Researchers discovered a malicious package on the npm package registry that resembles a library for Ethereum smart contract vulnerabilities but actually drops an open-source remote access trojan called Quasar RAT onto developer systems.

****SUMMARY****

*   **Malicious NPM Package Identified:** “ethereumvulncontracthandler” disguises as a vulnerability scanner but installs Quasar RAT malware.

*   **Technical Details:** The package uses obfuscation and downloads scripts to modify Windows settings, ensuring persistence and communication with a command-and-control server.

*   **Quasar RAT Risks:** This malware enables keystroke logging, credential theft, and data breaches, posing significant risks to developers handling sensitive Ethereum projects.

*   **Supply Chain Attack:** The package exploits trust in dependencies, infiltrating systems through a seemingly legitimate tool.

*   **Prevention Tips:** Experts recommend strict vetting of third-party code, robust access controls, and dependency scans to secure the software supply chain.

Cybersecurity researchers at Socket recently uncovered a malicious NPM package, “ethereumvulncontracthandler,” posing as a legitimate tool for detecting vulnerabilities in Ethereum smart contracts. However, this package secretly installs Quasar RAT, a sophisticated remote access trojan, onto developers’ systems.

This malicious package was published on December 18, 2024, by an actor using the alias “solidit-dev-416.” Further probing revealed that it utilizes heavy obfuscation techniques like Base64 and XOR encoding to evade detection. Upon installation, it downloads a malicious script from a remote server, which silently executes to deploy Quasar RAT on Windows systems.

The threat actor has employed various deceptive tactics to ensure the malware’s persistence. The initial npm package serves as a loader, and retrieves/executes Quasar RAT from a remote server. Once executed, the malicious script runs hidden PowerShell commands and installs Quasar RAT.

For this purpose, it also modifies the Windows registry to ensure persistence. The infected machine then communicates with a command-and-control server at captchacdncom:7000, allowing the threat actor to maintain control and potentially spread the infection further.

For your information, Quasar RAT is a dangerous malware known for its extensive capabilities such as keystroke logging, screenshot capturing, and credential harvesting. It has become a significant threat to developers, potentially exposing private keys and sensitive information.

Another malware campaign targeting Roblox developers was recently discovered, which leveraged NPM packages to steal sensitive data and compromise systems. The campaign also involved dropping Quasar RAT payloads.

Quasar RAT in action (Via Socket Research Team)

Such incidents highlight the need for developers to be vigilant, scrutinize third-party code, especially from unknown sources, and use tools to monitor dependencies for potential threats. This proactive identification and mitigation of malicious packages can help safeguard systems and prevent malicious actors from infiltrating.

“For both individual developers and large organizations, the presence of Quasar RAT in a trusted environment can have catastrophic consequences. Ethereum developers, in particular, face the risk of exposing private keys and credentials linked to significant financial assets,” researchers noted in their blog post.

Commenting on this, Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), told Hackread, _“_Ethereum smart contracts are the backbone of decentralized applications. This malicious NPM package disguises itself as a vulnerability scanner but installs Quasar RAT to monitor sensitive projects, steal data, and undermine systems. Security teams must validate unverified code, monitor registry changes, and watch for abnormal network activity._“_

1.  **Supply Chain Attack Hits Vant npm Packages with Monero Miner**
2.  **Luna Grabber Malware Hits Roblox Devs Through npm Packages**
3.  **Hackers Use Fake PoCs on GitHub to Steal WordPress, AWS Keys**
4.  **FortiGuard Labs: Series of Malicious NPM Packages Stealing Data**
5.  **Protestware Uses npm Packages to Call for Peace in Gaza, Ukraine**

NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT

### Summary
Due to insufficient validation on the content of new FAQ posts, it is possible for authenticated users to inject malicious HTML or JavaScript code that can impact other users viewing the FAQ. This vulnerability arises when user-provided inputs in FAQ entries are not sanitized or escaped before being rendered on the page.

### Details
An attacker can inject malicious HTML content into the FAQ editor at http://localhost/admin/index.php?action=editentry, resulting in a complete disruption of the FAQ page's user interface. By injecting malformed HTML elements styled to cover the entire screen, an attacker can render the page unusable. This injection manipulates the page structure by introducing overlapping buttons, images, and iframes, breaking the intended layout and functionality. 

### PoC

1. In the source code of a FAQ Q&A post, insert the likes of this snippet:
```
<p>&lt;--`<img src="&#96;"> --!&gt;</p>
<div style="position: absolute; top: 0; left: 0; width: 100%; height: 100%;"><form><button>HTML INJECTION 1<img> <img> <img> <img> <iframe></iframe></button>
<div style="xg-p: absolute; top: 0; left: 0; width: 100%; height: 100%;">x</div>
<button>HTML INJECTION 2<iframe></iframe> <iframe></iframe> </button></form></div>
```

![image](https://github.com/user-attachments/assets/7c12ff40-1978-4dee-b501-c48f3ea2b9ba)
2. A normal user would see the broken FAQ page, or otherwise manipulated by the attacker to present a different malicious page:
![image](https://github.com/user-attachments/assets/4b815663-4836-4370-8b02-5b01bce71b0c)
 
A demo (fresh install overwrites every 24hours) here: https://roy.demo.phpmyfaq.de/content/1/24/en/24.html?

### Impact
Exploiting this issue can lead to Denial of Service for legitimate users, damage to the user experience, and potential abuse in phishing or defacement attacks. 


**Summary**

Due to insufficient validation on the content of new FAQ posts, it is possible for authenticated users to inject malicious HTML or JavaScript code that can impact other users viewing the FAQ. This vulnerability arises when user-provided inputs in FAQ entries are not sanitized or escaped before being rendered on the page.

