A highly targeted cyber-intelligence campaign adds fuel to the increasingly complex relationship between the two former Soviet states.

Source: Daniren via Alamy Stock Photo

A suspected Russia-nexus threat actor has been executing convincing spear phishing attacks against diplomatic entities in Kazakhstan.

UAC-0063, active since at least 2021, was first documented by Ukraine's Computer Emergency Response Team (CERT-UA) in 2023. With medium confidence, CERT-UA tied it to APT28 (aka Fancy Bear, Forest Blizzard, Strontium, Sofacy), from the General Staff Main Intelligence Directorate (GRU) Military Unit 26165. APT28 is best known for its high-profile attacks against Western governments: the Democratic National Committee (DNC) hack of 2016, campaigns against parliamentary bodies in Germany, Norway, and the Netherlands, and much more.

UAC-0063, specifically, has used cyber operations to collect intelligence from government entities, nongovernmental organizations (NGOs), academic institutions, and energy and defense organizations in Eastern Europe — most notably Ukraine — as well as Central Asia, including Kazakhstan, Kyrgyzstan, Tajikistan, and other countries in the vicinity, including Israel and India.

Its latest ongoing campaign, which, in a blog post, researchers from Sekoia date back to at least 2022, may fold into a broader effort by Vladimir Putin's government to gain strategic insights into, and advantage over, a former Soviet state that has sought to broaden its diplomatic horizons in recent years.

**Phishing Kazakh Diplomats**

On Oct. 16, 2024 — one month after it'd been deployed in the wild — researchers spotted a diplomatic document uploaded to VirusTotal. It appeared to be a legitimate draft of a joint declaration between the chancellor of Germany and heads of Central Asian countries.

"The first step, when you open this document, is that it asks you to enable macros," recalls Amaury Garçon, cyber threat intelligence (CTI) analyst at Sekoia Threat Detection & Research (TDR), adding that the document was obscured by "shapes" at first sight. "Some phishing documents look really ugly or have a bad shape \[at first\] — they prompt the user to enable macros, because if you don't enable macros you can't write text in the document, can't move images, etc.," he notes.

Clicking "enable" would trigger various malicious, unseen commands on a target device. While the user was made privy to the full, unadulterated lure document, in the background their security settings would be downgraded so as to remove the need for future "enable macros" prompts. Next a second, blank document was created and opened by a hidden instance of Microsoft Word. The Visual Basic (VB) code associated with this hidden document — now enabled by default, of course — dropped and executed a malicious HTML application (HTA) containing a backdoor named "HatVibe."

The purpose of HatVibe is to receive and execute code from a remote server. Though Sekoia couldn't identify the payloads associated with this phishing campaign, CERT-UA has previously observed HatVibe downloading and executing a more complex Python backdoor named "CherrySpy."

**What This Means for Kazakhstan and Russia**

Six weeks after researchers spotted the first VirusTotal upload associated with this campaign, on Nov. 27, Putin went on a two-day state visit to the country he deemed Russia's "true ally," Kazakhstan. He and Kazakhstan's president, Kassym-Jomart Tokayev, used the opportunity afforded by the Collective Security Treaty Organization (CSTO) summit to discuss various areas for economic partnership — particularly around the energy sector — and signed agreements over energy, education, and transportation.

"Central Asia is a real point of interest for Russian influence," Maxime Arquillière, senior CTI analyst at Sekoia TDR explains. "We know that Kazakhstan is a close ally, but since the beginning of the Ukraine war, Kazakhstan has distanced itself a little bit from Russia, trying to develop new connections with both Western states and also China."

Kazakhstan's centrality in the Asian continent positions it nicely as a trade bridge between China and Europe, particularly while Ukraine and Russia are consumed by war. And as Sekoia notes in its blog, the country's gradually broadening geopolitical ties are evident in recent agreements with Mongolia and Afghanistan's new Taliban government, and, most notably, its balanced position on the war in Ukraine — supporting Ukraine's right to territorial integrity without outright condemning Russia's invasion.

