A fraudulent Google ad meant to phish employees for their login credentials redirects them to a fake browser update page instead.

On December 15, we detected a malicious campaign targeting Kaiser Permanente employees via Google Search Ads. The fraudulent ad masquerades as the health care company’s HR portal used to check for benefits, download paystubs and other corporate related tasks.

We believe the threat actors’ intent was to phish KP employees for their login credentials, but something unexpected happened. Instead, victims who clicked on the ad were redirected to a compromised website that prompted them to update their browser.

This notification is part of a malware campaign known as SocGholish that tricks users into running a script supposedly meant to update their browser. Rather, it infects machines and if the victim is deemed important enough, a human operator will gain access in order to perform nefarious actions.

In this blog post, we review how this attack unfolds and why a compromised website derailed the attackers’ plan. We already reported the malicious ad to Google.

Several criminal gangs are currently abusing Google Ads to phish victims of various large companies. They prey on employees simply googling for their HR portal so that they can display a malicious ad to lure them in.

Case in point, when searching for Kaiser Permanente’s HR portal, we saw the following ad:

We were able to identify the advertiser who registered a fake account under the name ‘Heather Black’. This ad was only showed for U.S.-based searches, as can be seen in the Google Ads Transparency Center report:

**Former company’s website hijacked for phishing**

The displayed url shown in the ad (_https://www.bellonasoftware\[.\]com_) does not look associated with Kaiser Permanente. According to LinkedIn, Bellona Software was a company based in Romania. We can see what their website looked like in 2021, using the Internet Archive:

Sometimes more recently, this same website was taken over by criminals who transformed it into a phishing page for Kaiser Permanente:

**Malicious redirect to SocGholish**

It looks like there was more than one cook in the kitchen, as malicious code was also injected in the core JavaScript libraries for that website, confirmed in a scan by Sucuri’s SiteCheck:

When potential victims clicked on the ad, they landed on that compromised website, which in turn briefly displayed the phishing template only for as long as a mouse scroll or click. Then, a new screen appeared with what looks like a Google Chrome notification claiming the user’s browser is out of date:

This screen, also known as SocGholish, is a long running malware campaign that targets vulnerable websites indiscriminately. When a user executes the downloaded _Update.js_ file, they are instead running a malicious script that will collect some of their computer’s information and relay it to a group of criminals. After this fingerprinting takes place, additional tooling such as Cobalt Strike may be downloaded, preparing the ground for a _human on keyboard_ type of attack.

To the best of our knowledge, the phishing campaign has nothing to do with SocGholish, and we assume that the original threat actors did not anticipate for the website they took over to be compromised. As for the gang behind SocGholish, the victims would come from a Google search, something they usually check for via the referer.

**Protecting against web threats**

For victims, neither the phishing scheme nor the malware are a happy outcome. While initially targeted because of what they searched for, they fell into the hands of a different criminal syndicate.

Such is the reality of web threats. This is a dynamic and ever changing landscape with a number of malicious players trying to lure users in their own way.

Online ads, and in particular search ads, continue to be a threat. As we have showed many times on this blog, any brand is at risk of being impersonated. Unfortunately, this trend has continued unabated throughout 2024.

At the same time, ‘old’ malware campaigns like SocGholish pose a risk due to a never ending number of outdated websites ready to be compromised and act as a springboard for malware delivery.

When searching online, we urge to use extreme caution with any sponsored results and if possible add protection to your online browsing experience with tools like Malwarebytes Browser Guard.

We reported the malicious ad to Google and will update this blog if we hear anything back.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Phishing site

bellonasoftware\[.\]com

SocGholish infrastructure

premium\[.\]davidabostic\[.\]com  
riders\[.\]50kfor50years\[.\]com

 Malicious ad distributes SocGholish malware to Kaiser Permanente employees 

Plus: The US indicts North Koreans in fake IT worker scheme, file-sharing firm Cleo warns customers to patch a vulnerability amid live attacks, and more.

What a week! On Monday, police arrested 26-year-old Luigi Mangione and charged him in the murder of UnitedHealthcare CEO Brian Thompson. Mangione’s five-day run from authorities ended after he was spotted eating at a McDonald’s in Altoona, Pennsylvania, about 300 miles from Manhattan, where Thompson was gunned down on the morning of December 4. Authorities say they found Mangione carrying fake IDs and a 3D-printed “ghost gun,” the model of which is known as the FMDA, or “Free Men Don’t Ask.”

