Plus: Russian spies keep hijacking other hackers’ infrastructure, Hydra dark web market admin gets life sentence in Russia, and more of the week’s top security news.

A consortium of global law enforcement agencies led by Britain’s National Crime Agency announced a takedown operation this week against two major Russian money-laundering networks that process billions of dollars each year in more than 30 locations around the world. WIRED had exclusive access to the investigation, which uncovered new and troubling laundering techniques, particularly schemes to directly change cryptocurrency for cash. As the United States government scrambles to address China’s “Salt Typhoon” digital espionage campaign into US telecoms, two senators demanded this week that the Department of Defense investigate its failure to secure its own communications and address known vulnerabilities in US telecom infrastructure. Meanwhile, Signal Foundation president Meredith Whittaker spoke at WIRED’s The Big Interview event in San Francisco this week about Signal’s enduring commitment to bring private, end-to-end encrypted communication services to people all over the world regardless of geopolitical climate.

A new smartphone scanner from the mobile device security firm iVerify can quickly and easily detect spyware and has already flagged seven devices infected with the invasive Pegasus surveillance tool. Programmer Micah Lee built a tool to help you save and delete your X posts after he offended Elon Musk and was banned from the platform. And privacy advocate Nighat Dad is fighting to protect women from digital harassment in Pakistan after escaping from an abusive marriage.

The US Federal Trade Commission is targeting data brokers who it says unlawfully tracked protesters and US military personnel, but the enforcement efforts seem likely to trail off under the Trump administration. Similarly, the US Consumer Financial Protection Bureau has devised a strategy to impose new oversight on predatory data brokers, but the new administration may not continue the initiative. Some new laws are finally coming around the world in 2025 that will attempt to regulate the dysfunction of the digital advertising industry, but malicious advertising is still booming around the world and continues to play a big role in global scamming.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in-depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**US Officials Urge Americans to Encrypt Calls and Texts After Chinese Telecom Hacking**

Remember how the US federal government spent much of the last three decades periodically decrying the dangers of strong, freely available encryption tools, arguing that because they enable criminals and terrorists, they should be outlawed or required to implement government-approved backdoors? As of this week, the government will never again be able to make that argument without privacy advocates pointing to a particular phone call where two officials recommended Americans use exactly those encryption tools to protect themselves amidst an ongoing massive breach of US telecoms by Chinese hackers.

In a briefing with reporters about the breach of no fewer than eight phone companies by the Chinese state-sponsored espionage hackers known as Salt Typhoon, officials from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI both said that amid the still-uncontrolled infiltration of US telecoms that have exposed calls and texts, Americans should use encryption apps to safeguard their privacy. “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication,” said Jeff Greene, CISA’s executive assistant director for cybersecurity. (Signal and WhatsApp, for instance, end-to-end encrypt calls and texts, though the officials didn’t name any particular apps.)

The recommendation amid what one senator has called “the worst telecom hack in our nation’s history” represents a stunning reversal from previous US officials’ rhetoric on encryption, and in particular the FBI’s repeated calls for access to backdoors in encryption. In fact, it was exactly this sort of government-approved wiretap capability requirement for US telecoms that the Salt Typhoon hackers in some cases exploited to access Americans communications.

**Russia’s FSB Hackers Keep Hijacking Other Hackers’ Infrastructure for Spying**

The hacker group known as Secret Blizzard, Snake, or Turla, widely believed to work for Russia’s FSB intelligence agency, is known for using some of the most ingenious hacking techniques ever seen to spy on its victims. One of the tricks that’s now become its signature move: hacking the infrastructure of other hackers to stealthily piggyback on their access. This week Microsoft’s threat intelligence researchers and security firm Lumen Technologies revealed that Turla gained access to the servers of a Pakistan-based hacker group and used its visibility into victim networks to spy on government, military and intelligence targets in India and Afghanistan of interest to the Kremlin. In some cases, Turla hijacked the Pakistani hackers’ access to install their own malware, while in other instances they appear to have used the other group’s tools for even greater stealth and deniability. The incident marks the fourth known time since 2017, when it penetrated an Iranian hacker group’s command-and-control servers, that Turla has freeloaded on another hacker group’s infrastructure and tooling, according to Lumen.

**Admin of Russian Dark Web Market Hydra Sentenced to Life in Prison**

The Russian government is known for turning a blind eye to cybercrime—until it doesn’t. This week 15 convicted members of the notorious dark web market Hydra learned the limits of that forbearance when they reportedly received prison sentences ranging from 8 years to 23 years, as well an unprecedented life sentence for the site’s creator Stanislav Moiseyev. Before it was taken down two years ago in a law enforcement operation led by IRS criminal investigators in the US and Germany’s BKA police agency, Hydra was a uniquely sprawling dark web marketplace, one that not only served as the post-Soviet world’s biggest online bazaar for narcotics but also a vast money laundering machine for crimes including ransomware, scams, and sanctions evasion. In total, Hydra enabled more than $5 billion dollars in dirty cryptocurrency transactions since 2015, according to crypto tracing firm Elliptic.

**Suspected Ransomware Actor “Wazawaka” Reportedly Charged and Apprehended by Russia**

Russian law enforcement charged and arrested a software developer last week who is suspected of prolific contributions to multiple ransomware groups, including building malware to extort money from businesses and other targets. The suspect is reportedly Mikhail Matveev, or “Wazawaka,” who has worked as an affiliate with ransomware gangs like Conti, LockBit, Babuk, DarkSide, and Hive. Social media reports indicate that Matveev confirmed his indictment and said that he has been released from law enforcement custody on bail.

