Login
Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warns that one of the flaws is already under active attack, and that software blueprints showing how to exploit a pervasive Windows bug patched this month are now public.
The sole zero-day flaw this month is CVE-2025-33053, a remote code execution flaw in the Windows implementation of WebDAV β an HTTP extension that lets users remotely manage files and directories on a server. While WebDAV isnβt enabled by default in Windows, its presence in legacy or specialized systems still makes it a relevant target, said Seth Hoyt, senior security engineer at Automox.
Adam Barnett, lead software engineer at Rapid7, said Microsoftβs advisory for CVE-2025-33053 does not mention that the Windows implementation of WebDAV is listed as deprecated since November 2023, which in practical terms means that the WebClient service no longer starts by default.
βThe advisory also has attack complexity as low, which means that exploitation does not require preparation of the target environment in any way that is beyond the attackerβs control,β Barnett said. βExploitation relies on the user clicking a malicious link. Itβs not clear how an asset would be immediately vulnerable if the service isnβt running, but all versions of Windows receive a patch, including those released since the deprecation of WebClient, like Server 2025 and Windows 11 24H2.β
Microsoft warns that an βelevation of privilegeβ vulnerability in the Windows Server Message Block (SMB) client (CVE-2025-33073) is likely to be exploited, given that proof-of-concept code for this bug is now public. CVE-2025-33073 has a CVSS risk score of 8.8 (out of 10), and exploitation of the flaw leads to the attacker gaining βSYSTEMβ level control over a vulnerable PC.
βWhat makes this especially dangerous is that no further user interaction is required after the initial connectionβsomething attackers can often trigger without the user realizing it,β said Alex Vovk, co-founder and CEO of Action1. βGiven the high privilege level and ease of exploitation, this flaw poses a significant risk to Windows environments. The scope of affected systems is extensive, as SMB is a core Windows protocol used for file and printer sharing and inter-process communication.β
Beyond these highlights, 10 of the vulnerabilities fixed this month were rated βcriticalβ by Microsoft, including eight remote code execution flaws.
Notably absent from this monthβs patch batch is a fix for a newly discovered weakness in Windows Server 2025 that allows attackers to act with the privileges of any user in Active Directory. The bug, dubbed βBadSuccessor,β was publicly disclosed by researchers at Akamai on May 21, and several public proof-of-concepts are now available. Tenableβs Satnam Narang said organizations that have at least one Windows Server 2025 domain controller should review permissions for principals and limit those permissions as much as possible.
Adobe has released updates for Acrobat Reader and six other products addressing at least 259 vulnerabilities, most of them in an update for Experience Manager. Mozilla Firefox and Google Chrome both recently released security updates that require a restart of the browser to take effect. The latest Chrome update fixes two zero-day exploits in the browser (CVE-2025-5419 and CVE-2025-4664).
For a detailed breakdown on the individual security updates released by Microsoft today, check out theΒ Patch Tuesday roundup from the SANS Internet Storm Center. Action 1 has a breakdown of patches from Microsoft and a raft of other software vendors releasing fixes this month. As always, please back up your system and/or data before patching, and feel free to drop a note in the comments if you run into any problems applying these updates.
An employee at Elon Muskβs artificial intelligence company xAIΒ leaked a private key on GitHub that for the past two months could have allowed anyone to query private xAI large language models (LLMs) which appear to have been custom made for working with internal data from Muskβs companies, including SpaceX, Tesla and Twitter/X, KrebsOnSecurity has learned.
Image: Shutterstock, @sdx15.
Philippe Caturegli, βchief hacking officerβ at the security consultancy Seralys, was the first to publicize the leak of credentials for an x.ai application programming interface (API) exposed in the GitHub code repository of a technical staff member at xAI.
Caturegliβs post on LinkedIn caught the attention of researchers at GitGuardian, a company that specializes in detecting and remediating exposed secrets in public and proprietary environments. GitGuardianβs systems constantly scan GitHub and other code repositories for exposed API keys, and fire off automated alerts to affected users.
GitGuardianβs Eric Fourrier told KrebsOnSecurity the exposed API key had access to several unreleased models of Grok, the AI chatbot developed by xAI. In total, GitGuardian found the key had access to at least 60 fine-tuned and private LLMs.
βThe credentials can be used to access the X.ai API with the identity of the user,β GitGuardian wrote in an email explaining their findings to xAI. βThe associated account not only has access to public Grok models (grok-2-1212, etc) but also to what appears to be unreleased (grok-2.5V), development (research-grok-2p5v-1018), and private models (tweet-rejector, grok-spacex-2024-11-04).β
Fourrier found GitGuardian had alerted the xAI employee about the exposed API key nearly two months ago β on March 2. But as of April 30, when GitGuardian directly alerted xAIβs security team to the exposure, the key was still valid and usable. xAI told GitGuardian to report the matter through its bug bounty program at HackerOne, but just a few hours later the repository containing the API key was removed from GitHub.
βIt looks like some of these internal LLMs were fine-tuned on SpaceX data, and some were fine-tuned with Tesla data,β Fourrier said. βI definitely donβt think a Grok model thatβs fine-tuned on SpaceX data is intended to be exposed publicly.β
xAI did not respond to a request for comment. Nor did the 28-year-old xAI technical staff member whose key was exposed.
Carole Winqwist, chief marketing officer at GitGuardian, said giving potentially hostile users free access to private LLMs is a recipe for disaster.
βIf youβre an attacker and you have direct access to the model and the back end interface for things like Grok, itβs definitely something you can use for further attacking,β she said. βAn attacker could it use for prompt injection, to tweak the (LLM) model to serve their purposes, or try to implant code into the supply chain.β
The inadvertent exposure of internal LLMs for xAI comes as Muskβs so-called Department of Government Efficiency (DOGE) has been feeding sensitive government records into artificial intelligence tools. In February, The Washington Post reported DOGE officials were feeding data from across the Education Department into AI tools to probe the agencyβs programs and spending.
The Post said DOGE plans to replicate this process across many departments and agencies, accessing the back-end software at different parts of the government and then using AI technology to extract and sift through information about spending on employees and programs.
βFeeding sensitive data into AI software puts it into the possession of a systemβs operator, increasing the chances it will be leaked or swept up in cyberattacks,β Post reporters wrote.
Wired reported in March that DOGE has deployed a proprietary chatbot called GSAi to 1,500 federal workers at the General Services Administration, part of an effort to automate tasks previously done by humans as DOGE continues its purge of the federal workforce.
A Reuters report last month said Trump administration officials told some U.S. government employees that DOGE is using AI to surveil at least one federal agencyβs communications for hostility to President Trump and his agenda. Reuters wrote that the DOGE team has heavily deployed Muskβs Grok AI chatbot as part of their work slashing the federal government, although Reuters said it could not establish exactly how Grok was being used.
Caturegli said while there is no indication that federal government or user data could be accessed through the exposed x.ai API key, these private models are likely trained on proprietary data and may unintentionally expose details related to internal development efforts at xAI, Twitter, or SpaceX.
βThe fact that this key was publicly exposed for two months and granted access to internal models is concerning,β Caturegli said. βThis kind of long-lived credential exposure highlights weak key management and insufficient internal monitoring, raising questions about safeguards around developer access and broader operational security.β
A whistleblower at the National Labor Relations Board (NLRB) alleged last week that denizens of Elon Muskβs Department of Government Efficiency (DOGE) siphoned gigabytes of data from the agencyβs sensitive case files in early March. The whistleblower said accounts created for DOGE at the NLRB downloaded three code repositories from GitHub. Further investigation into one of those code bundles shows it is remarkably similar to a program published in January 2025 by Marko Elez, a 25-year-old DOGE employee who has worked at a number of Muskβs companies.
