Russian APT group Storm-2372 employs device code phishing to bypass Multi-Factor Authentication (MFA). Targets include government, technology, finance,…

**Russian APT group Storm-2372 employs device code phishing to bypass Multi-Factor Authentication (MFA). Targets include government, technology, finance, defense, healthcare.**

Cybersecurity researchers at SOCRadar have discovered a new attack tactic used by the notorious Russian state-backed advanced persistent threat (APT), Storm-2372. According to SOCRadar’s research, shared with Hackread.com, Storm-2372 can now break into online accounts of major organizations without trying to guess passwords.

This is achieved through a method called “device code phishing,” which helps them get around even strong security measures like Multi-Factor Authentication (MFA).

Device Code Phishing takes advantage of the way some devices, like smart TVs, connect to online services. Usually, these devices give you a special code that you type into a website on your computer or phone to log in (OAuth device authorization flow). Hackers are using this same process to fool people into giving them access to their work accounts.

****Here’s how it works****

The hackers send fake messages, often through email or text, telling people they need to use a device code to log in. These messages direct them to real-looking login pages, like the ones from Microsoft. The victims then unknowingly type in a code that the hackers have created. Once the person enters the code, the hackers can get into their account without needing a password or triggering the usual security checks. This makes it much harder to spot the attack as the victims don’t realize they have been compromised until it is too late.

Device Code Phishing Attack Sequence (Source: SOCRadar)

Previously, the method OG Device Code Phishing was used by hackers to create a device code using special tools and sent it via message. However, these codes only lasted about 15 minutes, making it difficult for hackers to log in if the person didn’t see the message.

Storm-2372 employs the more advanced Dynamic Device Code Phishing technique, previously documented by Black Hills in 2023, to create fake websites resembling real login pages using services like Azure Web Apps. When a user visits these fake sites, they generate a new device code, allowing hackers to log in. They sometimes use CORS-Anywhere to display the code correctly in the user’s browser. When the user enters the fake code, they receive access tokens and refresh tokens, allowing hackers to access Microsoft email for up to three months.

Storm-2372 is, reportedly, targeting organizations that hold valuable information and make important decisions. This includes government agencies, technology companies, banks, defence contractors, healthcare providers, and media companies. They’ve been seen attacking organizations in countries like the United States, Ukraine, the United Kingdom, Germany, Canada, and Australia.

This new trick shows that these hackers are getting better at fooling people to get past even good security systems, and companies need to find smarter ways to protect themselves from such sneaky attacks.

“The campaign underlines the critical need for modern organizations to embrace adaptive, context-aware defense mechanisms to counter identity-based threats that are increasingly evading conventional protections,” researchers concluded.

Russia’s Storm-2372 Hits Orgs with MFA Bypass via Device Code Phishing

As organizations increasingly rely on SaaS applications to run their operations, securing them has become a necessity. Without…

As organizations increasingly rely on SaaS applications to run their operations, securing them has become a necessity. Without strong protection, sensitive data, user access, and cloud infrastructure are left vulnerable to breaches. SaaS security is not a single-layer fix; it demands multiple approaches to address cybersecurity threats across identity, data, and applications.

****Key Components of a Secure SaaS Architecture****

Creating a secure SaaS architecture involves prioritizing the most important security factors. Each factor serves to mitigate certain threats that may endanger your application or customer information.

****Identity and Access Management (IAM)****

A strong IAM solution enforces secure access using multi-factor authentication (MFA), single sign-on (SSO), and user provisioning to minimize identity-based threats. Integrate identity providers like Azure AD, Okta, or Google Workspace to gain centralized control over user authentication and authorization.

****Data Protection****

Encrypt sensitive data, implement data loss prevention (DLP) policies, and control data sharing to prevent leaks or breaches. Implement encryption at rest and in transit to protect data at multiple levels.

****Secure Development Practices****

Adopt secure coding principles, perform code reviews, and implement automated security scanning tools to identify vulnerabilities in the initial phases of the development life cycle. Use tools like SonarQube, Snyk, or Checkmarx to scan code and identify vulnerabilities.

****Network Security****

You must implement firewalls, Virtual Private Clouds (VPCs), and network segmentation so that sensitive workloads are placed within secure boundaries. It will also minimize the attack surface. Implement IP whitelisting, VPN access, and network-level monitoring to secure data flow.

****Incident Response Plan****

Establish a good incident response plan that provides detection, containment, and recovery procedures in the case of security incidents. Regular practice drills are necessary to educate your staff to respond to an incident properly.

Bridging these building blocks contributes to developing a good foundation for your SaaS architecture.

****Essential SaaS Security Practices****

Effective SaaS security requires a layered approach. These essential strategies help protect your SaaS applications from unauthorized access, misconfigurations, and third-party vulnerabilities:

1.  **Data Encryption**: You must encrypt data at rest and in transit to prevent unauthorized access. Ensure encryption keys are managed securely to prevent compromise.
2.  **Access Controls**: Use role-based access controls (RBAC) and implement the principle of least privilege. It is necessary to regularly review and audit permissions to minimize over-privileged accounts.
3.  **Secure Configuration**: Regularly review and harden cloud configurations to minimize exposure. Tools like AWS Config, Azure Security Center, and GCP Security Command Center help maintain consistent security configurations.
4.  **Monitoring and Logging**: Enable detailed logs and use tools to detect suspicious behavior. Solutions like AWS CloudTrail, Azure Monitor, and Google Cloud Operations provide insights for incident response.
5.  **Third-Party Risk Management**: Assess the security posture of third-party integrations. Regularly conduct vendor assessments to evaluate risks posed by external services.

