Analysis of the traffic between networked devices has always been of interest since devices could even communicate with one another. 
As the complexity of networks grew, the more useful dedicated traffic analysis tools became. Major advancements have been made over the years with tools like Snort or Wireshark, but

Badgerboard: A PLC backplane network visibility module

Registered Agents Inc. has for years allowed businesses to register under a cloak of anonymity. A WIRED investigation reveals that its secretive founder has taken the practice to an extreme.

Inside a drab one-story office building in Post Falls, Idaho, a little-known American company has built the machinery that enables hundreds of thousands of businesses to operate in near-total secrecy.

The company, Registered Agents Inc., is a one-stop shop for people seeking to incorporate a business in any US state, often in those with advantageous tax policies, while obscuring their identities. According to five former employees of Registered Agents Inc. or its subsidiaries, the company routinely incorporates thousands of businesses on behalf of its customers using fake personas. Former Registered Agents Inc. employees say that the company’s widespread use of personas is an outgrowth of its founder’s obsession with privacy and a desire to push the boundaries of incorporation laws.

The registered agent industry, which incorporates businesses and acts as a point of contact for legal notices, is already effective at masking the identity of who owns a company. Registered agents have many legitimate uses, and states often require that a company have a registered agent. In some instances, however, these services have benefited “oligarchs, criminals, and online scammers,” according to a 2022 investigation by _The Washington Post_ and the International Consortium of Investigative Journalists. Experts say a lack of adequate federal and state regulations of registered agents helps to make the United States a hotbed for money-laundering and other shady business dealings.

In a typical scenario, a registered agent would incorporate a company on behalf of a customer. An employee of the registered agent company would list their name on the incorporation documents, sometimes providing the company’s email address and office as contact information. That process provides business owners one layer of secrecy, preventing anyone who looks at state records from determining the real owner of a company.

Registered Agents Inc., according to the former employees, routinely goes one step further, incorporating companies in the names of fictional personas created by the company’s founder, Dan Keen. It’s unclear what benefit Registered Agents Inc. or its customers receive when a company is incorporated by a fake identity.

Around the country, at least 1,463 companies incorporated by Registered Agents Inc. list a woman named Riley Park as an organizer or agent, according to a WIRED analysis of publicly available incorporation documents. But Riley Park isn’t a real person, the former employees say. She’s one of multiple fake personas used by Registered Agents Inc. Former employees identified at least 10 fake personas used by the company, including David Roberts, Drake Forester, and Morgan Noble.

Using business records made public by OpenCorporates, a website that shares and standardizes information sourced from business registries around the world, WIRED found 36,257 business listing company officers who share names that former employees say are fake. At least 3,735 of these businesses’ incorporation paperwork references Registered Agents Inc., either explicitly in the paperwork or by using an address known to former employees as belonging to Registered Agents Inc.

WIRED’s analysis found that these companies are registered in 20 different states and appear to provide services ranging from law enforcement training to landscaping. Many of these companies with officers using an alleged fake name were registered to addresses known by sources to belong to Registered Agents Inc. For example, six allegedly fake names were listed as officers for 887 of businesses registered to the same address in Sheridan, Wyoming—an office of Registered Agents Inc.

This is likely an undercount. WIRED looked specifically for company records indicating that Registered Agents Inc. incorporated the company alongside at least one of a dozen false names provided by sources. We additionally looked for companies registered by these same false names associated with addresses previously utilized by Registered Agents Inc. for incorporating thousands of other companies. Sources believe the true number is likely much higher.

Registered Agents Inc. declined to fully answer WIRED’s detailed set of questions about its business practices.

“To put it plainly, your assertions in this question set are outdated and patently wrong about Registered Agents Inc.,” the company said in a statement. “Therefore, at this time Registered Agents Inc. will provide no comment as it is apparent that you, Wired and its editors attempt \[to\] fit a pre-arranged narrative through publishing false facts and other blatant lies.”

Registered Agents Inc. says that it has offices in every state in the US and in Washington, DC, allowing it to offer its customers the ability to register a business anywhere. Many of those offices are small outfits located near state government offices, so its employees can easily submit paperwork. (The Sheridan office is located just a block away from city hall.)

Registered Agents Inc. has expanded beyond incorporation services, building custom software to manage entire businesses. Last year, it acquired Epik, a domain registrar and web hosting company that had previously catered to far-right extremists.

