Threat actors punch holes in the company's online ordering systems, tripping up doughnut deliveries across the US after a late November breach.

Source: Matthew Horwood via Alamy Stock Photo

US doughnut dealer Krispy Kreme suffered a cybersecurity incident that's made a mess of online ordering but spared retail operations that continue to serve up sugar-coated confections nationwide.

A Securities and Exchange Commission filing from Krispy Kreme disclosed the company was subject to an "unauthorized activity on a portion of its information technology systems" in late November.

"The Company, along with its external cybersecurity experts, continues to work diligently to respond to and mitigate the impact from the incident, including the restoration of online ordering, and has notified federal law enforcement," the Krispy Kreme 8-K filing explained. "As the investigation of the incident is ongoing, the full scope, nature, and impact of the incident are not yet known."

Krispy Kreme added that while the cybersecurity incident is likely to have a "material impact" on the business until it is able to recover, anticipated losses are likely to be offset by cyber insurance.

Beyond operational impact, the statement did not indicate whether customer data was compromised. Paul Bischoff, consumer privacy advocate at Comparitech, recommended anyone who's ordered doughnuts online through Krispy Kreme should expect they've been exposed.

"Most attacks of this nature don't just disrupt systems," Bischoff added. "They also steal data. Companies typically take about six months to investigate breaches and find contact information for affected customers, give or take a few months."

**Krispy Kreme Incident Recovery Continues**

As the company recovers from the incident, Ilia Sotnikov, security strategist at Netwrix, said the Krispy Kreme cybersecurity team likely worked quickly to avoid more widespread damage.

"All their shops are open and all delivery commitments to retail and restaurant partners are fulfilled," Sotnikov said in a statement. "This means that the team identified the intrusion and was ready to swiftly follow the incident response plan."

Beyond initial concerns about business continuity, the entire Krispy Kreme supply chain is potentially vulnerable to follow-on cyberattacks, according to Ryan Sherstobitoff, senior vice president of threat research and intelligence at Security Scorecard.

"As one of the world's largest doughnut companies with over 400 US locations, this breach raises concerns about not only operational disruptions amidst the holidays but also the potential exposure of sensitive data within Krispy Kreme and its supply chain," Sherstobitoff noted, in a statement. "With the holiday season in full swing, retailers must remain vigilant. Cybercriminals are lurking, waiting to exploit any distraction."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Krispy Kreme Doughnut Delivery Gets Cooked in Cyberattack

A financial firm registered in Canada has emerged as the payment processor for dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services aimed at Russian-speaking customers, new research finds. Meanwhile, an investigation into the Vancouver street address used by this company shows it is home to dozens of foreign currency dealers, money transfer businesses, and cryptocurrency exchanges -- none of which are physically located there.

A financial firm registered in Canada has emerged as the payment processor for dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services aimed at Russian-speaking customers, new research finds. Meanwhile, an investigation into the Vancouver street address used by this company shows it is home to dozens of foreign currency dealers, money transfer businesses, and cryptocurrency exchanges — none of which are physically located there.

**Richard Sanders** is a blockchain analyst and investigator who advises the law enforcement and intelligence community. Sanders spent most of 2023 in Ukraine, traveling with Ukrainian soldiers while mapping the shifting landscape of Russian crypto exchanges that are laundering money for narcotics networks operating in the region.

More recently, Sanders has focused on identifying how dozens of popular cybercrime services are getting paid by their customers, and how they are converting cryptocurrency revenues into cash. For the past several months, he’s been signing up for various cybercrime services, and then tracking where their customer funds go from there.

The 122 services targeted in Sanders’ research include some of the more prominent businesses advertising on the cybercrime forums today, such as:

\-abuse-friendly or “bulletproof” hosting providers like anonvm\[.\]wtf, and PQHosting;  
\-sites selling aged email, financial, or social media accounts, such as verif\[.\]work and kopeechka\[.\]store;  
\-anonymity or “proxy” providers like crazyrdp\[.\]com and rdp\[.\]monster;  
\-anonymous SMS services, including anonsim\[.\]net and smsboss\[.\]pro.

The site Verif dot work, which processes payments through Cryptomus, sells financial accounts, including debit and credit cards.

Sanders said he first encountered some of these services while investigating Kremlin-funded disinformation efforts in Ukraine, as they are all useful in assembling large-scale, anonymous social media campaigns.

According to Sanders, all 122 of the services he tested are processing transactions through a company called **Cryptomus**, which says it is a cryptocurrency payments platform based in Vancouver, British Columbia. Cryptomus’ website says its parent firm — **Xeltox Enterprises Ltd.** (formerly certa-pay\[.\]com) — is registered as a money service business (MSB) with the **Financial Transactions and Reports Analysis Centre of Canada** (FINTRAC).

Sanders said the payment data he gathered also shows that at least 56 cryptocurrency exchanges are currently using Cryptomus to process transactions, including financial entities with names like **casher\[.\]su**, **grumbot\[.\]com**, **flymoney\[.\]biz, obama\[.\]ru** and **swop\[.\]is**.

These platforms are built for Russian speakers, and they each advertise the ability to anonymously swap one form of cryptocurrency for another. They also allow the exchange of cryptocurrency for cash in accounts at some of Russia’s largest banks — _nearly all of which are currently sanctioned by the United States and other western nations_.

A machine-translated version of Flymoney, one of dozens of cryptocurrency exchanges apparently nested at Cryptomus.

An analysis of their technology infrastructure shows that all of these exchanges use Russian email providers, and most are directly hosted in Russia or by Russia-backed ISPs with infrastructure in Europe (e.g. Selectel, Netwarm UK, Beget, Timeweb and DDoS-Guard). The analysis also showed nearly all 56 exchanges used services from **Cloudflare**, a global content delivery network based in San Francisco.

