This week on the Lock and Code podcast, we speak with Ron de Jesus about the work of achieving user privacy while balancing company goals.

_This week on the Lock and Code podcast…_

Privacy is many things for many people.

For the teenager suffering from a bad breakup, privacy is the ability to stop sharing her location and to block her ex on social media. For the political dissident advocating against an oppressive government, privacy is the protection that comes from secure, digital communications. And for the California resident who wants to know exactly how they’re being included in so many targeted ads, privacy is the legal right to ask a marketing firm how they collect their data.

In all these situations, privacy is being provided to a person, often by a company or that company’s employees.

The decisions to disallow location sharing and block social media users are made—and implemented—by people. The engineering that goes into building a secure, end-to-end encrypted messaging platform is done by people. Likewise, the response to someone’s legal request is completed by either a lawyer, a paralegal, or someone with a career in compliance.

In other words, privacy, for the people who spend their days with these companies, is _work_. It’s their expertise, their career, and their to-do list.

But what does that work actually entail?

Today, on the Lock and Code podcast with host David Ruiz, we speak with Transcend Field Chief Privacy Officer Ron de Jesus about the responsibilities of privacy professionals today and how experts balance the privacy of users with the goals of their companies.

De Jesus also explains how everyday people can meaningfully judge whether a company’s privacy “promises” have any merit by looking into what the companies provide, including a legible privacy policy and “just-in-time” notifications that ask for consent for any data collection as it happens.

> “When companies provide these really easy-to-use controls around my personal information, that’s a really great trigger for me to say, hey, this company, really, is putting their money where their mouth is.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 A day in the life of a privacy pro, with Ron de Jesus (Lock and Code S05E26) 

A 20-year-old Tucson man was arrested for horrific CSAM and cyberstalking linked to the dangerous online extremist group 764.

****SUMMARY****

*   **Arrest and Charges**: Baron Martin, 20, arrested for producing child sexual abuse material and cyberstalking, linked to extremist networks 764 and CVLT.

*   **Disturbing Crimes**: Accused of coercing minors into self-mutilation, creating abuse material, and plotting violence against victims and their families.

*   **764 Network**: The extremist group uses child exploitation to normalize violence and promote societal collapse, flagged as a major threat by the DoJ.

*   **Potential Penalties**: Martin faces up to 40 years in prison for his crimes, alongside fines and possible lifetime supervised release.

*   **Law Enforcement Response**: FBI and DoJ emphasize vigilance and programs like Project Safe Childhood to combat online child exploitation.

A 20-year-old Tucson man, Baron Martin, has been arrested for producing child sexual abuse material (CSAM) and cyberstalking offences linked to his involvement in online violent extremist networks known as 764 and CVLT, reveals an unsealed complaint by the Department of Justice (DoJ).

The complaint details a disturbing pattern of behaviour by 764 members. They allegedly target vulnerable youth online, force them into self-harm, and spread the abuse to desensitize victims and normalize violence. Martin, who allegedly used the online alias “Convict,” is accused of:

*   **Creating a guide on how to identify, groom, and extort children:** Martin is accused of creating child sex abuse content on Discord in September 2022 by having two minors self-mutilate for him, with one child having his name cut into their chest, stomach, and thighs, and directing them to cut swastikas and satanic symbols.

*   **Forcing two minors (aged 13 and 16) to self-mutilate on Discord:** Martin allegedly directed a 16-year-old victim on Discord to self-injury, drawing blood, and pouring alcohol over the wounds. Martin sent three videos of the abuse to another user

*   **Cyberstalking a 13-year-old by threatening her grandmother and soliciting her murder**: Martin is accused of cyberstalking a 13-year-old girl in September 2022, threatening her grandmother, and soliciting her murder. He agreed to pay $3,000 for the kidnapping and murder, and in a separate chat, posted the girl’s and her grandmother’s phone numbers for harassment.

If convicted, Martin faces up to 30 years in prison for producing CSAM and up to 10 years for cyberstalking, along with significant fines and potential lifetime supervised release.

****764 Network Described as “Dangerous” by DoJ****

According to the DoJ’s press release, it considers the 764 network a huge threat. “764 is a dangerous network of violent extremists who systematically target children and use child sexual abuse material to further their agenda of societal collapse,” said Assistant Attorney General for National Security Matthew G. Olsen.

The FBI is leading the investigation. The case is being prosecuted by the U.S. Attorney’s Office for the District of Arizona and the National Security Division’s Counterterrorism Section. 

It is worth noting that Martin is not the only alleged member of the notorious 764 network to face legal action. In November 2024, Richard Anthony Reyna Densmore, 47, of Kaleva, Michigan, was **sentenced** to 30 years in prison on charges related to child sexual abuse material (CSAM).

The arrest of Baron Martin shows the problematic reality of online extremism and grooming and its devastating impact on vulnerable youth. This issue extends beyond the U.S., with the U.K. facing similar challenges, particularly on platforms like Snapchat. According to a **report** by a U.K. charity, half of all online child grooming cases now occur on Snapchat.

The 764 network’s calculated targeting of children and their use of child sexual abuse material to further their extremist ideology emphasises the urgent need for increased vigilance and law enforcement efforts to combat such threats. 

US Attorney Gary Restaino for the District of Arizona stressed the importance of **Project Safe Childhood** (PCS), a US-based initiative targeting child sexual exploitation, and encouraged parents and children to seek help if they encounter online predators.

1.  **Man sought dark web hitman to murder child abuse victim**
2.  **Op protected childhood: 113 online child predators arrested**
3.  **How Facebook Helped FBI Capture a Notorious Child Abuser**
4.  **9 risky apps that you must monitor on your kids’ smartphone**
5.  **Microsoft’s tool detects, reports pedophiles from online chats**

FBI Targets 764 Network: Man Faces 30 Years for Cyberstalking, CSAM

Find out the key security risks of firmware security: Identify threats, and learn best practices and protection methods…

Find out the key security risks of firmware security: Identify threats, and learn best practices and protection methods against modern hacker attacks.

