The five intelligence sources that power social engineering scams.

Source: LightField Studios Inc. via Alamy Stock Photo

COMMENTARY

Social engineering is one of the most prevalent attack vectors used by cyber scammers to infiltrate organizations. These manipulative attacks typically are executed in four phases: 

1.  Information gathering (attacker gathers information about the target)
    
2.  Relationship development (attacker engages the target and earns their trust)
    
3.  Exploitation (attacker persuades the target to carry out an action)
    
4.  Execution (the information collected through exploitation is operationalized to execute the attack)
    

The first phase obviously is the most important — without the right information, it can be difficult to execute a targeted social engineering attack. 

**Five Sources of Intelligence**

So how do attackers gather data about their targets? There are five sources of intelligence cybercriminals can use to gather and analyze information about their targets. They are:

1\. OSINT (open source intelligence)

OSINT is a technique hackers use to collect and assess publicly available information about organizations and their people. Threat actors can use OSINT tools to learn about their target's IT and security infrastructure; exploitable assets such as open ports and email addresses; IP addresses; vulnerabilities in websites, servers, and IoT (Internet of Things) devices; leaked or stolen credentials; and more. Attackers weaponize this information to launch social engineering attacks.

2\. SOCMINT (social media intelligence)

Although SOCMINT is a subset of OSINT, it deserves a mention. Most people voluntarily expose personal and professional details about their lives on popular social media platforms: their headshot, their interests and hobbies, their family, friends and connections, where they live and work, their current job position, and lots of other details. Using SOCINT tools such as Social Analyzer, Whatsmyname, and NameCheckup.com, attackers can filter social media activity and information about an individual and design targeted social engineering scams. 

3\. ADINT (advertising intelligence)

Say you download a free chess app on your phone. There's a small area on the app that serves location-based ads from sponsors and event organizers, updating users on local players, events, and chess meetups. Whenever this ad gets displayed, the app shares certain details about the user with the advertising exchange service, which includes things like IP addresses, the type of operating system in use (iOS or Android), the name of the mobile phone carrier, the user's screen resolution, GPS coordinates, etc. Typically, ad exchanges store and process this information for serving up relevant ads based on user interest, activity, and location. Ad exchanges also sell this valuable data. What if a threat actor or a rogue government buys this information? That's exactly what intelligence agencies and adversaries have been doing to track activity and hack their targets. 

4\. DARKINT (Dark Web intelligence)

The Dark Web is a billion-dollar illicit marketplace transacting corporate espionage services, DIY ransomware kits, drugs and weapons, human trafficking, et al. Billions of stolen records (personally identifiable information, healthcare records, banking and transaction data, corporate data, compromised credentials) are available for purchase on the Dark Web. Threat actors can purchase off-the-shelf data and mobilize it for their social engineering schemes. They can also choose to outsource professionals who will socially engineer people on their behalf or discover hidden vulnerabilities in target organizations. In addition, there are hidden online forums and instant messaging platforms (such as Telegram) where people can access information about potential targets. 

5\. AI-INT (AI intelligence)

Some analysts are calling AI the sixth intelligence discipline, on top of the five core disciplines. With recent advancements in generative AI technology like Google Gemini and ChatGPT, it's not hard to imagine cybercriminals deploying AI tools to mine, assimilate, process, and filter information about their targets. Threat researchers are already reporting the presence of malicious AI-based tools that are popping up in Dark Web forums such as FraudGPT and WormGPT. Such tools can significantly reduce the research time for social engineers and provide actionable information they can use to execute social engineering schemes. 

**What Can Businesses Do to Mitigate Social Engineering Attacks?**

The root cause of all social engineering attacks is information and the careless handling of it. If businesses and employees can reduce their information exposure, they will lower social engineering attacks by a significant degree. Here's how:

*   Train staff monthly: Using phishing simulators and classroom training, teach employees to avoid posting sensitive or personal information about themselves, their families, their coworkers, or the organization.
    
*   Draft AI-use policies: Make it clear to employees what is acceptable and unacceptable online behavior. For example, prompting ChatGPT with a line of code or proprietary data is unacceptable; responding to unusual or suspicious requests without proper verification is unacceptable.
    