Russia’s prosecutor general did not name Matveev, but described charges last week against a 32-year-old hacker under Article 273 of Russia’s Criminal Code, which bans the creation or use of malware. The move came as Russia seemed to be sending some sort of message about its tolerance for cybercrime with the sentencing of the dark web marketplace Hydra’s staff, including a life sentence for its administrator. In 2023, the US government indicted and sanctioned Matveev.

**FBI Is Investigating Exxon Lobbyist Firm Over Hack-and-Leak Operation Targeting Activists**

In a disturbing scoop (one we didn’t cover last week due to the Thanksgiving holiday), Reuters reporters have revealed that the FBI is now investigating a lobbying consultancy hired by Exxon over the firm’s role in a hack-and-leak operation that targeted climate change activists. DCI Group, a lobbying firm hired at the time by Exxon, allegedly gave a list of target activists to a private investigator who then outsourced a hacking operation against those targets to mercenary hackers. After the private investigator—an Israeli man named Amit Forlit, who was later arrested in London and faces US hacking charges—allegedly gave the hacked material to DCI, it leaked the activists’ internal communications about climate change litigation against Exxon to the media, Reuters discovered. The FBI, according to Reuters, has determined that DCI also first previewed that material to Exxon before leaking it. “Those documents were directly employed by Exxon to come after me with all guns blazing,” one attorney working with the activist group, the Center for Climate Integrity, told Reuters. “It turned my life upside down.”

Exxon has denied knowing about any hacking activities and DCI told Reuters in a statement that “we direct all our employees and consultants to comply with the law.”

US Officials Recommend Encryption Apps Amid Chinese Telecom Hacking

Cybersecurity researchers have warned of a new scam campaign that leverages fake video conferencing apps to deliver an information stealer called Realst targeting people working in Web3 under the guise of fake business meetings.
"The threat actors behind the malware have set up fake companies using AI to make them increase legitimacy," Cado Security researcher Tara Gould said. "The company

Hackers Using Fake Video Conferencing Apps to Steal Web3 Professionals' Data

The activity-recording capability has drawn concerns from the security community and privacy experts, but the tech giant is being measured in its gradual rollout, which is still in preview mode.

Source: Pictorial Press Ltd via Alamy Stock Photo

NEWS BRIEF

Microsoft has expanded access for its Windows Recall feature to Copilot+ PCs that use AMD and Intel chipsets, after initially offering it to users with Snapdragon-powered machines. And, it has now launched in Europe.

The launch is part of a gradual rollout that for now is in a preview phase within the Windows Insiders testing community.

Recall is an AI-powered feature that allows PC users to record everything they do on their computers, and then go back to a desired "snapshot" of activity later. It's a useful tool, as Microsoft pointed out in its expansion announcement on Dec. 6: "It's now possible to quickly find and get back to apps, websites, images, or documents just by describing its content." But the capability also has sparked ongoing concerns about privacy and data security (Microsoft keeps and hosts the recorded content in the cloud), as well as the potential for the feature to be compromised and used for cyber-espionage ends.

The tech giant appears to be taking those concerns seriously; in June, it beefed up its planned privacy and security features for Recall, including data encryption, turning Recall off by default, and requiring users to enroll in Windows Hello biometrics authentication to prove they're present at the keyboard as recording is happening. It also added it to its bug bounty program to track down exploitable security vulnerabilities.

Microsoft has taken its time with the launch in light of the concerns; after being set to go live in June, Redmond pushed the release date for Recall back to October, and then to November, when it finally became available in limited release.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Microsoft Expands Access to Windows Recall AI Feature

The new film about an FBI agent chasing a white supremacist terror cell is based on a true story—and one that connects the headlines of 30 years ago to those of today.

In _The Order,_ director Justin Kurzel’s electric new film, Terry Husk, a haggard, possessed FBI veteran played by Jude Law, pores over a thin paperback with a blood-red cover, paging through diagrams of targeted killings, bombings, and a gallows erected in front of the United States Capitol.

“There are six steps in that book,” says a young sheriff deputized as his assistant, played by Tye Sheridan. He gives the Cliff Notes version as he scours the book, his eyes riveted.

“Recruiting,” he says. “Fundraising. Armed revolution. Domestic terror. Assassination.

“Number six is the day of the rope.”

The book is _The Turner Diaries_, a 1978 novel that depicts the violent overthrow of the American government by armed white supremacist insurgents and the extermination of people of color and Jews in a race war. Photocopied pages from it were found in Oklahoma City bomber Timothy McVeigh’s getaway car when he was apprehended by law enforcement.

Along with Husk and Bob Mathews—the founder of a murderous underground white supremacist guerrilla outfit that counterfeited money and robbed banks and armored cars, played by Nicholas Hoult—_The Turner Diaries_ is the third major character in _The Order_. Though Mathews formally named his group the Silent Brotherhood and claimed he took little inspiration from William Luther Pierce’s incendiary novel, he and his comrades did refer to their group as “The Order”—the same term used in the book for the protagonist’s genocidal militants.

The book’s crimson cover and lurid drawings resurface time and time again. Mathews reads excerpts to his young son before bedtime; a pastor at a neo-Nazi compound in Idaho proffers it to visiting law enforcement agents; and it turns up in the hands of FBI agents desperately seeking to plot out the insurgents’ next moves.