Combining these strategies ensures a stronger security posture for your SaaS applications.

****Implementing Identity First Security for Stronger Access Control****

Identity-first security shifts the security focus from the network perimeter to individual user identities. This approach strengthens access control by ensuring that identity is the core factor in securing resources.

****1\. Centralized Identity Management****

You must use centralized identity providers (IdPs) like Azure AD, Okta, or Google Workspace to simplify user management and ensure consistent security policies. Centralized identity management reduces identity sprawl and makes it easier to enforce MFA, password policies, and session control.

****2\. Multi-Factor Authentication (MFA)****

MFA across critical applications is important so you can prevent unauthorized access even if credentials are compromised. Enable adaptive MFA to assess risk signals, such as user behavior or device location, before prompting additional verification.

****3\. Role-Based Access Control (RBAC)****

Implement RBAC to ensure users only have access to resources relevant to their roles, reducing excessive permissions. Continuously review and audit roles to prevent privilege creep.

****4\. Just-in-Time (JIT) Access****

Grant temporary elevated access only when required, minimizing the risk of long-term privileged accounts. This reduces the risk of attackers exploiting excessive or dormant privileges.

By focusing on identity as the foundation for security, organizations can better control access and reduce exposure to breaches.

****Building Secure SaaS Workflows****

Implementing secure workflows helps reduce the risk of human errors and potential security gaps. Structured workflows ensure consistent handling of data, identity, and application behavior.

*   **Secure Onboarding and Offboarding**: Create well-defined onboarding and offboarding processes to manage user access efficiently. Automated provisioning and deprovisioning tools help ensure that no orphaned accounts remain active. Integrate these processes with your IAM provider to streamline access management.

*   **Secure API Management**: Ensure all SaaS APIs are authenticated, encrypted, and properly documented. Implement API gateways and limit exposure to only essential endpoints. Use OAuth 2.0, OpenID Connect, and API rate limiting to enhance API security.

*   **Data Backup and Recovery**: Establish backup routines with strict data recovery objectives. Regularly test recovery processes to minimize downtime in case of an incident. Adopt services like AWS Backup, Azure Backup, or Google Cloud Backup for automated backup management.

By following these practices, organizations can maintain secure and efficient workflows.

****Why Identity Security is the Backbone of Modern Cybersecurity****

Identity security plays an important role in protecting cloud applications, services, and data. Since compromised identities are often the starting point for cyberattacks, securing identities is key to preventing major security incidents.

****Preventing Credential-Based Attacks****

Attackers frequently exploit weak passwords or stolen credentials. Strong identity security with MFA, password policies, and behavior-based monitoring can reduce this risk. Use tools like Microsoft Defender for Identity, Google Cloud Identity Protection, or Okta ThreatInsight to detect suspicious identity-related behavior.

****Enabling Zero Trust Architecture****

Identity security aligns with Zero Trust principles, ensuring that no user or device is trusted by default. Every access request is verified based on identity, device health, and location before access is granted.

****Enhancing User Accountability****

With proper identity tracking and auditing, organizations can monitor user actions and quickly detect suspicious behavior. Solutions like AWS CloudTrail, Azure AD Logs, and Google Cloud Audit Logs provide visibility into identity-related events.

****Improving Compliance****

Identity security helps meet compliance standards by enforcing access controls, maintaining audit trails, and ensuring data protection. Frameworks such as ISO 27001, SOC 2, and HIPAA emphasize strong identity security as part of compliance best practices.

Organizations can build a resilient defense against evolving cyber threats by prioritising identity security.

****Conclusion****

SaaS security is not a one-time effort but a continuous strategy combining proactive threat defense, identity-centric access control, and scalable automation. By implementing strong data encryption, enforcing least-privilege access, and managing identities with precision, businesses can significantly reduce their exposure to threats.

Prioritizing identity security lays the groundwork for Zero Trust and helps meet growing compliance demands. Investing in these security measures not only protects your SaaS stack but also builds long-term customer trust and operational resilience as your business scales.

Top/Featured Image by Vicki Hamilton from Pixabay

SaaS Security Essentials: Reducing Risks in Cloud Applications

The Israeli spyware maker, still on the US Commerce Department’s “blacklist,” has hired a new lobbying firm with direct ties to the Trump administration, a WIRED investigation has found.

Shortly after Donald Trump declared victory in November, NSO Group cofounder and majority owner Omri Lavie rushed to X to congratulate him, speaking of a “new chapter where the world goes back to common sense,” while accusing the outgoing Biden administration of being “weak.” In another tweet, he gushed in Hebrew that Republicans “won in every category: the presidency, Congress, Senate, and the popular vote.”

Lavie’s enthusiasm is understandable. His company—frequently associated with alleged human rights abuses, most recently in February when journalists in Serbia were targeted with its Pegasus spyware—had a significant stake in a Trump victory, with the hopes of regaining the ability to freely do business with US entities. In a comment to Amnesty International, NSO stated, in part, that its “commitment to maintain the highest standard of ethical conduct as well as confidentiality towards our customers is paramount and is consistent with industry norms and our legal obligations.”

The Israeli spyware vendor has been on the US Commerce Department’s “blacklist” for more than three years, meaning it cannot do business with US companies without specific government approval. NSO Group poured at least $1.8 million into an aggressive pre-election lobbying effort, focusing primarily on Republican senators and representatives, with some meetings occurring as often as eight times. Yet the company remains on the Entity List.

Now, with a new occupant in the White House, NSO Group appears to be shifting its political strategy.

The company seems to have either terminated or altered its engagement with several of its previous lobbying consultancies in Washington—some of which were closely aligned with the Democrats—and has started working with a key new lobbying partner: the Vogel Group.

