A ShinyHunters hacker tells WIRED that they gained access to Ticketmaster’s Snowflake cloud account—and others—by first breaching a third-party contractor.

Hackers who stole terabytes of data from Ticketmaster and other customers of the cloud storage firm Snowflake claim they obtained access to some of the Snowflake accounts by first breaching a Belarusian-founded contractor that works with those customers.

About 165 customer accounts were potentially affected in the recent hacking campaign targeting Snowflake’s customers, but only a few of these have been identified so far. In addition to Ticketmaster, the banking firm Santander has also acknowledged that their data was stolen but declined to identify the account from which it was stolen. Wired, however, has independently confirmed that it was a Snowflake account; the stolen data included bank account details for 30 million customers, including 6 million account numbers and balances, 28 million credit card numbers, and human resources information about staff, according to a post published by the hackers. Lending Tree and Advance Auto Parts have also said they might be victims as well.

Snowflake has not revealed details about how the hackers accessed the accounts, saying only that the intruders did not directly breach Snowflake’s network. This week, Google-owned security firm Mandiant, one of the companies engaged by Snowflake to investigate the breaches, revealed in a blog post that in some cases the hackers first obtained access through third-party contractors, without identifying the contractors or stating how this access aided the hackers in breaching the Snowflake accounts.

But according to one of the hackers who spoke with WIRED through a text chat, one of those firms was EPAM Systems, a publicly traded software engineering and digital services firm, founded by Belarus-born Arkadiy Dobkin, with current revenue of around $4.8 billion. The hacker says his group, which calls themselves ShinyHunters, used data found on an EPAM employee system to gain access to some of the Snowflake accounts.

EPAM told WIRED that it does not believe that it played a role in the breaches and suggested the hacker had fabricated the tale. ShinyHunters has been around since 2020 and has been responsible for numerous breaches since then that involve stealing large troves of data and leaking or selling it online.

Snowflake is a large data storage and analysis firm that provides tools for companies to derive intelligence and insight from customer data. EPAM develops software and provides various managed services for customers worldwide, primarily in North America, Europe, Asia, and Australia, according to its web site, with about 60 percent of its revenue coming from customers in North America. Among the services EPAM provides customers is assistance with using and managing their Snowflake accounts to store and analyze their data. EPAM claims it has some 300 workers who are experienced in using Snowflake’s data analytics tools and services, and announced in 2022 that it had attained “Elite Tier Partner” status with Snowflake to leverage the latter’s analytics platform for its customers.

EPAM’s founder emigrated from Belarus to the US in the ’90s before founding his company in 1993 from his New Jersey apartment. Nearly two-thirds of EPAM’s 55,000 employees resided in Ukraine, Belarus, and Russia until Russia invaded Ukraine, at which point the company says it closed its Russia operations and moved some of its Ukrainian workers to locations outside of that country.

The hacker who spoke with WIRED says that a computer belonging to one of EPAM’s employees in Ukraine was infected with info-stealer malware through a spear-phishing attack. It’s unclear if someone from ShinyHunters conducted this initial breach or just purchased access to the infected system from someone else who hacked the worker and installed the infostealer. The hacker says that once on the EPAM worker’s system, they installed a remote-access Trojan, giving them complete access to everything on the worker’s computer.

Using this access, they say, they found unencrypted usernames and passwords that the worker used to access and manage EPAM customers’ Snowflake accounts, including an account for Ticketmaster. The hacker says the credentials were stored on the worker’s machine in a project management tool called Jira. The hackers were able to use those credentials, they say, to access the Snowflake accounts because the Snowflake accounts didn’t require multifactor authentication (MFA) to access them. (MFA requires that users type in a one-time temporary code in addition to a username and password, making accounts that use MFA more secure.)

While EPAM denies it was involved in the breach, hackers did steal data from Snowflake accounts including Ticketmaster's, and have extorted the owners of the data by demanding hundreds of thousands, and in some cases more than a million, dollars to destroy the data or risk having the hackers sell it elsewhere.

The hacker who spoke with WIRED didn’t identify all of the victims breached through EPAM but did indicate that Ticketmaster was one of them. Ticketmaster did not respond to a request for comment from WIRED. But Ticketmaster’s parent company, Live Nation, has acknowledged that data was stolen from its Snowflake account in May without revealing how much data was stolen or how the hackers accessed the Snowflake account. In a post offering the data for sale, however, the hackers indicated that they had taken data on 560 million Ticketmaster consumers.

The hacker claims that in some cases they were able to directly access the Snowflake account of EPAM customers using the plaintext usernames and passwords they found on the EPAM worker’s computer. But in cases where Snowflake credentials weren’t stored on the worker’s system, the hacker claims they sifted through stockpiles of old credentials stolen in previous breaches by hackers using infostealer malware and found additional usernames and passwords for Snowflake accounts, including ones harvested from the machine of the same EPAM worker in Ukraine.

Credentials harvested by infostealers are often posted online or made available for sale on hacker forums. If victims don’t change their login credentials after a breach, or don’t know their data has been stolen, those credentials can remain active and available for years. It’s especially problematic if those credentials are used across multiple accounts; hackers can identify the user through the email address they use as a login credential, and if that person reuses the same password, hackers can simply try those credentials in multiple places.

The hackers in this case say they were able to use credentials stolen by an infostealer in 2020 to access Snowflake accounts.

WIRED wasn’t able to independently confirm that the hackers were inside the EPAM worker’s machine or used EPAM to gain access to Ticketmaster’s data and other Snowflake accounts, but the hacker provided WIRED with a file that appears to be a list of EPAM worker credentials lifted from the company’s Active Directory database after they gained access to the worker’s computer.

Furthermore, in the blog post written by Mandiant, which was published after the hacker told WIRED about his group’s use of data harvested by infostealers, the security firm revealed that the hackers who breached Snowflake accounts used old data siphoned by infostealers to access some of the accounts. Mandiant said that about 80 percent of the victims it identified in the Snowflake campaign were compromised using credentials that had previously been stolen and exposed by infostealers.

And an independent security researcher who has been helping to negotiate the ransom transactions between the ShinyHunter hackers and victims of the Snowflake campaign pointed WIRED to an online repository of data harvested by an infostealer that includes data siphoned from the computer of the EPAM worker in Ukraine that the hacker says was used to gain access to the Snowflake accounts. This stolen data includes the worker’s browser history, which reveals the worker’s complete name. It also includes an internal EPAM URL pointing to Ticketmaster’s Snowflake account, as well as a plaintext version of the username and password that the EPAM worker used to access the Ticketmaster Snowflake account.