*   Leverage the same tools hackers use: Use the same intelligence sources highlighted above to proactively understand how much information about your organization, your people, and your infrastructure is available online. Develop an ongoing process to reduce that exposure.
    

Good cybersecurity hygiene begins with clamping down on root causes. The root cause behind 80% to 90% of all cyberattacks is attributed to social engineering and bad judgement. Organizations must focus on two things primarily: reducing information exposure and controlling human behavior via training exercises and education. By applying efforts in these two areas, organizations can significantly reduce their threat exposure and the potential downstream impact of that exposure.

**About the Author(s)**

Founder & CEO, KnowBe4, Inc.

Stu Sjouwerman is founder and CEO of KnowBe4, provider of the world’s largest security awareness training and simulated phishing platform used by more than 65,000 organizations around the globe. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, including Cyberheist: The Biggest Financial Threat Facing American Businesses.

Where Hackers Find Your Weak Spots

By Deeba Ahmed
IT professionals are under attack! This article exposes a malicious malvertising campaign targeting IT teams with a novel backdoor named MadMxShell. Learn how attackers use typosquatting and DNS techniques to compromise systems.
This is a post from HackRead.com Read the original post: Malvertising: Fake Popular Software Ads Deliver New MadMxShell Backdoor

In a recent wave of cyberattacks, IT professionals have become the target of a cunning malvertising campaign uncovered by Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh.

According to the company’s research, this campaign leverages deceptive online advertisements to distribute a previously unseen backdoor named “MadMxShell.” It all started in March 2024, when Zscaler ThreatLabz discovered a threat actor using look-alike domains to distribute MadMxShell, utilizing DLL sideloading, DNS protocol abuse, and memory forensics security solutions.

Researchers believe the attackers have displayed a calculated approach. Between November 2023 and March 2024, attackers registered multiple domain names closely resembling those of popular IP scanner and network administration software, including Advanced IP Scanner, Angry IP Scanner, PRTG IP Scanner by Paessler, Manage Engine, and network admin tasks related to VLANs.

This tactic is known as typosquatting. It creates a high chance that the domains will appear on top searches and IT professionals might click on the malicious advertisement by mistake. 

Once clicked, the ad redirects the user to a landing page designed to look like the genuine software vendor’s website. Here, they’re presented with a downloadable file that, unbeknownst to them, harbours the MadMxShell backdoor.

****New Backdoor with Evasive Techniques****

As per Zscaler’s blog post, the MadMxShell backdoor employs a multi-stage deployment process designed to evade detection by traditional security solutions. The initial payload leverages DLL sideloading, a technique where a legitimate program is tricked into loading a malicious library file. This malicious library then downloads additional components that establish communication with the attacker’s command-and-control (C2) server.

One of the most concerning aspects of MadMxShell is its use of DNS MX record queries for C2 communication. This technique leverages the standard Domain Name System (DNS) protocol in an unconventional way to mask communication with the attacker’s infrastructure. Additionally, MadMxShell employs anti-dumping techniques to prevent memory analysis, making it difficult for security researchers to understand its inner workings.

****Protecting Your Systems:****

To mitigate risks, be cautious of unsolicited ads, enable pop-up blockers, maintain robust security software, and educate employees about the dangers of malvertising and social engineering tactics.

Jason Soroko, Senior Vice President of Products at Sectigo commented on the new campaign. _“_Defenders don’t usually look for malicious control communications (C2) in email exchange DNS traffic, so the attackers in this case found a place to hide. The attackers also employ a technique that blocks the ‘dumping’ of memory for analysis by endpoint security solutions,” Jason explained.

_“_Malvertising isn’t new, however, the malware techniques being used here demonstrate that the technology pipeline of the attackers is deep and a great deal of thought has been put into hiding in the dark corners of networking and operating systems,_“_ he wanted.

1.  Provocative Facebook Ads Deliver NodeStealer Malware
2.  New VPN Malvertising Attack Drops OpcJacker Crypto Stealer
3.  Malvertising attack drops malicious Chrome extensions, backdoors
4.  Millions of PornHub users affected by a year-long malvertising attack
5.  Big Head Ransomware Found in Malvertising, Fake Windows Updates

Malvertising: Fake Popular Software Ads Deliver New MadMxShell Backdoor

An internet scraping platform is offering access to a database filled with over four billion Discord messages and combined user profiles.

