“Yahoo Boy” cybercriminals are openly running dozens of scams across Facebook, WhatsApp, Telegram, TikTok, YouTube, and more.

Most scammers and cybercriminals operate in the digital shadows and don’t want you to know how they make money. But that’s not the case for the Yahoo Boys, a loose collective of young men in West Africa who are some of the web’s most prolific—and increasingly dangerous—scammers.

Thousands of people are members of dozens of Yahoo Boy groups operating across Facebook, WhatsApp, and Telegram, a WIRED analysis has found. The scammers, who deal in types of fraud that total hundreds of millions of dollars each year, also have dozens of accounts on TikTok, YouTube, and the document-sharing service Scribd that are getting thousands of views.

Inside the groups, there’s a hive of fraudulent activity with the cybercriminals often showing their faces and sharing ways to scam people with other members. They openly distribute scripts detailing how to blackmail people and how to run sextortion scams—that have driven people to take their own lives—sell albums with hundreds of photographs, and advertise fake social media accounts. Among the scams, they’re also using AI to create fake “nude” images of people and real-time deepfake video calls.

The Yahoo Boys don’t disguise their activity. Many groups use “Yahoo Boys” in their name as well as other related terms. WIRED’s analysis found 16 Yahoo Boys Facebook groups with almost 200,000 total members, a dozen WhatsApp channels, around 10 Telegram channels, 20 TikTok accounts, a dozen YouTube accounts, and more than 80 scripts on Scribd. And that’s just the tip of the iceberg.

Broadly, the companies do not allow content on their platforms that encourages or promotes criminal behavior. The majority of the Yahoo Boys accounts and groups WIRED identified were removed after we contacted the companies about the groups’ overt existence. Despite these removals, dozens more Yahoo Boys groups and accounts remain online.

“They’re not hiding under different names,” says Kathy Waters, the cofounder and executive director of the nonprofit Advocating Against Romance Scammers, which has tracked the Yahoo Boys for years. Waters says the social media companies are essentially providing the Yahoo Boys with “free office space” to organize and conduct their activities. “They’re selling scripts, selling photos, identifications of people, all online, all on the social media platforms,” she says. “Why these accounts still remain is beyond me.”

The Yahoo Boys aren’t a single, organized group. Instead, they’re a collection of thousands of scammers who work individually or in clusters. Often based in Nigeria, their name comes from formerly targeting users of Yahoo services, with links back to the Nigerian Prince email scams of old. Groups in West Africa can be often organized in various confraternities, which are cultish gangs.

“Yahoo is a set of knowledge that allows you to conduct scams,” says Gary Warner, the director of intelligence at DarkTower and director of the University of Alabama at Birmingham’s Computer Forensics Research Laboratory. While there are different levels of sophistication of Yahoo Boys, Warner says, many simply operate from their phones. “Most of these threat actors are only using one device,” he says.

The Yahoo Boys run dozens of scams—from romance fraud to business email compromise. When making contact with potential victims, they’ll often “bomb” people by sending hundreds of messages to dating app accounts or Facebook profiles. “They will say anything they can in order to get the next dime in their pocket,” Waters says.

Searching for the Yahoo Boys on Facebook brings up two warnings: Both say the results may be linked to fraudulent activity, which isn’t allowed on the website. Clicking through the warnings reveals Yahoo Boy groups with thousands of members—one had more than 70,000.

Within the groups—alongside posts selling SIM cards and albums with hundreds of pictures—many of the scammers push people toward other messaging platforms such as Meta’s WhatsApp or Telegram. Here, the Yahoo Boys are at their most bold. Some groups and channels on the two platforms receive hundreds of posts per day and are part of their wider web of operations.

After WIRED asked Facebook about the 16 groups we identified, the company removed them, and some WhatsApp groups were deactivated. “Scammers use every platform available to them to defraud people and constantly adapt to avoid getting caught,” says Al Tolan, a Meta spokesperson. They did not directly address the accounts that were removed or that they were easy to find. “Purposefully exploiting others for money is against our policies, and we take action when we become aware of it,” Tolan says. “We continue to invest in technology and cooperate with law enforcement so they can prosecute scammers. We also actively share tips on how people can protect themselves, their accounts, and avoid scams.”

Groups on Telegram were removed after WIRED messaged the company’s press office; however, the platform did not respond about why it had removed them.

Across all types of social media, Yahoo Boys scammers share “scripts” that they use to socially manipulate people—these can run to thousands of words long and can be copied and pasted to different victims. Many have been online for years. “I’ve seen some scripts that are 30 and 60 layers deep, before the scammer actually would have to go and think of something else to say,” says Ronnie Tokazowski, the chief fraud fighter at Intelligence for Good, which works with cybercrime victims. “It’s 100 percent how they'll manipulate the people,” Tokazowski says.

Among the many scams, they pretend to be military officers, people offering “hookups,” the FBI, doctors, and people looking for love. One “good morning” script includes around a dozen messages the scammers can send to their targets. “In a world full of deceit and lies, I feel lucky when see the love in your eyes. Good morning,” one says. But things get much darker.

The Yahoo Boys have been behind a recent wave of sextortion across the United States and elsewhere, says Paul Raffile, an intelligence analyst at the Network Contagion Research Institute who is closely tracking the criminals. Broadly speaking, during sextortion, a scammer will use intimate or explicit images to try to get someone to pay them money. “The Yahoo Boys are the principal threat actor behind the surge of sextortion that we’re seeing over the past 18 months,” Raffile says. “They are responsible for forcing dozens of teens to suicide.”