Meanwhile, a flood of mysterious drone sightings across New Jersey and neighboring states caused so much havoc, it quickly gained federal attention. While many people wondered why the US military couldn’t just shoot down the drones, the FBI, Department of Homeland Security, and independent experts say the drone mystery may not be much of a mystery, and the drones are probably mostly just airplanes.

As for more terrestrial threats, we dove into the far-right realm of “Active Clubs,” small groups of young, fitness-focused men who are steeped in extremist ideology and linked to several violent attacks. While the man who helped invent the Active Club network, Robert Rundo, was sentenced in federal court this week, Active Clubs around the world are proliferating.

Finally, we investigated cheating schemes that use tiny cameras to gain an illicit edge in poker, and we interrogated the ways humans will use generative AI to make the world a more dangerous place.

But that’s not all. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Back in May, Microsoft jubilantly announced Recall, an AI feature for some Windows PCs that silently takes screenshots every five seconds and then allows you to easily search through the resulting digital footprint. Forgotten where you saw a recipe online? Tapping a couple of keywords into Recall could, in theory, find the dish again. It didn’t take long for the privacy and security community to find gaping holes in the feature.

In response, Microsoft delayed Recall’s launch and eventually made some significant changes—such as making Recall opt-in rather than on by default, better encrypting information captured by Recall, and adding authentication to access data that it stored. Recall finally launched for some users this month.

However, this week, testing of Recall by Tom’s Hardware demonstrated that a key safeguard put in place by Microsoft can still fail. With a Recall setting called “filter sensitive information” turned on, Tom’s Hardware’s tests found that it still took screenshots of some sensitive information—such as credit card numbers and Social Security numbers. When the publication typed a credit card number and a username and password into a Notepad window, they were gathered in the screenshots. “Similarly, when I filled out a loan application PDF in Microsoft Edge, entering a social security number, name and DOB, Recall captured that,” Avram Piltch writes. The tool, however, didn’t record details when they were entered on a couple of online stores.

Microsoft pointed to its product information that says the system will get better over time and that people should report if sensitive information is captured by Recall. While that may be the case, it’s unlikely that any system can correctly determine what is and isn’t sensitive every time. And that could make it a bigger target for hackers.

**14 North Koreans Identified and Indicted as Fraudulent IT Workers**

For years, North Korean nationals posing as tech workers have tried to get hired by global businesses so they can send their wages back to help the Hermit Kingdom pay for its nuclear programs. Increasingly, some companies are revealing they were targeted, and investigators are unravelling the schemes. This week, the US government indicted 14 North Koreans for their alleged role in generating $88 million, stealing sensitive business information, and attempting to use that information to extort more payments from companies. To get hired, the FBI alleges, the IT workers stole real identities, paid people in the US to use their home Wi-Fi connections, or paid them to attend job interviews. Researchers from Google-owned cybersecurity firm Mandiant who focus on North Korea say that in recent months they’ve seen IT workers following through on leaking sensitive data and demanding more cryptocurrency than ever before—although, they say this desperation could be a sign of the schemes becoming less effective.

**Cleo File-sharing Software Exploited to Spread Cybercriminal Malware**

File-sharing software firm Cleo this week warned customers to implement a new security patch to prevent a wave of intrusions by cybercriminals actively exploiting a vulnerability in its code. Researchers at security firm Huntress Labs told news outlet Recorded Future that at least two dozen organizations have already been breached by the hackers exploiting the Cleo flaw. Huntress has found a sample of malware found on those victims’ networks it calls Malichus, and says it appears to have been used by a sophisticated hacker group. Huntress also noted that Blue Yonder, a software firm breached by the Termite ransomware gang in November, had a vulnerable instance of Cleo’s software exposed on its network, and some evidence suggests the same cybercrime group may now be using the software’s vulnerability to hit other victims. Cleo first released a patch for the bug currently being exploited in October, but hackers appear to have circumvented it, and the company is urging customers to apply its new patch now.