_The Order_ unearths a critical chapter in the history of the American extreme right largely forgotten by the general public. The murder of Jewish talk radio host Alan Berg in 1984 by two of Mathews’ acolytes brought the Order to national attention 30 years ago and inspired not one but two Hollywood films in that decade—_Betrayed_ and Oliver Stone’s _Talk Radio_. Since then, though, only close observers of prison gang and skinhead culture have had cause to track mentions of the Silent Brotherhood by tweaked-out Aryan Brotherhood killers or the annual “Martyrs Day” pilgrimage of Hammerskins from across the West Coast to Whidbey Island in the Puget Sound, where Mathews met his fiery death during a shootout with the FBI.

Now, as the country ponders a return to the 2016-2020 period, when Mathews’ ideological offspring ran riot from Oregon to Washington, DC, his saga is getting marquee billing.

While the film debuts almost a full decade into the American extreme right’s current revival, screenwriter Zach Baylin and producer Bryan Haas began developing the project back in 2016, before the deadly 2017 Unite the Right rally in Charlottesville, Virginia. Baylin tells WIRED that he and Haas stumbled on _The Turner Diaries_ while researching Ruby Ridge, the 1990s militia movement, and McVeigh (who slept with the book under his pillow) and casting around for a lesser-known story to explore the origins of American extremism.

“We were looking to encase the story of one of these groups inside a classic crime thriller,” Baylin says. They stumbled across _The Silent Brotherhood_, a 1989 book by reporters Kevin Flynn and Gary Gerhardt that traced the entire arc of Mathews’ crime spree, from his teenage radicalization through the John Birch Society and Phoenix militias all the way through his death and the subsequent criminal trials of his followers.

“The crimes the Order committed and the way the investigation unfolded, it had the framework of the kind of film that we’d been talking about,” he said.

Flynn and Gerhart’s book, which began with their coverage of Berg’s assassination in his driveway and followed the Order’s saga through the federal pursuit, investigation, and prosecution, is remarkably detailed. Once members of the group were up for trial, Flynn and Gerhart spent hours interviewing them in the Arapahoe County jail, gathering priceless material that allowed them to reconstruct the terrorist group’s inner workings in minute detail. Readers of the book, which is back in print (with a new title) after three decades off the shelves, will note the film’s fidelity to life, particularly in the robbery and heist scenes. However, for Flynn and Gerhardt—who died in 2015—the minutiae of Mathews’ terror campaign were a mechanism to engage audiences with a deeper, darker reality.

“We didn’t write the book for the details. We wrote it to expose the banality of evil, so readers could understand where these folks come from and how endemic it is in American society,” says Flynn, who reported for the Rocky Mountain News for nearly three decades before it shuttered in 2009. Since 2015, he has served as a city councilman in Denver.

_The Order_ is the sort of film America does not produce anymore. Its taut action scenes hearken back to _Heat_, _To Live and Die in L.A._, _The French Connection_, and Sidney Lumet’s police corruption canon (_Serpico_, _Prince of the City_, _Q&A_); the droning soundtrack does not overwhelm viewers; and Adam Arkapaw’s washed-out cinematography encapsulates both the grandeur and the intimidating solitude of the interior Pacific Northwest. The dialog is sparing, direct, and—in spite of Mathews’ grandiose promises of a renewed whites-only bastion in the Pacific Northwest—remarkably free of proselytizing.

For a movie shot in such wide-open landscapes, _The Order_ is tinged through with claustrophobia, a testament to the tension rife throughout Baylin’s writing and Kurzel’s meticulous direction. Like Al Pacino and Robert DeNiro in Michael Mann’s _Heat_, Hoult and Law only come face to face with each other a few times before their penultimate confrontation. However, Kurzel had both actors follow each other for a day and compile dossiers on their opposite number to develop a granular sense of how a manhunt actually functions.

“I wanted them to ask themselves, what does that feel like having a relationship with someone you’re trying to take down? You’re living with a phantom, in a way,” Kurzel says.

Law, whose slow-burn performance is unlike any prior role from his four decades on stage and screen, says the similarities between Husk and Mathews as two opposites of the same coin are at the core of _The Order_’s dramatic tension.

“They’re more alike than they’d ever admit—both are driven, charismatic, and know exactly how to manipulate those around them to achieve their goals,” he says. “Nicholas and I really leaned into that symmetry during our scenes together. It’s almost like they’re looking into a dark mirror—each recognizing qualities in the other that they either admire or fear. That underlying connection adds layers to their conflict, making it not just a clash of ideologies but also a deeply personal battle. It was fascinating to explore that tension with Nicholas.”

Mathews’ brief campaign of armed insurgency and domestic terrorism has continued to inspire generations of extremists in the United States and beyond, from McVeigh and the neo-Nazi bankrollers of the Aryan Republican Army to the killers of Germany’s National Socialist Underground, all the way through to contemporary groups like Atomwaffen Division, the Base and the Terrorgram Collective. The latter group, which federal law enforcement believes to be a “bold-letter, category one” domestic terrorism threat, circulates voluminous propaganda booklets that meld the ethos of _The Turner Diaries_ with Ted Kaczynski’s anti-industrial-civilization ethos and neo-Nazi occultism.

Terrorgram’s materials, which include viable bomb-making instructions, camouflage and tactical guides, and instructions on how to disable critical infrastructure like electrical substations, water treatment plants and dams, have radicalized at least one so-called “saint,” or mass shooter, and are alleged to have been connected to a series of power grid attacks in North Carolina as well as several active federal prosecutions.

“William Pierce doesn’t build bombs,” Mark Potok of the Southern Poverty Law Center, told Rolling Stone a quarter of a century ago. “He builds bombers.” In many ways, the Terrorgram Collective fulfills the same role now, and its publications have become the modern-day version of the _Turner Diaries_. Disseminated worldwide through the moderation-free wilderness of Telegram, the group’s message of hate and violence is now circulating independently of any organized group or ideology for disaffected, unbalanced “lone wolves” to latch onto as justification for future atrocities.

