At Microsoft, we are committed to fostering a secure and innovative environment for our customers and users. As part of this commitment, we are thrilled to announce significant updates to our Copilot (AI) Bounty Program. These changes are designed to enhance the program’s effectiveness, incentivize broader participation, and ensure that our Copilot consumer products remain robust, safe, and secure.

At Microsoft, we are committed to fostering a secure and innovative environment for our customers and users. As part of this commitment, we are thrilled to announce significant updates to our Copilot (AI) Bounty Program. These changes are designed to enhance the program’s effectiveness, incentivize broader participation, and ensure that our Copilot consumer products remain robust, safe, and secure. 

Building on our commitment to support AI researchers, we are also introducing new initiatives aimed at providing comprehensive training and resources to support aspiring AI professionals as part of Zero Day Quest. These initiatives will include workshops, access to Microsoft AI engineers, and cutting-edge research and development tools. By investing in the growth and education of AI researchers, we aim to cultivate a community of skilled professionals who can contribute to the advancement of AI technology and uphold the highest standards of security and innovation.  

**Integrating the Microsoft Vulnerability Classification for Online Services**

One of the most impactful changes to our Copilot Bounty Program is the integration of the Microsoft Vulnerability Severity Classification for Online Services (Online Services bug bar). This integration builds off our existing alignment with the Microsoft Vulnerability Severity Classification for AI Systems (AI bug bar) and establishes a clear and consistent framework for evaluating the severity of vulnerabilities discovered in our Copilot consumer products. By aligning with the Online Services Bug Bar, we ensure that all reported vulnerabilities are assessed with the same rigor and standards applied across Microsoft’s online services. This not only streamlines the evaluation process but also enhances the transparency and fairness of our bounty rewards.  

For more details on how the severity levels are classified, as defined by the Microsoft Security Response Center (MSRC) advisory rating and the Microsoft Exploitability Index, refer to the individual bug bars: Online Services bug bar and AI bug bar. 

**Incentivizing moderate severity cases**

We recognize that even moderate vulnerabilities can have significant implications for the security and reliability of our Copilot consumer products. To address this, we are introducing new incentives for moderate severity Copilot cases. Researchers who identify and report moderate severity vulnerabilities will now be eligible for bounty rewards up to $5,000. Expanding our bounty program to include Copilot reflects our ongoing commitment to security across Microsoft products and services, and we encourage researchers to help us identify and mitigate vulnerabilities.

**Expanding in-scope targets**

To further enhance the security of our Copilot consumer products, we are expanding the scope of our Copilot Bounty Program. The updated program now includes a broader range of Copilot consumer products and services, ensuring that more areas are covered and protected. This expansion provides researchers with more opportunities to contribute to the security of our Copilot ecosystem and helps us identify and mitigate potential vulnerabilities across a wider array of platforms. The in-scope targets now include: 

*   Copilot for Telegram 
    
*   Copilot for WhatsApp 
    
*   copilot.microsoft.com and copilot.ai 
    

**Join us in securing the future of Copilot** 

We believe that collaboration with the security research community is essential to maintaining the integrity and security of our Copilot consumer products. The updates to our Copilot (AI) Bounty Program reflect our ongoing commitment to this collaboration and our dedication to fostering a secure and innovative environment for all. 

We invite all security researchers, developers, and enthusiasts to join us in this mission. By participating in the Copilot (AI) Bounty Program, you can help us identify and address vulnerabilities, contribute to the security of our Copilot consumer products, and earn awards for your valuable contributions. 

Together, we can ensure that our Copilot products remain secure, safe, and innovative. Thank you for your continued support and dedication to making the digital world a safer place. 

If you have any questions about this program or any other security research incentive program, please email us at bounty@microsoft.com. 

Happy Hunting!  

_Lynn Miyashita and Madeline Eckert_

Microsoft Bounty Team

Exciting updates to the Copilot (AI) Bounty Program: Enhancing security and incentivizing innovation

Ya-moon, S. Korea’s notorious sex crime hub operating since 1990, hacked; user data leaked, exposing CSAM, exploitation, and illicit activities.

A hacker using the alias “Valerie” is claiming to have hacked Ya-moon, a notorious South Korean private pornography website and forum. According to the hacker, the hack took place in June 2024 using a zero-day vulnerability, but the details of it have only been shared earlier today.

The site, which has been operating since 1990, is infamous for hosting illicit content, including Child Sexual Abuse Material, also known as **CSAM**, hidden camera footage, revenge porn, and videos depicting rape. Its users often brag about gang rapes, the sexual exploitation of minors, and the intimidation of women into sexual acts.

Hacker on Breach Forums where data has been leaked (Screenshot credit: Hackread.com)

The hacker claims that despite multiple attempts by South Korean authorities, Interpol, and U.S. law enforcement to dismantle the site, efforts had previously failed to bring it down. Now, a massive data breach has exposed the platform’s users, including 326,000 lines of data.