In a series of posts in one Telegram channel, highlighted by Warner, who is also involved in Intelligence for Good, one cybercriminal can be seen walking others through how to run a sextortion scam. They say they tricked people into sharing nude images—posting screenshots of the conversation—and explained ways other people can replicate it. “Hey I am posting your naked pictures on social media and Facebook,” says a sample message cybercriminals could use. “Am not just posting it am sending copies of it to your area,” the message says, before demanding $700.

While the scripts like these are shared on all social media channels, WIRED found at least 80 on the document-sharing service Scribd. The company removed them after WIRED got in touch, with a spokesperson saying there are limits on what people can upload and that the company has automated and manual reviews to remove content. “We’re actively building out new capabilities to broaden the scope of content moderation coverage to include a wider range of concerning text and image violations,” the spokesperson says. Some of the scripts had been online since 2020, and on pages where they were removed a “reading suggestions” section recommended other scam scripts.

Raffile says the Yahoo Boys have been able to “thrive” online “due to lack of moderation around all the illicit material” that they’re sharing. “They’re acting with impunity because they feel they will never get caught,” Raffile says.

Beyond the messaging platforms, the Yahoo Boys have a presence on TikTok and YouTube. “We design our app to be inhospitable to those who seek to exploit our community and we’ve removed this content for violating our policies,” a TikTok spokesperson says.

“Our policies prohibit spam, scams, or other deceptive practices that take advantage of the YouTube community,” a YouTube spokesperson says. “We also prohibit videos that encourage illegal or dangerous activities. As such, we have terminated the flagged channels for violating our policies and our terms of service.” They add that the company removed accounts for breaching policies about harmful content, spam, and generally violating its terms of service.

The accounts posted tutorials about how to scam people, link to groups on messaging apps, and promote technology for fake video calls. On TikTok, multiple accounts include carousels of images that the scammers can use in their efforts to create believable personas. Some of these include posts of elderly women for scammers who are in “need of grandma pictures for proof” of their fake identities and others for scammers who “need kids pics” for their victims.

As well as being a threat to thousands of people around the world, the Yahoo Boys can be quick to adopt new technologies. David Maimon, a professor at Georgia State University and the head of fraud insights at the identity-verification firm SentiLink, has monitored Yahoo Boys for years and says their techniques have evolved alongside new technologies.

“To build rapport with victims, the fraudsters first used text messages, then started sending recorded audio messages, to now using deepfake tools to communicate with victims live,” Maimon says. “On some of the markets we now also see the use of cloned voices. It is now accompanied with sending physical items to victims such as presents, food deliveries, and flowers.” Within some groups, they use “nudification” tools to turn photos of people clothed into nude photos, and deepfake video calls.

While the Yahoo Boys have been active for years, all the experts spoken to for this piece say they should be treated more seriously by social media companies and law enforcement. “It’s time that we start looking at Yahoo Boys as a dangerous organization, transnational organized crime, and start giving it some of those labels,” Raffile says.

These Dangerous Scammers Don’t Even Bother to Hide Their Crimes

Microsoft has uncovered a common vulnerability pattern in several apps allowing code execution; at least four of the apps have more than 500 million installations each; and one, Xiaomi's File Manager, has at least 1 billion installations.

Source: rafapress via Shutterstock

Researchers from Microsoft recently discovered many Android applications — including at least four with more than 500 million installations each — to be vulnerable to remote-code execution attacks, token theft, and other issues because of a common security weakness.

Microsoft informed Google's Android security research team of the problem and Google has published new guidance for Android app developers on how to recognize and remediate the issue.

**Billions of Installations at Risk of Compromise**

Microsoft has also shared its findings with vendors of affected Android apps on Google's Play store. Among them were Xiaomi Inc.'s File Manager product, which has more than 1 billion installations, and WPS Office with some 500 million downloads.

Microsoft said vendors of both products have already fixed the issue. But it believes there are more apps out there that are fallible to exploit and compromise because of the same security weakness. "We anticipate that the vulnerability pattern could be found in other applications," Microsoft's threat intelligence team said, in a blog post this week. "We're sharing this research so developers and publishers can check their apps for similar issues, fix as appropriate, and prevent introducing such vulnerabilities into new apps or releases."

The issue that Microsoft discovered affects Android applications that share files with other applications. To facilitate the sharing in a secure manner, Android implements a so-called "content provider" feature that basically acts as an interface for managing and exposing an app's data to other installed applications on a device, Microsoft said. An app that needs to share its files — or a file provider in Android speak — declares the specific paths that other apps can use to get to the data. File providers also include an identifying feature that other apps can use as an address to find them on a system.

**Blind Trust & Lack of Content Validation**

"This content provider-based model provides a well-defined file-sharing mechanism, enabling a serving application to share its files with other applications in a secure manner with fine-grained control," Microsoft said. However, in many cases when an Android app receives a file from another app, it does not validate the content. "Most concerning, it uses the filename provided by the serving application to cache the received file within the consuming application's internal data directory."

