An elusive, sophisticated cybercriminal group has used known and zero-day vulnerabilities to compromise more than 20,000 SOHO routers and other IoT devices so far, and then puts them up for sale on a residential proxy marketplace for state-sponsored cyber-espionage actors and others to use.

Source: Jiraroj Praditcharoenkul via Alamy Stock Photo

A cybercriminal group is exploiting vulnerabilities in Internet of Things (IoT) devices and then turning a tidy profit by putting them up for sale on a residential proxy marketplace, where they can be turned into proxy botnets by state-sponsored advance persistent threats (APTs) and other malicious actors.

The gang, tracked as "Water Barghest," has already compromised more than 20,000 IoT devices, including small office and home office (SOHO) routers used by businesses, by using automated scripts to identify and compromise vulnerable devices, according to new research from Trend Micro. The threat actor, which has operated for more than five years (largely under the radar due to a sophisticated automation strategy) discovers vulnerable IoT devices from public Internet-scanning databases such as Shodan, the researchers noted.

Once Water Barghest compromises devices, it deploys proprietary malware called Ngioweb to register the device as a proxy — i.e., a network that puts an intermediary between a client and a server. Water Barghest then lists the device for sale on a residential proxy marketplace for other threat actors to purchase.

The entire cybercriminal process to enslave a target takes as little as 10 minutes, "indicating a highly efficient and automated operation," Trend Micro researchers Feike Hacquebord and Fernando Mercês wrote in the post.

**Selling Proxy Devices as a Cybercrime Business Model**

There is indeed a significant incentive for both espionage-motivated and financially motivated actors to set up proxy botnets to help hide where their malicious activities originate; Russia's Sandworm, for example, recently used the VPNFilter botnet and Cyclops Blink in activities against Ukraine that were elusive for a time before being ultimately disrupted by the FBI, according to Trend Micro.

"These \[botnets\] can serve as an anonymization layer, which can provide plausibly geolocated IP addresses to scrape contents of websites, access stolen or compromised online assets, and launch cyberattacks," the researchers wrote.

Threat actors can find any IoT device that accepts incoming connections on the open Internet using public scanning services, making it easy for them to compromise ones with known vulnerabilities, or even zero-days, for future use in malicious activities, they wrote. This makes it easy for threat actors like Water Barghest to exploit them for financial gain and further abuse, they added.

**Uncovering the Elusive Botnet-for-Sale Cyber Operation**

Trend Micro discovered Water Barghest's operation during an investigation of the Department of Justice's disruption of a Russian military intelligence botnet that Russian state-sponsored threat group Fancy Bear (aka APT28) used for global cyber espionage.

The researchers examined EdgeRouter devices that had been used by Sandworm, and eventually uncovered Water Barghest's Ngioweb malware and botnet. The group's infrastructure had been up and running for more than five years but had been able to evade detection by security researchers and law enforcement "because of their careful operational security and high degree of automation," the researchers wrote.

"They quietly erased log files from their servers and made forensic analysis more difficult," they wrote. "They removed human error from their operations by automating almost everything. They also removed financial traceability by using cryptocurrency for anonymous payments."

Water Barghest automates each step of the 10-minute process, from initially finding vulnerable IoT devices to ultimately putting them for sale on a residential proxy marketplace. The group first acquires known exploits for flaws in devices, then uses search queries on one of the publicly available Internet-scanning databases to find vulnerable devices and their IP addresses. It then uses a set of data center IP addresses to try the exploits against potentially vulnerable IoT devices.

When one works, the compromised IoT devices download a script that iterates through Ngioweb malware samples compiled for different Linux architectures. When one of the samples runs successfully, Ngioweb will run in memory on the victim’s IoT device, registering it with a command-and-control (C2) server, and then eventually sending it to be listed on a Dark Web marketplace.

Water Barghest has about 17 identities on virtual private servers that continuously scan routers and IoT devices for known vulnerabilities and also upload Ngioweb malware to freshly compromised IoT devices. In this way, Water Barghest has been running a profitable business "for years, with the worker IP addresses changing slowly over time," according to the Trend Micro analysis.

**Protecting SOHO Routers: Limit Exposure to Public Internet**

Trend Micro expects that both the commercial market for residential proxy services and the underground market of proxies will grow in the coming years due to high demand from both APTs and financial cybercriminal groups alike. This growth will pose "a challenge for many enterprises and government organizations around the world" to protect against the anonymization layers behind which these groups hide, the researchers wrote.

While law enforcement has been effective in disrupting proxy botnets, it's better to go directly to the source to combat the problem, and that can be done by addressing the security of IoT devices. Indeed, these devices are notoriously hackable, posing a problem for organizations that must manage increasingly larger networks of them.

"It is important \[for organizations\] … to put mitigations in place to avoid their infrastructure being part of the problem itself," the researchers wrote. They can do this, they added, by limiting the exposure of these devices to incoming connections from the open Internet whenever it is not business-essential.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Water Barghest' Sells Hijacked IoT Devices for Proxy Botnet Misuse

QR codes are disproportionately effective at bypassing most anti-spam filters. Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption.

