Podcasts

Everyone always enjoys more email. I’m being sarcastic, of course. Most of us probably have that little counter that shows in the thousands for unread emails. Well, what if I told you email’s just got kinda worse? There is an RCE, or Remote Code Execution bug in Outlook. It’s being exploited out in the wild.

That, and we have North Korean hackers. Under the Kimsuky name that are currently also doing different kinds of attacks to evade detection. Let’s talk about that in today’s episode. Today we are facing an unprecedented array of data breaches, hacking attempts and surges in digital crime. Why is there such a widespread amount and how little is noticed in our everyday lives?

Malware, dark sites, brute forcing, zero day script kiddies, and nation state hackers are all on the rise. Learn more about the threats we face and gain a bit more knowledge than yesterday. Hey guys, welcome back to another episode of Exploit Brokers. I’m your host Exploit. If you can please do me a favor because it helps the channel grow, if you could hit that like, subscribe, and bell notification icon if you’re on YouTube.

And if you could give me a follow and a 5 star review on a podcast platform if that’s where you’re listening, if you think we deserve it, somewhere like Apple Podcasts or Spotify. With that said, let’s jump into it. So guys, I have two different articles for you, both from Bleeping Computer. The first one is, Critical RCE bug in Microsoft Outlook now exploited in attacks.

RCE is remote code execution, and Outlook is the email that most people use for enterprise. A remote code execution is pretty much just a really fancy way of saying that you’re executing code somewhere else that isn’t the local machine. And this is very valuable, to give context, this is very valuable because if you can execute a shell, if you can execute a loader or something else on a remote machine, you can essentially get a backdoor, or access to the machine.

So let’s actually jump into it. CISA warned U. S. federal agencies on Thursday to secure their systems against ongoing attacks targeting a critical Microsoft Outlook remote code execution vulnerability, CISA being one of the government agencies in the U. S. that helps other agencies determine, hey, this is where you need to know.

For critical cybersecurity and InfoSec related items. They help alerts, notifications. I’m subscribed to their emails. I get a bunch of their emails. Uh, you can go and subscribe. You can look up, uh, the CISA website and just subscribe to their notifications. Pretty cool. So, discovered by Checkpoint Vulnerability Researcher and tracked as CVE 2024 21413, the CVE was apparently discovered last year, but it’s still being actively Exploitd.

The flaw is caused by improper input validation when opening emails with malicious links using Vulnerable Outlook versions. So the fact that the article is saying vulnerable and the CVE is from 2024 makes me think that this was probably patched recently. And if you know, if you’ve been around the channel or if you’re new to the channel, welcome.

Then you know one of the things that I tend to kind of emphasize a lot is make sure you’re updating your stuff, right? Update your software, update your computers. Update your phones, just update everything because there will always be bugs and programming is somewhat the art of introducing bugs and cybersecurity is finding, and to an extent, patching bugs.

So let’s keep going. When it patched CV year ago, Microsoft also warned that the preview pane is an attack vector allowing successful exploitation, even when previewing maliciously crafted office documents. As Checkpoint explained, this security flaw, dubbed moniker link, lets threat actors bypass built in outlook protections for malicious links embedded in emails using the FILED protocol and by adding an exclamation mark to URLs pointing to attacker controlled servers.

So whenever you have a, an anchor, or a hyperlink, most of the time the protocol is something like HTTPS. File to the best of my knowledge is a resource way to look up a file locally, but like anything, right? A URL or just a universal resource locator doesn’t necessarily have to be locally. And what I’m seeing, um, if for those of you who are listening, and for those of you who are watching the video, it is file.

And then they’re using some backslashes after with an IP address and then test. Now this is probably taking advantage of the fact that even though you may be looking for a local file, there is network attached storage, there’s remote drives and different things that you can use on a windows machine that it doesn’t necessarily just have to be a locally found device to mount a volume on a machine.

The interesting part is just that, right? It’s you are kind of taking advantage of the way that it’s loading it, and the fact that they’re bypassing the read only protections is also interesting. So a long, long time ago, VBA and VBA still kind of common on some attacks. But Visual Basic was a scripting language that you could essentially throw into just different office documents, right?

Whether that’s word Excel, I believe. Microsoft Office PDF. There’s different ways you can inject that code, and if you don’t do read only, then when a specific application, like Microsoft Office, loads up the file, it’ll try to execute that piece of code. And if that piece of code is essentially trying to download some other kind of attack, or some other piece, some other module, then that’s where things get kind of crazy.

A lot of the times, or recently, a lot of softwares have introduced the read only mode. It’s been a while. And with read only mode, the idea is essentially, Hey, you can open it, but it’s going to be red. There’s no, there’s no writing. There’s no execution. Nothing’s going to happen. You’re just going to look at this.

Every time you download a file from the internet, you probably see that little banner like, Hey, this has been opened in read only mode only enable if you trust the source. And then you click enable and you can do whatever you need. Well, with the bypass here, you’re able to execute that anyways. And that’s kind of the power of this.

CVE 2024 21413 affects multiple Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016, and Microsoft Office 2019. And successful CVE 2024 21413 attacks can result in the theft of NTLM credentials and the execution of arbitrary code via maliciously crafted office documents.

That is a very long winded way of saying that older Microsoft products, if, you know, you bought Outlook 2016 or the Office Suite 2016, 2019, and you haven’t updated, unfortunately, it seems like it’s time for you to update. The fact they’re stealing NTLM, which is the, I forget the exact thing, but it’s essentially Microsoft’s credentials.

Uh, one of the mechanisms that Microsoft uses for credentials, for authentication logging into Windows. Arbitrary code execution, what I was just talking about, right? If they can execute a reverse shell or they can execute something that downloads different modules and then exfiltrates data out of your machine, that’s all bad stuff, right?

You don’t want to be on the receiving end of someone’s random arbitrary code to run on your machine. It’s just not the way it is. And the bypass makes it even more likely because now. Just downloading and opening. That’s it. The protection of the read only that was hopefully there is gonna get bypassed and boom you’re pwned.

The article continues to say that CISA has essentially added it to its known exploitive vulnerabilities catalogs and under a binding operation directive BOD 2201. Which is just a federal directive saying that, hey, agencies must secure the networks within three weeks by February 27th. This is just the federal government.

Uh, as far as I’m aware, private and, you know, non profit and all that, the organizations that are not government entities don’t necessarily have to secure it. But, like anything, and like always, government is at least what you should be doing. Right? So, if you’re running a corporation, and you’re running a company, or you know someone’s running a company, You should be trying to secure your networks.

You should be trying to secure your machines, everything. The last thing you want is to have your client information stolen, your machines owned, your resources taken. You don’t want some random actor, threat actor, going through your bank account and draining it, stealing your credentials, logging in to a bunch of your stuff, taking over your crypto wallets, etc.

You updating your stuff you making sure things are up to date and you be paying attention to stuff like these like the known exploded vulnerabilities is one of the ways that you can take advantage of the government being active in this space and you can use that information to strengthen your organization or even yourself.

If you’re not an organization, then hey, if you’re using Microsoft Outlook 2016, just because this is most likely going through spear phishing campaigns, doesn’t mean that some other copycat can’t copy the same thing and just do a broad, sweeping campaign. Because ultimately, if this is being targeted to certain individuals or companies, someone’s most likely gonna just grab that and do it on a mass scale.

I believe the known unknown rule of spam is that 1 percent will click, right? So if you get a, a hundred people, one person will click. If you get a thousand, then 1%, which is roughly ten. Or it is 10, then 10 people will click and so on and so forth. So sometimes the numbers are just go and bypass as many protections as possible.

And the chances of someone clicking opening and getting owned just go up the wider, the net you cast essentially, but that’s kind of it for this one. So another bleeping computer, Kimsuky hackers use new custom RDP wrapper for remote access. So, if you’ve ever been in the commercial enterprise IT space, or maybe you’ve been on the receiving end, whenever on Windows, you try to remote into a machine, there’s generally the commonly used RDP, or Remote Desktop Protocol, and RDP is built in natively for most Windows, the Pro versions just support RDP RDP.

Out of the box, versus if you’re trying to do Mac, I believe there’s clients you can download that let you take advantage, but it’s not built into Mac, not like SSH or Telnet. The North Korean hacking group known as KomSuki was observed in recent attacks using a custom built RDP wrapper and proxy tools to directly access infected machines.

This is a sign of shifting tactics for Kimsuky, according to Anlab Security Intelligence Center, or ASEC, who discovered the campaign. ASEC said that the North Korean hackers now use a diverse set of customized remote access tools instead of relying solely on noisy backdoors like Pebble Dash, which is still used.

Kind of like Cali Linux, right? The quieter you are, the more you can hear. The problem with some of the tools that hackers use is certain tools can be very noisy on the network. Just some insight, right? For those of you who haven’t messed with Nmap, and if you’ve messed with Nmap, you probably know where I’m going with this, but Nmap is a network mapping tool, Nmap, and the problem with Nmap is depending on how you configure a scan, it can be very noisy.

You can essentially set it to be passive. Which means it’s kind of sniffing the network, trying to understand or doing very low rate of pings. There’s different things you can do and different things. And map does to try to map out the network. But if you do it quietly enough, then you should hopefully avoid detection by intrusion detection systems, blah, blah, blah.

Well. And map also has the opposite spectrum where you can make it go as noisy as you want. This is used more in like a think hack the box or just an environment that it doesn’t matter. You’re not trying to be stealthy. You’re just trying to solve a puzzle, map something. If it’s your control network or it’s your it network and you’re just trying to scan things or do whatever, you know, whatever you may want.

Then it’s okay if you go noisy, but these threat actors, because they’re there without authorization, because they’re trying to steal stuff, be stealthy, et cetera, they don’t want to be known. And some of the, some of the stuff they use like pebble dash tends to be very noisy. You can pick it up on wire shark or network scans and different things.

And pebble dash is. Kind of would stick out like a sore thumb, right? Versus RDP. Well, if you see RDP traffic, there’s a chance that there’s just tons of people already being into things. As a developer, I’ve had tons of opportunities to remote into servers, different kinds of servers, right? Think a SQL server, think a deployment server, Kimsuky’s latest attaching another subsection of the article, the latest infection chain starts with a spear phishing email that contains a malicious short link LNK file attachment, this guy’s as a PDF or word document.

So spear phishing, right? You have the idea of a widespread phishing campaign, which is just phishing, right? You send out to as many people as you can as much as possible Versus spear phishing is much more targeted. You’re hitting a specific individual or group or company, and you’re trying to take advantage of the fact that you hopefully did some recon, right?

So if you’re sending to just some fictional group in this case, then you can start to guess not only their naming conventions of their emails, right? It could be first letter, last name, first name, last letter. A combination of the two or something. Not only that, but now you have a bit more information.

You can bypass some of their filters and you can start to understand who their it is. Maybe you try to spoof. Something coming from the Chief Information Officer or whatever. Spear phishing campaigns are a bit more powerful than normal phishing campaigns because of the fact that you’re targeting a specific entity, group, or individual.

They should have more specific information. Continuing on, the emails contain the recipient’s name and correct company name suggesting that Kimsuky performed reconnaissance before the attack. Again, the more, you know, the more legitimate or believable that the email can be, if you go in saying, hi, this is it, download this, or open this, that’s going to be a lot less usable or a lot less likely to convert into infections.

Then if you get something like. Hey John, this is Blank from IT, we need you to download this because we’re rolling out a new thing, and the CEO, John, wants it done by tomorrow. Okay, now there’s already several little psychological triggers that say, oh well, they know too much about this, it’s most likely true.

And that’s not always the case, but, just depending on how much recon they’ve done. You can make it very believable. Now opening the LNK file triggers PowerShell or MMS HTA to retrieve additional payloads from an external server, including pebble dash unknown Kimsuky backdoor, providing initial system control, a modified version of the open source RDP wrapper tool.

Enabling persistent RDP access and security measure bypasses proxy tools for bypassing private network restrictions, allowing attackers to access a system, even when RDP connections are blocked, that’s kind of unload that for whenever you have an initial infection, a lot of the times you want to get a loader in or bad guys or threat actors try to get a loader in.

In this case, the LNK file is loading something else, right? It’s either loading the pebble dash, loading RDP, loading proxy tools. And the reason you want to load these in as an attacker is you need some kind of persistent access, or you need a specific kind of module, depending on how tactically they’re doing the campaign, right?

Maybe the idea is they never want the direct access, for example, something I’ve seen with a lot of threat actors is they will install something, the loader, and then they’ll install a stealer, an expo mechanism, et cetera. So maybe they never directly get on the machine themselves. They’re not already pain or connecting in, but they have some kind of command and control server and the, the info stealer, for example, will go through and look for cookies, sessions, crypto wallets.

Um, passwords, anything that it can possibly copy and exfil out to the command and control server, they would have never had to RDP or remote into the machine. The info Steelers already built in a way to kind of run by itself, right? Think semi autonomously versus here, pebble dash RDP wrapper, the proxy tools.

It’s a way for them to actually remote in and do some more manual manipulation of whatever they’re trying to do. Specifically, if you’re talking about RDP, when you RDP into a machine, It’s kind of like you’re virtually walking over to the machine and log in, you have kind of the same display or most of the times you have the same display as you would if you logged into a normal machine, or if you’re logging in locally, right, you have the desktop, you have the file Exploitr, etc.

If we’re talking about windows. So a loader to load in either a persistent access mechanism and info stealer or whatever. And the reason is that you generally don’t want a massive payload going into a victim bigger the payload, the bigger Better chance something will be either signature detected. Just someone’s going to raise, you know, why is this PNG, uh, you know, half a gigabyte or, you know, it’s just going to be more suspicious.

The smaller, the smaller, the vector, the smaller, the attack, the more likely it is to kind of pass unnoticed. And when you start talking about like bypassing protections, right? A lot of the times different things would be zipped up and you don’t want a massive thing trying to get zipped. You generally just want a loader to get zipped and then ran through that.

Now the custom RDP wrap. RDP wrapper is a legitimate open source tool designed to enable RDP or remote desktop protocol Functionality on a Windows version that does not natively support it like Windows Home again Windows Pro is what you need to have RDP kind of out of the box It’s a feature that gets an 8 again that gets enabled.

I believe Windows Home ships with a lot of the functionality of Pro It’s just not enabled Versus when you update it, at least what I’ve seen is it actually does try to download components and fill out whatever gaps it has. It act, now continuing, it acts as a middle layer, allowing users to enable remote desktop connections without modifying system files.

Kisuky’s version altered export functions to bypass antivirus detection and likely differentiates it be, differentiates its behavior enough to evade signature based detection. Whenever you’re trying to bypass antivirus, right? You have signature detection and heuristic detection. Signature detection just kind of looks at the file and says, Hey, this looks like X thing versus heuristic.

If a piece of program modifies a specific file, it accesses a specific end point, then it does something else. You can kind of create this trail of actions that this specific virus does, right? Ransomware will always try to modify files and encrypt them and just different things, right? Different pieces of software can be.