“Purportedly, the purpose of these platforms is for companies to accept cryptocurrency payments in exchange for goods or services,” Sanders told KrebsOnSecurity. “Unfortunately, it is next to impossible to find any goods for sale with websites using Cryptomus, and the services appear to fall into one or two different categories: Facilitating transactions with sanctioned Russian banks, and platforms providing the infrastructure and means for cyber attacks.”

Cryptomus did not respond to multiple requests for comment.

**PHANTOM ADDRESSES?**

The Cryptomus website and its FINTRAC listing say the company’s registered address is **Suite 170, 422 Richards St. in Vancouver, BC.** This address was the subject of an investigation published in July by **CTV National News** and the **Investigative Journalism Foundation (IJF)**, which documented dozens of cases across Canada where multiple MSBs are incorporated at the same address, often without the knowledge or consent of the location’s actual occupant.

This building at 422 Richards St. in downtown Vancouver is the registered address for 90 money services businesses, including 10 that have had their registrations revoked. Image: theijf.org/msb-cluster-investigation.

Their inquiry found 422 Richards St. was listed as the registered address for at least 76 foreign currency dealers, eight MSBs, and six cryptocurrency exchanges. At that address is a three-story building that used to be a bank and now houses a massage therapy clinic and a co-working space. But they found none of the MSBs or currency dealers were paying for services at that co-working space.

The reporters found another collection of 97 MSBs clustered at an address for a commercial office suite in Ontario, even though there was no evidence these companies had ever arranged for any business services at that address.

**Peter German**, a former deputy commissioner for the **Royal Canadian Mounted Police** who authored two reports on money laundering in British Columbia, told the publications it goes against the spirit of Canada’s registration requirements for such businesses, which are considered high-risk for money laundering and terrorist financing.

“If you’re able to have 70 in one building, that’s just an abuse of the whole system,” German said.

Ten MSBs registered to 422 Richard St. had their registrations revoked. One company at 422 Richards St. whose registration was revoked this year had a director with a listed address in Russia, the publications reported. “Others appear to be directed by people who are also directors of companies in Cyprus and other high-risk jurisdictions for money laundering,” they wrote.

A review of FINTRAC’s registry (.CSV) shows many of the MSBs at 422 Richards St. are international money transfer or remittance services to countries like Malaysia, India and Nigeria. Some act as currency exchanges, while others appear to sell merchant accounts and online payment services. Still, KrebsOnSecurity could find no obvious connections between the 56 Russian cryptocurrency exchanges identified by Sanders and the dozens of payment companies that FINTRAC says share an address with the Cryptomus parent firm Xeltox Enterprises.

**SANCTIONS EVASION**

In August 2023, **Binance** and some of the largest cryptocurrency exchanges responded to sanctions against Russia by cutting off many Russian banks and restricting Russian customers to transactions in Rubles only. Sanders said prior to that change, most of the exchanges currently served by Cryptomus were handling customer funds with their own self-custodial cryptocurrency wallets.

By September 2023, Sanders said he found the exchanges he was tracking had all nested themselves like Matryoshka dolls at Cryptomus, which adds a layer of obfuscation to all transactions by generating a new cryptocurrency wallet for each order.

“They all simply moved to Cryptomus,” he said. “Cryptomus generates new wallets for each order, rendering ongoing attribution to require transactions with high fees each time.”

“Exchanges like Binance and OKX removing Sberbank and other sanctioned banks and offboarding Russian users did not remove the ability of Russians to transact in and out of cryptocurrency easily,” he continued. “In fact, it’s become easier, because the instant-swap exchanges do not even have Know Your Customer rules. The U.S. sanctions resulted in the majority of Russian instant exchanges switching from their self-custodial wallets to platforms, especially Cryptomus.”

Russian President Vladimir Putin in August signed a new law legalizing cryptocurrency mining and allowing the use of cryptocurrency for international payments. The Russian government’s embrace of cryptocurrency was a remarkable pivot: Bloomberg notes that as recently as January 2022, just weeks before Russia’s full-scale invasion of Ukraine, the central bank proposed a blanket ban on the use and creation of cryptocurrencies.

In a report on Russia’s cryptocurrency ambitions published in September, blockchain analysis firm **Chainalysis** said Russia’s move to integrate crypto into its financial system may improve its ability to bypass the U.S.-led financial system and to engage in non-dollar denominated trade.

“Although it can be hard to quantify the true impact of certain sanctions actions, the fact that Russian officials have singled out the effect of sanctions on Moscow’s ability to process cross-border trade suggests that the impact felt is great enough to incite urgency to legitimize and invest in alternative payment channels it once decried,” Chainalysis assessed.

Asked about its view of activity on Cryptomus, Chainanlysis said Cryptomus has been used by criminals of all stripes for laundering money and/or the purchase of goods and services.

“We see threat actors engaged in ransomware, narcotics, darknet markets, fraud, cybercrime, sanctioned entities and jurisdictions, and hacktivism making deposits to Cryptomus for purchases but also laundering the services using Cryptomos payment API,” the company said in a statement.

**SHELL GAMES**

It is unclear if Cryptomus and/or Xeltox Enterprises have any presence in Canada at all. A search in the United Kingdom’s Companies House registry for Xeltox’s former name — Certa Payments Ltd. — shows an entity by that name incorporated at a mail drop in London in December 2023.

The sole shareholder and director of that company is listed as a 25-year-old Ukrainian woman in the Czech Republic named **Vira Krychka**. Ms. Krychka was recently appointed the director of several other new U.K. firms, including an entity created in February 2024 called Globopay UAB Ltd, and another called **WS Management and Advisory Corporation Ltd.** Ms. Krychka did not respond to a request for comment.

