Hacker in Snowflake Extortions May Be a U.S. Soldier – Krebs on Security


Two men have been arrested for allegedly stealing data from and extorting dozens of companies that used the cloud data storage company Snowflake, but a third suspect — a prolific hacker known as Kiberphant0m — remains at large and continues to publicly extort victims. However, this person’s identity may not remain a secret for long: A careful review of Kiberphant0m’s daily chats across multiple cybercrime personas suggests they are a U.S. Army soldier who is or was recently stationed in South Korea.

Kiberphant0m’s identities on cybercrime forums and on Telegram and Discord chat channels have been selling data stolen from customers of the cloud data storage company Snowflake. At the end of 2023, malicious hackers discovered that many companies had uploaded huge volumes of sensitive customer data to Snowflake accounts that were protected with nothing more than a username and password (no multi-factor authentication required).

After scouring darknet markets for stolen Snowflake account credentials, the hackers began raiding the data storage repositories for some of the world’s largest corporations. Among those was AT&T, which disclosed in July that cybercriminals had stolen personal information, phone and text message records for roughly 110 million people. Wired.com reported in July that AT&T paid a hacker $370,000 to delete stolen phone records.

On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States, which has since indicted him on 20 criminal counts connected to the Snowflake breaches. Another suspect in the Snowflake hacks, John Erin Binns, is an American who is currently incarcerated in Turkey.

A surveillance photo of Connor Riley Moucka, a.k.a. “Judische” and “Waifu,” dated Oct 21, 2024, 9 days before Moucka’s arrest. This image was included in an affidavit filed by an investigator with the Royal Canadian Mounted Police (RCMP).

Investigators say Moucka, who went by the handles Judische and Waifu, had tasked Kiberphant0m with selling data stolen from Snowflake customers who refused to pay a ransom to have their information deleted. Immediately after news broke of Moucka’s arrest, Kiberphant0m was clearly furious, and posted on the hacker community BreachForums what they claimed were the AT&T call logs for President-elect Donald J. Trump and for Vice President Kamala Harris.

“In the event you do not reach out to us @ATNT all presidential government call logs will be leaked,” Kiberphant0m threatened, signing their post with multiple “#FREEWAIFU” tags. “You don’t think we don’t have plans in the event of an arrest? Think again.”

On the same day, Kiberphant0m posted what they claimed was the “data schema” from the U.S. National Security Agency.

“This was obtained from the ATNT Snowflake hack which is why ATNT paid an extortion,” Kiberphant0m wrote in a thread on BreachForums. “Why would ATNT pay Waifu for the data when they wouldn’t even pay an extortion for over 20M+ SSNs?”

Kiberphant0m posting what he claimed was a “data schema” stolen from the NSA via AT&T.

Also on Nov. 5, Kiberphant0m offered call logs stolen from Verizon’s push-to-talk (PTT) customers — mainly U.S. government agencies and emergency first responders. On Nov. 9, Kiberphant0m posted a sales thread on BreachForums offering a “SIM-swapping” service targeting Verizon PTT customers. In a SIM-swap, fraudsters use credentials that are phished or stolen from mobile phone company employees to divert a target’s phone calls and text messages to a device they control.

MEET ‘BUTTHOLIO’

Kiberphant0m joined BreachForums in January 2024, but their public utterances on Discord and Telegram channels date back to at least early 2022. On their first post to BreachForums, Kiberphant0m said they could be reached at the Telegram handle @cyb3rph4nt0m.

A review of @cyb3rph4nt0m shows this user has posted more than 4,200 messages since January 2024. Many of these messages were attempts to recruit people who could be hired to deploy a piece of malware that enslaved host machines in an Internet of Things (IoT) botnet.

On BreachForums, Kiberphant0m has sold the source code to “Shi-Bot,” a custom Linux DDoS botnet based on the Mirai malware. Kiberphant0m had few sales threads on BreachForums prior to the Snowflake attacks becoming public in May, and many of those involved databases stolen from companies in South Korea.

On June 5, 2024, a Telegram user by the name “Buttholio” joined the fraud-focused Telegram channel “Comgirl” and claimed to be Kiberphant0m. Buttholio made the claim after being taunted as a nobody by another denizen of Comgirl, referring to their @cyb3rph4nt0m account on Telegram and the Kiberphant0m user on cybercrime forums.

“Type ‘kiberphant0m’ on google with the quotes,” Buttholio told another user. “I’ll wait. Go ahead. Over 50 articles. 15+ telecoms breached. I got the IMSI number to every single person that’s ever registered in Verizon, Tmobile, ATNT and Verifone.”

On Sept. 17, 2023, Buttholio posted in a Discord chat room dedicated to players of the video game Escape from Tarkov. “Come to Korea, servers there is pretty much no extract camper or cheater,” Buttholio advised.

In another message that same day in the gaming Discord, Buttholio told others they bought the game in the United States, but that they were playing it in Asia.

“USA is where the game was purchased from, server location is actual in game servers u play on. I am a u.s. soldier so i bought it in the states but got on rotation so i have to use asian servers,” they shared.

‘REVERSESHELL’

The account @Kiberphant0m was assigned the Telegram ID number 6953392511. A review of this ID at the cyber intelligence platform Flashpoint shows that on January 4, 2024 Kiberphant0m posted to the Telegram channel “Dstat,” which is populated by cybercriminals involved in launching distributed denial-of-service (DDoS) attacks and selling DDoS-for-hire services [Full disclosure: Flashpoint is currently an advertiser on this website].

Immediately after Kiberphant0m logged on to the Dstat channel, another user wrote “hi buttholio,” to which Kiberphant0m replied with an affirmative greeting “wsg,” or “what’s good.” On Nov. 1, Dstat’s website dstat[.]cc was seized as part of “Operation PowerOFF,” an international law enforcement action against DDoS services.

Flashpoint’s data shows that @kiberphant0m told a fellow member of Dstat on April 10, 2024 that their alternate Telegram username was “@reverseshell,” and did the same two weeks later in the Telegram chat The Jacuzzi. The Telegram ID for this account is 5408575119.

Way back on Nov. 15, 2022, @reverseshell told a fellow member of a Telegram channel called Cecilio Chat that they were a soldier in the U.S. Army. This user also shared the following image of someone pictured waist-down in military fatigues, with a camouflaged backpack at their feet:

Kiberphant0m’s apparent alias ReverseShell posted this image on a Telegram channel Cecilio Chat, on Nov. 15, 2022. Image: Flashpoint.

In September 2022, Reverseshell was embroiled in an argument with another member who had threatened to launch a DDoS attack against Reverseshell’s Internet address. After the promised attack materialized, Reverseshell responded, “Yall just hit military base contracted wifi.”

In a chat from October 2022, Reverseshell was bragging about the speed of the servers they were using, and in reply to another member’s question said that they were accessing the Internet via South Korea Telecom.

Telegram chat logs archived by Flashpoint show that on Aug. 23, 2022, Reverseshell bragged they’d been using automated tools to find valid logins for Internet servers that they resold to others.

“I’ve hit US gov servers with default creds,” Reverseshell wrote, referring to systems with easy-to-guess usernames and/or passwords. “Telecom control servers, machinery shops, Russian ISP servers, etc. I sold a few big companies for like $2-3k a piece. You can sell the access when you get a big SSH into corporation.”

On July 29, 2023, Reverseshell posted a screenshot of a login page for a major U.S. defense contractor, claiming they had an aerospace company’s credentials to sell.

PROMAN AND VARS_SECC

Flashpoint finds the Telegram ID 5408575119 has used several aliases since 2022, including Reverseshell and Proman557.

A search on the username Proman557 at the cyber intelligence platform Intel 471 shows that a hacker by the name “Proman554” registered on Hackforums in September 2022, and in messages to other users Proman554 said they can be reached at the Telegram account Buttholio.

Intel 471 also finds the Proman557 moniker is one of many used by a person on the Russian-language hacking forum Exploit in 2022 who sold a variety of Linux-based botnet malware.

Proman557 was eventually banned — allegedly for scamming a fellow member out of $350 — and the Exploit moderator warned forum users that Proman557 had previously registered under several other nicknames, including an account called “Vars_Secc.”

Vars_Secc’s thousands of comments on Telegram over two years show this user divided their time between online gaming, maintaining a DDoS botnet, and promoting the sale or renting of their botnets to other users.

“I use ddos for many things not just to be a skid,” Vars_Secc pronounced. “Why do you think I haven’t sold my net?” They then proceeded to list the most useful qualities of their botnet:

-I use it to hit off servers that ban me or piss me off
-I used to ddos certain games to get my items back since the data reverts to when u joined
-I use it for server side desync RCE vulnerabilities
-I use it to sometimes ransom
-I use it when bored as a source of entertainment

Flashpoint shows that in June 2023, Vars_Secc responded to taunting from a fellow member in the Telegram channel SecHub who had threatened to reveal their personal details to the federal government for a reward.

“Man I’ve been doing this shit for 4 years,” Vars_Secc replied nonchalantly. “I highly doubt the government is going to pay millions of dollars for data on some random dude operating a pointless ddos botnet and finding a few vulnerabilities here and there.”

For several months in 2023, Vars_Secc also was an active member of the Russian-language crime forum XSS, where they sold access to a U.S. government server for $2,000. However, Vars_Secc would be banned from XSS after attempting to sell access to the Russian telecommunications giant Rostelecom. [In this, Vars_Secc violated the Number One Rule for operating on a Russia-based crime forum: Never offer to hack or sell data stolen from Russian entities or citizens].

On June 20, 2023, Vars_Secc posted a sales thread on the cybercrime forum Ramp 2.0 titled, “Selling US Gov Financial Access.”

“Server within the network, possible to pivot,” Vars_Secc’s sparse sales post read. “Has 3-5 subroutes connected to it. Price $1,250. Telegram: Vars_Secc.”

Vars_Secc also used Ramp in June 2023 to sell access to a “Vietnam government Internet Network Information Center.”

“Selling access server allocated within the network,” Vars_Secc wrote. “Has some data on it. $500.”

BUG BOUNTIES

The Vars_Secc identity claimed on Telegram in May 2023 that they made money by submitting reports about software flaws to HackerOne, a company that helps technology firms field reports about security vulnerabilities in their products and services. Specifically, Vars_Secc said they had earned financial rewards or “bug bounties” from reddit.com, the U.S. Department of Defense, and Coinbase, among 30 others.

“I make money off bug bounties, it’s quite simple,” Vars_Secc said when asked what they do for a living. “That’s why I have over 30 bug bounty reports on HackerOne.”

A month before that, Vars_Secc said they’d found a vulnerability in reddit.com.

“I poisoned Reddit’s cache,” they explained. “I’m going to exploit it further, then report it to reddit.”

KrebsOnSecurity sought comment from HackerOne, which said it would investigate the claims. This story will be updated if they respond.

The Vars_Secc telegram handle also has claimed ownership of the BreachForums member “Boxfan,” and Intel 471 shows Boxfan’s early posts on the forum had the Vars_Secc Telegram account in their signature. In their most recent post to BreachForums in January 2024, Boxfan disclosed a security vulnerability they found in Naver, the most popular search engine in South Korea (according to statista.com). Boxfan’s comments suggest they have strong negative feelings about South Korean culture.

“Have fun exploiting this vulnerability,” Boxfan wrote on BreachForums, after pasting a long string of computer code intended to demonstrate the flaw. “Fuck you South Korea and your discriminatory views. Nobody likes ur shit kpop you evil fucks. Whoever can dump this DB [database] congrats. I don’t feel like doing it so I’ll post it to the forum.”

The many identities tied to Kiberphant0m strongly suggest they are or until recently were a U.S. Army soldier stationed in South Korea. Kiberphant0m’s alter egos never mentioned their military rank, regiment, or specialization.

However, it is likely that Kiberphant0m’s facility with computers and networking was noticed by the Army. According to the U.S. Army’s website, the bulk of its forces in South Korea reside within the Eighth Army, which has a dedicated cyber operations unit focused on defending against cyber threats.

On April 1, 2023, Vars_Secc posted to a public Telegram chat channel a screenshot of the National Security Agency’s website. The image indicated the visitor had just applied for some type of job at the NSA.

A screenshot posted by Vars_Secc on Telegram on April 1, 2023, suggesting they just applied for a job at the National Security Agency.

The NSA has not yet responded to requests for comment.

Reached via Telegram, Kiberphant0m acknowledged that KrebsOnSecurity managed to unearth their old handles.

“I see you found the IP behind it no way,” Kiberphant0m replied. “I see you managed to find my old aliases LOL.”

Kiberphant0m denied being in the U.S. Army or ever being in South Korea, and said all of that was a lengthy ruse designed to create a fictitious persona. “Epic opsec troll,” they claimed.

Asked if they were at all concerned about getting busted, Kiberphant0m called that an impossibility.

“I literally can’t get caught,” Kiberphant0m said, declining an invitation to explain why. “I don’t even live in the USA Mr. Krebs.”

Below is a mind map that hopefully helps illustrate some of the connections between and among Kiberphant0m’s apparent alter egos.

A mind map of the connections between and among the identities apparently used by Kiberphant0m. Click to enlarge.

KrebsOnSecurity would like to extend a special note of thanks to the New York City based security intelligence firm Unit 221B for their assistance in helping to piece together key elements of Kiberphant0m’s different identities.




Broadcom turns VMware into a prolific money-making machine • The Register


Broadcom has told investors its integration of VMware is all but done, ahead of schedule, and that it has turned the virtualization giant into an even more prolific money machine than it had hoped would be possible.

Speaking on the giant conglomerate’s Q4 2024 earnings call today, Broadcom CEO Hock Tan told investors VMware’s quarterly costs have fallen from an average $2.4 billion to $1.2 billion in this quarter, and margins have gone from below 30 percent to 70 percent. He didn’t break out Virtzilla’s revenue, and said Broadcom won’t do so again. But he did use two other metrics to describe VMware’s progress: processor cores covered by new subscription sales and annual booking value (ABV).

The latter, which measures the value of future revenue from subscriptions, saw $2.7 billion worth of deals done in the quarter – up $200 million from Q3. Tan revealed VMware sold subs for 21 million processor cores in the quarter – up from 19 million in Q3.

The CEO also told investors that 17 million of those newly-sold cores will be used to run the flagship private cloud suite VMware Cloud Foundation (VCF), and that 4,500 of Broadcom’s top 10,000 VMware customers have signed up for VCF since the acquisition.

Full-year revenue for Broadcom’s software division hit $21.5 billion, up from $7.6 billion for FY 2023 – an increase of $13.8 billion. VMware’s last full year of revenue as an independent company was $13.4 billion, and Broadcom did not own the virty giant for a few weeks of its FY 2024 and therefore can’t count a few hundred million dollars of revenue. The Register also feels safe in assuming that the other parts of Broadcom’s software biz – CA and Symantec – are not growing fast, if at all.

It therefore looks a lot like VMware revenue is growing and Broadcom’s strategy is working.

Tan’s remarks about margin improvement suggest as much. He followed them with a prediction that Broadcom’s planned $8.5 billion EBITDA growth for VMware would be achieved in a tighter time frame than the three years initially forecast – and that further improvements are achievable.

With that kind of prediction on record during an earnings call – wherein execs are encouraged to be conservative in forward statements – VMware customers surely have a clear signal Broadcom won’t need to change its plans, which bring increased costs to most customers.

Chipping away at hyperscalers

Tan offered investors two other forecasts for Broadcom’s silicon business, which he noted now needs to be discussed in AI-adjacent and non-AI segments.

The CEO told investors Broadcom sees huge growth ahead from hyperscale customers of its XPU accelerators and associated networking gear. Three existing hyperscale customers intend to use Broadcom kit to build million-XPU clusters – an addressable opportunity worth between $60 billion and $90 billion in 2027. Tan asserted that Broadcom is “very well positioned to achieve leading market share in this opportunity.”

He also revealed Broadcom is talking to another pair of hyperscalers about custom accelerators that will use its IP – meaning more big opportunities lie ahead. The CEO celebrated hyperscalers’ interest in Broadcom’s wares as a sign that Ethernet is in favor – an important observation given Nvidia’s fondness for InfiniBand.

Tan also pledged that Broadcom’s next-generation XPUs, built on a 3nm process, will debut in the second half of 2025. Tan claimed they’ll be the first products in the field built at 3nm.

AI silicon is powering growth for Broadcom’s chip division, which earned $8.2 billion – up 12 percent year on year. AI-related sales grew 150 percent year on year to $3.7 billion, while other products were down 23 percent to $4.5 billion. Tan noted that non-AI chips have come out of a slump and will recover.

Which brings us to those two forecasts: Tan predicted non-AI silicon sales will slip by “mid-teens” in Q1 of 2025, while AI chips grow by 65 percent.

Broadcom remains in rude health. Quarterly revenue of $14 billion represented a 51 percent year-on-year leap, and annual revenue of $51.5 billion was up an impressive 44 percent. Net income for the full year was $5.9 billion – a drop of $8.2 billion – but free cashflow is strong, and Tan declared Broadcom will use it to pay down the debt it used to acquire VMware.

He also revealed that Broadcom is quietly looking for other software acquisitions, but has strict demands for target prey. He did not suggest any purchases are imminent.

Investors liked what they heard: Broadcom’s share price jumped 15 percent in after hours trading. ®




Cybercriminal marketplace Rydox seized in international law enforcement operation


The Justice Department announced Thursday that it had participated in a coordinated effort to seize and dismantle Rydox, an online marketplace for stolen personal information and cybercrime tools. The operation led to the arrest of three individuals alleged to be the site’s administrators.

Rydox has been linked to over 7,600 illicit sales and generated substantial profits since its inception in 2016. Authorities reported the site’s revenue exceeded $230,000, primarily sourced from selling sensitive data such as credit card information, login credentials, and other PII stolen from thousands of U.S. residents. The site has offered for sale at least 321,372 cybercrime products to over 18,000 users.

The operation was carried out by the FBI’s Pittsburgh Office, Albania’s Special Anti-Corruption Body (SPAK) and its National Bureau of Investigation (BKH), the Kosovo Special Prosecution Office, the Kosovo Police, and the Royal Malaysian Police.

Kosovo nationals Ardit Kutleshi, 26, and Jetmir Kutleshi, 28, were apprehended in Kosovo. They will be extradited to the Western District of Pennsylvania to face multiple charges, including identity theft and money laundering. A third man, Shpend Sokoli, also from Kosovo, was detained in Albania. Sokoli will be prosecuted in Albania.

The domain, Rydox.cc, and its associated servers were seized in Kuala Lumpur, Malaysia. Additionally, U.S. authorities seized approximately $225,000 in cryptocurrency linked to the defendants.

Eric Olshan, U.S. Attorney for the Western District of Pennsylvania, said in a release that despite these cases being a concerted, multi-national law enforcement effort, the “harms can be devastatingly local.”

Thursday’s “takedown reinforces our steadfast message that the Western District of Pennsylvania and our domestic and international law enforcement partners will use every available tool to hold accountable those who pursue illicit profit at the expense of ordinary citizens around the world,” Olshan said. 


Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.




336K Prometheus Instances Exposed to DoS, ‘Repojacking’


Researchers have discovered hundreds of thousands of servers running Prometheus open source monitoring software on the open Web are exposing passwords, tokens, and opportunities for denial of service (DoS) and remote code execution.

As a leader among open source observability tools, Prometheus is used widely by organizations to monitor the performance of their applications and cloud infrastructure. But it comes with a catch: As noted in its documentation, “It is presumed that untrusted users have access to the Prometheus HTTP endpoint and logs. They have access to all time series information contained in the database, plus a variety of operational/debugging information.”

Apparently, a whole lot of users either aren’t aware of the ways in which Prometheus is exposed by default, or don’t realize the value of the data that’s exposed along the way. Using Shodan, researchers from Aqua Nautilus discovered more than 40,000 exposed Prometheus servers, and more than 296,000 exposed “exporters,” which the program uses to collect data from monitored endpoints. The researchers found sensitive data in those servers and exporters, and opportunities for “repojacking” and DoS attacks.

What Prometheus Exposes

On first impression, the data Prometheus collects might seem rather bland: application performance metrics, metrics associated with particular cloud tools, CPU, memory, and disk usage, for example.

“We think that it’s only statistics — it’s only information about the health of the system. That’s the problem,” says Assaf Morag, director of threat intelligence at Aqua Nautilus. Probing the data from the perspective of an attacker reveals all kinds of information that could lubricate cyberattacks.

“We noticed that we can actually see plaintext passwords and tokens, and API addresses of internal locations that should be kept hidden,” Morag says. For example, he found one exposed and unauthenticated instance of Prometheus belonging to Skoda Auto, the Czech automobile manufacturer, which revealed some of the company’s subdomains, and Docker registries and images.

Besides exposing secrets, open Web Prometheus servers and exporters also carry a risk of DoS. There’s the ‘/debug/pprof’ endpoint, for example, which serves Go runtime profiling data (heap, CPU, goroutines) for the running process and is enabled by default by most Prometheus components. In their testing, the researchers demonstrated that they could overload the endpoint to disrupt communications or outright crash Amazon Web Services Elastic Compute Cloud (AWS EC2) instances or Kubernetes pods.

“The result was conclusive: We ended up stopping virtual machines each time we ran our script,” Morag reports. To drive home the significance of such an attack scenario, he jokes, “I read somewhere that Kubernetes clusters run in fighter jets. I don’t think that they are exposed to the Internet, but [it goes to show] we run Kubernetes in lots of places today.”

Repojacking Opportunities in Prometheus

Users can protect their Prometheus servers and exporters by taking them offline, or at least adding a layer of authentication to keep out prying eyes. And, of course, there are tools designed to mitigate DoS risks.

Less easily solved is a third issue in the platform: Several of its exporters were found vulnerable to repojacking attacks.

The opportunity for repojacking can occur whenever a developer changes or deletes their account on GitHub and doesn’t perform a namespace retirement. Simply, an attacker registers the developer’s old username, then plants malware under the same title as the developer’s old, legitimate projects. Then any projects that reference this repository but aren’t updated with the correct redirect link can end up ingesting the malicious copycat.

Prometheus’ official documentation referenced several exporters associated with freely claimable usernames, meaning that any attacker could have stepped in and taken advantage to perform remote code execution. Aqua Nautilus reported the issue to Prometheus, and it has since been addressed.

Repojacking opportunities are likely far more widespread than is realized, Morag emphasizes, so organizations need to be monitoring any discrepancies between the projects they rely on and the links they follow to access them. “It’s not that difficult,” he says. “But if you’re doing it for millions of open source projects, that’s where the problem starts. If you use an automated [scanning tool], you could be safe.”




New stealthy Pumakit Linux rootkit malware spotted in the wild



A new Linux rootkit malware called Pumakit has been discovered that uses stealth and advanced privilege escalation techniques to hide its presence on systems.

The malware is a multi-component set that includes a dropper, memory-resident executables, a kernel module rootkit, and a shared object (SO) userland rootkit.

Elastic Security discovered Pumakit in a suspicious binary (‘cron’) upload on VirusTotal, dated September 4, 2024, and reported having no visibility into who uses it and what it targets.

Generally, these tools are used by advanced threat actors targeting critical infrastructure and enterprise systems for espionage, financial theft, and disruption operations. 

The Pumakit

Pumakit employs a multi-stage infection process starting with a dropper named ‘cron,’ which executes embedded payloads (‘/memfd:tgt’ and ‘/memfd:wpn’) entirely from memory.

The ‘/memfd:wpn’ payload, which executes in a child process, performs environment checks and kernel image manipulation and eventually deploys the LKM rootkit module (‘puma.ko’) into the system kernel.

Embedded within the LKM rootkit is Kitsune SO (‘lib64/libs.so’), acting as the userland rootkit that injects itself into processes using ‘LD_PRELOAD’ to intercept system calls at the user level.

Pumakit infection chain (Source: Elastic Security)

Stealthy privilege escalation

The rootkit follows a conditional activation, checking for specific kernel symbols, secure boot status, and other prerequisites before loading.

Elastic says Puma uses the ‘kallsyms_lookup_name()’ function to resolve kernel symbols and manipulate system behavior. This indicates the rootkit was designed to target only Linux kernels before version 5.7: newer kernels no longer export the function, so out-of-tree kernel modules can’t call it directly.

“The LKM rootkit’s ability to manipulate system behavior begins with its use of the syscall table and its reliance on kallsyms_lookup_name() for symbol resolution,” explains Elastic researchers Remco Sprooten and Ruben Groenewoud.

“Unlike modern rootkits targeting kernel versions 5.7 and above, the rootkit does not use kprobes, indicating it is designed for older kernels.”

Puma hooks 18 syscalls and multiple kernel functions using ‘ftrace’ to gain privilege escalation, command execution, and the ability to hide processes.

Using ftrace to hook syscalls (Source: Elastic Security)

The kernel functions ‘prepare_creds’ and ‘commit_creds’ are abused to modify process credentials, granting root privileges to specific processes.

Performing privilege escalation (Source: Elastic Security)

The rootkit can hide its own presence from kernel logs, system tools, and antivirus, and can also hide specific files in a directory and objects from process lists.

If the hooks are interrupted, the rootkit reinitializes them, ensuring that its malicious changes aren’t reverted and the module cannot be unloaded.

The userland rootkit Kitsune SO operates in synergy with Puma, extending its stealth and control mechanisms to user-facing interactions.

It intercepts user-level system calls and alters the behavior of tools like ls, ps, netstat, top, htop, and cat to hide files, processes, and network connections associated with the rootkit.

It can also dynamically hide any other files and directories based on attacker-defined criteria and make malicious binaries entirely invisible to users and system admins.

Kitsune SO also handles all communications with the command and control (C2) server, relaying commands to the LKM rootkit and transmitting configuration and system info to the operators.

Besides file hashes, Elastic Security has published a YARA rule to help Linux system administrators detect Pumakit attacks.
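The hashes and YARA rule cover the artifacts Elastic captured; the write-up above also describes three behaviors that can be cross-checked on a live host without any signature: a kernel old enough to still export kallsyms_lookup_name(), payloads running from anonymous memfd files, and a module that has unlinked itself from /proc/modules while its /sys/module entry remains. The script below is an added example and is not Elastic’s code or tooling. The sample inputs are constructed (the module name puma and the payload names tgt/wpn follow the article; PIDs, addresses and the preload paths are hypothetical), and the threshold of 5.7 for the kallsyms export is the one the article states.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample inputs standing in for the live files a collector reads.
# Module name (puma) and memfd payload names (tgt, wpn) follow the write-up;
# PIDs, load addresses and preload paths are hypothetical.
SAMPLE_UNAME_R = "5.4.0-150-generic"
SAMPLE_PROC_MODULES = """\
ext4 1048576 1 - Live 0xffffffffc0000000
xfs 2097152 0 - Live 0xffffffffc0200000
"""
# /sys/module/* entries that carry an 'initstate' file, i.e. modules that were
# actually loaded (built-in code and parameter-only entries have none).
SAMPLE_SYS_MODULES = {"ext4", "xfs", "puma"}
SAMPLE_PROC_EXE = {                      # pid -> readlink(/proc/<pid>/exe)
    1: "/usr/lib/systemd/systemd",
    777: "/usr/bin/bash",
    4242: "/memfd:tgt (deleted)",
    4243: "/memfd:wpn (deleted)",
}
SAMPLE_LD_SO_PRELOAD = (
    "/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sysv.so\n"
    "/dev/shm/libs.so\n"
)

TRUSTED_PRELOAD_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def kernel_exports_kallsyms(uname_r: str) -> bool:
    """Linux stopped exporting kallsyms_lookup_name() in 5.7; older kernels match Puma's design."""
    m = re.match(r'(\d+)\.(\d+)', uname_r)
    if not m:
        raise ValueError(f"unparseable kernel release: {uname_r!r}")
    return (int(m.group(1)), int(m.group(2))) < (5, 7)


def hidden_modules(proc_modules: str, sys_modules: Iterable[str]) -> List[str]:
    """Modules present in sysfs but absent from /proc/modules (unlinked from the module list)."""
    listed = {line.split()[0] for line in proc_modules.splitlines() if line.strip()}
    return sorted(set(sys_modules) - listed)


def memfd_executables(proc_exe: Dict[int, str]) -> List[int]:
    """PIDs whose main executable exists only as an anonymous memfd, like the dropper's payloads."""
    return sorted(pid for pid, target in proc_exe.items() if target.startswith("/memfd:"))


def preload_entries(ld_so_preload: str) -> List[Tuple[str, bool]]:
    """Each /etc/ld.so.preload entry, flagged when it lives outside the system library dirs."""
    out = []
    for line in ld_so_preload.splitlines():
        path = line.split('#', 1)[0].strip()
        if path:
            out.append((path, not path.startswith(TRUSTED_PRELOAD_DIRS)))
    return out


def collect_live() -> Tuple[str, str, set, Dict[int, str], str]:
    """Read the real inputs; root is needed to readlink /proc/<pid>/exe of other users' processes."""
    uname_r = os.uname().release
    with open("/proc/modules") as fh:
        proc_modules = fh.read()
    sys_modules = {n for n in os.listdir("/sys/module")
                   if os.path.exists(f"/sys/module/{n}/initstate")}
    proc_exe: Dict[int, str] = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                proc_exe[int(entry)] = os.readlink(f"/proc/{entry}/exe")
            except OSError:
                pass  # kernel threads, or processes we may not inspect
    try:
        with open("/etc/ld.so.preload") as fh:
            preload = fh.read()
    except FileNotFoundError:
        preload = ""
    return uname_r, proc_modules, sys_modules, proc_exe, preload


def triage(uname_r, proc_modules, sys_modules, proc_exe, ld_so_preload) -> Dict[str, object]:
    """Combine the four checks into one report; any non-empty list deserves a closer look."""
    return {
        "kallsyms_exported": kernel_exports_kallsyms(uname_r),
        "hidden_modules": hidden_modules(proc_modules, sys_modules),
        "memfd_pids": memfd_executables(proc_exe),
        "suspicious_preload": [p for p, bad in preload_entries(ld_so_preload) if bad],
    }


if __name__ == "__main__":
    import sys
    args = collect_live() if "--live" in sys.argv else (
        SAMPLE_UNAME_R, SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULES, SAMPLE_PROC_EXE, SAMPLE_LD_SO_PRELOAD)
    for key, val in triage(*args).items():
        print(f"{key:20} {val}")
```

Run it with no arguments to see the checks fire on the constructed sample, or with --live to read the real host. Treat the results as cross-checks, not proof of absence: a rootkit that owns the syscall table via ftrace, or an LD_PRELOAD library such as Kitsune, can filter what /proc and /sys return to this script as easily as to ls or ps, so a clean run from inside a suspect host means little, while any hit is a reason to image the box and examine it from a trusted kernel.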




Credentials and API Keys Leaking Online


Dec 12, 2024 | Ravie Lakshmanan | Vulnerability / Cloud Security


Cybersecurity researchers are warning that thousands of servers hosting the Prometheus monitoring and alerting toolkit are at risk of information leakage and exposure to denial-of-service (DoS) as well as remote code execution (RCE) attacks.

“Prometheus servers or exporters, often lacking proper authentication, allowed attackers to easily gather sensitive information, such as credentials and API keys,” Aqua security researchers Yakir Kadkoda and Assaf Morag said in a new report shared with The Hacker News.

The cloud security firm also said that the exposure of the “/debug/pprof” endpoints used for determining heap memory usage, CPU usage, and others, could serve as a vector for DoS attacks, rendering the servers inoperable.


As many as 296,000 Prometheus Node Exporter instances and 40,300 Prometheus servers have been estimated to be publicly accessible over the internet, making them a huge attack surface that could put data and services at risk.

The fact that sensitive information, such as credentials, passwords, authentication tokens, and API keys, could be leaked through internet-exposed Prometheus servers has been documented previously by JFrog in 2021 and Sysdig in 2022.

“Unauthenticated Prometheus servers enable direct querying of internal data, potentially exposing secrets that attackers can exploit to gain an initial foothold in various organizations,” the researchers said.

In addition, it has been found that the “/metrics” endpoint can not only reveal internal API endpoints, but also data about subdomains, Docker registries, and images — all valuable information for an attacker conducting reconnaissance and looking to expand their reach within the network.

That’s not all. An adversary could send multiple simultaneous requests to endpoints like “/debug/pprof/heap” to trigger CPU and memory-intensive heap profiling tasks that can overwhelm the servers and cause them to crash.

Aqua further called out a supply chain threat that involves using repojacking techniques to leverage the name associated with deleted or renamed GitHub repositories and introduce malicious third-party exporters.


Specifically, it discovered that eight exporters listed in Prometheus’ official documentation are vulnerable to RepoJacking, thereby allowing an attacker to recreate an exporter with the same name and host a rogue version. These issues have since been addressed by the Prometheus security team as of September 2024.

“Unsuspecting users following the documentation could unknowingly clone and deploy this malicious exporter, leading to remote code execution on their systems,” the researchers said.

Organizations are recommended to secure Prometheus servers and exporters with adequate authentication methods, limit public exposure, monitor “/debug/pprof” endpoints for any signs of anomalous activity, and take steps to avoid RepoJacking attacks.
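One way to watch the “/debug/pprof” and data endpoints for the abuse described above, as an added example not taken from the Aqua report or from the Prometheus project: it runs over constructed reverse-proxy access log lines and assumes 10.0.0.0/8 is the trusted monitoring network.

```python
"""Flag risky Prometheus access in reverse-proxy logs (added example, not from
the Aqua report or Prometheus). Assumes combined-format logs and a trusted
monitoring range of 10.0.0.0/8; every log line below is constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption, adjust per site
READ_PATHS = ("/metrics", "/federate", "/api/v1/")  # data exposed to anyone who can reach it

# Constructed sample: internal scraper, external reader, external client hammering the heap profiler.
SAMPLE_LOG = """\
10.0.1.5 - - [12/Dec/2024:10:00:00 +0000] "GET /metrics HTTP/1.1" 200 5120
203.0.113.7 - - [12/Dec/2024:10:00:01 +0000] "GET /api/v1/query?query=up HTTP/1.1" 200 311
203.0.113.7 - - [12/Dec/2024:10:00:03 +0000] "GET /api/v1/targets HTTP/1.1" 401 0
10.0.1.5 - - [12/Dec/2024:10:00:04 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 40111
198.51.100.9 - - [12/Dec/2024:10:00:05 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 40111
198.51.100.9 - - [12/Dec/2024:10:00:06 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 40111
198.51.100.9 - - [12/Dec/2024:10:00:07 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 40111
198.51.100.9 - - [12/Dec/2024:10:00:30 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 40111
"""


def parse(line):
    """Return (ip, timestamp, path without query string, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0], int(m["status"])


def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)


def find_findings(lines, burst=3, window_s=10):
    """Map source IP -> sorted finding kinds; a pprof burst is `burst`+ profiler hits in `window_s` seconds."""
    findings = defaultdict(set)
    pprof_times = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        external = not is_trusted(ip)
        if path.startswith("/debug/pprof"):
            if external:
                findings[ip].add("pprof_external")
            times = pprof_times[ip]
            times.append(ts)
            while (ts - times[0]).total_seconds() > window_s:  # sliding window
                times.pop(0)
            if len(times) >= burst:
                findings[ip].add("pprof_burst")
        elif external and status == 200 and path.startswith(READ_PATHS):
            findings[ip].add("unauthenticated_external_read")
    return {ip: sorted(kinds) for ip, kinds in findings.items()}
```

A 401 on a data endpoint is deliberately not flagged, so the output shows only successful reads from outside the trusted range and profiler hits that match the DoS pattern.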





Why Phishers Love New TLDs Like .shop, .top and .xyz – Krebs on Security


Phishing attacks increased nearly 40 percent in the year ending August 2024, with much of that growth concentrated at a small number of new generic top-level domains (gTLDs) — such as .shop, .top, .xyz — that attract scammers with rock-bottom prices and no meaningful registration requirements, new research finds. Meanwhile, the nonprofit entity that oversees the domain name industry is moving forward with plans to introduce a slew of new gTLDs.


A study on phishing data released by Interisle Consulting finds that new gTLDs introduced in the last few years command just 11 percent of the market for new domains, but accounted for roughly 37 percent of cybercrime domains reported between September 2023 and August 2024.

Interisle was sponsored by several anti-spam organizations, including the Anti-Phishing Working Group (APWG), the Coalition Against Unsolicited Commercial Email (CAUCE), and the Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG).

The study finds that while .com and .net domains made up approximately half of all domains registered in the past year (more than all of the other TLDs combined), they accounted for just over 40 percent of all cybercrime domains. Interisle says an almost equal share — 37 percent — of cybercrime domains were registered through new gTLDs.

Spammers and scammers gravitate toward domains in the new gTLDs because these registrars tend to offer cheap or free registration with little to no account or identity verification requirements. For example, among the gTLDs with the highest cybercrime domain scores in this year’s study, nine offered registration fees for less than $1, and nearly two dozen offered fees of less than $2.00. By comparison, the cheapest price identified for a .com domain was $5.91.

Currently, there are around 2,500 registrars authorized to sell domains by the Internet Corporation for Assigned Names and Numbers (ICANN), the California nonprofit that oversees the domain industry.

The top 5 new gTLDs, ranked by cybercrime domains reported. Image: Interisle Cybercrime Supply Chain 2014.

Incredibly, despite years of these reports showing phishers heavily abusing new gTLDs, ICANN is shuffling forward on a plan to introduce even more of them. ICANN’s proposed next round envisions accepting applications for new gTLDs in 2026.

John Levine is author of the book “The Internet for Dummies” and president of CAUCE. Levine said adding more TLDs without a much stricter registration policy will likely further expand an already plentiful greenfield for cybercriminals.

“The problem is that ICANN can’t make up their mind whether they are the neutral nonprofit regulator or just the domain speculator trade association,” Levine told KrebsOnSecurity. “But they act a lot more like the latter.”

Levine said the vast majority of new gTLDs have a few thousand domains — a far cry from the number of registrations they would need just to cover the up-front costs of operating a new gTLD (~$180,000-$300,000). New gTLD registrars can quickly attract customers by selling domains cheaply to customers who buy domains in bulk, but that tends to be a losing strategy.

“Selling to criminals and spammers turns out to be lousy business,” Levine said. “You can charge whatever you want on the first year, but you have to charge list price on domain renewals. And criminals and spammers never renew. So if it sounds like the economics makes no sense it’s because the economics makes no sense.”

In virtually all previous spam reports, Interisle found the top brands referenced in phishing attacks were the largest technology companies, including Apple, Facebook, Google and PayPal. But this past year, Interisle found the U.S. Postal Service was by far the most-phished entity, with more than four times the number of phishing domains as the second most-frequent target (Apple).

At least some of that increase is likely from a prolific cybercriminal using the nickname Chenlun, who has been selling phishing kits targeting domestic postal services in the United States and at least a dozen other countries.

Interisle says an increasing number of phishers are eschewing domain registrations altogether, and instead taking advantage of subdomain providers like blogspot.com, pages.dev, and weebly.com. The report notes that cyberattacks hosted at subdomain provider services can be tough to mitigate, because only the subdomain provider can disable malicious accounts or take down malicious web pages.

“Any action upstream, such as blocking the second-level domain, would have an impact across the provider’s whole customer base,” the report observes.

Interisle tracked more than 1.18 million instances of subdomains used for phishing in the past year (a 114 percent increase), and found more than half of those were subdomains at blogspot.com and other services operated by Google.

“Many of these services allow the creation of large numbers of accounts at one time, which is highly exploited by criminals,” the report concludes. “Subdomain providers should limit the number of subdomains (user accounts) a customer can create at one time and suspend automated, high-volume automated account sign-ups – especially using free services.”

Dec. 4, 10:21 a.m. ET: Corrected link to report.




Microsoft to take an $800M charge over Cruise’s shutdown • The Register


Microsoft is among those in the blast radius of General Motors’ decision to wind up its autonomous taxi business, Cruise.

In a filing made to the US Securities and Exchange Commission (SEC) this week, the company said it expected to record an impairment charge to the tune of approximately $800 million in the second quarter of fiscal year 2025. It will categorize the charge as “Other income and expense” and estimated that the impact would be approximately $0.09 to second quarter diluted earnings per share.


Microsoft noted that the charge wasn’t included in the second-quarter guidance provided on October 30. However, even then, it was clear that things were not going well for Cruise. General Motors’ announcement earlier this week that it was pulling the plug and refocusing Cruise’s operation did not come as a surprise considering the technical challenges encountered by the self-driving outfit.

A few weeks before GM gave up on the robotaxis, a Vulture from El Reg’s San Francisco office snapped a picture of a parking lot full of resting Cruise cabs.

The autonomous taxis became available for public hire in February 2022, but a succession of incidents meant the robocabs were required to have a human at the wheel, thus defeating the point of the system.

Microsoft announced its minority investment in January 2021, joining Honda and other institutional investors. All told, the players invested $2 billion at the time, bringing the post-money valuation of Cruise to $30 billion.

What a difference a few years makes.

Microsoft was also meant to be Cruise’s preferred cloud provider. Company boss Satya Nadella said, “As Cruise and GM’s preferred cloud, we will apply the power of Azure to help them scale and make autonomous transportation mainstream.”

However, rather than making autonomous transportation mainstream, at least via the medium of autonomous taxis, Microsoft is instead taking an $800 million charge.

According to Nikkei Asia, Honda will also dissolve its self-driving vehicle partnership with GM. ®




Notorious Nigerian cybercriminal tied to BEC scams extradited to U.S.


Abiola Kayode, a 37-year-old Nigerian national, has been extradited from Ghana to the United States to face charges of conspiracy to commit wire fraud. 

Kayode, who was on the FBI’s Most Wanted cybercriminal list, is charged with participating in a business email compromise (BEC) scheme and romance fraud from January 2015 to September 2016, defrauding businesses of over $6 million. The scheme involved Kayode’s co-conspirators impersonating high-level executives and directing company employees to make fraudulent wire transfers. The funds were then diverted to accounts controlled by Kayode and others, many of which belonged to victims of romance scams.

The Treasury Department sanctioned Kayode and five others involved in the schemes in 2020. The sanctions block these individuals’ property and generally prohibit U.S. persons from conducting business with them. 

Several of Kayode’s alleged accomplices have already been sentenced. Adewale Aniyeloye received 96 months in prison, Pelumi Fawehinimi got 72 months, and Onome Ijomone was sentenced to 60 months for their roles in the scams. Another partner in crime, Alex Ogunshakin, was recently sentenced to 45 months following his extradition from Nigeria.

The Office of International Affairs at the Department of Justice played a significant role in securing Kayode’s extradition. The broader initiative, coordinated with the FBI, aims to combat the growing threat of cyber-enabled fraud schemes targeting vulnerable Americans. According to FinCEN, BEC fraud reports have skyrocketed, with attempts to steal nearly $9 billion from U.S. financial institutions since 2016.

It has been a busy month for the Justice Department’s focus on BEC scams. Last week, Okechuckwu Valentine Osuji, a 39-year-old Nigerian national, was sentenced to eight years in prison for running a business email compromise scheme from multiple countries, including the United States.


Written by Greg Otto





Cultivating a Hacker Mindset in Cybersecurity Defense


COMMENTARY

In the past, security professionals were true hackers at heart — passionate individuals who made money doing what they loved: breaking systems, pushing boundaries, and constantly learning. They grew their skills out of sheer curiosity and dedication.

Today, however, many in security are simply “professionals” who found a well-paying job but lack that hacker spirit. They’re not driven by a love of the challenge or a hunger to learn. They may take the occasional course or learn a few technical tricks — but often, they’re doing the bare minimum. This leads to weak security. Meanwhile, attackers? They still have that old-school hacker passion, constantly learning and evolving for the love of the challenge.

We’ve completely misunderstood how to do security. Instead of genuinely simulating bad guys and preparing for the real thing, we play around with automated tools and call it “offensive” security. Many red-team exercises simply follow a checklist of known exploits without adapting to the specific environment. In contrast, a genuine adversary simulation requires creativity and a deep understanding of the target’s weaknesses — crafting custom attack paths and adjusting tactics on the fly. It’s about going beyond technical skills and truly getting into the adversary mindset.

Let’s be real — technical skills alone aren’t going to save anyone. To outsmart attackers, we need to cultivate a hacker mindset: understand the motivations, tactics, and psychology behind attacks, focusing on creativity and adaptability rather than just checking boxes.

Why Adversaries Do What They Do

Too many defenders get stuck on the “how” of an attack — the technical exploits, tools, and vulnerabilities — but to stay ahead, we need to ask “why.” Attackers aren’t just pushing buttons; they’re making strategic decisions, choosing the path of least resistance and maximum gain specific to their objectives.

Attackers know defenders are predictable. They know defenders — often too focused on what looks scary instead of what’s actually vulnerable — will patch the big vulnerabilities while ignoring the misconfigurations or overly trusted third-party integrations. Red teams might overlook these, but real adversaries know they’re prime opportunities. Attackers exploit trusted integrations to move laterally or exfiltrate data without triggering alarms. This is why understanding the “why” behind attacks is crucial. Attackers aren’t just targeting technology — they’re going after the path of least resistance, and too often, that’s where we’re late.

Stop Being a Button-Pusher

Here’s the harsh truth: Relying solely on automated tools and predefined processes is a recipe for failure. While those tools are useful, attackers thrive on predictability, so the more security teams rely on the same tools and scripts, the easier it is for them to slip through.

Think about the SolarWinds breach, where attackers leveraged a trusted, automated process to compromise thousands of systems — because defenders didn’t critically assess their own tools. SolarWinds is a lesson in the danger of blind trust in automation. If you’re just pushing buttons, you’re making their job easy.

Attackers are constantly testing the boundaries — doing the unexpected, finding unnoticed cracks. To defend against that, you need to do the same. Be curious, be creative, and don’t be afraid to challenge the rules. That’s what attackers are doing every day.

Detecting Intent in the Cloud

The cloud is a whole new ballgame. Old perimeter defenses don’t cut it anymore — it’s about understanding intent. Attackers aren’t just exploiting vulnerabilities; they’re using legitimate cloud services against you, moving laterally, escalating privileges, and blending in with regular user activity.

Take the Sisense breach: The attacker exploited cloud misconfigurations and legitimate credentials to access sensitive data. They didn’t break in — they logged in. The attacker understood how to blend in with typical user activity. Recognizing intent in the cloud is critical; it’s about seeing the attacker’s goals and cutting them off before they succeed.

If you notice unusual activity, don’t wait for an alert. Assume intent and start digging. The faster you understand why something is happening, the faster you can stop it.

Building a Hacker Culture

Growing and honing a hacker mindset is a journey, and it won’t come from reading a book or taking a course. It takes time, practice, mentorship, and hands-on experience. Pair up newer team members with people who’ve been through the trenches, involve the defense team in red team exercises, and let them make mistakes. Real learning happens by doing.

Want to know if you have a hacker mindset? Try the Jack Attack Test (JAT), where creativity — not content — reveals true hacker thinking. For example, finding 10 different ways to “turn off the light” is similar to finding 10 ways to perform a denial-of-service (DoS) attack. Hackers think conceptually, while security professionals might get lost in the details, saying they “don’t know anything about electricity.”

Another thing: Give your team members the chance to think like attackers. Run attack simulations where they must step into the hacker’s shoes. Get a threat intel report, and make them explain the why, not the how. Challenge them to take unconventional approaches. Attackers are masters of the unexpected, and if defenders want to keep up, they need to be too.

Embracing the Adversary Mindset

At the end of the day, security isn’t just about tools — it’s about understanding how the enemy thinks and why they make certain choices. Every move they make — each target, exploit, and escalation — is deliberate. To stay ahead, defenders must adopt this mindset. By understanding the strategy behind their actions, defenders can identify weak points in their defenses. It’s not just about technology; it’s about understanding intent, anticipating the unexpected, and challenging the norm. No tool can replace a curious mind ready to step into an adversary’s shoes and do whatever it takes to stay ahead.