This latest cyber campaign, then, fits neatly into Russia's broader initiatives with regard to its Central Asian neighbor. Sekoia identified 11 lure documents in all, each one legitimate and likely having originated with Kazakhstan's Ministry of Foreign Affairs, pertaining to diplomatic business between Kazakhstan and potential partner nations.

Exactly how the threat actor obtained these documents is not known. They include, for example:

*   Letters from Kazakhstan's embassies in Afghanistan and Belgium, regarding diplomatic and economic developments.
    
*   A draft of a joint statement between Germany and Central Asian states, following a Sept. 16, 2024, summit in Astana.
    
*   Administrative reports and briefings on the Kazakh president's visits to Mongolia and New York.
    

"It's really coherent with the \[need for\] Russian intelligence to conduct this kind of cyber espionage, to know about the strategic interests between Kazakhstan and European states," Arquillière says.

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Russian APT Phishes Kazakh Gov't for Strategic Intel

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-vg7j-7cwx-8wgw: Mongoose search injection vulnerability

Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia have been targeted by the China-nexus RedDelta threat actor to deliver a customized version of the PlugX backdoor between July 2023 and December 2024.
"The group used lure documents themed around the 2024 Taiwanese presidential candidate Terry Gou, the Vietnamese National Holiday, flood protection in Mongolia, and meeting invitations, including an

RedDelta Deploys PlugX Malware to Target Mongolia and Taiwan in Espionage Campaigns

Your messages going back years are likely still lurking online, potentially exposing sensitive information you forgot existed. But there's no time like the present to do some digital decluttering.

If you're worried about possible expansions of government surveillance and access to your information, or simply want to do some digital purging so you're not saddled with old data, there are a bunch of concrete steps you can take to protect your digital privacy. Just as archeologists study carefully preserved tombs and ancient trash heaps to gain insight into historic communities, your long-forgotten digital footprint could be more revealing and sensitive than you realize. And while you can't control everything—particularly information stolen in breaches or gathered by data brokers—you probably have a digital attic full of old data that you can delete or download and save offline. First stop? Old message histories.

Chats are a good place to start your digital decluttering. Their real-time nature makes it easy to forget that if you don't have auto-delete turned on for a chat (or if a platform doesn't offer it), all of those “be there in 10 minutes,” “wait, what color is this dress???” and “welp, I have covid” messages are still knocking around years later. If you sent them on an end-to-end encrypted platform like Signal or WhatsApp, they only exist on your device and the devices of the other person or people you were chatting with. That means that for governments or bad actors to read them, they would need direct control of your device—a good level of protection, though not foolproof.

Crucially, though, messages that you sent on regular web apps like Slack, Facebook Messenger for most of its history, and Google Chat/Hangouts/Gchat are sitting on a cloud server somewhere. And while they're probably stored in an encrypted form to protect against theft, the platform itself has the keys to decrypt your data and would be able to comply with government requests for it, no matter how old the information is. Sure, all of those “u up?"s may not seem significant now, but years and years of chat histories can paint a very detailed picture of your life, associations, political beliefs, and past movements and activity.

“Doing a good digital cleaning from time to time is a great habit, especially with social media and old chat messages,” says Kenn White, security principal at the database developer MongoDB and director of the Open Crypto Audit Project. “Who you were five or 10 years ago is probably very different than who you are today, so it's worth asking yourself, ‘Do I really need those seven-year-old inside jokes and sarcastic posts? Do I need to keep old group chat messages and carry them forward to every new phone I get?’”

Some programs like Apple's Messages make it easy to auto-delete your chat histories after a set period of time. On iOS, go to **Settings** > **Apps** > **Messages** and then scroll and tap **Keep Messages**. Then choose whether to keep messages forever, for one year, or for 30 days before auto-deleting.