This gives attackers an opening to create a rogue app that can send a file with a malicious filename directly to a receiving app — or file share target — without the user's knowledge or approval, Microsoft said. Typical file share targets include email clients, messaging apps, networking apps, browsers, and file editors. When a share target receives a malicious filename, it uses the filename to initialize the file and trigger a process that could end with the app getting compromised, Microsoft said.

The potential impact will vary depending on an Android application's implementation specifics. In some cases, an attacker could use a malicious app to overwrite a receiving app's settings and cause it to communicate with an attacker-controlled server, or get it to share the user's authentication tokens and other data. In other situations, a malicious application could overwrite malicious code into a receiving app's native library to enable arbitrary code execution. "Since the rogue app controls the name as well as the content of the file, by blindly trusting this input, a share target may overwrite critical files in its private data space, which may lead to serious consequences," Microsoft said.

Both Microsoft and Google have provided tips to developers on how to avoid the issue. End users, meanwhile, can mitigate the risk by ensuring their Android apps are up to date and by only installing apps from trusted sources.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Billions of Android Devices Open to 'Dirty Stream' Attack

Organizations can go a long way toward preventing spoofing attacks by changing one basic parameter in their DNS settings.

Source: Panther Media GmbH via Alamy Stock Photo

North Korean hackers are taking advantage of weak DMARC configurations to impersonate organizations in phishing attacks against individuals of strategic significance to the Kim Jong Un regime.

DMARC, short for Domain-based Message Authentication, Reporting & Conformance, is a security protocol for preventing email-based attacks. Unlike most security solutions, however, which potential victims implement for themselves, DMARC policies are set by email senders. In part for this reason, it can be easily overlooked.

On Thursday, the FBI and National Security Agency released a joint cybersecurity advisory detailing how the APT Kimsuky (aka APT 43, Thallium) is taking advantage. For some time now, it has been masquerading as organizations that have weak or nonexistent DMARC policies in convincing spear phishing emails.

"This is a highly effective new tool in the arsenal of one of the more prolific social engineering threat groups that Mandiant tracks," Gary Freas, Mandiant senior analyst with Google Cloud, said in an email. "Organizations in a variety of industries around the world are at risk of leaving themselves unnecessarily exposed. Proper DMARC configuration, in conjunction with proper management of SPF/DKIM, is low-hanging fruit to deliver high-impact prevention of phishing and spoofing of an organization."

**The Difference DMARC Makes**

Kimsuky's primary objective is to steal valuable intelligence — regarding geopolitical events, other nations' foreign policy strategies, and more — for the Kim regime. To do that, it aims cyberattacks at journalists, think tanks, government organizations, and the like.

To add legitimacy to these attacks, it often impersonates individuals from trusted organizations like these in highly targeted emails. Such emails are extra convincing when Kimsuky gains access to their puppet's legitimate account or domain (often through a separate spear phishing attack) to send emails on their behalf.

A Kimsuky phishing email sent from late 2023 to early 2024. Source: FBI/NSA

This is what DMARC is designed to prevent. It combines two authentication mechanisms: the Sender Policy Framework (SPF), which checks that a sender's IP address is authorized to send emails from their specified domain, and DomainKeys Identified Mail (DKIM), which uses public key cryptography for anti-tampering. Domain owners can set a DMARC record in their domain name system (DNS) settings to determine what happens should an email-en-route fail one of these checks: either block it (p=reject), treat it with suspicion (p=quarantine), or do nothing (p=none).

The FBI-NSA joint advisory suggests organizations favor p=reject or p=quarantine to prevent threat actors like Kimsuky from sending emails from their domains.

"DMARC hygiene is critical," says Jeremy Fuchs, Harmony Email analyst at Check Point. "It's a fantastic way to ensure that when someone gets an email from your company, it’s actually from your company. It can be a big project, though, to ensure p=reject state, especially when you have many domains. This is why reporting, monitoring, and consistent hygiene is key.

"DMARC is not a silver bullet, as hackers have plenty of ways to spoof, but it can be a good starting point."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

DPRK's Kimsuky APT Abuses Weak DMARC Policies, Feds Warn

DMARC adoption is more important than ever following Google's and Yahoo's latest mandates for large email senders. This Tech Tip outlines what needs to be done to enable DMARC on your domain.

Source: Tapati Runchumrus via Shutterstock

For cybersecurity professionals in email security and anti-phishing, the beginning of 2024 marked the start of an evolution. 

In January, adoption of the email standard for protecting domains from spoofing by fraudsters — Domain-based Messaging Authentication, Reporting and Conformance, or DMARC — became a necessity as companies prepared for the enforcement of mandates by email giants Google and Yahoo. DMARC uses a domain record and other email-focused security technologies to determine whether an email comes from a server authorized to send messages on behalf of a particular organization. 

Yet three months later, DMARC adoption is already starting to taper off, and many companies have completed only the most minimal configuration of their domains, such as setting DMARC to flag issues rather than quarantine or even reject messages. 

Unfortunately, many organizations remain concerned that DMARC is just another security control that, if done wrong, could break critical email services, says Rahul Powar, CEO of Red Sift, a threat intelligence provider.

"Many organizations are rightly concerned that if they go and they do a DMARC policy and it's not correct, that they could block something that's really material to the business, such as a massive marketing campaign, or that the CEO's email won't land in the right inbox," he says. "There's a concern about getting it wrong."

