Operation Destabilise was a major international operation led by the UK's National Crime Agency (NCA) to dismantle two Russian-speaking criminal networks: Smart and TGR. These networks were backbone in laundering billions of dollars for various criminal activities.

****KEY POINTS of THIS STORY****

*   **Operation Destabilise Success**: The UK’s NCA led an international effort that dismantled two major Russian-speaking criminal networks laundering millions of dollars.

*   **Criminal Activities**: The networks funded ransomware attacks, drug trafficking, and Russian espionage, laundering over $2.3 million in ransomware payments.

*   Global Reach: These networks operated in 30 countries, using cryptocurrency and cash-for-crypto methods to fund illicit activities.

*   **Arrests and Seizures**: Authorities arrested 84 individuals, seized £20 million in cash and crypto, and imposed US sanctions on key figures.

*   **Blockchain Analysis**: The operation highlighted the critical role of blockchain tracing in combating cyber and traditional organized crime.

A joint international effort led by the UK’s National Crime Agency (NCA) has successfully disrupted two large-scale Russian-speaking criminal networks involved in laundering millions of dollars in illegal funds.

Dubbed Operation Destabilise, the investigation exposed a network of financial transactions that supported various criminal activities, including ransomware attacks, drug trafficking, and Russian espionage.

Two networks, identified as “Smart” (led by Ekaterina Zhdanova) and “TGR” (led by Rossi, Chirkinyan, and Bradens), were instrumental in facilitating the movement of illegal funds across borders, often using cryptocurrency as a primary tool.

Authorities found that between 2022 and 2023, these networks laundered over $2.3 million (£20 million) in ransomware payments made to the **Ryuk ransomware group,** provided financial support to notorious criminal organizations like the Kinahan crime syndicate known for drug and arms trafficking, and facilitated funding of Russian espionage operations, helping to bypass financial sanctions imposed on Russia.

According to the NCA’s **press release**, the network had a global reach, with operations spanning across 30 countries, including the UK, Russia, the Middle East, and South America. 

Further probing revealed the techniques employed to hide the origin of ill-gotten funds, often involving cash-for-crypto transactions. Criminal gangs used cryptocurrency to reinvest in their illegal business, buying more drugs and firearms without transferring physical money across borders. This financial service allowed these groups to continue their violent activity. 

The operation resulted in the arrest of 84 individuals and the seizure of over £20 million in cash and cryptocurrency. Additionally, the US Department of Treasury’s Office of Foreign Assets Control (OFAC) has **imposed sanctions** on four entities and five individuals associated with the TGR network. These sanctions target key figures involved in laundering money for Russian elites and cyber criminals.

The operation was a collaborative effort involving multiple international law enforcement agencies, including the UK Metropolitan Police Service, French police, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), the Drug Enforcement Agency (DEA), and the Federal Bureau of Investigation (FBI).

“While these organisations have sought to exploit emerging technologies such as cryptocurrency to obscure their activities, the inherent traceability of blockchain has proven invaluable in unravelling their activities that operated on a truly global scale, moving billions of dollars for a range of different threat actors,” the NCA’s head of cyber intelligence, Will Lyne, stated.

This operation has significantly disrupted the activities of various criminal organizations, including ransomware groups, drug traffickers, and Russian intelligence services. It has also exposed the complex ways in which cybercrime and traditional organized crime intersect.

1.  **Russian Court Jails Four REvil Ransomware Gang Members**
2.  **Leading French IT firm Sopra Steria hit by Ryuk ransomware**
3.  **Russian Man Extradited to US over Phobos Ransomware Attacks**
4.  **Dark Web Hydra Market Mastermind Sentenced to Life by Russia**
5.  **Hacker Wanted by FBI in Ransomware Attacks Arrested in Russia**

84 Arrested as Russian Ransomware Laundering Networks Disrupted

Plus: Russian spies keep hijacking other hackers’ infrastructure, Hydra dark web market admin gets life sentence in Russia, and more of the week’s top security news.

