The security system that underlies the internet makes use of a curious fact: You can broadcast part of your encryption to make your information much more secure.

If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. Please also consider subscribing to WIRED

_The original version of_ _this story_ _appeared in Quanta Magazine._

For thousands of years, if you wanted to send a secret message, there was basically one way to do it. You’d scramble the message using a special rule, known only to you and your intended audience. This rule acted like the key to a lock. If you had the key, you could unscramble the message; otherwise, you’d need to pick the lock. Some locks are so effective they can never be picked, even with infinite time and resources. But even those schemes suffer from the same Achilles’ heel that plagues all such encryption systems: How do you get that key into the right hands while keeping it out of the wrong ones?

The counterintuitive solution, known as public key cryptography, relies not on keeping a key secret but rather on making it widely available. The trick is to also use a second key that you never share with anyone, even the person you’re communicating with. It’s only by using this combination of two keys—one public, one private—that someone can both scramble and unscramble a message.

To understand how this works, it’s easier to think of the “keys” not as objects that fit into a lock, but as two complementary ingredients in an invisible ink. The first ingredient makes messages disappear, and the second makes them reappear. If a spy named Boris wants to send his counterpart Natasha a secret message, he writes a message and then uses the first ingredient to render it invisible on the page. (This is easy for him to do: Natasha has published an easy and well-known formula for disappearing ink.) When Natasha receives the paper in the mail, she applies the second ingredient that makes Boris’ message reappear.

In this scheme, anyone can make messages invisible, but only Natasha can make them visible again. And because she never shares the formula for the second ingredient with anyone—not even Boris—she can be sure the message hasn’t been deciphered along the way. When Boris wants to receive secret messages, he simply adopts the same procedure: He publishes an easy recipe for making messages disappear (that Natasha or anyone else can use), while keeping another one just for himself that makes them reappear.

In public key cryptography, the “public” and “private” keys work just like the first and second ingredients in this special invisible ink: One encrypts messages, the other decrypts them. But instead of using chemicals, public key cryptography uses mathematical puzzles called trapdoor functions. These functions are easy to compute in one direction and extremely difficult to reverse. But they also contain “trapdoors,” pieces of information that, if known, make the functions trivially easy to compute in both directions.

One common trapdoor function involves multiplying two large prime numbers, an easy operation to perform. But reversing it—that is, starting with the product and finding each prime factor—is computationally impractical. To make a public key, start with two large prime numbers. These are your trapdoors. Multiply the two numbers together, then perform some additional mathematical operations. This public key can now encrypt messages. To decrypt them, you’ll need the corresponding private key, which contains the prime factors—the necessary trapdoors. With those numbers, it’s easy to decrypt the message. Keep those two prime factors secret, and the message will stay secret.

Illustration: Mark Belan/_Quanta Magazine_

The foundations for public key cryptography were first discovered between 1970 and 1974 by British mathematicians working for the U.K. Government Communications Headquarters, the same government agency that cracked the Nazi Enigma code during World War II. Their work (which remained classified until 1997) was shared with the US National Security Agency, but due to limited and expensive computing capacity, neither government implemented the system. In 1976, the American researchers Whitfield Diffie and Martin Hellman discovered the first publicly known public key cryptography scheme, influenced by the cryptographer Ralph Merkle. Just a year later, the RSA algorithm, named after its inventors Ron Rivest, Adi Shamir and Leonard Adleman, established a practical way to use public key cryptography. It’s still in wide use today, a fundamental building block of the modern internet, enabling everything from shopping to web-based email.

This two-key system also makes possible “digital signatures”—mathematical proof that a message was generated by the holder of a private key. This works because private keys can be used to encrypt messages too, not just decrypt them. Of course, this is useless for keeping messages secret: If you used your private key to scramble a message, anyone could just use the corresponding public key to unscramble it. But it does prove that you, and only you, created the message, since as the holder of the private key, only you could have encrypted the message. Cryptocurrencies like bitcoin couldn’t exist without this idea.

If two cryptographic keys instead of one is so effective, why did it take millennia to discover? According to Russell Impagliazzo, a computer scientist and cryptography theorist at the University of California, San Diego, the concept of a trapdoor function just wasn’t useful enough before the invention of computers.

“It’s a matter of technology,” he said. “A person in the 19th century thought of encryption as being between individual agents with military intelligence in the field—literally, in a field with guns firing. So if your first step is ‘pick two 100-digit prime numbers to multiply together,’ the battle is going to be over before you do that.” If you reduce the problem to something a human can do quickly, it’s not going to be terribly secure.

But while computers helped make public key cryptography possible, they’ve also created cracks in its armor. In 1994, the mathematician Peter Shor discovered a way for quantum computers to efficiently reverse the trapdoor functions that underlie most current public key cryptography systems, including prime factorization. This algorithm, if implemented, would act like an all-purpose “reappearing ink,” capable of making any invisible message reappear. Goodbye, internet security.

Luckily, quantum computers themselves are “still in the ENIAC phase,” Impagliazzo said, referring to the room-size machine built for the US Army in 1945. By the time quantum computers become sophisticated enough to pose a real threat to public key cryptography, its original trapdoor functions could be replaced by “quantum-safe” versions called lattice problems. Of course, this new computational “ink” may also become susceptible to attack in the future. But that’s the great thing about public key cryptography: As long as we can find new functions to use, we can just keep reinventing the wheel. Or in this case, the key.

_Original story_ _reprinted with permission from Quanta Magazine, an editorially independent publication of the_ _Simons Foundation_ _whose mission is to enhance public understanding of science by covering research developments and trends in mathematics and the physical and life sciences._

The Simple Math Behind Public Key Cryptography

Another day, another healthcare database misconfiguration exposing sensitive patient information.

****SUMMARY****

*   **Cybersecurity researcher Jeremiah Fowler discovered an unprotected Care1 database with over 4.8 million patient records.**

*   **Exposed data included names, addresses, medical histories, and Personal Health Numbers (PHNs).**

*   **Responsibility for the breach and its duration remains unclear.**

*   **Healthcare data breaches are increasing, posing significant privacy risks.**

*   **Stronger cybersecurity measures are essential for protecting sensitive patient information.**

Cybersecurity researcher **Jeremiah Fowler** recently discovered a massive database belonging to Care1, a Canadian company that provides AI-powered software solutions to optometrists. The database, containing over 4.8 million records of patient information (with a total size of 2.2 TB), was left completely unprotected, exposing sensitive data like patient names, addresses, medical histories, and even their unique Personal Health Numbers (PHNs).

Care1 is a specialized healthcare technology company with over 170 partner optometrists and over 150,000 patient visits managed using their software. They specialize in eyecare disruption using artificial intelligence, leveraging advanced software engineering and extensive partnership networks.