Much of the company’s high-level operations and development take place in the Pacific Northwest, including Spokane, Washington, and Post Falls, Idaho. The company has two major subsidiaries: Two Barrels LLC, which develops software, and Corporate Tools LLC, which enables its customers to manage the filings of multiple businesses.

“Somebody will hire \[Registered Agents Inc.\] to create an LLC, and then \[Registered Agents Inc. will\] sign all that paperwork with fake identities and submit it to the Secretary of State,” says Mikhail Slyusarev, who worked as a senior software engineer at the company for more than six years. “There’s no oversight, you're not really answering to anybody, and you’re just making shit up.”

On July 29, 2015, Registered Agents Inc. updated the name listed on its own incorporation documents it had filed with the Wyoming secretary of state. While Keen had previously signed as president and registered agent of the company, the new registered agent for the company was a man named Bill Havre.

Registered Agent Inc.’s website featured a vivid yarn detailing Havre’s life story, according to an archived version of the site from December 2021. Havre grew up on a small ranch in Wyoming and studied medicine at the University of California, Berkeley in the early 1970s, the bio read. But shortly after enrolling in classes, Havre returned home to Wyoming to tend to a family emergency, eventually starting his own businesses in the state.

“After gaining some insight into the nature of starting a business, Mr. Havre was intrigued by the business entity formation process, particularly concerned by what at the time seemed exorbitant fees paid to attorneys to complete and file corporate formation documents,” the website said.

Havre was once listed on Registered Agent Inc.’s website as the company’s president and executive director. Havre has helped register 491 companies with Registered Agents Inc., WIRED found. He’s also an entirely fabricated persona, five former employees say, an invention of Dan Keen.

That 2015 document is the earliest recorded instance of the company using fake names identified by WIRED. Havre’s name was removed from the company’s website in 2022 following inquiries from _The Washington Post_ and the International Consortium of Investigative Journalists.

The Wyoming incorporation paperwork viewed by WIRED includes the full text of the state law against filing a false document, reminding registrants that doing so may be a felony punishable by up to two years in prison and a $2,000 fine. Former employees say that customers of Registered Agents Inc. typically aren’t aware that a fake name is used to sign their company’s incorporation documents.

Provided a copy of the Wyoming incorporation document, experts say using a fake person would likely violate the law. “This does look like it requires a real person to sign—Riley Park would seemingly be in violation,” says Gary Kalman, the executive director of Transparency International US, an anti-corruption group.

Former Registered Agents Inc. employees allege that Keen justified using fake names by saying it was a way to protect employees from being drawn into legal battles and being forced to testify about the company’s customers.

The laws for incorporating companies in America are decided at the state level, allowing a prospective business owner to shop around based on tax advantages, anonymity rules, and other considerations. Many state offices don’t fully investigate filings to determine if the signatories are legitimate, former employees of Registered Agents Inc. say.

“There is no federal requirement, there is no state-level requirement that these registered agents have any code of ethics. There’s no anything,” says Sarah Beth Felix, an expert on financial transparency. “For being essential gatekeepers to legitimize businesses, they’re grossly unregulated.”

Former employees say that the registered agents industry benefits from relaxed incorporation laws in states like Wyoming and Montana, where registering a completely anonymous company is as simple as paying a registered agent service as little as $200. That makes the US an appealing location for illicit financial activity even before the added layer of opacity by a registered agent.

According to two former employees, the company doesn’t screen to see if its customers are real people, or even if their email addresses are legitimate. Former employees say they raised concerns about not knowing the true identity of all of their customers to company leadership, but were dismissed. Experts and former employees said that verifying the identity of its customers is often not required for registered agents.

“You could say your name was Billy Bob and your email was BillyBob123, and we would have created an LLC for you,” the former software developer says.

“Dan takes it almost to an extreme. He tries to maximize what the laws allow in each state,” says Don Evans, who worked in a chief technical officer role at the company. “If people find ways to use his services that are in the gray area, he would turn a cheek to it.”

Since 2008, Dan Keen has grown his business from a small company serving customers in the Pacific Northwest to a major national player in what’s known as the corporate formation industry. The company and its competitors offer the ability to incorporate a business in the state of a customer’s choosing and receive mail and legal notices.