Firmware is low-level software that builds the interaction between the hardware and the operating system. It contains important instructions for the operation of electronic devices such as routers, IoT sensors, smartphones, and even cars. However, these instructions are often invisible to the user, making firmware less secure. This article will reveal the principal risks of firmware security and best practices for protecting against hackers.

****Key security risks in firmware development****

Ensuring the safety of firmware systems is paramount. Firmware serves as the bridge between hardware and software, making it a prime target for malicious attacks. According to Lemberg Solutions, a firmware development firm, firmware vulnerabilities have seen a notable rise, with security researchers estimating a 7.5-fold increase compared to three years ago. This is a result of vulnerabilities introduced during coding, lack of encryption, inadequate authentication mechanisms, and insufficient security updates.

Handling these challenges early in development is crucial to protecting devices and preventing potential breaches. Nevertheless, firmware attacks come in many forms. Let’s have a look at a few of them:

*   **Firmware modification.** Hackers modify a device’s firmware to introduce malicious code or “backdoors” which can cause significant damage.
*   **Firmware extraction.** Hackers extract firmware from a device to analyze it for vulnerabilities. By reverse engineering the firmware, they can identify weaknesses and develop targeted exploits to compromise the device’s security. 
*   **Remote update attacks.** If hackers manage to intercept and manipulate updates, they can inject spyware or make unauthorized changes to the firmware, potentially compromising the entire system. For example, in the case of the Internet of Things (IoT), a device with poorly secured access can be compromised and used for DDoS attacks.
*   **Integration of unverified code**. Using open or unverified code can introduce hidden vulnerabilities.
*   **Physical attacks.** If a device is not physically secured, attackers can access its internal components through JTAG, UART, or other debug ports. For example, attackers can read the microcontroller memory through the JTAG interface and access sensitive data.

By understanding the methods hackers use, users can take steps to protect their devices, such as regularly updating firmware and implementing robust security practices. On the other hand, manufacturers should prioritize firmware security during the development process, conduct thorough testing, and implement strong security measures to reduce the risk of attacks or entrust security issues to a firmware development company.

****Best practices for protecting firmware****

By following a few simple steps, organizations can secure their devices’ firmware, making them more resistant to attack and less likely to be compromised. Let’s examine firmware security best practices. 

****Buffer and stack overflow protection****

Buffer and stack overflow protection is vital for firmware security, preventing unauthorized access from data overrun vulnerabilities. Effective mechanisms, such as stack canaries and address space layout randomization, are essential for improving memory safety.

Firmware must integrate overflow protections from the design phase. Regular audits and testing are required to address buffer vulnerabilities promptly. By prioritizing these safeguards, organizations can enhance device security and protect user data against evolving cyber threats.

****Capture security exceptions****

To identify and address potential threats in firmware operations, we must secure exceptions, which involves logging incidents and anomalies to enable quick responses to risks. Exception-handling protocols ensure that deviations from normal operations trigger alerts for security teams. Organizations should establish clear guidelines for managing and reviewing security exceptions regularly to maintain operational integrity and prevent incidents. 

****Input validation****

Input validation is a cornerstone in firmware security; by accepting only authorized data, organizations can effectively prevent unauthorized or malicious inputs that threaten to exploit system vulnerabilities. Validation protocols must be regularly updated to confront the ever-evolving landscape of security threats. Furthermore, investing in personnel training about the significance of input validation reinforces an organization’s commitment to safeguarding devices against cyber risks. 

****Secure boot mechanisms****

Secure boot ensures that only trusted firmware and software run when a device starts. It uses cryptographic checks to confirm the firmware hasn’t been tampered with. If the software isn’t signed with a trusted key, it won’t load, blocking malicious code from sneaking in during startup. For example, your laptop only works with an official operating system signed by the manufacturer. If someone tries to install fake software or modify the boot process, the system refuses to start, keeping your device safe.

****Secure firmware updates****

Implementing firmware updates with cryptographic signatures is vital for ensuring their authenticity and integrity. It guarantees that only verified updates are applied, reducing the risk of malicious modifications.

Cryptographic signatures validate updated sources, preventing vulnerabilities from unverified patches. By incorporating cryptographic signatures, companies can shield their systems from counterfeit updates, ensuring that only legitimate enhancements are deployed. 

****Role of AI and machine learning in threat detection****

AI and machine learning play a critical role in threat detection. They enable the creation of automated systems that quickly and accurately respond to modern challenges, such as malware, cyberattacks, and other threats. Let’s explore this in more detail:

1.  **AI identifies unusual activities** and anomalies in device behavior by analyzing network traffic, log files, and system interactions. For example, a system might monitor a company’s network traffic. If a device that typically transmits small amounts of data suddenly sends large data packets to an external server, the system flags this as an anomaly and blocks the transmission.
2.  Machine learning models can detect malware in code by identifying patterns that indicate malicious behavior. This is especially valuable for identifying new types of malware that traditional methods might miss.
3.   AI **can use data** from past attacks to forecast future threats. It analyzes attackers’ tactics, techniques, and procedures (TTPs) from previous incidents. For instance, a monitoring system might receive data about similar cyberattacks targeting companies within a specific industry. Based on this data, it could predict that your company might be the next target and recommend strengthening the security of particular systems.
4.  **AI analyzes** text messages and emails’ vocabulary, style, and domains to prevent phishing attacks. For example, it identifies suspicious phrasing, unusual sender domains, or inconsistencies in the email’s language that may indicate a phishing attempt.

This proactive and intelligent approach demonstrates the growing importance of AI in enhancing cybersecurity and mitigating evolving threats.

****Ensuring compliance and standards in firmware security****

Ensuring compliance and standards in firmware security is critical to protecting devices from vulnerabilities and threats. Below are key aspects of ensuring compliance and standards in firmware security.

**Aspect**

**Details**

Adopting industry standards

NIST Guidelines (e.g., NIST SP 800-193) provide a framework for protecting firmware against unauthorized modification, detecting security breaches, and recovering to a secure state.ISO/IEC 27001 ensures information security management practices, including firmware integrity, aligns with globally accepted standards. Trusted platform module (TPM) for secure boot and firmware measurement to ensure integrity.