According to Fowler’s investigation, published by vpnMentor, the exposed data included detailed eye exam reports with patient information, doctor’s notes, and images. Eye exam reports were in PDF format and included patient PII, doctor’s comments, and images.

In addition, CSV and XLS spreadsheets were also part of the exposed database and listed patients with home addresses, Personal Health Numbers (PHNs), and other health-related information, including doctor’s comments and images from the eye exams.

For your information, in the Canadian healthcare system, a Personal Health Number (PHN) is a unique identifier that ensures a patient’s health information is accessible to all providers. While the PHN itself might not directly lead to financial fraud, it can be a valuable piece of information for criminals to build a comprehensive profile of an individual.

It’s unclear whether the database was directly owned and managed by Care1 or handled by a third-party contractor. It is also unclear for how long it remained exposed or whether it was accessed by any unauthorized individual unless an internal forensic audit is conducted. According to Fowler’s **blog post**, he sent a responsible disclosure notice to the company and public access was restricted promptly. 

With the increasing reliance on digital systems in **healthcare**, the potential for data breaches is also increasing. This level of exposure poses significant privacy risks for patients, as their medical information could be misused for identity theft or other malicious activities. In 2023, Fowler **discovered** a non-password-protected database belonging to Indian medical diagnostics firm Redcliffe Labs, containing over 12 million records, including sensitive patient data like medical scans and test results.

These incidents reflect the need for heightened security measures within the healthcare sector. Companies like Care1, which handle sensitive patient information, must prioritize stringent cybersecurity measures, including strong encryption, access controls, and regular security audits.

1.  **7TB of Healthcare Data Leak Affects 12 Million Patients**
2.  **AI Firm’s Server Exposed 5.3 TB of Mental Health Records**
3.  **How Artificial Intelligence (AI) is Impacting Modern Healthcare**
4.  **Dark Web Sales Fuel 32% Increase in Healthcare Cyberattacks**
5.  **AI in Healthcare: ChatGPT Helps Boy Get Diagnosis After Doctors Fail**

Canadian Eyecare Firm Care1 Exposes 2.2TB of Patient Records

Businesses deploying large language models and other GenAI systems have a growing collection of open source tools for testing AI security.

Source: Olena Ivanova via Shutterstock

Companies deploying generative artificial intelligence (GenAI) models — especially large language models (LLMs) — should make use of the widening variety of open source tools aimed at exposing security issues, including prompt-injection attacks and jailbreaks, experts say.

This year, academic researchers, cybersecurity consultancies, and AI security firms released a growing number of open source tools, including more resilient prompt injection tools, frameworks for AI red teams, and catalogs of known prompt injections. In September, for example, cybersecurity consultancy Bishop Fox released Broken Hill, a tool for bypassing the restrictions on nearly any LLM with a chat interface.

The open source tool can be trained on a locally hosted LLM to produce prompts that can be sent to other instances of the same model, causing those instances to disobey their conditioning and guardrails, according to Bishop Fox.

The technique works even when companies deploy additional guardrails — typically, simpler LLMs trained to detect jailbreaks and attacks, says Derek Rush, managing senior consultant at the consultancy.

"Broken Hill is essentially able to devise a prompt that meets the criteria to determine if \[a given input\] is a jailbreak," he says. "Then it starts changing characters and putting various suffixes onto the end of that particular prompt to find \[variations\] that continue to pass the guardrails until it creates a prompt that results in the secret being disclosed."

The pace of innovation in LLMs and AI systems is astounding, but security is having trouble keeping up. Every few months, a new technique appears for circumventing the protections used to limit an AI system's inputs and outputs. In July 2023, a group of researchers used a technique known as "greedy coordinate gradients" (GCG) to devise a prompt that could bypass safeguards. In December 2023, a separate group created another method, Tree of Attacks with Pruning (TAP), that also bypasses security protections. And two months ago, a less technical approach, known as Deceptive Delight, was introduced that uses fictionalized relationships to fool AI chatbots to violate their systems restrictions.

The rate of innovation in attacks underscores the difficulty of securing GenAI systems, says Michael Bargury, chief technology officer and co-founder of AI security firm Zenity.

"It's an open secret that we don't really know how to build secure AI applications," he says. "We are all trying, but we don't know how to yet, and we are basically figuring that out while building them with real data and with real repercussions."

**Guardrails, Jailbreaks, and PyRITs**

Companies are erecting defenses to protect their valuable business data, but whether those defenses are effective remains a question. Bishop Fox, for example, has several clients using programs such as PromptGuard and LlamaGuard, which are LLMs programmed to analyze prompts for validity, says Rush.

"We're seeing a lot of clients \[adopting\] these various gatekeeper large language models that try to shape, in some manner, what the user submits as a sanitization mechanism, whether it's to determine if there's a jailbreak or perhaps it's to determine if it's content-appropriate," he says. "They essentially ingest content and output a categorization of either safe or unsafe."

Now researchers and AI engineers are releasing tools to help companies determine whether such guardrails are actually working.

Microsoft released its Python Risk Identification Toolkit for generative AI (PyRIT) in February 2024, for example, an AI penetration testing framework for companies that want to simulate attacks against LLMs or AI services. The toolkit allows red teams to build an extensible set of capabilities for probing various aspects of an LLM or GenAI system.

Zenity uses PyRIT regularly in its internal research, says Bargury.

"Basically, it allows you to encode a bunch of prompt-injection strategies, and it tries them out on an automated basis," he says.

Zenity also has its own open source tool, PowerPwn, a red-team toolkit for testing Azure-based cloud services and Microsoft 365. Zenity's researchers used PowerPwn to find five vulnerabilities in Microsoft Copilot.

**Mangling Prompts to Evade Detection**

Bishop Fox's Broken Hill is an implementation of the GCG technique that expands on the original researchers' efforts. Broken Hill starts with a valid prompt and begins changing some of the characters to lead the LLM in a direction that is closer to the adversary's objective of disclosing a secret, Rush says.

"We give Broken Hill that starting point, and we generally tell it where we want to to end up, like perhaps the word 'secret' being within the response might indicate that it would disclose the secret that we're looking for," he says.

The open source tool currently works on more than two dozen GenAI models, according to its GitHub page.

Companies would do well to use Broken Hill, PyRIT, PowerPwn, and other available tools to explore their AI applications vulnerabilities because the systems will likely always have weaknesses, says Zenity's Bargury.

"When you give AI data — that data is an attack vector — because anybody that can influence that data can now take over your AI if they are able to do prompt injection and perform jailbreaking," he says. "So we are in a situation where, if your AI is useful, then it means it's vulnerable because in order to be useful, we need to feed it data."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Generative AI Security Tools Go Open Source

A new side-channel attack method is a computationally practical way to infer the structure of a convolutional neural network — meaning that cyberattackers or rival companies can plagiarize AI models and take their data for themselves.