**US Sanctions Chinese Hackers Who Allegedly Hijacked Thousands of Firewalls**

For five years, UK cybersecurity firm Sophos engaged in a cat-and-mouse game with a mysterious group of Chinese hackers targeting the company’s firewalls as a vector to break into its customers’ networks, as WIRED chronicled in October. Sophos went so far as to download surveillance “implants” to its devices that the hackers were testing to better monitor and preempt their intrusion techniques—and to gain more information about who they were and where they operated. Now, following Sophos’s revelations, those hackers have been hit with sanctions from the US government, and one of them has been indicted by name. Sichuan Silence Information Technology, based in Chengdu, and an alleged hacker named Guan Tianfeng are accused of hijacking 81,000 firewalls by exploiting a zero-day vulnerability that Guan is said to have discovered. Sichuan Silence, a known seller of disinformation tools to the Chinese government, and Guan are accused of targeting 23,000 firewalls in the US specifically, 36 of which were used in US critical infrastructure networks. The US State Department also issued a $10 million bounty for information about the company or Guan.

Microsoft’s AI Recall Tool Is Still Sucking Up Credit Card and Social Security Numbers

PRESS RELEASE

BOSTON — December 12, 2024 — Zerto, a Hewlett Packard Enterprise company, today announced the launch of the Zerto Cloud Vault, which delivers Zerto’s best-in-class cyber resilience capabilities as a service through managed service providers (MSPs). Zerto’s security-focused MSP partners at launch include Assurestor, Converge, LincolnIT, and Verinext. Built on the capabilities of the Zerto Cyber Resilience Vault, the Zerto Cloud Vault is a cloud-based, fully managed solution that offers logical air-gapping, immutability, and clean room recovery.

Ransomware attacks remain a harsh fact of life for most businesses with collective ransomware losses totaling over $1 billion in 2023 alone. This financial toll is exacerbated by the resulting data loss and downtime, with some estimates suggesting upwards of $1 million in losses per hour of downtime for larger businesses.

With Zerto Cloud Vault, customers can leverage MSPs that deliver tailored cyber resilience strategies to meet the specific requirements of their organizations. Cloud Vault is the latest offering in HPE’s comprehensive cyber resilience portfolio and complements the existing Zerto Cyber Resilience Vault, which is deployed as a self-hosted, on-premises stack.

Zerto Cloud Vault capabilities include:

*   Managed Cyber Services: Take advantage of MSP experts who know how to prevent and mitigate attacks and have built their services on top of Zerto’s award-winning technology.
    
*   Real-Time Encryption Detection: Detect encryption anomalies in real-time and be alerted within seconds to potential issues through integration with cybersecurity dashboards.
    
*   Immutable Data Copies: Retain data for up to 12 months and protect against ransomware attacks through immutable copies, all without impacting production workloads, without any agents or snapshots.
    
*   Clean Room Recovery: Leverage the elasticity of the cloud to create clean environments on demand with isolated networks that are protected from attackers. Use it to validate data, scrub malware, and perform forensics before recovering back into production.
    
*   Non-Disruptive Testing: With Zerto’s non-disruptive solutions, businesses can test more frequently and comprehensively, including conducting cyber recovery tests at any time on entire sites, multiple sites, or individual VMs. These tests can be used to validate recovery plans and train incident response teams.
    
*   Fully isolated from production environments: Ability to run different security postures within product and vault environments.
    

“Zerto’s disaster recovery and cyber resilience solutions offer peace of mind to businesses struggling to combat ransomware attacks,” said Jim O’Dorisio, senior vice president and general manager, HPE Storage. “Leveraging our cyber resilience capabilities, MSPs will be able to bring fully managed Cloud Vault services to even more organizations, helping them thwart the plans of attackers and keep precious business assets safe.”

Coupled with the expertise of Zerto’s vetted MSP partners, the hosted Zerto Cloud Vault mitigates the most devastating ransomware scenarios while keeping businesses in compliance with state and federal regulations — reducing the risk of substantial fines or prosecution. Where other solutions offer detrimental lengthy recovery point objectives (RPOs) and recovery time objectives (RTOs), Zerto Cloud Vault slashes both, minimizing the risks of disruption and allowing businesses to get back on their feet as fast as possible after the inevitable happens. Zerto is a part of HPE’s hybrid cloud business, helping HPE customers protect workloads and data across hybrid IT environments.

Partner Quotes

“Our Gold Standard for cyber recovery considers a product’s recoverability readiness, non-disruptive testing capability, and speed of data recovery; we found that Zerto substantially delivered on all these points. Combined with Cloud Vault, the protection provided from ransomware attacks was robust and allowed pinpoint recovery faster than any other products evaluated,” said Stephen Young, executive director, Assurestor.