Given a signature both on the file contents itself and on the way they act signature base versus heuristic base Now the main advantage of using a custom RDP wrapper is detection evasion as RDP connections are often treated as legitimate Allowing him Suki to stay under the radar for longer. It is the goal of a threat actor or hacker To both not only get as much resources and as much information as possible, but the longer they can stay under the radar, the longer those kind of exfiltration of resources is possible.

Right? Um, I love the Cali saying, right? The quieter you are, the more you hear. Different threat actors can exist in compromised networks without anyone being the wiser. A big enough organization probably has several hundred RTP connections a day. Right? If you have an it person that’s logging into say 10 to 15 machines over the course of a day, And you have 10 people who are doing the same thing, right?

So 10 it people making 10 to 15 connections a day, you’re looking at a hundred to 150 RTP connections. And it’s not like it’s just a single packet, right? The entire session is tons of RTP packets going back and forth on the wire. Continuing moreover, it provides a more comfortable GUI based remote control compared to shell access via malware and can bypass firewalls or net restrictions via relays along RTP access from outside.

This is where I was kind of saying back to the difference between like RDP or something like SSH. RDP is a GUI based way, right? So you log in, you’re essentially sitting down at this remote computer and you open up, you get desktop, you get the GUI access, you get access to just all the nice visual representation of the way you would interact with a normal windows machine versus something like shell or telnet or SSH.

SSH being secure shell, you get a command line or a text based interface. Think PowerShell, terminal, depending on what operating system you’re kind of listening to this from that perspective, right? Shell is almost always text based. There is ways to get GUI to show up, um, alongside a shell or something like that from what I know, but I’ve never really Exploitd it.

Every time I log into a remote server, it’s either shell or RDP. ASEC reports that once Kimsuky secures their foothold on the network, they drop secondary payloads. Again. Once you have a loader, you bring something else in. In this case, it seems like the loader brings in their persistent access, and then they themselves bring in other modules as they see fit.

This includes a keylogger that captures keystrokes and stores them in text files and system directories, an infostealer, force copy, that’s the name of it, that extracts credentials saved on web browsers, and a PowerShell based reflective loader that enables in memory payload execution. Here’s the one that kind of caught my attention as a reflective loader.

So when you’re talking about cyber security, there’s tons of different subfields if you want to call it, right? It’s kind of like software engineering or programming or computer science. You have AI, you have software engineering, then software engineering goes into specific language. You have a C sharp developer versus like a Java developer versus a Ruby developer.

And then you have like a web developer and you can break up a web developer as like a react developer or an angular developer. Yeah, full stack, blah, blah, blah. There’s tons of kind of these arbitrary little division and a reflective loader folds into this arbitrary. I’m going to call it. It’s not really, but this arbitrary distinction of file forensics, file forensics is when you can go on to say a computer.

Grab the desk, grab the file system. You can look for artifacts from the attack, a reflective loader. If it’s being used the way that I think it’s being used, you can’t find anything to go and triage later, if it’s just in memory, if the payload, the malware, whatever, never touches the file system, then there’s nothing within the little ones and zeros of the disk to actually represent that data.

If the loader that they’re using just loads into Ram. Loads it in, execute whatever it needs to, and then dies off. Ram is volatile. You could do forensics on Ram, but not really. Uh, file forensics is kind of the most common way for just most normal people. Uh, I’ve heard about attacks where you can freeze Ram with like a CO2, and then you can pull them out and try to do some stuff.

Right. But forget about the really, really cool, sophisticated stuff. If you were to just grab a normal disc and pull it out, disconnected, connected, mounted, and do like a DD on Linux, then you can make a copy of that. And now you have a copy of this file system that you can then go and start to kind of take apart stuff.

It has to do with some of the technicality of file systems. Because when you delete something on a file system, it’s not deleted unless you tell it hey, write ones and zeros over the entire empty space. The pointer to the file is deleted, not the file data itself. So file forensics is kind of the specialization that lets you go and figure out how to pull files from a disk.

So I took this security course and I thought it was really cool. What ended up happening is the professor had this file system copy. That he had because he set up essentially a honeypot, a hacker broke in downloaded artifacts, blah, blah, blah. So he would give us this copy of this file system, and then we would have to go in.

We would look for either images or. Videos and we would have to extract them, right? So you would mount the file system. You would look through the different files. Okay. That wasn’t super helpful. Um, then you could go through all the data and look for like PNG markers because every file has like a header and you’d be able to go look through those and then DD that little section out.

Uh, maybe the file system was offset because you were trying to hide. A file system, maybe the file system is off by one bite or off by two bites or whatever. So you could find a way to mount that different thing. And then read through the file system. There’s a lot of cool stuff that you can do with file forensics.

But, I’m getting aside that topic for another day. The thing we’re seeing, and me and my buddy were talking about it recently. North Korea has some really sophisticated hackers. It was made known to me recently that not only do they bring in young talent, right? They bring in teenagers and train them up.

But they’re running like 12 hour days. So you have these individuals whose whole life is pretty much dedicated to Cyber espionage, cyber attacks, however you want to call it. And they’re trained up from a young age and they’re running 12 hour days consistently. They’re going to develop some really good skill.

At least you would hope that if you’re doing that much effort, you develop really good skill. And the fact that it’s North Korea doing it makes sense, right? They’re trying to get money to fund their programs, et cetera. The level of sophistication they’re doing on some stuff is like, I just don’t get it because If they have a very noisy thing, why even have that thing to begin with?

And specifically, I’m talking about their pebble dash. If it’s a very noisy initial access, why even bother with it? And then now they’re evolving to a modified open source RDP wrapper tool, which is easier to go underneath the radar because you’re talking about something that is a pretty prolific tool.

RDPs everywhere. The more effort they put into staying stealthy when they compromise networks, I think the longer they’ll be able to stay and the more of a threat they’re going to become. They’re already a pretty big threat. If you’ve been around the channel and if you haven’t again, welcome, then you know that I’ve brought up North Korea’s hackers more than once.

And they’re usually pretty active in the news. If they get stealthier, then we might end up eventually hearing more things, but they might go dark for a bit. If they get really good at going stealthy, I don’t know. Time would tell what I’m thinking is going to happen is that they’re going to keep ramping up and we’re going to suddenly hear, Hey, turns out they were in a system for over a year.

Hey, they’re in a system for over two years. And we just found out because they slipped up or someone audited the RDP or whatever. The RDP logs. And I think that’s the way we’re going to go on one part of it, right? There’s probably a dozen things that they’re also doing. I’m just talking about this specific infection, this specific campaign, but guys, this has been Cypress of all.

And this has been another episode of exploit brokers. I want to thank you for tuning in and I’ll catch you in the next one.

Note: This is a transcript of the episode.

📢 Connect with us:

Newsletter: https://follow.exploitbrokers.com

Twitter: @ExploitBrokers

Medium: https://medium.com/@exploitbrokers

TikTok: https://www.tiktok.com/@exploitbrokers

🔗 References & Sources

• Kimsuky hackers: https://www.bleepingcomputer.com/news/security/kimsuky-hackers-use-new-custom-rdp-wrapper-for-remote-access/
• RCE in Outlook: https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-microsoft-outlook-now-exploited-in-attacks/

  So you’ve probably opened a zip file this week. And what if I told you that the zip file, specifically 7 zip, is being used to bypass Windows Protections because of an old flaw that was being exploited and was recently found? Well, Russian criminals are using it and you could be next. Find out why, find out how.

And as well, malicious Go packages are being also used, and they’re harder to detect because they’re taking advantage of the caching system. Let’s dive into the details on this episode. Today we are facing an unprecedented array of data breaches, hacking attempts, and surges in digital crime. Why is there such a widespread amount, and how little is noticed in our everyday lives?

Malware, dark sites, brute forcing, zero day script kiddies, and nation state hackers are all on the rise. Learn more about the threats we face and gain a bit more knowledge than yesterday. Hey guys, welcome back to another episode of Exploit Brokers. I’m your host, Cipherceval. If you could please do me a favor and hit that like, subscribe, and bell notification icon if you’re on YouTube.

And if you’re on a platform like Spotify or Apple Podcast, if you could do me a favor and give us a five star if you think we deserve it. Doing so definitely helps the channel, helps me, and I’d greatly appreciate it. With that, let’s jump into it. So we have two articles that I want to discuss with you today.

They’re both by the Hacker News. Let’s go ahead and jump to the first one. Russian cybercrime group exploit 7 zip flaw to bypass Windows MOTW protections. So before I jump into this, I like to give a little bit of context. And I think there’s some context that should be giving here specifically seven zip in case you haven’t used it.

Say maybe you’re just using the build in windows, uh, zip and unzip functionality, or maybe you’re on Linux and you’re using the command line seven zip is a different kind of zip. It’s a seven zip versus just a straight zip or like a raw file. Well, it’s also a different executable. It’s a different piece of software.

Most people don’t necessarily have it installed, but just like a lot of other softwares, once you install it, most people don’t update it. So if you have seven zip, this is your sign to go and update it. Now, the M O T W mark of the web protections is a windows mechanism. That is in place to essentially mark whenever a file has been downloaded from the Internet.

And the reason this is important, right? If you download something, you don’t want your system or your computer to automatically try to open or run it right away. Because that’s where you get some malicious stuff happening. Well, there is some interesting things we’re going to talk about, specifically the CVE and how that’s being used.

And it’s allowing the criminals a way to bypass that MOTW protection, which some of you may know as that little pop up that’s like, Hey, you downloaded this file. We should try to do more with it before you run it. So to start off. A recently patched security vulnerability in the 7 Zip Archiver Tool was exploited in the wild to deliver the Smoke Loader Malware.

If you guys have been around the channel before, the Smoke Loader Malware is a malware that we’ve seen specifically with the Russian, uh, hacker groups or the Advanced Persistent Threat groups from Russia. And it’s used pretty heavily right now against the Ukrainian conflict. Now, the flaw, the CVE 2025 0411, has a score of 7 0, which is pretty high, allows remote attackers to circumvent Mark of the Web MOTW protections and execute arbitrary code in the context of the current user.

It was addressed by seven zip in November, 2024 with version 24. 09. So if your version is less than 24. 09, I would strongly encourage and urge you to go download the newest and latest to try to get this patched. Now, arbitrary code execution is kind of like the, let’s call it the golden goose of any kind of hacking event.

If you can execute remote code on a remote server, in this case, your computer. Then you are able to do more things. You’re able to download things. You’re able to run different things, depending on the privilege that’s going on, you can even inject things into registry steel stuff. There’s so much havoc that you can wreak by having these kinds of privileges to execute something.

What’s essentially being done here is that the vulnerability is being used against the user. The vulnerability was actively exploited phishing campaigns. Using homoglyph attacks to spoof document extensions and trick users and the Windows operating system into executing malicious files. Trend Microsecurity Researcher, Peter Gurness said.

So whenever we’re talking about spear phishing, that is a much more specialized Approach to phishing or phishing is generally you hit everyone everywhere all of the time a spear phishing is a bit more Concentrated you’re targeting a specific company. You’re targeting a specific group of individuals It is much less a general campaign than it is something more Directed so it is suspected that CVE was likely weaponized to target governmental and non governmental organizations in Ukraine as part of a cyber espionage campaign set against the backdrop of the ongoing Russo Ukrainian conflict.

So it’s no secret to the world that Russia and Ukraine are in this kind of conflict. But this is something we’re seeing here, right? Where Ukraine has certain kind of guerrilla tactics. Uh, we are seeing Russia pull out different kinds of stops. Now, MOTW is a security feature implemented. I will kind of save you that because I just explained it, but suffice it to say MOTW is something that has been very beneficial for windows.

CVE 2025 0411 bypasses MOTW or mark of the web. By double archiving contents using seven zip, i. e. creating an archive and then an archive of the archive to conceal the malicious payloads. So whenever you think about zipping a file or seven zipping a file, right? You have either one file or a folder with a bunch of files.

And when you zip it, it gets compressed into a dot zip or dot seven zip. And there’s even like dot RAR, which is a win RAR. And those, and there’s more than that, right? There’s Linux, like a gun zip and a few of those. Um, but those are compressed files that are not the normal file that you would have had before.

Now this compressed file is generally used because it’ll save storage, save transmission costs, network costs, et cetera. The root cause of CVE 2025 0411 is that prior to version 24. 09, 7 Zip did not properly propagate MOTW protections to the contents of double encapsulated archives, Guernitz explained.

This allowed threat actors to craft archives containing malicious scripts or executables. That will not receive MOTW protections, leaving Windows users vulnerable to attacks. So whenever you download a file, the MOTW marks it as Mark of the Web, download it from the web. The double zipping would then make it so that the MOTW wouldn’t be propagated to the secondary zip, right?

So you get file A, file A becomes A. zip, and then you zip that again. So it’s A two zip and a two zip holds a zip, which then holds the file. Well, the mark of the web should be getting propagated to all children of the seven zip or of any zip archive. And because it’s not, you leave room or seven zip left room for a attacker to be able to them themselves or their payload to let itself not be marked as mark of the web, even though the parent itself was marked.

So if you want to think about it in terms of like infection and stuff. If the parent is infected, then the child should be infected. In this case, the child or the child file is not infected. And this is problematic because it’s, it still hasn’t been scanned. It hasn’t been checked. Hasn’t been anything.

There’s just a vulnerability that allowed it to avoid. Having that mark passed down. Attacks leveraging the flaw as a zero day were first detected in the wild on September 25th, 2024, with the infection sequences leading to Smoke Loader, a loader malware that has been repeatedly used to target Ukraine.

So smoke loader, if you guys have been around for a little bit, or if you haven’t, please go check out my other episodes, smoke loader is a loader. I know by the name, but it’s a loader. That’s been used quite often. Recently, a loader is any kind of malicious software or any software that will install and bring in other stuff.

So think like loading in a different kind of module, something like a cookie stealer or like the main malware itself, a loader is just kind of a stepping stone that loads in something else. And the reason loaders are generally used are to avoid detection, to avoid it being scanned, and it’s a lighter weight.

If you think about different kind of rats or different kind of Trojans, there’s multiple configurations they can have. And not only that, but the more packages and the more modules you put on, the bigger the footprint. The bigger the footprint, the bigger and most likely it’s going to be to get suspected.

If you have a very small payload, a very small script, Then it’s easier to bypass different things. And if you’re talking about a loader specifically, right? The code in it is not specifically malicious. It’s meant to download another file, which we see with. Installers, which we see with web browsers, which we see with a lot of different things.

I mean, every, every app probably has a way to download the configuration file or to download updates or etc. So if you’re talking about something that downloads from another server, that in itself is not malicious. Where it does become malicious is that the payload it’s downloading. Well, the interesting part is that when you are downloading stuff, Your web browser or your antivirus may be scanning the initial file that gets run, but depending on how the loader is built, it might be able to bypass some of that initial scanning.