**Details**

An attacker can inject malicious HTML content into the FAQ editor at http://localhost/admin/index.php?action=editentry, resulting in a complete disruption of the FAQ page's user interface. By injecting malformed HTML elements styled to cover the entire screen, an attacker can render the page unusable. This injection manipulates the page structure by introducing overlapping buttons, images, and iframes, breaking the intended layout and functionality.

**PoC**

1.  In the source code of a FAQ Q&A post, insert the likes of this snippet:

    <p>&lt;--`<img src="&#96;"> --!&gt;</p>
    <div style="position: absolute; top: 0; left: 0; width: 100%; height: 100%;"><form><button>HTML INJECTION 1<img> <img> <img> <img> <iframe></iframe></button>
    <div style="xg-p: absolute; top: 0; left: 0; width: 100%; height: 100%;">x</div>
    <button>HTML INJECTION 2<iframe></iframe> <iframe></iframe> </button></form></div>
    

  
2\. A normal user would see the broken FAQ page, or otherwise manipulated by the attacker to present a different malicious page:  

A demo (fresh install overwrites every 24hours) here: https://roy.demo.phpmyfaq.de/content/1/24/en/24.html?

**Impact**

Exploiting this issue can lead to Denial of Service for legitimate users, damage to the user experience, and potential abuse in phishing or defacement attacks.

**References**

*   GHSA-ww33-jppq-qfrp
*   https://nvd.nist.gov/vuln/detail/CVE-2024-56199

GHSA-ww33-jppq-qfrp: phpMyFAQ Vulnerable to Stored HTML Injection at FAQ

PRESS RELEASE

The Chief Digital and Artificial Intelligence Office (CDAO) has successfully concluded a Crowdsourced AI Red-Teaming (CAIRT) Assurance Program pilot focused on the use of Large-Language Model (LLM) chatbots in the context of military medicine. The CAIRT program supports the Department of Defense (DoD) in generating grassroots, crowdsourced approaches to AI Assurance and AI Risk Mitigation. Through crowdsourcing, projects are able to elicit a large volume of data and involve a wide variety of stakeholders.

This CAIRT LLM pilot was conducted by Humane Intelligence, a tech company building a community of practice around algorithmic evaluations, in collaboration with the Defense Health Agency (DHA) and the Program Executive Office, Defense Healthcare Management Systems (PEO DHMS). Through red-teaming methodology―using adversarial techniques to internally test system robustness―Humane Intelligence was able to effectively detect specific system vulnerabilities. Additionally, red-teaming attracts participants who want to engage with new technologies and, as possible future beneficiaries, gain the opportunity to contribute to improving the systems. Previously, in the spring of 2024, the CDAO held a valuable red-teaming CAIRT exercise utilizing a financial bounty.

In the latest pilot program, Humane Intelligence utilized crowdsourced red-teaming for two prospective use cases in the context of military medicine:  clinical note summarization and a medical advisory chatbot. Over 200 participants, including clinical providers and healthcare analysts from DHA, the Uniformed Services University of the Health Sciences, and the Services, participated in the exercise, which compared three popular LLMs. The exercise uncovered over 800 findings of potential vulnerabilities and biases related to employing these capabilities in these prospective use cases. This exercise will result in repeatable and scalable output via the development of benchmark datasets, which can be used to evaluate future vendors and tools for alignment with performance expectations. Furthermore, these findings will play a crucial role in shaping DoD policies and best practices for responsible use of Generative AI (GenAI), ultimately improving military medical care. If, when fielded, these prospective use cases comprise covered AI defined in OMB M-24-10, they will adhere to all required risk management practices.

“Since applying GenAI for such purposes within the DoD is in earlier stages of piloting and experimentation, this program acts as an essential pathfinder for generating a mass of testing data, surfacing areas for consideration, and validating mitigation options that will shape future research, development, and assurance of GenAI systems that may be deployed in the future,” remarked CDAO’s lead for this initiative, Dr. Matthew Johnson.

As the recent pilot and others have revealed, continued testing of LLMs and AI systems through the CAIRT Assurance Program will be critical to accelerating the CDAO’s AI Rapid Capabilities Cell, improving GenAI mission effectiveness, and contributing to justified confidence across DoD use cases.

**About the CDAO**

The CDAO became operational in June 2022 and is dedicated to integrating and optimizing AI capabilities across the DoD. The office is responsible for accelerating the DoD’s adoption of data, analytics, and AI, enabling the Department’s digital infrastructure and policy adoption to deliver scalable AI-driven solutions for enterprise and joint use cases, safeguarding the nation against current and emerging threats.

For more information about the CDAO, please visit our website at ai.mil. You can also connect with the CDAO on LinkedIn (@ DoD Chief Digital and Artificial Intelligence Office) and X, formally known as Twitter (@dodcdao). Additional updates and news can be found on the CDAO Unit Page on DVIDS.

You May Also Like

CDAO Sponsors Crowdsourced AI Assurance Pilot in the Context of Military Medicine

PRESS RELEASE

The agreement on the legally binding treaty marked the culmination of a five-year effort by UN Member States, with inputs from civil society, information security experts, academia and the private sector.

UN Secretary-General António Guterres welcomed the adoption of the Convention – the first international criminal justice treaty to have been negotiated in over 20 years.

“This treaty is a demonstration of multilateralism succeeding during difficult times and reflects the collective will of Member States to promote international cooperation to prevent and combat cybercrime,” his spokesperson said in a statement.

The statement added that the Convention “creates an unprecedented platform for collaboration” in the exchange of evidence, protection for victims and prevention, while safeguarding human rights online.

