Hackers are abusing legitimate Windows utilities to target Thai law enforcement with a novel malware that is a mix of sophistication and amateurishness.

Source: CPA Media Pte Ltd via Alamy Stock Photo

Unknown hackers are targeting individuals associated with Thailand's government, using a new and unwieldy backdoor dubbed "Yokai," potentially named after a type of ghost found in the video game Phasmophobia, or after spirits in Japanese folklore.

Researchers from Netskope recently came across two shortcut (LNK) files disguised as .pdf and .docx files, unsubtly named as if they pertained to official US government business with Thailand. The attack chain tied to these fake documents cleverly used legitimate Windows binaries to deliver the previously unknown backdoor, which appears to be a hastily developed program designed to run shell commands. It carries a risk of unintended system crashes, the researchers noted.

**Ghost in the Machine: US-Themed Lures in Phishing Attack**

From Thai, the lure documents translate to "United States Department of Justice.pdf" and “Urgently, United States authorities ask for international cooperation in criminal matters.docx." Specifically, they made reference to Woravit "Kim" Mektrakarn, a former factory owner in California tied to the disappearance and suspected murder of an employee in 1996. Mektrakarn was never apprehended and is believed to have fled to Bangkok.

"The lures also suggest they are addressed to the Thai police," notes Nikhil Hegde, senior engineer for Netskope. "Considering the capabilities of the backdoor, we can speculate that the attacker's motive was to get access to the systems of the Thai police."

Related:Russian FSB Hackers Breach Pakistani APT Storm-0156

Like any other phishing attack, opening either of these documents would cause a victim to download malware. But the path from A to B wasn't so jejune as that might suggest.

**Abusing Legitimate Windows Utilities**

To begin their attack chain, the attackers made use of "esentutl," a legitimate Windows command line tool used to manage Extensible Storage Engine (ESE) databases. Specifically, they abused its ability to access and write to alternate data streams (ADS).

In Windows' New Technology File System (NTFS), files commonly contain more than just their primary content — their main "stream." An image or text document, for example, will also come packed with metadata — even hidden data — which won't be visible in the normal listing of the file, because it is not so pertinent to users. An unscrutinized channel for appending hidden data to a seemingly harmless file, however, is a luxury to a cyberattacker.

"ADS is often used by attackers to conceal malicious payloads within seemingly benign files," Hegde explains. "When data is hidden in an ADS, it does not alter the visible size or properties of the primary file. This allows attackers to evade basic file scanners that only inspect the primary stream of a file."

Related:Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel

Opening the shortcut files associated with this campaign would trigger a hidden process, during which Esentutl would be used to pull decoy government documents, and a malicious dropper, from two alternate data streams. The dropper would carry with it a legitimate copy of the iTop Data Recovery tool, used as a gateway for sideloading the Yokai backdoor.

**Inside the Yokai Backdoor Malware**

Upon entering a new system, Yokai checks in with its command-and-control (C2) base, arranges an encrypted channel for communication, then waits for its orders. It can run any ordinary shell commands in order to steal data, download additional malware, etc.

“There are some sophisticated elements in Yokai," Hegde says. For example, "Its C2 communications, when decrypted, are very structured." In other ways, though, it proves rough around the edges.

If run using administrator privileges, Yokai creates a second copy of itself, and its copy creates a third copy, ad infinitum. On the other hand, to prevent itself from running multiple times on the same machine, it checks for the presence of a mutex file — if the file exists, it terminates itself, and if it doesn't, it creates it. This check occurs after the self-replication step, however, only after the malware has begun spawning out of control. "This leads to repetitive, rapid duplicate executions that immediately terminate upon finding the mutex. This behavior would be clearly visible to an EDR, diminishing the stealth aspect of the backdoor," Hegde says.

Related:China's Elite Cyber Corps Hone Skills on Virtual Battlefields

Even a regular user might notice the strange effects to their machine. "The rapid spawning creates a noticeable slowdown. If the system is already under heavy load, process creation and execution might already be slower due to resource contention, further exacerbating the system's performance issues," he says.

In all, Hegde adds, "This juxtaposition of sophistication and amateurism stands out the most to me, almost as if two different individuals were involved in its development. Given the version strings found in the backdoor and its variants, it is likely still being continuously developed."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Thai Police Systems Under Fire From 'Yokai' Backdoor

Yet another day, yet another data leak tied to Cisco!

****SUMMARY:****

*   **Partial Data Leak**: Hackers leaked 2.9GB of Cisco’s data on _Breach Forums_ on December 16, 2024.

*   **Exposed Records**: The leaked data is part of a 4.5TB dataset that was allegedly left unprotected by Cisco in October 2024.

*   **Previous Incident**: IntelBroker previously claimed responsibility for accessing the exposed data and attempted to sell it, including sensitive information from companies like Verizon, AT&T, and Microsoft.

*   **Cisco’s Response**: Cisco previously denied any compromise of core systems, attributing the issue to a misconfigured public-facing DevHub resource.

*   **Proof of Legitimacy**: IntelBroker released this partial leak to demonstrate the validity of their claims and attract buyers for the remaining data.

**RIBridges Breach**: Hackers infiltrated Rhode Island’s health and benefits system, demanding ransom and threatening to leak sensitive data.