A screenshot shared by NLRB whistleblower Daniel Berulis shows three downloads from GitHub.
According to a whistleblower complaint filed last week byΒ Daniel J. Berulis, a 38-year-old security architect at the NLRB, officials from DOGE met with NLRB leaders on March 3 and demanded the creation of severalΒ all-powerful βtenant adminβ accounts that were to be exempted from network logging activity that would otherwise keep a detailed record of all actions taken by those accounts.
Berulis said the new DOGE accounts had unrestricted permission to read, copy, and alter information contained in NLRB databases. The new accounts also could restrict log visibility, delay retention, route logs elsewhere, or even remove them entirely β top-tier user privileges that neither Berulis nor his boss possessed.
Berulis said he discovered one of the DOGE accounts had downloaded three external code libraries from GitHub that neither NLRB nor its contractors ever used. A βreadmeβ file in one of the code bundles explained it was created to rotate connections through a large pool of cloud Internet addresses that serve βas a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.β Brute force attacks involve automated login attempts that try many credential combinations in rapid sequence.
A search on that description in Google brings up a code repository at GitHub for a user with the account name βGe0rg3β who published a program roughly four years ago called βrequests-ip-rotator,β described as a library that will allow the user βto bypass IP-based rate-limits for sites and services.β
The README file from the GitHub user Ge0rg3βs page for requests-ip-rotator includes the exact wording of a program the whistleblower said was downloaded by one of the DOGE users. Marko Elez created an offshoot of this program in January 2025.
βA Python library to utilize AWS API Gatewayβs large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing,β the description reads.
Ge0rg3βs code is βopen source,β in that anyone can copy it and reuse it non-commercially. As it happens, there is a newer version of this project that was derived or βforkedβ from Ge0rg3βs code β called βasync-ip-rotatorβ β and it was committed to GitHub in January 2025 by DOGE captain Marko Elez.
The whistleblower stated that one of the GitHub files downloaded by the DOGE employees who transferred sensitive files from an NLRB case database was an archive whose README file read: βPython library to utilize AWS API Gatewayβs large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.β Elezβs code pictured here was forked in January 2025 from a code library that shares the same description.
A key DOGE staff member who gained access to the Treasury Departmentβs central payments system, Elez has worked for a number of Musk companies, including X, SpaceX, and xAI. Elez was among the first DOGE employees to face public scrutiny, after The Wall Street Journal linked him to social media posts that advocated racism and eugenics.
Elez resigned after that brief scandal, but was rehired after President Donald Trump and Vice President JD Vance expressed support for him. Politico reports Elez is now a Labor Department aide detailed to multiple agencies, including the Department of Health and Human Services.
βDuring Elezβs initial stint at Treasury, he violated the agencyβs information security policies by sending a spreadsheet containing names and payments information to officials at the General Services Administration,β Politico wrote, citing court filings.
KrebsOnSecurity sought comment from both the NLRB and DOGE, and will update this story if either responds.
The NLRB has been effectively hobbled since President Trump fired three board members, leaving the agency without the quorum it needs to function. BothΒ AmazonΒ and MuskβsΒ SpaceXΒ haveΒ been suingΒ the NLRB over complaints the agency filed in disputes about workersβ rights and union organizing, arguing that the NLRBβs very existence is unconstitutional. On March 5, a U.S. appeals courtΒ unanimously rejectedΒ Muskβs claim that the NLRBβs structure somehow violates the Constitution.
Berulisβs complaint alleges the DOGE accounts at NLRB downloaded more than 10 gigabytes of data from the agencyβs case files, a database that includes reams of sensitive records including information about employees who want to form unions and proprietary business documents. Berulis said he went public after higher-ups at the agency told him not to report the matter to the US-CERT, as theyβd previously agreed.
Berulis told KrebsOnSecurity he worried the unauthorized data transfer by DOGE could unfairly advantage defendants in a number of ongoing labor disputes before the agency.
βIf any company got the case data that would be an unfair advantage,β Berulis said. βThey could identify and fire employees and union organizers without saying why.β
Marko Elez, in a photo from a social media profile.
Berulis said the other two GitHub archives that DOGE employees downloaded to NLRB systems included Integuru, a software framework designed to reverse engineer application programming interfaces (APIs) that websites use to fetch data; and a βheadlessβ browser called Browserless, which is made for automating web-based tasks that require a pool of browsers, such as web scraping and automated testing.
On February 6, someone posted a lengthy and detailed critique of Elezβs code on the GitHub βissuesβ page for async-ip-rotator, calling it βinsecure, unscalable and a fundamental engineering failure.β
βIf this were a side project, it would just be bad code,β the reviewer wrote. βBut if this is representative of how you build production systems, then there are much larger concerns. This implementation is fundamentally broken, and if anything similar to this is deployed in an environment handling sensitive data, it should be audited immediately.β
Further reading:Β Berulisβs complaintΒ (PDF).
Update 7:06 p.m. ET: Elezβs code repo was deleted after this story was published. An archived version of it is here.
Microsoft today released updates to plug at least 121 security holes in its Windows operating systems and software, including one vulnerability that is already being exploited in the wild. Eleven of those flaws earned Microsoftβs most-dire βcriticalβ rating, meaning malware or malcontents could exploit them with little to no interaction from Windows users.
The zero-day flaw already seeing exploitation is CVE-2025-29824, a local elevation of privilege bug in the Windows Common Log File System (CLFS) driver.Β Microsoft rates it as βimportant,β but as Chris Goettl from Ivanti points out, risk-based prioritization warrants treating it as critical.
This CLFS component of Windows is no stranger to Patch Tuesday: According to Tenableβs Satnam Narang, since 2022 Microsoft has patched 32 CLFS vulnerabilities β averaging 10 per year β with six of them exploited in the wild. The last CLFS zero-day was patched in December 2024.
Narang notes that while flaws allowing attackers to install arbitrary code are consistently top overall Patch Tuesday features, the data is reversed for zero-day exploitation.
βFor the past two years, elevation of privilege flaws have led the pack and, so far in 2025, account for over half of all zero-days exploited,β Narang wrote.
Rapid7βs Adam Barnett warns that any Windows defenders responsible for an LDAP server β which means almost any organization with a non-trivial Microsoft footprint β should add patching for the critical flaw CVE-2025-26663Β to their to-do list.
βWith no privileges required, no need for user interaction, and code execution presumably in the context of the LDAP server itself, successful exploitation would be an attractive shortcut to any attacker,β Barnett said. βAnyone wondering if today is a re-run of December 2024 PatchΒ TuesdayΒ can take some small solace in the fact that the worst of theΒ trio of LDAP critical RCEs published at the end of last yearΒ was likely easier to exploit than todayβs example, since todayβsΒ CVE-2025-26663 requires that an attacker win a race condition. Despite that, Microsoft still expects that exploitation is more likely.β
Among the critical updates Microsoft patched this month are remote code execution flaws in Windows Remote Desktop servicesΒ (RDP), including CVE-2025-26671, CVE-2025-27480 and CVE-2025-27482; only the latter two are rated βcritical,β and Microsoft marked both of them as βExploitation More Likely.β
Perhaps the most widespread vulnerabilities fixed this month were in web browsers. Google Chrome updated to fix 13 flaws this week, and Mozilla Firefox fixed eight bugs, with possibly more updates coming later this week for Microsoft Edge.
As it tends to do on Patch Tuesdays, Adobe has released 12 updates resolving 54 security holes across a range of products, including ColdFusion, Adobe Commerce, Experience Manager Forms, After Effects, Media Encoder, Bridge,Β Premiere Pro, Photoshop, Animate, AEM Screens, and FrameMaker.