“The Secretary-General trusts that the new treaty will promote a safe cyberspace and calls on all States to join the Convention and to implement it in cooperation with relevant stakeholders.”

New tool to protect people

Philémon Yang, President of the General Assembly, highlighted the importance of the new Convention.

“We live in a digital world, one where information and communications technologies have enormous potential for the development of societies, but also increases the potential threat of cybercrime,” he said.

“With the adoption of this Convention, Member States have at hand the tools and means to strengthen international cooperation in preventing and combating cybercrime, protecting people and their rights online.”

The resolution containing the Convention was adopted without a vote by the 193-member General Assembly.

A victory for multilateralism

Ghada Waly, Executive Director of the UN Office on Drugs and Crime (UNODC) also described the adoption of the treaty as a “major victory” for multilateralism.

“It is a crucial step forward in our efforts to address crimes like online child sexual abuse, sophisticated online scams and money laundering,” she said.

Ms. Waly reiterated the UN agency’s commitment to support all nations in signing, ratifying and implementing the new treaty, as well as providing them with the tools and support they need to protect their economies and safeguard the digital sphere from cybercrime.

The Convention

The Convention against Cybercrime acknowledges the significant risks posed by the misuse of information and communications technologies (ICT), which enable criminal activities on an unprecedented scale, speed, and scope.

It highlights the adverse impacts such crimes can have on States, enterprises, and the well-being of individuals and society, and focuses on protecting them from offenses such as terrorism, human trafficking, drug smuggling and online financial crimes.

It also recognises the growing impact of cybercrime on victims and prioritises justice, especially for vulnerable groups. It further underscores the need for technical assistance, capacity-building and collaboration among States and other stakeholders.

Read more about why the Convention against Cybercrime matters in this explainer.

Next steps

The Convention against Cybercrime will open for signature at a formal ceremony to be hosted in Hanoi, Viet Nam, in 2025. It will enter into force 90 days after being ratified by the 40th signatory.

UN General Assembly Adopts Cybercrime Treaty

PRESS RELEASE

DETROIT & TOKYO--(BUSINESS WIRE)-- VicOne, a leading automotive cybersecurity solutions provider, announced today it will co-host the zero-day vulnerability discovery contest, "Pwn2Own Automotive 2025," with Zero Day Initiative (ZDI). The event will take place from Wednesday, January 22 to Friday, January 24, 2025, at Tokyo Big Sight, West Hall, as part of the “17th AUTOMOTIVE WORLD 2025 – Advanced Automotive Technology Expo.” This will be the second Pwn2Own Automotive contest, following its highly successful debut in January 2024 where 49 zero-day vulnerabilities were discovered.

Pwn2Own Automotive helps build a foundation for automotive cybersecurity by strengthening cybersecurity measures and promoting the prevention of cyber incidents through the discovery of zero-day vulnerabilities. This event addresses growing concerns about vulnerabilities and increased attack risks with the growing adoption of software-defined vehicles (SDVs).

Through ZDI, the contest enables world-class security researchers to conduct real-world testing of the latest automotive technologies. By identifying zero-day vulnerabilities before they can circulate and become real-world cyber-attacks, the event facilitates swift countermeasures, helping prevent cyber threats and enhancing the overall security of automotive vehicles and products.

Additionally, the contest fosters innovation by recognizing the achievements of security researchers and offering over $1 million USD in total prizes. This incentivizes further research and development while providing hands-on experience that nurtures talent in the cybersecurity industry, ultimately contributing to an improved global cybersecurity landscape.

About Pwn2Own 2025 Automotive

Participants in "Pwn2Own Automotive 2025" will compete by earning points in four categories:

*   In-vehicle infotainment (IVI) systems
    
*   Electric vehicle (EV) chargers, and
    

Each contestant must demonstrate the ability to execute arbitrary code on the target devices or OS in their chosen category. They are allowed up to three attempts per target during the contest. Successful challenges earn points, and the participant or team with the highest points at the end of the contest is awarded the prestigious title of "Master of Pwn."

To qualify, the vulnerabilities targeted must be previously unknown, undisclosed, and unreported (according to the contest rules). Only the first participant to successfully complete a challenge in each category is eligible for a monetary reward. The order of the challenges is determined randomly through a draw.

“Through ZDI, we conduct research to address real-world cyberattack scenarios in the automotive sector. Hosting this contest in collaboration with VicOne, who has unmatched expertise and experience in automotive cybersecurity, is a key step in demonstrating our security research expertise within the automotive industry and the research community,” said

Brian Gorenc, VP of Threat Research at VicOne’s parent company, Trend Micro.

“Together with ZDI, VicOne is contributing to building a safer future for software-defined vehicles (SDVs). By discovering zero-day vulnerabilities, this event enables security researchers to uncover unknown, unpublished, and unreported vulnerabilities, facilitating early risk identification and mitigation within the automotive industry. Such efforts are critically important for the global automotive sector, especially as the evolution of SDVs accelerates,” said Max Cheng, CEO of VicOne

Registration Deadline

The deadline to register for the contest is 5:00 PM (JST) on January 16, 2025.

To complete registration, participants must submit a white paper detailing the vulnerability testing procedures and execution methods. Remote participation online is also available.

For more information about Pwn2Own Automotive and the contest rules, visit: https://www.zerodayinitiative.com/Pwn2OwnAuto2025Rules.html

VicOne and Partners at CES 2025

In addition, VicOne will be showcasing its award-winning comprehensive portfolio of cutting edge cybersecurity software and services for the whole automotive industry at the Las Vegas Consumer Electronics Show (CES), one of the most powerful tech events in the world (7-10 January 2025). Together with partners like P3 digital services, a leading provider of In-Vehicle Infotainment (IVI) systems, VicOne offers a safe and secure IVI environment for Android Automotive OS, with content protection for driver and all the vehicle’s passengers.