Secure Firmware development lifecycle (FDLC)

NIST Guidelines (e.g., NIST SP 800-193) provide a framework for protecting firmware against unauthorized modification, detecting security breaches, and recovering to a secure state.ISO/IEC 27001 ensures information security management practices, including firmware integrity, aligns with globally accepted standards. Trusted platform module (TPM) for secure boot and firmware measurement to ensure integrity.

Cryptographic protections

Threat modellingRegularly review firmware code for compliance with secure coding standards. Use tools to verify firmware binaries against secure policies.

Compliance audits and certifications

Third-party auditsCertifications like Common Criteria (CC) or FIPS 140-2 for assurance.

Supply chain security

Code signing.  Ensures only authenticated and authorized firmware updates are installed.Encryption. Protects firmware data in transit and at rest. Secure Boot, validates firmware signatures during the boot process, preventing tampering.

****Future of firmware security****

Due to technological advancements and evolving threats, the future of firmware security will be more dynamic and resilient. As artificial intelligence and machine learning become integrated into firmware, new attack vectors emerge that need addressing. 

The rise of IoT and edge devices will demand standardized and scalable security frameworks. Enhanced global threat intelligence sharing and blockchain technology will improve defences against vulnerabilities. With a focus on secure, self-healing firmware and stricter regulations, organizations will emphasize security by design and education, making the firmware ecosystem safer and more privacy-oriented.

Image via PixaBay/Nanoslavic

1.  **Intel Responds to ‘Downfall’ Attack with Firmware Updates**
2.  **New Firmware Version of Nintendo Switch Hacked in 4 Hours**
3.  **Cheap Android Smartphones Shipped with Malicious Firmware**
4.  **Zero-day Flaws Exposed EV Chargers to Shutdowns, Data Theft**
5.  **Professions That Are the Most Exposed to Cybersecurity Threats**

Firmware Security: Identifying Risks to Implement Best Cybersecurity Practices

Cybercriminals are targeting YouTube creators with sophisticated phishing attacks disguised as brand collaborations. Learn how to identify these scams, protect your data, and safeguard your online presence

****summary****

*   **Phishing Attack**: Cybercriminals use fake brand collaboration emails to target YouTube creators.

*   **Malware Disguise**: Malicious files are hidden in password-protected attachments like contracts or promotional materials.

*   **Cloud Hosting**: Attackers leverage platforms like OneDrive to host malware, adding a layer of credibility.

*   **Sensitive Data Theft**: Malware steals login credentials, financial information, and grants remote access.

*   **Wide Reach**: Over 200,000 creators targeted globally, with thousands of phishing emails sent via automated tools.

CloudSEK’s threat research team has disclosed details of an advanced new phishing campaign targeting YouTube creators. According to CloudSEK’s investigation, shared exclusively with _Hackread.com_, scammers are using fake brand collaboration emails to steal accounts and spread scams to millions of followers.

****Campaign Analysis****

Report author Mayank Sahariya notes that this sophisticated phishing campaign involves impersonating trusted brands to distribute malware through fake collaboration offers. 

Attackers begin by scraping email addresses from YouTube channels, likely using a specialized parser tool. This allows them to target creators and organizations directly. With email addresses in hand, attackers use browser automation tools to send bulk phishing emails.

Next, the attackers send cleverly crafted emails that appear to be legitimate business proposals from well-known brands. These emails entice recipients with lucrative collaboration deals and include enticing compensation structures based on subscriber count. The malware is cleverly disguised within attachments such as Word documents, PDFs, or Excel files, often masquerading as promotional materials, contracts, or business proposals.

“At the end of the email, the threat actor includes instructions and a OneDrive link to access a zip file containing the agreement and promotional materials, secured with the password,” the report read.

The extracted files reveal four files, including Digital Agreement Terms and Payments Comprehensive Evaluation.exe, which is a malicious payload. Once downloaded and extracted, the zip file unleashes a malicious script disguised as a harmless file format, such as “webcams.pif.” This script leverages AutoIt3 automation software to execute further malware hidden within the archive.

To further bypass detection, the attackers host these malicious attachments on cloud storage platforms like OneDrive (form this ID- \[email protected\] created on August 15, 2024), protected by passwords. This tactic adds a layer of legitimacy, as recipients might expect collaboration agreements and promotional materials to be password-protected.

Once a curious YouTuber downloads the attachment, the malware installs itself on the victim’s system. This malware is designed to steal sensitive information, including login credentials, financial data, and intellectual property. In some cases, it can even grant remote access to the attacker, compromising the entire system.

Attack flow and malicious email used in the scam (Via CloudSec)

****Who are the Targets?****

According to CloudSec’s blog post, this global campaign primarily targets businesses and individuals involved in marketing, sales, and executive positions. These individuals are more likely to engage with brand collaborations and promotions, making them prime targets for this phishing scheme.  

So far, this campaign has targeted over 2 lakh YouTube creators, involving 500-1,000 phishing emails sent from a single email account and around 340+ SMTP servers have been weaponized for attacks.

To stay protected, YouTube creators should be cautious of unsolicited collaboration offers, especially password-protected attachments. Always double-check email addresses, and contact brands directly to confirm the legitimacy of collaboration offers. Also, avoid downloading attachments from unknown senders, even if password-protected to protect valuable data.

1.  **Scammers Rake in $600K with YouTube Deepfakes**
2.  **YouTube Channels Hacked to Spread Lumma Stealer**
3.  **Fake YouTube Android Apps Used to Distribute CapraRAT**
4.  **New YouTube phishing scam using authentic email address**
5.  **Get Paid to Like Videos YouTube Scam Empties Your Wallets**

Malware Hidden in Fake Business Proposals Hits YouTube Creators

Staffers at the Cybersecurity and Infrastructure Security Agency tell WIRED they fear the new administration will cut programs that keep the US safe—and “persecution.”