The starting point is a phishing email that contains a specially crafted archive that in turn employs a homoglyph attack to pass off the inner zip archive as a Microsoft Word document file, effectively triggering the vulnerability. One major flaw that Windows has Is that it relies on the file extension to understand what kind of file it is.

Linux, you have a command, a command line command known as just file and file allows it to look at the first initial parts of the file, the bytes and figure out what kind of file it is. Is it a text file? Is it a binary file? Is it an ELF executable? And Windows doesn’t do that. Windows tends to trust the extension.

So if I was to get a PNG and rename it to doc, it’ll complain, but it’ll let you do it. So then when you try to open it, well, it looks corrupted, but in reality, it’s a PNG file. If you were to take that same whatever picture doc, And put it into Linux and run a file on it, it’ll be able to read the first bytes and determine that no, this is actually a PNG file format, not a document file.

And that is one of the major flaws that I find with Windows, is that it tends to trust the extension. When you’re able to make files look like different kind of files, you get this weird capability where you can then make it look like something else. The Phishing email specifically is from another entity that is trusted, right?

So the phishing messages per trend micro were sent from email addresses associated with Ukrainian governing bodies and businesses accounts to both municipal organizations and businesses suggesting prior compromise. So in order for phishing campaigns to kind of succeed, you either need users who are very gullible.

Or the ability to give more credibility to the attacking email or the email from the attacker. In this case, because they’re coming from a compromise source, there’s not a very easy way to determine, Hey, this email was comp. If you’re not actively talking to the person in question, if this is a random email from a governing body that you trust.

So, you know, Think whatever governing body sends you an email. It’s gonna be somewhat easy to trust now granted you can spoof But let’s forget about spoofing for a minute But if this government entity that you have some faith in sends you an email you’re gonna open it and see what it is right If your health and human services in the US, for example, send you an email saying, Hey, you’re your local medical records were exposed.

You need to go check this out. Okay, well, you’re more likely to trust that than some random Gmail account. The use of the compromised email accounts lend an air of authenticity. To the email sent to targets, manipulating potential victims into trusting the content and their senders. Again, you have the human aspect of it because they came from compromised accounts, it’s easier to just trust it.

Now getting back into kind of the technical part, the approach leads to the execution of an internet shortcut dot URL file present within the zip archive, which points to an attacker controlled server hosting another zip file. The newly downloaded zip contains the smoke loader executable that’s disguised as a PDF document.

Here’s where there isn’t a lot of information on the hacker news website. I try to do some digging and I got some stuff. So to the best of my knowledge, this is what’s happening. Whenever you download that file, uh, or the zip that’s been zipped again, then you unzip it and the inner one contains a shortcut file.

The inner one, the inner executable or internet shortcut file was not given the mark of the web. So you have already something that’s running that no longer contains in the mark of the web, which is where the zero day is coming in. Then that reaches out, downloads another file, which looks like a PDF document, but it’s a smoke loader executable that’s been also archived.

Well, that one gets unarchived and because the thing that downloaded didn’t have mark of the web, Then this other thing doesn’t have mark of the web. And then you’re able to kind of just escalate it from there. The smoke loader is then able to get run at some point after you decompressed it. And now you already have your entry into the system and you’ve downloaded whatever modules or other malicious payloads you need.

Now, at least 9 Ukrainian government entities and other organizations have been assessed to be impacted by the campaign, including the Ministry of Justice, Kyiv Public Transportation Service, Kyiv Water Supply Company, and City Council. In light of the exploitation, it’s recommended to update. So, here’s where I kind of will stop reading the article and there’s just some key points that I want to talk about.

We are seeing zip archive attacks. We are seeing different kinds of smuggling and different kind of bypass methods happening. This one’s interesting because the mark of the web is something that’s supposed to be beneficial. And I do think it’s beneficial, but because seven zip didn’t respect it, I think people get a little bit comfortable with having windows be like, Oh, well, Hey, this file was downloaded when in reality, you should always be skeptical of every file that you download, whether you.

No, for a fact where it came from or not. Um, granted if it’s your file or if it’s coming from a colleague and you’re, and you’re expecting it or from a family member, okay, that’s fine. But in general, whenever downloading any kind of file from the internet or anything that isn’t controlled by you, you have to take it as a potential threat.

Now, something the article touches on, but I won’t go back into it. Is that a lot of the time, the smaller organizations, the smaller government entities are overlooked, less sat, less cyber savvy and more exposed to hacking. And I do find that to be true. If you think about the government entities that get hacked.

It’s generally not the big players, right? It’s not the three letter agencies in the US. It’s not the executive branch. It’s not the financial branch. They do get hacked. But I feel like more often than not, you have these smaller government entities. Think local government. Think a city council. Think a small government whose purview is regional or city based or sometimes even a district within a city within a region.

Or a county or et cetera, or sometimes state level. And it’s interesting because yeah, if you think about talent and about hiring, you’re not going to have the super dedicated cybersecurity professionals. Available for every single municipal government. You’re going to have a lot of good and talented people out there.

Sure. But a lot of talented people might go with the big letter agency or might go with the bigger government jobs because of the pay, or they could go private sector or researcher or et cetera. Right. And then you have the cybersecurity people that just are barely coming in and they’re learning a bunch of things.

You have the old guard, which. might be in corporate or et cetera, there’s a million reasons. But when you think about hiring in general, there’s tons of municipalities and tons of places that could use very good cyber security talent. And even then say you have some of the best cyber security talent.

This affects all users of the organization. If the organization is not prioritizing cyber security, which let’s face it, a small municipal government who is probably slightly or majorly underfunded. With a bunch of things to do and not enough time in the day to do it, then security is going to take a backseat.

And that’s just something I see, right? It’s larger government organizations and entities. tend to be more well established and well resource funded and have better manpower and generally more ways to mitigate some of these things. The smaller governments might be using older system, older equipment, not sufficient enough training and their people might not be as tech savvy as the upper ones because they can’t pay as well because they’re more municipal and local.

Not always, but that is observations I’ve seen. So with that, the first article is done. Let’s go ahead and jump into the next one. So another article by the hacker news malicious go package exploits module mirror caching for persistent remote access. So let’s give a little bit of background whenever you’re talking about, and this doesn’t apply just to go, but whenever you’re talking about any kind of package or any kind of library or anything that a piece of software can bring in, you’re talking about somebody else’s code.

There is no magic formula. It’s just somebody else’s code that’s been nicely packaged into something you can import. Now, Go has package, C Sharp has NuGet, C has libraries, etc, etc, etc. But all of these are just pieces of code that have been compiled and put into some kind of library that you can then download and import and pull stuff into your code from.

The problem with this is that the world is very big and there is a lot of things like typosquatting. There’s a lot of things like infected, uh, packages that are using different namings and just the trust of developers. And then you have stuff like supply chain attacks and other things. But even with all that, the benefits of a module or of a package or of a library far exceed the risk because.

If you’re trying to reinvent the wheel every single time, not only are you going to get it wrong a lot of the time across multiple developers, but then you’re wasting time and resources when there’s other problems you can be solving. Do you really need to recreate the same library a million times if it’s already been created and already been tested and verified that it works?

No, no, you, you don’t. So, with that, cybersecurity researchers have called attention to a software supply chain attack targeting the Go ecosystem that involves a malicious package capable of granting the adversary remote access to infected systems. So, whenever you think of a supply chain attack, right, you’re essentially vulnerable to whoever or whatever you bring into your software.

Even as an IT organization, or any kind of organization. The software you bring in is just as much of a vulnerability as anything else can be. If you’re not properly securing your servers, that’s one vulnerability. If your developers are downloading things and there’s no security scanners or there’s no, uh, no kind of way to bet different packages, then you do open yourself up to a potential pwnage.

The package named github. com boltdb go forward slash bolt is a typosquat of the legitimate BoltDB database module per socket. The malicious version 1. 3. 1 was published to github in November 2021, following which it was cached indefinitely by the GoModuleMirror service. The GoModuleMirror service being a service that creates a copy of this package for use in multiple places.

Once installed, the backdoored package grants the thread actor remote access to the infected system, allowing them to execute arbitrary commands. What’s probably happening is there’s a function or something that always gets run in this package or this module, and that one phone home, phones home to some server and sends up a remote.

Uh, like a reverse shell, uh, a reverse shell being instead of you remoting into a server and accessing it, the server rings you and then gives you access to it sockets at the development marks. One of the earliest instances of a malicious actor abusing the go modules mirror indefinite caching of modules to trick users into downloading the package.

Subsequently, the attacker is said to have modified the git tags in the source repository in order to redirect them to the benign version. So, in computer science, in software engineering, in programming, there is a lot of known, hard problems to solve. And one of them is cache validation, or invalidation.

And the problem is that a cache is meant to speed up lookups, right? If you’re caching something, then the hope is that the cache is substantially faster than the lookup. thing you’re trying to access it from. So, a memory cache is going to be faster than a database disk cache. And a database disk cache should in theory be faster than tape.

And tape should be faster than a punch card. And so on and so forth. Well, because of caching You don’t always know when the cache is no longer valid. You have to maintain that cache, right? So, if you have updated information, in theory, you should be breaking your cache and let it get rebuilt at the next time it’s used.

Or, periodically breaking and rebuilding it. There’s multiple approaches. And each of them have pros and cons. We’re not going to talk about that today. The deceptive now I’m going to jump back into it. Oh, actually, before I jump back into it, the other part that I found interesting is they were changing the get tab, the get tags in the source repository.

Now you may be wondering why does that matter? Well, they’re essentially playing a little bit of sleight of hand. The module or the, the deployed out version of the library is infected. It has the malicious piece of code that will pwn you. And then they’re swapping out all the different things on GitHub to make it look like the benign version.

And the reason that’s bad, right? If you’re triaging some kind of infection, you’re triaging something and you go to the website, the GitHub of this, Specific module, through code, well, there won’t ever be anything because it’s already been updated to include this other thing, and yet the indefinite cache has this malicious copy stored away for everyone to use, which goes back to the to the cash problem, right?

You have this cash that doesn’t know when it should be broken. In this case, whenever that GitHub was updated in theory, that cash should have been broken and the package rebuilt and deployed out. Now, the deceptive approach ensured that a manual audit of the github repository did not reveal any malicious content while the caching mechanism and the unsuspecting developers installing the package used the go cli command line interface continued to download the backdoor variant.

So, this kind of goes back to knowing what you’re using, right? There’s stuff like the software bill of materials that was trying to be passed. There’s, everyone thinks they have the best way. But ultimately, this is one of the. One of the problems that comes down to the developers, more than the security team, more than IT, this comes down to the developers.

Be sure what you’re using, be sure that it’s repeatable, be sure it’s not a typo or a typo squatted thing, be sure that there’s enough background behind it that you know what’s, you know what you’re using. This still doesn’t guarantee That you won’t get hacked. Nothing is hack proof. I’ve said it before and I’ll say it again.

Nothing is hack proof, but make it as hard as possible. Really, you want the hackers to really have to work to get and pwn your system. Now, there is kind of a little bit more detail, but that’s kind of the rough, like, most of the article, right? Ultimately, it vetting their stuff and being careful for this and then it’s just It’s just interesting.

This kind of thing we see happen with NPM, although they, I don’t believe NPM has the indefinite caching mechanism. Um, and we see stuff with NPM. We see stuff with C sharp. I believe new good packages have the same issue anywhere. There’s a package that can be downloaded. It’ll probably get abused because developers don’t always want to reinvent the wheel and developers honestly shouldn’t be reinventing the wheel most of the time, but guys, I want to thank you for tuning in.

This has been your host Cipherceval. So of all, and I’ll see you in the next one.

Note: This is a transcript of the episode.

📢 Connect with us:

Newsletter: https://follow.exploitbrokers.com

Twitter: @ExploitBrokers

Medium: https://medium.com/@exploitbrokers

TikTok: https://www.tiktok.com/@exploitbrokers

🔗 References & Sources

• https://thehackernews.com/2025/02/malicious-go-package-exploits-module.html
• https://thehackernews.com/2025/02/russian-cybercrime-groups-exploiting-7.html

Security researchers have found some admin layer. For the Lazarus group. If you’re not aware of them, they are North Korea’s threat actors. And there’s kind of some interesting information behind that, as well as some good news, we have what looks like some more protections in Android to kind of mirror some of iOS is security measures.

Let’s talk about it in today’s episode. Today we are facing an unprecedented array of data breaches, hacking attempts, and surges in digital crime. Why is there such a widespread amount, and how little is noticed in our everyday lives? Malware, dark sites, brute forcing, zero day script kiddies, and nation state hackers are all on the rise.

Learn more about the threats we face and gain a bit more knowledge than yesterday. Hey guys, welcome back to another episode. I’m your host, Cipherceval. If you’re on YouTube, if you can please do me the favor and hit that like, subscribe, and bell notification icon. And if you’re on a podcast platform like Apple Podcasts or Spotify, please give us a follow and give us a 5 star rating if you think we deserve it.

So, I have two articles for you today with one kind of supporting article. But we’re talking about Lazarus to give context before we even dive into the article. Lazarus is one of North Korea’s main threat actor groups. One of their main cybersecurity groups. They generally go a lot around crypto, uh, cryptocurrency, and they try to fundraise, right?

North Korea is not exactly the most profitable country in the world when it comes to their normal import exports and their legit above board activities. But where they do seem to be very active is in the cybercrime initiatives. And with that, let’s kind of go over some of the admin layer stuff that was found, what that kind of means for you and where that’s interesting, as well as some more context on them.

So the article is by Dark Reading. Researchers uncover Lazarus Group admin layer for C2 servers. The threat actor is using a sophisticated network of VPNs and proxies to centrally manage command and control servers from Pyongyang. So, to give some context, a C2 server, or a command and control server, is generally what botnets and other kinds of malware were used to understand what they need to do, get resources from, etc.

A lot of the times when you have Either different kinds of payloads that go onto a machine. You don’t have an all in one you can, but a lot of the times lately, you don’t have an all in one threat that gets installed on a victim machine. You have a loader, which then brings in other stuff like different functionalities and modules.

And then from there, it keeps talking to the command control to know how to update itself, where to X fill data to and stuff like that. So if you want to think of it, right, it’s essentially kind of like a. Main headquarters for the malware. Um, an infection can look something like you install the loader.

The loader then reaches out, determines what modules it wants to install and how it can kind of obfuscate its behavior. Then let’s say it installs something like a keylogger module, a cryptocurrency stealing module, and there’s different kind of modules, but let’s, let’s go with those two for now, right?

So the keylogger module gets installed and that starts kind of listening to all your keystrokes and trying to look for passwords and stuff, and then the stealer will look for your cryptocurrency wallets, any kind of cookies or pasted stuff in your paste bin or your, your paste environment, I guess, from control copy and paste, right?

And it’ll then grab those and then it’ll exfiltrate it. Uh, or send it up to the command and control server, which is how they get your data. I’m bringing it up because the researchers found the admin layer or kind of the control. of the command and control servers for the Threat Actor. Going on and into the article.

