Hacking News

  So we’ve all heard of brands like Kia that have been getting issues with them getting hacked, but what if you didn’t even need to get near the car to find out information about it? Well, Volkswagen has 800, 000 EV customers data that have been breached, and this is only the beginning. You should be worried about this, and we need to talk about it.

As well, Mirai Botnets have been expanding, and now they’re targeting industrial routers. That’s also not good news. All this in this episode of Exploit Brokers. Today we are facing an unprecedented array of data breaches, hacking attempts, and surges in digital crime. Why is there such a widespread amount and how little is noticed in our everyday lives?

Malware, dark sites, brute forcing, zero day script kiddies, and nation state hackers are all on the rise. Learn more about the threats we face and gain a bit more knowledge than yesterday. Hey everyone, another episode of Explore Brokers is coming to you now. Hey guys, it’s Cipherceval hosts. Thank you for tuning in.

If you could do me a big favor and hit that like, subscribe, and bell notification icon if you’re on YouTube. And if you’re on a podcast platform like Apple Podcasts or Spotify. If you could please give us a follow and 5 stars if you think we deserve it. It helps the channel grow and I would appreciate it immensely.

So guys, 800, 000 EV customer data. Is out there. I mean, it’s a mind boggling number. Volkswagen had major issues. They got breached and now there’s data is out there. Now I know a lot of you may be wondering, well, I don’t have a Volkswagen. I don’t have an Audi. I don’t have a seat or a Skoda. So why does that matter?

It matters because this is a trend we’ve been seeing. It’s no longer about just a car getting hacked. It’s about the entire infrastructure that gets hacked. And then the car is just kind of. An accessory to that. And what I mean by that is we’re seeing more and more of these cars are hooking up to servers and hooking up to other stuff.

There’s even a bunch of technologies that are going into it. You know, you can do stuff from spoofing GPS to apparently stealing data without ever being near the car. And that’s kind of where my concern lies, with this hyper connectivity of everything, we’re seeing more breaches happen, and information that shouldn’t necessarily be available, becoming available.

Let’s kind of dive into it with this article by Dark Reading. Volkswagen Breach exposes data of 800, 000 EV customers. Ethical Hacking Group Chaos Computer Club uncovered exposed data of electrical vehicle owners across the companies of Volkswagen, Audi, Seat, and Skoda brands. Volkswagen Group experienced a data breach last month exposing sensitive personal information of roughly 800, 000 electrical vehicle owners across its brands including Volkswagen, Audi, Seat, and Skoda.

Initially reported by German publication Spiegel, The breach has been attributed to an Amazon cloud storage system misconfiguration, which is managed by software subsidiary Cariad. The group reportedly left personal and location data openly accessible online for months on end, prompting the breach. So to give a bit of context and to give some information here from a software side, the Amazon cloud storage, which is generally an S3 bucket.

Uh, there is some other stuff, but S3 is kind of the most. Common any kind of cloud storage mechanism you have is kind of what it sounds like you put files and other stuff up there For whatever resources you might need granted when you put in text fields A lot of the stuff is probably held in the database, right whether you’re thinking information such as registration usernames blah blah blah But sometimes there’s stuff that gets put into cloud storage for a variety of reasons here What I’m wondering is why?

This kind of information, which we’ll get to in a second, what was actually leaked, why was this in a cloud storage instead of some kind of database? Who knows? Now, I just, I find that interesting. A lot of times you have, and this is something we’ve seen in the bug bounty community. You have misconfigurations as a bug because you shouldn’t be able to access things just on the open internet, but it does happen.

Let’s continue. The anonymous hacker who discovered the breach reported it to the chaos computer club, CCC. A well known organization of ethical hackers in Europe, the CCC tested the open, insecure access before informing Cariad and Volkswagen. As a good security research group does, you want to verify and confirm that what you’re about to send isn’t just blowing smoke in the air.

The data exposed in the breach included vehicle information, such as when EVs were switched on and off, along with location data, email addresses, phone numbers, and home addresses of car owners. And that’s, that’s where I just find it a bit mind boggling. Electric cars are pretty much just computers with wheels.

If we really want to talk about it, right? Whether it’s Volkswagen, Tesla, some of the Ford lightenings or whatever, all of the electric cars we’re seeing are just computers with electrical motors. At the end of the day, it’s no longer like the old, uh, ice, I believe they’re called internal combustion engine vehicles, where there’s a lot of systems at play, but it’s mostly mechanical.

Okay. Now you have a computer system. That’s pretty much electrical to mechanical and just where we’re seeing this go. And I find it interesting now on the security side, why did they have all this stuff somewhere easily available for months? There probably wasn’t proper auditing of anything. Um, whether that’s, there was a lot of turnover at the company.

I know a lot of the vehicle manufacturers have been having layoffs. I’m not sure if Volkswagen or Audi was one of them, regardless of the reason why it’s something that we’re seeing a lot of companies go to these cloud providers. And you have a lot of novice or even mid tier and even senior software engineers, if I’m being honest, you have a lot of engineers who are just not super familiar with some of the cloud and that’s where you get misconfiguration stuff.

If you have someone who’s done desktop apps and they go to a company that does a lot of cloud stuff. And they’re not sure of the best way to do it. And their it isn’t sure of the best way to do it, or they just have high turnover. That’s where we get into these kinds of scenarios. Is it the only way? No, but it’s something I’ve been seeing.

Because with anything, a lot of hacking tends to be just some kind of human error. And when it comes to misconfiguration bugs, a lot of the time is because there was things that the administrator wasn’t aware of stuff that they didn’t change. Think default passwords, you know, admin, admin, root, root, et cetera.

And just like that, there’s also access control misconfigurations and other stuff. So here, it seems like they just kind of left it open to the public. A wide variety of individuals have been affected by the breach, including at least two German politicians and the Hamburg police. While most affected vehicles were located in Germany, Spiegel’s hired researchers found details about cars in Norway, Sweden, the UK, the Netherlands, France, Belgium, and Denmark.

And I’m honestly kind of surprised it only went that far. I’m surprised it didn’t hit the U S it didn’t hit Australia, et cetera, et cetera. Now part of that also probably is the way that they segment their data, right? When you think about servers and when you think about cloud providers, a lot of times, a lot of the times they will have a cloud in one region.

And you have like, for example, AWS has like East Ohio, the West, they have several in Europe, right? So it just depends where. That S3 bucket was being held and it might not be an S3 bucket. There might be more to it, but wherever that server was being held, that was probably the part that was misconfigured versus, you know, maybe some of their cloud in another, uh, region is not privy to that.

It might be better security. It may have just been that this was. One of the backup or one of the fallbacks or et cetera. And that was not properly, not probably put behind access controls. It’s stuff we see. It’s kind of sad to see this kind of stuff happen, but it does happen. And with that, let’s go ahead and jump into the next one.

So this is by the hacker news. Mirai botnet variant exploits for faith router vulnerability for DDoS attacks. So for those of my listeners who either have been with me for a little while or haven’t been with me for a little while. I want to give a bit of context for those who haven’t been, or who aren’t privy to it, or aren’t aware of it.

The Mirai botnet is a botnet that’s been around for a while. They’re pretty powerful. They tend to do a lot of IoT based and other stuff. And the DDoS attacks that they’re mentioning is a distributed denial of service attack. A denial of service attack essentially means that one computer hits a server or a computer as much as they possibly can to try to prevent service.

A distributed denial of service attack is pretty much that scaled up. Where you have a couple thousand computers, a couple hundred, doesn’t matter, more than one. And that computer is sending as much data packets to a server to try to overload it with requests. Because if a server can only handle say a thousand requests per second or a thousand requests per minute.

And you flood them with a million per minute. You’re pretty much going to overload that server to the point that packets are even going to fall that they’re just not going to get picked up by the server at all, because you’ve overloaded it to the point that they can’t even do basic handshakes and stuff like that.

And the, for faith router. Is a brand from China, as far as I can tell. And that’s kind of the main things I would like to know, but I would like you to know before we jump into this and break down some other stuff. So MRI botnet variant has been found exploiting a newly discovered security flaw impacting for faith industrial routers since early November, 2024 with the goal of conducting distributed denial of service attacks, which I already explained.

The botnet maintains approximately 15, 000 daily active IP addresses with the infections primarily scattered across China, Iran, Russia, Turkey, and the United States. So if they have 15, 000 daily active IP addresses, that means They should have 15, 000 bots online daily. Could there be other bots? And, um, we’re seeing, you know, they just get taken down.

Some get brought back online. Very possible. But if we’re seeing about 15, 000, that’s a pretty good amount of bots that we’re seeing exploiting an arsenal of over 20 known security vulnerabilities and weak telnet credentials for initial access. The Mauer is known to have been active since February, 2024.

The botnet has been dubbed something I’m not going to say on this channel. And you’re welcome to look up the article to, to read what that is in reference to the offensive term present in the source code that should say a lot. So before I continue, when you’re talking about weak credentials, telnet is Another way to remote into a server.

If you want to think like SSH or, you know, a secure shell and you want to think like a FTP, right, a file transfer protocol, whenever you remote into a server to either do stuff, pull files, push files, telnet is just another way of doing that telnet is, I think not used as often as SSH is, or at least it shouldn’t be used as often as SSH is.

But it’s still around. It’s, it’s been around for a while and it’s going to be around for a while. Now, GQ Engine X Lab said it observed the malware leveraging a zero day vulnerability in industrial routers manufactured by China based Forfaith to deliver the artifacts as early as November 9th, 2024. So, a zero day being anything that is a vulnerability or a bug that the vendor doesn’t know about.