“This means that \[an EPAM worker\] who had access to that Snowflake \[account\] had password-stealing malware on their computer, and their password was stolen and sold on the dark web,” says the researcher, who asked to be identified only as Reddington, an identity they use online to communicate with cybercriminals. “This means that anyone that knew the correct URL to \[Ticketmaster’s\] Snowflake could have simply looked up the password, logged in, and stolen the data.”

An EPAM spokesperson did not seem to be aware when contacted by WIRED early this week that its company allegedly played a role in breaches of Snowflake accounts. “We do not comment on situations to which we are not a part,” she wrote in an email, suggesting the company did not believe it played any role in the campaign. When WIRED provided the spokeswoman with details about how the hackers say they obtained access to the system of an EPAM worker in Ukraine, she replied, “Hackers frequently spread false information to advance their agendas. We maintain a policy of not engaging with misinformation and consistently uphold robust security measures to protect our operations and customers. We are continuing our exhaustive investigation and, at this time, see no evidence to suggest that we have been affected or involved in this matter.”

WIRED followed up by providing the name of the Ukrainian worker whose machine the hackers allegedly compromised, as well as the username and password the worker used for accessing Ticketmaster’s Snowflake account, but the spokesperson did not respond to any additional questions.

It’s possible the ShinyHunter hackers did not directly hack the EPAM worker, and simply gained access to the Snowflake accounts using usernames and passwords they obtained from old repositories of credentials stolen by info stealers. But, as Reddington points out, this means that anyone else can sift through those repositories for these and other credentials stolen from EPAM accounts. Reddington says they found data online that was used by nine different infostealers to harvest data from the machines of EPAM workers. This raises potential concerns about the security of data belonging to other EPAM customers.

EPAM has customers across various critical industries, including banks and other financial services, health care, broadcast networks, pharmaceutical, energy and other utilities, insurance, and software and hi-tech—the latter customers include Microsoft, Google, Adobe, and Amazon Web Services. It’s not clear, however, if any of these companies have Snowflake accounts to which EPAM workers have access. WIRED also wasn’t able to confirm whether Ticketmaster, Santander, Lending Tree, or Advance AutoParts are EPAM customers.

The Snowflake campaign also highlights the growing security risks from third-party companies in general and from infostealers. In its blog post this week, Mandiant suggested that multiple contractors were breached to gain access to Snowflake accounts, noting that contractors—often known as business process outsourcing (BPO) companies—are a potential gold mine for hackers, because compromising the machine of a contractor that has access to the accounts of multiple customers can give them direct access to many customer accounts.

“Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector,” wrote Mandiant in its blog post. “These devices, often used to access the systems of multiple organizations, present a significant risk. If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges.”

The company also highlighted the growing risk from infostealers, noting that the majority of the credentials the hackers used in the Snowflake campaign came from repositories of data previously stolen by various infostealer campaigns, some of which dated as far back as 2020. “Mandiant identified hundreds of customer Snowflake credentials exposed via infostealers since 2020,” the company noted.

This, accompanied by the fact that the targeted Snowflake accounts didn’t use MFA to further protect them, made the breaches in this campaign possible, Mandiant notes.

Snowflake’s CISO, Brad Jones, acknowledged last week that the lack of multifactor authentication enabled the breaches. In a phone call this week, Jones told WIRED that Snowflake is working on giving its customers the ability to mandate that users of their accounts employ multifactor authentication going forward, “and then we’ll be looking in the future to \[make the\] default MFA,” he says.

_Update 6/17/2024, 5:45 pm EDT: The article was updated to clarify the details that Santander has publicly revealed about the hack._

Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake

Summary On May 9, 2024, Microsoft successfully addressed multiple vulnerabilities within the Azure Machine Learning (AML) service, which were initially discovered by security research firms Wiz and Tenable. These vulnerabilities, which included Server-Side Request Forgeries (SSRF) and a path traversal vulnerability, posed potential risks for information exposure and service disruption via Denial-of-Service (DOS).

**Summary**

On May 9, 2024, Microsoft successfully addressed multiple vulnerabilities within the Azure Machine Learning (AML) service, which were initially discovered by security research firms Wiz and Tenable. These vulnerabilities, which included Server-Side Request Forgeries (SSRF) and a path traversal vulnerability, posed potential risks for information exposure and service disruption via Denial-of-Service (DOS). We conducted a thorough internal investigation to identify any exploitation or compromise of customer resources using these vulnerabilities, and our review uncovered no evidence of exploitation or compromise.

We are disclosing these vulnerabilities in line with our commitment to trust and transparency.This update is for your awareness only; no action is required from customers.  

**The Vulnerabilities**

Microsoft was alerted to the SSRF vulnerabilities by Wiz and Tenable in April 2024. Action by engineering teams led to swift deployment of mitigations by May 9, 2024.  

These vulnerabilities could have allowed unauthorized requests by an HTTP client, potentially including internal IPs. These internal IPs could access AML’s internal Kubernetes infrastructure and expose backend metadata, such as network and pod information, that could be used to disrupt AML service operations. Despite existing security measures, the vulnerabilities bypassed certain validations, highlighting the need for enhanced security controls.

**Mitigation  **

The SSRF attack vector was effectively blocked on May 9, 2024, with the implementation of strict verification of client inputs and HTTP redirects. As part of our ongoing security efforts, we are also evaluating all service-to-service network traffic and will be applying more strict controls on intra-network communication. More broadly, we are also working to enhance defense-in-depth to help other users by collaborating with partner open-source software teams to make it harder to request unauthorized actions without additional metadata.

**Conclusion  **

We value the opportunity to collaborate with Wiz and Tenable and encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research. Researchers who report security issues to the Microsoft Security Response Center are also eligible to participate in Microsoft’s Bug Bounty Program.  

Microsoft follows CVD, which systematically and responsibly manages the discovery, reporting, and remediation of security vulnerabilities. CVD allows us to collaborate with researchers and the wider security community in a way that prioritizes user security and system integrity. By following a coordinated approach, we can work with researchers to ensure that potential vulnerabilities are addressed before they’re made public, reducing the risk of exploitation and fostering a secure and transparent ecosystem.