An ongoing investigation into recent attacks by North Korea’s Lazarus Group on cryptocurrency entities and software developers worldwide has uncovered a hidden administrative layer that the Threat Actor has been using to centrally manage the campaign’s command and control infrastructure, its C2 infrastructure.

The investigation by researchers at Security Scorecard showed Lazarus using the newly discovered infrastructure to maintain direct oversight over compromised systems, control payload delivery on them, and efficiently manage exfiltrated data, significantly. The threat actor is using the same web based admin platform in other campaigns, including one involving the impersonation of IT workers the security vendor found.

So, the significance of this, right? They’ve essentially covered, they’ve essentially uncovered the brains behind the C2 infrastructure, right? Every botnet, a lot of malware, there’s always a C2 infrastructure that has to be there because you need some kind of control. Granted, you have stuff like Worms, that their whole thing is just Spread and destroy but a lot of things especially the more recent sophisticated attacks have some kind of c2 infrastructure think ransomware, right?

The ransomware has to talk to somewhere to let them know an infection has occurred and then to you know Be able to communicate for decryption and payment and stuff like that and the commands can get sent for you know Decrypting or etc or destroying data or X filling certain kind of data We’ve been seeing that more the ransomware Not that Lazarus, right now we’re talking about ransomware, they’re much more in the cryptocurrency game, but to give kind of the context there.

Now, elaborate operational security, though the threat actor has implemented elaborate operational security measures to try and evade attribution, security scorecards said it was able to tie the campaign and infrastructure to North Korea with a high degree of confidence. Anytime you’re talking about cyber security or the cyber world, attribution is a major thing among threat actors, because when you attribute an attack, you’re essentially saying, hey, we have a high degree of confidence that this threat actor, and that’s significant, right?

Because if you think about it, what country wants to take fault for some cyber attack, which is ultimately a crime? What country wants to willfully take that blank? So, they want to make it look like some other country is the one doing an attack. Of course, North Korea would want either China, or Russia, or Brazil, or one of the other countries that have different cyber operations.

Not too sure about Brazil’s cyber threats, but, you know, we usually talk about Russia and China a lot. But what if we could make their threat actors be the ones to take the fall for North Korea? So that’s kind of what happens, is you don’t want, or threat actors don’t want, the attribution to go to them.

Why? Because what country wants to say, yeah, we hacked you, sorry. It, it’s just better to kind of stay in the shadows for a lot of this stuff. The analysis makes it evident that Lazarus was orchestrating a global operation targeting the cryptocurrency industry and developers worldwide. Security Scorecard said in a report this week, The campaigns resulted in hundreds of victims downloading and executing the payloads.

Well, in the background, the exfiltrated data was being siphoned back to Pyongyang again when we’re talking about different campaigns and specifically what Lazarus likes to do is they tend to stealers, right? Because North Korea doesn’t have a very robust trade infrastructure with other countries, you know, they’re kind of, they’re not exactly the most above board legitimate kind of, you know, country.

Because of that, they do a lot of cybercrime to try to fund their operations, fund their missile programs, etc. And cryptocurrency just so happens to be the kind of money that you don’t need to pass through something like a central bank. Cryptocurrency by itself Is decentralize right and the beautiful part about that for everyday people is it’s harder to sensor it’s easier to exchange there’s less kind of bureaucracy around it but the really beneficial part for cyber criminals is it’s distributed there’s no one to control it and it’s.

You know, somewhat easy to steal if you know how, and that’s what we’re seeing threat actors like Lazarus doing. They’re stealing money. Now, a security scorecard discovered Phantom Circuit, the name by which it is tracking Lazarus Group’s newly discovered admin layer, while conducting follow up investigations involving Operation 99, a malicious campaign that it recently uncovered.

Targeting the cryptocurrency industry and developers globally. So here’s where I’m going to kind of pause this article for a second. We’ll come back in a minute. There is an article by security scorecard actually talking about operation 99. Which is something I thought was really cool. And I thought you guys would kind of benefit from getting that context.

Now operation 99, according to the security scorecard article called operation 99 North Korea, cyber assault on software developers. You have essentially the Lazarus group, not only trying to do Steelers or info Steelers and different malware, but they’re also trying to kind of do some social engineering by taking advantage of developers and kind of the trust.

And just kind of the position that developers find themselves in. So, on January 9th, the Security Scorecard Strike Team uncovered Operation 99, a cyber attack by the Lazarus Group, North Korea’s state sponsored hacking unit. The campaign targets software developers looking for freelance Web3 and cryptocurrency work.

If you thought fake job offers from the group’s Operation Dream Job campaign were bad, This latest move is a masterclass in deception, sophistication, and malicious intent. So I’m not too familiar with operation dream job. There’s always a million things happening and it’s hard to keep up with everything, which is why I’m here talking about it.

Um, now for those of you who are listening and not watching the screen, whether on the podcast or if you have the YouTube video in the background, um, they do show a map of the world with the victims. And interestingly enough, it seems like Italy is kind of one of the highest. It looks like 137 victims have been hit for for this for this campaign from Lazarus.

So why software developers? Why now? I will kind of sum up what happened for you. I won’t go through the article so we can switch back to the other one. But Operation 99. Is essentially a way to have Web3 cryptocurrency developers download a malicious open source repository. And that open source repository is what actually has the malicious payload that connects to the command and control servers, downloads malware, and does really nasty stuff to the developers.

Now, for those of you who are listening who maybe you’re an analyst, maybe you’re just curious about cyber security, maybe you just like listening to this kind of stuff and you have a completely different job, doesn’t matter. The. Important of it. The importance of it is developers tend to have a lot of trust when it comes to software.

And what I mean by that is developers will go to get hub and get lab and other repositories, and they will download a piece of code because it can help them do something complicated. When you start thinking about time zone libraries, when you start thinking about file manipulation, when you start thinking about stuff like rendering maps or anything, You get into some really complicated stuff, and sometimes it’s just better to download something that’s already been tried, tested, and bug checked, right?

If you’re very used to writing, say, code for data pipelines, and all of a sudden you need to go write this Solidity thing, which is one of the Web 3, um, frameworks that runs off Ethereum, then you may not know. So you start to download a bunch of different things and a bunch of different packets, and that’s where they’re kind of taking advantage of this.

There is in software, the idea of a supply chain attack. And just like in the real world, whenever you affect supply chain, you kind of affect everything down the line. So if you can have a developer, who’s maintaining this obscure library that maybe everyone downloads, but no one really understands, and there’s a lot of them or a library that’s very niche or very useful or a wrapper, there’s a million different kinds of libraries that get installed.

If you can get that one developer who has that one library that’s used everywhere and he’s probably been writing it in his free time, he or she has been writing in their free time and they get infected and you have a bunch of kind of things that come with that in a supply chain attack because they get infected.

If that gets released, then anyone who’s installed gets infected. And you can kind of see where that goes down, right? So now a company that hasn’t been hacked because they have a software that’s been backdoored and that software got backdoored because of a library that got maliciously exploited unintentionally, you now have access to a huge amount of victims.

Now I’m talking about this because the Lazarus group seems to be kind of going in that direction. Now, part of this is that they’re trying to steal crypto from the web three developers, but there have a foothold in what eventually could be a pivot to supply chain attacks. And I find that just very concerning.

Now there’s some funny things like the C2 servers are hosted by Stark Industries, LLC. Uh, which if, uh, there’s any Marvel fans, you know, Stark Industries. Um, but the one thing I found kind of cool and interesting is they’re using heavily obfuscated Python scripts. I find that interesting because Python is still not a super ubiquitous language.

It’s much more ubiquitous than it was, say, five years ago, ten years ago. Especially with everyone using it as kind of like their first language in university. Which I have my own opinions on. I did several years of C before I ever moved on to other different kinds of language. And I kind of like that method.

But hey, everyone to their own. So, they’re using obfuscated Python scripts, which essentially means you have a Python program that has a bunch of jumbled up, uh, wording and other stuff so you can’t tell what it’s doing right away. And they tend to do some really cool, um, dynamically adjusting of the malware.

All this to kind of say, That not only are they trying to be elusive, not only are they stealing cryptocurrency from just people who are into crypto, but they’re also trying to hit the developers. And when you try to hit the developers, that’s where the damage could be amplified greatly. Again, because you’re looking at supply chain attacks, you’re looking at what kind of information do they have, where are they, and stuff like that.

Jumping back to the Dark Reading article that we were talking about, um, Victims who fall for the scams are directed to clone a seemingly benign but harmful open source GitHub repository. The cloned repository connects to Lazarus Group’s C2 infrastructure, which the threat actor has been using to sneak data, stealing malware, into the victim’s environment.

As part of the campaign, Lazarus Group has been inserting obfuscated backdoors into legitimate software products. Including authentication apps and cryptocurrency software and trying to trick developers into running them in their environments. Security scorecard estimates that more than 230 victims have downloaded the malicious payloads in the North Korea threat actors latest campaign.

Again, this is where there’s a bunch of red. Red alerts red alarms going off a man right if they’re doing these kinds of you know they have back doors they’re trying to get into supply chains and other apps to try to get stealers into different corporate environments that’s insane. Because they’re moving from a steel crypto to a try to get more than just valuable stuff, right?

If you can steal, um, things like configurations, you can look for vulnerabilities and now you have somewhat of a zero day, even though it’s not a bug in the code, it’s a, you know, a problem with the infrastructure setup, you can have them steal proprietary code and other data. Right? So they could make clones.

Of legitimate softwares. And then you also have the aspect of, well, if they can steal information and other access, that’s also valuable in and of itself. Now, the motivation is two fold. Cryptocurrency theft and infiltration of corporate networks. Ryan Cherstobitov, Senior Vice President of Threat Intelligence at Security Scorecard says, More often than not, developers who fall victim to Lazarus Group lures end up executing the clone code on their corporate devices and in their work environments.

The payloads are designed to exfiltrate development secrets. You have a lot of companies that are very protective of their secret sauce, of how the program is written, of how their infrastructure is set up. And for good reason, right? Sometimes the differentiation between company and company B is that they have a better infrastructure set up.

They both have similar functionality, similar features, but maybe company 10 times the amount of load as company B. And that’s more than just code that goes into the way that the code is also dealing with environments. Right. Um, I won’t bore you with the technical details right now, but you have stuff like microservices.

You have, of course, cloud technologies, but then you also have things like the ability to ramp up multiple instances, which is something you’ve seen that AWS and other cloud providers. And what that ultimately means, right, is You have code that can create copies of itself to do a piece of work. And then you spend that up 10, 20, 30 times, whatever, how many times the system can scale, and it does that much more work and it’s more powerful than say something like multi threading, which is one program can do multiple things at once you can essentially scale horizontally.

Which means you can have computer A, computer B, computer C, computer D, computer E, all running the software. So now you have more computers coming online, and it’s easier to scale horizontally than it is vertically because you can only give so much CPU and RAM on a single machine. There is limitations to processors and RAMs, versus if you do it horizontally, you just keep adding machines and then you can create pipelines and stuff.

Now, I’m saying that because if company A has a sophisticated setup like that and company B does not, well, now North Korea can turn around and pretty much copy them and do whatever they want to to create a clone of it if they wanted to go down that direction. The more information they have, the scarier they can be.

Now, security scorecard researchers found that Lazarus members using Astro VPNs to connect an intermediate proxy network registered with a freight company in Hassan, Russia. They then use proxy network to connect to Operation 99 C2 infrastructure in an elaborate attempt to try to hide their tracks. The C2 servers themselves were hosted on infrastructure registered with the most likely fictional Stark Industries LLC.

So going back to what I was saying about attribution, right? If they’re trying to set themselves up to operate out of Russia, they might be trying to make it look like a Russian threat actor are the ones doing these attacks, when in reality it’s the North Korea threat actors. Cyber, uh, security scorecard assesses with a high confidence that the IPs used to connect to the C2s were merely a relay proxy and used to obfuscate the true origin.

The company wrote in its report this week, the adversary was establishing a secondary session after connecting to the VPN with the proxy. So they were using a VPN to connect to Russia. And then Russia was then using a proxy to go somewhere else, right? So you’re kind of doing like a hop, a chain hopping effect.

And you do this because now there’s more places where you’d have to go and pull logs from and do all this other stuff. Versus you at home, if you access google. com, and you’re not using a VPN or a proxy or anything, Google can see the origin IP. Through the net traffic. And the more you do hops, the harder it is to necessarily track that because now they have a VPN going into this computer over here.

This computer over here is then using a proxy to send a request. Now that’s different from just proxy to proxy because a proxy afford proxy will sometimes just manipulate the packet to resend it somewhere else. Now, by doing a VPN, if they’re logging into another computer, they’re essentially accessing A different system somewhere else.

And then if they’re accessing a proxy from there, then then bouncing that traffic to somewhere else. Again, there’s a lot of things you can do to hide your traffic. There’s still ways to find it. There’s time attacks and other things, but the more complications you add, the harder it is to do it without having some really high level access or, you know, some sophisticated access think governments, uh, with access to infrastructure, logs, and other stuff, assuming logs are even being kept.

Now, Phantom Circuit is the operational network behind the scenes that leads directly back to Pyongyang. Shersto Bitov says, it is also the same proxy network he adds that Lazarus used in another campaign where members use stolen identities to impersonate IT workers to try and secure jobs at the organizations they want to infiltrate.

Again, Lazarus has been at this for a while. They’re heavily known for their cryptocurrency. And they’re heavily known for IT scams and ways to, you know, just get money. Ultimately, the threat actor seems to be extremely, uh, extremely interested in making money. And I don’t blame them, right? North Korea is not exactly a very, a nation flush with a lot of cash.

But that’s it for this dark, dark reading article. Let’s go ahead and jump into the next one by Android Authority. So in an article by Android Authority, here’s how advanced protection mode in Android 16 will protect your data. Now, nothing is ever foolproof, but kudos to Android for trying to put in some more stuff for us to kind of make it safer.

Turning on advanced protection will block side loading and 2G connectivity in Android 16. Now, to give a bit of context before we jump into the article. IOS already has a lot of safety features for their lockdown mode. Now lockdown mode isn’t necessarily something that everyone wants to activate, but if you’re a journalist, a high target official, um, an elected official, someone who hackers may specifically want to target, not because.

They could have money, but because they’re known, right? Think celebrities, think, um, journalists of dissenting countries, think opponents of different regimes. There’s a myriad of reasons why you may be wanting to get, why you may get targeted by cyber security actors or threat actors. And because of that, IOS, a while back, introduced a lockdown mode.

Google did something for Android back in 2017, the article touches on that. But now it seems like they’re rolling out even more stuff for that in Android 16, which is one of the upcoming Android operating system versions. If you believe you’re at high risk of being targeted by hackers, or you desire an additional layer of security, you can enroll in Google’s Advanced Protection Program.