Four billions public Discord messages are for sale on an internet scraping service called Spy.pet.

At first sight there doesn’t seem to be much that is illegal about it. The messages were publicly accessible and there are no laws against scraping data. However, it turns out the site did disregard some laws: more on that later.

To get this amount of data the platform gathered information from 14,201 servers about 627,914,396 users.

The way in which Spy.pet organized the information could turn out to be problematic for certain users. It built a database based on user profiles which contains all known aliases, pronouns, connected accounts (such as Steam and GitHub), Discord servers joined, and public messages.

The buyers don’t need to descend into the dark dungeons of the dark web to buy this information. It’s available for anyone on the regular web.

For a search of information about a specific user, all you need is their Discord User-ID and some cryptocurrency.

To look up profiles, you’ll first have to buy credits. A credit costs $0.01 and you’ll have to buy a minimum of 500 credits.

A new search for a profile will put you back 10 credits (7 for a cached profile).

Interestingly the platform also offers an enterprise version for which interested parties are invited to contact the administrator.

**Breaking a few laws**

Scraping data is a common practice nowadays, but there are a few rules that, when broken, will cost a lot more than a few dollars. Scraping and selling data about minors, especially without consent, is illegal in most parts of the world, including the US.

And when you are gathering data about European Union (EU) citizens, you’ll need to have a method in place for those citizens to have their information removed. Spy.pet does have a “Request Removal” button, but clicking it will show you an annoying snippet of a Spiderman movie where the news editor laughs at Peter Parker.

Discord told the Register it is probing Spy.pet to see if any action needs to be taken against the chat-harvesting service.

> “Discord is committed to protecting the privacy and data of our users. We are currently investigating this matter. If we determine that violations of our Terms of Service and Community Guidelines have occurred, we will take appropriate steps to enforce our policies. We cannot provide further comments as this is an ongoing investigation.”

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

 Billions of scraped Discord messages up for sale 

Thousands of exposed files on a misconfigured North Korean server hint at one way the reclusive country may evade international sanctions.

For almost a decade, Nick Roy has been scanning North Korea’s tiny internet presence, spotting new websites coming online and providing a glimpse of the Hermit Kingdoms’ digital life. However, at the end of last year, the cybersecurity researcher and DPRK blogger stumbled across something new: signs North Koreans are working on major international TV shows.

In December, Roy discovered a misconfigured cloud server on a North Korean IP address containing thousands of animation files. Included in the cache were animation cells, videos, and notes discussing the work, plus changes that needed to be made to ongoing projects. Some images appeared to be from an Amazon Prime Video superhero show and an upcoming Max (aka HBO Max) children’s anime.

The findings and security lapse—detailed in a report by the Stimson Center think tank's North Korea–focused 38 North Project, which helped analyze the findings along with Google-owned security firm Mandiant—provide a glimpse at how North Korea can use skilled IT and tech workers to raise funds for its heavily sanctioned regime. It also comes as US officials increasingly warn about North Korean IT workers infiltrating companies and their outsourcing.

North Korea’s internet is a small—and fragile—space. The repressive nation only has 1,024 IP addresses and around 30 websites that connect to the global internet. While there is a limited internal intranet, only a few thousand of the country’s 26 million people can get on the internet. When they do, it’s highly controlled: These select few North Koreans can use the internet for an hour at a time and have a person sitting next to them approving their use every five minutes.

When Roy discovered the exposed cloud server, it was being updated on a daily basis. Martyn Williams, a senior fellow on the 38 North Project who helped analyze the contents of the server, says the server likely allowed work to be sent to and from North Korean animators. The server itself is still live, but it mysteriously stopped being used at the end of February. While there is a login page, its contents can be accessed without a username and password. “I found the login page after I found all the exposed files,” Roy says.

Inside, the files contained editing comments and instructions in Chinese which were translated to Korean, the researchers write in their report. “For a lot of the animation files, we would find things like spreadsheets with details of the workflow,” Williams says. A sample of the files shared with WIRED show detailed anime images and video clips, with notes for the authors and date stamps on various files. In one instance, the report says, an animator was “asked to improve the shape of the character’s head.”

