Attackers are smuggling payment card-skimming malicious code into checkout pages on Magento-based e-commerce sites by abusing the Google Tag Manager ad tool.

Source: Diana Vyshniakova via Alamy Stock Photo

Attackers are exploiting Google Tag Manager by planting malicious code within e-commerce sites built on the Magento platform. The code can steal payment card data, demonstrating a new type of Magecart attack that leverages Google's free, legitimate website marketing tool.

Researchers from Sucuri discovered an ongoing Magecart campaign in which attackers load code that appears to be a standard Google Tag Manager (GTM) and Google Analytics tracking script from a database onto e-commerce sites. These tracking scripts are typically used for website analytics and advertising purposes; however, the code used in the campaign has been tweaked to act as a card skimmer for the infected site, the researchers revealed in a recent blog post.

"Within the GTM tag, there was an encoded JavaScript payload that acted as a credit card skimmer," Sucuri security analyst Puja Srivastava wrote in the post. "This script was designed to collect sensitive data entered by users during the checkout process and send it to a remote server controlled by the attackers."

So far, Sucuri has uncovered at least six sites affected by the campaign, "indicating that this threat is actively affecting multiple sites," Srivastava wrote.

**Exploiting a Legitimate Google Tool for Card Skimming**

Related:Canadian Man Charged in $65M Cryptocurrency Hacking Schemes

The attack demonstrates a nontypical Magecart attack that leverages a legitimate free tool from Google that allows website owners to manage and deploy marketing tags on their website without needing to modify the site's code directly. GTM eliminates the need for developer intervention each time a marketer aims to track or modify an ad or marketing campaign.

Sucuri researchers were alerted to the Magecart activity by a customer who found that someone was stealing credit card payment data from its e-commerce site. An investigation led to the discovery of malware being loaded from a database table cms\_block.content file for the website. The malware abused a GTM tag, which was altered by embedding an encoded JavaScript payload that acted as a credit card skimmer.

Attackers obfuscated the script using the technique function \_0x5cdc, which maps index values to specific characters in the array. This makes it difficult for someone to immediately understand the purpose of the script, Srivastava wrote.

The script also uses a series of mathematical operations in a loop, further scrambling the code, and also uses Base64 encoding. "This is a trick often used by attackers to disguise the true purpose of the script," she wrote.

The researchers also discovered an undeployed backdoor in one of the website's files that "could have been exploited to further infect the site, providing attackers with persistent access," Srivastava added. Indeed, Magecart attackers last year demonstrated a new tactic of stashing backdoors on websites to deploy malware automatically.

Related:Behavioral Analytics in Cybersecurity: Who Benefits Most?

Sucuri also previously investigated malicious activity that abused GTM to hide other types of malicious activity, including malvertising as well as malicious pop-ups and redirects.

**Mitigation & Remediation of Magecart Attacks**

"Magecart" refers to a loose collective of cybercriminal groups involved in online payment card-skimming attacks. These attacks typically inject card skimmers into websites to steal payment card data that can later be monetized. Big-name organizations that have been targeted by these attacks include Ticketmaster, British Airways, and the Green Bay Packers NFL team.

Once they identified the source of infection on their customer's site, Sucuri researchers removed the malicious code from any other compromised areas of the site, as well as cleaned up the obfuscated script and the backdoor to prevent the malware from being reintroduced.

To ensure an organization's e-commerce site has not been affected by the campaign, administrators should log in to GTM, and then identify and delete any suspicious tags that are being used on the site, Sucuri recommended. They also should perform a full website scan to detect any other malware or backdoors, and remove any malicious scripts or backdoor files.

