Posing as an application used to locate Ukrainian military recruiters, a Kremlin-backed hacking initiative delivers malware, along with disinformation designed to undermine sign-ups for soldiers in the war against Russia.

Bumble Dee Via Alamy Stock Photo

Ukrainian efforts to recruit new soldiers to serve in its military in the country's war against Russia is under a two-pronged cyberattack by Kremlin-backed threat actors.

Researchers at Google's Threat Intelligence Group (TAG) and Mandiant have tracked down an active campaign that uses a spoofed version of the legitimate Ukrainian-language tool "Civil Defense," a crowdsourced mapping tool used to locate military recruiters. Attackers are using the fake version to perform dual malicious actions — dropping malware and delivering misinformation.

The hybrid op, which researchers named UNC5812, uses a Telegram channel to lure perspective recruits to a download the malicious version of "Civil Defense" from a spoofed site, outside of the confines of Google Play. Once downloaded, the application drops Windows and Android malware.

**Russian Opp Uses Malware With a Side of Social Engineering**

Windows users who make their way to the fake "Civil Defense" site to download the tool will be delivered the Pronsis Loader, which then starts a chain to deliver a malicious mapping application called Sunspinner, as well as an infostealer called Purestealer.

Android users, on the other hand, get a common user backdoor called Craxsrat, in addition to Sunspinner.

"Notably, the Civil Defense website also contains an unconventional form of social engineering designed to preempt user suspicions about APK delivery outside of the App Store and justify the extensive permissions required for the Craxsrat installation," the report noted. "The website's FAQ contains a strained justification for the Android application being hosted outside the App Store, suggesting it is an effort to 'protect the anonymity and security' of its users, and directing them to a set of accompanying video instructions."

The video also provides instructions on how to disable Google Play Protect.

"While the Civil Defense website also advertises support for macOS and iPhones, only Windows and Android payloads were available at the time of analysis," the report said.

Sunspinner, a decoy graphical user interface (GUI) application written using the Flutter framework, offers functionality aimed to convince victims that the application is legitimate.

"Consistent with the functionality advertised on the \[legitimate\] Civil Defense website, Sunspinner is capable of displaying crowdsourced markers with the locations of the Ukrainian military recruiters, with an option for users to add their own markers," according to the Google TAG analysis. But the fake map offers only fake locations: "However, despite possessing the limited functionality required for users to register and add markers, the displayed map does not appear to have any genuine user inputs. All markers present \[were pulled from the attacker's C2 and\] were added on the same day by the same user."

**Parallel Anti-Mobilization Effort Against Ukrainian Military**

In tandem with the espionage effort, the other goal of the Russian fake Civil Defense campaign is to deliver disinformation aimed at suppressing Ukraine's military mobilization effort for the war. The malicious versions of Civil Defense's site and Telegram have pushed out videos with incendiary, anti-Ukrainian-military titles like, "Unfair Actions From Territorial Recruitment Centers," the TAG Mandiant report added.

Users who click on the button provided by the Russian hacker-operated site to "Send Material," ostensibly to discredit recruitment efforts, are automatically fed an attacker-controlled chat thread," the report said. "Anti-mobilization content cross-posted to the group's website and Telegram channel appears to be sourced from wider pro-Russian social media ecosystems. In at least one instance, a video shared by UNC5812 was shared a day later by the Russian Embassy in South Africa's X account."

Russia has consistently used cyberattacks as part of its war strategy against Ukraine, as well as against other governments, including a recent distributed denial-of-service (DDoS) cyberattack campaign against shipping ports in Japan. Russian hackers have also been working feverishly to distribute disinformation ahead of the US 2024 election. The threat group currently understood to be most actively, and directly, supporting Russian military activities in Ukraine is Sandworm, but, as this newly uncovered "Civilian Defense" campaign highlights, that's just one of many hacker groups doing the Kremlin's dirty work in cyberspace.

