Hackers steal ZAGG customers’ credit cards in third-party breach


ZAGG Inc. is informing customers that their credit card data has been exposed to unauthorized individuals after hackers compromised a third-party application provided by the company’s e-commerce provider, BigCommerce.

ZAGG is a consumer electronics accessories maker known for its mobile accessories, such as screen protectors, phone cases, keyboards, and power banks. The Utah-based company has an annual revenue of $600 million.

According to the letter sent to impacted individuals, the attacker breached the FreshClick app provided by BigCommerce and injected malicious code that stole shoppers’ card details.

“We learned that an unknown actor injected into the FreshClick app malicious code that was designed to scrape credit card data entered as part of the checkout process for certain ZAGG.com customer transactions between October 26, 2024 and November 7, 2024.” – ZAGG

BigCommerce is an Austin-based software-as-a-service (SaaS) e-commerce platform provider that serves a diverse range of businesses, from small enterprises to large corporations, across various industries and regions.

FreshClick is a third-party app that helps create applications and responsive websites for the BigCommerce platform. It is designed to enhance the functionality of electronic stores and improve customer experience.

Although FreshClick isn’t developed directly by BigCommerce, it is offered through the platform’s app marketplace, which is a curated space for merchants to find and install add-ons for their shops.

In a statement for BleepingComputer, BigCommerce emphasized that its own systems were not breached or compromised. Using internal tools, BigCommerce discovered that the FreshClick app had been hacked and uninstalled it from its customers’ stores.

“Using our internal tools and in communication with the partner, we verified the third-party FreshClicks App was compromised. Acting in the best interest of our customers and their shoppers, we immediately uninstalled the app in their stores, which removed any compromised APIs and malicious code” – BigCommerce

As a result of this data breach, the attacker stole names, addresses, and payment card data belonging to shoppers at zagg.com between October 26 and November 7, 2024.

In response to this incident, ZAGG implemented remediation measures, notified federal law enforcement and regulators, and arranged for impacted individuals to receive a free-of-charge, 12-month credit monitoring service through Experian.

Letter recipients were also advised to monitor financial account activity closely, place fraud alerts, and consider placing a credit freeze.

ZAGG has not disclosed yet how many customers were impacted by this security breach.

BigCommerce’s store currently lists six add-ons created by FreshClick, which collectively have 178 reviews. However, the compromised plugin may have been temporarily removed.


Over 80% of Targets Found in Russia


Dec 27, 2024 | Ravie Lakshmanan | Cyber Attack / Data Theft


The threat actor known as Cloud Atlas has been observed using a previously undocumented malware called VBCloud as part of its cyber attack campaigns targeting “several dozen users” in 2024.

“Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code,” Kaspersky researcher Oleg Kupreev said in an analysis published this week.

More than 80% of the targets were located in Russia. A lesser number of victims have been reported from Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.

Also referred to as Clean Ursa, Inception, Oxygen, and Red October, Cloud Atlas is an unattributed threat activity cluster that has been active since 2014. In December 2022, the group was linked to cyber attacks aimed at Russia, Belarus, and Transnistria that deployed a PowerShell-based backdoor called PowerShower.


Then exactly a year later, Russian cybersecurity company F.A.C.C.T. revealed that various entities in the country were targeted by spear-phishing attacks that exploited an old Microsoft Office Equation Editor flaw (CVE-2017-11882) to drop a Visual Basic Script (VBS) payload responsible for downloading an unknown next-stage VBS malware.

Kaspersky’s latest report reveals that these components are part of what it calls VBShower, which is then used to download and install PowerShower as well as VBCloud.

The starting point of the attack chain is a phishing email that contains a booby-trapped Microsoft Office document that, when opened, downloads a malicious template formatted as an RTF file from a remote server. It then abuses CVE-2018-0802, another flaw in the Equation Editor, to fetch and run an HTML Application (HTA) file hosted on the same server.

“The exploit downloads the HTA file via the RTF template and runs it,” Kupreev said. “It leverages the alternate data streams (NTFS ADS) feature to extract and create several files at %APPDATA%\Roaming\Microsoft\Windows\. These files make up the VBShower backdoor.”

These include a launcher, which acts as a loader by extracting and running the backdoor module in memory. The other VB Script is a cleaner that takes care of erasing the contents of all files inside the “\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\” folder, in addition to its own contents and those of the launcher, thereby covering up evidence of the malicious activity.

The VBShower backdoor is designed to retrieve additional VBS payloads from the command-and-control (C2) server. These payloads come with capabilities to reboot the system; gather information about files in various folders, names of running processes, and scheduler tasks; and install PowerShower and VBCloud.

PowerShower is analogous to VBShower in functionality, the chief difference being that it downloads and executes next-stage PowerShell scripts from the C2 server. It’s also equipped to serve as a downloader for ZIP archive files.

As many as seven PowerShell payloads have been observed by Kaspersky. Each of them carries out a distinct task as follows –

  • Get a list of local groups and their members on remote computers via Active Directory Service Interfaces (ADSI)
  • Conduct dictionary attacks on user accounts
  • Unpack the ZIP archive downloaded by PowerShower and execute a PowerShell script contained within it in order to carry out a Kerberoasting attack, which is a post-exploitation technique for obtaining credentials for Active Directory accounts
  • Get a list of administrator groups
  • Get a list of domain controllers
  • Get information about files inside the ProgramData folder
  • Get the account policy and password policy settings on the local computer

VBCloud also functions a lot like VBShower, but utilizes a public cloud storage service for C2 communications. It is triggered by a scheduled task every time the victim user logs into the system.

The malware is equipped to harvest information about disks (drive letter, drive type, media type, size, and free space), system metadata, files and documents matching extensions DOC, DOCX, XLS, XLSX, PDF, TXT, RTF, and RAR, and files related to the Telegram messaging app.

“PowerShower probes the local network and facilitates further infiltration, while VBCloud collects information about the system and steals files,” Kupreev said. “The infection chain consists of several stages and ultimately aims to steal data from victims’ devices.”
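To show what the chain described above looks like from a defender's side, here is an added example (not from Kaspersky's report or this article) that runs three detection rules over constructed, Sysmon-style file-creation and scheduled-task events: an Office or Equation Editor process, or mshta.exe, writing a script file under the AppData\Roaming\Microsoft\Windows\ folder the report names, a file written through an NTFS alternate data stream, and a logon-triggered scheduled task that launches a VBS through a script host. The event field names and the sample paths are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry), loosely modelled on Sysmon
# FileCreate (EventID 11) records and scheduled-task creation records. The
# field names "type", "image", "target", "trigger" and "action" are assumptions.
SAMPLE_EVENTS = [
    # Equation Editor (the process that hosts the CVE-2018-0802 flaw) writing
    # an HTA into the user's Roaming\Microsoft\Windows folder
    {"type": "FileCreate",
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\update.hta"},
    # mshta.exe extracting a VBS through an alternate data stream (":payload")
    {"type": "FileCreate",
     "image": r"C:\Windows\System32\mshta.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\launcher.vbs:payload"},
    # a scheduled task that runs a VBS at every logon, the persistence the
    # report attributes to VBCloud
    {"type": "TaskCreate",
     "task": r"\Microsoft\Windows\Maintenance\Sync",
     "trigger": "LogonTrigger",
     "action": r"wscript.exe //B C:\Users\alice\AppData\Roaming\Microsoft\Windows\cloud.vbs"},
    # benign: Word writing its own temp file (no script extension, no ADS)
    {"type": "FileCreate",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.tmp"},
    # benign: time-triggered admin task running PowerShell
    {"type": "TaskCreate", "task": r"\Backup\Nightly", "trigger": "TimeTrigger",
     "action": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# Processes that have no business writing script files into the user profile
OFFICE_AND_HTA_HOSTS = {"winword.exe", "eqnedt32.exe", "mshta.exe"}
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".hta", ".js", ".ps1"}
# Lower-cased form of the drop folder named in the report (%APPDATA% resolves
# to the Roaming profile directory)
DROP_DIR_MARKER = "\\appdata\\roaming\\microsoft\\windows\\"
SCRIPT_HOST_RE = re.compile(r"\b(wscript|cscript)\.exe\b.*\.vbs\b", re.IGNORECASE)


def split_ads(path: str):
    """Return (file_path, stream_name); a colon after the drive letter marks an NTFS ADS."""
    start = 2 if re.match(r"^[A-Za-z]:", path) else 0
    idx = path.find(":", start)
    if idx == -1:
        return path, None
    return path[:idx], path[idx + 1:]


def check_file_create(event):
    findings = []
    image = PureWindowsPath(event["image"]).name.lower()
    file_path, stream = split_ads(event["target"])
    suffix = PureWindowsPath(file_path).suffix.lower()
    if stream is not None:
        findings.append("ads_write")
    if image in OFFICE_AND_HTA_HOSTS and suffix in SCRIPT_EXTENSIONS \
            and DROP_DIR_MARKER in file_path.lower():
        findings.append("script_dropped_by_office_or_hta")
    return findings


def check_task_create(event):
    if event.get("trigger") == "LogonTrigger" and SCRIPT_HOST_RE.search(event.get("action", "")):
        return ["logon_task_runs_vbs"]
    return []


def analyze(events):
    """Run all rules; return a list of (event_index, rule_name) hits."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "FileCreate":
            rules = check_file_create(ev)
        elif ev["type"] == "TaskCreate":
            rules = check_task_create(ev)
        else:
            rules = []
        hits.extend((i, r) for r in rules)
    return hits


def chain_observed(events):
    """True when both a dropped script and a logon-persisted VBS are seen on the
    same host, the combination the report describes for VBShower then VBCloud."""
    rules = {r for _, r in analyze(events)}
    return "script_dropped_by_office_or_hta" in rules and "logon_task_runs_vbs" in rules


if __name__ == "__main__":
    for idx, rule in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print("full chain observed:", chain_observed(SAMPLE_EVENTS))
```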



How LockBit and ALPHV’s takedowns fueled RansomHub’s rise • The Register


RansomHub, the ransomware collective that emerged earlier this year, quickly gained momentum, outpacing its criminal colleagues and hitting its victims especially hard. The group named and shamed hundreds of organizations on its leak site, while demanding exorbitant payments across various industries.

The group, a suspected Knight rebrand, first appeared in February and quickly picked up out-of-work affiliates from LockBit following that crew’s law enforcement takedown around the same time. RansomHub also eagerly filled the void left by ALPHV/BlackCat after that group’s widely reported exit scam in March – bragging about recruiting affiliates from both defunct groups via TOX and cyber crime forums.

By August, just six months after setting up shop, RansomHub had claimed 210 victims and drawn the attention of the FBI, CISA, and other government agencies gunning for cyber criminals. Its victims allegedly include auction house Christie’s, Frontier Communications, US pharmacy chain Rite Aid, Planned Parenthood, and Delaware public libraries, among many others.

Its brand of malware has since become the encryptor of choice for Scattered Spider and other sophisticated criminals, and the gang posted a record-high 98 victims on its leak site in November. 

But, as other prolific digital thieves – including Scattered Spider – have learned, a string of high-profile attacks paints a very large target on the group and its affiliates. While it’s much more difficult to apprehend ransomware crooks who are given safe harbor by Russian prosecutors, even cyber criminals take holidays – and sometimes, the cops are waiting to make arrests during those moments.

‘Most active and significant’ ransomware threat

“I don’t want to put RansomHub up on a pedestal. They are an opportunistic group,” Michael McPherson, SVP of Security Operations at ReliaQuest, told The Register. “But they were smart to make this landgrab when they did. It will be interesting to see how long they can keep this run going.”

During its brief tenure, the Russia-linked group has made a name for itself as “the current most active and significant threat in ransomware activity,” according to an October 30 report from ReliaQuest, which called the gang the most dominant ransomware group during the third quarter of 2024.

“It’s an interesting group that did have a meteoric rise and almost seems to come out of nowhere,” conceded McPherson, a former FBI special agent. “There was an obvious effort for RansomHub to gain affiliates. They’re very, I would say, generous in their model and advertising a 90–10 split.”

This means the affiliates who pull off the attack may keep 90 percent of the extortion payment while the ransomware operators receive 10 percent. An 80–20 or 70–30 split is more common among these crime crews, so the higher payout makes it easier for the new kids on the block to attract more workers.


“These affiliates will go where the money is, and if somebody pays more, it would be silly not to go there,” McPherson opined, adding that this business model “would feed RansomHub’s ability to go out and hit so many victims at once by having a large affiliate base.”

Additionally, RansomHub’s operators on their dark web sites like to tout transparency with their affiliates – likely an effort to build trust with fellow criminals, following ALPHV’s alleged exit scam.

“There’s marketing involved,” McPherson observed. “They are reaching out to affiliates, trying to be more of a partner with them. They’re trying to evolve and take advantage of the cyber criminal landscape to grab market share. That’s what they want.”

Crew ‘moved fast and filled a void’

Still, the group’s tactics are not unique, he noted. The group employs repurposed Knight code and double-extortion methods – which are used by most ransomware gangs today.

This involves first breaking into their victims’ network and stealing valuable files, and then encrypting the data on the network, while also extorting the orgs for massive sums of money on dark web leak sites.

“Their actual tactics are not unique, but their ability to move fast and fill a void is what makes them so noteworthy at this moment in time,” McPherson told us. “Or maybe they’re just trying to run as hard and fast as they can, because they know they’re protected where they are.”

ZeroFox analysts have also tracked RansomHub’s rise this year, and reported the group accounted for about 2 percent of all attacks in Q1, 5.1 percent in Q2, 14.2 percent in Q3, and about 20 percent in Q4.


“The greatest threat in early 2025 will very likely emanate from RansomHub,” the security firm declared [PDF] in a December 12 report that also called RansomHub “the most prominent R&DE [ransomware and data exfiltration] outfit” of 2024.

“RansomHub’s attack tempo has been on a consistent upward trajectory, accounting for approximately 20 percent of all R&DE incidents in Q4 2024,” according to the report. 

“While it is almost certain that this will plateau, there is a likely chance that the collective will continue to attract experienced affiliates and remain the most dangerous R&DE threat,” it noted.

“The way they’re conducting business, and the pace at which they’re exposing and publishing victims, is quite common with new ransomware groups,” ZeroFox VP of Intelligence Adam Darrah told The Register. “It is likely RansomHub is made up of individuals affiliated with other now-defunct or waning-in-their-influence ransomware collectives. It is not uncommon for a newer shakedown mafia to come in and to make a splash.”

The US presidential election this year also likely added to the increased attacks, added Darrah, a former CIA political analyst. 

“In the run up to a major US election, they [were] taking advantage of a community of defenders, both inside and outside the government, who are already on edge about cyber-based attacks,” he said. “Ransomware groups that have any kind of official or unofficial affiliation with a nation-state intelligence service know that publishing such a high number of victims at an increased pace, at such an alarming rate, takes away time, attention, and resources from other defensive operations.”

It’s important to note that the number of listed victims doesn’t directly equate to attacks. Victims that pay the ransom demand – or come to some sort of agreement with the criminals – may not ever see their org’s names on the criminals’ leak sites.

“When they get on a radar this quickly, that also catches the attention of very capable good guys around the world,” Darrah said. “So there’s a reason the life cycle of some of these groups is not long.”

ZeroFox’s report warns that other ransomware gangs such as Meow, Play Ransomware, and Hunters International are “very likely” to emerge as serious threats in early 2025. While it’s unknown how long RansomHub can keep up its run, one thing is clear: there’s no shortage of collectives waiting to take its place at the top of the charts. ®


Feds lay blame while Chinese telecom attack continues


The United States’ telecommunications infrastructure has been infiltrated by actors affiliated with China. Some of our nation’s most powerful leaders have been targeted — including President-elect Donald Trump and Vice President-elect JD Vance. This is one of the most severe cybersecurity incidents against telecom the United States has ever been subject to, and — worse yet — it is ongoing. 

Commonly called Salt Typhoon, actors affiliated with China have successfully gained access to at least eight of our nation’s largest communications companies. In fact, federal officials say that no networks have fully removed the threat and that individuals should rely on encrypted messaging platforms in the meantime.

Given the national security implications, one would assume that our government is rushing to secure communications and make sure something like this can’t happen again. Instead, the current administration’s response is to call for regulation and point out industry failures. For example, the Federal Communications Commission has proposed new requirements on carriers, such as expanded legal obligations, and the White House has also amplified this, saying that voluntary measures have proven inadequate. This follows similar calls for regulatory requirements and liability on industry over the past four years.

This is not the time for new regulations, and rushing to implement them would be a massive misstep. There is no shortage of existing federal agencies or authorities pertaining to cybersecurity. Instead, security teams face overlapping and even contradictory security requirements and standards. This places compliance burdens on security practitioners. For example, there have been instances where their time and resources were diverted to responding to government inquiries instead of defending networks.

During a Dec. 11 Senate Commerce Committee hearing, Sen. Ted Cruz, R-Texas, urged federal leaders not to rush new regulations and instead see how they can assist telecom companies in a time of need. That is precisely right. The first priority must be to fully understand how China gained access, what and who is impacted, short- and long-term remedies, and ultimately ensuring this does not happen again.

This is not to say there is no room for security standards and baselines. But what is currently in place should be assessed to determine if there is a way to harmonize our system. This would help security teams ultimately keep their focus on security, help cut down on critical resources being diverted elsewhere, and provide flexibility to decide what is best for their specific company. Rushing new regulations will simply exacerbate the problem and create an ever more complex patchwork of laws. Given Trump’s calls for deregulation and the creation of a Department of Government Efficiency, this is a perfect time to tackle cybersecurity.

Moving forward, there are several realities to account for.

First, no critical infrastructure sector is immune to threats like Salt Typhoon. Nation-state actors, especially China, are constantly getting more sophisticated and looking for new, easy targets. If our largest telecommunications companies faced an incident of this magnitude, then smaller critical infrastructure operators like a local water provider or hospital are certainly at risk, as are operators across all sectors, from health care to energy. This will require a continued effort to better secure critical infrastructure and more work to deter China in the first place.

Second, the federal government has a key role in supporting critical infrastructure. It is unrealistic to think critical infrastructure can defend itself alone against a nation-state actor. The federal government needs to help make the lives of critical infrastructure security teams easier and bolster the resources available to them. With Salt Typhoon in particular, the government should look internally at its own response and at how it could have been improved rather than blaming industry.

Third, we cannot neglect our technology. It is not uncommon to see outdated products embedded in our critical infrastructure or even continued use of products made by foreign adversaries. These weak spots carry cybersecurity challenges, along with national security and privacy concerns. The cost of replacing and updating technology is not trivial, and local and state restrictions make things more difficult. It is ultimately important to modernize our technology over time to best defend against advanced actors.

One thing is for certain: China and other foreign adversaries will continue to try to compromise our critical infrastructure systems and exploit our data. This makes it imperative that government and industry are truly in sync rather than pointing fingers or seeking to add new burdens in a crisis.

Brandon Pugh is the director of the R Street Institute’s cybersecurity and emerging threats team and serves as a cyber law professor in the military. Brian Harrell is a former assistant secretary for infrastructure protection at the U.S. Department of Homeland Security.

Written by Brandon Pugh and Brian Harrell


Defining & Defying Cybersecurity Staff Burnout


“A quarter of cybersecurity leaders want to quit,” hollered the headline of a study sponsored by global cybersecurity company Black Fog. While that is suggestive of stress or morale problems at the higher levels of security teams, the more alarming numbers came later in the press release, below the graphic: 45% of security leaders have used drugs or alcohol to relieve work pressure in the past year, and 69% have “withdrawn from social activities.”

That’s starting to sound more like burnout than stress.

The reason it’s important to distinguish the cause of self-destructive behavior at work is that short-term stress and burnout have different treatments and timelines. According to a journal article by Arno van Dam, 80% of people suffering short-term stress are back at work in six to 12 weeks. Burnout patients, however, take more than a year to recover; one quarter to one half of patients still haven’t recovered after two to four years.

What Is Cybersecurity Burnout?

To discern burnout, it’s helpful to have a standard definition. While the US list of maladies, Diagnostic and Statistical Manual of Mental Disorders (aka the DSM), still doesn’t include work-related burnout as a diagnosis as of version 5, the World Health Organization (WHO) sees it differently. The WHO’s alternative resource, International Statistical Classification of Diseases and Related Health Problems (aka the ICD), has a code for burnout — QD85 — and defined it in the context of work/unemployment problems:


“Burnout is a syndrome conceptualized as resulting from chronic workplace stress that has not been successfully managed. It is characterized by three dimensions: 1) feelings of energy depletion or exhaustion; 2) increased mental distance from one’s job, or feelings of negativism or cynicism related to one’s job; and 3) a sense of ineffectiveness and lack of accomplishment.”

According to the van Dam article, burnout happens when an employee buries their experience of chronic stress for years. The people who burn out are often formerly great performers, perfectionists who exhibit perseverance. But if the person perseveres in a situation where they don’t have control, they can experience the kind of morale-killing stress that, left unaddressed for months and years, leads to burnout. In such cases, “perseverance is not adaptive anymore and individuals should shift to other coping strategies like asking for social support and reflecting on one’s situation and feelings,” the article read.

“I wrestle with burnout pretty regularly, escalated thanks to neurodivergence,” says Ian Campbell, senior security operations engineer at DomainTools. Burnout is also a condition familiar to the neurodivergent, especially autistic people. Autistic burnout, a term used mostly by that community, entails chronic exhaustion, losing the use of skills, and a lowered tolerance for stimuli. The role it might play in the better-known work burnout is unknown, but the similarity of symptoms is interesting.


Campbell sees the interplay from the inside. “Autism, depression, and anxiety are a wickedly effective combination in encouraging burnout. Hyperfocus can lead to working far too much and ignoring work/life balance,” he says. “Depression and anxiety are self-perpetuating, exquisitely engineered to set up feedback cycles hard to break away from, and that can be doubly toxic around work — the depression saying things won’t get better, the anxiety pressing you to work longer, harder, be more useful and less expendable.”

Bryan Kissinger, chief information security officer (CISO) and senior VP at Trace3, adds, “People also need to have the courage to say to their managers or coworkers, ‘Hey, I need a break.’”

Handling Staff Burnout on Security Teams

“Sometimes it’s very challenging” to tell when someone’s burning out, Kissinger says. He tells the story of one employee who kept their stress to themselves until it was almost too late: “They were ready to leave because they were burning out, and I said, ‘This is the first I’ve heard about it. Can we bring on some contractors to help us moderate the workload?’”


When asked how he helps his staff fend off burnout, Kissinger describes a hands-on approach. “I audit their day. A lot of people either tend to get roped into things … or volunteer for things,” he says. “What are the one or two things that need to be done today, and what can be done Monday or later next week?”

Jill Knesek, CISO at BlackLine, has a team of about 30 people, and has a quarterly one-on-one with each of them. “I offer more if they want more, and if you want to do monthly or every six weeks, then please do,” she says. “I just try to take the time with each person on the team to make them feel important and empowered. And I know that there’s opportunities for them, even if it’s not maybe what they’re doing today.”

If a person’s team is not supportive of work/life balance, that can exacerbate the issue.

Knesek says, “I want to make sure they know that I know what they’re doing and I care about what they’re doing and I can help guide them. So they feel important, and they feel like the really important things get noticed by leadership.”

How Cyber Staff Handles Work Pressure

“Taking all my holiday was a big help,” says Terence Eden, who moved from civil service to start his own consultancy, Open Ideas, which affords him much more control over his schedule and work/life balance. “And doing it in big chunks, not just a day or two, allowed me to reset.”

Resetting from the buildup of stress is an important part of disrupting the path to burnout, as Knesek knows well. She says, “I encourage my team all the time to make sure their work-life balance is always good. Recharging your batteries is really important, and I am an important representative of that, right? So if I don’t do it and everybody says, ‘Well, Jill never takes [paid time off] but she tells us to do it. But does she really mean that? Because she’s not taking it.’”

Employees sometimes scoff at the wellness programs companies put out as an attempt to keep people healthy. “Most ‘corporate’ solutions — use this app! attend this webinar! — felt juvenile and unhelpful,” Eden says. And it does seem like many solutions fall into the same quick-fix category as home improvement hacks or dump dinner recipes.

Christina Maslach’s scholarly work attributed work stress to six main sources: workload, values, reward, control, fairness, and community. “If any are lacking or out of sync, you may be headed toward exhaustion, cynicism, and the feeling of being ineffective,” said this article presenting a two-minute burnout assessment tool.

An even quicker assessment is promised by the Matches Measure from Cindy Muir Zapata. “The graphic she offered in her paper is a six-point and eight-point spectrum of matches, from unlit, to singed, to burned, to disintegrated,” read an article on HR Dive. A worker looks at the layout of matches and picks the one that shows how burned out they feel.

But Campbell has an idea for how to handle wellness better: “So my first and strongest recommendation to everyone is this: psychotherapy.”

“Professionals will help a lot more than any quick hack to keep you running for another few weeks — therapy allows you to vent out what’s building up, gain insight on your own status and choices, and plan for future burnout occurrences,” he adds. “It doesn’t make everything magically better, but you learn the tools to keep treading water, then tools to swim against counterproductive currents, and more.”

“The time to start learning and building the tool sets is before the burnout hits, or at least before it becomes a true crisis,” he adds.

Hope in a Hopeless Place

If worse comes to worst, and burnout hits, the van Dam article found hope in the study of disaster survivors. No matter how awful the disastrous events they went through, people tend to perceive some good coming from their trauma. This post-traumatic growth falls into three categories of benefits: changes in self-perception, in relationships, and in life philosophy.

The article built on that to posit post-burnout growth as well. “Many former burnout patients report that they have learned from their burnout and that their life is better now than before their burnout,” Campbell explains. “They know better who they are and what is important to them in life; they spend more time with their friends and families; and they changed their priorities. Many former burnout patients allow themselves to enjoy life more and to be happy.”

And again, he has some advice, particularly for the neurodivergent people: hack your needs to make yourself comfortable. “There are a thousand ways to optimize your own senses, and it’s something we as a culture often fail at. Whether you’re neurodivergent, neurotypical, or something else entirely — find the best sensory augments that allow you to work, and the better we’ll all be protecting, hacking, investigating, hunting, and more.”


Customer data from 800,000 electric cars and owners exposed online


Volkswagen’s automotive software company, Cariad, exposed data collected from around 800,000 electric cars. The info could be linked to drivers’ names and reveal precise vehicle locations.

Terabytes of Volkswagen customer details in Amazon cloud storage remained unprotected for months, allowing anyone with little technical knowledge to track drivers’ movement or gather personal information.

The exposed databases include details for VW, Seat, Audi, and Skoda vehicles, with geo-location data for some of them being as precise as a few centimeters.

Precise geo-location data

Access to the car data was possible due to Cariad’s incorrect configuration in two IT applications, a company representative told BleepingComputer.

Cariad was informed of the issue on November 26 by the Chaos Computer Club (CCC), Europe’s largest association of ethical hackers, which has promoted security, privacy, and free access to information for more than 30 years.

According to German publication Spiegel, the CCC learned of the vulnerability from a whistleblower and tested the insecure access before informing those responsible at Cariad and Volkswagen and providing technical details.

In a statement to BleepingComputer, a Cariad representative said that the exposed data affected only vehicles connected to the internet and had been registered for online services.

From the nearly 800,000 vehicles exposed, the researchers found geo-location data for 460,000 cars, for some of them with an accuracy of ten centimeters.

A little over 30 vehicles were part of Hamburg police’s fleet of patrol cars, while others belonged to suspected intelligence service employees, Spiegel says.

The company said that the CCC hackers could access the data only after bypassing several security mechanisms that required significant time and technical expertise.

Additionally, because individual vehicle data was pseudonymized for privacy purposes, the hackers had to combine different data sets to associate the details with a particular user.

However, Spiegel assembled a team of IT experts and journalists who found location details collected from the cars of two German politicians, Nadja Weippert and Bundestag member Markus Grübel, using freely available software.

The tools searched for exposed Cariad assets containing files with sensitive information, which turned up a copy of a memory dump from an internal Cariad application.

Inside the memory dump, the hackers found access keys to a cloud storage instance on Amazon where Cariad stored data collected from Volkswagen Group customers' vehicles.
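
The practical lesson of the memory dump is that long-lived cloud credentials loaded into a process will surface in any heap or core dump of that process. The scanner below is an added example written for this page, not code from Cariad, the CCC, or Spiegel: it searches a byte blob for strings shaped like AWS access key IDs and then looks nearby for 40-character high-entropy strings that could be the matching secret key. The sample dump is constructed, and the key pair in it is the placeholder pair from AWS's own documentation, not a live credential. The property names and the 512-byte search window are assumptions.

```python
import math
import re
from collections import Counter

# Shape of an AWS access key ID as documented by AWS: a four-letter prefix
# ("AKIA" long-term, "ASIA" temporary) followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A secret access key is 40 characters drawn from the base64 alphabet.
SECRET_CANDIDATE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; a random 40-character secret scores well above 4, padding scores 0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_aws_credentials(blob: bytes, window: int = 512, min_entropy: float = 4.0) -> list:
    """Return every access key ID in the blob together with the high-entropy
    40-character strings found within `window` bytes of it (likely secret keys)."""
    findings = []
    for m in ACCESS_KEY_ID.finditer(blob):
        lo, hi = max(0, m.start() - window), min(len(blob), m.end() + window)
        secrets = [
            s.group(0).decode()
            for s in SECRET_CANDIDATE.finditer(blob[lo:hi])
            if shannon_entropy(s.group(0)) >= min_entropy
        ]
        findings.append(
            {"access_key_id": m.group(0).decode(), "offset": m.start(), "secret_candidates": secrets}
        )
    return findings


# Constructed stand-in for a process memory dump (assumed property names). The key
# pair is the placeholder pair from AWS's own documentation, not a live credential.
SAMPLE_DUMP = (
    b"\x00\x00db.url=jdbc:postgresql://db.internal/vehicle_telemetry\x00"
    b"aws.access_key_id=AKIAIOSFODNN7EXAMPLE\x00"
    b"aws.secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY\x00"
    b"padding=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00"
    b"\x00\x00"
)

if __name__ == "__main__":
    for f in find_aws_credentials(SAMPLE_DUMP):
        print(f"key {f['access_key_id']} at offset {f['offset']}: "
              f"{len(f['secret_candidates'])} secret candidate(s) nearby")
```

The entropy filter is what keeps the scanner useful on a real dump: 40-byte runs of base64 characters are common in serialized data, but padding and encoded text score far below a random secret. Run it over crash dumps, heap snapshots and container core files before they leave the host, and treat any hit as a credential to rotate.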

Spiegel reports that some data points referred to the longitude and latitude location of the cars when the electric motor was turned off.

“In the case of VW models and Seats, this geodata was accurate to within ten centimeters, and for Audis and Skodas to within ten kilometers and was, therefore, less problematic” – Spiegel

Most of the affected vehicles, 300,000 of them, were in Germany, but the researchers also found details about cars in Norway (80,000), Sweden (68,000), the United Kingdom (63,000), the Netherlands (61,000), France (53,000), Belgium (68,000), and Denmark (35,000).

Quick fix after responsible disclosure

Cariad told BleepingComputer that its security team reacted quickly to fix the problem and closed access the same day the CCC sent them the report.

CCC representatives confirmed for Spiegel that Cariad’s “technical team responded quickly, thoroughly and responsibly” and that the company reacted within hours of receiving the technical details.

Based on the results of its investigation, Cariad has no evidence suggesting that other parties, except the CCC hackers, had access to the exposed vehicle data or that the information had been misused by a third party.

The company also emphasizes that the CCC only had access to data collected from the vehicles and could not access the cars themselves.

Cariad says that customers of the Volkswagen Group brands can agree to use products and services that require the processing of personal data and can deactivate the option at any time.

However, the company notes that the data collected from the vehicles helps it “provide, develop, and improve digital functions” for its customers as well as create additional benefits.

“Without this data, smart, digital and personalized functions could not be provided, optimized or expanded” – Cariad

As an example, the company explains that customers’ charging behavior and habits are anonymized and help optimize future battery generations and charging software.

At the same time, the collected data is stored in the cloud in a way that protects the identity of the customer and their movement with the vehicle.

“The brands in the Volkswagen Group collect, store, transmit and use personal data exclusively within the framework of legal regulations and an existing contractual relationship, legitimate interests or explicit consent from the customer,” Cariad says.

The automotive software company also says that it employs strong data protection practices that include storing data points separately, restrictive access rights, pseudonymization, and anonymization, as well as aggregating and processing data within stated purposes.




15,000+ Four-Faith Routers Exposed to New Exploit Due to Default Credentials


Dec 28, 2024Ravie LakshmananVulnerability / Threat Intelligence


A high-severity flaw impacting select Four-Faith routers has come under active exploitation in the wild, according to new findings from VulnCheck.

The vulnerability, tracked as CVE-2024-12856 (CVSS score: 7.2), has been described as an operating system (OS) command injection bug affecting router models F3x24 and F3x36.

The severity is rated lower because exploitation requires the remote attacker to authenticate first. However, if the routers' default credentials have not been changed, the bug effectively yields unauthenticated OS command execution.

In the attack detailed by VulnCheck, the unknown threat actors have been found to leverage the router’s default credentials to trigger exploitation of CVE-2024-12856 and launch a reverse shell for persistent remote access.

The exploitation attempt originated from the IP address 178.215.238[.]91, which has been previously used in connection with attacks seeking to weaponize CVE-2019-12168, another remote code execution flaw affecting Four-Faith routers. According to threat intelligence firm GreyNoise, efforts to exploit CVE-2019-12168 have been recorded as recently as December 19, 2024.


“The attack can be conducted against, at least, the Four-Faith F3x24 and F3x36 over HTTP using the /apply.cgi endpoint,” Jacob Baines said in a report. “The systems are vulnerable to OS command injection in the adj_time_year parameter when modifying the device’s system time via submit_type=adjust_sys_time.”
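
Until a patch exists, the practical defensive move is to change the default credentials and to watch for the request shape VulnCheck describes. The detector below is an added example written for this page, not code from VulnCheck, Four-Faith or the report: it parses a raw HTTP request, picks out `/apply.cgi` calls with `submit_type=adjust_sys_time`, and flags any `adj_time_year` value that is not a plain four-digit year, additionally noting whether the client address is the source IP named in the report. The two requests it runs on are constructed samples; the test-network addresses, header layout and the other form field names are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Source IP VulnCheck associated with the exploitation attempts, per the report above.
WATCHLIST = {"178.215.238.91"}
PLAIN_YEAR = re.compile(r"\d{4}")


def parse_form(data: str) -> dict:
    """Decode application/x-www-form-urlencoded data, splitting only on '&' so a
    shell metacharacter inside a value survives into the check below."""
    params = {}
    for pair in data.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def assess_apply_cgi(raw: str, client_ip: str) -> dict:
    """Flag system-time adjustments via /apply.cgi whose adj_time_year is not a plain year."""
    result = {"watchlist_hit": client_ip in WATCHLIST}
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    if url.path != "/apply.cgi":
        return {**result, "verdict": "ignore", "reason": "not /apply.cgi"}
    params = parse_form(url.query)
    if method == "POST" and "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        for key, values in parse_form(body).items():
            params.setdefault(key, []).extend(values)
    if params.get("submit_type", [""])[0] != "adjust_sys_time":
        return {**result, "verdict": "benign", "reason": "not a system-time adjustment"}
    year = params.get("adj_time_year", [""])[0]
    if PLAIN_YEAR.fullmatch(year):
        return {**result, "verdict": "benign", "reason": "adj_time_year is a plain year"}
    return {**result, "verdict": "suspicious",
            "reason": f"adj_time_year is not a four-digit year: {year!r}"}


def form_post(body: str) -> str:
    """Build a constructed POST to /apply.cgi carrying `body` (assumed header layout)."""
    return (
        "POST /apply.cgi HTTP/1.1\r\n"
        "Host: 192.0.2.10\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )


# Constructed samples: a normal clock update and one carrying a shell metacharacter.
BENIGN_REQUEST = form_post(
    "submit_type=adjust_sys_time&adj_time_year=2024&adj_time_month=12&adj_time_day=28")
SUSPECT_REQUEST = form_post(
    "submit_type=adjust_sys_time&adj_time_year=2024%3Bid&adj_time_month=12")

if __name__ == "__main__":
    print(assess_apply_cgi(BENIGN_REQUEST, "198.51.100.23"))
    print(assess_apply_cgi(SUSPECT_REQUEST, "178.215.238.91"))
```

The same allow-list idea (the parameter must match `\d{4}` and nothing else) is what a vendor fix should enforce server-side before the value ever reaches a shell; on the detection side, pair this with an alert on any successful login using the factory credentials.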

Data from Censys shows that there are over 15,000 internet-facing devices. There is some evidence suggesting that attacks exploiting the flaw may have been ongoing since at least early November 2024.

There is currently no information about the availability of patches, although VulnCheck stated that it responsibly reported the flaw to the Chinese company on December 20, 2024. The Hacker News has reached out to Four-Faith for comment prior to the publication of this story and will update the piece if we hear back.



OpenAI lays out plans for its for-profit transformation • The Register


Amid growing competition and skyrocketing compute requirements necessary to support the next generation of AI models, OpenAI is shaking up its corporate structure – again.

The ChatGPT creator on Thursday outlined its plan to establish a public benefit corporation (PBC), which it argued would clear the way for large-scale investment that its current organizational structure hampers.

Under the new structure, OpenAI plans to convert its for-profit wing into a Delaware-based PBC, which will run and control OpenAI’s operations and business, while its non-profit arm will be responsible for hiring and directing charitable initiatives for healthcare, education, science, and other fields.

The shift reflects OpenAI’s ongoing transition away from its non-profit roots.

Since its founding in 2015, OpenAI’s status as a non-profit corporation has been rather fluid. “In those early days, we thought that progress relied on key ideas produced by top researchers and that supercomputing clusters were less important,” the ChatGPT maker explained in a blog post on Friday.

By 2019, it became clear that massive quantities of compute would be required to achieve OpenAI’s mission of advancing digital intelligence. “We would need far more compute, and therefore far more capital, than we could obtain with donations in order to pursue our mission.” And so in 2019, the AI model builder transitioned to an unorthodox structure, establishing a for-profit business controlled by the non-profit.

This structure was designed to provide capped returns to investors and employees, with any remaining profit flowing to the overarching non-profit. The change opened the door to massive shareholder investment, including Microsoft’s $1 billion investment that same year.

In the five years since this structure was enacted, the AI space has exploded, with OpenAI now facing stiff competition from rival model builders like Anthropic, Meta, and Google.

“The hundreds of billions of dollars that major companies are now investing into AI development show what it will really take for OpenAI to continue pursuing the mission,” the blog post explained. “We once again need to raise more capital than we’d imagined. Investors want to back us, but at this scale of capital, need conventional equity and less structural bespokeness.”

In other words: OpenAI’s corporate structure has become inconvenient given the competitive landscape, and so once again, it’s altering the deal.

OpenAI’s latest structural shift, planned for 2025, will effectively see the for-profit wing take the reins of the AI giant’s operations and business. It’s not clear to what degree the non-profit portion of the outfit will have any meaningful control, though the blog post suggests that it would retain “significant interest in the existing for-profit,” taking the form of shares in the PBC at a valuation that will be “determined by independent financial advisors.”

Microsoft plans to supplement 365 Copilot products with non-OpenAI models

Microsoft is looking to diversify the AI models used to power its 365 Copilot products to include those not built by partner OpenAI.

Until now, Microsoft’s products have been powered by models from its generative AI partner OpenAI. However, Reuters reported this week, citing sources familiar with the matter, that Redmond is looking to reduce its dependence on the GenAI poster child in a bid to cut costs.

Microsoft is no stranger to building its own models. The company’s Phi-series of models are now in their fourth iteration, with the latest – a 14 billion parameter model called Phi-4 – launched earlier this month.

Many of these models have been released under the highly permissive MIT license, making them well suited to fine-tuning. Taking this into consideration, Microsoft may be gearing up to offer model customization services to 365 Copilot customers.

The Register has reached out to Microsoft for comment; we’ll let you know if we hear anything back.

The new corporate structure comes just months after OpenAI raised $6.6 billion in new funding, which drove its valuation to $157 billion. The funding is expected to further the development of more advanced models, including OpenAI’s o-series of models, which it says demonstrate “new reasoning capabilities.”

But while OpenAI makes the case this latest transition is imperative to the success of the firm going forward, not everyone is a fan of the move. OpenAI has faced ongoing criticism from Elon Musk, who initially funded the model builder before founding rival AI firm xAI. Musk has previously launched legal challenges to OpenAI’s structure, and earlier this month filed for an injunction against the AI firm to prevent it from morphing into an entirely for-profit business.

Bootnote:

Speaking of xAI, the Musk-backed startup raised $6 billion in a series-C funding round this week, which it says will support the expansion of its Colossus supercomputer.

The startup currently plans to expand the machine to 200,000 GPUs with ambitions to eventually grow it to a million accelerators. The machine will power the development of future Grok models as well as its Aurora image-gen models. ®




White House: Salt Typhoon hacks possible because telecoms lacked basic security measures


The White House said Friday that as the U.S. government continues to assess the damage caused by the Salt Typhoon hacks, the breach occurred in large part due to telecommunications companies failing to implement rudimentary cybersecurity measures across their IT infrastructure. 

Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technology, told reporters Friday that the Biden administration has zeroed in further on how these companies can improve their cybersecurity, particularly by sharing threat-hunting guides and instructions for hardening systems. These guides, shared with telecom companies, have unearthed a new victim, bringing the total of affected companies to nine.

In a previous briefing this month, Neuberger said that while the impacted telecommunications companies are currently working to expel the hackers from their networks, the risk of further breaches remains high until cybersecurity gaps are fully addressed. In Friday’s briefing, she shared more details on some of the flaws that have been uncovered in telecom systems, which allowed the threat actors to carry out their actions. 

In one incident response case, it was found that the attackers, who are believed to be state-affiliated actors from China, obtained credentials to a single administrator account that had access to over 100,000 routers. The group also erased logs of their actions, and the logs that did remain were inadequate for determining the size and scope of the hack.

“The reality is that from what we’re seeing regarding the level of cybersecurity implemented across the telecom sector, those networks are not as defensible as they need to be to defend against a well-resourced, capable offensive cyber actor like China,” Neuberger said. 

The White House still cannot definitively say the actors have been removed from the telecom networks. Neuberger said the number of individuals directly impacted is “less than 100.” However, she said the Chinese were interested in a large number of individuals geo-located in the Washington, D.C. area, with “the goal of identifying who those phones belong to and if they were government targets of interest for follow-on espionage and intelligence collection of communications.”

The attackers are believed to have targeted the phones and data of President-elect Donald Trump and Vice President-elect JD Vance, among others.

In the aftermath of the breaches, Neuberger said the White House has outlined four areas where telecom companies can improve their cybersecurity: configuration management, vulnerability management, network segmentation, and sector-wide information sharing. She also expressed support for the new rules pushed forth by the Federal Communications Commission that would force telecoms to further harden their networks. 

The White House says these rules would follow similar regulations in Australia and the U.K., which have been in place since 2018 and 2022, respectively. 

“When I talked with our U.K. colleagues and I asked, ‘do you believe your regulations would have prevented the Salt Typhoon attack?’, their comment to me was, ‘we would have found it faster. We would have contained it faster, [and] it wouldn’t have spread as widely and had the impact and been as undiscovered for as long,’ had those regulations been in place,” Neuberger said. “That’s a powerful message.” 

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.




Hackers Are Hot for Water Utilities


The unprecedented wave of high-profile cyberattacks on US water utilities over the past year has just kept flowing.

In one incident, pro-Iranian hackers penetrated a Pittsburgh-area water utility’s PLC and defaced the touchscreen with an anti-Israel message, forcing the utility to revert to manual control of its water pressure-regulation system. A water and wastewater operator for 500 North American communities temporarily severed connections between its IT and OT networks after ransomware infiltrated some back-end systems and exposed its customers’ personal data. Customer-facing websites and the telecommunications network at the US’s largest regulated water utility went dark after an October cyberattack.

Those were just some of the more chilling stories that have recently sparked fear over the security and physical safety of drinking water and wastewater systems. The cyberattacks have spurred warnings and security guidelines from the Cybersecurity and Infrastructure Security Agency (CISA), the White House, the FBI and the Office of the Director of National Intelligence (ODNI), the Environmental Protection Agency (EPA), and the Water ISAC (Information Sharing and Analysis Center).

Most of the attacks were opportunistic and landed on the softest targets: small water utilities without security expertise or resources. Meanwhile, cyberattacks on large utilities like Veolia and American Water hit IT, not OT, systems, and none of them actually disrupted water services. Overall, the cyberattacks on water appeared to be mainly about “poking around and eroding confidence,” says Gus Serino, president of I&C Secure and a former process control engineer for the Massachusetts Water Resources Authority.


The race is now on to secure the water sector — especially the smaller more vulnerable utilities — from further cyberattacks. Many larger water utilities already have been “stepping up their game” in securing their OT networks, and others started building out their security infrastructures years ago, notes Dale Peterson, president of ICS/OT security consultancy Digital Bond. “My first client in 2000 was a water utility,” he recalls. “Some [large utilities] have been working on this for a very long time.”

The challenge lies in securing smaller utilities, without overprescribing them with unnecessary and high-overhead security infrastructure. Tools that require expertise and overhead are a nonstarter at sites where there isn’t even dedicated IT support, much less cyber know-how. Peterson argues that government recommendations for sophisticated security monitoring systems are just plain overkill for most small utilities. These tiny outfits have bigger and more tangible priorities, he says, like replacing aging or damaged pipes in their physical infrastructure.


ICS/OT Cyber-Risk: Something in the Water?

Like other ICS/OT industries, water utilities of all sizes have been outfitting once-isolated programmable logic controller (PLC) systems and OT equipment with remote access, so operators can more efficiently monitor and manage plants from afar — to control water pumps or check alarms, for instance. That has put traditionally isolated equipment at risk.

“They are starting and stopping pumps, setting changes, responding to alarms or failures [in] a system. They remote in to look at SCADA/HMI screens to see what’s wrong or to take corrective action,” explains I&C Secure’s Serino, who works closely with water utilities. He says it’s rare for those systems to be properly segmented, and VPNs are “not always” used for secure remote access.

PLC vendors such as Siemens are increasingly building security features into their devices, but water plants don’t typically run this next-generation gear.

“I have yet to see any secure PLCs deployed” in smaller water sites, Serino says. “Even if there are new PLCs, their security features are not ‘on.’ So if you [an attacker] can get in and get access to the device on that network, you can do whatever you are capable of doing to a PLC.”


Because many ICS/OT systems integrators that install OT equipment traditionally do not also configure security for the hardware and software they deploy, water utility networks are often left exposed, with open ports or default credentials. “We need to help integrators making [and installing] SCADA equipment for these utilities make sure they are secured” for utilities, says Chris Sistrunk, technical leader of Google Cloud Mandiant’s ICS/OT consulting practice and a former senior engineer at Entergy.

Default credentials are one of the most common security weaknesses found in OT networks, as well as industrial devices sitting exposed on the public Internet. The Iranian-based Cyber Av3ngers hacking group easily broke into the Israeli-made Unitronics Vision Series PLCs at the Aliquippa Municipal Water Authority plant (as well as other water utilities and organizations), merely by logging in with the PLCs’ easily discoverable factory-setting credentials.

The good news is that some major systems integrators such as Black & Veatch are working with large water utilities on building security into their new OT installations. Ian Bramson, vice president of global industrial cybersecurity at Black & Veatch, says his team works with utilities that consider security a physical safety issue. “They are looking to build [security] in and not bolt it in,” he explains, to prevent any physical safety consequences from poor cybersecurity controls.

Cybersecurity Cleanup for Water

Meanwhile, there are plenty of free cybersecurity resources for resource-strapped water utilities, including the Water-ISAC’s top 12 Security Fundamentals and the American Water Works Association (AWWA)’s free security assessment tool, which helps utilities map their environments to the NIST Cybersecurity Framework. Kevin Morley, manager of federal relations for the AWWA and a utility cybersecurity expert, says the tool includes a survey of the utility’s technology and then provides a priority list of the security controls the utility should adopt and address, focusing on risk and resilience.

“It creates a heat map” of where the utility’s security weaknesses and risks lie, he says. That helps arm a utility with a cybersecurity business case in the budget process. “They can go to leadership and say ‘we did this analysis and this is what we found,'” he explains.

There’s also a new cyber volunteer program that assists rural water utilities. The National Rural Water Association recently teamed up with DEF CON to match volunteer cybersecurity experts with utilities in need of help. The initial cohort of the bespoke DEF CON Franklin project comprises six utilities in Utah, Vermont, Indiana, and Oregon, where volunteer ICS/OT security experts will assess their security posture and help them secure and protect their OT systems from cyber threats.

Mandiant’s Sistrunk, who serves as a volunteer cyber expert for some small utilities, points to three main and basic security steps small (and large) utilities should take to improve their defenses: enact multifactor authentication, especially for remote access to OT systems; store backups offline or with a trusted third party; and have a written response plan for who to call when a cyberattack hits.

Serino recommends a firewall as well. “Get a firewall if you don’t have one, and have it configured and locked down to control data flows in and out,” he says. It’s common for firewalls at a water utility to be misconfigured and left wide open to outgoing traffic, he notes: “If an adversary can get in, they could establish their own persistence and command and control, so hardening up the perimeter” for both outbound and inbound traffic is important.

He also recommends centralized logging of OT systems, especially for larger water utilities with the resources to support logging and detection operations: “Have the ability to detect a problem so you can stop it before it reaches the end goal of causing an impact.”
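
Serino's two recommendations, controlling outbound flows at the perimeter and centralizing OT logs so a problem can be spotted, can be checked together with very little tooling. The script below is an added example written for this page, not code from I&C Secure, Mandiant or any utility: it reads firewall log lines and reports every permitted connection from the OT subnet to an address outside the RFC 1918 ranges, aggregated per flow so a PLC beaconing to one public host stands out. The address plan (PLCs and HMIs in 10.20.0.0/16, corporate IT in 10.10.0.0/16), the key=value log format and the log excerpt are all constructed assumptions; adapt the regex to your appliance's export format.

```python
import ipaddress
import re
from collections import Counter

# Assumed address plan: PLCs/HMIs live in 10.20.0.0/16, corporate IT in 10.10.0.0/16.
OT_SUBNET = ipaddress.ip_network("10.20.0.0/16")
# Anything outside RFC 1918 is treated as external. This is deliberately stricter
# than ipaddress.is_private, which also exempts documentation and benchmark ranges.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed key=value firewall log format; adapt the pattern to your appliance's export.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>allow|deny) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>tcp|udp)$"
)


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_RANGES)


def parse_line(line: str):
    """Return a parsed record, or None for lines the regex does not recognise."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"], "action": m["action"],
        "src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]), "proto": m["proto"],
    }


def find_ot_egress(lines) -> list:
    """Permitted flows from the OT subnet to non-RFC1918 addresses, aggregated per
    (src, dst, dport, proto) with a hit count so repeated beacons are obvious."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue
        if rec["src"] in OT_SUBNET and not is_internal(rec["dst"]):
            hits[(str(rec["src"]), str(rec["dst"]), rec["dport"], rec["proto"])] += 1
    return [
        {"src": s, "dst": d, "dport": p, "proto": pr, "count": n}
        for (s, d, p, pr), n in sorted(hits.items())
    ]


# Constructed log excerpt: Modbus/TCP inside the OT network, an IT host browsing,
# a PLC repeatedly reaching a public address on 443, one blocked DNS lookup,
# and a line the parser must skip.
SAMPLE_LOG = """
2024-12-20T03:14:07Z allow src=10.20.0.15 dst=10.20.0.200 dport=502 proto=tcp
2024-12-20T03:14:09Z allow src=10.10.0.5 dst=203.0.113.9 dport=443 proto=tcp
2024-12-20T03:14:11Z allow src=10.20.0.15 dst=203.0.113.7 dport=443 proto=tcp
2024-12-20T03:15:11Z allow src=10.20.0.15 dst=203.0.113.7 dport=443 proto=tcp
2024-12-20T03:16:11Z allow src=10.20.0.15 dst=203.0.113.7 dport=443 proto=tcp
2024-12-20T03:16:30Z deny src=10.20.0.31 dst=198.51.100.5 dport=53 proto=udp
garbage line the parser should skip
""".strip().splitlines()

if __name__ == "__main__":
    for flow in find_ot_egress(SAMPLE_LOG):
        print(f"{flow['src']} -> {flow['dst']}:{flow['dport']}/{flow['proto']} "
              f"allowed {flow['count']} time(s)")
```

A utility with no dedicated IT staff can run this against yesterday's log export on a schedule; an empty report means the egress policy is holding, and anything else is either a missing rule or a device that should not be talking to the internet. The same aggregation applied to the deny lines shows which inside hosts are trying to reach out, which is the earliest signal Serino's "detect a problem before it causes an impact" advice relies on.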