Keen started the company after running a tree trimming and landscaping business. Former employees said Keen worked tirelessly to build the business, often sending emails at all hours of the night.

“Dan put in a lot of effort, he worked nonstop,” says Matt MacKenzie, who worked as a legal compliance specialist for more than 11 years and was one of the company’s earliest employees.

When the company was a small upstart, Keen regularly listed his name on the formation documents of the company and its various subsidiaries in states across America. “It wasn't until down the road a couple years later, where he started wanting to use full-on fake names and take his name off all the corporate paperwork for Registered Agents Inc.,” MacKenzie says.

Keen is described by former employees as a driven but eccentric businessman who is prone to micromanagement and sudden shifts in mood. Keen dresses modestly, former employees say, wearing shorts and flannel shirts, and is an avid skier and outdoorsman.

Keen often took a passive aggressive approach with his staff, according to six former employees. Two recounted Keen begrudgingly offering health care plans to employees after being told it was required by the Affordable Care Act, allegedly telling his staff they were “whiners and complainers” for asking for it.

Multiple former employees described Keen as “inappropriate,” saying he often made comments about employees' physical appearance. Two former employees described him as making misogynistic statements, which allegedly included making sexual comments about women and frequently questioning their ability to perform their job.

Several former employees questioned the high-security nature of the office, which they say was filled with security cameras and required them to lock their cell phones in boxes. Slyusarev, Registered Agents Inc.’s former senior software engineer, says the phone system, which he says he installed, was capable of surreptitiously recording employee phone calls.

Former employees say that Keen chafed at government regulations and exercised complete control over the company and its operations. Keen has no website or social media profiles and doesn't give interviews about his business.

“He thinks people are out to get him, or out to get the company,” Evans, the former senior employee, claims.

Details about its inner workings, including the ownership and management structure, are concealed from employees, who say they were discouraged from discussing it at the office. And the practice of using fake personas extends even to Registered Agents Inc.’s own workers.

When Don Evans began interviewing at Registered Agents Inc., he recalled first speaking over LinkedIn with Diane Brunner, who identified herself as a recruiter at the company. When he arrived at the office for an interview, he asked to speak with Brunner and was told nobody by that name works at the company.

Jack Stephenson, who claims to be a vice president and client relations director at Registered Agents Inc. on LinkedIn, is another fake persona, employees say. Stephenson frequently comments on the registered agents industry on LinkedIn. He lists a Bachelor of Business Administration from Utah State University on his profile, but an official from the university told WIRED they couldn’t find any records pertaining to Jack Stephenson.

Inside Registered Agents Inc., the Shadowy Firm Pushing the Limits of Business Privacy

Debian Linux Security Advisory 5635-1 - Aviv Keller discovered that the frames.html file generated by YARD, a documentation generation tool for the Ruby programming language, was vulnerable to cross-site scripting.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5635-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMarch 04, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : yardCVE ID         : CVE-2024-27285Aviv Keller discovered that the frames.html file generated by YARD, adocumentation generation tool for the Ruby programming language, wasvulnerable to cross-site scripting.For the oldstable distribution (bullseye), this problem has been fixedin version 0.9.24-1+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 0.9.28-2+deb12u2.We recommend that you upgrade your yard packages.For the detailed security status of yard please refer toits security tracker page at:https://security-tracker.debian.org/tracker/yardFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmXmMwMACgkQEMKTtsN8TjYteA/+OJKIMLYc36uSErez5guFT6OYcCINkwjm8Uv+7S9lkBp3aq80agghHHPwoghyZaW/2VohG/nDEFXh5g/NUPNFT+/044ymLsSMgJOF8C80+K6xJ7C/lHBeqYOMIjxzWuooWe0pL7ZLMpZHIipvbVtlS/M+GkjBudPMptMdk8hxfX3zlNgzJqxvZdE7dOu/eTqUOc+aOXRo7NPXkYfqkzkJxwy6DFnkRMrVd9IvHcYOs3Aw0EQE92QTsB68etFwakgmZZOzLW1ubkYJWGXGKq0ASWuGOlSUGjx62KiGWR53iIGUhY4VEQRUDjmPOVDoxOePO1Vr0W6UPqbsrGqSyKwpU8lqQKqAGbOJyw5XsnOjhu/fk1q9J3DRA/oa8fc/6Vgt+Ys8nOj1YHW+SbxjseRnGFraPqq88ICJ1Lg/UsxHn1RcO1dozClKI+FxLlbyZMFETA1yfy2+iHu6go5jQDTjQHuLk4aUzSAf1y6a8507QWyQSThB+9gehIs+GxTLRzYIOTgB40xrE5vaouVvZb5Qg9j9P1j2DY3+R8+ig+15nnMaVRSAQFaXl+9Vyn3STUox9lvhxBB7tCYEWV4P6IPQqjwsNWMKZR0gfmpJxrql3cUCkFTH68prMfWNbPYfsqVrnVkWQMzkqb1NvAdyYP3TJYEDdG1oI09vIye4d6VXbW4==CnLF-----END PGP SIGNATURE-----