“Ransomware attacks are a real threat to the data and operations of organizations of all sizes. Having the ability to offer a cloud vault with Zerto technology gives our clients added protection against ransomware and peace of mind that they can recover successfully,” said John Antimisiaris, executive vice president, LincolnIT.

“Some of our clients’ infrastructure protection needs to be kept with a very tight RPO, but they still need some deeper recovery options than simple replication can provide. A cyberattack is seldom clearly understood, even when recovery efforts have begun. Zerto Cloud Vault provides immutable protection history that can be leveraged to find the latest clean point in time for replicated hosts,” said Jeremy Brovage, product engineer and solutions architect, Converge Enterprise Cloud.

“Cyberattacks that encrypt data are one of the primary disruptors requiring data recovery. Zerto provides the best tools to recover quickly and with the least data loss in a cloud vault,” said Nick Martino, product manager, managed services, Verinext.

Explore the Zerto Cloud Vault and discover how it empowers businesses to safeguard their data and operations: Learn More. 

About Zerto

Zerto, a Hewlett Packard Enterprise company, empowers customers to run an always-on business by simplifying the protection, recovery, and mobility of on-premises and cloud applications. Zerto eliminates the risk and complexity of modernization and cloud adoption across private, public, and hybrid deployments. The simple, software-only solution uses continuous data protection at scale to solve for ransomware resilience, disaster recovery, and multi-cloud mobility. Zerto is trusted by over 9,500 customers globally, and is powering offerings for Microsoft Azure, IBM Cloud, Google Cloud, Oracle Cloud, and more than 350 managed service providers.

Zerto Introduces Cloud Vault Solution for Enhanced Cyber Resilience Through MSPs

A new side-channel attack method is a computationally practical way to infer the structure of a convolutional neural network — meaning that cyberattackers or rival companies can plagiarize AI models and take their data for themselves.

Source: Daniel Chetroni via Alamy Stock Photo

Researchers have demonstrated how to recreate a neural network using the electromagnetic (EM) signals emanating from the chip it runs on.

The method, called "TPUXtract," comes courtesy of North Carolina State University's Department of Electrical and Computer Engineering. Using many thousands of dollars worth of equipment and a novel technique called "online template-building," a team of four managed to infer the hyperparameters of a convolutional neural network (CNN) — the settings that define its structure and behavior — running on a Google Edge Tensor Processing Unit (TPU), with 99.91% accuracy.

Practically, TPUXtract enables a cyberattacker with no prior information to essentially steal an artificial intelligence (AI) model: They can recreate a model in its entirety and save the actual data it was trained on, for purposes of intellectual property (IP) theft or follow-on cyberattacks.

**How TPUXtract Works to Recreate AI Models**

The study was conducted on a Google Coral Dev Board, a single-board computer for machine learning (ML) on smaller devices: think edge, Internet of Things (IoT), medical equipment, automotive systems, etc. In particular, researchers paid attention to the board's Edge Tensor Processing Unit (TPU), the application-specific integrated circuit (ASIC) at the heart of the device that allows it to efficiently run complex ML tasks.

Any electronic device like this, as a byproduct of its operations, will emit EM radiation, the nature of which will be influenced by the computations it performs. Knowing this, the researchers conducted their experiments by placing an EM probe on top of the TPU — removing any obstructions like cooling fans — and centering it on the part of the chip emanating the strongest EM signals. Then they fed the machine input data and recorded the signals it leaked.

To begin to make sense of those signals, they first identified that before any data gets processed, a neural network quantizes — compresses — its input data. Only when the data is in a format suitable for the TPU does the EM signal from the chip shoot up, indicating that computations have begun.

At this point, the researchers could begin mapping the EM signature of the model. But trying to estimate all of the dozens or hundreds of compressed layers that comprise the network at the same time would have been effectively impossible.

Every layer in a neural network will have some combination of characteristics: It will perform a certain type of computation, have a certain number of nodes, etc. Importantly, "the property of the first layer affects the 'signature,' or the side-channel pattern of the second layer," notes Ashley Kurian, one of the researchers. Thus, trying to understand anything about the second, 10th, or 100th layer becomes increasingly impossible, as it rests on all of the properties of what came before it.