Russia Kneecaps Ukraine Army Recruitment With Spoofed 'Civil Defense' App

Four members of the notorious REvil ransomware group have been sentenced to prison terms in Russia. This development…

Four members of the notorious REvil ransomware group have been sentenced to prison terms in Russia. This development marks a major step in the global fight against cybercrime. Learn more about the REvil ransomware gang and the recent sentencing.

Four members of the notorious REvil ransomware gang (also known as Sodinokibi) have been sentenced to prison terms in Russia. This is a rare example of Russian authorities taking action against cybercriminals especially a ransomware group operating within their borders.

The St. Petersburg Garrison Military Court found Artem Zayets, Aleksey Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov guilty of various cybercrimes, including illegal circulation of payment means and malware distribution.

The convicted individuals were part of a larger group of 14 people initially detained in connection with the REvil case. The REvil group, once a prolific threat actor, was dismantled following the arrest of several members by Russian authorities.

Revil ransomware gang aka Sodinokibi’s dark web leak site and ransomware note

“All defendants have been in custody since early 2022. They have not admitted their guilt. The arrests of the alleged REvil members, who are called pro-Russian cybercriminals in the Western press, took place in several regions of the Russian Federation in June 2021,” Russian news outlet Kommersant reported.

The investigation, initiated by a request from U.S. law enforcement, revealed the group’s involvement in high-profile cyberattacks targeting international technology companies, Spanish Telecom firm MasMovil, Kaseya, US nuclear weapons contractor, and many more.

The four individuals received prison sentences ranging from 4.5 to 6 years. This outcome is particularly noteworthy considering that Russia has often been perceived as a haven for cybercriminals.

The sentencing of these REvil members follows a wider crackdown on cybercrime in Russia. Earlier this year, Russian authorities also initiated investigations into the Cryptex and UAPS groups, known for providing money laundering services to cybercriminals.

In addition, it follows the sentencing of Yaroslav Vasinskyi, a 24-year-old Ukrainian national, to 13 years in prison in the U.S. for his involvement in over 2,500 REvil ransomware attacks.

It is important to note that the Russian government’s actions against REvil came amidst increased international pressure, particularly from the United States after 2021 when the gang targeted over 1,000 businesses worldwide.

1.  REvil ransomware gang goes dark after Tor sites hack
2.  REvil gang hits UK ITSPs with extortion-based DDoS attacks
3.  REvil ransomware is back after disappearing amid Kaseya attack
4.  Universal decryptor key for Sodinokibi, REvil ransomware released
5.  Cardiologist Charged for Developing Jigsaw v.2, Thanos Ransomware

Russian Court Jails Four REvil Ransomware Gang Members

A report distributed by the US Department of Homeland Security warned that financially motivated cybercriminals are more likely to attack US election infrastructure than state-backed hackers.

Russian, Chinese, and Iranian state-backed hackers have been active throughout the 2024 United States campaign season, compromising digital accounts associated with political campaigns, spreading disinformation, and probing election systems. But in a report from early October, the threat-sharing and coordination group known as the Election Infrastructure ISAC warned that cybercriminals like ransomware attackers pose a far greater risk of launching disruptive attacks than foreign espionage actors.

While state-backed actors were emboldened following Russia's meddling in the 2016 US presidential election, the report points out that they favor intelligence-gathering and influence operations rather than disruptive attacks, which would be viewed as direct hostility against the US government. Ideologically and financially motivated actors, on the other hand, generally aim to cause disruption with hacks like ransomware or DDoS attacks.

The document was first obtained by the national security transparency nonprofit Property of the People and viewed by WIRED. The US Department of Homeland Security, which contributed to the report and distributed it, did not return WIRED's requests for comment. The Center for Internet Security, which runs the Election Infrastructure ISAC, declined to comment.

“Since the 2022 midterm elections, financially and ideologically motivated cyber criminals have targeted US state and local government entity networks that manage or support election processes,” the alert states. “In some cases, successful ransomware attacks and a distributed denial-of-service (DDoS) attack on such infrastructure delayed election-related operations in the affected state or locality but did not compromise the integrity of voting processes … Nation-state-affiliated cyber actors have not attempted to disrupt US elections infrastructure, despite reconnaissance and occasionally acquiring access to non-voting infrastructure."