****The Hack and Leaked Data****

According to the hacker, the website’s entire database and chat logs have been published online. Initially, the data was handed over to a “databroker” who leaked a small portion but then disappeared, allegedly arrested. Frustrated with the inactivity surrounding the breach, the hacker decided to release the full dataset independently.

****Key Data Exposed in the Ya-moon.com Breach****

As seen and analysed by _Hackread.com’s research team_, the leaked database includes personally identifiable information (PII) and incriminating activity logs, making this quite a sensitive leak. The dataset contains:

1: **User Identification**

*   **Usernames**
*   **IP addresses (revealing user locations)**
*   **Email addresses (52,000 – some linked to real identities)**
*   **Plain-text passwords (suggesting weak security measures)**

**2: Activity & Behavior**

*   **Date of joining the forum**
*   **Last activity timestamps (showing recent usage patterns)**
*   **Chat logs, containing discussions of illegal activities**
*   **Published content, including uploaded media and discussion posts**

**3: Private Communications**

*   **Inbox messages exchanged between users**
*   **Potential evidence of coordination or transactions**
*   **Discussions about law enforcement activity, security concerns, and evasion tactics.**

The leaked data (Screenshot credit: Hackread.com)

If verified, this could be a major blow to users who engaged in illegal activities on the platform, as law enforcement agencies could track down those involved.

****Korean-Based User Activity Revealed in the Breach****

The majority of users’ IP addresses trace back to South Korea. This confirms that Ya-moon.com is largely a domestic operation, based on South Korean users who engaged in illegal content distribution and discussions. While some may have used VPNs or proxies, many users relied on their real IP addresses, suggesting a lack of security within the forum.

This dataset could also become a crucial investigative tool for South Korean authorities, who have struggled for years to take down networks like this one. If acted upon, it may lead to important arrests and legal action against individuals involved in the platform’s criminal activities.

****South Korea and Online Sex Crimes****

South Korea has a long history of tackling online sex crimes, including high-profile cases like the **Nth Room scandal**, where perpetrators exploited victims through encrypted chatrooms. However, forums like Ya-moon.com continued to exist, exposing gaps in enforcement and digital policing.

If authorities acquire and verify the data, arrests and prosecutions could follow, similar to previous dark web takedowns like **Operation Dark HunTor** and **Playpen**. This breach may deter users from engaging in illicit activities online, knowing they can be exposed.

****Not The First Time****

This is not the first instance of hackers targeting sites linked to CSAM and other forms of abuse. **In February 2017**, Anonymous hacktivists breached Freedom Hosting II, the largest dark web hosting provider at the time, resulting in the shutdown of thousands of CSAM sites. The hosting service managed approximately **11,000 websites**, accounting for nearly 20% of all dark web sites that year.

S. Korea’s Notorious Sex Crime Hub Ya-moon Hacked, User Data Leaked

Thorsten examines last year’s CVE list and compares it to recent Talos Incident Response trends. Plus, get all the details on the new vulnerabilities disclosed by Talos’ Vulnerability Research Team.

Thursday, February 6, 2025 14:03

> “Enough Ripples, And You Change The Tide. For The Future Is Never Truly Set.” X-Men: Days of Future Past

In January, I dedicated some time to examine threat data from 2024, comparing it with the previous years to identify anomalies, spikes, and changes.  

As anticipated, the number of Common Vulnerabilities and Exposures (CVEs) rose significantly, from 29,166 in 2023 to 40,289 in 2024, marking a substantial 38% increase. Interestingly, the severity levels of the CVEs remained centered around 7-8 for both years. 

When taking a closer look at the known exploited vulnerabilities reported by the Cybersecurity and Infrastructure Security Agency (CISA), I observed that the numbers remained relatively stable, with 186 in 2024 compared to 187 in 2023. However, there was a noteworthy 36% increase for the critical vulnerabilities scored (9-10).  

There is more to uncover from this data, and the analysis is still ongoing.  

It was also time to “stack” the data of our Quarterly Incident Response Reports. The standout aspects are the initial access vectors to me. "Exploiting Public Facing Applications" and "Valid Accounts" were dominant, outperforming other methods. This serves as a timely reminder to implement (proper) MFA and other identity and access control solutions as well as patch regularly and replace end-of-life assets. 

Reflecting on CVEs, patching, initial access vectors and also lateral movement, it's important to remember that the "free" support for Windows 10 will end on October 14, 2025.  

Mark.your.calendars. Please. And plan accordingly to ensure your systems remain secure.  

**The one big thing**

Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in Whatsup Gold.   