For more information about VicOne’s automotive cyber security portfolio please visit https://vicone.com/.

About VicOne

With a vision to secure the vehicles of tomorrow, VicOne delivers a broad portfolio of cybersecurity software and services for the automotive industry. Purpose-built to address the rigorous needs of automotive manufacturers, VicOne solutions are designed to secure and scale with the specialized demands of the modern vehicle. As a Trend Micro subsidiary, VicOne is powered by a solid foundation in cybersecurity drawn from Trend Micro's 30+ years in the industry, delivering unparalleled automotive protection and deep security insights that enable our customers to build secure as well as smart vehicles. For more information, visit: www.vicone.com.

VicOne and Zero Day Initiative (ZDI) to Lead Pwn2Own Automotive

A recent claim that a critical zero-day vulnerability existed in the popular open-source file archiver 7-Zip has been met with skepticism from the software's creator and other security researchers.

****SUMMARY****

*   **A user on X (@NSA\_Employee39) claimed to discover a zero-day exploit for 7-Zip, alleging a critical buffer overflow vulnerability.**

*   **The exploit purportedly involved a crafted .7z archive with a malformed LZMA stream to execute arbitrary code.**

*   **Cybersecurity experts and 7-Zip creator Igor Pavlov dismissed the claim, citing non-existent functions and failed reproduction attempts.**

*   **Researchers suggested the exploit code might have been generated by an AI, undermining its credibility.**

*   **The incident highlights the persistent threat of zero-day exploits and the importance of robust cybersecurity measures.**

The cybersecurity community recently faced a stir caused by a user on the social media platform X (formally Twitter), claiming to possess a zero-day exploit for the popular file archiver 7-Zip.

For your information, this user, under the handle @NSA\_Employee39, alleged that they had discovered a critical vulnerability that could allow attackers to execute arbitrary code on a victim’s system by exploiting a buffer overflow within the 7-Zip software. The user provided a code snippet on Pastebin, purportedly demonstrating this exploit.

“This exploit targets a vulnerability in the LZMA decoder of the 7-Zip software. It uses a crafted .7z archive with a malformed LZMA stream to trigger a buffer overflow condition in the RC\_NORM function. By aligning offsets and payloads, the exploit manipulates the internal buffer pointers to execute shellcode which results in arbitrary code execution,” the user wrote on Pastebin.

Despite the initial attention, cybersecurity experts quickly began to express doubts about the exploit’s validity. Attempts to replicate the exploit proved unsuccessful, leading to scepticism about the code’s effectiveness.

The claim was later dismissed by 7-Zip’s creator, Igor Pavlov, who stated that the alleged vulnerability relies on a function (“RC\_NORM”) that does not exist in the 7-Zip LZMA decoder. Pavlov suggested that the code was likely generated by an AI model, further undermining its credibility.

Furthermore, security researcher @LowLevelTweets reported being unable to reproduce the claimed exploit, stating that it produced no crashes, hangs, or timeouts during their testing. These findings suggest that the reported 7-Zip zero-day may be a false alarm, potentially arising from artificially generated code or a misunderstanding of the software’s internal workings.

While this particular incident proved to be a false alarm, the threat of zero-day exploits remains a serious concern. These vulnerabilities are highly dangerous as they are unknown to software developers and thus lack any pre-existing defences.

Last month, Hackread reported a Windows zero-day vulnerability allowing attackers to steal NTLM credentials through a deceptive method. The vulnerability affected various Windows systems, including Windows Server 2022, Windows 11 (up to v24H2), Windows 10 (multiple versions), Windows 7 and Server 2008 R2.

To stay safe from zero-day exploits, comprehensive security software is important as it can provide essential protection against various threats, including viruses, malware, and zero-day exploits. These solutions typically include features like real-time threat detection, advanced threat defences, and strong privacy features to protect users from cybersecurity threats.

1.  **Fake PoC Script Downloads VenomRAT**
2.  **Hackers Use Fake PoCs on GitHub to Steal AWS Keys**
3.  **Warning: Fake GitHub Repos Delivering Malware as PoCs**
4.  **LockBit 3.0 Posts Dubious Claims of Breaching Darktrace**
5.  **AI Generated Fake Obituary Websites Target Grieving Users**

Fake 7-Zip Exploit Code Traced to AI-Generated Misinterpretation

Your messages going back years are likely still lurking online, potentially exposing sensitive information you forgot existed. But there's no time like the present to do some digital decluttering.

If you're worried about possible expansions of government surveillance and access to your information, or simply want to do some digital purging so you're not saddled with old data, there are a bunch of concrete steps you can take to protect your digital privacy. Just as archeologists study carefully preserved tombs and ancient trash heaps to gain insight into historic communities, your long-forgotten digital footprint could be more revealing and sensitive than you realize. And while you can't control everything—particularly information stolen in breaches or gathered by data brokers—you probably have a digital attic full of old data that you can delete or download and save offline. First stop? Old message histories.

Chats are a good place to start your digital decluttering. Their real-time nature makes it easy to forget that if you don't have auto-delete turned on for a chat (or if a platform doesn't offer it), all of those “be there in 10 minutes,” “wait, what color is this dress???” and “welp, I have covid” messages are still knocking around years later. If you sent them on an end-to-end encrypted platform like Signal or WhatsApp, they only exist on your device and the devices of the other person or people you were chatting with. That means that for governments or bad actors to read them, they would need direct control of your device—a good level of protection, though not foolproof.