Donald Trump helped create the US government’s cybersecurity agency during his first term as president. Six years later, employees of that agency are afraid of what he’ll do with it once he retakes office.

Trump’s alliances with libertarian-minded billionaires like Elon Musk and his promises to cut government spending and corporate oversight have alarmed staffers at the Cybersecurity and Infrastructure Security Agency, the component of the Department of Homeland Security that defends US government computer systems from hackers and helps state and local governments, private companies, and nonprofit groups protect themselves.

CISA, which the Trump administration and Congress created in 2018 by reorganizing an existing DHS wing, became a target of right-wing vitriol after its Trump-appointed director rebuffed the president’s election conspiracy theories in 2020 (prompting Trump to fire him) and after it worked with tech companies to combat online misinformation during the 2022 election.

The incidents turned a once-obscure agency with bipartisan credibility into a conservative bogeyman. House Republicans have accused CISA of spying on and censoring Americans, and the GOP senator who will soon oversee the agency wants to eliminate it.

Now, with Trump returning to office vowing to purge disloyal civil servants and turn DHS into an immigration-crackdown machine, CISA employees are acutely worried about the fate of their still-fledgling agency, according to interviews with four current staffers and another US cyber official, all of whom requested anonymity to speak candidly about a sensitive subject.

“We believe it's our responsibility to help those who don't really have the ability to help themselves,” says one CISA employee. “We take our missions seriously, which is why we are all concerned, to a T, about if any decisions are going to affect our mission negatively.”

**Scaling Back Corporate Accountability**

CISA is bracing for change in several areas that were key to US president Joe Biden’s cybersecurity agenda.

Biden’s cyber strategy called for companies to take more responsibility for the security of their products and services, and CISA led that effort with its campaign encouraging companies to make their systems “secure by design” and “secure by default.” Agency officials pushed tech firms to make security features free and automatic and to pay closer attention to the quality of their code. Hundreds of companies have signed CISA’s secure-by-design pledge and vowed to take cybersecurity more seriously.

CISA employees and Biden administration officials expect the Trump team to kill Biden’s corporate responsibility initiatives. “They do not think it's the role of the US government to make \[the\] private sector act in a certain way,” says a US cyber official.

A second CISA employee predicts that “compliance efforts like secure-by-design may not have the support that they currently benefit from.”

That retreat from corporate oversight will be a top priority of Musk and other tech billionaires who have flocked to Trump. “The tech influence here, assuming Elon Musk stays in Trump's good graces, is going to be significant,” the cyber official says.

Without high-level White House backing, CISA’s secure-by-design campaign “becomes toothless,” says the first CISA employee. “Some companies will be less inclined to follow these \[guidelines\] if they don't believe that the executive branch is going to support them.”

CISA employees are also watching uneasily to see if Trump officials pressure the cyber agency to water down its draft regulation requiring critical infrastructure operators to report cyber incidents. Congress mandated the rule in a 2022 spending bill, but groups representing infrastructure operators have complained that the draft requirements—which must be finalized by late 2025—are too onerous. Trump could force CISA to scale back the rules in order to appease the private sector.

Trump and his allies want to “get rid of anybody who can enforce the rules, because then the rules don't matter,” the cyber official says. “In CISA’s instance, that's going to be pretty significant.”

CISA is also bracing for changes to its election security mission. The agency has already dramatically scaled back conversations with social media companies about online misinformation following a right-wing backlash, but Trump’s team could force CISA to abandon even more of its election security work. CISA staffers worry that Trump will block the agency from participating in state and local election officials’ “Trusted Info” initiative, which encourages Americans to listen to their local election supervisors instead of provocative online claims.

“I think that work is probably dead,” says a third CISA employee.

South Dakota governor Kristi Noem, Trump’s pick to lead the Department of Homeland Security, embraced election conspiracies after Biden’s win in 2020. “Kristi Noem is a Trump loyalist who has backed him in election denial claims, and now she's going to be in charge of the agency that oversees \[CISA\],” says the cyber official. “I have a lot of questions about what happens there.”

The third CISA employee expects to see the “persecution of those who have done election security work” once Trump takes office.

**Weakening Authorities**

Trump’s victory could also have serious consequences for other CISA missions.

Under Biden, CISA gained broader authority and new funding to monitor other agencies’ networks for suspicious activity, turning it into the centralized defender of federal networks that many experts always hoped it would become. That could change under Trump, especially if senior officials close to Trump bristle at CISA’s oversight.

“I can absolutely see the new administration coming in and saying, ‘Hey, you guys are not letting agencies do what they need to do. You have … too much power \[to look\] at how the agencies do things. We're going to reduce your power,’” says the first CISA employee. “That will prevent us from doing the very necessary work that we need to do to protect the American people.”

One of CISA’s most formidable powers over other agencies could be watered down for an unexpected reason.

CISA can order the rest of the government to rapidly patch vulnerabilities and make other security improvements, and it has repeatedly used this authority in response to emerging digital crises. But while these directives only apply to federal agencies, some businesses treat them like unofficial government dictates and push their security teams to implement them.

If corporate leaders complain about these directives’ effects on their bottom lines, Trump’s team could force CISA to scale back its use of this authority.

The Trump administration could also try to cut costs at CISA by slashing the free services that it provides to state and local governments and critical infrastructure providers.

“My concern would be that some of those programs would just kind of fall to the wayside,” says the first CISA employee, who also fears that CISA’s “ability to express to the nation what we do and what services we offer” will “come under attack.”

**Dimming the Stars**

Trump’s influence on CISA could also undermine the agency’s long-running uphill battle to attract talented experts away from lucrative industry jobs and into public service.

Multiple CISA employees say they worry that Trump’s election will mean the end of what one called “star hires” like senior advisers Bob Lord and Jack Cable, the corporate cyber veteran and young security whiz, respectively, who lead CISA’s secure-by-design program.