"So if there are 'N' layers, and there are 'K' numbers of combinations \[of hyperparameters\] for each layer, then computing cost would have been N raised to K," she explains. The researchers studied neural networks with 28 to 242 layers (N) and estimated that K — the total number of possible configurations for any given layer — equaled 5,528.

Instead of having to commit infinite computing power to the problem, they figured they could isolate and analyze each layer in turn.

To recreate each layer of a neural network, the researchers built "templates" — thousands of simulated combinations of hyperparameters, and read the signals they gave off when processing data. Then they compared those results to the signals emitted by the model they were trying to approximate. The closest simulation would be considered correct. Then, they applied the same process to the next layer.

"Within a day, we could completely recreate a neural network that took weeks or months of computation by the developers," Kurian reports.

**Stolen AIs Lead to IP, Cybercrime Risk to Companies**

Pulling off TPUXtract isn't trivial. Besides a wealth of technical know-how, the process also demands a variety of expensive and niche equipment.

The NCSU researchers used a Riscure EM probe station with a motorized XYZ table to scan the chip's surface, and a high sensitivity electromagnetic probe for capturing its weak radio signals. A Picoscope 6000E oscilloscope recorded the traces, Riscure's icWaves field-programmable gate array (FPGA) device aligned them in real-time, and the icWaves transceiver used bandpass filters and AM/FM demodulation to translate and filter out irrelevant signals.

As tricky and costly as it may be for an individual hacker, Kurian says, "It can be a competing company who wants to do this, \[and they could\] in a matter of a few days. For example, a competitor wants to develop \[a copy of\] ChatGPT without doing all of the work. This is something that they can do to save a lot of money."

Intellectual property theft, though, is just one potential reason anyone might want to steal an AI model. Malicious adversaries might also benefit from observing the knobs and dials controlling a popular AI model, so they can probe them for cybersecurity vulnerabilities.

And for the especially ambitious, the researchers also cited four studies that focused on stealing regular neural network parameters. Theoretically, those methods in combination with TPUXtract could be used to recreate the entirety of any AI model — parameters and hyperparameters in all.

To combat these risks, the researchers suggested that AI developers could introduce noise into the AI inference process using dummy operations, or running random operations concurrently, or confuse analysis by randomizing the sequence of layers during processing.

"During the training process," says Kurian, "developers will have to insert these layers, and the model should be trained to know that these noisy layers need not be considered."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

With 'TPUXtract,' Attackers Can Steal Orgs' AI Models

Law enforcement across mainland China have been using EagleMsgSpy surveillance tool to collect mobile device data since at least 2017, new research shows.

Source: Vicky Barlow via Alamy Stock Photo

NEWS BRIEF

A surveillance tool named EagleMeSpy, developed by a Chinese software company for legal use by the country's public security bureaus, has been scraping the most sensitive data from targeted Android devices since at least 2017.

Researchers at Lookout warn that the EagleMeSpy spyware has been under constant development, and while at the moment they have only seen evidence of an Android version, analysis of the tool's infrastructure indicates a potential Apple iOS version is out there somewhere as well.

Unlike other commercial spyware products, EagleMeSpy requires physical access to the targeted device to deploy the tool, the Lookout team found. The researchers reported they found no evidence of the spyware in Google Play or any other app stores, leading them to conclude Chinese law enforcement officials are the only ones initiating the surveillance software infection.

"An installer component, which would presumably be operated by law enforcement officers who gained access to the unlocked device, is responsible for delivering a headless surveillance module that remains on the device and collects extensive sensitive data," the Lookout report read.

Once installed, EagleMsgSpy gathers everything it can, including chat and text messages, screen and audio recordings, call logs, contacts, location data, and network activity, Lookout said. Additional evidence shows the vendor behind the spyware has multiple clients.

"Lookout researchers have observed an evolution in the sophistication of the use of obfuscation and storage of encrypted keys over time," the report warned. "This indicates that this surveillanceware is an actively maintained product whose creators make continuous efforts to protect it from discovery and analysis."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Chinese Cops Caught Using Android Spyware to Track Mobile Devices

In Operation PowerOFF, global authorities aim to deter individuals from engaging in malicious cyber acts.

Source: M4OS Photos via Alamy Stock Photo

NEWS BRIEF

Law enforcement agencies around the world have seized 27 of the most popular Web platforms used to launch distributed denial-of-service (DDoS) attacks.