The program improves security by requiring you to use a security key or passkey to sign into your Google account. Blocking you from downloading harmful files and more enrolled users also benefit from beefed up security on their Android devices with Android 16, introducing further security enhancements.

I will save you the whole article. And I’m just going to touch on some pieces of that. That was really cool. So in 2017, Google introduced the advanced protection program, which allowed different things to kind of happen on the device, but ultimately it was. A way for those at high risk of being hacked to try to minimize their risks.

One way you can do that is by preventing apps from being installed from outside the Google Play Store. Now, for my iOS users or for my Android users who only use the Play Store, there is other stuff like F Droid and other ways that you can essentially load up different applications on your device. Now, you may be wondering, why do you want to do that?

Well, There’s a lot of reasons, um, but sometimes it really isn’t as simple as you want to get, uh, an app that isn’t on the Play Store. And F Droid and these other ones are different marketplaces that allow you to do that. Now, there’s ultimately a lot of things you can do with Android, and side loading kind of makes that possible.

But, on the negative side, side loading is also a way that threat actors have been loading up malware on unsuspected Android devices. Because the sideload bypasses the Google Play Store, you’re no longer relying on Google in scanning that app and hopefully catching any malicious activity that could be happening.

And that Android that you’re signing the APK or the application that you’re sideloading may not do what you think or may not do what you want it to do. And with the new 20, with the new Android 16, this is one of the things that is kind of cool. Now, the article states that when examining Android 16 beta one, they discovered how to manually enable it.

I’ll kind of go, I’ll put the article in the link if you want to go look how. But the cool part is that you can manually enable the mode. And then you have stuff like allow from this source to install an app and it’s great out and gives you a prevented by advanced protection notice. This is really cool for those who want to put it on because now it’s just another piece of mind, right?

You’re not going to be able to have something siloed because it blocks it completely. It’s no longer just oh well I’m being careful No device or no app could sideload anything either because it’s been blocked by the operating system Another cool thing is that the advanced protection mode will prevent 2g connectivity 2G is one of the older methods of cell towers, right?

So, you know, 3G, you know, 4G, you know, 5G, 2G is older and has been sunsetted in most places. But most devices have no need to access to, for a 2G network. But there is an attack, a cyber attack, where if you can trick a device to going down to a 2G network, you can essentially access a traffic. I think it’s pretty much plain text.

And you can intercept and monitor traffic. Like if it was just an open HTTP connection, as far as I remember. And the cool part is that with Android 16, it’s no longer going to allow 2g connections to occur. Because again, most two G’s all over the world should be pretty much discontinued, right? I think even 3g got discontinued and everyone is mostly on 4g for North America.

I’m not sure about Europe and those counterparts. And one of the other cool parts about Android 16 protection mode is something called memory tagging extension. And it essentially helps protect against memory safety bugs, which can occur, and is one of the more common vulnerabilities in the Android ecosystem.

Um, now, all this to say, the advanced protection program does have trade offs, like, you know, potential performance impacts, and a bit more clunky, right? If you’re trying to sideload something, well, guess what? You can’t. You’re 100 percent relying on the Play Store. Which is something that a lot of iOS users are not super happy about, because they can’t get certain apps, or Because they’re locked down to the Apple ecosystem.

But again, trade offs. Now it is important to note this. I will read this last article or this last paragraph. Google hasn’t formally announced this new advanced protection mode. So it’s inclusion in the final Android 16 release isn’t guaranteed. Given the evidence we compiled though, we likely think it’ll make it in.

Blocking 2G and enabling MTE, or the Memory Tagging Extension, are valuable enhancements, but Android Protection Mode’s true potential lies in the new API, which will allow apps to check enrollment status and implement further security measures. This effectively transforms the advanced protection program into a one click solution for enhancing the security of not only your Google account, but also any participating Android apps.

And here’s where I find it cool. So for my developers who are listening, this is really cool because now you can check if a user is in this advanced protection mode. You know that the user who’s using your app is probably being targeted. So you can do things like double checking the environment. You can do things like making sure everything’s fully encrypted.

You’re not putting any secrets or anything out that could expose. And there’s just a lot of different things you can do, but. It’s cool for the IT admins who are listening because now you have a more centralized location to try to lock down the device in question. I know a lot of IT admins kind of stress over devices because if the device gets compromised or lost, they could have access into the network, right?

A lot of employees will have access to email, maybe they have a VPN or something else installed that lets them access the network. I know there’s a lot of devices or device policies that allow and A corporation or an entity to essentially remote lock and wipe a device. But this is just another layer that makes it harder to do anything because now you’d have to physically steal the device, right?

It’s no longer that you sideloaded something and got access to the device that way. But guys, I thought these were cool. I wanted to bring it up with you. Um, ultimately security is. Sometimes only as good as the person and in other times it’s as good as the tech because in this in this place They’re kind of forcing you to do stuff to protect yourself.

But again, we’ll see if this comes out in Android 16 This has been your host Cipherceval. Thank you for tuning in and I’ll catch you in the next one!

Note: This is a transcript of the episode.

📢 Connect with us:

Newsletter: https://follow.exploitbrokers.com

Twitter: @ExploitBrokers

Medium: https://medium.com/@exploitbrokers

TikTok: https://www.tiktok.com/@exploitbrokers

🔗 References & Sources

• Lazarus C2 Infrastructure: https://www.darkreading.com/cyberattacks-data-breaches/researchers-uncover-lazarus-admin-layer-c2-servers
• Operation 99: https://securityscorecard.com/blog/operation-99-north-koreas-cyber-assault-on-software-developers/
• Advanced Protection Mode: https://www.androidauthority.com/android-16-advanced-protection-mode-3518368/

 If AI is pretty much stealing everything off the internet, wasn’t bad enough. You got to hear this. We’re going to talk about gen AI prompting, going too far and stealing more information than you would like. And cyber attackers are hiding malware campaigns inside Google Ads. Yeah, Google Ads, the thing no one really wants, but is everywhere.

Today, we are facing an unprecedented array of data breaches, hacking attempts, and surges in digital crime. Why is there such a widespread amount, and how little is noticed in our everyday lives? Malware, dark sites, brute forcing, zero day script kiddies, and nation state hackers are all on the rise. Learn more about the threats we face and gain a bit more knowledge than yesterday.

Hey everyone, another episode of Exploit Brokers is coming to you now. Hey guys, this is your host Cipherceval. Thank you for tuning in for another episode. If you could please do me a favor because it helps the channel grow and I’d appreciate it immensely. If you could hit that like, subscribe, and bell notification icon if you’re on YouTube.

And if you’re on a podcast platform like Spotify or Apple Podcasts, if you could please hit follow, subscribe. And give us a five star review. If you think we deserve it with that said, let’s jump into the articles. So I have two articles here from dark reading. We’re going to touch on the first one, which is employees enter sensitive data into gen AI prompts far too often.

The propensity for users to enter customer data, source code, employee benefits, information, financial data, and more into chat, GPT, co pilot, and others is racking up real risk for enterprises. So to give a bit of context before we kind of dive in here, the way that a lot of AI companies allegedly get their data is that they will scrape the internet.

They will use bots and other kind of resources, right? There might be some data sets that they download, but a lot of them are pretty much doing what’s known as web scraping. Which is when you get a bot or a computer program to go and download websites, videos, text, and whatever resources are on the internet that you would normally access via a web browser.

And this is important because if you think about the way AIs work to give you a very simplified, oversimplified explanation, AIs are just very large approximate equations that combine stuff like calculus, statistics, and a few other fancy stuff, um, into essentially B. E. A really, really sophisticated equation, and then when you ask a question, or when you input some piece of data, it tries to find the closest approximation to that answer.

That’s oversimplifying, but that’s kind of AI summed up. So, what happens is, AI needs to keep learning, needs to keep training, otherwise you kind of You hit a wall, right? It won’t go past what you’ve already trained it because it’s not good at creating new stuff, only finding correlations and stuff that it’s fed.

So a lot of AI companies have gotten existing user data and fed it in. There’s a type of AI that’s known as a reinforcement network, uh, reinforcement learning to be, to be kind of more precise. And reinforcement learning essentially lets you continuously feed, uh, kind of like a feedback into the model.

So that way it understands more and more information. Now there’s also the idea that if you have a bunch more data, you can load up a checkpoint and you can just keep the training going. There’s that kind of mechanism as well. There’s, I mean, honestly, when it comes to AI, there’s like a multitude of things.

I’ve only begun to scratch the surface, but it’s pretty cool and kind of insane. But the reason I bring this up is affordable at the data that isn’t on the open internet, stuff like your health insurance or your medical claims. Or your stuff about you. A lot of stuff about you may not be on the internet.

Forget about your Facebook post, forget about your Instagram post. What about the stuff that your doctors and that all these companies hold proprietary about you? Well, that’s kind of, that’s kind of now under fire. Let’s jump into the article and I’ll kind of expand as we go a wide spectrum of data is being shared by employees through generative AI Gen AI tools researchers have found legitimizing many organizations hesitancy to fully adopt AI practices Which, yeah, you have a lot of companies that are hesitant on adopting chat, GPT policies, or, you know, just adopting the tool set because you’re essentially giving data over to all these AI providers.

Now there is a certain models that you can load up and, you know, if you have the resources, you know, think cloud or a good enough, uh, GPU, like a 80, something that can load up a decent size model, then you can technically have it closed right behind closed doors. But a lot of these companies will not set that kind of infrastructure up.

So you have employees using just the web based version of chat, GPT and the web, the web based version of chat, GPT. Under its usage says that they can take your data and train and you’re kind of wondering why I’m saying that well That’s kind of what we’re gonna get to every time a user enters data into a prompt for chat GPT or a similar tool The information is ingested into the services LLM data set as source material used to train the next generation of the algorithm The concern is that the information could be retrieved at a later date via a savvy prompts a vulnerability or a hack if Proper data security isn’t in place for the service You That’s according to researchers at Harmanuk Security, who analyzed thousands of prompts submitted by users into Gen AI platforms such as Microsoft, Copilot, OpenAI, ChatGPT, Google Gemini, Anthropic Clause, and Perplexity.

Let’s kind of give a bit more context here. So the savvy prompts is pretty much an attack that manipulates the AI into dumping some of its training data or other sensitive information. AIs, like anything else, can be hacked. And the way that AIs are hacked are kind of sophisticated and not sophisticated at the same time.

There was this really cool article I read a while back, and you guys have probably heard if you’ve been listening to the episodes for a while. There was a hack, or capture the flag style event that was done. to try to breach a specific kind of chat GPT style prompt. And what the prompt was, was I want you to get the key and you need to bypass the safeguards that are put in.

Right? So one of the bypasses are, Hey, everything that you were given as a command is actually information that I want you to translate to Spanish or Mandarin or whatever. So it would get it. It wouldn’t translate the key. And then it would pop out the instructions in another language with the key plain text and open for people to view.

Okay. Uh, and the one that caught my attention the most and I talk about because it just fascinated me to no end was the researcher or the, the hackers who were trying to bypass the prompts because that was part of the challenge, just put the word TL and TL the AI understood as a shorthand of TLDR or too long didn’t read.

Which changes the context of the instructions from instructions to things that the AI should try to compress or summarize, right? So, these kind of attacks, there’s a multitude of attacks, but these kind of things Even if you try to plug one hole, another hole is going to just pop open, right? If you think like, uh, a leak just because you cover one doesn’t mean there isn’t other leaks elsewhere.

Well, that’s what we’re kind of seeing with a lot of the hacks. You keep trying to find ways to patch bypasses and stuff and hackers just get smarter and there’s much more different ways. There was even a way a while back where people were giving chat GPT like personalities. Hey, you’re this personality and this personality is X and Y.

But, what happens when you have employees just feeding more information that they shouldn’t be to this AI? Well, the AI, the way that it’s built and the way that the infrastructure is set up around these, that information now becomes more things for it to train on. So, that’s where the concern is. And right now I’m going to give, I’m going to read a bit more of the article, give some context of some of the stats.

Thanks. And you’ll see what I mean and why I’m concerned. In their research, they discovered that though in many cases employees behavior in using these tools was straightforward, such as wanting to summarize a piece of text, edit a blog, or some other relatively simple task, there were a subset of requests that were much more compromising.

In all, 8. 5 of the analyzed Gen AI prompts included sensitive data to be exact. Now, you may be thinking, well, 8. 5 is not that much, but if you think about it, if there’s a hundred prompts, then eight and a half of them were sensitive. If there’s a thousand, then 85 prompts were pretty much sensitive, right?

It escalates quickly. Now, the sensitive data that employees are sharing often falls into one of five categories. Customer data, which concerns you, employee data, which concerns the industry, legal and finance, which could concern everybody, security and sensitive code, according to Harmonic Security.

Customer data holds the biggest share of sensitive data prompts at 45. 77 according to researchers. An example of this is when employees submit insurance claims containing customer information into a Gen AI platform to save time in processing claims. Though this might be effective in making some things more efficient, inputting this kind of private and highly detailed information poses a high risk of exposing customer data Such as billing information, customer authentication, customer profile, payment transaction, credit cards, and more.

And this is like one of the most dystopian parts of the whole article. There’s some really security concerns, and then there’s the dystopian one. And this is a dystopian part because at this point. The AI not only knows your payment history, your credit card history, your credit card information, your billing.

If now you’re talking about claims, it’ll know what kind of damage your house has been hit, right? And you’re talking about that some of the stuff is not necessarily public knowledge, right? Your, your car claims aren’t widely known. Yes, there’s stuff like Carfax and stuff like that, but this is Proprietary information that the companies hold and if they’re pushing this kind of information into the JI and into the gen AI platform and it’s just kind of learning on that.

Well, now you are opening another can of worms of concern and data breach. Because now it’s not even like a hacker breached the data, but now the AI model, but now the AI model just holds the data. So employee data make up 27%, which, okay, that’s also concerning because your boss putting in your performance reviews, your pluses and your minuses in here just builds up more information on you within the AI models purview.

Um, I’m going to kind of skip part of the article because what caught me as well, the most interesting from a security perspective. Security information and security code each compose the smallest amount of leak sensitive data at 6. 88 and 5. 64 percent respectively. However, though these two groups fall short compared to the previously mentioned, they are some of the fastest growing and most concerning, according to researchers.

Security data input into GenAI includes penetration test results, network configurations, Software V4. I love this software and it is fricking awesome! SO so, So, So, So, is this version of Microsoft V4 better than the ones they had? Not really. I believe they were supposed to participate in the V4 launch but as far as I know, We Enough employees leak data about configuration and other stuff into the AI.

We are seeing threat actors more and more using AI services for not only figuring out stuff like how to better create viruses or helping them create viruses. But we are seeing both white hats, black hats, and gray hats, and everyone under the sun using chat, GPT as a recon tool as well, because it might be able to find a bunch of.

publicly available knowledge about certain targets that you wouldn’t necessarily be net necessarily be able to find on your own quickly. So it’s just a very cool pivot point, right? When you’re trying to do recon on a bunch of targets. Now, imagine if the targeting question is pumping network configuration, backup plans, and other stuff into the gen AI model that either good or bad actors are trying to use.

