The Halcyon RISE Team has identified a new Codefinger ransomware campaign targeting Amazon S3 buckets. This attack leverages…

The Halcyon RISE Team has identified a new Codefinger ransomware campaign targeting Amazon S3 buckets. This attack leverages AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt data, demanding ransom payments for the symmetric AES-256 keys required to decrypt it.

The Halcyon RISE Team has uncovered a novel ransomware campaign targeting Amazon S3 buckets, marking a significant escalation in sophistication. This campaign leverages AWS’s own Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt victim data, turning a powerful security feature into a weapon against its intended users.

Unlike traditional ransomware that encrypts files locally, this attack operates directly within the AWS environment, exploiting the inherent security of SSE-C to render data irretrievable without the attacker’s decryption keys.

According to Halcyon’s investigation, shared with Hackread.com, this campaign is attributed to a threat actor dubbed “Codefinger.” The attack begins by acquiring AWS credentials, either through social engineering, phishing attacks, or exploiting vulnerabilities in other parts of the victim’s infrastructure.

Once in possession of these credentials, Codefinger utilizes them to gain access to S3 buckets and initiate the encryption process. Leveraging SSE-C, the attackers encrypt the data using a unique, self-generated AES-256 key. 

It is important to note that this attack does not exploit any vulnerabilities within AWS itself. Instead, it relies on the threat actor first obtaining an AWS customer’s account credentials. With no known method to recover the data without paying the ransom, this tactic represents a concerning evolution in ransomware capabilities.   

A critical aspect of this attack lies in the fact that AWS only logs an HMAC (Hash-based Message Authentication Code) of the encryption key, not the key itself. This HMAC, while providing integrity verification, is insufficient for data recovery, leaving victims with no viable means of decryption without paying the ransom.

To further pressure victims, Codefinger implements an aggressive deletion schedule. Files are marked for automatic deletion within seven days of encryption, creating a sense of urgency and increasing the likelihood of victims paying the ransom demand. To facilitate payment and communication, attackers typically leave a ransom note within the affected S3 buckets, providing instructions for Bitcoin payments and a unique client ID for each victim.

The implications of this campaign are significant. By exploiting a core AWS security service, attackers have effectively weaponized a trusted mechanism, making data recovery significantly more challenging.

This method not only renders data inaccessible but also limits forensic analysis and recovery options. Moreover, the success of this campaign could incentivize other threat actors to adopt similar tactics, potentially leading to a surge in attacks leveraging native cloud services for malicious purposes.

To mitigate cloud attack risks, organizations should adopt a multi-layered security approach. It is essential to prioritize access controls, implement least privilege principles, and rotate AWS keys. Implementing strong IAM policies that restrict the use of SSE-C to authorized personnel and specific use cases is crucial.

Furthermore, proactive monitoring of AWS CloudTrail logs for unusual activity, such as bulk encryption events or suspicious access patterns, is essential for early detection and response.

****AWS – A Lucrative Target for Hackers****

AWS has become a lucrative target for cybercriminals, with top groups like ShinyHunters and Nemesis exploiting it. Even in third-party cyberattacks, extracting AWS keys has become a preferred tactic for threat actors. This trend extends to newer groups such as EC2 Grouper.

In a comment to Hackread.com, Darren James, Senior Product Manager at Specops Software stated “This is a great example of where password reuse or sticking with easy-to-guess passwords, along with no two-factor authentication, will come back to bite admins.”

Darren also highlighted that poor password practices, such as reusing or using default passwords without two-factor authentication, often lead to issues like ransomware attacks. He emphasized the need for unique passwords and phishing-resistant 2FA to prevent such incidents.

1.  **In the jungle of AWS S3 Enumeration**
2.  **Russian Cozy Bear Phish Critical Sectors with AWS Lures**
3.  **EMERALDWHALE Steals Credentials, Stores Data in S3 Bucket**
4.  **Fabrice Malware on PyPI Stealing AWS Credentials for 3 Years**
5.  **ALBeast: Misconfiguration Flaw Exposes AWS Load Balancers to Risk**

New Codefinger Ransomware Exploits AWS to Encrypt S3 Buckets

Prepare for the 2025 altcoin season: experts predict rising interest in altcoins like WorldCoin, driven by Web3, blockchain,…

Prepare for the 2025 altcoin season: experts predict rising interest in altcoins like WorldCoin, driven by Web3, blockchain, and metaverse innovations.

As experts predict 2025 will be the year an upcoming altcoin season will take users by surprise, preparing them for new asset allocation and portfolio diversification. Altcoin seasons happen when coins outperform Bitcoin, meaning their entire value exceeds that of Bitcoin. 

2025 might be the year of altcoins since there’s more interest in Web3, blockchain, and metaverse projects rather than store-of-value cryptocurrencies. An example of such projects includes WorldCoin, a globally inclusive financial network that focuses on empowering people with innovative blockchain technology. As the project gains traction, a WLD price prediction regards innovation and token adoption. 

So, let’s see what’s so special about altcoins and what are some promising projects to look out for this year. 

****Understanding altcoins** **

Every coin other than Bitcoin is considered an altcoin, known as an alternative. Since Bitcoin has become more challenging to acquire and is having a massive negative impact on nature, projects with less demanding energy resources and more efficient networks have entered the market to counteract it.

Still, considering Bitcoin’s considerable value and importance in the market, altcoins can only overturn it altogether. This makes about 10,000 active coins on the market as of November 2024, according to Statista. 