Source: Daniel Chetroni via Alamy Stock Photo

Researchers have demonstrated how to recreate a neural network using the electromagnetic (EM) signals emanating from the chip it runs on.

The method, called "TPUXtract," comes courtesy of North Carolina State University's Department of Electrical and Computer Engineering. Using many thousands of dollars worth of equipment and a novel technique called "online template-building," a team of four managed to infer the hyperparameters of a convolutional neural network (CNN) — the settings that define its structure and behavior — running on a Google Edge Tensor Processing Unit (TPU), with 99.91% accuracy.

Practically, TPUXtract enables a cyberattacker with no prior information to essentially steal an artificial intelligence (AI) model: They can recreate a model in its entirety and save the actual data it was trained on, for purposes of intellectual property (IP) theft or follow-on cyberattacks.

**How TPUXtract Works to Recreate AI Models**

The study was conducted on a Google Coral Dev Board, a single-board computer for machine learning (ML) on smaller devices: think edge, Internet of Things (IoT), medical equipment, automotive systems, etc. In particular, researchers paid attention to the board's Edge Tensor Processing Unit (TPU), the application-specific integrated circuit (ASIC) at the heart of the device that allows it to efficiently run complex ML tasks.

Any electronic device like this, as a byproduct of its operations, will emit EM radiation, the nature of which will be influenced by the computations it performs. Knowing this, the researchers conducted their experiments by placing an EM probe on top of the TPU — removing any obstructions like cooling fans — and centering it on the part of the chip emanating the strongest EM signals. Then they fed the machine input data and recorded the signals it leaked.

To begin to make sense of those signals, they first identified that before any data gets processed, a neural network quantizes — compresses — its input data. Only when the data is in a format suitable for the TPU does the EM signal from the chip shoot up, indicating that computations have begun.

At this point, the researchers could begin mapping the EM signature of the model. But trying to estimate all of the dozens or hundreds of compressed layers that comprise the network at the same time would have been effectively impossible.

Every layer in a neural network will have some combination of characteristics: It will perform a certain type of computation, have a certain number of nodes, etc. Importantly, "the property of the first layer affects the 'signature,' or the side-channel pattern of the second layer," notes Ashley Kurian, one of the researchers. Thus, trying to understand anything about the second, 10th, or 100th layer becomes increasingly impossible, as it rests on all of the properties of what came before it.

"So if there are 'N' layers, and there are 'K' numbers of combinations \[of hyperparameters\] for each layer, then computing cost would have been N raised to K," she explains. The researchers studied neural networks with 28 to 242 layers (N) and estimated that K — the total number of possible configurations for any given layer — equaled 5,528.

Instead of having to commit infinite computing power to the problem, they figured they could isolate and analyze each layer in turn.

To recreate each layer of a neural network, the researchers built "templates" — thousands of simulated combinations of hyperparameters, and read the signals they gave off when processing data. Then they compared those results to the signals emitted by the model they were trying to approximate. The closest simulation would be considered correct. Then, they applied the same process to the next layer.

"Within a day, we could completely recreate a neural network that took weeks or months of computation by the developers," Kurian reports.

**Stolen AIs Lead to IP, Cybercrime Risk to Companies**

Pulling off TPUXtract isn't trivial. Besides a wealth of technical know-how, the process also demands a variety of expensive and niche equipment.

The NCSU researchers used a Riscure EM probe station with a motorized XYZ table to scan the chip's surface, and a high sensitivity electromagnetic probe for capturing its weak radio signals. A Picoscope 6000E oscilloscope recorded the traces, Riscure's icWaves field-programmable gate array (FPGA) device aligned them in real-time, and the icWaves transceiver used bandpass filters and AM/FM demodulation to translate and filter out irrelevant signals.

As tricky and costly as it may be for an individual hacker, Kurian says, "It can be a competing company who wants to do this, \[and they could\] in a matter of a few days. For example, a competitor wants to develop \[a copy of\] ChatGPT without doing all of the work. This is something that they can do to save a lot of money."

Intellectual property theft, though, is just one potential reason anyone might want to steal an AI model. Malicious adversaries might also benefit from observing the knobs and dials controlling a popular AI model, so they can probe them for cybersecurity vulnerabilities.

And for the especially ambitious, the researchers also cited four studies that focused on stealing regular neural network parameters. Theoretically, those methods in combination with TPUXtract could be used to recreate the entirety of any AI model — parameters and hyperparameters in all.

To combat these risks, the researchers suggested that AI developers could introduce noise into the AI inference process using dummy operations, or running random operations concurrently, or confuse analysis by randomizing the sequence of layers during processing.

"During the training process," says Kurian, "developers will have to insert these layers, and the model should be trained to know that these noisy layers need not be considered."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

With 'TPUXtract,' Attackers Can Steal Orgs' AI Models

An authenticated access vulnerability in the aspectMemory.php script of ABB Cylon Aspect BMS/BAS controllers allows attackers to set arbitrary values for Java heap memory parameters (HEAPMIN and HEAPMAX). This configuration is written to /usr/local/aam/etc/javamem. The absence of input validation can lead to system performance degradation, Denial-of-Service (DoS) conditions, and crashes of critical Java applications.

Title: ABB Cylon Aspect 3.08.02 (aspectMemory.php) Arbitrary Heap Memory Configuration  
Advisory ID: ZSL-2024-5883  
Type: Local/Remote  
Impact: Manipulation of Data, DoS  
Risk: (4/5)  
Release Date: 13.12.2024

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

An authenticated access vulnerability in the aspectMemory.php script of ABB Cylon Aspect BMS/BAS controllers allows attackers to set arbitrary values for Java heap memory parameters (HEAPMIN and HEAPMAX). This configuration is written to /usr/local/aam/etc/javamem. The absence of input validation can lead to system performance degradation, Denial-of-Service (DoS) conditions, and crashes of critical Java applications.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.08.02

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[03.12.2024\] Vendor releases version 3.08.03 to address this issue.  
\[13.12.2024\] Coordinated public security advisory released.

**PoC**

abb\_aspect\_mem1.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch  
\[2\] https://www.cve.org/CVERecord?id=CVE-2024-51544  
\[3\] https://www.cve.org/CVERecord?id=CVE-2024-51550  
\[4\] https://packetstorm.news/files/id/183145/

**Changelog**

\[13.12.2024\] - Initial release  
\[15.12.2024\] - Added reference \[4\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon Aspect 3.08.02 (aspectMemory.php) Arbitrary Heap Memory Configuration

Small, easily weaponizable drones have become a feature of battlefields from the Middle East to Ukraine. Now the threat looms over the US homeland—and the Pentagon's ability to respond is limited.

A spectre is haunting the United States—the spectre of drone warfare.