Founded by Alex Vogel, who served as chief counsel to former Senate majority leader Bill Frist, the Vogel Group is providing NSO Group with “strategic advisory on cybersecurity policy matters,” according to lobbying disclosure documents filed on March 10.

The Vogel Group’s connection to the Trump administration includes areas of key interest to NSO Group. One of the Israeli spyware vendor’s new lobbyists, Jonathan Fahey, joined Vogel’s Washington, DC, office as a principal on January 29 and served in various roles during Trump's first term, including acting director and acting principal legal adviser at Immigration and Customs Enforcement, deputy assistant secretary at the Department of Homeland Security, and general counsel to the White House Office of National Drug Control Policy—all three relevant departments for a company selling surveillance technology.

Another Vogel Group staffer, Hayden Jewett, is listed in disclosure records as assigned to lobby on behalf of NSO group. Jewett served as a congressional staff liaison to President Trump’s 2016 inauguration, facilitating coordination between congressional offices and the inaugural committee.

Law firm Holtzman Vogel—of which Alex Vogel is a partner—was founded by his wife, Jill Holtzman Vogel, a former Virginia state senator, a former chief counsel of the Republican National Committee (RNC), and a current principal at the Vogel Group. The firm has reportedly worked for the National Republican Senatorial Committee and the National Republican Congressional Committee and received in 2024 over $9.3 million in reported payments, with significant political funding from Republican organizations.

Holtzman Vogel also represented former Metropolitan Police Department lieutenant Andrew Zabavsky, who was pardoned by Trump in January 2025 for his conviction for obstruction of justice related to the investigation into the death of 20-year-old Karon Hylton-Brown, a case that sparked protests ahead of the 2020 US election.

Bill McGinley, a principal at the Vogel Group and former assistant to the president and cabinet secretary during Trump’s first term, left the lobbying firm after Trump appointed him to White House counsel on November 12. He was then reassigned as counsel to the so-called Department of Government Efficiency (DOGE) on December 4, only to leave on January 23.

“Lobbyists and advisers who have passed through the revolving door, having worked in the previous Trump White House or for the campaign, as well as those who are big campaign donors have a unique ability to bend the ear of the new administration,” says Dan Auble, a senior researcher at the nonprofit OpenSecrets, which tracks US political spending. “That access is very valuable.”

NSO Group spokesperson Gil Lainer declined to comment on the scope of the contract with the Vogel Group when asked by WIRED. The Vogel Group did not respond to WIRED’s request for comment.

**Closing the Circle**

NSO Group’s recent lobbying efforts appear to have mainly focused on Republican lawmakers, more than executive branch power players, particularly as the Biden administration had been engaged in a crackdown on commercial spyware. The company previously worked with several lobbying contractors, with whom it appears to have either terminated or altered its registrations.

These include its registrations under Foreign Agents Registration Act (FARA) with Pillsbury Winthrop Shaw Pittman LLP and Chartwell Strategy Group, as well as registrations under the Lobbying Disclosure Act (LDA) with law firms Paul Hastings LLP and Steptoe LLP. Pillsbury previously engaged Chartwell Strategy Group to provide NSO Group with “strategic communications counsel.” Chartwell Strategy Group has now, for the first time, registered under the LDA as a lobbyist for NSO Group, while the only current active registration of NSO Group under FARA is with Paul Hastings LLP.

Lobbyists representing foreign commercial interests—if their work is not intended to benefit a foreign government or political party—can be exempt from FARA and instead register under the LDA, which has no requirement to report specific meetings and is, overall, far less transparent than FARA.

Much of the public knowledge about NSO Group’s lobbying efforts came from FARA filings. Since both the Vogel Group and Chartwell Strategy Group are now registered under the LDA, it will now be more difficult to monitor their lobbying efforts.

Examining NSO Group's past and present consultants reveals numerous individuals who, one way or another, have been associated with the Trump administration. These people are not all lobbyists, but they do have direct connections to Trump world. They include David Tamasi, managing director at Chartwell Strategy and DC chairman of Trump’s 2016 joint fundraising committee, who bundled more than $500,000 for Trump’s campaign and the RNC in 2020, and at least $15,000 in 2024. His firm, a key player in NSO Group’s lobbying, had been actively preparing clients for Trump’s return.

Other NSO-connected figures also have close Trump ties: Bryan Lanza, a partner at Mercury Public Affairs, which consulted for the company from 2020 to 2021, is a veteran Trump ally; Michael Flynn, Trump’s former national security adviser, was paid nearly $100,000 by NSO Group’s parent firms, according to the The Washington Post, and was recently appointed by Trump to a West Point advisory board; Jeff Miller, who raised millions for Trump, received $170,000 from an NSO-linked company and was spotted at Trump’s 2024 election night event at Mar-a-Lago; and Rod Rosenstein, Trump’s former deputy attorney general, represented NSO Group in a lawsuit and previously helped justify Trump’s firing of FBI director James Comey.

Pillsbury Winthrop Shaw Pittman LLP, Chartwell Strategy Group, Paul Hastings LLP, and Steptoe LLP did not reply to WIRED’s request for comment. Nor did Flynn, Miller, or Rosenstein. Tamasi did not respond in time for publication.

**What Counts as a Win**

As of early March—before Vogel Group’s registration as a lobbyist for NSO Group—there had been no indication that the Trump administration intended to remove the company from the Entity List, according to a source familiar with the administration’s moves regarding spyware, who asked not to be named in order to discuss confidential matters. However, recent comments by NSO Group’s Lavie soft-peddled the impact of the Entity List on the company’s ability to operate in the US.