Debian Security Advisory 5635-1

WordPress Neon Text plugin versions 1.1 and below suffer from a persistent cross site scripting vulnerability.

**WordPress Neon Text 1.1 Cross Site Scripting**

Posted Mar 5, 2024

Authored by Eren Car

WordPress Neon Text plugin versions 1.1 and below suffer from a persistent cross site scripting vulnerability.

tags | exploit, xss

advisories | CVE-2023-5817

SHA-256 | f6fa131d3df7c7fa0667803c7757179d6f0f6967ebbb7d6ee2469662460a8a4e

Download | Favorite | View

**WordPress Neon Text 1.1 Cross Site Scripting**

    # Exploit Title: Wordpress Plugin Neon Text <= 1.1 - Stored Cross Site Scripting (XSS)# Date: 2023-11-15# Exploit Author: Eren Car# Vendor Homepage: https://www.eralion.com/# Software Link: https://downloads.wordpress.org/plugin/neon-text.zip# Category: Web Application# Version: 1.0# Tested on: Debian / WordPress 6.4.1# CVE : CVE-2023-5817# 1. Description:The Neon text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's neontext_box shortcode in 1.1 and above versions.   # 2. Proof of Concept (PoC):  a. Install and activate version 1.0 of the plugin.  b. Go to the posts page and create new post.  c. Add shorcode block and insert the following payload:      [neontext_box][neontext color='"onmouseover="alert(document.domain)"']TEST[/neontext][/neontext_box]          d. Save the changes and preview the page. Popup window demonstrating the vulnerability will be executed.

**File Tags**

*   ActiveX (933)
*   Advisory (84,370)
*   Arbitrary (16,579)
*   BBS (2,859)
*   Bypass (1,818)
*   CGI (1,032)
*   Code Execution (7,578)
*   Conference (687)
*   Cracker (844)
*   CSRF (3,370)
*   DoS (24,373)
*   Encryption (2,381)
*   Exploit (52,611)
*   File Inclusion (4,246)
*   File Upload (982)
*   Firewall (822)
*   Info Disclosure (2,832)
*   Intrusion Detection (905)
*   Java (3,117)
*   JavaScript (887)
*   Kernel (6,944)
*   Local (14,657)
*   Magazine (586)
*   Overflow (12,989)
*   Perl (1,430)
*   PHP (5,174)
*   Proof of Concept (2,364)
*   Protocol (3,687)
*   Python (1,595)
*   Remote (31,291)
*   Root (3,613)
*   Rootkit (519)
*   Ruby (617)
*   Scanner (1,647)
*   Security Tool (7,962)
*   Shell (3,236)
*   Shellcode (1,217)
*   Sniffer (899)
*   Spoof (2,255)
*   SQL Injection (16,491)
*   TCP (2,420)
*   Trojan (688)
*   UDP (896)
*   Virus (668)
*   Vulnerability (32,461)
*   Web (9,836)
*   Whitepaper (3,768)
*   x86 (966)
*   XSS (18,130)
*   Other

**File Archives**

*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,060)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,926)
*   Debian (6,978)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,466)
*   HPUX (880)
*   iOS (369)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (48,786)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (487)
*   RedHat (15,203)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,336)
*   UNIX (9,371)
*   UnixWare (187)
*   Windows (6,635)
*   Other