Altcoins are special due to their numerous use cases and long-term impacts. Ether, for example, is backed by one of the most efficient blockchains known in the industry, while Sol is popular for its environmental-focused technology. 

Altcoins fall into the following categories: 

*   Stablecoins, which are supported by fiat currencies or precious metals;

*   Security tokens can be tokenized assets or tools for ownership;

*   Utility tokens allow for purchasing services of paying fees;

*   Governance tokens support people’s rights within a network;

*   Meme coins are backed by memes and have less prominent use cases in the market; 

****How should you invest in altcoins?** **

A balanced portfolio means investing in Bitcoin and all sorts of altcoins from different asset classes, industries, and use cases. This mix offers enough stability to endure moments of high volatility and support the portfolio’s increasing value with less risk. 

Altcoins have a wide array of use cases, and there are thousands to choose from, leaving investors to make their own decisions based on their research efforts. Indeed, their flaws, lower popularity, less liquidity, and scam possibilities, make them unreliable investments, which is why choosing an altcoin requires intensive research and knowledge of the market. 

Therefore, it’s best to invest in altcoins that are closer to safety. This means their projects are backed by trustworthy teams, and their technology allows for development and true usability for the market. This makes newer ICOs of altcoins less safe, even if they’re more profitable. 

****What are the best altcoin investments for 2025?** **

Determining how good an altcoin is can be difficult, especially when predicting its prices and popularity for such a long period. However, there are signs to look for in an altcoin to ensure they’re worth the shot for the upcoming altcoin season, so let’s analyze several options. 

****WorldCoin** **

WorldCoin aims to democratize access to cryptocurrency, which is important for worldwide adoption. The underlying blockchain uses biometric verification (PDF) for authentication and transactions, making it safe. At the same time, the project pushes for financial equality with the help of decentralization. 

****Mantra** **

The Mantra on-chain ecosystem provides innovative tools for developers who want to contribute to the dApp industry. What sets them apart from the competition is their willingness to get involved in the regulatory infrastructure and empower developers with confidence in their skills and the value of their decentralized applications.

****Ondo** **

The institutional financial infrastructure Ondo focuses on market efficiency, transparency, and accessibility. With the help of autonomous infrastructure, Ondo builds the future of finance on public blockchains. Ondo incorporated concepts of traditional finance, like investor protection and transparent reporting, with decentralization and innovation. 

****Why is the altcoin season so important?** **

The altcoin season allows smaller projects to shine as the entire sector spikes when Bitcoin’s value diminishes. This happens when market enthusiasm shifts from Bitcoin to altcoins, making large-cap cryptocurrencies, like Ethereum, reach or exceed their previous all-time highs again. 

What’s special about the altcoin season is that it usually triggers a period of considerable innovation and technological development. For example, the altcoin season of 2017 was defined by the support for NFT popularity, while the 2021 event shaped better layer-2 solutions through which numerous blockchains evolved and new projects emerged. 

Considering the latest AI craze, we may expect AI-based cryptocurrencies and blockchains to become more important in the market. Artificial intelligence can be highly efficient in forecasting prices and trends in the market cycle. 

****What are some tale-telling signs of an altcoin season?** **

While every altcoin season is different from the previous one, investors should be wary of a specific set of signs. For example, when Bitcoin’s market dominance slows down, this might be the cue for less trust in the cryptocurrency and more interest in altcoins. 

This translates to a surge in the altcoin market value when investors are more positive about its upcoming trading volumes. Of course, this sentiment is shared on social media and crypto communities, from which the Fear and Greed Index offers a clear image of people’s interests. When the tools show excessive fear, prices go down, but when there’s too much greed, prices go up. 

The final and most obvious sign of an altcoin season is an increasing number of innovations in the sector. Developments in blockchain protocols, decentralized finance, and Web3 applications show an inclination to leverage technologies, as developers are more confident in their efforts. 

****What altcoins will you include in your portfolio in 2025?** **

As the 2024 crypto year has ended, investors should prepare for the following challenges of 2025. Luckily, experts forecasted the altcoin season to happen, meaning more technological innovations will occur, so the overall positive sentiment should help investors capitalize on their portfolio efforts. Altcoins like WorldCoin are getting traction due to their contribution to a decentralized finance future, and their emerging services and products can trigger a flow of capital toward the altcoin season. 

_**Editor’s Note:** This content is for informational purposes only and should not be considered financial, investment, or legal advice. Always consult a professional for guidance tailored to your specific situation._

1.  **Biggest Crypto Scam Tactics in 2024, How to Avoid Them**
2.  **The Growing Importance of Secure Crypto Payment Gateways**
3.  **Web hosting providers have started to accept crypto payments**
4.  **Crypto + Cybersecurity: How to Keep Your Crypto Safe in 2025**
5.  **Blockchain and Smart Contracts in Securing Digital Transactions**

Top/Featured Image via: Unsplash

AI, Web3 and Decentralization: Tech Trends Shaping 2025’s Altcoin Season

A critical security breach in the software supply chain has been detected. An attacker accessed Kong’s DockerHub account…

A critical security breach in the software supply chain has been detected. An attacker accessed Kong’s DockerHub account and replaced the legitimate Kong Ingress Controller v.3.4.0 image with a malicious version.

A critical security vulnerability was identified in Kong Ingress Controller version 3.4.0. This vulnerability stemmed from an unauthorized image uploaded to DockerHub on December 23rd, 2024. The affected image (hash: sha256:a00659df0771d076fc9d0baf1f2f45e81ec9f13179f499d4cd940f57afc75d43) contained malicious code that enabled cryptojacking. 