A consortium of global law enforcement agencies led by Britain’s National Crime Agency announced a takedown operation this week against two major Russian money-laundering networks that process billions of dollars each year in more than 30 locations around the world. WIRED had exclusive access to the investigation, which uncovered new and troubling laundering techniques, particularly schemes to directly change cryptocurrency for cash. As the United States government scrambles to address China’s “Salt Typhoon” digital espionage campaign into US telecoms, two senators demanded this week that the Department of Defense investigate its failure to secure its own communications and address known vulnerabilities in US telecom infrastructure. Meanwhile, Signal Foundation president Meredith Whittaker spoke at WIRED’s The Big Interview event in San Francisco this week about Signal’s enduring commitment to bring private, end-to-end encrypted communication services to people all over the world regardless of geopolitical climate.

A new smartphone scanner from the mobile device security firm iVerify can quickly and easily detect spyware and has already flagged seven devices infected with the invasive Pegasus surveillance tool. Programmer Micah Lee built a tool to help you save and delete your X posts after he offended Elon Musk and was banned from the platform. And privacy advocate Nighat Dad is fighting to protect women from digital harassment in Pakistan after escaping from an abusive marriage.

The US Federal Trade Commission is targeting data brokers who it says unlawfully tracked protesters and US military personnel, but the enforcement efforts seem likely to trail off under the Trump administration. Similarly, the US Consumer Financial Protection Bureau has devised a strategy to impose new oversight on predatory data brokers, but the new administration may not continue the initiative. Some new laws are finally coming around the world in 2025 that will attempt to regulate the dysfunction of the digital advertising industry, but malicious advertising is still booming around the world and continues to play a big role in global scamming.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in-depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**US Officials Urge Americans to Encrypt Calls and Texts After Chinese Telecom Hacking**

Remember how the US federal government spent much of the last three decades periodically decrying the dangers of strong, freely available encryption tools, arguing that because they enable criminals and terrorists, they should be outlawed or required to implement government-approved backdoors? As of this week, the government will never again be able to make that argument without privacy advocates pointing to a particular phone call where two officials recommended Americans use exactly those encryption tools to protect themselves amidst an ongoing massive breach of US telecoms by Chinese hackers.

In a briefing with reporters about the breach of no fewer than eight phone companies by the Chinese state-sponsored espionage hackers known as Salt Typhoon, officials from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI both said that amid the still-uncontrolled infiltration of US telecoms that have exposed calls and texts, Americans should use encryption apps to safeguard their privacy. “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication,” said Jeff Greene, CISA’s executive assistant director for cybersecurity. (Signal and WhatsApp, for instance, end-to-end encrypt calls and texts, though the officials didn’t name any particular apps.)

The recommendation amid what one senator has called “the worst telecom hack in our nation’s history” represents a stunning reversal from previous US officials’ rhetoric on encryption, and in particular the FBI’s repeated calls for access to backdoors in encryption. In fact, it was exactly this sort of government-approved wiretap capability requirement for US telecoms that the Salt Typhoon hackers in some cases exploited to access Americans communications.

**Russia’s FSB Hackers Keep Hijacking Other Hackers’ Infrastructure for Spying**

The hacker group known as Secret Blizzard, Snake, or Turla, widely believed to work for Russia’s FSB intelligence agency, is known for using some of the most ingenious hacking techniques ever seen to spy on its victims. One of the tricks that’s now become its signature move: hacking the infrastructure of other hackers to stealthily piggyback on their access. This week Microsoft’s threat intelligence researchers and security firm Lumen Technologies revealed that Turla gained access to the servers of a Pakistan-based hacker group and used its visibility into victim networks to spy on government, military and intelligence targets in India and Afghanistan of interest to the Kremlin. In some cases, Turla hijacked the Pakistani hackers’ access to install their own malware, while in other instances they appear to have used the other group’s tools for even greater stealth and deniability. The incident marks the fourth known time since 2017, when it penetrated an Iranian hacker group’s command-and-control servers, that Turla has freeloaded on another hacker group’s infrastructure and tooling, according to Lumen.