On the free version of Slack, data older than a year is automatically deleted. The company keeps data forever on paid plans, unless the administrator sets up rolling deletion. This is useful if you have an active Slack with your friends, but most people who use Slack at work don't make decisions about administrative policies and can't control deletion. Keep this in mind for any communication you do on an employer's platforms. You may be able to go through and delete messages or files one by one, but you likely won't have the access to make policy decisions about automatic or batch deletion.

Similarly, you may want to go through your chats on Android or iOS and delete old SMS conversations. Meta's Messenger now offers auto-delete options, but for your existing chats, you have to go down the list on desktop or in the Messenger mobile app and delete chats one by one. Meta's other chat platforms, Instagram Chat and WhatsApp, are similar, except that WhatsApp has been end-to-end encrypted since 2016 instead of adding the protection recently.

Consider whether you've spent time chatting on other social platforms as well. X, for example, has been through a lot of changes since Elon Musk bought Twitter more than two years ago and took the company private again. Musk promised that he would add end-to-end encryption to DMs on X, and eventually debuted an opt-in encryption feature with the paid tier of the platform, but the company doesn't definitively say that the tool offers full end-to-end encryption and it isn't open source for vetting. You can delete individual messages or go through your chat list and delete whole DM conversations if you want to pare down the data you're keeping on the platform.

If you've had Gmail for a long time, the messenger service “Google Talk,” once colloquially known as “Gchat,” may have a special place in your heart. And perhaps, over the years, you went through the saga in which Gchat—which was once known for interoperability with platforms like AIM—became the siloed Google chat platform Hangouts, and then transformed again into what is now called Google Chat. Your chats on this platform through the years are still hanging around, but they're not all in the same place.

The crucial thing to understand is that Gchat was fully integrated with Gmail and wasn't a separate platform, so your chat histories all saved in your mail archive. To find them now, open Gmail and **search for the phrase in:chats** (using no quotation marks). Hundreds or thousands of chats from May 2013 and earlier may pop up. They must be deleted directly from Gmail. After May 2013, Google migrated Gchat users to Hangouts, and that history has come forward into what is now Google Chat, so you can delete whole chats or individual messages there.

“Messages sent and received with history on in Google Talk from before May 2013 (the time when Google Hangouts launched) are stored in Gmail under the ‘in:chats’ label. Those messages are not available in Google Chat and can be deleted directly from Gmail only,” Google spokesperson Ross Richendrfer tells WIRED. “In terms of Hangouts data—which was merged with Chat—core Chat controls (including deletion) will work.”

There are lots of other chat apps to consider, too, where old messages may still be lurking. Think about Skype chat or GroupMe. And there's one other complicating factor when you declutter your messages: Most deletion features only delete data from your account, and the messages live on in the accounts of the person or people you were chatting with. To do a total digital detox you need to recruit your community to delete their message archives as well.

Additionally, you may feel sentimental about burning your letters (aka deleting all of your old chats). If you're sad about hitting that trash icon, consider downloading chat histories with your closest friends or other loved ones and storing them on an encrypted external hard drive before deleting them from the cloud. This way, you don't have to give up that slice of life completely, but the data isn't controlled by other entities anymore.

“Some apps, including Signal, give one the ability to set a ‘self-destruct’ time on messages, perhaps in hours or weeks. This is worth considering to reduce your exposure, particularly if you travel outside the country, are politically active, or in any way have a higher public profile,” MongoDB's White says. “It's easy to dismiss the potential of attacks on our personal data and physical safety as something that's only a concern for some James Bond–type scenarios, but the hard truth is that threats exist in many forms, both online and in person.”

Hey, Maybe It's Time to Delete Some Old Chat Histories

Hackers are constantly evolving, and so too should our security protocols.

Source: Brain light via Alamy Stock Photo

COMMENTARY

We witnessed some of the largest data breaches in recent history in 2024, with victims including industry titans like AT&T, Snowflake (and, therefore, Ticketmaster), and more. For US businesses, data breaches cost more than $9 million on average, and they cause lasting damage to customer and partner trust. 