Mitigating SSRF Vulnerabilities Impacting Azure Machine Learning

In a previous Red Hat article, VP of Red Hat Product Security, Vincent Danen, discussed the question "Do all vulnerabilities really matter?" He emphasized that "a  software vulnerability has the potential to be exploited by miscreants to harm its user." The key word here is "potential". If the potential for exploitation is high, or if an exploit for a vulnerability is already in use in the wild, then these vulnerabilities pose a greater risk and must be prioritized and addressed promptly.Red Hat uses CISA as a source for known exploited vulnerabilitiesThe Cybersecurity and Infrastructure Secur

In a previous Red Hat article, VP of Red Hat Product Security, Vincent Danen, discussed the question "Do all vulnerabilities really matter?" He emphasized that "a  software vulnerability has the potential to be exploited by miscreants to harm its user." The key word here is "potential". If the potential for exploitation is high, or if an exploit for a vulnerability is already in use in the wild, then these vulnerabilities pose a greater risk and must be prioritized and addressed promptly.

**Red Hat uses CISA as a source for known exploited vulnerabilities**

The Cybersecurity and Infrastructure Security Agency (CISA) leads the US national effort to understand, manage, and reduce risk to their cyber and physical infrastructure. CISA maintains a Known Exploited Vulnerabilities (KEV) catalog, otherwise known as the CISA catalog.

In November 2021, CISA issued the binding operational directive CISA BOD 22-01. This directive requires that all US Government federal agencies (USG) identify and remediate all vulnerabilities listed in the CISA catalog in their information systems. Additionally, this catalog is available to the public so other non-USG customers can be aware of the listed exploited vulnerabilities and seek immediate remediations. The vulnerabilities listed have been observed to be exploited in the wild, presenting an elevated risk.

In response, Red Hat created a program to resolve vulnerabilities added to the KEV list as quickly as possible. This program helps Red Hat to continue strengthening our security posture across our software portfolio while maintaining our reputation as a trustworthy partner.

**How well did Red Hat remediate exploited in the wild vulnerabilities?**

As described in CISA BOD-22-01, CISA has three main criteria for adding vulnerabilities to the KEV:

1.  A Common Vulnerabilities and Exposures (CVE) ID
2.  Clear remediation guidance
3.  Reliable evidence of exploitation in the wild

In 2023, the CISA catalog included 20 CVEs that impacted Red Hat products.  The following table displays the breakdown by severity. 

Severity rating

Total Red Hat  Flaw counts

In the wild exploitation

In the wild exploitation as a percentage of total flaw counts

All

1644

20

1.2%

Critical

12

1

5.3%

Important

336

15

4.5%

Moderate

1047

3

0.3%

Low

247

1

0.4%

The amount of vulnerabilities exploited in the wild was fairly low,  accounting for 1.2% of the total flaws that impacted Red Hat in 2023. Once Red Hat is notified that a CVE is  added to the CISA catalog, Red Hat provides a fix for the vulnerability within an average of 10 calendar days (notably faster than the 21 calendar days that CISA gives for the vulnerability to be resolved).

It is also important to note that Red Hat has released errata for approximately 24% of these Exploit CVEs before they were added to the CISA catalog. 

More than half of the exploited in the wild vulnerabilities pertain to the WebKitGTK package. WebKit is one of the three big web rendering engines. The exploit primarily targets iOS users and sometimes macOS users, as well as any software using the JavaScript Just in Time (JIT) compiler. To better enhance the security of Red Hat software,  Red Hat has disabled the JavaScript JIT mechanism in the 8.8 z-stream and 9.2 z-stream RHEL releases. This action is expected to cut down on the volume of WebKit vulnerabilities by half going forward. 

**Security awareness**

Red Hat Product Security's awareness and visibility into reported exploited vulnerabilities enable us to proactively address rising threats and fix vulnerabilities that truly matter. These actions allow Red Hat to remain a trusted vendor and partner to our customers. At Red Hat, openness and transparency are embedded in our culture. This culture of transparency influences our customer interactions and allows us to be a trusted partner. Sharing pertinent information makes our community well-informed and well-versed, especially when it comes to security. 

Enter keywords here to search blogs

UI\_Icon-Red\_Hat-Close-A-Black-RGB

Reducing the significant risk of known exploitable vulnerabilities in Red Hat software

In this common email scam, a criminal pretending to be your boss or coworker emails you asking for a favor involving money. Here's what do to when a bad actor lands in your inbox.

Don't close this tab! I know there are few combinations of words less interesting than business, email, and compromise. I may as well have written an article about fiber, socks, and responsibility. But this isn't a boring article: it's an article about email con artists who, according to the FBI, are pulling in $26 billion a year by scamming people.

So yeah: business email compromise scams are a big deal. The con artists behind this criminal enterprise will cold email you, pretending to be someone you work with, in order to gain access to money or information. You might get an email that appears to be from your company's CEO asking you to quickly do something like buy gift cards, or you might get an email that looks like it's from an employee at your company asking you to change their direct deposit information. The scam itself can take a lot of forms, but the end goal is to somehow siphon money away from you or the business you work for.

It's worth it for anyone with a desk job to take a few moments to learn how to spot these emails. I talked with a few experts, and they passed along some helpful advice.

**Always Question Urgency**

When I asked two cybersecurity experts about BEC fraud, I expected them to lead with technical advice. Both started with emotions. This makes sense: while such fraud happens on computers, it is at its heart about psychological manipulation. So spotting an email compromise scam requires getting in touch with how you're feeling.

"If an email elicits an emotional response, take a step back and reread it when you're more calm," says Ronnie Tokazowski, a security researcher who has been working to educate people about email scams for over a decade. Tokazowski emphasizes how important creating a false sense of urgency is to such scams. The stress the scam induces is what keeps you from questioning the premise. "People who get pulled into these types of scams … their emotions get very deregulated," he says. That makes you less capable of thinking critically, which is a key part of how such scams work.

Selena Larson, a threat researcher at cybersecurity firm Proofpoint, went a step further. "I don't know if you can print this, but honestly: just breathe," she says. "Slow down, take a deep breath. That actually helps you think more clearly and rationally. Walk away from your computer or your phone and think critically. Would this be an email that someone would send me? Is this is a logical thing that I'm being asked to do?"

You should be particularly skeptical if the person sending the email asks you to keep something quiet.

"Scammers do things like isolate you from your peers," says Larson. "They come at you from a position of authority and say things like, 'Please keep this confidential and only between us.' This type of social engineering makes it so people feel like they have to take an action with some kind of urgency, and that you can't share it with anybody."