**Admin of Russian Dark Web Market Hydra Sentenced to Life in Prison**

The Russian government is known for turning a blind eye to cybercrime—until it doesn’t. This week 15 convicted members of the notorious dark web market Hydra learned the limits of that forbearance when they reportedly received prison sentences ranging from 8 years to 23 years, as well an unprecedented life sentence for the site’s creator Stanislav Moiseyev. Before it was taken down two years ago in a law enforcement operation led by IRS criminal investigators in the US and Germany’s BKA police agency, Hydra was a uniquely sprawling dark web marketplace, one that not only served as the post-Soviet world’s biggest online bazaar for narcotics but also a vast money laundering machine for crimes including ransomware, scams, and sanctions evasion. In total, Hydra enabled more than $5 billion dollars in dirty cryptocurrency transactions since 2015, according to crypto tracing firm Elliptic.

**Suspected Ransomware Actor “Wazawaka” Reportedly Charged and Apprehended by Russia**

Russian law enforcement charged and arrested a software developer last week who is suspected of prolific contributions to multiple ransomware groups, including building malware to extort money from businesses and other targets. The suspect is reportedly Mikhail Matveev, or “Wazawaka,” who has worked as an affiliate with ransomware gangs like Conti, LockBit, Babuk, DarkSide, and Hive. Social media reports indicate that Matveev confirmed his indictment and said that he has been released from law enforcement custody on bail.

Russia’s prosecutor general did not name Matveev, but described charges last week against a 32-year-old hacker under Article 273 of Russia’s Criminal Code, which bans the creation or use of malware. The move came as Russia seemed to be sending some sort of message about its tolerance for cybercrime with the sentencing of the dark web marketplace Hydra’s staff, including a life sentence for its administrator. In 2023, the US government indicted and sanctioned Matveev.

**FBI Is Investigating Exxon Lobbyist Firm Over Hack-and-Leak Operation Targeting Activists**

In a disturbing scoop (one we didn’t cover last week due to the Thanksgiving holiday), Reuters reporters have revealed that the FBI is now investigating a lobbying consultancy hired by Exxon over the firm’s role in a hack-and-leak operation that targeted climate change activists. DCI Group, a lobbying firm hired at the time by Exxon, allegedly gave a list of target activists to a private investigator who then outsourced a hacking operation against those targets to mercenary hackers. After the private investigator—an Israeli man named Amit Forlit, who was later arrested in London and faces US hacking charges—allegedly gave the hacked material to DCI, it leaked the activists’ internal communications about climate change litigation against Exxon to the media, Reuters discovered. The FBI, according to Reuters, has determined that DCI also first previewed that material to Exxon before leaking it. “Those documents were directly employed by Exxon to come after me with all guns blazing,” one attorney working with the activist group, the Center for Climate Integrity, told Reuters. “It turned my life upside down.”

Exxon has denied knowing about any hacking activities and DCI told Reuters in a statement that “we direct all our employees and consultants to comply with the law.”

US Officials Recommend Encryption Apps Amid Chinese Telecom Hacking

Cybercriminals know that privileged accounts are the keys to your kingdom. One compromised account can lead to stolen data, disrupted operations, and massive business losses. Even top organizations struggle to secure privileged accounts. Why?
Traditional Privileged Access Management (PAM) solutions often fall short, leaving:

Blind spots that limit full visibility.
Complex deployment processes.

Learn How Experts Secure Privileged Accounts—Proven PAS Strategies Webinar

Cybersecurity researchers have warned of a new scam campaign that leverages fake video conferencing apps to deliver an information stealer called Realst targeting people working in Web3 under the guise of fake business meetings.
"The threat actors behind the malware have set up fake companies using AI to make them increase legitimacy," Cado Security researcher Tara Gould said. "The company

Hackers Using Fake Video Conferencing Apps to Steal Web3 Professionals' Data

The ABB BMS/BAS controller allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

ABB Cylon Aspect 3.08.02 (userManagement.php) Cross-Site Request Forgery

An FBI operation nabbed a member of the infamous cybercrime group, who is spilling the tea on 'key Scattered Spider members' and their tactics.