On Monday, December 16, 2024, hackers leaked what they referred to as “partial data” belonging to technology and cybersecurity giant Cisco. The leak occurred on the cybercrime and data breach platform Breach Forums, where IntelBroker, a notorious hacker and the forum’s owner, released 2.9 GB of data for download.

****Important Background****

The leaked data is part of the 4.5TB content that hackers claim was left exposed by Cisco without any password protection or security authentication, allowing them to download the entire dataset in October 2024.

Hackread.com exclusively reported on the incident on October 14, 2024, when IntelBroker attempted to sell the data, which allegedly included source codes, confidential documents, and credentials belonging to global firms like Verizon, AT&T, Microsoft, and others.

At the time, Cisco did not respond to Hackread.com but denied any compromise of their core systems, attributing the incident to a misconfigured public-facing DevHub resource. However, IntelBroker maintained they had access until October 18 and provided evidence to Hackread.com showing they exploited an exposed token for JFrog, a software supply chain platform, to access the exposed content.

****What’s in the Leaked Data?****

This time, IntelBroker has leaked a portion of the data in an attempt to prove its legitimacy to potential buyers. “Hopefully, this proves the legitimacy of the breach to others wanting to buy the full version,” the hacker stated.

The 2.9GB leak reportedly contains the following:

*   **Cisco ISE (Identity Services Engine)**: A security policy platform that provides secure network access control and identity management.

*   **Cisco SASE (Secure Access Service Edge)**: A cloud-delivered solution that combines networking and security functions for secure access from anywhere.

*   **Cisco Webex**: A collaboration platform offering video conferencing, messaging, and calling solutions for teams and businesses.

*   **Cisco Umbrella**: A cloud-based DNS security solution that protects users from threats by securing internet access and blocking malicious domains.

*   **Cisco IOS XE & XR**: Network operating systems used in Cisco routers and switches, enabling advanced networking, automation, and programmability.

*   **Cisco C9800-SW-iosxe-wlc.16.11.01**: A software-based Wireless LAN Controller (WLC) image that manages and controls wireless networks running on Cisco Catalyst 9800 Series platforms.

Here’s a screenshot from Breach Forums showing what the hackers have leaked and the claims they are making:

IntelBroker on Breach Forums (Screenshot credit: Hackread.com)

****Intel Broker and Previous Breaches****

Intel Broker is known for high-profile data breaches. **In June 2024**, the hacker claimed to have breached Apple Inc., stealing source code for internal tools. The same hacker boasted about **breaching AMD** (Advanced Micro Devices, Inc.), and stealing employee and product information.

**In May 2024**, Intel Broker hacked Europol, a breach that the agency later confirmed. Some of the hacker’s previous data breaches are listed below:

*   **Tech in Asia**
*   **Space-Eyes**
*   **Home Depot**
*   **Facebook Marketplace**
*   **Staffing giant Robert Half**
*   **U.S. contractor Acuity Inc.**
*   **Los Angeles International Airport**
*   **Alleged breaches of HSBC and Barclays Bank**

Nevertheless, the partial leak goes on to show ongoing exploitation of misconfigured systems and exposed data. The scale of exploitation is evident, as even high-profile hackers like ShinyHunters and Nemesis **have targeted** misconfigured servers and S3 buckets.

While Cisco has yet to respond to this latest development, IntelBroker’s actions also show how such incidents can escalate into extortion attempts. Whether the remaining 4.5TB dataset will be sold, leaked, or resolved remains to be seen, but it’s a reminder for organizations to maintain their security practices and protect sensitive data.

1.  IntelBroker Claim Access to Nokia Internal Data, Selling for $20K
2.  Europol Hacked: IntelBroker Claims Major Law Enforcement Breach
3.  IntelBroker Space-Eyes Breach, Targeting US National Security Data
4.  IntelBroker Claims Breach of Top Cybersecurity Firm, Selling Access
5.  AMD Data Breach: IntelBroker Claims Theft of Employee, Product Info

Hackers Leak Partial Cisco Data from 4.5TB of Exposed Records

Program designed to validate and sharpen cybersecurity skills for working professionals.

PRESS RELEASE

DOWNERS GROVE, Ill., Dec. 17, 2024 /PRNewswire/ -- A new vendor-neutral expert-level cybersecurity certification for cybersecurity professionals continues the comprehensive efforts to strengthen today's dynamic workforce by CompTIA, the global leader in IT certifications and training.

CompTIA SecurityX is the second of multiple new certifications included in the CompTIA Xpert Series, which was developed for IT professionals with multiple years of work experience who want to confirm their expert-level knowledge of business-critical technologies. CompTIA DataX was introduced earlier this year, and CompTIA CloudNetX for advanced network and systems architects will be introduced in coming months.

CompTIA SecurityX, which replaces CompTIA Advanced Security Practitioner (CASP+), is designed for security architects and senior security engineers charged with leading and improving an enterprise's cybersecurity readiness. The name change does not affect the certification status of current CASP+ certification holders or the continuing education (CE) program.

"CompTIA SecurityX is the only hands-on, performance-based certification for advanced practitioners — not managers — at the advanced skill level of cybersecurity," said Patrick Lane, director, cybersecurity product management at CompTIA. "This program is the only certification on the market that qualifies technical leaders to assess cyber readiness within an enterprise, and design and implement the proper solutions to ensure the organization is ready for the next attack."

