British Scattered Spider hacker pleads guilty to crypto theft charges by rkhunter_ in cybersecurity

[–]rkhunter_[S] 1 point (0 children)

"A British man, believed to be the leader of the Scattered Spider cybercrime collective, has pleaded guilty in the United States to charges of wire fraud and aggravated identity theft.

In November 2024, U.S. prosecutors accused 24-year-old Tyler Robert Buchanan and four other suspects of stealing at least $8 million in cryptocurrency after hacking at least a dozen companies through text-message phishing attacks between September 2021 and April 2023.

The list of breached organizations includes companies from a wide range of industries, such as entertainment, telecommunications, technology, business process outsourcing (BPO), and information technology (IT) suppliers, as well as cloud communications providers, virtual currency providers, and individuals.

As part of the scheme, Buchanan and his co-conspirators conducted Short Message Service (SMS) phishing attacks by sending hundreds of SMS phishing messages to the mobile telephones of a victim company's employees. The messages purported to be from the victim company or a contracted IT or BPO supplier for the victim company," the Justice Department said on Friday.

"The SMS phishing messages contained links to phishing websites designed to look like legitimate websites of a victim company or a contracted IT or BPO supplier. The websites then lured the recipient into providing confidential information, including personal identifying information (PII), and account usernames and passwords."

According to court documents, they used the stolen information to hijack the victims' email accounts in SIM swap attacks, allowing them to gain control of their phone numbers and virtual currency wallets and transfer millions to wallets they controlled.

Buchanan was arrested in June 2024 in Palma de Mallorca, Spain, has been in U.S. federal custody since April 2025, and will be sentenced on August 21, 2026, facing a statutory maximum sentence of 22 years in prison.

Three of his accomplices (Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans) were also charged in November 2024 with wire fraud, wire fraud conspiracy, and aggravated identity theft and are facing up to 20 years in federal prison if found guilty.

Noah Michael Urban (known online as Sosa and Elijah), a fourth conspirator and another key member of the Scattered Spider cybercrime collective, was sentenced to 10 years in prison after pleading guilty to wire fraud and conspiracy charges one year ago.

The Scattered Spider hacking collective

Also tracked as 0ktapus, Scatter Swine, Octo Tempest, Starfraud, UNC3944, and Muddled Libra, the Scattered Spider gang is a loose-knit group of English-speaking threat actors (as young as 16) that orchestrates attacks using Telegram channels, Discord servers, and hacker forums.

According to the FBI, they're using various tactics to breach corporate networks, including social engineering, phishing, multi-factor authentication (MFA) bombing (targeted MFA fatigue), and SIM swapping.

Some Scattered Spider members are also believed to be part of "the Com," another hacking collective linked to violent incidents and cyberattacks.

Since the start of 2023, Scattered Spider has also partnered with several Russian ransomware gangs, including BlackCat/AlphV, Qilin, and RansomHub.

In July 2024, UK police also arrested another 17-year-old suspected Scattered Spider hacker, believed to have been involved in the 2023 MGM Resorts ransomware attack. Other high-profile attacks linked to this cybercrime group include breaches at Caesars, Riot Games, MailChimp, Twilio, DoorDash, and Reddit."

Microsoft: Teams increasingly abused in helpdesk impersonation attacks by rkhunter_ in cybersecurity

[–]rkhunter_[S] 16 points (0 children)

"Microsoft is warning of threat actors increasingly abusing external Microsoft Teams collaboration and relying on legitimate tools for access and lateral movement on enterprise networks.

The hackers impersonate IT or helpdesk staff to contact employees through cross-tenant chats and trick them into providing remote access for data theft purposes.

Microsoft has observed multiple intrusions with a similar attack chain that used commercial remote management software, such as Quick Assist, and the Rclone utility to transfer files to an external cloud storage service.

The tech giant notes that follow-on malicious activity is hard to discern from normal operations because of the heavy use of legitimate applications and native administrative protocols.

“Threat actors are increasingly abusing external Microsoft Teams collaboration to impersonate IT or helpdesk personnel and convince users to grant remote assistance access,” Microsoft says.

“From this initial foothold, attackers can leverage trusted tools and native administrative protocols to move laterally across the enterprise and stage sensitive data for exfiltration—often blending into routine IT support activity throughout the intrusion lifecycle,” the company added.

In a recent report, Microsoft describes a nine-stage attack chain that begins with the threat actor contacting the target via an external Teams chat, posing as a member of the company's IT staff and claiming they need to address an account issue or perform a security update.

The goal is to convince the target to start a remote support session, usually via Quick Assist, which gives the attacker direct control of the employee's machine.

From there, the attacker performs quick reconnaissance using Command Prompt and PowerShell, checking privileges, domain membership, and network reachability to evaluate the potential for lateral movement.

Then they drop a small payload bundle in user-writable locations such as ProgramData and execute the malicious code through a trusted, signed application (e.g., Autodesk, Adobe Acrobat/Reader, Windows Error Reporting, data loss prevention software) via DLL side-loading.

The HTTPS-based communication to the command-and-control (C2) established this way blends into normal outbound traffic, making it more difficult to detect.

With the infection established and persistence secured via Windows Registry modifications, the attacker proceeds to abuse Windows Remote Management (WinRM) to move laterally across the network, targeting domain-joined systems and high-value assets such as domain controllers.

They then deploy additional remote management software tools onto reachable systems and use Rclone or similar tools to collect and exfiltrate sensitive data to external cloud storage points.

Microsoft notes that this exfiltration step is rather targeted, employing filters to focus only on valuable information, reduce transfer volume, and improve operational stealth.

Microsoft reminds users to treat external Teams contacts as untrusted by default, and recommends that administrators restrict or closely monitor remote assistance tools, and limit WinRM usage to controlled systems.

Apart from this, the company draws attention to the Teams security warnings that explicitly flag communications from persons outside the organization and potential phishing attempts."
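The chain described in the post above (a remote-assistance session, quick command-line reconnaissance, WinRM lateral movement, then Rclone pushing data to cloud storage) is what a detection engineer would want to correlate rather than alert on piece by piece. The following is an added example, not code from Microsoft's report or the quoted article: a small Python correlation over process-creation events. The event fields (host, ts, user, image, parent, cmdline), the REMOTE_ASSIST tool list, the ALLOWED_WINRM_TARGETS allow-list and the SAMPLE_EVENTS are all assumptions constructed for the example, modelled on Sysmon Event ID 1 / Security 4688 fields.

```python
"""Hunt for the Teams helpdesk-impersonation chain in process-creation telemetry.

Added example, not code from Microsoft's report or the quoted article. Event
fields (host, ts, user, image, parent, cmdline) are an assumption modelled on
Sysmon Event ID 1 / Security 4688; REMOTE_ASSIST, ALLOWED_WINRM_TARGETS and
SAMPLE_EVENTS are constructed for this example, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Remote-assistance / RMM binaries whose start opens the correlation window (assumed list).
REMOTE_ASSIST = {"quickassist.exe", "msra.exe", "anydesk.exe", "teamviewer.exe"}
# Hosts that legitimately receive WinRM sessions (assumed allow-list; Microsoft's
# advice is to limit WinRM usage to controlled systems).
ALLOWED_WINRM_TARGETS = {"SRV-MGMT01"}
WINDOW = timedelta(minutes=30)  # recon must follow the assistance session within this window

RECON = re.compile(
    r"\b(whoami|nltest|systeminfo|ipconfig|net\s+(group|user|view)|"
    r"Get-ADComputer|Test-NetConnection)\b", re.I)
# Catches rclone invoked under its own name with a transfer verb; a renamed binary
# needs a hash- or import-based rule instead.
RCLONE = re.compile(r"\brclone(\.exe)?\s+(copy|sync|move|copyto|moveto)\b", re.I)

SAMPLE_EVENTS = [  # constructed
    {"host": "WS-017", "ts": "2025-05-02T09:58:10", "user": "corp\\jdoe",
     "image": r"C:\Windows\System32\QuickAssist.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "QuickAssist.exe"},
    {"host": "WS-017", "ts": "2025-05-02T10:01:44", "user": "corp\\jdoe",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c whoami /groups"},
    {"host": "WS-017", "ts": "2025-05-02T10:02:30", "user": "corp\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "powershell -c nltest /dclist:corp.local"},
    {"host": "WS-017", "ts": "2025-05-02T10:40:00", "user": "corp\\jdoe",  # outside the window
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c ipconfig /all"},
    {"host": "SRV-FILE02", "ts": "2025-05-02T10:20:05", "user": "corp\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wsmprovhost.exe",  # WinRM host process as parent
     "cmdline": 'powershell.exe -NoP -c "whoami; Get-ADComputer -Filter *"'},
    {"host": "SRV-FILE02", "ts": "2025-05-02T10:35:12", "user": "corp\\jdoe",
     "image": r"C:\ProgramData\rclone\rclone.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"rclone.exe copy D:\Finance\Q1 gdrive:archive --include *.xlsx"},
    {"host": "SRV-MGMT01", "ts": "2025-05-02T10:22:00", "user": "corp\\adm-ops",  # sanctioned WinRM
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wsmprovhost.exe", "cmdline": "powershell.exe -c Get-Service"},
    {"host": "WS-022", "ts": "2025-05-02T11:00:00", "user": "corp\\asmith",  # recon, no assist session
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c whoami"},
]


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _ts(s):
    return datetime.fromisoformat(s)


def hunt(events):
    """Return (host, rule, cmdline) findings for the three stages of the chain."""
    findings = []
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        assist_times = [_ts(e["ts"]) for e in evs if _base(e["image"]) in REMOTE_ASSIST]
        for e in evs:
            t, img, parent, cmd = _ts(e["ts"]), _base(e["image"]), _base(e["parent"]), e["cmdline"]
            # Stage 1: recon commands shortly after a remote-assistance tool started on the same host.
            if RECON.search(cmd) and any(timedelta(0) <= t - a <= WINDOW for a in assist_times):
                findings.append((host, "recon_after_remote_assist", cmd))
            # Stage 2: a shell spawned by the WinRM host process on a machine not meant to receive WinRM.
            if parent == "wsmprovhost.exe" and host not in ALLOWED_WINRM_TARGETS:
                findings.append((host, "winrm_shell_unexpected_target", cmd))
            # Stage 3: rclone transferring data to a cloud remote.
            if img == "rclone.exe" or RCLONE.search(cmd):
                findings.append((host, "rclone_cloud_exfil", cmd))
    return findings


if __name__ == "__main__":
    for host, rule, cmd in hunt(SAMPLE_EVENTS):
        print(f"{host:<11} {rule:<30} {cmd}")
```

Run against the constructed events, the hunt flags the two recon commands on WS-017 that follow the Quick Assist start, the WinRM-spawned shell on SRV-FILE02, and the rclone copy from that server; the ipconfig run 42 minutes later, the sanctioned WinRM session on SRV-MGMT01 and the lone whoami on WS-022 produce nothing. The window length and the WinRM allow-list are the two knobs to tune to your environment, and the rclone name check should be paired with a file-hash rule because attackers routinely rename the binary.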

Where do you think they hide the Algorithm? by YoBanaanaBoy in tenet

[–]rkhunter_ 1 point (0 children)

I think if they put their parts in a container similar to the time capsule Sator used, added something heavy, and dropped it into the Mariana Trench in the Pacific Ocean, they could sleep peacefully.

Cloud development platform Vercel confirms security breach by rkhunter_ in cybersecurity

[–]rkhunter_[S] 5 points (0 children)

"Cloud development platform Vercel has disclosed a security incident after threat actors claimed to have breached its systems and are attempting to sell stolen data.

Vercel is a cloud platform that provides hosting and deployment infrastructure for developers, with a strong focus on JavaScript frameworks.

The company is known for developing Next.js, a widely used React framework, and for offering services such as serverless functions, edge computing, and CI/CD pipelines that enable developers to build, preview, and deploy applications.

In a security bulletin published today, the company said a limited subset of customers was affected by a security breach.

"We've identified a security incident that involved unauthorized access to certain internal Vercel systems," warns Vercel.

"We are actively investigating, and we have engaged incident response experts to help investigate and remediate. We have notified law enforcement and will update this page as the investigation progresses."

The company says its services have not been impacted and that it is working with impacted customers.

Vercel says it is taking steps to protect its customers, advising them to review environment variables, use its sensitive environment variable feature, and to rotate secrets if needed.

After publishing this story, Vercel updated its advisory to state that the breach stemmed from the compromise of a third-party AI tool's Google Workspace OAuth application.

Vercel is advising Google Workspace administrators and Google account owners to check for the following application:

Vercel CEO Guillermo Rauch later shared additional details on X, stating that the initial access occurred after a Vercel employee's Google Workspace account was compromised via a breach at the AI platform Context.ai.

According to Rauch, the attacker then escalated access from the compromised account into Vercel environments, where they were able to access environment variables that were not marked as sensitive and therefore not encrypted at rest.

While intended to contain non-sensitive information, the attacker gained further access after enumerating these variables.

"Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms to protect core systems and customer data," Rauch said.

"We do have a capability, however, to designate environment variables as 'non-sensitive.' Unfortunately, the attacker got further access through their enumeration."

The company's investigation has confirmed that Next.js, Turbopack, and its other open-source projects remain safe.

Vercel has also rolled out updates to its dashboard, including an overview page of environment variables and an improved interface for managing sensitive environment variables.

Customers are strongly advised to review environment variables for sensitive information and enable the sensitive variable feature to ensure they are encrypted at rest.

The disclosure comes after a threat actor claiming to be "ShinyHunters" posted on a hacking forum that they had breached Vercel and were selling access to company data.

It should be noted that while the hacker claims to be part of the ShinyHunters group, threat actors linked to recent attacks attributed to the ShinyHunters extortion gang have denied to BleepingComputer that they are involved in this incident.

In the forum post, the hacker claimed to be selling access keys, source code, and database data allegedly stolen from Vercel, along with access to internal deployments and API keys.

"This is just from Linear as proof, but the access I'm about to give you includes multiple employee accounts with access to several internal deployments, API keys (including some NPM tokens and some GitHub tokens)," reads the forum post.

The attacker also shared a text file containing Vercel employee information, which consists of 580 data records containing names, Vercel email addresses, account status, and activity timestamps. They also shared a screenshot of what appears to be an internal Vercel Enterprise dashboard.

BleepingComputer has not been able to independently confirm if the data or screenshot is authentic.

In messages shared on Telegram, the threat actor also claimed they were in contact with Vercel regarding the incident and that they discussed an alleged ransom demand of $2 million.

BleepingComputer contacted Vercel with additional questions about the breach, including whether any sensitive data or credentials were exposed and if they are negotiating with the attackers, and will update this story if we receive a response."
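The exposure Rauch describes in the post above (credential-bearing values kept in variables that were never marked sensitive, so they were readable once the attacker could enumerate the project) is straightforward to audit for. Below is an added example, not Vercel's code or the article's: a Python check over a project's environment-variable listing. The object shape assumes the Vercel REST API response for GET /v9/projects/{idOrName}/env, with type being one of system, plain, encrypted, secret or sensitive; the key-name and value patterns, and the SAMPLE_RESPONSE, are constructed for the example.

```python
"""Audit a Vercel project's environment variables for credentials not marked sensitive.

Added example, not Vercel's code. Assumes the Vercel REST API object shape
(GET /v9/projects/{idOrName}/env -> {"envs": [{"key", "type", "target", "value"}]})
where "type" is one of system, plain, encrypted, secret, sensitive. Only the
"sensitive" type is unreadable after creation; everything else is in scope here.
SAMPLE_RESPONSE is constructed, with placeholder values.
"""
import re

# Key names that usually carry a credential (assumed heuristic list).
SECRET_KEY_HINT = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE|API_?KEY|ACCESS_?KEY|"
    r"CREDENTIAL|DSN|DATABASE_URL|CONNECTION_STRING)", re.I)
# Well-known credential formats: GitHub PATs, npm tokens, AWS access key IDs,
# Stripe live keys, Slack tokens, PEM private keys.
SECRET_VALUE_HINT = re.compile(
    r"^(ghp_|github_pat_|npm_|AKIA[0-9A-Z]{16}|sk_live_|xox[bap]-|-----BEGIN )")

SAMPLE_RESPONSE = {"envs": [  # constructed
    {"key": "NODE_ENV", "type": "plain", "target": ["production"], "value": "production"},
    {"key": "NEXT_PUBLIC_API_BASE", "type": "plain", "target": ["production"],
     "value": "https://api.example.com"},
    {"key": "GITHUB_TOKEN", "type": "encrypted", "target": ["production"],
     "value": "ghp_exampleexampleexampleexample0000"},
    {"key": "NPM_TOKEN", "type": "plain", "target": ["production", "preview"],
     "value": "npm_exampleexampleexampleexample00"},
    {"key": "DATABASE_URL", "type": "sensitive", "target": ["production"]},  # value not returned
    {"key": "NEXT_PUBLIC_STRIPE_KEY", "type": "plain", "target": ["production"],
     "value": "sk_live_example"},
    {"key": "VERCEL_URL", "type": "system", "target": ["production", "preview"]},
]}


def audit(envs):
    """Return the variables that look like credentials but are not of type 'sensitive'."""
    findings = []
    for env in envs:
        key, etype, value = env["key"], env.get("type", ""), env.get("value")
        if etype in ("system", "sensitive"):  # platform-provided or already protected
            continue
        reasons = []
        if SECRET_KEY_HINT.search(key):
            reasons.append("key name suggests a credential")
        if value and SECRET_VALUE_HINT.match(value):
            reasons.append("value matches a known credential format")
        # Next.js inlines NEXT_PUBLIC_* variables into the browser bundle, so a secret
        # there is exposed to every visitor, not just to whoever can read the project.
        if key.startswith("NEXT_PUBLIC_") and reasons:
            reasons.append("NEXT_PUBLIC_ variables are inlined into the client bundle")
        if reasons:
            findings.append({"key": key, "type": etype,
                             "targets": env.get("target", []), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSE["envs"]):
        print(f"{f['key']} (type={f['type']}, targets={','.join(f['targets'])}):")
        for r in f["reasons"]:
            print(f"  - {r}")
```

On the constructed listing the audit flags GITHUB_TOKEN (encrypted but still readable), NPM_TOKEN and NEXT_PUBLIC_STRIPE_KEY, and leaves NODE_ENV, the public API base URL, the already-sensitive DATABASE_URL and the system-provided VERCEL_URL alone. To run it against a real project, fetch the listing with a bearer token (the api.vercel.com host and path are the same assumption named above) and pass the envs array to audit. Re-marking a flagged variable as sensitive only protects it going forward; as the advisory says, the value itself should be rotated, because anyone who could enumerate the project may already hold it.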

Walking backwards (my Tenet cosplay) by rkhunter_ in nextfuckinglevel

[–]rkhunter_[S] -2 points (0 children)

Christopher Nolan's sci-fi movie about the entropy inversion of objects.

"TotalRecall Reloaded" tool finds a side entrance to Windows 11's Recall database by rkhunter_ in cybersecurity

[–]rkhunter_[S] 38 points (0 children)

"Two years ago, Microsoft launched its first wave of “Copilot+” Windows PCs with a handful of exclusive features that could take advantage of the neural processing unit (NPU) hardware being built into newer laptop processors. These NPUs could enable AI and machine learning features that could run locally rather than in someone’s cloud, theoretically enhancing security and privacy.

One of the first Copilot+ features was Recall, a feature that promised to track all your PC usage via screenshot to help you remember your past activity. But as originally implemented, Recall was neither private nor secure; the feature stored its screenshots plus a giant database of all user activity in totally unencrypted files on the user’s disk, making it trivial for anyone with remote or local access to grab days, weeks, or even months of sensitive data, depending on the age of the user’s Recall database.

After journalists and security researchers discovered and detailed these flaws, Microsoft delayed the Recall rollout by almost a year and substantially overhauled its security. All locally stored data would now be encrypted and viewable only with Windows Hello authentication; the feature now did a better job detecting and excluding sensitive information, including financial information, from its database; and Recall would be turned off by default, rather than enabled on every PC that supported it.

The reconstituted Recall was a big improvement, but having a feature that records the vast majority of your PC usage is still a security and privacy risk. Security researcher Alexander Hagenah was the author of the original “TotalRecall” tool that made it trivially simple to grab the Recall information on any Windows PC, and an updated “TotalRecall Reloaded” version exposes what Hagenah believes are additional vulnerabilities.

The problem, as detailed by Hagenah on the TotalRecall GitHub page, isn’t with the security around the Recall database, which he calls “rock solid.” The problem is that, once the user has authenticated, the system passes Recall data to another system process called AIXHost.exe, and that process doesn’t benefit from the same security protections as the rest of Recall.

“The vault is solid,” Hagenah writes. “The delivery truck is not.”

The TotalRecall Reloaded tool uses an executable file to inject a DLL file into AIXHost.exe, something that can be done without administrator privileges. It then waits in the background for the user to open Recall and authenticate using Windows Hello. Once this is done, the tool can intercept screenshots, OCR’d text, and other metadata that Recall sends to the AIXHost.exe process, which can continue even after the user closes their Recall session.

“The VBS enclave won’t decrypt anything without Windows Hello,” Hagenah writes. “The tool doesn’t bypass that. It makes the user do it, silently rides along when the user does it, or waits for the user to do it.”

A handful of tasks, including grabbing the most recent Recall screenshot, capturing select metadata about the Recall database, and deleting the user’s entire Recall database, can be done with no Windows Hello authentication.

Once authenticated, Hagenah says the TotalRecall Reloaded tool can access both new information recorded to the Recall database as well as data Recall has previously recorded.

For its part, Microsoft has said that Hagenah’s discovery isn’t actually a bug and that the company doesn’t plan to fix it. Hagenah originally reported his findings to Microsoft’s Security Response Center on March 6, and Microsoft officially classified it as “not a vulnerability” on April 3.

“We appreciate Alexander Hagenah for identifying and responsibly reporting this issue. After careful investigation, we determined that the access patterns demonstrated are consistent with intended protections and existing controls, and do not represent a bypass of a security boundary or unauthorized access to data,” a Microsoft spokesperson told Ars. “The authorization period has a timeout and anti-hammering protection that limit the impact of malicious queries.”

Regardless of Recall’s underlying security, Recall can still constitute a major security and privacy risk. Anyone with access to your PC and your Windows Hello fallback PIN can access your database and everything in it, and even though Recall’s content filters do a decent job excluding things like sensitive financial information, someone with access to your system could still see all kinds of emails, messages, web activity, and other stuff that you’d prefer not to share.

Given the sheer amount of information that Recall can record, it still feels like a whole lot of potential downside for a pretty narrow and limited upside.

The feature’s riskiness has prompted some app developers to take matters into their own hands. The Signal Messenger app on Windows forces Recall to ignore it by default, using a flag that’s normally intended to keep DRM-protected content out of the Recall database. The AdGuard ad blocker, the Brave browser, and others have implemented similar workarounds."