“\[The Americans\], when they say ‘blacklist,’ it sounds much more dramatic to me than it actually is,” Lavie claimed during an interview in Hebrew on an Israeli podcast following Trump’s election. He added: “You can still do business in the United States; it is definitely not a barrier for us to sell in the US.”

“In practice, we are on the list of Commerce, and what this does for us from a regulatory perspective, it simply forces American companies—if we want to buy technology from them—to ask for permission to sell us the technology. That's all,” Lavie said.

​​Lobbying efforts can target different parts of the US government. By lobbying the executive branch (the president and agencies), lobbyists can influence how laws are enforced rather than what the laws say. In contrast, when lobbying Congress, the focus is on passing, blocking, or amending laws by influencing legislators.

For example, for a company to be removed from the Entity List, it must go through a lengthy administrative process that includes a review by an interagency committee composed of representatives from the departments of Commerce, State, and Defense, among others. Although Congress could theoretically influence this process, it is not directly involved.

During the presidential transition period, NSO Group mainly focused on Congress and reached out to at least 10 Republican senators, representatives, and their staff, before beginning its outreach with the incoming administration. On February 2, the company shared its annual transparency report with Trump’s new deputy national security adviser, Alex Wong.

The Vogel Group could play a key role in supporting NSO Group if it attempts to engage with the new executive branch, including the president’s executive office, the National Security Council, and the State, Justice, and Commerce Departments, among other relevant agencies. Such engagement might aim not only at addressing NSO Group’s placement on the Entity List, but also at challenging the spyware-related visa restrictions imposed by the previous administration. In addition, the firm could potentially assist in efforts to roll back Executive Order 14093, signed by President Joe Biden, which continues to restrict the US government’s use of commercial spyware.

Asked whether the Trump administration intends to uphold the EO, White House press secretary Karoline Leavitt declined to comment.

“Much is at stake if the US revokes Executive Order 14093, an order that sets standards on US acquisition of spyware, as access to the US market, and US purchasing power, are great tools in shaping the global scope and scale of the market for spyware,” says Jen Roberts, the Atlantic Council’s associate director of the Cyber Statecraft Initiative and coauthor of a recent major report on the commercial spyware industry. Roberts also highlighted the need to better regulate US outbound investment into such technologies.

**Watching for Signs**

During Trump's first term, the FBI secretly acquired the Pegasus spyware for limited testing in 2019 and seriously contemplated its operational deployment; while during the final months of the administration in 2020, the US initiated a deal that financed the purchase of the Israeli spyware for Colombian security forces, according to the Colombian ambassador to the US and reported by Drop Site News. (The deal was finalized in 2021, after Trump left office.) In an official statement, NSO Group confirmed its dealings with Colombia but denied claims that the software was purchased irregularly. The New York Times also reported that in 2018 the CIA had purchased Pegasus for the government of Djibouti to conduct counterterrorism operations, while the Secret Service held discussions with NSO Group the same year.

The access and influence NSO Group could attain through lobbying efforts by companies like the Vogel Group and Chartwell Strategy Group could lead to a more favorable political environment and, in turn, potentially increase business opportunities under a second Trump administration—something very hard for outsiders to measure, given the opaque nature of government procurement of surveillance technologies.

In the coming weeks and months, NSO Group’s interactions with US government officials, facilitated by its lobbying, will be critical in achieving such a favorable political environment. Caroline Glick, an adviser to Israeli prime minister Benjamin Netanyahu, has also been recently lobbying the Trump White House—among others—on the matter of “request\[ing\] to check for options for lifting sanctions on Israeli technology companies,” according to reports in the Israeli media.

Experts closely monitoring the commercial spyware industry are raising the alarm about the prospect of NSO Group regaining business under Trump—further exacerbated by new reports that the company has been simultaneously pushing its interests on the international stage through the so-called Pall Mall Process, a UK- and France-led initiative to regulate such technologies.

“NSO has become a toxic brand that is widely associated not just with human rights abuses but also with national security threats to US, UK, France, and other countries,” says Natalia Krapiva, senior tech-legal counsel at civil-liberties-focused nonprofit Access Now.

Lainer, the NSO Group spokesperson, tells WIRED that the company “complies with all laws and regulations and sells only to vetted intelligence and law enforcement agencies, which use these technologies daily to prevent crime and terror attacks.” Lainer adds that NSO “has initiated and implemented the industry’s leading compliance and human rights program, which protects against misuse by government entities and investigates all credible claims of misuse”

Ultimately, the current administration will have the final say on how the US regulates NSO Group.

Senator Ron Wyden of Oregon, who has actively worked to address concerns related to surveillance and spyware, tells WIRED that “the Biden Administration blacklisted NSO” because its tool was used to “maliciously targeting journalists, human rights workers, and even US government officials around the world on behalf of foreign dictators and making all Americans less safe.”

“If Donald Trump puts the NSO Group back in business,” Wyden adds, “he'll be directly responsible for opening up new threats to our national security and enabling atrocities by foreign dictators.”

Spyware Maker NSO Group Is Paving a Path Back Into Trump’s America

A lawyer for Xiaofeng Wang and his wife says they are “safe” after FBI searches of their homes and Wang’s sudden dismissal from Indiana University, where he taught for over 20 years.

Before the official faculty profiles of renowned Indiana University, Bloomington (IU) data privacy professor Xiaofeng Wang and his wife disappeared and the FBI raided two of the couple’s homes last week, the school is said to have been reviewing for months whether the professor received unreported research funding from China, WIRED has learned.