WordPress Neon Text 1.1 Cross Site Scripting

Red Hat Security Advisory 2024-1077-03 - An update for edk2 is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a buffer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1077.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: edk2 security updateAdvisory ID:        RHSA-2024:1077-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1077Issue date:         2024-03-05Revision:           03CVE Names:          CVE-2023-45230====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es):* edk2: Buffer overflow in the DHCPv6 client via a long Server ID option (CVE-2023-45230)* edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message (CVE-2023-45234)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45230References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2258685https://bugzilla.redhat.com/show_bug.cgi?id=2258697

Red Hat Security Advisory 2024-1077-03

Red Hat Security Advisory 2024-1076-03 - An update for edk2 is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a buffer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1076.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: edk2 security updateAdvisory ID:        RHSA-2024:1076-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1076Issue date:         2024-03-05Revision:           03CVE Names:          CVE-2023-45230====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es):* edk2: Buffer overflow in the DHCPv6 client via a long Server ID option (CVE-2023-45230)* edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message (CVE-2023-45234)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45230References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2258685https://bugzilla.redhat.com/show_bug.cgi?id=2258697

Red Hat Security Advisory 2024-1076-03

Red Hat Security Advisory 2024-1075-03 - An update for edk2 is now available for Red Hat Enterprise Linux 9. Issues addressed include a buffer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1075.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: edk2 security updateAdvisory ID:        RHSA-2024:1075-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1075Issue date:         2024-03-05Revision:           03CVE Names:          CVE-2023-45230====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es):* edk2: Buffer overflow in the DHCPv6 client via a long Server ID option (CVE-2023-45230)* edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message (CVE-2023-45234)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45230References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2258685https://bugzilla.redhat.com/show_bug.cgi?id=2258697

Red Hat Security Advisory 2024-1075-03

Cisco Talos observed a surge in GhostSec, a hacking group’s malicious activities since this past year. GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.

Tuesday, March 5, 2024 08:00

*   Cisco Talos observed a surge in GhostSec, a hacking group’s malicious activities since this past year.
*   GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.
*   The GhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries. 
*   GhostLocker and Stormous ransomware have started a new ransomware-as-a-service (RaaS) program STMX\_GhostLocker, providing various options for their affiliates. 
*   Talos also discovered two new tools in GhostSec arsenal, the “GhostSec Deep Scan tool” and “GhostPresser,” both likely being used in the attacks against websites.

**Victimology of ransomware attacks**

Talos observed the GhostSec and Stormous ransomware groups operating together to conduct several double extortion attacks using the GhostLocker and StormousX ransomware programs against the victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand and Indonesia according to our assessment of the disclosure messages posted by the group in their Telegram channels and Stormous ransomware data leak site.  

The collaborative operation affected victims across various business verticals, according to disclosures made by the groups in their Telegram channels.

Talos’ observation in GhostSec’s Telegram channels highlighted the group’s continued attacks on Israel’s Industrial systems, critical infrastructure and technology companies. On Nov. 12, 2023, they claimed that the affected organizations also included the Ministry of Defense in Israel.

Example of GhostSec’s Telegram chat message.

**GhostSec has remained active since this past year**

GhostSec is a hacker group that claims to be one of a modern-day Five Families group that includes ThreatSec, Stormous, Blackforums and SiegedSec on their Telegram channels. GhostSec is financially motivated, conducting single and double extortion attacks on victims across various geographies. They have also conducted several denial-of-service (DoS) attacks and have taken down victims’ websites, according to their Telegram channel messages. Their claims also showed us that their primary focus is raising funds for hacktivists and threat actors through their cybercriminal activities. 

The actor’s name, GhostSec, resembles the well-known hacktivist Ghost Security Group, primarily focusing on counterterrorism efforts and targeting pro-ISIS websites. The Ghost Security Group mentioned in their blog that another hacking group mimics their identity. 

In October 2023, GhostSec announced a new ransomware-as-a-service (RaaS) framework called GhostLocker. After their successful collaborative operations with the Stormous ransomware group in July 2023 against Cuban ministries, on Oct. 14, 2023, the Stormous gang announced that they would use the GhostLocker ransomware program in addition to their StormousX program. 

Stormous ransomware Telegram chat message.

Since then, the GhostSec and Stormous ransomware groups have jointly conducted double extortion ransomware attacks targeting victims across various business verticals in multiple countries. Along with the ransomware attacks, GhostSec seemed to be conducting attacks against corporate websites, including a national railway operator in Indonesia and one of Canada’s leading energy companies. They have likely leveraged their GhostPresser tool along with the cross-site scripting attack technique to compromise the websites. 