“I can absolutely see guys like Bob Lord and Jack Cable—big, well-respected individuals in the security community—deciding that they want to take their stuff elsewhere if they don't believe that the administration is serious about helping companies be more secure,” says the first CISA employee. Lord and Cable declined WIRED’s request to comment.

“This country has gotten so much more politicized over the past eight years to where it gets in the way of us doing our jobs,” the first CISA employee adds.

Trump’s promised changes to civil-service rules, which would expose more government workers to politically motivated firings, are also alarming CISA employees. “I worry about getting weaponized,” says the third CISA employee.

**Political Tensions**

When it comes to CISA’s fate, much will depend on whom Trump picks to lead the agency and how they navigate broader DHS politics.

The main contenders for CISA director—Karen Evans, a former Energy Department cyber official and White House IT official; Matt Hayden, who served as DHS’s assistant secretary for cyber policy during Trump’s first term; and Brian Harrell, who led CISA’s infrastructure protection wing under Trump—have cyber experience and bipartisan credibility. But if Trump passes over them, it’s not clear who will end up leading CISA.

“There’s not really a ton of star, right-leaning info security people out there who want to risk their credibility as a political appointee,” says the third CISA employee.

Even if CISA gets competent, well-liked senior officials, they will still be at the mercy of DHS leadership. Kristi Noem has touted her work on cybersecurity as South Dakota’s governor, including in an op-ed after her nomination that referenced CISA. But Noem was the only governor to reject money from a DHS cyber grant program for state and local governments in 2023, suggesting that she won’t support the program, which expires in late 2025.

A fourth CISA employee says they hope that once Noem and other Trump appointees “are briefed on the full extent of our nation’s cybersecurity problems, they will recognize the value of our work and its critical importance to national security.”

But even if Noem mostly leaves CISA to its own devices, her department’s leading role in Trump’s controversial immigration agenda—including promised mass deportations of undocumented immigrants—will likely inflame longstanding tensions between DHS and CISA.

“People within CISA don't want to be considered part of DHS,” says the first CISA employee. “They believe that CISA should be its own realm.”

Amid a migration surge during Trump’s first term, DHS asked CISA employees to volunteer to help safeguard the US-Mexico border. “I do not believe that people \[will\] want to be considered part of DHS if that type of stuff is going to continue,” the first CISA employee says.

With DHS leaning harder than ever before into immigration crackdowns, CISA employees are longing for a separation—with even the conservative Project 2025’s unorthodox reorganization proposal sounding appealing to some.

“DHS is gonna be a real awful place the next four years,” says the third CISA employee. “Maybe we should move to Transportation.”

**Quiet Concerns**

While they wait for Trump to signal his approach to cybersecurity, CISA employees are quietly exchanging worries about what’s next for their workplace.

“There have been unspoken concerns about what's going to happen once the administration changes,” says the first CISA employee. “Anything that we do is going to affect the American public in one way or another, so we need to know … what's going to be coming down the pike.”

The mood inside the agency is “uncertain,” says the second CISA employee.

“CISA’s staff isn’t interested in getting politicized,” says the third CISA employee. “We just want to do good work for the American public that makes things more secure and resilient.”

CISA director Jen Easterly said in a statement that she “could not be prouder” of the agency’s achievements.

“CISA’s been able to accomplish its mission thanks to a talented and dedicated workforce, bipartisan support in Congress, and partnerships across government and industry,” Easterly said. “It’s important this work continues as the nation’s critical infrastructure faces an ever evolving and complex threat environment.”

For now, agency employees are distracting themselves by doubling down on that work.

“We kind of bury ourselves into the day to day, just trying to do as much as we can until we get the call that this position or this branch is going to be eliminated,” says the first CISA employee. “We don't have any control over things right now, and I think that's what makes things scary for a lot of us.”

The Top Cybersecurity Agency in the US Is Bracing for Donald Trump

A thwarted attack demonstrates that threat actors using yet another delivery method for the malware, which already has been spread using phishing emails, malvertising, hijacking of instant messages, and SEO poisoning.

Source: Brian Jackson via Alamy Stock Photo

The DarkGate remote access Trojan (RAT) has a new attack vector: A threat actor targeted a Microsoft Teams user via a voice call to gain access to their device.

The attack adds to the other methods for spreading the RAT, which previously has been propagated using phishing emails, malvertising, hijacking of Skype and Teams messages, and search engine optimization (SEO) poisoning, researchers said.

Researchers at Trend Micro discovered the voice phishing, or vishing, attack, in which an attacker initially tried to install a Microsoft remote support application to gain access to the user's device, they revealed in a recent blog post. While this failed, the cyberattackers then used social engineering to convince the victim to download the AnyDesk tool for remote access, which they eventually achieved.

The attacker loaded multiple "suspicious files" onto the victim's machine via a connection that was established to a command-and-control (C2) server, one of which was DarkGate, according to Trend Micro. The RAT, distributed as usual via an AutoIt script, enabled remote control over the user's machine, executed malicious commands, gathered system information, and connected to a command-and-control (C2) server.

**A Multistage Vishing Cyberattack**

The multistage attack started off in a more typical DarkGate way, through a flood of thousands of phishing emails sent to the victim's inbox. The emails were followed up with a Microsoft Teams call purportedly for technical support, which kicked off the vishing attack.

The caller claimed to be an employee of an external supplier of the victim's company needing assistance, and instructed the victim to download the Microsoft Remote Support application.

"However, the installation via the Microsoft Store failed," Trend Micro researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta wrote in the post. "The attacker then instructed the victim to download AnyDesk via browser and manipulate the user to enter her credentials to AnyDesk."

The attacker used AnyDesk to set up a communication channel to C2 and initiate various malicious scripts and eventually a PowerShell command to drop DarkGate using the Autoit legitimate Windows automation and scripting tool favored by attackers for obfuscation and defense evasion. After installation, the attack also loaded files and a registry entry for persistence.

**Another Channel for Spreading DarkGate Malware**

While ultimately the attack was stopped before data could be exfiltrated from the victim's machine, it demonstrates DarkGate actors using yet another means to spread the formidable RAT, adding to a long list of previously used delivery methods, the researchers said.