WS Management and Advisory Corporation bills itself as the regulatory body that exclusively oversees licenses of cryptocurrencies in the jurisdiction of Western Sahara, a disputed territory in northwest Africa. Its website says the company assists applicants with bank setup and formation, online gaming licenses, and the creation and licensing of foreign exchange brokers. One of Certa Payments’ former websites — certa\[.\]website — also shared a server with 12 other domains, including rasd-state\[.\]ws, a website for the Central Reserve Authority of the Western Sahara.

The website crasadr dot com, the official website of the Central Reserve Authority of Western Sahara.

This business registry from the Czech Republic indicates Ms. Krychka works as a director at an advertising and marketing firm called **Icon Tech SRO**, which was previously named **Blaven Technologies** (Blaven’s website says it is an online payment service provider).

In August 2024, Icon Tech changed its name again to **Mezhundarondnaya IBU SRO**, which describes itself as an “experienced company in IT consulting” that is based in Armenia. The same registry says Ms. Krychka is somehow also a director at a Turkish investment venture. So much business acumen at such a young age!

For now, Canada remains an attractive location for cryptocurrency businesses to set up shop, at least on paper. The IJF and CTV News found that as of February 2024, there were just over 3,000 actively registered MSBs in Canada, 1,247 of which were located at the same building as at least one other MSB.

“That analysis does not include the roughly 2,700 MSBs whose registrations have lapsed, been revoked or otherwise stopped,” they observed. “If they are included, then a staggering 2,061 out of 5,705 total MSBs share a building with at least one other MSB.”

How Cryptocurrency Turns to Cash in Russian Banks

The Russian nation-state actor tracked as Secret Blizzard has been observed leveraging malware associated with other threat actors to deploy a known backdoor called Kazuar on target devices located in Ukraine.
The new findings come from the Microsoft threat intelligence team, which said it observed the adversary leveraging the Amadey bot malware to download custom malware onto "specifically

Secret Blizzard Deploys Kazuar Backdoor in Ukraine Using Amadey Malware-as-a-Service

Infiltrating other nations' telecom networks is a cornerstone of China's geopolitical strategy, and it's having the unintended consequence of driving the uptake of encrypted communications.

Source: Ar\_TH via Shutterstock

While the US government and at least eight telecommunications firms struggle to defend their networks against the China-sponsored Salt Typhoon group, other nations' telecommunications firms have often been primary targets for advanced persistent threats (APTs) as well.

In 2023, China-linked group Earth Estries — which may overlap with Salt Typhoon — compromised telecommunications firms in the Asia-Pacific (APAC) and the Middle East and North Africa (MENA) regions, as well as the US. In 2022, a Chinese APT group alternatively known as Daggerfly and Evasive Panda infected systems at a telecommunications organization in Africa, installing a backdoor tool known as MgBot. And earlier this year, Chinese APT group Volt Typhoon targeted Singapore's largest telco, Singtel, with attacks, although the company denies any of the probes were successful.

China has made infiltrating other nations' networks a foundation of its geopolitical strategy, and other countries — and their citizens — should consider their networks no longer private, says David Wiseman, vice president of secure communications for cybersecurity firm BlackBerry.

"All countries need to assume they are affected," he says. "The impact \[of these attacks are\] operational in that the government can no longer be confident using traditional phone calls and SMS. This is accelerating the usage of 'over the top' encrypted communications applications for official government communications."

Over-the-top (OTT) applications and services are those that are delivered over the Internet, not through traditional telecommunications systems.

US telecommunications firms — including Verizon, AT&T, and T-Mobile — are struggling to clean their networks and prevent two Chinese groups, Salt Typhoon and Volt Typhoon, from persisting in their systems. Earlier this year, Salt Typhoon gained access to some of the telecom systems used to satisfy wiretap requests, while Volt Typhoon has compromised telecommunications and other critical infrastructure to pre-position ahead of possible region conflict.

Telecommunications infrastructure is one of the most attractive targets for nation-state actors, because they affect all facets of a country's economy and provide in-depth data on its citizens, says Chris Henderson, senior director of threat operations at Huntress, a threat-intelligence firm.

"As telecommunication companies have grown from managing landline infrastructure to being one of the most data-rich organizations, their attractiveness to both for-profit groups and state-sponsored espionage has also grown," he says, adding that they "know more about you than arguably any other organization — they understand where you have been physically located, who you are speaking with, and for how long."

**From Singapore to India and Beyond**

China has long focused on the telecommunication firms of its regional rivals. In 2014, for example, the government of India accused Chinese equipment maker Huawei of hacking the state-owned Bharat Sanchar Nigam Limited (BSNL), after that firm used another Chinese service provider, ZTE, to provision its lines.

In 2023, an investigation by cybersecurity firm Trend Micro found that China-linked Earth Estries targeted at least 20 telecommunications and other infrastructure providers across Southeast and South Asia, South Africa, and Brazil, using a cross-platform backdoor.

Every country should act to defend their telecommunications infrastructure, says BlackBerry's Wiseman. While the success of attacks on Singapore, India, and the US are among the few that have become public, other companies are likely breached and still not aware, he says.

Organizations and citizens should no longer assume that their communications are safe, Wiseman says.

"General harvesting of communication records to build out a continual understanding of changes in command-and-control networks is a key thing that can be done," he says. "More concerning is that since the voice calls of specific people can be listened to along with reading of the SMS messages, there is the potential for more advanced communications manipulation."

**A Boost for Encryption**

The Salt Typhoon attacks may push citizens — and possibly their governments — toward greater use of encryption. While the trend has been for authoritarian governments and security agencies — such as law enforcement and internal security groups — to argue for less encryption, or at least backdoors into encrypted systems, the global attacks on telecommunications technology demonstrate that even nations with well-considered, strict privacy laws are not safe havens, says Gregory Nojeim, senior counsel and director of the security and surveillance project at the Center for Democracy and Technology, a digital-rights group.