**Why do I care?**

Observium and WhatsUp Gold can be categorized as Network Monitoring Systems (NMS). A NMS as such holds a lot of valuable information such as Network Topology, Device Inventory, Log Files, Configuration Data and more, making them an attractive for the bad guys. 

**So now what?**

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, make sure your installation is up to date. 

**Top security headlines of the week**

The Cybersecurity and Infrastructure Security Agency analyzed a patient monitor used by the Healthcare and Public Health sector and discovered an embedded backdoor. (CISA) 

Apple has released software updates to address several security flaws across its portfolio, including a zero-day vulnerability that it said has been exploited in the wild. (Hacker News) 

Nearly 100 journalists and other members of civil society using WhatsApp were targeted by a “zero-click” attack (Guardian) 

DeepSeek AI tools impersonated by infostealer malware on PyPI (Bleeping Computer) 

**Can't get enough Talos?**

*   Web shell frenzies, the first appearance of Interlock, and why hackers have the worst cybersecurity: IR Trends Q4 2024 
*   New TorNet backdoor seen in widespread campaign 

**Upcoming events where you can find Talos**

Talos team members: Martin LEE, Thorsten ROSENDAHL, Yuri KRAMARZ, Giannis TZIAKOURIS, and Vanja SVAJCER will be speaking at Cisco Live EMEA. Amsterdam, Netherlands, 9-14 February.   

S4x25 (February 10-12, 2025)  
Tampa, FL

RSA (April 28-May 1, 2025)  
San Francisco, CA

TIPS 2025 (May 14-15, 2025)  
Arlington, VA

**Most prevalent malware files from the week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

Typical Filename: VID001.exe 

Claimed Product: N/A 

Detection Name: Win.Worm.Coinminer::1201 

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

Typical Filename: VID001.exe 

Claimed Product: n/a  

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA256:873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f  

MD5: d86808f6e519b5ce79b83b99dfb9294d   

VirusTotal: 

https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f 

Typical Filename: n/a  

Claimed Product: n/a   

Detection Name: Win32.Trojan-Stealer.Petef.FPSKK8   

SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   

MD5: ff1b6bb151cf9f671c929a4cbdb64d86   

VirusTotal: https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  

Typical Filename: endpoint.query   

Claimed Product: Endpoint-Collector   

Detection Name: W32.File.MalParent   

SHA 256: 744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241 

MD5: a5e26a50bf48f2426b15b38e5894b189 

VirusTotal: https://www.virustotal.com/gui/file/744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241 

Typical Filename: a5e26a50bf48f2426b15b38e5894b189.vir 

Claimed Product: N/A 

Detection Name: Win.Dropper.Generic::1201

Changing the tide: Reflections on threat data from 2024

Experts question whether Edward Coristine, a DOGE staffer who has gone by “Big Balls” online, would pass the background check typically required for access to sensitive US government systems.

A young technologist known online as “Big Balls,” who works for Elon Musk's so-called Department of Government Efficiency (DOGE), has access to sensitive US government systems. But his professional and online history call into question whether he would pass the background check typically required to obtain security clearances, security experts tell WIRED.

Edward Coristine, a 19-year-old high school graduate, established at least five different companies in the last four years, with entities registered in Connecticut, Delaware, and the United Kingdom, most of which were not listed on his now-deleted LinkedIn profile. Coristine also briefly worked in 2022 at Path Network, a network monitoring firm known for hiring reformed blackhat hackers. Someone using a Telegram handle tied to Coristine also solicited a cyberattack-for-hire service later that year.

Coristine did not respond to multiple requests for comment.

One of the companies Coristine founded, Tesla.Sexy LLC, was set up in 2021, when he would have been around 16 years old. Coristine is listed as the founder and CEO of the company, according to business records reviewed by WIRED.

Tesla.Sexy LLC controls dozens of web domains, including at least two Russian-registered domains. One of those domains, which is still active, offers a service called Helfie, which is an AI bot for Discord servers targeting the Russian market. While the operation of a Russian website would not violate US sanctions preventing Americans doing business with Russian companies, it could potentially be a factor in a security clearance review.

"Foreign connections, whether it's foreign contacts with friends or domain names registered in foreign countries, would be flagged by any agency during the security investigation process," Joseph Shelzi, a former US Army intelligence officer who held security clearance for a decade and managed the security clearance of other units under his command, tells WIRED.

A longtime former US intelligence analyst, who requested anonymity to speak on sensitive topics, agrees. “There's little chance that he could have passed a background check for privileged access to government systems,” they allege.

Another domain under Coristine’s control is faster.pw. The website is currently inactive, but an archived version from October 25, 2022 shows content in Chinese that stated the service helped provide “multiple encrypted cross-border networks.”

Prior to joining DOGE, Coristine worked for several months of 2024 at Elon Musk’s Neuralink brain implant startup, and, as WIRED previously reported, is now listed in Office of Personnel Management records as an “expert” at that agency, which oversees personnel matters for the federal government. Employees of the General Services Administration say he also joined calls where they were made to justify their jobs and to review code they’ve written.