Still, a resounding 98% of companies work with vendors that have had a breach. While business leaders have become more cautious in identifying vendors, they're integral to the growth of a business — providing critical goods, services, and technology to support ever-evolving business models and complex supply chains. 

These vendors may never be able to fully guarantee security and peace of mind, so security teams must regularly conduct due diligence measures to make more informed decisions and mitigate risks as much as possible. As businesses plan for the coming year, here are tips for ensuring your data, privacy, and information assets are secured and protected in 2025. 

**Proactive Security Reviews**

Vendors are essential, but relying on them without verifying their security practices is like playing with fire. Conducting regular security reviews will help your team mitigate potential risks before they turn into costly incidents. A security review is a comprehensive analysis of a vendor's ability to protect sensitive data, comply with industry regulations, and respond to potential breaches. Conducting a security review involves evaluating several key areas, such as data encryption, compliance with standards like the European Union's General Data Protection Regulation (GDPR) and the US Health Insurance Portability and Accountability Act (HIPAA), and incident response protocols.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

Ongoing audits and real-time monitoring track a vendor's changing security posture and detect emerging vulnerabilities. Continuous monitoring ensures compliance and proactive threat detection, preventing gaps in security oversight.

The SolarWinds breach, for example, could have been mitigated with better continuous monitoring, which would have detected the malicious software update earlier.

A practical approach is to implement quarterly security assessments for vendors that handle critical infrastructure. These assessments can identify evolving risks, ensuring that a one-time review doesn't leave blind spots in long-term vendor security. 

To streamline assessments, leverage automation tools, vulnerability scanners, and compliance platforms to hand off repetitive tasks, improve accuracy, and save time, ensuring comprehensive reviews without manual bottlenecks. Using AI-driven security tools reduces detection times for vulnerabilities, helping companies address issues faster.

Related:Chinese Cops Caught Using Android Spyware to Track Mobile Devices

Security reviews aren't a complete fail-safe, but they do equip businesses to choose vendors that align with their security postures. With consistent, proactive security reviews, businesses can reduce their risk of cyberattacks, breaches, and regulatory fines.

**Updates to Legacy Systems**

Legacy systems are inherently risky, as outdated software and hardware are not receiving regular security updates. Assess your legacy systems for vulnerabilities, and plan to invest in upgrades or replacements. If an immediate replacement isn't possible, isolate legacy systems from your shared networks and utilize segmentation to contain threats. 

**Advanced Security Measures **

Once you have a process for regular security reviews and risk assessments in place, and your tech stack is protected from vulnerabilities, implement advanced security measures like encryption and access controls to protect your data and your team's data. 

**Encryption Protocols**

Encryption is a fundamental security measure that protects data at rest and in transit. For data at rest, ensure you are encrypting sensitive information stored on servers, databases, and other storage devices using robust encryption algorithms such as AES-256. For data in transit, encrypting information transmitted over networks using protocols like Transport Layer Security (TLS) is crucial to prevent interception and eavesdropping.

Related:Europol Cracks Down on Holiday DDoS Attacks

**Access Control Systems**

Stringent access controls help to ensure that only authorized personnel can access sensitive information. Multifactor authentication (MFA) is required to access critical systems and data, adding an extra layer of security beyond just passwords.

Role-based access control (RBAC) assigns permissions based on roles within an organization, so that employees have access only to the information necessary for their job functions. Regularly review and update these permissions to reflect changes in roles and responsibilities.

Identifying and mitigating IT infrastructure vulnerabilities, conducting thorough risk assessments, and implementing advanced security measures are critical steps in preventing data breaches. Organizations can significantly enhance their security posture, protect sensitive information, and ensure compliance with regulatory requirements by focusing on these areas. As we look ahead to 2025, remember to remain vigilant and agile: Hackers are constantly evolving, and so too should our security protocols. 