While _The Order_ remains firmly rooted in the past save for one passing reference to the 1995 Oklahoma City bombing in a title card, during production there was no escaping the drumbeat of resurgent far-right militancy in the United States. Kurzel, the director, recalls watching news coverage of the January 6 insurrection and remarking on the gallows erected outside the Capitol building—a drawing of which features in the book and the exposition scene with law. “_The Turner Diaries_ started to become more visible in a present-day setting in a way I was kind of shocked by,” he says, speaking to WIRED from his Tasmania residence. Indeed, following January 6, Amazon removed _The Turner Diaries_ from its online inventory.

Hoult’s bravura portrayal of an ice-cool, controlled yet menacing Mathews through the Order’s campaign of armed robbery, counterfeiting, murder, and armed confrontation with the FBI is one of the film’s dual anchors. Aside from a striking physical resemblance to the Silent Brotherhood’s founder, Hoult closely studied his subject, aping Mathews’ mannerisms and movements from old documentary footage, studying texts that radicalized his subject, lifting weights, and cutting alcohol from his diet.

“Mathews was someone who thought and planned so in advance of what his ultimate goal was, I think he always kept in sight. That’s something Justin and I spoke about, that he wouldn’t lose his head on trivial things or things that would potentially harm his cause. In his mind, he’d already, in some ways, planned his destiny,” Hoult tells WIRED.

By choosing to play Mathews with reserve instead of bombast, as more of a watcher who carefully observes his surroundings and other people to better understand how to turn situations to his advantage, Hoult aimed to show audiences how someone with the charisma of his villain could attract followers and build a movement.

“I think that shows how they penetrate communities and societies in a different way, and perhaps people in the future might be less susceptible to people who behave like him,” he says.

As with any artistic project that focuses on extremism and mass violence, _The Order_’s production team walked a fine line between showing Mathews’ magnetism and the murderous project at the heart of his ideology and actions.

“I think you need to understand the pull of a figure like this,” says Kurzel, whose prior films _Snowtown_ and _Nitram_ depicted, respectively, youthful serial killers and Australia’s worst mass shooting, the 1996 Port Arthur massacre. “Mathews is definitely someone who understands their reach and how to communicate and gather people. There’s gonna be a certain kind of charisma about that.”

Haas, one of the film’s producers, echoed Kurzel's remarks about art pushing the boundaries of acceptability. “It felt like part of the movie was to show the appeal of Bob. He was someone who had charisma, and that tied to these really toxic ideas is really dangerous,” Haas says, praising the “unrelenting realism” the cast brought to their performances.

Ultimately, the hope of slipping an unsparing portrayal of domestic extremism—produced outside of the Hollywood studio system—into the December award season is to reintroduce a discussion of radicalization to American society. “If you don’t learn from history, you’re doomed to repeat it—how a guy that, in the way Nick depicted him, could live down anybody’s street,” says Haas. “There are lots of people right now who are hurting and struggling and looking for answers.”

_Updated: 12/6/2024 4:01 pm EST: This story was updated to clarify which character reads out six steps given in_ The Turner Diaries.

The Real Story of “The Order”

Cybersecurity researchers have disclosed multiple security flaws impacting open-source machine learning (ML) tools and frameworks such as MLflow, H2O, PyTorch, and MLeap that could pave the way for code execution.
The vulnerabilities, discovered by JFrog, are part of a broader collection of 22 security shortcomings the supply chain security company first disclosed last month.
Unlike the first

Researchers Uncover Flaws in Popular Open-Source Machine Learning Frameworks

We are excited to introduce LLMail-Inject, a new challenge focused on evaluating state-of-the-art prompt injection defenses in a realistic simulated LLM-integrated email client. In this challenge, participants assume the role of an attacker who sends an email to a user. The user then queries the LLMail service with a question (e.

  

We are excited to introduce LLMail-Inject, a new challenge focused on evaluating state-of-the-art prompt injection defenses in a realistic simulated LLM-integrated email client. In this challenge, participants assume the role of an attacker who sends an email to a user. The user then queries the LLMail service with a question (e.g., “please summarize the last emails about project X”), which prompts the retrieval of relevant emails from a simulated email database. The inclusion of the attacker’s email in these retrievals varies depending on the scenario. The LLMail service is equipped with tools, and the attacker’s objective is to manipulate the LLM into executing a specific tool call as defined by the challenge design, while bypassing the prompt injection defenses in place. The challenge contains several scenarios that require the attacker to ensure that their email is retrieved by the client under certain conditions. Teams with the highest scores will win awards from a total pool of $10,000 USD. 

Since this challenge takes place in a simulated environment, submissions will not be part of Microsoft’s Zero Day Quest. However, since this is a realistic environment, the prompt injection techniques you develop might be applicable to real systems. We encourage you to apply your learnings from this challenge and participate in the Zero Day Quest!  

**What are Prompt Injection Attacks (PIA)?**

In prompt injection attacks against large language models (LLMs), an attacker crafts a specific input (prompt) designed to manipulate the behavior of the model in unintended ways. In such attacks, the attacker exploits the model’s ability to follow instructions embedded within text inputs. By embedding possibly malicious instructions within the input data, the attacker aims to bypass the model’s intended functionality, often to execute unauthorized commands, leak sensitive information, or manipulate outputs. Understanding and defending against prompt injection attacks is crucial for maintaining the security and reliability of LLM-based systems. 