Based on the documents and drawings, the researchers were able to identify some of the shows and projects the North Koreans were working on. Some of the projects included work from season 3 of the Amazon show _Invincible_, which is produced by California-based Skybound Entertainment. There were also documents linked to Max and Cartoon Network show _Iyanu: Child of Wonder_, produced by YouNeek Studios, as well as files from a Japanese anime series and an animation studio in Japan.

Some file names gave away clues about the series and episode numbers. There were also files and projects the researchers could not identify—including a “bunch of files” with videos of horses and a Russian book on horses, Williams says.

Sanctions placed upon the North Korean regime, for its ongoing human rights abuses and nuclear warfare programs, prohibit US companies from working with DPRK companies or individuals. However, the researchers say it is highly unlikely that any companies involved would have a clue about North Korean animators working on the shows, and there is nothing suggesting the companies violated any sanctions or other laws. “It is likely that the contracting arrangement was several steps downstream from the major producers,” the report says.

Spokespeople for Amazon and Max spokesperson declined to comment for this story. YouNeek Studios did not respond to a request for comment.

“We do not work with North Korean companies, or Chinese companies on _Invincible_, or any affiliated entities, and have no knowledge of any North Korean or Chinese companies working on _Invincible_,” a spokesperson for Skybound Entertainment says. “We take any claims very seriously and have commenced an investigation into this.” In a post on X, the company characterized the findings as “unconfirmed” and said it is working with authorities to investigate.

Williams says it is possible that a front company in China is used to help disguise the activity and involvement of North Koreans. The researchers were able to analyze connections to the exposed server and, despite most having their location masked by a VPN, spotted access from Spain and three Chinese cities. “All three cities are known to have many North Korean–operated businesses and are main centers for North Korea’s IT workers who live overseas,” the report says.

While Williams says the researchers did not find any identifiable names of North Korean organizations buried in the files, the country has a well-established animation company called April 26 Animation Studio, which is also known as SEK Studio. Originally set up in the 1950s, the studio has worked on hundreds of international TV shows and movies.

However, in recent years, the US Treasury Department has sanctioned SEK Studios, individuals linked to it, and various “front companies” that it says are used to “work for foreign customers.” Many of these have links to China, according to the sanctions. “SEK Studio has utilized an assortment of front companies to evade sanctions targeting the government of the DPRK and to deceive international financial institutions,” a statement issued as part of the sanctions in 2021 says.

The main aim of these efforts, says Michael Barnhart, a North Korea researcher at Mandiant, is to raise money for the North Korean regime. The country’s hackers and scammers have stolen and extorted billions of dollars to help fund its military ambitions in recent years, including from huge cryptocurrency heists. In early 2022, the FBI issued a 16-page alert warning companies that remote North Korean freelance IT workers were infiltrating businesses to earn money they could funnel back home.

“The volume is much higher than we were expecting,” Barnhart says of North Korea’s IT workers. They are constantly changing their tactics to avoid being caught, he says. “We had one not too long ago, where during the interview, the person’s mouth was just off-frame. You could tell that someone in the background was speaking on their behalf.” Technically, Barnhart says, companies should verify their remote workers’ devices and make sure that there is no remote software connecting to a company laptop or network. Businesses should also put extra efforts at the hiring stage by training HR staff to detect possible IT workers.

However, he says, increasingly there is a greater crossover between North Korean IT workers and individuals who are members of known hacking groups or classified as advanced persistent threats (APTs). “The more we focus on IT workers, the more we’re starting to see APT operators and efforts blending in with those,” he says. “This might be the most quick learning-on-your-feet, nimble nation-state that I've ever seen.”

North Koreans Secretly Animated Amazon and Max Shows, Researchers Say

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'/`XSS`) vulnerability in Apache Answer.This issue affects Apache Answer: before 1.3.0.

XSS attack when user changes personal website. A logged-in user, when modifying their personal website, can input malicious code in the website to create such an attack.
Users are recommended to upgrade to version [1.3.0], which fixes the issue.



