network across 40 different forums and Telegram channels.

Kela’s analysis, shared with WIRED, shows accounts called “bigmama\_network” and “bigmama” posted across at least 10 forums, including cybercrime forums such as WWHClub, Exploit, and Carder. The ads list prices, free trials, and the Telegram and other contact details of Big Mama.

It is unclear who made these posts, and Big Mama tells WIRED that it does not advertise.

Posts from these accounts also said, among other things, that “anonymous” bitcoin payments are available. The majority of the posts, Kela’s analysis says, were made by the accounts around 2020 and 2021. Although, an account called “bigmama\_network” has been posting on the clearweb Blackhat World SEO forum until October this year, where it has claimed its Telegram account has been deleted multiple times.

In other posts during the last year, according to the Kela analysis, cybercrime forum users have recommended Big Mama or shared tips about the configurations people should use. In April this year, security company Cisco Talos said it had seen traffic from the Big Mama Proxy, alongside other proxies, being used by attackers trying to brute force their way into a variety of company systems.

**Mixed Messages**

Big Mama has few details about its ownership or leadership on its website. The company’s terms of service say that a business called BigMama SRL is registered in Romania, although a previous version of its website from 2022, and at least one live page now, lists a legal address for BigMama LLC in Wyoming. The US-based business was dissolved in April and is now listed as inactive, according to the Wyoming Secretary of State’s website.

A person using the name Alex A responded to an email from WIRED about how Big Mama operates. In the email, they say that information about free users’ connections being sold to third parties through the Big Mama Network is “duplicated on the app market and in the application itself several times,” and people have to accept the terms of conditions to use the VPN. They say the Big Mama VPN is officially only available from the Google Play Store.

“We do not advertise and have never advertised our services on the forums you have mentioned,” the email says. They say they were not aware of the April findings from Talos about its network being used as part of a cyberattack. “We do block spam, DDOS, SSH as well as local network etc. We log user activity to cooperate with law enforcement agencies,” the email says.

The Alex A persona asked WIRED to send it more details about the adverts on cybercrime forums, details about the Talos findings, and information about teenagers using Big Mama on Oculus devices, saying they would be “happy” to answer further questions. However, they did not respond to any further emails with additional details about the research findings and questions about their security measures, whether they believe someone was impersonating Big Mama to post on cybercrime forums, the identity of Alex A, or who runs the company.

During its analysis, Trend Micro’s Hilt says that the company also found a security vulnerability within the Big Mama VPN, which could have allowed a proxy user to access someone’s local network if exploited. The company says it reported the flaw to Big Mama, which fixed it within a week, a detail Alex A confirmed.

Ultimately, Hilt says, there are potential risks whenever anyone downloads and uses a free VPN. “All free VPNs come with a trade-off of privacy or security concerns,” he says. That applies to people side-loading them onto their VR headsets. “If you’re downloading applications from the internet that aren't from the official stores, there’s always the inherent risk that it isn’t what you think it is. And that comes true even with Oculus devices.”

Tag

#botnet