This malicious code directed the controller to pool.supportxmr.com, a crypto mining site, which means the image contained code that secretly mined cryptocurrency. Moreover, it would have been executed by any system running the compromised image, effectively turning those systems into unintended mining rigs.

The Kong team became aware of the issue on January 2nd, 2025 and took swift action. They removed version 3.4.0 and all associated tags from DockerHub. Additionally, they rotated all access keys used for DockerHub access. Finally, a patched version, 3.4.1, was released on January 2nd, 2025. This version removed the unauthorized cryptojacking code.

There is currently no evidence to suggest that any Kong Ingress Controller versions besides 3.4.0 (specifically the image hash mentioned above) were affected.

****What You Should Do:****

If you deployed Kong Ingress Controller version 3.4.0 between December 22nd, 2024 and January 3rd, 2025, immediate action is required. You should remove this image from all internal registries and clusters.

To fix the issue, remove the vulnerable image (sha256:a00659df0771d076fc9d0baf1f2f45e81ec9f13179f499d4cd940f57afc75d43) from internal registries and clusters, pull a remediated image from either the patched version 3.4.1 or a clean version 3.4.0.

The fixed image hashes for the clean, re-tagged version of 3.4.0 are:

AMD64: sha256:b358296fa6a1458c977c0513ff918e80b708fa9d7721f9d438f3dfce24f60f4f

ARM64: sha256:e0125aa85a4c9eef7822ba5234e90958c71e1d29474d6247adc3e7e21327e8ee

By taking these steps, you can ensure you are no longer running a vulnerable image and protect your systems from cryptojacking attempts.

Dan Lorenc, CEO and founder of software supply chain security platform Chainguard provided Hackread.com with a detailed comment addressing the core issues within this attack stating, “Supply-chain breaches happen, and it looks like the kong/kubernetes-ingress-controller images are the latest to fall victim. Here’s what we know so far:

*   A DockerHub PAT used to upload release images was compromised sometime before Dec. 23rd
*   The attacker used this PAT to upload a malicious version of the 3.4.0 release image directly to DockerHub
*   This image contained code to mine cryptocurrency and send results to a specific wallet
*   High CPU usage was reported by a user on December 29th, and the malicious images were taken down by January 2nd
*   New versions were uploaded, and the keys used to upload were revoked/rotated by the maintainers

“How should you protect against attacks like this? As a maintainer, any key you have is a key that you can leak,” said Dan. “Lock down and regularly audit all systems that have access to PATs like this, or choose systems that allow OIDC-based authentication to avoid this altogether. CI/CD pipelines are notoriously hard to configure securely; tools like Zizmor (lnkd.in/eGSGrMqm) help here. Signing artefacts can help even if you can’t use OIDC to publish or users pull from mirrors out of your control.”

“As an end-user, pin images you receive from third-parties by digest and test/malware scan them before upgrading. Check signatures if they exist,” Dan explained.

Nevertheless, a crypto mining attack on organizations could have drastic implications, including increased resource consumption, higher energy costs, and a multitude of security risks. The compromised image could have introduced vulnerabilities or backdoors, allowing attackers to gain further access, highlighting the importance of software supply chain security, particularly for critical components like container images. Organizations should employ image integrity verification mechanisms, and conduct regular security audits to identify and mitigate vulnerabilities.

1.  **OracleIV DDoS Botnet Hits Docker Engine API Instances**
2.  **Malware Hits 9Hits, Turns Docker Servers into Crypto Miners**
3.  **Hackers hijacking Bitbucket and Docker Hub for Monero mining**
4.  **TeamTNT Exploits 16M IPs in Malware Attack on Docker Clusters**
5.  **Linux Malware Alert: ‘Spinning YARN’ Hits Docker, Other Key Apps**

Malicious Kong Ingress Controller Image Found on DockerHub

SUMMARY Three Russian nationals have been indicted for their alleged roles in running cryptocurrency mixing services Blender.io and…

****SUMMARY****

*   **Indictment Filed:** Three Russian nationals have been indicted for operating cryptocurrency mixers Blender.io and Sinbad.io, used to launder cybercrime proceeds.

*   **Criminal Links:** The mixers allegedly facilitated laundering for the Lazarus Group, a North Korean hacking organization, including $20.5M stolen from Axie Infinity.

*   **Arrests Made:** Roman Vitalyevich Ostapenko and Alexander Evgenievich Oleynik were arrested in December 2024; a third suspect, Anton Vyachlavovich Tarasov, remains at large.

*   **Charges:** The defendants face conspiracy to commit money laundering and operating an unlicensed money-transmitting business, with potential 20-year prison sentences.

*   **Global Effort:** The case highlights international collaboration to combat cybercrime and hold cryptocurrency laundering facilitators accountable.

Three Russian nationals have been indicted for their alleged roles in running cryptocurrency mixing services Blender.io and Sinbad.io, used to launder money from cybercrimes. The indictment, filed on January 7 in the Northern District of Georgia, targets Roman Vitalyevich Ostapenko and Alexander Evgenievich Oleynik, who were arrested in December 2024. A third suspect, Anton Vyachlavovich Tarasov, remains at large.

For your information, in November 2023, the US Treasury sanctioned Sinbad.io and seized its domain for providing its services to the North Korean Lazarus group to launder money stolen from numerous data breaches. On the other hand, the Treasury’s Office of Foreign Assets Control (OFAC) also sanctioned Blender.io for assisting the Lazarus Group in laundering millions of dollars worth of cryptocurrency stolen from the crypto-based game Axie Infinity back in July 2022.

