Happy 15th Anniversary, KrebsOnSecurity! – Krebs on Security


Image: Shutterstock, Dreamansions.

KrebsOnSecurity.com turns 15 years old today! Maybe it’s indelicate to celebrate the birthday of a cybercrime blog that mostly publishes bad news, but happily many of 2024’s most engrossing security stories were about bad things happening to bad guys. It’s also an occasion to note that despite my publishing fewer stories than ever this past year, we somehow managed to attract near record levels of readership (thank you!).

In case you missed any of them, here’s a recap of 2024’s most-read stories. In January, KrebsOnSecurity told the story of a Canadian man who was falsely charged with larceny and lost his job after becoming the victim of a complex e-commerce scam known as triangulation fraud. This can occur when you buy something online — from a seller on Amazon or eBay, for example — but the seller doesn’t actually own the item for sale. Instead, they purchase the item using stolen payment card data and your shipping address. In this scam, you receive what you ordered, and the only party left to dispute the transaction is the owner of the stolen payment card.

Triangulation fraud. Image: eBay Enterprise.

March featured several investigations into the history of various people-search data broker services. One story exposed how the Belarusian CEO of the privacy and data removal service OneRep had actually founded dozens of people-search services, including many that OneRep was offering to remove people from for a fee. That story quickly prompted Mozilla to terminate its partnership with OneRep, which Mozilla had bundled as a privacy option for Firefox users.

A story digging into the consumer data broker Radaris found its CEO was a fabricated identity, and that the company’s founders were Russian brothers in Massachusetts who operated multiple Russian language dating services and affiliate programs, in addition to a dizzying array of people-search websites.

Radaris repeatedly threatened to sue KrebsOnSecurity unless that publication was retracted in full, alleging that it was replete with errors both factual and malicious. Instead, we doubled down and published all of the supporting evidence that wasn’t included in the original story, leaving little room for doubt about its conclusions. Fittingly, Radaris now pimps OneRep as a service when consumers request that their personal information be removed from the data broker’s website.

Easily the longest story this year was an investigation into Stark Industries Solutions, a large, mysterious new Internet hosting firm that materialized when Russia invaded Ukraine. That piece revealed how Stark was being used as a global proxy network to conceal the true source of cyberattacks and disinformation campaigns against enemies of Russia.

The homepage of Stark Industries Solutions.

Much of my summer was spent reporting a story about how advertising and marketing firms have created a global free-for-all where anyone can track the daily movements and associations of hundreds of millions of mobile devices, thanks to the ubiquity of mobile location data that is broadly and cheaply available.

Research published in September explored the dark nexus between harm groups and cybercrime communities consumed with perpetrating financial fraud. That analysis found an increasing number of young, Western cybercriminals are also members of fast-growing online groups that exist solely to bully, stalk, harass and extort vulnerable teens into physically harming themselves and others.

One focus of that story was a Canadian cybercriminal who used the nickname Judische. Identified by Mandiant as one of the most consequential threat actors of 2024, Judische was responsible for a hacking rampage that exposed private information on hundreds of millions of Americans. That story withheld Judische’s real name, but the reporting came in handy in late October when a 25-year-old Canadian man named Connor Riley Moucka was arrested and charged with 20 criminal counts connected to the Snowflake data extortions.

A surveillance photo of Connor Riley Moucka, a.k.a. “Judische” and “Waifu,” dated Oct 21, 2024, 9 days before Moucka’s arrest. This image was included in an affidavit filed by an investigator with the Royal Canadian Mounted Police (RCMP).

In November, KrebsOnSecurity published a profile of Judische’s accomplice — a hacker known as Kiberphant0m — detailing how Kiberphant0m had left a trail of clues strongly suggesting that they are or recently were a U.S. Army soldier stationed in South Korea.

My reporting in December was mainly split between two investigations. The first profiled Cryptomus, a dodgy cryptocurrency exchange allegedly based in Canada that has become a major payment processor and sanctions evasion platform for dozens of Russian exchanges and cybercrime services online.

How to Lose a Fortune with Just One Bad Click told the sad tales of two cryptocurrency heist victims who were scammed out of six and seven figures after falling for complex social engineering schemes over the phone. In these attacks, the phishers abused at least four different Google services to trick targets into believing they were speaking with a Google representative, and into giving thieves control over their account with a single click. Look for a story here in early 2025 that will explore the internal operations of these ruthless and ephemeral voice phishing gangs.

Before signing off for 2024, allow me to remind readers that the reporting we’re able to provide here is made possible primarily by the ads you may see at the top of this website. If you currently don’t see any ads when you load this website, please consider enabling an exception in your ad blocker for KrebsOnSecurity.com. There is zero third-party content on this website, apart from the occasional YouTube video embedded as part of a story. More importantly, all of our ads are static images or GIFs that are vetted by me and served in-house directly.

Fundamentally, my work is supported and improved by your readership, tips, encouragement and, yes, criticism. So thank you for that, and keep it coming, please.

Here’s to a happy, healthy, wealthy and wary 2025. Hope to see you all again in the New Year!


LLMs could soon supercharge supply-chain attacks • The Register


Interview Now that criminals have realized there’s no need to train their own LLMs for any nefarious purposes – it’s much cheaper and easier to steal credentials and then jailbreak existing ones – the threat of a large-scale supply chain attack using generative AI becomes more real.

No, we’re not talking about a fully AI-generated attack from the initial access to the business operations shutdown. Technologically, the criminals aren’t there yet. But one thing LLMs are getting very good at is assisting in social engineering campaigns. 

And this is why Crystal Morin, former intelligence analyst for the US Air Force and cybersecurity strategist at Sysdig, anticipates seeing highly successful supply chain attacks in 2025 that originated with an LLM-generated spear phish. 

When it comes to using LLMs, “threat actors are learning and understanding and gaining the lay of the land just the same as we are,” Morin told The Register. “We’re in a footrace right now. It’s machine against machine.”

Sysdig, along with other researchers, in 2024 documented an uptick in criminals using stolen cloud credentials to access LLMs. In May, the container security firm documented attackers targeting Anthropic’s Claude LLM.

While they could have exploited this access to extract LLM training data, their primary goal in this type of attack appeared to be selling access to other criminals. This left the cloud account owner footing the bill — at the hefty price of $46,000 per day related to LLM consumption costs.

Digging deeper, the researchers discovered that the broader script used in the attack could check credentials for 10 different AI services: AI21 Labs, Anthropic, AWS Bedrock, Azure, ElevenLabs, MakerSuite, Mistral, OpenAI, OpenRouter, and GCP Vertex AI.


Later in the year, Sysdig spotted attackers attempting to use stolen credentials to enable LLMs. 

The threat research team calls any attempt to illegally obtain access to a model “LLMjacking,” and in September reported that these types of attacks were “on the rise, with a 10x increase in LLM requests during the month of July and 2x the amount of unique IP addresses engaging in these attacks over the first half of 2024.”

This costs victims a significant amount of money: according to Sysdig, the bill can run to more than $100,000 per day when the victim org is using newer models like Claude 3 Opus.

Plus, victims are forced to pay for people and technology to stop these attacks. There’s also a risk of enterprise LLMs being weaponized, leading to further potential costs.

2025: The year of LLM phishing?

In 2025, “the greatest concern is with spear phishing and social engineering,” Morin said. “There’s endless ways to get access to an LLM, and they can use this GenAI to craft unique, tailored messages to the individuals that they’re targeting based on who your employer is, your shopping preferences, the bank that you use, the region that you live in, restaurants and things like that in the area.”

In addition to helping attackers overcome language barriers, this can make messages sent via email or social media messaging apps appear even more convincing because they are expressly crafted for the individual victims. 

“They’re going to send you a message from this restaurant that’s right down the street, or popular in your town, hoping that you’ll click on it,” Morin added. “So that will enable their success quite a bit. That’s how a lot of successful breaches happen. It’s just the person-on-person initial access.”

She pointed to the Change Healthcare ransomware attack – for which, we should make very clear, there is no evidence suggesting it was assisted by an LLM – as an example of one of 2024’s hugely damaging breaches. 

In this case, a ransomware crew locked up Change Healthcare’s systems, disrupting thousands of pharmacies and hospitals across the US and accessing private data belonging to around 100 million people. It took the healthcare payments giant nine months to restore its clearinghouse services following the attack.


“Going back to spear phishing: imagine an employee of Change Healthcare receiving an email and clicking on a link,” Morin said. “Now the attacker has access to their credentials, or access to that environment, and the attacker can get in and move laterally.”

When and if we see this type of GenAI assist, “it will be a very small, simple portion of the attack chain with potentially massive impact,” she added.

While startups and existing companies are releasing security tools that also use AI to detect and prevent email phishes, there are some really simple steps that everyone can take to avoid falling for any type of phishing attempt. “Just be careful what you click,” Morin advised.

Think before you click

Also: pay close attention to the email sender. “It doesn’t matter how good the body of the email might be. Did you look at the email address and it’s some crazy string of characters or some weird address like name@gmail but it says it’s coming from Verizon? That doesn’t make sense,” she added. 

LLMs can also help criminals craft a domain with different alphanumerics based on legitimate, well-known company names, and they can use various prompts to make the sender look more believable. 

Even voice-call phishing will likely become harder to distinguish because of AI used for voice cloning, Morin believes.

“I get, like, five spam calls a day from all over the country and I just ignore them because my phone tells me it’s spam,” she noted.

“But they use voice cloning now, too,” Morin continued. “And most of the time when people answer your phone, especially if you’re driving or something, you’re not actively listening, or you’re multitasking, and you might not catch that this is a voice clone – especially if it sounds like someone that’s familiar, or what they’re saying is believable, and they really do sound like they’re from your bank.”

We saw a preview of this during the run-up to the 2024 US presidential election, when AI-generated robocalls impersonating President Biden urged voters in one state not to participate in its presidential primary election.

Since then, the FTC issued a $25,000 reward to solicit ideas on the best ways to combat AI voice cloning and the FCC declared AI-generated robocalls to be illegal.

Morin doesn’t expect this to be a deterrent to criminals. 

“If there’s a will, there’s a way,” she opined. “If it costs money, then they’ll figure out a way to get it for free.” ®


Ukrainian sentenced to five years in jail for work on Raccoon Stealer


Ukrainian national Mark Sokolovsky was sentenced Wednesday to five years in federal prison for his role in operating Raccoon Infostealer malware, which infiltrated millions of computers worldwide to steal personal data.

According to court documents, Sokolovsky, 28, was integral to operations that allowed the leasing of Raccoon Infostealer for $200 per month, payable via cryptocurrency. Users predominantly deployed this malware through phishing schemes to extract data from unsuspecting victims. The stolen data included log-in credentials, financial information, and other personal records, often used for financial crimes or sold on cybercrime forums.

Raccoon Infostealer, a potent tool in the cybercriminal arsenal, was dismantled by international law enforcement, alongside Sokolovsky’s arrest, in March 2022. In October 2022, a grand jury indicted Sokolovsky — also known as “Photix,” “raccoonstealer,” and “black21jack77777” — for charges including conspiracy to commit fraud, money laundering, and aggravated identity theft. He was extradited from the Netherlands to the U.S. in February.

Mark Sokolovsky was sentenced Wednesday to five years in federal prison. (Department of Justice)

In a plea deal reached in October, Sokolovsky agreed to forfeit $23,975 and pay restitution of at least $910,844.61. His actions were linked to compromising over 52 million user credentials, which facilitated fraud, identity theft, and ransomware attacks affecting victims worldwide.

U.S. Attorney Jaime Esparza for the Western District of Texas described Sokolovsky as a pivotal figure in an international conspiracy that enabled amateurs to commit significant cybercrimes. He praised the teamwork of international law enforcement in capturing Sokolovsky and promised to keep working hard to fight cybercrime.

The Raccoon Infostealer had reportedly claimed to cease operations in March 2022 following the death of a developer in the Russian invasion of Ukraine. However, reports suggested a resurgence of the malware by June 2022. 

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.


Quantum Computing Advances in 2024 Put Security In Spotlight


The quest to create a useful quantum computer reached a significant milestone at the end of 2024 with Google’s announcement of its Willow chip. The chip promises reduced noise and fewer errors as the number of qubits grows — a necessary step to advance toward advanced quantum computing. Despite some debate on when these systems will actually become available, experts still advise making plans and migrating to post-quantum technologies.

The shift from today’s technology, where adding more qubits adds more noise, to a future where increasing the number of qubits exponentially reduces the amount of noise — an achievement known as “threshold scalability” — conquers a major impediment to quantum computers. Creating a 1,000-qubit quantum computer requires foundational advancements beyond today’s noisy intermediate-scale quantum (NISQ) computers to create reliable logical qubits that can be used in easily scaled architectures.

The Google announcement marks “a significant leap forward,” says Karl Holmqvist, founder and CEO at Lastwall, an identity services provider focused on quantum resilience.

“Companies should be starting to get concerned about a usable quantum computer now,” Holmqvist says. “This is not because there is proof of a cryptographically relevant quantum computer yet. It is because there are active campaigns that are currently taking place to capture encrypted data and store it until there is a system that can break our asymmetric encryption.”


The threat posed by quantum computers seems to be becoming more real every day. In addition to Google’s Willow chip announcement, Microsoft announced in November that it had reached a 24-qubit milestone with Atom Computing using lasers, while Japanese researchers from the Riken Quantum Computer Research Center announced a “general-purpose” optical quantum computer.

The future implications could be dire. The Hudson Institute, a free-market think tank, warns that quantum computers pose a systemic cyber-risk to financial systems; it published two papers describing risks of disruption to the US financial system and cryptocurrencies.

Less Than a Decade Away?

Quantum computing is one of those technologies that many have perennially predicted is only a decade away. Currently, the median estimate among experts is that within 15 years, a quantum computer will be able to break RSA-2048 in 24 hours, according to the “Quantum Threat Timeline Report 2024.”

GRI quantum computing survey

While many experts see the possibility of a useful quantum computer in less than a decade — based on three key areas: hardware progression, error correction, and algorithm development — useful quantum computers still have a long way to go before they become possible. For example, while Google’s work on Willow is a major step toward making error correction — mainly a theoretical field before this decade — more achievable in larger quantum computing chips, achieving this step is just the second milestone out of six listed on its quantum computer road map.


In addition, gauging the risk is difficult, with terms such as “threshold scalability” and “quantum supercomputers” muddying the waters, says Rebecca Krauthamer, co-founder and CEO of QuSecure.

“There’s so much complicated vocabulary when it comes to quantum, the thing that people need to look out for is when they start seeing quantum computers beginning to solve problems that they recognize,” Krauthamer says. “So whether it’s improved battery technology, or route optimization for self-driving cars, or optimized portfolio management, or breaking encryption — that’s the time everybody should have already migrated to post-quantum technologies, and not just post-quantum but crypto-agile management of cryptography.”

Yet the lack of significant benefits for the private sector could put a damper on development. The Boston Consulting Group, for example, points out that quantum computing programs have had difficulty converting effort into value.

“Quantum computing today provides no tangible advantage over classical computing in either commercial or scientific applications,” BCG stated in a July analysis. “Though experts agree that there are clear scientific and commercial problems for which quantum solutions will one day far surpass the classical alternative, the newer technology has yet to demonstrate this advantage at scale.”

Experts Still Urge Preparation

In addition, the point at which nation-states could use quantum computers to break encryption could be sooner, increasing the risk for some industries. Quantinuum, for example, accelerated its road map for fully fault-tolerant quantum computing to 2030 and warns that quantum secure solutions will likely be necessary before 2035.

“Given where we stand today, the need to complete migration to PQC [post-quantum cryptography] to effectively protect sensitive data needs to be prioritized,” says Duncan Jones, head of cybersecurity for Quantinuum.

Quantinuum expects incremental advances in the next few years. That includes improvements in error correction and qubit scaling, continued research into applications such as quantum decryption, and, as a result, greater adoption of PQC technologies, such as post-quantum encryption, quantum key distribution, and quantum random number generation (QRNG), says the company’s Jones.

“Organizations implementing quantum-safe strategies today should focus on PQC migration while ensuring their cryptographic foundations are as strong as possible through the use of QRNGs,” he says. “This approach provides immediate security benefits while preparing for future quantum-safe technologies.”

Google acknowledges that while its error correction breakthrough is significant, there is a difference between theory and practice.

“We still have a long way to go before we reach our goal of building a large-scale, fault-tolerant quantum computer,” two members of the Google Quantum AI team stated in a blog post. “The engineering challenge ahead of us is immense.”


Hackers steal ZAGG customers’ credit cards in third-party breach


ZAGG Inc. is informing customers that their credit card data has been exposed to unauthorized individuals after hackers compromised a third-party application provided by the company’s e-commerce provider, BigCommerce.

ZAGG is a consumer electronics accessories maker known for its mobile accessories, such as screen protectors, phone cases, keyboards, and power banks. The Utah-based company has an annual revenue of $600 million.

According to the letter sent to impacted individuals, the attacker breached the FreshClicks app provided by BigCommerce and injected malicious code that stole shoppers’ card details.

“We learned that an unknown actor injected into the FreshClick app malicious code that was designed to scrape credit card data entered as part of the checkout process for certain ZAGG.com customer transactions between October 26, 2024 and November 7, 2024.” – ZAGG

BigCommerce is an Austin-based software-as-a-service (SaaS) e-commerce platform provider that serves a diverse range of businesses, from small enterprises to large corporations, across various industries and regions.

FreshClick is a third-party app that helps create applications and responsive websites for the BigCommerce platform. It is designed to enhance the functionality of electronic stores and improve customer experience.

Although FreshClick isn’t developed directly by BigCommerce, it is offered through the platform’s app marketplace, which is a curated space for merchants to find and install add-ons for their shops.

In a statement for BleepingComputer, BigCommerce emphasized that its systems were not breached or compromised. Using internal tools, BigCommerce discovered that the FreshClicks App had been hacked and uninstalled it from its customers’ stores.

“Using our internal tools and in communication with the partner, we verified the third-party FreshClicks App was compromised. Acting in the best interest of our customers and their shoppers, we immediately uninstalled the app in their stores, which removed any compromised APIs and malicious code” – BigCommerce

As a result of this data breach, the attacker stole names, addresses, and payment card data belonging to shoppers at zagg.com between October 26 and November 7, 2024.

In response to this incident, ZAGG implemented remediation measures, notified federal law enforcement and regulators, and arranged for impacted individuals to receive a free-of-charge, 12-month credit monitoring service through Experian.

Letter recipients were also advised to monitor financial account activity closely, place fraud alerts, and consider placing a credit freeze.

ZAGG has not disclosed yet how many customers were impacted by this security breach.

BigCommerce’s store currently lists six add-ons created by FreshClick, which collectively have 178 reviews. However, the compromised plugin may have been temporarily removed.


Over 80% of Targets Found in Russia


Dec 27, 2024 | Ravie Lakshmanan | Cyber Attack / Data Theft

VBCloud Malware

The threat actor known as Cloud Atlas has been observed using a previously undocumented malware called VBCloud as part of its cyber attack campaigns targeting “several dozen users” in 2024.

“Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code,” Kaspersky researcher Oleg Kupreev said in an analysis published this week.

More than 80% of the targets were located in Russia. A lesser number of victims have been reported from Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.

Also referred to as Clean Ursa, Inception, Oxygen, and Red October, Cloud Atlas is an unattributed threat activity cluster that has been active since 2014. In December 2022, the group was linked to cyber attacks aimed at Russia, Belarus, and Transnistria that deployed a PowerShell-based backdoor called PowerShower.


Then exactly a year later, Russian cybersecurity company F.A.C.C.T. revealed that various entities in the country were targeted by spear-phishing attacks that exploited an old Microsoft Office Equation Editor flaw (CVE-2017-11882) to drop a Visual Basic Script (VBS) payload responsible for downloading an unknown next-stage VBS malware.

Kaspersky’s latest report reveals that these components are part of what it calls VBShower, which is then used to download and install PowerShower as well as VBCloud.

The starting point of the attack chain is a phishing email that contains a booby-trapped Microsoft Office document that, when opened, downloads a malicious template formatted as an RTF file from a remote server. It then abuses CVE-2018-0802, another flaw in the Equation Editor, to fetch and run an HTML Application (HTA) file hosted on the same server.

“The exploit downloads the HTA file via the RTF template and runs it,” Kupreev said. “It leverages the alternate data streams (NTFS ADS) feature to extract and create several files at %APPDATA%\Roaming\Microsoft\Windows\. These files make up the VBShower backdoor.”

This includes a launcher, which acts as a loader by extracting and running the backdoor module in memory. The other VB Script is a cleaner that takes care of erasing the contents of all files inside the “\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\” folder, in addition to those within itself and the launcher, thereby covering up evidence of the malicious activity.

The VBShower backdoor is designed to retrieve more VBS payloads from the command-and-control (C2) server. These payloads come with capabilities to reboot the system; gather information about files in various folders, names of running processes, and scheduler tasks; and install PowerShower and VBCloud.

PowerShower is analogous to VBShower in functionality, the chief difference being that it downloads and executes next-stage PowerShell scripts from the C2 server. It’s also equipped to serve as a downloader for ZIP archive files.

As many as seven PowerShell payloads have been observed by Kaspersky. Each of them carries out a distinct task as follows –

  • Get a list of local groups and their members on remote computers via Active Directory Service Interfaces (ADSI)
  • Conduct dictionary attacks on user accounts
  • Unpack the ZIP archive downloaded by PowerShower and execute a PowerShell script contained within it in order to carry out a Kerberoasting attack, which is a post-exploitation technique for obtaining credentials for Active Directory accounts
  • Get a list of administrator groups
  • Get a list of domain controllers
  • Get information about files inside the ProgramData folder
  • Get the account policy and password policy settings on the local computer

VBCloud also functions a lot like VBShower, but utilizes a public cloud storage service for C2 communications. It gets triggered by a scheduled task every time a victim user logs into the system.

The malware is equipped to harvest information about disks (drive letter, drive type, media type, size, and free space), system metadata, files and documents matching extensions DOC, DOCX, XLS, XLSX, PDF, TXT, RTF, and RAR, and files related to the Telegram messaging app.

“PowerShower probes the local network and facilitates further infiltration, while VBCloud collects information about the system and steals files,” Kupreev said. “The infection chain consists of several stages and ultimately aims to steal data from victims’ devices.”


How LockBit and ALPHV’s takedowns fueled RansomHub’s rise • The Register


RansomHub, the ransomware collective that emerged earlier this year, quickly gained momentum, outpacing its criminal colleagues and hitting its victims especially hard. The group named and shamed hundreds of organizations on its leak site, while demanding exorbitant payments across various industries.

The group, a suspected Knight rebrand, first appeared in February and quickly picked up out-of-work affiliates from LockBit following that crew’s law enforcement takedown around the same time. RansomHub also eagerly filled the void left by ALPHV/BlackCat after that group’s widely reported exit scam in March – bragging about recruiting affiliates from both defunct groups via TOX and cyber crime forums.

By August, just six months after setting up shop, RansomHub had claimed 210 victims and drawn the attention of the FBI, CISA, and other government agencies gunning for cyber criminals. Its victims allegedly include auction house Christie’s, Frontier Communications, US pharmacy chain Rite Aid, Planned Parenthood, and Delaware public libraries, among many others.

Its brand of malware has since become the encryptor of choice for Scattered Spider and other sophisticated criminals, and the gang posted a record-high 98 victims on its leak site in November. 

But, as other prolific digital thieves – including Scattered Spider – have learned, a string of high-profile attacks paints a very large target on the group and its affiliates. While it’s much more difficult to apprehend ransomware crooks who are given safe harbor by Russian prosecutors, even cyber criminals take holidays – and sometimes, the cops are waiting to make arrests during those moments.

‘Most active and significant’ ransomware threat

“I don’t want to put RansomHub up on a pedestal. They are an opportunistic group,” Michael McPherson, SVP of Security Operations at ReliaQuest, told The Register. “But they were smart to make this landgrab when they did. It will be interesting to see how long they can keep this run going.”

During its brief tenure, the Russia-linked group has made a name for itself as “the current most active and significant threat in ransomware activity,” according to an October 30 report from ReliaQuest, which called the gang the most dominant ransomware group during the third quarter of 2024.

“It’s an interesting group that did have a meteoric rise and almost seems to come out of nowhere,” conceded McPherson, a former FBI special agent. “There was an obvious effort for RansomHub to gain affiliates. They’re very, I would say, generous in their model and advertising a 90–10 split.”

This means the affiliates who pull off the attack may keep 90 percent of the extortion payment while the ransomware operators receive 10 percent. An 80–20 or 70–30 split is more common among these crime crews, so the higher payout makes it easier for the new kids on the block to attract more workers.


“These affiliates will go where the money is, and if somebody pays more, it would be silly not to go there,” McPherson opined, adding that this business model “would feed RansomHub’s ability to go out and hit so many victims at once by having a large affiliate base.”

Additionally, RansomHub’s operators on their dark web sites like to tout transparency with their affiliates – likely an effort to build trust with fellow criminals, following ALPHV’s alleged exit scam.

“There’s marketing involved,” McPherson observed. “They are reaching out to affiliates, trying to be more of a partner with them. They’re trying to evolve and take advantage of the cyber criminal landscape to grab market share. That’s what they want.”

Crew ‘moved fast and filled a void’

Still, the group’s tactics are not unique, he noted. RansomHub runs repurposed Knight code and relies on double extortion, the model most ransomware gangs use today.

In a double-extortion attack the crew first breaks into the victim’s network and exfiltrates valuable files, then encrypts the data on the network, and finally demands a large payment under threat of publishing the stolen files on its dark web leak site.

“Their actual tactics are not unique, but their ability to move fast and fill a void is what makes them so noteworthy at this moment in time,” McPherson told us. “Or maybe they’re just trying to run as hard and fast as they can, because they know they’re protected where they are.”

ZeroFox analysts have also tracked RansomHub’s rise this year, and reported the group accounted for about 2 percent of all attacks in Q1, 5.1 percent in Q2, 14.2 percent in Q3, and about 20 percent in Q4.


“The greatest threat in early 2025 will very likely emanate from RansomHub,” the security firm declared in a December 12 report that also called RansomHub “the most prominent R&DE [ransomware and data exfiltration] outfit” of 2024.

“RansomHub’s attack tempo has been on a consistent upward trajectory, accounting for approximately 20 percent of all R&DE incidents in Q4 2024,” according to the report. 

“While it is almost certain that this will plateau, there is a likely chance that the collective will continue to attract experienced affiliates and remain the most dangerous R&DE threat,” it noted.

“The way they’re conducting business, and the pace at which they’re exposing and publishing victims, is quite common with new ransomware groups,” ZeroFox VP of Intelligence Adam Darrah told The Register. “It is likely RansomHub is made up of individuals affiliated with other now-defunct or waning-in-their-influence ransomware collectives. It is not uncommon for a newer shakedown mafia to come in and to make a splash.”

The US presidential election this year also likely added to the increased attacks, added Darrah, a former CIA political analyst. 

“In the run up to a major US election, they [were] taking advantage of a community of defenders, both inside and outside the government, who are already on edge about cyber-based attacks,” he said. “Ransomware groups that have any kind of official or unofficial affiliation with a nation-state intelligence service know that publishing such a high number of victims at an increased pace, at such an alarming rate, takes away time, attention, and resources from other defensive operations.”

It’s important to note that the number of listed victims doesn’t directly equate to attacks. Victims that pay the ransom demand – or come to some sort of agreement with the criminals – may not ever see their org’s names on the criminals’ leak sites.

“When they get on a radar this quickly, that also catches the attention of very capable good guys around the world,” Darrah said. “So there’s a reason the life cycle of some of these groups is not long.”

ZeroFox’s report warns that other ransomware gangs such as Meow, Play Ransomware, and Hunters International are “very likely” to emerge as serious threats in early 2025. While it’s unknown how long RansomHub can keep up its run, one thing is clear: there’s no shortage of collectives waiting to take its place at the top of the charts.




Feds lay blame while Chinese telecom attack continues


The United States’ telecommunications infrastructure has been infiltrated by actors affiliated with China. Some of our nation’s most powerful leaders have been targeted — including President-elect Donald Trump and Vice President-elect JD Vance. This is one of the most severe cybersecurity incidents against telecom the United States has ever been subject to, and — worse yet — it is ongoing. 

The actors, commonly tracked as Salt Typhoon, have gained access to at least eight of our nation’s largest communications companies. In fact, federal officials say that no networks have fully removed the threat and that individuals should rely on encrypted messaging platforms in the meantime.

Given the national security implications, one would assume that our government is rushing to secure communications and make sure something like this can’t happen again. Instead, the current administration’s response is to call for regulation and point out industry failures. For example, the Federal Communications Commission has proposed new requirements on carriers, such as expanded legal obligations, and the White House has also amplified this, saying that voluntary measures have proven inadequate. This follows similar calls for regulatory requirements and liability on industry over the past four years.

This is not the time for new regulations, and rushing to implement them would be a massive misstep. There is no shortage of existing federal agencies or authorities pertaining to cybersecurity. Instead, security teams face overlapping and even contradictory security requirements and standards. This places compliance burdens on security practitioners. For example, there have been instances where their time and resources were diverted to responding to government inquiries instead of defending networks.

During a Dec. 11 Senate Commerce Committee hearing, Sen. Ted Cruz, R-Texas, urged federal leaders not to rush new regulations and instead see how they can assist telecom companies in a time of need. That is precisely right. The first priority must be to fully understand how China gained access, what and who is impacted, short- and long-term remedies, and ultimately ensuring this does not happen again.

This is not to say there is no room for security standards and baselines. But what is currently in place should be assessed to determine if there is a way to harmonize our system. This would help security teams ultimately keep their focus on security, help cut down on critical resources being diverted elsewhere, and provide flexibility to decide what is best for their specific company. Rushing new regulations will simply exacerbate the problem and create an ever more complex patchwork of laws. Given Trump’s calls for deregulation and the creation of a Department of Government Efficiency, this is a perfect time to tackle cybersecurity.

Moving forward, there are several realities to account for.

First, no critical infrastructure sector is immune to threats like Salt Typhoon. Nation-state actors, especially China, are constantly getting more sophisticated and looking for new, easy targets. If our largest telecommunications companies faced an incident of this magnitude, then smaller critical infrastructure operators like a local water provider or hospital are certainly at risk, as are operators across all sectors, from health care to energy. This will require a continued effort to better secure critical infrastructure and more work to deter China in the first place.

Second, the federal government has a key role in supporting critical infrastructure. It is unrealistic to think critical infrastructure can defend itself alone against a nation-state actor. The federal government needs to help make the lives of critical infrastructure security teams easier and bolster the resources available to them. With Salt Typhoon in particular, the government should look internally at its own response and at how it could have been improved rather than blaming industry.

Third, we cannot neglect our technology. It is not uncommon to see outdated products embedded in our critical infrastructure or even continued use of products made by foreign adversaries. These weak spots carry cybersecurity challenges, along with national security and privacy concerns. The cost of replacing and updating technology is not trivial, and local and state restrictions make things more difficult. It is ultimately important to modernize our technology over time to best defend against advanced actors.

One thing is for certain: China and other foreign adversaries will continue to try to compromise our critical infrastructure systems and exploit our data. This makes it imperative that government and industry are truly in sync rather than pointing fingers or seeking to add new burdens in a crisis.

Brandon Pugh is the director of the R Street Institute’s cybersecurity and emerging threats team and serves as a cyber law professor in the military. Brian Harrell is a former assistant secretary for infrastructure protection at the U.S. Department of Homeland Security.

Written by Brandon Pugh and Brian Harrell




Defining & Defying Cybersecurity Staff Burnout


“A quarter of cybersecurity leaders want to quit,” hollered the headline of a study sponsored by global cybersecurity company BlackFog. While that is suggestive of stress or morale problems at the higher levels of security teams, the more alarming numbers came later in the press release, below the graphic: 45% of security leaders have used drugs or alcohol to relieve work pressure in the past year, and 69% have “withdrawn from social activities.”

That’s starting to sound more like burnout than stress.

The reason it’s important to distinguish the cause of self-destructive behavior at work is that short-term stress and burnout have different treatments and timelines. According to a journal article by Arno van Dam, 80% of people suffering short-term stress are back at work in six to 12 weeks. Burnout patients, however, take more than a year to recover; one quarter to one half of patients still haven’t recovered after two to four years.

What Is Cybersecurity Burnout?

To discern burnout, it’s helpful to have a standard definition. While the US list of maladies, Diagnostic and Statistical Manual of Mental Disorders (aka the DSM), still doesn’t include work-related burnout as a diagnosis as of version 5, the World Health Organization (WHO) sees it differently. The WHO’s alternative resource, International Statistical Classification of Diseases and Related Health Problems (aka the ICD), has a code for burnout — QD85 — and defined it in the context of work/unemployment problems:


“Burnout is a syndrome conceptualized as resulting from chronic workplace stress that has not been successfully managed. It is characterized by three dimensions: 1) feelings of energy depletion or exhaustion; 2) increased mental distance from one’s job, or feelings of negativism or cynicism related to one’s job; and 3) a sense of ineffectiveness and lack of accomplishment.”

According to the van Dam article, burnout happens when an employee buries their experience of chronic stress for years. The people who burn out are often formerly great performers, perfectionists who exhibit perseverance. But if the person perseveres in a situation where they don’t have control, they can experience the kind of morale-killing stress that, left unaddressed for months and years, leads to burnout. In such cases, “perseverance is not adaptive anymore and individuals should shift to other coping strategies like asking for social support and reflecting on one’s situation and feelings,” the article read.

“I wrestle with burnout pretty regularly, escalated thanks to neurodivergence,” says Ian Campbell, senior security operations engineer at DomainTools. Burnout is also a condition familiar to the neurodivergent, especially autistic people. Autistic burnout, a term used mostly by that community, entails chronic exhaustion, losing the use of skills, and a lowered tolerance for stimuli. The role it might play in the better-known work burnout is unknown, but the similarity of symptoms is interesting.


Campbell sees the interplay from the inside. “Autism, depression, and anxiety are a wickedly effective combination in encouraging burnout. Hyperfocus can lead to working far too much and ignoring work/life balance,” he says. “Depression and anxiety are self-perpetuating, exquisitely engineered to set up feedback cycles hard to break away from, and that can be doubly toxic around work — the depression saying things won’t get better, the anxiety pressing you to work longer, harder, be more useful and less expendable.”

Bryan Kissinger, chief information security officer (CISO) and senior VP at Trace3, adds, “People also need to have the courage to say to their managers or coworkers, ‘Hey, I need a break.'”

Handling Staff Burnout on Security Teams

“Sometimes it’s very challenging” to tell when someone’s burning out, Kissinger says. He tells the story of one employee who kept their stress to themselves until it was almost too late: “They were ready to leave because they were burning out, and I said, ‘This is the first I’ve heard about it. Can we bring on some contractors to help us moderate the workload?'”


When asked how he helps his staff fend off burnout, Kissinger describes a hands-on approach. “I audit their day. A lot of people either tend to get roped into things … or volunteer for things,” he says. “What are the one or two things that need to be done today, and what can be done Monday or later next week?”

Jill Knesek, CISO at BlackLine, has a team of about 30 people, and has a quarterly one-on-one with each of them. “I offer more if they want more, and if you want to do monthly or every six weeks, then please do,” she says. “I just try to take the time with each person on the team to make them feel important and empowered. And I know that there’s opportunities for them, even if it’s not maybe what they’re doing today.”

If a person’s team is not supportive of work/life balance, that can exacerbate the issue.

Knesek says, “I want to make sure they know that I know what they’re doing and I care about what they’re doing and I can help guide them. So they feel important, and they feel like the really important things get noticed by leadership.”

How Cyber Staff Handles Work Pressure

“Taking all my holiday was a big help,” says Terence Eden, who moved from civil service to start his own consultancy, Open Ideas, which affords him much more control over his schedule and work/life balance. “And doing it in big chunks, not just a day or two, allowed me to reset.”

Resetting from the buildup of stress is an important part of disrupting the path to burnout, as Knesek knows well. She says, “I encourage my team all the time to make sure their work-life balance is always good. Recharging your batteries is really important, and I am an important representative of that, right? So if I don’t do it and everybody says, ‘Well, Jill never takes [paid time off] but she tells us to do it. But does she really mean that? Because she’s not taking it.'”

Employees sometimes scoff at the wellness programs companies put out as an attempt to keep people healthy. “Most ‘corporate’ solutions — use this app! attend this webinar! — felt juvenile and unhelpful,” Eden says. And it does seem like many solutions fall into the same quick-fix category as home improvement hacks or dump dinner recipes.

Christina Maslach’s scholarly work attributed work stress to six main sources: workload, values, reward, control, fairness, and community. “If any are lacking or out of sync, you may be headed toward exhaustion, cynicism, and the feeling of being ineffective,” said this article presenting a two-minute burnout assessment tool.

An even quicker assessment is promised by the Matches Measure from Cindy Muir Zapata. “The graphic she offered in her paper is a six-point and eight-point spectrum of matches, from unlit, to singed, to burned, to disintegrated,” read an article on HR Dive. A worker looks at the layout of matches and picks the one that shows how burned out they feel.

But Campbell has an idea for how to handle wellness better: “So my first and strongest recommendation to everyone is this: psychotherapy.”

“Professionals will help a lot more than any quick hack to keep you running for another few weeks — therapy allows you to vent out what’s building up, gain insight on your own status and choices, and plan for future burnout occurrences,” he adds. “It doesn’t make everything magically better, but you learn the tools to keep treading water, then tools to swim against counterproductive currents, and more.”

“The time to start learning and building the tool sets is before the burnout hits, or at least before it becomes a true crisis,” he adds.

Hope in a Hopeless Place

If worse comes to worst, and burnout hits, the van Dam article found hope in the study of disaster survivors. No matter how awful the disastrous events they went through, people tend to perceive some good coming from their trauma. This post-traumatic growth falls into three categories of benefits: changes in self-perception, in relationships, and in life philosophy.

The article built on that to posit post-burnout growth as well. “Many former burnout patients report that they have learned from their burnout and that their life is better now than before their burnout,” Campbell explains. “They know better who they are and what is important to them in life; they spend more time with their friends and families; and they changed their priorities. Many former burnout patients allow themselves to enjoy life more and to be happy.”

And again, he has some advice, particularly for the neurodivergent people: hack your needs to make yourself comfortable. “There are a thousand ways to optimize your own senses, and it’s something we as a culture often fail at. Whether you’re neurodivergent, neurotypical, or something else entirely — find the best sensory augments that allow you to work, and the better we’ll all be protecting, hacking, investigating, hunting, and more.”




Customer data from 800,000 electric cars and owners exposed online



Volkswagen’s automotive software company, Cariad, exposed data collected from around 800,000 electric cars. The info could be linked to drivers’ names and reveal precise vehicle locations.

Terabytes of Volkswagen customer details in Amazon cloud storage remained unprotected for months, allowing anyone with little technical knowledge to track drivers’ movement or gather personal information.

The exposed databases include details for VW, Seat, Audi, and Skoda vehicles, with geo-location data for some of them being as precise as a few centimeters.

Precise geo-location data

Access to the car data was possible due to a misconfiguration in two of Cariad’s IT applications, a company representative told BleepingComputer.

Cariad was informed on November 26 of the issue by the Chaos Computer Club (CCC), the largest organization of ethical hackers in Europe that for more than 30 years has promoted security, privacy, and free access to information.

According to German publication Spiegel, the CCC learned of the vulnerability from a whistleblower and tested the insecure access before informing those responsible at Cariad and Volkswagen and providing technical details.

In a statement to BleepingComputer, a Cariad representative said that the exposed data affected only vehicles that were connected to the internet and had been registered for online services.

Of the nearly 800,000 vehicles exposed, the researchers found geo-location data for 460,000 cars, for some of them with an accuracy of ten centimeters.

A little over 30 vehicles were part of Hamburg police’s fleet of patrol cars, while others belonged to suspected intelligence service employees, Spiegel says.

The company said that the CCC hackers could access the data only after bypassing several security mechanisms that required significant time and technical expertise.

Additionally, because individual vehicle data was pseudonymized for privacy purposes, the hackers had to combine different data sets to associate the details with a particular user.

However, Spiegel assembled a team of IT experts and journalists who found location details collected from the cars of two German politicians, Nadja Weippert and Bundestag member Markus Grübel, using freely available software.

The tools searched for exposed Cariad assets that contained files with sensitive information, which led to finding a copy of a memory dump from an internal Cariad application.

Inside the memory dump the hackers discovered access keys to a cloud storage instance on Amazon where Cariad saved data collected from Volkswagen Group customers’ vehicles.
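The disclosure chain above turns on one artefact: a memory dump of an internal application that still held cloud access keys. As an added example (not the CCC’s or Spiegel’s tooling, and nothing from Cariad), the Python below scans a binary blob for AWS access key IDs and tries to pair each with a nearby secret, the kind of check a defender runs over crash dumps, heap snapshots and build artefacts before they leave a controlled environment. The sample dump is constructed inline and uses the placeholder credentials from AWS’s own documentation (AKIAIOSFODNN7EXAMPLE and its companion secret), which are not live keys; the 512-byte pairing window and the entropy cut-off are assumptions chosen for illustration.

```python
import math
import re
from dataclasses import dataclass
from typing import List, Optional

# AWS long-term (AKIA...) and temporary (ASIA...) access key IDs are 20 characters.
KEY_ID_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters drawn from A-Z, a-z, 0-9, '/' and '+'.
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")

PAIRING_WINDOW = 512      # assumed: bytes on each side of a key ID searched for its secret
MIN_SECRET_ENTROPY = 4.0  # assumed: bits/byte; real secrets score ~4.5-5.3, filler far lower


@dataclass
class Finding:
    offset: int            # byte offset of the key ID in the blob
    key_id: str
    secret: Optional[str]  # best-scoring 40-char candidate near the key ID, if any
    secret_entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-symbol input."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_for_aws_keys(blob: bytes) -> List[Finding]:
    """Find AWS access key IDs in a memory dump and pair each with the
    highest-entropy 40-character candidate in the surrounding bytes."""
    findings: List[Finding] = []
    for m in KEY_ID_RE.finditer(blob):
        lo = max(0, m.start() - PAIRING_WINDOW)
        hi = min(len(blob), m.end() + PAIRING_WINDOW)
        best: Optional[bytes] = None
        best_entropy = 0.0
        for s in SECRET_RE.finditer(blob[lo:hi]):
            candidate = s.group(0)
            entropy = shannon_entropy(candidate)
            # Reject low-entropy filler (padding, repeated bytes) that happens to be
            # 40 characters long; keep the strongest remaining candidate.
            if entropy >= MIN_SECRET_ENTROPY and entropy > best_entropy:
                best, best_entropy = candidate, entropy
        findings.append(Finding(
            offset=m.start(),
            key_id=m.group(0).decode("ascii"),
            secret=best.decode("ascii") if best else None,
            secret_entropy=best_entropy,
        ))
    return findings


def report(blob: bytes) -> List[str]:
    """Ticket-safe lines: key ID partially masked, secret never echoed."""
    lines = []
    for f in scan_for_aws_keys(blob):
        masked = f.key_id[:4] + "*" * 12 + f.key_id[-4:]
        paired = "secret paired" if f.secret else "no secret nearby"
        lines.append(f"offset {f.offset:#x}: {masked} ({paired}, entropy {f.secret_entropy:.2f})")
    return lines


# Constructed sample (not a real dump): heap fragments around an environment block,
# using AWS's documented placeholder credentials, which are not live keys.
SAMPLE_DUMP = (
    b"\x00\x00heap-fragment\x00"
    b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00"        # 40 bytes of filler: must be rejected
    b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    b"TELEMETRY_BUCKET=example-telemetry\x00"
    b"https://example.invalid/docs?ref=AKIAnotakey\x00"    # decoy: lowercase tail, not a key ID
)

if __name__ == "__main__":
    for line in report(SAMPLE_DUMP):
        print(line)
```

Run it over `gcore`/minidump output or CI artefacts and fail the pipeline on any finding; a hit means the key must be rotated in IAM regardless of whether the secret was paired, since the ID alone tells an attacker where to start.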

Spiegel reports that some data points referred to the longitude and latitude location of the cars when the electric motor was turned off.

“In the case of VW models and Seats, this geodata was accurate to within ten centimeters, and for Audis and Skodas to within ten kilometers and was, therefore, less problematic” – Spiegel
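Spiegel’s precision figures line up with how many decimal places of a coordinate survive storage: one degree of latitude is about 111 km, so six decimals resolve to roughly 11 cm and one decimal to roughly 11 km, which matches the VW/Seat versus Audi/Skoda split quoted above. As an added example (not Cariad’s code, and not a description of how its pipeline works), the Python below does two things a privacy or data-governance engineer would want here: it snaps a position to a grid of a chosen cell size before the point is written, and it audits stored coordinate strings for records that keep more decimals than policy allows. The sample rows are constructed, the pseudonymous IDs and column names are assumptions, and grid snapping is one standard coarsening technique rather than the only one.

```python
import math
from typing import Dict, List, Tuple

EARTH_RADIUS_M = 6_371_000.0
M_PER_DEG_LAT = 2 * math.pi * EARTH_RADIUS_M / 360.0   # about 111.2 km per degree of latitude


def resolution_m(decimals: int) -> float:
    """Ground distance represented by one unit of the last kept decimal place of a
    latitude. Longitude resolution is this value times cos(latitude)."""
    return M_PER_DEG_LAT * 10.0 ** (-decimals)


def coarsen(lat: float, lon: float, cell_m: float) -> Tuple[float, float]:
    """Snap a position to the nearest node of a cell_m-by-cell_m grid so the stored
    point cannot be more precise than cell_m (worst-case displacement is about
    0.71 * cell_m, half the cell diagonal)."""
    lat_step = cell_m / M_PER_DEG_LAT
    snapped_lat = round(lat / lat_step) * lat_step
    # Longitude degrees shrink towards the poles; size the step at the snapped latitude.
    lon_step = cell_m / (M_PER_DEG_LAT * max(math.cos(math.radians(snapped_lat)), 1e-9))
    snapped_lon = round(lon / lon_step) * lon_step
    return snapped_lat, snapped_lon


def distance_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance (haversine), used to verify the coarsening bound."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def stored_decimals(value: str) -> int:
    """Decimal places of a coordinate as stored. Strings are audited on purpose:
    float formatting would hide trailing zeros and invent spurious digits."""
    if "." not in value:
        return 0
    return len(value.split(".", 1)[1].rstrip("0"))


def over_precise(records: List[Dict[str, str]], max_decimals: int) -> List[str]:
    """IDs of records whose stored latitude or longitude keeps more decimals than
    the retention policy allows."""
    return [
        r["id"] for r in records
        if max(stored_decimals(r["lat"]), stored_decimals(r["lon"])) > max_decimals
    ]


# Constructed sample rows (not real vehicle data); "id" is an assumed pseudonymous
# vehicle identifier and the coordinates are assumed to be stored as decimal strings.
SAMPLE_RECORDS = [
    {"id": "veh-0001", "lat": "53.550341", "lon": "9.993682"},  # 6 decimals: ~11 cm
    {"id": "veh-0002", "lat": "48.1",      "lon": "11.6"},      # 1 decimal:  ~11 km
    {"id": "veh-0003", "lat": "50.1109",   "lon": "8.6821"},    # 4 decimals: ~11 m
]

if __name__ == "__main__":
    print(f"6 decimals -> {resolution_m(6):.3f} m, 1 decimal -> {resolution_m(1) / 1000:.1f} km")
    print("over-precise at 1 decimal:", over_precise(SAMPLE_RECORDS, 1))
    print("10 km grid:", coarsen(53.550341, 9.993682, 10_000))
```

The precision decision has to be made before the point is written: pseudonymising the vehicle identifier does nothing for a driver whose 10 cm stop locations are already in the bucket, because home and workplace fall out of the data directly, whereas a 10 km cell keeps the country-level statistics Cariad says it needs without recording where any one car parked.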

Most of the affected vehicles, 300,000 of them, were in Germany but the researchers also found details about cars in Norway (80,000), Sweden (68,000), the United Kingdom (63,000), the Netherlands (61,000), France (53,000), Belgium (68,000), and Denmark (35,000).

Quick fix after responsible disclosure

Cariad told BleepingComputer that its security team reacted quickly to fix the problem and closed access the same day the CCC sent them the report.

CCC representatives confirmed for Spiegel that Cariad’s “technical team responded quickly, thoroughly and responsibly” and that the company reacted within hours of receiving the technical details.

Based on the results of its investigation, Cariad has no evidence suggesting that other parties, except the CCC hackers, had access to the exposed vehicle data or that the information had been misused by a third party.

The company also emphasizes that the CCC only had access to data collected from the vehicles and could not access the cars themselves.

Cariad says that customers of the Volkswagen Group brands can agree to use products and services that require the processing of personal data and can deactivate the option at any time.

However, the company notes that the data collected from the vehicles helps it “provide, develop, and improve digital functions” for its customers as well as create additional benefits.

“Without this data, smart, digital and personalized functions could not be provided, optimized or expanded” – Cariad

As an example, the company explains that customers’ charging behavior and habits are anonymized and help optimize future battery generations and charging software.

At the same time, the company says, the collected data is stored in the cloud in a way that protects the identity of the customer and their movements with the vehicle.

“The brands in the Volkswagen Group collect, store, transmit and use personal data exclusively within the framework of legal regulations and an existing contractual relationship, legitimate interests or explicit consent from the customer,” Cariad says.

The automotive software company also says that it employs strong data protection practices that include storing data points separately, restrictive access rights, pseudonymization, and anonymization, as well as aggregating and processing data within stated purposes.