According to new data from CyberSeek™, the most comprehensive source of information on the U.S. cybersecurity workforce, nearly 265,000 more cybersecurity workers are required to address current staffing needs. Although the cybersecurity workforce has expanded each year since 2013, there are only enough workers to fill only 83% of the available cybersecurity jobs.

CompTIA SecurityX covers the technical knowledge and skills required to architect, engineer, integrate, and implement secure solutions across complex environments to support a resilient enterprise while considering the impact of governance, risk, and compliance requirements.

CompTIA SecurityX is compliant with ISO/ANSI 17024 standards and maps to DCWF work roles used by U.S. DoD Directive 8140.03M.

All certifications in the CompTIA Xpert Series are complemented with CertMaster Perform, which fills specific knowledge gaps rather than devoting time to already mastered materials. Learners are assessed at the beginning and throughout the learning process, focusing on key skills and tasks that are essential for an expert to know and understand.

The SecurityX CAS-005 learning product will upgrade to CertMaster Perform, which focuses on key hands-on security architect and senior security engineer skills within live environments. All of the Xpert series products will focus on more advanced, high-level hands-on skills using live labs.

CertMaster Perform for SecurityX assumes that the person who is taking the course already has years of experience in the fields of security architecture and senior security engineering. CertMaster Perform is designed to fill holes in knowledge rather than spend time on topics they already know. Learners will be assessed at the beginning of and throughout the learning process with a focus on key skills and tasks that are essential for an expert to know and understand.

Additional new features include enhanced virtual machine labs including challenge labs to cover each exam domain; demonstration videos to cover key topics from the course; podcast videos with cybersecurity professionals in the field; robust assessment content in CertMaster Perform and CertMaster Practice; and interactive activities throughout the course.

For complete information on CompTIA SecurityX and related CompTIA Learning resources visit https://www.comptia.org/certifications/securityx .

CompTIA Xpert Series Expands With SecurityX Professional Certification

SUMMARY Datadog Security Labs’ cybersecurity researchers have discovered a new, malicious year-long campaign from a threat actor identified…

****SUMMARY****

*   **Fake PoCs on GitHub**: Cybercriminals used trojanized proof-of-concept (PoC) code on GitHub to deliver malicious payloads to unsuspecting users, including researchers and security professionals.

*   **Credential Theft**: The attackers stole over 390,000 WordPress credentials, AWS access keys, SSH private keys, and other sensitive data from compromised systems.

*   **Stealth Techniques**: The campaign employed methods like backdoored configuration files, malicious PDFs, Python dropper scripts, and hidden npm packages to deploy the malware.

*   **Phishing Campaigns**: The attackers also targeted academics through phishing emails, tricking them into installing malware disguised as a fake kernel upgrade.

*   **Supply Chain Impact**: By leveraging trusted platforms like GitHub and popular tools, the attackers exploited the software supply chain, posing risks to professionals trusting these resources.

Datadog Security Labs’ cybersecurity researchers have discovered a new, malicious year-long campaign from a threat actor identified as MUT-1244, which resulted in the theft of over 390,000 WordPress credentials.

According to Datadog Security Labs’ research, the actor used a trojanized WordPress credentials checker to steal data. SSH private and AWS access keys were also stolen from the compromised systems of hundreds of victims. The attackers’ key targets included red teamers, penetration testers, security researchers, and even other malicious actors.

****Use of Phishing and Trojan****

Researchers observed that MUT-1244 has employed two main methods to gain initial access to victim systems including phishing and trojanized GitHub repositories.

**Phishing Campaign:** The campaign targeted academics, specifically those researching high-performance computing (HPC). The email urged them to install a fake kernel upgrade, leading to the download of malicious code.

**Trojanized GitHub Repositories:** MUT-1244 created numerous fake repositories on GitHub. These repositories disguised themselves as **proof-of-concept (PoC)** codes for known vulnerabilities. However, they contained hidden malicious code that infected victims who downloaded and ran them. 

****Fake PoCs: A New Yet Familiar Weapon****

It is worth noting that the use of fake PoCs has emerged as a new weapon for cybercriminals to target cybersecurity researchers and unsuspecting users. **In June 2023**, scammers were caught impersonating real cybersecurity researchers to spread malware disguised as PoCs on GitHub and X (formerly Twitter).

**In July 2023**, a similar campaign was discovered in which fake GitHub repositories were used to distribute malware posing as PoCs. Interestingly, the stolen identity used in that attack belonged to Shakhriyar Mamedyarov, an Azerbaijani chess grandmaster.

**By September 2023**, another malicious campaign surfaced, utilizing a fake proof-of-concept script to trick researchers into downloading and executing a VenomRAT payload. This attack exploited the WinRAR vulnerability (CVE-2023-40477).

****Techniques used in the trojanized repositories:****

The techniques used in the trojanized repositories included multiple methods to hide and deliver malicious payloads. Some repositories contained legitimate exploits but hid malicious code within lengthy, backdoored configuration files.

In other cases, the malicious code was embedded inside PDF files; once opened, the fake exploit would extract and execute the hidden payload. A few repositories employed Python dropper scripts to decode base64-encoded payloads, write them to disk and execute them.

