Arizona man arrested for alleged involvement in violent online terror networks


Baron Martin, a 20-year-old resident of Tucson, Arizona, was arrested Wednesday on charges of producing child sexual abuse material and cyberstalking. His arrest is connected to his involvement in online terror networks, specifically 764 and CVLT, which are known for violent extremist activities.

Martin, also known under the alias “Convict,” is charged with significant involvement in these networks since 2021. He allegedly boasted about being a leader within 764 and CVLT and provided guidance on victim extortion. The Department of Justice’s criminal complaint details his use of popular communication platforms to form and execute his plans, notably involving two minors in September 2022 to engage in self-harming acts.

U.S. Assistant Attorney General for National Security Matthew G. Olsen has described the 764 network as a dangerous organization of violent extremists. The network is said to systematically target children, utilizing child sexual abuse material in an agenda aimed at societal collapse and governmental destabilization. Olsen reaffirmed the Justice Department’s commitment to combating such acts of terrorism and dismantling these networks.

The unsealed complaint provides a grim overview of the 764 network’s operations. It describes the group’s targeting of underage populations to share extreme and violent media, desensitizing youth to violence and normalizing the dissemination of child sexual abuse material (CSAM). The network is noted for its use of cybercriminal tactics and manipulation of societal norms to exploit minors, guided by a broader agenda of societal chaos.

If convicted, Martin could face up to 30 years in prison for producing child sexual abuse material, alongside a potential 10-year term for the cyberstalking offense. Both charges also include fines and the possibility of lifetime supervised release.

CyberScoop reported earlier this month that groups like 764 and the global collective of loosely associated groups known as “The Com” are using tools and techniques normally reserved for financially motivated cybercrime tactics — such as SIM swapping, IP grabbing and social engineering — to commit violent crimes.

The reports offer insight into the underbelly of the global network, showing how its members use traditional cybercriminal tools to identify, target, groom, extort, and cause physical and psychological harm to victims as young as 10. The reports were shared with police nationwide and, in some cases, with foreign allied governments.

Gary Restaino, U.S. Attorney for the District of Arizona, emphasized in a release the importance of vigilance among parents and children in online environments. He noted that Project Safe Childhood, a Justice Department initiative, aims to protect youth from individual and organized threats online.

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.




Zerto Introduces Cloud Vault Solution for Enhanced Cyber Resilience Through MSPs


PRESS RELEASE

BOSTON — December 12, 2024 — Zerto, a Hewlett Packard Enterprise company, today announced the launch of the Zerto Cloud Vault, which delivers Zerto’s best-in-class cyber resilience capabilities as a service through managed service providers (MSPs). Zerto’s security-focused MSP partners at launch include Assurestor, Converge, LincolnIT, and Verinext. Built on the capabilities of the Zerto Cyber Resilience Vault, the Zerto Cloud Vault is a cloud-based, fully managed solution that offers logical air-gapping, immutability, and clean room recovery.

Ransomware attacks remain a harsh fact of life for most businesses with collective ransomware losses totaling over $1 billion in 2023 alone. This financial toll is exacerbated by the resulting data loss and downtime, with some estimates suggesting upwards of $1 million in losses per hour of downtime for larger businesses.

With Zerto Cloud Vault, customers can leverage MSPs that deliver tailored cyber resilience strategies to meet the specific requirements of their organizations. Cloud Vault is the latest offering in HPE’s comprehensive cyber resilience portfolio and complements the existing Zerto Cyber Resilience Vault, which is deployed as a self-hosted, on-premises stack.

Zerto Cloud Vault capabilities include:

  • Managed Cyber Services: Take advantage of MSP experts who know how to prevent and mitigate attacks and have built their services on top of Zerto’s award-winning technology.

  • Real-Time Encryption Detection: Detect encryption anomalies in real-time and be alerted within seconds to potential issues through integration with cybersecurity dashboards.

  • Immutable Data Copies: Retain data for up to 12 months and protect against ransomware attacks through immutable copies, all without impacting production workloads, without any agents or snapshots.

  • Clean Room Recovery: Leverage the elasticity of the cloud to create clean environments on demand with isolated networks that are protected from attackers. Use it to validate data, scrub malware, and perform forensics before recovering back into production.

  • Non-Disruptive Testing: With Zerto’s non-disruptive solutions, businesses can test more frequently and comprehensively, including conducting cyber recovery tests at any time on entire sites, multiple sites, or individual VMs. These tests can be used to validate recovery plans and train incident response teams.

  • Fully isolated from production environments: Ability to run different security postures within production and vault environments.

“Zerto’s disaster recovery and cyber resilience solutions offer peace of mind to businesses struggling to combat ransomware attacks,” said Jim O’Dorisio, senior vice president and general manager, HPE Storage. “Leveraging our cyber resilience capabilities, MSPs will be able to bring fully managed Cloud Vault services to even more organizations, helping them thwart the plans of attackers and keep precious business assets safe.”

Coupled with the expertise of Zerto’s vetted MSP partners, the hosted Zerto Cloud Vault mitigates the most devastating ransomware scenarios while keeping businesses in compliance with state and federal regulations — reducing the risk of substantial fines or prosecution. Where other solutions offer detrimental lengthy recovery point objectives (RPOs) and recovery time objectives (RTOs), Zerto Cloud Vault slashes both, minimizing the risks of disruption and allowing businesses to get back on their feet as fast as possible after the inevitable happens. Zerto is a part of HPE’s hybrid cloud business, helping HPE customers protect workloads and data across hybrid IT environments.

Partner Quotes

“Our Gold Standard for cyber recovery considers a product’s recoverability readiness, non-disruptive testing capability, and speed of data recovery; we found that Zerto substantially delivered on all these points. Combined with Cloud Vault, the protection provided from ransomware attacks was robust and allowed pinpoint recovery faster than any other products evaluated,” said Stephen Young, executive director, Assurestor.

“Ransomware attacks are a real threat to the data and operations of organizations of all sizes. Having the ability to offer a cloud vault with Zerto technology gives our clients added protection against ransomware and peace of mind that they can recover successfully,” said John Antimisiaris, executive vice president, LincolnIT.

“Some of our clients’ infrastructure protection needs to be kept with a very tight RPO, but they still need some deeper recovery options than simple replication can provide. A cyberattack is seldom clearly understood, even when recovery efforts have begun. Zerto Cloud Vault provides immutable protection history that can be leveraged to find the latest clean point in time for replicated hosts,” said Jeremy Brovage, product engineer and solutions architect, Converge Enterprise Cloud.

“Cyberattacks that encrypt data are one of the primary disruptors requiring data recovery. Zerto provides the best tools to recover quickly and with the least data loss in a cloud vault,” said Nick Martino, product manager, managed services, Verinext.

Explore the Zerto Cloud Vault and discover how it empowers businesses to safeguard their data and operations.

About Zerto

Zerto, a Hewlett Packard Enterprise company, empowers customers to run an always-on business by simplifying the protection, recovery, and mobility of on-premises and cloud applications. Zerto eliminates the risk and complexity of modernization and cloud adoption across private, public, and hybrid deployments. The simple, software-only solution uses continuous data protection at scale to solve for ransomware resilience, disaster recovery, and multi-cloud mobility. Zerto is trusted by over 9,500 customers globally, and is powering offerings for Microsoft Azure, IBM Cloud, Google Cloud, Oracle Cloud, and more than 350 managed service providers.




Auto parts giant LKQ says cyberattack disrupted Canadian business unit


Automobile parts giant LKQ Corporation disclosed that one of its business units in Canada was hacked, allowing threat actors to steal data from the company.

LKQ is a public American company specializing in automotive replacement parts, components, and services to repair and maintain vehicles. The company has 45,000 employees in 25 countries and operates numerous brands, including Keystone, Tri Star, and ADL.

In a Friday evening FORM 8-K filing filed with the SEC, the company says one of its business units in Canada was breached on November 13, disrupting business operations.

“On November 13, 2024, LKQ Corporation (the “Company” or “we”) detected unauthorized access to information technology (IT) systems of a single business unit in Canada (“Business Unit”). The attack disrupted the Business Unit’s operations,” reads the LKQ Form 8-K filing.

“Upon discovery, we immediately began taking steps to investigate, contain, and recover from the incident, including activating our security incident response and recovery plans, partnering with industry leading forensic investigators, and initiating containment measures for affected systems. We also promptly notified law enforcement authorities. We are analyzing data impacted by the incident and will be notifying affected parties as appropriate.”

“As a result of the incident, the Company’s operations within this Business Unit were adversely impacted for a few weeks while affected systems were recovered; however, the Company believes that it has effectively contained the threat and that none of its other businesses were impacted by the threat, and the Business Unit is now operating near full capacity.”

The company says it does not believe the incident will have any material impact on its financials or operations for the remainder of the fiscal year. LKQ says it will seek reimbursement for costs and expenses stemming from the cyberattack from its cyber insurance provider.

LKQ notes that its containment measures caused some disruption within the breached business unit for a few weeks, but says it has since restored operations.

No ransomware gangs or other threat actors have claimed responsibility for the attack.




390,000+ WordPress Credentials Stolen via Malicious GitHub Repository Hosting PoC Exploits


Dec 13, 2024 | Ravie Lakshmanan | Cyber Attack / Malware

A now-removed GitHub repository that advertised a WordPress tool to publish posts to the online content management system (CMS) is estimated to have enabled the exfiltration of over 390,000 credentials.

The malicious activity is part of a broader attack campaign undertaken by a threat actor, dubbed MUT-1244 (where MUT refers to “mysterious unattributed threat”) by Datadog Security Labs, that involves phishing and several trojanized GitHub repositories hosting proof-of-concept (PoC) code for exploiting known security flaws.

“Victims are believed to be offensive actors – including pentesters and security researchers, as well as malicious threat actors – and had sensitive data such as SSH private keys and AWS access keys exfiltrated,” researchers Christophe Tafani-Dereeper, Matt Muir, and Adrian Korn said in an analysis shared with The Hacker News.

It’s no surprise that security researchers have been an attractive target for threat actors, including nation-state groups from North Korea, as compromising their systems could yield information about possible exploits related to undisclosed security flaws they may be working on, which could then be leveraged to stage further attacks.


In recent years, there has emerged a trend where attackers attempt to capitalize on vulnerability disclosures to create GitHub repositories using phony profiles that claim to host PoCs for the flaws but actually are engineered to conduct data theft and even demand payment in exchange for the exploit.

The campaigns undertaken by MUT-1244 not only involve making use of trojanized GitHub repositories but also phishing emails, both of which act as a conduit to deliver a second-stage payload capable of dropping a cryptocurrency miner, as well as stealing system information, private SSH keys, environment variables, and contents associated with specific folders (e.g., ~/.aws) to File.io.

One such repository was “github[.]com/hpc20235/yawpp,” which claimed to be “Yet Another WordPress Poster.” Prior to its takedown by GitHub, it contained two scripts: One to validate WordPress credentials and another to create posts using the XML-RPC API.

But the tool also harbored malicious code in the form of a rogue npm dependency, a package named @0xengine/xmlrpc that deployed the same malware. It was originally published to npm in October 2023 as a JavaScript-based XML-RPC server and client for Node.js. The library is no longer available for download.

It’s worth noting that cybersecurity firm Checkmarx revealed last month that the npm package remained active for over a year, attracting about 1,790 downloads.

The yawpp GitHub project is said to have enabled the exfiltration of over 390,000 credentials, likely for WordPress accounts, to an attacker-controlled Dropbox account by compromising unrelated threat actors who had access to these credentials through illicit means.

Another method used to deliver the payload entails sending phishing emails to academics in which they are tricked into visiting links that instruct them to launch the terminal and copy-paste a shell command to perform a supposed kernel upgrade. The discovery marks the first time a ClickFix-style attack has been documented against Linux systems.

“The second initial access vector that MUT-1244 utilizes is a set of malicious GitHub users publishing fake proof-of-concepts for CVEs,” the researchers explained. “Most of them were created in October or November [2024], have no legitimate activity, and have an AI-generated profile picture.”


Some of these bogus PoC repositories were previously highlighted by Alex Kaganovich, Colgate-Palmolive’s global head of offensive security red team, in mid-October 2024. But in an interesting twist, the second-stage malware is delivered in four different ways:

  • Backdoored configure compilation file
  • Malicious payload embedded in a PDF file
  • Using a Python dropper
  • Inclusion of a malicious npm package “0xengine/meow”

“MUT-1244 was able to compromise the system of dozens of victims, mostly red teamers, security researchers, and anyone with an interest in downloading PoC exploit code,” the researchers said. “This allowed MUT-1244 to gain access to sensitive information, including private SSH keys, AWS credentials, and command history.”


Fintech Giant Finastra Investigating Data Breach – Krebs on Security


The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world’s top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company.

London-based Finastra has offices in 42 countries and reported $1.9 billion in revenues last year. The company employs more than 7,000 people and serves approximately 8,100 financial institutions around the world. A major part of Finastra’s day-to-day business involves processing huge volumes of digital files containing instructions for wire and bank transfers on behalf of its clients.

On November 8, 2024, Finastra notified financial institution customers that on Nov. 7 its security team detected suspicious activity on Finastra’s internally hosted file transfer platform. Finastra also told customers that someone had begun selling large volumes of files allegedly stolen from its systems.

“On November 8, a threat actor communicated on the dark web claiming to have data exfiltrated from this platform,” reads Finastra’s disclosure, a copy of which was shared by a source at one of the customer firms.

“There is no direct impact on customer operations, our customers’ systems, or Finastra’s ability to serve our customers currently,” the notice continued. “We have implemented an alternative secure file sharing platform to ensure continuity, and investigations are ongoing.”

But its notice to customers does indicate the intruder managed to extract or “exfiltrate” an unspecified volume of customer data.

“The threat actor did not deploy malware or tamper with any customer files within the environment,” the notice reads. “Furthermore, no files other than the exfiltrated files were viewed or accessed. We remain focused on determining the scope and nature of the data contained within the exfiltrated files.”

In a written statement in response to questions about the incident, Finastra said it has been “actively and transparently responding to our customers’ questions and keeping them informed about what we do and do not yet know about the data that was posted.” The company also shared an updated communication to its clients, which said while it was still investigating the root cause, “initial evidence points to credentials that were compromised.”

“Additionally, we have been sharing Indicators of Compromise (IOCs) and our CISO has been speaking directly with our customers’ security teams to provide updates on the investigation and our eDiscovery process,” the statement continues. Here is the rest of what they shared:

“In terms of eDiscovery, we are analyzing the data to determine what specific customers were affected, while simultaneously assessing and communicating which of our products are not dependent on the specific version of the SFTP platform that was compromised. The impacted SFTP platform is not used by all customers and is not the default platform used by Finastra or its customers to exchange data files associated with a broad suite of our products, so we are working as quickly as possible to rule out affected customers. However, as you can imagine, this is a time-intensive process because we have many large customers that leverage different Finastra products in different parts of their business. We are prioritizing accuracy and transparency in our communications.

Importantly, for any customers who are deemed to be affected, we will be reaching out and working with them directly.”

On Nov. 8, a cybercriminal using the nickname “abyss0” posted on the English-language cybercrime community BreachForums that they’d stolen files belonging to some of Finastra’s largest banking clients. The data auction did not specify a starting or “buy it now” price, but said interested buyers should reach out to them on Telegram.

abyss0’s Nov. 7 sales thread on BreachForums included many screenshots showing the file directory listings for various Finastra customers. Image: Ke-la.com.

According to screenshots collected by the cyber intelligence platform Ke-la.com, abyss0 first attempted to sell the data allegedly stolen from Finastra on October 31, but that earlier sales thread did not name the victim company. However, it did reference many of the same banks called out as Finastra customers in the Nov. 8 post on BreachForums.

The original October 31 post from abyss0, where they advertise the sale of data from several large banks that are customers of a large financial software company. Image: Ke-la.com.

The October sales thread also included a starting price: $20,000. By Nov. 3, that price had been reduced to $10,000. A review of abyss0’s posts to BreachForums reveals this user has offered to sell databases stolen in several dozen other breaches advertised over the past six months.

The apparent timeline of this breach suggests abyss0 gained access to Finastra’s file sharing system at least a week before the company says it first detected suspicious activity, and that the Nov. 7 activity cited by Finastra may have been the intruder returning to exfiltrate more data.

Maybe abyss0 found a buyer who paid for their early retirement. We may never know, because this person has effectively vanished. The Telegram account that abyss0 listed in their sales thread appears to have been suspended or deleted. Likewise, abyss0’s account on BreachForums no longer exists, and all of their sales threads have since disappeared.

It seems improbable that both Telegram and BreachForums would have given this user the boot at the same time. The simplest explanation is that something spooked abyss0 enough for them to abandon a number of pending sales opportunities, in addition to a well-manicured cybercrime persona.

In March 2020, Finastra suffered a ransomware attack that sidelined a number of the company’s core businesses for days. According to reporting from Bloomberg, Finastra was able to recover from that incident without paying a ransom.

This is a developing story. Updates will be noted with timestamps. If you have any additional information about this incident, please reach out to krebsonsecurity @ gmail.com or at protonmail.com.




Android beefs up Bluetooth tag stalker protections • The Register


Google is rolling out two new features to help Android users evade stalkers who abuse Bluetooth tags to surreptitiously track them.

The Temporarily Pause Location feature lets users halt location updates sent to Bluetooth trackers via their phone for up to 24 hours. In Google’s view, this will allow users to quickly take action against a tag without having to stop and search for a hidden device, which may compromise safety.

When users feel safe enough to search for the device, the Find Nearby feature is introduced to help locate it. Android users could already activate a sound on a tracker placed on them, but the feature employs a visual aid – a shape that fills as the user nears the tracker – to simplify locating it. A text prompt will also describe the status of the connection to the tag.

Both features build on the existing protections Google has made available to users for years, more of which it said will continue to be rolled out over time.

However, these features work exclusively with trackers compatible with Android’s Find My Device Network, which launched earlier this year after much anticipation and was met with its fair share of naysayers.

Critics’ main gripe was that the network defaulted to activation only in high-traffic areas, although this can be manually changed to enable it everywhere. It meant tracker locating performance was limited in low-density areas.

Another issue lies in the limited number of devices compatible with the network. Only Pebblebee tags and Chipolo ONE Point and Chipolo CARD Point devices are fully compatible, benefiting from the bonus features that come with it.

Apple’s AirTags, among the most popular devices of their kind, are compatible but with limitations. Android users will be alerted if an AirTag is being used to track them, but the Find My Device Network features announced this week, for example, won’t work.

Other network features include gathering additional data about the tracker device itself. Once located, users can hold the tag near the back of their Android phone to retrieve data like the device identifier and the owner’s hidden email address. The data can be saved via screenshots and forwarded to law enforcement in extreme cases.

Both Apple and Google have been working for well over a year on a common device specification to allow trackers from all manufacturers to benefit from the advanced features on their respective networks.

Detecting Unwanted Location Trackers – the proposed specification name – was rolled out in May 2024 and Apple said that devices made by major players such as Chipolo, eufy, Jio, Motorola, and Pebblebee will adopt it in the future.

Serious and ongoing concerns

Consumer-grade Bluetooth trackers have been on the market for over a decade, but it was the release of Apple’s AirTags in 2021 that renewed concerns about people’s safety.

It took just over a year before the very worst offenses were carried out with the assistance of the tags, which were designed to help locate lost keys and pets.

Andre Smith was killed by his ex-girlfriend who tracked him using an AirTag concealed within his car’s bodywork. She would go on to be sentenced to 18 years in prison for manslaughter.

Numerous other grisly cases have been reported over the years, from women stalked after separating from their partners, to celebrities tracked while on holiday. Charities such as Refuge and the Suzy Lamplugh Trust have reported an uptick in reports of AirTag and other Bluetooth tracker abuse since.

Apple has routinely and vehemently condemned abuse of AirTags. It said in a 2022 statement: “Based on our knowledge and on discussions with law enforcement, incidents of AirTag misuse are rare; however, each instance is one too many.”

Apple’s anti-tracking features mirror Android’s in that not all tags work with its Find My network. Tags adhering to the Detecting Unwanted Location Trackers standard but not compatible with Find My will also trigger unwanted tracking notifications on iOS 17.5 or newer.




International crackdown disrupts DDoS-for-hire operations


In a sweeping international crackdown, law enforcement agencies from 15 countries, including the United States and multiple European nations, have dismantled 27 of the most popular platforms used for carrying out distributed denial-of-service (DDoS) attacks, Europol announced Wednesday. The operation, known as PowerOFF, has led to the arrest of three administrators in France and Germany and identified 300 users of these illegal services.

Booter and stresser websites allow individuals to launch overwhelming amounts of traffic at targeted websites, effectively rendering them inaccessible. These platforms are widely used by threat actors due to their simplicity and effectiveness in disrupting online services without the need for advanced technical skills. The takedowns occurred just before the Christmas holiday period, a time known for increased DDoS activity.

In addition to the website seizures, authorities launched an online advertising campaign aimed at deterring potential offenders. As part of these preventive measures, ads will target individuals searching for DDoS-for-hire services on Google and YouTube, highlighting the illegality and consequences of such activities.

“We know that Booter services are an attractive entry-level cyber crime, and users can go on to even more serious offending,” Frank Tutty, from the U.K.’s National Crime Agency, said in a news release. “Therefore, tackling this threat doesn’t just involve arresting offenders, it includes steering people away from straying into cyber crime and helping them make the right cyber choices.”

The operation involved close cooperation between agencies such as the FBI and Europol, as well as national police forces from countries including Brazil, Canada, and Japan. The timing of the operation was strategic, particularly given recent reports, including one from Cloudflare, that indicate a significant increase in DDoS attacks worldwide, with the banking and financial sectors being major targets amid growing geopolitical tensions.

U.S. prosecutors in Los Angeles this week unsealed an indictment charging one defendant with running booter services.

Ricardo Cesar Colli, a.k.a. “TotemanGames,” 22, of Brazil, is charged with conspiracy to violate and violating the Computer Fraud and Abuse Act related to the alleged operation of a booter service named Securityhide.net (formerly known as Securityhide.com). Additionally, prosecutors in Alaska have indicted one defendant with being the administrator of significant booter services. That indictment remains under seal. The Department of Justice said Wednesday it “continues to work with international partners to pursue an arrest and extradition” related to those charges.

This coordinated effort reflects a broader strategy by international law enforcement to tackle cyber threats comprehensively, from dismantling illegal infrastructures to preventing future attacks through education and awareness campaigns. The crackdown on DDoS-for-hire services is part of a series of operations in recent months led by Europol and its partners, which have also targeted other forms of cybercrime, including phone phishing scams and illegal streaming networks.

Written by Greg Otto




OData Injection Risk in Low-Code/No-Code Environments


COMMENTARY

As organizations lean into low-code/no-code (LCNC) platforms to streamline development and empower citizen developers, security risks become increasingly challenging to manage. One of the more under-the-radar LCNC threats is OData injection, an attack vector that can expose sensitive corporate data and is predominant on the Microsoft Power Platform. This new vulnerability is poorly understood by security professionals in LCNC environments, where traditional safeguards are lacking.

What Is OData? 

OData, or Open Data Protocol, is an OASIS standard that has gained traction in LCNC platforms as a way to manage and deliver data through REST APIs. It’s widely adopted because it allows seamless communication between applications and data sources, regardless of the underlying data storage model. In LCNC environments, it is commonly used as a query language to retrieve data from a variety of sources, such as SQL databases, SharePoint, or Dataverse.

OData is particularly valuable in LCNC platforms because of its simplicity — developers don’t need to be database experts to use it, and the same query language can be used for very different data sources. 

The OData Injection Threat

OData injection manipulates user input that is later used by an application or automation to form an OData query. The query is then applied to an enterprise data source. This allows an attacker to gain unauthorized access to manipulate or exfiltrate sensitive user and corporate data. 

While SQL injection (SQLi) is generally understood by security professionals, OData injection poses a different set of challenges, especially in LCNC environments, where multiple data sources are often connected and managed by citizen developers with minimal security training. Unlike SQLi, which is confined to relational databases, OData can connect to a wide array of data sources, including custom applications and third-party services, broadening the potential impact of an attack. 

OData also lacks the well-established defensive practices that have grown up around SQL. SQLi can typically be mitigated with parameterized queries, a practice that has become standard over the years. OData injection has no similarly universal solution: values are spliced into URL query options such as $filter, so developers must build their own input validation and escaping, a manual and error-prone process. The general lack of awareness of OData injection techniques further reduces the likelihood that such validation is implemented at all.

A New External Attack Surface

OData vulnerabilities in LCNC environments often stem from unrecognized risk in external data inputs: Web forms, email messages, social media posts, and external Web applications whose contents are fed into workflows that manipulate critical enterprise data. These inputs are typically accepted without stringent validation, leaving the attack surface exposed and often undefended, because developers and security teams may not regard them as potential risks.

This oversight allows attackers to exploit these inputs by injecting malicious OData queries. For instance, a simple product feedback form could be exploited to extract sensitive data or modify stored information. 

Security Challenges 

Because most citizen developers have no formal security training and are often unfamiliar with the dangers of accepting unchecked external inputs in their workflows, OData injection vulnerabilities can flourish undetected.

Also, unlike SQL injection, validating user inputs in OData queries requires a more hands-on approach. Developers must sanitize inputs themselves: escaping or rejecting characters that carry meaning in the query grammar (the single quote that delimits string literals above all), enforcing the expected format, and guarding against common injection techniques. This takes time, effort, and more programming knowledge than most LCNC developers have.
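To make the mechanism concrete, here is an added example (not from the original commentary, and not Power Platform code): a Python model of a flow that builds an OData $filter from a feedback-form field, with a constructed three-row dataset and a deliberately minimal $filter evaluator that only understands `Field eq 'literal'` joined by `and`/`or`. The vulnerable builder concatenates the raw value; the hardened builder doubles embedded single quotes as the OData literal syntax requires and checks the field name against an allowlist, since field names cannot be quoted. It illustrates both the feedback-form scenario above and the manual sanitization just described.

```python
import re

# Constructed sample rows standing in for a Dataverse/SharePoint list.
RECORDS = [
    {"Id": 1, "Title": "Public roadmap", "Category": "Public", "Owner": "alice"},
    {"Id": 2, "Title": "Q3 revenue", "Category": "Confidential", "Owner": "bob"},
    {"Id": 3, "Title": "Launch notes", "Category": "Public", "Owner": "carol"},
]

# Fields a caller may filter on (assumed for the example). Field names cannot be
# quoted in OData, so they are checked against an allowlist instead of escaped.
ALLOWED_FIELDS = {"Category", "Owner"}


def build_filter_vulnerable(category: str) -> str:
    """The pattern an LCNC flow often uses: concatenate the form value into $filter."""
    return f"Category eq '{category}'"


def odata_quote(value: str) -> str:
    """Render a string as an OData literal: single-quoted, embedded quotes doubled."""
    return "'" + value.replace("'", "''") + "'"


def build_filter_safe(field: str, value: str) -> str:
    """Hardened form: allowlisted field name plus a properly escaped literal."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not allowed in filter: {field!r}")
    return f"{field} eq {odata_quote(value)}"


# Minimal $filter evaluator (hypothetical; covers only Field eq 'literal', and, or).
_TOKEN = re.compile(r"\s*(?:('(?:[^']|'')*')|(\w+))")


def tokenize(expr: str):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter syntax near {expr[pos:pos + 12]!r}")
        if m.group(1) is not None:
            # Strip the delimiters and undo the '' escape to get the literal value.
            tokens.append(("STR", m.group(1)[1:-1].replace("''", "'")))
        else:
            tokens.append(("WORD", m.group(2)))
        pos = m.end()
    return tokens


def parse(tokens):
    pos = 0

    def take(kind, text=None):
        nonlocal pos
        if pos >= len(tokens) or tokens[pos][0] != kind or (text and tokens[pos][1] != text):
            raise ValueError(f"unexpected token at {pos}: {tokens[pos:pos + 1]}")
        pos += 1
        return tokens[pos - 1][1]

    def comparison():
        field = take("WORD")
        take("WORD", "eq")
        return ("eq", field, take("STR"))

    def conjunction():
        nonlocal pos
        node = comparison()
        while pos < len(tokens) and tokens[pos] == ("WORD", "and"):
            pos += 1
            node = ("and", node, comparison())
        return node

    def disjunction():
        nonlocal pos
        node = conjunction()
        while pos < len(tokens) and tokens[pos] == ("WORD", "or"):
            pos += 1
            node = ("or", node, conjunction())
        return node

    tree = disjunction()
    if pos != len(tokens):
        raise ValueError("trailing tokens in filter")
    return tree


def matches(node, row) -> bool:
    op = node[0]
    if op == "eq":
        return row.get(node[1]) == node[2]
    left, right = matches(node[1], row), matches(node[2], row)
    return (left and right) if op == "and" else (left or right)


def query(filter_expr: str, rows=RECORDS):
    """Return the Ids of rows selected by the $filter expression."""
    tree = parse(tokenize(filter_expr))
    return [row["Id"] for row in rows if matches(tree, row)]
```

With the form value `Public' or Category eq 'Confidential`, the vulnerable builder produces a filter that returns every row, including the confidential one, while the hardened builder turns the same input into a single literal that matches nothing. The evaluator is a stand-in for the real data source; what matters is that the escaping happens before the string reaches it.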

Furthermore, in traditional development environments, security vulnerabilities are often tracked and remediated through ticketing systems or backlog management tools like Jira. This formal process does not exist in most LCNC development environments, where developers may not be full-time coders and have no formalized way to handle bug tracking or vulnerability management.

Mitigation Best Practices

Combating OData injection requires a proactive security strategy. Ideally, every LCNC developer would be trained on OData query risks and on how external inputs can be exploited, but that is unrealistic at scale, since citizen developers are not full-time coders.

Instead, automation can play a significant role in monitoring and detecting OData injection vulnerabilities. Security teams should deploy tools that continuously assess LCNC environments for potential vulnerabilities, especially as new applications and workflows are created. This will help identify weaknesses early and quickly provide developers with actionable insights into how to fix them.

Collaboration between security teams and LCNC developers is another essential piece of the puzzle. Security teams should be granted access to monitor the development process in real-time, particularly in environments where critical corporate data is being processed. When vulnerabilities are identified, security must communicate clearly with developers, offering specific guidance on how to remediate issues. This could include best practices for input validation and sanitation, as well as tools for automating the process where possible.

Lastly, security should be integrated into the LCNC development life cycle. Much like the “shift-left” movement in traditional software development, security checks should be built into the LCNC workflow from the outset. Automated testing tools can be leveraged to scan for vulnerabilities as applications are being built, reducing the likelihood of OData injection vulnerabilities slipping through the cracks.

As the adoption of LCNC continues to grow, so will the complexity of the threats organizations face. Addressing LCNC vulnerabilities like OData injection now will help keep enterprises safe in the long run.




Germany sinkholes BadBox malware pre-loaded on Android devices



Germany’s Federal Office for Information Security (BSI) has disrupted the BadBox malware operation pre-loaded in over 30,000 Android IoT devices sold in the country.

The types of impacted devices include digital picture frames, media players and streamers, and potentially smartphones and tablets.

BadBox is Android malware that ships pre-installed in an internet-connected device's firmware. It is used to steal data, install additional malware, and give the threat actors remote access to the network the device sits on.

When an infected device is first connected to the internet, the malware attempts to contact a command and control server run by the threat actors. That server tells BadBox which malicious services to run on the device and receives the data stolen from the network.

BSI says the malware can steal two-factor authentication codes, install further malware, and create email and messaging platform accounts to spread fake news. It can also engage in ad fraud by loading and clicking on ads in the background, generating revenue for fraud rings.

Finally, BadBox can be configured to act as a proxy, letting other people route their own traffic through the device's internet connection and hardware. This tactic, known as residential proxying, is frequently used for illegal activity that is then attributed to the device owner's IP address.

Germany's cybersecurity agency says it blocked communication between the BadBox devices and their command and control (C2) infrastructure by sinkholing DNS queries, so that the malware talks to servers controlled by the authorities rather than to the attackers' C2 servers.

Sinkholing prevents the malware from sending stolen data to the attackers and receiving new commands to execute on the infected device, effectively preventing the malware from working.

“The BSI is currently redirecting the communication of affected devices to the perpetrators’ control servers as part of a sinkholing measure pursuant to Section 7c of the BSI Act (BSIG),” reads BSI’s announcement.

“This affects providers who have over 100,000 customers. There is no acute danger for these devices as long as the BSI maintains the sinkholing measure.”

Infected device owners to be notified

Device owners who are impacted by this sinkholing operation will be notified by their internet service providers based on their IP address.
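As an added illustration (not BSI's code, and with placeholder names, since the article does not identify BadBox's C2 domains), the two steps described above in Python: a resolver policy under which names on a constructed blocklist resolve to a sinkhole address instead of going upstream, and a pass over a constructed resolver log that collects the client IPs that received the sinkhole address, which is the data point an ISP would use to notify its customers.

```python
# Assumption: the real BadBox C2 domains are not given in the article, so
# reserved ".invalid" names and RFC 5737 documentation addresses stand in.
SINKHOLED_ZONES = {"c2.example-badbox.invalid", "update.example-badbox.invalid"}
SINKHOLE_IP = "192.0.2.53"   # the "police-controlled server" from the article


def is_sinkholed(qname: str, zones=SINKHOLED_ZONES) -> bool:
    """True if the queried name is a sinkholed zone or a subdomain of one."""
    name = qname.rstrip(".").lower()
    return any(name == zone or name.endswith("." + zone) for zone in zones)


def resolve(qname: str, upstream) -> str:
    """Resolver policy: sinkholed names get the sinkhole address, all else goes upstream."""
    if is_sinkholed(qname):
        return SINKHOLE_IP
    return upstream(qname)


# Constructed resolver log, one query per line:
#   <timestamp> client <ip> query <name> answer <ip>
SAMPLE_LOG = """\
2024-12-12T08:00:01Z client 203.0.113.10 query c2.example-badbox.invalid. answer 192.0.2.53
2024-12-12T08:00:02Z client 203.0.113.11 query www.example.com. answer 198.51.100.7
2024-12-12T08:00:03Z client 203.0.113.10 query update.example-badbox.invalid. answer 192.0.2.53
2024-12-12T08:00:04Z client 203.0.113.12 query beacon.c2.example-badbox.invalid. answer 192.0.2.53
"""


def affected_clients(log_text: str, sinkhole_ip: str = SINKHOLE_IP) -> dict:
    """Map each client IP that received the sinkhole address to the names it asked for."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[1] != "client" or parts[3] != "query":
            continue   # skip lines that do not fit the expected shape
        client, qname, answer = parts[2], parts[4].rstrip(".").lower(), parts[6]
        if answer == sinkhole_ip:
            hits.setdefault(client, set()).add(qname)
    return {client: sorted(names) for client, names in hits.items()}
```

The matching is done on the queried name, not the answer the attacker would have returned, so the malware's beacon never learns a real C2 address. The notification list is keyed by client IP because that is the only identifier the resolver sees; mapping it back to a subscriber is the ISP's job, which is why BSI routes the notices through providers.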

The agency says that anyone who receives a notification should immediately disconnect the device from their network or stop using it. Unfortunately, because the malware shipped in the firmware itself, further firmware from the device's manufacturer should not be trusted either; the device should be returned or discarded.

BSI notes that all of the impacted devices were running outdated Android versions and old firmware, so even if they were secured against BadBox, they remain vulnerable to other botnet malware for as long as they are exposed online.

“Malware on internet-enabled products is unfortunately not a rare phenomenon. Outdated firmware versions in particular pose a huge risk,” warned BSI President Claudia Plattner. “We all have a duty here: manufacturers and retailers have a responsibility to ensure that such devices do not come onto the market. But consumers can also do something: cyber security should be an important criterion when purchasing!”

Moreover, the announcement notes that, given the vast number of Android IoT manufacturers and device variants, many more devices infected with BadBox or similar malware very likely exist in the country that BSI could not identify this time.

These may include smartphones and tablets, smart speakers, security cameras, smart TVs, streaming boxes, and various internet-connected appliances that reach consumers through opaque resale channels.

Signs that your device is infected by botnet malware include overheating when seemingly idle, random performance drops, unexpected settings changes, atypical activity, and connections to unknown external servers.

To reduce the risk from outdated Android IoT devices, install a firmware image from a trustworthy vendor where one exists, disable unnecessary connectivity features, and keep the device isolated from critical networks.

Generally, it is recommended that you buy smart devices only from reputable manufacturers and look for products offering long-term security support.




Iran-Linked IOCONTROL Malware Targets SCADA and Linux-Based IoT Platforms


Dec 13, 2024 | The Hacker News | IoT Security / Operational Technology


Iran-affiliated threat actors have been linked to a new custom malware that’s geared toward IoT and operational technology (OT) environments in Israel and the United States.

The malware has been codenamed IOCONTROL by OT cybersecurity company Claroty, highlighting its ability to attack IoT and supervisory control and data acquisition (SCADA) devices such as IP cameras, routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based IoT/OT platforms.

“While the malware is believed to be custom-built by the threat actor, it seems that the malware is generic enough that it is able to run on a variety of platforms from different vendors due to its modular configuration,” the company said.


The development makes IOCONTROL the tenth malware family to specifically single out Industrial Control Systems (ICS) after Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, Industroyer2, PIPEDREAM (aka INCONTROLLER), COSMICENERGY, and FrostyGoop (aka BUSTLEBERM) to date.

Claroty said it analyzed a malware sample extracted from a Gasboy fuel management system that was previously compromised by the hacking group called Cyber Av3ngers, which has been linked to cyber attacks exploiting Unitronics PLCs to breach water systems. The malware was embedded within Gasboy’s Payment Terminal, otherwise called OrPT.

This also means that the threat actors, given their ability to control the payment terminal, also had the means to shut down fuel services and potentially steal credit card information from customers.

“The malware is essentially a cyberweapon used by a nation-state to attack civilian critical infrastructure; at least one of the victims were the Orpak and Gasboy fuel management systems,” Claroty said.

The end goal of the infection chain is to deploy a backdoor that’s automatically executed every time the device restarts. A notable aspect of IOCONTROL is its use of MQTT, a messaging protocol widely used in IoT devices, for communications, thereby allowing the threat actors to disguise malicious traffic.

What’s more, command-and-control (C2) domains are resolved using Cloudflare’s DNS-over-HTTPS (DoH) service. This approach, already adopted by Chinese and Russian nation-state groups, is significant because the malware’s lookups travel inside HTTPS rather than as cleartext DNS, sidestepping the DNS monitoring that would otherwise expose the C2 domains.


Once a C2 connection is established, the malware sends information about the device to the server, namely hostname, current user, device name and model, timezone, firmware version, and location, after which it awaits further commands.

The supported commands include checking that the malware is installed in its designated directory, executing arbitrary operating system commands, terminating the malware, and scanning an IP range on a specific port.

“The malware communicates with a C2 over a secure MQTT channel and supports basic commands including arbitrary code execution, self-delete, port scan, and more,” Claroty said. “This functionality is enough to control remote IoT devices and perform lateral movement if needed.”
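The three behaviours the report singles out, DoH to a public resolver, MQTT to a broker the site does not own, and a port sweep across a range, all leave a footprint in flow records even when the payloads are encrypted. The following is an added example (not Claroty's tooling, and using constructed flow records and an assumed site layout) of the checks a defender could run over such records in Python. The Cloudflare resolver addresses 1.1.1.1 and 1.0.0.1 are real; the OT subnet, broker address and flows are invented for the example.

```python
import ipaddress
from collections import defaultdict

# Assumptions for the example site (not from the Claroty report):
OT_SUBNET = ipaddress.ip_network("10.10.0.0/16")    # where PLCs, HMIs and gateways live
APPROVED_BROKERS = {"10.10.255.10"}                  # the site's own MQTT broker
MQTT_PORTS = {1883, 8883}                            # MQTT and MQTT over TLS
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1"}               # Cloudflare public resolvers (DoH at cloudflare-dns.com)

# Constructed flow records: (source, destination, destination port, service label)
FLOWS = [
    ("10.10.1.20", "10.10.255.10", 8883, "ssl"),     # gateway to site broker: expected
    ("10.10.1.21", "1.1.1.1", 443, "ssl"),           # HMI talking HTTPS to a public DoH resolver
    ("10.10.1.21", "203.0.113.45", 8883, "ssl"),     # same HMI, MQTT over TLS to an unknown host
    ("10.10.1.22", "10.10.255.10", 1883, "mqtt"),    # sensor to site broker: expected
    ("10.20.3.5", "1.1.1.1", 443, "ssl"),            # outside the OT range: out of scope here
] + [
    ("10.10.1.21", f"10.10.2.{i}", 502, "modbus") for i in range(1, 7)   # one host sweeping port 502
]


def find_c2_indicators(flows):
    """Flag OT hosts that resolve via public DoH or speak MQTT to anything but the site broker."""
    findings = []
    for src, dst, dport, _service in flows:
        if ipaddress.ip_address(src) not in OT_SUBNET:
            continue
        if dst in DOH_RESOLVERS and dport == 443:
            findings.append((src, "doh-resolver", dst))
        elif dport in MQTT_PORTS and dst not in APPROVED_BROKERS:
            findings.append((src, "mqtt-unapproved-broker", dst))
    return findings


def find_port_sweeps(flows, threshold=5):
    """Flag an OT host that contacts many distinct destinations on one port (the scan command)."""
    targets = defaultdict(set)
    for src, dst, dport, _service in flows:
        if ipaddress.ip_address(src) in OT_SUBNET:
            targets[(src, dport)].add(dst)
    return sorted((src, dport, len(dsts))
                  for (src, dport), dsts in targets.items() if len(dsts) >= threshold)
```

DoH to a resolver IP on port 443 is indistinguishable from any other TLS session at the packet level, so the check rests on destination reputation; the practical control is to block public DoH resolvers at the OT boundary and force devices through a local resolver that can be logged. Likewise, MQTT over TLS hides the topic and payload, which is why the rule keys on the broker address rather than on content.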