Wednesday, November 20, 2024 06:00

*   QR codes are disproportionately effective at bypassing most anti-spam filters, as most filters are not designed to recognize that a QR code is present in an image and decode the QR code. According to Cisco Talos’ data, roughly 60% of all email containing a QR code is spam.  
*   Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption. Users could obscure the data modules, the black and white squares within the QR code that represent the encoded data. Alternatively, users could remove one or more of the position detection patterns — large square boxes located in corners of the QR code used to initially identify the code's orientation and position. 
*   Further complicating detection, both by users and anti-spam filters, Talos found QR code images that are “QR code art.” These images blend the data points of a QR code seamlessly into an artistic image so the result does not appear to be a QR code at all. 

Prior to 1994, most code scanning technology utilized one-dimensional barcodes. These one-dimensional barcodes consist of a series of parallel black lines of varying width and spacing. We are all familiar with these codes, like the type you might find on the back of a cereal box from the grocery store. However, as the use of barcodes increased, their limitations became problematic, especially considering that a one-dimensional barcode can only hold up to 80 alphanumeric characters of information. To eliminate this limitation, a company named Denso Wave created the very first “Quick Response“ codes (QR codes). 

QR codes are a two-dimensional matrix bar code that can encode just over 7,000 numeric characters, or up to approximately 4,300 alphanumeric characters. While they can represent almost any data, most frequently we encounter QR codes that are used to encode URLs. 

**Quantifying the QR code problem **

Talos extracts QR codes from images inside email messages and attached PDF files for analysis. QR codes in email messages make up between .01% and .2% of all email worldwide. This equates to roughly one out of every 500 email messages. However, because QR codes are disproportionately effective at bypassing anti-spam filters, a significant number find their way into users’ email inboxes, skewing users’ perception of the overall problem.  

Also, of course, not all email messages with a QR code inside are spam or malicious. Many email users send QR codes as part of their email signature, or you may also find legitimate emails containing QR codes used as signups for events, and so on. However, according to Talos’ data, **roughly 60% of all email containing a QR code is spam**.   

Truly malicious QR codes can be found in a much smaller number of messages. These emails contain links to phishing pages, etc. The most common malicious QR codes tend to be multifactor authentication (MFA) requests used for phishing user credentials. 

An example MFA phishing email utilizing a QR code.

One of the problems that defenders may encounter when dealing with users’ scanning of QR codes received via email, assuming the user’s device is not connected to the corporate wi-fi, is that subsequent traffic between the victim and the attacker will traverse the cellular network, largely outside the purview of corporate security devices. This can complicate defense, because few/no alerts from security devices will notify security teams that this has occurred. 

**Why are malicious QR codes hard to detect? **

Because QR codes are displayed in images, it can be difficult for anti-spam systems to identify problematic codes. Identifying and filtering these messages requires the anti-spam system to recognize that a QR code is present in an image, decode the QR code, then analyze the link (or other data) present in the decoded data. As spammers are always looking for innovative ways to bypass spam filters, using QR codes has been a valuable technique for spammers to accomplish this. 

As anti-spam systems improve their capability to detect malicious QR codes in images, enterprising attackers have instead decided to craft their QR codes using Unicode characters.

__An email containing a QR code constructed from Unicode characters (defanged).__

The graphical parts of the image are contained within a PDF file. The PDF metadata indicates it was created from HTML using the tool wkhtmltopdf. Converting the PDF back into HTML shows the Unicode that is being used to construct the QR code. 

__HTML used to construct a malicious QR Code from Unicode characters.__

**Defanging QR codes **

When sharing malicious URLs, it is common to change the protocol from “http” to “hxxp”, and/or to add brackets (“\[\]”) around one of the dots in the URL. This makes it so browsers and other applications do not render the link as an active URL, ensuring that users do not inadvertently click on the malicious URL. This is a process known as “defanging.” Unfortunately, while defanging URLs is commonplace, many people do not defang malicious QR codes. For example, below is a news article from BBC about criminals who put QR code stickers on parking meters in an attempt to harvest payment credentials from unsuspecting victims. 

__A news article from BBC containing a working QR code (this has been defanged by Talos).__

The problem is that these QR codes can still be scanned, taking visitors to whatever malicious link that the QR code encoded. **To make malicious QR codes safe for consumption, they should be defanged.** 

There are a couple of different ways to do this. One way is to obscure the data modules, the black and white squares within the QR code that represent the encoded data. This is where the data that the QR code represents is located. However, based on Talos’ own research, a far easier way to defang a QR code is to remove one or more of the position detection patterns (a.k.a. finder patterns). These are the large square boxes located in three of the four corners of the QR code, which are used by the QR code scanner to initially identify the code's orientation and position. Removing the position detection patterns renders a QR code unscannable by virtually all scanners. Additional details on how this is achieved, will be covered later in the blog. 

A normal QR code on the left vs. a defanged QR code on the right.

**Be careful what you scan! **

For years, security professionals have encouraged users **not** to click on unfamiliar or suspicious URLs. These URLs could potentially lead to phishing pages, malware or other harmful sites. However, many users do not exercise the same care when scanning an unknown QR code as they do when clicking on a suspicious link. To be clear, scanning an unknown/suspicious QR code is equivalent to clicking on a suspicious URL. 