On Feb. 24, 2024, Stormous group mentioned on “The Five Families” Telegram channel that they have started their new ransomware-as-a-service (RaaS) program “STMX\_GhostLocker” along with their partners in GhostSec. The new program is made up of three categories of services for the affiliates: paid, free, and another for the individuals without a program who only want to sell or publish data on their blog (PYV service). 

The group has shared their working model flow diagrams for member and non-member affiliates on their Telegram channels.

Stmx\_GhostLocker member affiliate working model.

Stmx\_GhostLocker non-member affiliate working model.

Stormous ransomware and GhostSec have rebuilt the new official blog of their RAAS program Stmx\_GhostLocker on the TOR network, with features for the affiliates to join their program and disclose their victim’s data. Their blog dashboard shows the count of victims and disclosures of victims’ information with a link to their leaked data. They also display the largest ransom as $500,000 USD — we are not sure if that is the highest ransom payment they have received. 

Redacted picture of Stmx\_GhostLocker blog. 

**Evolution of GhostLocker 2.0 ransomware **

In November 2023, GhostSec announced a newer version of their GhostLocker ransomware called GhostLocker 2.0. Recently we observed that they have again started advertising their latest Golang version “GhostLocker 2.0” by calling it “GhostLocker V2” and mentioning their ongoing work on the GhostLocker V3, indicating their continuous evolution in developing their toolset. 

GhostLocker 2.0 encrypts the files on the victim’s machine using the file extension “.ghost” and drops and opens a ransom note. The ransom note has changed from its previous version, where the operator tells users to secure the encryption ID displayed in the ransom note and share it with them in their chat service during the negotiation by clicking “Click me.” The operator also mentions that the victim’s stolen data will be disclosed if they fail to contact them in seven days. 

Ransom Note of GhostLocker (left) and ransom Note of GhostLocker 2.0 (right).

The GhostLocker RAAS has a C2 panel where the affiliates can get an overview of their attacks and gains. When deployed on the victim’s machine, the ransomware binaries will register to the C2 panel, and the affiliates can track the encryption status on the victim’s machine. Talos discovered the GhostLocker 2.0 C2 server with the IP address 94\[.\]103\[.\]91\[.\]246 located in Moscow, Russia. We observed that the geolocation of the C2 server is similar to that of the C2 servers of earlier versions of the GhostLocker ransomware that security researchers at Uptycs reported. 

GhostLocker C2 panels.

GhostLocker RAAS provides its affiliates with the ransomware builder, which contains configuration options, including the mode of persistence that the ransomware binary can establish after being successfully run on the victim machine, target directories to encrypt, and techniques to evade the detections, such as killing the defined processes or services or running the arbitrary command to kill the scheduled task or bypass the User Account Controls (UAC). 

GhostLocker 2.0 ransomware builder panel.

Talos discovered the new variant of GhostLocker ransomware, “GhostLocker 2.0” in the wild on Nov. 15, 2023. The majority of the ransomware functionality of GhostLocker 2.0 remains the same as that of its earlier version GhostLocker, which was written in Python, excluding the watchdog component that the operator had used in earlier versions to start the dropped ransomware binary from the victim’s machine Windows Startup location and the AES encryption key length of 256 bits with that of 128 bits in the earlier version. 

During the initial execution, GhostLocker 2.0 copies itself to the Windows Startup folder to establish persistence. It also generates a random string of 32 bytes and uses the generated string as the filename for its dropped copy in the Windows Startup folder. 

After establishing the persistence, the ransomware establishes the connection to the C2 server through the URL hxxp\[://\]94\[.\]103\[.\]91\[.\]246\[/\]incrementLaunch.

A function that initiates the connection to C2.

After establishing a successful connection with the C2 server, the ransomware generates the secret key and the encryption ID and gathers the victim’s IP address, infection date and other information from its configuration parameters, including encryption status, ransom amount and a victim identifier string, to create a JSON file in the victim’s machine memory.

JSON file generated in the machine’s memory.

The generated JSON file is sent to the C2 server through the URL hxxp\[://\]94\[.\]103\[.\]91\[.\]246\[/\]addInfection to register the victim’s machine infection in the C2 panel.

Function to register the infection to the C2 by sending the JSON file.