Crucially, though, messages that you sent on regular web apps like Slack, Facebook Messenger for most of its history, and Google Chat/Hangouts/Gchat are sitting on a cloud server somewhere. And while they're probably stored in an encrypted form to protect against theft, the platform itself has the keys to decrypt your data and would be able to comply with government requests for it, no matter how old the information is. Sure, all of those “u up?"s may not seem significant now, but years and years of chat histories can paint a very detailed picture of your life, associations, political beliefs, and past movements and activity.

“Doing a good digital cleaning from time to time is a great habit, especially with social media and old chat messages,” says Kenn White, security principal at the database developer MongoDB and director of the Open Crypto Audit Project. “Who you were five or 10 years ago is probably very different than who you are today, so it's worth asking yourself, ‘Do I really need those seven-year-old inside jokes and sarcastic posts? Do I need to keep old group chat messages and carry them forward to every new phone I get?’”

Some programs like Apple's Messages make it easy to auto-delete your chat histories after a set period of time. On iOS, go to **Settings** > **Apps** > **Messages** and then scroll and tap **Keep Messages**. Then choose whether to keep messages forever, for one year, or for 30 days before auto-deleting.

On the free version of Slack, data older than a year is automatically deleted. The company keeps data forever on paid plans, unless the administrator sets up rolling deletion. This is useful if you have an active Slack with your friends, but most people who use Slack at work don't make decisions about administrative policies and can't control deletion. Keep this in mind for any communication you do on an employer's platforms. You may be able to go through and delete messages or files one by one, but you likely won't have the access to make policy decisions about automatic or batch deletion.

Similarly, you may want to go through your chats on Android or iOS and delete old SMS conversations. Meta's Messenger now offers auto-delete options, but for your existing chats, you have to go down the list on desktop or in the Messenger mobile app and delete chats one by one. Meta's other chat platforms, Instagram Chat and WhatsApp, are similar, except that WhatsApp has been end-to-end encrypted since 2016 instead of adding the protection recently.

Consider whether you've spent time chatting on other social platforms as well. X, for example, has been through a lot of changes since Elon Musk bought Twitter more than two years ago and took the company private again. Musk promised that he would add end-to-end encryption to DMs on X, and eventually debuted an opt-in encryption feature with the paid tier of the platform, but the company doesn't definitively say that the tool offers full end-to-end encryption and it isn't open source for vetting. You can delete individual messages or go through your chat list and delete whole DM conversations if you want to pare down the data you're keeping on the platform.

If you've had Gmail for a long time, the messenger service “Google Talk,” once colloquially known as “Gchat,” may have a special place in your heart. And perhaps, over the years, you went through the saga in which Gchat—which was once known for interoperability with platforms like AIM—became the siloed Google chat platform Hangouts, and then transformed again into what is now called Google Chat. Your chats on this platform through the years are still hanging around, but they're not all in the same place.

The crucial thing to understand is that Gchat was fully integrated with Gmail and wasn't a separate platform, so your chat histories all saved in your mail archive. To find them now, open Gmail and **search for the phrase in:chats** (using no quotation marks). Hundreds or thousands of chats from May 2013 and earlier may pop up. They must be deleted directly from Gmail. After May 2013, Google migrated Gchat users to Hangouts, and that history has come forward into what is now Google Chat, so you can delete whole chats or individual messages there.

“Messages sent and received with history on in Google Talk from before May 2013 (the time when Google Hangouts launched) are stored in Gmail under the ‘in:chats’ label. Those messages are not available in Google Chat and can be deleted directly from Gmail only,” Google spokesperson Ross Richendrfer tells WIRED. “In terms of Hangouts data—which was merged with Chat—core Chat controls (including deletion) will work.”

There are lots of other chat apps to consider, too, where old messages may still be lurking. Think about Skype chat or GroupMe. And there's one other complicating factor when you declutter your messages: Most deletion features only delete data from your account, and the messages live on in the accounts of the person or people you were chatting with. To do a total digital detox you need to recruit your community to delete their message archives as well.

Additionally, you may feel sentimental about burning your letters (aka deleting all of your old chats). If you're sad about hitting that trash icon, consider downloading chat histories with your closest friends or other loved ones and storing them on an encrypted external hard drive before deleting them from the cloud. This way, you don't have to give up that slice of life completely, but the data isn't controlled by other entities anymore.

“Some apps, including Signal, give one the ability to set a ‘self-destruct’ time on messages, perhaps in hours or weeks. This is worth considering to reduce your exposure, particularly if you travel outside the country, are politically active, or in any way have a higher public profile,” MongoDB's White says. “It's easy to dismiss the potential of attacks on our personal data and physical safety as something that's only a concern for some James Bond–type scenarios, but the hard truth is that threats exist in many forms, both online and in person.”

Hey, Maybe It's Time to Delete Some Old Chat Histories

Researchers at FortiGuard Labs have identified a prolific attacker group known as "EC2 Grouper" who frequently exploits compromised credentials using AWS tools.

****SUMMARY****

*   **EC2 Grouper Identified:** Researchers found EC2 Grouper exploiting AWS credentials and tools using distinct patterns like “ec2group12345.”

*   **Credential Compromise:** They primarily obtain credentials from code repositories tied to valid accounts.

*   **API Reliance:** The group avoids manual activity, using APIs for reconnaissance and resource creation.

*   **Detection Challenges:** Indicators like naming conventions and user agents are unreliable for consistent detection.

*   **Security Recommendations:** Use CSPM tools, monitor for credential misuse, and detect unusual API activity to mitigate risks.

Cloud environments are **constantly under attack**, with sophisticated threat actors employing various techniques to gain unauthorized access. One such actor, dubbed _EC2 Grouper_, has become a notable adversary for security teams.