**How does PIA work?**

Prompt injection attacks work by exploiting the inherent design of LLMs, which are trained to follow instructions and generate coherent and contextually appropriate responses based on the input they receive. Attackers craft inputs that include injected commands, which the model then interprets and executes as part of its response generation process. These commands can be embedded in various ways, such as through straight-forward instructions, cleverly phrased questions, statements, or code snippets that the model processes without recognizing them as injected instructions. For instance, an attacker might insert a command within a seemingly benign email message that tricks the model into performing actions like unauthorized data access or executing specific functions. The success of these attacks hinges on the model’s lack of context about the legitimacy of the instructions embedded in the input, making it crucial for developers to implement robust defenses and validation mechanisms to detect and mitigate such manipulative inputs. 

**What are the challenge scenarios and levels in LLMail-Inject?**

The LLMail-Inject challenge is structured into various scenarios based on retrieval configurations and the attacker’s objectives, resulting in a total of 40 levels. Each level is a unique combination of Retrieval-Augmented Generation (RAG) configuration, an LLM (GPT-4o mini or Phi-3-medium-128k-instruct), and a specific defense mechanism. 

Each level and scenario in LLMail-Inject tests different aspects of the LLM’s ability to withstand prompt injection attacks and aims to highlight the importance of robust defense mechanisms. 

**What defenses are included in LLMail-Inject?**

Despite prompt injection attacks being relatively new, researchers have already proposed several defenses to mitigate their effect. The LLMail-Inject challenge incorporates various state-of-the-art defenses to test the robustness of LLMs against prompt injection attacks. These include: 

*   Spotlighting \[1\]: A preventative defense that “marks” data (as opposed to instructions) that is provided to an LLM using methods like adding special delimiters, encoding data (e.g., in base64), or marking each token in the data with a special preceding token. 
    
*   PromptShield \[2\]: A black-box classifier designed to detect prompt injections, ensuring that malicious prompts are identified and mitigated. 
    
*   LLM-as-a-judge: This defense uses an LLM to detect attacks by evaluating prompts instead of relying on a trained classifier. 
    
*   TaskTracker \[3\]: Based on analyzing the model’s internal states to detect task drift, this defense extracts activations when the user first prompts the LLM and again when the LLM processes external data. It then contrasts these activation sets to detect drift via a linear probe on the activation deltas. 
    
*   Combination of all: A variant in the challenge where multiple defenses are stacked together, requiring an attack to evade all defenses simultaneously with a single prompt. 
    

**How do I participate?**

To participate in the LLMail-Inject challenge, please follow the instructions below and visit the official challenge website at LLMail-Inject.  

1.  Create a team by signing in with your GitHub account.  
    
2.  Start playing! You can make a submission through the website UI or programmatically via our competition API. 
    

If using the API for programmatic submissions: 

*   We have API documentation on the website and your API key is already injected into the example Python client. 
    
*   Your API key is also available on your user profile page. 
    
*   We have rate limits in place to ensure a great experience for all participants. The website also provides comprehensive information on how to get started, including how to configure your environment and submit your entries. This setup ensures that participants can easily join the competition and contribute, regardless of their level of experience or preferred method of interaction. 
    

**Scoring, winners, and awards**

The Contest starts at 11:00 a.m. Coordinated Universal Time (UTC) on December 9, 2024, and ends at 11:59 a.m. UTC on January 20, 2025 (“Entry Period”). If at least 10% of the levels have not been solved by at least four (4) teams on the end date listed above, we may opt to extend the challenge. Check LLMail-Inject for any updates to the schedule. 

Throughout the event, a live scoreboard will be displayed (here along with the scoring details). The challenge has a total prize pool of $10,000 USD, with awards distributed as follows:  

*   $4,000 USD for the top team 
    
*   $3,000 USD for the second-place team 
    
*   $2,000 USD for the third-place team 
    
*   $1,000 USD for the fourth-place team.  
    

The winning teams will be invited to co-present with the organizers at the IEEE Conference on Secure and Trustworthy Machine Learning (SaTML) 2025.  

**References**

\[1\] Keegan Hines et al. Defending Against Indirect Prompt Injection Attacks With Spotlighting 

\[2\] Azure AI announces Prompt Shields for Jailbreak and Indirect prompt injection attacks 

\[3\] Sahar Abdelnabi et al. Are you still on track!? Catching LLM Task Drift with Activations 

_This challenge is co-organized by Aideen Fay\*, Sahar Abdelnabi\*, Benjamin Pannell\*, Giovanni Cherubin\*, Ahmed Salem, Andrew Paverd, Conor Mac Amhlaoibh, Joshua Rakita, Santiago Zanella-Beguelin, Egor Zverev, Mark Russinovich, and Javier Rando_

(\*: Core contributors).

Announcing the Adaptive Prompt Injection Challenge (LLMail-Inject) 

Researchers testing generative AI systems can use prompt injection, re-register after being banned, and bypass rate limits without running afoul of copyright law.

Source: Vitalii Vodolazskyi via Shutterstock

In a net positive for researchers testing the security and safety of AI systems and models, the US Library of Congress ruled that certain types of offensive activities — such as prompt injection and bypassing rate limits — do not violate the Digital Millennium Copyright Act (DMCA), a law used in the past by software companies to push back against unwanted security research.

The Library of Congress, however, declined to create an exemption for security researchers under the fair use provisions of the law, arguing that an exemption would not be enough to provide security researchers safe haven.

Overall, the triennial update to the legal framework around digital copyright works in the security researchers' favor, as does having clearer guidelines on what is permitted, says Casey Ellis, founder and adviser to crowdsourced penetration testing service BugCrowd.