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-29217

**Apache Answer: XSS vulnerability when changing personal website**

Moderate severity GitHub Reviewed Published Apr 21, 2024 to the GitHub Advisory Database • Updated Apr 22, 2024

**Package**

gomod github.com/apache/incubator-answer (Go)

**Affected versions**

< 1.3.0

**Description**

Published to the GitHub Advisory Database

Apr 21, 2024

Last updated

Apr 22, 2024

GHSA-cvqr-mwh6-2vc6: Apache Answer: XSS vulnerability when changing personal website

By Deeba Ahmed
Veriti Research exposes surge in Androxgh0st attacks, exploiting CVEs and building botnets for credential theft. Patch systems, monitor for web shells, and use behavioral analysis to protect yourself.
This is a post from HackRead.com Read the original post: Androxgh0st Malware Compromises Servers Worldwide for Botnet Attack

Veriti Research has discovered a surge in attacks from operators of the Androxgh0st malware family, uncovering over 600 servers compromised primarily in the U.S., India and Taiwan.

According to Veriti’s blog post, the adversary behind Androxgh0st had their C2 server exposed, which could allow for a counterstrike by revealing the impacted targets. The researchers then went on to alert the victims.

Further research revealed that Androxgh0st operators are exploiting multiple CVEs, including **CVE-2021-3129** and **CVE-2024-1709** to deploy a web shell on vulnerable servers, granting remote control capabilities. Moreover, evidence suggests active web shells associated with **CVE-2019-2725**. 

Image: Veriti

****Androxgh0st Threat Actor Ramps Up Activity****

Hackread.com has been tracking Androxgh0st operations since was first noticed in December 2022. The malware operator is known for deploying **Adhublika ransomware** and was previously observed communicating with an IP address associated with the Adhublika group.

Androxgh0st operators prefer exploiting Laravel applications to steal credentials for cloud-based services like AWS, SendGrid, and Twilio. They exploit vulnerabilities in Apache web servers and PHP frameworks, deploying webshells for persistence. 

However. their recent focus seems to be building botnets to exploit more systems. Recently, the FBI and CISA issued a joint Cybersecurity Advisory (CSA) advisory, **warning** about Androxgh0st constructing a botnet to carry out credential theft and establish backdoor access. 

Last year, Cado Security Ltd. **revealed** the details of a Python-based credential harvester and a hacking tool called Legion, linked to the AndroxGh0st malware family. Legion is designed to exploit email services for abuse.

****The Way Forward****

Veriti’s research goes onto show the importance of proactive exposure management and threat intelligence in cyber security. Organizations must regularly update their security measures, including patch management for known vulnerabilities, strong web shell deployment monitoring, and behavioural analysis tools to prevent breaches and protect against similar vulnerabilities.

1.  Russian Hackers Hit Ubiquiti Routers for Botnet Creation
2.  ActiveMQ Flaw Exploited to Spread GoTitan Botnet, PrCtrl Rat
3.  Mirai-based NoaBot Botnet Hit Linux Systems with Cryptominer
4.  Qakbot Botnet Disrupted, Infected 700,000 Computers Globally
5.  OracleIV DDoS Botnet Malware Targets Docker Engine API Instances

Androxgh0st Malware Compromises Servers Worldwide for Botnet Attack

Plus: New York’s legislature suffers a cyberattack, police disrupt a global phishing operation, and Apple removes encrypted messaging apps in China.

Looking for love? Be careful what you wish for.

A loose-knit community of con artists known as Yahoo Boys has begun using real-time face-swap technology to woo victims with romance scams. Using a variety of tools and techniques, the scammers use AI-powered apps to make themselves look like entirely different people on video calls. Just remember: If someone you’ve never met IRL is asking you for money, just say no.

Elsewhere in the world of harmful deepfakes, two major websites used for creating fake nude images of people are now blocked in the United Kingdom. The censorship, which appears to be self-imposed, comes just days after the UK proposed legislation that would ban nonconsensual, sexualized AI-generated images.

A Russian cybercriminal gang called Cyber Army of Russia Reborn appears to have been created with the help of Sandworm, the notorious Russian military hacking unit that has carried out devastating cyberattacks against Ukraine for years. The difference? Cyber Army of Russia Reborn is even more brazen, taking credit for attacks against critical infrastructure in Europe and the United States.