Other elements of Coristine’s personal record reviewed by WIRED, government security experts say, would also raise questions about obtaining security clearances necessary to access privileged government data. These same experts further wonder about the vetting process for DOGE staff—and, given Coristine’s history, whether he underwent any such background check.

The White House did not immediately respond to questions about what level of clearance, if any, Corisitine has and, if so, how it was granted.

At Path Network, Coristine worked as a systems engineer from April to June of 2022, according to his now-deleted LinkedIn résumé. Path has at times listed as employees Eric Taylor, also known as Cosmo the God, a well-known former cybercriminal and member of the hacker group UGNazis, as well as Matthew Flannery, an Australian convicted hacker whom police allege was a member of the hacker group LulzSec. It’s unclear whether Coristine worked at Path concurrently with those hackers, and WIRED found no evidence that either Coristine or other Path employees engaged in illegal activity while at the company.

“If I was doing the background investigation on him, I would probably have recommended against hiring him for the work he’s doing,” says EJ Hilbert, a former FBI agent who also briefly served as the CEO of Path Network prior to Coristine’s employment there. “I’m not opposed to the idea of cleaning up the government. But I am questioning the people that are doing it.”

**Got a tip?**

_Are you a current or former US government employee? We'd like to hear from you. Using a nonwork phone or computer, contact the reporters securely on Signal at Andy.01 (Andy Greenberg), DavidGilbert.01 (David Gilbert), or +1 (347) 722-1347 (Lily Hay Newman)._

Potential concerns about Coristine extend beyond his work history. Archived Telegram messages shared with WIRED show that, in November 2022, a person using the handle “JoeyCrafter” posted to a Telegram channel focused on so-called distributed denial of service (DDoS) cyberattacks that bombard victim sites with junk traffic to knock them offline. In his messages, JoeyCrafter—which records from Discord, Telegram, and the networking protocol BGP indicate was a handle used by Coristine—writes that he’s “looking for a capable, powerful and reliable L7” that accepts bitcoin payments. That line, in the context of a DDoS-for-hire Telegram channel, suggests he was looking for someone who could carry out a layer-7 attack, a certain form of DDoS. A DDoS-for-hire service with the name Dstat.cc was seized in a multinational law enforcement operation last year.

The JoeyCrafter Telegram account had previously used the name “Rivage,” a name linked to Coristine on Discord and at Path, according to Path internal communications shared with WIRED. Both the Rivage Discord and Telegram accounts at times promoted Coristine’s DiamondCDN startup. It’s not clear whether the JoeyCrafter message was followed by an actual DDoS attack. (In the internal messages among Path staff, a question is asked about Rivage, at which point an individual clarifies they are speaking about “Edward.”)

"It does depend on which government agency is sponsoring your security clearance request, but everything that you've just mentioned would absolutely raise red flags during the investigative process," says Shelzi, the former US Army intelligence officer. He adds that a secret security clearance could be completed in as little as 50 days, while a top-secret security clearance could take anywhere from 90 days to a year to complete.

Coristine’s online history, including a LinkedIn account where he calls himself Big Balls, has disappeared recently. He also previously used an account on X with the username @edwardbigballer. The account had a bio that read: “Technology. Arsenal. Golden State Warriors. Space Travel.”

Prior to using the @edwardbigballer username, Coristine was linked to an account featuring the screen name “Steven French” featuring a picture of what appears to be Humpty Dumpty smoking a cigar. In multiple posts from 2020 and 2021, the account can be seen responding to posts from Musk. Coristine’s X account is currently set to private.

Davi Ottenheimer, a longtime security operations and compliance manager, says many factors about Coristine’s employment history and online footprint could raise questions about his ability to obtain security clearance.

“Limited real work experience is a risk,” says Ottenheimer, as an example. “Plus his handle is literally Big Balls.”

DOGE Teen Owns ‘Tesla.Sexy LLC’ and Worked at Startup That Has Hired Convicted Hackers

Cheap banking scams are often easier to pull off in a country with older devices, fewer regulations, and experienced fraudsters.

Source: Jayant Bahel via Alamy Stock Photo

A series of fake banking apps are making the rounds in India, mimicking trusted institutions to steal credentials and, ultimately, money.

The scale of the campaign is impressive, featuring nearly 900 different malware samples tied to around 1,000 different phone numbers used to perpetrate the fraud. Researchers from Zimperium observed all those malware couched in apps that mimic billion-dollar financial institutions, designed to target regular people across India.

**Banking Fraud in East India**

Across India, regular people have been receiving WhatsApp messages carrying malicious Android Package Kit (APK) files. Once downloaded, these APKs open into fake apps mimicking one of more than a dozen banks, including most of the largest in India: HDFC Bank, ICICI Bank, the State Bank of India (SBL), and others.