According to the latest research from Fortinet’s FortiGuard Labs Threat Research team, this group is characterized by its consistent use of **AWS tools** and a unique security group naming convention in its attacks. Researchers tracked this actor in several dozen customer environments due to similar user agents and security group naming conventions. 

The latest revelation comes amid increasing exploitation of AWS infrastructure by top hacker groups. In December 2024, **reports revealed** that ShinyHunters and the Nemesis Group collaborated to target misconfigured servers, particularly AWS S3 Buckets.

EC2 Grouper typically initiates attacks by leveraging AWS tools like PowerShell, often employing a distinctive user agent string. Furthermore, the group consistently creates security groups with naming patterns like “ec2group,” “ec2group1,” “ec2group12,” and so on. Also, they frequently use code repositories to acquire credentials in their cloud attacks, often originating from valid accounts. This method is believed to be the primary method of credential acquisition.

Further probing revealed that Grouper uses APIs for reconnaissance, security group creation, and resource provisioning, avoiding direct actions like inbound access configuration.

While these indicators can provide initial clues, they are often insufficient for reliable threat detection, researcher Chris Hall noted in the **blog post**, shared with hackread.com. That’s because relying solely on these indicators can be misleading. Attackers can easily modify their user agents and may deviate from their usual naming conventions. 

Researchers did not observe calls to AuthorizeSecurityGroupIngress, which is essential to configure inbound access to EC2 launched with the security group, but they observed CreateInternetGateway and CreateVpc for remote access.

Moreover, no actions have been based on objectives or manual activity in a compromised cloud environment. EC2 Grouper may be selective in their escalation or compromised accounts were detected and quarantined before they escalated.

Screenshot: FortiGuard Labs

Still, researchers note that by analysing signals like credential compromise and API usage, security teams can develop a reliable detection strategy and help organizations defend against sophisticated adversaries like EC2 Grouper. They suggest that a more effective approach would be monitoring for suspicious activity related to legitimate secret scanning services to identify potential credential compromises, which are the primary source of access for EC2 Grouper.

To stay safe, organizations must also utilize Cloud Security Posture Management (CSPM) tools to monitor and assess your cloud environment’s security posture continuously. Implementing anomaly detection techniques to identify unusual behaviour within the cloud environment, such as unexpected API calls, resource creation, or data exfiltration can also help. 

1.  **Hackers Use Fake PoCs on GitHub to Steal AWS Keys**
2.  **New APT Group “Unfading Sea Haze” Hits Military Targets**
3.  **TA866 Linked to WarmCookie Malware in Espionage Campaign**
4.  **Builder.ai Database Misconfiguration Exposes 1.29TB of Records**
5.  **Russian Cozy Bear Phish Critical Sectors with Microsoft, AWS Lures**

FortiGuard Labs Links New EC2 Grouper Hackers to AWS Credential Exploits

The fast growing region has its own unique cyber issues — and it needs its own talent to fight them.

Source: Panther Media via Alamy Stock Photo

COMMENTARY

The Middle East is undergoing a digital transformation that is as rapid as it is remarkable. Tech multinationals are investing big in the region as Dubai, Riyadh, and Abu Dhabi strive to establish themselves as global innovation hubs.   

But this increased digitization comes with an increased risk of cyberattacks — and businesses throughout the Middle East are at risk of being caught with their guard down.

The pace of digital growth in countries throughout the Middle East has far outstripped cybersecurity talent in the region, leaving organizations fatally exposed. While some businesses resort to outsourcing their cybersecurity measures to tech giants and their tools, this hands-off approach is risk-prone.

The Middle East now sits squarely in the firing line. With cyberattacks emboldened by AI, robust cybersecurity defenses are more crucial than ever. Businesses must move away from outsourcing and focus on building strong in-house defenses by investing in tool-based approaches and heavily leveraging in-house hiring, upskilling, and talent retention practices.

**Victims of Their Own Success?**

The commercial success of locations like Dubai, Abu Dhabi, and Saudi Arabia has transformed them into potential hotbeds for cybercrime. Distributed denial-of-service (DDoS) attacks on Middle Eastern countries have risen 75% in the past year, with the UAE and Saudi Arabia taking the brunt of the blow. 

Related:Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel

The UAE alone falls victim to around 50,000 cyberattacks a day. And it comes at a cost: in 2023, cyberattacks cost businesses, organizations, and public bodies more than $8 million per incident.

The uptick in cyberattacks is only exacerbated by changing patterns in the cybercrime landscape. The rise of AI has lowered the barrier to entry for would-be hackers, allowing those with even the most novice skills to carry out a full-scale attack. Meanwhile, the proliferation of cybercrime as a service (CaaS), offering services like DDoS-for-hire, means threat actors now need little more than an intention to launch a cyberattack. In this new era of cybercrime, where there's a will, there's a way.

The current cybersecurity skills gap seen throughout the Middle East is leaving companies exposed and vulnerable to bad actors. Over half the companies in the EMEA region have attributed cybersecurity breaches to a lack of skills and training, while 70% of business leaders believe that skills shortages create a whole host of additional cybersecurity risks for companies to address.

**AI Muddles Outsourced Security Equation**

Related:DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

Too many businesses attempt to remedy this lack of talent by outsourcing their cybersecurity to third parties. While this might have been effective when countries like the US were the main target for threat actors, that's no longer the case.   

The rise of AI-enhanced cyberattacks presents a new host of threats that businesses outsourcing cybersecurity won't necessarily be able to tackle. Not only has AI made it easier for threat actors to carry out cyberattacks, it's also made the attacks themselves more sophisticated and more malicious.