As of the end of April, about 7.9 million domains have some sort of DMARC record (yellow), but only 32% are BIMI ready (green). Source: BIMIRadar.com

However, DMARC — and the underlying technologies of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) — are not difficult to set up for small or midsize businesses that have simple email infrastructure through a third-party service, such as Google Workspace or Microsoft 365. However, if there are older systems or some segmentation using subdomains, the configuration can get complex — fast, says Gerasim Hovhannisyan, co-founder and CEO at service provider EasyDMARC.

"The problem comes when you have legacy systems and multiple sending sources and infrastructure," he says. "Not only enterprises, but the midmarket can have huge problems during email authentication deployment. It's straightforward or easy to do at first glance, but if you do something wrong, totally valid emails will be rejected."

Here is what to keep in mind when setting up DMARC for your organization.

**1\. SPF Alerts Recipients to Emails From Nonapproved Sources**

The first DNS record that an organization needs to set up is SPF, a string that lists the IP addresses and domain names of the mail servers authorized to send email on behalf of the domain. This record is typically set up through your domain provider or email hosting provider. 

A typical SPF record is a DNS TXT record and looks like:

v=spf1 ip4:192.168.1.1 ip4:192.168.2.1 include:example.com -all

The "v=spf1" designates the string as an SPF record and is required for all SPF records. The "ip4" fields list the IP addresses that are allowed to send email on behalf of the domain and can include network addresses using the slash notation. The "include" tag lists the third-party domains that are authorized to send email for the domain, while the "-all" flag specifies that every other domain is not allowed. Other variants, such as "~all," are possible and specify that mail from other domains are allowed but marked insecure, while "+all" allows any server to send email on behalf of the domain.

While the SPF record is a good first step, spammers could exploit the fact that other organizations using a common third-party server, such as Google's, would be authorized to send email on behalf of every other organization using that server.

**2\. DKIM Uses PKI to Verify Email Messages**

DKIM solves the problem of multiple tenants on the same email server and adds email verification as well. The DKIM selector and key is generated by your email provider and then registered as a TXT record in your DNS service provider. 

A typical DKIM record is a DNS TXT record with a selector — a name — such as "\[third party\].\_domainkey" and a value of:

v=DKIM1; k=rsa; p={public key string}

The "v=DKIM1" designates the TXT string as a DKIM record and is required for all DKIM records. The "k=rsa" designates the type of encryption used for the public-key data, with RSA as the default and other values, such as Edwards-curve Digital Signature Algorithm (EdDSA), allowed as well. The "p=" tag contains the public-key data generated by the email service provider. 

As with any public-key encryption infrastructure, organizations should make sure to regularly rotate the keys for their domain infrastructure, says EasyDMARC's Hovannisyan. 

"We have password management systems or rotating passwords for other \[types of\] keys, but we don't do that with DKIM keys," he says. "This is something that should be in place and each time something can be broken, you need to have alerting."

**3\. DMARC Establishes Policies for Email Recipients**

DMARC uses the already-established controls of SPF and DKIM and specifies an organization's email policy — not for emails coming into the organization, but for emails claiming to be sent on behalf of the organization. Organizations that specify a DMARC record gain two benefits: They can tell a receiving server what to do with an email that fails authentication — such as allow delivery, quarantine the message, or reject it — and they direct the receiving server to generate reports about any messages sent to the domain. 

The result is that an organization using DMARC gains visibility into how its domain name and brand is being used by unauthorized parties. 

A typical DMARC record is a DNS TXT record with a "\_DMARC" and a value that is a string with a number of fields, such as:

v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:\[email protected\]

In this example, the "v=DMARC1" is the required identifier, the authentication policies for both SPF and DKIM at set to strict — as designated by the "aspf=s" and "adkim=s" tags — and the DMARC reports are sent to an organization-specific email at a third-party provider. In this case, the policy is set to reject, but companies can start with a policy of "none" to gain access to the reporting and move to a policy of "quarantine."

**4\. Check Your DMARC Reports Regularly and Maintain Records**

Establishing a DMARC policy is fairly simple, but using the added information as part of an email-security and brand-protection program requires an alerting mechanism and regular oversight. Often companies will just insert a valid DMARC record in their DNS with a policy of "none" and then forget about the added threat intelligence, Hovannisyan says.

"One of the biggest mistakes with DMARCs is \[a company saying\] that once it's done, I don't need to do anything more," he says. 

Instead, companies should advance through the different policies, starting with "none" but quickly moving to "quarantine" and then finally "strict."

While DMARC can be easy to manage for small companies, large enterprises will likely want to adopt a service to manage the configuration of its email infrastructure and make use of the added capabilities.

"For a small deployment, where you basically just have a Google or an Office 365 on your domain, it's pretty straightforward," says Red Sift's Powar. "I mean, the spec is quite simple, but as soon as you add a little bit of complexity — once you start including a marketing department, an HR department, or maybe a procurement department — you're going to find a lot of senders suddenly start to appear out of your infrastructure."

**5\. Consider BIMI to Increase Trust**

Finally, companies have a fourth standard that can help add more trust to their email messages. The Brand Indicators for Message Identification, or BIMI, standard allows companies to register their logos for use in email clients, but only after they have adopted the maximum level of strictness for their DMARC policies. 