Since the middle of November, unidentified unmanned aerial vehicles have lit up the skies above New Jersey, startling residents and baffling military and government officials. The US Army’s Picatinny Arsenal research and manufacturing facility in the state’s Morris County reported 11 confirmed instances of mysterious drones illegally entering its airspace since the middle of the month, while a dozen drones were spotted hovering over US Naval Weapons Station Earle in Monmouth County in early December. Similar sightings were reported in at least six other counties throughout the state; according to the Coast Guard, a group of drones even followed one of the service’s vessels “in close pursuit” near a state park.

The spate of drone sightings in the skies above New Jersey have caused alarm among state lawmakers, prompting one to call for a “limited state of emergency … until the public receives an explanation” regarding the source of the unidentified drones. One Republican US congressman even claimed the drones were originating from an Iranian “mothership” lurking off of the state’s coastline, an assertion the US Defense Department quickly batted down.

“As you know, Joint Base McGuire-Dix-Lakehurst possess \[sic\] capabilities to identify and take down unauthorized unmanned aerial systems and have utilized this capability to address overflights of the installation,” New Jersey representative Chris Smith told Defense Secretary Lloyd Austin in a December 10 letter. “I urgently request all capabilities possessed by the Department of Defense, especially those in use by JBMDL to be immediately deployed to identify and address the potential threats posed by \[drones\] over the state of New Jersey.”

Despite the growing chorus of concern from New Jersey lawmakers, the US military appears relatively unimpressed with the sudden incursions. In a December 11 statement, US Northern Command (NORTHCOM) revealed that the command had “conducted a deliberate analysis of the events, in consultation with other military organizations and interagency partners, and at this time we have not been requested to assist with these events.” The following day, White House national security communications adviser John Kirby stated that many of the alleged drone sightings that had alarmed civilian observers on the ground in recent weeks were, in fact, conventional manned aircraft. The Federal Bureau of Investigation and Department of Homeland Security echoed this assessment in a statement on Thursday, saying, “it appears that many of the reported sightings are actually manned aircraft, operating lawfully. There are no reported or confirmed drone sightings in any restricted air space.”

“At this time, we have no evidence that these activities are coming from a foreign entity or the work of an adversary. We're going to continue to monitor what is happening,” deputy Pentagon press secretary Sabrina Singh told reporters on Wednesday. “At no point were our installations threatened when this activity was occurring." (In an interesting confluence of events, the US Department of Justice that same day announced the arrest of a Chinese citizen for flying a drone over and taking photos of Vandenberg Space Force Base in California.)

The alarm over the sudden drone incursions over New Jersey, neighboring New York and Pennsylvania, and near sensitive US government sites in particular, even if overblown, isn’t completely unwarranted: Officials at North American Aerospace Defense Command (NORAD)—the joint US-Canadian military organization tasked with overseeing air sovereignty on the continent—revealed in October that they had received reports of nearly 600 incursions above domestic US military installations since 2022.

The issue is, US law severely limits how the US military can respond to these mysterious drones—even if the number of incidents has been growing for years.

Indeed, for several months earlier this year, unidentified drones repeatedly circled Plant 42 in California, the Edwards Air Force Base installation where defense contractor Northrop Grumman has been working on the Air Force’s vaunted new B-21 Raider stealth bombers. In December 2023, Langley Air Force Base in Virginia was targeted by a wave of mysterious drone overflights, prompting the Pentagon to relocate a contingent of F-22 Raptor fighter jets stationed there to another base. And the New Jersey incidents come on the heels of a mid-November series of drone incursions near RAF Lakenheath in the United Kingdom, which, while not a US domestic installation, hosts a strategically-important contingent of American fighter jets, among other capabilities.

It appears that Pentagon assets in the continental United States have been subject to such drone activity as far back as 2019, when a fleet of US Navy Arleigh Burke-class destroyers was shadowed by a swarm of drones for several days during maneuvers at a training range off the coast of southern California. Later that year, a series of mysterious drone sightings in eastern Colorado and western Nebraska and Kansas confounded not just local law enforcement and federal agencies, but alarmed Air Force officers at nearby F.E. Warren Air Force Base in Wyoming, home to one of the Pentagon’s many Minuteman III ICBM fields.

These incidents aren’t limited to US military facilities. In October 2023, several drones were detected in the airspace above the US Energy Department’s Nevada National Security Site, which is used for nuclear research and development, the Wall Street Journal recently reported. And back in 2019, the Palo Verde Nuclear Generating Station in Arizona—the most powerful nuclear power plant in the United States—was subject to a series of mass drone incursions that Nuclear Regulatory Commission officials would later characterize as a “drone-a-palooza,” albeit with grave concern over the potential vulnerability exposed by the incursion, according to email correspondence obtained by The War Zone in 2020.

“I would point out that restricted airspace will do nothing to stop an adversarial attack and even the detection systems identified earlier in this email chain have limited success rates, and there is even lower likelihood that law enforcement will arrive quickly enough to actually engage with the pilots,” one senior NRC security official at Palo Verde wrote in an email regarding the incident. “We should be focusing our attention on getting Federal regulations and laws changed to allow sites to be defended and to identify engineering fixes that would mitigate an adversarial attack before there our \[sic\] licensed facilities become vulnerable.”

While unmanned aerial vehicles have been in military use for generations for surveillance and reconnaissance, the US military is largely responsible for transforming modern drones into vehicles of precision violence during the early years of the Global War on Terrorism, a policy especially expanded under US president Barack Obama. In more recent years, the rise of cheap, commercially-available unmanned platforms like those used by hobbyists has turned the small drone into the weapon of choice for both nation states and irregular forces abroad, from militant groups like ISIS In Iraq and Syria and the Iran-backed Houthi rebels in Yemen to the Russian and Ukrainian militaries. With a potential conflict with China over Taiwan looming on the horizon amid the US military’s pivot to “great power competition,” the Pentagon is itself in the midst of a major surge in both unmanned capabilities and technology to defend against weaponized drones belonging to foreign adversaries.

The US military has been slowly but surely adjusting to the sudden spike in mysterious drone incursions near sensitive sites across the United States with an expanded counter-drone strategy. In early December, Defense Secretary Lloyd Austin signed the Pentagon’s new Strategy for Countering Unmanned Systems, which seeks to unify disparate DoD efforts to address the rise of drone threats both at home and abroad into a single coherent framework, one that implicitly acknowledges the potential for the rising tide of domestic drone threats to grow from intrusive surveillance risks to something more damaging.

“From the Middle East to Ukraine and across the globe—including in the US homeland—unmanned systems are reshaping tactics, techniques, and procedures; challenging established operational principles; and condensing military innovation cycles,” the unclassified fact sheet on the new Pentagon strategy states. “The relatively low-cost, widely available nature of these systems has, in effect, democratized precision strike.”