After registering the victim’s machine infection with the C2 panel, the ransomware attempts to terminate the defined processes or services or Windows scheduled tasks from its configuration parameters in the victim’s machine to evade detection. 

Functions to stop Windows scheduled tasks. 

GhostLocker 2.0 searches for the target files on the victim’s machine according to the file extension list defined by the threat actor, and before the encryption routine starts, it will upload the target files to the C2 server through the URL “hxxp\[://\]94\[.\]103\[.\]91\[.\]246\[/\]upload” using HTTP post method. In the GhostLocker 2.0 sample we analyzed, the actor has configured the ransomware to exfiltrate and encrypt the files that have file extensions .doc, .docx, .xls and .xlsx. 

Function to exfiltrate the target files to the C2 server. 

After successfully exfiltrating, GhostLocker 2.0 encrypts the targeted files and appends “.ghost” as the file extension for the encrypted files. During the encryption process, GhostLocker 2.0 skips the “C:\\Windows” folder. After completing the encryption routine, the ransomware drops the embedded ransom note to an HTML file with the filename “Ransomnote.html” on the victim’s desktop and launches it using the Windows \`Start\` command. 

A function that drops and opens ransom notes.

Talos’ research uncovered two new tools in GhostSec’s arsenal that the hacking group claimed to have used in compromising legitimate websites. One of them is the “GhostSec Deep Scan toolset” to scan legitimate websites recursively, and another is a hack tool to perform cross-site scripting (XSS) attacks called “GhostPresser.”

The GhostSec deep scan toolset is a Python utility that an attacker can use to scan the websites of their potential targets. 

The tool has several modules to perform the following scans on the targeted websites:

*   Perform a user-specific search. 
*   Scans multiple websites.
*   Extract the hyperlinks on the website. 
*   Performs a deep scan and analyzes the technologies used to build the web page.
*   Scans the security protocols to detect the SSL/TLS and HSTS (HTTP Strict Transport Security).
*   Perform the website content analysis and extract the contents to a file.
*   Performs a WhoIs lookup.
*   Checks for the existence of any broken links in the website.

The tool also contains placeholders to perform specific functions including SSL analysis, DNS lookup, checks for robots.txt and sitemap.xml, CVE scans on the targeted website, and an advanced search based on the file type, date range and the custom criteria of the websites, indicating the GhostSec’s continuous evolution of tools in their arsenal. 

One of the modules that stood out to us is the \`deep\_scan\` function that the actor has defined to parse and scrape information from the targeted web pages and assess the technologies used in the web page. It is done by using the Python libraries Beautiful Soup, a Python package used for parsing data out of HTML and XML files, and the BuiltWith Python library, a Python package used to detect the technology used by a website, such as Apache, JQuery and WordPress. 

A function to parse and identify the technology used in the webpage.

GhostPresser, an admin bypass and hacking tool targeting the WordPress content management system, is a shell script that GhostSec claims to have used in an XSS attack against a legitimate website in Canada. The tool appears to be under enhancement process as we spotted several placeholders in the tool to include functionalities to perform audits on the targeted websites. We are not sure at this moment about what type of audits the threat actor intends to implement in their tool. 

GhostPresser tool.

A threat actor can achieve the following actions after successfully injecting the GhostPresser into a targeted website on WordPress. 

*   Bypass logins and perform actions such as test cookies. 
*   Activate and deactivate a plugin. 
*   Change WordPress settings.
*   Create a new user. 
*   Update WordPress core information. 
*   Functions to install a new theme.

Below is an example of the function in the GhostPresser to install new themes in WordPress.

Function to install new WordPress theme.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 62983-62989, and 300818-300820. 

ClamAV detections are also available for this threat:

Win.Ransomware.GhostSec-10020906-0

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

GhostSec’s joint ransomware operation and evolution of their arsenal

Last year, 11% of all detections on Macs were caused by malware. The illuminating figure gives a view into the world of Mac cyberthreats.

We’re going to let you in on a little cybersecurity secret… There’s malware on Mac computers. There pretty much always has been.

As revealed in our 2024 ThreatDown State of Malware report, a full 11% of all detections recorded by Malwarebytes on Mac computers in 2023 were for different variants of malware—the catch-all term that cybersecurity researchers use to refer to ransomware, trojans, info stealers, worms, viruses, and more.