The international operation, which remains ongoing, is known as PowerOFF and was coordinated by Europol, involving 15 countries. The operation targeted various levels of operatives in the groups engaged in the cybercriminal activities, including three administrators who were arrested in France and Germany. It also identified 300 other cybercriminals.

Three of the so-called "booter" and "stresser" websites that were taken down as part of Operation PowerOFF include zdstresser.net, orbitalstress.net, and starkstresser.net.

"While these platforms are often marketed as legitimate tools for stress-testing, they are frequently misused to facilitate malicious attacks," said Sarah Jones, cyber threat intelligence research analyst at Critical Start, in an emailed statement to Dark Reading. "By dismantling these services and identifying more than 300 customers, law enforcement agencies aim to disrupt the entire ecosystem addressing both the supply of these tools and the demand from those who use them for illegal activities."

The holiday season in particular has in the past been a peak period for hackers to carry out DDoS attacks, ultimately leading to financial loss, reputational damage for retailers, and operational disruption.

Law enforcement agencies launched an online ad campaign using Google search ads and YouTube to deter individuals from engaging in criminal activities like DDoS, highlighting the consequences of such attacks. Law enforcement also plans to conduct knock-and-talks, and use warning letters and emails.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Europol Cracks Down on Holiday DDoS Attacks

The rules necessary to secure US communications have already been in place for 30 years, argues Sen. Wyden, the FCC just hasn't enforced them. It's unclear if they will help.

In the wake of a widespread telecommunications breach at the hands of China, a US senator is proposing legislation aimed at enforcing cybersecurity standards across the communications industry — but it's unclear how efficacious they could be.

Salt Typhoon (aka Earth Estries, FamousSparrow, GhostEmperor, UNC2286) recently overtook Volt Typhoon as China's threat actor du jour, thanks to a year-plus campaign of cyber espionage against at least eight telcos, including AT&T, Verizon, and T-Mobile. Its winnings were remarkable: Not only did the group manage to steal extensive metadata on calls and text messages between ordinary Americans, but they also reportedly accessed and even recorded calls involving high-ranking government officials. Reports from the same time highlighted breaches of both the Trump and Harris campaigns and the Biden administration. They're also active globally.

In the wake of that national security failure, Sen. Ron Wyden (D-Ore.) on Dec. 10 released draft legislation aimed at securing US phone networks. The "Secure American Communications Act" would require the Federal Communications Commission (FCC) to issue new cybersecurity rules for telcos and enforce those that have already been applied based on older legislation.

Related:Lessons From the Largest Software Supply Chain Incidents

"Sen. Wyden deserves credit for putting critical infrastructure security in the spotlight," says Madison Horn, former congressional candidate for Oklahoma's 5th district. She suggests, however, that the proposal is less revolutionary than rhetorical. "His push for stronger cybersecurity standards is important, but let's be clear — most of what he's calling for already exists."

**Has the FCC Been Negligent in Enforcing Telco Security?**

In a press release, Wyden's staff framed his bill not as a major change to the telecommunications industry, but a wake-up call — "to fix \[the FCC's\] own failure to fully implement telecom security requirements already required by federal law."

At issue is Title I, Section 105 of the Communications Assistance for Law Enforcement Act (CALEA), which:

Requires a carrier to ensure that any interception of communications or \[call-identifying information\] access effected within its switching premises can be activated only in accordance with a court order or other lawful authorization and with the affirmative intervention of a carrier officer or employee acting in accordance with Federal Communications Commission (FCC) regulations.

Wyden's camp argues that this proposition, formulated without specific regard for cyber systems, "required providers to secure their systems from unauthorized interceptions, and gave the FCC the authority to issue regulations to implement this requirement," adding that "in the years since, the FCC has never fully implemented this provision."

Related:Google Launches Open Source Patch Validation Tool

FCC Chairwoman Jessica Rosenworcel agreed, in a draft Declaratory Ruling shared with her fellow commissioners last week. And besides affirming that interpretation of Section 105, Rosenworcel floated a proposal requiring communications services providers (CSPs) to submit annual reports, "attesting that they have created, updated, and implemented a cybersecurity risk management plan, which would strengthen communications from future cyberattacks." Unlike the newly drafted bill in the Senate, this ruling would take effect immediately if it were adopted.