Apple users may need to patch as well. On March 31, Apple released a huge security update (more than three gigabytes in size) to fix issues in a range of their products, including at least one zero-day flaw.
And in case you missed it, on March 31, 2025 Apple released a rather large batch of security updates for a wide range of their products, from macOS to the iOS operating systems on iPhones and iPads.
Earlier today, Microsoft included a note saying Windows 10 security updates werenβt available but would be released as soon as possible. It appears from browsing askwoody.com that this snafu has since been rectified. Either way, if you run into complications applying any of these updates please leave a note about it in the comments below, because the chances are good that someone else had the same problem.
As ever, please consider backing up your data and or devices prior to updating, which makes it far less complicated to undo a software update gone awry. For more granular details on todayβs Patch Tuesday, check out the SANS Internet Storm Centerβs roundup. Microsoftβs update guide for April 2025 is here.
For more details on Patch Tuesday, check out the write-ups from Action1 andΒ Automox.
A Minnesota cybersecurity and computer forensics expert whose testimony has featured in thousands of courtroom trials over the past 30 years is facing questions about his credentials and an inquiry from the Federal Bureau of Investigation (FBI). Legal experts say the inquiry could be grounds to reopen a number of adjudicated cases in which the expertβs testimony may have been pivotal.
One might conclude from reading Mr. Lantermanβs LinkedIn profile that has a degree from Harvard University.
Mark Lanterman is a former investigator for the U.S. Secret Service Electronics Crimes Task Force who founded the Minneapolis consulting firm Computer Forensic Services (CFS). The CFS website says Lantermanβs 30-year career has seen him testify as an expert in more than 2,000 cases, with experience in cases involving sexual harassment and workplace claims, theft of intellectual property and trade secrets, white-collar crime, and class action lawsuits.
Or at least it did until last month, when Lantermanβs profile and work history were quietly removed from the CFS website. The removal came after Hennepin County Attorneyβs Office said it was notifying parties to ten pending cases that they were unable to verify Lantermanβs educational and employment background. The county attorney also said the FBI is now investigating the allegations.
Those allegations were raised by Sean Harrington, an attorney and forensics examiner based in Prescott, Wisconsin. Harrington alleged that Lanterman lied under oath in court on multiple occasions when he testified that he has a Bachelor of Science and a Masterβs degree in computer science from the now-defunct Upsala College, and that he completed his postgraduate work in cybersecurity at Harvard University.
Harringtonβs claims gained steam thanks to digging by the law firm Perkins Coie LLP, which is defending a case wherein a clientβs laptop was forensically reviewed by Lanterman. On March 14, Perkins Coie attorneys asked the judge (PDF) to strike Lantermanβs testimony because neither he nor they could substantiate claims about his educational background.
Upsala College, located in East Orange, N.J., operated for 102 years until it closed in 1995 after a period of declining enrollment and financial difficulties. Perkins Coie told the court that theyβd visited Felician University, which holds the transcripts for Upsala College during the years Lanterman claimed to have earned undergraduate and graduate degrees. The law firm said Felician had no record of transcripts for Lanterman (PDF), and that his name was absent from all of the Upsala College student yearbooks and commencement programs during that period.
Reached for comment, Lanterman acknowledged he had no way to prove he attended Upsala College, and that his βpostgraduate workβ at Harvard was in fact an eight-week online cybersecurity class called HarvardX, which cautions that its certificates should not be considered equivalent to a Harvard degree or a certificate earned through traditional, in-person programs at Harvard University.
Lanterman has testified that his first job after college was serving as a police officer in Springfield Township, Pennsylvania, although the Perkins Coie attorneys noted that this role was omitted from his resume. The attorneys said when they tried to verify Lantermanβs work history, βthe police department responded with a story that would be almost impossible to believe if it was not corroborated by Lantermanβs own email communications.β
As recounted in the March 14 filing, Lanterman was deposed on Feb. 11, and the following day he emailed the Springfield Township Police Department to see if he could have a peek at his old personnel file. On Feb. 14, Lanterman visited the Springfield Township PD and asked to borrow his employment record. He told the officer he spoke with on the phone that heβd recently been instructed to βget his affairs in orderβ after being diagnosed with a grave heart condition, and that he wanted his old file to show his family about his early career.
According to Perkins Coie, Lanterman left the Springfield Township PD with his personnel file, and has not returned it as promised.
βIt is shocking that an expert from Minnesota would travel to suburban Philadelphia and abscond with his decades-old personnel file to obscure his background,β the law firm wrote. βThat appears to be the worst and most egregious form of spoliation, and the deception alone is reason enough to exclude Lanterman and consider sanctions.β
Harrington initially contacted KrebsOnSecurity about his concerns in late 2023, fuming after sitting through a conference speech in which Lanterman shared documents from a ransomware victim and told attendees it was because theyβd refused to hire his company to perform a forensic investigation on a recent breach.
βHe claims he was involved in the Martha Stewart investigation, the Bernie Madoff trial, Paul McCartneyβs divorce, the Tom Petters investigation, the Denny Hecker investigation, and many others,β Harrington said. βHe claims to have been invited to speak to the Supreme Court, claims to train the βentire federal judiciaryβ on cybersecurity annually, and is a faculty member of the United States Judicial Conference and the Judicial College β positions which he obtained, in part, on a house of fraudulent cards.β
In an interview this week, Harrington said court documents reveal that at least two of Lantermanβs previous clients complained CFS had held their data for ransom over billing disputes. In a declaration (PDF) dated August 2022, the co-founder of the law firm MoreLaw Minneapolis LLC said she hired Lanterman in 2014 to examine several electronic devices after learning that one of their paralegals had a criminal fraud history.
But the law firm said when it pushed back on a consulting bill that was far higher than expected, Lanterman told them CFS would βescalateβ its collection efforts if they didnβt pay, including βa claim and lien against the data which will result in a public auction of your data.β
βAll of us were flabbergasted by Mr. Lantermanβs email,β wrote MoreLaw co-founder Kimberly Hanlon. βI had never heard of any legitimate forensic company threatening to βauctionβ off an attorneyβs data, particularly knowing that the data is comprised of confidential client data, much of which is sensitive in nature.β
In 2009, a Wisconsin-based manufacturing company that had hired Lanterman for computer forensics balked at paying an $86,000 invoice from CFS, calling it βexcessive and unsubstantiated.β The company told a Hennepin County court that on April 15, 2009, CFS conducted an auction of its trade secret information in violation of their confidentiality agreement.
βCFS noticed and conducted a Public Sale of electronic information that was entrusted to them pursuant to the terms of the engagement agreement,β the company wrote. βCFS submitted the highest bid at the Public Sale in the amount of $10,000.β
Lanterman briefly responded to a list of questions about his background (and recent heart diagnosis) on March 24, saying he would send detailed replies the following day. Those replies never materialized. Instead, Lanterman forwarded a recent memo he wrote to the court that attacked Harrington and said his accuser was only trying to take out a competitor. He has not responded to further requests for comment.
βWhen I attended Upsala, I was a commuter student who lived with my grandparents in Morristown, New Jersey approximately 30 minutes away from Upsala College,β Lanterman explained to the judge (PDF) overseeing a separate ongoing case (PDF) in which he has testified. βWith limited resources, I did not participate in campus social events, nor did I attend graduation ceremonies. In 2023, I confirmed with Felician University β which maintains Upsala Collegeβs records β that they could not locate my transcripts or diploma, a situation that they indicated was possibly due to unresolved money-related issues.β
Lanterman was ordered to appear in court on April 3 in the case defended by Perkins Coie, but he did not show up. Instead, he sent a message to the judge withdrawing from the case.