DarkGate has been used to target users around the world since at least 2017 and integrates multiple diverse and malicious functions. Among its capabilities are executing commands for gathering system information, mapping networks, and doing directory traversal, as well as launching Remote Desktop Protocol (RDP), hidden virtual network computing, AnyDesk, and other remote access software.

DarkGate also has features to support cryptocurrency mining, keylogging, privilege escalation, and stealing information from browsers, and is even known to carry additional payloads, including other RATs like Remcos.

**How to Protect Against Sophisticated Vishing Attacks**

Vishing attacks are becoming ever more psychologically sophisticated, with attackers even resorting to physical intimidation to coerce victims into complying with demands. Training employees on signs of a vishing attack, including staying up to date on the latest tactics, is becoming increasingly important as these attacks escalate.

"Well-informed employees are less likely to fall victim to social engineering attacks, strengthening the organization’s overall security posture," the researchers wrote.

Organizations also should "thoroughly vet third-party technical support providers" to "ensure that any claims of vendor affiliation are directly verified before granting remote access to corporate systems, the researchers wrote. Moreover, they should establish cloud-vetting processes to evaluate and approve remote access tools, such as AnyDesk to assess security compliance and vendor reputation before putting them in use.

Whitelisting approved remote access tools and blocking any unverified applications as well as integrating multifactor authentication (MFA) on remote access tools also reduce "the risk of malicious tools being used to gain control over internal machines," the researchers wrote.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Microsoft Teams Vishing Spreads DarkGate RAT

A list of topics we covered in the week of December 9 to December 15 of 2024

December 13, 2024 - Care1, a Canadian healthcare solutions provider left a cloud storage instance freely accessible and unencrypted for anyone to find.

December 12, 2024 - Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS, Safari, and visionOS.

December 12, 2024 - Senators introduced a bill to stop data brokers from trading in health and location data and enable the FTC to enforce the new rules

December 10, 2024 - TikTok has requested an emergency injunction to stop or postpone the planned ban on the platform in the US.

December 9, 2024 - Authorities were able to intercept the Matrix messaging service’s traffic and monitor criminal activity for three months.

 A week in security (December 9 &#8211; December 15) 

A fraudulent Google ad meant to phish employees for their login credentials redirects them to a fake browser update page instead.

On December 15, we detected a malicious campaign targeting Kaiser Permanente employees via Google Search Ads. The fraudulent ad masquerades as the health care company’s HR portal used to check for benefits, download paystubs and other corporate related tasks.

We believe the threat actors’ intent was to phish KP employees for their login credentials, but something unexpected happened. Instead, victims who clicked on the ad were redirected to a compromised website that prompted them to update their browser.

This notification is part of a malware campaign known as SocGholish that tricks users into running a script supposedly meant to update their browser. Rather, it infects machines and if the victim is deemed important enough, a human operator will gain access in order to perform nefarious actions.

In this blog post, we review how this attack unfolds and why a compromised website derailed the attackers’ plan. We already reported the malicious ad to Google.

Several criminal gangs are currently abusing Google Ads to phish victims of various large companies. They prey on employees simply googling for their HR portal so that they can display a malicious ad to lure them in.

Case in point, when searching for Kaiser Permanente’s HR portal, we saw the following ad:

We were able to identify the advertiser who registered a fake account under the name ‘Heather Black’. This ad was only showed for U.S.-based searches, as can be seen in the Google Ads Transparency Center report:

**Former company’s website hijacked for phishing**

The displayed url shown in the ad (_https://www.bellonasoftware\[.\]com_) does not look associated with Kaiser Permanente. According to LinkedIn, Bellona Software was a company based in Romania. We can see what their website looked like in 2021, using the Internet Archive:

Sometimes more recently, this same website was taken over by criminals who transformed it into a phishing page for Kaiser Permanente:

**Malicious redirect to SocGholish**

It looks like there was more than one cook in the kitchen, as malicious code was also injected in the core JavaScript libraries for that website, confirmed in a scan by Sucuri’s SiteCheck:

When potential victims clicked on the ad, they landed on that compromised website, which in turn briefly displayed the phishing template only for as long as a mouse scroll or click. Then, a new screen appeared with what looks like a Google Chrome notification claiming the user’s browser is out of date:

This screen, also known as SocGholish, is a long running malware campaign that targets vulnerable websites indiscriminately. When a user executes the downloaded _Update.js_ file, they are instead running a malicious script that will collect some of their computer’s information and relay it to a group of criminals. After this fingerprinting takes place, additional tooling such as Cobalt Strike may be downloaded, preparing the ground for a _human on keyboard_ type of attack.

To the best of our knowledge, the phishing campaign has nothing to do with SocGholish, and we assume that the original threat actors did not anticipate for the website they took over to be compromised. As for the gang behind SocGholish, the victims would come from a Google search, something they usually check for via the referer.

**Protecting against web threats**

For victims, neither the phishing scheme nor the malware are a happy outcome. While initially targeted because of what they searched for, they fell into the hands of a different criminal syndicate.

Such is the reality of web threats. This is a dynamic and ever changing landscape with a number of malicious players trying to lure users in their own way.

Online ads, and in particular search ads, continue to be a threat. As we have showed many times on this blog, any brand is at risk of being impersonated. Unfortunately, this trend has continued unabated throughout 2024.

At the same time, ‘old’ malware campaigns like SocGholish pose a risk due to a never ending number of outdated websites ready to be compromised and act as a springboard for malware delivery.

When searching online, we urge to use extreme caution with any sponsored results and if possible add protection to your online browsing experience with tools like Malwarebytes Browser Guard.

We reported the malicious ad to Google and will update this blog if we hear anything back.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Phishing site

bellonasoftware\[.\]com

SocGholish infrastructure

premium\[.\]davidabostic\[.\]com  
riders\[.\]50kfor50years\[.\]com

 Malicious ad distributes SocGholish malware to Kaiser Permanente employees 

Resecurity unveils AI-powered GSOC at NATO Edge 2024, integrating VR for advanced cybersecurity. Tailored for MSSPs, it enhances…

Resecurity unveils AI-powered GSOC at NATO Edge 2024, integrating VR for advanced cybersecurity. Tailored for MSSPs, it enhances threat detection, response, and collaboration globally.