"Greater geopolitical tension breeds greater geopolitical incentive to gain access to other countries' communications and that will also incentivize the adoption and use of encryption," Nojeim says. "Hopefully, it will also incentivize the protection of encryption against proposals that would weaken it."

In the US, government agencies such as the FBI have argued for law-enforcement backdoors into telecommunications networks and are calling for workers and citizens to use stronger encryption.

Meanwhile, telecommunications providers — whether private or state-owned — should focus more heavily on security, and their citizens should also adopt encrypted services, BlackBerry's Wiseman says. "Many countries realized this earlier than the US \[and\] started widespread adoption of end-to-end app-based encrypted communications sooner," he says. "The earliest movers were countries that did not have the same level of controls over their telecom network supply chains as the more developed countries."

Most countries in the Global South score lower on rankings of Internet privacy than their peers in North America, Europe, and East Asia. However, lower privacy rights can mean citizens are more likely to use encrypted services, says CDT's Nojeim.

"One lesson of Salt Typhoon is that people who live in democracies can't comfort themselves that their own government won't listen in absent a good reason," he says. "Now they have to be concerned about foreign governments listening in, and the way to prevent that, again, is to use an encrypted service."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Governments, Telcos Ward Off China's Hacking Typhoons

As part of the commitment to CISA's Secure by Design pledge, Snowflake will begin blocking sign-ins using single-factor authentication next year.

NEWS BRIEF

Snowflake has announced a new authentication policy that will require all customers to enable multifactor authentication (MFA) on their accounts by November 2025 or risk having their access blocked.

The three-phase policy change comes after Snowflake's recent decision to enable MFA by default on all new accounts.

"MFA will be enforced by default for all human users in any Snowflake account created as of October 2024," Snowflake's Anoosh Saboori and Brad Jones wrote back in September.

In the first phase, planned for April, human users on accounts without a customized authentication policy will be required to enroll in MFA the next time they sign into Snowflake.

The second phase, in August, will require MFA for all password-based sign-ins for human users. This requirement will apply regardless of any custom authentication policy in place on the account.

In the final phase, Snowflake will block all password-based sign-in attempts using single-factor authentication. While the previous two phases focused on human users, this phase will also apply to service accounts using programmatic access.

Snowflake customers must make the necessary changes before November. Snowflake has created guides to help organizations with the migration. There is also a Threat Intelligence scanner package available on Snowflake's Trust Center that can scan accounts to identify users who do not have MFA enabled and are at risk of losing access.

The spree of attacks targeting Snowflake customers earlier this year was a result of poor hygiene and the lack of MFA. More than 165 organizations were impacted, such as Neiman Marcus, Ticketmaster, and AT&T. A significant volume of customer data has been stolen, and several victims were hit with subsequent extortion attempts.

**About the Author**

Snowflake Rolls Out Mandatory MFA Plan

FCC Chairwoman Jessica Rosenworcel recommended "urgent action" to safeguard the nation's communications systems from real and present cybersecurity threats.

Source: Asharkyu via Shutterstock

NEWS BRIEF

In the wake of recent cyberattacks against US communications companies by foreign actors, the Federal Communications Commission (FCC) has proposed new cybersecurity rules on how telecommunication companies should secure their networks. 

"The cybersecurity of our nation's communications critical infrastructure is essential to promoting national security, public safety, and economic security,” said FCC Chairwoman Jessica Rosenworcel in a statement last week. "As technology continues to advance, so does the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses." 

Under the proposed requirements, which has been shared as a Declaratory Ruling with the other members of the commission, telecommunications carriers would need to secure their networks from unlawful access or interception of communications and to submit annual certifications to FCC confirming that they have created, updated, and implemented a cybersecurity risk management plan to fortify their defenses against future attacks. The proposal focuses on a "modern framework to help companies secure their networks," Rosenworcel said.

"The FCC is creating a forcing function to prioritize risk management and cybersecurity, which will also drive modernization in a lot of useful ways," said Trey Ford, chief information security officer at Bugcrowd, in an emailed statement. "The FCC will appreciate the challenges that Corporate Directors and the SEC have been wrestling with - how inventory, score, and treat cyber risks - and the challenges in communicating what needs done, when, and how."

The Chinese-state sponsored hacker group Salt Typhoon hit several Internet service provider networks in the US earlier this year, compromising targets at organizations including Verizon, AT&T, and Lumen. The carriers have not yet successfully evicted the attackers from their networks, and the intelligence community is still trying to determine the scope and impact of the attacks.

In what is considered one of the largest, most egregious cyberattacks, a large number of call records, including phone numbers, call types and duration, have been compromised. Salt Typhoon also intercepted the calls and messages of government officials and politicians. 

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) issued guidance with the National Security Agency and the FBI to the telecom industry on how to handle the threat. The new guidance includes best practices and recommendations on quickly detecting threat activity, improving visibility, reducing existing vulnerabilities, and limiting the attack surface. It also highlighted ways to harden Cisco network gear. 

After a classified briefing in the Senate, Sen. Ron Wyden introduced legislation this week to require the FCC, along with CISA and the Director of National Intelligence, to create specific digital security standards designed to prevent unauthorized interceptions. The proposed bill would require telecoms to conduct annual tests of the safety measures, work to patch any uncovered vulnerabilities, and tap an outside auditor to carry out yearly assessments of compliance with the cybersecurity rules. With Congress poised for recess soon, it is unclear whether there will be any immediate action on this legislation.

If the FCC proposal is adopted, the Declaratory Ruling would take effect immediately. The draft Notice of Proposed Rulemaking would seek comment on cybersecurity risk management requirements and on additional ways to strengthen the cybersecurity posture of communications systems and services.

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

FCC Proposes New Cybersecurity Rules for Telecoms

Several recent schemes were uncovered involving poker players at casinos allegedly using miniature cameras, concealed in personal electronics, to spot cards. Should players everywhere be concerned?

Matt Berkey was becoming suspicious.