βI am 60 years old,β Lanterman told the judge. βI created my business from nothing. I am done dealing with the likes of individuals like Sean Harrington. And quite frankly, I have been planning at turning over my business to my children for years. That time has arrived.β
Lantermanβs letter leaves the impression that it was his decision to retire. But according to an affidavit (PDF) filed in a Florida case on March 28, Mark Lantermanβs son Sean said heβd made the difficult decision to ask his dad to step down given all the negative media attention.
Mark Rasch, a former federal cybercrime prosecutor who now serves as counsel to the New York cybersecurity intelligence firm Unit 221B, said that if an expert witness is discredited, any defendants who lost cases that were strongly influenced by that expertβs conclusions at trial could have grounds for appeal.
Rasch said law firms who propose an expert witness have a duty in good faith to vet that expertβs qualifications, knowing that those credentials will be subject to cross-examination.
βFederal rules of civil procedure and evidence both require experts to list every case they have testified in as an expert for the past few years,β Rasch said. βPart of that due diligence is pulling up the results of those cases and seeing what the nature of their testimony has been.β
Perhaps the most well-publicized case involving significant forensic findings from Lanterman was the 2018 conviction of Stephen Allwine, who was found guilty of killing his wife two years earlier after attempts at hiring a hitman on the dark net fell through. Allwine is serving a sentence of life in prison, and continues to maintain that he was framed, casting doubt on computer forensic evidence found on 64 electronic devices taken from his home.
On March 24, Allwine petitioned a Minnesota court (PDF) to revisit his case, citing the accusations against Lanterman and his role as a key witness for the prosecution.
A message posted on Monday to the homepage of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is the latest exhibit in the Trump administrationβs continued disregard for basic cybersecurity protections. The message instructed recently-fired CISA employees to get in touch so they can be rehired and then immediately placed on leave, asking employees to send their Social Security number or date of birth in a password-protected email attachment β presumably with the password needed to view the file included in the body of the email.
The homepage of cisa.gov as it appeared on Monday and Tuesday afternoon.
On March 13, a Maryland district court judge ordered the Trump administration to reinstate more than 130 probationary CISA employees who were fired last month. On Monday, the administration announced that those dismissed employees would be reinstated but placed on paid administrative leave. They are among nearly 25,000 fired federal workers who are in the process of being rehired.
A notice covering the CISA homepage said the administration is making every effort to contact those who were unlawfully fired in mid-February.
βPlease provide a password protected attachment that provides your full name, your dates of employment (including date of termination), and one other identifying factor such as date of birth or social security number,β the message reads. βPlease, to the extent that it is available, attach any termination notice.β
The message didnβt specify how affected CISA employees should share the password for any attached files, so the implicit expectation is that employees should just include the plaintext password in their message.
Email is about as secure as a postcard sent through the mail, because anyone who manages to intercept the missive anywhere along its path of delivery can likely read it. In security terms, thatβs the equivalent of encrypting sensitive data while also attaching the secret key needed to view the information.
Whatβs more, a great many antivirus and security scanners have trouble inspecting password-protected files, meaning the administrationβs instructions are likely to increase the risk that malware submitted by cybercriminals could be accepted and opened by U.S. government employees.
The message in the screenshot above was removed from the CISA homepage Tuesday evening and replaced with a much shorter notice directing former CISA employees to contact a specific email address. But a slightly different version of the same message originally posted to CISAβs website still exists at the website for the U.S. Citizenship and Immigration Services, which likewise instructs those fired employees who wish to be rehired and put on leave to send a password-protected email attachment with sensitive personal data.
A message from the White House to fired federal employees at the U.S. Citizenship and Immigration Services instructs recipients to email personal information in a password-protected attachment.
This is hardly the first example of the administration discarding Security 101 practices in the name of expediency. Last month, the Central Intelligence Agency (CIA) sent an unencrypted email to the White House with the first names and first letter of the last names of recently hired CIA officers who might be easy to fire.
As cybersecurity journalist Shane Harris noted in The Atlantic, even those fragments of information could be useful to foreign spies.
βOver the weekend, a former senior CIA official showed me the steps by which a foreign adversary who knew only his first name and last initial could have managed to identify him from the single line of the congressional record where his full name was published more than 20 years ago, when he became a member of the Foreign Service,β Harris wrote. βThe former official was undercover at the time as a State Department employee. If a foreign government had known even part of his name from a list of confirmed CIA officers, his cover would have been blown.β
The White House has also fired at least 100 intelligence staffers from the National Security Agency (NSA), reportedly for using an internal NSA chat tool to discuss their personal lives and politics. Testifying before the House Select Committee on the Communist Party earlier this month, the NSAβs former top cybersecurity official said the Trump administrationβs attempts to mass fire probationary federal employees will be βdevastatingβ to U.S. cybersecurity operations.
Rob Joyce, who spent 34 years at the NSA, told Congress how important those employees are in sustaining an aggressive stance against China in cyberspace.
βAt my former agency, remarkable technical talent was recruited into developmental programs that provided intensive unique training and hands-on experience to cultivate vital skills,β Joyce told the panel. βEliminating probationary employees will destroy a pipeline of top talent responsible for hunting and eradicating [Chinese] threats.β
Both the message to fired CISA workers and DOGEβs ongoing efforts to bypass vetted government networks for a faster Wi-Fi signal are emblematic of this administrationβs overall approach to even basic security measures: To go around them, or just pretend they donβt exist for a good reason.
On Monday, The New York Times reported that U.S. Secret Service agents at the White House were briefly on alert last month when a trusted captain of Elon Muskβs βDepartment of Government Efficiencyβ (DOGE) visited the roof of the Eisenhower building inside the White House compound β to see about setting up a dish to receive satellite Internet access directly from Muskβs Starlink service.
The White House press secretary told The Times that Starlink had βdonatedβ the service and that the gift had been vetted by the lawyer overseeing ethics issues in the White House Counselβs Office. The White House claims the service is necessary because its wireless network is too slow.
Jake Williams, vice president for research and development at the cybersecurity consulting firm Hunter Strategy, told The Times βitβs super rareβ to install Starlink or another internet provider as a replacement for existing government infrastructure that has been vetted and secured.
βI canβt think of a time that I have heard of that,β Williams said. βIt introduces another attack point,β Williams said. βBut why introduce that risk?β
Meanwhile, NBC News reported on March 7 that Starlink is expanding its footprint across the federal government.
βMultiple federal agencies are exploring the idea of adopting SpaceXβs Starlink for internet access β and at least one agency, the General Services Administration (GSA), has done so at the request of Muskβs staff, according to someone who worked at the GSA last month and is familiar with its network operations β despite a vow by Musk and Trump to slash the overall federal budget,β NBC wrote.
The longtime Musk employee who encountered the Secret Service on the roof in the White House complex was Christopher Stanley, the 33-year-old senior director for security engineering at X and principal security engineer at SpaceX.
On Monday, Bloomberg broke the news that Stanley had been tapped for a seat on the board of directors at the mortgage giant Fannie Mae. Stanley was added to the board alongside newly confirmed Federal Housing Finance Agency director Bill Pulte, the grandson of the late housing businessman and founder of PulteGroup β William J. Pulte.
In a nod to his new board role atop an agency that helps drive the nationβs $12 trillion mortgage market, Stanley retweeted a Bloomberg story about the hire with a smiley emoji and the comment βTech Support.β
But earlier today, Bloomberg reported that Stanley had abruptly resigned from the Fannie board, and that details about the reason for his quick departure werenβt immediately clear. As first reported here last month, Stanley had a brush with celebrity on Twitter in 2015 when he leaked the user database for the DDoS-for-hire service LizardStresser, and soon faced threats of physical violence against his family.