**About the Author**

Founder & CEO, SecurityPal

Pukar C. Hamal is founder and CEO of SecurityPal, an San Francisco-based startup delivering customer assurance — a holistic security framework designed to accelerate enterprise transactions and innovation. Born in a rural village in Nepal and proficient in eight languages, Pukar understands that innovation and economic potential aren't limited to Western "tech hubs," which is why SecurityPal has offices worldwide, including in Kathmandu, Nepal. Pukar’s vision with SecurityPal is to accelerate business growth and innovation by simplifying and securing the customer journey. Trusted by the world's most innovative companies, including OpenAI, MongoDB, Airtable, and Figma, SecurityPal has helped organizations answer nearly 2 million security questions.

Tips for Preventing Breaches in 2025

Discover the future of eCommerce with bespoke app development. Learn how tailored solutions enhance user experience, security, and performance while empowering businesses to meet unique needs and gain a competitive edge.

eCommerce has become an essential part of our daily lives with hundreds of thousands of stores powered by Shopify, Magento, and WooCommerce. According to Mangosoft, a custom ecommerce application development firm, as of the end of Q2 2024, there are approximately 30,722,000 ecommerce sites worldwide, and approximately 88% of US consumers have at least one shopping app installed on their smartphones, with 52% using them weekly.

The mentioned companies empower store owners with flexibility, control, and the ability to craft unique user experiences. In this article, we’ll explore the future of eCommerce, the concept of bespoke eCommerce app development, the steps involved, and the advantages it offers to businesses.

****What is a custom eCommerce application?****

Software created specifically to facilitate online sales is known as a custom eCommerce application. Unlike pre-built platforms, these apps are entirely customized to meet the demands of the business and are either built from the bottom up or based on flexible frameworks. 

It could be a full-fledged online store or a specialized system for managing orders, catalogues, logistics, and other e-commerce-related duties. The main goals of custom development are to improve performance, give clients unique features, and ensure that the application completely conforms with the organization’s business practices.

****Key stages of custom eCommerce application development****

**Requirements analysis**

The first phase includes a detailed analysis of the client’s needs. Determining which elements should be included and comprehending the audience, competition, and corporate objectives are essential. A company with a large product selection, for example, could need a strong filtering system, and a business-to-business corporation might need CRM connectivity.

**Prototyping and interface design**

After analysis, a prototype of the future application is developed, which demonstrates the layout of elements, navigation and overall user experience (UX/UI). This allows to harmonize the vision of the client and developers.

**Technology selection**

An important step is to select the technologies to be developed. For example:

*   React, Angular or Vue.js are often used for the front end.
*   For the database – MySQL, PostgreSQL or MongoDB.
*   For the backend, Node.js, Python (Django, Flask) or PHP (Laravel) are popular.

The choice depends on the scalability of the project, functional requirements and budget.

**Development and testing**

Application development includes writing code for frontend, backend and integration with external systems. Each module is tested at all stages to identify bugs.

**Launch and Support**

After testing and deployment, the application is hosted on a server or in the cloud where it is available to users. However, the process doesn’t end there – developers continue to support the system, update features and fix problems.

****Advantages of custom eCommerce application development****

*   **Customized approach to business**

Off-the-shelf platforms often limit the possibilities of customization, whereas custom solutions allow implementation of any features: from unique design to complex data processing algorithms.

*   **High performance**

Custom applications are optimized for specific tasks, which ensures high page load speed and efficient data processing even under high load.

*   Scalability

If your business grows, a custom app can easily adapt to new requirements. You can add new modules, integrate third-party systems, and expand functionality without limitations.

*   Integration with other systems

Custom apps make it easier to set up integrations with CRM, ERP, payment systems and analytics platforms.

*   Competitive advantage

A unique application allows you to stand out from your competitors. You can offer customers innovative functionality or create an interface that meets their needs.

*   Increased security

Off-the-shelf solutions are susceptible to mass attacks because they use universal code. Custom apps have customized security mechanisms, which reduces the risk of hacking.