So, there’s been zero days that they’ve known to fix it. Last month, Volchek told the Hacker News that the vulnerability has been explored in the wild to drop reverse shells and a Mirai like payload on compromised devices. So the way that botnets will generally operate is they’ll have some kind of mode of infection.

They’ll have a dropper or something like that. And then they’ll have the actual botnet payload, the thing that does infection. Now I’ve seen this play out in very different ways. Sometimes they’ll have different versions of the bot. Sometimes there’ll be just one bot that tends to change over time. You have like version one, version two, version three, and as the developers get better at it, they’ll make new versions.

Um, and I bring that up because the fact that dropping a reverse shell means that they want some kind of remote access to do stuff, and you have to be careful of the kind of vulnerabilities used there. Some vulnerabilities can give you root access, and those are like the most dangerous because if it’s root access with a remote code execution, RCE, That’s where you can pretty much take over a system pretty quickly.

Now, some CVS could be something like you get in, but you have low level. So you need a chain it with something akin to a privilege escalation attack, right? Where you get in as a weaker user, but use privilege escalation tax to kind of go up. And I bring that up because right here, some of the other security flaws exploited by the botnet to extend its reach and scale include.

Several CVEs, but I’ll go through them really quick. CVE 2013 3307, CVE 2013 7471, CVE 2014 8361, CVE 2016 20016, CVE 2017 17215, CVE 2017 5259, CVE 2020 25499, CVE 2020 9054, CVE 2021 35394, CVE 2023 26801, CVE 2024 8956, and CVE 2024 8957. You’re probably wondering, you, you know, why did I just go over all those?

Good question. The biggest problem I have with this list is some of these CVEs are from 2013. The first ones on that list Surprised me the most because something from 2024 may not get patched as quickly, but something from 2023 probably has a patch. And if it doesn’t have a patch, then, oh my, that’s bad.

But the 2013 CVE should have a patch, which means it’s just harder to patch this stuff. The problem with routers, the problem with IoT devices, the problem with embedded devices, and that’s something you’ve heard me talk about on this channel before, the problem with these devices is, once they’re set up, they’re generally not maintained the way you would like your phone, or your tablet, or your computer.

When you get on your phone, most of the times you’ll be prompted, hey, there’s an update. But how many times do you update your router if you’ve ever updated a router? Because those are just not as easy to update from a user perspective. If you think about security cameras, routers, Heck, your fridge or your, I would hope not, but your range or your oven.

If they have any kind of firmware, how easy is it to update them? Now, if they’re not connected to the internet, that’s less of a concern, but if they’re connected to the internet and you have one of those smart fridges, what if that has CVEs in it and they’re stuff from 2013, 2015, they just never patched?

But the biggest problem with routers compared to the smart devices is the smart device isn’t necessarily facing the internet. You could misconfigure it, of course, but a router by definition is always facing the internet. And that’s what makes it much more problematic. And when you talk about industrial routers, you probably have a bunch of old outdated routers in the middle of a facility that just don’t get touched because they work and they’ve been there for a long time.

Now, to continue on, once launched, the malware attempts to hide malicious processes and implements a Mirai based command format to scan for vulnerable devices, update itself, and launch DDoS attacks against targets of interest. Now, like any good malware, or any Advanced malware. It tries to hide itself, which, you know, if we’re assuming a piece of malware is good, they should at least try to hide themselves, obfuscate their activity, things like that.

And then they pretty much look for ways to propagate. If you find other vulnerable devices, you can start a spread like a worm and so on and so forth. So DDoS attacks leveraging the botnet have targeted hundreds of different entities on a daily basis. With the activity scaling a new peak in October and November 2024.

The attacks while lasting between 10 and 30 seconds generate traffic around 100 gigabits per second, which comes out to roughly 12. 5 gigabytes per second, which if you kind of extrapolate that out, that’s roughly 750 gigs a minute. I don’t know about you, but that’s a good amount of data to be hit at once.

Now, the disclosure comes weeks after Juniper Networks warned that the Smart Session Router SSR products with default passwords are being targeted by malicious actors to drop the Mirai Botnet malware. Akami has also revealed Mirai malware infections that weaponize a remote code execution flaw in DG Ever DVRs.

Which going back, RCE, whenever you have an RCE that makes it so much easier to do stuff because if you can run a command that says download this bot, it’s just, it’s just that much easier. Now, the DigiEver DVRs, I have not come across this brand, but a DVR generally is a digital video recorder, I’m assuming that’s what they’re talking about here.

And DVRs is kind of one of those other, like, It’s one of those other devices. Sure. You may interact with it, but if they don’t have a very good way to run updates, if they don’t prompt you, Hey, do you want to update? If you got to go into some obscure setting and see if there’s an update functionality in it, then that’s where a lot of this.

Becomes more vulnerable to old CVs, right? Because even if they find a way to patch these digi ever DVRs, if the way to update it is plugging in a USB, downloading some zip off the internet, um, and plugging it in, booting it up into some special mode and running it, you’re going to have almost nobody update that router and nobody update that DVR or embedded device or camera or whatever.

The same kind of applies to all of them because. I’m not sure about you, but I’m pretty sure most people won’t do that. Most people that I know won’t do that. Most of my family members won’t do that. Because it’s kind of difficult. You gotta be a techie, you gotta be technically savvy. And even if you are technically savvy, how many of us are trying to download a zip to install on our fridge?

It’s just not something that’s done. Not often. Anyways, I know that I’ve had to update like old lenses on some camera that I had. And I was shocked because it was like, you left it connected to the camera. Then the camera would get connected to the computer and then you could update it that way. They didn’t have any, like connect to wifi and just update the camera.

Now this is a, you know, and a DSLR. And that is often not connected to the internet, but still, it’s just kind of crazy that there’s in the modern day, you have expensive equipment like DVRs, cameras, and all this other stuff that don’t have some better mechanism to update or even to be able to update themselves.

Now, the final part of the article, DDoS has become one of the most common and destructive forms of cyber attacks, X Lab researchers said. Its attack modes are diverse, attack paths are highly concealed, and it can employ continuously evolving strategies and techniques to conduct precise strikes against various industries and systems.

Posing a significant threat to enterprises, government organizations, and individual users. The development also comes as threat actors are leveraging susceptible and misconfigured PHP servers to deploy cryptocurrency miner called a packet. And this goes back, right? Misconfigurations, misconfigurations are probably much more common that they should be.

If you have a misconfigured SQL, misconfigured ports, misconfigured service, misconfigured anything. It’s just a lack of knowledge on the admin, the developer, the it, whoever’s controlling, maintaining, and updating that piece of software. Now, could it be that there’s some obscure configuration that no one’s aware of?

Sure. But we are seeing a lot of like admin admin, whoever set it up did not even bother to change the default creds. And that’s bad because that is like an easy thing to fix. That should be like day one. You go in, you do your best to wipe everything that has default creds, updated, secure it, harden it. Um, especially when you’re talking about devices that may never get updated ever again, I would hope that the tech or the it people who set it up should at least configure it where it should be.

Harder than admin admin. Was it admin admin in this case? No, but if they’re using default credentials, it could be pretty easy to just brute force, but guys, I want to thank you for tuning back in. I am trying a new format. I am getting rid of the music. So if you’ve gotten this far and you prefer that format, please leave a comment or send me an email through exploitbrokers.

com. There’s a contact form on there. You want to reach me. And you can always email me at support or support at exploitbrokers. com. This has been your host Cipherceval. I want to thank you for staying this long and I’ll see you in the next one.

Note: This is a transcript of the episode.

📢 Connect with us:

Newsletter: https://follow.exploitbrokers.com

Twitter: @ExploitBrokers

Medium: https://medium.com/@exploitbrokers

TikTok: https://www.tiktok.com/@exploitbrokers

🔗 References & Sources

* Volkswagen: https://www.darkreading.com/cyberattacks-data-breaches/volkswagen-breach-exposes-data-of-800k-customers

* Mirai: https://thehackernews.com/2025/01/mirai-botnet-variant-exploits-four.html

 So, everyone’s been talking lately about the telecoms getting hacked by Salt Typhoon, the Chinese threat actor. And, well, things just got kind of worse for the U. S. government because the U. S. Treasury Department just also got hacked by Chinese threat actors. That, and we have millions of fake stars on GitHub, which is helping malware and other stuff get spread.

Let’s talk about that in today’s episode. Today we are facing an unprecedented array of data breaches, hacking attempts and surges in digital crime. Why is there such a widespread amount and how little is noticed in our everyday lives? Malware, dark sites, brute forcing, zero day script kitties, and nation state hackers are all on the rise.

Learn more about the threats we face and gain a bit more knowledge than yesterday. Hey everyone, another episode of Exploit Brokers is coming to you now. Hey guys, welcome to another episode, if you could please do me a favor because it helps the channel grow. If you’re on YouTube, if you could hit that like, subscribe, and bell notification icon.

It would be great. And if you’re on something like Spotify or Apple Podcasts, if you could please give a subscriber or follow, so that way you can get updated with new episodes. And if you think we deserve it, give us a 5 star review to help us reach more people. With all that said, I am Cipherceval, your host, and let’s get into it.