Source: Zimperium

The apps ask victims to submit their most sensitive financial information, including their mobile banking credentials, credit and debit card numbers, ATM PINs, Permanent Account Number (PAN) Card — used for various financial and government purposes, like paying taxes or opening a bank account — and Aadhar Card, and equivalent to a Social Security number (SSN).

To allow the attackers to log into victims' bank accounts, the malware intercepts one-time passwords sent via SMS, and redirects them either to an attacker-controlled phone number, or a command-and-control (C2) server running on Firebase.

Related:Russian APT Phishes Kazakh Gov't for Strategic Intel

The malware also sports stealth and anti-analysis measures, like "packing," where the malware is compressed, encrypted, and obfuscated to the point of illegibility. It can install itself invisibly by taking advantage of accessibility services, and obtain all conceivable permissions on users' devices by simply prodding a user to thoughtlessly hit "Allow" when it asks nicely.

"Since you don't see the app, it's not easy to uninstall it," explains Nico Chiaraviglio, chief scientist at Zimperium. "And then you \[have to deal with the\] higher permissions. So if you want to uninstall the app, the device will say you cannot install it because it's a system app. You basically need to connect the phone to a computer and uninstall it using the Android Debug Bridge (ADB). It's not something that you can do from a regular user's standpoint."

**Why Fraud Works in India**

Phone numbers tied to the campaign lovingly named "FatBoyPanel" have tended to concentrate in eastern states: West Bengal (30.2%), Bihar (22.6%), Jharkjand (10%).

That FatBoyPanel seems to be going so well, Chiaraviglio thinks, comes down to a couple of obvious factors. First: older, outdated phones are common in East India, and, "If you want to run some sort of exploit, it's easier to do on older devices," he says.

Related:Chinese APT Group Is Ransacking Japan's Secrets

"It's also widely known that there are a lot of scammers in India," he adds. In this campaign, "They are targeting some specific apps, and this basically tells you that the attackers are Indians, and that they know the market that they are working in."

One thing surprised him, he says: "We publish a report every year on banking Trojans, and we see most of them targeting many different countries at the same time. It's very uncommon that we see a campaign that is only targeting one country."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Basket of Bank Trojans Defraud Citizens of East India

A banking malware campaign using live phone numbers to redirect SMS messages has been identified by the zLabs research team, uncovering 1,000+ malicious apps and 2.5GB of exposed data.

Mobile devices have become a prime target for financial fraud, as the availability of digital payments and interception of OTPs (one-time passwords) for authentication make them vulnerable. Threat actors’ latest targets are Indian bank users, forced to reveal sensitive financial/personal data in a sophisticated mobile malware campaign, uncovered by the Zimperium zLabs research team. 

According to the company, banking trojans are targeting Indian banks and government institutions, and live phone numbers are used to intercept and redirect SMS messages, putting sensitive data at risk. This campaign is believed to be the work of a single threat actor and targets mobile devices running the Android OS. The researchers have dubbed the actor as “FatBoyPanel.”

This “coordinated effort” utilizes over 1,000 malicious Android applications designed to steal financial and personal data, researchers noted in the blog post shared with Hackread.com ahead of publishing on Wednesday. 

These apps, disguised as legitimate banking and government tools, are distributed primarily through WhatsApp. Victims are tricked into revealing Aadhaar and PAN card details, ATM PINs, and mobile banking credentials.

The most frequently impersonated banks are:

*   ICICI: 15.2%
*   SBI: 10.5%
*   RBL: 11.9%
*   PNB: 12.9%

Unlike traditional malware campaigns, this one employs a more innovative approach towards OTP theft. As observed by Zimperium researchers, instead of relying solely on command-and-control servers, the malware intercepts and redirects SMS messages in real-time using live phone numbers.  This method, however, leaves a traceable digital trail and may aid law enforcement in identifying the perpetrators.  

ZLas researchers have identified around 900 malware samples and approximately 1,000 phone numbers involved in this operation. Around 63% of these numbers were registered in West Bengal, Bihar, and Jharkhand.

*   Bihar: 22.6% of victims
*   Jharkhand: 10.0% of victims
*   West Bengal: 30.2% of victims

The scope of this campaign is substantial.  Analysis of the malicious apps reveals shared code, user interface elements, and app logos, indicating a centralized operation.  Furthermore, researchers discovered over 222 unprotected Firebase storage buckets containing 2.5 gigabytes of stolen data.  This exposed information, including bank details, card information, government IDs, and SMS messages, affects an estimated 50,000 victims.