Related:Cybercrime Forces Local Law Enforcement to Shift Focus

E-commerce sites built on Magento and their extensions also should be updated with the latest security patches, while all site administrators should regularly monitor e-commerce site traffic as well as GTM activity for anything unusual.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Magecart Attackers Abuse Google Ad Tool to Steal Data

Threat actors have been observed leveraging Google Tag Manager (GTM) to deliver credit card skimmer malware targeting Magento-based e-commerce websites.
Website security company Sucuri said the code, while appearing to be a typical GTM and Google Analytics script used for website analytics and advertising purposes, contains an obfuscated backdoor capable of providing attackers with persistent

Hackers Exploit Google Tag Manager to Deploy Credit Card Skimmers on Magento Stores

Plus: Benjamin Netanyahu gives Donald Trump a golden pager, Hewlett Packard Enterprise blames Russian government hackers for a breach, and more.

As Elon Musk and his so-called Department of Government Efficiency rampage through United States federal institutions, WIRED reported extensively this week on DOGE’s members, activity, and digital access to some of the US government's most delicate and critical software systems. One DOGE technologist, 19-year-old high school graduate Edward Coristine, established at least five different companies in the past four years—including Tesla.Sexy LLC—and briefly worked at a network monitoring company that has hired convicted hackers. Experts question whether Coristine, who has gone by the name “Big Balls” online, would pass the background check typically required for access to sensitive US government systems.

Meanwhile, DOGE’s apparent dismantling of USAID coupled with the US State Department's funding freeze have dramatically disrupted efforts to help people escape forced labor camps in Southeast Asia run by criminal scammers.

Outside of US government news, WIRED conducted an investigation into more than 300 cyberattacks in the past five years against US K–12 schools and found that victim schools sometimes withhold critical information about the scale and scope of the breaches from impacted students and parents. In slightly better news, data from the cryptocurrency tracing firm Chainalysis shows that ransomware payments fell precipitously in the second half of 2024. Experts fear, though, that the brief reprieve could be short-lived and may not be easy for defenders to sustain.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**UK Home Secretary Orders Apple Enable Access to Encrypted iCloud Backups**

The Washington Post reported on Friday that Apple has received a secret order from the UK office of the Home Secretary mandating the company to provide a way to access any user data protected by the company’s Advanced Data Protection for iCloud. The feature, which debuted at the end of 2022, is designed with end-to-end encryption so only users themselves, not Apple, have access to their data. As a result, complying with the UK demand would require Apple to break the feature by building a backdoor into it. Sources told the Post that rather than install a backdoor, Apple is likely to withdraw support for Advanced Data Protection for iCloud in the UK. “Yet that concession would not fulfill the UK demand for backdoor access to the service in other countries, including the United States,” the Post noted.

The order was issued under the UK’s broad 2016 Investigatory Powers Act. UK law enforcement agencies, not to mention cops in the US and other countries, have championed encryption backdoors for years, and lawmakers have tried at various times to mandate backdoors. The Home Office told the Post in a statement, “We do not comment on operational matters, including for example confirming or denying the existence of any such notices.” An Apple spokesperson declined to comment to the Post.

**Israel’s Netanyahu Gave Trump a Golden Pager During Washington Meeting**

Israeli prime minister Benjamin Netanyahu gave President Donald Trump a golden pager when the two met in Washington on Tuesday. The gift references a September attack in Lebanon against the militant group Hezbollah in which booby-trapped pagers (and walkie-talkies) detonated in coordinated explosions around the country. The operation killed at least 42 people, including some civilians, and injured at least 4,000 civilians, according to Lebanese officials. The attack has been widely attributed to Israel, but the country has neither confirmed nor denied its involvement. At the meeting Trump apparently gave Netanyahu a signed photograph of the two of them, which he signed, “To Bibi, a great leader!”

**Hewlett Packard Enterprise Says Russian Government Hackers Stole Some Users’ Sensitive Data**

Hewlett Packard Enterprise has been notifying dozens of users that their personal information was stolen during a 2023 breach. The company is attributing the attack to Russian state-backed hackers. The stolen data included Social Security numbers, driver’s license information, and credit card numbers. The incident began as a system intrusion in May 2023 into HPE’s email mailboxes and Microsoft SharePoint systems. HPE publicly disclosed the incident in January 2024.