Berkey, a 42-year-old poker pro known for his presence in some of the highest-stakes cash games in Las Vegas, was playing in a well-known casino poker room over the summer. One player in the game who wasn’t particularly familiar to Berkey and other regulars at the table, but who was believed to be an amateur based on his play style, was displaying some strange behavior.

For one, the player was wearing earbuds—typically a no-no in these kinds of semi-private games where many players have existing friendships.

“Nobody has headphones on during our games,” Berkey says. “The player in question had headphones in, so that’s already a bit off.”

The player’s style of play also raised some alarms.

Texas Hold’em, the game being played, features two individual cards dealt to each player, plus five community cards dealt in stages to the center of the table. Players combine their own cards with the community cards to make the best possible five-card poker hand. There are four rounds of betting: One before any communal cards are dealt, one after the first three communal cards are spread at once (the part of the game known as “the flop”), one after the fourth communal card (“the turn”), and one more after the fifth and final communal card (“the river”).

Berkey noticed that, despite presenting as an amateur who was clearly the least skilled player at the table, the suspicious player never seemed to lose on the river. When he was in a hand that reached that point, he always either folded or showed the winning hand—one of the first red flags seasoned poker players have come to recognize in suspected cheating situations. As the thinking goes, cheaters with knowledge of their opponents’ cards prefer to wait until all communal cards are dealt before making large bets, allowing them to do so with perfect information about who holds the best hand, which often isn’t certain until that final card.

“Playing all rivers perfectly over an eight-hour sample—that’s an anomaly that isn’t really statistically possible, especially from a recreational player,” Berkey says. “When you start to see things that don’t add up, like the least skilled player in the game never showing down a losing hand, that kind of begins to trigger your suspicions.”

The player also had his phone and earbuds case arranged around him, with the case on the felt and his phone on the rail that runs along the table’s edge. While occasional phone usage at poker tables is normal, that kind of arrangement is unusual and is even something many casinos have guarded against for years. Berkey began to wonder if this game was falling victim to a new cheating scheme that word had been spreading about in high-stakes circles for months: Hidden cameras placed at felt level, capturing the faces of cards as they’re dealt and transmitting that intel to an accomplice, who then relays it back to the player at the table through an earpiece.

Berkey also noticed that the player always seemed to sit in the seats directly to the left of the casino’s dealer, even across multiple days and playing sessions. That furthered suspicions, as the rumored cheating method required a player to be in these seats to maximize camera visibility.

Berkey says he quietly alerted other regulars of his suspicions, and the game eventually broke down, but not before the player had made enormous profits. “Not just for his skill level but for the stakes he was playing,” Berkey says. “He was up hundreds of thousands of dollars playing a $10,000 buy-in game.”

Berkey says he and the other regulars in the game flagged the incident to casino staff, but they are unsure what, if any, action was taken. Security for the casino declined to comment on this incident.

Several other such incidents involving the same suspected cheating method have been rumored in various locations over the past 18 months, including one other instance WIRED verified independently. (Specific casinos where these incidents are alleged are not being named in this story to protect the safety of players who confirmed the incidents occurred.) This form of cheating is now a known concern to high-stakes poker players everywhere.

But each of these rumored incidents has lacked a “smoking gun”—proof of the measures, methods, and equipment the cheaters were using to see the cards being dealt. That is, until recently. A breaking case in France has provided revealing new evidence, fueling concerns that this cheating method is rampant around the globe and may be more advanced than anyone had assumed.

What kinds of modern technology can facilitate such a scheme? Should poker players at all levels, not just high-stakes pros, be worried about scofflaws attempting it in games they play, and what can be done to prevent it?

The recent scandal sounds like a rejected _Ocean’s_ movie script.

Following tips of suspicious behavior at a major casino in Enghien-les-Bains, French police with the Central Racing and Gaming Service (SCCJ) launched an elaborate in-person and video surveillance operation around two suspected players at both blackjack and Ultimate Texas Hold’em poker (a type of poker played against the casino rather than against fellow players). Though they were initially in the dark about the method being used, investigators soon noticed a pattern.

“They were putting \[something\] beside the \[dealing\] shoe,” Stéphane Piallat, commissioner of SCCJ, alleges to WIRED, referring to the tabletop container a dealer pulls from to draw new cards. “But it was quite difficult to understand why.”

Both players were arrested inside the French casino in late July after weeks of surveillance, with police recovering a variety of items from both their person and their hotel rooms (including ID cards from casinos around Europe that suggested a prolonged scheme). The technology seized by law enforcement amazed even a seasoned gambling fraud officer like Piallat, both for its ingenuity and its relative simplicity.

The players had allegedly modified existing smartphone cameras with simple mirrors, allowing them to capture footage on a phone’s camera sensor laterally, while the phone was in a flat position. Sitting in the seat nearest to the dealer’s shoe, they placed these devices either on the felt (concealed in some situations by a hat or another piece of clothing) or within pockets of their own clothing (with tiny holes cut out to afford the camera a view of the cards). Police say they used these devices to capture card faces as they were dealt from the shoe—a stunning realization given that casino shoes are quite literally designed to prevent card exposure by allowing the dealer to slide new cards directly onto the felt. Clearly, some exposure was still being captured.

“It’s quite incredible,” Piallat says. “They didn’t need to mark cards … Those cards were normal cards.”

Police also recovered basic communication devices that transmitted these feeds to an outside accomplice, believed to be sitting in the casino parking lot. (As of WIRED’s interview with French police, this accomplice remains at large.) The accomplice is thought to have relayed information about which cards the dealer was holding back to their partner at the table, but not through a standard earbud.

“This device is so small that you can’t take it off with your fingers,” Piallat says of the hearing device recovered by police. “You need a magnet to pull it off, otherwise you can’t do it. It looks like a typical James Bond movie device.”