Dark Reading, we have an article from them, Chinese state hackers breach U. S. Treasury Department in what’s being called a major cybersecurity incident. Major cyber security incident kind of being easiest way to say it Beijing backed adversaries broke into cyber vendor Beyond trust to access the US Department of the Treasury’s workstations and steal unclassified data according to a letter sent to lawmakers So before I jump into some of the nitty gritty of the article I kind of want to give a bit of context what you have a lot of companies agencies governments do is They have a way to access secure stuff, right?

so You have a VPN or a portal, there’s stuff like even Citrix, Beyond Trust, and a few different other solutions that essentially let you remote in to a secure environment from a nonce, relatively non secure environment, right, from, think laptops and other stuff that maybe personnel carry with them, and that’s kind of where the root of all this happened, it’s because of a vendor that they were using, Beyond Trust, Beyond Trust.

That all this kind of played out, but we’ll get into that right now with the article. I just kind of want to give you a heads up on that. It’s nothing that the U S treasury department themselves did, but they’re kind of in the middle of this because of fallout from a vendor. Now the U S the U S department of the treasury alerted lawmakers on Monday, that Chinese state backed threat actors were able to compromise his systems and steal data from workstations earlier this month.

Because an Advanced Persistent Threat, APT group, is suspected to be behind the hack, it is being treated as a major cyber security incident. The disclosure letter from the Treasury Department said, The letter was sent to the chairman and ranking member of the senate committee that oversees the agency.

So, you have, and we’re seeing it more and more, you have these threat actors, APTs, that, pretty much, are trying to do different things, right? Some of them trying to wreak havoc, some of them are trying to steal intel, It just depends on which threat actor is happening, or which threat actor we’re talking about.

In this case, we’re talking about one of the threat actors from China. Whether that’s Salt Typhoon or not, I don’t think the article even goes into that and I haven’t heard anything else on it, but it could be them. But essentially, that’s just who we’re talking about right now. Adversaries broke into the Treasury Department through third party cybersecurity vendor BeyondTrust, and gained access to a remote key used by the vendor to secure a cloud based service used to remotely provide technical support for Treasury Departmental Offices.

D. O. End users. The letter explained, with access to the stolen key, the threat actor was able to override the service’s security, remotely access certain treasury DO user workstations, and access certain unclassified documents maintained by those users. So, what happens a lot in IT development, developers, just in the world of tech, right?

You have privilege levels when you’re talking about remote access. You’re going to have the lowest level, which is say a user, right? You generally only give them access to applications and workstations that they need. And that’s it, right? You shouldn’t have an analyst per se, trying to access the workstation of every other analyst.

Maybe they have a shared, you know, a SharePoint or somewhere that they can exchange data or stuff, but generally you don’t want them to have full access over each other’s workstations versus something like an admin. Think, you know, like a network admin says admin, they need more than just that, right?

They have the trust to not do anything. And then they have to maintain workstations, troubleshoot, user accounts, troubleshoot, use workstations, applications, and different things like that. And then you have developer accounts, which are generally can be more privileged than the system admins. Even then, developer accounts, there is ways to segment it where, you know, maybe the primary account the developer uses is still somewhat limited, and then they have a super admin account, which they shouldn’t be using often.

Maybe they just have, they don’t have the permission, and they have to send out work tickets for other specific things, right? Whenever you go for more security, you kind of inconvenience developers and admins, so there’s trade offs, right? You Can’t give a developer necessarily admin to everything and anything, but if you want them to maintain databases, well, they need database access.

If you want them to be able to troubleshoot production issues, well, now they need production access. So there’s kind of, there’s a trade off for a lot of this, right? And if you steal an access key from a developer or an admin or one of those, you’ve essentially stolen keys to the kingdom. When you think about the valuable targets or what these, whether it’s cyber criminals or threat actors are going after when they are trying to steal credentials or they’re trying to steal stuff.

There isn’t a whole lot of value in lower end users, but if those lower end users let you pivot and go laterally until you find a machine where you can do privilege escalation or in this case, steal a key that’s very valuable that gives more access to be able to override certain security measures.

Well, then that’s a valuable goldmine. So those are just some things to think about right? It’s not super cut and dry where if you steal a key, that’s it. You’ve got keys to the kingdom. If you steal the key to a low level user account, well, then you still got to try to do lateral, but if you steal the key to say the admin, Or the, one of the main developers, then that becomes a wider area of influence.

So it’s things just to keep in mind. Beyond trust has more than 20, 000 customers across more than 100 countries who use its privileged remote access tools, according to its website, which also states that the company is used among 75 percent of fortune, 100 organizations going back again, right? You have a lot of companies and agencies and both private, public, et cetera.

Who want their employees and contractors and other stuff to be able to access stuff securely. The problem is that the vendors who set this up sometimes have more access over the system, depending how on how the whole thing is set up, right? They may need more access to troubleshoot this. If the stuff is not necessarily provisioned in the right way, then more people might have access than they need.

It’s just kind of a back and forth auditing a privileges of user accounts is something that I believe is somewhat normal when it comes to the IT world, but there’s always more auditing that could be done, but then that takes money, time, resources, etc. Beyond Trust told the Treasury Department about the issue on December 8th.

The department, along with the Cybersecurity and Infrastructure Security Agency, CISA, and the FBI is investigating the compromise according to the letter. A Beyond Trust advisory said the company was alerted on December 5th to a compromised API key. Which was immediately revoked. Impacted customers have already been notified and the company is working with them on remediation according to a statement from a beyond trust Spokesperson.

So we’re talking about an API key. That’s an application programming interface It’s essentially a way for another program to talk to a target program, right? You may log into your bank’s website and do certain things on there But that backend and maybe other services need to talk to the program directly.

And you have two programs that can talk to each other through this kind of API. And an API is really a fancy way of saying you’re doing text based requests going back and forth that are kind of predetermined or do certain things, but you do them programmatic. I’m kind of oversimplifying, but that’s kind of what I’m talking about.

So, Biontrust previously identified and took measures to address a security incident in early December 2024 that involved the remote support product, the statement said. No other Biontrust products were involved. So that’s just the statement, right? They have to kind of give some information, but maybe they’re not ready to give all the information out.

It’s something we’re seeing, right? You don’t want to freak everyone out that they’ve, you know, been completely owned through a supply chain attack or something else when that hasn’t been the case and they haven’t confirmed it. So I can understand them saying that, but hey. Once we get more information, that’s obviously going to be more interesting to kind of go and dissect.

Now, there is more of the article that talks about the epic Chinese hack of the US Treasury, because something that we’re seeing is that recently, Salt Typhoon, and I haven’t covered this, but it’s several other YouTubers, several articles, and other stuff I’ve covered it. Salt Typhoon recently has been found to have been in more telecommunication companies than originally thought.

I believe I touched on some of them, but I think as more information is coming out that more and more of the telecom agencies are actually hacked. And there was even, I believe, a safety advisory or some kind of notice that the government was saying, urging people to pretty much switch from SMS, which is text based, to To some kind of encryption think like signal because what happens with text communication specifically I don’t know about RCS, which is kind of a new tech But SMS whenever you send a message that message is sent via plain text that plain text message is generally held in some reservoir that the telecom companies have think of a database essentially and They do that because from when you send it to when the recipient is found.

It’s not instantaneous, right? It’s not like you’re pinging some IP network The network has to do resolution and figure out where this client is. What’s the closest antenna to them. And, you know, it’s more sophisticated than just trying to reach a server because this is a moving target, right? So there’s much more noise and chaos that get mixed into it versus just a normal DNS and it seems like salt typhoon has accessed a bunch of that information.

And depending on how long they’ve been in the system, the amount of stuff they can exfil. Or exfiltrate is enormous, right? Imagine being able to see every text message from the United States or anyone in the United States or anyone in the Philadelphia area, anyone in the Washington DC area, right? It starts to get really crazy when you think about the implications of it, but right now the government was just dealing with that only for the U.

S. Treasury Department to get hacked. It really seems like. Chinese threat actors are really taking advantage of kind of the turmoil between the elections and you know, the dysfunctional nature of government and they’re mounting more and more cyber attacks. So it’s going to be interesting to see where that goes, but that is kind of the gist of this article.

Um, and just kind of breaking down some of the major points on this. Now that we talked about that, let’s talk about GitHub. Now in an article by bleeping computer, Over 3. 1 million fake stars on github projects used to boost rankings. So, whenever you’re talking about stars on github, again, to give a bit more context before we jump into the article, whenever you’re talking about stars, think of it kind of like a, like the like button on social media.

A star on a github project, which are open source projects, is a way of saying, hey, I like this repository, and that signals to other users of github, hey, this could be a worthwhile and or trustworthy repository. And the reason that’s important, right, is you have a lot of developers, whether it’s, you know, new novice developers or seasoned developers or et cetera, who use GitHub because you can’t necessarily write every piece of code yourself.

You can, but then you’re going to be spending maybe months rewriting a library that already exists and it’s useful. Think cryptography, right? You want to use a tried and tested cryptography library. Because you trying to roll your own cryptography is pretty much guaranteed to fail in one form or another.

Whether it’s implementation, typos, you name it. Rolling your own crypto, cryptography, and I’m not talking about crypto like bitcoin, but cryptography like encryption, is kind of one of the easy ways to mess something up. So because of this, a lot of developers rely on github. Not only github, but that’s kind of the most popular one and it got bought out by Microsoft a while back.

So now that you have this repository of open source projects, And the stars are being used to manipulate it where you’re like, well, why does that matter? Well, when you have the ability to influence rankings of top packages, you start to get malicious things happening because at that point you can buy stars away.