According to DHS statistics highlighted in the report, 95 percent of “cyber threats to elections” were unsuccessful attempts by unknown actors. Two percent were unsuccessful attempts by known actors, and 3 percent were successful attempts “to gain access or cause disruption.” The report emphasizes that threat intelligence sharing and collaboration between local, state, and federal authorities help prevent breaches and mitigate the fallout of successful attacks.

In general, government-backed hackers may stoke geopolitical tension by conducting particularly aggressive digital espionage, but their activity isn't inherently escalatory so long as they are abiding by espionage norms. Criminal hackers are bound by no such restrictions, though they can call too much attention to themselves if their attacks are too disruptive and risk a law enforcement crackdown.

The report cites an incident from March, for example, in which an unnamed US county “experienced a ransomware attack that forced it to purchase new network devices and reconnect to the state-level election system.” If such an attack occurred on or around Election Day, it could meaningfully disrupt voting.

More broadly, domestic security concerns in connection with the 2024 election have skyrocketed, fostering what DHS calls a “heightened threat environment.” Reporting by WIRED this month revealed that the agency has been issuing warnings to law enforcement across the US since summer, alarmed by the efforts of some extremists to mobilize and commit actual violence against elected officials, while targeting US voter ballots for destruction.

Other warnings show that concern is mounting over propaganda calling for Americans to engage in “civil war,” a narrative that DHS fears is raising the risk of domestic attacks. Threats tied to what the government calls “immigration-related grievances”—including the false narrative of “migrant invasion,” which is core to Donald Trump’s reelection efforts—have escalated this year, while expanding to ensnare federal judges and US border patrol officers deemed “traitors” among some antigovernment groups.

“Targeted violence and terrorism associated with ideologically motivated individuals will continue to be a threat through the 2024 election cycle,” says another intelligence report also obtained by WIRED. It warns, meanwhile, that “insider threats” affiliated with US election systems will “likely be an issue.”

Cybercriminals Pose a Greater Threat of Disruptive US Election Hacks Than Russia or China

This article details a new campaign by TeamTNT, a notorious hacking group, leveraging exposed Docker daemons to deploy…

This article details a new campaign by TeamTNT, a notorious hacking group, leveraging exposed Docker daemons to deploy malware, using compromised servers and Docker Hub to spread their attacks. They also use cryptomining to earn money from their victims’ computational power.

Cybersecurity researchers at Aqua Nautilus have discovered a new hacking campaign by Adept Libra (aka TeamTNT), targeting exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers. 

TeamTNT is a notorious hacking group known for aggressive and persistent attacks on cloud-native environments. The group is known for exploiting vulnerabilities in Docker daemons and Kubernetes clusters to deploy malware and hijack resources for cryptocurrency mining.

In a recent campaign, TeamTNT compromised a legitimate Docker Hub account (nmlm99) to host malicious software, uploading around 30 images divided into two categories: infrastructure and impact. The infrastructure images are used to spread malware, while the impact images focus on mining cryptocurrency or renting out computing power.

Attack flow and TeamTNT’s signature

TeamTNT is using Docker Gatling Gun, which scans a massive range of IP addresses (around 16.7 million) for vulnerabilities in Docker daemons running on specific ports (2375, 2376, 4243, and 4244). If a vulnerability is found, a container from a compromised TeamTNT Docker Hub account is deployed, running a minimal Alpine Linux operating system and executing a malicious script called “TDGGinit.sh”. This script likely sets the stage for further malicious activity on the compromised system.

“TeamTNT deploys among other a local search of keys and credentials, such as SSH, cloud metadata server calls etc. Once they gain access, they store and disseminate their malware through these accounts,” the report read.

To evade detection, TeamTNT employs the Sliver malware, a more advanced and stealthier tool compared to their previous tool, Tsunami. They also use familiar names like Chimaera and Bioset to blend in with legitimate processes. Additionally, they steal credentials and scan networks for further targets.