MyΒ 2015 story on that leakΒ did not name Stanley, but he exposed himself as the source by posting a video about it on his Youtube channel. A review of domain names registered by Stanley shows he went by the nickname βenKrypt,β and was the former owner of a pirated software and hacking forum calledΒ error33[.]net, as well asΒ theC0re, a video game cheating community.
Stanley is one of more than 50 DOGE workers, mostly young men and women who have worked with one or more of Muskβs companies. The Trump administration remains dogged by questions about how many β if any β of the DOGE workers were put through the gauntlet of a thorough security background investigation before being given access to such sensitive government databases.
Thatβs largely because in one of his first executive actions after being sworn in for a second term on Jan. 20, President Trump declared that the security clearance process was simply too onerous and time-consuming, and that anyone so designated by the White House counsel would have full top secret/sensitive compartmented information (TS/SCI) clearances for up to six months. Translation: We accepted the risk, so TAH-DAH! No risk!
Presumably, this is the same counsel who saw no ethical concerns with Musk βdonatingβ Starlink to the White House, or with President Trump summoning the media to film him hawking Cybertrucks and Teslas (a.k.a. βTeslersβ) on the White House lawn last week.
Mr. Muskβs unelected role as head of an ad hoc executive entity that is gleefully firing federal workers and feeding federal agencies into βthe wood chipperβ has seen his Tesla stock price plunge in recent weeks, while firebombings and other vandalism attacks on property carrying the Tesla logo are cropping up across the U.S. and overseas and driving down Tesla sales.
President Trump and his attorney general Pam Bondi have dubiously asserted that those responsible for attacks on Tesla dealerships are committing βdomestic terrorism,β and that vandals will be prosecuted accordingly. But itβs not clear this administration would recognize a real domestic security threat if it was ensconced squarely behind the Resolute Desk.
Or at the pinnacle of the Federal Bureau of Investigation (FBI). The Washington Post reported last month that Trumpβs new FBI director Kash PatelΒ was paid $25,000 last year by a film company owned by a dual U.S. Russian citizen that has made programs promoting βdeep stateβ conspiracy theories pushed by the Kremlin.
βThe resulting six-part documentary appeared on Tucker Carlsonβs online network, itself a reliable conduit for Kremlin propaganda,β The Post reported. βIn the film, Patel made his now infamous pledge to shut down the FBIβs headquarters in Washington and βopen it up as a museum to the deep state.'β
When the head of the FBI is promising to turn his own agency headquarters into a mocking public exhibit on the U.S. National Mall, it may seem silly to fuss over the White Houseβs clumsy and insulting instructions to former employees they unlawfully fired.
Indeed, one consistent feedback Iβve heard from a subset of readers here is something to this effect: βI used to like reading your stuff more when you werenβt writing about politics all the time.β
My response to that is: βYeah, me too.β Itβs not that Iβm suddenly interested in writing about political matters; itβs that various actions by this administration keep intruding on my areas of coverage.
A less charitable interpretation of that reader comment is that anyone still giving such feedback is either dangerously uninformed, being disingenuous, or just doesnβt want to keep being reminded that theyβre on the side of the villains, despite all the evidence showing it.
Article II of the U.S. Constitution unambiguously states that the president shall take care that the laws be faithfully executed. But almost from Day One of his second term, Mr. Trump has been acting in violation of his sworn duty as president by choosing not to enforce laws passed by Congress (TikTok ban, anyone?), by freezing funds already allocated by Congress, and most recently by flouting a federal court order while simultaneously calling for the impeachment of the judge who issued it. Sworn to uphold, protect and defend The Constitution, President Trump appears to be creating new constitutional challenges with almost each passing day.
When Mr. Trump was voted out of office in November 2020, he turned to baseless claims of widespread βelection fraudβ to explain his loss β with deadly and long-lasting consequences. This time around, the rallying cry of DOGE and White House is βgovernment fraud,β which gives the administration a certain amount of cover for its actions among a base of voters that has long sought to shrink the size and cost of government.
In reality, βgovernment fraudβ has become a term of derision and public scorn applied to anything or anyone the current administration doesnβt like. If DOGE and the White House were truly interested in trimming government waste, fraud and abuse, they could scarcely do better than consult the inspectors general fighting it at various federal agencies.
After all, the inspectors general likely know exactly where a great deal of the federal governmentβs fiscal skeletons are buried. Instead, Mr. Trump fired at least 17 inspectors general, leaving the government without critical oversight of agency activities. That action is unlikely to stem government fraud; if anything, it will only encourage such activity.
As Techdirt founder Mike Masnick noted in a recent column βWhy Techdirt is Now a Democracy Blog (Whether We Like it or Not),β when the very institutions that made American innovation possible are being systematically dismantled, itβs not a βpoliticalβ story anymore: Itβs a story about whether the environment that enabled all the other stories we cover will continue to exist.
βThis is why tech journalismβs perspective is so crucial right now,β Masnick wrote. βWeβve spent decades documenting how technology and entrepreneurship can either strengthen or undermine democratic institutions. We understand the dangers of concentrated power in the digital age. And weβve watched in real-time as tech leaders who once championed innovation and openness now actively work to consolidate control and dismantle the very systems that enabled their success.β
βBut right now, the story that matters most is how the dismantling of American institutions threatens everything else we cover,β Masnick continued. βWhen the fundamental structures that enable innovation, protect civil liberties, and foster open dialogue are under attack, every other tech policy story becomes secondary.β
Article tags
A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed βClickFix,β the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware.
ClickFix attacks mimic the βVerify You are a Humanβ tests that many websites use to separate real visitors from content-scraping bots. This particular scam usually starts with a website popup that looks something like this:
This malware attack pretends to be a CAPTCHA intended to separate humans from bots.
Clicking the βIβm not a robotβ button generates a pop-up message asking the user to take three sequential steps to prove their humanity.
Executing this series of keypresses prompts Windows to download password-stealing malware.
Step 1 involves simultaneously pressing the keyboard key with the Windows icon and the letter βR,β which opens a Windows βRunβ prompt that will execute any specified program that is already installed on the system.
Step 2 asks the user to press the βCTRLβ key and the letter βVβ at the same time, which pastes malicious code from the siteβs virtual clipboard.
Step 3 β pressing the βEnterβ key β causes Windows to download and launch malicious code through βmshta.exe,β a Windows program designed to run Microsoft HTML application files.
βThis campaign delivers multiple families of commodity malware, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT,β Microsoft wrote in a blog post on Thursday. βDepending on the specific payload, the specific code launched through mshta.exe varies. Some samples have downloaded PowerShell, JavaScript, and portable executable (PE) content.β
According to Microsoft, hospitality workers are being tricked into downloading credential-stealing malware by cybercriminals impersonating Booking.com. The company said attackers have been sending malicious emails impersonating Booking.com, often referencing negative guest reviews, requests from prospective guests, or online promotion opportunities β all in a bid to convince people to step through one of these ClickFix attacks.
In November 2024, KrebsOnSecurity reported that hundreds of hotels that use booking.com had been subject to targeted phishing attacks. Some of those lures worked, and allowed thieves to gain control over booking.com accounts. From there, they sent out phishing messages asking for financial information from people whoβd just booked travel through the companyβs app.
Earlier this month, the security firm Arctic Wolf warned about ClickFix attacks targeting people working in the healthcare sector. The company said those attacks leveraged malicious code stitched into the widely used physical therapy video site HEP2go that redirected visitors to a ClickFix prompt.
An alert (PDF) released in October 2024 by the U.S. Department of Health and Human Services warned that the ClickFix attack can take many forms, including fake Google Chrome error pages and popups that spoof Facebook.
ClickFix tactic used by malicious websites impersonating Google Chrome, Facebook, PDFSimpli, and reCAPTCHA. Source: Sekoia.