The phishing UI used within the app to steal sensitive information, along with the admin dashboard view of the C&C servers managed by the threat actors (Via Zimperium zLabs)

The malware operates in three distinct variants: SMS Forwarding, Firebase-Exfiltration, and a Hybrid approach.  All variants intercept and exfiltrate SMS messages, including OTPs, enabling unauthorized transactions.  Evasion techniques include hiding its icon, resisting uninstallation, and using code obfuscation and packing.  

The top sources of distribution of SMS messages based on their sender are:

*   Jio Payments: 47.4%
*   Airtel Payments Bank: 18.5%

Hardcoded phone numbers within the malware and the Firebase endpoints act as exfiltration points for stolen data. The administrative dashboard for this platform even contained a “WhatsApp Admin” button, suggesting a multi-user environment and facilitating direct communication among the threat actors.

To protect yourself from mobile malware, download apps from official app stores and avoid downloading APK files from websites, messaging apps or untrusted sources. Verify app details before installing and avoid apps that request excessive permissions for a secure mobile experience.

Banking Malware Uses Live Numbers to Hijack OTPs, Targeting 50,000 Victims

Ransomware gangs continued to wreak havoc in 2024, but new research shows that the amounts victims paid these cybercriminals fell by hundreds of millions of dollars.

For much of the past year, the trail of destruction and mayhem left behind by ransomware hackers was on full display. Digital extortion gangs paralyzed hundreds of US pharmacies and clinics through their attack on Change Healthcare, exploited security vulnerabilities in the customer accounts of cloud provider Snowflake to breach a string of high-profile targets, and extracted a record $75 million from a single victim.

Yet beneath those headlines, the numbers tell a surprising story: Ransomware payments actually fell overall in 2024—and in the second half of the year dropped more precipitously than in any six-month period on record.

Cryptocurrency tracing firm Chainalysis today released a portion of its annual crime report focused on tracking the ransomware industry, which found that ransomware victims’ extortion payments totaled $814 million in 2024, a drop of 35 percent compared to the record $1.25 billion that hackers extracted from ransomware victims the previous year. Breaking down the payments over the course of 2024 shows an even more positive trend: Hackers collected just $321 million from July through December compared to $492 million the previous half year, the biggest falloff in payments between two six-month periods that Chainalysis has ever seen.

“The drastic reversal of the trends we were seeing in the first half of the year to the second was quite surprising,” says Jackie Burns Koven, who leads cyber threat intelligence at Chainalysis. She suggests that dropoff is likely due to law enforcement takedowns and disruptions, some of which had delayed effects that weren't immediately apparent in the first half of the year as ransomware victims and the cybersecurity industry grappled with catastrophic attacks.

“Don't get me wrong: For everyone who's a defender or an incident responder, it's been _a year,_" Burns Koven says. “But it is noteworthy that for the major attacks that occurred last year, those groups don't exist anymore or have been laying low. There's been a strong signal from law enforcement that if you cross the line, there's going to be consequences.”

US and UK law enforcement scored two significant disruptions of major ransomware groups around the beginning of 2024: Six days before Christmas of 2023, the FBI announced that it had found vulnerabilities in the encryption software used by the group known as BlackCat or AlphV, distributed decryption keys to victims to foil the group’s extortion tactics, and taken down the dark-web sites the group had used to issue its threats. Two months later, in February of 2024, the UK’s National Crime Agency carried out an operation against the notorious ransomware group Lockbit, hijacking its infrastructure, seizing its cryptocurrency wallets, taking down its dark-web sites, and even obtaining information about its members and cybercriminal partners.

Initially, however, both groups seemed to bounce back from those busts. AlphV in February announced that it had hacked Change Healthcare, disabling payments at hundreds of US clinics and pharmacies and extracting $22 million from the United Healthcare–owned company in one of the worst health-care-related ransomware incidents in history. Lockbit, too, seemed to shake off the NCA’s blows, immediately launching a new dark-web site where it continued to extort victims old and new.

But in fact, both law enforcement operations may have been more successful than they appeared. AlphV, after receiving its $22 million ransom from Change Healthcare, pulled a so-called “exit scam,” taking the money and disappearing rather than sharing it with the hacker partners who had carried out the Change breach. Lockbit, too, largely fell off the map in the months that followed the NCA’s takedown, due perhaps to the cybercriminal underground’s distrust of the group and its alleged leader, Dmitry Khoroshev, when it became clear the NCA had identified him. In May of 2024, Khoroshev was also sanctioned by the US Treasury, making it far more legally complicated for Lockbit victims to pay a ransom to the group.

While the vacuum left behind by those major players in the ransomware ecosystem was filled by newer groups during the second half of 2024, many of them didn’t have the skills or experience to go after targets as big and as well defended as Lockbit and AlphV had, says Burns Koven. The result, she says, was far smaller ransom payments, often in the tens of thousands of dollars rather than the millions or tens of millions.