For command and control, TeamTNT relies on web servers, Docker Hub, and various communication protocols like DNS, mTLS, and potentially proxies. Ultimately, their goal is to hijack resources for cryptocurrency mining or sell access to the compromised systems.

To mine cryptocurrency, such as Monero, TeamTNT uses various mining software, including XMRig, T-Rex, CGMiner, BFGMiner, and SGMiner. They often optimize mining operations by targeting specific hardware and software configurations. 

This campaign shows TeamTNT’s ability to adapt and evolve, urging organizations to be alert and upgrade their cybersecurity. The group is highly skilled and motivated and is not afraid to take risks. To protect against TeamTNT risks, organizations must invest in strong security practices, including software updates and network infrastructure security.

1.  **Google Kubernetes Engine Flaws Could Allow Cluster Takeover**
2.  **OracleIV DDoS Botnet Malware Hits Docker Engine API Instances**
3.  **Malware Exploits 9Hits, Turns Docker Servers into Crypto Miners**
4.  **Linux Malware Alert: Spinning YARN Hits Docker, Other Key Apps**
5.  **Cryptomining, Malware Flourish on Exposed Kubernetes Clusters**

TeamTNT Exploits 16 Million IPs in Malware Attack on Docker Clusters

SafeBreach Labs unveils ‘Windows Downdate,’ a new attack method which compromises Windows 11 by downgrading system components, and…

SafeBreach Labs unveils ‘Windows Downdate,’ a new attack method which compromises Windows 11 by downgrading system components, and reviving old/ptched vulnerabilities like the DSE bypass.

In a recent research, SafeBreach Labs researcher Alon Leviev exposed a new attack technique that could compromise the security of fully patched Windows 11 systems. This technique, dubbed Windows Downdate, involves manipulating the Windows Update process to downgrade critical system components, effectively resurrecting previously patched vulnerabilities. 

The attack was initially reported in August 2024 at Black Hat USA 2024 and DEF CON 32. Researchers have now published additional details to enhance public understanding of the attack.

One such vulnerability is the “ItsNotASecurityBoundary” Driver Signature Enforcement (DSE) bypass, which allows attackers to load unsigned kernel drivers. This bypass allows attackers to replace a verified security catalogue with a malicious version, enabling the loading of unsigned kernel drivers.

According to SafeBreach’s blog post shared with Hackread.com ahead of publishing on Saturday, by leveraging Windows Downdate, attackers can target specific components, such as the “ci.dll” module essential for parsing security catalogues, and downgrade them to a vulnerable state, enabling the exploitation of this bypass and gaining kernel-level privileges. 

For your information, the “ItsNotASecurityBoundary” DSE bypass is part of a new class of flaws called False File Immutability (FFI), exploiting incorrect assumptions about file immutability, allowing “immutable” files to be modified by clearing the system’s working set. 

Leviev outlines the steps to exploit vulnerabilities in Windows systems with different levels of Virtualization-Based Security (VBS) protection. They identified multiple ways of disabling VBS key features, including features like Credential Guard and Hypervisor-Protected Code integrity (HVCI), even with UEFI locks for the first time. 

> _“To my knowledge, this is the first time VBS’s UEFI locks have been bypassed without physical access. As a result, I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term “fully patched” meaningless on any Windows machine in the world.”_
> 
> Alon Leviev

To exploit a system without UEFI lock, an attacker must disable VBS by modifying registry settings. Once disabled, they can downgrade the ci.dll module to a vulnerable version and exploit the “ItsNotASecurityBoundary” vulnerability.

For systems with UEFI lock, the attacker must invalidate the SecureKernel.exe file to bypass VBS protection. However, VBS with UEFI Lock and “Mandatory” Flag” was the securest configuration, preventing VBS from being disabled even if the lock is bypassed. Researchers explain that currently there is no known way to exploit a system with this level of protection without physical access.