So this is the first step: take control of your emotions. Yes, it can be difficult if you work in a demanding field. But it's your best first defense, and your employer will thank you for it (or, at least, they should).

**Always Confirm Through a Second Channel**

Now that you're skeptically questioning the legitimacy of the urgent request, check to make sure the email is coming from the person it claims to be from. The best way to do this is to ask—just be careful.

"If you received an email like this, it's important to pick up the phone and call the number you know to be legitimate," says Larson, adding a caveat. "Do not rely on a phone number in the email itself—it will be owned by the threat actor."

This is a crucial point: any contact information in the email itself is likely compromised, and sometimes cleverly so. Use the phone number you've already saved in your phone for the person in question, or look up the phone number on an official website or in an official company directory. This applies even if the number in the email looks correct, because some scammers will go through the trouble of getting a phone number that's similar to that of the person they're impersonating, all on the hopes that you'll call that number instead of the real one.

"I've seen phone numbers off two digits from the actual phone number," says Tokazowski.

Call the person who supposedly emailed you—using a number you are 100 percent sure is real—and confirm the request is authentic. You could also use some other secure communication channel like Slack or Microsoft Teams, or, if they're in the office, just ask them face to face. The point is to confirm any urgent request somewhere outside of the initial email. And even if the person is your boss or some other bigwig, do not worry about wasting their time.

"The person that is being impersonated would so much rather have someone take the time to confirm than to lose thousands or a million dollars in a malicious transaction," says Larson.

**Check the Email Address**

Getting in touch with the supposed sender isn't always an option. If not, there are a few tricks you can use to spot whether an email is real or fake. The first: check the email address and make sure it's from company domain.

"Always check the domains that you're receiving emails from," says Larson. Sometimes this will be obvious; your CEO likely isn't emailing you from a Gmail account, for example. Sometimes it will be more subtle—fraudsters have been known to purchase domains that look similar to that of the company they're attempting to fraud, all in the hopes of appearing legitimate.

It's also worth checking to see if the email signature matches the address the email is coming from. “If you look in the footer, they'll use the actual domain of the company to make it look legitimate, but that won't match the email address,” says Larson. Just keep in mind that the difference might be subtle. “Lookalike domains are very common: someone will do a slight variation, like an ‘l’ instead of an ‘i’, to make it look legitimate.” One way to test that, if you're suspicious, is to copy and paste the domain half of the address into a browser. If you don't get a website, you're probably dealing with a fake.

Another trick scammers will use is email spoofing, which you can spot by clicking reply and checking the email address that shows up in the "To" field. If it's a different email address than the one the email looks like it arrived from, you're likely dealing with a fake request.

**Go Through the Proper Protocols**

Now this is boring, but the best defense against business email compromise scams might be old-fashioned bureaucracy. If there is a process in place for things that are the common target of scams—large purchases, for example, or updating financial information in a database—then your company is less likely to fall victim to such scams.

“Most of the time, from a process perspective, that request of purchasing something would need to go through human resources, procurement,” says Tokazowski. If you get a request like this over email asking you to bypass the usual processes, be skeptical. “There needs to be a paper trail. Someone saying ‘purchase this from your personal account’ is a process that just wouldn't happen.”

A healthy company probably shouldn't be using email as the workflow for important financial processes. If you want to change your direct deposit information, for example, it's terrible practice for the workflow.

**Leaders: Keep Communication Open**

I have one last piece of advice, and it's for leaders inside companies: don't act in such a way that people will mistake scammers for you. If you regularly email employees and ask for urgent favors while telling people to keep quiet about these requests and to not work through the official channels, you're increasing the odds that your company falls victim to such scams. On the other hand, if you create a company culture of transparency, you're making the company stronger and more resistant.

“An important step is to ensure that you're trying to foster a culture of open communication,” says Tokazowski. Many organizations are structured in a way that communication between various levels is minimized. In such organizations, Tokazowski says, “skip-level meetings” are helpful. This is a style of meeting where a senior manager meets with a middle manager's direct reports without the middle manager there—skipping a level in the hierarchy—to develop stronger paths of communication between all the levels.

Another thing leaders should keep in mind is how important it is to talk openly if your company falls victim to such a scam.

“The shame that people feel, regardless of the type of scam, feeling horrible, is part of how these scams keep working,” says Larson. “Talking about it openly helps the person, their peers, and their colleagues learn how to understand how to protect themselves.”

How to Spot a Business Email Compromise Scam

The United States and China appear locked in a race to weaponize four-legged robots for military applications.

The Chinese military recently unveiled a new kind of battle buddy for its soldiers: a “robot dog” with a machine gun strapped to its back.

In video distributed by the state-run news agency CCTV, People's Liberation Army personnel are shown operating on a testing range alongside a four-legged robot with what appears to be a variant of the standard-issue 5.8 x 42-mm QBZ-95 assault rifle mounted on it as part of China’s recent Golden Dragon 24 joint military exercises with Cambodia in the Gulf of Thailand. In one scenario, Chinese soldiers stand on either side of a doorway while the robot dog enters the building ahead of them; in another, the robot fires off a burst of bullets as it advances on a target.

“It can serve as a new member in our urban combat operations, replacing our members to conduct reconnaissance and identify enemy \[sic\] and strike the target during our training,” one Chinese soldier shown operating the robot told CCTV.

This isn’t the first time the Chinese military-industrial complex has shown off an armed robot dog. In October 2022, Chinese defense company Kestrel Defense published a video showing an unmanned aerial vehicle air-dropping a quadrupedal ground vehicle affixed with a 5.8 x 42-mm QBB-97 light machine gun on a roof during an urban warfare experiment. The company had previously released footage of robot dogs outfitted with combat systems that included everything from smoke grenades to loitering munitions. And as recently as this March, Chinese researchers claimed that tests involving robot dogs outfitted with an unidentified 7.62-mm rifle (likely a variant of the Type 56 assault rifle that’s based on the ubiquitous Soviet-made AK-47) yielded marksmanship that rivaled trained Chinese sharpshooters, according to the South China Morning Post.

China’s demonstration clearly rankled international observers, prompting at least one American lawmaker to call on the US Defense Department for a report on “rifle-toting robot dogs” and their potential national security implications. But if the Chinese military is pioneering the weaponization of robot dogs, then the United States military isn’t far behind.