Resecurity, a global leader in cybersecurity solutions, unveiled its advanced Government Security Operations Center (GSOC) during NATO Edge 2024, the NATO Communications and Information Agency’s flagship conference. The solution is also specifically tailored for MSSPs that protect aerospace and defense organizations.

This year’s event, held from December 3 to 5, emphasized emerging technologies in defense, fostering collaboration between governments, academia, and private enterprises. Resecurity’s GSOC harnesses cutting-edge artificial intelligence (AI) through Context AI and innovative virtual reality (VR) capabilities, revolutionizing the future of cybersecurity operations.

Resecurity’s GSOC solution resonated strongly with the event’s goals, demonstrating how advanced AI and VR capabilities could bolster NATO’s cybersecurity infrastructure and address its operational challenges.

****GSOC: A modern approach to cybersecurity****

The **Government Security Operations Center (GSOC)** is a centralized hub for cybersecurity monitoring, threat detection, and response coordination. Resecurity’s GSOC leverages **AI and VR** to address the increasing complexity of cybersecurity operations by enabling real-time insights, collaboration, and action.

****SOC solution powered by AI****

Context AI is at the core of Resecurity’s GSOC, an advanced AI-powered engine designed to revolutionize how security events are analyzed and managed. Context AI integrates machine learning, predictive analytics, and data visualization to deliver unparalleled capabilities in cybersecurity operations:

*   **Real-time threat analysis**: Resecurity quickly and precisely identifies suspicious activities and potential vulnerabilities by processing and correlating data from numerous sources, including threat intelligence feeds, network logs, and endpoint devices.
*   **Enhanced decision-making**: Context AI by Resecurity employs natural language processing (NLP) and machine learning to generate actionable insights, enabling operators to make faster, more informed decisions.
*   **Scalability and automation**: The SOC platform automates repetitive tasks such as alert triaging, allowing cybersecurity professionals to focus on complex, high-priority incidents.

By integrating Context AI into GSOC, Resecurity addresses the critical challenges faced by traditional SOCs, such as **overwhelming alert volumes** and false positives, ensuring efficient operations even under significant stress.

****VR and the Cybersecurity Metaverse****

A standout feature of the GSOC is its integration of virtual reality (VR), enabling operators to leverage the cybersecurity metaverse for enhanced situational awareness, threat management, and collaboration. The use of VR offers a unique and immersive way to interact with cybersecurity data and operational environments:

**1\. Immersive threat visualization**: Operators can explore attack surfaces, breach points, and threat vectors in a dynamic, 3D virtual space. This visualization provides a holistic view of cybersecurity events that are often impossible to achieve with traditional tools.

**2\. Collaborative incident response**: In the VR environment, multiple operators, regardless of geographic location, can collaborate in real-time to simulate, analyze, and respond to cyber incidents. These foster improved communication and coordination, which are critical for national and allied security operations.

**3\. Advanced training simulations**: VR environments allow GSOC personnel to train in realistic scenarios, such as handling ransomware attacks or defending against state-sponsored cyber intrusions. These simulations provide operators with hands-on experience in a controlled yet realistic setting, improving their readiness for real-world incidents.

By integrating VR, GSOC goes beyond conventional dashboards and interfaces, creating a more intuitive and interactive approach to managing cybersecurity threats.

****The role of GSOC in national security****

Resecurity’s GSOC is designed to serve as a comprehensive cybersecurity framework for governments and allied organizations. It enables a **centralized approach to security operations**, ensuring real-time monitoring and response capabilities across agencies and infrastructure.

Key benefits of the GSOC include:

*   **Unified security monitoring**: By consolidating security operations, GSOC provides a holistic view of all potential threats across critical systems, such as energy grids, transportation networks, and communication platforms.
*   **Threat intelligence aggregation**: The GSOC collects and processes threat intelligence from various public and private sources, enabling governments to stay ahead of emerging threats.
*   **Cross-agency collaboration**: Governments can use GSOC to coordinate cybersecurity efforts between multiple agencies, ensuring cohesive and timely responses to incidents.

NATO Edge 2024 emphasized the importance of leveraging advanced technologies, such as AI and VR, to bolster member states’ defense capabilities.

****The future of GSOC: Driving cybersecurity innovation****

Resecurity’s GSOC is not just a technological solution; it represents a paradigm shift in how governments and organizations approach cybersecurity. The integration of AI and VR is just the beginning of what GSOCs can achieve in the future.

*   **Evolving AI applications**: Advances in AI, such as predictive analytics and autonomous systems, will enable GSOCs to anticipate and neutralize threats before they materialize.
*   **Expanding VR capabilities**: The use of VR in GSOCs will extend beyond training and visualization, incorporating augmented reality (AR) tools for field operatives and remote teams.
*   **International collaboration**: GSOCs will play a key role in fostering global partnerships, allowing nations to pool resources, share intelligence, and build collective defense strategies.

****About Resecurity****

Resecurity® is a cybersecurity company that delivers a unified endpoint protection, fraud prevention, risk management, and cyber threat intelligence platform. Known for providing best-of-breed data-driven intelligence solutions, Resecurity’s services and platforms focus on early-warning identification of data breaches and comprehensive protection against cybersecurity risks.

Founded in 2016, it has been globally recognized as one of the world’s most innovative cybersecurity companies with the sole mission of enabling organizations to combat cyber threats regardless of how sophisticated they are.

Most recently, Resecurity was named one of the Top 10 fastest-growing private cybersecurity companies in Los Angeles, California, by Inc. Magazine. An Official Partner of the Cybercrime Atlas by the World Economic Forum (WEF), a Member of InfraGard National Members Alliance (INMA), AFCEA, NDIA, SIA, FS-ISAC, Cloud Security Alliance (CSA), and the American Chamber of Commerce in Saudi Arabia (AmChamKSA), Singapore (AmChamSG), Korea (AmChamKorea), Mexico (AmChamMX), Thailand (AmChamThailand), and UAE (AmChamDubai).