Nevertheless, this Windows Update takeover capability poses a major threat to organizations by allowing attackers to load unsigned kernel drivers, enable custom rootkits to neutralize security controls, hide processes, and maintain stealth. 

Attackers can craft custom downgrades for critical OS components, including DLLs, drivers, and even the NT kernel. By downgrading these components, the attacker can expose previously patched vulnerabilities, making the system susceptible to exploitation.

To mitigate the risks, organizations should keep systems up-to-date with the latest security patches to address vulnerabilities. It is essential to deploy robust endpoint detection and response (EDR) solutions to detect and respond to malicious activity, including downgrade attempts, and implement strong network security measures to prevent unauthorized access and data breaches. In addition, enabling VBS with UEFI lock and the “Mandatory” flag can provide additional protection against attacks.

1.  Decade-Old Linux Flaw Exploited for DDoS Attacks on CUPS
2.  7-Year-Old Pre-Installed Google Pixel App Flaw Puts Millions at Risk
3.  7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike
4.  Windows SmartScreen Flaw Open Data Theft in Major Stealer Attack
5.  Black Hat USA: AWS Bucket Monopoly Flaw Led to Account Takeover

New Attack Lets Hackers Downgrade Windows to Exploit Patched Flaws

A hacker leaked the personal data of 180,000 Esport North Africa users just before the tournament. While no…

A hacker leaked the personal data of 180,000 Esport North Africa users just before the tournament. While no financial details were exposed, users are advised to change passwords and stay alert for phishing attacks.

The hacker, known as “Shooked,” leaked the personal details of over 180,000 Esport North Africa (ESNA) users just one day before the tournament is set to begin in Morocco. The 3 GB data dump, which Shooked claims is the “full database,” was released on **Breach Forums** on the morning of Wednesday, October 23, 2024. The ESNA tournament is scheduled to start on Thursday, October 24th.

Screenshot from the targeted site

For context, Esport North Africa (ESNA – Electronic Sports North Africa) is a platform designed to promote competitive gaming and esports development across the North African region. It organizes tournaments in popular games such as FC25, Free Fire, Street Fighter 6, and other competitive titles, providing opportunities for gamers to showcase their skills.

The leaked data was analyzed by the Hackread.com research team and contains over 9 million lines. However, after the removal of duplicate entries, the total number of unique user records stands at 180,000. This data includes the following information:

*   **User ID**
*   **Country**
*   **Usernames**
*   **IP addresses**
*   **Timestamp**
*   **Session ID**
*   **WordPress URLs**
*   **Email addresses (179,224)**

and other details…

Hacker on Breach Forum and sample data (Screenshot: Hackread.com)

While the leaked data does not include passwords or financial details, the breach appears legitimate. However, final confirmation is pending a response from the organization, which Hackread.com has reached out to for comment.

Cyberattacks on gaming companies and gamers are not new, as they are often lucrative targets for criminals. Last year, Akamai’s research revealed how hackers used **the Dark Frost Botnet** to target gaming companies and players, compromising devices to execute DDoS attacks.

If you have an account on ESNA (ESNA.GG), it’s recommended to change your password as a precaution. Additionally, be cautious of potential phishing emails from cybercriminals posing as Esport North Africa representatives, attempting to **exploit the breach**.

**RELATED ARTICLES**

1.  **Online gaming and protection against cyber attacks**
2.  **RapperBot malware hits gaming servers with DDoS attacks**
3.  **Gaming Giant Activision Employees Hit by SMS Phishing Attack**
4.  **Gaming controllers manufacturer exposed 1.1M customer records**
5.  **How data collected in gaming can be used to breach user privacy**

Hackers Leak 180,000 Esport North Africa User Records a Day Before Tournament Begins

Russia-linked hackers have taken aim at Japan, following its ramping up of military exercises with regional allies and the increase of its defense budget.

Source: StudioProX via Shutterstock

Two Russian hacking groups leveled distributed denial-of-service (DDoS) attacks at Japanese logistics and shipbuilding firms — as well as government and political organizations — in what experts believe are attempts to pressure the Japanese government. The attacks came after lawmakers boosted the nation's defense budget, and its military conducted exercises with regional allies.