To complicate the situation even more, there are QR code images that are “QR code art.” These images blend the data points of a QR code seamlessly into an artistic image so the result does not appear to be a QR code at all. The potential danger with QR code art images is that a user could conceivably be tricked into scanning a QR code art image with their camera, and then inadvertently navigate to the linked content without realizing it.

**How to protect yourself from malicious QR codes **

QR codes have become ubiquitous, appearing in email, on restaurant menus, at public events, on retail packaging, in museums, and even public parks and trails. The perfect defense is to avoid scanning any QR codes; however, it can be difficult to avoid scanning these entirely, so users must exercise caution. Scanning a QR code is essentially the same as clicking on an unknown hyperlink, but without the ability to see the full URL beforehand. 

There are several QR code decoders freely available online. Typically, if you can save a screenshot of the QR code, you can upload this image to one of these decoders, and the QR code decoder will tell you what data was encoded inside the QR code. This will allow you to more closely inspect the link. You can also choose to navigate to that URL using an application like Cisco Secure Malware Analytics (Threat Grid). This will allow you to view the content behind the URL from a safe place, without jeopardizing the security of your desktop or mobile device. As always, never enter your username and password into an unknown site. It is better to navigate directly to anywhere you wish to login, rather than clicking on a URL presented to you from an unknown third party.

Malicious QR Codes: How big of a problem is it, really?

The company says no sensitive data was stolen, but federal agencies claim otherwise. CISA and FBI sources said attackers accessed all records of specific customers and the private communications of targeted individuals.

Source: GK Images via Alamy Stock Photo

T-Mobile USA is the latest telecommunications provider to acknowledge it's been targeted by the Chinese advanced persistent threat (APT) known as Salt Typhoon, as part of a widescale and unsettling cyber-espionage operation that hacked numerous US and international telecommunications companies aiming to steal sensitive information.

The second-largest wireless carrier in the US is currently investigating and monitoring a cyberattack "consistent" with the recent activities of the Chinese state-sponsored cyber actor, a company spokesperson told Dark Reading late on Nov. 18 in a statement.

However, so far, the company has "had no evidence of access or exfiltration of any customer or other sensitive information as other companies may have experienced," according to T-Mobile. Moreover, "there have been no significant impacts to T-Mobile systems or data," the company said. T-Mobile, based in Bellevue, Wash., has more than 127.5 million US subscribers.

However, T-Mobile's account differs from reports in which federal agencies said that there is evidence that the threat actor gained access to sensitive data, according to a published report in the Wall Street Journal that cited sources from the FBI and Cybersecurity and Infrastructure Security Agency (CISA).

Related:Akamai Reports Third Quarter 2024 Financial Results

According to those agencies, Salt Typhoon accessed call records of specific customers, private communications of targeted individuals, and information about law enforcement surveillance requests in an effort to gather intelligence on high-ranking US national security and policy officials, the report said.

**T-Mo Cyberattack: Full Impact Yet Unknown**

All in all, the wave of recent attacks by Salt Typhoon that have rocked telecom providers both at home and abroad — including AT&T, Verizon, and Lumen Technologies — is "unnerving," says one industry expert.

"No one is pleased with the idea that the Chinese government has access to information about us from our cellphones, one of the more intimate devices used in our daily life," says Jim Routh, former CISO at Aetna, American Express, and CVS and currently chief trust officer at security firm Saviynt. "The practical reality is that this incident does little to change the risk of a significant impact to US consumers."

As T-Mobile is not yet acknowledging that data was even stolen, let alone what type of data, the full impact of the attack won't be known for some time, Paul Bischoff, consumer privacy advocate at Comparitech, notes. That said, there is a chance it's not as serious as some fear depending on what is revealed, he observes.

Related:Critical WordPress Plug-in Flaw Exposes 4M Sites to Takeover

"Metadata like call times and participants, although concerning, is not nearly as scary as state-sponsored threat actors stealing texts and audio messages," Bischoff says.

Still, the national security implications of Chinese threat actors rooting around in the personal data of mobile device users, and then using that data to "island hop into a myriad of government agencies and critical infrastructures … are profound," observes another security expert, Tom Kellermann, senior vice president of cyber strategy at Contrast Security.

"This is the third telecom provider compromised by \[China\] in the last 12 months," Kellermann says. "The systematic campaign of infiltration will take months to root out."

**Further Salt Typhoon Telecom Attacks Imminent?**

Indeed, experts have surmised that the idea behind Salt Typhoon's wave of attacks is to leverage the useful information that can be gleaned from people's personal communications to launch further malicious activity and/or potentially disrupt communications to further China's interests in its political and economic conflict with the US.

"We can expect to see additional attacks by this group in the coming months, as \[it\] works to access the phone lines and records of national security officials and politicians," notes Chris Hauk, consumer privacy champion at Pixel Privacy.

Related:DHS Releases Secure AI Framework for Critical Infrastructure

The incidents are certainly a rude awakening for telecommunications and other critical infrastructure providers, and demonstrate just how vulnerable they are to compromise by organized cybercriminal groups, experts say. Indeed, T-Mobile itself doesn't have the best track record in cybersecurity, Bischoff notes, as just last month the mobile carrier paid a $31.5 million settlement to resolve multiple data breaches that took place over three years.