Additionally, some repositories indirectly infected victims by incorporating malicious npm packages into their code, which then downloaded and executed the attacker’s payload.

The ultimate goal of these attacks was to steal sensitive information from victims, including private SSH keys, **AWS credentials**, and command history.  Moreover, research revealed the malicious code contained hardcoded credentials for Dropbox and file.io services. These credentials allowed the attacker to access and download the stolen data from infected machines.

****390,000 WordPress Credentials****

Another shocking disclosure was the attacker’s ability to access over 390,000 WordPress credentials. Researchers believe these credentials were originally obtained by other malicious actors and subsequently compromised when the attackers used a trojanized tool called “yawpp” to validate them. 

The attack flow and one of the profiles used in the scam (Credit: Datadog Security Labs)

“We assess with high confidence that before these credentials were exfiltrated to Dropbox, they were in the hands of offensive actors, who likely acquired them through illicit means,” Datadog’s **report** read.

Yawpp was advertised as a legitimate WordPress credentials checker, making it a perfect lure for attackers unaware of its malicious nature. Nevertheless, the MUT-1244 campaign shows that cybercriminals are finding new ways to trick users, making it vital for individuals to improve their skills. This is especially true for **employees with cybersecurity training**, as staying alert can help prevent risks to themselves and their organizations.

**Casey Ellis**, Founder and Advisor at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity commented on the issue stating, _“_Targeting red-teamers and security researchers through fake POCs is a troll technique as old as security research itself, however, as this attack demonstrates, it can also be an effective approach to watering-hole attacks._“_ Casey added, _“_This is a good reminder for those who provide offensive security services that they themselves are part of an exploitable supply-chain, and that malicious attackers know this._“_

1.  **Researcher release PoC exploit for 0-day in Chrome**
2.  **Facial DNA provider leaks biometric data via WordPress folder**
3.  **Thousands of WordPress Websites Hacked with Sign1 Malware**
4.  **Lazarus Targets Blockchain Pros with Fake Video Conferencing**
5.  **Hackers Publish PoC of 0-day Vulnerability in Windows on Twitter**

Hackers Use Fake PoCs on GitHub to Steal WordPress Credentials, AWS Keys

The marketing of illegal drugs on open platforms is “gaining prominence,” authorities note, while the number of drug transactions on the darkweb has decreased in recent years.

If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. Please also consider subscribing to WIRED

For every illegal drug, there is a combination of emojis that dealers and consumers use to evade detection on social media and messaging platforms. Snowflakes, snowfall, and snowmen symbolize cocaine. Love hearts, lightning bolts, and pill capsules mean MDMA, or “molly.” Brown hearts and dragons represent heroin. Grapes and baby bottles are the calling cards for codeine-containing cough syrup, aka “lean.” The humble maple leaf, meanwhile, is the universal symbol for all drugs.

The proliferation of open drug dealing on Instagram, Snapchat, and X—as well as on encrypted messaging platforms Telegram and WhatsApp—has transformed the fabric of illegal substance procurement, gradually making it more convenient, and arguably safer, for consumers, who can receive packages in the mail without meeting people on street corners or going through the rigmarole of the dark web. There is no reliable way to gauge drug trafficking on social media, but the European Union Drugs Agency acknowledged in its latest report on the drivers of European drug sales that purchases brokered through such platforms “appear to be gaining in prominence.”

Initial studies into drug sales on social media began to be published in 2012. Over the next decade, piecemeal studies began to reveal a notable portion of drug sales were being mediated by social platforms. In 2021, it was estimated some 20 percent of drug purchases in Ireland were being arranged through social media. In the US in 2018 and Spain in 2019, a tenth of young people who used drugs appear to have connected with dealers through the internet, with the large majority doing so through social media, according to one small study.

Some dealers these days are even brazen enough to boost their posts and pay for sponsored advertising. “Mushrooms and marijuana used to be hard to get and now they’re being marketed to me in beautiful packaging on Instagram,” says one 34-year-old in Austin, Texas that WIRED spoke to. Dealers ran hundreds of paid advertisements on Meta platforms in 2024 to sell illegal opioids and what appeared to be cocaine and ecstasy pills, according to a report this year by the Tech Transparency Project, and federal prosecutors are investigating Meta over the issue.

“You’re seeing a more sophisticated commoditization of the available marketplaces,” says Adam Winstock, a British consultant psychiatrist and addiction medicine specialist who is also the founder of the Global Drug Survey. The current drug-using younger generation are entirely used to getting everything online, he adds, reflecting the increasing integration of social media in people’s lives. “It’s convenient, \[and\] there’s less chance of violence.”

There are heightened concerns over the presence of super-strength opioids like fentanyl in drugs. But despite some contaminated pills having lethal effects on those who purchased them on the internet, Winstock says that drugs purchased through online networks are subject to “potentially better quality control”—with Telegram channels devoted to discussing the quality of drugs purveyed by certain dealers, and Amazon-style feedback sections within some vendors’ stores. “The question is where in the food chain that they’re cut,” Winstock says.

