Techie fluked a fix and his abusive boss embraced him for it • The Register

On Call Digital technology remains frighteningly finickity, which is why good tech support people are always in demand – and also the reason The Register never tires of telling your support stories each Friday in On Call, the column your generosity makes possible.

This week, meet a reader we’ll Regomize as “Boris” who years ago worked for a business providing services to what he described as “a large international automotive company” that ran its production planning application on an old school mainframe – proper supervillain lair kit, with big tape drives whirring away all day.

The IT director at this client had a temper.

“He was known and feared as someone who ate systems support people for breakfast.”

Boris was therefore far from thrilled when he was called in to address a problem his colleagues had been unable to address.

“The planning application would sometimes suddenly hang at random points without any obvious reason,” Boris told On Call. “This was very upsetting as delays in the availability of manufacturing schedules interfered with plant operations, which cost serious money.”

Hardware experts were put on trans-Atlantic flights so they could pore over the mainframe’s innards. Software engineers who had hand-coded the machine’s OS were sent to find faults.

None could determine the cause of the hangs. Indeed, all reported the machine was working as intended. All systems nominal.

Those investigations consumed months – and did not make the client happier.

Indeed, the irate IT director began making serious noises about seeking compensation and junking the mainframe.

In desperation, Boris was asked to examine the situation.

Boris wasn’t thrilled about that, as his skill set – engineering and scientific matters – was not obviously applicable to the situation. And he knew nothing about scheduling assembly lines.

He nonetheless visited the client’s office, and was quickly “shouted at and threatened by the IT director.”

Boris managed to retain sufficient composure to ask for the application’s source code.

“Fortuitously it was in Fortran – one of the programming languages I was very familiar with,” Boris told On Call. It also contained an obvious error that he spotted after about ten minutes.

“The code assumed that all the tapes were at their start point. Whether or not the program would run successfully depended on the state of the tapes left by any previously executed application. Sometimes it would run, and sometimes not.”

The fix seemed simple: a Rewind All; statement in the code – one at the start and one at the end – would surely ensure the tape was always at the start point when the application ran.

Boris recompiled the software, ran it, and relaxed as the problem went away.

Which is where his troubles began – because the abusive IT director took a shine to him.

“Forever after I was his ‘go to’ person for advice on almost everything from hardware selection decisions to application development and I was treated with reverence and the appropriate level of respect by all.”

But Boris knew this couldn’t last – because his Fortran fix was fortuitous. He therefore lived in fear of being found out and ending up on the wrong side of the abusive IT director’s wrath.

“Fortunately, I was moved overseas on a different project before my limitations could be tested,” he told On Call.

Phew!

Have you ever found a fix despite not being an expert in the troubled tech you were asked to tend? If so, click here to send On Call an email so we can feature your story after the festive season.

On Call wishes readers all the best for their end-of-year celebrations, and thanks you all for the weekly gift of your stories. ®


Study finds ‘significant uptick’ in cybersecurity disclosures to SEC

The introduction of new cybersecurity disclosure rules by the U.S. Securities and Exchange Commission has led to a significant uptick in the number of reported cybersecurity incidents from public companies, according to a leading U.S. law firm that specializes in finance and M&A activity.

Analysis by Paul Hastings LLP found that since the disclosure law went into effect in 2023, there has been a 60% increase in disclosures of cybersecurity incidents, and 78% of disclosures were made within eight days of discovery of the incident.

The regulations require public companies to disclose material cybersecurity incidents within four business days of determining their materiality, aiming to provide investors with timely and relevant information that could impact investment decisions.

Despite the increase in disclosures, less than 10% of disclosures detailed the material impacts of these incidents, revealing potential hesitancy or difficulty in assessing comprehensive impacts swiftly. Companies are often faced with the challenge of balancing detailed reporting with the protection of sensitive operation details, as the rules do not mandate disclosing specific technical details that could hinder remediation efforts.

Michelle Reed, co-chair of Paul Hastings’ data privacy and cybersecurity practice, said the hesitancy is likely because companies are disclosing very quickly, so as to not be penalized by the SEC for delayed disclosure.

“The coming year will be an interesting testing ground on how materiality in the cyber world ultimately shakes out,” Reed told CyberScoop. 

The materiality clause has led to inconsistent outcomes among companies that have publicly disclosed a cybersecurity incident. For instance, the ransomware attack on automotive software provider CDK Global in June resulted in varying degrees of materiality disclosures. CDK’s parent company, Brookfield Business Partners, said in their July disclosure they did not “expect this incident to have a material impact” on their business despite paying a $25 million ransom.

Some other car dealerships also filed disclosures saying the attack on CDK negatively impacted their company, but stopped short of saying the incident caused a “material impact.”

Reed told CyberScoop these cases illuminate the ambiguity companies face in determining the depth of information necessary for reporting, while avoiding the disclosure of sensitive security measures that could exacerbate vulnerabilities and lead to lawsuits.

“Materiality is a sliding scale, weighing risk and likelihood of impact,” she said. “The exact same breach could happen to two different companies, and based on size of the company and effectiveness of their incident response, one may have to disclose and the other may not.” 

An additional concern covered in the report is the prevalence of third-party breaches, which account for 1 in 4 incidents. The report points out this kind of cybersecurity incident leads to further dilemmas for companies on whether to disclose third-party breaches, particularly when other companies may have disclosed an incident related to the same breach.   

You can read the full report on Paul Hastings’ website

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.


Orgs Scramble to Fix Actively Exploited Bug in Struts 2

A critical, stubborn new vulnerability in Apache Struts 2 may be under active exploitation already, and fixing it isn’t as simple as downloading a patch.

Struts 2 is an open source (OSS) framework for building Java applications. Though long past its prime, Struts 2 remains common in older legacy systems across industries. In fact, its prevalence combined with its agedness is what makes its newly discovered vulnerability — CVE-2024-53677, CVSS 9.5 — so tricky. As its components have withered, and newer technologies and security practices have moved on, fixing any newly arising issues like this can require more than just a standard patch. 

“The risk lies in the fact that older applications are less likely to be integrated with a modern CI/CD pipeline,” explains Chris Wysopal, chief security evangelist at Veracode. “As a result, updating the Struts 2 library, building and deploying a new version of a vulnerable application requires more manual effort and takes significantly longer. This significant effort will result in a longer window of vulnerability, during which attackers may exploit and take advantage of this weakness.”

He assesses that “It is likely that we will see the exploitation of this vulnerability for weeks as organizations find and fix all instances of Struts 2 usage.”

RCE Bug in Apache Struts 2

This same time last year, nearly to the day, a Struts 2 vulnerability with a “critical” 9.8 score in the Common Vulnerability Scoring System (CVSS) was disclosed to the public. CVE-2023-50164 resulted from attackers’ ability to manipulate file upload parameters, opening the door to path traversal. Under certain conditions an attacker could upload a specially crafted malicious script in order to achieve remote code execution (RCE) on a server.

CVE-2024-53677 is CVE-2023-50164 all over again. It, too, lies in Struts 2’s File Upload Interceptor component, responsible for handling file uploads, and enables RCE via path traversal. In a blog post, Johannes Ullrich of the SANS Institute speculated that an inadequate patch for CVE-2023-50164 led to this latest deja vu.

He also observed active exploitation attempts from one IP address, which utilized a public proof-of-concept (PoC). The attacker played with the vulnerability by uploading “a one-liner script that is supposed to return ‘Apache Struts.’ Next, the attacker attempts to find the uploaded script. The exploit attempt is very close to the original PoC. Since then, a slightly improved exploit has been uploaded to the same GitHub repository,” he wrote.

Typically in situations such as this, organizations are advised to apply patches as soon as possible. In the case of CVE-2024-53677, the story isn’t quite as simple.

Organizations do need to upgrade to the latest version of Struts, 6.7.0 — or, at least, 6.4.0, released in the wake of CVE-2023-50164, which deprecated the File Upload Interceptor at issue. The fix isn’t backwards compatible, however, Apache noted in its security bulletin. IT teams will need to migrate to the newfangled Action File Upload Interceptor, and adjust how their existing applications handle file uploads by diligently rewriting their code to make use of it.

“It’s not a simple version bump,” warns Saeed Abbasi, manager of vulnerability research at Qualys. “It requires code rewrites, configuration adjustments, and can break existing logic and dependencies. In complex environments, removing all traces of the legacy interceptor poses significant challenges due to intricate plugin chains and layered frameworks. This complexity is further compounded by the need for extensive regression testing.”

The Potential Scope of Impact for CVE-2024-53677

The national centers for cybersecurity in Australia, Belgium, Canada, Singapore, and the UK have all released urgent security warnings regarding CVE-2024-53677. That this issue has attracted so much attention may not be obvious at first, since Struts 2 is so rarely used by developers today. It does, however, live on in legacy systems worldwide.

In the 2000s, Struts 2 was king among Java Web frameworks. By 2007 it was receiving nearly 350,000 downloads per month. Its webpage received millions of monthly visits, and even its newsletter had thousands of subscribers. Today, Wysopal says, “It no longer has mainstream appeal and is rarely chosen for new projects. Its presence is more an artifact of historical adoption rather than active popularity.”

“Its ‘kingdom’ is confined to those stable, older applications in conservative industries — particularly finance, insurance, government, and large-scale manufacturing or logistics — often in organizations and regions that are regulated and less likely to modernize,” he says. Case in point: a Struts 2 vulnerability was at the heart of the infamous 2017 Equifax breach.

Just how common is Struts 2 in legacy systems in 2024? Abbasi reports that within the first 24 hours following the disclosure of CVE-2024-53677, Qualys “observed tens of thousands of vulnerable instances, reflecting the breadth and urgency of the challenge.”

In his view, “The persistence of Struts 2 in critical systems, long after more secure frameworks have emerged, illustrates the ongoing struggle enterprises face with technical debt. Many organizations run versions of Struts past their end-of-life, without proper planning, which compounds the impact of new vulnerabilities. Enterprises need solid attack surface management, along with lifecycle management strategies, ensuring that critical frameworks are regularly updated, and deprecated components are swiftly phased out.”


Juniper warns of Mirai botnet targeting Session Smart routers

Juniper Networks has warned customers of Mirai malware attacks targeting and infecting Session Smart routers using default credentials.

As the networking infrastructure company explained, the malware scans for devices with default login credentials and executes commands remotely after gaining access, enabling a wide range of malicious activities.

The campaign was first observed on December 11, when the first infected routers were found on customers’ networks. Later, the operators of this Mirai-based botnet used the compromised devices to launch distributed denial-of-service (DDoS) attacks.

“On Wednesday, December 11, 2024, several customers reported suspicious behavior on their Session Smart Network (SSN) platforms,” says a security advisory published this Tuesday.

“Any customer not following recommended best practices and still using default passwords can be considered compromised as the default SSR passwords have been added to the virus database.”

Juniper also shared indicators of compromise admins should look for on their networks and devices to detect potential Mirai malware activity, including:

  • scans for devices on common Layer 4 ports (e.g., 23, 2323, 80, 8080),
  • failed login attempts on SSH services indicative of brute-force attacks,
  • sudden spike in outbound traffic volume hinting at devices being co-opted in DDoS attacks,
  • devices rebooting or behaving erratically, suggesting they’ve been compromised,
  • SSH connections from known malicious IP addresses.

The company advised customers to immediately ensure their devices follow recommended username and password policies, including changing the default credentials on all Session Smart routers and using unique and strong passwords across all devices.

Admins are also recommended to keep firmware updated, review access logs for anomalies, set alerts automatically triggered when suspicious activity is detected, deploy intrusion detection systems to monitor network activity, and use firewalls to block unauthorized access to Internet-exposed devices.

Juniper also warned that routers already infected in these attacks must be reimaged before being brought back online.

“If a system is found to be infected, the only certain way of stopping the threat is by reimaging the system as it cannot be determined exactly what might have been changed or obtained from the device,” Juniper said.

Last year, in August, the ShadowServer threat monitoring service warned of ongoing attacks exploiting a critical remote code execution exploit chain impacting Juniper EX switches and SRX firewalls, using a watchTowr Labs proof-of-concept (PoC) exploit.

Since then, Juniper also warned of a critical RCE bug in its firewalls and switches in January and released an out-of-cycle patch for a maximum-severity authentication bypass flaw in its Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router products.


Juniper Warns of Mirai Botnet Targeting SSR Devices with Default Passwords

Dec 19, 2024 | Ravie Lakshmanan | Malware / Botnet

Juniper Networks is warning that Session Smart Router (SSR) products with default passwords are being targeted as part of a malicious campaign that deploys the Mirai botnet malware.

The company said it’s issuing the advisory after “several customers” reported anomalous behavior on their Session Smart Network (SSN) platforms on December 11, 2024.

“These systems have been infected with the Mirai malware and were subsequently used as a DDOS attack source to other devices accessible by their network,” it said. “The impacted systems were all using default passwords.”

Mirai, whose source code was leaked in 2016, has spawned several variants over the years. The malware is capable of scanning for known vulnerabilities as well as default credentials to infiltrate devices and enlist them into a botnet for mounting distributed denial-of-service (DDoS) attacks.

To mitigate such threats, organizations are recommended to change their passwords with immediate effect to strong, unique ones (if not already), periodically audit access logs for signs of suspicious activity, use firewalls to block unauthorized access, and keep software up-to-date.

Some of the indicators associated with Mirai attacks include unusual port scanning, frequent SSH login attempts indicating brute-force attacks, increased outbound traffic volume to unexpected IP addresses, random reboots, and connections from known malicious IP addresses.
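The indicators listed here, and the itemised list in the earlier Juniper item (scans on ports 23, 2323, 80 and 8080, SSH brute force, outbound traffic spikes, connections involving known-bad addresses), turned into detection logic that runs over constructed log samples. This is an added example, not Juniper's code; the syslog and flow-record formats, the thresholds and the KNOWN_BAD_IPS blocklist are assumptions for the demonstration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: sshd auth lines from a router named "ssr1" (year assumed 2024).
AUTH_LOG = """\
Dec 11 03:14:01 ssr1 sshd[211]: Failed password for root from 203.0.113.7 port 51122 ssh2
Dec 11 03:14:02 ssr1 sshd[212]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Dec 11 03:14:03 ssr1 sshd[213]: Failed password for root from 203.0.113.7 port 51124 ssh2
Dec 11 03:14:04 ssr1 sshd[214]: Failed password for root from 203.0.113.7 port 51125 ssh2
Dec 11 03:14:05 ssr1 sshd[215]: Failed password for root from 203.0.113.7 port 51126 ssh2
Dec 11 03:14:06 ssr1 sshd[216]: Accepted password for root from 203.0.113.7 port 51127 ssh2
Dec 11 03:20:00 ssr1 sshd[220]: Failed password for ops from 198.51.100.9 port 40000 ssh2
Dec 11 03:21:00 ssr1 sshd[221]: Accepted publickey for ops from 192.0.2.10 port 40001 ssh2
"""

# Constructed sample: firewall flow records "timestamp src dst dport bytes_out".
FLOW_LOG = """\
2024-12-11T03:30:00 10.0.0.5 192.0.2.20 443 1200
2024-12-11T03:31:00 10.0.0.5 192.0.2.20 443 900
2024-12-11T03:32:00 10.0.0.5 192.0.2.20 443 1100
2024-12-11T03:33:01 10.0.0.5 192.0.2.21 23 60
2024-12-11T03:33:01 10.0.0.5 192.0.2.22 23 60
2024-12-11T03:33:02 10.0.0.5 192.0.2.23 2323 60
2024-12-11T03:33:02 10.0.0.5 192.0.2.24 80 60
2024-12-11T03:33:03 10.0.0.5 192.0.2.25 8080 60
2024-12-11T03:40:00 10.0.0.5 198.51.100.50 80 50000000
2024-12-11T03:30:00 10.0.0.9 192.0.2.20 443 800
2024-12-11T03:31:00 10.0.0.9 192.0.2.20 443 850
2024-12-11T03:32:00 10.0.0.9 192.0.2.20 443 700
2024-12-11T03:33:00 10.0.0.9 192.0.2.26 80 100
"""

KNOWN_BAD_IPS = {"203.0.113.7"}          # placeholder; load a real threat feed in practice
MIRAI_SCAN_PORTS = {23, 2323, 80, 8080}  # the Layer 4 ports named in the advisory

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth(log, year=2024):
    """Return [(timestamp, 'Failed'|'Accepted', user, ip)] for sshd auth lines."""
    events = []
    for line in log.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # other sshd chatter is ignored
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def parse_flows(log):
    """Return [(timestamp, src, dst, dport, bytes_out)] from the flow records."""
    flows = []
    for line in log.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def ssh_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with >= threshold failed logins inside `window`. A success after the
    burst is the default-credential takeover the advisory describes."""
    by_ip = defaultdict(list)
    for ts, result, _user, ip in events:
        by_ip[ip].append((ts, result))
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [ts for ts, r in evs if r == "Failed"]
        for i in range(len(fails)):           # sliding window over failure times
            j = i + threshold - 1
            if j < len(fails) and fails[j] - fails[i] <= window:
                success = any(r == "Accepted" and ts >= fails[j] for ts, r in evs)
                findings[ip] = {"failures": len(fails), "followed_by_success": success}
                break
    return findings


def port_scanners(flows, ports=MIRAI_SCAN_PORTS, min_targets=4):
    """Sources that touched >= min_targets distinct hosts on Mirai's scan ports."""
    targets = defaultdict(set)
    for _ts, src, dst, dport, _b in flows:
        if dport in ports:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def outbound_spikes(flows, factor=10):
    """Sources whose busiest minute sent > factor x the median of their other minutes,
    the sudden outbound surge expected from a device used as a DDoS source."""
    per_min = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, _p, nbytes in flows:
        per_min[src][ts.replace(second=0, microsecond=0)] += nbytes
    spikes = {}
    for src, buckets in per_min.items():
        vols = sorted(buckets.values())
        if len(vols) < 3:
            continue  # too little history to call anything a spike
        if vols[-1] > factor * statistics.median(vols[:-1]):
            spikes[src] = vols[-1]
    return spikes


def known_bad_logins(events, bad_ips=KNOWN_BAD_IPS):
    """Successful SSH logins from addresses on the blocklist."""
    return sorted({ip for _ts, r, _u, ip in events if r == "Accepted" and ip in bad_ips})


if __name__ == "__main__":
    auth, flows = parse_auth(AUTH_LOG), parse_flows(FLOW_LOG)
    print("brute force:", ssh_bruteforce(auth))
    print("scanners:", port_scanners(flows))
    print("spikes:", outbound_spikes(flows))
    print("known-bad logins:", known_bad_logins(auth))
```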

“If a system is found to be infected, the only certain way of stopping the threat is by reimaging the system as it cannot be determined exactly what might have been changed or obtained from the device,” the company said.

The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that poorly managed Linux servers, particularly publicly exposed SSH services, are being targeted by a previously undocumented DDoS malware family dubbed cShell.

“cShell is developed in the Go language and is characterized by exploiting Linux tools called screen and hping3 to perform DDoS attacks,” ASEC said.


How to Lose a Fortune with Just One Bad Click – Krebs on Security

Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click “yes” to a Google prompt on his mobile device.

Griffin is a battalion chief firefighter in the Seattle area, and on May 6 he received a call from someone claiming they were from Google support saying his account was being accessed from Germany. A Google search on the phone number calling him — (650) 203-0000 — revealed it was an official number for Google Assistant, an AI-based service that can engage in two-way conversations.

At the same time, he received an email that came from a google.com email address, warning his Google account was compromised. The message included a “Google Support Case ID number” and information about the Google representative supposedly talking to him on the phone, stating the rep’s name as “Ashton” — the same name given by the caller.

Griffin didn’t learn this until much later, but the email he received had a real google.com address because it was sent via Google Forms, a service available to all Google Docs users that makes it easy to send surveys, quizzes and other communications.

A phony security alert Griffin received prior to his bitcoin heist, via Google Forms.

According to tripwire.com’s Graham Cluley, phishers will use Google Forms to create a security alert message, and then change the form’s settings to automatically send a copy of the completed form to any email address entered into the form. The attacker then sends an invitation to complete the form to themselves, not to their intended victim.

“So, the attacker receives the invitation to fill out the form – and when they complete it, they enter their intended victim’s email address into the form, not their own,” Cluley wrote in a December 2023 post. “The attackers are taking advantage of the fact that the emails are being sent out directly by Google Forms (from the google.com domain). It’s an established legitimate domain that helps to make the email look more legitimate and is less likely to be intercepted en route by email-filtering solutions.”

The fake Google representative was polite, patient, professional and reassuring. Ashton told Griffin he was going to receive a notification that would allow him to regain control of the account from the hackers. Sure enough, a Google prompt instantly appeared on his phone asking, “Is it you trying to recover your account?”

Adam Griffin clicked “yes,” to an account recovery notification similar to this one on May 6.

Griffin said that after receiving the pop-up prompt from Google on his phone, he felt more at ease that he really was talking to someone at Google. In reality, the thieves caused the alert to appear on his phone merely by stepping through Google’s account recovery process for Griffin’s Gmail address.

“As soon as I clicked yes, I gave them access to my Gmail, which was synched to Google Photos,” Griffin said.

Unfortunately for Griffin, years ago he used Google Photos to store an image of the secret seed phrase that was protecting his cryptocurrency wallet. Armed with that phrase, the phishers could drain all of his funds.

“From there they were able to transfer approximately $450,000 out of my Exodus wallet,” Griffin recalled.

Griffin said just minutes after giving away access to his Gmail account he received a call from someone claiming to be with Coinbase, who likewise told him someone in Germany was trying to take over his account.

Griffin said a follow-up investigation revealed the attackers had used his Gmail account to gain access to his Coinbase account from a VPN connection in California, providing the multi-factor code from his Google Authenticator app. Unbeknownst to him at the time, Google Authenticator by default also makes the same codes available in one’s Google account online.

But when the thieves tried to move $100,000 worth of cryptocurrency out of his account, Coinbase sent an email stating that the account had been locked, and that he would have to submit additional verification documents before he could do anything with it.

GRAND THEFT AUTOMATED

Just days after Griffin was robbed, a scammer impersonating Google managed to phish 45 bitcoins — approximately $4,725,000 at today’s value — from Tony, a 42-year-old professional from northern California. Tony agreed to speak about his harrowing experience on condition that his last name not be used.

Tony got into bitcoin back in 2013 and has been investing in it ever since. On the evening of May 15, 2024, Tony was putting his three- and one-year-old boys to bed when he received a message from Google about an account security issue, followed by a phone call from a “Daniel Alexander” at Google who said his account was compromised by hackers.

Tony said he had just signed up for Google’s Gemini AI (an artificial intelligence platform formerly known as “Bard”), and mistakenly believed the call was part of that service. Daniel told Tony his account was being accessed by someone in Frankfurt, Germany, and that he could evict the hacker and recover access to the account by clicking “yes” to the prompt that Google was going to send to his phone.

The Google prompt arrived seconds later. And to his everlasting regret, Tony clicked the “Yes, it’s me” button.

Then came another call, this one allegedly from security personnel at Trezor, a company that makes encrypted hardware devices made to store cryptocurrency seed phrases securely offline. The caller said someone had submitted a request to Trezor to close his account, and they forwarded Tony a message sent from his Gmail account that included his name, Social Security number, date of birth, address, phone number and email address.

Tony said he began to believe then that his Trezor account truly was compromised. The caller convinced him to “recover” his account by entering his cryptocurrency seed phrase at a phishing website (verify-trezor[.]io) that mimicked the official Trezor website.

“At this point I go into fight or flight mode,” Tony recalled. “I’ve got my kids crying, my wife is like what the heck is going on? My brain went haywire. I put my seed phrase into a phishing site, and that was it.”

Almost immediately, all of the funds he was planning to save for retirement and for his children’s college fund were drained from his account.

“I made mistakes due to being so busy and not thinking correctly,” Tony told KrebsOnSecurity. “I had gotten so far away from the security protocols in bitcoin as life had changed so much since having kids.”

Tony shared this text message exchange of him pleading with his tormentors after being robbed of 45 bitcoins.

Tony said the theft left him traumatized and angry for months.

“All I was thinking about was protecting my boys and it ended up costing me everything,” he said. “Needless to say I’m devastated and have had to do serious therapy to get through it.”

MISERY LOVES COMPANY

Tony told KrebsOnSecurity that in the weeks following the theft of his 45 bitcoins, he became so consumed with rage and shame that he was seriously contemplating suicide. Then one day, while scouring the Internet for signs that others may have been phished by Daniel, he encountered Griffin posting on Reddit about the phone number involved in his recent bitcoin theft.

Griffin said the two of them were initially suspicious of each other — exchanging cautious messages for about a week — but he decided Tony was telling the truth after contacting the FBI agent that Tony said was working his case. Comparing notes, they discovered the fake Google security alerts they received just prior to their individual bitcoin thefts referenced the same phony “Google Support Case ID” number.

Adam Griffin and Tony said they received the same Google Support Case ID number in advance of their thefts. Both were sent via Google Forms, which sends directly from the google.com domain name.

More importantly, Tony recognized the voice of “Daniel from Google” when it was featured in an interview by Junseth, a podcaster who covers cryptocurrency scams. The same voice that had coaxed Tony out of his considerable cryptocurrency holdings just days earlier also had tried to phish Junseth, who played along for several minutes before revealing he knew it was a scam.

Daniel told Junseth he was a teenager and worked with other scam callers who had all met years ago on the game Minecraft, and that he recently enjoyed a run of back-to-back Gmail account compromises that led to crypto theft paydays.

“No one gets arrested,” Daniel enthused to Junseth in the May 7 podcast, which quickly went viral on social media. “It’s almost like there’s no consequences. I have small legal side hustles, like businesses and shit that I can funnel everything through. If you were to see me in real life, I look like a regular child going to school with my backpack and shit, you’d never expect this kid is stealing all this shit.”

Daniel explained that they often use an automated bot that initiates calls to targets warning that their account is experiencing suspicious activity, and that they should press “1” to speak with a representative. This process, he explained, essentially self-selects people who are more likely to be susceptible to their social engineering schemes. [It is possible — but not certain — that this bot Daniel referenced explains the incoming call to Griffin from Google Assistant that precipitated his bitcoin heist].

Daniel told Junseth he and his co-conspirators had just scored a $1.2 million theft that was still pending on the bitcoin investment platform SwanBitcoin. In response, Junseth tagged SwanBitcoin in a post about his podcast on Twitter/X, and the CEO of Swan quickly replied that they caught the $1.2 million transaction that morning.

Apparently, Daniel didn’t appreciate having his voice broadcast to the world (or his $1.2 million bitcoin heist disrupted) because according to Junseth someone submitted a baseless copyright infringement claim about it to Soundcloud, which was hosting the recording.

The complaint alleged the recording included a copyrighted song, but that wasn’t true: Junseth later posted a raw version of the recording to Telegram, and it clearly had no music in the background. Nevertheless, Soundcloud removed the audio file.

“All these companies are very afraid of copyright,” Junseth explained in a May 2024 interview with the podcast whatbitcoindid.com, which features some of the highlights from his recorded call with Daniel.

“It’s interesting because copyright infringement really is an act that you’re claiming against the publisher, but for some reason these companies have taken a very hard line against it, so if you even claim there’s copyrighted material in it they just take it down and then they leave it to you to prove that you’re innocent,” Junseth said. “In Soundcloud’s instance, part of declaring your innocence is you have to give them your home address and everything else, and it says right on there, ‘this will be provided to the person making the copyright claim.’”

AFTERMATH

When Junseth asked how potential victims could protect themselves, Daniel explained that if the target doesn’t have their Google Authenticator synced to their Google cloud account, the scammers can’t easily pivot into the victim’s accounts at cryptocurrency exchanges, as they did with Griffin.

By default, Google Authenticator syncs all one-time codes with a Gmail user’s account, meaning if someone gains access to your Google account, they can then access all of the one-time codes handed out by your Google Authenticator app.

To change this setting, open Authenticator on your mobile device, select your profile picture, and then choose “Use without an Account” from the menu. If you disable this, it’s a good idea to keep a printed copy of one-time backup codes, and to store those in a secure place.

You may also wish to download Google Authenticator to another mobile device that you control. Otherwise, if you turn off cloud synching and lose that sole mobile device with your Google Authenticator app, it could be difficult or impossible to recover access to your account if you somehow get locked out.

Griffin told KrebsOnSecurity he had no idea it was so easy for thieves to take over his account, and to abuse so many different Google services in the process.

“I know I definitely made mistakes, but I also know Google could do a lot better job protecting people,” he said.

In response to questions from KrebsOnSecurity, Google said it can confirm that this was a narrow phishing campaign, reaching a “very small group of people.”

“We’re aware of this narrow and targeted attack, and have hardened our defenses to block recovery attempts from this actor,” the company said in a written statement, which emphasized that the real Google will never call you.

“While these types of social engineering campaigns are constantly evolving, we are continuously working to harden our systems with new tools and technical innovations, as well as sharing updated guidance with our users to stay ahead of attackers,” the statement reads.

Both Griffin and Tony say they continue to receive “account security” calls from people pretending to work for Google or one of the cryptocurrency platforms.

“It’s like you get put on some kind of list, and then those lists get recycled over and over,” Tony said.

Griffin said that for several months after his ordeal, he accepted almost every cryptocurrency scam call that came his way, playing along in the vain hope of somehow tricking the caller into revealing details about who they are in real life. But he stopped after his taunting caused one of the scammers to start threatening him personally.

“I probably shouldn’t have, but I recorded two 30-minute conversations with these guys,” Griffin said, acknowledging that maybe it wasn’t such a great idea to antagonize cybercriminals who clearly already knew everything about him. “One guy I talked to about his personal life, and then his friend called me up and said he was going to dox me and do all this other bad stuff. My FBI contact later told me not to talk to these guys anymore.”

Sound advice. So is hanging up whenever anyone calls you about a security problem with one of your accounts. Even security-conscious people tend to underestimate the complex and shifting threat from phone-based phishing scams, but they do so at their peril.

When in doubt: Hang up, look up, and call back. If your response to these types of calls involves anything other than hanging up, researching the correct phone number, and contacting the entity that claims to be calling, you may be setting yourself up for a costly and humbling learning experience.

Understand that your email credentials are more than likely the key to unlocking your entire digital identity. Be sure to use a long, unique passphrase for your email address, and never pick a passphrase that you have ever used anywhere else (not even a variation on an old password).

Finally, it’s also a good idea to take advantage of the strongest multi-factor authentication methods offered. For Gmail/Google accounts, that includes the use of passkeys or physical security keys, which are heavily phishing resistant. For Google users holding measurable sums of cryptocurrency, the most secure option is Google’s free Advanced Protection program, which includes more extensive account security features but also comes with some serious convenience trade-offs.


Supreme Court to hear TikTok’s appeal against ban • The Register

The US Supreme Court has decided to consider made-in-China social network TikTok’s appeal against the law that requires it to shift to local ownership, or close, by January 19.

TikTok and its owner ByteDance have argued that the Protecting Americans from Foreign Adversary Controlled Applications Act (PFACAA) is unconstitutional because it will rob its 170 million US users of their right to free speech. The Biden administration introduced the law as it feels TikTok is a threat to national security and citizens’ privacy. Despite assurances that the social network stores data in the US, it operates tools allowing ByteDance workers in China to access personal information about US users.

A series of court challenges followed passage of the PFACAA, the most recent and significant of which was the early December decision by the US Court of Appeals for the District of Columbia that found the Act was justifiable on national security grounds, and disregarded TikTok’s free speech argument.

TikTok decided to make one last appeal, to the United States’ ultimate jurisdiction: the Supreme Court. The Supreme Court is not obliged to hear appeals, and usually decides to do so only when, according to its own guidance about its procedures, a matter “could have national significance, might harmonize conflicting decisions in the federal Circuit courts, and/or could have precedential value.”

In an order [PDF] published on Wednesday, the Supreme Court revealed it intends to consider whether the PFACAA violates the First Amendment and therefore the right to free speech.

Parties were given a December 27 deadline to file a 13,000-word brief, and a January 5 deadline to deliver a 6,000-word reply.

On January 10, the Court will stage a two-hour session to hear oral arguments.

When a decision will land is not known or spelled out in the order.

The Court might decide to rule quickly, as the PFACAA requires TikTok to find a new owner that has no ties to China or shut down on January 19 – just nine days after oral arguments will be heard.

Or it might decide that it can move more slowly, for two reasons. One is that the US president can authorize a one-off 90-day extension to the January 19 deadline – although the Biden administration has shown little interest in doing so. The other is that the inauguration of president-elect Donald Trump takes place on January 20, and there’s a school of thought that argues the new administration should have a chance to implement its policies.

TikTok welcomed the chance to put its case to the Supreme Court, in a brief statement that proclaimed “We believe the Court will find the TikTok ban unconstitutional so the over 170 million Americans on our platform can continue to exercise their free speech rights.”

The White House appears not to have commented on the matter.

No suitable US-based entity has signaled an interest in acquiring TikTok – an act that would mean it can continue operating stateside. Even if a buyer emerged, ByteDance is not keen to sell. ®


CISA delivers new directive to agencies on securing cloud environments

Federal civilian agencies have a new list of cyber-related requirements to address after the Cybersecurity and Infrastructure Security Agency on Tuesday issued guidance regarding the implementation of secure practices for cloud services.

CISA’s Binding Operational Directive (BOD) 25-01 instructs agencies to identify all of their cloud instances and implement assessment tools, while also making sure that their cloud environments are aligned with the cyber agency’s Secure Cloud Business Applications (SCuBA) configuration baselines.

CISA Director Jen Easterly said in a statement that the actions laid out in the directive are “an important step” toward reducing risk across the federal civilian enterprise, though threats loom in “every sector.”

“Malicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access,” Easterly said. “We urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”

During a call with reporters Tuesday, Matt Hartman, CISA’s deputy executive assistant director for cybersecurity, said that while the directive was “not focused” on any “one specific, recent threat,” it is “responsive to recent threat activity” and part of a post-SolarWinds campaign aimed at creating “a centralized and consistent approach to securing federal cloud configurations.”

The tactics that this directive guards against, Hartman added, “are used consistently by both sophisticated, well-funded actors and common cyber criminals.”

CISA has prioritized the development of SCuBA guidelines in recent years, issuing instructions for agency use of Google Workspace a year ago and putting out standards for Microsoft 365 use in October 2022. Those moves were considered part of a response to the revelation that a Chinese hacking group stole a Microsoft signing key and used it to access emails belonging to senior U.S. officials.

Hartman reiterated during Tuesday’s call that the timing of the new directive was not tied to any specific incident but simply “recognition of the fact that the SCuBA program has matured significantly over the last couple of years. We have completed a number of pilot implementations with a wide range of federal civilian agencies.”

A CISA official said they received plenty of feedback on the directive’s feasibility and control policies from the 13 agencies that participated in those pilots. Hartman, meanwhile, said CISA pursued “a proactive and deliberate approach” in working with CIOs and CISOs ahead of the directive’s release.

As part of the Microsoft 365-specific requirements in the directive, agencies have until Feb. 21, 2025, to provide CISA with the instance name and the system-owning agency or component for each instance. That inventory must be updated yearly in the first quarter, in accordance with CISA reporting instructions.

All SCuBA assessment tools for in-scope cloud instances must be deployed by April 25, 2025, with continuous reporting on the requirements activated. All required SCuBA policies called out in the directive should be implemented by June 20, 2025. 

“As federal civilian agencies implement this mandate, CISA will monitor and support agency adherence and provide additional resources as required,” the agency said in a statement. “CISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies.”

Written by Matt Bracken

Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com.


Thai Police Systems Under Fire From ‘Yokai’ Backdoor

Unknown hackers are targeting individuals associated with Thailand’s government, using a new and unwieldy backdoor dubbed “Yokai,” potentially named after a type of ghost found in the video game Phasmophobia, or after spirits in Japanese folklore.

Researchers from Netskope recently came across two shortcut (LNK) files disguised as .pdf and .docx files, unsubtly named as if they pertained to official US government business with Thailand. The attack chain tied to these fake documents cleverly used legitimate Windows binaries to deliver the previously unknown backdoor, which appears to be a hastily developed program designed to run shell commands. It carries a risk of unintended system crashes, the researchers noted.

Ghost in the Machine: US-Themed Lures in Phishing Attack

From Thai, the lure documents translate to “United States Department of Justice.pdf” and “Urgently, United States authorities ask for international cooperation in criminal matters.docx.” Specifically, they made reference to Woravit “Kim” Mektrakarn, a former factory owner in California tied to the disappearance and suspected murder of an employee in 1996. Mektrakarn was never apprehended and is believed to have fled to Bangkok.

“The lures also suggest they are addressed to the Thai police,” notes Nikhil Hegde, senior engineer for Netskope. “Considering the capabilities of the backdoor, we can speculate that the attacker’s motive was to get access to the systems of the Thai police.”

Like any other phishing attack, opening either of these documents would cause a victim to download malware. But the path from A to B wasn’t so jejune as that might suggest.

Abusing Legitimate Windows Utilities

To begin their attack chain, the attackers made use of “esentutl,” a legitimate Windows command line tool used to manage Extensible Storage Engine (ESE) databases. Specifically, they abused its ability to access and write to alternate data streams (ADS).

In Windows’ New Technology File System (NTFS), files commonly contain more than just their primary content — their main “stream.” An image or text document, for example, will also come packed with metadata — even hidden data — which won’t be visible in the normal listing of the file, because it is not so pertinent to users. An unscrutinized channel for appending hidden data to a seemingly harmless file, however, is a luxury to a cyberattacker.

“ADS is often used by attackers to conceal malicious payloads within seemingly benign files,” Hegde explains. “When data is hidden in an ADS, it does not alter the visible size or properties of the primary file. This allows attackers to evade basic file scanners that only inspect the primary stream of a file.”

Opening the shortcut files associated with this campaign would trigger a hidden process, during which Esentutl would be used to pull decoy government documents, and a malicious dropper, from two alternate data streams. The dropper would carry with it a legitimate copy of the iTop Data Recovery tool, used as a gateway for sideloading the Yokai backdoor.

Inside the Yokai Backdoor Malware

Upon entering a new system, Yokai checks in with its command-and-control (C2) base, arranges an encrypted channel for communication, then waits for its orders. It can run any ordinary shell commands in order to steal data, download additional malware, etc.

“There are some sophisticated elements in Yokai,” Hegde says. For example, “Its C2 communications, when decrypted, are very structured.” In other ways, though, it proves rough around the edges.

If run using administrator privileges, Yokai creates a second copy of itself, and its copy creates a third copy, ad infinitum. On the other hand, to prevent itself from running multiple times on the same machine, it checks for the presence of a mutex file — if the file exists, it terminates itself, and if it doesn’t, it creates it. This check, however, occurs after the self-replication step, so it only takes effect once the malware has already begun spawning out of control. “This leads to repetitive, rapid duplicate executions that immediately terminate upon finding the mutex. This behavior would be clearly visible to an EDR, diminishing the stealth aspect of the backdoor,” Hegde says.
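As an added example (Python written for this page, not code from Netskope or from the malware), two defender-side checks run over constructed process-creation events: one flags esentutl.exe command lines that reference an NTFS stream path, the ADS abuse described earlier; the other flags a burst of launches of a single image within a short window, the EDR-visible pattern the self-replication bug produces. The file names, paths, window and threshold are assumptions, not values from the campaign.

```python
"""Two detections for the Yokai attack-chain behaviours: esentutl.exe used
with an NTFS alternate data stream path, and a burst of launches of the same
image (the runaway self-copy). Events below are constructed, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A Windows path followed by a stream name, e.g. C:\dir\file.pdf:payload.
# The drive-letter colon is consumed first, so ordinary paths do not match.
ADS_PATH = re.compile(r'[A-Za-z]:\\[^\s":]+:[^\s":\\]+')


def esentutl_ads_hits(events):
    """Return the command lines in which esentutl.exe references an ADS path."""
    hits = []
    for _, image, cmdline in events:
        if image.lower().endswith(r"\esentutl.exe") and ADS_PATH.search(cmdline):
            hits.append(cmdline)
    return hits


def spawn_bursts(events, threshold=5, window=timedelta(seconds=2)):
    """Return (lower-cased) images launched at least `threshold` times in `window`."""
    by_image = defaultdict(list)
    for ts, image, _ in events:
        by_image[image.lower()].append(datetime.fromisoformat(ts))
    flagged = []
    for image, times in by_image.items():
        times.sort()
        start = 0  # sliding window over sorted launch times
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(image)
                break
    return flagged


# Constructed events: (ISO timestamp, image path, command line). Names assumed.
EVENTS = [
    ("2024-12-10T09:00:00", r"C:\Windows\System32\esentutl.exe",
     r'esentutl.exe /y "C:\Users\u\Downloads\invite.pdf.lnk:decoy" /d "C:\Users\u\AppData\Local\Temp\decoy.pdf"'),
    ("2024-12-10T09:00:00", r"C:\Windows\System32\esentutl.exe",
     r'esentutl.exe /y "C:\Users\u\Downloads\invite.pdf.lnk:dropper" /d "C:\Users\u\AppData\Local\Temp\drop.exe"'),
    # Benign use: ESE log recovery, no stream syntax anywhere on the line.
    ("2024-12-10T09:05:00", r"C:\Windows\System32\esentutl.exe",
     r'esentutl.exe /r edb /l "C:\ProgramData\app\logs" /d "C:\ProgramData\app\db"'),
    ("2024-12-10T09:06:00", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
# The runaway self-copy: eight launches of one image within a single second.
EVENTS += [("2024-12-10T09:00:01.%03d" % (i * 100),
            r"C:\Users\u\AppData\Local\Temp\backdoor.exe", "backdoor.exe")
           for i in range(8)]

if __name__ == "__main__":
    print(esentutl_ads_hits(EVENTS))   # the two stream-copy command lines
    print(spawn_bursts(EVENTS))        # ['c:\\users\\u\\appdata\\local\\temp\\backdoor.exe']
```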

Even a regular user might notice the strange effects on their machine. “The rapid spawning creates a noticeable slowdown. If the system is already under heavy load, process creation and execution might already be slower due to resource contention, further exacerbating the system’s performance issues,” he says.

In all, Hegde adds, “This juxtaposition of sophistication and amateurism stands out the most to me, almost as if two different individuals were involved in its development. Given the version strings found in the backdoor and its variants, it is likely still being continuously developed.”


NVIDIA shares fix for game performance issues with new NVIDIA App
Nvidia has shared a temporary fix for a known issue impacting systems running its recently unveiled NVIDIA App and causing gaming performance to drop by up to 15%.

The company confirmed that these performance issues are triggered when the Game Filters option is enabled in the application and it recommends disabling it and restarting the game as a workaround.

“We are aware of a reported performance issue related to Game Filters and are actively looking into it,” Nvidia staff said in a support forum thread published earlier today.

“You can turn off Game Filters from the NVIDIA App Settings > Features > Overlay > Game Filters and Photo Mode, and then relaunch your game.”

This comes following widespread user reports regarding the app crippling PC gaming performance after enabling Game Filters or Photo Mode, with affected customers saying they were forced to uninstall the buggy app as it was still causing issues even after disabling the overlays and other filters.

“I uninstalled nVidia app for now because it’s causing a lot of problems even though i disabled overlay and other filter stuff. We’ll see how it goes,” one affected user said.

“I did that yesterday, and there are no more random crashes in games. I couldn’t even start delta force. After I uninstalled, it worked first try,” another replied.

NVIDIA App Game filters and Photo Mode setting (BleepingComputer)

These claims were also tested by Tom’s Hardware, which confirmed that the drop in framerates can reach up to 15%. This is a huge performance hit, considering this is usually the difference between standard GPU models and their Ti versions (which come with more memory and CUDA cores).

The NVIDIA App companion application for Windows 10 and Windows 11 laptops and PCs with NVIDIA GPUs was officially released in mid-November following several betas.

The app is designed to keep GeForce Game Ready and NVIDIA Studio drivers up to date and provide gamers with optimal settings for over 1000 games.

“The NVIDIA app incorporates many of the top features from GeForce Experience and RTX Experience, includes an optional login to redeem bundles and rewards, and introduces new RTX capabilities to elevate your gaming and creative experiences,” the company says.