“Their talent is not quite as robust as their predecessors,“ Burns Koven says of the newer generation of ransomware gangs. “We're seeing the hangover of these law enforcement takedowns, not just directly targeting individuals and strains of malware but also the infrastructure and tools and services that had been used to help perpetuate these attacks.”

Last year actually saw more ransomware incidents than the previous year, says Allan Liska, a threat intelligence analyst focused on ransomware at the security firm Recorded Future. The firm counted 4,634 attacks in 2024 versus 4,400 in 2023. But the lower ransom amounts received by those newer ransomware groups suggests they may have been favoring quantity over quality, he says. “What we're seeing in terms of payments is a reflection of newer threat actors being attracted by the amount of money that they see you can make in ransomware, trying to get into the game and not being very good at it,” Liska says.

In addition to major law enforcement actions at the beginning of 2024, Chainalysis attributes the decline in payments during the second half of the year to heightened global awareness about the threat of ransomware, leading to more mature defenses and response plans within governments and other institutions. And Burns Koven adds that cryptocurrency regulation and law enforcement crackdowns on money laundering infrastructure, including mixers that help criminals anonymize and obfuscate the source of their ill-gotten cryptocurrencies, have also eroded ransomware actors’ abilities to handle payments without specialized knowledge.

While the decline in payments during the second half of 2024 is significant for being the largest ever in Chainalysis’s data, the number of ransomware attacks and volume of payments has fluctuated and declined before. Notably, researchers saw a marked decrease in activity in 2022, a year in which Chainalysis placed total ransomware payments at $655 million compared to $1.07 billion in 2021 and nearly $1 billion in 2020. But while governments and defenders were initially heartened that their deterrence efforts were working, ransomware surged back as an even more dire threat in 2023, totaling, by Chainalysis’s count, $1.25 billion in payments that year.

"I think ebbs and flows are inevitable," says Brett Callow, a managing director at FTI Consulting and longtime ransomware researcher. "If the baddies had a couple of brilliant quarters, a dip will follow, same as if the goodies had some good quarters. That's why we really need to analyze trends over a longer period, because increases and decreases over shorter periods don't really tell us much.”

Additionally, researchers have long warned that it is difficult to get truly reliable numbers about the volume of ransomware attacks and an accurate total of payments each year. This is partly the result of attackers attempting to inflate their records and make themselves seem more effective and menacing by claiming old data breaches as new attacks or simply making up attacks that they haven’t actually carried out. And it is always difficult to get accurate numbers about ransomware (not to mention digital scams more broadly), because stigma and regulatory requirements often keep victims from coming forward. This makes ransomware forecasting more of an art than a science.

"My vibe from the second half of 2024 is that if there was a decrease, there will also be a rebound," Callow says.

Chainalysis researchers are clear that the 2024 payment decline is not a guarantee of future reductions in ransomware attacks. But Burns Coven emphasizes that for defenders who are in the trenches on incident response, the data point is useful for making the case that sustained investment in ransomware defense is worthwhile.

“We're still standing in the rubble, right? We can't go tell everyone, everything's great, we solved ransomware—they’re continuing to go after schools, after hospitals and critical infrastructure," says Burns Koven. But, she adds, “I don't think anybody's necessarily celebrating. I think it's a signal of what work needs to be continued.”

Despite Catastrophic Hacks, Ransomware Payments Dropped Dramatically Last Year

WhatsApp has accused professional spyware company Paragon of spying on a select group of users.

WhatsApp has accused the professional spyware company Paragon of spying on a select group of users.

WhatsApp, the Meta-owned, end-to-end encrypted messaging platform, said it has reliable information that nearly 100 journalists and other “members of civil society” were targets of a spyware campaign conducted by the Israeli spyware company.

“Members of civil society” usually refers to individuals and organizations that operate independently from government and business sectors, often those advocating for public interests, influencing policy, or holding governments accountable.

In a statement, a WhatsApp spokesperson said:

> “This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people’s ability to communicate privately”

Many such targets use WhatsApp because they rely on the end-to-end encryption (E2EE) that it offers by default to safeguard communications, protect sources, and shield sensitive information from prying eyes.

The targets were spread over two dozen countries, including several in Europe. WhatsApp notified the possibly affected accounts through its own app. The platform has the ability notify users about sensitive matters directly via a WhatsApp chat. In such a case, the chat will include a system message at the top of the chat that verifies that it originates from the official account of WhatsApp Support, and there will be a blue checkmark next to WhatsApp Support at the top of the chat.

A spokesperson stated that WhatsApp was able to identify and block the attack vector which Paragon used in these attacks. Reportedly, the hacking campaign used malicious PDFs sent via WhatsApp groups to compromise targets. The attack apparently required no action from the target, a so-called zero-click attack.