The Pentagon has been working overtime to field fresh counter-drone capabilities to US forces deployed overseas in recent years, including traditional firearms outfitted with computerized optics and remotely operated vehicle-mounted heavy weapons turrets, laser-guided rocket and missile systems, AI-assisted kinetic interceptors, radio frequency- and Global Positioning System-jamming electronic warfare suites, and even exotic directed energy weapons like high-energy lasers and high-powered microwaves, among others. As recently as late October, NORTHCOM was working in conjunction with the Federal Aviation Administration to demo fresh counter-drone tech as part of its Falcon Peak 2025 experiment at Fort Carson in Colorado.

“By all indications, \[small unmanned aerial systems\] will present a safety and security risk to military installations and other critical infrastructure for the foreseeable future,” NORTHCOM boss Air Force general Gregory Guillot told reporters at the time. “Mitigating those risks requires a dedicated effort across all federal departments and agencies, state, local, tribal and territorial communities, and Congress to further develop the capabilities, coordination and legal authorities necessary for detecting, tracking and addressing potential sUAS threats in the homeland.”

But US military officials also indicated to reporters that the types of counter-drone capabilities the Pentagon may be able to bring to bear for domestic defense may be limited to non-kinetic “soft kill” means like RF and GPS signal jamming and other relatively low-tech interception techniques like nets and “string streamers” due to legal constraints on the US military’s ability to engage with drones over American soil.

“The threat, and the need to counter these threats, is growing faster than the policies and procedures that \[are\] in place can keep up with,” as Guillot told reporters during the counter-drone experiment. “A lot of the tasks we have in the homeland, it’s a very sophisticated environment in that it’s complicated from a regulatory perspective. It’s a very civilianized environment. It’s not a war zone.”

Defense officials echoed this sentiment during the unveiling of the Pentagon’s new counter-drone strategy in early December.

“The homeland is a very different environment in that we have a lot of hobbyist drones here that are no threat at all, that are sort of congesting the environment,” a senior US official told reporters at the time. “At the same time, we have, from a statutory perspective and from an intelligence perspective, quite rightly, \[a\] more constrained environment in terms of our ability to act.”

The statute in question, according to defense officials, is a specific subsection of Title 10 of the US Code, which governs the US armed forces. The section, known as 130(i), encompasses military authorities regarding the “protection of certain facilities and assets from unmanned aircraft.” It gives US forces the authority to take “action” to defend against drones, including with measures to “disrupt control of the unmanned aircraft system or unmanned aircraft, without prior consent, including by disabling the unmanned aircraft system or unmanned aircraft by intercepting, interfering, or causing interference with wire, oral, electronic, or radio communications used to control the unmanned aircraft system or unmanned aircraft” and to “use reasonable force to disable, damage, or destroy the unmanned aircraft system or unmanned aircraft.”

As The War Zone points out, 130i limits when and where the US military can actually deploy counter-drone assets outside of immediate self-defense in the face of an imminent threat. Notably, it requires the defense secretary to “coordinate” with both the US transportation secretary and Federal Aviation Administration (FAA) administrator regarding any counter-drone implementation that “might affect aviation safety, civilian aviation and aerospace operations, aircraft airworthiness, or the use of airspace.” Not only that, but 130i authority is only applicable to a specific list of installations, mainly those dealing with nuclear deterrence and missile defense functions of the US national security apparatus.

This, in turn, limits what kinds of counter-drone systems the US military can actually employ domestically. Service members may be up to their eyes in fresh counter-drone tech overseas, but the regulatory environment at home is rigid enough that “hard kill” solutions like missiles, guns, and other kinetic interceptors aren't even considered potential options because there’s simply too much risk that they might end up inflicting collateral damage on innocent, unsuspecting civilians in nearby neighborhoods. Even “soft kill” solutions like RF and GPS jamming require coordination with the FAA and other federal agencies to prevent potential harm to civilian air travel, approvals that could slow down the reaction time among base security forces amid a potential drone incursion.

“Given the impact of GPS denial, just across infrastructure and all that stuff, it is a very, very difficult capability to get permissions to utilize,” as one official told The War Zone at Falcon Peak.

While the Pentagon’s broad new counter-drone strategy is a step in the right direction when it comes to bolstering domestic drone defenses, Congress is taking action as well. In the compromise version of the annual National Defense Authorization Act defense budget legislation unveiled in December, lawmakers included language calling upon the Pentagon to not just conduct an assessment of the counter-drone technology landscape at large, but generate recommendations on how policy changes could reduce the amount of burdensome bureaucratic coordination between federal agencies required to address the growing number of drone incursions—and, in an ideal world, allow the US military to move quickly and decisively to counter intrusive drones at sensitive installations before they become dangerous.

“We agree that US troops have the inherent right of self defense, including from \[drone\] attacks, wherever they may be,” the explanatory statement accompanying the compromise NDAA says.

At the moment, the Pentagon seems unconvinced that the Northeast drone sightings and earlier incursions are connected to a foreign adversary. But with lawmakers increasingly concerned with the potential threat to sensitive installations and critical infrastructure in their states, the US military’s renewed approach to counter-drone defense can’t come soon enough.

Why the US Military Can't Just Shoot Down the Mystery Drones

AI creates what it’s told to, from plucking fanciful evidence from thin air, to arbitrarily removing people’s rights, to sowing doubt over public misdeeds.

OpenAI CEO Sam Altman expects AGI, or artificial general intelligence—AI that outperforms humans at most tasks—around 2027 or 2028. Elon Musk’s prediction is either 2025 or 2026, and he has claimed that he was "losing sleep over the threat of AI danger." Such predictions are wrong. As the limitations of current AI become increasingly clear, most AI researchers have come to the view that simply building bigger and more powerful chatbots won’t lead to AGI.

However, in 2025, AI will still pose a massive risk: not from artificial superintelligence, but from human misuse.

These might be unintentional misuses, such as lawyers over-relying on AI. After the release of ChatGPT, for instance, a number of lawyers have been sanctioned for using AI to generate erroneous court briefings, apparently unaware of chatbots’ tendency to make stuff up. In British Columbia, lawyer Chong Ke was ordered to pay costs for opposing counsel after she included fictitious AI-generated cases in a legal filing. In New York, Steven Schwartz and Peter LoDuca were fined $5,000 for providing false citations. In Colorado, Zachariah Crabill was suspended for a year for using fictitious court cases generated using ChatGPT and blaming a "legal intern" for the mistakes. The list is growing quickly.

Other misuses are intentional. In January 2024, sexually explicit deepfakes of Taylor Swift flooded social media platforms. These images were created using Microsoft’s “Designer” AI tool. While the company had guardrails to avoid generating images of real people, misspelling Swift's name was enough to bypass them. Microsoft has since fixed this error. But Taylor Swift is the tip of the iceberg, and non-consensual deepfakes are proliferating widely—in part because open-source tools to create deepfakes are available publicly. Ongoing legislation across the world seeks to combat deepfakes in hope of curbing the damage. Whether it is effective remains to be seen.