Blender.io and Sinbad.io domains (Credit: Hackread.com)

****What are Cryptocurrency Mixers?****

Imagine trying to wash dirty money. In the physical world, criminals might use shell companies or complex transactions to make it hard to trace where the money came from. Cryptocurrency mixers do something similar in the digital world. They take cryptocurrency from multiple users, mix it all, and then send it out to the intended recipients. This process makes it very difficult to follow the money trail and connect the source of the funds to the final destination.

****The Allegations****

According to the indictment, Roman Vitalyevich Ostapenko, Alexander Evgenievich Oleynik, and Anton Vyachlavovich Tarasov operated Blender.io from around 2018 to 2022. The service promised complete anonymity, claiming a “No Logs Policy” and deleting all user transaction data. When Blender.io was shut down, Sinbad.io quickly took its place, offering similar services.

****Arrests and Charges****

Ostapenko and Oleynik were arrested on December 1, 2024. Tarasov is still being sought by authorities. The men are charged with conspiracy to commit money laundering and operating an unlicensed money-transmitting business. If found guilty, they could face up to 20 years in prison.

“This case shows the power of working together across borders to fight cybercrime,” said an FBI spokesperson in a DoJ press release. Authorities are determined to hold those who facilitate online criminal activity accountable.

1.  Crypto tumbler BestMixer.io seized for money laundering
2.  US Sanctions Chinese Cybersecurity Firm for Firewall Exploit
3.  U.S. Sanctions Chinese Cybersecurity Firm Over Cyberattacks
4.  US Sanctions Intellexa Spyware Over Threat to National Security
5.  China Arrests 4 Who Weaponized ChatGPT for Ransomware Attacks

3 Russians Indicted for Operating Blender.io and Sinbad.io Crypto Mixers

Telefónica faces a data breach impacting its internal systems, linked to hackers using compromised credentials. Learn more about this alarming cyber threat.

****SUMMARY****

*   **Telefonica confirmed a data breach involving its internal Jira ticketing system, with stolen data leaked online.**

*   **Hackers used compromised employee credentials to access and scrape 2.3 GB of internal data.**

*   **The breach is linked to Hellcat Ransomware, also tied to a Schneider Electric cyberattack.**

*   **No extortion attempts were made; data was leaked without contacting Telefonica.**

*   **The attack highlights increasing cyber threats against global telecommunications firms.**

Telefonica, a Spanish multinational telecommunications company, confirmed a data breach of their internal ticketing system. The confirmation came after stolen data appeared on Breach Forums, a cybercrime and hacking forum.

Screenshot from Breach Forums (Credit: Hackread.com)

Telefonica, the largest telecommunications firm in Spain, operates in twelve countries with over 104,000 employees. The Telefonica cyberattack. The company has confirmed that its ticketing system was breached and that it is currently investigating the incident’s extent and has taken steps to prevent further unauthorized access. The leak on the hacking forum included a Telefonica Jira database. 

Four individuals using aliases DNA, Grep, Pryx, and Rey claimed responsibility for the breach. According to Pryx, one of the attackers, the “internal ticketing system” is an internal Jira development and ticketing server utilized by Telefonica for reporting and resolving internal issues. 

According to sources, compromised employee credentials were used to breach the system on the prior day. Telefonica responded by blocking their access and resetting passwords on impacted accounts. The attackers say they were able to scrape roughly 2.3 GB of documents, tickets, and various data using the compromised employee accounts. While some of this data was labeled as customers, the tickets were opened with @telefonica.com email addresses, indicating they might have been opened on behalf of customers.

Screenshot from the leaked data (Credit: Hackread.com)

Pryx claims they did not contact Telefonica or attempt extortion before leaking the data online. Three individuals behind the attack, Grep, Pryx, and Rey, are also part of a recently launched ransomware operation known as Hellcat Ransomware. Hellcat is responsible for a recent data breach at Schneider Electric, where 40GB of data was stolen from the company’s JIRA server.

This Telefonica cyberattack reportedly involves Fortinet, a crucial component of the company’s network infrastructure. While the extent of the data breach and the nature of the compromised data remain undisclosed, concerns have arisen regarding the potential impact. Despite the claim, Telefonica’s official website remains functional, raising questions about the authenticity of the alleged cyberattack.

This, however, is not the first time that Telefonica has suffered a data breach. In July 2018, millions of Telefonica customers had their data exposed after a security breach. Nevertheless, as the telecommunications industry faces cyber threats, companies must maintain their collaboration to establish proper cybersecurity measures against critical infrastructure. 

1.  **Telecom Giant BT Group Hit by Black Basta Ransomware**
2.  **8220 Gang Targets Telecom in Global Cryptojacking Attack**
3.  **Hackers Breach TPG Telecoms’ Email Host to Steal Client Data**
4.  **US Telecom Breaches Widen as 9 Firms Hit by Chinese Hackers**
5.  **New XorDdos-Linked Linux RAT Krasue Targeting Telecom Firms**

Hackers Breach Telefonica Network, Leak 2.3 GB of Data Online

With the advent of virtual reality, everyone got scared that the life we ​​know will disappear, and only…

With the advent of **virtual reality**, everyone got scared that the life we ​​know will disappear, and only those who understand new technologies will be able to find work. Remember what they said about newspapers. And about television. Radio. It seems likely that the same will play out in real life. Just consider what’s already unfolding in virtual reality, within metaverses like Fortnite, Roblox, Holiverse, and Decentraland.