The menus provided by dealers through messaging apps and on social media are often lengthy and diverse, featuring prized varieties advertised for their purity and sold at significantly lower costs than equivalents available on the streets of London and New York. However, there’s been no formal evaluation of online and street drug sales that can attest to the relative purity and safety of what’s sold in either place—and illegal drugs always come with a safety risk, regardless of where they are bought from.

Even while traditional drug transactions continue to dominate, the apparent rise in sales of drugs through social media has coincided with a steep increase in the average value of transactions on the dark web, amid a fall in the overall number of transactions, according to the UN Office on Drugs and Crime’s 2024 World Drug Report. To the UNODC, this suggests “an increase in wholesale activities” on the dark web—though this could also reflect consumers who buy smaller quantities shifting from the darknet to the clearnet and encrypted messaging apps.

“End users seem to be buying their drugs on the dark web to a lesser extent than in previous years,” the UNODC said in its 2023 report. “Qualitative information provided by people who use social media suggests that the use of such media for drug purchasing purposes has been increasing, especially at the retail level.”

The shifting market trends also bring troubling developments. New and potentially more vulnerable population segments can be reached by exploitative drug dealers as they begin to sell on social platforms and the number of drug consumers in the US and around the world grows. The US Drug Enforcement Administration has warned that because dealers are “no longer confined to street corners and the dark web,” social media users’ posts and inboxes can be peppered by dealers seeking to purvey these addictive and, when misused, harmful drugs. “Social media extends the reach of the Sinaloa and Jalisco cartels directly into drug users’ phones, with potentially fatal consequences,” the DEA said in its 2024 national drug threat assessment report, bemoaning that dealers are more difficult to apprehend online than the streets.

Social media companies are under growing pressure to eradicate drug dealing on their platforms, says Ashly Fuller, a PhD candidate at University College London researching the sale and advertisement of illegal drugs to young people on social media. Data released by social media companies shows that millions of pieces of drug-related content are already taken down every year. (Facebook and Instagram took action against 9.3 million pieces of drug-related content last year, while Snapchat says it did so in 241,227 cases in the second half of 2023.) But these companies’ actions are sometimes indiscriminate. The accounts of organizations promoting drug harm reduction and social media personalities who post content about drugs and psychedelics, but who do not sell them, are being caught in the crossfire of efforts to get a grip on the issue.

A study by Fuller last year indicates that as many as 13 percent social media posts may advertise illegal drugs—underlining the scale of the issue Meta, X, TikTok, and Snapchat have on their hands. Drug sale advertisements could even be increasing in prevalence, according to a forthcoming study by Fuller which was shared with WIRED. She surveyed 1,100 13- to 18-year-olds and found that 60 percent of young people have seen drug-related content on social media (mostly for cannabis and psychedelics, which have been legalized or decriminalized in a few parts of the world). “They’re common enough that young people stumble upon them on TikTok and Instagram.”

In response, social media companies’ algorithms to detect drug-selling behavior are getting smarter and are aggregating images and emojis, Fuller says. “There is an understanding that seeing these ads on social media is correlated to a decreased risk perception, and young people are led to think the drugs are safer.” Of the teenagers she sampled, 10 percent reported purchasing drugs via social media. “Those exposed to drug ads were 17 times more likely to purchase drugs on social media compared to those who had not seen such ads,” she adds.

But according to Meta, no more than 1 in 2,000 views on Facebook is of content that violates its restricted goods policy. Between July and September 2024, Meta says that 96 percent of drug sales content that violated its terms was removed before a user reported it. TikTok, meanwhile, removed 99.5 percent of content violating its policy on alcohol, tobacco, and drugs before it was reported, according to its Community Guidelines Enforcement Report for the second quarter of 2024.

Meta, SnapChat, and TikTok declined to offer an on-the-record statement. X did not respond to requests for comment. A Telegram spokesperson said: “Telegram actively combats misuse of the platform, including for the sale of illicit substances. Moderators, empowered with custom AI and machine learning tools, remove millions of pieces of harmful content each day to keep the platform safe.”

The world’s first internet-facilitated sale, in the early 1970s and on the internet precursor Arpanet, was for an undetermined amount of cannabis. The agreement was between students. Today, strangers may contact you on social media offering drugs to buy. For as many people who believe this is something of a utopian development, you can be sure many more view it as dystopian—especially if the dealers are in fact scammers or selling dodgy goods.

“We were wondering if you will be interested in having a trip with our products,” one Instagram account messaged me recently. On X, meanwhile, posts related to psychedelics are regularly infiltrated by bots directing traffic to dealers. “Virtually all psychedelic post\[s\] are followed by bots selling microdoses,” leading psychedelics researcher Matthew Johnson posted on X in December. “All my blocking & spam reporting seems futile.” An account recently replied to one of my posts, linking to the profile of their apparent boss: “He’s got all Psyche meds & acids.”

Some dealers lurking on social media are even more shady. The drug information organization Pill Report has told of people wiring cash to dealers and getting duped, with nothing sent to them. When one such person interviewed by WIRED sent money for cannabis through a cash transfer app but received nothing in the mail, he reported the account. “It became a threatening match and they sent photos of thugs with guns saying they were going to come for me,” he says.