While almost three-quarters of large organizations (73%) have adopted the most basic version of DMARC, the share of those organizations that would pass the most stringent standards vary significantly by nation: In the US, 77% of companies have a strict policy, while only 40% in Germany and 15% in Japan do, according to data from Red Sift. Of all domains, only 3% are considered ready for BIMI, but 32% of the 7.9 million DMARC-enabled domains have strict enough policies to adopt BIMI, according to the BIMIRadar tracking site.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Why Haven't You Set Up DMARC Yet?

Weaponizing Microsoft's own services for command-and-control is simple and costless, and it helps attackers better avoid detection.

Source: Robert K Chin Storefronts via Alamy Stock Photo

Nation-state espionage operations are increasingly using native Microsoft services to host their command-and-control (C2) needs.

A number of unrelated groups in recent years have all come to the same realization: Rather than building and maintaining their own infrastructure, it's more economical and effective to simply use Microsoft's own services against their targets. Besides the costs and headaches saved from not having to set up and maintain their own infrastructure, using legitimate services allows attackers' malicious behavior to more subtly mix in with legitimate network traffic.

This is where Microsoft Graph comes in handy. Graph offers an application programming interface (API) that developers use to connect to a wide range of data — email, calendar events, files, etc. — across Microsoft cloud services. Harmless on its own, it provides an easy means for hackers to run C2 infrastructure using those same cloud services.

Recently, for example, Symantec threat hunters discovered a novel malware they call "BirdyClient," used against an organization in Ukraine. BirdyClient's purpose is to connect to the Graph API in order to upload and download files using OneDrive.

Dark Reading is awaiting comment on this story from Microsoft.

**Hackers Abuse Microsoft Graph**

Long before BirdyClient, there was Bluelight, a second-stage tool for command-and-control via several different Microsoft cloud services. It was first discovered in 2021, having been developed by North Korea's APT37 (aka ScarCruft, Reaper, Group123).

"We see it frequently with cybercrime groups and espionage groups: Somebody hits on a new technique, and everybody copies it," says Dick O'Brien, principal intelligence analyst at Symantec. "This is the case here. They've realized how they can leverage this, and now all of these major players are jumping on board."

After Bluelight came Backdoor.Graphon, used by the Harvester group in a nation-state-backed espionage operation against organizations in southern Asia. Then, there was Graphite, spread via spear-phishing attacks against governments in Europe and Asia, and SiestaGraph, which made an appearance in a December 2022 breach of a southeast Asian foreign affairs office.

Last June brought Backdoor.Graphican, used by APT15 (aka Flea, Nickel, Vixen Panda, KE3CHANG, Royal APT, and Playful Dragon) against foreign affairs ministries in the Americas. A month later, researchers spotted Russia's Cozy Bear (aka APT29, Cloaked Ursa, UAC-0004, Midnight Blizzard/Nobelium) using the same trick in attacks against global diplomatic missions, and Symantec identified a further case from November involving a target in Asia it has yet to disclose.

Despite their myriad differences, all the malware in these cases share the use of Graph API to make C2s out of 365 services, primarily OneDrive.

"From an organization's perspective, you need to start being a lot more aware of people using unsanctioned cloud accounts," O'Brien says. And this doesn't just apply to malicious attacks. For example, "It's quite common to hear people say that they access their personal OneDrive account from a work network. The danger in allowing wholesale access to these cloud platforms is that malware may be less likely to raise red flags," he says.

"Look at ensuring that any connections are to your own tenants — accounts that belong to your enterprise — and lock down everything else."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft Graph API Emerges as a Top Attacker Tool to Plot Data Theft

Ukraine needs small drones to combat Russian forces—and is bootstrapping its own industry at home.

Inside Ukraine’s Killer-Drone Startup Industry

Red Hat and Intel are collaborating on a joint solution that more seamlessly integrates Intel® IPU with Red Hat OpenShift, propelling cloud and edge computing into a new era of performance and scalability.The solution brings together Intel’s latest leading programmable network device, the Intel® Infrastructure Processing Unit (Intel® IPU) E2000 Series with Red Hat OpenShift. This solution, shown in the following diagram, is designed for performance at scale under real world workloads and opens up a wide array of use cases through the ability to flexibly service chain network functions at

Red Hat and Intel are collaborating on a joint solution that more seamlessly integrates Intel® IPU with Red Hat OpenShift, propelling cloud and edge computing into a new era of performance and scalability.

The solution brings together Intel’s latest leading programmable network device, the Intel® Infrastructure Processing Unit (Intel® IPU) E2000 Series with Red Hat OpenShift. This solution, shown in the following diagram, is designed for performance at scale under real world workloads and opens up a wide array of use cases through the ability to flexibly service chain network functions at the edge. 

Integrating network function chaining on the Intel® IPU and orchestrating it with business logic running on OpenShift worker nodes can help conserve energy through optimized resource utilization, enhanced efficiency, reduced overall power consumption, and industry-leading security practices.

OpenShift offers the industry’s leading hybrid cloud application platform powered by Kubernetes, enhancing security across infrastructure. Its capabilities enable integration of security into applications, automated policies for container deployment security, and enhanced protection of the container runtime. This presents systems security as a top priority while maximizing performance and efficiency.

**Challenges that exist with traditional infrastructure solutions**

As network speeds continue advancing towards 100Gb Ethernet and beyond, and the complexity of supporting and managing new network infrastructure use cases at the edge grows in parallel, it places significant additional demands on components like standard Network Interface Cards (NICs) that were not designed for supporting this increased network complexity at these data rates.