The two pro-Russian cyberthreat groups — NoName057(16) and the Russian Cyber Army Team — started attacking Japanese targets on Oct. 14, with more than half of the attacks targeting logistics, shipbuilding, and manufacturing firms, according to network-monitoring firm Netscout. The groups, especially NoName057(16), have made a name for themselves by attacking Ukrainian and European targets following Russia's invasion of Ukraine.

In the latest spate of attacks, the groups targeted Japanese industry and government agencies after the Ministry of Foreign Affairs of the Russian Federation expressed concern over the ramp-up of Japan's military, says Richard Hummel, director of threat intelligence for Netscout.

"Japan had their elections last week, and the leader that took over is no fan of Russia and, in fact, has been very vocal about supporting Ukraine and sending aid," he says. "Japan is also working with the US military on joint exercises and ballistics missiles testing — these are the \[regional events\] that NoName057 will go after."

Related:Hong Kong Crime Ring Swindles Victims Out of $46M

With geopolitical rivalries with China and Russia heating up, Japan is in the midst of its largest military buildup since World War II. In December 2022, the nation unveiled a five-year $320 billion plan that includes long-range cruise missiles that could hit targets in China, North Korea, and Russia. The move marked a significant shift away from Japan's self-defense-only policy, with the government continuing the move by increasing military spending by 16% this year.

On Oct. 17, Japan's Deputy Chief Cabinet Secretary Kazuhiko Aoki said the government is investigating the DDoS attacks.

More than half of the attacks targeted the logistics and manufacturing sector, while nearly a third targeted government agencies and political organizations in Japan, Netscout stated in its analysis.

The Russian group "has leveraged every attack capability of the DDoSia botnet, employing a wide range of direct-path attack vectors against multiple targets," the analysis stated. "As of this writing, approximately 40 targeted Japanese domains have been identified. On average, each domain is hit by three attack waves, utilizing four distinct DDoS attack vectors, utilizing approximately 30 different attack configurations to maximize attack impact."

Related:Iran's APT34 Abuses MS Exchange to Spy on Gulf Gov'ts

**Hacktivists and the Resurgence of DDoS**

The attacks mark the latest shift in DDoS attacks. In the past, 85% to 90% of such attacks originated in the gaming world, with players targeting other players, Netscout's Hummel says. Over the past few years, while many hacktivism attacks amounted to little more than PR stunts, cybercriminals have increasingly used DDoS attacks to cause outages in business operations to support a cause or monetize a botnet — sometimes, both.

US authorities recently charged two Sudanese brothers — 22-year-old Ahmed Salah Yousif Omer and 27-year-old Alaa Salah Yusuuf Omer — following more than 35,000 DDoS attacks during the past 18 months, which targeted government agencies, a major Los Angeles-area hospital, and technology companies. The US Department of Justice charged one of the two brothers with three counts of damage to a protected computer, and the indictment included his message taking credit for "any damage to the hospital ... and their health systems + any collateral damage," according to a federal indictment.

The impact of a DDoS attack on the ability of connected medical devices to operate means that increasingly they will have physical impacts, Hummel says.

Related:DPRK's APT37 Targets Cambodia With Khmer, 'VeilShell' Backdoor

The brother was "charged with essentially attempted murder, because they were taking down hospital infrastructure where people needed life-saving technology," he says. "If the Internet goes down, then \[these connected medical devices\] stop functioning, they stop checking in."

**Definitively Russian? Nyet**

Both NoName057 and the Russian Cyber Army Team obviously pursue priorities expressed by the Russian government, but that does not necessarily mean they are a military or intelligence agency operation, Hummel says.

Overall, the groups have claimed 60 attacks against 19 different targets in the weeks following the criticism of Japan's accelerated military buildup by Russia's Minister of Foreign Affairs. In a Telegram post, NoName057(16) confirmed the link.