****When should you choose a custom solution?****

Developing a custom eCommerce application is not suitable for everyone. It requires more time, resources and investments than using ready-made platforms. However, it becomes justified in the following cases:

*   You place a high priority on data security and privacy.
*   Your business is planning to scale and grow in the coming years.
*   You wish to provide functionality that the current solutions do not offer. 
*   You have a non-standard business process that cannot be implemented on a standard platform.

****Conclusion****

Developing custom eCommerce apps is a great approach to advance your company’s operations. It enables you to develop a solution that completely satisfies your aims and objectives, enhances user experience, and makes you stand out from the competition.

Additionally, because of their flexibility, scalability, and customisation, these apps offer long-term benefits despite their greater price. A bespoke eCommerce app will be an effective instrument for success if you are prepared to invest in your company’s future.

1.  The Basics of Ecommerce Cyber-Security
2.  Kotlin app development company – How to choose
3.  Building Your First Web Application with Yii Framework
4.  The Essential Tools, Plugins for WordPress Development
5.  Why Front-End Development Matters for Online Businesses?

The Future of eCommerce: How Custom Apps Help You Get Ahead of the Competition

Mongoose before 8.8.3 can improperly use $where in match.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-m7xq-9374-9rvx: Mongoose search injection vulnerability

Andrew Tate’s “The Real World” platform has been breached, again, leaking user data including emails and private chat…

Andrew Tate’s “The Real World” platform has been breached, again, leaking user data including emails and private chat logs. Explore the details of the hack and leaked data.

Andrew Tate, the controversial social media influencer currently under house arrest, is the newest victim of hacktivism. According to reports, unidentified hackers have successfully breached his online self-help platform, _The Real World_, formerly known as Hustler’s University.

Screenshot from the leaked data (Credit: Hackread.com)

The incident occurred when Tate was busy streaming the latest episode of his _show Emergency Meeting_, which airs on Rumble. This attack has resulted in the exposure of sensitive user data, including usernames, email addresses, and private chat messages. 

For your information, The Real World is an online university that focuses on health, fitness, financial investment, and e-commerce businesses with over 113,000 active users. It provides advanced training and mentoring at $50 per month and also teaches users how to master money making skills. 

The hackers, as per DailyDot, exploited a critical security vulnerability in the platform. After the successful attack, they flooded the primary chatroom with pro-feminist and LGBTQ+ emojis, temporarily banning users, and deleting attachments.

Their posted emojis included transgender flags, feminist fist, Tate’s AI-generated image draped in rainbow flags, another one with his buttocks enlarged, and cat characters used in his “boykisser” meme. 

Screenshot shows emojis spammed by the hackers

What is more concerning is that according to DDoSecrets, the hackers also managed to access a vast amount of user data, including over 794,000 usernames comprising current and former members, the content of The Real World’s 221 public and 395 private chat servers covering around a dozen campuses, and nearly 325,000 email addresses of users removed from the platform.

Tate is a controversial figure known for his toxic masculinity. The leaked data, now publicly available, offers a glimpse into the community that has formed around Tate with users expressing concerns about the _LGBTQ agenda_, the _matrix_, and recurrent shooting incidents. The hackers claimed their motive was hacktivism and Tate’s site being ‘hilariously insecure.’

It’s worth noting that this isn’t the first time Tate’s online platform has been compromised. Earlier this year, a data breach exposed millions of user messages and personal information due to a MongoDB database containing 88 gigabytes of data belonging to 968,447 user accounts being exposed since April 8, 2024. These repeated security failures raise serious questions about the platform’s commitment to protecting user data and maintaining a secure online environment.