"Clarification around this type of thing — and just making sure that security researchers are operating in as favorable and as clear an environment as possible — that's an important thing to maintain, regardless of the technology," he says. "Otherwise, you end up in a position where the folks who own the \[large language models\], or the folks that deploy them, they're the ones that end up with all the power to basically control whether or not security research is happening in the first place, and that nets out to a bad security outcome for the user."

Security researchers have increasingly gained hard-won protections against prosecution and lawsuits for conducting legitimate research. In 2022, for example, the US Department of Justice stated that its prosecutors would not charge security researchers with violating the Computer Fraud and Abuse Act (CFAA) if they did not cause harm and pursued the research in good faith. Companies that sue researchers are regularly shamed, and groups such as the Security Legal Research Fund and the Hacking Policy Council provide additional resources and defenses to security researchers pressured by large companies.

In a post to its site, the Center for Cybersecurity Policy and Law called the clarifications by the US Copyright Office "a partial win" for security researchers — providing more clarity but not safe harbor. The Copyright Office is organized under the Library of Congress's purview.

"The gap in legal protection for AI research was confirmed by law enforcement and regulatory agencies such as the Copyright Office and the Department of Justice, yet good faith AI research continues to lack a clear legal safe harbor," the group stated. "Other AI trustworthiness research techniques may still risk liability under DMCA Section 1201, as well as other anti-hacking laws such as the Computer Fraud and Abuse Act."

**Brave New Legal World**

The fast adoption of generative AI systems and algorithms based on big data have become a major disruptor in the information-technology sector. Given that many large language models (LLMs) are based on mass ingestion of copyrighted information, the legal framework for AI systems started off on a weak footing.

For researchers, past experience provides chilling examples of what could go wrong, says BugCrowd's Ellis.

"Given the fact that it's such a new space — and some of the boundaries are a lot fuzzier than they are in traditional IT — a lack of clarity basically always converts to a chilling effect," he says. "For folks that are mindful of this, and a lot of security researchers are pretty mindful of making sure they don't break the law as they do their work, it has resulted in a bunch of questions coming out of the community."

The Center for Cybersecurity Policy and Law and the Hacking Policy Council proposed that red teaming and penetration testing for the purpose of testing AI security and safety be exempted from the DMCA, but the Librarian of Congress recommended denying the proposed exemption.

The Copyright Office "acknowledges the importance of AI trustworthiness research as a policy matter and notes that Congress and other agencies may be best positioned to act on this emerging issue," the Register entry stated, adding that "the adverse effects identified by proponents arise from third-party control of online platforms rather than the operation of section 1201, so that an exemption would not ameliorate their concerns."

**No Going Back**

With major companies investing massive sums in training the next AI models, security researchers could find themselves targeted by some pretty deep pockets. Luckily, the security community has established fairly well-defined practices for handling vulnerabilities, says BugCrowd's Ellis.

"The idea of security research being being a good thing — that's now kind of common enough ... so that the first instinct of folks deploying a new technology is not to have a massive blow up in the same way we have in the past," he says. "Cease and desist letters and \[other communications\] that have gone back and forth a lot more quietly, and the volume has been kind of fairly low."

In many ways, penetration testers and red teams are focused on the wrong problems. The biggest challenge right now is overcoming the hype and disinformation about AI capabilities and safety, says Gary McGraw, founder of the Berryville Institute of Machine Learning (BIML), and a software security specialist. Red teaming aims to find problems, not be a proactive approach to security, he says.

"As designed today, ML systems have flaws that can be exposed by hacking but not fixed by hacking," he says.

Companies should be focused on finding ways to produce LLMs that do not fail in presenting facts — that is, "hallucinate" — or are vulnerable to prompt injection, says McGraw.

"We are not going to red team or pen test our way to AI trustworthiness — the real way to secure ML is at the design level with a strong focus on training data, representation, and evaluation," he says. "Pen testing has high sex appeal but limited effectiveness."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Library of Congress Offers AI Legal Guidance to Researchers

A single barrier prevented attackers from exploiting a critical vulnerability in an enterprise collaboration platform. Now there's a workaround.

Source: Kristoffer Tripplaar via Alamy Stock Photo

Two new vulnerabilities in Mitel's MiCollab unified communications and collaboration (UCC) platform could help expose gobs of enterprise data.

MiCollab is a cross-platform application on mobile devices and desktops that combines instant messaging, SMS, phone calls, video calls, file sharing, remote desktop sharing — really any form of collaboration that occurs within an organization, save talking out loud. Organizations rely on it heavily for day-to-day business operations and, invariably, to house large amounts of personal and communications data.

That's what made CVE-2024-35286 so inconvenient when it was discovered earlier this year. This SQL injection vulnerability, resulting from a lack of user input sanitization, earned a "critical" 9.8 score in the Common Vulnerability Scoring System (CVSS) for how it allowed attackers to access important business data, and execute database and management operations at will. It came with a catch, though: A specific configuration was required to reach the vulnerable endpoint, where the treasure lay.

In a new blog post, researchers from watchTowr noted that "No sensible admin would do this" — referring to the undisclosed configuration — so the risk to reliable organizations was low. However, the researchers went on to discover a path traversal vulnerability in MiCollab — not to mention a third, arbitrary file-read vulnerability — which rendered that one lone defense moot.

**The New MiCollab Exploit Chain**

At Black Hat six years ago, a researcher going by the moniker Orange Tsai presented research exposing issues with how Web applications handle path normalization. Using special characters in URLs, attackers could trick Web servers into giving them access to files and directories they shouldn't be able to access.