"Particular discontent was caused by the participation of non-regional NATO member countries in the maneuvers, which, in Russia's opinion, increases the threat and is unacceptable," they stated in the Telegram post (machine translated from Russian). "We punish Russophobic Japan and remind you that any measures directed against Russia may end badly."

The groups' attacks against Japan match with previous targeting against any critic of Russia or its strategy, Hummel says.

"I can't say definitively if they are part of the Russian government ... or if any agency is giving them direct instructions," he says. "What I can tell you is that all of the targeting is against groups that are anti-Russia or anti-Muslim. And oftentimes, it's usually going to be in that political sphere when people are vocal about their support of anybody against Russia."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Russia-Linked Hackers Attack Japan's Govt, Ports

This latest breach was through Zendesk, a customer service platform that the organization uses.

Source: Postmodern Studio via Alamy Stock Photo

Just a few days after the Internet Archive told the public it was getting back on its feet after a data breach and a barrage of distributed denial-of-service (DDoS) attacks forced it to go offline, the digital library website is once again in trouble.

Unknown bad actors have allegedly claimed access tokens to the archive's Zendesk implementation, using them to send a mass email on Oct. 20 to those who tried to interact with the archive's platform.

The email began as follows:

"It's dispiriting to see that even after being made aware of the breach two weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their GitLab secrets," the hacker stated. “As demonstrated by this message, this includes a Zendesk token with perm\[ission\]s to access 800K+ support tickets sent to \[email protected\] since 2018." 

The email continued, "Whether you were trying to ask a general question or requesting the removal of your site from the Wayback Machine — your data is now in the hands of some random guy. If not me, it'd be someone else."

Though it can’t be said for certain, Chris Hickman, chief security officer (CSO) of Keyfactor, said the hacker may not have serious malicious intent, but instead wants to prove a point: that those in charge of the Internet Archive must be more proactive in protecting its network from those who would do much worse.

"This is a security oversight as tokens that are not rotated regularly have longer lifespans, increasing the window of opportunity for attackers to steal and misuse them," Hickman wrote in an emailed statement to Dark Reading. "If a token is not rotated correctly, it might expire, leading to authentication failures for legitimate users. If a malicious actor obtains an unrotated token, they could use it to gain unauthorized access to systems or services, leading to service disruptions and customer frustration, damaging a company's reputation and bottom line."

The organization hasn't made any public comments regarding the latest breach, but it did request donations last week to help support its endeavors of promoting open access to knowledge resources.

Internet Archive Gets Pummeled in Round 2 Breach

The Internet Archive (Archive.org) suffered a second security breach in October 2024, exposing support tickets through unrotated Zendesk…

The Internet Archive (Archive.org) suffered a second security breach in October 2024, exposing support tickets through unrotated Zendesk API tokens. The organization faces reputational damage and risks to user data.

The Internet Archive, a non-profit organization founded by Brewster Kahle to preserve the Internet’s history, has been experiencing a series of cyberattacks throughout October 2024. It all started on October 9th with a dual attack: a data breach and a Distributed Denial-of-Service (DDoS) attack, which were **promptly reported by Hackread.com**.

The attack was revealed with a message displayed on the Internet Archive’s website (archive.org), with the hackers themselves, taunting the organization’s security vulnerabilities and announcing the stolen data on a website called “Have I Been Pwned?” (HIBP). 

Reportedly, the hackers exploited a GitLab token, compromising the Archive’s source code and stealing user data from 31 million accounts. This exposed sensitive information, including Bcrypt-hashed passwords and email addresses.

A Pro-Palestinian group SN\_BlackMeta launched another DDoS attack around the same time, temporarily knocking the site offline, including the Wayback Machine, which collects snapshots of hundreds of billions of web pages. While these attacks coincided, they were likely conducted by separate entities.

On October 18, Kahle **confirmed** that stored data is safe and that “Wayback Machine, Archive-It, scanning, and national library crawls have resumed.” He also stated that the organization is taking a cautious approach to rebuilding and strengthening defences.