You can buy likes, and that’s where kind of this problem arises. So let’s jump into the article and I’ll be back and forth the way I normally get hub has a problem with inauthentic stars used to artificially inflate the popularity of scam and malware distribution repositories. Okay. Help with them reach more unsuspecting users stars are similar to the like button So social media allowing github users to favorite a repository.

So I’m gonna skip over some of the stuff I’ve kind of already explained one interesting thing to kind of discuss and to kind of bring to light is I know maybe some of my audience aren’t software engineers, software developers, maybe some of you are just cyber security people, maybe some of you are just people who are interested in this and are just seeing from the outside looking in, or maybe you’re new to cyber security or programming, but the problem with manipulating rankings on this level, right, the amount of packages that modern applications use is massive.

If you think something like NPM, there’s a running joke where NPM is like 50 gigs for a Hello World. Um, that’s not the exact joke that I’m paraphrasing, but it might as well be. Because what happens is, you have a lot of libraries that don’t necessarily need to exist, but some of them are extremely useful.

And there’s so much bloat in the amount of packages that a piece of software has now. And a package is just pre written code by someone else. With that said, just continue. The problem has been documented previously, like last summer when Checkpoint uncovered a malware delivery service named the Stargazer’s Ghost Network, which used an extensive network of inauthentic users starring fake projects to push information stealing malware.

Non malicious projects also use fake stars to boost their popularity, increase their reach, and attract legitimate user attention, real stars, and adoption. Whenever you get a malicious thing, And you, whenever you get a malicious package and you push it up and it makes it popular, now you’re kind of thinking about this from, okay, say 10, 000 applications installed.

Now you have a supply chain attack because those 10, 000 applications are legitimate applications and they might actually have ways to sign. So you have this malicious thing being Trojaned in without the developer wanting to Trojan in, and then they can distribute this piece of software. Say it’s a trusted thing, right?

It’s. One of the apps that we’ve used on Windows. Think like WinRar, or 7 Zip, or, you know, Chrome, or any of those applications. Imagine if they installed this malicious package, and now it affects pretty much everyone. Because if you’re thinking Chrome and Firefox, if they were to install any of these malicious packages, now that’s a huge target base.

And it’s a supply chain attack. We’re seeing these more and more. But now, the ability to manipulate the rankings with the stars and the bots. Makes it easier to implement this right because you’re not just hoping a developer finds your package You’re now making it more likely that a developer will find your package And if developers are under deadlines and stress, they may not read everything and that’s just the human nature of it Now there are saying non malicious projects use this, you know, kind of like social media Sure You may have some bad actors trying to push up their likes to push some scammy Product but you also have people that are trying to just become influencers and they might buy it likes you might have Legit projects that are like hey, I think this is useful, but no one seems to be picking this up So they’re paying to kind of get this up buying Users and all that is generally frowned upon because there should be unique or not unique There should be you know, authentic interaction My problem with buying with using bots, right?

Is you’re not driving real traffic. Sure. You might get a spike in traffic, which then lets you find other people, but the way algorithms work or at least, you know, search algorithms work is they rely on a lot of signals and very, I would say complex markers. And if you start to mess with that by introducing bots, which have no personality, it’s just wherever the money’s coming from, right?

You could have just a complete messing up of. The characteristics or the metadata of your channel or get up or whatever you’re doing. So I generally don’t like bots because it skews in directions that you may not anticipate. If all the bots are liking prank channels, let’s talk about YouTube for a second.

If all the bots are liking prank channels and you push a cooking channel, well, now they may be incentivized or YouTube might be incentivized or one of the other video sharing sites might be incentivized. To share your cooking video to even more prank channels because the bots that are liking prank channels are liking yours So there has to be some overlap and that’s not necessarily what’s happening with github, but that’s why I dislike bots Anyways, so the researchers here were actually using some let’s call it AI ish Methodologies, they’re using math and whenever you talk about math you start to kind of veer into like The precursors to AI, because AI is just really fancy math, calculus, and stats.

Um, pretty much. So looking for fake stars, it’s a subheader in the article. The researchers developed and used a tool called Starscout to analyze 20 terabytes of data from GH Archive to find inauthentic stars. GH Archive contains metadata of over 6 billion GitHub events from July 2019 to October 2024, including 60.

5 million user actions on 310 million repositories and 610 million stars. In other words, they just have a lot of log data. But, it’s, it’s just that, right? You need log data to see what’s going on and try to do some analysis. So, StarScout detects users who show minimal activity on GitHub, like star in a single repository, have bot or temporary account activity patterns, and account groups that act in coordinations such as starring the same repositories within a short time.

Their method is based on the CopyCatch, an algorithm designed to detect fraudulent patterns in social networks. So, from a math perspective, right, you will have some kind of data patterns that will naturally emerge. Whenever you’re looking at large pieces of data just like before elections There’s a certain amount of searches or if you look at Google Trends, for example those all tend to go up just before an election cycle or when you look at like Shopping it tends to go up just before the Christmas season There’s certain patterns that are just inherent from a psychological perspective that human nature happens with But when you start talking about bots, they don’t exhibit the same thing Here, one of the easy ways to kind of figure out is if you have all these accounts that are starring or liking this specific account, and you see them doing that consistently for multiple accounts, that’s not very likely.

The likelihood that user A, user B, and user C all like the same account within the same day, and then they do that 10, 20, 30 times, so 10, 20, 30 different repos or user accounts or whatever, is not likely. Because the amount of data and accounts and social media and just the internet is massive. So that’s where you see these outliers and you can essentially do something like a k nearest neighbor and all these graphs.

There’s a bunch of kind of algorithms and mathematical ways to do this and that’s what they’re talking about here. Copycatch. It’s an algorithm that’s been fine tuned. Or at least the concept has been tuned to preventing or detecting fraud in social networks. Now they found 4. 5 million stars, but then they actually tried to, they did some sampling and did some other stuff and they reduced that to 3.

1 million fake stars given by 278, 000 accounts to 15, 835 repositories, which is still massive. When you think about the amount of accounts or bots and the amount of repositories that are paying, because you have to pay money for this, right? And. Now, now there is kind of a good side, which is the researchers did report this to github and it seems like they’re taking action against it but you can’t just do a massive ban, you have to make sure that you’re actually using some kind of metrics on the github side to validate this information, right?

Trust but verify, and that’s kind of the gist of this. There will always be a way to hack the system, in a way. Um, because whenever you’re talking about social media or rankings or something else, just like we’ve seen with SEO and the internet, there’s ways to game the system. So it will always be a can and mouse.

That is ultimately what cybersecurity is. It simplifies to, you find a loophole, they patch the loophole, you find another loophole, they patch the other loophole, and it just goes back and forth. Uh, and sometimes it’s legitimate loopholes that get patched and sometimes it’s just fraudulent stuff and malicious stuff.

Bugs could, you know, could make the application unusable or bugs could make the application super insecure. And that’s the world of software development. But guys, I want to thank you for tuning in to another episode. This has been your host Cipherceval and I will catch you in the next one.

Note: This is an autogenerated transcript

📢 Connect with us:

Newsletter: https://follow.exploitbrokers.com

Twitter: @ExploitBrokers

Medium: https://medium.com/@exploitbrokers

TikTok: https://www.tiktok.com/@exploitbrokers

🔗 References & Sources

* US Treasury Hacked: https://www.darkreading.com/cyberattacks-data-breaches/chinese-state-hackers-breach-us-treasury-department

* Github Fake Stars: https://www.bleepingcomputer.com/news/security/over-31-million-fake-stars-on-github-projects-used-to-boost-rankings/

Imagine this, you buy a webcam off Amazon, you don’t really think much of it, and then a couple of years later, it’s no longer getting updates. You still don’t think anything of it. But then, suddenly you find out that you’re not the only one who’s looking through the webcam. It’s creepy. Not only that, but we have another article that we’re gonna touch on where over 900, 000 people’s medical information got shared or breached.

So imagine your private, intimate information going back and forth with the doctor, or stuff like your prescriptions, or what you’ve been Diagnosed with has kind of been thrown out on the internet There’s been a new breach and we need to talk about it today We’re facing an unprecedented array of data breaches hacking attempts and surges in digital crime Why is there such a widespread amount and how little is noticed in our everyday lives?

Malware dark sites brute forcing zero day script kitties and nation state hackers are all on the rise Learn more about the threats we face and gain a bit more knowledge than yesterday. Hey everyone, another episode of Exploit Brokers is coming to you now. Welcome to another episode of Exploit Brokers.

I’m your host, Cipherceval, and if you could please do me a big favor because it helps the channel grow, if you can hit that like, subscribe, and bell notification icon, and If you’re on YouTube, if you’re on a podcast platform like Spotify or Apple Podcasts, if you could please give us a subscribe or a follow, and give us a 5 star rating if you think we deserve it.

With that said, if you are on YouTube, check out our podcast, which is the audio version of this, and if you’re on the podcast, check out our YouTube. I’m hoping to try to get some educational content out, and as much as I can, But with that, let’s jump into it. So, let’s talk about the first article by Bleeping Computer.

FBI spots hiatus rat malware attacks targeting web cameras, DVRs. I know, creepy, but let’s jump into it. The FBI warned today that the new hiatus rat malware attacks are now scanning for and infecting vulnerable web cameras and DVRs that are exposed online. As a private industry notification, a pin, published on Monday explains the attackers focus their attacks on Chinese branded devices that are still waiting for security patches or have already reached end of life.