The ClickFix attack β and its reliance on mshta.exe β is reminiscent of phishing techniques employed for years that hid exploits inside Microsoft Office macros. Malicious macros became such a common malware threat that Microsoft was forced to start blocking macros by default in Office documents that try to download content from the web.
Alas, the email security vendor Proofpoint has documented plenty of ClickFix attacks via phishing emails that include HTML attachments spoofing Microsoft Office files. When opened, the attachment displays an image of Microsoft Word document with a pop-up error message directing users to click the βSolutionβ or βHow to Fixβ button.
HTML files containing ClickFix instructions. Examples for attachments named βReport_β (on the left) and βscan_doc_β (on the right). Image: Proofpoint.
Organizations that wish to do so can take advantage of Microsoft Group Policy restrictions to prevent Windows from executing the βrunβ command when users hit the Windows key and the βRβ key simultaneously.
The FBI joined authorities across Europe last week in seizing domain names for Cracked and Nulled, English-language cybercrime forums with millions of users that trafficked in stolen data, hacking tools and malware. An investigation into the history of these communities shows their apparent co-founders quite openly operate an Internet service provider and a pair of e-commerce platforms catering to buyers and sellers on both forums.
In this 2019 post from Cracked, a forum moderator told the author of the post (Buddie) that the owner of the RDP service was the founder of Nulled, a.k.a. βFinndev.β Image: Ke-la.com.
On Jan. 30, the U.S. Department of Justice said it seized eight domain names that were used to operate Cracked, a cybercrime forum that sprang up in 2018 and attracted more than four million users. The DOJ said the law enforcement action, dubbed Operation Talent, also seized domains tied to Sellix, Crackedβs payment processor.
In addition, the government seized the domain names for two popular anonymity services that were heavily advertised on Cracked and Nulled and allowed customers to rent virtual servers: StarkRDP[.]io, and rdp[.]sh.
Those archived webpages show both RDP services were owned by an entity called 1337 Services Gmbh. According to corporate records compiled by Northdata.com, 1337 Services GmbH is also known as AS210558Β and is incorporated in Hamburg, Germany.
The Cracked forum administrator went by the nicknames βFlorainNβ and βStarkRDPβ on multiple cybercrime forums. Meanwhile, a LinkedIn profile for a Florian M. from Germany refers to this person as the co-founder of Sellix and founder of 1337 Services GmbH.
Northdataβs business profile for 1337 Services GmbH shows the company is controlled by two individuals: 32-year-old Florian Marzahl and Finn Alexander Grimpe, 28.
An organization chart showing the owners of 1337 Services GmbH as Florian Marzahl and Finn Grimpe. Image: Northdata.com.
Neither Marzahl nor Grimpe responded to requests for comment. But Grimpeβs first name is interesting because it corresponds to the nickname chosen by the founder of Nulled, who goes by the monikers βFinnβ and βFinndev.β NorthData reveals that Grimpe was the founder of a German entity called DreamDrive GmbH, which rented out high-end sports cars and motorcycles.
According to the cyber intelligence firm Intel 471, a user named Finndev registered on multiple cybercrime forums, including Raidforums [seized by the FBI in 2022], Void[.]to, and vDOS, a DDoS-for-hire service that was shut down in 2016 after its founders were arrested.
The email address used for those accounts was f.grimpe@gmail.com. DomainTools.com reports f.grimpe@gmail.com was used to register at least nine domain names, including nulled[.]lol and nulled[.]it. Neither of these domains were among those seized in Operation Talent.
Intel471 finds the user FlorainN registered across multiple cybercrime forums using the email address olivia.messla@outlook.de. The breach tracking service Constella Intelligence says this email address used the same password (and slight variations of it) across many accounts online β including at hacker forums β and that the same password was used in connection with dozens of other email addresses, such as florianmarzahl@hotmail.de, and fmarzahl137@gmail.com.
The Justice Department said the Nulled marketplace had more than five million members, and has been selling stolen login credentials, stolen identification documents and hacking services, as well as tools for carrying out cybercrime and fraud, since 2016.
Perhaps fittingly, both Cracked and Nulled have been hacked over the years, exposing countless private messages between forum users. A review of those messages archived by Intel 471 showed that dozens of early forum members referred privately to Finndev as the owner of shoppy[.]gg, an e-commerce platform that caters to the same clientele as Sellix.
Shoppy was not targeted as part of Operation Talent, and its website remains online. Northdata reports that Shoppyβs business name β Shoppy Ecommerce Ltd. β is registered at an address in Gan-Ner, Israel, but there is no ownership information about this entity. Shoppy did not respond to requests for comment.
Constella found that a user named Shoppy registered on Cracked in 2019 using the email address finn@shoppy[.]gg. Constella says that email address is tied to a Twitter/X account for Shoppy Ecommerce in Israel.
The DOJ said one of the alleged administrators of Nulled, a 29-year-old Argentinian national named Lucas Sohn, was arrested in Spain.Β The government has not announced any other arrests or charges associated with Operation Talent.
Indeed, both StarkRDP and FloraiN have posted to their accounts on Telegram that there were no charges levied against the proprietors of 1337 Services GmbH. FlorainN told former customers they were in the process of moving to a new name and domain for StarkRDP, where existing accounts and balances would be transferred.
βStarkRDP has always been operating by the law and is not involved in any of these alleged crimes and the legal process will confirm this,β the StarkRDP Telegram account wrote on January 30. βAll of your servers are safe and they have not been collected in this operation. The only things that were seized is the website server and our domain. Unfortunately, no one can tell who took it and with whom we can talk about it. Therefore, we will restart operation soon, under a different name, to close the chapter [of] βStarkRDP.'β
Microsoft today unleashed updates to plug a whopping 161 security vulnerabilities in Windows and related software, including three βzero-dayβ weaknesses that are already under active attack. Redmondβs inaugural Patch Tuesday of 2025 bundles more fixes than the company has shipped in one go since 2017.
Rapid7βs Adam Barnett says January marks the fourth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also saw the publication of nine critical remote code execution (RCE) vulnerabilities.
The Microsoft flaws already seeing active attacks include CVE-2025-21333, CVE-2025-21334 and, you guessed itβ CVE-2025-21335. These are sequential because all reside in Windows Hyper-V, a component that is heavily embedded in modern Windows 11 operating systems and used for security features including device guard and credential guard.
Tenableβs Satnam Narang says little is known about the in-the-wild exploitation of these flaws, apart from the fact that they are all βprivilege escalationβ vulnerabilities. Narang said we tend to see a lot of elevation of privilege bugs exploited in the wild as zero-days in Patch Tuesday because itβs not always initial access to a system thatβs a challenge for attackers as they have various avenues in their pursuit.
βAs elevation of privilege bugs, theyβre being used as part of post-compromise activity, where an attacker has already accessed a target system,β he said. βItβs kind of like if an attacker is able to enter a secure building, theyβre unable to access more secure parts of the facility because they have to prove that they have clearance. In this case, theyβre able to trick the system into believing they should have clearance.β
Several bugs addressed today earned CVSS (threat rating) scores of 9.8 out of a possible 10, including CVE-2025-21298, a weakness in Windows that could allow attackers to run arbitrary code by getting a target to open a malicious .rtf file, documents typically opened on Office applications like Microsoft Word. Microsoft has rated this flaw βexploitation more likely.β
Ben Hopkins at Immersive Labs called attention to the CVE-2025-21311, a 9.8 βcriticalβ bug in Windows NTLMv1 (NT LAN Manager version 1), an older Microsoft authentication protocol that is still used by many organizations.
βWhat makes this vulnerability so impactful is the fact that it is remotely exploitable, so attackers can reach the compromised machine(s) over the internet, and the attacker does not need significant knowledge or skills to achieve repeatable success with the same payload across any vulnerable component,β Hopkins wrote.