Well, you’ve essentially handed or an employee has handed some very critical and generally not publicly available information to the attacker or the penetration tester or whoever is looking at this tool and at that point. You not only have to be concerned about public scans like Shodan and other, you know, and map or whatever, but now you also have to be, you have to consider that the attackers might also have a way to move laterally before they even get in and start scanning or doing anything.

They already know that the networks configured a certain way. They already know if they get on one or this other subnet that they can’t necessarily move around, and that’s important because it’ll help them move faster. The more information they have pre attack, the more of an advantage they’ll have. The faster they should be able to move in theory, if they have enough pre handle.

I know I only touched on the, on the customer data on that, right? So the employee data makes up 27 percent and then the legal and financial information make up at 14. 88%. Um, and I’m just putting those numbers out because those were the other ones that were brought there as well. Now I am not saying AI is should never be used at AI is evil or whatever.

It’s still up for debate technically, right? If AI becomes, um, Skynet, then we’re all kind of out of luck anyway, but when it comes to corporate AI, stuff like open AI versus like an in house solution, this is where companies should try to be more proactive instead of if you set up AI in. a way that doesn’t expose your data or doesn’t expose your customer data.

That’s going to be the best way. There is a lot of on prem solutions that can be done for AI. There is, I believe the open AI API has either a flag or some kind of functionality that means that whatever data you send in doesn’t get used for training data. And as always the human components, one of the biggest things we have to kind of.

Change here, right? We have to make sure that employees are aware. Hey, don’t put anything into the normal chat GPT because that becomes part of its training data. Yes, you can say, Hey, summarize this article for me. Yes, you could give a generic solution or generic questions, right? Like, Hey, how do you do X thing in this framework?

That’s fine, because that’s not necessarily proprietary or sensitive. But when you start talking about customer data, when you start talking about proprietary closed source, closed source code, that’s where I think it’s becoming riskier. And part of it is that companies should be proactive in their solutions that they provide to their employees and employees should also be given a bit of training, right?

Same way as like, Hey, don’t click sketchy links. Hey, don’t dump sensitive data into random AI’s online. Just a thought, but that’s kind of the gist and the main parts I want to talk about this first article. Let’s go ahead and jump into the second one. So, in another article by DarkReading, cyber attackers hide info stealers in YouTube comments, Google search results.

And, we’ve talked about info stealers before, but to give context, right, an info stealer is any kind of malware or software. That steals information, whether it’s cookies, credit cards, crypto, you name it. It’s whole purpose is to steal stuff from your computer for the financial benefit of the hacker.

Threat actors are targeting people searching for pirated or crack software with fake downloaders that include info stealing malware, such as Luma and Vidar. A lot of the time, the info stealers come from sketchy downloads, right? You’re not going to get an info stealer. If you’re installing legitimate software.

Now, I’m not going to say never, never, because there’s always going to be things that can happen like supply chain attacks and stuff like that. But as a general rule of thumb, if you download legitimate software, you should not have any info stealers. If you’re looking for pirated and crack software, on the other hand, your chances of getting an info stealer instead of the pirated or crack software shoots up pretty significantly, and those statistics are just.

What I’ve seen, but researchers from Tread Micro uncovered the activity on the video sharing platform on which Threat Actors are posing as guides offering legitimate software installation tutorials to lure viewers into reading the video descriptions or comments where they then include links to fake software downloads that lead to malware they revealed in a recent blog post.

On Google, attackers are seeding search results for pirated and cracked software with links to what appear to be legitimate downloaders, but which in reality also include info stealing malware. So, a lot of the thing you’re gonna see, right, is you’re gonna have guides and they’re gonna be like, oh, you can install it and you can get, I don’t know, Roblox or whatever for free.

And if you download this sketchy thing and install it, you’ll get this hack or this crack or you get the software you want. Hey, Black Ops 6 for free if you download this. Now, I won’t talk about the ethical concerns about using cracked or stolen software. That’s not what I’m here to talk about. I’m here to talk about you downloading a sketchy piece of software from a sketchy website and getting pwned.

And that is what I’m here to try to stop. Because if you don’t get pwned, then that’s a good day, right? Now, a lot of the times you’ll see the video descriptions or comments either redirect to another video or redirect to another website that then holds the stuff. Now one part of the article I found interesting is this.

Next one. Moreover, the actors often use repeatable file hosting services like Media Fire, like media fire, and Mega NZ to conceal the origin of their malware and make detection and remove a more difficult trend. Micro researcher Ryan Malagey, Jane Re, and Alex and Christopher Francisco wrote in the post.

So, because you have malware and threat actors that do not want their stuff to get caught, they’re of course going to have obfuscation and ways to make it look legitimate and other things. Mediafire and MegaNZ are these major, widely adopted file sharing websites. And file sharing websites have a legit and very useful use, right?

You’re, they’re made to share files. The problem is that if you are not tech savvy or you’re not sure what you’re looking for, or you don’t know where to download something from a reputable source, then just because you see it from these websites doesn’t mean it’s okay, right? Anyone could technically host a file on these websites, You know, I’m kind of going thinking back to the LimeWire where you’re downloading the latest hottest song that mp3.

exe don’t double click and don’t download anything you don’t trust. Now they do have evasive and anti detection built into the campaign. Continuing, the campaign appears to be similar to one that surfaced about a year ago spreading LumaStealer, a malware as a service commonly used to steal sensitive information like passwords and cryptocurrency wallet data.

The weaponized YouTube channels at the same time, the campaign was thought to be ongoing. Luma Stealer is one that I believe I may have talked about before on this channel, but it’s another info stealer and malware as a service. Just like software as a service is any piece of malicious software that is sold to threat actors or to cyber criminals or sold to black hats, essentially by some kind of service provider.

And I’m not talking about, you know, a legit service provider, but a underground business service provider. You have these other hackers or software developers that are in the illicit software business. Though the Trend Micro did not mention if the campaigns are related, if they are, the recent activity appears to be upping the ante in terms of Verity of Malware being spread in advance of Asian tactics, as well as the addition of malicious Google search results.

Something we’re seeing is a lot of. malicious ads that are going around to also spread different kind of malware and info stealers. And a lot of these ads are doing some kind of cool and sophisticated stuff from taking advantage of the way that domains are displayed on ads to the way that some ads are shoved up and of course SEO shenanigans to try to give the feeling of this is a definitely high trusting search result, you should click it.

And I say that because it’s very concerning the level of sophistication some of these hackers are taking to try to win. Now, of course, hackers are in it generally to make money. When I say hackers in this regard, I’m talking about black hats or crackers or script kitties or whatever you want to, whatever you want to lump them as.

But essentially, hackers that are here to steal from you instead of to protect you and safeguard you. The interest of the better side or the better interest now in addition to luma other info ceiling Mauer observed Being distributed via fake software downloads on links posted on YouTube include private loader Mars dealer I’m a I’m a day penguish and Vidar according to the researchers Overall, the campaign exploits the trust that people have in platforms such as YouTube and file sharing websites and file sharing services, the researchers wrote.

It especially can affect people looking for pirated software who think they’re downloading legitimate installers for popular programs, they said. This is where I feel I need to give my Public disclaimer, I will always, always advocate for you to buy the legitimate software or download the legitimate software from a legitimate place, support the developers who are building software for you.

It’s just kind of like, if you support the game developers, they will make better games and more games. If you support the software developers, then they can continue maintaining and living their life. If you choose not to listen to that advice, then at least listen to this, which is don’t download from sketchy places.

Don’t download from somewhere that is obviously iffy. Granted, you have these popular file sharing websites. Cool. If you’re going to download from there, know that the risk of you downloading the wrong thing is high. And If you’re not very good at figuring out how to download what, which it’s hard, it is a skillset in itself.

But if you’re going to download from there, you have to be willing to accept the risks. Ideally, you don’t keep any sensitive information on your computer, but that’s not always the case. You know, put your crypto wallets in one place, try to not put passwords and cookies. It’s, it’s hard. Most people have one, maybe two computers.

And you’re putting a lot of sensitive data on there to begin with. So if you’re going to go down this path, be careful. It’s it’s it’s getting so easy to lose all your stuff and get pwned. It’s not even funny. But with that said, that’s kind of the gist of this one. I would highly encourage that. If you guys are going to be downloading installers, just careful what you get into.

Try to buy from legitimate places. Try to download from legitimate places, support developers. And if you’re an employee, don’t put information into OpenAI’s web based portal because it’s using your data to learn, right? There’s so many takeaways from this, but what I will always tell you is be careful on the internet.

This has been your host, Cipherceval, and I’ll see you in the next one.

Note: This is a transcript of the episode.

📢 Connect with us:

Newsletter: https://follow.exploitbrokers.com

Twitter: @ExploitBrokers

Medium: https://medium.com/@exploitbrokers

TikTok: https://www.tiktok.com/@exploitbrokers

🔗 References & Sources

• Google Ads: https://www.darkreading.com/threat-intelligence/cyberattackers-infostealers-youtube-comments-google-search
• Employees and Gen AI: https://www.darkreading.com/threat-intelligence/employees-sensitive-data-genai-prompts

  So we’ve all heard of brands like Kia that have been getting issues with them getting hacked, but what if you didn’t even need to get near the car to find out information about it? Well, Volkswagen has 800, 000 EV customers data that have been breached, and this is only the beginning. You should be worried about this, and we need to talk about it.

As well, Mirai Botnets have been expanding, and now they’re targeting industrial routers. That’s also not good news. All this in this episode of Exploit Brokers. Today we are facing an unprecedented array of data breaches, hacking attempts, and surges in digital crime. Why is there such a widespread amount and how little is noticed in our everyday lives?

Malware, dark sites, brute forcing, zero day script kiddies, and nation state hackers are all on the rise. Learn more about the threats we face and gain a bit more knowledge than yesterday. Hey everyone, another episode of Explore Brokers is coming to you now. Hey guys, it’s Cipherceval hosts. Thank you for tuning in.

If you could do me a big favor and hit that like, subscribe, and bell notification icon if you’re on YouTube. And if you’re on a podcast platform like Apple Podcasts or Spotify. If you could please give us a follow and 5 stars if you think we deserve it. It helps the channel grow and I would appreciate it immensely.

So guys, 800, 000 EV customer data. Is out there. I mean, it’s a mind boggling number. Volkswagen had major issues. They got breached and now there’s data is out there. Now I know a lot of you may be wondering, well, I don’t have a Volkswagen. I don’t have an Audi. I don’t have a seat or a Skoda. So why does that matter?

It matters because this is a trend we’ve been seeing. It’s no longer about just a car getting hacked. It’s about the entire infrastructure that gets hacked. And then the car is just kind of. An accessory to that. And what I mean by that is we’re seeing more and more of these cars are hooking up to servers and hooking up to other stuff.

There’s even a bunch of technologies that are going into it. You know, you can do stuff from spoofing GPS to apparently stealing data without ever being near the car. And that’s kind of where my concern lies, with this hyper connectivity of everything, we’re seeing more breaches happen, and information that shouldn’t necessarily be available, becoming available.

Let’s kind of dive into it with this article by Dark Reading. Volkswagen Breach exposes data of 800, 000 EV customers. Ethical Hacking Group Chaos Computer Club uncovered exposed data of electrical vehicle owners across the companies of Volkswagen, Audi, Seat, and Skoda brands. Volkswagen Group experienced a data breach last month exposing sensitive personal information of roughly 800, 000 electrical vehicle owners across its brands including Volkswagen, Audi, Seat, and Skoda.

Initially reported by German publication Spiegel, The breach has been attributed to an Amazon cloud storage system misconfiguration, which is managed by software subsidiary Cariad. The group reportedly left personal and location data openly accessible online for months on end, prompting the breach. So to give a bit of context and to give some information here from a software side, the Amazon cloud storage, which is generally an S3 bucket.

Uh, there is some other stuff, but S3 is kind of the most. Common any kind of cloud storage mechanism you have is kind of what it sounds like you put files and other stuff up there For whatever resources you might need granted when you put in text fields A lot of the stuff is probably held in the database, right whether you’re thinking information such as registration usernames blah blah blah But sometimes there’s stuff that gets put into cloud storage for a variety of reasons here What I’m wondering is why?

This kind of information, which we’ll get to in a second, what was actually leaked, why was this in a cloud storage instead of some kind of database? Who knows? Now, I just, I find that interesting. A lot of times you have, and this is something we’ve seen in the bug bounty community. You have misconfigurations as a bug because you shouldn’t be able to access things just on the open internet, but it does happen.

Let’s continue. The anonymous hacker who discovered the breach reported it to the chaos computer club, CCC. A well known organization of ethical hackers in Europe, the CCC tested the open, insecure access before informing Cariad and Volkswagen. As a good security research group does, you want to verify and confirm that what you’re about to send isn’t just blowing smoke in the air.

The data exposed in the breach included vehicle information, such as when EVs were switched on and off, along with location data, email addresses, phone numbers, and home addresses of car owners. And that’s, that’s where I just find it a bit mind boggling. Electric cars are pretty much just computers with wheels.

If we really want to talk about it, right? Whether it’s Volkswagen, Tesla, some of the Ford lightenings or whatever, all of the electric cars we’re seeing are just computers with electrical motors. At the end of the day, it’s no longer like the old, uh, ice, I believe they’re called internal combustion engine vehicles, where there’s a lot of systems at play, but it’s mostly mechanical.

Okay. Now you have a computer system. That’s pretty much electrical to mechanical and just where we’re seeing this go. And I find it interesting now on the security side, why did they have all this stuff somewhere easily available for months? There probably wasn’t proper auditing of anything. Um, whether that’s, there was a lot of turnover at the company.

I know a lot of the vehicle manufacturers have been having layoffs. I’m not sure if Volkswagen or Audi was one of them, regardless of the reason why it’s something that we’re seeing a lot of companies go to these cloud providers. And you have a lot of novice or even mid tier and even senior software engineers, if I’m being honest, you have a lot of engineers who are just not super familiar with some of the cloud and that’s where you get misconfiguration stuff.

If you have someone who’s done desktop apps and they go to a company that does a lot of cloud stuff. And they’re not sure of the best way to do it. And their it isn’t sure of the best way to do it, or they just have high turnover. That’s where we get into these kinds of scenarios. Is it the only way? No, but it’s something I’ve been seeing.

Because with anything, a lot of hacking tends to be just some kind of human error. And when it comes to misconfiguration bugs, a lot of the time is because there was things that the administrator wasn’t aware of stuff that they didn’t change. Think default passwords, you know, admin, admin, root, root, et cetera.

And just like that, there’s also access control misconfigurations and other stuff. So here, it seems like they just kind of left it open to the public. A wide variety of individuals have been affected by the breach, including at least two German politicians and the Hamburg police. While most affected vehicles were located in Germany, Spiegel’s hired researchers found details about cars in Norway, Sweden, the UK, the Netherlands, France, Belgium, and Denmark.