The threat of imminent further attacks by Salt Typhoon demand that telecom providers act fast to shore up cybersecurity efforts. "We can expect to continue to see attacks like this, as well as traditional ransomware attacks," Hauk notes, "as state actors continue to wage a cyberwar against the United States and its vulnerable infrastructure."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Salt Typhoon Hits T-Mobile as Part of Telecom Attack Spree

ChatGPT, Google Gemini, and Meta AI may be everywhere, but Baby Boomers don't trust the tech or the companies behind it.

Artificial intelligence tools like ChatGPT, Claude, Google Gemini, and Meta AI represent a stronger threat to data privacy than the social media juggernauts that cemented themselves in the past two decades, according to new research on the sentiments of older individuals from Malwarebytes.  

A combined 54% of people between the ages of 60 and 78 told Malwarebytes that they “agree” or “strongly agree” that ChatGPT and similar generative AI tools “are more of a threat than social media platforms (e.g., Facebook, Twitter/X, etc.) concerning personal data misuse.” And an even larger share of 82% said they “agree” or “strongly agree” that they are “concerned with the security and privacy of my personal data and those I interact with when using AI tools.”  

The findings arrive at an important time for consumers, as AI developers increasingly integrate their tools into everyday online life—from Meta suggesting that users lean on AI to write direct messages on Instagram to Google forcing users by default to receive “Gemini” results for basic searches. With little choice in the matter, consumers are responding with robust pushback.  

For this research, Malwarebytes conducted a pulse survey of its newsletter readers in October via the Alchemer Survey Platform. In total, 851 people across the globe responded. Malwarebytes then focused its analysis on survey participants who belong to the Baby Boomer generation.  

Malwarebytes found that:  

*   35% of Baby Boomers said they know “just the names” of some of the largest generative AI products, such as ChatGPT, Google Gemini, and Meta AI.  

*   71% of Baby Boomers said they have “never used” any generative AI tools—a seeming impossibility as Google search results, by default, now provide “AI overviews” powered by the company’s Gemini product. 

*   Only 12% of Baby Boomers believe that “generative AI tools are good for society.”  

*   More than 80% of Baby Boomers said that they worry about generative AI tools both improperly accessing their data and misusing their personal information.  

*   While more than 50% of Baby Boomers said they would feel more secure in using generative AI tools if the companies behind them provided regular security audits, a full 23% were unmoved by proposals in transparency or government regulation. 

****Distrust, concern, and unfamiliarity with AI**  **

Since San Francisco-based AI developer OpenAI released ChatGPT two years ago to the public, “generative” artificial intelligence has spread into nearly every corner of online life.  

Countless companies have integrated the technology into their customer support services with the help of AI-powered chatbots (which caused a problem for one California car dealer when its own AI chat bot promised to sell a customer a 2024 Chevy Tahoe for just $1). Emotional support and mental health providers have toyed with having their clients speak directly with AI chatbots when experiencing a crisis (to middling results). Audio production companies now advertise features to generate spoken text based off samples of recorded podcasts, art-sharing platforms regularly face scandals of AI-generated “stolen” work, and even AI “girlfriends”—and their scantily-clad, AI-generated avatars—are on offer today.  

The public are unconvinced.  

According to Malwarebytes’ research, Baby Boomers do not trust generative AI, the companies making it, or the tools that implement it.  

A full 75% of Baby Boomers said they “agree” or “strongly agree” that they are “fearful of what the future will bring with AI.” Those sentiments are reflected in the 47% of Baby Boomers who said they “disagree” or “strongly disagree” that “generative AI tools are good for society.”  

In particular, Baby Boomers shared a broad concern over how these tools—and the developers behind them—collect and use their data.  

More than 80% of Baby Boomers agreed that they held the following concerns about generative AI tools: 

*   My data being accessed without my permission (86%) 

*   My personal information being misused (85%) 

*   Not having control over my data (84%) 

*   A lack of transparency into how my data is being used (84%) 

The impact on behavior here is immediate, as 71% of Baby Boomers said they “refrain from including certain data/information (e.g., names, metrics) when using generative AI tools due to concerns over security or privacy.”  

The companies behind these AI tools also have yet to win over Baby Boomers, as 87% said they “disagree” or “strongly disagree” that they “trust generative AI companies to be transparent about potential biases in their systems.” 

Perhaps this nearly uniform distrust in generative AI—in the technology itself, in its implementation, and in its developers—is at the root of a broad disinterest from Baby Boomers. An enormous share of this population, at 71%, said they had never used these tools before.  

The statistic is difficult to believe, primarily because Google began powering everyday search requests with its own AI tool back in May 2024. Now, when users ask a simple question on Google, they will receive an “AI overview” at the top of their results. This functionality is powered by Gemini—Google’s own tool that, much like ChatGPT, can generate images, answer questions, fine-tune recipes, and deliver workout routines.  

Whether or not users know about this, and whether they consider this “using” generative AI, is unclear. What is clear, however, is that a generative AI tool created by one of the largest companies in the world is being pushed into the daily workstreams of a population that is unconvinced, uncomfortable, and unsold on the entire experiment.  

****Few paths to improvement**  **

Coupled with the high levels of distrust that Baby Boomers have for generative AI are widespread feelings that many corrective measures would have little impact.  