****What does the “reality disappearance” mean?****

The disappearance of reality in the context of the popularity of the **metaverse** does not mean the disappearance of the physical world. It is rather a transformation of our perception and the usage of the real world. Here is how such transformation can happen. 

****Psychological disappearancе****

Let’s start with a simple example. Remember how, as children, we used to play the console for hours, forgetting about lunch? Or look at your children. How many times do you have to say it before they finally sit at the table? Now imagine this feeling, but taken to a new level, where the virtual world feels more interesting and important than the real one.

But haven’t you noticed that we’ve been living this way for the past ten years? Tinder, Facebook, Instagram, and TikTok are gradually consuming several hours of our time every day.

Here’s an example of how a man psychologically disappears in a game. There is a character in World of Warcraft. In virtual reality, this person is a hero, an idol who is looked up to. And what about real life?

There is an ordinary office worker in glasses in a cool unit, whom sometimes even the cleaning lady does not notice. Where would this person be more comfortable? Of course, where he or she is a role model. It’s like choosing what to have for tea: a sweet cake with thick whipping cream or sauerkraut. Well, obviously, in terms of psychology, the man will choose the virtual world in the given situation.

Now imagine that all your communication, work, and even cultural events have shifted to the digital world, the metaverse. Without leaving home, you arrange business meetings, go to concerts, and have fun with friends. It seems like science fiction but it is already a reality.

Travis Scott has collected 12 million viewers in Fortnite. Why go to a real stadium if you can go to a popular rapper’s concert without leaving your home? And without being afraid of a crowd of fans or risking being trampled. Convenient, right?

More and more people understand that there is no point in wasting time in traffic jams if you can solve everything online. And this is just the beginning.

****Economic disappearancе****

Now imagine that money also goes into the virtual world. No, it’s not just about cryptocurrency. People buy virtual land for millions of dollars, sew clothes for avatars, and collect NFTs, like previous stamps or coins.

Here’s an example. Someone bought a Gucci bag in Roblox for $4,000. Although it cost more than in real life, it was still bought. For some, this bag is a way to show status, even in the game.

****Land in Decentraland, avatars in Holiverse and turning tеxt into vidео** **

If you look closely, the “disappearance of reality” has already begun. The only thing is that it’s not as bright as in science fiction movies. We do not connect wires to our heads to get into the virtual world, but, it looks like, we are gradually disappearing there. 

****People buy plots of virtual land for millions of dollars and hope****

For example, in 2021, someone bought a plot of land in Decentraland for $2 million. This is virtual land, you can’t even touch it! Tomorrow the server will burn out, the Internet will be turned off, and no one will remember it. However, for such people, this is not a game, but an investment. They believe that tomorrow virtual real estate will become even more valuable.

The same thing with clothes, which we love to buy in reality. Now imagine that you are buying not a jacket or sneakers, but a skin for your avatar. You do not understand why, but thousands of people around the world do this. In games like Fortnite or Holiverse, this is completely normal because people pursue their own goals there.

For the buyer, this is a matter of status. Because this bag makes his avatar authentic. And that’s cool.

Why is this cool? Here’s an example. A virtual character under the nickname Lil Мiquelа lives only on the Internet. In reality, no one fully understands how she appeared.

Although Miquela does not exist in real life, millions of subscribers follow her on Instagram. She advertises brands, stars in campaigns, and even releases music. Her creators earn millions, and for subscribers, she is “more than real.”

**Holiverse: аvatar as a digital twin**

Just imagine: you take a sample of your DNA at home, and within a couple of days, you receive a digital copy of yourself, an avatar that lives in a virtual world, mimics your behaviour, and adapts to reflect any changes. This avatar does not just copy your body, it knows exactly how your body will react to different physical loads, food products and even cosmetics. This concept is being developed by the **Holiverse** startup, led by Lado Okhotnikov.

The idea looks fresh. Instead of wasting time and money on trying different medicines, you can use your virtual double. For example, you can:

*   find out how your physical condition will change if you add new workouts;
*   try which products will improve your life and which ones you better exclude;
*   test supplements or medicine that you are planning to take.

Lado Okhotnikov and his team emphasize user accessibility. To create a digital copy, you just need to take a DNA test at home, using a test kit that can be purchased at a pharmacy near your home or on a marketplace. Then you will need to send this sample to the lab, and after a short period, you will receive an exact copy of yourself: an avatar that can predict your body’s reactions with incredible accuracy.

The main advantage of Holiverse is the cost of the service. Lado Okhotnikov aims to make this technology available to everyone, turning personalized medicine from luxury into a necessity.

**Luma: turns text into video**

**Luma AI** presented Dream Machine; a service that “brings the text to life.” In terms of quality, the neural network is almost as good as Sora, one of the most powerful generative models. But this startup has a big advantage; Dream Machine is available to everyone. The neural network works on a new architecture and is already bypassing competitors like Runway Gen-2 or Pika. The video is realistic: without jerks, and the characters look natural and are not distorted.

Although the videos are short, a year ago this was considered science fiction. In a year or two, the service may be able to offer something truly significant. For example, tools for generating full-fledged virtual worlds.

Who knows, maybe in a few years we will be able to design entire virtual cities at home in a couple of minutes, simply by describing them in words. Or turn our ideas into animated films available to a million audience in metaverses.