And I’m honestly kind of surprised it only went that far. I’m surprised it didn’t hit the U S it didn’t hit Australia, et cetera, et cetera. Now part of that also probably is the way that they segment their data, right? When you think about servers and when you think about cloud providers, a lot of times, a lot of the times they will have a cloud in one region.

And you have like, for example, AWS has like East Ohio, the West, they have several in Europe, right? So it just depends where. That S3 bucket was being held and it might not be an S3 bucket. There might be more to it, but wherever that server was being held, that was probably the part that was misconfigured versus, you know, maybe some of their cloud in another, uh, region is not privy to that.

It might be better security. It may have just been that this was. One of the backup or one of the fallbacks or et cetera. And that was not properly, not probably put behind access controls. It’s stuff we see. It’s kind of sad to see this kind of stuff happen, but it does happen. And with that, let’s go ahead and jump into the next one.

So this is by the hacker news. Mirai botnet variant exploits for faith router vulnerability for DDoS attacks. So for those of my listeners who either have been with me for a little while or haven’t been with me for a little while. I want to give a bit of context for those who haven’t been, or who aren’t privy to it, or aren’t aware of it.

The Mirai botnet is a botnet that’s been around for a while. They’re pretty powerful. They tend to do a lot of IoT based and other stuff. And the DDoS attacks that they’re mentioning is a distributed denial of service attack. A denial of service attack essentially means that one computer hits a server or a computer as much as they possibly can to try to prevent service.

A distributed denial of service attack is pretty much that scaled up. Where you have a couple thousand computers, a couple hundred, doesn’t matter, more than one. And that computer is sending as much data packets to a server to try to overload it with requests. Because if a server can only handle say a thousand requests per second or a thousand requests per minute.

And you flood them with a million per minute. You’re pretty much going to overload that server to the point that packets are even going to fall that they’re just not going to get picked up by the server at all, because you’ve overloaded it to the point that they can’t even do basic handshakes and stuff like that.

And the, for faith router. Is a brand from China, as far as I can tell. And that’s kind of the main things I would like to know, but I would like you to know before we jump into this and break down some other stuff. So MRI botnet variant has been found exploiting a newly discovered security flaw impacting for faith industrial routers since early November, 2024 with the goal of conducting distributed denial of service attacks, which I already explained.

The botnet maintains approximately 15, 000 daily active IP addresses with the infections primarily scattered across China, Iran, Russia, Turkey, and the United States. So if they have 15, 000 daily active IP addresses, that means They should have 15, 000 bots online daily. Could there be other bots? And, um, we’re seeing, you know, they just get taken down.

Some get brought back online. Very possible. But if we’re seeing about 15, 000, that’s a pretty good amount of bots that we’re seeing exploiting an arsenal of over 20 known security vulnerabilities and weak telnet credentials for initial access. The Mauer is known to have been active since February, 2024.

The botnet has been dubbed something I’m not going to say on this channel. And you’re welcome to look up the article to, to read what that is in reference to the offensive term present in the source code that should say a lot. So before I continue, when you’re talking about weak credentials, telnet is Another way to remote into a server.

If you want to think like SSH or, you know, a secure shell and you want to think like a FTP, right, a file transfer protocol, whenever you remote into a server to either do stuff, pull files, push files, telnet is just another way of doing that telnet is, I think not used as often as SSH is, or at least it shouldn’t be used as often as SSH is.

But it’s still around. It’s, it’s been around for a while and it’s going to be around for a while. Now, GQ Engine X Lab said it observed the malware leveraging a zero day vulnerability in industrial routers manufactured by China based Forfaith to deliver the artifacts as early as November 9th, 2024. So, a zero day being anything that is a vulnerability or a bug that the vendor doesn’t know about.

So, there’s been zero days that they’ve known to fix it. Last month, Volchek told the Hacker News that the vulnerability has been explored in the wild to drop reverse shells and a Mirai like payload on compromised devices. So the way that botnets will generally operate is they’ll have some kind of mode of infection.

They’ll have a dropper or something like that. And then they’ll have the actual botnet payload, the thing that does infection. Now I’ve seen this play out in very different ways. Sometimes they’ll have different versions of the bot. Sometimes there’ll be just one bot that tends to change over time. You have like version one, version two, version three, and as the developers get better at it, they’ll make new versions.

Um, and I bring that up because the fact that dropping a reverse shell means that they want some kind of remote access to do stuff, and you have to be careful of the kind of vulnerabilities used there. Some vulnerabilities can give you root access, and those are like the most dangerous because if it’s root access with a remote code execution, RCE, That’s where you can pretty much take over a system pretty quickly.

Now, some CVS could be something like you get in, but you have low level. So you need a chain it with something akin to a privilege escalation attack, right? Where you get in as a weaker user, but use privilege escalation tax to kind of go up. And I bring that up because right here, some of the other security flaws exploited by the botnet to extend its reach and scale include.

Several CVEs, but I’ll go through them really quick. CVE 2013 3307, CVE 2013 7471, CVE 2014 8361, CVE 2016 20016, CVE 2017 17215, CVE 2017 5259, CVE 2020 25499, CVE 2020 9054, CVE 2021 35394, CVE 2023 26801, CVE 2024 8956, and CVE 2024 8957. You’re probably wondering, you, you know, why did I just go over all those?

Good question. The biggest problem I have with this list is some of these CVEs are from 2013. The first ones on that list Surprised me the most because something from 2024 may not get patched as quickly, but something from 2023 probably has a patch. And if it doesn’t have a patch, then, oh my, that’s bad.

But the 2013 CVE should have a patch, which means it’s just harder to patch this stuff. The problem with routers, the problem with IoT devices, the problem with embedded devices, and that’s something you’ve heard me talk about on this channel before, the problem with these devices is, once they’re set up, they’re generally not maintained the way you would like your phone, or your tablet, or your computer.

When you get on your phone, most of the times you’ll be prompted, hey, there’s an update. But how many times do you update your router if you’ve ever updated a router? Because those are just not as easy to update from a user perspective. If you think about security cameras, routers, Heck, your fridge or your, I would hope not, but your range or your oven.

If they have any kind of firmware, how easy is it to update them? Now, if they’re not connected to the internet, that’s less of a concern, but if they’re connected to the internet and you have one of those smart fridges, what if that has CVEs in it and they’re stuff from 2013, 2015, they just never patched?

But the biggest problem with routers compared to the smart devices is the smart device isn’t necessarily facing the internet. You could misconfigure it, of course, but a router by definition is always facing the internet. And that’s what makes it much more problematic. And when you talk about industrial routers, you probably have a bunch of old outdated routers in the middle of a facility that just don’t get touched because they work and they’ve been there for a long time.

Now, to continue on, once launched, the malware attempts to hide malicious processes and implements a Mirai based command format to scan for vulnerable devices, update itself, and launch DDoS attacks against targets of interest. Now, like any good malware, or any Advanced malware. It tries to hide itself, which, you know, if we’re assuming a piece of malware is good, they should at least try to hide themselves, obfuscate their activity, things like that.

And then they pretty much look for ways to propagate. If you find other vulnerable devices, you can start a spread like a worm and so on and so forth. So DDoS attacks leveraging the botnet have targeted hundreds of different entities on a daily basis. With the activity scaling a new peak in October and November 2024.

The attacks while lasting between 10 and 30 seconds generate traffic around 100 gigabits per second, which comes out to roughly 12. 5 gigabytes per second, which if you kind of extrapolate that out, that’s roughly 750 gigs a minute. I don’t know about you, but that’s a good amount of data to be hit at once.

Now, the disclosure comes weeks after Juniper Networks warned that the Smart Session Router SSR products with default passwords are being targeted by malicious actors to drop the Mirai Botnet malware. Akami has also revealed Mirai malware infections that weaponize a remote code execution flaw in DG Ever DVRs.

Which going back, RCE, whenever you have an RCE that makes it so much easier to do stuff because if you can run a command that says download this bot, it’s just, it’s just that much easier. Now, the DigiEver DVRs, I have not come across this brand, but a DVR generally is a digital video recorder, I’m assuming that’s what they’re talking about here.

And DVRs is kind of one of those other, like, It’s one of those other devices. Sure. You may interact with it, but if they don’t have a very good way to run updates, if they don’t prompt you, Hey, do you want to update? If you got to go into some obscure setting and see if there’s an update functionality in it, then that’s where a lot of this.

Becomes more vulnerable to old CVs, right? Because even if they find a way to patch these digi ever DVRs, if the way to update it is plugging in a USB, downloading some zip off the internet, um, and plugging it in, booting it up into some special mode and running it, you’re going to have almost nobody update that router and nobody update that DVR or embedded device or camera or whatever.

The same kind of applies to all of them because. I’m not sure about you, but I’m pretty sure most people won’t do that. Most people that I know won’t do that. Most of my family members won’t do that. Because it’s kind of difficult. You gotta be a techie, you gotta be technically savvy. And even if you are technically savvy, how many of us are trying to download a zip to install on our fridge?

It’s just not something that’s done. Not often. Anyways, I know that I’ve had to update like old lenses on some camera that I had. And I was shocked because it was like, you left it connected to the camera. Then the camera would get connected to the computer and then you could update it that way. They didn’t have any, like connect to wifi and just update the camera.

Now this is a, you know, and a DSLR. And that is often not connected to the internet, but still, it’s just kind of crazy that there’s in the modern day, you have expensive equipment like DVRs, cameras, and all this other stuff that don’t have some better mechanism to update or even to be able to update themselves.

Now, the final part of the article, DDoS has become one of the most common and destructive forms of cyber attacks, X Lab researchers said. Its attack modes are diverse, attack paths are highly concealed, and it can employ continuously evolving strategies and techniques to conduct precise strikes against various industries and systems.

Posing a significant threat to enterprises, government organizations, and individual users. The development also comes as threat actors are leveraging susceptible and misconfigured PHP servers to deploy cryptocurrency miner called a packet. And this goes back, right? Misconfigurations, misconfigurations are probably much more common that they should be.

If you have a misconfigured SQL, misconfigured ports, misconfigured service, misconfigured anything. It’s just a lack of knowledge on the admin, the developer, the it, whoever’s controlling, maintaining, and updating that piece of software. Now, could it be that there’s some obscure configuration that no one’s aware of?

Sure. But we are seeing a lot of like admin admin, whoever set it up did not even bother to change the default creds. And that’s bad because that is like an easy thing to fix. That should be like day one. You go in, you do your best to wipe everything that has default creds, updated, secure it, harden it. Um, especially when you’re talking about devices that may never get updated ever again, I would hope that the tech or the it people who set it up should at least configure it where it should be.

Harder than admin admin. Was it admin admin in this case? No, but if they’re using default credentials, it could be pretty easy to just brute force, but guys, I want to thank you for tuning back in. I am trying a new format. I am getting rid of the music. So if you’ve gotten this far and you prefer that format, please leave a comment or send me an email through exploitbrokers.

com. There’s a contact form on there. You want to reach me. And you can always email me at support or support at exploitbrokers. com. This has been your host Cipherceval. I want to thank you for staying this long and I’ll see you in the next one.

Note: This is a transcript of the episode.

📢 Connect with us:

Newsletter: https://follow.exploitbrokers.com

Twitter: @ExploitBrokers

Medium: https://medium.com/@exploitbrokers

TikTok: https://www.tiktok.com/@exploitbrokers

🔗 References & Sources

* Volkswagen: https://www.darkreading.com/cyberattacks-data-breaches/volkswagen-breach-exposes-data-of-800k-customers

* Mirai: https://thehackernews.com/2025/01/mirai-botnet-variant-exploits-four.html

 So, everyone’s been talking lately about the telecoms getting hacked by Salt Typhoon, the Chinese threat actor. And, well, things just got kind of worse for the U. S. government because the U. S. Treasury Department just also got hacked by Chinese threat actors. That, and we have millions of fake stars on GitHub, which is helping malware and other stuff get spread.

Let’s talk about that in today’s episode. Today we are facing an unprecedented array of data breaches, hacking attempts and surges in digital crime. Why is there such a widespread amount and how little is noticed in our everyday lives? Malware, dark sites, brute forcing, zero day script kitties, and nation state hackers are all on the rise.

Learn more about the threats we face and gain a bit more knowledge than yesterday. Hey everyone, another episode of Exploit Brokers is coming to you now. Hey guys, welcome to another episode, if you could please do me a favor because it helps the channel grow. If you’re on YouTube, if you could hit that like, subscribe, and bell notification icon.

It would be great. And if you’re on something like Spotify or Apple Podcasts, if you could please give a subscriber or follow, so that way you can get updated with new episodes. And if you think we deserve it, give us a 5 star review to help us reach more people. With all that said, I am Cipherceval, your host, and let’s get into it.

Dark Reading, we have an article from them, Chinese state hackers breach U. S. Treasury Department in what’s being called a major cybersecurity incident. Major cyber security incident kind of being easiest way to say it Beijing backed adversaries broke into cyber vendor Beyond trust to access the US Department of the Treasury’s workstations and steal unclassified data according to a letter sent to lawmakers So before I jump into some of the nitty gritty of the article I kind of want to give a bit of context what you have a lot of companies agencies governments do is They have a way to access secure stuff, right?

so You have a VPN or a portal, there’s stuff like even Citrix, Beyond Trust, and a few different other solutions that essentially let you remote in to a secure environment from a nonce, relatively non secure environment, right, from, think laptops and other stuff that maybe personnel carry with them, and that’s kind of where the root of all this happened, it’s because of a vendor that they were using, Beyond Trust, Beyond Trust.

That all this kind of played out, but we’ll get into that right now with the article. I just kind of want to give you a heads up on that. It’s nothing that the U S treasury department themselves did, but they’re kind of in the middle of this because of fallout from a vendor. Now the U S the U S department of the treasury alerted lawmakers on Monday, that Chinese state backed threat actors were able to compromise his systems and steal data from workstations earlier this month.

Because an Advanced Persistent Threat, APT group, is suspected to be behind the hack, it is being treated as a major cyber security incident. The disclosure letter from the Treasury Department said, The letter was sent to the chairman and ranking member of the senate committee that oversees the agency.

So, you have, and we’re seeing it more and more, you have these threat actors, APTs, that, pretty much, are trying to do different things, right? Some of them trying to wreak havoc, some of them are trying to steal intel, It just depends on which threat actor is happening, or which threat actor we’re talking about.

In this case, we’re talking about one of the threat actors from China. Whether that’s Salt Typhoon or not, I don’t think the article even goes into that and I haven’t heard anything else on it, but it could be them. But essentially, that’s just who we’re talking about right now. Adversaries broke into the Treasury Department through third party cybersecurity vendor BeyondTrust, and gained access to a remote key used by the vendor to secure a cloud based service used to remotely provide technical support for Treasury Departmental Offices.