Change Healthcare’s ransomware saga entered a new chapter this week. A cybercriminal group called RansomHub claims to be selling highly sensitive patient information stolen from the company. The sale follows RansomHub’s claims that it possesses terabytes of data stolen in a February attack by another ransomware gang known as AlphV or Black Cat, which received a $22 million payment in March. Change Healthcare says it has spent $872 million response to the ransomware attack as of March 31.

The biggest global surveillance program carried out by the US may be about to get bigger. A two-year renewal of Section 702 of the Foreign Intelligence Surveillance Act, which technically expired on Friday, will soon go up for a vote by the US Senate after passing the House last week. Included in the legislation is a provision that would greatly expand the number of businesses that could be conscripted to spy on behalf of the US government, which critics have called the “Stasi provision.” One of the largest lobbying firms for Big Tech companies has opposed the provision over fears that tech industry workers could be forced to become informants.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

There’s a kernel of truth in every good fiction, which is why the very real Defense Advanced Research Projects Agency, or Darpa, is a constant go-to for shows like the _X-Files_ and games like _Metal Gear Solid_. It tends to pop up whenever a shadowy government agency is needed to reverse engineer a stolen alien artifact or construct a giant killer robot. A Darpa announcement this Thursday, however, sounds almost too much like the opening sequence of a Hideo Kojima game: With the help of the US Air Force Test Pilot School, the agency says an experimental aircraft known as the X-62 was successfully flown by artificial intelligence during a simulated dogfight against a human pilot in an F-16. “The potential for autonomous air-to-air combat has been imaginable for decades,” US Air Force secretary Frank Kendall says, “but the reality has remained a distant dream up until now.”

**New York State Legislature Hit by Cyberattack**

Details are scant as to the impact, but for at least several hours this week, hackers felled computer systems supporting the work of New York’s state legislature. While an attack on something called the Legislative Bill Drafting Commission isn’t quite as jaw-dropping as one against a power plant or a naval base, the LBDC is one of a dozen required stops that legislation in New York must make en route to becoming law. Bills can’t be introduced, amended, or reviewed by committee without it, much less get a vote. Luckily, the agency reports it was able to get back on its feet within a few hours using a “backup system.” An investigation of the attack is ongoing.

**Police Disrupt Global Phishing Operation**

An armada of law enforcement agencies arrested 37 suspects around the world last weekend in an operation targeting LabHost, reportedly one of the world’s largest phishing-as-a-service platforms. The investigation was spearheaded by the London Metropolitan Police in cooperation with Europol. Investigators uncovered a whopping 40,000 phishing domains being operated by as many as 10,000 users worldwide, Europol says. LabHost charged a monthly fee of $249. That cybercriminals have discovered the psychological benefits of just-below pricing is yet another sign of the growing popularity and sophistication of these markets.

**Apple Removes Encrypted Messaging Apps in China**

Encrypted messaging apps WhatsApp, Signal, and Telegram have gone the way of Winnie the Pooh. Citing “national security concerns,” China ordered Apple to delete “certain apps” from its Chinese App Store this week, the tech behemoth announced (while neglecting to specify which ones). Apple reportedly met with Chinese authorities to express concern over how banning the apps would impact its users but relented after being met with a stone wall. “We are obligated to follow the laws in the countries where we operate,” the company said, “even when we disagree.” Apple is heavily dependent on China’s workforce to manufacture its products, and sales in the region have topped $70 billion in recent years. That Apple has become beholden to the Chinese government because of this is no longer much of a secret.

AI-Controlled Fighter Jets Are Dogfighting With Human Pilots Now

Chinese actors are ready and poised to do "devastating" damage to key US infrastructure services if needed, he said.

Source: KaimDH via Shutterstock

FBI Director Christopher Wray this week delivered what might be the starkest warning yet on the threat that China-backed hackers pose to US national and economic security.

In remarks at a Vanderbilt University\-hosted summit on modern conflict and emerging threats, Wray described Chinese hackers as outnumbering FBI personnel by at least 50 to 1 and standing poised to "wreak havoc" on US critical infrastructure at a moment's notice.

**Immediate and Imminent Threat**

Stakeholders across private industry and government need to treat the threat as immediate and implement plans to fortify networks and respond to attacks now, the nation's leading law enforcement official said.