Researchers have often compared Paragon’s Graphite spyware to the Pegasus spyware, a deeply invasive tool developed by a company called NSO that WhatsApp has been fighting in court since 2019. But up until now, Paragon was able to keep a low profile. This is the first time that Paragon has been publicly linked to a hacking campaign that allegedly targeted journalists and members of civil society.

WhatsApp has sent Paragon Solutions a cease-and-desist letter following the series of attempted attacks. Meta also notified Canadian privacy watchdog Citizen Lab. Citizen Lab’s researcher John Scott-Railton says they observed this campaign and have started an investigation.

The attacks reportedly took place in December 2024. If you are a potential target and you received a suspicious PDF you can reach out to Citizen Lab or the non-profit digital security helpline AccessNow.

If you received a WhatsApp notification about the attack, you can contact WhatsApp Support in-app by clicking here.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 WhatsApp says Paragon is spying on specific users 

The ABB Cylon FLXeon BAS controller is vulnerable to authenticated root command execution via the cmds API. An authenticated attacker can execute arbitrary system commands with root privileges.

Title: ABB Cylon FLXeon 9.3.4 (cmds.js) Authenticated Root Remote Code Execution  
Advisory ID: ZSL-2025-5908  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (5/5)  
Release Date: 02.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

The ABB Cylon FLXeon BAS controller is vulnerable to authenticated root command execution via the cmds API. An authenticated attacker can execute arbitrary system commands with root privileges.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[02.02.2025\] Coordinated public security advisory released.

**PoC**

cmdsapi.py

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch  
\[2\] https://www.cve.org/CVERecord?id=CVE-2024-48841

**Changelog**

\[02.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon FLXeon 9.3.4 (cmds.js) Authenticated Root Remote Code Execution

WhatsApp recently revealed a targeted spyware campaign linked to the Israeli firm Paragon, which affected 90 individuals, including…

WhatsApp recently revealed a targeted spyware campaign linked to the Israeli firm Paragon, which affected 90 individuals, including journalists and civil society members. The platform confirmed that affected users have been directly notified.

Meta-owned messaging app **WhatsApp** confirmed that it was taking action to stop a spyware attack targeting approximately 90 individuals, including journalists and members of civil society organizations. Those affected have been directly notified about the security breach, however, WhatsApp has not disclosed the location of journalists and civil society members, including if any of them were based in the US.

WhatsApp’s investigation points to Paragon Solutions, an Israeli spyware firm acquired by AE Industrial Partners, as the perpetrator of this attack. Reportedly, the attack vector involved the distribution of malicious PDF files through WhatsApp groups. Experts claim the targeting was a “**zero-click**” attack, requiring no malicious links to be infected. WhatsApp has since released a security update to neutralize this vulnerability.  

This campaign was also independently observed and is under investigation by John Scott-Railton, a senior researcher at The Citizen Lab, as he noted in a post on X (formerly Twitter). 

> NEW: @WhatsApp says Israeli mercenary spyware company #Paragon targeted scores of users around world.
> 
> The infection happened with no interaction. No link to click or attachment to open.
> 
> This is called a "zero-click" attack.
> 
> WA says targets included journalists & members of… pic.twitter.com/TekGNMdkoF
> 
> — John Scott-Railton (@jsrailton) February 1, 2025

WhatsApp believes the campaign occurred in December and has issued a cease and desist letter to Paragon. Since its inception in 2019, Paragon has maintained a low profile and has been embroiled in a hacking controversy for the first time, unlike other spyware makers like Intellexa and NSO Group, which have faced U.S. government sanctions and blocklists.

 However, the company has been under scrutiny following Wired Magazine’s October **report** of the company signing a $2m contract with the US Immigration and Customs Enforcement’s homeland security investigations division.

This action follows WhatsApp’s successful legal challenge against NSO Group, another Israeli spyware firm, as **reported** by Hackread.com.  In that case, the NSO Group was found liable for exploiting a WhatsApp vulnerability to deploy its Pegasus spyware on at least 1,400 devices, targeting journalists, activists, and government officials. Hackread.com had **previously reported** that WhatsApp discovered the vulnerability exploited in this attack in May 2019.

The recent Paragon campaign targeted individuals across over two dozen countries, particularly in Europe, with the Italian news outlet fanpage.it confirming it was among those targeted. WhatsApp collaborated with The Citizen Lab, a research group based at the University of Toronto, on its investigation. 

According to Scott-Railton, the targeting of journalists and civil society is a systemic issue within the commercial spyware industry, not an isolated incident.  He also highlighted the potential risk to government personnel from such attacks.  

Paragon and AE Industrial Partners have yet to respond to this news.

WhatsApp’s previous legal victory against NSO Group and its ongoing efforts against Paragon demonstrate its commitment to challenging the spyware industry and protecting user privacy.

“This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people’s ability to communicate privately,” WhatsApp’s spokesperson stated.

Tag

#sap