Baby Boomers were asked about a variety of restrictions, regulations, and external controls that would make them “feel more secure about using generative AI tools,” but few of those controls gained mass approval.  

For instance, “detailed reports on how data is stored and used” only gained the interest of 44% of Baby Boomers, and “government regulation” ranked even lower, with just 35% of survey participants. “Regular security audits by third parties” and “clear information on what data is collected” piqued the interest of 52% and 53% of Baby Boomers, respectively, but perhaps the most revealing answers came from the suggestions that the survey participants wrote in themselves.  

Several participants specifically asked for the ability to delete any personal data ingested by the AI tools, and other participants tied their distrust to today’s model of online corporate success, believing that any large company will collect and sell their data to stay afloat. 

But frequently, participants also said they could not be swayed at all to use generative AI. As one respondent wrote:  

“There is nothing that would make me comfortable with it.”    

Whether Baby Boomers represent a desirable customer segment for AI developers is unknown, but for many survey participants, that likely doesn’t matter. It’s already too late.

 AI is everywhere, and Boomers don’t trust it  

PRESS RELEASE

SAN FRANCISCO, Nov. 4, 2024 /PRNewswire/ -- Bugcrowd, the leader in crowdsourced security, today announced the addition of Trey Ford as Chief Information Security Officer for the Americas, to the leadership team.

Trey is a seasoned strategic advisor and security thought leader with over 25 years of experience in offensive and defensive security disciplines. Trey has held key leadership roles at Deepwatch, Vista Equity Partners, Salesforce, Black Hat, and more. He has also been a valued member of Bugcrowd's advisory board for over a decade.

Trey is passionate about working with enterprise leaders, corporate directors, and investors to help teams strengthen their technology and execution strategy.

"I'm really looking forward to joining this amazing Bugcrowd team and this fast-growing, dynamic organization that continues to execute on its compelling vision for the future of cybersecurity, based on the ingenuity of the crowd," Ford said. "I've always believed in taking a hands-on approach to building, breaking, and deconstructing security problems to first principles -- I intend to continue applying that same mindset here at Bugcrowd."

"Trey's addition to our team marks a pivotal moment for enhancing our operational capabilities in the Americas region," said Nick McKenzie, Chief Information and Security Officer of Bugcrowd. "His leadership and offensive security expertise, coupled with his ability to help us connect with and support customers, will elevate the team's capabilities to new heights—a timely appointment with our current business momentum."

Bugcrowd also announced the availability of Bugcrowd Continuous Attack Surface Pentesting as a Service Subscription, a new way to consume pen testing. By using this subscription model, customers can enjoy the flexibility and predictability of pre-paid capacity on the Bugcrowd Platform to be drawn-down on demand.

In addition, Bugcrowd announced an additional growth capital facility of $50 million from Silicon Valley Bank in October. The new financing will further scale Bugcrowd's AI-powered platform globally, fund continued innovation into the Bugcrowd Platform, and leverage opportunities for strategic M&A, providing added value to clients, partners, and the hacker community.

"We are extremely excited by the rapid growth and market momentum that Bugcrowd has achieved so far this year," said Dave Gerry, Chief Executive Officer of Bugcrowd. "We believe we are putting together the world's strongest combination of people and technologies to deliver on the powerful insights provided by elite hackers operating on our global Platform."

The Bugcrowd Platform connects organizations with trusted security researchers and hackers to help proactively defend themselves against sophisticated threats. For over a decade, Bugcrowd's unique "skills-as-a-service" approach has uncovered more high-impact vulnerabilities than traditional methods, along with clearer ROI, for more than 1,200 customers – including OpenAI, Google, T-Mobile, Carvana, the US Department of Defense's Chief Digital and Artificial Intelligence Office (CDAO), ExpressVPN, Rapyd, New Relic, and OpenSea. With unmatched flexibility and access to a decade of vulnerability intelligence, the Bugcrowd Platform has evolved to address a changing attack surface influenced by adoption of mobile infrastructure, hybrid work, APIs, crypto, cloud workloads, and AI. Bugcrowd's crowdsourced solutions include penetration-testing-as-a-service, managed bug bounties, vulnerability disclosure programs (VDPs), and AI Safety and Security products.

To learn more about how the Bugcrowd platform can help your organization fight against today's evolving cyberattacks, visit here.

To download a copy of the Inside the Mind of a Hacker 2024 report, click here.

About Bugcrowd

We are Bugcrowd. Since 2012, we've been empowering organizations to take back control and stay ahead of threat actors by uniting the collective ingenuity and expertise of our customers and trusted alliance of elite hackers, with our patented data and AI-powered Security Knowledge Platform™. Our network of hackers brings diverse expertise to uncover hidden weaknesses, adapting swiftly to evolving threats, even against zero-day exploits. With unmatched scalability and adaptability, our data and AI-driven CrowdMatch™ technology in our platform finds the perfect talent for your unique fight. We are creating a new era of modern crowdsourced security that outpaces threat actors.

Unleash the ingenuity of the hacker community with Bugcrowd, visit www.bugcrowd.com. Read our blog.

Bugcrowd Names Trey Ford as CISO

A vulnerability found in the Really Simple Security plug-in allows an attacker to remotely gain access to any account on an affected website, including the administrator, when 2FA is enabled.