"The \[People's Republic of China\] has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage," Wray said. "Its plan is to land low blows against civilian infrastructure to try to induce panic and break America's will to resist."

Wray's comments build on repeated warnings in recent months from US officials — and the FBI itself — about a dangerous and systematic escalation in Chinese targeting of networks and systems belonging to organizations in critical infrastructure sectors. Wray and others have repeatedly described the intrusions as attempts by Chinese hackers to methodically pre-position themselves for attacks designed to disrupt telecommunications, energy, water, technology and other critical infrastructure services when needed.

China's cyberattackers are "giving the Chinese government the ability to wait for just the right moment to deal a devastating blow," Wray said. Beijing, he added, is building a capability to deter any US attempts to intervene in the event of a crisis between China and Taiwan.

**Multifaceted Attacks**

The ongoing attempts by Chinese hackers to establish and maintain a presence on critical infrastructure adds to the pressure that US organizations have had to deal with for more than a decade from China-backed cyber-espionage and cybercriminal groups. To support economic initiatives like Made in China 2025 and multiple separate five-year plans, Beijing has for years deployed cyber groups to systematically steal intellectual property and trade secrets from companies in key competitive sectors, Wray said.

Targets have included organizations in fields as diverse as biotech, aviation, artificial intelligence, agriculture, and healthcare. "The PRC is engaged in the largest and most sophisticated theft of intellectual property and expertise in the history of the world," Wray noted. "You could close your eyes and pull an industry or sector out of a hat and, chances are, Beijing has targeted it."

In recent months, the Volt Typhoon group has been one of the most visible faces of what the US regards as China's untrammeled aggression in cyberspace. The US Cybersecurity and Infrastructure Security Agency (CISA) and security vendors have, on multiple occasions this year, reported on the threat actor's intrusions into US critical infrastructure networks and operational technology environments with a view to gaining a presence on these networks and lying in wait for instructions to attack. Last year, The New York Times identified Volt Typhoon hitting military bases, prompting worried Biden administration officials to admit that the threat actor's malware was more endemic on US networks than previously thought.

**"Scattershot" and "Indiscriminate" Attacks**

Wray pointed to widespread attacks in 2021 that exploited zero-day vulnerabilities in Microsoft Exchange Server as one of the "most egregious examples" of China's "scattershot, indiscriminate, cyber campaigns," in recent memory. Those attacks involved China-backed Hafnium group deploying Web shells for remote access on thousands of corporate systems. The FBI — in an unprecedented move at the time — later obtained a court order to remotely remove those Web shells from thousands of infected systems before the threat actor could use them to inflict further damage.

In response to the growing threat, the FBI has mobilized its own field offices in the US and around the world to address the threat, Wray said. The agency is also working with US Cyber Command, the CIA, and foreign law enforcement agencies to disrupt Chinese hacking operations. The effort has included going after known hackers, malware developers, and the owners of support infrastructure like bulletproof hosting services and money launderers.

Private sector organizations can do their part by being more diligent about their cyber defense and response mechanisms and by sharing information that can prevent nascent threats from "metastasizing to other sectors" and businesses, Wray said. "We've seen the best outcomes in situations where a company made a habit of reaching out to their local FBI field office even before there was any indication of a problem, because that put everyone on the same page and contributed to the company's readiness."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

FBI Director Wray Issues Dire Warning on China's Cybersecurity Threat

A ransomware gang claimed responsibility for the attack, though it is unknown if a ransom was demanded or paid.

The UN City building located in Copenhagen, DenmarkSource: BERK OZDEMIR via Alamy Stock Photo

The United Nations Development Programme (UNDP) became the victim of a cyberattack in late March, which also impacted the IT infrastructure of the city of Copenhagen, Denmark. 

The UNDP received word of a data-extortion actor stealing its data, some of it related to human resources and procurement. 

As the agency continues to assess the scope of the attack, the UNDP noted in a statement that "actions were immediately taken to identify a potential source and contain the affected server."

The UNDP determined which data was exposed and who is at risk because of the breach. It's also been in contact with those who have been impacted, as well as with stakeholders, such as UN system partners. 

Though the UNDP has not confirmed who the threat actor was, 8Base, a ransomware gang, updated its website in early April, listing UNDP as one of its victims, along with three other entities. The group commented that information such as personal data, certificates, "a huge amount of confidential information," and invoices, among other things, were uploaded to the servers.