1.  SiegedSec Hacktivist Strike NATO and Leak Sensitive Docs
2.  DDoS Attacks Hit France Over Telegram’s Pavel Durov Arrest
3.  Muslim Hacktivists Hack ISIS website; expose subscribers list
4.  Hacktivists Shut Down Donald Trump Hotel Collections Website
5.  RansomHub Hits Planned Parenthood Hack, Steals 93GB of Data
6.  SiegedSec Hits Heritage Foundation; Leaks Data Over “Project 2025”

Andrew Tate’s University Breach: 1 Million User Records and Chats Leaked

Aftermath of MOVEit vulnerability: Data vigilante ‘Nam3L3ss’ leaks nearly 8 million employee records from industry giants like Amazon,…

Aftermath of MOVEit vulnerability: Data vigilante ‘Nam3L3ss’ leaks nearly 8 million employee records from industry giants like Amazon, 3M, HP, and Delta, exposing cybersecurity flaws across major firms.

A “Data Vigilante” using the alias Nam3L3ss has leaked millions of employee records from global industry giants, in connection with the widespread **MOVEit vulnerability**. For your information, the MOVEit flaw is a security vulnerability in the MOVEit file transfer software, which many organizations use to share sensitive data.

Nam3L3ss, who denies being a hacker, began leaking the data on Friday, November 8, 2024. So far, sensitive and non-sensitive records from 27 companies, totalling 7,952,414 employee records, have been exposed. This includes 2,861,111 records from Amazon employees, a breach acknowledged by the company.

“Amazon and AWS systems remain secure, and we have not experienced a security event. We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon,” Amazon spokesperson Adam Montgomery told Hackread.com. “The only Amazon information involved was employee work contact information, for example, work email addresses, desk phone numbers, and building locations.”

****Data Analysis****

The Hackread.com research team conducted an in-depth analysis of each file leaked by Nam3L3ss, revealing that the data includes full names, email addresses, phone numbers, office addresses, residential addresses, company names, location coordinates, and more.

****List of Affected Companies and Employee Counts****

    3M: 48,630 employees
    
    HP: 104,119 employees
    
    Delta: 57,317 employees
    
    MetLife: 585,130 employees
    
    Amazon: 2,861,111 employees
    
    McDonald's: 3,295 employees
    
    Lenovo: 45,522 employees
    
    TIAA: 2,464,625 employees
    
    CalSTRS: 422,311 employees
    
    BT: 15,347 employees
    
    URBN: 17,553 employees
    
    Leidos: 52,610 employees
    
    UBS: 20,462 employees
    
    HSBC: 280,693 employees
    
    Firmenich: 13,248 employees
    
    U.S. Bank: 114,076 employees
    
    Canada Post: 69,860 employees
    
    Westinghouse: 18,193 employees
    
    Rush University: 15,853 employees
    
    Omnicom Group: 37,320 employees
    
    Charles Schwab: 49,356 employees
    
    City National Bank: 9,358 employees
    
    Applied Materials: 53,170 employees
    
    Cardinal Health: 407,437 employees
    
    Bristol-Myers Squibb: 37,497 employees
    
    TIAA (additional listing): 23,857 employees
    
    Fidelity Investments: 124,464 employees

List of targeted companies (Screenshot credit: Hackread.com)

****Nam3L3ss’s Manifesto: Motivation and Methodology****

In a post on Breach Forums, Nam3L3ss outlined their “manifesto” to explain who they are and why they’re leaking data. According to the post, they monitor misconfigured and unsecured cloud databases across various services, including AWS Buckets, Azure, Digital Ocean, Google, and FTP and MongoDB servers, to extract and make this data public.

Nam3L3ss also claims to monitor ransomware groups, analyze stolen data, clean it by removing duplicates and irrelevant information, and then release it online. For example, the leaked MetLife employee directory originated from MetLife, a global financial services firm that suffered a ransomware attack in 2023.

Nam3L3ss intro and Manifesto (Screenshot credit: Hackread.com)

The Cl0p ransomware gang exploited MOVEit extensively, targeting hundreds of organizations worldwide. They even **created clear web websites to leak** the stolen data in July 2024.