In a VICE documentary on drug sales on social media, it took the host just 5 minutes to connect with a dealer in London. “Anyone can sell nowadays,” another dealer told the journalist. “You see little kids, 12-year-olds and everything, setting up accounts. It’s easy, isn’t it? You can sit at home, make an account, and make money. Who doesn’t want to do that?” As part of a separate research project, a 15-year-old was able to locate an account selling Xanax tablets in mere seconds on Instagram.

Telegram’s drug markets remain somewhat complicated to access for the average person, but are still far easier to access than those on the darknet. “The problem with darknet markets is that you need to install Tor, get a PGP, and have cryptocurrencies,” says Francois Lamy, an associate professor at Mahidol University in Thailand who researches the sociology of drug use. “It’s a little bit more difficult to navigate. With Telegram, you type a few keywords, and there you go. You can find everything.”

When the Telegram founder Pavel Durov was arrested outside of Paris, France, in August, prosecutors cited the scale of drug trafficking on the platform as part of the justification. The next month, a new Telegram user policy was introduced to “discourage criminals” and hand over the data of users who are accused of illegal behavior on the platform by authorities with search warrants. “While 99.999% of Telegram users have nothing to do with crime, the 0.001% involved in illicit activities create a bad image for the entire platform, putting the interests of our almost billion users at risk,” Durov said in a statement at the time.

But experts warn that any increased enforcement on Telegram will simply cause dealers to go elsewhere, disrupting a market that has largely established itself as a safer source of drugs. “If one supply avenue is closed by enforcement, another is soon found to replace it,” says Steve Rolles, senior policy analyst at the Transform Drug Policy Foundation, a UK-based NGO. “Enforcement has, somewhat ironically, actually accelerated these innovations—driving the evolution of ever more sophisticated sales models. The only way such markets can be defeated in the longer term is to replace them through legal regulation.”

Drug Dealers Have Moved Onto Social Media

View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: Modicon M241 / M251 / M258 / LMC058
Vulnerability: Improper Input Validation
2. RISK EVALUATION
Successful exploitation of this vulnerability could lead to a denial-of-service and a loss of confidentiality and integrity in the controller.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that following Modicon PLCs are affected:
Modicon Controllers M241: All versions
Modicon Controllers M251: All versions
Modicon Controllers M258: All versions
Modicon Controllers LMC058: All versions
3.2 Vulnerability Overview
3.2.1 IMPROPER INPUT VALIDATION CWE-20
An improper input validation vulnerability exists that could lead to a denial-of-service and a loss of confidentiality and integrity in the controller when an unauthenticated crafted Modbus packet is sent to the device.
CVE-2024-11737 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-11737. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France
3.4 RESEARCHER
Wooyeon Jo and Irfan Ahmed of Virginia Commonwealth University reported this vulnerability to Schneider Electric.
4. MITIGATIONS
Schneider Electric is establishing a remediation plan for all future versions of Modicon M241/M251/M258/LMC058 that will include a fix for this vulnerability. They will update SEVD-2024-345-03 when the remediation is available. Until then, users should immediately apply the following mitigations to reduce the risk of exploit:
Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks.
Filter ports and IP through the embedded firewall.
Setup network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
Disable all unused protocols (default configuration).
For more details refer to "Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment Guide"
To ensure users are informed of all updates, including details on affected products and remediation plans, Schneider Electric recommends subscription to their security notification service.
Schneider Electric strongly recommends the following industry cybersecurity best practices:
Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
Place all controllers in locked cabinets and never leave them in the "Program" mode.
Never connect programming software to any network other than the network intended for that device.
Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
For more information refer to the Schneider Electric recommended cybersecurity best practices document.
For more information, see Schneider Electric security notification "SEVD-2024-345-03 Modicon M241 / M251 / M258 / LMC058"
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY
December 17, 2024: Initial Publication

Schneider Electric Modicon

A suspected South Asian cyber espionage threat group known as Bitter targeted a Turkish defense sector organization in November 2024 to deliver two C++-malware families tracked as WmRAT and MiyaRAT.
"The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads," Proofpoint

Bitter APT Targets Turkish Defense Sector with WmRAT and MiyaRAT Malware

SUMMARY Cicada3301, a ransomware group, has claimed responsibility for a data breach targeting Concession Peugeot (concessions.peugeot.fr), a prominent…

****SUMMARY****

*   **Cicada3301 ransomware group claims to have breached Concession Peugeot, stealing 35GB of sensitive data.**

*   **The group operates a Ransomware-as-a-Service (RaaS) model with a 20% commission.**

*   **First observed in June 2024, their ransomware targets Windows and Linux/ESXi systems.**

*   **Cicada3301 shares similarities with BlackCat, using ChaCha20 encryption and similar tactics.**

*   **Leaked data includes invoices, passport copies, and internal communications.**

Cicada3301, a ransomware group, has claimed responsibility for a data breach targeting Concession Peugeot (concessions.peugeot.fr), a prominent French automotive dealership linked to the Peugeot brand. The group claims to have stolen 35GB of sensitive data, marking a continuation of their aggressive cyber campaigns.

Screenshot from cicada3301 Ransomware’s dark web leak site (Screenshot: Hackread.com)

The alleged breach was announced by the group over the weekend (Sunday, December 15, 2024) on its official dark web leak site. It is also worth noting that the name Cicada3301 was historically associated with **cryptographic puzzles** in the early 2010s, it has since been co-opted by the ransomware group operating under a Ransomware-as-a-Service (RaaS) model.