Traditional monolithic applications constructed in virtual machines also do not translate well to how modern microservices are developed independently using containers. The level of agility required to rapidly deploy new edge capabilities on an on-demand basis is difficult with rigid legacy architectures.

Finally, delivering advanced network functions like compression, encryption/decryption, traffic filtering and firewalling at the network edge with greater security imposes new demands that strain traditional shared-resource server models, as they were not designed with strong isolation between edge services and infrastructure processing.

To address these challenges, service providers and enterprises are investing heavily in data center modernization to deliver more efficient compute for cloud native applications and microservices at the edge. The applications delivering these services must have access to high-speed networking infrastructure with a strong security footprint and low latency storage.

Network infrastructure based on the Intel® IPU is optimized for these emerging edge use cases whose potential can be fully realized through interfacing to OpenShift worker nodes to truly deliver innovative real-time applications.

Traditional SmartNICs can accelerate some infrastructure tasks like packet processing through static or semi-programmable logic to offload work from server CPUs. The IPU goes far beyond this by integrating both programmable hardware acceleration and a highly efficient multi-core CPU to enable full offloading and distributed processing of the entire software stack. Infrastructure services such as virtual switching, security, and storage that consume a significant number of CPU cycles can be offloaded to the IPU, freeing up CPU cores for improved application performance.

By leveraging the capabilities of OpenShift, the Intel® IPU-based solution maximizes performance, scalability, efficiency and provides a layered approach to container and Kubernetes security across your network infrastructure.

In parallel to the technical benefits, the key to unlocking this potential lies also in openness and scalability. To that end, Intel and Red Hat are building an open, standards-based solution that is fully Open Programmable Infrastructure (OPI) compliant.

**Simplifying infrastructure provisioning**

The ease of use associated with provisioning and managing OpenShift is well documented and understood in the industry.

This solution extends the ease of provisioning and management to the IPU through the integration of the Redfish standard from DMTF into the IPU’s Integrated Management Complex (IMC). Integrated with the Intel® IPU Software Development Kit (Intel® IPU SDK), which now comes equipped with Redfish support, administrators can seamlessly perform out-of-band provisioning tasks.

Redfish enables administrators to interact with the IPU through standard web services, such as HTTP and REST APIs. The provided HTTP provisioning interface greatly simplifies the Red Hat Enterprise Linux install process, with clients only needing to know the URI path to access this resource.

**Ease of use and manageability**

Red Hat provides a comprehensive set of tools to help you manage your newly deployed solution. With Red Hat Enterprise Linux (RHEL) seamlessly running on the IPU, you gain access to all the normal Red Hat manageability tools for free. The IPU is treated just like any other server and can be managed effortlessly using the same familiar tools as any other component in your infrastructure.

The single pane of glass interface provided to all Red Hat subscribers, known as the Red Hat Portal, streamlines management tasks, offering a unified experience for overseeing your entire infrastructure.

The Red Hat Portal is a web-based interface that provides a centralized location for managing Red Hat subscriptions, accessing Red Hat tools and services, and monitoring infrastructure. It allows users to more easily manage their Red Hat environments, including deploying and managing RHEL, Red Hat OpenShift, and other Red Hat solutions.

Red Hat provides security updates for its products through the Red Hat Security Advisories and alerts. These updates are available on the Red Hat Customer Portal and include information on vulnerabilities, patches, and workarounds. This ecosystem helps keep your solution up-to-date with the latest security fixes and empowers you to take steps to protect your system from potential security threats.

In addition, the OpenShift web console provides a graphical user interface to visualize your project data and perform administrative, management, and troubleshooting tasks. The web console is designed to be user-friendly and intuitive, and it provides a wide range of features and capabilities for managing your workloads.

**Chaining network functions**

Network Function Chaining, also known as Service Function Chaining (SFC), is a technique used in software-defined networking (SDN) that creates a chain of connected network services.

The solution developed by Intel and Red Hat enables the deployment of these network functions on the IPU at the edge where latency, bandwidth and resource constraints are critical. Offloading the chaining of network functions on the IPU is facilitated through its P4-programmable packet processing engine, freeing up valuable CPU resources on the OpenShift worker nodes which can result in decreased capital expenditure (CAPEX) and operational expenditure (OPEX).

The robust security boundary established between the OpenShift worker nodes and the IPU empowers infrastructure administrators with full autonomy to enforce network functionality transparently. This provides confidence that critical network operations cannot be tampered with or disabled from the host side, providing an added layer of protection and reliability.

OpenShift worker nodes can focus on delivering the business logic workflows. Resource intensive packet processing workflows can be executed on the IPU and network functions like firewalls, packet filtering and compression can be chained to deliver complex services with the added benefit of enhanced efficiency and reduced overall power consumption.

**Summary**

The collaboration between Red Hat and Intel represents a significant leap forward in edge computing. By combining the power of the Intel® IPU with Red Hat's OpenShift platform, organizations can be poised to achieve unparalleled performance, scalability, flexibility, and robust security.

Red Hat and Intel’s joint solution allows you to embrace the future of edge computing, trusting in the knowledge that your infrastructure is not only high-performing and capable of supporting key revenue-generating use cases, but also that it is more securely positioned from end-to-end.