**Ferhat Dikbiyik**, chief research and intelligence officer at Black Kite, weighed in on the recent Amazon data breach, explaining, that Amazon’s recent data breach traced back to a third-party vendor’s use of the MOVEit tool, is another wake-up call for the supply chain’s hidden vulnerabilities.

“Amazon’s recent data breach traced back to a third-party vendor’s use of the MOVEit tool, is another wake-up call for the supply chain’s hidden vulnerabilities. The MOVEit flaw initially hit hundreds, but the shockwave extended across 2,700+ organizations as the ripple effects reached third and even fourth-party vendors,” Ferhat said.

“We’ve identified over 600 MOVEit servers that were likely caught in this “spray” attack—leaving a vast field of potential targets,” he explained. “CL0P ransomware, the group exploiting this flaw, named 270 victims within three months, and the count is still rising.”

“With 200 to 400 organizations speculated to have paid ransoms, the real impact stretches far beyond these numbers. This breach emphasizes that ransomware risk doesn’t stop at your company’s doorstep. In today’s ecosystem, exposure management must extend across the entire supply chain to truly defend against the next big attack.”

****Data Vigilante?****

Although the term Data Vigilante is debatable, Nam3L3ss expresses frustration with companies and government institutions for failing to secure their networks. By leaking this data, they aim to raise awareness about data security and encourage better cybersecurity practices.

****Implications of the Data Leak and Advice to Employees****

Although passwords and financial details weren’t included in the leaked files, the exposure poses significant risks to companies and employees. Threat actors, especially state-sponsored groups like **North Korea’s Lazarus Group**, are known to exploit such data to initiate phishing scams, steal cryptocurrency, and access financial information that could aid their **country’s economy**.

If you work for one of the affected companies, be on the lookout for phishing scams via email, SMS phishing (smishing), and voice phishing (vishing) attempts, as attackers may try to exploit this data for further scams.

1.  Hacker Leaks Thousands of Microsoft and Nokia Employee Details
2.  Hackers Calling Employees to Steal VPN Credentials from US Firms
3.  Hacker Leaks Data of 33K Accenture Employees in 3rd-Party Breach
4.  Shadow IT: Personal GitHub Repos Expose Employee Cloud Secrets
5.  Indian Ex-Employee Jailed for Wiping 180 Virtual Servers in Singapore

Data Vigilante Leaks 8 Million Employee Records from Amazon, HP and Others

Interpol disrupts 22,000 malicious IP addresses, 59 servers, 43 electronic devices, and arrests 41 suspected cybercriminals.

Source: Timon Schneider via Alamy Stock Photo

Operation Synergia II, an international law enforcement effort supported by the private cybersecurity sector, successfully dismantled a widespread cybercrime operation stretching from Hong Kong to Estonia, Interpol said this week.

Operation Synergia II was launched in April, with law enforcement collaborating with cybersecurity experts from Group-IB, Trend Micro, Kaspersky, and Team Cymru to track down thousands of servers used to commit cybercrimes involving phishing, infostealers, and ransomware attacks. Interpol discovered 30,000 malicious IP addresses and has already taken down 22,000, along with 59 servers.

Law enforcement across several countries contributed on-the-ground resources to perform house searches and seize electronics believed to support the cybercriminal operation — leading to the arrest of 41 people, with 65 others still under investigation, according to Interpol.

As part of the coordinated response, police in Hong Kong took down 1,037 servers, while in Mongolia police conducted 21 house searches and were able to identify 93 individuals believed to be linked to cybercrimes. Macau cops took 291 servers offline, and in Madagascar police tracked down 11 people linked to the servers and seized multiple devices. And in Estonia, authorities confisacted more than 80GB of server data, which is still being analyzed at Interpol.

"The global nature of cybercrime requires a global response which is evident by the support member countries provided to Operation Synergia II," Neal Jetton, Interpol's director of the Cybercrime Directorate, said in a statement. "Together, we've not only dismantled malicious infrastructure but also prevented hundreds of thousands of potential victims from falling prey to cybercrime."

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

Tag

#mongo