However, the Internet Archive experienced another security breach on 20 October 2024, where hackers exploited unrotated Zendesk API tokens to access its support platform. The breach exposed thousands of support tickets dating back to 2018, potentially containing personal identification documents, and highlighted a critical lapse in the Archive’s security practices, leading to a failure to rotate access tokens regularly.

According to online malware repository VX-Underground, “The Internet Archive users are reporting to have received this e-mail. It appears that the person(s) who compromised The Internet Archive still maintain some form of persistent access and are trying to send a message.”

****What Now for the Internet Archive?****

The Archive suffered multiple breaches due to vulnerabilities in its infrastructure, allowing attackers to access user data. It is speculated that the attacks were motivated by reputation rather than financial gain, with hackers seeking recognition within hacker communities. Although no ransom demands were made, the stolen data poses risks like **phishing attacks and identity theft**.

The Internet Archive hasn’t yet commented on the recent breach. Nevertheless, considering that it serves as a crucial repository of historical digital information, the series of attacks raise concerns about the long-term safety of this digital treasure trove and signifies the importance of strong cybersecurity measures. Regular security audits, secure coding practices, and prompt responses to vulnerabilities are essential for protecting user data and critical infrastructure. 

1.  **DDoS Attacks Hit France Over Telegram’s Pavel Durov Arrest**
2.  **Archive of Our Own Website Suffering Massive DDoS Attacks**
3.  **Examining the US Government’s DDoS Protection Guidance Update**
4.  **Panamorfi DDoS Attack Exploits Misconfigured Jupyter Notebooks**
5.  **Misconfigured AWS bucket exposed 421GB of Artwork Archive data**

Internet Archive (Archive.org) Hacked for Second Time in a Month

Those who hacked the Internet Archive haven’t gone away. Users of the Internet Archive who have submitted helpdesk tickets are reporting...

Those who hacked the Internet Archive haven’t gone away. Users of the Internet Archive who have submitted helpdesk tickets are reporting replies to the tickets from the hackers themselves.

Internet Archive, most known for its Wayback Machine, is a digital library that allows users to look at website snapshots from the past. It is often used for academic research and data analysis. Earlier in October, the Internet Archive suffered from a data breach and DDoS attack.

During that breach the attackers were able to steal a user authentication database containing 31 million records.

While the Wayback Machine is almost fully functional again, in a recent turn of events the attackers have started replying to those users that have opened a support ticket with the Internet Archive.

This is one of the replies a user reported:

> “It’s dispiriting to see that even after being made aware of the breach 2 weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets.
> 
> As demonstrated by this message, this includes a Zendesk token with perms to access 800K+ support tickets sent to info@archive.org since 2018.
> 
> Whether you were trying to ask a general question, or requesting the removal of your site from the Wayback Machine—your data is now in the hands of some random guy. If not me, it’d be someone else.
> 
> Here’s hoping that they’ll get their shit together now.”

An Application Programming Interface (API) token is like a special pass that allows a computer program or app to access and use services provided by another program or website. It is used as proof that the user or app has permission to access the service.

It appears as if the Internet Archive uses Zendesk to manage its support tickets. Having the Internet Archive’s Zendesk token would certainly explain why the hackers can reply to customer tickets.

Changing a Zendesk API token is not very hard, but it can have unexpected consequences, so it may require some advance planning to minimize potential disruptions. This could be why the Internet Archive may not have gotten round to it yet. But not changing API keys that would grant the attackers access to the organization’s important infrastructure like Zendesk would be a serious omission.

On October 18, 2024, Internet Archive founder Brewster Kahle, posted an update stating the stored data of the Internet Archive is safe and work on resuming services safely is in progress.

> “We’re taking a cautious, deliberate approach to rebuild and strengthen our defenses. Our priority is ensuring the Internet Archive comes online stronger and more secure.”

So far, the Internet Archive has not responded to the new developments, and the motivation for the attacks on the Internet Archive remain unclear. We’ll keep you posted.

Tag

#ddos