Indiana University contacted Wang in December to ask about a 2017-2018 grant in China that listed Wang as a researcher, according to an unsigned statement that appears to be written by a Purdue University professor and long-time collaborator of Wang seen by WIRED. The statement says that the author believed IU was concerned that Wang allegedly failed to properly disclose the funding to the university and in applications for US federal research grants.

The statement has been circulating among cybersecurity and privacy scholars at universities around the world in recent days and was sent to WIRED by three separate sources. It claims that Wang had explained the funding situation to IU, then was told in February that the school would continue looking into the matter.

Alex Tanford, a professor emeritus at Indiana University and the IU Bloomington Chapter president of the American Association of University Professors, says Wang reached out to him and said that he had been accused of alleged research misconduct. Tanford says he provided Wang guidance as a member of the faculty board of review. IU did not answer WIRED’s questions regarding any probes into Wang.

“The charge seemed trivial—that he had failed to properly disclose who was principal investigator on a grant application and had not fully listed all his coauthors on an article,” Tanford tells WIRED of the allegations. He says Wang wanted to know if the university had the right to lock him out of his office and computer, as he was in the middle of ongoing research.

Research papers Wang published between 2017 and 2018 list funding from places like the National Science Foundation, National Institutes of Health, the US Defense Advanced Research Projects Agency, the US Army Research Office, Google, and Samsung, according to a WIRED review of his publications from the time period.

Wang regularly collaborated with researchers at the Institute of Information Engineering (IIE) at the Chinese Academy of Sciences, a government-funded cybersecurity research lab. In papers, Wang and his coauthors disclosed that the IIE scholars received funding from sources such as the National Natural Science Foundation of China, but that Wang was being supported by US grants. It’s not uncommon for professors at US institutions to collaborate with researchers in China, and there's no public evidence to suggest that the arrangements were improper.

According to the unsigned statement’s title and metadata, it appears to have been authored by Ninghui Li, a computer science professor at Purdue who has collaborated on research with Wang since at least 2006. The pair also serve together on the board of the ACM Special Interest Group on Security, Audit, and Control (SIGSAC), which aims “to develop the information security profession by sponsoring high quality research conferences and workshops,” according to the Association for Computer Machinery’s website. Li did not respond to emailed requests for comment nor a voicemail left on his office phone.

Jason Covert, one of attorneys representing Xiaofeng Wang and his wife, Nianli Ma, a library systems analyst whose employee profile was also removed by Indiana University, tells WIRED that Wang and Ma are both “safe” and that neither of them have been arrested. Their legal team is not currently aware of any pending criminal charges against them, and while the couple’s attorneys have viewed a search warrant from the Department of Justice, Covert says they have not received a copy of the affidavit establishing probable cause.

Wang is considered among the top researchers in the field of privacy, data security, and biometric privacy, and his sudden disappearance came as a shock to many of his academic peers. Wang joined IU in 2004 and is the lead principal investigator of the multidisciplinary Center for Distributed Confidential Computing, which he established in 2022 with an almost $3 million grant from the National Science Foundation (NSF), according to a since-deleted bio on IU’s website. As part of his application for the NSF funding and other US federal research grants, Wang would have been required to disclose other grants he already received or were currently pending review.

On March 28, the FBI searched two home addresses associated with Wang. The same day, IU also reportedly terminated Wang’s job via an email sent by provost Rahul Shrivastav, which WIRED obtained and was first reported by The Indiana Daily Student. The email also said it was understood that Wang had recently accepted a position with a university in Singapore, a detail also repeated in the statement attributed to Li.

The statement says Wang planned to start at the unnamed Singaporean university on June 1, 2025, and requested a leave of absence from Indiana University in early March. But IU responded by “putting him on administrative leave, removing his IU homepage, and disabling his IU email address,” it claims.

Wang’s new job offer “would be irrelevant in any event because it is for \[the\] next academic year and would not justify firing him,” Tanford says. Terminating his employment via an email was a violation of university policy, Tanford claims, which prohibits firing a tenured professor without cause, and requires a 10-day notice and a hearing before a faculty board of review, if requested by the staff member. “The faculty is deeply concerned. If the administration can fire a tenured professor without due process and in violation of a policy approved by our trustees, none of us is safe,” he says.

Reached for comment, an IU spokesperson declined to answer detailed questions from WIRED about prior communications between the university and Wang and the school’s decision to fire him.

“Indiana University was recently made aware of a federal investigation of an Indiana University faculty member,” university spokesperson Mark Bode tells WIRED in an emailed statement. “At the direction of the FBI, Indiana University will not make any public comments regarding this investigation. In accordance with Indiana University practices, Indiana University will also not make any public comments regarding the status of this individual.”

The FBI has so far not commented on the reason for its activities surrounding Wang’s properties. In a statement sent to WIRED, Indianapolis-based spokesperson Chris Bavender says, “The FBI conducted court authorized law enforcement activity at homes in Carmel and Bloomington, Indiana last Friday. We have no further comment at this time.”

WIRED could not immediately reach Wang or Ma for comment directly, but Covert, their attorney, provided a statement on their behalf.

“Prof. Wang and Ms. Ma are thankful for the outpouring of support they have received from colleagues at Indiana University and their peers across the academic community,” the statement reads. “They look forward to clearing their names and resuming their successful careers at the conclusion of this investigation.”

To many in the academic research community, the events surrounding Wang and another Chinese-born scholar in Florida who was fired recently are reminiscent of the China Initiative, a US Department of Justice campaign launched under the first Trump administration to combat cybercrime and economic espionage. Critics accused the program of unfairly targeting Chinese-born researchers and broader Asian-immigrant and Asian-American academic communities.