So, when you have a lot of devices that reach end of life, and this is also for software, for devices, devices are kind of a bit different. More extreme because if the devices don’t have a very good way of updating over there, updates or stuff like that, they can get out of a, you know, stable and safe operating system or safe firmware software that they’re running quicker.

But what’s happening is you have a lot of these devices that either users aren’t technically aware how, or there’s just no good method of updating or patching the firmware. Or, if they’ve reached end of life, there’s just no more firmware that’s gonna be made for these devices. You see this a lot with like, older devices, as well as devices whose company just decided it wasn’t worth the effort, or the time, or the money, to keep updating these devices.

In March 2024, Hiatus Rat Actors conducted a scanning campaign targeting Internet of Things, IOT devices. In the us, Australia, Canada, New Zealand, and the United Kingdom. The FBI said, the actors scanned we cameras and DVRs, which is I believe digital video recorders for vulnerabilities including CVE 20 17, 7 9 2 1 CVE 20 18, 9 9 9 5.

There’s three nines, CV 20 22, 5 0 7, 8 C, V, 20, 21, 3, 3, 0, 4, 4, C, v, 20, 21, 3, 6, 2, 6, 0. And weak vendor supply passwords. Yes. The admin admin is, I know, shocking. The threat actors predominantly targeted HikeVision and Zhongmai devices with Telnet access using Ingram, an open source webcam vulnerability scanning tool, and Medusa, an open source authentication brute force tool.

So the CVEs are as old as 2017 kind of gets at what I’m saying, right? You have a vulnerability that was found back in 2017 at this point. It’s no longer a zero day It is a known vulnerability. I would have assumed at some point after a patch would have been made available But if a camera or device is still vulnerable to the cve It’s been what we’re in 2024.

So you’re talking like seven ish years if they couldn’t Find a way to patch that device or if they don’t have a good over the air update method You Or if it’s just a very, you know, not straightforward user friendly way for that device to get updated, like a lot of IOT devices are, um, I’m not an IOT expert, so if you know about IOT devices and you think there’s a easy way for a bunch of them to get updated, please reach out to me.

I’d love to find out more, but. In this case, there’s 2017, right? Followed by a 2018, 2020. CVEs, for those of my listeners who are not aware of the nomenclature, is essentially CVE dash the year it was found, and then I believe the next number is the number in the list of vulnerabilities found in that year.

Now, their attacks targeted web cameras and DVRs with the 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575 TCP ports exposed to internet access. So, whenever you expose any port to the internet, you are bound to get a flood of bots, a flood of Hacking attempts on that because you’re opening up to the internet, right?

This isn’t something that’s kept within your internal network If these devices are purposefully exposing them to stream data to open up an admin Website to do anything like that, right? You’re opening up a new way for people to hit it Which is probably where some of these CVEs are located if I had to be honest Now, the FBI advised network defenders to limit the use of devices mentioned in today’s PIN and or isolate them from the rest of their networks to block breach and lateral movement attempts following successful hiatus rat malware attacks.

It has also urged system administrators and cybersecurity professionals to send suspected indications of compromise, IOC, to the FBI’s Internet Crime Complaint Center or their local FBI field office. So the isolation part, I want to touch on that because some people might know what that is. Some people might not.

Whenever you break into or a hacker breaks into a system, right? Ultimately IOT devices and all this, they generally will run some kind of Linux or something else in them. Or if not, they still run a way to be able to run a shell. So when you do a lateral movement, that’s you’ve successfully breached. A computer in this case, let’s, let’s assume for simplicity sake, the camera is running a Linux operating system.

So you’re in the camera and it has Linux operating system. And because it has something, some kind of Linux on there, you have a shell and some other capabilities. Now that you have a pivot point on a network, you can start to scan other devices. And if another device on that network also has some kind of CVE or also is weak password or something, then you can start hopping between the initial entry point and other devices on the network.

And the reason that’s bad is right. Say your camera is mostly locked down. You have a mostly locked on camera. But there’s a CVE so they get it. If they’re able to pivot to another machine and that machine has higher privileges Then you can start to kind of work laterally and start to get more information and eventually you’ll be able to get us like Really really interesting data.

I’m oversimplifying that but that’s kind of why this is bad No, that is why this is bad Now if we keep going the campaign followed two other series of attacks one that also targeted a Defense Department server in a reconnaissance attack and an earlier wave of attacks in which more than a hundred businesses from North America Europe and And South America had their Draytek Vigor VPN routers infected with HiatusRat to create a covert proxy network.

So proxy networks being, you know, you have a machine in between you and the target server that you’re trying to get to, so you use that as a way to bounce the traffic off. Lumen, the cyber security company that first spotted HiatusRat, said the malware is mainly used to deploy additional payloads on infected devices.

Converting the Compromise Systems into SOCKS 5 proxies for command and control server communication. HIDAS RAT shifting in targeting preference and information gathering aligns with Chinese strategic interests. A link also highlighted in the Office of the Director of National Intelligence’s 2023 Annual Threat Assessment.

So when you have threat actors, like in this case, China, they are trying to get Intel, anything that could potentially give them an edge, anything they can find that is worth a lot of money. So if they’re deploying these rats and all this other stuff through their threat actors and efforts to get as much information, right?

The more devices you have hacked, especially stuff like webcams, the more information you can literally see, right? A webcam, if you hack it, you can get a bunch of data. Now, the reason that’s also very. Interesting and important, right? You have a lot of IOT devices that may go years with never being touched, right?

It’s not like your computer where you get a virus, you notice it’s slower, you take it to Geek Squad, and stuff like that, right? There’s IOT devices, and just their devices in general, have this kind of set it and forget it that I think a lot of average consumers and just most consumers have that mentality.

There was um, there’s two interesting things that come to mind one was a Twitter post and if I can find it I’ll tag it in the description, but there was a Twitter post that was showing how someone’s washing machine was like downloading three gigs of data a day and I don’t remember what the reason was it might have been something legitimate might have been malware.

I don’t remember But the fact that your washing machine can download any kind of data over the internet is just miles, right? We went from Devices being like these huge things that would fit, you know in a bag or somewhere else So, I mean almost everything’s internet connected now you have stuff like stoves which are concerning to me You have the fridges you have smart air fryers.

Everything has a chip in it Now everything’s an IOT device technically But You are seeing the shift with that and that’s where it’s just, it’s concerning, right? You don’t want your microwave to phone home to some threat actor and get information or, you know, maybe there’s other things that they can steal from the network, move laterally from your coffee machine to your computer devices.

There’s so much to this. I could probably list a bunch of things and keep going, but. Let’s jump into the next article because it’s just as concerning as someone looking at you through your webcam. So, in an article by Bleeping Computer, again, Connect on Call breach exposes health data of over 910, 000 patients.

Healthcare software as a service company, Freesia, is notifying over 910, 000 people that their personal and health data was exposed in a May breach of its subsidiary, Connect on Call, acquired in October 2023. Connect OnCall is a telehealth platform and after hours on call answering service with automated patient call tracking for healthcare providers.

So, for my listeners in the other parts of the world, in the U. S. you have, uh, telehealth, which I imagine different countries, uh, probably do also have telehealth. I’m not familiar with telehealth. Other countries health, but for this case, I just kind of want to give some context the u. s A lot of insurance providers and there’s a lot of these popping up where you can call a doctor, right?

If you have something like a ear infection Or a throat infection stuff that’s kind of easy to diagnose Then stuff like a telehealth visit is sometimes more accessible and easier to get to especially with the I believe it was like 24 7 or at least I know there’s some services that are 24 7 where you just need maybe some nausea meds or you need some cortical steroid or you need Antibiotics something right where getting to a doctor would be prohibitively expensive Otherwise, because some of these services are offered through insurance providers for free, or maybe you have to take half a day from work to go to this doctor when you could just telehealth and get something in a couple of hours.

Um, it’s just becoming more, more ubiquitous. Now, on May 12th, 2024, Connect On Call learned of an issue impacting Connect On Call and immediately began an investigation and took steps to secure the product and overall security of its environment the company revealed. Connect on Call’s investigation revealed that between February 16th, 2024 and May 12th, 2024, which is several months mind you, an unknown third party had access to Connect on Call and certain data within the application including certain information in provider patient communications.

After discovering the breach, Freesia notified federal law enforcement of the incident and hired external cybersecurity specialists to investigate its nature and impact. So, at that point, you have to escalate. If you have, especially when it comes to healthcare, you have such sensitive information that if exposed, it just becomes more problematic.

And I’ll get to why I think it’s problematic in a minute. So, Freesia also took Connect On Call offline and has since been working to restore the systems within a new and more secure environment. Be cool to see a write up on what they did, but don’t worry. I don’t know if they would release that. While the statement does not include the total number of people impacted, Kinect On Call told the U.

S. Department of Health and Human Services. Or the HHS, that the breach affected the protected health information of 914, 138 patients. The personal information exposed during the almost 3 month long breach, not an insignificant amount of time, includes information shared in communication between patients and their healthcare providers, such as names and phone numbers.

But wait, there’s more! This may have also included medical record numbers. dates of birth, as well as information related to health conditions, treatments, or prescriptions. And in a small number of cases, the affected individual’s social security number. Oh my. This is, this is where it gets bad. Like, it wasn’t bad enough that there’s another data breach.