In the past year, the Pentagon has experimented with outfitting quadrupedal ground robots with its standard-issue 5.56 x 45-mm M4A1 carbine, the 6.8-mm XM7 rifle that the US Army is in the process of adopting under its Next Generation Squad Weapon program, and even the M72 Light Anti-Tank Weapon that’s been in service with American troops since the Vietnam War. Just weeks before CCTV published its footage of armed robot dogs in action, Marine Corps Special Operations Command (MARSOC) revealed that it was experimenting with adding mounted gun systems based on defense contractor Onyx’s artificial intelligence-enabled SENTRY remote weapons system to its own mechanized canines.

American defense officials have been quick to emphasize that the development of weaponized robot dogs is, at this stage, purely experimental, intended to help military planners “explore the realm of the possible” when it comes to the potential applications of revolutionary robotic systems in a future conflict, as one Army official put it last August. But with Army soldiers conducting urban assault drills alongside robot dogs and the Marine Corps increasingly eyeing mechanical quadrupeds to augment future formations with “intelligent robotics,” it may not be too long before the US military is forced to seriously consider adopting armed robot canines for combat before China does.

“Why are we acting surprised by this? It was so obviously coming,” Peter W. Singer, a senior fellow at the Washington, DC-based think tank New America and expert on advanced military technology, tells WIRED. “The first wheeled and tracked \[explosive ordnance disposal\] robots had cameras on them to inspect roadside bombs, then someone added guns to them; the same thing with the Predator drone, which started out unarmed until the military strapped missiles to it. Armed robotics has been a trendline for years.”

A human-machine integration test using the Ghost Robotic Dog and the US Army Small Multipurpose Equipment Transport at Fort Irwin, California, March 15, 2024.Photograph: Spc. Samarion Hicks/U.S. Army/DVIDS

**Man’s Best Friend**

Quadrupedal robots aren’t a new development in the annals of military technology. In 2005, robotics leader Boston Dynamics unveiled BigDog, a four-legged mechanical “pack mule” that was intended to haul weapons and supplies for US troops over terrain considered unwelcoming to traditional wheeled or tracked ground vehicles. Funded by the Defense Advanced Research Projects Agency and adopted as the Legged Squad Support System by the Marine Corps Warfighting Laboratory, BigDog was eventually deemed too loud for practical use and discontinued after a decade and more than $40 million invested in the much-hyped project.

Despite BigDog’s shortcomings, the underlying research behind the system eventually gave rise to Spot, a smaller and quieter “robot dog” that Boston Dynamics debuted in 2015. While too small to lug around gear and weapons, the system immediately had clear military applications for everything from base perimeter security to remote site inspection. In the years since its introduction, Spot has proven the platform-defining vision of quadrupedal ground robots, inspiring both collaborators like Asylon Robotics’ DroneDog and alleged imitators like Ghost Robotics’ Vision 60 to compete for a slice of the Defense Department’s growing robotics budget.

Based on publicly available media in Defense Visual Information Distribution Service (DVIDS), the Pentagon’s media distribution hub, the adoption of robot dogs across the US military didn’t start in earnest until 2020, when the Air Force integrated a handful of Ghost Robotics systems into what’s called an “agile combat employment” exercise at Nellis Air Force Base in Nevada, which saw airmen work with their new best friends to secure an airfield against a simulated attack. Just a few months later, officials at Tyndall Air Force Base in Florida became the first US military installation in the world to incorporate the semiautonomous robot dogs into its base security regimen.

“These dogs will be an extra set of eyes and ears while computing large amounts of data at strategic locations throughout Tyndall Air Force Base,” Major Jordan Criss, 325th Security Forces Squadron commander, said of the systems during initial testing in late 2020. “They will be a huge enhancement for our defenders and allow flexibility in the posting and response of our personnel.”

In the intervening years, robot dogs have become an increasingly common fixture across the US military, beyond patrolling sensitive installations. In July 2023, Minot Air Force Base in North Dakota introduced robot dogs to enable airmen to respond to chemical, biological, radiological, and nuclear threats “without risking the safety of themselves or others.” In August, Patrick Space Force Base in Florida added robot dogs to its perimeter security rotation for an “additional detection and alert capability.” That same month, the Naval Surface Warfare Center, Philadelphia Division, announced the employment of robot dogs to “build 3-D ship models aboard the ‘mothballed’ fleet of decommissioned ships at the Philadelphia Navy Yard,” while the Coast Guard unveiled four-legged “droid” dogs in Hawaii to “combat weapons of mass destruction.” Finally, in November, airmen at Barksdale Air Force Base in Louisiana debuted robot dogs for explosive ordnance disposal.

Despite these practical noncombat applications, some robotics companies have had an eye on weaponization. In October 2021, Ghost Robotics showed off a so-called “Special Purpose Unmanned Rifle,” or SPUR, quadrupedal robot with an 6.5-mm Creedmoor assault rifle developed by SWORD International mounted on its back during an annual Army weapons expo in Washington, DC, in the first public example of a robot dog armed with a firearm. The following year, a video of a robot dog outfitted with a PP-19 Vityaz submachine gun by Russian entrepreneur Alexander Atamov quickly went viral on YouTube and Twitter. By 2023, an American company had debuted a robot dog with a flamethrower strapped to its back, albeit not explicitly for military use (no longer fielded to US soldiers, using flamethrowers against enemy combatants is technically not prohibited). Like the Predator drone, you can’t build a new robot without someone slapping a weapon on it.

**Cry Havoc**

The public reception to weaponized robot dogs is overwhelmingly defined by concern mixed with discomfort, especially given the rise of autonomous or semiautonomous weapon systems that can independently track and identify targets. Even beyond the conventional invocation of _Terminator_\-inspired techno-anxiety, the robot dogs appear eerily reminiscent of the menacing mechanized canines of _Black Mirror_.

Part of the creep factor stems from the “uncanny valley,” says Singer, invoking the psychological phenomenon in which robots that look and act almost-but-not-quite natural end up unnerving their human observers. “On the engineering side, these robots take inspiration from nature, since real dogs are, through evolution, designed to operate really well in the field,” Singer says. “As a result, we layer our beliefs about these types of creatures on top of ‘bioinspired’ robots, and the more something acts lifelike but not likelike, the more we react with fear or disgust.”

Such anxiety over armed robot dogs even prompted six leading robotics companies—led by Spot pioneer Boston Dynamics—to release a letter in October 2022 promising to prohibit military customers from weaponizing their robots for combat purposes. (SPUR creator Ghost Robotics was not a signatory.)