That 11% figure may not sound imposing but remember that many people today still believe that Apple devices, including Mac computers, are invulnerable to cyberinfections because of some sort of vague “Apple magic.”

In reality, “Apple magic” is more a byproduct of old advertising (this 2006 commercial from the “I’m a Mac, and I’m a PC” series did irreparable harm) and faulty conclusions concerning cybersecurity’s biggest breaches and attacks: People mistakenly believe that because _most_ attacks target Windows computers and servers, _no_ attacks target Macs.

The truth is far more nuanced, as the visible, overwhelming focus of cyberattacks on Windows machines is a consequence of Microsoft’s long-standing success in business computing.

For decades, every multinational corporation, every local travel agency, every dentist, every hospital, every school, government, and city hall practically ran on Windows. This mass adoption was good for Microsoft and its revenue, but it also drew and maintained the interests of cybercriminals, who would develop malware that could impact the highest number of victims. This is why the biggest attacks, even today, predominantly target Windows-based malware and the sometimes-unpatched vulnerabilities found in Windows software and applications.  

Essentially, as Windows is the biggest target, cybercriminals zero in their efforts respectively.

But new information last year revealed that could all be changing.

****Mac malware tactics shifted in 2023****

Apple’s desktop and laptop operating system, macOS, represents a 31% share of US desktop operating systems, and roughly 25% of all businesses reportedly utilize Mac devices somewhere in their networks.

Already, the cybercriminals have taken note.

In April 2023, the most successful and dangerous ransomware in the world—LockBit—was found to have a variant developed for Mac. Used in at least 1,018 known attacks last year, LockBit ransomware, and the operators behind it, destroyed countless businesses, ruined many organizations, and, according to the US Department of Justice, brought in more than $120 million before being disrupted by a coordinated law enforcement effort in February of this year.

While the LockBit variant for Mac was not operational upon discovery, the LockBit ransomware gang said at the time that it was “actively being developed.” Fortunately, LockBit suffered enormous blows this year, and the ransomware gang is probably less concerned with Mac malware development and more concerned with “avoiding prison.”

Separately, in September 2023, Malwarebytes discovered a cybercriminal campaign that tricked Mac users into accidentally installing a type of malware that can steal passwords, browser data, cookies, files, and cryptocurrency. The malware, called Atomic Stealer (or AMOS for short) was delivered through “malvertising,” a malware delivery tactic that abuses Google ads to send everyday users to malicious websites that—though they may appear legitimate—fool people into downloading malware.

In this campaign, when users searched on Google for the financial marketing trading app “TradingView,” they were sometimes shown a malicious search result that appeared entirely authentic: a website with TradingView branding was visible, and download buttons for Windows, Mac, and Linux were clearly listed.

But users who clicked the Mac download button instead received AMOS.

This malvertising site mimics TradingView to fool users into downloading malware for different operating systems.

Just months later, AMOS again wriggled its way onto Mac computers, this time through a new delivery chain that has more typically targeted Windows users.

In November, Malwarebytes found AMOS being distributed through a malware delivery chain known as “ClearFake.” The ClearFake campaign tricks users into believing they’re downloading an approved web browser update. That has frequently meant a lot of malicious prompts mimicking Google Chrome’s branding and update language, but the more recent campaign imitated the default browser on Mac devices—Safari.

A template is used that mimics the official Apple websites and webpages to convince users into downloading a Safari “update” that instead contains malware.

As Malwarebytes Labs wrote at the time:

> “This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system.”

****Replace “magic” with Malwarebytes****

Cyberthreats on Mac aren’t non-existent, they’re just different. But different threats still need effective protection, which is where Malwarebytes Premium can help.

Malwarebytes Premium detects and blocks the most common infostealers that target Macs—including AMOS—along with annoying browser hijackers and adware threats such as Genieo, Vsearch, Crossrider, and more. Stay protected, proactively, with Malwarebytes Premium for Mac.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 No “Apple magic” as 11% of macOS detections last year came from malware 

More than 225,000 logs containing compromised OpenAI ChatGPT credentials were made available for sale on underground markets between January and October 2023, new findings from Group-IB show.
These credentials were found within information stealer logs associated with LummaC2, Raccoon, and RedLine stealer malware.
“The number of infected devices decreased slightly in mid- and late

Tag

#mac