Both systemd 257 and GNU Shepherd 1.0 are out • The Register


Everyone’s favorite Linux component has hit a milestone, while a fresh contender comes of age – with a touch of Lisp.

In news that is sure to delight the Linux world, version 257 of systemd has arrived. Just a day before its release, a major new version of another Linux init system came out, GNU Shepherd version 1.0. They’re very different ways of doing the same basic task, and we’re happy to see more options in this particularly controversial role.

The last version of systemd, back in June, merited special attention from The Register – it received two separate articles. The first highlighted an impressively tone-deaf attempt at a joke, when the Fediverse announcement proclaimed that Version 256 of systemd boasts “42 percent less Unix philosophy.” A week later, a point-release followed: systemd 256.1: Now slightly less likely to delete /home.

To recap that fun little feature, if you run the systemd command to clear up temporary files, and you don’t get it exactly right, it totally wipes the entire tree of user home directories. The headline feature of version 257 indicates to us that the repercussions of that hilarious incident are still being felt:

In summary, the developers have made a backwards-incompatible change to the format of one of systemd’s config files, something they are reluctant to do. The change in the file format makes it less likely that unwary use of the command systemd-tmpfiles --purge will remove all data for all users on the computer. So that’s good.

The gist is that the systemd-tmpfiles tool was named so because originally it was designed to manage temporary files. Since then, it’s grown to do much more. It manages many kinds of files that are created and removed in normal operation of a Linux computer. Its config file, which is called tmpfiles.d (and that link will tell you everything you could ever want to know about what files it can manage) now has a new specifier:

In other words, you have to specifically mark lines that describe the files that the purge sub-command will remove. It’s a small enough change, but it means that if that config file doesn’t tell it to, the command systemd-tmpfiles --purge now will not delete everything in every folder created since the first user was added. So that’s good.

It is an absolutely minimal sort of fix, though. The fact is that the name systemd-tmpfiles is not remotely accurate any more. The tool no longer just manages temporary files. The developers could have made a deeper, more generally helpful change, such as renaming the command – but that would cause more breakage. (We suspect this probably is not a function that is used often or by many people, but that’s a separate consideration.) Whether this minimal config-file-format change, which does make things safer, is a better course of action than a more drastic, breaking one such as renaming a command is a judgement call.

It’s fair to say that making the minimum possible form of change is a typical Unix sort of attitude. On the other hand, Apple’s macOS is still a certified UNIX™ and it’s made many far more sweeping changes than this – and yet it’s by far the most successful commercial Unix in history.

The other changes are mostly far underneath the covers, so to speak, and will likely be invisible to anyone who isn’t maintaining a Linux distribution. The tooling around the new Unified Kernel Image format is improved, cgroups version 1 and System V service scripts inch closer to being deprecated, it now understands volume button presses on mobile phones – showing how mainstream Linux is moving into more pockets – and it’s offloaded some old keyboard handling code to X.org. The feature that made us smile is that during shutdown, systemd hands responding to the classic “three finger salute” back to the kernel. So if systemd crashes during shutdown, with any luck Ctrl+Alt+Delete will still reboot your computer. That one sounds handy.

(The Reg FOSS desk’s top tip for rebooting balky systemd-controlled boxes is that if you press Ctrl+Alt+Del seven times within two seconds, it tells systemd to reboot immediately whatever is going on. Only try this if the machine’s not shutting down normally as it might do bad things if it’s not an emergency. It’s also worth remembering the REISUB keystroke exists too.)

Shepherding services for Guix

The other new init system in the news this week is from the GNU Project, and it’s called Shepherd. Shepherd itself isn’t new. In fact, development started in 2003, so it’s old enough to drink in the US. What is new is that the development team has released version 1.0. To go with this milestone in maturity, it also has a new logo and website.

The main distinctive thing about Shepherd is that it’s implemented in GNU Guile. Guile is the GNU implementation of the Scheme programming language, and it was intended to be the GNU Project’s standard extension language. Indeed, its original name was GEL, short for GNU Extension Language.

It is not a famous part of the story of the GNU project, but before Richard Stallman turned his hand to building a free Unix-like OS, he was a Lisp hacker, working on Lisp workstations, and he still retains his fondness for the language even now. That’s why a Lisp dialect is a core official GNU language.

Scheme is a smaller, simpler version of Lisp, originally designed for educational use. As we quoted when talking about the revival of Medley/Interlisp, there are three main branches of the Lisp family tree: the stripped-down Scheme; Emacs Lisp, which is the extension language of the 800 lb gorilla of text editors, Emacs; and the heavily standardized Common Lisp. As Steve Yegge memorably put it:

The slightly odd thing is that although it’s been around for 31 years, Guile still isn’t the basis of the GNU Project’s flagship app, the GNU Emacs text editor. Emacs’s long and tortuously complicated development history saw it move through five or six minicomputer OSes before the first rewrite for Unix by Java creator James Gosling. (The story has a twist you won’t see coming, and we recommend reading the section from about page 30, or watching Gosling’s 2019 interview from about the 2:52 mark.)

The lowest-level parts of GNU Emacs are implemented in C, but that C is used to implement Emacs Lisp, and nearly 70 percent of GNU Emacs is implemented in Emacs Lisp. You could almost say that the bulk of Emacs is implemented in Emacs. Moving it to Scheme would mean a total rewrite that would break an awful lot more user code than, say, renaming one systemd sub-command. There is an effort to do that total rewrite, the Guile-Emacs project, and it was relaunched this year.

Its use of GNU Guile makes Shepherd something of a flag-bearer for the Guile language and project. Additionally, Shepherd is the default init system of the GNU Guix distribution.

Guix is both a packaging tool and a distro built with that tool. Guix has closely comparable goals to Nix, and to the NixOS distro built with it. It aims to automate away manual package management. The key difference is that while Nix has its own, unique language for writing config files, Guix uses standard Guile Scheme, and so in theory it’s more accessible to more people. We say “in theory” because Nix itself is really pretty niche even in the Linux world, and we hear far more about Nix than Guix.

Shepherd defines services in a restricted subset of Scheme. That is probably enough to immediately either win over, or forever put off, many people. Scheme uses Lisp-style prefix notation (yes, with lots of parentheses), which tends to polarize techies. If you like Lisp and Lisp-based systems, you might enjoy Enzuru’s Lisp-centric Linux distro, which is still under construction.

We doubt that Shepherd is going to transform the Linux init system landscape, but it’s good to see one of the alternative init systems taking a step towards greater maturity. ®

Bootnote

If the rather obscure pun in our subheading isn’t clear, “Guix” is pronounced like geeks. So, no, Nix and Guix do not rhyme. They just look like they should.




Court indicts 14 North Korean IT workers tied to $88 million in illicit gains


A federal court has indicted 14 more North Korean IT workers as part of an ongoing U.S. government campaign to crack down on Pyongyang’s use of tech professionals to swindle American companies and nonprofits.

The Justice Department said the 14 indicted workers generated at least $88 million throughout a conspiracy that stretched over approximately six years, ending in March 2023. North Korea-controlled companies in China and Russia — Yanbian Silverstar and Volasys Silverstar, respectively — used the so-called “IT Warriors” to obtain false U.S. identities, pose as employees doing remote IT work in the United States and transfer funds from their employers to eventually end up in the hands of the North Korean government, according to the indictment. 

“When the defendants gained access to a U.S. employer’s sensitive business information, the defendants in some instances extorted payments from the employer by threatening to release, and in some cases releasing, that sensitive information online,” per the indictment, which the DOJ publicized Thursday.

The U.S. District Court of the Eastern Division of Missouri handed down the indictment. In addition to the indictment, the State Department announced rewards of up to $5 million for individuals and companies involved in the scheme.

“Yesterday’s indictment is the latest in a series of actions under a National Security Division initiative launched earlier this year to disrupt North Korea’s efforts to generate revenue by duping American companies into hiring its citizens for remote work,” said Assistant Attorney General Matthew Olsen of the Justice Department’s National Security Division. “This indictment and associated disruptions highlight the cybersecurity dangers associated with this threat, including theft of sensitive business information for the purposes of extortion.”

The Justice Department has repeatedly targeted this specific group of alleged conspirators in an attempt to disrupt them, including court-authorized seizures of a collective $764,800 via two orders unsealed Thursday, in addition to seizures of more money and internet domains the DOJ said the group used to appeal to prospective employers.

But it’s also sought to combat the broader trend of North Korea using its IT workers for nefarious purposes, including via arrests and alerts with other federal agencies.

The charged workers’ names are Jong Song Hwa, Ri Kyong Sik, Kim Ryu Song, Rim Un Chol, Kim Mu Rim, Cho Chung Pom, Hyon Chol Song, Son Un Chol, Sok Kwang Hyok, Choe Jong Yong, Ko Chung Sok, Kim Ye Won, Jong Kyong Chol and Jang Chol Myong.

Michael Barnhart, who leads Mandiant’s North Korea threat hunting team, told CyberScoop after the indictment was announced that threat actors have recently become more dangerous since gaining employment at Western organizations.

“For the first time, we’re seeing IT workers follow through on releasing sensitive data of organizations they’ve infiltrated to pressure victims into paying exorbitant ransoms,” he said. “They’re also demanding more cryptocurrency than they ever have before. We assess that the heightened media attention and ongoing government disruptions targeting their cyber operations this past year are forcing an escalation in their tactics.”

You can read the full indictment here


Written by Tim Starks

Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: tim.starks@cyberscoop.com.



‘Dubai Police’ Lures Anchor Wave of UAE Mobile Attacks


The Dubai Police are the latest victims of impersonation by fraudsters in the United Arab Emirates (UAE), who are sending thousands of text messages out to unwitting mobile users while purporting to represent the law enforcement agency.

Researchers at BforeAI observed a recent surge in phishing attacks leveraging alleged police communications, which encourage text recipients to click on a malicious URL to respond to supposed legal trouble or to register with an “official” online portal. The included links redirect victims to fake websites designed to harvest sensitive information, including bank details or personal identification details.

The campaign uses well-crafted lures with official branding, suggesting a moderate level of sophistication, according to BforeAI. But while the lures are tailored to UAE citizens, the phishing methodology resembles a ‘spray-and-pray’ model in its broad reach.

“The campaign targets individuals likely to respond to law enforcement-related communications, of which legitimate comms of this nature are not uncommon in the UAE — targeting particularly those with a limited understanding of digital threats,” Abu Qureshi, lead for threat intelligence and mitigation at BforeAI, tells Dark Reading.

“The most striking aspect of this campaign is the calculated misuse of Dubai Police branding to establish credibility and deceive victims,” he adds. “This demonstrates a sophisticated understanding of social engineering techniques and reliance on psychological manipulation, exploiting fear and trust in law enforcement — which for citizens of the UAE is of utmost importance.”


Cybercriminals Increasingly Target UAE, Middle East

Cybercrime campaigns targeting organizations and individuals in Dubai and other parts of the UAE are noticeably on the rise. According to research from Kaspersky earlier this year, 87% of companies in UAE have faced some form of cyber incident in the past two years.

“The UAE is a high-value target due to its affluent population, high Internet penetration, and reliance on digital services,” Qureshi says. “Cybercriminals exploit these factors alongside vulnerabilities in newly adopted technologies.”

The cybercrime spree is part of a larger trend in the targeting of individuals and organizations in some areas of the Middle East in general, he notes.

“There’s a focus on wealthy regions and individuals to maximize financial gain,” he says. “There are also regional geopolitical interests and an increased focus on Middle Eastern entities due to economic and political dynamics.”


To boot, because the area has embraced digital transformation and IT modernization with gusto, cybercriminals are targeting digital adoption vulnerabilities that come from the rapid implementation of advanced technologies without adequate protections, according to Qureshi.

Anchoring a UAE Cybercrime Campaign in Singapore

The cyberattackers behind the Dubai Police offensive appear to have used an automated domain generation algorithm (DGA) or bulk registration to quickly cycle through different domains to host malicious Web pages bent on financial fraud. Each domain is short-lived, in order to better avoid detection.

Most of those domains originated from Tencent servers based in Singapore, according to BforeAI researchers, who noted the company’s servers have hosted malicious activity before, including spam, phishing, and botnets.

“Tencent, a Chinese-based technology giant, maintains a significant hub in Singapore, leveraging the city-state’s strategic location and robust digital infrastructure,” says Qureshi. “Despite Singapore’s strong cyber-resilience and rigorous policies to address malicious activity, its status as a global tech hub makes it a prime location for abuse of legitimate platforms by cybercriminals.”


Qureshi adds that the presence of malicious activity on Tencent servers could be due to the exploitation of legitimate services.

“High-traffic servers can be abused to host or relay malicious content without the company’s direct knowledge,” he explains, adding that jurisdictional complexity could also be at play: “Singapore’s law enforcement may face challenges in coordinating with foreign entities and differentiating criminal use from legitimate operations. While Tencent is based in Singapore — they are a Chinese firm.”

Two of the registrants were found to be from India and Dubai itself, with suspicious names suggesting that they originate from a legitimate company, according to the research. For the most part though, the cyberattackers have managed to keep their identity anonymous.

Tencent did not immediately return a request for comment.

How Organizations in the Middle East Can Protect Against Cyber Fraud

For organizations in the region, campaigns like this should prompt changes in risk management, Qureshi advises. Although the phishing messages are broad-based, in the age of the mobile office, even campaigns designed to hit individuals can end up affecting companies.

Common-sense security hygiene includes the basics, like double-checking the official domain of the Dubai government and the payment portal before proceeding with any payment, as well as looking for red flags like a missing HTTPS connection, broken links, out-of-place Web designs, or suspicious phrasing or grammar.

Qureshi advises organizations to take several additional steps to mitigate their risk, including:

  • Enhanced monitoring: Implement robust predictive phishing detection systems and actively monitor for misuse of branding;

  • Awareness programs: Train employees on phishing recognition and reporting;

  • Collaboration: Work with CERTs and law enforcement to address identified threats;

  • Incident response: Develop and test response plans to address phishing-related breaches;

  • Reporting: Alert phishing reporting websites such as Etisalat and DU when employees receive phishing messages;

  • And continuous vigilance: Adopt a proactive cybersecurity stance to protect brand reputation and customer trust.

And finally, “this Dubai Police campaign highlights the globalized nature of cybercrime, where local targets are exploited using international infrastructure,” Qureshi warns. “The importance of cross-border cooperation and leveraging threat intelligence to stay ahead of evolving tactics cannot be overstated.”




Police shuts down Rydox cybercrime market, arrests 3 admins



Albanian law enforcement has seized the Rydox cybercrime marketplace and arrested three administrators in collaboration with international partners.

Kosovo nationals Ardit Kutleshi, Jetmir Kutleshi, and Shpend Sokoli were arrested on Thursday by Kosovo law enforcement and Albania’s Special Anti-Corruption Body (SPAK). The U.S. Justice Department indicted the first two for involvement in Rydox’s operations, and they’re awaiting extradition to the United States.

Ardit Kutleshi and Jetmir Kutleshi face multiple charges related to their Rydox admin roles, including two counts of identity theft, conspiracy to commit identity theft, aggravated identity theft, access device fraud, and money laundering. If convicted, each could receive five years for each charge, 10 years for access device fraud, and up to 20 years for money laundering.

Since February 2016, Rydox marketplace sellers have been involved in over 7,600 sales of credit card information, login credentials, and personal information such as social security numbers, names, and addresses stolen from thousands of U.S. citizens and various cybercrime tools and devices.

Rydox also offered for sale over 321,000 other “cybercrime products” to more than 18,000 users, including tools and materials for committing cyber crimes, such as tutorials and spam tools.

According to the indictment, registered users had to deposit a sum of cryptocurrency into their accounts before making a purchase via Perfect Money, Ethereum, Litecoin, Bitcoin (“BTC”), Monero, Ripple, Tron, or Verge payments deposited into a cryptocurrency wallet controlled by Rydox.

They could use the funds to purchase illicit products, services, tools, and programs from Rydox sellers. However, once the funds were deposited, they were under the defendants’ control, who controlled the Rydox cryptocurrency wallets.

Rydox also charged registered users a one-time fee (that fluctuated between the equivalent of $200 to $500) to become authorized sellers on the marketplace. Rydox authorized sellers received 60% of the sale proceeds, while the market retained 40% from every sale.

The United States obtained judicial authorization to seize the Rydox[.]cc domain, used to access the cybercrime marketplace’s website, and the FBI seized servers in Kuala Lumpur that hosted the Rydox illicit marketplace with the help of the Royal Malaysian Police and took the website offline.

Rydox seizure banner (BleepingComputer)

The United States also received court authorization to seize about $225,000 in cryptocurrency from the defendants’ accounts.

The operation was carried out with the help of the FBI’s Pittsburgh Office, Albania’s National Bureau of Investigation (BKH), the Albanian Directorate of Cybercrime Investigation, the Kosovo Special Prosecutor’s Office, the Kosovo Police, and the Malaysian Royal Police.

“The Rydox marketplace was a one-stop shop where upwards of 18,000 of its cybercriminal customers could choose from more than 300,000 cybercrime tools,” said U.S. Attorney Eric G. Olshan on Thursday.

“While cybercrime often involves conduct occurring overseas and the actions of foreign nationals, its harms can be devastatingly local, with residents in our own communities suffering financial ruin as a result of the theft and misuse of their sensitive personal information.”

Earlier this month, eight members of an international cybercrime network who set up fraud centers in rented Airbnb properties to steal millions of Euros from victims were arrested in Belgium and the Netherlands.

German law enforcement also shut down the country’s largest online cybercrime marketplace and the Manson cybercrime market, arresting key suspects.




New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection


Dec 13, 2024 | Ravie Lakshmanan | Linux / Threat Analysis


Cybersecurity researchers have uncovered a new Linux rootkit called PUMAKIT that comes with capabilities to escalate privileges, hide files and directories, and conceal itself from system tools, while simultaneously evading detection.

“PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers,” Elastic Security Lab researchers Remco Sprooten and Ruben Groenewoud said in a technical report published Thursday.

The company’s analysis comes from artifacts uploaded to the VirusTotal malware scanning platform earlier this September.


The malware’s internals are based on a multi-stage architecture that comprises a dropper component named “cron,” two memory-resident executables (“/memfd:tgt” and “/memfd:wpn”), an LKM rootkit (“puma.ko”), and a shared object (SO) userland rootkit called Kitsune (“lib64/libs.so”).

It also uses the internal Linux function tracer (ftrace) to hook into as many as 18 different system calls and various kernel functions such as “prepare_creds,” and “commit_creds” to alter core system behaviors and accomplish its goals.


“Unique methods are used to interact with PUMA, including using the rmdir() syscall for privilege escalation and specialized commands for extracting configuration and runtime information,” the researchers said.

“Through its staged deployment, the LKM rootkit ensures it only activates when specific conditions, such as secure boot checks or kernel symbol availability, are met. These conditions are verified by scanning the Linux kernel, and all necessary files are embedded as ELF binaries within the dropper.”

The executable “/memfd:tgt” is the default Ubuntu Linux Cron binary sans any modifications, whereas “/memfd:wpn” is a loader for the rootkit assuming the conditions are satisfied. The LKM rootkit, for its part, contains an embedded SO file that’s used to interact with the rootkit from userspace.


Elastic noted that every stage of the infection chain is designed to hide the malware’s presence and take advantage of memory-resident files and specific checks prior to unleashing the rootkit. PUMAKIT has not been attributed to any known threat actor or group.
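The report above names three things a defender can look for on a live host: executables backed by anonymous memfd files (the “/memfd:tgt” and “/memfd:wpn” stages), ftrace hooks on credential-handling kernel functions such as prepare_creds and commit_creds, and a kernel module that hides itself from the usual listings. The following triage script is an added example, not Elastic’s tooling or anything from the PUMAKIT report; it assumes the host exposes tracefs at /sys/kernel/tracing and that a hidden LKM still leaves a directory under /sys/module. The sample inputs are constructed so the logic runs offline; on a real system the same functions are fed the contents of /proc and /sys.

```python
"""Host triage for PUMAKIT-style rootkit indicators (added example, not
Elastic's code). Three checks drawn from the write-up: memfd-backed
processes, ftrace hooks on credential functions, and kernel modules that
appear in sysfs but not in /proc/modules. Sample data below is constructed."""
import os
import re

# Kernel functions the report says the rootkit hooks via ftrace. Assumption:
# a hook on either of these is unusual enough to warrant a look.
CRED_FUNCTIONS = {"prepare_creds", "commit_creds"}

# --- constructed sample inputs (what a live collection would return) ---
SAMPLE_EXE_LINKS = {                     # pid -> readlink('/proc/<pid>/exe')
    1: "/usr/lib/systemd/systemd",
    900: "/usr/sbin/cron",
    4242: "/memfd:tgt (deleted)",        # anonymous in-memory executable
    4243: "/memfd:wpn (deleted)",
}
# tracefs enabled_functions lists hooked functions as "<name> (<count>) ..."
SAMPLE_ENABLED_FUNCTIONS = (
    "schedule (1) R I\ttramp: 0xffffffffc0100000 (constructed_tracer)\n"
    "prepare_creds (1) R I\ttramp: 0xffffffffc0a2c000 (constructed_hook)\n"
    "commit_creds (1) R I\ttramp: 0xffffffffc0a2c100 (constructed_hook)\n"
)
# /sys/module entries: name -> whether a 'sections' subdirectory exists
# (loaded LKMs have one; built-in kernel objects usually do not)
SAMPLE_SYS_MODULES = {"ext4": True, "printk": False, "puma": True}
SAMPLE_PROC_MODULES = "ext4 900000 1 - Live 0xffffffffc0300000\n"


def memfd_backed_processes(exe_links):
    """Return pids whose executable lives in an anonymous memfd, which is
    how the report says the dropper stages its payloads."""
    return sorted(pid for pid, target in exe_links.items()
                  if target.startswith("/memfd:"))


def hooked_cred_functions(enabled_functions_text):
    """Parse tracefs enabled_functions and return credential functions
    that currently carry an ftrace hook (count > 0)."""
    hooked = set()
    for line in enabled_functions_text.splitlines():
        m = re.match(r"^(\S+)\s+\((\d+)\)", line)
        if m and int(m.group(2)) > 0 and m.group(1) in CRED_FUNCTIONS:
            hooked.add(m.group(1))
    return sorted(hooked)


def hidden_modules(sys_modules, proc_modules_text):
    """Loadable modules (those with a sysfs 'sections' dir) that are absent
    from /proc/modules -- the classic sign of an LKM unlinking itself."""
    listed = {ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()}
    return sorted(name for name, has_sections in sys_modules.items()
                  if has_sections and name not in listed)


def collect_live():
    """Gather the three inputs from a running Linux host (needs root for
    other users' /proc/<pid>/exe links). Returns (exe_links, tracefs, sysmods, procmods)."""
    exe_links = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe_links[int(pid)] = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel threads and vanished processes
    try:
        with open("/sys/kernel/tracing/enabled_functions") as f:
            tracefs = f.read()
    except OSError:
        tracefs = ""
    sysmods = {n: os.path.isdir(f"/sys/module/{n}/sections") for n in os.listdir("/sys/module")}
    with open("/proc/modules") as f:
        procmods = f.read()
    return exe_links, tracefs, sysmods, procmods


if __name__ == "__main__":
    exe_links, tracefs, sysmods, procmods = collect_live()
    print("memfd-backed pids:", memfd_backed_processes(exe_links))
    print("hooked cred functions:", hooked_cred_functions(tracefs))
    print("modules hidden from /proc/modules:", hidden_modules(sysmods, procmods))
```

Each check on its own has benign explanations (memfd is used by some sandboxes and updaters, and a legitimate tracer may hook many functions), so the findings are triage leads to confirm with a baseline from a known-good kernel rather than verdicts.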

“PUMAKIT is a complex and stealthy threat that uses advanced techniques like syscall hooking, memory-resident execution, and unique privilege escalation methods. Its multi-architectural design highlights the growing sophistication of malware targeting Linux systems,” the researchers concluded.





Hacker in Snowflake Extortions May Be a U.S. Soldier – Krebs on Security


Two men have been arrested for allegedly stealing data from and extorting dozens of companies that used the cloud data storage company Snowflake, but a third suspect — a prolific hacker known as Kiberphant0m — remains at large and continues to publicly extort victims. However, this person’s identity may not remain a secret for long: A careful review of Kiberphant0m’s daily chats across multiple cybercrime personas suggests they are a U.S. Army soldier who is or was recently stationed in South Korea.

Kiberphant0m’s identities on cybercrime forums and on Telegram and Discord chat channels have been selling data stolen from customers of the cloud data storage company Snowflake. At the end of 2023, malicious hackers discovered that many companies had uploaded huge volumes of sensitive customer data to Snowflake accounts that were protected with nothing more than a username and password (no multi-factor authentication required).

After scouring darknet markets for stolen Snowflake account credentials, the hackers began raiding the data storage repositories for some of the world’s largest corporations. Among those was AT&T, which disclosed in July that cybercriminals had stolen personal information, phone and text message records for roughly 110 million people. Wired.com reported in July that AT&T paid a hacker $370,000 to delete stolen phone records.

On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States, which has since indicted him on 20 criminal counts connected to the Snowflake breaches. Another suspect in the Snowflake hacks, John Erin Binns, is an American who is currently incarcerated in Turkey.

A surveillance photo of Connor Riley Moucka, a.k.a. “Judische” and “Waifu,” dated Oct 21, 2024, 9 days before Moucka’s arrest. This image was included in an affidavit filed by an investigator with the Royal Canadian Mounted Police (RCMP).

Investigators say Moucka, who went by the handles Judische and Waifu, had tasked Kiberphant0m with selling data stolen from Snowflake customers who refused to pay a ransom to have their information deleted. Immediately after news broke of Moucka’s arrest, Kiberphant0m was clearly furious, and posted on the hacker community BreachForums what they claimed were the AT&T call logs for President-elect Donald J. Trump and for Vice President Kamala Harris.

“In the event you do not reach out to us @ATNT all presidential government call logs will be leaked,” Kiberphant0m threatened, signing their post with multiple “#FREEWAIFU” tags. “You don’t think we don’t have plans in the event of an arrest? Think again.”

On the same day, Kiberphant0m posted what they claimed was the “data schema” from the U.S. National Security Agency.

“This was obtained from the ATNT Snowflake hack which is why ATNT paid an extortion,” Kiberphant0m wrote in a thread on BreachForums. “Why would ATNT pay Waifu for the data when they wouldn’t even pay an extortion for over 20M+ SSNs?”

Kiberphant0m posting what he claimed was a “data schema” stolen from the NSA via AT&T.

Also on Nov. 5, Kiberphant0m offered call logs stolen from Verizon’s push-to-talk (PTT) customers — mainly U.S. government agencies and emergency first responders. On Nov. 9, Kiberphant0m posted a sales thread on BreachForums offering a “SIM-swapping” service targeting Verizon PTT customers. In a SIM-swap, fraudsters use credentials that are phished or stolen from mobile phone company employees to divert a target’s phone calls and text messages to a device they control.

MEET ‘BUTTHOLIO’

Kiberphant0m joined BreachForums in January 2024, but their public utterances on Discord and Telegram channels date back to at least early 2022. On their first post to BreachForums, Kiberphant0m said they could be reached at the Telegram handle @cyb3rph4nt0m.

A review of @cyb3rph4nt0m shows this user has posted more than 4,200 messages since January 2024. Many of these messages were attempts to recruit people who could be hired to deploy a piece of malware that enslaved host machines in an Internet of Things (IoT) botnet.

On BreachForums, Kiberphant0m has sold the source code to “Shi-Bot,” a custom Linux DDoS botnet based on the Mirai malware. Kiberphant0m had few sales threads on BreachForums prior to the Snowflake attacks becoming public in May, and many of those involved databases stolen from companies in South Korea.

On June 5, 2024, a Telegram user by the name “Buttholio” joined the fraud-focused Telegram channel “Comgirl” and claimed to be Kiberphant0m. Buttholio made the claim after being taunted as a nobody by another denizen of Comgirl, referring to their @cyb3rph4nt0m account on Telegram and the Kiberphant0m user on cybercrime forums.

“Type ‘kiberphant0m’ on google with the quotes,” Buttholio told another user. “I’ll wait. Go ahead. Over 50 articles. 15+ telecoms breached. I got the IMSI number to every single person that’s ever registered in Verizon, Tmobile, ATNT and Verifone.”

On Sept. 17, 2023, Buttholio posted in a Discord chat room dedicated to players of the video game Escape from Tarkov. “Come to Korea, servers there is pretty much no extract camper or cheater,” Buttholio advised.

In another message that same day in the gaming Discord, Buttholio told others they bought the game in the United States, but that they were playing it in Asia.

“USA is where the game was purchased from, server location is actual in game servers u play on. I am a u.s. soldier so i bought it in the states but got on rotation so i have to use asian servers,” they shared.

‘REVERSESHELL’

The account @Kiberphant0m was assigned the Telegram ID number 6953392511. A review of this ID at the cyber intelligence platform Flashpoint shows that on January 4, 2024 Kiberphant0m posted to the Telegram channel “Dstat,” which is populated by cybercriminals involved in launching distributed denial-of-service (DDoS) attacks and selling DDoS-for-hire services [Full disclosure: Flashpoint is currently an advertiser on this website].

Immediately after Kiberphant0m logged on to the Dstat channel, another user wrote “hi buttholio,” to which Kiberphant0m replied with an affirmative greeting “wsg,” or “what’s good.” On Nov. 1, Dstat’s website dstat[.]cc was seized as part of “Operation PowerOFF,” an international law enforcement action against DDoS services.

Flashpoint’s data shows that @kiberphant0m told a fellow member of Dstat on April 10, 2024 that their alternate Telegram username was “@reverseshell,” and did the same two weeks later in the Telegram chat The Jacuzzi. The Telegram ID for this account is 5408575119.

Way back on Nov. 15, 2022, @reverseshell told a fellow member of a Telegram channel called Cecilio Chat that they were a soldier in the U.S. Army. This user also shared the following image of someone pictured waist-down in military fatigues, with a camouflaged backpack at their feet:

Kiberphant0m’s apparent alias ReverseShell posted this image on a Telegram channel Cecilio Chat, on Nov. 15, 2022. Image: Flashpoint.

In September 2022, Reverseshell was embroiled in an argument with another member who had threatened to launch a DDoS attack against Reverseshell’s Internet address. After the promised attack materialized, Reverseshell responded, “Yall just hit military base contracted wifi.”

In a chat from October 2022, Reverseshell was bragging about the speed of the servers they were using, and in reply to another member’s question said that they were accessing the Internet via South Korea Telecom.

Telegram chat logs archived by Flashpoint show that on Aug. 23, 2022, Reverseshell bragged they’d been using automated tools to find valid logins for Internet servers that they resold to others.

“I’ve hit US gov servers with default creds,” Reverseshell wrote, referring to systems with easy-to-guess usernames and/or passwords. “Telecom control servers, machinery shops, Russian ISP servers, etc. I sold a few big companies for like $2-3k a piece. You can sell the access when you get a big SSH into corporation.”

On July 29, 2023, Reverseshell posted a screenshot of a login page for a major U.S. defense contractor, claiming they had an aerospace company’s credentials to sell.

PROMAN AND VARS_SECC

Flashpoint finds the Telegram ID 5408575119 has used several aliases since 2022, including Reverseshell and Proman557.

A search on the username Proman557 at the cyber intelligence platform Intel 471 shows that a hacker by the name “Proman554” registered on Hackforums in September 2022, and in messages to other users Proman554 said they can be reached at the Telegram account Buttholio.

Intel 471 also finds the Proman557 moniker is one of many used by a person on the Russian-language hacking forum Exploit in 2022 who sold a variety of Linux-based botnet malware.

Proman557 was eventually banned — allegedly for scamming a fellow member out of $350 — and the Exploit moderator warned forum users that Proman557 had previously registered under several other nicknames, including an account called “Vars_Secc.”

Vars_Secc’s thousands of comments on Telegram over two years show this user divided their time between online gaming, maintaining a DDoS botnet, and promoting the sale or renting of their botnets to other users.

“I use ddos for many things not just to be a skid,” Vars_Secc pronounced. “Why do you think I haven’t sold my net?” They then proceeded to list the most useful qualities of their botnet:

-I use it to hit off servers that ban me or piss me off
-I used to ddos certain games to get my items back since the data reverts to when u joined
-I use it for server side desync RCE vulnerabilities
-I use it to sometimes ransom
-I use it when bored as a source of entertainment

Flashpoint shows that in June 2023, Vars_Secc responded to taunting from a fellow member in the Telegram channel SecHub who had threatened to reveal their personal details to the federal government for a reward.

“Man I’ve been doing this shit for 4 years,” Vars_Secc replied nonchalantly. “I highly doubt the government is going to pay millions of dollars for data on some random dude operating a pointless ddos botnet and finding a few vulnerabilities here and there.”

For several months in 2023, Vars_Secc also was an active member of the Russian-language crime forum XSS, where they sold access to a U.S. government server for $2,000. However, Vars_Secc would be banned from XSS after attempting to sell access to the Russian telecommunications giant Rostelecom. [In this, Vars_Secc violated the Number One Rule for operating on a Russia-based crime forum: Never offer to hack or sell data stolen from Russian entities or citizens].

On June 20, 2023, Vars_Secc posted a sales thread on the cybercrime forum Ramp 2.0 titled, “Selling US Gov Financial Access.”

“Server within the network, possible to pivot,” Vars_Secc’s sparse sales post read. “Has 3-5 subroutes connected to it. Price $1,250. Telegram: Vars_Secc.”

Vars_Secc also used Ramp in June 2023 to sell access to a “Vietnam government Internet Network Information Center.”

“Selling access server allocated within the network,” Vars_Secc wrote. “Has some data on it. $500.”

BUG BOUNTIES

The Vars_Secc identity claimed on Telegram in May 2023 that they made money by submitting reports about software flaws to HackerOne, a company that helps technology firms field reports about security vulnerabilities in their products and services. Specifically, Vars_Secc said they had earned financial rewards or “bug bounties” from reddit.com, the U.S. Department of Defense, and Coinbase, among 30 others.

“I make money off bug bounties, it’s quite simple,” Vars_Secc said when asked what they do for a living. “That’s why I have over 30 bug bounty reports on HackerOne.”

A month before that, Vars_Secc said they’d found a vulnerability in reddit.com.

“I poisoned Reddit’s cache,” they explained. “I’m going to exploit it further, then report it to reddit.”

KrebsOnSecurity sought comment from HackerOne, which said it would investigate the claims. This story will be updated if they respond.

The Vars_Secc Telegram handle also has claimed ownership of the BreachForums member “Boxfan,” and Intel 471 shows Boxfan’s early posts on the forum had the Vars_Secc Telegram account in their signature. In their most recent post to BreachForums in January 2024, Boxfan disclosed a security vulnerability they found in Naver, the most popular search engine in South Korea (according to statista.com). Boxfan’s comments suggest they have strong negative feelings about South Korean culture.

“Have fun exploiting this vulnerability,” Boxfan wrote on BreachForums, after pasting a long string of computer code intended to demonstrate the flaw. “Fuck you South Korea and your discriminatory views. Nobody likes ur shit kpop you evil fucks. Whoever can dump this DB [database] congrats. I don’t feel like doing it so I’ll post it to the forum.”

The many identities tied to Kiberphant0m strongly suggest they are or until recently were a U.S. Army soldier stationed in South Korea. Kiberphant0m’s alter egos never mentioned their military rank, regiment, or specialization.

However, it is likely that Kiberphant0m’s facility with computers and networking was noticed by the Army. According to the U.S. Army’s website, the bulk of its forces in South Korea reside within the Eighth Army, which has a dedicated cyber operations unit focused on defending against cyber threats.

On April 1, 2023, Vars_Secc posted to a public Telegram chat channel a screenshot of the National Security Agency’s website. The image indicated the visitor had just applied for some type of job at the NSA.

A screenshot posted by Vars_Secc on Telegram on April 1, 2023, suggesting they just applied for a job at the National Security Agency.

The NSA has not yet responded to requests for comment.

Reached via Telegram, Kiberphant0m acknowledged that KrebsOnSecurity managed to unearth their old handles.

“I see you found the IP behind it no way,” Kiberphant0m replied. “I see you managed to find my old aliases LOL.”

Kiberphant0m denied being in the U.S. Army or ever being in South Korea, and said all of that was a lengthy ruse designed to create a fictitious persona. “Epic opsec troll,” they claimed.

Asked if they were at all concerned about getting busted, Kiberphant0m called that an impossibility.

“I literally can’t get caught,” Kiberphant0m said, declining an invitation to explain why. “I don’t even live in the USA Mr. Krebs.”

Below is a mind map that hopefully helps illustrate some of the connections between and among Kiberphant0m’s apparent alter egos.

A mind map of the connections between and among the identities apparently used by Kiberphant0m. Click to enlarge.

KrebsOnSecurity would like to extend a special note of thanks to the New York City based security intelligence firm Unit 221B for their assistance in helping to piece together key elements of Kiberphant0m’s different identities.




Broadcom turns VMware into a prolific money-making machine • The Register


Broadcom has told investors its integration of VMware is all but done, ahead of schedule, and that it has turned the virtualization giant into an even more prolific money machine than it hoped would be possible.

Speaking on the giant conglomerate’s Q4 2024 earnings call today, Broadcom CEO Hock Tan told investors VMware’s quarterly costs have fallen from an average $2.4 billion to $1.2 billion in this quarter, and margins have gone from below 30 percent to 70 percent. He didn’t break out Virtzilla’s revenue, and said Broadcom won’t do so again. But he did use two other metrics to describe VMware’s progress: processor cores covered by new subscription sales and annual booking value (ABV).

The latter, which measures the value of future revenue from subscriptions, saw $2.7 billion worth of deals done in the quarter – up $200 million from Q3. Tan revealed VMware sold subs for 21 million processor cores in the quarter – up from 19 million in Q3.

The CEO also told investors that 17 million of those newly-sold cores will be used to run the flagship private cloud suite VMware Cloud Foundation (VCF), and that 4,500 of Broadcom’s top 10,000 VMware customers have signed up for VCF since the acquisition.

Full-year revenue for Broadcom’s software division hit $21.5 billion, up from $7.6 billion for FY 2023 – an increase of $13.8 billion. VMware’s last full year of revenue as an independent company was $13.4 billion, and Broadcom did not own the virty giant for a few weeks of its FY 2024 and therefore can’t count a few hundred million dollars of revenue. The Register also feels safe in assuming that the other parts of Broadcom’s software biz – CA and Symantec – are not growing fast, if at all.

It therefore looks a lot like VMware revenue is growing and Broadcom’s strategy is working.

Tan’s remarks about margin improvement suggest as much. He followed them with a prediction that Broadcom’s planned $8.5 billion EBITDA growth for VMware would be achieved in a tighter time frame than the three years initially forecast – and that further improvements are achievable.

With that kind of prediction on record during an earnings call – wherein execs are encouraged to be conservative in forward statements – VMware customers surely have a clear signal Broadcom won’t need to change its plans, which bring increased costs to most customers.

Chipping away at hyperscalers

Tan offered investors two other forecasts for Broadcom’s silicon business, which he noted now needs to be discussed in AI-adjacent and non-AI segments.

The CEO told investors Broadcom sees huge growth ahead from hyperscale customers of its XPU accelerators and associated networking gear. Three existing hyperscale customers intend to use Broadcom kit to build million-XPU clusters – an addressable opportunity worth between $60 and $90 billion in 2027. Tan asserted that Broadcom is “very well positioned to achieve leading market share in this opportunity.”

He also revealed Broadcom is talking to another pair of hyperscalers about custom accelerators that will use its IP – meaning more big opportunities lie ahead. The CEO celebrated hyperscalers’ interest in Broadcom’s wares as a sign that Ethernet is in favor – an important observation given Nvidia’s fondness for InfiniBand.

Tan also pledged that Broadcom’s next-generation XPUs, built on a 3nm process, will debut in the second half of 2025. Tan claimed they’ll be the first products in the field built at 3nm.

AI silicon is powering growth for Broadcom’s chip division, which earned $8.2 billion – up 12 percent year on year. AI-related sales grew 150 percent year on year to $3.7 billion, while other products were down 23 percent to $4.5 billion. Tan noted that non-AI chips have come out of a slump and will recover.

Which brings us to those two forecasts: Tan predicted non-AI silicon sales will slip by “mid-teens” in Q1 of 2025, while AI chips grow by 65 percent.

Broadcom remains in rude health. Quarterly revenue of $14 billion represented a 51 percent year-on-year leap, and annual revenue of $51.5 billion was up an impressive 44 percent. Net income for the full year was $5.9 billion – a drop of $8.2 billion – but free cashflow is strong, and Tan declared Broadcom will use it to pay down the debt it used to acquire VMware.

He also revealed that Broadcom is quietly looking for other software acquisitions, but has strict demands for target prey. He did not suggest any purchases are imminent.

Investors liked what they heard: Broadcom’s share price jumped 15 percent in after hours trading. ®




Cybercriminal marketplace Rydox seized in international law enforcement operation


The Justice Department announced Thursday that it had participated in a coordinated effort to seize and dismantle Rydox, an online marketplace for stolen personal information and cybercrime tools. The operation led to the arrest of three individuals alleged to be the site’s administrators.

Rydox has been linked to over 7,600 illicit sales and generated substantial profits since its inception in 2016. Authorities reported the site’s revenue exceeded $230,000, primarily sourced from selling sensitive data such as credit card information, login credentials, and other PII stolen from thousands of U.S. residents. The site has offered for sale at least 321,372 cybercrime products to over 18,000 users.

The operation was carried out by the FBI’s Pittsburgh Office, Albania’s Special Anti-Corruption Body (SPAK) and its National Bureau of Investigation (BKH), the Kosovo Special Prosecution Office, the Kosovo Police, and the Royal Malaysian Police.

Kosovo nationals Ardit Kutleshi, 26, and Jetmir Kutleshi, 28, were apprehended in Kosovo. They will be extradited to the Western District of Pennsylvania to face multiple charges, including identity theft and money laundering. A third man, Shpend Sokoli, also from Kosovo, was detained in Albania. Sokoli will be prosecuted in Albania.

The domain, Rydox.cc, and its associated servers were seized in Kuala Lumpur, Malaysia. Additionally, U.S. authorities seized approximately $225,000 in cryptocurrency linked to the defendants.

Eric Olshan, U.S. Attorney for the Western District of Pennsylvania, said in a release that despite these cases being a concerted, multi-national law enforcement effort, the “harms can be devastatingly local.”

Thursday’s “takedown reinforces our steadfast message that the Western District of Pennsylvania and our domestic and international law enforcement partners will use every available tool to hold accountable those who pursue illicit profit at the expense of ordinary citizens around the world,” Olshan said. 


Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.




336K Prometheus Instances Exposed to DoS, ‘Repojacking’


Researchers have discovered hundreds of thousands of servers running Prometheus open source monitoring software on the open Web are exposing passwords, tokens, and opportunities for denial of service (DoS) and remote code execution.

As a leader among open source observability tools, Prometheus is used widely by organizations to monitor the performance of their applications and cloud infrastructure. But it comes with a catch: As noted in its documentation, “It is presumed that untrusted users have access to the Prometheus HTTP endpoint and logs. They have access to all time series information contained in the database, plus a variety of operational/debugging information.”

Apparently, a whole lot of users either aren’t aware of the ways in which Prometheus is exposed by default, or don’t realize the value of the data that’s exposed along the way. Using Shodan, researchers from Aqua Nautilus discovered more than 40,000 exposed Prometheus servers, and more than 296,000 exposed “exporters,” which the program uses to collect data from monitored endpoints. The researchers found sensitive data in those servers and exporters, and opportunities for “repojacking” and DoS attacks.

What Prometheus Exposes

On first impression, the data Prometheus collects might seem rather bland: application performance metrics, metrics associated with particular cloud tools, CPU, memory, and disk usage, for example.

“We think that it’s only statistics — it’s only information about the health of the system. That’s the problem,” says Assaf Morag, director of threat intelligence at Aqua Nautilus. Probing the data from the perspective of an attacker reveals all kinds of information that could lubricate cyberattacks.

“We noticed that we can actually see plaintext passwords and tokens, and API addresses of internal locations that should be kept hidden,” Morag says. For example, he found one exposed and unauthenticated instance of Prometheus belonging to Skoda Auto, the Czech automobile manufacturer, which revealed some of the company’s subdomains, and Docker registries and images.
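The triage pass Morag describes can be automated in a few lines. The following is an added example, not Aqua Nautilus tooling or Prometheus project code: it parses the Prometheus text exposition format that an exposed exporter or the /federate endpoint returns and flags label values that carry credentials in URLs, match well-known token formats, or point at internal hostnames. The sample output, the token value and the hostnames in it are constructed, and the patterns are illustrative rather than exhaustive.

```python
import re

# Constructed sample of Prometheus text-exposition output, as an exposed
# exporter or the /federate endpoint would return it. Every value is made up.
SAMPLE_METRICS = """\
# HELP up Whether the last scrape succeeded.
# TYPE up gauge
up{instance="10.0.4.12:9100",job="node"} 1
http_requests_total{handler="/api/v1/query",code="200"} 1027
db_connection_info{dsn="postgres://svc:Sup3rS3cret@db.internal:5432/app"} 1
app_config{api_token="ghp_4fWz9vxTbq2mNkp1e0c3yHdR7uJsXQaLo8ei",env="prod"} 1
build_info{version="2.53.0",internal_url="http://vault.corp.internal:8200"} 1
"""

# One sample line: metric name, optional {labels}, value, optional timestamp.
_SAMPLE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(\{(.*)\})?\s+\S+(\s+\S+)?$')
# One label pair; the value may contain backslash-escaped quotes.
_LABEL = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')

# Label names that usually carry credentials.
_SENSITIVE_NAME = re.compile(r'(pass(word)?|pwd|secret|token|api_?key|auth|cred)', re.I)
# A URL with userinfo: scheme://user:password@host
_URL_CREDS = re.compile(r'^[a-zA-Z][a-zA-Z0-9+.-]*://[^/\s:@]+:[^/\s@]+@')
# Well-known credential prefixes: GitHub PAT, AWS access key id, Slack token.
_KNOWN_TOKEN = re.compile(r'^(ghp_[A-Za-z0-9]{20,}|AKIA[A-Z0-9]{16}|xox[bps]-[A-Za-z0-9-]+)')
# Hostnames that only resolve on an internal network.
_INTERNAL_HOST = re.compile(r'://[^/\s]*\.(internal|corp|local|lan|intranet)(:\d+)?(/|$)')


def parse_exposition(text):
    """Yield (metric_name, {label: value}) for every sample line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _SAMPLE.match(line)
        if not m:
            continue
        labels = dict(_LABEL.findall(m.group(3) or ''))
        yield m.group(1), labels


def classify_label(name, value):
    """Return the reasons a label looks sensitive (empty list if it does not)."""
    reasons = []
    if _SENSITIVE_NAME.search(name):
        reasons.append('sensitive label name')
    if _URL_CREDS.match(value):
        reasons.append('credentials embedded in URL')
    if _KNOWN_TOKEN.match(value):
        reasons.append('known token format')
    if _INTERNAL_HOST.search(value):
        reasons.append('internal endpoint')
    return reasons


def scan_exposition(text):
    """Return [(metric, label, reason), ...] for every suspicious label."""
    findings = []
    for metric, labels in parse_exposition(text):
        for name, value in labels.items():
            for reason in classify_label(name, value):
                findings.append((metric, name, reason))
    return findings


if __name__ == '__main__':
    for metric, label, reason in scan_exposition(SAMPLE_METRICS):
        print(f'{metric}{{{label}}}: {reason}')
```

Point it at the output of `curl http://host:9100/metrics` (or at `/api/v1/targets` on the server, whose discovered labels are exposed the same way) to see what an unauthenticated visitor learns about your environment before deciding whether the instance belongs on the open Web.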

Besides exposing secrets, open Web Prometheus servers and exporters also carry a risk of DoS. There’s the ‘/debug/pprof’ endpoint, for example, which exposes Go runtime profiling data for the running process and is enabled by default in most Prometheus components. In their testing, the researchers demonstrated that they could overload the endpoint to disrupt communications or outright crash Amazon Web Services Elastic Compute Cloud (AWS EC2) instances or Kubernetes pods.

“The result was conclusive: We ended up stopping virtual machines each time we ran our script,” Morag reports. To drive home the significance of such an attack scenario, he jokes, “I read somewhere that Kubernetes clusters run in fighter jets. I don’t think that they are exposed to the Internet, but [it goes to show] we run Kubernetes in lots of places today.”

Repojacking Opportunities in Prometheus

Users can protect their Prometheus servers and exporters by taking them offline, or at least adding a layer of authentication to keep out prying eyes. And, of course, there are tools designed to mitigate DoS risks.
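As an added illustration of that layer of authentication (this is not configuration from the article or from Aqua’s report), Prometheus and the exporters built on its exporter-toolkit accept a web configuration file through the `--web.config.file` flag that turns on TLS and HTTP basic auth for the listener; the scraping server then presents those credentials in its scrape job. The file paths, the user name and the target address below are hypothetical, and the bcrypt hash is a placeholder to be generated locally.

```yaml
# web.yml: passed to prometheus, node_exporter and other exporter-toolkit
# binaries as --web.config.file=web.yml (hypothetical paths).
tls_server_config:
  cert_file: /etc/prometheus/tls/server.crt
  key_file: /etc/prometheus/tls/server.key
basic_auth_users:
  # Placeholder: generate the hash with  htpasswd -nBC 10 scraper
  scraper: "$2y$10$REPLACE_WITH_BCRYPT_HASH"
---
# prometheus.yml (scrape side): use TLS and send the same credentials.
scrape_configs:
  - job_name: node
    scheme: https
    basic_auth:
      username: scraper
      password_file: /etc/prometheus/secrets/node_exporter.pw
    static_configs:
      - targets: ['10.0.4.12:9100']
```

With this in place the /metrics, /debug/pprof and API endpoints all sit behind the same authentication, which addresses both the data exposure and the unauthenticated DoS surface discussed above; binding the listener to an internal interface, or fronting it with a reverse proxy, remains the safer default.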

Less easily solved is a third issue in the platform: Several of its exporters were found vulnerable to repojacking attacks.

The opportunity for repojacking can occur whenever a developer changes or deletes their account on GitHub and doesn’t perform a namespace retirement. Simply, an attacker registers the developer’s old username, then plants malware under the same title as the developer’s old, legitimate projects. Then any projects that reference this repository but aren’t updated with the correct redirect link can end up ingesting the malicious copycat.

Prometheus’ official documentation referenced several exporters associated with freely claimable usernames, meaning that any attacker could have stepped in and taken advantage to perform remote code execution. Aqua Nautilus reported the issue to Prometheus, and it has since been addressed.

Repojacking opportunities are likely far more widespread than is realized, Morag emphasizes, so organizations need to be monitoring any discrepancies between the projects they rely on and the links they follow to access them. “It’s not that difficult,” he says. “But if you’re doing it for millions of open source projects, that’s where the problem starts. If you use an automated [scanning tool], you could be safe.”
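The monitoring Morag recommends boils down to one observable: when a GitHub owner has been renamed or deleted, GitHub answers a request for the old `owner/repo` with a redirect to the new location, and the old namespace is what an attacker would register. The following is an added example, not Aqua’s or Prometheus’s code, that performs that check for a list of repository references without following the redirect, so the original owner and the redirect target can be compared. The responses it runs against are constructed so it works offline; drop the `head=fake_head` argument to query GitHub for real.

```python
import re
import urllib.request
from urllib.error import HTTPError

# Matches a GitHub repository URL and captures owner and repo.
_GITHUB = re.compile(
    r'https?://github\.com/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+?)(?:\.git)?(?:[/#?].*)?$')


def github_owner_repo(url):
    """Return (owner, repo) in lower case, or None if this is not a GitHub repo URL."""
    m = _GITHUB.match(url.strip())
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower()


def head_no_redirect(url):
    """Issue one HEAD request and return (status, Location) without following redirects."""
    class _NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # refuse to follow: the redirect itself is the signal
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method='HEAD')
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get('Location')
    except HTTPError as err:  # raised for 3xx once redirects are refused, and for 404
        return err.code, err.headers.get('Location')


def check_reference(url, head=head_no_redirect):
    """Classify one repository reference.

    'redirected': GitHub forwards to a different owner/repo, so the owner named
                  in the reference was renamed or deleted and the old namespace
                  may be free for an attacker to register.
    'missing':    404, the repository no longer exists at all.
    'ok':         served directly by the referenced owner.
    'not-github': not a GitHub URL, nothing to check here.
    """
    ref = github_owner_repo(url)
    if ref is None:
        return 'not-github', None
    status, location = head(url)
    if status in (301, 302, 307, 308) and location:
        target = github_owner_repo(location)
        if target and target != ref:
            return 'redirected', location
    if status == 404:
        return 'missing', None
    return 'ok', None


# Constructed responses standing in for GitHub so the example runs offline.
# The owner and repository names are hypothetical.
CONSTRUCTED_RESPONSES = {
    'https://github.com/oldowner/foo_exporter': (301, 'https://github.com/neworg/foo_exporter'),
    'https://github.com/gone/bar_exporter.git': (404, None),
    'https://github.com/prometheus/node_exporter': (200, None),
}


def fake_head(url):
    return CONSTRUCTED_RESPONSES.get(url, (200, None))


if __name__ == '__main__':
    for url in CONSTRUCTED_RESPONSES:
        print(url, '->', check_reference(url, head=fake_head))
```

A `redirected` result is the moment to update the reference to the new owner (or, better, to pin it to a commit hash), because once the old account name is re-registered and a repository of the same name is created there, GitHub stops redirecting and the reference silently resolves to whatever the new registrant published.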




New stealthy Pumakit Linux rootkit malware spotted in the wild


A new Linux rootkit malware called Pumakit has been discovered that uses stealth and advanced privilege escalation techniques to hide its presence on systems.

The malware is a multi-component set that includes a dropper, memory-resident executables, a kernel module rootkit, and a shared object (SO) userland rootkit.

Elastic Security discovered Pumakit in a suspicious binary (‘cron’) upload on VirusTotal, dated September 4, 2024, and reported having no visibility into who uses it and what it targets.

Generally, these tools are used by advanced threat actors targeting critical infrastructure and enterprise systems for espionage, financial theft, and disruption operations. 

The Pumakit

Pumakit employs a multi-stage infection process starting with a dropper named ‘cron,’ which executes embedded payloads (‘/memfd:tgt’ and ‘/memfd:wpn’) entirely from memory.

The ‘/memfd:wpn’ payload, which executes in a child process, performs environment checks and kernel image manipulation and eventually deploys the LKM rootkit module (‘puma.ko’) into the system kernel.

Embedded within the LKM rootkit is Kitsune SO (‘lib64/libs.so’), acting as the userland rootkit that injects itself into processes using ‘LD_PRELOAD’ to intercept library calls in user space.

Pumakit infection chain. Source: Elastic Security

Stealthy privilege escalation

The rootkit follows a conditional activation, checking for specific kernel symbols, secure boot status, and other prerequisites before loading.

Elastic says Puma relies on the ‘kallsyms_lookup_name()’ function to resolve kernel symbols and manipulate system behavior. This indicates the rootkit was designed to target only Linux kernels before version 5.7, as newer versions no longer export that function to loadable kernel modules.

“The LKM rootkit’s ability to manipulate system behavior begins with its use of the syscall table and its reliance on kallsyms_lookup_name() for symbol resolution,” explains Elastic researchers Remco Sprooten and Ruben Groenewoud.

“Unlike modern rootkits targeting kernel versions 5.7 and above, the rootkit does not use kprobes, indicating it is designed for older kernels.”

Puma hooks 18 syscalls and multiple kernel functions using ‘ftrace,’ to gain privilege escalation, command execution, and the ability to hide processes.

Using ftrace to hook syscalls. Source: Elastic Security

The kernel functions ‘prepare_creds’ and ‘commit_creds’ are abused to modify process credentials, granting root privileges to specific processes.

Performing privilege escalation. Source: Elastic Security

The rootkit can hide its own presence from kernel logs, system tools, and antivirus, and can also hide specific files in a directory and objects from process lists.

If the hooks are interrupted, the rootkit reinitializes them, ensuring that its malicious changes aren’t reverted and the module cannot be unloaded.

The userland rootkit Kitsune SO operates in synergy with Puma, extending its stealth and control mechanisms to user-facing interactions.

It intercepts libc calls and alters the behavior of tools like ls, ps, netstat, top, htop, and cat to hide files, processes, and network connections associated with the rootkit.

It can also dynamically hide any other files and directories based on attacker-defined criteria and make malicious binaries entirely invisible to users and system admins.
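The weak point of an LD_PRELOAD layer is that it only sees what passes through the hooked library functions. The following is an added example, not Elastic’s detection logic or Pumakit code: it enumerates a directory twice, once through libc’s opendir/readdir path (which ls and Python’s `os.listdir` use, and which a preloaded library can filter) and once by calling the `getdents64` syscall directly via libc’s generic `syscall()` entry point, then reports names present in the raw listing but missing from the library one. It assumes Linux on x86_64 or aarch64 (the syscall numbers are hard-coded for those two); it does not bypass a hook installed inside the kernel, which is exactly what Pumakit’s LKM adds on top of Kitsune.

```python
import ctypes
import os
import platform
import struct

# getdents64 syscall numbers (Linux only; other architectures can be added).
SYS_GETDENTS64 = {'x86_64': 217, 'aarch64': 61}

_libc = ctypes.CDLL(None, use_errno=True)
_libc.syscall.restype = ctypes.c_long


def raw_listdir(path):
    """Enumerate a directory by invoking getdents64 directly.

    An LD_PRELOAD rootkit interposes on opendir/readdir and drops the entries
    it wants hidden; this path never calls those functions. A hook inside the
    kernel, such as the one Pumakit's LKM installs, is not bypassed here.
    """
    nr = SYS_GETDENTS64.get(platform.machine())
    if nr is None:
        raise NotImplementedError(f'no getdents64 number known for {platform.machine()}')
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    buf = ctypes.create_string_buffer(64 * 1024)
    names = []
    try:
        while True:
            n = _libc.syscall(ctypes.c_long(nr), ctypes.c_long(fd), buf, ctypes.c_size_t(len(buf)))
            if n < 0:
                err = ctypes.get_errno()
                raise OSError(err, os.strerror(err))
            if n == 0:
                break
            data = buf.raw[:n]
            off = 0
            while off < n:
                # struct linux_dirent64 { u64 d_ino; s64 d_off; u16 d_reclen;
                #                        u8 d_type; char d_name[]; }
                _ino, _doff, reclen, _dtype = struct.unpack_from('=QqHB', data, off)
                raw_name = data[off + 19:off + reclen].split(b'\0', 1)[0]
                name = raw_name.decode('utf-8', 'surrogateescape')
                if name not in ('.', '..'):
                    names.append(name)
                off += reclen
    finally:
        os.close(fd)
    return names


def hidden_entries(path):
    """Names the kernel reports but libc's readdir path does not: the
    signature of a userland rootkit filtering directory listings."""
    return sorted(set(raw_listdir(path)) - set(os.listdir(path)))


def consistent(path):
    """True when both enumeration paths agree on the directory's contents."""
    return hidden_entries(path) == [] and set(raw_listdir(path)) == set(os.listdir(path))


if __name__ == '__main__':
    for d in ('/', '/etc', '/tmp', '/usr/lib', '/usr/lib64'):
        if os.path.isdir(d):
            print(d, hidden_entries(d) or 'clean')
```

Run it from a statically linked Python or after clearing `LD_PRELOAD` and `/etc/ld.so.preload` if you suspect the interpreter itself is affected; a non-empty result for a directory nothing else is writing to is a strong indicator, and the same comparison works for process lists by reading `/proc` with `raw_listdir` and comparing against `ps`.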

Kitsune SO also handles all communications with the command and control (C2) server, relaying commands to the LKM rootkit and transmitting configuration and system info to the operators.

Besides file hashes, Elastic Security has published a YARA rule to help Linux system administrators detect Pumakit attacks.