In 2025, it will get even harder to distinguish what’s real from what’s made up. The fidelity of AI-generated audio, text, and images is remarkable, and video will be next. This could lead to the "liar's dividend": those in positions of power repudiating evidence of their misbehavior by claiming that it is fake. In 2023, Tesla argued that a 2016 video of Elon Musk could have been a deepfake in response to allegations that the CEO had exaggerated the safety of Tesla autopilot leading to an accident. An Indian politician claimed that audio clips of him acknowledging corruption in his political party were doctored (the audio in at least one of his clips was verified as real by a press outlet). And two defendants in the January 6 riots claimed that videos they appeared in were deepfakes. Both were found guilty.

Meanwhile, companies are exploiting public confusion to sell fundamentally dubious products by labeling them “AI.” This can go badly wrong when such tools are used to classify people and make consequential decisions about them. Hiring company Retorio, for instance, claims that its AI predicts candidates' job suitability based on video interviews, but a study found that the system can be tricked simply by the presence of glasses or by replacing a plain background with a bookshelf, showing that it relies on superficial correlations.

There are also dozens of applications in health care, education, finance, criminal justice, and insurance where AI is currently being used to deny people important life opportunities. In the Netherlands, the Dutch tax authority used an AI algorithm to identify people who committed child welfare fraud. It wrongly accused thousands of parents, often demanding to pay back tens of thousands of euros. In the fallout, the Prime Minister and his entire cabinet resigned.

In 2025, we expect AI risks to arise not from AI acting on its own, but because of what people do with it. That includes cases where it _seems_ to work well and is over-relied upon (lawyers using ChatGPT); when it works well and is misused (non-consensual deepfakes and the liar's dividend); and when it is simply not fit for purpose (denying people their rights). Mitigating these risks is a mammoth task for companies, governments, and society. It will be hard enough without getting distracted by sci-fi worries.

Human Misuse Will Make Artificial Intelligence More Dangerous

The white supremacist Robert Rundo faces years in prison. But the “Active Club” network he helped create has proliferated in countries around the world, from Eastern Europe to South America.

American neo-Nazi Robert Rundo’s six-year “battle with the feds”—a fight that spans two dismissals, three appellate reversals, and an extradition and deportation from at least two countries—concludes today with his sentencing to federal prison for attacking ideological opponents at political rallies across California in 2017.

Along with several members of the Rise Above Movement, a fight club-cum-street gang Rundo cofounded with fellow extremist Ben Daley in Southern California during the peak of the alt-right movement, Rundo was convicted on 2018 charges of conspiracy to violate the federal Anti-Riot Act for training and planning a series of attacks on political opponents at rallies across California and Unite the Right in Virginia the year prior. While Rundo may be locked behind bars for years, the movement he created is running wild around the globe.

In the interceding years since his initial arrest, indictment, imprisonment, and flight from the US after his case was initially dismissed in 2019, Rundo helped mastermind an international network of RAM clones known as “Active Clubs.” A transnational alliance of far-right fight clubs that closely overlap with skinhead gangs and neofascist political movements in North America, Europe, the Antipodes, and South America, the Active Club network is proliferating internationally. There are dozens of Active Clubs in the United States, United Kingdom, Ireland, France, Germany, Holland, Scandinavia, Australia, and Colombia, according to the groups’ presence on Telegram and extremism researchers.

Seemingly harmless from the outside, Active Clubs are small groups of young men who go on hikes, train in combat sports, weight-lift, and build camaraderie—all part of the Rise Above Movement’s original program. But the darkness is in the details: The groups’ membership often overlaps with other extremist organizations like Patriot Front, criminal skinhead groups like the Hammerskins, and other violent extremists in foreign nations. Some US-based Active Clubs are branching out into political intimidation and violence, like the Rise Above Movement before them.

“I definitely do believe that in the future there needs to be a mass movement, a mass organization, but when it comes for that, do you really want a bunch of guys coming strictly from the online world to come join a mass movement without having any experience or skills?” Rundo said in a video posted online shortly before his March 2023 arrest in Bucharest, Romania. “Active clubs are a great local way to start guys off as they come from the online world into the real world, to learn actual skills.”

Hannah Gais, a senior research analyst at the Southern Poverty Law Center who has long researched Rundo and his associates, says the Active Club model stands out for its low barrier to entry, emphasis on positive community building to draw new blood from outside of extremist circles, and a ready-made international network. “The model has really made it easier to facilitate those transnational connections,” Gais says. “If you’re not an organization, then you can network with whoever you want.”

The Active Club network is seeing expanded breadth and growing significance in street politics (American members appeared alongside foreign counterparts at extreme right-wing demonstrations in Paris this May and Warsaw this fall), a fact emphasized by US prosecutors in their filing seeking prison time for Rundo. Federal attorneys scoured Rundo’s media output—which is considerable, ranging from a series of far-right “influencer” Telegram channels to the Media2Rise propaganda outlet that he ran in conjunction with stateside followers and members of Patriot Front—for their explanation of how seemingly innocuous fitness organizations like Active Clubs serve as vehicles for radicalization.

In a November 26 sentencing memorandum, prosecutors flagged Rundo’s description of the Active Cub network as “brush fire effect” that will be difficult for authorities to stamp out “because these clubs are generally small and local, helping to shield it from infiltrators and broader law enforcement actions.”

The Active Club ideology also leans heavily on young male grievances against a world that supposedly singles them out in favor of people of color and LGBTQ+ youth. “Defendant lamented that ‘\[b\]oy scouts no longer teach boys how to be men, instead softening them up, discouring \[sic\] any forms of competition, accepting girls, and promoting LGBT values,’ and encouraged Active Clubs to ‘put out propaganda’ to ‘let\[\] our own know the fight is not over,’ the government’s filing reads.

The Active Club network was not Rundo’s creation alone: He came up with the idea along with Denis Nikitin, a German-Russian neo-Nazi who started out as a soccer hooligan before moving into combat sports as a fighter, promoter, and organizer of far-right tournaments. According to exhibits filed by US prosecutors, Nikitin counseled Rundo on how to flee the US in 2018 while dodging what he believed to be his first arrest warrant, and sought to smuggle him into Ukraine with the assistance of the Azov Movement (a neo-Nazi political movement that has its own paramilitary forces integrated with the Ukrainian military and organizes with other similar extremist groups across Europe) and its allies in that country’s security services. Nikitin is not currently charged with an offense by the United States government.

Nikitin, whose legal surname is Kapustin, is one of Europe’s most influential neo-Nazi activists, starting out small with fight club events held in backwater Russian cities among amateurs from soccer hooligan and skinhead groups. In 2012, Nikitin’s MMA tournament promotion vehicle, White Rex, ran its first tournament outside Russia, in Kyiv. Soon Nikitin was hosting tournaments in Italy, Hungary, France, Germany, Greece, and elsewhere.