Unleashing the potential of Intel® IPU with Red Hat OpenShift 

The breach was carried out with stolen Citrix credentials for an account that lacked multifactor authentication. Attackers went undetected for days, and Change's backup strategy failed.

Source: STANCA SANDA via Alamy Stock Photo

UnitedHealth's Change Healthcare subsidiary paid $22 million in ransom to the attackers who broke into its systems in February, according to Congressional testimony today. And it revealed that the scope of the breach could be much larger than anyone imagined — even as it remains unclear whether the ransom payment secured the data from being used in follow-on attacks.

UnitedHealth's CEO Andrew Witty testified before the US House Energy and Commerce Committee today after weeks of disruption at the nation's largest health insurer, during which a series of concerning revelations about the breach came to light.

**Poor Security: Stolen Credentials, No MFA**

For instance, the BlackCat/ALPHV ransomware affiliate hackers who broke into Change in February didn't have to work very hard to achieve success. According to the testimony, they were able to use previously compromised credentials to log into Change's Citrix platform, possibly obtained via an initial access broker — and that account wasn't protected with multifactor authentication (MFA).

Also, the attack was discovered when BlackCat deployed ransomware on Feb. 23, but the attackers actually had unfettered access to the environment for more than a week before that, indicating a woefully lacking intrusion detection apparatus.

“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops," according to Witty's prepared testimony, released ahead of the hearing. "The portal did not have multifactor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later."

In his oral testimony, Witty also spilled additional details that, when added to the unchanged Citrix credentials (it's evident that the company doesn't have processes in place to track compromised credentials that may be part of prior breaches) and lack of MFA, point to an overall lack of security maturity. For instance, the company has had to perform a complete rebuild on its systems, even after decrypting files; and its backups weren't sequestered with network segmentation or infrastructure gapping, so the attackers were able to lock those up too, blocking any recovery path from the initial attack.

"This attack exemplifies ... why it is important to have controls in place to regularly review access entitlements. Compromised credentials or not, the attackers were able to leverage an account that gave them access to carry out their attack," said Piyush Pandey, CEO at Pathlock, in an emailed statement. "In this case, MFA could have been an effective gate to the proliferation of this attack. The additional layers of security would make the breach more challenging ... in a broader view, this is a great example of the importance of layering technologies and processes, such as MFA, combined with strong application access controls and data security technologies, such as data masking, which can help mitigate widespread data breaches."

**Impact on Data Security for PII, PHI Unclear**

Also in the oral testimony today, Witty confirmed that the adversaries made off with a large amount of personally identifiable information (PII) and personal health information (PHI). While Witty didn't talk hard numbers, the data in question "could cover a substantial proportion of people in America," he said. He did not address whether the data is still at risk.

To put that comment into perspective, "Change Healthcare processes roughly 15 billion healthcare transactions annually, and a third of Americans' patient records pass through its digital doors," Sen. Ron Wyden (D-Ore.) noted in a statement ahead of the hearing.

The senator added, "Change specializes in moving patient data from doctor's office to doctor's office, or to and from your insurance company. That means medical bills that are chock full of sensitive diagnoses, treatments, and medical histories that reveal everything from abortions to mental health disorders to diagnosis of cancer to sexually transmitted infections. Military personnel are included in this data."

Wyden also warned that the breach could end up being a clear national security threat.

"I don't think it's a stretch \[that\] the impact here rivals the 2015 hack of government personnel data from the Office of Personnel Management, which the FBI called a 'treasure trove' of counterintelligence information for foreign intelligence services," he said.

**UnitedHealth's Next Steps Unknown**

UnitedHealth is the nation's largest insurer and the fifth largest company in the US, with $324 billion in revenue and housing data on 152 million individuals. The breach is easily the largest cyber incident to ever affect the healthcare landscape. But it's unclear what's next for Change and UnitedHealth; Wyden pointed out that existing regulations, such as they are, carry only "slap on the wrist" enforcement actions. The companies also haven't detailed how or when they plan to improve their cyber defense postures (UnitedHealth has no cybersecurity executive on its board).

Meanwhile, in the weeks since the breach was made public, the company has seen copycat activity from the RansomHub cybercrime outfit, and because the incident wreaked havoc across the healthcare supply chain, the Department of Health & Human Services responded with a policy game plan to address cyber-risk at insurers (though it still does not require healthcare orgs to meet minimum cybersecurity standards). It is almost certain that there will be additional developments in the saga going forward.

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

UnitedHealth Congressional Testimony Reveals Rampant Security Fails

PRESS RELEASE

Intel 471, a global provider of cyber threat intelligence (CTI) solutions, today announced that the company acquired Cyborg Security, founded in 2019, to provide organizations with advanced threat hunting capabilities and expertise. With this acquisition, Intel 471 is setting the standard for intelligence-led threat hunting by cementing CTI as a key requirement to enable accurate hunts and proper measurements for operational success, ensuring return on investment for customers’ threat hunt programs. 

“We are excited to add Cyborg Security’s innovative platform and approach to threat hunting to our solution portfolio," said Jason Passwaters, CEO and Co-Founder of Intel 471. “Our customers have grown to rely upon Intel 471’s expertise to unlock the power of cyber threat intelligence and support all aspects of their business. This acquisition is a natural extension of our leadership by including advanced behavioral threat hunting packages that are fully customized to the client’s environment. Customers will benefit from the HUNTER Platform fueled by our premier cyber threat intelligence to streamline the hunt process, improve their team’s efficiency, and stay ahead of emerging threats.”