**What Wyden's Telco Security Bill Misses**

The Secure American Communications Act, similarly, proposes that CSPs conduct, document, and report annual vulnerability testing, and engage with independent auditors for annual assessments of FCC cybersecurity compliance. Above all, the bill proposes that the FCC enforce the spirit of Section 105 by implementing cybersecurity requirements aimed at blocking unauthorized access to these networks.

Related:Large-Scale Incidents & the Art of Vulnerability Prioritization

Are these the steps necessary to prevent the next Salt Typhoon-style attack against American communications?

In Horn's view, "The problem isn’t a lack of rules. Telcos are required to follow FCC rules, NIST standards, and ISO 27001 protocols. They conduct annual cybersecurity certifications, report breaches to multiple agencies — with CISA being a prime example — and manage supply chain risks. The efforts to secure supply chains, especially after Huawei’s impact, have already led to significant regulatory action."

Instead of a lack of rules and regulations, she argues, "It's largely a resources and scaling problem. We’re talking about a US telecommunications network that spans 800,000 miles of fiber-optic cables and 113,000 miles of long-haul fiber routes, not to mention undersea cables and satellite links. Every mile of that network introduces new endpoints and attack surfaces. The real challenge is ensuring the frameworks we already have can be implemented faster, more effectively, and at this monumental scale."

Bulky legacy systems ill-equipped to adapt to new cybersecurity guidelines, insufficient funding for cybersecurity projects, and an insufficient pool of cybersecurity talent nationwide aren't problems that can be fixed with any wave of a pen, either.

"Our adversaries are operating at the speed of war, while we’re moving at the speed of paperwork," she laments. "Attacks like Salt Typhoon don’t succeed because our policies failed — they succeed because our capacity to act didn’t keep pace with the threat."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Efforts to Secure US Telcos Beset by Salt Typhoon Might Fall Flat

****SUMMARY****

*   **Global Dismantling of DDoS Platforms**: Law enforcement from 15 countries shut down 27 websites offering DDoS attack services as part of Operation PowerOFF.

*   **Arrests and Identifications**: Europol coordinated the arrest of three site administrators in France and Germany and identified over 300 users for further action.

*   **Offline Platforms**: Popular DDoS services like zdstresser.net, orbitalstress.net, and starkstresser.net are now offline, displaying seizure notices.

*   **Holiday Season Spike**: The takedown coincides with a rise in DDoS attacks, often targeting gaming platforms and driven by financial, ideological, or extortion motives.

*   **Prevention and Outreach**: Operation PowerOFF combines takedowns with education and deterrence, including online ads and direct warnings to discourage illegal activities.

Law enforcement agencies from 15 countries have dismantled and seized 27 websites used to sell Distributed Denial-of-Service (DDoS) attack services. The takedown was part of the ongoing **Operation PowerOFF**, an initiative to shut down cybercrime and platforms facilitating it.

These websites, commonly referred to as ‘booter’ and ‘stresser’ sites, were popular among cybercriminals and hacktivists. By flooding targets with illegal traffic, these platforms enabled attackers to disrupt services, causing financial losses, reputational damage, and outages for their victims.

****Arrests!****

Coordinated by Europol; the operation targeted everyone involved in this criminal activity, from the administrators running these sites to the users hiring their services. Three administrators were arrested in France and Germany, and over 300 users were identified for further action.

As of now, 27 malicious service providers, including zdstresser.net, orbitalstress.net, and starkstresser.net, have been taken offline and display seizure notices to visitors.

The homepage of the seized sites (Credit: Hackread.com)

This takedown comes at a time when DDoS attacks, especially against gaming platforms, spike during the holiday season. Motivations for these attacks depend on several factors, including financial gain and extortion to ideological reasons, as seen with groups like Russian Killnet and Anonymous Sudan.

****Not Just Takedowns: A Broader Plan of Action****

According to Europol’s press release, Operation PowerOFF isn’t just about shutting down websites. It also aims to prevent future attacks through a combination of education and deterrence.

Europol, working with its international partners, has launched an online ad campaign targeting potential offenders. These ads, appearing on Google search results and YouTube, highlight the consequences of DDoS attacks and aim to dissuade individuals from engaging in this illegal activity.

In addition to online outreach, law enforcement agencies are using more traditional methods like warning letters and “knock-and-talks” to reach out to users of these illegal services.

In a comment to Hackread.com, Derek Manky, Chief Security Strategist at Fortinet, emphasizes the need for continued collaboration: “Turning the tide against cybercrime requires a global effort. Public-private partnerships are essential to disrupt large-scale cybercrime operations and create a safer online environment for everyone.”