Nikitin also got his hands dirty. He allegedly participated in the hooligan riot during Russia’s 2016 European Championship clash with England in Marseille and trained British Nazis in armed combat tactics in 2014 at camps in England and Wales, as well as Swiss extremists in 2017. In 2019, he was reportedly banned from the European Union’s Schengen Zone for promoting extremism in several countries.

Nikitin currently leads a volunteer combat battalion of far-right wing extremists in association with Ukrainian command that spearheaded a surprise assault on Russia’s Kursk region earlier this year.

Since Rundo and Kapustin coined the concept of an Active Club in 2021 on an eponymous podcast, the neo-Nazi fight clubs have proliferated throughout Western Europe, Australia, and the United States, and are currently the preeminent organizing model for far-right streetfighters. Their members have been involved in political violence in the US and France, have been banned and arrested in Germany, and are a growing concern for UK and Irish law enforcement as the place of their recruiting has skyrocketed following this summer's riots.

Michael Vandelune, a research fellow at the American Counterterrorism Targeting & Resilience Institute, has long studied transnational networking by neo-fascist groups, including Rundo’s relationship with Nikitin. “Rundo was building on the Eastern European emphasis on hypermasculinity and physical fitness, and in many ways, he was a perfect Western mouthpiece for Nikitin and similar peoples’ ideas,” Vandelune says. Rundo’s devotion to Nikitin is apparent: While getting RAM off the ground, he repeatedly cited Nikitin’s white-nationalist clothing brand and MMA promotion company White Rex as inspiration, and got the company’s logo tattooed on his shin in 2018.

Along with members of the Azov Movement’s 3rd Assault Battalion who have been integrated into the regular units of Ukraine military intelligence directorate (HUR), Nikitin hosted a September conference in Lviv that gathered representatives from extreme right-wing organizations across Europe for a strategy conference. Italian fascist organization Casapound, which Rundo visited in 2018 and views as an exemplar, sent a representative, as did Germany’s openly neo-Nazi party Dritte Weg (Third Way).

Patrick Macdonald, a Canadian known as ‘Dark Foreigner’ who allegedly produced the neo-Nazi group Atomwaffen Division’s eyecatching signature far-right propaganda at the end of the last decade, did the same work for the Active Club network, according to testimony given during his trial in Ottawa this month (Macdonald has plead not guilty to several charges, including participating in terrorist activity). Last year, the Canadian Anti-Hate Network identified Macdonald as a participant in Canada’s Active Club.

Outside of North America, the Active Clubs have proliferated most widely in France, the first European country to start such an organization. There are currently at least 50 such organizations in operation across the country, from Normandy to Provence and the Swiss border.

Sébastien Bourdon, a French journalist with Le Monde’s video investigations unit who authored a forthcoming book on that country’s far-right, says Active Clubs are the fastest-expanding facet of far-right militancy in France.

“When they launched the first Active Club in France in early 2022, within a few months they had 10 to15 groups. That’s already quite a lot. The fact that within two years they’ve grown from 15 groups to 50-plus groups throughout the country is mad,” Bourdon says. “Historically, most far-right groups in France have been active in big cities like Paris, Lyon, but if you look at some of the places they claim, some of them I’ve never heard of before.”

In France, where far-right street violence has a decades-long history despite authorities’ attempts to ban and dissolve organized groups, Bourdon says Active Clubs have proved effective at dodging legal crackdowns while appearing to have carried out acts of violence including an attack on an asylum center near Nantes last year. At least one founding member of the Active Club in Lyon has gone on to fight in Ukraine alongside other far-right volunteers.

As for Rundo, he will likely spend years in prison—a place he’s been before. He previously served nearly two years for stabbing a rival gang member in Flushing Queens in 2009. While he did radicalize during his stint at New York’s Greene Correctional Facility, starting a small white power gang, Rundo’s forthcoming prison term will mark his first federal term as a certified domestic extremist. But it remains unlikely that federal lockup will change his ideologies.

Rundo “has not renounced the violent extremist ideology that motivated that conduct,” US prosecutors wrote in their sentencing memo. It’s also likely that Rundo will hold out for help from a friendlier government.

Prior to the US election in November, Rundo urged his supporters to vote for Donald Trump specifically in the hope that the Republican president-elect would pardon him and other extremists who plead guilty to federal crimes. Since the election, there has been a sustained pardon campaign from corners of the far-right internet, which is a possibility since Rundo will be serving time in a federal prison when the incoming administration is sworn in this January.

As the Mastermind of Far-Right ‘Active Clubs’ Goes to Prison, His Violent Movement Goes Global

A sophisticated social engineering cybercrime campaign bent on financial gain was observed being run from Tencent servers in Singapore.

Source: Rastislav Sedlak via Alamy Stock Photo

The Dubai Police are the latest victims of impersonation by fraudsters in the United Arab Emirates (UAE), who are sending thousands of text messages out to unwitting mobile users while purporting to represent the law enforcement agency.

Researchers at BforeAI observed a recent surge in phishing attacks leveraging alleged police communications, which encourage text recipients to click on a malicious URL to respond to supposed legal trouble or to register with an "official" online portal. The included links redirect victims to fake websites designed to harvest sensitive information, including bank details or personal identification details.

The campaign uses well-crafted lures with official branding, suggesting a moderate level of sophistication, according to BforeAI. But while the lures are tailored to UAE citizens, the phishing methodology resembles a 'spray-and-pray' model in its broad reach.

"The campaign targets individuals likely to respond to law enforcement-related communications, of which legitimate comms of this nature are not uncommon in the UAE — targeting particularly those with a limited understanding of digital threats," Abu Qureshi, lead for threat intelligence and mitigation at BforeAI, tells Dark Reading.

"The most striking aspect of this campaign is the calculated misuse of Dubai Police branding to establish credibility and deceive victims," he adds. "This demonstrates a sophisticated understanding of social engineering techniques and reliance on psychological manipulation, exploiting fear and trust in law enforcement — which for citizens of the UAE is of utmost importance."

Related:Governments, Telcos Ward Off China's Hacking Typhoons

**Cybercriminals Increasingly Target UAE, Middle East**

Cybercrime campaigns targeting organizations and individuals in Dubai and other parts of the UAE are noticeably on the rise. According to research from Kaspersky earlier this year, 87% of companies in UAE have faced some form of cyber incident in the past two years.

"The UAE is a high-value target due to its affluent population, high Internet penetration, and reliance on digital services," Qureshi says. "Cybercriminals exploit these factors alongside vulnerabilities in newly adopted technologies."

The cybercrime spree is part of a larger trend in the targeting of individuals and organizations in some areas of the Middle East in general, he notes.

"There's a focus on wealthy regions and individuals to maximize financial gain," he says. "There are also regional geopolitical interests and an increased focus on Middle Eastern entities due to economic and political dynamics."