The DOJ abandoned the program under the Biden administration in 2022 after it lost or withdrew charges in a number of associated cases. At the time, a top DOJ official said it had “helped give rise to a harmful perception” that there are lower standards for prosecuting conduct related to China, and people with ties to the country are treated differently. But several congressional efforts have since sought to resurrect the program or start similar law enforcement campaigns, including a 2023 bill that passed the House but not the Senate last year.

“We, like many other organizations and individuals, have broad concerns that the end of the \[China Initiative\] is just in name but does not reflect a change in fact and substance,” Jeremy Wu, the coorganizer of APA Justice, a nonprofit organization that advocates against racial profiling, said in a March webinar at the Michigan State University. Wu declined WIRED’s request to comment on the events surrounding Wang.

Matthew Green, a professor at Johns Hopkins University who specializes in cryptography and cryptographic engineering says that, while he doesn’t know Wang personally, he is troubled by how secretive Indiana University has been about the circumstances that led to his alleged firing. “This is not normal behavior by a university,” Green tells WIRED.

Green says he worries that cases like Wang’s could make young engineers from China think twice about studying at American universities, and even motivate talented researchers who have lived in the US for decades to instead consider working abroad. “We may lose a huge amount of expertise,” Green says.

Cybersecurity Professor Faced China-Funding Inquiry Before Disappearing, Sources Say

Missing Authorization vulnerability in Drupal OAuth2 Server allows Forceful Browsing. This issue affects OAuth2 Server: from 0.0.0 before 2.1.0.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-4f8q-mwgc-3mwc: Drupal OAuth2 Server Missing Authorization vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Drupal OAuth2 Client allows Cross Site Request Forgery. This issue affects OAuth2 Client: from 0.0.0 before 4.1.3.

GHSA-6chf-hhqf-749c: Drupal OAuth2 Client Cross-Site Request Forgery (CSRF)

Xiaofeng Wang, a longtime computer science professor at Indiana University, has disappeared along with his wife, and their profiles on the school's website were wiped ahead of recent FBI raids.

A prominent computer scientist who has spent 20 years publishing academic papers on cryptography, privacy, and cybersecurity has gone incommunicado, had his professor profile, email account, and phone number removed by his employer, Indiana University, and had his homes raided by the FBI. No one knows why.

Xiaofeng Wang has a long list of prestigious titles. He was the associate dean for research at Indiana University's Luddy School of Informatics, Computing and Engineering, a fellow at the Institute of Electrical and Electronics Engineers and the American Association for the Advancement of Science, and a tenured professor at Indiana University at Bloomington. According to his employer, he has served as principal investigator on research projects totaling nearly $23 million over his 21 years there.

He has also coauthored scores of academic papers on a diverse range of research fields, including cryptography, systems security, and data privacy, including the protection of human genomic data. I have personally spoken to him on three occasions for articles here, here, and here.

****“None of This Is in Any Way Normal”****

In recent weeks, Wang's email account, phone number, and profile page at the Luddy School were quietly erased by his employer. Over the same time, Indiana University also removed a profile for his wife, Nianli Ma, who was listed as a lead systems analyst and programmer at the university's Library Technologies division.

As reported by The Bloomingtonian and later the The Herald-Times in Bloomington, a small fleet of unmarked cars driven by government agents descended on the Bloomington home of Wang and Ma on Friday. They spent most of the day going in and out of the house and occasionally transferred boxes from their vehicles. TV station WTHR, meanwhile, reported that a second home owned by Wang and Ma, located in Carmel, Indiana, was also searched. The station said that both a resident and an attorney for the resident were on scene during at least part of the search.

Attempts to locate Wang and Ma have so far been unsuccessful. An Indiana University spokesman didn't answer emailed questions asking if the couple was still employed by the university and why their profile pages, email addresses, and phone numbers had been removed. The spokesman provided the contact information for a spokeswoman at the FBI's field office in Indianapolis. In an email, the spokeswoman wrote: “The FBI conducted court authorized law enforcement activity at homes in Bloomington and Carmel Friday. We have no further comment at this time.”

Searches of federal court dockets turned up no documents related to Wang, Ma, or any searches of their residences. The FBI spokeswoman didn't answer questions seeking which US district court issued the warrant and when, and whether either Wang or Ma is being detained by authorities. Justice Department representatives didn't return an email seeking the same information. An email sent to a personal email address belonging to Wang went unanswered at the time this post went live. Their resident status (e.g., US citizens or green card holders) is currently unknown.

Fellow researchers took to social media over the weekend to register their concern over the series of events.

“None of this is in any way normal,” Matthew Green, a professor specializing in cryptography at Johns Hopkins University, wrote on Mastodon. He continued: “Has anyone been in contact? I hear he’s been missing for two weeks and his students can’t reach him. How does this not get noticed for two weeks???”

In the same thread, Matt Blaze, a McDevitt professor of computer science and law at Georgetown University, said, “It's hard to imagine what reason there could be for the university to scrub its website as if he never worked there. And while there's a process for removing tenured faculty, it takes more than an afternoon to do it.”

Local news outlets reported the agents spent several hours moving boxes in an out of the residences. WTHR provided the following details about the raid on the Carmel home:

_Neighbors say the agents announced "FBI, come out!" over a megaphone._

_A woman came out of the house holding a phone. A video from a neighbor shows an agent taking that phone from her. She was then questioned in the driveway before agents began searching the home, collecting evidence and taking photos._

_A car was pulled out of the garage slightly to allow investigators to access the attic._

_The woman left the house before 13News arrived. She returned just after noon accompanied by a lawyer. The group of 10 or so investigators left a few minutes later._

_The FBI would not say what they were looking for or who is under investigation. A bureau spokesperson issued a statement: “I can confirm we conducted court-authorized activity at the address in Carmel today. We have no further comment at this time.”_

_Investigators were at the house for about four hours before leaving with several boxes of evidence. 13News rang the doorbell when the agents were gone. A lawyer representing the family who answered the door told us they're not sure yet what the investigation is about._

This post will be updated if new details become available. Anyone with firsthand knowledge of events involving Wang, Ma, or the investigation into either is encouraged to contact me, preferably over Signal at DanArs.82. The email address is: dan.goodin@arstechnica.com.