****And what’s next?****

Being scared of technology is the same as trying to stop progress. However, even with the advent of that very virtual reality which everyone is talking about, real life will not go anywhere. You will still go to stores, equipment will still break down, and someone will still come to fix it. The virtual world can captivate, but it will not replace everything. It will not be possible to give up reality quickly and painlessly.

1.  **What is the Fediverse?**
2.  **Google Wants to Put Our Memories in a Database**
3.  **What Is Programmatic Advertising And How To Use It**
4.  **Microsoft patent reveals chatbot to talk to dead people**
5.  **What is Blockchain Gaming and its Play-to-Earn Model?**

The Metaverse Will Become More Popular Than the Real World: Will Reality Disappear?

SUMMARY Cybercriminals are deploying a tricky new phishing campaign impersonating the cybersecurity firm CrowdStrike‘s recruiters to distribute a…

****SUMMARY****

*   **Phishing Scam Targets Job Seekers: Cybercriminals impersonate CrowdStrike recruiters to distribute cryptominer malware via fake job offers.**

*   **Malware Delivery: Victims are tricked into downloading a malicious app from a fake CrowdStrike website, and installing XMRig to mine Monero cryptocurrency.**

*   **Evasion Tactics: The malware limits CPU usage, scans for security tools, and uses startup scripts to remain undetected and persistent.**

*   **Rising Fake Job Scams: Similar tactics are increasingly common, with groups like Lazarus using fake job offers to deploy malware.**

*   **Safety Tips: Verify job offers through official channels, avoid unsolicited software downloads, and use endpoint protection to detect threats.**

Cybercriminals are deploying a tricky new phishing campaign impersonating the cybersecurity firm CrowdStrike‘s recruiters to distribute a cryptominer on unsuspecting job seekers’ devices. This malicious scheme leverages the allure of employment at a reputable cybersecurity firm to trick victims into downloading malware.

According to CrowdStrike’s blog post, the attack was detected on 7 January 2025 and began with a phishing email that appears to be part of CrowdStrike’s recruitment process. The email entices the target with the prospect of a junior developer interview and provides a link to schedule the meeting. Clicking the link directs the victim to a cleverly designed imposter website that mimics CrowdStrike’s branding.

This deceptive website offers downloadable “employee CRM applications” for both Windows and macOS users. Regardless of the chosen platform, downloading the application triggers the installation of a malicious Windows executable written in Rust. This executable acts as a downloader for XMRig, a well-known cryptominer, which starts mining Monero cryptocurrency. This privacy coin is a popular choice for cybercriminals because it is hard to trace.

The screenshot shows the malicious phishing site containing download links for the fake CRM application (Via CrowdStrike)

The executable is designed to evade detection by scanning the system’s processes for malware analysis tools or virtualization software, verifying the presence of at least two CPU cores, and checking for debuggers. If successful, it displays a fake error message to lull the victim into a false sense of security, while downloading additional payloads to establish persistence on the infected device and initiate the XMRig cryptomining process.

However, in this attack, XMRig’s power consumption has been limited to 10% to avoid detection. Moreover, attackers added a batch script in the Start Menu Startup directory to ensure it runs on boot. 

For your information, cryptominers are a type of malware that surreptitiously hijack a computer’s processing power to mine cryptocurrency for the attacker’s benefit. This unauthorized use of resources can cause the device to overheat, potentially leading to hardware damage and a shortened lifespan.

This isn’t a new trend, as fake job scams are becoming more prevalent online, with North Korean group Lazarus persistently using this method to trick unsuspecting users. Hackread recently reported Lazarus group deploying a new macOS trojan called “RustyAttr” since May 2024 to carry out its operations undetected.

Remember, legitimate recruiters rarely request candidates to download software or conduct interviews through unconventional channels. Always verify the authenticity of any job offer before proceeding and rely on official company websites for career opportunities and application processes.

CrowdStrike advises job seekers to be cautious of unsolicited interview offers, including those conducted via instant messaging or group chat, requests for product purchases or payment processing, and software download requirements. 

> _“Organizations can reduce the risk of such attacks by educating employees on phishing tactics, monitoring for suspicious network traffic and employing endpoint protection solutions to detect and block malicious activity.”_
> 
> CrowdStrike

To verify the legitimacy of any communication from CrowdStrike, job seekers should contact the company’s recruiting team at \[email protected\].

1.  **World’s Leading Cybersecurity Firm Kaspersky Hacked**
2.  **X Account of Google Cybersecurity Firm Mandiant Hacked**
3.  **U.S. Sanctions Chinese Cybersecurity Firm Over Cyberattacks**
4.  **Cybersecurity Firm KnowBe4 Hired North Korean Hacker as IT Pro**
5.  **Cybersecurity Firm Hacks Itself, Finds DNS Flaw Leak AWS Credentials**

Fake CrowdStrike Recruiters Distribute Malware Via Phishing Emails

A fake proof-of-concept (PoC) exploit designed to lure cybersecurity researchers into downloading malicious software. This deceptive tactic leverages a recently patched critical vulnerability in Microsoft's Windows LDAP service (CVE-2024-49113), which can cause denial-of-service attacks.

****SUMMARY****

*   **Fake PoC Exploit for CVE-2024-49113**: A malicious exploit, “LDAPNightmare,” targets researchers by disguising it as a PoC for a patched Windows LDAP vulnerability.

*   **Data Theft**: The malware steals computer and network information, sending it to attackers’ servers.

*   **Sophisticated Attack**: A fake repository mimics a legitimate one, using malicious files and scripts to deploy the malware.