Source: Steven Frame via Alamy Stock Photo

Chasing down members of Scattered Spider, the cybercrime group known for their social engineering takedowns of massive organizations, has been a top law enforcement priority over the past several months. Now, the Federal Bureau of Investigation has made a new arrest in the case, a 19-year-old hacker living in Fort Worth, Texas — and he's talking.

Remington Goy Ogletree is accused of a phishing operation that ran from October 2023 to last May, when, according to the complaint, he was able to gain credentials and unauthorized access to two telecommunications companies and one US-based national bank. He then stole data, including API keys and cryptocurrency, and sold off access to other threat actors on the Dark Web, according to the indictment.

He is also accused of hijacking one of the telecommunications platforms to send about 8.5 million phishing texts in an attempt to steal cryptocurrency. Ogletree likewise allegedly used a hacked telecom network to send phishing messages to employees of an unidentified financial institution with the intent to steal their credentials. The FBI complaint added that Ogletree hacked into a second telecommunications organization to send an additional 140,000 fraudulent phishing text messages.

**Suspect Spills Details on Scattered Spider Cybercrime Ring**

Once he was arrested in February, Ogletree admitted to being a part of the Scattered Spider threat group.

"I know key Scattered Spider members," Ogletree told the cops. "Any company getting ransom\[ed\] ... that's not crypto-related, it's gonna be them."

He went on to tell the FBI that Scattered Spider prefers to target business process outsourcing (BPO) organizations, "because outsourcing companies, they have less security." He also told law enforcement that Scattered Spider has already compromised five of the top BPO companies, the complaint explained.

Scattered Spider threat group is well known for recruiting young, native English speakers into its fold to help pull off brazen social engineering schemes to steal employee login credentials. Some of the group's most infamous breaches include last year's casino ransomware attacks on Caesars and MGM Resorts.

**FBI Keeps Nabbing Scattered Spider Members**

The arrest is the latest in a string of Scattered Spider stings. Just a few weeks ago, another group of Scattered Spider members was arrested and charged with various cybercrimes; four of them are American. Last June, a 22-year-old British man was arrested by Spanish police for his connection to Scattered Spider and was found with control of more than $27 million in Bitcoin. And in July, a 17-year-old was arrested in the UK for his role in the Scattered Spider operation.

The arrests are welcome news. Last year, law enforcement received criticism for not doing more to stop Scattered Spider and keep them from committing additional cybercrimes.

The FBI was able to nab Ogletree by posing as a cryptocurrency laundering operation called "Cash Service." When he engaged with the front operation to convert stolen crypto to cash, they were able to track him down and make the arrest, according to the complaint.

**About the Author**

Senior Editor, Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Texas Teen Arrested for Scattered Spider Telecom Hacks

The activity-recording capability has drawn concerns from the security community and privacy experts, but the tech giant is being measured in its gradual rollout, which is still in preview mode.

Source: Pictorial Press Ltd via Alamy Stock Photo

NEWS BRIEF

Microsoft has expanded access for its Windows Recall feature to Copilot+ PCs that use AMD and Intel chipsets, after initially offering it to users with Snapdragon-powered machines. And, it has now launched in Europe.

The launch is part of a gradual rollout that for now is in a preview phase within the Windows Insiders testing community.

Recall is an AI-powered feature that allows PC users to record everything they do on their computers, and then go back to a desired "snapshot" of activity later. It's a useful tool, as Microsoft pointed out in its expansion announcement on Dec. 6: "It's now possible to quickly find and get back to apps, websites, images, or documents just by describing its content." But the capability also has sparked ongoing concerns about privacy and data security (Microsoft keeps and hosts the recorded content in the cloud), as well as the potential for the feature to be compromised and used for cyber-espionage ends.