Researchers from watchTowr put this logic to the test while toying with CVE-2024-35286. Working with an Apache configuration for MiCollab published to the Web back in 2009, they discovered that they could use the input "..;/" to bypass all roadblocks on the way to the vulnerable endpoint — "/npm-admin" from the NuPoint Unified Messaging (UM) component of the platform — with no authentication required. This stacked vulnerability was acknowledged as CVE-2024-41713, and given a "high" CVSS score of 7.5.

CVE-2024-41713 gave new life to the older CVE-2024-35286, and then the researchers discovered yet another zero-day allowing for arbitrary file read, which hasn't been assigned a CVE label or CVSS score. The three work best in combination: CVE-2024-41713 lubricating initial access, the arbitrary file-read issue providing visibility into files across the system, and CVE-2024-35286 enabling any number of malicious operations thereon. For its part, watchTowr published a proof-of-concept (PoC) exploit to GitHub that combines the first two.

"Based on public sources, there are over 10,000 publicly exposed Mitel MiCollab devices," notes Mayuresh Dani, manager of security research at the Qualys Threat Research Unit. "Provided that NuPoint Unified Messaging (NPM) is enabled, a remote threat actor can use CVE-2024-41713 and the \[file-read\] zero-day to access arbitrary files on affected devices."

Which is exactly what the proof-of-concept code does, he adds. "It does so by accessing the npm-pwg directory and invoking the Reconcile Wizard, which is normally used to generate system reports. If the attacker gets ahold of sensitive files containing authentication information on the device, this could be used to gain access to the device and possibly snoop on conversations flowing through the vulnerable instance."

**Hacking Enterprise Communications**

An email arrives in an employee's inbox from their boss. "Hi, please wire a payment to our contractor at \[bank account number\] immediately." The number one thing employees are told, to screen scams like this, is to call their boss to confirm the legitimacy of the email. But what if their phone system itself is breached?

"The vulnerabilities in Mitel MiCollab highlight a growing trend of attackers targeting communication platforms to gain access to sensitive systems," says Callie Guenther, senior manager of cyber threat research at Critical Start. Besides intercepting or blocking an organization's central lines of communication, snooping on employees, or simply causing a general havoc, attackers can also use a platform like MiCollab to facilitate any number of other kinds of cyberattacks. "Similar issues have been exploited in the past, such as the 2022 Mitel MiVoice Connect vulnerability (CVE-2022-29499), which ransomware groups used to deploy Web shells and move laterally through networks," she notes.

Both named CVEs have been patched as of Oct. 9. Mitel acknowledged the arbitrary file-read bug, but hasn't yet patched it at the time of publication. Organizations with MiCollab up to date are covered most of the way, though, as this last issue requires authentication to exploit.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Bypass Bug Revives Critical N-Day in Mitel MiCollab

AI-powered tools are making cybersecurity tasks easier to solve, as well as easier for the team to handle.

Security professionals say adding large language model (LLM) and generative artificial intelligence (GenAI) capabilities to security programs improves efficiency in threat detection and increases productivity of analysts, according to Dark Reading's latest research on enterprise security. Efficiency and effectiveness were recurring themes.

In Dark Reading's Artificial Intelligence and Machine Learning in Cybersecurity Survey, the top three benefits of using GenAI and LLMs in a cybersecurity program were more efficient threat detection (28%), improved analyst productivity and efficiency (27%), and better threat intelligence analysis (23%).

The promise of AI tools is enhancing the analysts' performance. Almost one-fifth (19%) of respondents said they appreciated how AI helped generate reports faster, while the same number (19%) liked how AI-infused technologies learn and adapt from new information. Fifteen percent felt the pressure lift from AI's ability to analyze security alerts to reduce false positives, while another 15% appreciated how the technology helped them discover and reduce misconfigurations.

Cybersecurity practitioners also saw value in active uses for AI, such as proactive threat hunting (16%), greater user behavior analysis (15%), improved incident response (15%), and a better security posture (11%).

There are also benefits to the business side. LLM tools can optimize resources (13%) to help make an organization's network more efficient and reduce costs (9%). Respondents also see ways GenAI can scale up their operations (12%), as well as improve cybersecurity response by supplementing the skills of the current team (12%). On the budgeting side, LLM use can reduce both the need for additional headcount (11%) and costs of operation (9%).

For more on the impact of AI and ML on cybersecurity, download the Dark Reading report "The State of Artificial Intelligence and Machine Learning in Cybersecurity."

**About the Author**

Karen joined Dark Reading in January 2022 as features editor. She's been in tech editing since before the img tag was introduced, working for outlets such as the IEEE Computer Society, CNET Download.com, and TechTV. She lives in Los Angeles with her husband, son, and two cats. Find her on Mastodon.

LLMs Raise Efficiency, Productivity of Cybersecurity Teams

Ever wonder what an extroverted strategy security nerd does? Wonder no longer! This week, Joe pontificates on his journey at Talos, and then is inspired by the people he gets to meet and help.

Thursday, December 5, 2024 14:02

Welcome to this week’s edition of the Threat Source newsletter. 

I am unbelievably lucky to do the work that I do. My title is technically ‘Senior Security Strategist’. It’s a very fancy title, but basically: I get to research threats with my colleagues and friends to keep people safe here at Talos. I also get to travel and talk to our customers and communities about that work and how we fight that good fight. This has taken me to some interesting places - from Ukraine to California and lots of places in between. Not bad for a guy from a small town in Alabama.  

This gig isn’t for everyone. You must have some extroverted tendencies, and as the youth would say, some ‘rizz’. It’s not enough to talk about something like, say, ransomware. You need to be able to explain it in high technical detail if needed and then explain it to a board of C-levels and speak the language of business they understand. And you need to do it in an engaging way to keep your audiences bought in. It’s a unique blend of security practitioner expertise and the ability to communicate that to audiences, some technical, some not.  