*   **High-Profile Target**: Attackers aim to compromise security researchers for valuable intelligence.

*   **Precautions**: Researchers should verify repository authenticity, prioritize official sources, and check for suspicious activity.

According to the latest research from Trend Micro, a fake Proof-of-Concept (PoC) exploit has been identified for CVE-2024-49113, a denial-of-service (DoS) vulnerability previously found in Microsoft’s Windows Lightweight Directory Access Protocol (LDAP). Both vulnerabilities were originally identified by Safebreach.

The attackers have set up a malicious repository containing the fake PoC, leading to the exfiltration of sensitive computer and network information. This attack, known as LDAPNightmare, is designed to lure security researchers into downloading and executing information-stealing malware.

Repository containing “poc.exe” (Via Trendmicro)

When unsuspecting researchers download/execute this harmless-looking code, they inadvertently unleash an information-stealing malware. This malware stealthily collects sensitive data from the infected machine, including computer information, running processes, network details, and installed updates. It then transmits this stolen data to a remote server controlled by the attackers.

The attackers have employed a sophisticated technique to deliver the malware. The malicious repository appears to be a legitimate fork of an original repository, making it difficult to immediately identify as malicious.

The genuine Python files in the repository have been replaced with a malicious executable, which, upon execution, drops and executes a PowerShell script. This script then establishes a scheduled task that downloads and executes another malicious script from Pastebin. This final script collects the victim’s public IP address and exfiltrates stolen data to an external FTP server.

It is worth noting that the vulnerability was addressed in Microsoft’s December 2024 Patch Tuesday release, which addressed two other critical vulnerabilities in LDAP. The first, CVE-2024-49112, is a remote code execution bug that attackers can exploit by sending specially crafted LDAP requests. The second, CVE-2024-49113, is a DoS vulnerability that can be exploited to crash the LDAP service, causing service disruptions. 

For your information, PoC exploits are non-harmful attacks that reveal software security weaknesses, aiding companies in patching vulnerabilities. However, if used incorrectly, PoCs can provide attackers with a blueprint for exploiting a system before users can install fixes, potentially causing harm.

This attack method, as per Trendmicro’s report, while not entirely novel, threatens the cybersecurity community because by exploiting a high-profile vulnerability and targeting security researchers – individuals who are often highly aware of security threats – attackers can gain valuable intelligence and potentially compromise critical security systems.

Therefore, security researchers should be cautious when downloading and executing code from online repositories. They should prioritize official sources, scrutinize repositories for suspicious content, and verify the authenticity of the repository owner or organization.

Moreover, it is essential to consider community feedback for repositories with minimal activity and look for red flags within the repository that may indicate potential security risks. This will help them stay protected from potential threats and ensure their security.

1.  Hackers Use Fake PoCs on GitHub to Steal AWS Keys
2.  Warning: Fake GitHub Repos Delivering Malware as PoCs
3.  Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!
4.  How to Conduct a Cybersecurity Proof of Concept with a Vendor
5.  Fake 7-Zip Exploit Code Traced to AI-Generated Misinterpretation

Fake PoC Exploit Targets Cybersecurity Researchers with Malware

Infoblox cybersecurity researchers investigating the mysterious activities of 'Muddling Meerkat' unexpectedly uncovered widespread use of domain spoofing in malicious spam campaigns.

****SUMMARY****

*   **Infoblox discovered widespread domain spoofing in spam campaigns while investigating ‘Muddling Meerkat.’**

*   **Collaboration with the cybersecurity community linked Muddling Meerkat’s DNS activities to spam distribution.**

*   **Researchers identified multiple spam campaigns through abuse reports and domain analysis.**

*   **Techniques included phishing with QR codes, impersonating brands, extortion, and mysterious financial spam.**

*   **The findings show domain spoofing remains highly effective, bypassing current security measures.**

In its latest report, cybersecurity firm Infoblox has revealed how scammers use domain spoofing in spam campaigns, a discovery made through a collaboration between the cybersecurity and networking community on research about **the Chinese Great Firewall**.

This research project was initially aimed at understanding the activities of a threat actor known as a Muddling Meerkat. Muddling Meerkat is known for conducting strange DNS operations involving fake Chinese Great Firewall responses. The researchers could not determine the ultimate purpose of Muddling Meerkat’s activities, but they did learn a lot about how domain spoofing is used in **malspam**.

The research team, initially perplexed by Muddling Meerkat’s activities, sought external perspectives by sharing their findings with the broader security community. One key observation pointed towards a potential connection between Muddling Meerkat’s operations and spam distribution. 

Several organizations reported receiving abuse notifications for domains they owned, often internal domains with limited external exposure. These notifications indicated large-scale spam campaigns originating from Chinese IP addresses, targeting major email providers. This observation resonated with the team’s own findings, as they had **previously observed** Muddling Meerkat generating fake mail server (MX) records emanating from Chinese IP space.

A significant breakthrough occurred when the researchers discovered that they owned several of the “target” domains identified in the Muddling Meerkat research. By analysing abuse reports related to their own domains, leveraging their authoritative DNS server logs, and examining their internal spam collection, the researchers gained unprecedented insights into the tactics employed by spammers.

The investigation yielded a treasure trove of information about modern **malspam techniques**. Several distinct campaigns were identified, each employing sophisticated domain spoofing tactics to deceive recipients. These include QR Code Phishing, targeting Chinese citizens with emails containing QR codes, which redirect victims to phishing websites. Japanese Phishing campaigns impersonate reputable brands like Amazon and major Japanese banks and lure users to fake login pages.