_This story originally appeared on_ _Ars Technica._

Cybersecurity Professor Mysteriously Disappears as FBI Raids His Homes

Palo Alto, USA, 29th March 2025, CyberNewsWire

**Palo Alto, USA, March 28th, 2025, CyberNewsWire**

From WannaCry to the MGM Resorts Hack, ransomware remains one of the most damaging cyberthreats to plague enterprises. Chainalysis estimates that corporations spend nearly $1 billion dollars on ransom each year, but the greater cost often comes from the reputational damage and operational disruption caused by the attack.

Ransomware attacks typically involve tricking victims into downloading and installing the ransomware, which copies, encrypts, and/or deletes critical data on the device, only to be restored upon the ransom payment. Traditionally, the primary target of ransomware has been the victim’s device. However, thanks to the proliferation of the cloud and SaaS services, the device no longer holds the keys to the kingdom. Instead, the browser has become the primary way through which employees conduct work and interact with the internet. In other words, the browser is becoming the new endpoint.

SquareX has been disclosing major browser vulnerabilities like Polymorphic Extensions and Browser Syncjacking, and is now issuing a strong warning on the emergence of browser-native ransomware. 

> SquareX’s founder, Vivek Ramachandran cautions, “With the recent surge in browser-based identity attacks like the one we saw with the Chrome Store OAuth attack, we are beginning to see evidence of the ‘ingredients’ of browser-native ransomwares being used by adversaries. It is only a matter of time before one smart attacker figures out how to put all the pieces together. While EDRs and Anti-Viruses have played an unquestionably vital role in defending against traditional ransomware, the future of ransomware will no longer involve file downloads, making a browser-native solution a necessity to combat browser-native ransomwares.”

Unlike traditional ransomware, browser-native ransomware requires no file download, rendering them completely undetectable by endpoint security solutions. Rather, this attack targets the victim’s digital identity, taking advantage of the widespread shift toward cloud-based enterprise storage and the fact that browser-based authentication is the primary gateway to accessing these resources. In the case studies demonstrated by SquareX, these attacks leverage AI agents to automate the majority of the attack sequence, requiring minimal social engineering and interference from the attacker.

One potential scenario involves social engineering a user into granting a fake productivity tool access to their email, through which it can identify all the SaaS applications the victim is registered with. It can then systematically reset the password of these apps with AI agents, logging the users out on their own and holding enterprise data stored on these applications hostage. 

Similarly, the attacker can also target file-sharing services like Google Drive, Dropbox and OneDrive, using the victim’s identity to copy out and delete all files stored under their account. Critically, attackers can also gain access to all shared drives, including those shared by colleagues, customers and other third parties. This significantly expands the attack surface of browser-native ransomware – where the impact of most traditional ransomware is confined to a single device, all it takes is one employee’s mistake for attackers to gain full access to enterprise-wide resources.

As fewer and fewer files are being downloaded, it is inevitable for attackers to follow where work and valuable data are being created and stored. As browsers become the new endpoint, it is crucial for enterprises to reconsider their browser security strategy – just as EDRs were critical to defend against file-based ransomware, a browser-native solution with a deep understanding of client-side application layer identity attacks will become essential in combating the next generation of ransomware attacks.

To learn more about this security research, users can visit https://sqrx.com/browser-native-ransomware

**About SquareX**

SquareX’s industry-first Browser Detection and Response (BDR) solution helps organizations detect, mitigate, and threat-hunt client-side web attacks happening against their users in real time. In addition to browser ransomware, SquareX also protects against various browser threats including identity attacks, malicious extensions, advanced spearphishing, GenAI DLP, and insider threats.

The browser-native ransomware disclosure is part of the Year of Browser Bugs project. Every month, SquareX’s research team releases a major web attack that focuses on architectural limitations of the browser and incumbent security solutions. Previously disclosed attacks include Browser Syncjacking and Polymorphic Extensions. 

To learn more about SquareX’s BDR, users can contact \[email protected\].

For press inquiries on this disclosure or the Year of Browser Bugs, users can email \[email protected\]. 

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Discloses Browser-Native Ransomware that Puts Millions at Risk

Oracle is caught up in a cybersecurity mess right now, with claims about a massive data breach affecting…

Oracle is caught up in a cybersecurity mess right now, with claims about a massive data breach affecting its cloud infrastructure. Last week, Hackread.com **published an article** based on the findings of cybersecurity firm CloudSEK revealing that a threat actor had stolen 6 million records from Oracle Cloud. The hacker, identified as “**rose87168**“, claimed to have compromised a key Single Sign-On (SSO) endpoint, resulting in the exfiltration of sensitive data including SSO and LDAP credentials, OAuth2 keys, and customer tenant information.

****Oracle’s Firm Denial****

Shortly after the story broke, Oracle issued a categorical denial, making a strong statement that “**There has been no breach of Oracle Cloud**.” The company maintained that the credentials published by the threat actor were not associated with Oracle Cloud and emphasized that no Oracle Cloud customers were affected. This statement directly contradicted the findings of CloudSEK, which had alerted the public and Oracle via formal reports.