AI-enhanced malware is stealthier, making it harder to detect a breach of IT infrastructure. Automated phishing attacks enable bad actors to target a larger number of potential victims, while the phishing attacks themselves are highly tailored to their targets.

It is crucial that Middle Eastern businesses — particularly those in the UAE and Saudi Arabia — are on top of their cybersecurity measures. They cannot sit back and outsource cybersecurity with the assumption that the risk is also transferred. Instead, they must take an active approach to their cybersecurity measures by building up a strong in-house cybersecurity team that can identify, respond to, and deal with threats in an effective and timely manner. 

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

Bringing cybersecurity in-house mitigates the risks that can crop up when relying on outsourced defenses, such as slow response times. Instead, in-house cybersecurity teams will have their fingers on the pulse of the business's security framework, as well as a thorough understanding of business specifics, enabling them to react quickly to threats.

But to achieve this, businesses must invest heavily in new and pre-existing IT talent to close the Middle East's skills gap — and this should be done with a particular focus on hiring and retention practices.

**Retention Is Tough in Smaller Talent Pool**

Over half of organizations globally say they struggle to recruit candidates with cybersecurity experience. Difficulties in hiring cybersecurity talent are compounded by trouble retaining cybersecurity staff, throwing employers into a vicious cycle of hiring and re-hiring. In the Middle East, where the digital economy is still young, this is of particular concern — the talent pool is finite, and companies cannot afford to lose out on promising employees.   

To combat this, corporations in the Middle East should turn their attention to the fresh talent coming out of universities throughout the Middle East and around the world. By forming partnerships with universities and offering attractive graduate schemes, businesses can tap into dense talent pools brimming with promising cybersecurity talent.

Graduates are eager to learn and willing to mold to the company ethos, making them the ideal choice for corporations looking to build up a dedicated in-house cybersecurity team.

Investing in apprenticeship schemes is another option for companies. Although more hands-on, companies will be able to train candidates from the ground up, ensuring the candidate's skills and knowledge are strongly aligned with the business's cybersecurity needs.

**Learning & Development Must Be Fostered**

Retaining this talent is just as crucial as bringing them on board in the first place.  Alongside the usual retention tactics, such as competitive pay packets and desirable benefits, companies must invest heavily in continuous learning and development (L&D) opportunities throughout the employee's career.  

Poor training — or a lack of training altogether — is a surefire way to lose employees. Conversely, 94% of employees say they would stay longer with an employer that invested in L&D. In a fast-changing, continually developing industry like cybersecurity, L&D is especially vital.

Investing in training sessions and development courses for cybersecurity employees will ensure they're kept up to date with any changes in the threat and security landscape. And, in the process, employees will feel as if the company is giving them opportunities to develop their skills and abilities, rounding them out into highly experienced cybersecurity professionals.

Investing in staff as a cybersecurity tactic shouldn't begin and end with cybersecurity staff. Deploying a company-wide cybersecurity upskilling program is a vital first step — and a simple way of ruling out one of the greatest causes behind cybersecurity breaches: human error. Negligence, a lack of awareness, or simple mistakes can lead to vulnerabilities and breaches, even in the most robust systems. Upskilling is a vital step companies must take to mitigate this risk.

With the rising rate of cyberattacks in the Middle East, corporations cannot afford to sit back and wait until they become the next big victim of a data breach or DDoS attack.

Companies can't rely solely on third-party cybersecurity measures — they must build up comprehensive in-house defenses. Businesses need to act now and double their investments in cybersecurity talent, paying particular mind to up-and-coming graduate talent.

**About the Author**

Founder, PG Advisors Ltd.

Partha Gopalakrishnan is a leading business transformation expert with more than 25 years of experience directing global teams to drive digital growth. He also has his own firm, PG Advisors, which offers board advisory and non-executive director services for prominent analysts and PE Firms. 

Partha has served in executive leadership positions with some of the world’s largest technology firms and global systems Integrators, including 17 years with Infosys, followed by a tenure at Tech Mahindra. He has completed executive education programs at the Stanford University Graduate School of Business and The Wharton School of the University of Pennsylvania.

Cybersecurity Lags in Middle East Business Development

AI tools will enable significant productivity and efficiency benefits for organizations in the coming year, but they also will exacerbate privacy, governance, and security risks.

Source: Anggalih Prasetya via Shutterstock

Most industry analysts expect organizations will accelerate efforts to harness generative artificial intelligence (GenAI) and large language models (LLMs) in a variety of use cases over the next year.

Typical examples include customer support, fraud detection, content creation, data analytics, knowledge management, and, increasingly, software development. A recent survey of 1,700 IT professionals conducted by Centient on behalf of OutSystems had 81% of respondents describing their organizations as currently using GenAI to assist with coding and software development. Nearly three-quarters (74%) plan on building 10 or more apps over the next 12 months using AI-powered development approaches.

While such use cases promise to deliver significant efficiency and productivity gains for organizations, they also introduce new privacy, governance, and security risks. Here are six AI-related security issues that industry experts say IT and security leaders should pay attention to in the next 12 months.

**AI Coding Assistants Will Go Mainstream — and So Will Risks**

Use of AI-based coding assistants, such as GitHub Copilot, Amazon CodeWhisperer, and OpenAI Codex, will go from experimental and early adopter status to mainstream, especially among startup organizations. The touted upsides of such tools include improved developer productivity, automation of repetitive tasks, error reduction, and faster development times. However, as with all new technologies, there are some downsides as well. From a security standpoint these include auto-coding responses like vulnerable code, data exposure, and propagation of insecure coding practices.