Kev Breen at Immersive points to an interesting flaw (CVE-2025-21210) that Microsoft fixed in its full disk encryption suite Bitlocker that the software giant has dubbed βexploitation more likely.β Specifically, this bug holds out the possibility that in some situations the hibernation image created when one closes the laptop lid on an open Windows session may not be fully encrypted and could be recovered in plain text.
βHibernation images are used when a laptop goes to sleep and contains the contents that were stored in RAM at the moment the device powered down,β Breen noted. βThis presents a significant potential impact as RAM can contain sensitive data (such as passwords, credentials and PII) that may have been in open documents or browser sessions and can all be recovered with free tools from hibernation files.β
Tenableβs Narang also highlighted a trio of vulnerabilities in Microsoft Access fixed this month and credited to Unpatched.ai, a security research effort that is aided by artificial intelligence looking for vulnerabilities in code. Tracked as CVE-2025-21186, CVE-2025-21366, and CVE-2025-21395, these are remote code execution bugs that are exploitable if an attacker convinces a target to download and run a malicious file through social engineering. Unpatched.ai was also credited with discovering a flaw in the December 2024 Patch Tuesday release (CVE-2024-49142).
βAutomated vulnerability detection using AI has garnered a lot of attention recently, so itβs noteworthy to see this service being credited with finding bugs in Microsoft products,β Narang observed. βIt may be the first of many in 2025.β
If youβre a Windows user who has automatic updates turned off and havenβt updated in a while, itβs probably time to play catch up. Please consider backing up important files and/or the entire hard drive before updating. And if you run into any problems installing this monthβs patch batch, drop a line in the comments below, please.
Further reading on todayβs patches from Microsoft:
Article tags
Cybercriminals are selling hundreds of thousands of credential sets stolen with the help of a cracked version of Acunetix, a powerful commercial web app vulnerability scanner, new research finds. The cracked software is being resold as a cloud-based attack tool by at least two different services, one of which KrebsOnSecurity traced to an information technology firm based in Turkey.
Araneida Scanner.
Cyber threat analysts at Silent Push said they recently received reports from a partner organization that identified an aggressive scanning effort against their website using an Internet address previously associated with a campaign by FIN7, a notorious Russia-based hacking group.
But on closer inspection they discovered the address contained an HTML title of βAraneida Customer Panel,β and found they could search on that text string to find dozens of unique addresses hosting the same service.
It soon became apparent that Araneida was being resold as a cloud-based service using a cracked version of Acunetix, allowing paying customers to conduct offensive reconnaissance on potential target websites, scrape user data, and find vulnerabilities for exploitation.
Silent Push also learned Araneida bundles its service with a robust proxy offering, so that customer scans appear to come from Internet addresses that are randomly selected from a large pool of available traffic relays.
The makers of Acunetix, Texas-based application security vendor Invicti Security, confirmed Silent Pushβs findings, saying someone had figured out how to crack the free trial version of the software so that it runs without a valid license key.
βWe have been playing cat and mouse for a while with these guys,β said Matt Sciberras, chief information security officer at Invicti.
Silent Push said Araneida is being advertised by an eponymous user on multiple cybercrime forums. The serviceβs Telegram channel boasts nearly 500 subscribers and explains how to use the tool for malicious purposes.
In a βFun Factsβ list posted to the channel in late September, Araneida said their service was used to take over more than 30,000 websites in just six months, and that one customer used it to buy a Porsche with the payment card data (βdumpsβ) they sold.
Araneida Scannerβs Telegram channel bragging about how customers are using the service for cybercrime.
βThey are constantly bragging with their community about the crimes that are being committed, how itβs making criminals money,β saidΒ Zach Edwards, a senior threat researcher at Silent Push. βThey are also selling bulk data and dumps which appear to have been acquired with this tool or due to vulnerabilities found with the tool.β
Silent Push also found a cracked version of Acunetix was powering at least 20 instances of a similar cloud-based vulnerability testing service catering to Mandarin speakers, but they were unable to find any apparently related sales threads about them on the dark web.
Rumors of a cracked version of Acunetix being used by attackers surfaced in June 2023 on Twitter/X, when researchers first posited a connection between observed scanning activity and Araneida.
According to an August 2023 report (PDF) from the U.S. Department of Health and Human Services (HHS), Acunetix (presumably a cracked version) is among several tools used by APT 41, a prolific Chinese state-sponsored hacking group.
Silent Push notes that the website where Araneida is being sold β araneida[.]co β first came online in February 2023. But a review of this Araneida nickname on the cybercrime forums shows they have been active in the criminal hacking scene since at least 2018.
A search in the threat intelligence platform Intel 471 shows a user by the name Araneida promoted the scanner on two cybercrime forums since 2022, including Breached and Nulled. In 2022, Araneida told fellow Breached members they could be reached on Discord at the username βOrnie#9811.β
According to Intel 471, this same Discord account was advertised in 2019 by a person on the cybercrime forum Cracked who used the monikers βORNβ and βori0n.β The user βori0nβ mentioned in several posts that they could be reached on Telegram at the username β@sirorny.β
Orn advertising Araneida Scanner in Feb. 2023 on the forum Cracked. Image: Ke-la.com.
The Sirorny Telegram identity also was referenced as a point of contact for a current user on the cybercrime forum Nulled who is selling website development services, and who references araneida[.]co as one of their projects. That user, βExorn,β has posts dating back to August 2018.
In early 2020, Exorn promoted a website called βorndorks[.]com,β which they described as a service for automating the scanning for web-based vulnerabilities. A passive DNS lookup on this domain at DomainTools.com shows that its email records pointed to the address ori0nbusiness@protonmail.com.
Constella Intelligence, a company that tracks information exposed in data breaches, finds this email address was used to register an account at Breachforums in July 2024 under the nickname βOrnie.β Constella also finds the same email registered at the website netguard[.]codes in 2021 using the password βceza2003β [full disclosure: Constella is currently an advertiser on KrebsOnSecurity].
A search on the password ceza2003 in Constella finds roughly a dozen email addresses that used it in an exposed data breach, most of them featuring some variation on the name βaltugsara,β including altugsara321@gmail.com. Constella further finds altugsara321@gmail.com was used to create an account at the cybercrime community RaidForums under the username βori0n,β from an Internet address in Istanbul.
According to DomainTools, altugsara321@gmail.com was used in 2020 to register the domain name altugsara[.]com. Archive.orgβs history for that domain shows that in 2021 it featured a website for a then 18-year-old AltuΔ Εara from Ankara, Turkey.
Archive.orgβs recollection of what altugsara dot com looked like in 2021.
LinkedIn finds this same altugsara[.]com domain listed in the βcontact infoβ section of a profile for an Altug Sara from Ankara, who says he has worked the past two years as a senior software developer for a Turkish IT firm called Bilitro Yazilim.
Neither Altug Sara nor Bilitro Yazilim responded to requests for comment.
Invictiβs website states that it has offices in Ankara, but the companyβs CEO said none of their employees recognized either name.
βWe do have a small team in Ankara, but as far as I know we have no connection to the individual other than the fact that they are also in Ankara,β Invicti CEO Neil Roseman told KrebsOnSecurity.
Researchers at Silent Push say despite Araneida using a seemingly endless supply of proxies to mask the true location of its users, it is a fairly βnoisyβ scanner that will kick off a large volume of requests to various API endpoints, and make requests to random URLs associated with different content management systems.
Whatβs more, the cracked version of Acunetix being resold to cybercriminals invokes legacy Acunetix SSL certificates on active control panels, which Silent Push says provides a solid pivot for finding some of this infrastructure, particularly from the Chinese threat actors.