The convergence of CTI and threat hunting practices across the cybersecurity industry is evidenced by the rapid adoption of complementary use cases, defined methodologies, and a growing trend to integrate the two within the same organizational construct and budget. Economic buyers and practitioners alike increasingly recognize the need for intelligence-led threat hunting as a core component of their overall cybersecurity program. Intel 471 is well-positioned to meet these emerging security requirements with the merging of Cyborg Security and its innovative Hunter Platform into its solution portfolio.

“Intel 471 is a company that embraces the same values as Cyborg Security. Our organizations were built by practitioners – threat hunters, threat intelligence analysts, and security researchers who appreciate the importance of defending the threat landscape,” said David Amsler, CEO and Founder of Cyborg Security. “Threat hunting requires continuous monitoring of the threat landscape, which includes ever-evolving cyber adversary behaviors, TTPs and targeted technologies, as observed across various phases of the attack lifecycle. Intel 471’s CTI prowess and data contextualization deliver those relevant and timely insights. Together, our capabilities provide enterprises the tools and systems to deliver best-in-class threat hunting.”

For more information, please visit: https://intel471.com/

About Intel 471

Intel 471 empowers enterprises, government agencies, and other organizations to win the cybersecurity war using near-real-time insights into the latest malicious actors, relationships, threat patterns, and imminent attacks relevant to their businesses. The company's TITAN platform collects, interprets, structures, and validates human-led, automation-enhanced results. Clients across the globe leverage this threat intelligence with our proprietary framework to map the criminal underground, zero in on key activity, and align their resources and reporting to business requirements. Intel 471 serves as a trusted advisor to security teams, offering ongoing trend analysis and supporting your use of the platform. Learn more at https://intel471.com/.

You May Also Like

Intel 471 Acquires Cyborg Security

By Deeba Ahmed
Uncover the "Muddling Meerkat," a China-linked threat actor manipulating the DNS. Infoblox research reveals a sophisticated group with deep DNS expertise and potential ties to the Great Firewall. Learn their tactics and how to stay protected.
This is a post from HackRead.com Read the original post: Muddling Meerkat Group Suspected of Espionage via Great Firewall of China

Infoblox, a provider of cloud networking and security solutions, has discovered a highly skilled Chinse State threat actor known as “Muddling Meerkat.” This actor appears to be able to control the Great Firewall of China (GFW), a previously undisclosed phenomenon.

This group operates through the Domain Name System (DNS), a critical internet infrastructure component. In a joint research involving undisclosed security vendors, threat researchers, an independent non-profit corporation, Merit Network, and DomainTools, researchers revealed that Muddling Meerkat operates through the Domain Name System (DNS), a critical internet infrastructure component, and has remained under the radar since 2019.

“Muddling Meerkat operations are complex and demonstrate that the actor has a strong  
understanding of DNS, as well as internet savvy” Infoblox’s Threat Intelligence Team wrote in the report.

For your information, Meerkat is a mongoose species known for its cleverness, persistence, and ferocity despite its small size. Muddling Meerkat activity is characterized by its “popping up and down” over time and location, similar to meerkats from their burrows.

Here’s what makes Muddling Meerkat unique:

1.  **DNS Expertise:** Their operations demonstrate a deep understanding of DNS, uncommon among most threat actors. This highlights the growing weaponization of DNS for malicious purposes.
2.  **Great Firewall Control:** Muddling Meerkat manipulates China’s Great Firewall (GFW), the system controlling internet access within China. This ability to influence a national-level infrastructure raises serious concerns.
3.  **False MX Records:** A key tactic involves generating false MX (mail exchange) records from Chinese IP addresses for specific domains. This behaviour has never been observed before and suggests a direct connection with the GFW operators.
4.  **Global Reach:** Muddling Meerkat leverages open DNS resolvers worldwide, creating a vast network to conduct their activities, potentially for reconnaissance or laying the groundwork for future attacks.
5.  **Unclear Motive:** While the ultimate goal remains unclear, Infoblox experts suggest it could be information gathering or setting the stage for a large-scale DNS denial-of-service (DDoS) attack.

This research validates the threat posed by the Chinese Communist Party (CCP) to the US’s critical infrastructure. The FBI calls CCP a “broad and unrelenting” hybrid threat involving crime, counterintelligence, and cybersecurity. 

According to FBI Director Christopher Wray, this threat is “driven by the CCP’s aspirations to wealth and power,” adding that the PRC wants to “seize economic development in the areas most critical to tomorrow’s economy.” 

Muddling Meerkat is a skilled actor, demonstrating their sophistication in DNS-based attacks and ability to manipulate the Great Firewall. Implementing advanced DNS security measures is crucial to understand and defend against this evolving threat.

1.  Why are Google and Facebook banned in China?
2.  Great Firewall of China at Work, Apple News Blocked
3.  Chinese Man Who Sold VPNs Gets 9 Months Prison Sentence
4.  ‘Great Cannon’ of China Blocks Websites Like No One Else Can
5.  Chinese Great Cannon resurfaces against Hong Kong protestors
6.  Cyberattacks Surge 325% in Philippines Amid South China Sea Standoff

Tag

#intel