Source: Primakov via Shutterstock

A WordPress plug-in installed on more than 4 million websites exposes them to full administrative takeover through a scripting flaw that potentially can be used to launch large-scale automated attacks against multiple sites.

Researchers from Wordfence called the authentication bypass flaw "one of the more serious vulnerabilities" that they have ever identified, uncovering it earlier this month in a plug-in from Really Simple Security that provides WordPress security features for sites, according to a recent blog post. The flaw, rated with a critical CVSS score of 9.8, affects the Really Simple Security Pro and Pro Multisite plug-ins, versions 9.0.0 to 9.1.1.1.

"The vulnerability makes it possible for an attacker to remotely gain access to any account on the site, including the administrator account, when the two-factor authentication (2FA) feature is enabled," Wordfence security researcher Istvan Marton wrote in the post.

The flaw exists due to improper user check error handling in the two-factor REST API actions with the "check\_login\_and\_get\_user" function, according to Wordfence. Moreover, because the flaw is scriptable, it can be weaponized against numerous WordPress sites simultaneously in an automated way.

Due to the critical nature of the bug, Wordfence acted quickly after discovering the flaw on Nov. 6 to work with the Really Simple Security team to mitigate it. After immediately disclosing the flaw to the vendor, a patched update, version 9.1.2, was released publicly on Nov. 12. Then, on Wordfence's advice, Really Simple Security force-updated all sites running the plug-in two days later.

Related:Akamai Reports Third Quarter 2024 Financial Results

Still, Wordfence recommended that any administrator with a site that uses the plug-in confirm that it has been automatically updated to the patched version, as "it appears that sites without a valid license may not have auto-updates functioning," Marton noted in the post.

**New 'Really Simple Security' Feature Introduces Flaw**

The Really Simple Security plug-in was formerly known as Really Simple SSL; it was renamed in its latest major version update, which also expanded the plug-in with security features such as log-in protection, vulnerability detection, and 2FA.

During this revamp, one of the features adding 2FA "was insecurely implemented" to introduce the flaw, which allows an attacker to create a simple request to gain access to any user account with 2FA on.

Specifically, the plug-in uses the skip\_onboarding() function in the Rsssl\_Two\_Factor\_On\_Board\_Api class to handle authentication via REST API that returns a WP\_REST\_Response error in case of a failure. However, this is not handled within the function, which "means that even in the case of an invalid nonce, the function processing continues and invokes authenticate\_and\_redirect()," Marton wrote. This "authenticates the user based on the user id passed in the request, even when that user’s identity hasn’t been verified," he wrote.

Related:DHS Releases Secure AI Framework for Critical Infrastructure

Ultimately, this makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plug-in.

"As always, authentication bypass vulnerabilities and resulting access to high privileged user accounts make it easy for threat actors to completely compromise a vulnerable WordPress site and further infect it," Marton explained.

**Wordfence: Spread the Word, Check Your Plug-ins**

Due to its widespread use as a foundation for millions of websites, the WordPress platform and its plug-ins especially are a notoriously popular threat target for threat actors, giving them easy access to a broad attack surface. Attackers particularly like to exploit singular plug-ins with large install bases, making flaws like the one found in Really Simple Security's plug-in an attractive target.

Related:Microsoft Pulls Exchange Patches Amid Mail Flow Issues

Even though most sites using the plug-in should have been updated already, Wordfence still advises that users spread the word to ensure the broadest patch coverage possible due to the critical nature of the flaw.

"If you know someone who uses these plugins on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk," Marton wrote in the post.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Critical WordPress Plug-in Flaw Exposes 4M Sites to Takeover

Companies that recognize current market opportunities — from the need to safely implement revolutionary technology like AI to the vast proliferation of cyber threats — have remarkable growth prospects.

Source" Brian Jackson via Alamy Stock Photo

Companies have never faced a wider and more dynamic array of cyber threats than they do right now. From rapidly rising costs associated with data breaches and other cyberattacks to the exploitation of artificial intelligence (AI) to make attacks more effective than ever, the cyber-threat landscape is constantly evolving. This has led to a drastic increase in cybersecurity spending, as well as a wave of innovation in the sector.

As cyberattacks become more targeted and sophisticated, there is a vast and growing market for solutions that help companies address their most vulnerable attack vectors. For example, cybercriminals often steal account names, passwords, and other credentials to launch attacks, which is why identity and access management have become key priorities for companies across many industries. Cybercriminals are also using AI resources such as LLMs to target employees with advanced social engineering attacks that allow them to infiltrate secure networks and steal information.

Cybercriminals and other bad actors such as hostile foreign governments are more motivated than ever to develop powerful cyber capabilities that enable them to hijack data, disrupt operations, and bypass existing cybersecurity protocols. This trend will only gain momentum, and revolutionary technology like AI will function as a force multiplier that makes cyberattacks more destructive and difficult to detect. This is why the cybersecurity industry will continue to see unprecedented demand and investment in the coming years.