It’s bad, right? You have more information that you can use to build a profile on potential victims. Which is just, oh my, that’s horrible. Okay. So, you already have a bunch of social securities. Social security numbers that are out there. If you can start correlating someone’s social security number. With their conditions, their treatments, their prescriptions, their house location, their phone number.

You can start to build a very, very detailed profile on some individuals. Which, I mean, it’s no surprise that people’s data is out there on the dark web and on the internet. Fine. But now you’re getting stuff that should be better secured. Stuff that should be encrypted and hard to get to. And it’s just out there.

I mean, oh my, it’s just out there. And this is where I’m going to put on my developer hat for a second. This is where I think best practices would be a great way to kind of mitigate some of this, right? If we do proper encryption, if we do proper storing of data, if we do more things to protect the information, so if it gets leaked or, you know, Breached or whatever, then it just becomes harder for a hacker to use.

If a hacker pulls something with a 256 bit encryption on all of the data, and you know, assuming you’re doing it properly and other stuff, then it It’s almost garbage to them. If the keys are properly sanit Not sanitized, but if the keys are properly loaded in a way that doesn’t expose them. You have stuff like AWS secrets and other things you can do where they would have to not only breach the server, but they’d also have to breach an AWS account.

There’s, like, other things that a hacker would have to breach into. But even then, three months is not an insignificant amount of time. To get data. Um, I think it was Kali Linux that popularized it around or who popularized it, but it was the quieter you are, the more you can listen to. And I, yeah, I mean, three months, they were either really good at hiding or the mechanisms that they had for finding like individuals that shouldn’t be on the network on the network were just lacking.

I don’t know. It’s one of the two, either they were really good or the company was not as good as they need it to be. The connect on call service is separate from freesia’s other services including our patient intake platform based on an investigation to date there is no evidence that our other services has been affected freesia said in a separate statement on its official website so freesia Acquire Connect On Call.

So that kind of doesn’t surprise me. When you have a company acquire another company, generally the way that I know, you don’t have an instant like, oh, they’re integrated, they’re in next day, right? You have these two different entities that are merging, right? An acquisition. But that means you have employees that have to get onboarded to the new one, assuming they’re not laid off.

You have different resources, different systems, even just simple stuff like, well not simple, but even stuff like payroll, from one company to another, or the HR software, or the IT software, or the ticketing software. There’s like dozens upon dozens of different things that need to get migrated, and merged together, and even then you can’t just smush it together and hope it works, because if you lose critical information, that’s bad.

Continuing, we understand the importance of this service to our client’s business and we are working to restore the Connect On Call service as quickly as possible. Freesia also advised to potentially impact individuals to report suspected identity theft or fraud to their insurer, health plan, or financial institution even though the company has no evidence that the exposed personal information has been misused.

Just because you don’t have any evidence it’s been misused doesn’t mean it’s not going. If the data was breached, it’s gonna end up on a dump somewhere. And when I say dump, I mean literally a copy paste dump. Like, that information’s somewhere on the dark web, normal web, somewhere. Pastebin. So, the fact that they don’t know of any that hasn’t been misused doesn’t mean it’s not going to be.

It, it’s out there now. And just like everything else, there’s gonna be more and more data that’s out there. So, the advice I would give, Is always check your credit scores, always check your stuff and find a way to get access to it. Um, not sponsored, but you know, stuff like Experian, even Credit Karma, just something that lets you view your credit reports.

And if you see an account that you don’t know, or that shouldn’t be there, You can start to take action against it, right? Identity theft sucks. It’s not good, but there is ways we can do to kind of fight back against that. Freezing your credit helps. There’s different things. I’m not a financial advisor, but you know, there’s a huge financial burden that comes with identity.

Now putting my developer hat back on, there was probably a lot of mistakes that were made on the connect on call, right? The fact that they caught acquired means that there was probably a bunch of scrambling. You might have had IT that wasn’t sure on the best way or the most timely way to migrate the systems.

Maybe they were just running old systems and they didn’t have the capabilities or the resources to patch everything. There, there could be dozens of ways, right? If they got in, I don’t think I saw any reason or any, any information on how they were breached, right? Could it be, you know, some user reused passwords and they got in that way?

I don’t know. If you guys know anything about that, please feel free to leave a comment in the, send me a message or leave a comment on the YouTube comments. But, this is something that we’re seeing more and more. There is more data breaches. There is more stuff that’s out there to build profiles on potential victims.

And, it’s, it’s gonna get easier for some threat actors and some hackers to just get that and abuse it. And, we We, the collective we, we as whether you’re a developer or a cybersecurity person just someone who’s interested in this and wanting to find out more. I think it’s up to people who know about it to spread it to other people who may not, right?

Granny may not know, now granted, I don’t know if granny would be using connect on call, but granny won’t know that it was breached. I know a lot of these companies send out email, or not emails, but letters saying, hey, We had a breach and we’re offering like three months of identity theft or something like that.

We’re, I get those cards go out, right? But that’s not going to be enough. And I don’t think we’re going to get to a point where we have no data breaches. And that’s just the reality of it. Um, bugs exist, bugs will always exist and we’ll always have to patch them. Um, and that’s kind of, kind of the gist of it.

Um, now. To circle back to the first article, if you have a webcam by HikeVision or the other one, so pulling that name up, HikeVision or Zhongmai Devices. I would decommission it, if you can’t patch it, right? If it’s one of their end of life devices, just, just dump it. Uh, get rid of it. If it’s, needs a security patch, patch it.

And this goes for any of your devices, right? Make sure your stuff’s up to date, make sure you’re running updates on everything. And if it’s connected to Wi Fi, see if you can update it. Um, there’s another horror story that I read a while back where, um, there’s certain light bulbs, I would assume a lot of the light bulbs, when you connect it up to Wi Fi and all this other stuff, that Wi Fi information is stored on the light bulb.

So if you were to go throw it away, there is a way to pull the Wi Fi and Wi Fi password off the device, and now you have an entry point into the Wi Fi, right? Granted, stuff like WEP and all that, there is ways to hack Wi Fi, that isn’t new. Now you can literally just go and try to pull it off the device itself, for, you know, for the case of the lightbulb, not pertaining to this per se.

But here, if they’re opening up to the internet, and there’s already tools, Ingram and Medusa, then, it’s really, really the best way to combat this. From a consumer perspective is to pull vulnerable and end of life devices offline, try to patch the ones that can be patched and upgrade to either newer stuff, a different vendor.

There’s just a couple of different avenues. And if you’re a cybersecurity researcher and you find indicators compromise, send them over to the right people. See if we can get more information on it. And if you were hit with, uh, if you were using connect on call or know someone who was, uh, affected by the connect on call thing.

Just check your credit reports and that’s all we really can do. It’s up to us to put pressure on these kinds of companies to make sure that companies are more responsible in the way they develop their software to make sure that we’re encrypting sensitive information and making environments as secure as possible.

There will never be a 100 percent unhackable system. There just won’t be. But if we can make it harder and harder, then I’m hoping we can see less and less data breaches. But guys, With that, it’s been fun. I am your host Cipherceval, also known as Lauro, and I will see you in the next one.

Note: This is a transcript

🔗 References & Sources

* Webcams Hacked: https://www.bleepingcomputer.com/news/security/fbi-spots-hiatusrat-malware-attacks-targeting-web-cameras-dvrs/

* Health Data breach: https://www.bleepingcomputer.com/news/security/connectoncall-breach-exposes-health-data-of-over-910-000-patients/

 

Hey guys, welcome back. I have another episode for you. I got two articles to talk about, both game related. We have one from Bleeping Computer and one from Dark Reading, both involving video games. One is about the FTC distributing 72 million in Fortnite refunds. And the other is about a cryptocurrency game, or crypto game, that is being exploited to pretty much steal money.

But it’s not by the developer and you’ll see what I mean when I talk about it today. We’re facing an unprecedented array of data breaches hacking attempts and surges in digital crime Why is there such a widespread amount and how little is noticed in our everyday lives? Malware dark sites brute forcing zero day script kiddies and nation state hackers are all on the rise Learn more about the threats we face and gain a bit more knowledge than yesterday Hey everyone, another episode of Exploit Brokers is coming to you now.

Hey guys, if you can do me a favor because it helps the channel grow, if you can hit like, subscribe, and the bell notification icon if you’re on YouTube. If you’re on the podcast platforms like Spotify or Apple Podcast or any of those, please give us a follow or subscribe and give us a five star rating.

It helps the show if you think we deserve it. And with that said, let’s get into it. So, the first article is by Bleeping Computer, FTC distributes 72 million in Fortnite refunds from Epic Games. So, the Federal Trade Commission, FTC, is distributing over 72 million in Epic Game Fortnite refunds for the company’s use of Dark Patterns to trick players into making unwanted purchases.

So Dark Patterns, this kind of goes more into the world of social engineering, which is kind of like human hacking, if you want to call it that. But Dark Patterns is any kind of pattern, and I’m pretty sure you’ve seen them before. That kind of gets the player to go in a direction that favors the business or the company or the entity leveraging dark patterns If you’ve ever seen like a big button that says, you know continue with pay and then at the very bottom in almost transparent letters um, like cancel or in emails if you’ve ever seen the unsubscribe button is kind of Like built into that long text at the bottom with the same color, and it’s not very obvious.

That’s a dark pattern a lot of the Loot boxes and things that make it very flashy and almost like gambling is also a dark pattern. You’re exploiting human behavior and human emotions to try to get some kind of outcome that the business or entity wants. It is commonplace, it probably shouldn’t be, but it is pretty commonplace in a lot of places.