1.  **Russian Ransomware Laundering Networks** **Disrupted**
2.  **Criminal Encrypted Messaging Platform MATRIX Taken Down**
3.  **Interpol Arrests 5,500 Cybercriminals, Recovers $400 Million**
4.  **INTERPOL Arrests 41, Takes Down 22,000 IPs and 59 Servers**
5.  **Phishers Impersonating Police Arrested in Multi-Million Euro Scam**

Authorities Shut Down 27 DDoS-for-Hire Platforms, Arrest 3 Admins

BforeAI has discovered a surge in phishing attacks targeting the Dubai Police, a government-run entity. Learn how cybercriminals are exploiting the Dubai Police name to steal personal information and money.

****SUMMARY:****

*   **Researchers found a rise in phishing attacks in the UAE impersonating Dubai Police via SMS.**

*   **Attackers use fake domains with typosquatting and suspicious extensions like “.xyz” and “.top.”**

*   **Many domains originate from Singapore servers linked to prior malicious activity.**

*   **The scams aim to steal financial data and exploit fear using emergency numbers like 999.**

*   **Residents should verify websites, avoid unknown contacts, and check for “HTTPS” to stay safe.**

Cybersecurity researchers at BforeAI have identified a rise in phishing attacks targeting residents of the United Arab Emirates (**UAE**) by impersonating the Dubai Police. The attacks are primarily relayed via SMS texts and redirect users to malicious domains.

The researchers analyzed 268 domains from September 17 to November 22 to identify patterns and trends. Most domains originated from Singapore servers and have a history of malicious activity, including spam, phishing, and botnets. Around 50% of these domains were registered by Gname, and the rest by NameSilo, and Dominet.

One such SMS with a malicious link (Via BforeAI)

Further probing revealed that over two dozen domains have expired, with some registered as recently as November. Two registrants, from India and Dubai, have suspicious names suggesting legitimate company origins. Threat actors, however, have managed to keep their identities anonymous, revealed BeforeAI’s **advisory** shared exclusively with Hackread.com ahead of its publishing.

This update follows **last month’s revelations** that 99% of UAE’s .ae domains are vulnerable to phishing and spoofing attacks due to insufficient DMARC implementation.

****What’s going on****

The attackers are deploying a multi-sided approach to deceive victims. This includes registering numerous domains in fast succession, often with sequential numbering, hinting at the use of automated tools, and using **Typosquatting**. This means they are creating misspelled variations of “Dubai Police” (e.g., “dubaiploce”) to trick unsuspecting recipients into clicking on illegitimate links.

Furthermore, attackers are adding terms like “police,” “gov,” “portal,” and “online” to the domain names to appear official and trustworthy.

Beyond the “.com” domain, the attackers are heavily utilizing less-regulated extensions like “.top,” “.xyz,” and “.click,” which provide them with more anonymity. Interestingly, a significant portion of the domains were registered using Tencent servers in Singapore, previously linked to malicious activities.

****Who are the Targets?****

These fraudulent campaigns seem to have two main targets- stealing financial information from individuals who believe they’re interacting with a legitimate government entity and exploiting fear by incorporating emergency numbers like 999 (UAE emergency services) to target those worried about supposed fines or seeking genuine assistance from Dubai Police.

Researchers observed a quick turnaround time for these phishing campaigns.  Many domains expire within weeks, suggesting the attackers launch frequent, short-lived operations to evade detection.

To avoid falling victim to such scams, UAE residents should verify official websites, be cautious of unfamiliar contacts, and be wary of websites lacking the “HTTPS” protocol, broken links, or unprofessional design.

1.  **Stolen UAE InvestBank Data Sold on Dark Web**
2.  **Anonymous Sudan Hits UAE’s Flydubai with DDoS Attack**
3.  **US Gov Agencies Impersonated in DocuSign Phishing Scams**
4.  **In UAE Supporting Qatar on the Internet is Now a Cybercrime**
5.  **Google takes on sites with ties to hack-for-hire groups in UAE**

Scammers Exploit Fake Domains in Dubai Police Phishing Scams

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

**References**

*   golang/crypto@b4f1988
*   https://go.dev/cl/635315
*   https://go.dev/issue/70779
*   https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ
*   https://pkg.go.dev/vuln/GO-2024-3321

Tag

#google