Auto parts giant LKQ says cyberattack disrupted Canadian business unit



Automobile parts giant LKQ Corporation disclosed that one of its business units in Canada was hacked, allowing threat actors to steal data from the company.

LKQ is a public American company specializing in automotive replacement parts, components, and services to repair and maintain vehicles. The company has 45,000 employees in 25 countries and operates numerous brands, including Keystone, Tri Star, and ADL.

In a Friday evening Form 8-K filing with the SEC, the company says one of its business units in Canada was breached on November 13, disrupting business operations.

“On November 13, 2024, LKQ Corporation (the “Company” or “we”) detected unauthorized access to information technology (IT) systems of a single business unit in Canada (“Business Unit”). The attack disrupted the Business Unit’s operations,” reads the LKQ Form 8-K filing.

“Upon discovery, we immediately began taking steps to investigate, contain, and recover from the incident, including activating our security incident response and recovery plans, partnering with industry leading forensic investigators, and initiating containment measures for affected systems. We also promptly notified law enforcement authorities. We are analyzing data impacted by the incident and will be notifying affected parties as appropriate.”

“As a result of the incident, the Company’s operations within this Business Unit were adversely impacted for a few weeks while affected systems were recovered; however, the Company believes that it has effectively contained the threat and that none of its other businesses were impacted by the threat, and the Business Unit is now operating near full capacity.”

The company says it does not believe the incident will have any material impact on its financials or operations for the remainder of the fiscal year. LKQ says it will seek reimbursement for costs and expenses stemming from the cyberattack from its cyber insurance provider.

LKQ notes that its containment measures caused some disruption within the breached business unit for a few weeks, but says operations have since been restored.

No ransomware gangs or other threat actors have claimed responsibility for the attack.




390,000+ WordPress Credentials Stolen via Malicious GitHub Repository Hosting PoC Exploits


Dec 13, 2024 | Ravie Lakshmanan | Cyber Attack / Malware

A now-removed GitHub repository that advertised a WordPress tool to publish posts to the online content management system (CMS) is estimated to have enabled the exfiltration of over 390,000 credentials.

The malicious activity is part of a broader attack campaign undertaken by a threat actor, dubbed MUT-1244 (where MUT refers to “mysterious unattributed threat”) by Datadog Security Labs, that involves phishing and several trojanized GitHub repositories hosting proof-of-concept (PoC) code for exploiting known security flaws.

“Victims are believed to be offensive actors – including pentesters and security researchers, as well as malicious threat actors – and had sensitive data such as SSH private keys and AWS access keys exfiltrated,” researchers Christophe Tafani-Dereeper, Matt Muir, and Adrian Korn said in an analysis shared with The Hacker News.

It’s no surprise that security researchers have been an attractive target for threat actors, including nation-state groups from North Korea, as compromising their systems could yield information about possible exploits related to undisclosed security flaws they may be working on, which could then be leveraged to stage further attacks.


In recent years, there has emerged a trend where attackers attempt to capitalize on vulnerability disclosures to create GitHub repositories using phony profiles that claim to host PoCs for the flaws but actually are engineered to conduct data theft and even demand payment in exchange for the exploit.

The campaigns undertaken by MUT-1244 not only involve making use of trojanized GitHub repositories but also phishing emails, both of which act as a conduit to deliver a second-stage payload capable of dropping a cryptocurrency miner, as well as stealing system information, private SSH keys, environment variables, and contents associated with specific folders (e.g., ~/.aws) to File.io.

One such repository was “github[.]com/hpc20235/yawpp,” which claimed to be “Yet Another WordPress Poster.” Prior to its takedown by GitHub, it contained two scripts: One to validate WordPress credentials and another to create posts using the XML-RPC API.

But the tool also harbored malicious code in the form of a rogue npm dependency, a package named @0xengine/xmlrpc that deployed the same malware. It was originally published to npm in October 2023 as a JavaScript-based XML-RPC server and client for Node.js. The library is no longer available for download.

It’s worth noting that cybersecurity firm Checkmarx revealed last month that the npm package remained active for over a year, attracting about 1,790 downloads.

The yawpp GitHub project is said to have enabled the exfiltration of over 390,000 credentials, likely for WordPress accounts, to an attacker-controlled Dropbox account by compromising unrelated threat actors who had access to these credentials through illicit means.

Another method used to deliver the payload entails sending phishing emails to academics in which they are tricked into visiting links that instruct them to launch the terminal and copy-paste a shell command to perform a supposed kernel upgrade. The discovery marks the first time a ClickFix-style attack has been documented against Linux systems.

“The second initial access vector that MUT-1244 utilizes is a set of malicious GitHub users publishing fake proof-of-concepts for CVEs,” the researchers explained. “Most of them were created in October or November [2024], have no legitimate activity, and have an AI-generated profile picture.”


Some of these bogus PoC repositories were previously highlighted by Alex Kaganovich, Colgate-Palmolive’s global head of offensive security red team, in mid-October 2024. But in an interesting twist, the second-stage malware is delivered in four different ways:

  • Backdoored configure compilation file
  • Malicious payload embedded in a PDF file
  • Using a Python dropper
  • Inclusion of a malicious npm package “0xengine/meow”

“MUT-1244 was able to compromise the system of dozens of victims, mostly red teamers, security researchers, and anyone with an interest in downloading PoC exploit code,” the researchers said. “This allowed MUT-1244 to gain access to sensitive information, including private SSH keys, AWS credentials, and command history.”





Fintech Giant Finastra Investigating Data Breach – Krebs on Security


The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world’s top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company.

London-based Finastra has offices in 42 countries and reported $1.9 billion in revenues last year. The company employs more than 7,000 people and serves approximately 8,100 financial institutions around the world. A major part of Finastra’s day-to-day business involves processing huge volumes of digital files containing instructions for wire and bank transfers on behalf of its clients.

On November 8, 2024, Finastra notified financial institution customers that on Nov. 7 its security team detected suspicious activity on Finastra’s internally hosted file transfer platform. Finastra also told customers that someone had begun selling large volumes of files allegedly stolen from its systems.

“On November 8, a threat actor communicated on the dark web claiming to have data exfiltrated from this platform,” reads Finastra’s disclosure, a copy of which was shared by a source at one of the customer firms.

“There is no direct impact on customer operations, our customers’ systems, or Finastra’s ability to serve our customers currently,” the notice continued. “We have implemented an alternative secure file sharing platform to ensure continuity, and investigations are ongoing.”

But its notice to customers does indicate the intruder managed to extract or “exfiltrate” an unspecified volume of customer data.

“The threat actor did not deploy malware or tamper with any customer files within the environment,” the notice reads. “Furthermore, no files other than the exfiltrated files were viewed or accessed. We remain focused on determining the scope and nature of the data contained within the exfiltrated files.”

In a written statement in response to questions about the incident, Finastra said it has been “actively and transparently responding to our customers’ questions and keeping them informed about what we do and do not yet know about the data that was posted.” The company also shared an updated communication to its clients, which said while it was still investigating the root cause, “initial evidence points to credentials that were compromised.”

“Additionally, we have been sharing Indicators of Compromise (IOCs) and our CISO has been speaking directly with our customers’ security teams to provide updates on the investigation and our eDiscovery process,” the statement continues. Here is the rest of what they shared:

“In terms of eDiscovery, we are analyzing the data to determine what specific customers were affected, while simultaneously assessing and communicating which of our products are not dependent on the specific version of the SFTP platform that was compromised. The impacted SFTP platform is not used by all customers and is not the default platform used by Finastra or its customers to exchange data files associated with a broad suite of our products, so we are working as quickly as possible to rule out affected customers. However, as you can imagine, this is a time-intensive process because we have many large customers that leverage different Finastra products in different parts of their business. We are prioritizing accuracy and transparency in our communications.

Importantly, for any customers who are deemed to be affected, we will be reaching out and working with them directly.”

On Nov. 8, a cybercriminal using the nickname “abyss0” posted on the English-language cybercrime community BreachForums that they’d stolen files belonging to some of Finastra’s largest banking clients. The data auction did not specify a starting or “buy it now” price, but said interested buyers should reach out to them on Telegram.

abyss0’s Nov. 7 sales thread on BreachForums included many screenshots showing the file directory listings for various Finastra customers. Image: Ke-la.com.

According to screenshots collected by the cyber intelligence platform Ke-la.com, abyss0 first attempted to sell the data allegedly stolen from Finastra on October 31, but that earlier sales thread did not name the victim company. However, it did reference many of the same banks called out as Finastra customers in the Nov. 8 post on BreachForums.

The original October 31 post from abyss0, where they advertise the sale of data from several large banks that are customers of a large financial software company. Image: Ke-la.com.

The October sales thread also included a starting price: $20,000. By Nov. 3, that price had been reduced to $10,000. A review of abyss0’s posts to BreachForums reveals this user has offered to sell databases stolen in several dozen other breaches advertised over the past six months.

The apparent timeline of this breach suggests abyss0 gained access to Finastra’s file sharing system at least a week before the company says it first detected suspicious activity, and that the Nov. 7 activity cited by Finastra may have been the intruder returning to exfiltrate more data.

Maybe abyss0 found a buyer who paid for their early retirement. We may never know, because this person has effectively vanished. The Telegram account that abyss0 listed in their sales thread appears to have been suspended or deleted. Likewise, abyss0’s account on BreachForums no longer exists, and all of their sales threads have since disappeared.

It seems improbable that both Telegram and BreachForums would have given this user the boot at the same time. The simplest explanation is that something spooked abyss0 enough for them to abandon a number of pending sales opportunities, in addition to a well-manicured cybercrime persona.

In March 2020, Finastra suffered a ransomware attack that sidelined a number of the company’s core businesses for days. According to reporting from Bloomberg, Finastra was able to recover from that incident without paying a ransom.

This is a developing story. Updates will be noted with timestamps. If you have any additional information about this incident, please reach out to krebsonsecurity @ gmail.com or at protonmail.com.




Android beefs up Bluetooth tag stalker protections • The Register


Google is rolling out two new features to help Android users evade stalkers who abuse Bluetooth tags to surreptitiously track them.

The Temporarily Pause Location feature lets users halt location updates sent to Bluetooth trackers via their phone for up to 24 hours. In Google’s view, this will allow users to quickly take action against a tag without having to stop and search for a hidden device, which may compromise safety.

When users feel safe enough to search for the device, the new Find Nearby feature helps locate it. Android users could already make a tracker placed on them play a sound, but the new feature adds a visual aid – a shape that fills as the user nears the tracker – to simplify locating it. A text prompt also describes the status of the connection to the tag.

Both features build on the existing protections Google has made available to users for years, more of which it said will continue to be rolled out over time.

However, these features work exclusively with trackers compatible with Android’s Find My Device Network, which launched earlier this year after much anticipation and was met with its fair share of naysayers.

Critics’ main gripe was that the network defaulted to activation only in high-traffic areas, although this can be manually changed to enable it everywhere. It meant tracker locating performance was limited in low-density areas.

Another issue lies in the limited number of devices compatible with the network. Only Pebblebee tags and Chipolo ONE Point and Chipolo CARD Point devices are fully compatible, benefiting from the bonus features that come with it.

Apple’s AirTags, among the most popular devices of their kind, are compatible but with limitations. Android users will be alerted if an AirTag is being used to track them, but the Find My Device Network features announced this week, for example, won’t work.

Other network features include gathering additional data about the tracker device itself. Once located, users can hold the tag near the back of their Android phone to retrieve data like the device identifier and the owner’s hidden email address. The data can be saved via screenshots and forwarded to law enforcement in extreme cases.

Both Apple and Google have been working for well over a year on a common device specification to allow trackers from all manufacturers to benefit from the advanced features on their respective networks.

Detecting Unwanted Location Trackers – the proposed specification name – was rolled out in May 2024 and Apple said that devices made by major players such as Chipolo, eufy, Jio, Motorola, and Pebblebee will adopt it in the future.

Serious and ongoing concerns

Consumer-grade Bluetooth trackers have been on the market for over a decade, but it was the release of Apple’s AirTags in 2021 that renewed concerns about people’s safety.

It took just over a year before the very worst offenses were carried out with the assistance of the tags, which were designed to help locate lost keys and pets.

Andre Smith was killed by his ex-girlfriend who tracked him using an AirTag concealed within his car’s bodywork. She would go on to be sentenced to 18 years in prison for manslaughter.

Numerous other grisly cases have been reported over the years, from women stalked after separating from their partners, to celebrities tracked while on holiday. Charities such as Refuge and the Suzy Lamplugh Trust have since reported an uptick in reports of AirTag and other Bluetooth tracker abuse.

Apple has routinely and vehemently condemned abuse of AirTags. It said in a 2022 statement: “Based on our knowledge and on discussions with law enforcement, incidents of AirTag misuse are rare; however, each instance is one too many.”

Apple’s anti-tracking features mirror Android’s in that not all tags work with its Find My network. Tags adhering to the Detecting Unwanted Location Trackers standard but not compatible with Find My will also trigger unwanted tracking notifications on iOS 17.5 or newer. ®




International crackdown disrupts DDoS-for-hire operations


In a sweeping international crackdown, law enforcement agencies from 15 countries, including the United States and multiple European nations, have dismantled 27 of the most popular platforms used for carrying out distributed denial-of-service (DDoS) attacks, Europol announced Wednesday. The operation, known as PowerOFF, has led to the arrest of three administrators in France and Germany and identified 300 users of these illegal services.

Booter and stresser websites allow individuals to launch overwhelming amounts of traffic at targeted websites, effectively rendering them inaccessible. These platforms are widely used by threat actors due to their simplicity and effectiveness in disrupting online services without the need for advanced technical skills. The takedowns occurred just before the Christmas holiday period, a time known for increased DDoS activity.

In addition to the website seizures, authorities launched an online advertising campaign aimed at deterring potential offenders. As part of these preventive measures, ads will target individuals searching for DDoS-for-hire services on Google and YouTube, highlighting the illegality and consequences of such activities.

“We know that Booter services are an attractive entry-level cyber crime, and users can go on to even more serious offending,” Frank Tutty, from the U.K.’s National Crime Agency, said in a news release. “Therefore, tackling this threat doesn’t just involve arresting offenders, it includes steering people away from straying into cyber crime and helping them make the right cyber choices.”

The operation involved close cooperation between agencies such as the FBI and Europol, as well as national police forces from countries including Brazil, Canada, and Japan. The timing of the operation was strategic, particularly given recent reports, including one from Cloudflare, that indicate a significant increase in DDoS attacks worldwide, with the banking and financial sectors being major targets amid growing geopolitical tensions.

U.S. prosecutors in Los Angeles this week unsealed one indictment charging one defendant with running booter services. 

Ricardo Cesar Colli, a.k.a. “TotemanGames,” 22, of Brazil, is charged with conspiracy to violate and violating the Computer Fraud and Abuse Act in connection with the alleged operation of a booter service named Securityhide.net (formerly known as Securityhide.com). Additionally, prosecutors in Alaska have indicted one defendant on charges of administering significant booter services. That indictment remains under seal. The Department of Justice said Wednesday it “continues to work with international partners to pursue an arrest and extradition” related to those charges.

This coordinated effort reflects a broader strategy by international law enforcement to tackle cyber threats comprehensively, from dismantling illegal infrastructures to preventing future attacks through education and awareness campaigns. The crackdown on DDoS-for-hire services is part of a series of operations in recent months led by Europol and its partners, which have also targeted other forms of cybercrime, including phone phishing scams and illegal streaming networks.


Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.




OData Injection Risk in Low-Code/No-Code Environments


COMMENTARY

As organizations lean into low-code/no-code (LCNC) platforms to streamline development and empower citizen developers, security risks become increasingly challenging to manage. One of the more under-the-radar LCNC threats is OData injection, an attack vector that can expose sensitive corporate data and is predominant on the Microsoft Power Platform. This new vulnerability is poorly understood by security professionals in LCNC environments, where traditional safeguards are lacking.

What Is OData? 

OData, or Open Data Protocol, is an OASIS standard that has gained traction in LCNC platforms as a way to manage and deliver data through REST APIs. It’s widely adopted because it allows seamless communication between applications and data sources, regardless of the underlying data storage model. In LCNC environments, it is commonly used as a query language to retrieve data from a variety of sources, such as SQL databases, SharePoint, or Dataverse.

OData is particularly valuable in LCNC platforms because of its simplicity — developers don’t need to be database experts to use it, and the same query language can be used for very different data sources. 

The OData Injection Threat

OData injection manipulates user input that is later used by an application or automation to form an OData query. The query is then applied to an enterprise data source. This allows an attacker to gain unauthorized access to manipulate or exfiltrate sensitive user and corporate data. 

While SQL injection (SQLi) is generally understood by security professionals, OData injection poses a different set of challenges, especially in LCNC environments, where multiple data sources are often connected and managed by citizen developers with minimal security training. Unlike SQLi, which is confined to relational databases, OData can connect to a wide array of data sources, including custom applications and third-party services, broadening the potential impact of an attack. 

OData also lacks the well-established security practices that have been developed for SQL. For example, SQLi can typically be mitigated with parameterized queries, a practice that has become standard over the years. OData injection, however, doesn’t have a similar one-size-fits-all solution. Developers must create custom input validation mechanisms — a manual and error-prone process. In addition, the general lack of awareness of OData injection techniques further reduces the likelihood that custom validation methods will be implemented. 

A New External Attack Surface

OData vulnerabilities in LCNC environments often stem from the unrecognized risks associated with external data inputs. These are frequently integrated into workflows that manipulate critical enterprise data, including Web forms, email messages, social media, and external Web applications. These inputs typically are accepted without stringent validation, leaving the attack surface vulnerable and often undefended, as developers and security teams may overlook these sources as potential risks.  

This oversight allows attackers to exploit these inputs by injecting malicious OData queries. For instance, a simple product feedback form could be exploited to extract sensitive data or modify stored information. 

Security Challenges 

Because most citizen developers don’t have formal security training and are often unfamiliar with the dangers of accepting unchecked external inputs in their workflows, OData injection vulnerabilities can flourish undetected.

Also, unlike SQL injection, validating user inputs in OData queries requires a more hands-on approach. Developers must manually sanitize inputs — removing harmful characters, ensuring proper formatting, and guarding against common injection techniques. This process takes time, effort, and more advanced programming knowledge that most LCNC developers lack.
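To make the sanitization step above concrete, here is an added example (not code from the article, Microsoft, or any LCNC platform) in Python: a `$filter` expression built by naive concatenation next to a hardened builder that allowlists the field name, type-checks numeric values, caps string length, rejects control characters, and escapes single quotes the way the OData v4 grammar requires (a quote inside a string literal is written as two quotes). The field names, the allowlist, and the tainted sample value are constructed for illustration. A small clause counter shows how the unescaped input changes the shape of the query while the escaped version keeps it as a single comparison.

```python
import re
from typing import Dict

# Constructed allowlist: fields a feedback-form workflow may filter on, with
# the value type each one expects. Hypothetical names, not a real schema.
ALLOWED_FIELDS: Dict[str, str] = {"ProductId": "string", "Rating": "int", "Region": "string"}

# Constructed tainted value: a single quote lets the rest of the text be read
# as OData expression syntax instead of string content.
TAINTED_INPUT = "x' or Rating ge 0 or Region eq 'y"


def build_filter_unsafe(field: str, value: str) -> str:
    """Vulnerable pattern: user text concatenated straight into $filter."""
    return f"{field} eq '{value}'"


def odata_string_literal(value: str) -> str:
    """Encode a value as an OData v4 string literal: single-quoted, with any
    embedded single quote doubled so it cannot terminate the literal."""
    return "'" + value.replace("'", "''") + "'"


def build_filter_safe(field: str, value: str) -> str:
    """Hardened builder: allowlisted field, typed validation, escaped literal."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not allowed: {field!r}")
    if ALLOWED_FIELDS[field] == "int":
        # Numeric fields take only a plain integer, never free text.
        if not re.fullmatch(r"-?\d{1,9}", value):
            raise ValueError("integer expected")
        return f"{field} eq {int(value)}"
    # String fields: bound the length and refuse control characters before escaping.
    if len(value) > 200 or any(ord(c) < 0x20 for c in value):
        raise ValueError("invalid string value")
    return f"{field} eq {odata_string_literal(value)}"


def count_clauses(expr: str) -> int:
    """Count comparison clauses joined by ' or ' / ' and ' outside string
    literals (honouring doubled quotes), to show how injection reshapes a query."""
    clauses, in_str, i = 1, False, 0
    while i < len(expr):
        c = expr[i]
        if in_str:
            if c == "'":
                if i + 1 < len(expr) and expr[i + 1] == "'":
                    i += 2          # escaped quote, still inside the literal
                    continue
                in_str = False
        elif c == "'":
            in_str = True
        elif expr.startswith((" or ", " and "), i):
            clauses += 1
        i += 1
    return clauses


if __name__ == "__main__":
    unsafe = build_filter_unsafe("Region", TAINTED_INPUT)
    safe = build_filter_safe("Region", TAINTED_INPUT)
    print("unsafe:", unsafe, "->", count_clauses(unsafe), "clauses")
    print("safe:  ", safe, "->", count_clauses(safe), "clause")
```

The unsafe builder turns one intended equality check into three clauses, one of which (`Rating ge 0`) matches every row; the hardened builder keeps the whole tainted value inside a single literal. In a Power Platform flow the same idea applies even without code: keep the field and operator fixed in the expression, pass only the value, and validate it against the type you expect before it reaches the connector.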

Furthermore, in traditional development environments, security vulnerabilities are often tracked and remediated through ticketing systems or backlog management tools like Jira. This formal process does not exist in most LCNC development environments, where developers may not be full-time coders and have no formalized way to handle bug tracking or vulnerability management.

Mitigation Best Practices

Combating OData injection requires a proactive security strategy. Ideally, LCNC developers should be trained on OData query risks and how external inputs could be exploited. This is unrealistic, since citizen developers aren’t full-time coders. 

Instead, automation can play a significant role in monitoring and detecting OData injection vulnerabilities. Security teams should deploy tools that continuously assess LCNC environments for potential vulnerabilities, especially as new applications and workflows are created. This will help identify weaknesses early and quickly provide developers with actionable insights into how to fix them.

Collaboration between security teams and LCNC developers is another essential piece of the puzzle. Security teams should be granted access to monitor the development process in real time, particularly in environments where critical corporate data is being processed. When vulnerabilities are identified, security must communicate clearly with developers, offering specific guidance on how to remediate issues. This could include best practices for input validation and sanitization, as well as tools for automating the process where possible.

Lastly, security should be integrated into the LCNC development life cycle. Much like the “shift-left” movement in traditional software development, security checks should be built into the LCNC workflow from the outset. Automated testing tools can be leveraged to scan for vulnerabilities as applications are being built, reducing the likelihood of OData injection vulnerabilities slipping through the cracks.

As the adoption of LCNC continues to grow, so will the complexity of the threats organizations face. Addressing LCNC vulnerabilities like OData injection now will help keep enterprises safe in the long run.




Germany sinkholes BadBox malware pre-loaded on Android devices



Germany’s Federal Office for Information Security (BSI) has disrupted the BadBox malware operation pre-loaded in over 30,000 Android IoT devices sold in the country.

The types of impacted devices include digital picture frames, media players and streamers, and potentially smartphones and tablets.

BadBox is Android malware that comes pre-installed in an internet-connected device’s firmware and is used to steal data, install additional malware, or give the threat actors remote access to the network where the device is located.

When an infected device is first connected to the internet, the malware will attempt to contact a remote command and control server run by the threat actors. This remote server will tell the BadBox malware what malicious services should be run on the device and will also receive data stolen from the network.

BSI says the malware can steal two-factor authentication codes, install further malware, and create email and messaging platform accounts to spread fake news. It can also engage in ad fraud by loading and clicking on ads in the background, generating revenue for fraud rings.

Finally, BadBox can be set up to act as a proxy, allowing other people to use the device’s internet bandwidth and hardware to route their own traffic. This tactic, known as residential proxying, often involves illegal operations that implicate the user’s IP address.

Germany’s cybersecurity agency says it blocked communication between the BadBox malware devices and their command and control (C2) infrastructure by sinkholing DNS queries so that the malware communicates with police-controlled servers rather than the attacker’s command and control servers. 

Sinkholing prevents the malware from sending stolen data to the attackers and receiving new commands to execute on the infected device, effectively preventing the malware from working.

“The BSI is currently redirecting the communication of affected devices to the perpetrators’ control servers as part of a sinkholing measure pursuant to Section 7c of the BSI Act (BSIG),” reads BSI’s announcement.

“This affects providers who have over 100,000 customers. There is no acute danger for these devices as long as the BSI maintains the sinkholing measure.”

Infected device owners to be notified

Device owners who are impacted by this sinkholing operation will be notified by their internet service providers based on their IP address.

The agency says that anyone who receives a notification should immediately disconnect the device from their network or stop using it. Unfortunately, as the malware came pre-installed with firmware, other firmware from the device’s manufacturer should not be trusted and the device should be returned or discarded.

BSI notes that all of the impacted devices were running outdated Android versions and old firmware, so even if they were secured against BadBox, they remain vulnerable to other botnet malware for as long as they are exposed online.

“Malware on internet-enabled products is unfortunately not a rare phenomenon. Outdated firmware versions in particular pose a huge risk,” warned BSI President Claudia Plattner. “We all have a duty here: manufacturers and retailers have a responsibility to ensure that such devices do not come onto the market. But consumers can also do something: cyber security should be an important criterion when purchasing!”

Moreover, the announcement mentions that, due to the vast variance in Android IoT manufacturers and device iterations, it’s very likely that many more devices infected by BadBox or similar malware exist in the country, which BSI could not pinpoint this time.

This may include smartphones and tablets, smart speakers, security cameras, smart TVs, streaming boxes, and various internet-connected appliances that follow an obscure route from manufacturing to resell networks.

Signs that your device is infected by botnet malware include overheating when seemingly idle, random performance drops, unexpected settings changes, atypical activity, and connections to unknown external servers.

To mitigate the risk posed by outdated Android IoT devices, install a firmware image from a trustworthy vendor, turn off unnecessary connectivity features, and keep the device isolated from critical networks.

Generally, it is recommended that you buy smart devices only from reputable manufacturers and look for products offering long-term security support.




Iran-Linked IOCONTROL Malware Targets SCADA and Linux-Based IoT Platforms


Dec 13, 2024 | The Hacker News | IoT Security / Operational Technology


Iran-affiliated threat actors have been linked to a new custom malware that’s geared toward IoT and operational technology (OT) environments in Israel and the United States.

The malware has been codenamed IOCONTROL by OT cybersecurity company Claroty, highlighting its ability to attack IoT and supervisory control and data acquisition (SCADA) devices such as IP cameras, routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based IoT/OT platforms.

“While the malware is believed to be custom-built by the threat actor, it seems that the malware is generic enough that it is able to run on a variety of platforms from different vendors due to its modular configuration,” the company said.


The development makes IOCONTROL the tenth malware family to specifically single out Industrial Control Systems (ICS) after Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, Industroyer2, PIPEDREAM (aka INCONTROLLER), COSMICENERGY, and FrostyGoop (aka BUSTLEBERM) to date.

Claroty said it analyzed a malware sample extracted from a Gasboy fuel management system that was previously compromised by the hacking group called Cyber Av3ngers, which has been linked to cyber attacks exploiting Unitronics PLCs to breach water systems. The malware was embedded within Gasboy’s Payment Terminal, otherwise called OrPT.

Control of the payment terminal also means the threat actors had the means to shut down fuel services and potentially steal customers' credit card information.

“The malware is essentially a cyberweapon used by a nation-state to attack civilian critical infrastructure; at least one of the victims were the Orpak and Gasboy fuel management systems,” Claroty said.

The end goal of the infection chain is to deploy a backdoor that’s automatically executed every time the device restarts. A notable aspect of IOCONTROL is its use of MQTT, a messaging protocol widely used in IoT devices, for communications, thereby allowing the threat actors to disguise malicious traffic.

What’s more, command-and-control (C2) domains are resolved using Cloudflare’s DNS-over-HTTPS (DoH) service. This approach, already adopted by Chinese and Russian nation-state groups, is significant because it avoids sending DNS requests in cleartext, which would otherwise let network monitoring spot lookups for the C2 domains.


Once a successful C2 connection is established, the malware transmits information about the device, namely hostname, current user, device name and model, timezone, firmware version, and location, to the server, after which it awaits further commands for execution.

These include checking that the malware is installed in the designated directory, executing arbitrary operating system commands, terminating the malware, and scanning an IP range on a specific port.

“The malware communicates with a C2 over a secure MQTT channel and supports basic commands including arbitrary code execution, self-delete, port scan, and more,” Claroty said. “This functionality is enough to control remote IoT devices and perform lateral movement if needed.”
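The two traffic traits described above, C2 names resolved over DoH and a C2 channel carried over MQTT, are both things a network sensor in an OT segment can flag. The following is an added example written for this page, not Claroty's code and not IOCONTROL itself: it runs two simple rules over constructed flow records. The CSV flow shape, the OT address range, the list of resolver addresses (the 1.1.1.1 and 1.0.0.1 addresses, which also serve Cloudflare's DoH endpoint) and the known-broker address are all assumptions chosen for the example.

```python
"""Added detection example (not Claroty's code, not IOCONTROL): flag OT-segment
hosts that talk DoH to a public resolver or MQTT to a broker nobody registered.
Flow format, address ranges and resolver list are assumptions for this example."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed address plan for the example site.
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
# Public resolver anycast addresses that also front a DoH endpoint (assumed list;
# extend with whatever resolvers your sensors see).
DOH_RESOLVERS = {ipaddress.ip_address(a) for a in ("1.1.1.1", "1.0.0.1")}
MQTT_PORTS = {1883, 8883}                              # plain and TLS MQTT
KNOWN_BROKERS = {ipaddress.ip_address("10.20.1.5")}    # the site's own broker (assumed)

# Constructed flow records in an assumed "src,dst,dport,proto" shape, roughly
# what a Zeek conn.log or NetFlow export looks like after conversion.
SAMPLE_FLOWS = """\
10.20.4.17,1.1.1.1,443,tcp
10.20.4.17,203.0.113.44,8883,tcp
10.20.4.18,10.20.1.5,1883,tcp
10.20.4.18,10.20.1.1,53,udp
192.168.50.9,1.1.1.1,443,tcp
10.20.4.19,198.51.100.7,443,tcp
"""


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int
    proto: str


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed CSV shape; blank and '#' lines are skipped."""
    flows: list[Flow] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = (f.strip() for f in line.split(","))
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(dport), proto.lower()))
    return flows


def classify(flow: Flow) -> str | None:
    """Return an alert label for one flow, or None if it is unremarkable."""
    if flow.src not in OT_SEGMENT:
        return None                         # only the OT segment is in scope here
    if flow.dst in DOH_RESOLVERS and flow.dport == 443 and flow.proto == "tcp":
        # A PLC, camera or payment terminal has no reason to speak DoH; the
        # article notes IOCONTROL resolves its C2 this way to hide DNS lookups.
        return "doh-to-public-resolver"
    if (flow.dport in MQTT_PORTS and flow.dst not in KNOWN_BROKERS
            and flow.dst not in OT_SEGMENT):
        # MQTT to an unregistered broker outside the segment matches the C2 channel.
        return "mqtt-to-unknown-broker"
    return None


def find_alerts(text: str) -> list[tuple[str, str]]:
    """(source address, alert label) for every flow that trips a rule."""
    return [(str(f.src), label) for f in parse_flows(text) if (label := classify(f))]


if __name__ == "__main__":
    for src, label in find_alerts(SAMPLE_FLOWS):
        print(f"{src}: {label}")
```

Against the constructed sample, only 10.20.4.17 trips both rules; the host using the site broker and the host doing ordinary DNS and HTTPS are left alone, as is the non-OT client that legitimately uses a public resolver. The second rule is the more robust of the two in practice: DoH can be moved to any HTTPS host, but an MQTT session from a device that was never enrolled with your broker is hard to explain away.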





Feds Charge Five Men in ‘Scattered Spider’ Roundup – Krebs on Security


Federal prosecutors in Los Angeles this week unsealed criminal charges against five men alleged to be members of a hacking group responsible for dozens of cyber intrusions at major U.S. technology companies between 2021 and 2023, including LastPass, MailChimp, Okta, T-Mobile and Twilio.

A visual depiction of the attacks by the SMS phishing group known as Scattered Spider and Oktapus. Image: Amitai Cohen, twitter.com/amitaico.

The five men, aged 20 to 25, are allegedly members of a hacking conspiracy dubbed “Scattered Spider” and “Oktapus,” which specialized in SMS-based phishing attacks that tricked employees at tech firms into entering their credentials and one-time passcodes at phishing websites.

The targeted SMS scams asked employees to click a link and log in at a website that mimicked their employer’s Okta authentication page. Some SMS phishing messages told employees their VPN credentials were expiring and needed to be changed; other phishing messages advised employees about changes to their upcoming work schedule.

These attacks leveraged newly-registered domains that often included the name of the targeted company, such as twilio-help[.]com and ouryahoo-okta[.]com. The phishing websites were normally kept online for just one or two hours at a time, meaning they were often yanked offline before they could be flagged by anti-phishing and security services.

The phishing kits used for these campaigns featured a hidden Telegram instant message bot that forwarded any submitted credentials in real-time. The bot allowed the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website.
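The domain pattern described above, a target company's name or its identity provider's glued to a helper word in a fresh registration, is cheap to watch for in certificate-transparency or newly-registered-domain feeds. The following scorer is an added example written for this page, not part of the Krebs article or of any evidence in the case; the brand list, the IdP and lure token lists, and the set of owned domains are assumptions you would replace with your own.

```python
"""Added example (not from the article): score a domain for the lookalike
pattern the Scattered Spider lures used.  Brand, token and owned-domain lists
are assumptions for the example."""
from __future__ import annotations

import re

# Assumed: names to protect, plus the IdP and helper words the lures combined with them.
BRANDS = {"twilio", "yahoo", "okta"}
IDP_TOKENS = {"okta", "sso", "vpn", "login", "auth"}
LURE_TOKENS = {"help", "helpdesk", "support", "schedule", "hr", "it"}
# Domains the organisations actually own (assumed); these and their subdomains are never flagged.
OWNED = {"twilio.com", "yahoo.com", "okta.com"}


def lookalike_reasons(domain: str) -> list[str]:
    """Return why a domain looks like a credential-phishing lookalike (empty if it does not).

    Accepts defanged input such as 'twilio-help[.]com'.
    """
    norm = domain.lower().replace("[.]", ".").rstrip(".")
    if norm in OWNED or any(norm.endswith("." + o) for o in OWNED):
        return []                                   # the real thing, or its subdomains
    parts = norm.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]   # registrable label, e.g. "twilio-help"
    subdomains = parts[:-2]                              # labels left of it
    tokens = [t for t in re.split(r"[-_]", label) if t]
    brands_hit = {b for b in BRANDS if any(b in t for t in tokens + subdomains)}
    if not brands_hit:
        return []
    reasons = ["brand:" + ",".join(sorted(brands_hit))]
    if any(t in IDP_TOKENS for t in tokens):
        reasons.append("idp-token")                 # "-okta", "-sso", "-vpn"
    if any(t in LURE_TOKENS for t in tokens):
        reasons.append("lure-token")                # "-help", "-schedule"
    if any(b in t and b != t for b in brands_hit for t in tokens):
        reasons.append("brand-embedded")            # "ouryahoo" rather than "yahoo"
    if any(b in s for b in brands_hit for s in subdomains):
        reasons.append("brand-in-subdomain")        # "okta.com.evil.example"
    return reasons


def triage(domains: list[str]) -> dict[str, list[str]]:
    """Map each flagged domain to its reasons; clean domains are dropped."""
    return {d: r for d in domains if (r := lookalike_reasons(d))}


if __name__ == "__main__":
    # The two domains named in the article, plus constructed controls.
    for dom, why in triage(["twilio-help[.]com", "ouryahoo-okta[.]com", "status.twilio.com",
                            "okta.com.evil.example", "example.com"]).items():
        print(f"{dom}: {', '.join(why)}")
```

The point of returning reasons rather than a boolean is that the combination matters when you are triaging a feed: a bare brand match is noisy, while brand plus an IdP token or a lure word in a domain registered this week is exactly the shape of the lures that hit Twilio and Okta customers, and is worth a takedown request or an internal block before the site has finished its one or two hours online.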

In August 2022, multiple security firms gained access to the server that was receiving data from that Telegram bot, which on several occasions leaked the Telegram ID and handle of its developer, who used the nickname “Joeleoli.”

The Telegram username “Joeleoli” can be seen sandwiched between data submitted by people who knew it was a phish, and data phished from actual victims.

That Joeleoli moniker registered on the cybercrime forum OGusers in 2018 with the email address joelebruh@gmail.com, which also was used to register accounts at several websites for a Joel Evans from North Carolina. Indeed, prosecutors say Joeleoli’s real name is Joel Martin Evans, and he is a 25-year-old from Jacksonville, North Carolina.

One of Scattered Spider’s first big victims in its 2022 SMS phishing spree was Twilio, a company that provides services for making and receiving text messages and phone calls. The group then used their access to Twilio to attack at least 163 of its customers. According to prosecutors, the group mainly sought to steal cryptocurrency from victim companies and their employees.

“The defendants allegedly preyed on unsuspecting victims in this phishing scheme and used their personal information as a gateway to steal millions in their cryptocurrency accounts,” said Akil Davis, the assistant director in charge of the FBI’s Los Angeles field office.

Many of the hacking group’s phishing domains were registered through the registrar NameCheap, and FBI investigators said records obtained from NameCheap showed the person who managed those phishing websites did so from an Internet address in Scotland. The feds then obtained records from Virgin Media, which showed the address was leased for several months to Tyler Buchanan, a 22-year-old from Dundee, Scotland.

A Scattered Spider phishing lure sent to Twilio employees.

As first reported here in June, Buchanan was arrested in Spain as he tried to board a flight bound for Italy. The Spanish police told local media that Buchanan, who allegedly went by the alias “Tylerb,” at one time possessed Bitcoins worth $27 million.

The government says much of Tylerb’s cryptocurrency wealth was the result of successful SIM-swapping attacks, wherein crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim — including one-time passcodes for authentication, or password reset links sent via SMS.

According to several SIM-swapping channels on Telegram where Tylerb was known to frequent, rival SIM-swappers hired thugs to invade his home in February 2023. Those accounts state that the intruders assaulted Tylerb’s mother in the home invasion, and that they threatened to burn him with a blowtorch if he didn’t give up the keys to his cryptocurrency wallets. Tylerb was reputed to have fled the United Kingdom after that assault.

A still frame from a video released by the Spanish national police, showing Tyler Buchanan being taken into custody at the airport.

Prosecutors allege Tylerb worked closely on SIM-swapping attacks with Noah Michael Urban, another alleged Scattered Spider member from Palm Coast, Fla. who went by the handles “Sosa,” “Elijah,” and “Kingbob.”

Sosa was known to be a top member of the broader cybercriminal community online known as “The Com,” wherein hackers boast loudly about high-profile exploits and hacks that almost invariably begin with social engineering — tricking people over the phone, email or SMS into giving away credentials that allow remote access to corporate networks.

In January 2024, KrebsOnSecurity broke the news that Urban had been arrested in Florida in connection with multiple SIM-swapping attacks. That story noted that Sosa’s alter ego Kingbob routinely targeted people in the recording industry to steal and share “grails,” a slang term used to describe unreleased music recordings from popular artists.

FBI investigators identified a fourth alleged member of the conspiracy – Ahmed Hossam Eldin Elbadawy, 23, of College Station, Texas — after he used a portion of cryptocurrency funds stolen from a victim company to pay for an account used to register phishing domains.

The indictment unsealed Wednesday alleges Elbadawy controlled a number of cryptocurrency accounts used to receive stolen funds, along with another Texas man — Evans Onyeaka Osiebo, 20, of Dallas.

Members of Scattered Spider are reputed to have been involved in a September 2023 ransomware attack against the MGM Resorts hotel chain that quickly brought multiple MGM casinos to a standstill. In September 2024, KrebsOnSecurity reported that a 17-year-old from the United Kingdom was arrested last year by U.K. police as part of an FBI investigation into the MGM hack.

Evans, Elbadawy, Osiebo and Urban were all charged with one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft. Buchanan, who is named as an indicted co-conspirator, was charged with conspiracy to commit wire fraud, conspiracy, wire fraud, and aggravated identity theft.

A Justice Department press release states that if convicted, each defendant would face a statutory maximum sentence of 20 years in federal prison for conspiracy to commit wire fraud, up to five years in federal prison for the conspiracy count, and a mandatory two-year consecutive prison sentence for aggravated identity theft. Buchanan would face up to 20 years in prison for the wire fraud count as well.

Further reading:

The redacted complaint against Buchanan (PDF)

Charges against Urban and the other defendants (PDF).




Both systemd 257 and GNU Shepherd 1.0 are out • The Register


Everyone’s favorite Linux component has hit a milestone, while a fresh contender comes of age – with a touch of Lisp.

In news that is sure to delight the Linux world, version 257 of systemd has arrived. Just a day before its release, a major new version of another Linux init system came out, GNU Shepherd version 1.0. They’re very different ways of doing the same basic task, and we’re happy to see more options in this particularly controversial role.

The last version of systemd, back in June, merited special attention from The Register – it received two separate articles. The first highlighted an impressively tone-deaf attempt at a joke, when the Fediverse announcement proclaimed that Version 256 of systemd boasts “42 percent less Unix philosophy.” A week later, a point-release followed: systemd 256.1: Now slightly less likely to delete /home.

To recap that fun little feature, if you run the systemd command to clear up temporary files, and you don’t get it exactly right, it totally wipes the entire tree of user home directories. The headline feature of version 257 indicates to us that the repercussions of that hilarious incident are still being felt:

In summary, the developers have made a backwards-incompatible change to the format of one of its config files, which they’re reluctant to do. The change in the file-format makes it less likely that unwary use of the command systemd-tmpfiles --purge will remove all data for all users on the computer. So that’s good.

The gist is that the systemd-tmpfiles tool was named so because originally it was designed to manage temporary files. Since then, it’s grown to do much more. It manages many kinds of files that are created and removed in normal operation of a Linux computer. Its config file, which is called tmpfiles.d (and that link will tell you everything you could ever want to know about what files it can manage) now has a new specifier:

In other words, you have to specifically mark lines that describe the files that the purge sub-command will remove. It’s a small enough change, but it means that if that config file doesn’t tell it to, the command systemd-tmpfiles --purge now will not delete everything in every folder created since the first user was added. So that’s good.

It is an absolutely minimal sort of fix, though. The fact is that the name systemd-tmpfiles is not remotely accurate any more. The tool no longer just manages temporary files. The developers could have made a deeper, more generally helpful change, such as renaming the command – but that would cause more breakage. (We suspect this probably is not a function that is used often or by many people, but that’s a separate consideration.) Whether this minimal config-file-format change, which does make things safer, is a better course of action than a more drastic, breaking one such as renaming a command is a judgement call.
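Whatever the file format says, the practical defence against the purge accident is to look at what the merged tmpfiles.d configuration actually covers before anyone types --purge. The following is an added example written for this page, not part of systemd or The Register's article: it parses the column layout of tmpfiles.d lines (Type, Path, Mode, User, Group, Age, Argument) and lists every entry that sits on a tree you would hate to lose. The merged configuration on a real system comes from the existing systemd-tmpfiles --cat-config option; the sample below is constructed for the example rather than copied from any system.

```python
"""Added pre-flight check (not systemd's own code): list tmpfiles.d entries that
sit under trees you care about before running `systemd-tmpfiles --purge`.
The sample configuration is constructed for this example."""
from __future__ import annotations

import shlex
import subprocess
from dataclasses import dataclass

# tmpfiles.d line layout: Type Path Mode User Group Age Argument
SAMPLE_CONFIG = """\
# /usr/lib/tmpfiles.d/home.conf  (constructed sample, not copied from a system)
Q /home 0755 - - -
q /srv 0755 - - -
v /var/lib/machines 0700 - - -
# /usr/lib/tmpfiles.d/tmp.conf
q /tmp 1777 root root 10d
q /var/tmp 1777 root root 30d
d "/run/user" 0755 root root -
"""


@dataclass(frozen=True)
class Entry:
    kind: str      # type column, e.g. "d", "D", "Q", "r", possibly with flag characters appended
    path: str
    age: str       # "-" when the line sets no age


def parse_tmpfiles(text: str) -> list[Entry]:
    """Parse tmpfiles.d lines; comments and blank lines are skipped."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # honours quoted paths containing spaces
        if len(fields) < 2:
            continue
        age = fields[5] if len(fields) > 5 else "-"
        entries.append(Entry(fields[0], fields[1], age))
    return entries


def entries_under(text: str,
                  prefixes: tuple[str, ...] = ("/home", "/srv", "/var/lib")) -> list[Entry]:
    """Entries whose path is one of the prefixes or lies beneath one of them."""
    def under(path: str) -> bool:
        return any(path == p or path.startswith(p + "/") for p in prefixes)
    return [e for e in parse_tmpfiles(text) if under(e.path)]


def live_config() -> str:
    """Merged configuration of the running system (needs systemd-tmpfiles on PATH)."""
    return subprocess.run(["systemd-tmpfiles", "--cat-config"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Swap SAMPLE_CONFIG for live_config() on a real machine.
    for e in entries_under(SAMPLE_CONFIG):
        print(f"{e.kind:3} {e.path}  (age={e.age})")
```

On the constructed sample the check surfaces /home, /srv and /var/lib/machines, which is exactly the set a purge would walk, while the genuinely temporary trees under /tmp and /run are ignored. Run it with live_config() before a purge and you get the same list for the machine in front of you, whichever version of the file format it is running.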

It’s fair to say that making the minimum possible form of change is a typical Unix sort of attitude. On the other hand, Apple’s macOS is still a certified UNIX™ and it’s made many far more sweeping changes than this – and yet it’s by far the most successful commercial Unix in history.

The other changes are mostly far underneath the covers, so to speak, and will likely be invisible to anyone who isn’t maintaining a Linux distribution. The tooling around the new Unified Kernel Image format is improved, cgroups version 1 and System V service scripts inch closer to being deprecated, it now understands volume button presses on mobile phones – showing how mainstream Linux is moving into more pockets – and it’s offloaded some old keyboard handling code to X.org. The feature that made us smile is that during shutdown, systemd hands responding to the classic “three finger salute” back to the kernel. So if systemd crashes during shutdown, with any luck Ctrl+Alt+Delete will still reboot your computer. That one sounds handy.

(The Reg FOSS desk’s top tip for rebooting balky systemd-controlled boxes is that if you press Ctrl+Alt+Del seven times within two seconds, it tells systemd to reboot immediately whatever is going on. Only try this if the machine’s not shutting down normally as it might do bad things if it’s not an emergency. It’s also worth remembering the REISUB keystroke exists too.)

Shepherding services for Guix

The other new init system in the news this week is from the GNU Project, and it’s called Shepherd. Shepherd itself isn’t new. In fact, development started in 2003, so it’s old enough to drink in the US. What is new is that the development team has released version 1.0. To go with this milestone in maturity, it also has a new logo and website.

The main distinctive thing about Shepherd is that it’s implemented in GNU Guile. Guile is the GNU implementation of the Scheme programming language, and it was intended to be the GNU Project’s standard extension language. Indeed, its original name was GEL, short for GNU Extension Language.

It is not a famous part of the story of the GNU project, but before Richard Stallman turned his hand to building a free Unix-like OS, he was a Lisp hacker, working on Lisp workstations, and he still retains his fondness for the language even now. That’s why a Lisp dialect is a core official GNU language.

Scheme is a smaller, simpler version of Lisp, originally designed for educational use. As we quoted when talking about the revival of Medley/Interlisp, there are three main branches of the Lisp family tree: the stripped-down Scheme; Emacs Lisp, which is the extension language of the 800 lb gorilla of text editors, Emacs; and the heavily standardized Common Lisp. As Steve Yegge memorably put it:

The slightly odd thing is that although it’s been around for 31 years, Guile still isn’t the basis of the GNU Project’s flagship app, the GNU Emacs text editor. Emacs’s long and tortuously complicated development history saw it move through five or six minicomputer OSes before the first rewrite for Unix by Java creator James Gosling. (The story has a twist you won’t see coming, and we recommend reading the section from about page 30, or watching Gosling’s 2019 interview from about the 2:52 mark.)

The lowest-level parts of GNU Emacs are implemented in C, but that C is used to implement Emacs Lisp, and nearly 70 percent of GNU Emacs is implemented in Emacs Lisp. You could almost say that the bulk of Emacs is implemented in Emacs. Moving it to Scheme would mean a total rewrite that would break an awful lot more user code than, say, renaming one systemd sub-command. There is an effort to do that total rewrite, the Guile-Emacs project, and it was relaunched this year.

Its use of GNU Guile makes Shepherd something of a flag-bearer for the Guile language and project. Additionally, Shepherd is the default init system of the GNU Guix distribution.

Guix is both a packaging tool and a distro built with that tool. Guix has closely comparable goals to Nix, and to the NixOS distro built with it. It aims to automate away manual package management. The key difference is that while Nix has its own, unique language for writing config files, Guix uses standard Guile Scheme, and so in theory it’s more accessible to more people. We say “in theory” because Nix itself is really pretty niche even in the Linux world, and we hear far more about Nix than Guix.

Shepherd defines services in a restricted subset of Scheme. That is probably enough to immediately either win over, or forever put off, many people. Scheme uses Lisp-style prefix notation (yes, with lots of parentheses), which tends to polarize techies. If you like Lisp and Lisp-based systems, you might enjoy Enzuru’s Lisp-centric Linux distro, which is still under construction.

We doubt that Shepherd is going to transform the Linux init system landscape, but it’s good to see one of the alternative init systems taking a step towards greater maturity. ®

Bootnote

If the rather obscure pun in our subheading isn’t clear, “Guix” is pronounced like geeks. So, no, Nix and Guix do not rhyme. They just look like they should.