A phishing QR code and an Amazon phishing page (Via Infoblox)

Extortion campaigns demand ransom **payments in cryptocurrency** to prevent exposure. Mysterious Financial Campaigns, originating from China, send seemingly innocuous spreadsheet attachments purporting to be from a Chinese freight company. The purpose of these campaigns remains unclear, as they lack clear malicious content or motive, Infoblox researchers noted in their **technical blog** shared with Hackread.com.

Nevertheless, the research reveals a disturbing reality: domain spoofing remains a highly effective and prevalent tactic for spammers. Despite the existence of various security mechanisms designed to detect and prevent spoofing, these campaigns continue to evade detection and successfully reach their targets.

Infoblox’s research came just days after another domain abuse-related report was **published by WatchTowr**, which exposed more than 4,000 active hacker backdoors in expired domains and abandoned infrastructure worldwide. This shows the ongoing challenge of combating sophisticated spam techniques and the need for continuous implementation of cybersecurity measures.

1.  **Hackers Use Fake Domains in Trump Trading Card Scam**
2.  **99% of UAE’s .ae Domains Exposed to Phishing and Spoofing**
3.  **“Sitting Ducks” DNS Attack Lets Hackers Easy Domain Takeover**
4.  **Scammers Exploit Fake Domains in Dubai Police Phishing Scams**
5.  **DeFi Hack Alert: Squarespace Domains** **Vulnerable** **to DNS Hijacking**

Muddling Meerkat Linked to Domain Spoofing in Global Spam Scams

Ivanti has issued a critical security advisory addressing two vulnerabilities in its Connect Secure, Policy Secure, and ZTA Gateway products.

****SUMMARY****

*   **Critical Vulnerabilities Identified**: Ivanti has disclosed two critical vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in Connect Secure, Policy Secure, and ZTA Gateways, with CVE-2025-0282 already being actively exploited.

*   **Impact of Vulnerabilities**: CVE-2025-0282 allows unauthenticated remote attackers to execute arbitrary code, potentially gaining full control of affected systems. CVE-2025-0283 enables local authenticated attackers to escalate privileges, posing significant security risks.

*   **Patch Availability**: Ivanti has released a patch for Connect Secure (version 22.7R2.5) addressing both vulnerabilities. Patches for Policy Secure and ZTA Gateways are expected by January 21, 2025.

*   **Recommended Actions**: Ivanti advises organizations to immediately patch Connect Secure systems, isolate vulnerable Policy Secure and ZTA Gateways, and monitor systems closely using tools like the Integrity Checker Tool (ICT).

*   **Expert Warning**: Experts highlight the urgency of patching and maintaining heightened vigilance against potential cyberattacks, citing past incidents like the Akira breach as reminders of the risks involved.

Ivanti has raised concerns about two remotely exploitable vulnerabilities in its enterprise-facing products, with one bug already being exploited in the wild.

According to Ivanti’s security advisory, the company has addressed two critical vulnerabilities (CVE-2025-0282 and CVE-2025-0283) affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways.

CVE-2025-0282, the more critical of the two, is a stack-based buffer overflow vulnerability in Ivanti Connect Secure. This vulnerability allows unauthenticated remote attackers to execute arbitrary code on vulnerable systems. Essentially, attackers can remotely compromise the system without any prior knowledge or credentials, potentially gaining complete control over the affected appliance.

CVE-2025-0283, while still a high-severity vulnerability, is less critical. This vulnerability, also a stack-based buffer overflow, allows local authenticated attackers to escalate their privileges on the system. This means that an attacker who already has legitimate access to the system can exploit this vulnerability to gain higher-level privileges, potentially compromising sensitive data or disrupting critical operations.

Ivanti has released a patch for Connect Secure (version 22.7R2.5), addressing both vulnerabilities. However, patches for Policy Secure and ZTA Gateways are not yet available and are scheduled for release on January 21st, 2025.

Given the active exploitation of CVE-2025-0282, Ivanti strongly urges organizations to prioritize patching their Connect Secure appliances immediately. For Policy Secure and ZTA Gateways, proactive measures such as temporarily isolating affected systems are recommended until the patches become available.

To mitigate the risks associated with these vulnerabilities, Ivanti recommends applying the latest patches as soon as they become available. For Connect Secure, upgrading to version 22.7R2.5 is suggested. Moreover, closely monitoring systems using the Integrity Checker Tool (ICT) and other security monitoring tools is essential to detect any signs of compromise.

In addition, the company recommends Policy Secure and ZTA Gateways users consider isolating affected systems from the network until the patches are applied. Organizations utilizing Ivanti products should prioritize implementing these recommendations to mitigate the risks associated with these vulnerabilities.

Martin Jartelius, CISO at Outpost24 commented on the latest development urging impacted parties to immediately install patches. “Last time we had an Ivanti zero-day exploitation, the attackers shifted to their active/destructive phase as the patch became available, so anyone impacted should firstly patch at once, and secondly, review their readiness in incident response and keep extra eyes on their monitoring for the near future._“_

1.  **Hackers Target Ivanti Users Despite Patches**
2.  **Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks**
3.  **Ivanti VPN Flaws Exploited to Spread KrustyLoader Malware**
4.  **Magnet Goblin Hackers Using Ivanti Flaws to Drop Linux Malware**
5.  **Dell Urges Immediate Update to Fix Power Manager Vulnerability**

Source

HackRead