****Contact****

**Mills**

**Peter**

**Resecurity, Inc.**

**\[email protected\]**

Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024

The security system that underlies the internet makes use of a curious fact: You can broadcast part of your encryption to make your information much more secure.

If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. Please also consider subscribing to WIRED

_The original version of_ _this story_ _appeared in Quanta Magazine._

For thousands of years, if you wanted to send a secret message, there was basically one way to do it. You’d scramble the message using a special rule, known only to you and your intended audience. This rule acted like the key to a lock. If you had the key, you could unscramble the message; otherwise, you’d need to pick the lock. Some locks are so effective they can never be picked, even with infinite time and resources. But even those schemes suffer from the same Achilles’ heel that plagues all such encryption systems: How do you get that key into the right hands while keeping it out of the wrong ones?

The counterintuitive solution, known as public key cryptography, relies not on keeping a key secret but rather on making it widely available. The trick is to also use a second key that you never share with anyone, even the person you’re communicating with. It’s only by using this combination of two keys—one public, one private—that someone can both scramble and unscramble a message.

To understand how this works, it’s easier to think of the “keys” not as objects that fit into a lock, but as two complementary ingredients in an invisible ink. The first ingredient makes messages disappear, and the second makes them reappear. If a spy named Boris wants to send his counterpart Natasha a secret message, he writes a message and then uses the first ingredient to render it invisible on the page. (This is easy for him to do: Natasha has published an easy and well-known formula for disappearing ink.) When Natasha receives the paper in the mail, she applies the second ingredient that makes Boris’ message reappear.

In this scheme, anyone can make messages invisible, but only Natasha can make them visible again. And because she never shares the formula for the second ingredient with anyone—not even Boris—she can be sure the message hasn’t been deciphered along the way. When Boris wants to receive secret messages, he simply adopts the same procedure: He publishes an easy recipe for making messages disappear (that Natasha or anyone else can use), while keeping another one just for himself that makes them reappear.

In public key cryptography, the “public” and “private” keys work just like the first and second ingredients in this special invisible ink: One encrypts messages, the other decrypts them. But instead of using chemicals, public key cryptography uses mathematical puzzles called trapdoor functions. These functions are easy to compute in one direction and extremely difficult to reverse. But they also contain “trapdoors,” pieces of information that, if known, make the functions trivially easy to compute in both directions.

One common trapdoor function involves multiplying two large prime numbers, an easy operation to perform. But reversing it—that is, starting with the product and finding each prime factor—is computationally impractical. To make a public key, start with two large prime numbers. These are your trapdoors. Multiply the two numbers together, then perform some additional mathematical operations. This public key can now encrypt messages. To decrypt them, you’ll need the corresponding private key, which contains the prime factors—the necessary trapdoors. With those numbers, it’s easy to decrypt the message. Keep those two prime factors secret, and the message will stay secret.

Illustration: Mark Belan/_Quanta Magazine_

The foundations for public key cryptography were first discovered between 1970 and 1974 by British mathematicians working for the U.K. Government Communications Headquarters, the same government agency that cracked the Nazi Enigma code during World War II. Their work (which remained classified until 1997) was shared with the US National Security Agency, but due to limited and expensive computing capacity, neither government implemented the system. In 1976, the American researchers Whitfield Diffie and Martin Hellman discovered the first publicly known public key cryptography scheme, influenced by the cryptographer Ralph Merkle. Just a year later, the RSA algorithm, named after its inventors Ron Rivest, Adi Shamir and Leonard Adleman, established a practical way to use public key cryptography. It’s still in wide use today, a fundamental building block of the modern internet, enabling everything from shopping to web-based email.

This two-key system also makes possible “digital signatures”—mathematical proof that a message was generated by the holder of a private key. This works because private keys can be used to encrypt messages too, not just decrypt them. Of course, this is useless for keeping messages secret: If you used your private key to scramble a message, anyone could just use the corresponding public key to unscramble it. But it does prove that you, and only you, created the message, since as the holder of the private key, only you could have encrypted the message. Cryptocurrencies like bitcoin couldn’t exist without this idea.

If two cryptographic keys instead of one is so effective, why did it take millennia to discover? According to Russell Impagliazzo, a computer scientist and cryptography theorist at the University of California, San Diego, the concept of a trapdoor function just wasn’t useful enough before the invention of computers.

“It’s a matter of technology,” he said. “A person in the 19th century thought of encryption as being between individual agents with military intelligence in the field—literally, in a field with guns firing. So if your first step is ‘pick two 100-digit prime numbers to multiply together,’ the battle is going to be over before you do that.” If you reduce the problem to something a human can do quickly, it’s not going to be terribly secure.

But while computers helped make public key cryptography possible, they’ve also created cracks in its armor. In 1994, the mathematician Peter Shor discovered a way for quantum computers to efficiently reverse the trapdoor functions that underlie most current public key cryptography systems, including prime factorization. This algorithm, if implemented, would act like an all-purpose “reappearing ink,” capable of making any invisible message reappear. Goodbye, internet security.

Luckily, quantum computers themselves are “still in the ENIAC phase,” Impagliazzo said, referring to the room-size machine built for the US Army in 1945. By the time quantum computers become sophisticated enough to pose a real threat to public key cryptography, its original trapdoor functions could be replaced by “quantum-safe” versions called lattice problems. Of course, this new computational “ink” may also become susceptible to attack in the future. But that’s the great thing about public key cryptography: As long as we can find new functions to use, we can just keep reinventing the wheel. Or in this case, the key.

_Original story_ _reprinted with permission from Quanta Magazine, an editorially independent publication of the_ _Simons Foundation_ _whose mission is to enhance public understanding of science by covering research developments and trends in mathematics and the physical and life sciences._

Tag

#mac