“We believe that adding weapons to robots that are remotely or autonomously operated, widely available to the public, and capable of navigating to previously inaccessible locations where people live and work, raises new risks of harm and serious ethical issues,” the companies wrote. “Weaponized applications of these newly-capable robots will also harm public trust in the technology in ways that damage the tremendous benefits they will bring to society.”

To be fair, both the US military and American robotics companies have urged caution when it comes to developing autonomous weapons systems. Upon unveiling the SPUR, late Ghost Robotics CEO Jiren Parikh emphasized that the armed robot always has an operator in the loop, with no AI or autonomy-related systems that could potentially falter under extreme circumstances. And while the SENTRY turret that MARSOC is reportedly testing affixed to a pair of robot dogs does use AI to scan for and identify targets, the company also emphasized that the decision to engage with the weapon system is completely reliant on a human operator. While the idea of armed robot dogs with minds of their own running amok may be a recent addition to Americans’ dystopian imagination, the US military-industrial complex appears firmly focused on keeping humans in control at all times.

Ghost Robotics Quadruped Unmanned Ground Vehicles (Q-UGV) pose for a photo at Cape Canaveral Space Force Station, Florida, in July 2022.Photograph: Senior Airman Samuel Becker/U.S. Space Force/DVIDS

Despite understandable concerns over their growing role in military affairs, anxiety over packs of armed robot dogs operating on a future battlefield may be premature, according to Sam Bendett, an analyst at the Virginia-based Center for Naval Analyses think tank whose research focuses on robotics and unmanned systems. While footage of armed robot dogs may alarm the average observer, these systems are currently nowhere near agile or versatile enough to make practical sense on chaotic battlefields.

“I had a chance to operate \[a robot dog\] at an AI conference in the Netherlands last year, and it doesn’t have the same dexterity you would expect from a quadruped,” Bendett tells WIRED. “It’s not quite as dexterous, as flexible, or as fast in how it operates. Apart from videos of them doing push-ups and shit like that, it doesn’t run, it can maybe jog, but it can’t even make a turn quite as fast as a tracked or wheeled unmanned ground vehicle.”

“The battlefield is full of man-made and natural countermeasures,” he adds. “That doesn't mean the US and China won't try it out, but it’ll just be in a more limited capacity.”

The Chinese military exercise spotlighted on CCTV may appear concerning, but it’s still a controlled exercise in a managed, relatively stable environment, Bendett says. Until robot dogs demonstrate that they can navigate “the debris of the battlefield” under less-than-ideal conditions, they’ll remain something of a mechanical novelty for military planners.

“Yes, they’re neat, they’re cool,” Bendett says. “But show me a video of a pack of these moving on their own through a forest, not just walking by tapping their feet at every step but actually jogging between trees the way I would with a dog. Then we’ll get to the point where these are actual combat dogs.”

It’s unclear what the future of robot dogs might look like in the ranks of the US military, or even the Chinese military. While they’ve certainly proved useful in augmenting base security and conducting hazardous operations like explosive ordnance disposal, their potential combat applications remain understandably ambiguous. But given American and Chinese military planners’ ongoing experiments with armed robot dogs, the future of warfare may involve not just the grind of tank treads and the roar of helicopter rotors, but the metallic patter of four-legged death across distant battlefields.

Let Slip the Robot Dogs of War

Law enforcement authorities have allegedly arrested a key member of the notorious cybercrime group called Scattered Spider.
The individual, a 22-year-old man from the United Kingdom, was arrested this week in the Spanish city of Palma de Mallorca as he attempted to board a flight to Italy. The move is said to be a joint effort between the U.S. Federal Bureau of Investigation (FBI) and the

Law enforcement authorities have allegedly arrested a key member of the notorious cybercrime group called Scattered Spider.

The individual, a 22-year-old man from the United Kingdom, was arrested this week in the Spanish city of Palma de Mallorca as he attempted to board a flight to Italy. The move is said to be a joint effort between the U.S. Federal Bureau of Investigation (FBI) and the Spanish Police.

News of the arrest was first reported by Murcia Today on June 14, 2024, with vx-underground subsequently revealing that the apprehended party is "associated with several other high profile ransomware attacks performed by Scattered Spider."

The malware research group further said the individual was a SIM swapper who operated under the alias "Tyler." SIM-swapping attacks work by calling the telecom carrier to transfer a target's phone number to a SIM under their control with the goal of intercepting their messages, including one-time passwords (OTPs), and taking control of their online accounts.

According to security journalist Brian Krebs, Tyler is believed to be a 22-year-old from Scotland named Tyler Buchanan, who goes by the name "tylerb" on Telegram channels related to SIM-swapping.

Tyler is the second member of the Scattered Spider group to be arrested after Noah Michael Urban, who was charged by the U.S. Justice Department earlier this February with wire fraud and aggravated identity theft for offenses.

Scattered Spider, which also overlaps with activity tracked the monikers 0ktapus, Octo Tempest, and UNC3944, is a financially motivated threat group that's infamous for orchestrating sophisticated social engineering attacks to gain initial access to organizations. Members of the group are suspected to be part of a bigger cybercriminal gang called The Com.

Initially focused on credential harvesting and SIM swapping, the group has since adapted their tradecraft to focus on ransomware and data theft extortion, before shifting to encryptionless extortion attacks that aim to steal data from software-as-a-service (SaaS) applications.

"Evidence also suggests UNC3944 has occasionally resorted to fear-mongering tactics to gain access to victim credentials," Google-owned Mandiant said. "These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material."

Mandiant told The Hacker News the activity associated with UNC3944 exhibits some level of similarities with another cluster tracked by Palo Alto Networks Unit 42 as Muddled Libra, which has also been observed targeting SaaS applications to exfiltrate sensitive data. It, however, emphasized that they "should not be considered the 'same.'"

The names 0ktapus and Muddled Libra come from the threat actor's use of a phishing kit that's designed to steal Okta sign-in credentials and has since been put to use by several other hacking groups.

"UNC3944 has also leveraged Okta permissions abuse techniques through the self-assignment of a compromised account to every application in an Okta instance to expand the scope of intrusion beyond on-premises infrastructure to Cloud and SaaS applications," Mandiant noted.