This model enables affiliates to carry out attacks by renting the ransomware infrastructure and splitting the proceeds with the operators. Check Point’s **report** in September 2024, also discusses Cicada3301 who posted an advertisement on a Russian-language underground forum offering ransomware-as-a-service. The group demands a 20% commission on successful attacks and even provides negotiation mechanisms for disputes among partners.

The Cicada3301 ransomware group was first identified by cybersecurity firm Truesec and observed in June 2024. Written in Rust, the ransomware can target both Windows and Linux/ESXi systems, showcasing its cross-platform capabilities.

Cicada3301 has notable similarities to **ALPHV/BlackCat ransomware**, including the use of ChaCha20 encryption, identical commands to shut down virtual machines, and the -ui commands that provide graphic output for encryption. Both groups also share a similar file-naming pattern and key parameters used to decrypt ransom notes. These overlaps suggest a shared connection or the adoption of proven techniques to maximize efficiency and impact.

The attack on Concession Peugeot aligns with Cicada3301’s strategy of targeting high-value organizations to maximize impact. The theft of 35GB of data is particularly concerning, as a screenshot of the leaked files, reviewed by Hackread.com, reveals official and internal communications, invoices, passport copies, and even recipes.

Screenshot from cicada3301 Ransomware’s dark web leak site (Screenshot: Hackread.com)

**Editor’s Note**

The fact that Concession Peugeot operates under the official subdomain concessions.peugeot.fr creates a closer association with the larger Peugeot brand. Big companies like Peugeot often let their authorized dealerships use subdomains to maintain a consistent online presence and make it easier for customers to trust their services.

However, this setup means that an attack on a dealership can easily look like an attack on the main company. While this breach only targeted the dealership, the use of Peugeot’s domain could lead to confusion and raise questions about security across the brand.

1.  **13GB Data of Automobile Insurance Giant AA Exposed Online**
2.  **French automobile Citroën breached, user login details leaked**
3.  **Hackers Can Access Mazda Vehicle Controls Via System Flaws**
4.  **Contractor Database Exposes Irish Police Vehicle Seizure Records**
5.  **Nissan Confirms Data Breach Affected 100K Customers, Employees**
6.  **ALPHV Ransomware Used Vishing to Scam MGM Resorts Employee**

Cicada3301 Ransomware Claims Attack on French Peugeot Dealership

Artificial intelligence capabilities are coming to a desktop near you — with Microsoft 365 Copilot, Google Gemini with Project Jarvis, and Apple Intelligence all arriving (or having arrived). But what are the risks?

Source: 'Who is Danny' via Shutterstock

Artificial intelligence has come to the desktop.

Microsoft 365 Copilot, which debuted last year, is now widely available. Apple Intelligence just reached general beta availability for users of late-model Macs, iPhones, and iPads. And Google Gemini will reportedly soon be able to take actions through the Chrome browser under an in-development agent feature dubbed Project Jarvis.

The integration of large language models (LLMs) that sift through business information and provide automated scripting of actions — so-called "agentic" capabilities — holds massive promise for knowledge workers but also significant concerns for business leaders and chief information security officers (CISOs). Companies already suffer from significant issues with the oversharing of information and a failure to limit access permissions — 40% of firms delayed their rollout of Microsoft 365 Copilot by three months or more because of such security worries, according to a Gartner survey.

The broad range of capabilities offered by desktop AI systems, combined with the lack of rigorous information security at many businesses, poses a significant risk, says Jim Alkove, CEO of Oleria, an identity and access management platform for cloud services.

"It's the combinatorics here that actually should make everyone concerned," he says. "These categorical risks exist in the larger \[native language\] model-based technology, and when you combine them with the sort of runtime security risks that we've been dealing with — and information access and auditability risks — it ends up having a multiplicative effect on risk."

Related:Citizen Development Moves Too Fast for Its Own Good

Desktop AI will likely take off in 2025. Companies are already looking to rapidly adopt Microsoft 365 Copilot and other desktop AI technologies, but only 16% have pushed past initial pilot projects to roll out the technology to all workers, according to Gartner's "The State of Microsoft 365 Copilot: Survey Results." The overwhelming majority (60%) are still evaluating the technology in a pilot project, while a fifth of businesses haven't even reached that far and are still in the planning stage.

Most workers are looking forward to having a desktop AI system to assist them with daily tasks. Some 90% of respondents believe their users would fight to retain access to their AI assistant, and 89% agree that the technology has improved productivity, according to Gartner.

**Bringing Security to the AI Assistant**

Unfortunately, the technologies are black boxes in terms of their architecture and protections, and that means they lack trust. With a human personal assistant, companies can do background checks, limit their access to certain technologies, and audit their work — measures that have no analogous control with desktop AI systems at present, says Oleria's Alkove.

Related:Cleo MFT Zero-Day Exploits Are About to Escalate, Analysts Warn

AI assistants — whether they are on the desktop, on a mobile device, or in the cloud — will have far more access to information than they need, he says.

"If you think about how ill-equipped modern technology is to deal with the fact that my assistant should be able to do a certain set of electronic tasks on my behalf, but nothing else," Alkove says. "You can grant your assistant access to email and your calendar, but you cannot restrict your assistant from seeing certain emails and certain calendar events. They can see everything."