Due to the ongoing nature of the investigation, police declined to provide any pictures or further details about the specific items used to facilitate this scheme. A simple look at available technology, though, offers a number of cheap, simple candidates, including several that don’t require pairing with a phone or any other large device.

“The same kind of modules that are used in your iPhone or your DSLR, you can just buy them,” says John Coles, the director of technology for the VR company Rezzil, who has also spent years working in camera and broadcast technology.

The alleged cheaters in France used simple techniques to conceal their cameras, like hiding the devices in their clothing, but much more robust options exist on the open market. A device that looks like a battery charger may not cause alarm if it was spotted sitting on a poker or blackjack table, at least in casinos where devices are generally allowed (some have stopped allowing any devices on tables); one can find a 4K, Wi-Fi capable “hidden camera powerbank” on Amazon. (It’s marketed as a “nanny camera” for surveilling your child’s babysitter, naturally.) Even smaller options exist, like a “spy camera pen” or a pinhole camera that could easily be inserted into various items. And that’s just a fraction of the true marketplace, says Coles: “If that’s what you know about publicly, the stuff that exists behind closed doors is like 10 times what you’re aware of.”

“You could probably build that into a lighter,” Coles says of a typical tiny camera rig. “There are lighters and pens that have modules integrated that still work as those items so they’re less conspicuous.”

For bad actors at traditional poker tables that feature “pitch”-style dealing instead of a more secure casino shoe, the video quality demands are even lower. Card faces are visible for exponentially longer when pitched from a dealer’s hand situated a foot or so above the card table.

The transmission element of the scheme is similarly attainable using today’s technology. You can buy a “mini spy earpiece” from Amazon that receives signals from an inductive coil for just $18. An entire industry of earpieces appears to exist for exam cheating purposes, from tiny Bluetooth earpieces that connect to a phone to setups contained within glasses and pens. It’s easy to imagine these methods converted for use in cheating at the card table, especially when aided by basic video-calling technology and access to the Wi-Fi networks offered at most casinos. In fact, while police say the suspects in France allegedly used separate devices for capture and transmission, Coles believes it would be simple enough to handle the entire operation with a single device.

“I think it’s kind of surprising that a lot of these things don’t happen sooner, to be perfectly honest,” Coles says, noting that many of these cameras, earpieces, and transmitters have existed for a decade or more.

“You could do it with a very cheap investment,” Piallat says. “You won’t need a lot of money.”

Clearly, these schemes are out there and available. So should poker players everywhere be concerned?

Mini-camera cheating is now an open secret in the poker community, from its references in forums to an entire August episode from Berkey’s _Only Friends_ podcast that covered the alleged methods in detail. And if casinos and law enforcement weren’t aware of it much earlier, they certainly are now; Piallat confirmed to WIRED that his unit dispersed information about the case around the globe through Interpol networks.

What can casinos, players, and law enforcement do about it, though?

The first step is simple vigilance, something all these parties are well-versed in. Policing of suspicious players happens at casino level. WIRED independently confirmed a separate alleged incident at a different casino in June that included an individual reportedly earning seven-figure profits before disappearing. The alleged cheater in this case hasn’t been seen since, and Berkey wonders if he was banned from this and possibly other casinos.

“It would seem as though the Vegas casinos have acted,” Berkey says.

Those are retroactive measures, though; what about stopping this cheating as or before it happens?

Some Vegas casinos, per multiple sources, have begun banning phones from being set down at felt level on tables. Many casinos have long had policies prohibiting phone use during hands, and some have even banned phones entirely in prior years, and now these efforts are growing more widespread. However, with the knowledge that today’s miniature cameras can be built into lighters, pens, and other non-phone devices, is that enough of a safety measure? A true “no items on the table whatsoever” rule feels more prudent, but will casinos view that as too invasive toward their clientele? Then there’s a whole separate conversation about placing devices on the rail, which is where players rest their elbows and which sits slightly higher than the felt itself.

“There will be guys who want to watch the game at the table and have their phone propped up,” Berkey says. “That should just be fine. It’s a fine line; it’s a gray line.”

Berkey even suggested some sort of hybrid arrangement where phones or other devices are allowed so long as they sit behind chips or some other item that blocks their view of the felt. These solutions, though, also fail to account for rings or other jewelry that may contain a concealed camera.

The device removal tactic would have run into another big snag when the arrests in France took place: One of the suspects had nothing on the table at all. He allegedly concealed a camera in his clothing. If that scheme worked to capture card faces out of a dealer’s shoe, it would definitely work for the traditional dealer-pitch style used in Vegas.

The better long-term solution, one Berkey and others in the poker world support, involves retraining the dealers—a process that’s already begun.

The European Poker Tour has introduced a new form of dealer pitch known as slide dealing, where the deck remains on the table and the dealer slides each top card off individually to greatly minimize or eliminate any exposure. EPT tournament director Toby Stone directly cited issues of camera cheating as the impetus behind this change, which took effect within the past couple of months.

Casinos could take it even further; some have been cracking down for years. The Star casinos in Australia, for instance, have long used a modified version of a blackjack shoe meant for a single poker deck, which sits at the center of the table and allows cards to slide out from within it. This ostensibly makes it much harder to capture cards than from the traditional blackjack shoe placed at the very side of the table, closer to potential cameras. Anecdotally, these contraptions also seem to limit or eliminate other common risks like bottom-dealing or cards flipping over while being dealt.

While it might take time to retrain the world’s legion of poker dealers to mitigate these schemes, that could be the eventual outcome here.

“I’ve spoken to a few of the \[casino\] higher-ups, and it seems they’re all open to the idea of retraining dealers,” Berkey says.

Maybe even that eventual move wouldn’t completely eliminate mini camera cheating. As the suspects in France allegedly showed us, today’s video technology is truly amazing. Would you ever have guessed a mini camera could accurately capture which cards are being dealt during the split second they’re exposed as they’re pulled from a blackjack shoe?