"While AI-based code assistants undoubtedly offer strong benefits when it comes to auto-complete, code generation, re-use, and making coding more accessible to a non-engineering audience, it is not without risks," says Derek Holt, CEO of Digital.ai. The biggest is the fact that the AI models are only as good as the code they are trained on. Early users saw coding errors, security anti-patterns, and code sprawl while using AI coding assistants for development, Holt says. "Enterprises users will continue to be required to scan for known vulnerabilities with \[Dynamic Application Security Testing, or DAST; and Static Application Security Testing, or SAST\] and harden code against reverse-engineering attempts to ensure negative impacts are limited and productivity gains are driving expect benefits."

**AI to Accelerate Adoption of xOps Practices**

As more organizations work to embed AI capabilities into their software, expect to see DevSecOps, DataOps, and ModelOps — or the practice of managing and monitoring AI models in production — converge into a broader, all-encompassing xOps management approach, Holt says. The push to AI-enabled software is increasingly blurring the lines between traditional declarative apps that follow predefined rules to achieve specific outcomes, and LLMs and GenAI apps that dynamically generate responses based on patterns learned from training data sets, Holt says. The trend will put new pressures on operations, support, and QA teams, and drive adoption of xOps, he notes.

"xOps is an emerging term that outlines the DevOps requirements when creating applications that leverage in-house or open source models trained on enterprise proprietary data," he says. "This new approach recognizes that when delivering mobile or web applications that leverage AI models, there is a requirement to integrate and synchronize traditional DevSecOps processes with that of DataOps, MLOps, and ModelOps into an integrated end-to-end life cycle." Holt perceives this emerging set of best practices will become hyper-critical for companies to ensure quality, secure, and supportable AI-enhanced applications.

**Shadow AI: A Bigger Security Headache**

The easy availability of a wide and rapidly growing range of GenAI tools has fueled unauthorized use of the technologies at many organizations and spawned a new set of challenges for already overburdened security teams. One example is the rapidly proliferating — and often unmanaged — use of AI chatbots among workers for a variety of purposes. The trend has heightened concerns about the inadvertent exposure of sensitive data at many organizations.

Security teams can expect to see a spike in the unsanctioned use of such tools in the coming year, predicts Nicole Carignan, vice president of strategic cyber AI at Darktrace. "We will see an explosion of tools that use AI and generative AI within enterprises and on devices used by employees," leading to a rise in shadow AI, Carignan says. "If unchecked, this raises serious questions and concerns about data loss prevention as well as compliance concerns as new regulations like the EU AI Act start to take effect," she says. Carignan expects that chief information officers (CIOs) and chief information security officers (CISOs) will come under increasing pressure to implement capabilities for detecting, tracking, and rooting out unsanctioned use of AI tools in their environment.

**AI Will Augment, Not Replace, Human Skills**

AI excels at processing massive volumes of threat data and identifying patterns in that data. But for some time at least, it remains at best an augmentation tool that is adept at handling repetitive tasks and enabling automation of basic threat detection functions. The most successful security programs over the next year will continue to be ones that combine AI's processing power with human creativity, according to Stephen Kowski, field CTO at SlashNext Email Security+.

Many organizations will continue to require human expertise to identify and respond to real-world attacks that evolve beyond the historical patterns that AI systems use. Effective threat hunting will continue to depend on human intuition and skills to spot subtle anomalies and connect seemingly unrelated indicators, he says. "The key is achieving the right balance where AI handles high-volume routine detection while skilled analysts investigate novel attack patterns and determine strategic responses."

AI's ability to rapidly analyze large datasets will heighten the need for cybersecurity workers to sharpen their data analytics skills, adds Julian Davies, vice president of advanced services at Bugcrowd. "The ability to interpret AI-generated insights will be essential for detecting anomalies, predicting threats, and enhancing overall security measures." Prompt engineering skills are going to be increasingly useful as well for organizations seeking to derive maximum value from their AI investments, he adds.

**Attackers Will Leverage AI to Exploit Open Source Vulns**

Venky Raju, field CTO at ColorTokens, expects threat actors will leverage AI tools to exploit vulnerabilities and automatically generate exploit code in open source software. "Even closed source software is not immune, as AI-based fuzzing tools can identify vulnerabilities without access to the original source code. Such zero-day attacks are a significant concern for the cybersecurity community," Raju says.

In a report earlier this year, CrowdStrike pointed to AI-enabled ransomware as an example of how attackers are harnessing AI to hone their malicious capabilities. Attackers could also use AI to research targets, identify system vulnerabilities, encrypt data, and easily adapt and modify ransomware to evade endpoint detection and remediation mechanisms.

**Verification, Human Oversight Will Be Critical**

Organizations will continue to find it hard to fully and implicitly trust AI to do the right thing. A recent survey by Qlik of 4,200 C-suite executives and AI decision-makers showed most respondents overwhelmingly favored the use of AI for a variety of uses. At the same time, 37% described their senior managers as lacking trust in AI, with 42% of mid-level managers expressing the same sentiment. Some 21% reported their customers as distrusting AI as well.

"Trust in AI will remain a complex balance of benefits versus risks, as current research shows that eliminating bias and hallucinations may be counterproductive and impossible," SlashNext's Kowski says. "While industry agreements provide some ethical frameworks, the subjective nature of ethics means different organizations and cultures will continue to interpret and implement AI guidelines differently." The practical approach is to implement robust verification systems and maintain human oversight rather than seeking perfect trustworthiness, he says.

Davies from Bugcrowd says there's already a growing need for professionals who can handle the ethical implications of AI. Their role is to ensure privacy, prevent bias, and maintain transparency in AI-driven decisions. "The ability to test for AI’s unique security and safety use cases is becoming critical," he says.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#git