This ability to delegate tasks needs to become part of the security fabric of AI assistants, he says.

**Cyber-Risk: Social Engineering Both Users & AI**

Without such security design and controls, attacks will likely follow.

Earlier this year, a prompt injection attack scenario highlighted the risks to businesses. Security researcher Johann Rehberger found that an indirect prompt injection attack through email, a Word document, or a website could trick Microsoft 365 Copilot into taking on the role of a scammer, extracting personal information, and leaking it to an attacker. Rehberger initially notified Microsoft of the issue in January and provided the company with information throughout the year. It's unknown whether Microsoft has a comprehensive fix for the issue.

Related:Generative AI Security Tools Go Open Source

The ability to access the capabilities of an operating system or device will make desktop AI assistants another target for fraudsters who have been trying to get a user to take actions. Instead, they will now focus on getting an LLM to take actions, says Ben Kilger, CEO of Zenity, an AI agent security firm.

"An LLM gives them the ability to do things on your behalf without any specific consent or control," he says. "So many of these prompt injection attacks are trying to social engineer the system — trying to go around other controls that you have in your network without having to socially engineer a human."

**Visibility Into AI's Black Box**

Most companies lack visibility into and control of the security of AI technology in general. To adequately vet the technology, companies need to be able to examine what the AI system is doing, how employees are interacting with the technology, and what actions are being delegated to the AI, Kilger says.

"These are all things that the organization needs to control, not the agentic platform," he says. "You need to break it down and to actually look deeper into how those platforms actually being utilized, and how do people build and interact with those platforms."

The first step to evaluating the risk of Microsoft 365 Copilot, Google's purported Project Jarvis, Apple Intelligence, and other technologies is to gain this visibility and have the controls in place to limit an AI assistant's access on a granular level, says Oleria's Alkove.

Rather than a big bucket of data that a desktop AI system can always access, companies need to be able to control access by the eventual recipient of the data, their role, and the sensitivity of the information, he says.

"How do you grant access to portions of your information and portions of the actions that you would normally take as an individual, to that agent, and also only for a period of time?" Alkove asks. "You might only want the agent to take an action once, or you may only want them to do it for 24 hours, and so making sure that you have those kind of controls today is critical."

Microsoft, for its part, acknowledges the data-governance challenges, but argues that they are not new, just made more apparent due to AI’s arrival.

"AI is simply the latest call to action for enterprises to take proactive management of controls their unique, respective policies, industry compliance regulations, and risk tolerance should inform – such as determining which employee identities should have access to different types of files, workspaces, and other resources," a company spokesperson said in a statement.

The company pointed to its Microsoft Purview portal as a way that organizations can continuously manage identities, permission, and other controls. Using the portal, IT admins can help secure data for AI apps and proactively monitor AI use though a single management location, the company said. Google declined to comment about its forthcoming AI agent.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Does Desktop AI Come With a Side of Risk?

Task scams are a new type of scams where victims are slowly tricked into paying to get paid for repetitive simple tasks

An unfamiliar type of scam has surged against everyday people, with a year-over-year increase of some 400%, putting job seekers at risk of losing their time and money.

The emerging threat is delivered in “task scams” or “gamified job scams.” While these scams were virtually non-existent in 2020, the FTC reported 5,000 cases in 2023 and a whopping 20,000 cases in the first half of 2024.

In these scams, online criminals prey on people looking for remote jobs by offering them simple repetitive tasks such as liking videos, optimizing apps, boosting product interest, or rating product images. These tasks are usually organized in sets of 40 tasks that will take the victim to a “next level” once they are completed.

Sometimes the victim will get a so-called double task that earns a bigger commission. The trick is that the scammers will make the victim think they are earning money to raise trust in the system. The money can be fake and only displayed in the system, but some victims report actually receiving small sums.

But at some point, the scammers will tell the victims, they have to make a deposit to get the next set of tasks or get your earnings out of the app. So, victims are likely to make that deposit, or all their work will have been for naught.

Scammers use cryptocurrency like USDT (a digital stable-coin with a value tied to the value of the US dollar) to make their payments.

Task scams typically begin with unsolicited text messages or messages via platforms like WhatsApp, Telegram, or other messaging apps. These messages often come from unknown numbers or profiles that may appear professional to gain trust. Reportedly, these scams like to impersonate legitimate companies such as Deloitte, Amazon, McKinsey and Company, and Airbnb.

Scammers count on the urge that victims do not want to “cut their losses” and will try to pull victims in even deeper, sometimes inviting them into groups where newcomers can learn and hear success stories from (fake) experienced workers.

**How to avoid task scams**

Once you know the red flags, it is easier to shy away from task scams.

*   Do not respond to unsolicited job offers via text messages or messaging apps.
*   Never pay to get paid.
*   Verify the legitimacy of the employer through official channels.
*   Don’t trust anyone who offer to pay for something illegal such as rating or liking things online.

It’s also important to keep in mind that legitimate employers do not ask employees to pay for the opportunity to work. And as with most scams, if it sound to good to be true, it probably is.

If you run into a task scam, please report them to the FTC at ReportFraud.ftc.gov.

Tag

#mac