Further reading: Silent Pushβs research on Araneida Scanner.
Microsoft today released updates to plug at least 70 security holes in Windows and Windows software, including one vulnerability that is already being exploited in active attacks.
The zero-day seeing exploitation involves CVE-2024-49138, a security weakness in the Windows Common Log File System (CLFS) driver β used by applications to write transaction logs β that could let an authenticated attacker gain βsystemβ level privileges on a vulnerable Windows device.
The security firm Rapid7 notes there have been a series of zero-day elevation of privilege flaws in CLFS over the past few years.
βRansomware authors who have abused previous CLFS vulnerabilities will be only too pleased to get their hands on a fresh one,β wrote Adam Barnett, lead software engineer at Rapid7. βExpect more CLFS zero-day vulnerabilities to emerge in the future, at least until Microsoft performs a full replacement of the aging CLFS codebase instead of offering spot fixes for specific flaws.β
Elevation of privilege vulnerabilities accounted for 29% of the 1,009 security bugs Microsoft has patched so far in 2024, according to a year-end tally by Tenable; nearly 40 percent of those bugs were weaknesses that could let attackers run malicious code on the vulnerable device.
Rob Reeves, principal security engineer at Immersive Labs, called special attention to CVE-2024-49112, a remote code execution flaw in the Lightweight Directory Access Protocol (LDAP) service on every version of Windows since Windows 7.Β CVE-2024-49112 has been assigned a CVSS (badness) score of 9.8 out of 10.
βLDAP is most commonly seen on servers that are Domain Controllers inside a Windows network and LDAP must be exposed to other servers and clients within an enterprise environment for the domain to function,β Reeves said. βMicrosoft hasnβt released specific information about the vulnerability at present, but has indicated that the attack complexity is low and authentication is not required.β
Tyler Reguly at the security firm Fortra had a slightly different 2024 patch tally for Microsoft, at 1,088 vulnerabilities, which he said was surprisingly similar to the 1,063 vulnerabilities resolved in 2023 and the 1,119 vulnerabilities resolved in 2022.
βIf nothing else, we can say that Microsoft is consistent,β Reguly said. βWhile it would be nice to see the number of vulnerabilities each year decreasing, at least consistency lets us know what to expect.β
If youβre a Windows end user and your system is not set up to automatically install updates, please take a minute this week to run Windows Update, preferably after backing up your system and/or important data.
System admins should keep an eye on AskWoody.com, which usually has the details if any of the Patch Tuesday fixes are causing problems. In the meantime, if you run into any problems applying this monthβs fixes, please drop a note about in the comments below.
Change Healthcare says it has notified approximately 100 million Americans that their personal, financial and healthcare records may have been stolen in a February 2024 ransomware attack that caused the largest ever known data breach of protected health information.
Image: Tamer Tuncay, Shutterstock.com.
A ransomware attack at Change Healthcare in the third week of February quickly spawned disruptions across the U.S. healthcare system that reverberated for months, thanks to the companyβs central role in processing payments and prescriptions on behalf of thousands of organizations.
In April, Change estimated the breach would affect a βsubstantial proportion of people in America.β On Oct 22, the healthcare giant notified the U.S. Department of Health and Human Resources (HHS) that βapproximately 100 million notices have been sent regarding this breach.β
A notification letter from Change Healthcare said the breach involved the theft of:
-Health Data: Medical record #s, doctors, diagnoses, medicines, test results, images, care and treatment;
-Billing Records: Records including payment cards, financial and banking records;
-Personal Data: Social Security number; driverβs license or state ID number;
-Insurance Data: Health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
The HIPAA Journal reports that in the nine months ending on September 30, 2024, Changeβs parent firm United Health Group had incurred $1.521 billion in direct breach response costs, and $2.457 billion in total cyberattack impacts.
Those costs include $22 million the company admitted to paying their extortionists β a ransomware group known as BlackCat and ALPHV β in exchange for a promise to destroy the stolen healthcare data.
That ransom payment went sideways when the affiliate who gave BlackCat access to Changeβs network said the crime gang had cheated them out of their share of the ransom. The entire BlackCat ransomware operation shut down after that, absconding with all of the money still owed to affiliates who were hired to install their ransomware.
A breach notification from Change Healthcare.
A few days after BlackCat imploded, the same stolen healthcare data was offered for sale by a competing ransomware affiliate group called RansomHub.
βAffected insurance providers can contact us to prevent leaking of their own data and [remove it] from the sale,β RansomHubβs victim shaming blog announced on April 16. βChange Health and United Health processing of sensitive data for all of these companies is just something unbelievable. For most US individuals out there doubting us, we probably have your personal data.β
It remains unclear if RansomHub ever sold the stolen healthcare data. The chief information security officer for a large academic healthcare system affected by the breach told KrebsOnSecurity they participated in a call with the FBI and were told a third party partner managed to recover at least four terabytes of data that was exfiltrated from Change by the cybercriminal group. The FBI declined to comment.
Change Healthcareβs breach notification letter offers recipients two years of credit monitoring and identity theft protection services from a company called IDX. In the section of the missive titled βWhy did this happen?,β Change shared only that βa cybercriminal accessed our computer system without our permission.β
But in June 2024 testimony to the Senate Finance Committee, it emerged that the intruders had stolen or purchased credentials for a Citrix portal used for remote access, and that no multi-factor authentication was required for that account.
Last month, Sens. Mark Warner (D-Va.) and Ron Wyden (D-Ore.) introduced a bill that would require HHS to develop and enforce a set of tough minimum cybersecurity standards for healthcare providers, health plans, clearinghouses and businesses associates. The measure also would remove the existing cap on fines under the Health Insurance Portability and Accountability Act, which severely limits the financial penalties HHS can issue against providers.
According to the HIPAA Journal, the biggest penalty imposed to date for a HIPAA violation was the paltry $16 million fine against the insurer Anthem Inc., which suffered a data breach in 2015 affecting 78.8 million individuals. Anthem reported revenues of around $80 billion in 2015.
A post about the Change breach from RansomHub on April 8, 2024. Image: Darkbeast, ke-la.com.
There is little that victims of this breach can do about the compromise of their healthcare records. However, because the data exposed includes more than enough information for identity thieves to do their thing, it would be prudent to place a security freeze on your credit file and on that of your family members if you havenβt already.
The best mechanism for preventing identity thieves from creating new accounts in your name is to freeze your credit file with Equifax, Experian,Β andΒ TransUnion. This process is now free for all Americans, and simply blocks potential creditors from viewing your credit file. Parents and guardians can now also freeze the credit files for their children or dependents.
Since very few creditors are willing to grant new lines of credit without being able to determine how risky it is to do so, freezing your credit file with the Big Three is a great way to stymie all sorts of ID theft shenanigans. Having a freeze in place does nothing to prevent you from using existing lines of credit you may already have, such as credit cards, mortgage and bank accounts. When and if you ever do need to allow access to your credit file β such as when applying for a loan or new credit card β you will need to lift or temporarily thaw the freeze in advance with one or more of the bureaus.
All three bureaus allow users to place a freeze electronically after creating an account, but all of them try to steer consumers away from enacting a freeze. Instead, the bureaus are hoping consumers will opt for their confusingly named βcredit lockβ services, which accomplish the same result but allow the bureaus to continue selling access to your file to select partners.
If you havenβt done so in a while, now would be an excellent time to review your credit file for any mischief or errors. By law, everyone is entitled to one free credit report every 12 months from each of the three credit reporting agencies. But the Federal Trade Commission notes that the big three bureaus have permanently extended a program enacted in 2020 that lets you check your credit report at each of the agencies once a week for free.
Article tags
FreshRSS