**A New Era of Cyberattacks**

Companies are investing heavily in cybersecurity — according to a PwC survey, 77% of companies plan to increase their cyber budgets, while Gartner has projected that information security spending will spike by 15% in 2025. However, these investments haven't yet turned the tide against the onslaught of cyberattacks that are inflicting increasingly severe financial, reputational, and operational costs on companies. A 2024 IBM report found that the average cost of a data breach hit $4.88 million globally this year, a record high and a 10% increase from 2023.

The 2024 Allianz Risk Barometer found that cyber incidents are the top global business risk for the "first time and by a clear margin" — a finding that applies to companies of all sizes. AI is a key driver of this trend, as it has lowered the barriers to entry for cybercriminals around the world. For example, large language models (LLMs) allow cybercriminals to launch advanced phishing attacks regardless of their language skills or technical ability. Hostile foreign governments are using AI to launch cyberattacks as well — Microsoft reported that Russia, North Korea, and China are all using AI for surveillance, scripting, and social engineering.

As cyber threats become more dangerous and dynamic, the market for robust solutions will continue to expand. Companies in the sector will have to leverage emerging technology like AI and develop cybersecurity solutions that address specific vulnerabilities more effectively than their competitors.

**Opportunities in the Cybersecurity Market**

The cybersecurity industry has seen significant fragmentation in recent years as the demand for specialized solutions increases. Particular categories of cyberattacks, such as phishing, call for targeted solutions capable of countering the latest cybercriminal tactics. IBM reported that phishing is one of the most common and financially destructive initial attack vectors, which means cybercriminals are using it to gain access and launch broader cyberattacks. A major goal of phishing attacks is credential theft, which is why stolen or compromised credentials are involved in initial attacks more often than any other individual factor.

Companies like Strata help customers resist phishing attacks and other forms of credential theft with holistic identity and access management solutions. The reliance on legacy systems is one of the most urgent cybersecurity challenges many companies face — a challenge that has become all the more daunting due to the growing risk posed by third-party vendors and other partners. Supply chain cyberattacks are becoming increasingly common — Verizon found that there was a 68% increase in "supply chain interconnection" involved in breaches between 2023 and 2024.

Integrated cybersecurity solutions are critical, as cybercriminals and other bad actors need only  a single access point to infiltrate an organization. Solutions that help customers modernize their cybersecurity infrastructure for the evolving cyber-threat landscape are becoming more vital. Chief information security officers (CISOs) and other cybersecurity leaders need access to simplified solutions that break down silos between IT and security teams, meet increasingly stringent compliance demands, and help them evaluate and address vulnerabilities.

**Maximizing the Impact of Emerging Technology**

While AI is propelling a new wave of cyberattacks, it can also be harnessed to keep companies safer. Companies can use AI to simulate cyberattacks, detect malicious activity, prioritize cyber threats and potential vulnerabilities, and protect data across many different environments. However, AI still faces significant trust issues, due to problems like hallucinations (when LLMs present false information as accurate) and the existence of "black box" machine learning algorithms that don't provide any transparency into their decision-making processes.

According to a recent survey of 6,000 knowledge workers, 54% of AI users don't trust the data used to train AI systems — and more than two-thirds of these workers say they're hesitant to adopt AI. Meanwhile, laws and regulations around AI are becoming stricter all the time. For example, the EU AI Act requires companies to mitigate systemic risks, report cyber incidents, and focus on cybersecurity in their AI implementations.

While the AI trust gap is hindering adoption of the technology and regulations are becoming tougher, this opens a market for companies that provide end-to-end AI governance. At a time when AI adoption is skyrocketing, companies need the infrastructure necessary to ensure compliance and monitor AI systems for potential cyber threats. IBM found that 82% of executives believe "secure and trustworthy AI is essential to the success of their business," but less than a quarter of generative AI projects are being secured.

From the need to safely implement technology like AI to the vast proliferation of cyber threats (many of which are being powered by that very same technology), the cybersecurity industry has reached an inflection point. The companies that recognize these market opportunities have remarkable growth prospects in the coming years.

**About the Author**

General Partner, Titanium Ventures

Marcus Bartram is General Partner at Titanium Ventures (former Telstra Ventures), a San Francisco-based VC firm that differentiates by generating revenue for its portfolio with strategic channel partners and customer relationships as well as by using data science to drive its investment process. Marcus is on the founding team and has led investments in cybersecurity companies like CrowdStrike, Auth0, Anomali, Cequence, CloudKnox, Cofense, CyberGRX, Elastica, vArmour, and Zimperium.

Why the Demand for Cybersecurity Innovation Is Surging

Another day, another hack at T-Mobile! This time, Chinese state-sponsored group Salt Typhoon hacked T-Mobile, targeting US telecoms…

Another day, another hack at T-Mobile! This time, Chinese state-sponsored group Salt Typhoon hacked T-Mobile, targeting US telecoms in a breach spree. The attack exposes vulnerabilities in telecom infrastructure and security.

T-Mobile has become the latest major telecommunications company to fall victim to a large-scale cyberespionage campaign linked to Chinese state-sponsored hackers. The group responsible for the hacking is identified as Salt Typhoon.

This was revealed on 15 November 2024, just a day after the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) **issued a joint advisory** detailing a sophisticated cyberespionage campaign by state-sponsored Chinese hackers that has successfully infiltrated US telecommunications networks.