If you’re thinking this also requires some kind of social media influencer level of Hemsworth caliber good looks and hyper charisma, have no fear. I’m about as much a security influencer as Chris Farley was a Beverly Hills ninja. I am just a security nerd who likes to talk. Like I said - I'm very lucky.  

Sometimes this gig takes you to very unexpected places. A couple of weeks ago I found myself at the Ford Foundation Center for Social Justice. I was there to attend and support the NGO-ISAC annual summit. The NGO-ISAC ‘is a non-profit organization improving the cybersecurity of US-based nonprofits.’ They do amazing work supporting cyber security for non-governmental organizations that help protect and promote civil society. We’re also fortunate at Talos to be a partner with them and donate time and resources to support their mission of helping the helpers.  

We are proud to be partners and volunteer our time with NGO-ISAC and it’s members. If you ever want to be truly humbled, spend time with an NGO and learn about what they do. The energy and heart those people have is incredible and will inspire you. They help feed the hungry, cloth the homeless, protect refugees, promote democracies, and generally help take care of some of the most vulnerable people and institutions our society relies upon. They also traditionally struggle with cybersecurity - security investments and practitioner expertise can be difficult to obtain when your budgets are built upon donations to support your mission. They are the embodiment of fighting the good fight, and we at Talos will always have the time to help them help others.  

While I was there, we debuted a custom NGO version of Backdoors & Breaches I helped co-develop with the NGO-ISAC. It was a real hit, and we ran demo games that resonated very well with the audiences. Helping teach cybersecurity to NGOs is fantastic. If we can help them stay secure, there’s so many others who will be helped by it. Also, keep your eyes peeled for a blog post in January about how we designed and created a custom expansion for Backdoors & Breaches.  

Also, the Ford Foundation? Amazing building. It’s in the heart of NYC and is an island of pure serenity. They have an indoor atrium/park that is next level. They pipe in some absolute jazz bangers throughout the entire building that, mixed with the decor, exudes a class I've rarely encountered in my travels. If I could make a blanket out of that entire vibe and wrap myself up in it, I'd do it.  

**The one big thing **

QR Codes, am I right? Sometimes you can scan one with your phone and maybe win a free cheeseburger, sometimes it can take you to a fake O365 phishing site. The tricky bit with QR codes in e-mails is how easily they can avoid spam filters. My man Jaeson Schultz did some great research on attacks, prevalence, and detection of QR codes in e-mail messages. The parts on AI-generated QR imagery are fantastic – be careful what you scan! 

**Why do I care? **

E-mail phishing and evading defenses are a tried and tested tactic with attackers. QR codes are another method of attack, and because they can be difficult to defang/detect, defenders have to work extra hard to understand those threats and stop them.  

**So now what? **

Exercise serious caution when scanning a QR code. If possible, detonate those suspicious QR code e-mails in a sandbox, like Threat Grid. 

**Top security headlines of the week **

At least 97 major water systems in the US have serious cybersecurity vulnerabilities and compliance issues, raising concerns that cyberattacks could disrupt businesses, industry, and the lives of millions of citizens. (Dark Reading) 

The NSA updated its mobile devices security best practices report. Reboot those phones at least once a week friends.  (ZDNet) 

The United States and other Western nations released guidance Tuesday designed to evict the China-linked group in the wake of the high-profile hack. (CyberScoop) 

**Can’t get enough Talos? **

*   New PXA Stealer targets government and education sectors for sensitive information 
*   The TTP Episode 7: Explore this year's Macro-ATT&CK findings  
*   Beers with Talos is back (kind of) with a special “B Team” episode: Misadventures, Rabbit Holes, and Turkey Lurkey Goes to the Movies 

**Upcoming events where you can find Talos ****AVAR (Dec. 4-6)   **

_Chennai, India_    

Vanja Svancer and Chetan Raghuprasad from Cisco Talos will both present, Vanja will be discussing Exploring Vulnerable Windows Drivers, while Chetan presents Sweet and Spicy Recipes for Government Agencies by SneakyChef.   

**Most prevalent malware files from Talos telemetry over the past week  ****SHA 256: 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647 **

MD5: bbcf7a68f4164a9f5f5cb2d9f30d9790 

VirusTotal: https://www.virustotal.com/gui/file/0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647/details 

Typical Filename: cwjhtmbwgyomzrhbo.exe 

Claimed Product: n/a 

Detection Name: Win.Dropper.Scar::1201  

**SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca **

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/detection 

Typical Filename: VID001.exe 

Claimed Product: n/a 

Detection Name: Coinminer:MBT.26mw.in14.Talos 

**SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   **

MD5: 200206279107f4a2bb1832e3fcd7d64c  

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details%C2%A0 

Typical Filename: lsgkozfm.bat  

Claimed Product: N/A  

Detection Name: Win.Dropper.Scar::tpd    

**SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   **

MD5: 71fea034b422e4a17ebb06022532fdde   

VirusTotal: https://www.virustotal.com/gui/file/bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a/details 

Typical Filename: VID001.exe   

Claimed Product: N/A   

Detection Name: RF.Talos.80   

**SHA 256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   **

MD5: 8b84d61bf3ffec822e2daf4a3665308c   

VirusTotal: https://www.virustotal.com/gui/file/3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66/details%C2%A0 

Typical Filename: RemComSvc.exe   

Claimed Product: N/A   

Detection Name: W32.3A2EA65FAE-95.SBX.TG

Tag

#mac