And now, you know, we’re seeing Epic Games. They’re being forced to pretty much give money back because of this. So, this is part of the record breaking 245 million settlement the agency reached with the game publisher in December 2022. The settlement addressed allegations That Epic games used dark patterns to trick players into unwanted purchases.

The FTC alleged that fortnight’s counterintuitive, inconsistent, and confusing button configuration led to players of all ages to incur unwanted charges based on the press of a single button reads the FTC press release. For example, players could be charged while attempting to wake the game from sleep mode while the game was in a loading screen.

Or pressing the Jason button while attempting to simply preview an item. Additionally, epic Games was accused of allowing unauthorized charges by children and restricting access to purchase content for users who disputed those charges. So as far as I’m aware, when you’re talking about Fortnite, it is very popular among younger crowds.

Granted, there’s probably adults who play it. I’m not saying that it’s only for younger, you know, younger audience kids and stuff like that. But it seems to be that Fortnite specifically has a lot of young audience that are attracted to it, right? You also have stuff like Call of Duty that also brings out some young audience who want to play it, but Fortnite Tends to be this very cartoony over the top game, right?

It’s a battle royale, which for my listeners, um, a battle royale is kind of like, if you’ve ever heard of a first person shooter, a battle royale is like, I don’t know, I think maybe 50, a hundred people, it’s a lot of players that get thrown into a match and then it’s one, one to rule them all pretty much King of the Hill.

And. With that, you have a lot of cosmetic items that go into it, and that’s where the money is getting spent, because Fortnite is a free game to play, but where the money comes in is the skins. You can buy skins and other stuff to give your cosmetic upgrades, and that’s something you’re seeing in a lot of video games now.

Call of Duty does it, Halo Infinite does it. And several other, um, several other genres do it as well. I’m more familiar with the, uh, first person shooter, the FBS genre, but they’re starting to do that where, you know, there’s season passes and the season passes lets you get cosmetic items and stuff like that.

Well, the dark patterns is essentially ways to trick into buying these cosmetic upgrades and other stuff by pretty much making it harder to say no. With through loot boxes through, you know, inconsistent UI according to the FTC. Now, I haven’t played Fortnite enough to tell you, but this is something that we’ve been seeing across the board on several games now using it.

So Fortnite players received the first 72 mil. That’s the subheader. The FTC announced that the first round of refunds has started. 629, 344 Fortnite players who previously submitted a request for reimbursement will receive an average of 114 dollars. Now, I kind of find that significant, and for a very bad reason.

Depending on when you would have played video games, if you ever played video games, video games in the 2000s were like 60. And DLC content wasn’t that, the downloadable content wasn’t really that big. In the early 2000s, once you got to like the mid to late 2000s, I think the DLC content got a bit more, but game passes and all this, or it’s pretty much just DLC content taken up another notch.

And the fact that they’re spending 114, I think right now, if you wanted to buy. Call of Duty outright. It’s like 70 plus thing about the season pass and all that. But you, you have people that are spending on average, according to this 114 on a free to play game to buy cosmetics. And I mean, they, they really figured out the strategy, right?

You get as many people to play on it free, and then you get a bunch of money out of it anyways. So you get a bigger audience reach. Now, those who opted for PayPal payments are given 30 days to redeem the amount while those who chose checks have 90 days to cash the checks. I could understand that if you don’t have PayPal, a check is a check.

I’m gonna skip some part about the money, but if you are affected check out the article in the link description It’s linked in the description and there talk about where to email and stuff like that for the refund Now to continue if you’re an adult who got charged in game currency for unwanted items on fortnight between January 2017 and September 2022 your child made an unauthorized charges to your credit card between January 2017 and November 2018 You’re not eligible for a refund Or, your account was locked between January 2017 and September 2022, after disputing wrongful charges, you may be eligible for a refund.

I know, it’s kind of giving those vibes of like the early 2000’s uh, Mesothelioma campaign. I’m not going to say anymore because I, I, I just, I thought that was a funny comparison. Um, ultimately guys, this is stuff that is Just it’s happening, right? There’s claims that are being made against it and there was a settlement.

That’s just kind of where life is. Now, something that the article says, and I am definitely gonna like double down in a second. The article states, beware of scammers using FTC’s refund round to trick people into giving away personal information, account passwords, or money under the pretense of clearance fees.

Guys, you will always have scammers trying to scam. Scammer no scamming. But what we see often is whenever there’s government programs, I think we saw it during the pandemic in the U. S. when they were giving out stimulus checks, and I figure other countries have similar problems, but whenever the government or any government tries to do something, um, Scammer will take that as a way to impersonate a government because now it gives them authority and right there’s money on the line There’s a deadline.

This is kind of like prime fuel because scammers rely on urgency They rely on a fake authority and several other things to try to get their point across and get your money So if you were affected by this, there is no clearance fees. Go check out the FTC Go straight to the trusted source. Don’t believe anything that you’re just getting a random email about or otherwise.

And be careful the websites you click because I’m assuming there’s probably gonna be a dozen websites all pretending to be Fortnite refund that you can be eligible even if you never played. Something like that. Not sure. With that, let’s go on to the next one. So, our second article is by Dark Reading.

Lazarus Group exploits Chrome Zero Day in latest campaign. The North Korean actor is going after cryptocurrency investors worldwide leveraging a genuine looking game site and AI generated content and images. And before we even jump into the article, I want to break down two things, right? Crypto or cryptocurrency has a lot of avenues that it’s been used, right?

You have the currency itself, think Bitcoin, Ethereum, and then you have stuff that got built on top of it, which is where you get like NFTs, crypto games, and other stuff. And all that to say, right, you have the extension of this technology into. Similar things, right? You have the NFTs and distributed applications, the dApps and stuff like that.

And they’re all tied to the underlying cryptocurrency mechanism. Now the AI generated content, this is something I think I said a couple of episodes ago and check out the other episodes if you guys haven’t, but it’s something I’ve been saying and something that I stand heavily behind, right? AI. Whether you like it or hate it is changing the game.

In this case, AI is being used by a threat actor, North Korea, and that’s who Lazarus is, but you have it being used by this threat actor to generate marketing campaign material, to generate stuff. I believe there was a recent thing I read where You even had a major splash screen of a major game that might be under fire because the zombie had like six fingers and you know Human zombies don’t have six figures, but AI is really horrible at fingers So it kind of became obvious that they most likely use that.

I haven’t looked into it heavily. I’m just kind of going by it based on what I was kind of skimming the other day, but here a threat actor is using AI in both content and images to further expand on their capabilities, right? North Korea is not going to be the most fluent English speaking country. And I would argue, you know, their citizens are oppressed, et cetera.

They don’t have the best education system. There’s a bunch of things going on here, but with. With the advent of AI, you now have a bunch of threat actors, not just, uh, Lazarus, but you have any threat actor in the world, or even any cyber criminal, or just anyone, can take this AI and generate a bunch of content, whether that’s images, video now, which is really cool, or text information, which you can then expand on, right?

So, I think we’re going to see a lot of scams and other stuff leveraging AI because it just becomes really powerful. But with that, let’s kind of go into this case. And don’t worry, I’ll bring up AI and cybercrime down the road again anyway. North Korea’s infamous Lazarus Group is using a well designed fake game website, a now patched Chrome Zero Debug, Professional LinkedIn accounts, AI generated images, and other tricks to try and steal cryptocurrency from users worldwide.

The group appears to have launched the Elaborate campaign in February and has since used multiple accounts on X and tricked influential figures in the cryptocurrency space. to promote their malware infected crypto game site. There’s a lot to unpack. So they’re using LinkedIn, they’re using AI, they’re using X, they’re using as many avenues to spread this, right?

And that’s something you see with video games, right? The really popular video games that are like really trying to squeeze as much money, like pay to win style do really, really good guerrilla. I don’t even want to say guerrilla marketing, but guerrilla marketing, viral marketing, whatever you want to call it to get to the end users who are going to spend money.

In this case, They’re trying to get to users who are going to install it and they can steal money from, right? It’s an interesting different way to go, but it makes sense, right? They’re not in the game development or in any of this other they’re in the hacking game. Over the years We have uncovered many Lazarus attacks on the cryptocurrency industry and one thing is certain these attacks are not going away Said researchers at Kaspersky.

After discovering the latest campaign while investigating a recent malware infection Lazarus has already successfully started using generative AI You And we predict they will come up with even more elaborate attacks using it, the security vendor noted. Yes, I am 100 percent on this. I think we’re gonna see AI just completely augment and enhance and transform the cyber security space.

It’s not just the generative AI, it’s the large language models. It’s just every aspect of AI is being used, right? From the generative side, to the LLMs, to pretty much anything else you can imagine, they’re gonna definitely start to bring this up. Whether it’s code development tools, it’s just gonna keep going, and going, and going.

Now granted, with the current iteration of AI that they may hit a stalemate until, you know, The next generation of GPT model, or the next generation of Lama model comes out and it has better capabilities. But that just means they’re gonna go really quick, hit a plateau, and then go really quick again. The state sponsored group Lazarus Group may not be quite a recognizable name yet, but it is easily among the most prolific and dangerous cyber threat actors in operation.

Which again, Lazarus is North Korea’s, one of their threat actors. Since making headlines with an attack on Sony Pictures back in 2014, Lazarus and subgroups such as Andoril, and Blunarov, have figured in countless notorious security incidents. These have included the WannaCry ransomware outbreak, the 81 million heist at Bank of Bangladesh, and attempts to steal COVID vaccine related secrets from major pharmaceutical companies during the height of the pandemic.