Anyone putting their money down at a casino, particularly higher up the stakes spectrum, should at least be aware of the risk of bad actors—particularly in a game like poker, where your opponents are other patrons rather than the casino itself. Whether to combat this or any other potential scheme, a dose of diligence goes a long way.

“As long as there’s a fair game to be offered, there will be people who will try to corrupt it,” Berkey says. “The best we can do is continually work hard to keep the game as fair as possible.”

Poker Cheaters Allegedly Use Tiny Hidden Cameras to Spot Dealt Cards

Cisco Talos' Vulnerability Research team recently discovered two vulnerabilities in MC Technologies LR Router and three vulnerabilities in the GoCast service. 
These vulnerabilities have not been patched at time of this posting. 
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule

Monday, December 9, 2024 14:30

Cisco Talos' Vulnerability Research team recently discovered two vulnerabilities in MC Technologies LR Router and three vulnerabilities in the GoCast service. 

These vulnerabilities have not been patched at time of this posting. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

****MC Technologies OS command injection vulnerabilities** **

_Discovered by Matt Wiseman of Cisco Talos._ 

The MC-LR Router from MC Technologies supports IPsec and OpenVPN implementations, firewall capabilities, remote management via HTTP and SNMP, and configurable alerting via SMS and email, with two-port and four-port variants, includes models that support transparent serial-to-TCP translations and 1-in/1-out digital I/O. 

Talos recently published two advisories detailing OS command injection vulnerabilities discovered in the MC-LR Router from MC Technologies. TALOS-2024-1953 covers three vulnerabilities (CVE-2024-28025 through CVE-2024-28027), which are reachable through the I/O configuration functionality of the web interface. TALOS-2024-1954 covers one vulnerability (CVE-2024-21786) in the importation of uploaded configuration files. All vulnerabilities may be triggered with an authenticated HTTP request. 

****GoCast authentication and OS command injection vulnerabilities** **

_Discovered by Edwin Molenaar and Matt Street of Cisco Meraki._ 

The GoCast tool provides BGP routing for advertisements from a host; it is commonly used for anycast-based load balancing for infrastructure service instances available in geographically diverse regions.  

The GoCast HTTP API allows the registration and deregistration of apps without requiring authentication, shown in TALOS-2024-1962 (CVE-2024-21855). The lack of authentication can be used to exploit TALOS-2024-1960 (CVE-2024-28892) and TALOS-2024-1961 (CVE-2024-29224), leading to OS command injection and arbitrary command execution.

MC LR Router and GoCast unpatched vulnerabilities

More than 4% of US attempted e-commerce transactions between Thanksgiving and Cyber Monday suspected to be fraudulent.

PRESS RELEASE

MONTRÉAL, December 4, 2024 — Genetec Inc. (“Genetec”), the global leader in enterprise physical security software, today shared the results of its "2025 State of the Physical Security Report." Based on insights from over 5,600 physical security leaders worldwide (including end users, channel partners, systems integrators, and consultants), the report offers a comprehensive analysis of evolving trends in physical security operations.

**Hybrid cloud adoption grows as organizations seek flexibility and control**

As organizations evaluate cloud solutions for physical security, most are prioritizing a hybrid strategy that aligns with operational needs, budget constraints, and storage requirements. This pragmatic and flexible deployment approach allows critical data and applications to be managed both on-premises and in the cloud.

According to the report, 43% of end users envision hybrid deployments as their preferred approach within the next five years, compared to just 18% favoring fully cloud-based implementations and 17% planning to remain fully on-premises. This preference for hybrid-cloud is echoed by consultants and channel partners, with 66% of consultants planning to recommend hybrid deployments in the next five years.

This data not only reflects the rising demand for adaptable deployment models but also highlights a measured approach to cloud adoption as the industry matures.

By focusing on operational realities, varying costs of the cloud, and evolving seditecurity requirements, organizations will be better positioned to successfully adopt the cloud at a pace and cost that reflects their needs.

“There’s no all-or-nothing with a hybrid-cloud approach. Businesses remain in total control of how they deploy their systems across various locations. With an open ecosystem, they can implement the best technology—whether on-premises or in the cloud— that meets their business needs and avoid unnecessary compromise without ever being locked into proprietary solutions. This allows them to deploy, scale, and upgrade systems faster, streamline processes, and strengthen their security posture in the most efficient and effective ways,” said Christian Morin, Vice President Product Engineering, Genetec Inc.

**IT departments become central to decisions**

A decade ago, physical security systems in large organizations were typically managed by personnel in specialized security departments. However, the increasing adoption of cloud and hybrid-cloud solutions, the rise in cybersecurity threats, and the need to align physical and digital security have led IT teams to take an increasingly prominent role in influencing the acquisition and deployment of physical security systems.

According to the report, 77% of end users say physical security and information technology (IT) departments now work collaboratively. Additionally, IT departments are taking on an increasing role in the buying process, with over 50% of end users, systems integrators, and consultants reporting that IT teams are now actively involved in physical security purchasing decisions.

“The evolving role of physical security is reshaping how organizations secure both their people and digital networks. With IT at the forefront of implementing cloud and hybrid solutions, physical security operations are becoming more resilient, data-driven, and adaptable to evolving threats," Morin added.

**AI adoption grows as industry prioritizes practical applications**

The report reveals a significant rise in the interest toward AI adoption in physical security, with 37% of end users planning to implement AI-powered features in 2025, up from just 10% in 2024. This heightened interest aligns with a strategic, purpose-driven approach. With 42% of end users seeing AI as a tool to streamline security operations, organizations are focusing on practical applications, such as refining threat detection and automating routine processes, with intelligent automation as the ultimate goal.

