• You Wouldn’t Download a Car—But You Could Hack One Remotely: Uncovering Kia’s Alarming RCE Flaws

    On June 11, 2024, a group of independent security researchers uncovered critical vulnerabilities in Kia vehicles that allowed for remote control of key functionalities—using nothing more than a vehicle’s license plate.

    The researchers revealed that attackers could execute remote commands on affected vehicles within 30 seconds, regardless of the status of Kia Connect subscriptions. This discovery also meant that an attacker could obtain sensitive personal information about vehicle owners, including names, phone numbers, and physical addresses, potentially allowing them to add themselves as unseen second users on the vehicles without the owners’ consent.

    Although Kia has since patched these vulnerabilities, the incident sets a precedent for broader issues within the automotive industry regarding cybersecurity and data protection.


    Identifying Vulnerabilities

    The research team—comprised of Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll—has a track record of identifying vulnerabilities across multiple automotive brands. Their investigation into Kia began with a focus on the owners.kia.com website and the Kia Connect mobile app, platforms that facilitate command execution on vehicles via the internet. The researchers found that while the mobile app communicated directly with the API, the website used a backend reverse-proxy to relay commands. This architectural flaw opened a pathway for exploitation, prompting further investigation into Kia’s dealer infrastructure.

    Targeting Dealer Infrastructure

    The researchers discovered that Kia’s vehicle activation process for new purchases required customers to provide their email addresses at the dealership. They could then receive a registration link to either create a new account or add a vehicle to an existing account. By analyzing the registration links, the researchers identified an intriguing endpoint on the kiaconnect.kdealer.com domain—an area previously unexplored. The researchers proceeded to assess how this endpoint operated, discovering a one-time access token system that Kia dealers used to grant access to vehicles. With this newfound knowledge, the researchers experimented with the Kia dealer portal, probing the infrastructure to determine if they could leverage their access to manipulate vehicle controls.


    Uncovering the Exploitation Path

    After several attempts, the team successfully registered as a dealer and generated an access token, allowing them to send requests to restricted dealer APIs. This access facilitated a sequence of commands that could be executed to take control of a victim’s vehicle. The vulnerabilities they uncovered provided a clear attack vector, enabling an unauthorized user to gain access to personal data tied to the vehicle, including the owner’s name, phone number, and email address. This discovery caused concern not just for Kia, but for the entire automotive sector, emphasizing how critical security in vehicle software has become.

    In a compelling demonstration shown below, Sam Curry showcased the KiaTool, an open-source utility developed by the research team, that can unlock Kia vehicles with minimal effort.


    Summary of the Flaws in API, Token Handling, and Data Protection

    1. Insecure API Communication: The Kia Connect app’s reliance on insecure API calls raised immediate red flags. The application failed to implement adequate verification processes, allowing attackers armed with just the vehicle’s license plate to send commands without authentication. During the demo, Curry illustrated how, with the KiaTool, he could easily send requests to the API without any checks in place.
    2. Authentication Bypass: The team uncovered a critical flaw in the vehicle registration process. When vehicle owners purchased their cars, they were required to submit their email addresses to dealerships. This information facilitated the sending of registration links to users. However, the researchers identified that by reverse-engineering these links, they could bypass standard authentication protocols. Curry’s demonstration highlighted this flaw, showing how a simple email manipulation could grant access to vehicle controls—essentially sidestepping the need for legitimate account creation.
    3. Access Token Exploitation: The researchers delved deeper into the access token system used for dealer operations. They discovered that the one-time access tokens generated for dealership transactions were not adequately protected. After gaining access to the dealer portal by registering as a dealer, the team successfully created a dealer account, generating valid access tokens that provided unauthorized access to dealer APIs. In his demonstration, Curry executed remote commands on a locked vehicle, showcasing the profound implications of this access token vulnerability—commanding the car to unlock with a few clicks.
    4. Data Leakage: In addition to remote control, the vulnerabilities allowed attackers to extract sensitive personal information linked to vehicle owners. This included names, phone numbers, and email addresses—data that could be weaponized for targeted phishing attacks or harassment. Curry emphasized the potential for this information to facilitate identity theft and physical vehicle theft, a significant concern for vehicle owners.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact


  • Scary Cybersecurity Statistics for 2024: What You Need to Know During this Cybersecurity Awareness Month

    In 2024, cyber attacks have reached a staggering new high. With the average organization experiencing 1,308 attacks per week in the first quarter alone, a 28% increase from the final quarter of 2023, it’s clear that the landscape is growing more dangerous every day. Cybersecurity Awareness Month offers the perfect moment to reflect on just how pervasive these threats have become—and how businesses can better prepare themselves.

    As if the number of attacks wasn’t alarming enough, the financial impact is nothing short of catastrophic. In 2023, cybercrime losses hit a record-breaking $12.8 billion. But brace yourself: experts predict that by 2027, global cybercrime will cost an astounding $23.84 trillion.

    Yes, trillion.

    These numbers aren’t just statistics—they represent real financial damage, operational disruption, and in some cases, the collapse of businesses.

    So, where does that leave your organization? Are you equipped to handle the next wave of attacks? Let’s take a closer look at some key statistics and trends that should raise the hair on the back of your neck—especially if you’re running a small business or operate in sectors like healthcare.


    The Global Toll of Cybercrime

    Cybercrime isn’t just a buzzword. This year’s numbers paint a grim picture of an ever-growing threat:

    In 2024, the U.S. Internet Crime Complaint Center (IC3) received 880,418 complaints—marking a nearly 10% increase from 2023. With losses exceeding $12.5 billion, the urgency of addressing cyber threats has never been clearer.

    Phishing and spoofing continue to be the most common forms of attack, impacting nearly 300,000 individuals in 2023. Whether it’s a malicious email or a fraudulent website, these tactics remain the go-to for cybercriminals.

    Globally, 39% of consumers were victims of cybercrime in 2022, with many spending upwards of 3.5 billion hours collectively resolving issues stemming from these attacks. The human toll is almost as steep as the financial one.


    The High Stakes of Cyber Risk

    For businesses, the threat landscape is evolving at a rapid pace, and many aren’t fully prepared. As threat actors become more sophisticated, cyber risk management has shifted to the forefront of executive priorities:

    A staggering 58% of organizations now consider themselves at high or very high risk of cyberattacks. This has led to enterprises deploying an average of 53 different security solutions to mitigate their exposure—some using more than 76.

    One worrying trend? 97% of organizations have significant gaps in their cloud security strategies, leaving them vulnerable to exploitation. With more employees working from home than ever before, 62% of businesses agree that their attack surface has increased as a result.

    Artificial Intelligence (AI) is beginning to play a major role in cybersecurity defense. In 2024, 69% of executives say they will use generative AI to bolster their defenses—yet many remain unsure how to effectively deploy these tools to mitigate actual risks.


    The Hidden Dangers of Insider Threats

    While external attacks often grab the headlines, insider threats represent an equally dangerous—yet often overlooked—risk. The largest cybersecurity vulnerability for most businesses comes not from technology, but from people:

    In 2024, 76% of organizations reported insider attacks, up from 66% in 2019. With 74% admitting they are moderately to extremely vulnerable to these threats, it’s no wonder that the focus has shifted to managing employee behavior as well as external intrusions.

    Compromised accounts and machines remain the top concern, with 71% of security professionals citing them as the most dangerous form of insider threat. Negligent data breaches follow closely behind, impacting organizations’ critical data, brand reputation, and operational stability.

    Alarmingly, 90% of cybersecurity professionals find detecting insider threats as difficult—if not more challenging—than combating external cyberattacks.


    Ransomware and the Road Ahead

    Ransomware remains a significant threat in 2024. After a brief lull, incidents surged again, with reported losses rising by 74% year-over-year:

    The manufacturing sector has been particularly hard-hit, with ransomware attacks accounting for 29% of all incidents in Q1 2024 alone. The financial damage from ransomware incidents is equally jaw-dropping, with losses skyrocketing from $34.3 million to $59.6 million in just one year.

    The median cost of a ransomware attack rose by 29% in 2022, with businesses now facing a median cost of nearly $17,000 per incident. For many, the aftermath of these attacks includes not just financial loss but business continuity issues and brand damage that can last for years.


    Preparing for What’s Next

    If these statistics make you uneasy, they should. As we navigate an increasingly interconnected world, cybersecurity is no longer just the IT department’s problem—it’s a business-wide concern that demands attention at every level.

    What can you do to protect your organization?

    Prioritize Cyber Risk Management: Don’t wait until your organization becomes a victim. Start by assessing your current risk exposure and implementing a comprehensive cybersecurity strategy that includes employee training, threat detection, and response protocols.

    Invest in Employee Awareness: Insider threats can be difficult to detect, but training your workforce on best practices can significantly reduce risk. Ensure that cybersecurity policies are clear, accessible, and enforced across all departments.

    Strengthen Cloud Security: As more businesses rely on cloud-based solutions, cloud security must be a top priority. Regularly audit your cloud infrastructure for vulnerabilities, and close any security gaps that might expose you to an attack.

    Prepare for Ransomware: Make sure you have up-to-date backups and a tested recovery plan. Being proactive about ransomware can save you from crippling costs and long-term damage.

    By taking these steps, you’ll not only be better prepared for today’s threats but also ensure that your organization is positioned to face whatever comes next. Cybersecurity isn’t just an IT issue anymore—it’s a business imperative that demands attention from every corner of your organization. There’s no better time than now to start making serious strides toward a more secure future.




  • Netizen: Monday Security Brief (9/30/2024)

    Today’s Topics:

    • Windows Recall Reboot: A Safer, Opt-In AI Tool with Enhanced Data Privacy Controls
    • Patelco Credit Union Breach Affects Over 1 Million Members in Major Ransomware Attack
    • How can Netizen help?

    Windows Recall Reboot: A Safer, Opt-In AI Tool with Enhanced Data Privacy Controls

    Microsoft has reintroduced the Windows Recall feature, which was initially met with heavy criticism due to privacy concerns. After a complete security overhaul, the feature now includes proof-of-presence encryption, anti-tampering mechanisms, and secure enclave data storage.

    The original Recall feature generated controversy because it took snapshots of a user’s screen every five seconds for AI-based search functionality. These screenshots were stored locally, which raised alarms about potential misuse or exploitation. In response, Microsoft temporarily removed the feature from previews and has since made significant changes to its security infrastructure.

    David Weston, Microsoft’s Vice President of Enterprise and OS Security, stated in an interview that the new version of Windows Recall will be optional—users must proactively enable it during setup. The tool is also designed to be easily removed from the system if desired. Additionally, any screenshots or related data are now encrypted, and access is controlled by Microsoft’s Trusted Platform Module (TPM) in conjunction with Windows Hello Enhanced-Sign-in Security.

    One of the most critical changes is that Recall will only operate within secure Virtualization-Based Security (VBS) enclaves. This ensures that data is fully isolated, and even system administrators cannot access it. Weston also pointed out that this enclave system uses a just-in-time authorization model to prevent unauthorized access, similar to how password managers function.

    Additionally, the service now integrates Microsoft’s Purview Data Loss Prevention (DLP) technology to prevent sensitive information such as passwords and national ID numbers from being stored. This adds a crucial layer of protection for users concerned about data exposure. Moreover, the feature provides flexibility, allowing users to filter out data from certain apps or websites and manage retention times. If any unwanted content is stored, it can easily be deleted through a system tray icon that gives real-time updates and control over snapshots.

    This new security-focused design aims to assuage fears and provide users with greater control over what data is saved, ensuring privacy is a top priority while still offering powerful search functionality.


    Patelco Credit Union Breach Affects Over 1 Million Members in Major Ransomware Attack

    In a ransomware attack earlier this summer, Patelco Credit Union has reported that over 1 million individuals had their personal information stolen. The breach was first detected on June 29, prompting Patelco to take some of its banking systems offline. This led to service outages, affecting their online banking platform, mobile app, and call center operations.

    The California-based credit union, which operates as a not-for-profit entity, later found that attackers had gained access to its systems as early as May 23. During this time, the cybercriminals were able to exfiltrate a database containing sensitive personal information.

    Patelco initially informed the Maine Attorney General’s Office in August that data belonging to 726,000 customers and employees had been compromised. However, the company recently updated the number of affected individuals to 1,009,472.

    The types of data stolen in the attack include names, dates of birth, Social Security numbers, driver’s license information, and email addresses. Patelco has clarified that the specific information taken varies from person to person. In response, the credit union is offering impacted individuals two years of free credit monitoring and identity protection services, along with guidance on how to safeguard their personal details.

    While Patelco has not officially disclosed the ransomware group behind the attack, the RansomHub gang has taken credit. The group listed Patelco on its Tor-based leak site in mid-August after failed ransom negotiations, claiming to auction the stolen data. According to RansomHub, the stolen information goes beyond what Patelco initially disclosed, including details such as gender, physical addresses, phone numbers, passwords, and credit scores.

    Patelco continues to work with law enforcement and cybersecurity experts to manage the fallout from the breach.




  • Netizen: September 2024 Vulnerability Review

    Security vulnerabilities are a constant part of managing any business’s security posture. Promptly patching and remediating new vulnerabilities is critical to reducing the external attack surface. Netizen’s Security Operations Center (SOC) has compiled four critical vulnerabilities from September that should be patched or addressed immediately if present in your environment. Detailed writeups below:


    CVE-2024-47176

    CVE-2024-47176 describes a high-severity remote code execution vulnerability found in CUPS (Common UNIX Printing System) and specifically in the cups-browsed component. The vulnerability stems from improper binding to INADDR_ANY:631, which causes cups-browsed to trust any packet from any source. This flaw can allow an attacker to send a malicious Get-Printer-Attributes IPP (Internet Printing Protocol) request to a controlled URL, enabling the introduction of a rogue printer on the network. This can be exploited in a sequence of bugs within cups-browsed, ultimately allowing the execution of arbitrary commands remotely on the target machine when a print job is initiated, without any authentication.

    This vulnerability poses significant risks, particularly in networked environments, as it can be exploited from the public internet—leaving systems with exposed CUPS services vulnerable to remote attacks. The vulnerability has been assigned a CVSS v3 base score of 8.3, with a vector of CVSS:3.0/AV/AC/PR/UI/S/C/I/A, indicating severe impacts on confidentiality, integrity, and availability, requiring no privileges but some user interaction.

    Due to its critical nature, this vulnerability is listed in several security advisories, urging organizations to apply patches provided by OpenPrinting. The fix for this issue was released as part of ongoing security advisories from OpenPrinting, which addressed multiple related vulnerabilities across CUPS components. Organizations using vulnerable versions are advised to apply the patches immediately to mitigate potential exploitation risks. More information is available in the official advisories, including those from GitHub Security Advisories for detailed remediation steps.


    CVE-2024-47076

    CVE-2024-47076 describes a high-severity vulnerability found in the libcupsfilters library, part of the open-source CUPS printing system. The vulnerability lies within the cfGetPrinterAttributes5 function, which fails to properly sanitize IPP (Internet Printing Protocol) attributes returned from an IPP server. This can result in the injection of attacker-controlled data into the CUPS system, potentially compromising system security by allowing the manipulation of printer attributes used to generate PPD (PostScript Printer Description) files. This flaw poses a significant risk due to its impact on the overall print system, particularly in networked environments.

    The vulnerability has a CVSS v3 base score of 8.6, indicating a high risk with the vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N. This means the exploit can be performed remotely over a network without user interaction, leading to high impacts on integrity.

    Given the seriousness of this vulnerability, it is strongly advised that organizations using CUPS ensure they apply the appropriate patches or updates from the vendor. For further details, references such as the official advisories from GitHub and CUPS maintainers should be consulted.


    CVE-2024-47175

    CVE-2024-47175 is a high-severity vulnerability affecting the libppd library, a component of the CUPS printing system. The issue arises in the ppdCreatePPDFromIPP2 function, which fails to properly sanitize IPP (Internet Printing Protocol) attributes when generating PPD (PostScript Printer Description) buffers. When used in conjunction with other functions, like cfGetPrinterAttributes5, this vulnerability could allow user-controlled input to be processed, potentially leading to remote code execution via Foomatic, a printing filter.

    This vulnerability can be part of an exploit chain, which may ultimately result in remote code execution (RCE), further exacerbating the potential impact. The severity of this flaw is underlined by its CVSS v3 base score of 8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N), indicating that it can be exploited remotely, without user interaction, with high impacts on integrity.

    Organizations utilizing CUPS and related libraries should prioritize patching and updating their systems to mitigate the risk of exploitation. The detailed exploit path and security advisories can be found in official repositories and advisories, such as those from GitHub and CUPS maintainers.


    CVE-2024-47177

    CVE-2024-47177 is a critical vulnerability affecting the CUPS printing system, specifically in environments using the cups-filters package, which provides essential backends, filters, and other utilities for non-Mac OS systems using CUPS 2.x. The issue lies in the FoomaticRIPCommandLine parameter, which can be exploited via a PPD (PostScript Printer Description) file. Any value passed to FoomaticRIPCommandLine is executed as a user-controlled command, allowing for potential remote command execution.

    This vulnerability, when exploited in conjunction with other issues like those in CVE-2024-47176, could allow an attacker to achieve full remote command execution, greatly increasing the security risk. The attack is made even more severe by its critical CVSS v3 base score of 9.0 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating that exploitation can occur remotely with high impacts on confidentiality, integrity, and availability.

    Security teams using CUPS with the cups-filters package should urgently apply patches to mitigate this threat. Detailed guidance on addressing this vulnerability can be found in security advisories provided by the CUPS maintainers and relevant GitHub repositories.
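    The two configuration surfaces behind this chain can be audited from the host side: whether cups-browsed still accepts legacy UDP/631 printer announcements from anyone (CVE-2024-47176), and whether an installed PPD carries a *FoomaticRIPCommandLine that foomatic-rip will hand to a shell on the next print job (CVE-2024-47177). The script below is an added example, not code from OpenPrinting or the advisories; the assumed default for BrowseRemoteProtocols is taken from the cups-browsed.conf man page, and both inputs are constructed strings so it runs offline.

```python
"""Audit helpers for the CUPS issues reviewed above (added example; not code
from OpenPrinting or the advisories).

cups_browsed_exposure() reads cups-browsed.conf text and reports whether the
legacy CUPS browsing protocol, which listens on UDP 631 for printer
announcements, is enabled and unrestricted (the exposure behind CVE-2024-47176).
scan_ppd() reads PPD text and surfaces any *FoomaticRIPCommandLine value,
which foomatic-rip hands to a shell when a job prints (CVE-2024-47177).
"""
import re


def parse_cups_browsed_conf(text: str) -> dict:
    """Map directive -> value (last one wins), ignoring blank and comment lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def cups_browsed_exposure(conf_text: str) -> dict:
    conf = parse_cups_browsed_conf(conf_text)
    # BrowseProtocols sets local and remote at once; BrowseRemoteProtocols overrides it.
    # Assumed default (per the cups-browsed.conf man page): "dnssd cups".
    protocols = conf.get("BrowseRemoteProtocols",
                         conf.get("BrowseProtocols", "dnssd cups")).lower().split()
    legacy = "cups" in protocols
    # Without a BrowseAllow list, announcements from any source are accepted.
    restricted = "BrowseAllow" in conf
    return {
        "legacy_cups_browsing": legacy,
        "source_restricted": restricted,
        "exposed": legacy and not restricted,
    }


def ppd_values(ppd_text: str, keyword: str) -> list:
    """All values of *keyword: "..." in a PPD. Quoted values may span lines;
    Foomatic marks a continued line with a trailing '&&', which is joined here."""
    pattern = re.compile(r'^\*' + re.escape(keyword) + r'(?:\s+\S+)?:\s*"(.*?)"',
                         re.M | re.S)
    return [m.group(1).replace("&&\n", "").strip() for m in pattern.finditer(ppd_text)]


# Shell control sequences that chain a second command onto the renderer call.
SHELL_CONTROL = re.compile(r"[;|`]|\$\(|&&")


def scan_ppd(ppd_text: str) -> dict:
    cmds = ppd_values(ppd_text, "FoomaticRIPCommandLine")
    filters = ppd_values(ppd_text, "cupsFilter") + ppd_values(ppd_text, "cupsFilter2")
    in_chain = any("foomatic-rip" in f for f in filters)
    return {
        "foomatic_rip_in_chain": in_chain,
        "command_lines": cmds,
        # Every such line is executed by a shell at print time, so all deserve
        # review; the ones chaining an extra command most of all.
        "needs_review": in_chain and bool(cmds),
        "shell_control": [c for c in cmds if SHELL_CONTROL.search(c)],
    }


# Constructed samples.
DEFAULT_CONF = "# stock file: every directive commented out\n# BrowseRemoteProtocols dnssd cups\n"
HARDENED_CONF = "BrowseRemoteProtocols none\nBrowseLocalProtocols none\n"

SAMPLE_PPD = """*PPD-Adobe: "4.3"
*ModelName: "Constructed Test Printer"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -sDEVICE=pxlmono &&
-sOutputFile=- -"
"""
CHAINED_PPD = """*PPD-Adobe: "4.3"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -sDEVICE=pxlmono -sOutputFile=- - ; echo constructed-marker"
"""

if __name__ == "__main__":
    print("default conf:", cups_browsed_exposure(DEFAULT_CONF))
    print("hardened conf:", cups_browsed_exposure(HARDENED_CONF))
    print("chained ppd:", scan_ppd(CHAINED_PPD))
```

On a real host, point cups_browsed_exposure at /etc/cups/cups-browsed.conf and scan_ppd at each file under /etc/cups/ppd/; a printer that cups-browsed created from a network announcement is the one whose PPD most needs the review.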




  • Netizen Cybersecurity Bulletin (September 26th, 2024)

    Overview:

    • Phish Tale of the Week
    • Lowering the Bar: AI’s Role in Helping Novice Hackers Create Sophisticated Malware
    • CrowdStrike Apologizes for Global System Crash, Unveils New Update Controls
    • How can Netizen help?

    Phish Tale of the Week

    Oftentimes phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this email, the actors are posing as Microsoft. The message tells us that we need to sign in to complete our multi-factor authentication because it will expire today. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there are plenty of reasons that point to this being a scam.

    Here’s how we can tell not to click on this link:

    1. The first warning sign for this email is the sender’s email address. While the messaging tells you they are Microsoft, the sender tells a different story: “nhts20to@nhtschool.co.uk” is very clearly not a Microsoft alert bot like they want you to believe. Companies that send out alerts through email like this always send them from a dedicated address on their trusted domain, which in our case would be microsoft.com.
    2. The second warning sign in this email is the messaging. This message tries to create a sense of fear and urgency in order to get you to take action by using language such as “To continue accessing.” Phishing and smishing scams commonly attempt to create a sense of urgency or confusion in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all emails and texts before following a link or opening an attachment sent through email or SMS.
    3. The final warning sign for this email is the wording. This particular phishing email seems dead-set on convincing us that the link they want us to click on is “very secure”: the link button is named “Secure Link,” we are urged to “scan the Secure QR code,” and even the sender is called SecurityMessage Center. All of these factors point towards the above being a phishing email, and a very simple and unsophisticated one at that.
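    The three signs above can be turned into a mechanical first-pass triage: does the From: domain belong to the brand the message claims to be, does the text lean on urgency, and does it keep reassuring the reader that its link is “secure”. The script below is an added example, not code from the original bulletin; BRAND_DOMAINS and the two phrase lists are assumptions, and the sample messages are constructed from the details quoted in the post.

```python
"""Triage helper for the three warning signs walked through above.

Added example, not from the original bulletin. It parses a raw email and
reports (1) whether the From: domain belongs to the brand the message claims
to be from, (2) urgency phrasing, and (3) self-reassuring "secure" wording.
BRAND_DOMAINS and the two phrase lists are assumptions.
"""
import email
import email.utils
import re
from email import policy

# Assumption: domains a brand's genuine alerts come from (exact or subdomain).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
}

# Assumed phrase lists built from the wording quoted in the post.
URGENCY = re.compile(
    r"\b(expires?\s+today|to continue accessing|immediately|within \d+ hours?)\b", re.I)
REASSURANCE = re.compile(
    r"\b(secure link|secure qr code|very secure|securitymessage center)\b", re.I)


def sender_domain(from_header: str) -> str:
    """Domain of the actual address in From:, ignoring the display name."""
    _name, addr = email.utils.parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def domain_belongs_to(domain: str, brand: str) -> bool:
    """True if domain equals, or is a subdomain of, one of the brand's domains."""
    return any(domain == d or domain.endswith("." + d)
               for d in BRAND_DOMAINS.get(brand, ()))


def claimed_brand(text: str):
    """First known brand name appearing in the message text, or None."""
    lowered = text.lower()
    for brand in BRAND_DOMAINS:
        if brand in lowered:
            return brand
    return None


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    from_header = msg.get("From", "")
    text = "\n".join([from_header, msg.get("Subject", ""), body])

    brand = claimed_brand(text)
    domain = sender_domain(from_header)
    mismatch = brand is not None and not domain_belongs_to(domain, brand)
    urgency = sorted({m.lower() for m in URGENCY.findall(text)})
    reassurance = sorted({m.lower() for m in REASSURANCE.findall(text)})

    # Sign 1 alone is decisive; signs 2 and 3 together are enough to escalate.
    suspicious = mismatch or (bool(urgency) and bool(reassurance))
    return {
        "claimed_brand": brand,
        "sender_domain": domain,
        "brand_domain_mismatch": mismatch,
        "urgency_phrases": urgency,
        "reassurance_phrases": reassurance,
        "suspicious": suspicious,
    }


# Constructed sample reproducing the message described in the post.
PHISH = b"""From: SecurityMessage Center <nhts20to@nhtschool.co.uk>
To: user@example.com
Subject: Action required: your Microsoft multi-factor authentication expires today
Content-Type: text/plain; charset=utf-8

To continue accessing your account, sign in via the Secure Link below
or scan the Secure QR code. Your multi-factor authentication will expire today.
"""

# Constructed contrast case: same brand, a genuine sending domain, no pressure.
LEGIT = b"""From: Microsoft account team <account-security-noreply@accountprotection.microsoft.com>
To: user@example.com
Subject: Your Microsoft account sign-in summary
Content-Type: text/plain; charset=utf-8

Here is your monthly summary of sign-in activity. No action is needed.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(sample))
```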


    General Recommendations:

    A phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via text message.

    1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one you already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    2. Verify that the sender is actually from the company sending the message.
    3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email.
    4. Do not give out personal or company information over the internet.
    5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many phishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.


    Cybersecurity Brief

    In this month’s Cybersecurity Brief:

    Lowering the Bar: AI’s Role in Helping Novice Hackers Create Sophisticated Malware

    The widespread adoption of artificial intelligence (AI) by software developers has led to significant improvements in productivity, particularly in areas such as code generation. Unfortunately, hackers and malware creators have also begun to exploit this same technology—resulting in a surge of AI-generated malicious code. Recent reports indicate that several real-world malware attacks have involved the use of AI, raising alarm among cybersecurity experts.

    One notable example of this trend was reported by HP, which recently intercepted an email campaign in which the malware was delivered by a dropper believed to have been created with AI assistance. This marks a significant milestone, indicating that AI-generated malware is not only possible but already present in real-world attacks. Although current AI involvement seems to be concentrated on creating droppers, experts predict that AI will soon be used to generate entirely new malware strains.

    In June 2024, HP discovered a phishing email that used a common “invoice” lure and contained an encrypted HTML attachment. This method—known as HTML smuggling—is designed to evade detection. Although HTML smuggling is not new, the level of encryption used in this case caught the attention of HP’s research team. Typically, attackers send a pre-encrypted file, but in this instance, the AES decryption key was embedded directly within the attachment’s JavaScript. This unusual feature prompted further investigation by the team, led by Patrick Schlapfer.
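    Detection for attachments of the kind described above, written as an added example for this brief rather than HP’s or anyone else’s detection logic: a heuristic scorer that looks for the hallmarks of an HTML-smuggling attachment, including the decryption key shipped inside the same file that the researchers noted. The indicator patterns, their weights and the alert threshold, the two sample documents, and the placeholder key and base64 blob are all constructed assumptions for this example.

```python
import base64
import re

# Heuristic indicators of an HTML-smuggling attachment. Patterns, weights and
# the threshold are assumptions made for this example, not HP's detection logic.
INDICATORS = [
    # a long base64 literal: the smuggled file is usually carried inline
    ("long_base64_literal", re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"), 2),
    # client-side decoding of that literal
    ("client_side_decode", re.compile(r"\batob\s*\(|\bUint8Array\b|\bTextDecoder\b"), 1),
    # building a file in the browser and forcing a download
    ("blob_download", re.compile(r"new\s+Blob\s*\(|createObjectURL\s*\(|\.download\s*="), 2),
    # decryption performed inside the page itself
    ("inline_crypto", re.compile(r"crypto\.subtle|\bCryptoJS\b|\bAES\b|\bdecrypt\s*\("), 2),
    # the decryption key embedded in the same attachment (the detail HP flagged)
    ("embedded_key", re.compile(r"(?i)\b(key|iv|passphrase)\s*[:=]\s*['\"][A-Za-z0-9+/=]{16,}['\"]"), 3),
]
ALERT_THRESHOLD = 6  # assumed cut-off; tune against your own attachment corpus


def score_html(html: str):
    """Return (score, [names of matched indicators]) for one HTML document."""
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(html)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def is_smuggling_like(html: str) -> bool:
    """True when the weighted indicator score reaches the alert threshold."""
    return score_html(html)[0] >= ALERT_THRESHOLD


# Constructed samples. The "blob" is base64 of a placeholder sentence, not a file,
# and the key is a placeholder literal; neither does anything.
_PLACEHOLDER_BLOB = base64.b64encode(b"constructed placeholder bytes, not a payload. " * 8).decode()

SUSPICIOUS_HTML = f"""<html><body><p>Your invoice is being prepared...</p>
<script>
  const key = "0123456789abcdef0123456789abcdef";   // placeholder key literal
  const enc = "{_PLACEHOLDER_BLOB}";
  const raw = Uint8Array.from(atob(enc), c => c.charCodeAt(0));
  crypto.subtle.decrypt({{name: "AES-CBC", iv}}, k, raw).then(data => {{
    const a = document.createElement("a");
    a.href = URL.createObjectURL(new Blob([data]));
    a.download = "invoice.pdf";
    a.click();
  }});
</script></body></html>"""

BENIGN_HTML = """<html><body>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="logo">
<script>document.title = "Invoice #12345";</script>
</body></html>"""

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(label, score_html(doc), "ALERT" if is_smuggling_like(doc) else "ok")
```

    A scorer like this is cheap enough to run on every inbound HTML attachment at the mail gateway; it does not need to decrypt anything, because the tell is the combination of an inline blob, in-page decoding or decryption, and a forced download.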

    Once the attachment was decrypted, it imitated a legitimate website but secretly deployed a VBScript dropper that installed the infostealer known as AsyncRAT. The dropper performed several actions, such as modifying Registry variables, placing a JavaScript file into the user’s directory, scheduling it as a task, and launching a PowerShell script that ultimately delivered the AsyncRAT payload. While the overall attack pattern was familiar, the structure and comments found in the VBScript set this attack apart.

    What made this dropper unique was its organized layout, complete with comments explaining the purpose of each command. Schlapfer noted that malware typically avoids such transparency—scripts are usually obfuscated, with no helpful instructions. Furthermore, the script was written in French, which suggested that AI might have been used to generate it. To test their hypothesis, HP’s team generated a similar script using an AI language model, and the results closely matched the malicious script, supporting the theory of AI involvement.

    Despite this breakthrough, some aspects of the attack remained puzzling. The script was not obfuscated, and the comments were left in place. One theory is that the attacker was a novice who relied on AI-generated code without fully understanding it—or realizing how to conceal their tracks.

    Alex Holland, a principal threat researcher at HP, pointed out that this incident illustrates how AI is lowering the entry barrier for new cybercriminals. The attack required minimal resources—AsyncRAT is free, HTML smuggling requires limited expertise, and the infrastructure consisted of a single command-and-control (C&C) server. The malware itself was unsophisticated, with no obfuscation, leading to the conclusion that a newcomer was behind it.

    This raises a troubling question: if inexperienced hackers are already using AI to generate malware, how are more seasoned cybercriminals employing this technology? Skilled adversaries could be deploying AI-generated malware that leaves no telltale signs of AI involvement, making these attacks far more difficult to trace. Such scenarios may already be occurring, but without obvious indicators like comments or a lack of obfuscation, these attacks could go unnoticed.

    While AI-generated malware is still in its early stages, the implications are concerning. The attack discussed here was relatively basic, but it highlights the potential for AI to significantly improve the efficiency of malware creation. In the hands of a skilled hacker, AI could streamline the development of more sophisticated attacks—possibly leading to a surge in low-effort but highly effective malware campaigns.

    As AI continues to advance, cybercriminals are likely to refine their techniques, creating new challenges for cybersecurity professionals. For individuals and organizations, vigilance will be key. It’s important to keep antivirus tools up to date, avoid downloads from unknown sources, and maintain strong security practices to mitigate the growing threat posed by AI-generated malware.



    CrowdStrike Apologizes for Global System Crash, Unveils New Update Controls

    CrowdStrike has introduced a series of changes aimed at preventing another widespread failure like the one caused by its July 2024 software update. The update led to a global IT disruption, impacting millions of Microsoft Windows devices. Adam Meyers, senior vice president at CrowdStrike, appeared before the U.S. House of Representatives’ Cybersecurity subcommittee to outline the company’s efforts to ensure such an event doesn’t happen again.

    Meyers apologized for the disruption, which occurred after a configuration update to CrowdStrike’s Falcon Sensor software led to system crashes, particularly in Windows environments. The outage affected several industries, including airlines, healthcare, and financial services. Delta Air Lines, which was especially hard hit, had to cancel 7,000 flights and reported losses of $500 million as a result. Meyers clarified that the incident was not the result of any external cyberattack or artificial intelligence malfunction, but rather an internal issue within the company’s software configuration.

    The root of the problem lay in a new threat detection configuration that didn’t work well with the Falcon sensor’s rules engine. This mismatch caused the sensors to malfunction, leading to global system crashes. To prevent this from happening again, CrowdStrike has revised its update process. The company will now deploy updates gradually in a controlled environment, allowing them to detect and address issues before they affect a wider group of users.

    A key part of this strategy involves releasing updates in stages, referred to as “rings of deployment.” This phased approach ensures that any potential issues can be identified and corrected early on. Additionally, the company has implemented stricter validation checks to make sure that the configurations sent to sensors align with predefined rules and expectations, minimizing the chance of future conflicts.

    CrowdStrike has also strengthened its testing protocols. Software engineers are now required to conduct broader and more thorough tests, checking every aspect of the configuration process to catch potential problems before updates are distributed. Customers will also have more flexibility in managing how and when updates are applied to their systems, reducing the risk of unexpected disruptions.

    Another measure introduced is a series of real-time checks within the system. These checks ensure that the data being processed meets the system’s requirements, helping to prevent errors from escalating into larger problems.
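    The controls described above (pre-deploy validation of configuration content, staged rings with a health gate between them, and customer control over when an update is taken) can be modelled in a few dozen lines. The following is an added illustration of that idea, not CrowdStrike’s actual pipeline; the record shape the “sensor” expects, the ring names, the 1% error-rate limit, and the sample updates are assumptions made for this example.

```python
from typing import Callable, Dict, List, Sequence

# Assumed model for this example: a content update is a list of records, and the
# sensor's template expects every record to carry exactly EXPECTED_FIELDS non-empty fields.
EXPECTED_FIELDS = 5
RINGS = ["internal-canary", "early-adopters", "general-availability"]
MAX_ERROR_RATE = 0.01  # assumed: halt promotion if more than 1% of hosts in a ring report errors


def validate_update(records: Sequence[Sequence[str]], expected_fields: int = EXPECTED_FIELDS) -> List[str]:
    """Pre-deploy validation: every record must match the shape the sensor expects."""
    problems = []
    for i, rec in enumerate(records):
        if len(rec) != expected_fields:
            problems.append(f"record {i}: {len(rec)} fields, expected {expected_fields}")
        if any(not field for field in rec):
            problems.append(f"record {i}: empty field")
    return problems


def staged_rollout(records: Sequence[Sequence[str]], health_probe: Callable[[str], float],
                   rings: Sequence[str] = RINGS, max_error_rate: float = MAX_ERROR_RATE) -> Dict:
    """Promote the update ring by ring; stop at the first ring whose health probe fails."""
    problems = validate_update(records)
    if problems:
        return {"deployed_to": [], "halted_at": "validation", "reasons": problems}
    deployed = []
    for ring in rings:
        deployed.append(ring)
        error_rate = health_probe(ring)          # telemetry from hosts in this ring
        if error_rate > max_error_rate:
            return {"deployed_to": deployed, "halted_at": ring,
                    "reasons": [f"{ring}: error rate {error_rate:.1%} exceeds {max_error_rate:.1%}"]}
    return {"deployed_to": deployed, "halted_at": None, "reasons": []}


def customer_accepts(update_version: int, latest_version: int, versions_behind: int) -> bool:
    """Customer-side control: only take updates that are at least N versions behind the newest."""
    return update_version <= latest_version - versions_behind


# Constructed sample updates: three well-formed records, then one with an extra field.
GOOD_UPDATE = [("rule-1", "process", "cmd.exe", "suspicious-arg", "alert")] * 3
BAD_SHAPE_UPDATE = GOOD_UPDATE + [("rule-4", "process", "svc.exe", "arg", "alert", "unexpected-sixth-field")]


def healthy_fleet(ring: str) -> float:
    return 0.0


def canary_crashes(ring: str) -> float:
    # simulated telemetry: a quarter of canary hosts fail, everyone else is fine
    return 0.25 if ring == "internal-canary" else 0.0


def run_scenarios() -> Dict[str, Dict]:
    return {
        "good_update": staged_rollout(GOOD_UPDATE, healthy_fleet),
        "malformed_update": staged_rollout(BAD_SHAPE_UPDATE, healthy_fleet),
        "canary_crash": staged_rollout(GOOD_UPDATE, canary_crashes),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

    The point of the two gates is that they fail differently: a malformed update never leaves the build system, and an update that is well-formed but misbehaves on real hosts is stopped in the canary ring before the general population ever sees it.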

    The July outage has also spurred changes at Microsoft, prompting the company to reconsider how security software interacts with the Windows kernel. As a result, Microsoft is planning to include new capabilities in future versions of Windows, particularly in Windows 11, that will allow security software vendors to operate outside of kernel mode. This shift aims to improve stability and reduce the likelihood of critical failures caused by third-party software.

    While detailed information on these new capabilities is not yet available, the collaboration between Microsoft and companies like CrowdStrike points to an increased focus on system reliability and security in future Windows updates.

    CrowdStrike’s revamped approach is aimed at regaining customer trust and preventing future disruptions of this scale. With tighter controls and more thorough testing procedures in place, along with ongoing collaboration with Microsoft, the cybersecurity industry could see a significant reduction in system failures tied to software updates.



    How Can Netizen Help?

    Netizen ensures that security gets built in, not bolted on, by providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” in which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 


  • Penetration Testing as a Service (PTaaS): What is it and How Can it Benefit Your Organization?

    Penetration Testing as a Service (PTaaS) is a way to strengthen an organization’s cybersecurity. It combines automated tooling with human testers to detect and exploit vulnerabilities that traditional tools may miss. Because PTaaS pairs manual and automated testing, it lets an organization’s IT professionals run both point-in-time and continuous penetration tests, which results in a far more robust vulnerability management program. Like traditional penetration testing, PTaaS uses the tools, techniques, and procedures that attackers use to expose vulnerabilities. It supports repeated assessment of many kinds of targets, such as web and mobile applications, networks, and APIs, on a much more frequent basis.

    What is Penetration Testing as a Service (PTaaS)?

    PTaaS delivers penetration testing through a dedicated platform that combines manual and automated testing. It was one of the first forms of penetration testing to be recommended. With it, IT professionals can run both point-in-time and continuous penetration tests, leading to stronger and more resilient vulnerability management programs. As with conventional penetration testing, PTaaS applies the same tools, techniques, and procedures that attackers use to probe systems for vulnerabilities. Because it runs frequent checks in the environment where applications actually live, it extends penetration testing to the infrastructure level, testing web and mobile applications, networks, and APIs more often than before.


    How Does PTaaS Work?

    PTaaS offers a more flexible approach than traditional engagements. Tests can run daily, or after every code change. Dashboards provide what is needed to understand vulnerabilities and fix them quickly, and give users a careful way to retrieve their findings data. This tailored model gives organizations greater discretion over their penetration testing programs.

    PTaaS is continuous and automated, unlike traditional engagements, which are point-in-time assessments performed by manual testing. Traditional tools show the vulnerabilities present at a single moment; PTaaS provides ongoing, real-time evaluation. This continuous approach means new weaknesses are detected and removed promptly, greatly reducing the likelihood of a successful cyberattack. PTaaS combines manual and automated testing for a thorough, continuous security assessment.


    PTaaS Features

    PTaaS typically provides visibility into vulnerabilities as they are found. The PTaaS approach supports comprehensive defense and effective handling of vulnerabilities. Ongoing monitoring helps companies identify and diagnose root causes immediately. The testing approach can be adapted to specific security needs, and experts provide professional assistance and walk through the findings with the client.


    The PTaaS Process

    The PTaaS process generally involves initial scoping and baseline testing, manual testing and exploitation, real-time reporting of findings, strategic recommendations, and retesting. Initial scoping is a comprehensive stage in which the IT consultant guides the client and runs automated scanning to map systems, applications, and networks, giving an initial overview of the security posture. Security experts then simulate real-world attacks to confirm weaknesses and attempt hostile actions. Findings are reported as they are discovered so they can be resolved quickly. Summary reports include key recommendations for fixing the vulnerabilities found, and periodic retesting helps maintain compliance.


    PTaaS Benefits

    PTaaS treats security as a full-time operation, offering immediate access to security professionals, lower costs, strong conformance to industry standards, quick response times, on-demand testing and remediation, and greater control. Running real-time tests at scale makes it easy to launch new tests, retests, and feature-specific tests. Multiple communication channels speed the resolution of key security issues. Automation maximizes the return on investment and keeps tooling from becoming obsolete. Implementing standards such as SANS and OWASP is simpler, and results arrive faster than with traditional tests. The platform provides close to real-time vulnerability visibility, so organizations can initiate tests, define the areas to explore, and escalate engagements instantly.


    What to Look for in a PTaaS Provider

    When selecting a PTaaS provider, consider the following:

    • Proven Track Record: Ensure the provider has specific expertise in PTaaS and experience with a range of clients, particularly in your industry.
    • Security Expertise: Verify the level of dedicated security expertise and support available.
    • Advanced Technology: Evaluate the dashboard’s insight, detail, usability, and integration with your existing technology stack.
    • Actionable Reporting: The provider should deliver detailed, actionable reports to strengthen security defenses and support compliance.


    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact


  • MGM Breach Exposes a Growing Threat: Cybercrime’s Shift to Physical Harm

    In 2023, a significant cyberattack targeted two leading Las Vegas casinos, including MGM Resorts. What started as a headline-grabbing event soon revealed a far more disturbing trend—an alliance between English-speaking hackers from the U.S. and U.K. and Russian ransomware gangs. These young hackers are not only engaging in cybercrime but are also involved in harmful online communities that target vulnerable teenagers, leading to real-world consequences such as physical and emotional harm.


    The MGM Breach and Social Engineering

    In September 2023, the Russian ransomware group ALPHV (also known as BlackCat) claimed responsibility for an attack that shut down MGM Resorts’ operations. A 17-year-old hacker from the U.K. involved in the breach disclosed that the attack was initiated by a simple social engineering trick—one of the hackers posed as a staff member and convinced MGM’s tech support to reset a password, allowing access to their systems.

    This hacking group, called “Scattered Spider” by CrowdStrike, operates across Telegram and Discord servers, forming part of a larger cybercriminal network known as “The Com.” Within these online communities, hackers collaborate, boast about their attacks, and engage in malicious activities to gain status.


    Financial Crime Meets Real-World Violence

    Although The Com appears to focus on financial cybercrime, it harbors more dangerous elements. Some of its members are involved in real-world violent activities, often driven by these online interactions. Despite the public spectacle that accompanied Scattered Spider’s actions, including CrowdStrike’s display of action figures at a cybersecurity conference, the truth behind these hackers goes far deeper into criminality.

    One of the key figures in this network, known online as “@Holy,” took credit for participating in the MGM attack. However, @Holy’s activities extended far beyond ransomware. In addition to holding high-value Telegram usernames like @bomb and @nazi, this individual was connected to online groups that exploit and extort teenagers. These groups often push victims into self-harm and violent acts, documenting the abuse for further manipulation.


    Harm Groups Targeting the Vulnerable

    Among the most notorious of these groups is “764,” which preys on children through platforms like Discord, Minecraft, and Telegram. These cybercriminals engage in tactics such as sextortion, not for monetary gain but to exercise control and humiliation. In many cases, their ultimate goal is radicalizing young victims and pushing them toward violence. Other groups involved in these horrific actions include CVLT, Court, and Leak Society, all of which have been linked to incidents involving self-harm, violence against family members, and even suicide.


    Arrests and Ongoing Investigations

    Authorities arrested @Holy in the U.K. in July 2024, unveiling a history of involvement with other hacking collectives like LAPSUS$, known for attacks on tech giants such as Microsoft, Samsung, and T-Mobile. @Holy’s arrest highlighted the ongoing danger posed by these individuals, who blur the line between cybercrime and personal harm.

    In another case, a group led by a hacker known as “@Judische” (also referred to as “Waifu”) stole massive amounts of customer data from companies like AT&T and TicketMaster. This group, attributed to UNC5537 by Mandiant, was involved in SIM-swapping, a tactic used to hijack phone numbers and intercept calls and texts. The group’s global reach includes members from North America and Turkey, such as John Erin Binns, who was previously indicted for a breach at T-Mobile.


    The Blending of Cybercrime and Real-World Harm

    One of the most troubling cases emerged in 2024 when two American men, Sagar Singh and Nicholas Ceraolo, pleaded guilty to hacking a Drug Enforcement Agency (DEA) portal. They used their access to stalk and harass individuals. Both men were part of the SIM-swapping community and had a history of fabricating fake law enforcement requests to obtain sensitive victim information.

    The leader of ViLE, another harm group, runs a doxing forum where personal details of victims are bought and sold, leading to ongoing harassment and swatting incidents. This blend of online harassment and real-world violence represents a growing and alarming trend in cybercrime.


    A New Breed of Criminals

    As cybercriminals increasingly engage in both financial crime and physical harm, these online networks are becoming a breeding ground for a dangerous new wave of hackers. The Com, along with its associated groups, poses a much broader threat than financial losses—its members are committed to inflicting psychological and physical harm on victims. Without serious intervention, these groups will continue to evolve, bringing their blend of cybercrime and real-world violence to more vulnerable targets.




  • Netizen: Monday Security Brief (9/23/2024)

    Today’s Topics:

    • Infiltration by Resume: How Fake North Korean Workers Tricked Over 300 U.S. Companies
    • Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware
    • How can Netizen help?

    Infiltration by Resume: How Fake North Korean Workers Tricked Over 300 U.S. Companies

    Google’s Mandiant team recently uncovered a scheme where an American collaborator helped fake North Korean IT workers land jobs at U.S. companies, raking in roughly $6.8 million over three years. The operation, known as UNC5267, involved stealing identities and using fake resumes to infiltrate over 300 companies between 2020 and 2023.

    According to Mandiant, North Korea is behind the effort, using these jobs to generate revenue, dodge sanctions, and fund its nuclear and missile programs. The IT workers, mostly based in China and Russia, use clever evasion tactics, such as fake companies and money laundering, to juggle multiple jobs at once. One individual even used over 60 stolen identities to keep the operation going.

    These workers gain access to U.S. companies through “laptop farms” run by paid facilitators, who remotely manage company devices using tools like GoToRemote, AnyDesk, and TeamViewer. The workers connect from abroad via VPNs like Astrill and avoid video chats, often producing below-average work, making them difficult to spot without strict vetting.

    In one case, security firm KnowBe4 caught a North Korean operative trying to install malware just 25 minutes after getting hired. Mandiant warns that while espionage hasn’t been confirmed yet, the high-level access these workers gain could be leveraged in the future. The report also found that many of the profiles feature AI-generated photos and fake credentials, making it tricky for employers to identify the scam during the hiring process.

    To counter these risks, Mandiant advises companies to tighten their background checks with biometric verification and ensure on-camera interviews are conducted. They also recommend monitoring remote tools and VPN usage while training HR and IT teams to spot potential hiring fraud.


    Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware

    A sophisticated cyber-espionage campaign, believed to be orchestrated by Chinese hackers, has been targeting government organizations and industries across the Asia-Pacific (APAC) region. According to research conducted by Trend Micro, the attacks exploited a recently patched vulnerability in OSGeo GeoServer GeoTools, and introduced a new malware strain dubbed EAGLEDOOR. The threat actor behind these activities, known as Earth Baxia, has been active since July 2024.

    The campaign focused on government agencies, telecommunication companies, and energy organizations in countries like Taiwan, South Korea, Vietnam, Thailand, and the Philippines. Researchers also discovered lure documents written in Simplified Chinese, suggesting that sectors within China may have been targeted as well, though more evidence is needed to confirm this.

    The identified method of intrusion involved spear-phishing emails and exploitation of a critical vulnerability in GeoServer (CVE-2024-36401, with a CVSS score of 9.8). This flaw, if exploited, allows attackers to deliver a combination of Cobalt Strike, a widely used post-exploitation framework, and the newly discovered EAGLEDOOR malware.

    EAGLEDOOR is designed for information gathering and remote control, using multiple methods to communicate with its command-and-control (C2) servers over DNS, HTTP, TCP, and even Telegram. While the first three protocols serve to monitor victim status, the core malware capabilities are driven by Telegram Bot API, allowing attackers to upload and download files, execute commands, and further infiltrate compromised systems.

    Researchers highlighted that Earth Baxia used the GrimResource and AppDomainManager injection techniques, paired with decoy files, to maintain persistence and deploy additional malware. One notable payload, dubbed RIPCOY, was hidden within a ZIP archive attachment, masquerading as a legitimate file.

    Interestingly, Earth Baxia’s tactics mirror those observed in campaigns attributed to APT41, a notorious Chinese cyber-espionage group. Both groups leveraged similar spear-phishing techniques and utilized Cobalt Strike with domains mimicking public cloud providers like Amazon Web Services (AWS) and Microsoft Azure. These domains, such as “s3cloud-azure” and “s3bucket-azure,” helped obscure their malicious activities and made detection more difficult.
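    Two of the indicators described above translate directly into proxy-log detections: a host in a server segment talking to the Telegram Bot API, and hostnames that borrow cloud-provider brand names without belonging to the provider’s own domains. The following added example (not Trend Micro’s or anyone else’s tooling) runs both checks over constructed log lines; the log format, the 10.20.x.x server prefix, the allow-list of provider domains, the placeholder bot token, and the .example hostnames are all assumptions made for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumptions for this example: hosts in 10.20.0.0/16 are servers with no business
# reason to reach Telegram, and the set below is the allow-list of genuine provider domains.
SERVER_PREFIXES = ("10.20.",)
TELEGRAM_API_HOST = "api.telegram.org"
CLOUD_BRAND_TOKENS = ("azure", "aws", "amazon", "microsoft")
CLOUD_REGISTERED_DOMAINS = {
    "amazonaws.com", "azure.com", "azure.net", "windows.net",
    "microsoft.com", "microsoftonline.com",
}

# Constructed proxy-log format: timestamp, client address, method, host/path.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one proxy-log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = rec["url"].split("/", 1)[0].lower()
    return rec


def registered_domain(host: str) -> str:
    """Naive registrable-domain extraction (last two labels); enough for this example."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_cloud_lookalike(host: str) -> bool:
    """A host that uses a provider brand token but is not under that provider's domains."""
    if registered_domain(host) in CLOUD_REGISTERED_DOMAINS:
        return False
    return any(token in host for token in CLOUD_BRAND_TOKENS)


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source, host, reason) alerts for the two indicators."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] == TELEGRAM_API_HOST and rec["src"].startswith(SERVER_PREFIXES):
            alerts.append((rec["src"], rec["host"], "server host using Telegram Bot API"))
        if is_cloud_lookalike(rec["host"]):
            alerts.append((rec["src"], rec["host"], "cloud-provider lookalike domain"))
    return alerts


# Constructed sample log. "botPLACEHOLDER" stands in for a bot token; the .example
# hostnames echo the naming pattern quoted in the article without being real domains.
SAMPLE_LOG = [
    "2024-09-20T10:01:02Z 10.20.5.7 POST api.telegram.org/botPLACEHOLDER/getUpdates",
    "2024-09-20T10:01:05Z 10.20.5.7 GET s3cloud-azure.example/update.bin",
    "2024-09-20T10:02:00Z 10.20.6.9 GET s3.amazonaws.com/backups/db.tar",
    "2024-09-20T10:02:30Z 10.30.1.15 GET api.telegram.org/botPLACEHOLDER/getMe",  # workstation segment
    "2024-09-20T10:03:00Z 10.20.5.7 GET s3bucket-azure.example/beacon",
    "2024-09-20T10:03:10Z 10.20.7.2 GET login.microsoftonline.com/common/oauth2/token",
    "malformed line",
]

if __name__ == "__main__":
    for src, host, reason in detect(SAMPLE_LOG):
        print(f"{src:<12} {host:<32} {reason}")
```

    In a real deployment the registrable-domain step should use the public suffix list rather than the last two labels, and the allow-list should be generated from the provider’s published endpoint lists; the structure of the two checks stays the same.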

    Japanese cybersecurity company NTT Security Holdings recently uncovered a cluster of activity that shares many characteristics with the Earth Baxia campaign, specifically targeting military and energy sectors in Taiwan, the Philippines, and Vietnam.

    The sophistication of these attacks highlights the evolving tactics used by Earth Baxia and other Chinese-linked APT groups. By exploiting critical vulnerabilities in software and leveraging public cloud services like AWS and Microsoft Azure, these groups can infiltrate systems while maintaining a low profile. The deployment of customized malware, such as EAGLEDOOR, underscores their adaptability and intent to exfiltrate sensitive data from high-value targets.

    While the specific end goal of these operations may still be unclear, the elevated system access gained through EAGLEDOOR and Cobalt Strike presents a significant risk for future exploitation or potential espionage.




  • Signal or Noise? The Chaos of Chinese Noise Storms

    GreyNoise Intelligence has been tracking something alarming since early 2020: a phenomenon they’ve named “Noise Storms,” which involves waves of spoofed web traffic originating from millions of IP addresses. These storms have cybersecurity experts on edge as they attempt to piece together what’s really happening. While the exact origins remain murky, GreyNoise’s research suggests a possible link to China—raising serious concerns about global internet security.


    Origins and Characteristics of Noise Storms

    Noise Storms typically involve TCP connections, though some use ICMP packets as well. Interestingly, there’s never been any UDP traffic involved, which is notable because UDP is often associated with DDoS attacks. This suggests that whoever’s behind these storms is being selective about how the traffic moves, indicating a high level of control. The precision of the attacks further points to a sophisticated player who likely has a specific agenda in mind.

    One of the key tactics in these attacks is the use of Time To Live (TTL) spoofing, which makes the traffic look like it’s hopping between legitimate network nodes. Adding to the complexity, the storms spoof window sizes to imitate traffic from various operating systems, making it even harder for cybersecurity teams to distinguish between real and fake data. What’s also puzzling is that the storms seem to avoid big players like AWS, instead focusing on other internet providers like Cogent, Lumen, and Hurricane Electric.


    Unusual Traffic Patterns and Tactics

    A current Noise Storm GreyNoise is watching involves roughly five million IPs, seemingly based in Brazil. However, deeper analysis points back to China as the true source. The Autonomous System Number (ASN) linked to the ICMP traffic is tied to a Chinese content delivery network (CDN) that supports major platforms like QQ, WeChat, and WePay. This connection has raised suspicions that a sophisticated, state-sponsored actor could be pulling the strings.

    In some recent storms, researchers found a curious and somewhat eerie detail: the ASCII string ‘LOVE’ embedded in the ICMP packets. While it seems harmless, this odd inclusion fuels theories that the storms might be more than just cyberattacks—they could be a covert communication channel or something even more complex. The timing of these storms has also coincided with significant military events, adding another layer of suspicion to their purpose.


    Suspicious Links to Chinese Infrastructure

    China’s involvement in large-scale cyber activities is nothing new, and the evidence pointing to Chinese infrastructure in these Noise Storms is a big red flag. Just this past April, the cybersecurity firm Infoblox reported on the Chinese-linked threat actor “Muddling Meerkat,” which was using China’s Great Firewall to probe the internet via DNS mail server records. It’s clear that China has leveraged its internet infrastructure for cyber espionage and other malicious actions before, and these storms might be yet another example.

    Despite years of tracking, no one has definitively figured out the true aim of these Noise Storms. Theories within the cybersecurity world range from misconfigured routers to covert communication systems to efforts to manipulate network traffic for intelligence gathering. Some even believe the storms might represent a new kind of DDoS attack designed to create congestion for nefarious purposes.

    These developments have serious implications for internet providers and cybersecurity professionals everywhere. The fact that the storms target specific internet infrastructure while selectively avoiding major providers points to a well-funded and highly capable adversary.

    The sophistication of these attacks is clear. The attackers are using tactics like TTL manipulation and operating system spoofing, which make it tough to differentiate between legitimate and malicious traffic. Recent storms have set TTL values between 120 and 200, making the traffic look more like standard network behavior. Meanwhile, the selective targeting of internet providers shows that the attackers have a deep understanding of global internet infrastructure and are fine-tuning their approach to have the most impact.
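    The traits described above (TTLs in the 120-200 band and the ASCII ‘LOVE’ marker in ICMP payloads) can be checked directly against raw packets. The following is an added example, not code from GreyNoise or the article: it parses IPv4/ICMP packets with the standard library and combines the indicators, because the TTL band alone also matches ordinary hosts such as Windows machines that default to a TTL of 128. The packets it inspects are constructed inline, not real captures.

```python
import struct
from collections import Counter

def build_icmp_echo(src, dst, ttl, payload):
    """Assemble a minimal IPv4 + ICMP echo-request packet (constructed test data)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload  # type 8 = echo request
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + icmp

def parse_ipv4(pkt):
    """Return (ttl, protocol, source address, transport payload) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes, honours IP options
    ttl, proto = pkt[8], pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    return ttl, proto, src, pkt[ihl:]

def storm_indicators(pkt):
    """Return (source, set of indicator names) for one packet."""
    ttl, proto, src, payload = parse_ipv4(pkt)
    flags = set()
    if 120 <= ttl <= 200:              # TTL band reported for recent storms
        flags.add("ttl_band")
    if proto == 1 and payload and payload[0] == 8:   # ICMP echo request
        flags.add("icmp_echo")
        if b"LOVE" in payload[8:]:     # marker sits after the 8-byte ICMP header
            flags.add("love_marker")
    return src, flags

def summarize(packets):
    """Count packets per source that show all three indicators at once."""
    suspicious = Counter()
    for pkt in packets:
        src, flags = storm_indicators(pkt)
        if {"ttl_band", "icmp_echo", "love_marker"} <= flags:
            suspicious[src] += 1
    return suspicious

# Constructed sample traffic: two storm-like echoes, one normal ping, one Windows-style ping.
SAMPLE = [
    build_icmp_echo("203.0.113.7", "198.51.100.1", 150, b"LOVE" + b"\x00" * 12),
    build_icmp_echo("203.0.113.7", "198.51.100.1", 190, b"xxLOVEyy"),
    build_icmp_echo("192.0.2.9", "198.51.100.1", 64, b"abcdefgh"),
    build_icmp_echo("192.0.2.10", "198.51.100.1", 128, b"abcdefgh"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

    Feeding the packets from a PCAP (for example via a PCAP reader of your choice) into summarize() in place of SAMPLE applies the same check to captured traffic.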


    Possible Motivations Behind Noise Storms

    The frequency and persistence of Noise Storms raise big questions about the overall strategy at play. Given their connection to major Chinese platforms and the timing of certain storms with geopolitical events, it’s possible that these storms are part of a larger, state-sponsored campaign—whether for espionage, cyber warfare, or something else entirely. While much of this remains speculative, the link to Chinese infrastructure can’t be ignored.


    GreyNoise’s Call for Global Collaboration

    GreyNoise has urged security leaders to take these threats seriously and to rethink their defense strategies. Traditional methods for detecting DDoS attacks or network anomalies may not be enough to deal with threats like Noise Storms. GreyNoise stresses the need for advanced, real-time monitoring tools that can pick up on unusual patterns in TCP and ICMP traffic, as well as more proactive measures to stay ahead of these sophisticated threats.

    In the meantime, GreyNoise is continuing its investigation and has called on the cybersecurity community to help analyze the traffic associated with Noise Storms. The company has shared packet captures (PCAPs) of recent storms on its GitHub, inviting researchers to collaborate and uncover more about this mysterious activity. While much remains unknown, the persistence and evolution of Noise Storms over the past four years show that this is a threat we can’t afford to ignore.

    As this situation unfolds, it’s crucial for the cybersecurity community to stay engaged and keep exploring what these Noise Storms might mean. While the full purpose behind them is still unclear, the evidence so far points to a well-coordinated effort by a capable adversary—one whose intentions, though still a mystery, could have serious consequences if left unchecked.


    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact


  • Chinese Espionage Network ‘Raptor Train’ Exploits IoT Devices in Massive Botnet Operation

    Researchers at Lumen Technologies have uncovered a large botnet operation, code-named Raptor Train, orchestrated by the Chinese cyberespionage group Flax Typhoon. Unlike most botnets, this one has recruited over 200,000 routers, IP cameras, and network storage devices, building an extensive network aimed directly at military and government entities in the U.S. and Taiwan. The scale of this operation is enormous, and since its launch in May 2020, it has continued to expand, with no signs of slowing down.


    Behind the Botnet

    What makes this botnet particularly concerning is its multi-tiered structure. At the lowest level (Tier 1), everyday devices like routers, IP cameras, and network storage units aren’t just passive tools—they’re actively helping maintain the botnet’s integrity. These compromised devices perform tasks like data relay and sustaining the botnet’s communications. Moving up to Tier 2, servers are responsible for handling exploits, managing botnet activity, and directing traffic across infected nodes. The top level (Tier 3) operates through a cross-platform control app called Sparrow, which allows the attackers to execute commands in real-time, transfer files between compromised devices, and, while not yet observed, execute DDoS attacks with ease. This layered approach demonstrates the technical sophistication of the operation and the attackers’ ability to maintain and scale the botnet without significant disruption.


    Nosedive Malware: Stealthy and Dynamic Operations

    The malware behind Raptor Train is equally worrisome. Lumen’s research team, Black Lotus Labs, discovered a custom version of the infamous Mirai malware, which they have named Nosedive. This malware is exceptionally stealthy. It resides in the device’s memory, erasing traces of itself from the hard drive to avoid detection. Even more troublesome is the dynamic nature of the botnet—compromised devices rotate in and out of the network regularly. On average, a device like a router might remain part of the botnet for just 17 days before being swapped out for a new victim. This constant rotation makes it challenging for defenders to isolate and eliminate threats, as the infected devices are frequently changing, and the attackers can quickly replace lost assets.


    Exploiting Known Vulnerabilities in Consumer and Enterprise Devices

    One of the primary factors behind the botnet’s rapid spread is the exploitation of known vulnerabilities in widely used devices. The attackers are focusing on common consumer brands, such as ASUS and Mikrotik routers, Hikvision and Panasonic IP cameras, and even specific enterprise-level software like Atlassian Confluence servers and Ivanti Connect Secure appliances. In some cases, they’re using zero-day vulnerabilities to compromise the devices, while in others, they’re taking advantage of well-known security flaws that have not been patched by users. This highlights a critical issue: despite the availability of security updates, many users neglect to apply them, leaving their devices exposed to such threats.


    U.S. Government Response and the Link to Chinese State-Sponsored Activity

    In response to the growing threat, the U.S. government has stepped in. A joint advisory from the FBI, CNMF, and NSA has pointed fingers at a Chinese company, Integrity Technology Group, for its role in managing the botnet’s operations. Investigators have traced much of the botnet’s command structure back to China Unicom’s Beijing Province Network, further linking the operation to Chinese state-sponsored activity. Despite these efforts, the constant rotation of infected devices complicates the task of dismantling the botnet, meaning it could take time before significant progress is made.


    The Urgent Need for IoT Security and Patching

    Raptor Train serves as a stark reminder of the evolving tactics used by nation-state actors. By weaponizing IoT devices—items that most people don’t even consider computers—these attackers are gaining footholds in critical infrastructure systems, with potentially devastating consequences. The need to prioritize patching and securing IoT devices has never been more urgent. Many of these devices are deployed in homes and businesses, often with little thought given to their security, but their compromise could enable future espionage or disruption efforts on a much larger scale.

