#cybercriminal attacks
Cybercriminals are abusing Google’s infrastructure, creating emails that appear to come from Google in order to persuade people into handing over their Google account credentials. This attack was first flagged by Nick Johnson, the lead developer of the Ethereum Name Service (ENS), a blockchain equivalent of the popular internet naming convention known as the Domain Name System (DNS). Nick received a very official-looking security alert about a subpoena allegedly issued to Google by law enforcement for information contained in Nick’s Google account. A URL in the email pointed Nick to a sites.google.com page that looked like an exact copy of the official Google support portal.
As a computer-savvy person, Nick spotted that the official site should have been hosted on accounts.google.com and not sites.google.com. The difference is that anyone with a Google account can create a website on sites.google.com. And that is exactly what the cybercriminals did. Attackers increasingly use Google Sites to host phishing pages because the domain appears trustworthy to most users and can bypass many security filters. One of those filters is DKIM (DomainKeys Identified Mail), an email authentication protocol that allows the sending server to attach a digital signature to an email. If the target clicked either “Upload additional documents” or “View case”, they were redirected to an exact copy of the Google sign-in page designed to steal their login credentials. Your Google credentials are coveted prey, because they give access to core Google services like Gmail, Google Drive, Google Photos, Google Calendar, Google Contacts, Google Maps, Google Play, and YouTube, but also any third-party apps and services you have chosen to log in to with your Google account. The signs to recognize this scam are the pages hosted at sites.google.com, which should have been support.google.com and accounts.google.com, and the sender address in the email header. Although it was signed by accounts.google.com, it was emailed by another address. If a person had all these accounts compromised in one go, this could easily lead to identity theft.
How to avoid scams like this
Don’t follow links in unsolicited emails or on unexpected websites.
Carefully look at the email headers when you receive an unexpected mail.
Verify the legitimacy of such emails through another, independent method.
Don’t use your Google account (or Facebook for that matter) to log in at other sites and services. Instead create an account on the service itself.
Technical details
Analyzing the URL used in the attack on Nick (https://sites.google.com[/]u/17918456/d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/edit), where /u/17918456/ is a user or account identifier and /d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/ identifies the exact page, the /edit part stands out like a sore thumb.
DKIM-signed messages keep the signature during replays as long as the body remains unchanged. So if a malicious actor gets access to a previously legitimate DKIM-signed email, they can resend that exact message at any time, and it will still pass authentication.
So, what the cybercriminals did was:
Set up a Gmail account starting with me@ so the visible email would look as if it was addressed to “me.”
Register an OAuth app and set the app name to match the phishing link.
Grant the OAuth app access to their Google account, which triggers a legitimate security warning from [email protected]. This alert has a valid DKIM signature, with the content of the phishing email embedded in the body as the app name.
Forward the message untouched, which keeps the DKIM signature valid.
Creating the application containing the entire text of the phishing message for its name, and preparing the landing page and fake login site, may seem a lot of work. But once the criminals have completed the initial work, the procedure is easy enough to repeat once a page gets reported, which is not easy on sites.google.com.
Nick submitted a bug report to Google about this. Google originally closed the report as ‘Working as Intended,’ but later Google got back to him and said it had reconsidered the matter and it will fix the OAuth bug.
10K notes
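The post above describes two tells a reader can check by hand: the DKIM signature is genuine but the message did not arrive from Google, and the link goes to a user-created sites.google.com page. The following Python triage script is an added example (not code from the post, from Nick Johnson, or from Google) that automates both checks on a raw message. The sample email is constructed to mirror the described structure; the relay hostnames, addresses, page ID and the placeholder signature values are illustrative, not captured data.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the attack described above: the DKIM signature
# really is from Google, but the message reached us through a third-party relay
# and its only link points at a user-created sites.google.com page.
# Hosts, addresses and the page ID are illustrative, not captured data.
SAMPLE_EMAIL = """\
Return-Path: <bounces@mailer.example-relay.net>
Received: from mailer.example-relay.net (mailer.example-relay.net [198.51.100.7])
  by mx.victim.example with ESMTP; Mon, 21 Apr 2025 10:00:00 +0000
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41])
  by mailer.example-relay.net with ESMTPS; Mon, 21 Apr 2025 09:59:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com;
  s=20230601; h=from:to:subject:date; bh=<hash>; b=<signature>
From: Google <no-reply@accounts.google.com>
To: me@example.com
Subject: Security alert
Content-Type: text/plain; charset=utf-8

A subpoena has been issued for data in your Google Account.
View case: https://sites.google.com/u/0/d/example-page-id/edit
"""


def org_domain(host):
    """Crude registrable-domain heuristic: last two labels (fine for .com/.net)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def dkim_domain(msg):
    """Return the d= tag of the first DKIM-Signature header, or None."""
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return m.group(1).lower() if m else None


def first_hop_host(msg):
    """Hostname in the outermost Received header: the server that handed the mail to us."""
    received = msg.get_all("Received") or []
    m = re.search(r"\bfrom\s+([A-Za-z0-9.-]+)", received[0]) if received else None
    return m.group(1).lower() if m else None


def path_findings(msg):
    """DKIM binds the signed headers and body to the signing domain, not the
    delivery path, so a replayed message is given away by who actually sent it."""
    signer = dkim_domain(msg)
    if signer is None:
        return ["no DKIM-Signature header"]
    findings = []
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_domain = return_path.rsplit("@", 1)[-1].lower() if "@" in return_path else ""
    if rp_domain and org_domain(rp_domain) != org_domain(signer):
        findings.append(f"Return-Path domain {rp_domain} differs from signing domain {signer}")
    hop = first_hop_host(msg)
    if hop and org_domain(hop) != org_domain(signer):
        findings.append(f"delivered by {hop}, not by the signing domain {signer}")
    return findings


def link_findings(body):
    """Flag links to user-created Google Sites pages posing as Google's own portals."""
    findings = []
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host == "sites.google.com" or host.endswith(".sites.google.com"):
            why = "user-created Google Sites page, not accounts/support.google.com"
            if parsed.path.endswith("/edit"):
                why += "; /edit suffix is an editor link, not a support page"
            findings.append(f"{url}: {why}")
    return findings


def analyze(raw_message):
    """Run both checks and return a small report dict."""
    msg = message_from_string(raw_message)
    body = ""
    if not msg.is_multipart():
        body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return {
        "dkim_domain": dkim_domain(msg),
        "path": path_findings(msg),
        "links": link_findings(body),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(key, value)
```

The path check is the important one: a replayed message passes DKIM (and therefore DMARC, which only needs one aligned signature), so the mismatch between the signing domain and the Return-Path or first-hop relay is what a filter or an analyst has to look at. The registrable-domain heuristic is deliberately simple and will misjudge suffixes like co.uk.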
Fortinet: Cybercriminals Exploit Vulnerabilities 43% Faster, Urgent Action
Fortinet’s 2H 2023 Global Threat Landscape Report reveals that cybercriminals are exploiting industry vulnerabilities 43% faster than in the first half of 2023. Key findings highlight the need for better cyber hygiene, faster patch management, and adherence to vulnerability disclosure best practices. Notably, 44% of ransomware and wiper attacks targeted the industrial sector, and botnets showed…

0 notes
Beware Of These Techniques That Cybercriminals Use To Steal Cryptocurrency
While the rise of cryptocurrency has brought about revolutionary changes in the financial landscape, it has also opened doors to new forms of cybercrime. The decentralized and anonymous nature of cryptocurrencies has made them attractive targets for cybercriminals.
Understanding the techniques that cybercriminals use to steal these digital assets is crucial for protecting oneself in the evolving landscape of cybersecurity. It is important that you stay vigilant and informed, and prioritize security to protect yourself against these evolving threats.
Check out this list of techniques that cybercriminals use to steal cryptocurrency.
1. Phishing Attacks
One of the most common techniques used by cybercriminals is phishing. They employ misleading emails, websites, or messages that look similar to legitimate platforms or communication from trusted entities. Unsuspecting users are tricked into revealing their private keys, passwords, or wallet information which allows the criminals to gain access to their cryptocurrency holdings.
#business#business blog#new updates#trending topic#cryptocurrency#Phishing Attacks#Cybercriminals#new techniques#revolutionary#evolving threats
0 notes
Global events fuel DDoS attack campaigns - Help Net Security
Cybercriminals launched approximately 7.9 million DDoS attacks in 1H 2023, representing a 31% year-over-year increase, according to NETSCOUT. Global events like the Russia-Ukraine war and NATO bids have driven recent DDoS attack growth. Finland was targeted by pro-Russian hacktivists in 2022 during its bid to join NATO. Turkey and Hungary were targeted with DDoS attacks for opposing Finland’s…
0 notes
The child sextortion group 764 and the global collective of loosely associated groups known as “The Com” are using tools and techniques normally used for financially motivated cybercrime tactics — such as SIM swapping, IP grabbing and social engineering — to commit violent crimes, according to exclusive law enforcement and intelligence reports reviewed by CyberScoop. The reports offer insight into the underbelly of the global network, showing how they are using traditional cybercriminal tools to identify, target, groom, extort, and cause physical and psychological harm to victims as young as 10. They were shared with police nationwide and in some cases, with foreign-allied governments. [...] The group “appears to be situated at the nexus of communities of users who share gore material, [Racially or Ethnically Motivated Violent Extremist-White Supremacist] adherents such as M.K.U. and child exploitation actors like 764.” M.K.U., it says, is a neo-Nazi group with a presence in Russia and Ukraine. [...] The groups use methods to trick children into sending sexually explicit photos of themselves, threaten to make the photos public unless they harm themselves, and kill or harm animals, among other crimes. The group’s members have coerced children into attempting suicide, harming themselves, siblings and animals. (x)
///
Wired reported this week that a 19-year-old working for Elon Musk‘s so-called Department of Government Efficiency (DOGE) was given access to sensitive US government systems even though his past association with cybercrime communities should have precluded him from gaining the necessary security clearances to do so. As today’s story explores, the DOGE teen is a former denizen of ‘The Com,’ an archipelago of Discord and Telegram chat channels that function as a kind of distributed cybercriminal social network for facilitating instant collaboration. [...] Internet routing records show that Coristine runs an Internet service provider called Packetware (AS400495). Also known as “DiamondCDN,” Packetware currently hosts tesla[.]sexy and diamondcdn[.]com, among other domains. DiamondCDN was advertised and claimed by someone who used the nickname “Rivage” on several Com-based Discord channels over the years. A review of chat logs from some of those channels show other members frequently referred to Rivage as “Edward.” From late 2020 to late 2024, Rivage’s conversations would show up in multiple Com chat servers that are closely monitored by security companies. In November 2022, Rivage could be seen requesting recommendations for a reliable and powerful DDoS-for-hire service. Rivage made that request in the cybercrime channel “Dstat,” a core Com hub where users could buy and sell attack services. Dstat’s website dstat[.]cc was seized in 2024 as part of “Operation PowerOFF,” an international law enforcement action against DDoS services. (x)
DOGE teen is a pedophile cybercriminal involved in a neonazi CSA-producing cybergang. and he has access to your SSN.
677 notes
He should be arrested for violating our privacy. He was not vetted by congress and has no security clearance.
Contact your state’s attorney general and request help.
Can we ask the ACLU to file a class action suit? Who’s with me?
“Let’s get into the details. Musk’s staffers have been caught plugging external hard drives into federal agency systems and reportedly locking others out of private rooms to perform—who knows what actions. This behavior violates key cybersecurity laws under FISMA and NIST guidelines, which are designed to protect sensitive federal information. Here’s why this is a serious problem.
Federal systems are strictly regulated, allowing only approved devices to connect. Unauthorized external drives can introduce viruses, ransomware, or other harmful software that may compromise entire networks and disrupt essential operations. This puts system stability and continuity of services at risk, endangering critical infrastructure.
These devices could also be used to steal or damage critical information, including personal data for millions of Americans—such as Social Security recipients and taxpayers. Unauthorized access creates significant vulnerabilities, exposing sensitive data to the risk of cyberattacks. Such attacks could cripple vital services and compromise the privacy and safety of millions of people.
Additionally, federal agencies have strict access controls to prevent unauthorized data manipulation or theft. When unauthorized devices are connected, these protections are bypassed, allowing unauthorized users to potentially alter or extract sensitive data. This undermines system integrity and opens the door to both internal and external threats.
External drives also often lack essential security features, such as encryption and antivirus scanning, making them vulnerable to cybercriminal exploitation. These security gaps further increase the risk of data breaches and system compromise, which can have far-reaching consequences.
Federal systems handle trillions of dollars in payments and manage personal data for millions of U.S. citizens. By bypassing cybersecurity laws and protocols, Musk’s staffers are putting these systems—and the public—at serious risk. This activity is illegal, reckless, and unacceptable. Immediate oversight and intervention are necessary to stop these violations!” ~ A N P S
225 notes
So with the pandora's box of AI being released into the world, cybersecurity has become kind of insane for the average user in a way that's difficult to describe for those who aren't following along. Coding in unfamiliar languages is easier to do now, for better and worse. Purchasable hacking "kits" are a thing on the dark web that basically streamline the process of deploying ransomware. And generative AI is making it much easier for more and more people to obscure their intentions and identities, regardless of their tech proficiency.
The impacts of this have been Really Bad in the last year or two in particular. For example:
(I'm about to link to sources, and you better be hovering and checking those links before clicking on them as a habit)
Ransomware attacks have become increasingly lucrative for private and state-sponsored hacking groups, with at least one hack recently reported to have resulted in a $75 MILLION payout from the victim. This in combination with the aforementioned factors has made it a bigger and bigger risk for companies and organizations holding your most sensitive data.
In the US, the Salt Typhoon hack over the past year or so has compromised virtually all major phone networks--meaning text and phone calls are no longer secure means of communication. While this won't affect most people in day-to-day, it does make basically all the information you share over traditional phone comms very vulnerable. You should avoid sharing sensitive information over the phone when you can.
CISA updated their security recommendations late last year in response to this compromise. One of the recommendations is to use a separate comms app with end-to-end encryption. I personally prefer Signal, since it's open source and not owned by Meta, but the challenge can be getting people you know on the same service. So... have fun with that.
2FA is no longer as secure as it was--because SMS itself is no longer secure, yeah, but even app-based 2FA has been rendered useless in certain circumstances. One reason for this is because...
A modern version of the early-2000's trick of gaining access to people's accounts via hijacked cookies has come back around for Chromium browsers, and hackers are gaining access to people's Google accounts via OAuth session hijacking. Meaning they can get into your already-logged-in accounts without passwords or 2FA even being needed to begin with. This has been achieved both through hackers compromising chrome browser extensions, and via a reinvigorated push to send out compromising links via email.
Thanks to AI, discerning compromised email is harder now. Cybercriminals are getting better at replicating legitimate email forms and website login screens etc., and coming up with ways to time the emails around times when you might legitimately expect them. (Some go so far as to hack into a person's phone to watch for when a text confirmation might indicate a recent purchase has been made via texted shipping alerts, for example)
If you go to a website that asks you to double-click a link or button--that is a major red flag. A potential method of clickjacking sessions is done via a script that has to be run with the end user's approval. Basically, to get around people who know enough to not authenticate scripts they don't recognize, hackers are concealing the related pop ups behind a "double-click" prompt instruction that places the "consent" prompt's button under the user's mouse in disguised UI, so that on the second click, the user will unwittingly elevate the script without realizing they are doing it.
Attachments are also a fresh concern, as hackers have figured out how to intentionally corrupt key areas of a file in a way that bypasses built-in virus checks, for the email service's virus checker as well as many major anti-virus products installed on endpoint systems.
Hackers are also increasingly infiltrating trusted channels, like creating fake IT accounts in companies' Office 365 environment, allowing them to Teams employees instead of simply email them. Meaning when IT sends you a new PM in tools like Zoom, Slack, or Teams, you need to double-check what email address they are using before assuming it's the real IT person in question.
Spearphishing's growing sophistication has accelerated the theft of large, sensitive databases like the United/Change Healthcare hacks, the NHS hack & the recent Powerschool hack. Cybercriminals are not only gaining access to emails and accounts, but also using generative AI tools to clone the voices (written and spoken) of key individuals close to them, in order to more thoroughly fool targets into giving away sensitive data that compromises access to bigger accounts and databases.
This is mostly being used to target big-ticket targets, like company CSO's and other executives or security/IT personnel. But it also showcases the way scammers are likely to start trying to manipulate the average person more thoroughly as well. The amount of sensitive information--like the health databases being stolen and sold on the darkweb--means people's most personal details are up for sale and exploitation. So we're not too far off from grandparents being fooled by weaponized AI trained off a grandchild's scraped tiktok videos or other public-facing social media, for example. And who is vulnerable to believing these scams will expand, as scammers can potentially answer sensitive questions figured out from stolen databases, to be even more convincing.
And finally, Big Tech's interest in replacing their employees with AI to net higher profits has resulted in cybersecurity teams who are overworked, even more understaffed than they already were before, and increasingly lacking the long-term industry experience useful to leading effective teams and finding good solutions. We're effectively in an arms race that is burning IT pros out faster and harder than before, resulting in the circumvention of crucial QA steps, and mistakes like the faulty release that created the Crowdstrike outage earlier last year.
Most of this won't impact the average person all at once or to the same degree as big-name targets with potential for big ransoms. But they are little things that have combined into major risks for people in ways that aren't entirely in our control. Password security has become virtually obsolete at this point. And 2FA's effectiveness is tenuous at best, assuming you can maintain vigilance.
The new and currently best advice for keeping your individual accounts secure is to switch to using Passkeys and FIDO keys like Yubikeys. However, the effectiveness of passkeys is held back somewhat as users are slow to adopt them, and therefore websites and services are required to continue to support passwords on people's accounts anyway, keeping password vulnerabilities there as a back door.
TLDR; it's pretty ugly out there right now, and I think it's going to get worse before it gets better. Because even with more sophisticated EDR and anti-virus tools, social engineering itself is getting more complex, which renders certain defensive technologies as somewhat obsolete.
Try to use a passkey when you can, as well as a password locker to create strong passwords you don't have to memorize and non-SMS 2FA as much as possible. FIDO keys are ideal if you can get one you won't lose.
Change your passwords for your most sensitive accounts often.
Don't give websites more personal info about yourself than is absolutely necessary.
Don't double-click links or buttons on websites/captchas.
Be careful what you click and download on piracy sources.
Try to treat your emails and PMs with a healthy dose of skepticism--double-check who is sending them etc for stealthily disguised typos or clever names. It's not going to be as obvious as it used to be that someone is phishing you.
It doesn't hurt to come up with an offline pass phrase to verify people you know IRL. Really.
And basically brace for more big hacks to happen that you cannot control to begin with. The employees at your insurance companies, your hospital, your telecomms company etc. are all likely targets for a breach.
36 notes
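The post above ends with the advice to double-check who is sending a message for "stealthily disguised typos or clever names". As an added example (not code from the post's author), here is a small Python classifier that does that check mechanically for a From: header: it normalises look-alike characters, compares the sender's registrable domain against an allowlist, and separately catches the trick of burying a real brand as a subdomain of an attacker's domain. The allowlist and the test addresses are assumptions for the demonstration.

```python
import unicodedata
from email.utils import parseaddr

# Assumed allowlist of domains the reader actually expects mail from; replace with your own.
TRUSTED_DOMAINS = {"google.com", "microsoft.com", "example.com"}

# Character sequences that look alike in common fonts. Deliberately small;
# extend from the Unicode confusables table for production use.
MULTI_CHAR_CONFUSABLES = {"rn": "m", "vv": "w"}
SINGLE_CHAR_CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "ı": "i",            # dotless i
    "\u043e": "o",       # Cyrillic о
    "\u0430": "a",       # Cyrillic а
    "\u0435": "e",       # Cyrillic е
}


def registrable_domain(host):
    """Last two labels; fine for .com/.net/.org, not for co.uk-style suffixes."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def skeleton(text):
    """Collapse look-alike characters so 'rnicrosoft' and 'g00gle' compare equal to the brand."""
    s = unicodedata.normalize("NFKC", text).lower()
    for seq, repl in MULTI_CHAR_CONFUSABLES.items():
        s = s.replace(seq, repl)
    return "".join(SINGLE_CHAR_CONFUSABLES.get(ch, ch) for ch in s)


def levenshtein(a, b):
    """Edit distance; used to catch one-character typosquats such as gooogle.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_domain) for a From: header value."""
    _, address = parseaddr(header_value)
    if "@" not in address:
        return ("invalid", None)
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    reg = registrable_domain(domain)
    if reg in trusted:
        return ("trusted", reg)
    for brand in sorted(trusted):
        # Real brand used as a subdomain of somebody else's domain,
        # e.g. google.com.verify-login.net
        if f".{brand}." in f".{domain}.":
            return ("brand-as-subdomain", brand)
        # Look-alike characters resolve exactly to the brand
        if skeleton(reg) == brand:
            return ("confusable", brand)
        # One edit away after normalisation: a classic typosquat
        if levenshtein(skeleton(reg), brand) <= 1:
            return ("typo", brand)
    return ("unknown", None)


if __name__ == "__main__":
    for sample in [
        "Google <no-reply@accounts.google.com>",
        "IT Support <helpdesk@rnicrosoft.com>",
        "security@g00gle.com",
        "help@google.com.verify-login.net",
        "admin@gooogle.com",
    ]:
        print(sample, "->", classify_sender(sample))
```

"unknown" is not "safe": it only means the domain resembles nothing on the allowlist. The "rn" collapse can also mangle legitimate names (turner becomes tumer), so treat verdicts as a prompt to look harder, not as a block decision.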
Preventing Ransomware Attacks: Proactive Measures to Shield Your Business
New Post has been published on https://thedigitalinsider.com/preventing-ransomware-attacks-proactive-measures-to-shield-your-business/
All forms of cyber attacks are dangerous to organizations in one way or another. Even small data breaches can lead to time-consuming and expensive disruptions to day-to-day operations.
One of the most destructive forms of cybercrime businesses face is ransomware. These types of attacks are highly sophisticated both in their design and in the way they’re delivered. Even just visiting a website or downloading a compromised file can bring an entire organization to a complete standstill.
Mounting a strong defense against ransomware attacks requires careful planning and a disciplined approach to cyber readiness.
Strong Endpoint Security
Any device that’s used to access your business network or adjacent systems is known as an “endpoint.” While all businesses have multiple endpoints they need to be mindful of, organizations with decentralized teams tend to have significantly more they need to track and protect. This is typically due to remote working employees accessing company assets from personal laptops and mobile devices.
The more endpoints a business needs to manage, the higher the chances that attackers can find hackable points of entry. To mitigate these risks effectively, it’s essential to first identify all the potential access points a business has. Businesses can then use a combination of EDR (Endpoint Detection and Response) solutions and access controls to help reduce the risk of unauthorized individuals posing as legitimate employees.
Having an updated BYOD (Bring Your Own Device) policy in place is also important when improving cybersecurity. These policies outline specific best practices for employees when using their own devices for business-related purposes – whether they’re in the office or working remotely. This can include avoiding the use of public Wi-Fi networks, keeping devices locked when not in use, and keeping security software up-to-date.
Better Password Policies and Multi-Factor Authentication
Whether they know it or not, your employees are the first line of defense when it comes to avoiding ransomware attacks. Poorly configured user credentials and bad password management habits can easily contribute to an employee inadvertently putting an organization at more risk of a security breach than necessary.
While most people like having a fair amount of flexibility when creating a password they can easily remember, it’s important as a business to establish certain best practices that need to be followed. This includes ensuring employees are creating longer and more unique passwords, leveraging MFA (multi-factor authentication) security features, and refreshing their credentials at regular intervals throughout the year.
Data Backup and Recovery
Having regular backups of your databases and systems is one way to increase your operational resilience in the wake of a major cyberattack. In the event your organization is hit with ransomware and your critical data becomes inaccessible, you’ll be able to rely on your backups to help recover your systems. While this process can take some time, it’s a much more reliable alternative to paying a ransom amount.
When planning your backups, there is a 3-2-1 rule you should follow. This rule stipulates that you should:
Have three up-to-date copies of your database
Use two different data storage formats (internal, external, etc.)
Keep at least one copy stored off premises
Following this best practice lowers the likelihood that “all” your backups become compromised and gives you the best chance for recovering your systems successfully.
Network Segmentation and Access Control
One of the most challenging things about ransomware is its ability to spread rapidly to other connected systems. A viable strategy for limiting this ability is to segment your networks, breaking them up into smaller, isolated strings of a wider network.
Network segmentation makes it so that if one system becomes compromised, attackers still won’t have open access to a system. This makes it much harder for malware to spread.
Maintaining strict access control policies is another way you can reduce your attack surface. Access control systems limit the amount of free access that users have in a system at any given time. In these types of systems, the best practice is to ensure that regardless of who someone is, they should still only ever have just enough permissions in place to access the information they need to accomplish their tasks – nothing more, nothing less.
Vulnerability Management and Penetration Testing
To create a safer digital environment for your business, it’s important to regularly scan systems for new vulnerabilities that may have surfaced. While businesses may spend a lot of time putting various security initiatives into place, as the organization grows, these initiatives may not be as effective as they used to be.
However, identifying security gaps across business infrastructures can be incredibly time-consuming for many organizations. Working with penetration testing partners is a great way to fill this gap.
Pentesting services can be invaluable when helping businesses pinpoint precisely where their security systems are failing. By using simulated real-world attacks, penetration testers can help businesses see where their most significant security weaknesses are and prioritize the adjustments that will bring the most value when protecting against ransomware attacks.
Data Security Compliance and Ethical AI Practices
There are various considerations you want to make when implementing new security protocols for your business. Ransomware attacks can do much more than disrupt day-to-day operations. They can also lead to data security compliance issues that can lead to a long list of legal headaches and do irreparable damage to your reputation.
Because of this, it’s important to ensure all critical business data uses active encryption protocols. This essentially makes data inaccessible to anyone not authorized to view it. While this in itself won’t necessarily stop cybercriminals from accessing stolen data, it can help to protect the information from being sold to unauthorized parties. Leveraging data encryption may also already be a requirement for your business depending on the regulatory bodies that govern your industry.
Another thing to consider is that while AI-enabled security solutions are becoming more widely used, there are certain compliance standards that need to be followed when implementing them. Understanding any implications associated with leveraging data-driven technologies will help ensure you’re able to get maximum benefit out of using them without inadvertently breaching data privacy rights.
Keep Your Business Better Protected
Protecting your business from ransomware attacks requires a proactive approach to risk management and prevention. By following the strategies discussed, you’ll be able to lower your susceptibility to an attack while having the right protocols in place if and when you need them.
#access control#ai#approach#assets#Attack surface#attackers#authentication#backup#backups#breach#Business#BYOD#compliance#control systems#credentials#cyber#cyber attacks#cyber readiness#cyberattack#cybercrime#cybercriminals#cybersecurity#data#data backup#Data Breaches#data privacy#data security#data storage#data-driven#databases
0 notes
Text
My leverage redemption s3 wishlist:
Flashback episode about a job the team pulled between the old and the new series; so eliot-parker-hardison only. Alternatively i accept an episode in which sophie is incapacitated for whatever reason and parker steps up as the one calling the shots (bonus points if it's actually parker and eliot making the plans together, extra bonus points if they somehow pull hardison into it too)
An episode when they team up with another leverage international team; but like properly. Not just 'these background randos are actually leverage-people and on their side'
Eliot blatantly being sophie's attack/guard dog
Sterling
A completely new kind of bonkers narrative framing in one single episode. Can coincide with the first item
Maggie cameo, preferably via sophie inviting her because they are Very Good Friends
During a job, someone recognises Breanna('s name) as a known and famed cybercriminal
Robot bodies mention
11 notes
·
View notes
Text
SILLY GUAYYYYYYYYYYYYYYYYYYYY <3 closeups, human form, and ✨document✨ under cut!
i have been putting him off for way too long tbh
Transcript of doc:
Z-256 - Codename: "The Technician", real name "Hade Parabellum", is to be shot on sight by the EXR-P teams and any personnel without hesitation. Z-256 is a high-level threat in Urbanshade; caution is required if encountered. Given his partnership with Z-779, extreme caution should be taken when in a room equipped with turrets. It has been reported on multiple occasions that 256 is armed with a long range taser and a .45 ACP revolver. Z-256 was brought in as an LR-P in 2014, after he was found guilty of a worldwide DDoS attack, causing companies big and small to lose over $7.1 trillion USD collectively, as well as mining cryptocurrency for use in illicit trades. He had a natural knack for computers, and had a bachelor's in computer sciences. Given this, Urbanshade swept him away to be held in the Hadal division, and in his wake, created a cover story that he took his own life in his cell. From late 2016 onward, 256 was our lead programmer before the breach, despite his history as a cybercriminal. It was later realized his technological prowess could be put to better use outside Urbanshade's facilities, so the DNA of Penaeidae was spliced into his so he could work under the pressure of the Hadal zone comfortably. However, the changes to his appearance from experimentation left him appearing extremely nonhuman, earning him the classification of Z-256. After several months of planning, Z-256 momentarily formed an alliance with Z-13 and Z-763 to escape, additionally causing a breach in many of the other containment cells holding experiments at the Blacksite. He reportedly handled opening electronic locks with his sentient computer Z-779, who enthusiastically complied and assisted. Afterwards, as revenge, he proceeded to destroy several generators that powered the facility, as well as rip up several cables connected to the main power of the External Repellent System, causing several Vultus Linunaria to gather at the newly safened area around the cannon.
At the Blacksite: EXR-P teams should report sightings of Z-256 immediately to HQ. Most commonly reported in proximity to Z-779. (Personnel Note: Look up you dimwits. Z-256 often resides in the control pits of rooms with artillery taken over by Z-779, outside of the action. He will try to turn the machine guns back on after they are disabled on the ground; shoot him so he does not succeed.) Under no circumstances can Z-256 be allowed to leave the Blacksite alive. Abandon previous objectives and, as Mr. Shade himself stated, "Shred their mags until their trigger-finger bleeds."
#pressure oc#pressure roblox#roblox pressure#hade's eye candy#hade's special babies#any references to a Z-763 is in regard to my friend's pressure oc!!!
14 notes
·
View notes
Text
Every year has its own mix of digital security debacles, from the absurd to the sinister, but 2024 was particularly marked by hacking sprees in which cybercriminals and state-backed espionage groups repeatedly exploited the same weakness or type of target to fuel their frenzy. For attackers, the approach is ruthlessly efficient, but for compromised institutions—and the individuals they serve—the malicious rampages had very real consequences for people's privacy, safety, and security.
As political turmoil and social unrest intensify around the world, 2025 will be a complicated—and potentially explosive—year in cyberspace. But first, here's WIRED's look back on this year's worst breaches, leaks, state-sponsored hacking campaigns, ransomware attacks, and digital extortion cases. Stay alert, and stay safe out there.
China's Salt Typhoon Telecom Breaches
Espionage operations are a fact of life, and relentless Chinese campaigns have been a constant in cyberspace for years now. But the China-linked espionage group Salt Typhoon carried out a particularly noteworthy operation this year, infiltrating a slew of US telecoms including Verizon and AT&T (plus others around the world) for months. And US officials told reporters earlier this month that many victim companies are still actively attempting to remove the hackers from their networks.
The attackers surveilled a small group of people, fewer than 150 by current count, but they include individuals who were already subject to US wiretap orders as well as State Department officials and members of both the Trump and Harris presidential campaigns. Additionally, texts and calls from other people who interacted with the Salt Typhoon targets were inherently also caught up in the espionage scheme.
Snowflake Customer Breaches
Throughout the summer, attackers were on a tear, breaching prominent companies and organizations that were all customers of the cloud data storage company Snowflake. The spree barely qualifies as hacking, since cybercriminals were simply using stolen passwords to log in to Snowflake accounts that didn't have two-factor authentication turned on. The end result, though, was an extraordinary amount of data stolen from victims including Ticketmaster, Santander Bank, and Neiman Marcus. Another prominent victim, the telecom giant AT&T, said in July that “nearly all” records relating to its customers' calls and texts from a seven-month stretch in 2022 were stolen in a Snowflake-related intrusion. The security firm Mandiant, which is owned by Google, said in June that the rampage impacted roughly 165 victims.
In July, Snowflake added a feature so account administrators could make two-factor authentication mandatory for all of their users. In November, suspect Alexander “Connor” Moucka was arrested by Canadian law enforcement for allegedly leading the hacking spree. He was indicted by the US Department of Justice for the Snowflake tear and faces extradition to the US. John Erin Binns, who was arrested in Turkey for an indictment related to a 2021 breach of the telecom T-Mobile, was also indicted on charges related to the Snowflake customer breaches.
Change Healthcare Ransomware Attack
At the end of February, the medical billing and insurance processing company Change Healthcare was hit with a ransomware attack that caused disruptions at hospitals, doctor's offices, pharmacies, and other health care facilities around the US. The attack is one of the all-time largest breaches of medical data, impacting more than 100 million people. The company, which is owned by UnitedHealth, is a dominant medical billing processor in the US. It said days after the attack started that it believed ALPHV/BlackCat, a notorious Russian-speaking ransomware gang, was behind the assault.
Personal data stolen in the attack included patient phone numbers, addresses, banking and other financial information, and health records including diagnoses, prescriptions, and treatment details. The company paid a $22 million ransom to ALPHV/BlackCat at the beginning of March in an attempt to contain the situation. The payment seemingly emboldened attackers to hit health care targets at an even greater rate than usual. With ongoing, rolling notifications to more than 100 million victims, and more still being discovered, lawsuits and other blowback have been mounting. This month, for example, the state of Nebraska sued Change Healthcare, alleging that “failures to implement basic security protections” made the attack much worse than it should have been.
Russia's Midnight Blizzard Hit Microsoft
Microsoft said in January that it had been breached by Russia's “Midnight Blizzard” hackers in an incident that compromised company executives' email accounts. The group is tied to the Kremlin's SVR foreign intelligence agency and is specifically linked to SVR's APT 29, also known as Cozy Bear. After an initial intrusion in November 2023, the attackers targeted and compromised historic Microsoft system test accounts (Microsoft's own disclosure described the foothold as a legacy, non-production test tenant account taken over by password spraying, with no multifactor authentication in place) that then allowed them to access what the company said were “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.” From there, the group exfiltrated “some emails and attached documents.” Microsoft said that the attackers seemed to be looking for information about what the company knew about them; in other words, Midnight Blizzard was doing reconnaissance on Microsoft's research into the group. Hewlett Packard Enterprise (HPE) also said in January that it had suffered a corporate email breach attributed to Midnight Blizzard.
National Public Data
The background check company National Public Data suffered a breach in December 2023, and data from the incident started showing up for sale on cybercriminal forums in April 2024. Different configurations of the data cropped up again and again over the summer, culminating in public confirmation of the breach by the company in August. The stolen data included names, Social Security numbers, phone numbers, addresses, and dates of birth. Since National Public Data didn't confirm the breach until August, speculation about the situation grew for months and included theories that the data included tens or even hundreds of millions of Social Security numbers. Though the breach was significant, the true number of impacted individuals seems to be, mercifully, much lower. The company reported in a filing to officials in Maine that the breach affected 1.3 million people. In October, National Public Data's parent company, Jerico Pictures, filed for Chapter 11 bankruptcy reorganization in the Southern District of Florida, citing state and federal investigations into the breach as well as a number of lawsuits that the company is facing over the incident.
Honorable Mention: North Korean Cryptocurrency Theft
A lot of people steal a lot of cryptocurrency every year, including North Korean cybercriminals who have a mandate to help fund the hermit kingdom. A report from the cryptocurrency tracing firm Chainalysis released this month, though, underscores just how aggressive Pyongyang-backed hackers have become. The researchers found that in 2023, hackers affiliated with North Korea stole more than $660 million across 20 attacks. This year, they stole roughly $1.34 billion across 47 incidents. The 2024 figures represent 20 percent of total incidents Chainalysis tracked for the year and a whopping 61 percent of the total funds stolen by all actors.
The sheer domination is impressive, but the researchers emphasize the seriousness of the crimes. “US and international officials have assessed that Pyongyang uses the crypto it steals to finance its weapons of mass destruction and ballistic missiles programs, endangering international security,” Chainalysis wrote.
10 notes
·
View notes
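The Snowflake spree in the WIRED piece above came down to one thing: a stolen password was enough, because the accounts had no second factor. The mandatory-MFA setting Snowflake added in July is the preventive fix; the detective side is checking login history for exactly the pattern the attackers left. What follows is an added example, not code from the WIRED article or from Snowflake. It triages login records shaped like the columns of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS, EVENT_TIMESTAMP); the sample rows, user names, IP addresses and the corporate egress range are constructed for the example, and the thresholds are assumptions to tune.

```python
"""Triage login records for password-only access and credential-stuffing bursts.

Added example; not code from the WIRED article or from Snowflake. The record
shape mirrors the columns of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
view (USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE, FIRST_AUTHENTICATION_FACTOR,
SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS, EVENT_TIMESTAMP). All rows, user
names, IP addresses and the corporate range below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    client_ip: str
    client_type: str
    first_factor: str             # e.g. "PASSWORD", "RSA_KEYPAIR", "OAUTH_ACCESS_TOKEN"
    second_factor: Optional[str]  # e.g. "DUO_PUSH"; None when no MFA was presented
    success: bool


# Constructed sample: ALICE uses MFA; BOB drives a Python client with a bare
# password; then one outside address works through several accounts in minutes.
SAMPLE = [
    LoginEvent(datetime(2024, 5, 20, 9, 1), "ALICE", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    LoginEvent(datetime(2024, 5, 20, 9, 5), "BOB", "203.0.113.11", "PYTHON_DRIVER", "PASSWORD", None, True),
    LoginEvent(datetime(2024, 5, 21, 2, 13), "BOB", "198.51.100.7", "OTHER", "PASSWORD", None, False),
    LoginEvent(datetime(2024, 5, 21, 2, 14), "BOB", "198.51.100.7", "OTHER", "PASSWORD", None, True),
    LoginEvent(datetime(2024, 5, 21, 2, 15), "CAROL", "198.51.100.7", "OTHER", "PASSWORD", None, True),
    LoginEvent(datetime(2024, 5, 21, 2, 16), "DAVE", "198.51.100.7", "OTHER", "PASSWORD", None, False),
]

# Assumption: the organisation's known egress range. Anything else is "off network".
CORPORATE_RANGES = [ip_network("203.0.113.0/24")]


def password_only_logins(events):
    """Successful logins authenticated by a password and nothing else."""
    return [e for e in events
            if e.success and e.first_factor == "PASSWORD" and e.second_factor is None]


def users_never_seen_with_mfa(events):
    """Users who have logged in successfully but never presented a second factor.

    These are the accounts a leaked password alone unlocks: the enrollment
    backlog to close before an attacker closes it for you.
    """
    seen_mfa = {e.user for e in events if e.success and e.second_factor}
    seen_ok = {e.user for e in events if e.success}
    return seen_ok - seen_mfa


def off_network_password_logins(events, ranges=CORPORATE_RANGES):
    """Password-only successes from addresses outside the known ranges."""
    def on_net(ip):
        return any(ip_address(ip) in r for r in ranges)
    return [e for e in password_only_logins(events) if not on_net(e.client_ip)]


def spraying_sources(events, window=timedelta(minutes=10), min_users=3):
    """Source IPs that tried at least min_users distinct accounts within window.

    Failures count too: a stuffing run is visible in the attempts, not only in
    the successes, and the failures usually arrive first.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.client_ip].append((e.ts, e.user))
    flagged = set()
    for ip, attempts in by_ip.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    print("password-only logins:", len(password_only_logins(SAMPLE)))
    print("users without any MFA login:", sorted(users_never_seen_with_mfa(SAMPLE)))
    for e in off_network_password_logins(SAMPLE):
        print("off-network password login:", e.user, e.client_ip, e.ts.isoformat())
    print("spraying sources:", sorted(spraying_sources(SAMPLE)))
```

Run against the constructed sample, the script reports three password-only logins, two accounts (BOB and CAROL) that have never authenticated with a second factor, two off-network password-only successes, and 198.51.100.7 as a source that cycled through three accounts in four minutes. In Snowflake itself the same three checks are queries over the LOGIN_HISTORY view rather than Python, and the lasting fix is the account-level policy that makes the second factor mandatory, because a detection that fires after the login has already succeeded arrives too late to keep the data in.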
Text
Weekly Malware & Threats Roundup | 24 Feb - 02 Mar 2025
1️⃣ North Korean Hackers Linked to $1.5 Billion ByBit Crypto Heist
North Korea's Lazarus hacking group has been identified as responsible for the largest cryptocurrency heist in history, stealing over $1.5 billion from ByBit. Source: https://www.bleepingcomputer.com/news/security/north-korean-hackers-linked-to-15-billion-bybit-crypto-heist/
2️⃣ GitVenom Campaign Distributes Malware via Fake GitHub Repositories
Attackers are using fake GitHub projects to distribute stealers, backdoors, and cryptocurrency wallet clippers, targeting developers globally. Source: https://securelist.com/gitvenom-campaign/115694/
3️⃣ 2,500+ Truesight.sys Driver Variants Exploited to Deploy HiddenGh0st RAT
A large-scale campaign abuses a vulnerable Windows driver to evade EDR systems and deploy remote access trojans. Source: https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/
4️⃣ New Malware Campaign Uses Cracked Software to Spread Lumma and ACR Stealer
Cybercriminals are distributing malware via cracked software downloads, leveraging Dead Drop Resolver techniques to avoid detection. Source: https://asec.ahnlab.com/en/86390/
5️⃣ GrassCall Malware Drains Crypto Wallets via Fake Job Interviews
A Russian cybercrime group deceived Web3 job seekers into downloading malware through a fraudulent interview platform. Source: https://www.bleepingcomputer.com/news/security/grasscall-malware-campaign-drains-crypto-wallets-via-fake-job-interviews/
Additional Cybersecurity News:
🟢 2025 Unit 42 Incident Response Report: Cyber Attacks Shift to Disruption
86% of major cyber incidents in 2024 resulted in downtime or financial loss, with attackers increasingly focusing on sabotage and data exfiltration. Source: https://www.paloaltonetworks.com/blog/2025/02/incident-response-report-attacks-shift-disruption/
🟠 Chinese Cyber Espionage Jumps 150%, CrowdStrike Reports
Chinese state-backed cyber espionage activities surged in 2024, targeting finance, media, and manufacturing sectors. Source: https://www.crowdstrike.com/en-us/global-threat-report/
🔴 61% of Hackers Use New Exploit Code Within 48 Hours of Disclosure
Cybercriminals are exploiting newly released vulnerabilities faster than ever, with ransomware attacks targeting healthcare at record levels. Source: https://www.sonicwall.com/threat-report
#CyberSecurity#ThreatIntelligence#Malware#CyberAttack#Ransomware#APT#DataBreach#CyberThreats#ThreatHunting
5 notes
·
View notes
Text
Doughnut chain Krispy Kreme says it has been hit by a cyberattack which has disrupted its online systems.
Some customers have been unable to make online orders as a result of the hack, which occurred in late November but has only just been disclosed.
Krispy Kreme revealed the attack in a regulatory filing with the US Securities and Exchange Commission (SEC) on Wednesday.
It said the incident was "reasonably likely" to "have a material impact" on the firm's business operations, but clarified that brick-and-mortar shops remain open.
"We're experiencing certain operational disruptions due to a cybersecurity incident, including with online ordering in parts of the United States," reads a message on the Krispy Kreme website.
"We know this is an inconvenience and are working diligently to resolve the issue."
The firm told the BBC in a statement it "immediately" took steps to investigate and contain the incident, and has brought in cybersecurity experts.
"We, along with them, continue to work diligently to respond to and mitigate the impact from the incident, including the restoration of online ordering," it said.
No groups have publicly taken responsibility for the hack.
Krispy Kreme is a large chain in the US, which has more than 1,400 shops worldwide.
In the UK it is smaller, but its 120 locations make it the largest speciality doughnut retailer in the country.
Krispy Kreme stated in its SEC filing that it has cybersecurity insurance, which it expects "to offset a portion of the costs".
It said it expected these costs to arise from a loss of digital sales, fees for the experts it has hired, and the restoration of impacted systems.
Cyber-attacks have caused serious disruption this year, plaguing key infrastructure including hospitals and transport systems.
"The proliferation of cyberattacks in 2024 shows that hackers are willing to target anything and everything," said Spencer Starkey, from cyber-security firm SonicWall.
"It's vital every single business has a robust roadmap in place to deploy if and when an attack happens," he added.
Social media is taking this incident somewhat less seriously, however.
"Anyone messing with Krispy Kreme should be jailed for life," joked one user on X.
"Cybercriminals, you've gone too far this time," posted another.
7 notes
·
View notes