D. O. End users. The letter explained, with access to the stolen key, the threat actor was able to override the service’s security, remotely access certain treasury DO user workstations, and access certain unclassified documents maintained by those users. So, what happens a lot in IT development, developers, just in the world of tech, right?

You have privilege levels when you’re talking about remote access. You’re going to have the lowest level, which is say a user, right? You generally only give them access to applications and workstations that they need. And that’s it, right? You shouldn’t have an analyst per se, trying to access the workstation of every other analyst.

Maybe they have a shared, you know, a SharePoint or somewhere that they can exchange data or stuff, but generally you don’t want them to have full access over each other’s workstations versus something like an admin. Think, you know, like a network admin says admin, they need more than just that, right?

They have the trust to not do anything. And then they have to maintain workstations, troubleshoot, user accounts, troubleshoot, use workstations, applications, and different things like that. And then you have developer accounts, which are generally can be more privileged than the system admins. Even then, developer accounts, there is ways to segment it where, you know, maybe the primary account the developer uses is still somewhat limited, and then they have a super admin account, which they shouldn’t be using often.

Maybe they just have, they don’t have the permission, and they have to send out work tickets for other specific things, right? Whenever you go for more security, you kind of inconvenience developers and admins, so there’s trade offs, right? You Can’t give a developer necessarily admin to everything and anything, but if you want them to maintain databases, well, they need database access.

If you want them to be able to troubleshoot production issues, well, now they need production access. So there’s kind of, there’s a trade off for a lot of this, right? And if you steal an access key from a developer or an admin or one of those, you’ve essentially stolen keys to the kingdom. When you think about the valuable targets or what these, whether it’s cyber criminals or threat actors are going after when they are trying to steal credentials or they’re trying to steal stuff.

There isn’t a whole lot of value in lower end users, but if those lower end users let you pivot and go laterally until you find a machine where you can do privilege escalation or in this case, steal a key that’s very valuable that gives more access to be able to override certain security measures.

Well, then that’s a valuable goldmine. So those are just some things to think about right? It’s not super cut and dry where if you steal a key, that’s it. You’ve got keys to the kingdom. If you steal the key to a low level user account, well, then you still got to try to do lateral, but if you steal the key to say the admin, Or the, one of the main developers, then that becomes a wider area of influence.

So it’s things just to keep in mind. Beyond trust has more than 20, 000 customers across more than 100 countries who use its privileged remote access tools, according to its website, which also states that the company is used among 75 percent of fortune, 100 organizations going back again, right? You have a lot of companies and agencies and both private, public, et cetera.

Who want their employees and contractors and other stuff to be able to access stuff securely. The problem is that the vendors who set this up sometimes have more access over the system, depending how on how the whole thing is set up, right? They may need more access to troubleshoot this. If the stuff is not necessarily provisioned in the right way, then more people might have access than they need.

It’s just kind of a back and forth auditing a privileges of user accounts is something that I believe is somewhat normal when it comes to the IT world, but there’s always more auditing that could be done, but then that takes money, time, resources, etc. Beyond Trust told the Treasury Department about the issue on December 8th.

The department, along with the Cybersecurity and Infrastructure Security Agency, CISA, and the FBI is investigating the compromise according to the letter. A Beyond Trust advisory said the company was alerted on December 5th to a compromised API key. Which was immediately revoked. Impacted customers have already been notified and the company is working with them on remediation according to a statement from a beyond trust Spokesperson.

So we’re talking about an API key. That’s an application programming interface It’s essentially a way for another program to talk to a target program, right? You may log into your bank’s website and do certain things on there But that backend and maybe other services need to talk to the program directly.

And you have two programs that can talk to each other through this kind of API. And an API is really a fancy way of saying you’re doing text based requests going back and forth that are kind of predetermined or do certain things, but you do them programmatic. I’m kind of oversimplifying, but that’s kind of what I’m talking about.

So, Biontrust previously identified and took measures to address a security incident in early December 2024 that involved the remote support product, the statement said. No other Biontrust products were involved. So that’s just the statement, right? They have to kind of give some information, but maybe they’re not ready to give all the information out.

It’s something we’re seeing, right? You don’t want to freak everyone out that they’ve, you know, been completely owned through a supply chain attack or something else when that hasn’t been the case and they haven’t confirmed it. So I can understand them saying that, but hey. Once we get more information, that’s obviously going to be more interesting to kind of go and dissect.

Now, there is more of the article that talks about the epic Chinese hack of the US Treasury, because something that we’re seeing is that recently, Salt Typhoon, and I haven’t covered this, but it’s several other YouTubers, several articles, and other stuff I’ve covered it. Salt Typhoon recently has been found to have been in more telecommunication companies than originally thought.

I believe I touched on some of them, but I think as more information is coming out that more and more of the telecom agencies are actually hacked. And there was even, I believe, a safety advisory or some kind of notice that the government was saying, urging people to pretty much switch from SMS, which is text based, to To some kind of encryption think like signal because what happens with text communication specifically I don’t know about RCS, which is kind of a new tech But SMS whenever you send a message that message is sent via plain text that plain text message is generally held in some reservoir that the telecom companies have think of a database essentially and They do that because from when you send it to when the recipient is found.

It’s not instantaneous, right? It’s not like you’re pinging some IP network The network has to do resolution and figure out where this client is. What’s the closest antenna to them. And, you know, it’s more sophisticated than just trying to reach a server because this is a moving target, right? So there’s much more noise and chaos that get mixed into it versus just a normal DNS and it seems like salt typhoon has accessed a bunch of that information.

And depending on how long they’ve been in the system, the amount of stuff they can exfil. Or exfiltrate is enormous, right? Imagine being able to see every text message from the United States or anyone in the United States or anyone in the Philadelphia area, anyone in the Washington DC area, right? It starts to get really crazy when you think about the implications of it, but right now the government was just dealing with that only for the U.

S. Treasury Department to get hacked. It really seems like. Chinese threat actors are really taking advantage of kind of the turmoil between the elections and you know, the dysfunctional nature of government and they’re mounting more and more cyber attacks. So it’s going to be interesting to see where that goes, but that is kind of the gist of this article.

Um, and just kind of breaking down some of the major points on this. Now that we talked about that, let’s talk about GitHub. Now in an article by bleeping computer, Over 3. 1 million fake stars on github projects used to boost rankings. So, whenever you’re talking about stars on github, again, to give a bit more context before we jump into the article, whenever you’re talking about stars, think of it kind of like a, like the like button on social media.

A star on a github project, which are open source projects, is a way of saying, hey, I like this repository, and that signals to other users of github, hey, this could be a worthwhile and or trustworthy repository. And the reason that’s important, right, is you have a lot of developers, whether it’s, you know, new novice developers or seasoned developers or et cetera, who use GitHub because you can’t necessarily write every piece of code yourself.

You can, but then you’re going to be spending maybe months rewriting a library that already exists and it’s useful. Think cryptography, right? You want to use a tried and tested cryptography library. Because you trying to roll your own cryptography is pretty much guaranteed to fail in one form or another.

Whether it’s implementation, typos, you name it. Rolling your own crypto, cryptography, and I’m not talking about crypto like bitcoin, but cryptography like encryption, is kind of one of the easy ways to mess something up. So because of this, a lot of developers rely on github. Not only github, but that’s kind of the most popular one and it got bought out by Microsoft a while back.

So now that you have this repository of open source projects, And the stars are being used to manipulate it where you’re like, well, why does that matter? Well, when you have the ability to influence rankings of top packages, you start to get malicious things happening because at that point you can buy stars away.

You can buy likes, and that’s where kind of this problem arises. So let’s jump into the article and I’ll be back and forth the way I normally get hub has a problem with inauthentic stars used to artificially inflate the popularity of scam and malware distribution repositories. Okay. Help with them reach more unsuspecting users stars are similar to the like button So social media allowing github users to favorite a repository.

So I’m gonna skip over some of the stuff I’ve kind of already explained one interesting thing to kind of discuss and to kind of bring to light is I know maybe some of my audience aren’t software engineers, software developers, maybe some of you are just cyber security people, maybe some of you are just people who are interested in this and are just seeing from the outside looking in, or maybe you’re new to cyber security or programming, but the problem with manipulating rankings on this level, right, the amount of packages that modern applications use is massive.

If you think something like NPM, there’s a running joke where NPM is like 50 gigs for a Hello World. Um, that’s not the exact joke that I’m paraphrasing, but it might as well be. Because what happens is, you have a lot of libraries that don’t necessarily need to exist, but some of them are extremely useful.

And there’s so much bloat in the amount of packages that a piece of software has now. And a package is just pre written code by someone else. With that said, just continue. The problem has been documented previously, like last summer when Checkpoint uncovered a malware delivery service named the Stargazer’s Ghost Network, which used an extensive network of inauthentic users starring fake projects to push information stealing malware.

Non malicious projects also use fake stars to boost their popularity, increase their reach, and attract legitimate user attention, real stars, and adoption. Whenever you get a malicious thing, And you, whenever you get a malicious package and you push it up and it makes it popular, now you’re kind of thinking about this from, okay, say 10, 000 applications installed.

Now you have a supply chain attack because those 10, 000 applications are legitimate applications and they might actually have ways to sign. So you have this malicious thing being Trojaned in without the developer wanting to Trojan in, and then they can distribute this piece of software. Say it’s a trusted thing, right?

It’s. One of the apps that we’ve used on Windows. Think like WinRar, or 7 Zip, or, you know, Chrome, or any of those applications. Imagine if they installed this malicious package, and now it affects pretty much everyone. Because if you’re thinking Chrome and Firefox, if they were to install any of these malicious packages, now that’s a huge target base.

And it’s a supply chain attack. We’re seeing these more and more. But now, the ability to manipulate the rankings with the stars and the bots. Makes it easier to implement this right because you’re not just hoping a developer finds your package You’re now making it more likely that a developer will find your package And if developers are under deadlines and stress, they may not read everything and that’s just the human nature of it Now there are saying non malicious projects use this, you know, kind of like social media Sure You may have some bad actors trying to push up their likes to push some scammy Product but you also have people that are trying to just become influencers and they might buy it likes you might have Legit projects that are like hey, I think this is useful, but no one seems to be picking this up So they’re paying to kind of get this up buying Users and all that is generally frowned upon because there should be unique or not unique There should be you know, authentic interaction My problem with buying with using bots, right?

Is you’re not driving real traffic. Sure. You might get a spike in traffic, which then lets you find other people, but the way algorithms work or at least, you know, search algorithms work is they rely on a lot of signals and very, I would say complex markers. And if you start to mess with that by introducing bots, which have no personality, it’s just wherever the money’s coming from, right?

You could have just a complete messing up of. The characteristics or the metadata of your channel or get up or whatever you’re doing. So I generally don’t like bots because it skews in directions that you may not anticipate. If all the bots are liking prank channels, let’s talk about YouTube for a second.

If all the bots are liking prank channels and you push a cooking channel, well, now they may be incentivized or YouTube might be incentivized or one of the other video sharing sites might be incentivized. To share your cooking video to even more prank channels because the bots that are liking prank channels are liking yours So there has to be some overlap and that’s not necessarily what’s happening with github, but that’s why I dislike bots Anyways, so the researchers here were actually using some let’s call it AI ish Methodologies, they’re using math and whenever you talk about math you start to kind of veer into like The precursors to AI, because AI is just really fancy math, calculus, and stats.

Um, pretty much. So looking for fake stars, it’s a subheader in the article. The researchers developed and used a tool called Starscout to analyze 20 terabytes of data from GH Archive to find inauthentic stars. GH Archive contains metadata of over 6 billion GitHub events from July 2019 to October 2024, including 60.

5 million user actions on 310 million repositories and 610 million stars. In other words, they just have a lot of log data. But, it’s, it’s just that, right? You need log data to see what’s going on and try to do some analysis. So, StarScout detects users who show minimal activity on GitHub, like star in a single repository, have bot or temporary account activity patterns, and account groups that act in coordinations such as starring the same repositories within a short time.

Their method is based on the CopyCatch, an algorithm designed to detect fraudulent patterns in social networks. So, from a math perspective, right, you will have some kind of data patterns that will naturally emerge. Whenever you’re looking at large pieces of data just like before elections There’s a certain amount of searches or if you look at Google Trends, for example those all tend to go up just before an election cycle or when you look at like Shopping it tends to go up just before the Christmas season There’s certain patterns that are just inherent from a psychological perspective that human nature happens with But when you start talking about bots, they don’t exhibit the same thing Here, one of the easy ways to kind of figure out is if you have all these accounts that are starring or liking this specific account, and you see them doing that consistently for multiple accounts, that’s not very likely.

The likelihood that user A, user B, and user C all like the same account within the same day, and then they do that 10, 20, 30 times, so 10, 20, 30 different repos or user accounts or whatever, is not likely. Because the amount of data and accounts and social media and just the internet is massive. So that’s where you see these outliers and you can essentially do something like a k nearest neighbor and all these graphs.

There’s a bunch of kind of algorithms and mathematical ways to do this and that’s what they’re talking about here. Copycatch. It’s an algorithm that’s been fine tuned. Or at least the concept has been tuned to preventing or detecting fraud in social networks. Now they found 4. 5 million stars, but then they actually tried to, they did some sampling and did some other stuff and they reduced that to 3.

1 million fake stars given by 278, 000 accounts to 15, 835 repositories, which is still massive. When you think about the amount of accounts or bots and the amount of repositories that are paying, because you have to pay money for this, right? And. Now, now there is kind of a good side, which is the researchers did report this to github and it seems like they’re taking action against it but you can’t just do a massive ban, you have to make sure that you’re actually using some kind of metrics on the github side to validate this information, right?

Trust but verify, and that’s kind of the gist of this. There will always be a way to hack the system, in a way. Um, because whenever you’re talking about social media or rankings or something else, just like we’ve seen with SEO and the internet, there’s ways to game the system. So it will always be a can and mouse.

That is ultimately what cybersecurity is. It simplifies to, you find a loophole, they patch the loophole, you find another loophole, they patch the other loophole, and it just goes back and forth. Uh, and sometimes it’s legitimate loopholes that get patched and sometimes it’s just fraudulent stuff and malicious stuff.

Bugs could, you know, could make the application unusable or bugs could make the application super insecure. And that’s the world of software development. But guys, I want to thank you for tuning in to another episode. This has been your host Cipherceval and I will catch you in the next one.

Note: This is an autogenerated transcript

📢 Connect with us:

Newsletter: https://follow.exploitbrokers.com

Twitter: @ExploitBrokers

Medium: https://medium.com/@exploitbrokers

TikTok: https://www.tiktok.com/@exploitbrokers

🔗 References & Sources

* US Treasury Hacked: https://www.darkreading.com/cyberattacks-data-breaches/chinese-state-hackers-breach-us-treasury-department

* Github Fake Stars: https://www.bleepingcomputer.com/news/security/over-31-million-fake-stars-on-github-projects-used-to-boost-rankings/