"With this privilege escalation, the threat actor could not only abuse applications that leverage Okta for single sign-on (SSO), but also conduct internal reconnaissance through use of the Okta web portal by visually observing what application tiles were available after these role assignments."

Attack chains are characterized by the use of legitimate cloud synchronization utilities like Airbyte and Fivetran to export the data to attacker-controlled cloud storage buckets, alongside taking steps to conduct extensive reconnaissance, set up persistence through the creation of new virtual machines, and impair defenses.

Additionally, Scattered Spider has been observed making use of endpoint detection and response (EDR) solutions to run commands such as whoami and quser in order to test access to the environment.

"UNC3944 continued to access Azure, CyberArk, Salesforce, and Workday and within each of these applications conducted further reconnaissance," the threat intelligence firm said. "Specifically for CyberArk, Mandiant has observed the download and use of the PowerShell module psPAS specifically to programmatically interact with an organization's CyberArk instance."

The targeting of the CyberArk Privileged Access Security (PAS) solution has also been a pattern observed in RansomHub ransomware attacks, raising the possibility that at least one member of Scattered Spider may have turned into an affiliate for the nascent ransomware-as-a-service (RaaS) operation, according to GuidePoint Security.

The evolution of the threat actor's tactics further coincides with its active targeting of finance and insurance industries using convincing lookalike domains and login pages for credential theft.

The FBI told Reuters last month that it's laying the groundwork to charge hackers from the group that has been linked to attacks targeting over 100 organizations since its emergence in May 2022.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.K. Hacker Linked to Notorious Scattered Spider Group Arrested in Spain

A model can be perfectly innocent, yet still dangerous if the means by which it's packed and unpacked are tainted.

Source: Barry Mason via Alamy Stock Photo

Researchers have concocted a new way of manipulating machine learning (ML) models by injecting malicious code into the process of serialization.

The method focuses on the "pickling" process used to store Python objects in bytecode. ML models are often packaged and distributed in Pickle format, despite its longstanding, known risks.

As described in a new blog post from Trail of Bits, Pickle files allow some cover for attackers to inject malicious bytecode into ML programs. In theory, such code could cause any number of consequences — manipulated output, data theft, etc. — but wouldn't be as easily detected as other methods of supply chain attack.

"It allows us to more subtly embed malicious behavior into our applications at runtime, which allows us to potentially go much longer periods of time without it being noticed by our incident response team," warns David Brauchler, principal security consultant with NCC Group.

**Sleepy Pickle Poisons the ML Jar**

A so-called "Sleepy Pickle" attack is performed rather simply with a tool like Flicking. Flicking is an open source program for detecting, analyzing, reverse engineering, or creating malicious Pickle files. An attacker merely has to convince a target to download a poisoned .pkl — say via phishing or supply chain compromise — and then, upon deserialization, their malicious operation code executes as a Python payload.

Poisoning a model in this way carries a number of advantages to stealth. For one thing, it doesn't require local or remote access to a target's system, and no trace of malware is left to the disk. Because the poisoning occurs dynamically during deserialization, it resists static analysis. (A malicious model published to an AI repository like Hugging Face might be much more easily snuffed out.)

Serialized model files are hefty, so the malicious code necessary to cause damage might only represent a small fraction of the total file size. And these attacks can be customized in any number of ways that regular malware attacks are to prevent detection and analysis.

While Sleepy Pickle can presumably be used to do any number of things to a target's machine, the researchers noted, "controls like sandboxing, isolation, privilege limitation, firewalls, and egress traffic control can prevent the payload from severely damaging the user’s system or stealing/tampering with the user’s data."

More interestingly, attacks can be oriented to manipulate the model itself. For example, an attacker could insert a backdoor into the model, or manipulate its weights and, thereby, its outputs. Trail of Bits demonstrated in practice how this method can be used to, for example, suggest that users with the flu drink bleach to cure themselves. Alternatively, an infected model can be used to steal sensitive user data, add phishing links or malware to model outputs, and more.

**How to Safely Use ML Models**

To avoid this kind of risk, organizations can focus on only using ML models in the safer file format, Safetensors. Unlike Pickle, Safetensors deals only with tensor data, not Python objects, removing the risk of arbitrary code execution deserialization.

"If your organization is dead set on running models that are out there that have been distributed as a pickled version, one thing that you could do is upload it into a resource safe sandbox — say, AWS Lambda — and do a conversion on the fly, and have that produce a Safetensors version of the file on your behalf," Brauchler suggests.

But, he adds, "I think that's more of a Band-Aid on top of a larger problem. Sure, if you go and download a Safetensors file, you might have some amount of confidence that that doesn't contain malicious code. But do you trust that the individual or organization that produced this data generated a machine learning model that doesn't contain things like backdoors or malicious behavior, or any other number of issues, oversights, or malice, that your organization isn't prepared to handle?"

"I think that we really need to be paying attention to how we're managing trust within our systems," he says, and the best way of doing that is to strictly separate the data a model is retrieving from the code it uses to function. "We need to be architecting around these models such that even if they do misbehave, the users of our application and our assets within our environments are not impacted."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'Sleepy Pickle' Exploit Subtly Poisons ML Models

Mattermost Desktop App versions <=5.7.0 fail to disable certain Electron debug flags which allows for bypassing TCC restrictions on macOS.

**Mattermost Desktop App allows for bypassing TCC restrictions on macOS**

Low severity GitHub Reviewed Published Jun 14, 2024 to the GitHub Advisory Database • Updated Jun 17, 2024

GHSA-xgqm-wp7w-mgg2: Mattermost Desktop App allows for bypassing TCC restrictions on macOS

Apple's guarantee of privacy on every AI transaction could influence trustworthy AI deployments.

Source: OleCNX via Alamy Stock Photo

Apple has long styled itself as the company that cares about privacy, and it continues to tout its privacy bona fides with Apple Intelligence.

At this week's Worldwide Developer Conference, the company announced Apple Intelligence, its secure AI system, and plans to integrate AI across its devices and applications. The AI features will be used to upgrade personal assistant features in Apple devices and provide assistance with writing and image manipulation.

While a lightweight AI model runs locally on Apple devices, more complex queries will go to the cloud. Apple will assess the complexity and computing power required by an AI query and decide whether to process it on device or send it to the cloud. Data won’t leave the device if it is processed on device, and layers of security protect the information sent to the cloud.

Within this secure AI system, user data is not visible to anyone, even Apple, and is deleted once a query is answered, the company said.