The tech giant appears to be taking those concerns seriously; in June, it beefed up its planned privacy and security features for Recall, including data encryption, turning Recall off by default, and requiring users to enroll in Windows Hello biometrics authentication to prove they're present at the keyboard as recording is happening. It also added it to its bug bounty program to track down exploitable security vulnerabilities.

Microsoft has taken its time with the launch in light of the concerns; after being set to go live in June, Redmond pushed the release date for Recall back to October, and then to November, when it finally became available in limited release.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Microsoft Expands Access to Windows Recall AI Feature

Two operators and 50 servers that were behind an online marketplace where criminals could buy stolen data have been seized

A coordinated action between several European law enforcement agencies shut down an online marketplace called Manson Market that sold stolen data to any interested cybercriminal.

What made this market attractive for cybercriminals was that they could buy data sorted by region and account balance with advanced filtering options. This allowed the criminals to carry out targeted fraud with greater efficiency.

The law enforcement investigation started in 2022 when investigators were able to track very specific information used by scammers to the specialized marketplace. The scammers participated in fraudulent phone calls in which they impersonated bank employees to extract sensitive information, such as addresses and security answers, from their victims.

A network of fake online shops set up to phish for payment information provided one of the sources of stolen data.

Coordinated by Europol, the police in Germany, Finland, the Netherlands, and Norway seized the infrastructure of over 50 servers. With this, more than 200 terabytes of digital evidence have been collected.

Two main suspects were arrested in Germany and Austria on European arrest warrants and are currently awaiting their trials.

The operators of the Manson Market also ran Telegram channels, with one of the channels sharing credit card details, such as the number, expiration date, and the CVC code, for free every day.  

The seized website currently warns visitors that:

> “All transactions, communications, and user information associated with this site are now in the custody of law enforcement.
> 
> If you have engaged in any illegal activity, you are under investigation.
> 
> Criminals are neither anonymous nor safe!
> 
> Justice is coming…”

And we can’t deny that European law enforcement had a fruitful week in the fight against online crime.

Earlier this week the German police shut down the servers and arrested one of the administrators of the country’s largest German-speaking online marketplaces for illegal goods and services, including stolen data, drugs, and forged documents.

Europol also published how French and Dutch authorities shut down an encrypted messaging service called MATRIX, which was used by criminals to commit serious crimes, including international drug trafficking, arms trafficking, and money laundering.

The Manson Market case shows once more how important it is to be vigilant with your online purchases. Make sure you are protected, be weary of search results for goods that are in high demand, and keep your personal information safe.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Europol takes down criminal data hub Manson Market in busy month for law enforcement 

The "Census of Free and Open Source Software" report, which identifies the most critical software projects, sees more cloud infrastructure and Python software designated as critical software components.

Source: Photon Photo via Shutterstock

Open source components aimed at connecting applications to cloud resources and those written in Python have jumped up the list of critical packages, according to the latest rankings of the open source software ecosystem — a reordering that underscores the projects that need to be well-funded to improve the security of the software ecosystem.

The data-collection effort — known as the "Census of Free and Open Source Software" — classifies the open source projects into eight top 500 lists, depending on their ecosystem, whether version information is included, and whether direct and indirect dependencies are taken into account. The latest survey of software, known as Census III, found that packages for Python software and those meant to connect developers with specific cloud services — such as a toolkit for Amazon's Elastic Computing Cloud (EC2) or the API for connecting Go programs to Google Cloud — have become much more popular and, thus, critical to software development.

While cloud-native and hybrid development are by no means new, cloud providers have created an increasing number of software development kits (SDKs) for developers. Their widespread use has boosted those tools in the rankings of critical software, says David Wheeler, director of open source supply chain security for the Linux Foundation, which collaborates with Harvard Business School to produce the census.