UNDP made no subsequent comment and didn't address whether a ransom has been demanded or paid.

**About the Author(s)**

UNDP, City of Copenhagen Targeted in Data-Extortion Cyberattack

The world's most-visited deepfake website and another large competing site are stopping people in the UK from accessing them, days after the UK government announced a crackdown.

Two of the biggest deepfake pornography websites have now started blocking people trying to access them from the United Kingdom. The move comes days after the UK government announced plans for a new law that will make creating nonconsensual deepfakes a criminal offense.

Nonconsensual deepfake pornography websites and apps that “strip” clothes off of photos have been growing at an alarming rate—causing untold harm to the thousands of women they are used to target.

Clare McGlynn, a professor of law at Durham University, says the move is a “hugely significant moment” in the fight against deepfake abuse. “This ends the easy access and the normalization of deepfake sexual abuse material,” McGlynn tells WIRED.

Since deepfake technology first emerged in December 2017, it has consistently been used to create nonconsensual sexual images of women—swapping their faces into pornographic videos or allowing new “nude” images to be generated. As the technology has improved and become easier to access, hundreds of websites and apps have been created. Most recently, schoolchildren have been caught creating nudes of classmates.

The blocks on the deepfake websites in the UK were first spotted today, with two of the most prominent services displaying notices on their landing pages that they are no longer accessible to people visiting from the country. WIRED is not naming the two websites due to their enabling of abuse.

One of the websites with the restriction in place is the biggest deepfake pornography website existing today. Its homepage, when visiting from the UK, displays a message saying access is denied. “Due to laws or (upcoming) legislation in your country or state, we are unfortunately obligated to deny you access to this website,” the message says. It also shows the visitor’s IP address and country.

The other website, which also has an app, displays a similar message. “Access to the service in your country is blocked,” it says, before hinting there may be ways to get around the geographic restriction. The websites do not appear to have any restrictions in place when visiting from the United States, although may also be restricted in other countries.

It is not immediately clear why the sites have introduced the location blocks or whether they have done so in response to any legal orders or notices. Nor is it clear whether the blocks are temporary. Messages sent to the websites through email addresses and contact forms went unanswered. The creators of the websites have not posted any public messages on the websites or their social media channels about the blocks.

Ofcom, the UK’s communications regulator, has the power to persue action against harmful websites under the UK’s controversial sweeping online safety laws that came into force last year. However, these powers are not yet fully operational, and Ofcom is still consulting on them.

It’s likely the restrictions may significantly limit the amount of people in the UK seeking out or trying to create deepfake sexual abuse content. Data from Similarweb, a digital intelligence company, shows the biggest of the two websites had 12 million global visitors last month, while the other website had 4 million visitors. In the UK, they had around 500,000 and 50,000 visitors, respectively.

This week, politicians in the UK announced plans for a law that criminalizes the creation of nonconsensual deepfakes. Under the law, which is yet to be passed, people could face an unlimited fine if they create deepfakes to “cause alarm, humiliation, or distress to the victim.” This builds on previous provisions that make it illegal for people in the UK to share sexualized deepfakes.

“While it’s unclear if these platforms have been ordered to block UK access or have done so proactively due to the recent criminalization, it shows legislation can make a meaningful difference in removing the legal ambiguity that many deepfake pornography platforms use as cover for the clear ethical harms they cause,” Henry Ajder, an AI and deepfake expert, tells WIRED. Ajder adds that search engines and hosting providers around the world should be doing more to limit the spread and creation of harmful deepfakes.

While the two websites can still be accessed in the UK using a VPN, the restrictions are a sign that constant pressure—from lawmakers, tech companies, and campaigners—can make deepfake porn harder to access and create. “Of course, people will be able to use VPN to access these websites and apps, but that introduces friction,” Durham University’s McGlynn says. “It introduces a message that there’s something wrong and harmful about this material such that you have to use a VPN to access it.”

“Hopefully,” McGlynn adds, “this can show other governments around the world that if we take steps, we could actually reduce the prevalence \[of\] and easy access to deepfake sexual abuse material.”

Tag

#web