Survey methodology

Genetec Inc. surveyed physical security professionals from August 12th to September 15th, 2024. Following a review of submissions and data cleansing, 5,696 respondents (including end users, channel partners, and consultants) were included in the sample for analysis. Survey samples were run across all regions including North America, Central America, the Caribbean, South America, Europe, the Middle East, Africa, East Asia, Southern Asia, South-Eastern Asia, Central Asia, Western Asia, and Australia-New Zealand.

Genetec Physical Security Report Shows Accelerating Hybrid Cloud Adoption

We can anticipate a growing number of emerging vulnerabilities in the near future, emphasizing the need for an effective prioritization strategy.

Audra Streetman, Senior Threat Intelligence Analyst, Splunk

December 9, 2024

4 Min Read

Source: Skorzewiak via Alamy Stock Photo

COMMENTARY

The work of cybersecurity defenders continues to evolve. The sheer amount of software and applications within an organization's IT environment has increased the attack surface and, consequently, the number of vulnerabilities. According to the Verizon "2024 Data Breach Investigations Report," "14% of breaches involved the exploitation of vulnerabilities as an initial access step, almost triple the amount from last year's report."

With vulnerability exploitation increasing, prioritization can be difficult and time-consuming if you don't have a clear plan. The consequences of large-scale incidents, such as Log4j and the MOVEit breach, have had lasting impacts on the cybersecurity world. However, cybersecurity defenders can learn from these experiences.

**Key Considerations for Vulnerability Evaluation**

The first step in vulnerability evaluation mirrors the basics of reading comprehension: understanding the who, what, when, where, and why:

Who: Who is discussing vulnerabilities? Pay attention to peers, industry experts, and government advisories. Know that vulnerability discourse on social media and online forums may include fear-mongering and hyperbole. 

What: After identifying a vulnerability, analyze its exploitability. Determine if it is exploitable over a network or requires local access, or if exploit code is public. 

When: Timing is crucial. Know when the vulnerability was disclosed and if it has been exploited in the wild.

Where: Know where the vulnerability exists in your environment, which can influence the impact of exploitation. Check if it appears in a software bill of materials (SBOM) or a vendor advisory, as this can direct your remediation efforts.

If a patch is available, determine if it will cause downtime and if you are bound by a service-level agreement. If you opt to not patch, or if a patch is not available, research mitigation guidance to minimize risk.

Why: Understand how the vulnerability aligns with recent trends in adversary behavior. Also, Common Vulnerability scores and Exploit Prediction scores can inform prioritization, but should not be relied upon as the only factor when evaluating vulnerabilities.

**Learning From Large-Scale Incidents****MOVEit **

A great way to combat vulnerabilities is to learn from the past. For example, when the MOVEit Transfer vulnerability emerged in 2023, there were early signs pointing to the potential for mass exploitation. The cybercriminal group behind the breach was known to target vulnerabilities in file transfer software for spray-and-pray attacks that relied on data exfiltration without encryption to reach more victims. Ultimately, more than 2,700 organizations and 95.8 million people were impacted by the breach, according to cybersecurity firm Emsisoft, teaching the cybersecurity world three things:

1.  Adversary behavior can influence the likelihood of exploitation. A critical vulnerability in a file transfer appliance carried additional urgency in 2023 because of the strategies employed by cybercriminals. 
    
2.  Zero-day vulnerabilities with low attack complexity are a higher priority. Attacks began days before the MOVEit vulnerability was publicly disclosed and one attack vector allowed data exfiltration directly from the MOVEit application. One caveat here is that not all zero-day vulnerabilities are a high priority; there are other factors to consider, such as attack complexity. 
    
3.  Vulnerabilities with cascading effects on the supply chain are critical priorities. Some organizations were impacted by the breach because their vendor's contractor's subcontractor used MOVEit Transfer.
    

**Log4j**

The 2021 Log4j incident highlights the challenges with identifying vulnerable software components in your environment. This vulnerability was a high priority for several reasons:

1.  It was remotely exploitable.
    
2.  It was publicly disclosed before a fix was available.
    
3.  Exploit code circulated online.
    
4.  Because the Log4j library was popular among Java developers, it was embedded into thousands of software packages and integrated into millions of systems worldwide. 
    

Many organizations struggled to identify where Log4j was present in their environment, as these open source components aren't always readily listed. Accurate asset inventories and widespread SBOM adoption — which is essentially an ingredients list of software components — can go a long way in improving how organizations identify and respond to future vulnerabilities. 

**Knowing the Score With Vulnerabilities**

Cybersecurity defenders have at their disposal a number of vulnerability databases and scoring frameworks, such as the Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog and the National Vulnerability Database (NVD). As organizations mature and refine their vulnerability management program, they can begin to implement additional steps, such as continuous monitoring, automation, and the integration of vulnerability management tools with configuration management databases (CMDBs) to improve detection and remediation.

In the future, we may see software suppliers adopt a secure-by-design philosophy that takes greater ownership of customer security outcomes. This could be influenced by future regulations, heightened liability for security executives, and the loss of customer trust. We may also see new use cases for emerging technologies, like machine learning and artificial intelligence, to help speed up and guide the vulnerability prioritization process, while maintaining a human-in-the-loop approach. In the meantime, we can anticipate a growing number of emerging vulnerabilities, emphasizing the need for an effective prioritization strategy.

**About the Author**

Senior Threat Intelligence Analyst, Splunk

Audra Streetman is an active member of Splunk's global security team and previously contributed to Splunk's SURGe research team. Before arriving at Splunk, Audra worked as a reporter, producer, and news anchor at local TV stations in Indiana, California, Kentucky, and Colorado. Audra produced and co-hosted a podcast called The Security Detail, which examined the cyber threat landscape in different industries. Audra is a member of the GIAC Advisory Board and has several certifications, including GDAT, GCTI, Security+, Linux+, Network+, AWS Cloud Practitioner, and Splunk Enterprise Certified Admin.

Tag

#intel