Related:African Law Enforcement Nabs 1,000+ Cybercrime Suspects

To boot, because the area has embraced digital transformation and IT modernization with gusto, cybercriminals are targeting digital adoption vulnerabilities that come from the rapid implementation of advanced technologies without adequate protections, according to Qureshi.

**Anchoring a UAE Cybercrime Campaign in Singapore**

The cyberattackers behind the Dubai Police offensive appear to have used an automated domain generation algorithm (DGA) or bulk registration to quickly cycle through different domains to host malicious Web pages bent on financial fraud. Each domain is short-lived, in order to better avoid detection.

Most of those domains originated from Tencent servers based in Singapore, according to BforeAI researchers, who noted the company's servers have hosted malicious activity before, including spam, phishing, and botnets.

"Tencent, a Chinese-based technology giant, maintains a significant hub in Singapore, leveraging the city-state's strategic location and robust digital infrastructure," says Qureshi. "Despite Singapore's strong cyber-resilience and rigorous policies to address malicious activity, its status as a global tech hub makes it a prime location for abuse of legitimate platforms by cybercriminals."

Related:Yakuza Victim Data Leaked in Japanese Agency Attack

Qureshi adds that the presence of malicious activity on Tencent servers could be due to the exploitation of legitimate services.

"High-traffic servers can be abused to host or relay malicious content without the company's direct knowledge," he explains, adding that jurisdictional complexity could also be at play: "Singapore's law enforcement may face challenges in coordinating with foreign entities and differentiating criminal use from legitimate operations. While Tencent is based in Singapore — they are a Chinese firm."

Two of the registrants were found to be from India and Dubai itself, with suspicious names suggesting that they originate from a legitimate company, according to the research. For the most part though, the cyberattackers have managed to keep their identity anonymous.

Tencent did not immediately return a request for comment.

**How Organizations in the Middle East Can Protect Against Cyber Fraud**

For organizations in the region, campaigns like this should prompt changes in risk management, Qureshi advises. Although the phishing messages are broad-based, in the age of the mobile office, even campaigns designed to hit individuals can end up affecting companies.

Common-sense security hygiene includes the basics, like double-checking the official domain of the Dubai government and the payment portal before proceeding with any payment, as well as looking for red flags like missing HTTPs protocol, broken links, out-of-place Web designs, or suspicious phrasing or grammar.

Qureshi advises organizations to take several additional steps to mitigate their risk, including:

*   Enhanced monitoring: Implement robust predictive phishing detection systems and actively monitor for misuse of branding;
    
*   Awareness programs: Train employees on phishing recognition and reporting;
    
*   Collaboration: Work with CERTs and law enforcement to address identified threats;
    
*   Incident response: Develop and test response plans to address phishing-related breaches;
    
*   Reporting: Alert phishing reporting websites such as Etisalat and DU when employees receive phishing messages;
    
*   And continuous vigilance: Adopt a proactive cybersecurity stance to protect brand reputation and customer trust.
    

And finally, "this Dubai Police campaign highlights the globalized nature of cybercrime, where local targets are exploited using international infrastructure," Qureshi warns. "The importance of cross-border cooperation and leveraging threat intelligence to stay ahead of evolving tactics cannot be overstated."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

Open source Prometheus servers and exporters are leaking plaintext passwords and tokens, along with API addresses of internal locations.

Statue of PrometheusSource: luminous via Alamy Stock Photo

Reseachers have discovered hundreds of thousands of servers running Prometheus open source monitoring software on the open Web are exposing passwords, tokens, and opportunities for denial of service (DoS) and remote code execution.

As a leader among open source observability tools, Prometheus is used widely by organizations to monitor the performance of their applications and cloud infrastructure. But it comes with a catch: As noted in its documentation, "It is presumed that untrusted users have access to the Prometheus HTTP endpoint and logs. They have access to all time series information contained in the database, plus a variety of operational/debugging information."

Apparently, a whole lot of users either aren't aware of the ways in which Prometheus is exposed by default, or don't realize the value of the data that's exposed along the way. Using Shodan, researchers from Aqua Nautilus discovered more than 40,000 exposed Prometheus servers, and more than 296,000 exposed "exporters," which the program uses to collect data from monitored endpoints. The researchers found sensitive data in those servers and exporters, and opportunities for "repojacking" and DoS attacks.

**What Prometheus Exposes**

On first impression, the data Prometheus collects might seem rather bland: application performance metrics, metrics associated with particular cloud tools, CPU, memory, and disk usage, for example.

"We think that it's only statistics — it's only information about the health of the system. That's the problem," says Assaf Morag, director of threat intelligence at Aqua Nautilus. Probing the data from the perspective of an attacker reveals all kinds of information that could lubricate cyberattacks.

"We noticed that we can actually see plaintext passwords and tokens, and API addresses of internal locations that should be kept hidden," Morag says. For example, he found one exposed and unauthenticated instance of Prometheus belonging to Skoda Auto, the Czech automobile manufacturer, which revealed some of the company's subdomains, and Docker registries and images.

Besides exposing secrets, open Web Prometheus servers and exporters also carry a risk of DoS. There's the '/debug/pprof' endpoint, for example, which helps users profile remote hosts, and is enabled by default by most Prometheus components. In their testing, the researchers demonstrated that they could overload the endpoint to disrupt communications or outright crash Amazon Web Services Elastic Compute Cloud (AWS EC2) instances or Kubernetes pods.

"The result was conclusive: We ended up stopping virtual machines each time we ran our script," Morag reports. To drive home the significance of such an attack scenario, he jokes, "I read somewhere that Kubernetes clusters run in fighter jets. I don't think that they are exposed to the Internet, but \[it goes to show\] we run Kubernetes in lots of places today."

**Repojacking Opportunities in Prometheus**

Users can protect their Prometheus servers and exporters by taking them offline, or at least adding a layer of authentication to keep out prying eyes. And, of course, there are tools designed to mitigate DoS risks.

Less easily solved is a third issue in the platform: Several of its exporters were found vulnerable to repojacking attacks.

The opportunity for repojacking can occur whenever a developer changes or deletes their account on GitHub and doesn't perform a namespace retirement. Simply, an attacker registers the developer's old username, then plants malware under the same title as the developer's old, legitimate projects. Then any projects that reference this repository but aren't updated with the correct redirect link can end up ingesting the malicious copycat.

Prometheus' official documentation referenced several exporters associated with freely claimable usernames, meaning that any attacker could have stepped in and taken advantage to perform remote code execution. Aqua Nautilus reported the issue to Prometheus, and it has since been addressed.

Repojacking opportunities are likely far more widespread than is realized, Morag emphasizes, so organizations need to be monitoring any discrepancies between the projects they rely on and the links they follow to access them. "It's not that difficult," he says. "But if you're doing it for millions of open source projects, that's where the problem starts. If you use an automated \[scanning tool\], you could be safe."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Tag

#intel