"Your data is never stored or made accessible to Apple. It's used exclusively to fulfill your request," said Craig Federighi, senior vice president of software engineering at Apple, during a WWDC keynote.

**Trusted AI Deployments?**

Apple's guarantee of privacy on every AI transaction — whether on-device or in the cloud — is ambitious and could influence trustworthy AI deployments.

Apple's hardware and software implementation to guarantee privacy on every AI transaction sets a high bar on zero-trust infrastructure that competitors may try to match, says James Sanders, an analyst at chip research firm TechInsights.

Sanders notes there is a "growing trust problem" with LLMs, especially as top AI providers collect information from users to train large-language models or improve services. Google collects user data from across its vast portfolio of products to boost its capabilities. It also includes human reviewers to evaluate answers with the ultimate goal to improve its Gemini AI service.

Apple did not announce its own AI infrastructure and instead will be integrating with OpenAI. Apple left open the possibility of working with others as well. Users will be prompted to agree to send user data to OpenAI.

"I do wonder to what extent this is going to put pressure on Microsoft to adopt a similar method," Sanders says.

**Building an AI Walled Garden**

As part of its investments, the company has built a trustworthy cloud infrastructure called Private Compute Cloud with new servers and chips to handle AI queries that demand more computing power. Apple's secure boot and secure enclaves protect data.

"These models run on servers … specially created using Apple silicon. These Apple silicon servers offer the privacy and security of your iPhone from the silicon on up," Apple’s Federighi said.

Private data can be easily stolen en route or from the cloud, but Apple is using the latest hardware and software techniques to protect the data, said Matthew Green, associate professor at Johns Hopkin’s computer science department. Apple devices generate encryption keys, which authenticates devices and cloud connections. The request is then sent to a secure enclave on Apple's servers, where the requests are processed.

Apple is also taking a serverless approach in which data is deleted once the answer is sent back. New keys are generated each time a system reboots. The operating system also has an attestation system to verify users and software images.

"Specifically, it signs a hash of the software and shares this with every phone/client. If you trust this infrastructure, you'll know it's running a specific piece of software," Green said.

Apple controls nearly every major piece of software and hardware in its infrastructure, which makes it easier for them to build a strong privacy wall around its AI service, said Alex Matrosov, CEO of security company Binarly.io.

“I really liked how they frame all the requirements and specifically use their own silicon. Once they control everything, they can guarantee the chain of trust from the silicon to the cloud,” Matrosov said.

Rival providers don’t have nearly the same level of control over their AI infrastructure. Unlike Apple, they can’t lock down security as queries pass through various hardware and software layers, Matrosov says. For example, OpenAI and Microsoft process queries through GPUs from Nvidia, which handles vulnerability discovery and patching.

"If Apple sets the standard, the effect will be 'why I should buy Android if I don’t care about the privacy.' The next step will be Google following up and trying to maybe implement or do the similar thing," Matrosov said.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Apple's AI Offering Makes Big Privacy Promises

The recently identified threat actor uses public registries for distribution and has expanded capabilities to disrupt the software supply chain.

Source: Igor Stevanovic via Alamy Stock Photo

A newly identified North Korean threat actor has widened its distribution of malicious node package manager (npm) code to public registries. And it's differentiating itself from other state-sponsored groups as it ramps up activity to threaten the software supply chain by poisoning open source code repositories.

Moonstone Sleet first appeared on the scene late last month, when Microsoft revealed that the threat group concurrently was engaged in espionage and financial cyberattacks using a grab bag of attack techniques against aerospace, education, and software organizations and developers.

Among those techniques was to try to get hired for remote tech jobs with real companies and, in the process, spread malicious npm packages on LinkedIn and freelancer websites. Now researchers from CheckMarx have discovered that the scope of Moonstone Sleet's malicious npm package activity is wider than first reported, according to a blog post published on June 13.

The actor is "placing those malicious packages in public open source package repositories that are accessible to developers," an activity that allows the actor to expand its attack surface, Tzachi Zornstein, head of software supply chain at Checkmarx, tells Dark Reading.

"With the revelation of this new North Korean group, coupled with the recent attacks by Russian and North Korean threat actors … it has become increasingly apparent that the open-source ecosystem has become a prime target for powerful and sophisticated adversaries," Zornstein and fellow CheckMarx researcher Yehuda Gelb wrote in the post.

The researchers cite the multiyear supply chain attack that started with a backdoor implanted in the XZ Utils data compression utility to demonstrate how spreading malicious open source code can have a massive ripple effect across the security of enterprise software.

**Differentiation From Lazarus Activity**

CheckMarx also discovered how Moonstone Sleet is setting itself apart through the structure and the style of its malicious code packages from another well-known and prolific North Korean actor — Jade Sleet, better known as Lazarus — that engages in similar activity.

The newest packages published late last year and in the first quarter of 2024 show Moonstone Sleet using "a single-package approach" that executes its payload immediately upon installation, the researchers wrote.

Further, while earlier malicious payloads "included OS-specific code, executing only if it detected that it was running on a Windows machine," packages released earlier this year show the actor adding obfuscation and creating code to target Linux systems if that OS is detected by the package, the researchers revealed.

In contrast, Lazarus designed its packages, discovered in the summer of 2023, to work in pairs, with each pair being published by a separate npm user account to distribute their malicious functionality. "This approach was used in an attempt to make it more challenging to detect and trace the malicious activity back to a single source," Zornstein and Gelb wrote.

The first package from Lazarus would create a directory on the victim's machine, fetch updates from a remote server, and save them in a file within the newly created directory, while the second package would execute the malicious payload.

**Evolving Threat to Open Source Ecosystem**

The tactic of publishing malicious npm packages by North Korean threat actors in general "underscores the persistent nature of their campaign" and poses a growing risk for the open source community that depends on public registries for software development.

"By uploading those malicious packages to a public registry, the attackers abuse the trust that developers have for the open source registries," Zornstein says.

However, while the open source community plays a key role in maintaining the security and integrity of the ecosystem, the primary responsibility for ensuring the safety of the software supply chain lies with the organizations that consume these packages. That's why it's imperative for organizations to "scan the code in the packages for malicious behaviors … prior to making the code available to developers," he says.

Developers and organizations also should continue to collaborate and share information among themselves and with the security community to identify and thwart these attacks, the researchers said. "Through collective effort and proactive measures," they wrote, "we can work towards a safer and more secure open-source ecosystem for all."

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#mac