"Cloud providers offer a lot of specialized services, but the early uses of cloud were a lot of lift-and-shift moves," he says. "Increasingly, we're seeing people write software specifically intended to be run on a cloud, \[and there is a\] rising level of these kinds of packages — it's something that is dramatically increasing."

The third "Census of Free and Open Source Software" report comes more than two years after the official publication of Census II in March 2022 — an initial version of that report was released in 2020 — and nine years after the original census report. The data-collection exercises aim to identify the most critical open source software so that the public and private sectors can effectively invest in the projects as a path to improve software security. Each software package is scored using data from software supply chain firms FOSSA, Snyk, Sonatype, and the Black Duck Cybersecurity Research Center.

The resilience of the software supply chain has become a major concern of the software industry and national governments. The Biden administration, for example, released a National Cybersecurity Strategy that firmly emphasized finding ways to improve the security of software and the open source ecosystem on which most applications rely.

**Critical Connections to the Cloud**

The Amazon Web Services (AWS) software development kit for Python, known as Boto3, rose to fifth place on the list of critical software on the "Non-npm, Direct, Version Agnostic Packages" list. The library was not ranked in the previous Census II. A similar package — aws-sdk — rose to the seventh spot on the JavaScript-ecosystem "npm, Direct, Version Agnostic Packages" list, from 307th in the previous census.

Other cloud-focused packages saw similar jumps: The software development kit to connect Go programs to Google Cloud ranked eighth, while the AWS kit for .NET rose to number 30. Neither were ranked in the previous census.

Because the Node Package Manager (npm) ecosystem sees a significant volume of JavaScript downloads — 4.5 trillion in 2024, compared to 530 billion for Python, according to Sonatype — the data overwhelms measurements of popularity. As a result, the census breaks out npm downloads from those for other software ecosystems.

The data underscores the criticality of open source software to the infrastructure underpinning cloud services, says Brian Fox, CTO and co-founder of Sonatype, a software supply chain management firm.

"Open source across the board just continues to see 'hockey stick' growth year after year, which is shocking — we're starting to see really, really big numbers," he says. "That's the reason why they're doing the census, because it is so important to be shining a light on these things."

**Perils of Python 2 Boost Compatibility Library**

Replacing or patching outdated software has become a central focus of efforts to eliminate vulnerabilities from software. Over the past decade, for example, Python developers have only slowly moved to use Python 3, which was originally introduced in 2006. Last year, 1% of Python developers used Python 2 as their primary programming language, down from 13% in 2019, according to data from JetBrains' annual "Developer Ecosystem" report.

As a result, a project designed to allow compatibility between software written in Python 2 and code in Python 3 — the "Six" project — has become a critical software component, according to Census III. Typically, Python versions are supported for five years. Python 3.11 — currently used by 27% of developers as their primary programming language, making it the most popular version at present — will reach its end of life in October 2027. The final version of Python 2 — version 2.7 — passed its end of life in January 2020.

The data does not address how often developers encounter — and interact with — components written in Python 2. The overwhelming shift to Python 3 is driving the use of Six, as developers need to use older code with programs written in the latest version of Python. In addition, certain groups of developers — such as 29% of data scientists and 19% of Web developers — continue to use some Python 2 code, according to data from JetBrains, a maker of development tools.

"If you look at the raw numbers, Python 3 is far more common, but in various specific domains Python 2 is still widely, widely used, which is why Six is showing up more," the Linux Foundation's Wheeler says. "I would argue it's why we're finally able to get so many more Python 3 users is because the bridge to move from 2 to 3 is easier."

While Census III is available to download from the Linux Foundation, companies should be automating their package management and regularly testing and updating their software, says Sonatype's Fox. The real lesson from the census is not which packages should be given the most attention, but which projects need additional funds and paid maintainers.

"The sustainability of the \[open source ecosystem\] is something that should be top of mind," he says. "We're dependent more and more on largely an aging and unpaid workforce for maintaining critical software — those two things together don't end well."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Open Source Security Priorities Get a Reshuffle

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

Tag

#web