So threat actors will always carry out the will and the wants of the nation that they And in this case, it’s North Korea, and North Korea has, I would argue, a handful of reasons why they’d be doing different things. The article goes into it, so I’ll circle back in a second. Analysts believe that many of the group’s financially motivated attacks include those involving ransomware, card skimming, and cryptocurrency users are really attempts to generate revenue for the money strapped North Korean government’s missile program.

We, you know, it’s no secret, North Korea wants to fund and build out their nuclear and their missile programs, and All their, all their military, right? Major country doesn’t, but I digress here. They’re using a lot of hacker methods because they can get a 1000 X return, right? You spend, call it a hundred thousand for like 10 mil in stolen cryptocurrency, which is already, you know, when you talk about like the banking system, right?

You have Swift and bricks and all these other ones. These are all controlled by major companies, or by major, not companies, these are all controlled by major countries. But cryptocurrency is distributed, right? So, if you can steal something, it’s gone. There is no way to get that money refunded, there’s no way to cancel that transaction once it’s been thrown on the ledger.

It’s, it’s governed by all the entity that exists within, you know, within crypto. It’s, it’s a distributed ledger, right? And if you, once you get that transaction in there, that’s it. You can’t undo it. You can do another transaction to refund the money, but then that’s a new transaction. It’s not undoing of the previous transaction.

In the latest campaign, the group appears to have refined some of the social engineering tricks employed in past campaigns. Central to the new scam is detangzone. com. A professionally designed product page that invites visitors to download an NFT based multiplayer online tank game. Kaspersky researchers found the game to be well designed and functional, but only because Lazarus actors had stolen the source of a legitimate game to build it.

And that’s something you see with threat actors, right? Sometimes they’ll buy it, build it, make it, blah blah. Now, Kaspersky found the website to contain exploit for two Chrome vulnerabilities. One of them is tracked as CVE 4947. It was a previously unknown zero day bug in Chrome’s v8 browser engine. It gave attackers a way to execute arbitrary code inside a browser sandbox via a specially crafted HTML page.

Google addressed the vulnerability in May after Kaspersky reported the flaw to the company. So, most web browsers now use a sandbox. A sandbox is essentially a segmented piece of memory where you can run stuff in. And that’s beneficial because you need to take advantage of flaws to break out of that sandbox.

Inherently, the sandbox makes the web browser safer. You need more sophistication to do more damage, right? You can’t just run a random virus in a sandbox and hope you can do stuff. It really involves doing more. Now, the other Chrome vulnerability, which kind of comes into the sandbox, that Kaspersky observed in the latest Lazarus Group exploit, is that it does not appear to have a formal identifier.

It gave the attackers a way to escape the Chrome V8 sandbox entirely. And gain full access to the system. This is where you see a lot of, a lot of vulnerability chains happen, right? A vulnerability chain, right? You’re chaining one room vulnerability to another vulnerability to another vulnerability.

Maybe one vulnerability gives you access to the system. One vulnerability lets you escalate privileges. One vulnerability lets you break out into a remote code execution. You keep chaining them to get to the ultimate goal, which is control of a system. That’s oversimplifying, but you get where I’m going.

The threat actor used that access to deploy shellcode for collecting information on the compromised system before deciding whether to deploy further malicious payloads on the compromised system, including a backdoor called Manuscript. Shellcode is a piece of software that gives you a shell. A shell being the command line, the CLI, the terminal, depending on the operating system you’re using, different nomenclature, but it all means a a text based way of interacting with the computer that is more powerful than just GUIs.

And I know there’s probably going to be someone listening that can do like GUI stuff on a Linux terminal, I’m talking about just the general run of the mill shell. And a backdoor Most likely, you know, stuff you can call like rats, Trojans, etc. There’s a backdoor that gets installed called Manuscript, and that’s a variant I think that we’ve been seeing Lazarus use.

What makes the campaign noteworthy is the effort that Lazarus group’s actors appear to have into its social engineering angle. They focus on building a sense of trust to maximize the campaign’s effectiveness. Designing details to make the promotional activities appear as genuine as possible. Kaspersky researchers Boris Larin and Vasily Berdkanov wrote, They use multiple fake accounts to promote their site via X and LinkedIn along AI generated content and images to create an illusion of authenticity around their fake game site.

Back to what I was kinda saying earlier, you have these technical AI to be creative on their behalf, right? Once you get really good at prompting, once you get really good at this, You can create something that’s like 80 percent as good as you need, or 90 percent as good as you need to fool most people, right?

There’s this whole debate on whether AI stuff is real art and blah blah blah, but I’m not talking about the, the validity of it being art or not. I’m talking about AI being used. And it’s good enough to make something look really good. That makes most people want to click because most people are not going to look at an AI generated image of a tank and realize that there’s something off about the tracks or realize there’s something off about the driver.

They’re going to glance at, they’re going to say, look, school, they’re going to click and download. Right. And that’s what a lot of these scams, we’re not scams, but that’s what a lot of these campaigns kind of work on, right? Social engineering, you’re. Attacking or you’re hacking the weakest point in security, which most of the time is humans.

A human will click and that’s where it all kind of goes through. Now, the attackers also attempted to engage cryptocurrency influencers for further promotion, leveraging their social media presence, not only to distribute the threat, but also to target their crypto accounts directly. Laren and Bernankoff.

And this is why for any people who do YouTube or any people who are active on the internet, I know you’re listening to this, but to anyone who’s active, You always have to be careful of who you trust and what you click. Just because an influencer says, go do this thing. Don’t do it. There’s been so many scams and so many shill coins that it’s not even funny.

Crypto could be a very cool and useful piece of tech, but there’s so much scam and so much fraud around it that most people I think are starting to shy away from it. And that’s a shame because crypto really holds a useful application, right? And it’s, it’s just a cool piece of tech, right? When you talk about the distributed apps or the dApps, right?

There’s a lot of good use that you can for them. Not just to make a quick buck and not just to make a game. There’s always a use for different things, especially when you consider that the whole point of crypto was a trustless system, right? You don’t have to trust a central authority. It’s all generally approved by the whole network.

Now there’s, I believe, proof of work versus proof of stake. There’s different mechanisms that go into that, but as a general rule, it’s a way for you to be able to buy into a system without having to have inherent trust In a single entity, but guys, I want to thank you for tuning in. This has been Cipherceval, also known as Lauro, and this has been another episode.

I will catch you in the next one.

Note: This is a transcript of the show.

🔗 References & Sources

* Fortnite Refunds: https://www.bleepingcomputer.com/news/gaming/ftc-distributes-72-million-in-fortnite-refunds-from-epic-games/

* Defi Lazarus: https://www.bleepingcomputer.com/news/security/lazarus-hackers-used-fake-defi-game-to-exploit-google-chrome-zero-day/

Welcome to another captivating episode of Exploit Brokers! In this installment, we delve deep into the ever-evolving world of cybercrime and digital security. Join us as we unravel two gripping stories that shed light on the precarious nature of our online existence.

First up, we explore the dark corners of the internet where cybercriminals flood the dark web with stolen X/Twitter gold accounts. Verified accounts, belonging to celebrities and organizations, have become a lucrative target for crooks. Learn how they compromise these accounts, what they do with them, and how you can protect yourself from falling victim to these scams. #Cybercrime #DarkWeb #TwitterGoldAccounts #OnlineSecurity

Next, we tackle the concerning vulnerability in Google’s OAuth system. Password changes are often seen as a quick fix to account compromise, but malicious actors have found a way to circumvent this. Discover how an exploit allows hackers to regain access to your account even after you change your password. We break down the details and share tips on how to safeguard your online presence effectively. #GoogleSecurity #PasswordReset #OnlinePrivacy #cybersecurity  #DigitalThreats #Malware #Cyberattacks #OnlineSafety

Join us as we navigate the complex web of cybercrime and digital security, arming you with the information you need to stay one step ahead of hackers and scammers. Don’t forget to hit that subscribe button and ring the notification bell to stay updated on all things cybersecurity. Your online safety is our priority! #ExploitBrokers #TechNews #CybersecurityAwareness #staysafeonline #oauth #cybercrime #hackers #hackingnews

Sources:

Stolen Twitter/X Accounts: https://www.darkreading.com/application-security/cybercriminals-flood-dark-web-x-twitter-gold-accounts

Google Password Vuln: https://www.theregister.com/2024/01/02/infostealer_google_account_exploit/

In this episode of Exploit Brokers, we delve into a recent online uproar surrounding T-Mobile and its alleged imposition of fines for text messages containing hate speech and other violations. We take a closer look at the image that sparked the controversy, which led many to fear that T-Mobile was turning into a “Big Brother” figure, constantly monitoring and fining consumers. However, as we investigate further, we find that the situation is not as dire as it initially seemed

As we dissect the details, we emphasize the importance of staying informed about evolving policies and industry practices. While there is no immediate cause for consumer alarm, it’s crucial to keep an eye on developments in the telecommunications sector to ensure that user privacy and freedom of communication are protected.

Join us as we separate fact from fiction in this intriguing story of T-Mobile, potential fines, and the evolving landscape of digital communication. Please subscribe to our podcast or YouTube channel for more thought-provoking discussions on tech and cybersecurity.

#tmobile #privacyconcerns #telecommunications #datasecurity #bigbrother #digitalprivacy #internetsecurity #onlineprivacy