The advisory confirmed that Chinese state-sponsored actors had compromised the networks of multiple telecommunications providers to steal customer data and intercept private communications.   

****T-Mobile Breach****

According to the Wall Street Journal **report**, hackers were able to breach T-Mobile’s systems and gain access to valuable intelligence, including the cellphone communications of high-value targets,

The group used advanced techniques to infiltrate American telecom infrastructure, including Cisco Systems routers, artificial intelligence or machine learning for their espionage activities and likely obtained call logs, unencrypted texts, and audio from targets, possibly posing national security risks.

While T-Mobile has maintained that no sensitive customer data has been compromised, the possible implications of this breach are hard to ignore. The hackers may have gained access to sensitive information about law enforcement surveillance requests, call records of specific customers, and even private communications of targeted individuals.

“T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information,” a company spokeswoman told Hackread.com. “We will continue to monitor this closely, working with industry peers and the relevant authorities.”

****Salt Typhoon****

Hackread.com has been following Salt Typhoon’s activities and has observed that this group has been particularly interested in the wiretap systems that telecom companies are legally obligated to maintain for law enforcement purposes.

In October 2024, it was reported that **Salt Typhoon hacked AT&T and Verizon** to access wiretap data. This data, essential for government-mandated surveillance, is a prime target for cybercrime groups seeking to exploit vulnerabilities and gain access to sensitive information.

****T-Mobile Keeps Getting Breached****

It’s important to note that T-Mobile’s cybersecurity practices have received massive **criticism lately** given the frequency of data breaches it has been experiencing. The company settled a $31.5 million FCC settlement for prior breaches, half of which was for security infrastructure improvement.

T-Mobile, owned by Deutsche Telekom, has faced particularly challenging years due to repeatedly being targeted by data breaches. **Back in August 2021**, the company lost data of 49 million T-Mobile account holders, whereas the hackers claimed they stole data of 100 million users.

T-Mobile has also experienced at least six reported data breaches (**1, 2, 3, 4, 5**, **6**) between 2015 and 2023, making it safe to say that a cybersecurity year without a T-Mobile security incident is a rare occurrence.

Nevertheless, the latest T-Mobile breach shows that the company needs to rethink its entire approach to cybersecurity. Telecom companies should focus on stronger security, invest in better threat detection systems, and use reliable encryption to handle cyber threats effectively.

1.  8220 Gang Targets Telecom in Cryptojacking Attack
2.  IoT Botnet DDoS Attacks Threaten Telecom Networks, Nokia
3.  Hackers Breach TPG Telecoms’ Email Host to Steal Client Data
4.  Minor arrest over A1 Telecom data breach and ransom demand
5.  Telecom giant behind routing SMS discloses 5-year-long breach

Chinese Salt Typhoon Hacked T-Mobile in US Telecom Breach Spree

Frenos offers a zero-impact, continuous security assessment platform for operational technology environments.

Source: Zoonar GmbH via Alamy Stock Photo

Continuous security assessment platform newcomer Frenos narrowly edged out the competition to win this year's DataTribe Challenge, held by seed-stage venture capital firm DataTribe.

Four finalists were chosen from hundreds of pre-seed and seed stage cybersecurity and data science startups, and each got to present their case during Wednesday's Challenge Finalists Event. In addition to splitting part of a $25,000 prize, finalists were given the opportunity to present their business to a panel of judges, investors and industry leaders. Finalists also received one-on-one messaging and strategy coaching from DataTribe.

When evaluating the finalists, whether the company has the right team in place — and if they're truly experts in their field — plays a big part, says DataTribe's chief innovation officer Leo Scott. The judges also evaluate the addressable market for each company’s offering and how well they meet that need. 

Frenos, based in Charlotte, N.C., has both.

The startup created a zero-impact, continuous security assessment platform for operational technology environments, giving OT organizations the ability to perform attack simulations and penetration testing. 

"They are truly leading experts in the OT environment," Scott says. "And if you look into the geopolitical landscape, it is a pretty important space, from broad national security to literally keeping the lights on."

The list of finalists include Austin, Tex.-based DataMonstr, New Jersey-based Force Field, and San Francisco-based Validia.

*   DataMonstr provides protection to the developer environment, both at developer endpoints and at the source code repository level. 
    
*   Force Field offers a system to verify the authenticity of photos, videos and audio to reduce fraud in areas like insurance claims. 
    
*   Validia provides real-time identify verification to combat deepfakes and impersonation in remote work environments. 
    

For Brian Proctor, founder and CEO of Frenos, participating in the competition has helped the company on its road to landing seed funding. 

"One of the great things about it, which we really liked, is that every finalist is assigned an advisor from DataTribe. So they really work hand in hand with you to refine the pitch, get feedback on your presentation," says Proctor. "We had an excellent advisor, David, who was part of our team. Honestly, without David, I'm not sure what the outcome would have been. He was a huge help."

DataTribe has invested in eight of the finalists of its six previous competitions, and more than 20 companies have received funding after participating in the competition, Scott says.

Check out what DataTribe's Leo Scott had to say regarding the DataTribe Challenge in this Dark Reading News Desk segment from Black Hat USA 2024.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Frenos Takes Home the Prize at 2024 DataTribe Challenge

Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia.

Tag

#cisco