****CloudSEK’s Follow-Up Investigation****

However, CloudSEK has doubled down on Oracle’s claims with a new follow-up analysis, presenting what it calls “conclusive evidence” of the breach. In a **blog post**, which the company shared with Hackread.com ahead of its publishing over the weekend, CloudSEK outlined how their researchers detected the threat actor’s activities on March 21, 2025.

According to the cybersecurity firm, they traced the attack to a compromised production SSO endpoint (**login.us2.oraclecloud.com**), which the hacker exploited to steal records from more than 140,000 tenants.

CloudSEK also found evidence that the threat actor had actively used the compromised domain to authenticate API requests via **OAuth2 tokens**, as seen in an archived public GitHub repository under Oracle’s official **"oracle-quickstart"** account. The endpoint was proven to be in use for production purposes, contradicting Oracle’s assertion that the credentials were unrelated to their infrastructure.

****New Evidence: Real Customer Data Confirmed****

One of the most noteworthy pieces of evidence involves real customer domain names that the hacker provided as samples. CloudSEK verified the domains against publicly available data and found that they were, in fact, valid Oracle Cloud customers. Some of the domain names identified include:

*   **sbgtv.com**

*   **nexinfo.com**

*   **nucor-jfe.com**

*   **rapid4cloud.com**

*   **cloudbasesolutions.com**

These domains were present in GitHub repositories and Oracle partner documentation, and CloudSEK confirmed they were not mere dummy or canary accounts. Additionally, the compromised endpoint, **login.us2.oraclecloud.com**, was validated as an active production SSO setup, used in real-world configurations by OneLogin and Rainfocus.

The screenshot shared by CloudSEK shows “login.us2.oraclecloud.com” was a production SSO setup

****The Impact and Concerns****

The impact of this breach, if proven, could be serious. The exposure of 6 million records, including encrypted SSO and LDAP passwords risks unauthorized access, espionage, and data breaches across affected systems. Additionally, the inclusion of JKS files and OAuth2 keys means attackers might gain long-term control over affected services.

CloudSEK warns that the compromised credentials could potentially be cracked and reused in a way that poses further risks to enterprise environments. The hacker is also reportedly demanding **ransom payments** from affected firms to delete the stolen data, amplifying both financial and reputational threats.

****CloudSEK’s Stance: Evidence over Speculation****

In response to Oracle’s denial, Rahul Sasi, CEO of CloudSEK, stated that the company is focused on providing transparency and evidence rather than speculation. CloudSEK has been sharing its findings through public reports and free tools to help organizations assess whether they are affected.

Additionally, Rahul recommends companies change their SSO and LDAP credentials right away and set up multi-factor authentication (MFA) to add extra protection. It’s also important to take a closer look at logs to spot any unusual activity related to the compromised endpoint. Keeping an eye on **dark web forums** for any signs of leaked data is a good move too. On top of that, it’s a good idea to get in touch with Oracle Security to figure out any weak spots and fix them.

****Questions Are Pouring In Already****

Cybersecurity experts are already questioning Oracle’s quick denial. **Chad Cragle**, CISO at Deepwatch, a San Francisco, Calif.-based AI+Human Cyber Resilience Platform stressed that Oracle needs to address the questions raised by CloudSEK to maintain its credibility.

_“_CloudSEK raises a critical point. If there was no breach, how did a threat actor allegedly upload a file to the Oracle Cloud subdomain?_“_ argued Chad. _“_This indicates unauthorized access, even if it wasn’t a full-scale compromise.”

_“_Dismissing the incident without addressing this key detail raises more questions than answers. If Oracle wants to maintain credibility, the company must clarify how the file ended up there, whether any security gaps were exploited, and why the subdomain was taken down,_“_ he added.

**Heath Renfrow**, CISO and Co-founder at Fenix24 a Chattanooga, Tennessee-based cyber disaster recovery firm, expressed concerns about Oracle’s stance on the breach and the threat actor’s ability to upload files within critical infrastructure.

_“_Regardless of Oracle’s position, the presence of a threat actor-uploaded file in the webroot of what appears to be an Oracle Cloud Infrastructure (OCI) login subdomain is deeply concerning,_“_ said Health. _“_This detail, coupled with the public availability of sensitive data on forums, raises valid questions about the scope of compromise and whether customers with federated login configurations could be at risk._“_

Hackread.com has reached out to Oracle. Stay tuned for updates!

CloudSEK Disputes Oracle Over Data Breach Denial with New Evidence

### Impact

The 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, the credentials stored by one app can be used to authenticate the same user in the other app. Note that this only affects Parse Server apps that specifically use an affected 3rd party authentication provider for user authentication, for example by setting the Parse Server option `auth` to configure a Parse Server authentication adapter. See the [3rd party authentication docs](https://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication) for more information on which authentication providers are affected.

### Patches

The fix of this vulnerability requires to upgrade Parse Server to a version that includes the bug fix, as well as upgrade the client app to send a secure payload, which is different from the previous insecure payload. To accommodate a gradual rollout of the client app update, affected Parse Server authentication adapters now offer an `enableInsecureAuth` option to accept both insecure and secure payloads from clients apps. See the [3rd party authentication docs](https://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication) for how to migrate from insecure to secure authentication.

### Workarounds

None.

### References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-837q-jhwx-cmpv
- Parse Server documentation for 3rd party authentication providers: https://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication
- Bug fix in Parse Server 7: https://github.com/parse-community/parse-server/pull/9668
- Bug fix in Parse Server 8: https://github.com/parse-community/parse-server/pull/9667

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

Tag

#oauth