**PowerSchool Data Breach Impacted Students Outside the US, Including 16,000 in the UK**

The edtech giant PowerSchool says that at least 16,000 students in the United Kingdom had their data stolen as part of a massive December data breach that may have affected 62 million students and 9.5 million teachers, most of them in the US and Canada. Attackers used compromised credentials to infiltrate the company’s customer support portal and then access user data.

PowerSchool spokesperson Beth Keebler confirmed to TechCrunch in a statement that students at four UK schools were affected totaling “approximately 16,000 students.” It is not clear if this is the total number of UK victims. The compromised data includes students’ dates of birth, contact information, some medical data, and “other related information.”

UK Secret Order Demands That Apple Give Access to Users’ Encrypted Data

Microsoft cybersecurity experts have identified a vulnerability flaw affecting ASP.NET applications, putting thousands of web servers at risk.…

Microsoft cybersecurity experts have identified a vulnerability flaw affecting ASP.NET applications, putting thousands of web servers at risk. The issue originates from developers using publicly available ASP.NET machine keys in their configurations; keys that hackers are now exploiting to execute ViewState code injection attacks.

A recent attack in December 2024 used this vulnerability to deliver Godzilla, a dangerous post-exploitation framework capable of executing commands, injecting shellcode, and maintaining persistent access to compromised servers. Microsoft warns that over 3,000 publicly disclosed machine keys could be weaponized for similar attacks.

****Why This Matters****

ASP.NET machine keys are meant to protect web applications by encrypting and validating ViewState data, ensuring that attackers cannot tamper with it. However, some developers have mistakenly copied these keys from online resources, unknowingly allowing hackers to generate and inject malicious ViewState data into their servers.

Once a hacker has access to the right machine key, they can craft a malicious payload and send it to a vulnerable website. The server, trusting the key, decrypts and executes the attacker’s code—leading to full remote code execution.

****What Happened in December 2024?****

An unidentified hacker took advantage of a publicly known ASP.NET machine key to deploy Godzilla, a post-exploitation tool that provides remote access to compromised servers. The attack began with injection, where the attacker sent a malicious ViewState payload using a leaked machine key.

Once received, the server decrypted and executed the code, unknowingly running the attacker’s instructions. This led to Godzilla deployment, where the payload triggered the execution of _assembly.dll_, loading the framework and allowing further exploitation.

Injection chain shows ViewState code leading to Godzilla. (Via Microsoft)

****Microsoft’s Response****

According to Microsoft’s **blog post**, the company has removed machine key samples from public documentation to discourage bad security practices. The company has also issued new detection alerts via Microsoft Defender for Endpoint to flag any usage of publicly disclosed machine keys.

If your system is compromised, simply rotating the machine keys may not be enough. Microsoft advises a full forensic investigation, as attackers may have installed backdoors or additional malware.

**Tim Mackey**, Head of Software Supply Chain Risk Strategy at Black Duck commented on the new development stating, _“_This misconfiguration allows attacks by using ViewState payloads encrypted with publicly available keys, often from demo code. Developers should replace sample keys, but some copy them without understanding the risk. Hardcoded keys in production signal poor configuration. Checking against Microsoft’s public key list helps, but DevOps teams should also use tools to detect and remove hardcoded secrets.”

****Protecting Yourself****

To protect your web servers from attacks, start by replacing any publicly available machine keys if they were copied from online sources. Next, rotate and secure your keys by generating new ones and applying them consistently across all servers in your web farm.

Additionally, encrypting machine keys in the web.config file will help prevent exposure. Monitoring for suspicious activity is also essential. Microsoft Defender now detects publicly disclosed ASP.NET machine keys, and enabling attack surface reduction rules can help block web shell attacks.

Upgrading to ASP.NET 4.8 enhances security by incorporating Antimalware Scan Interface (AMSI) support. Finally, conducting a security audit is important. If a machine key has been exposed, assume a breach, investigate thoroughly, and check for unauthorized access.

ASP.NET Vulnerability Lets Hackers Hijack Servers, Inject Malicious Code

The application has a hidden administrative account 'cxpro' that has write access permissions to the device.

Title: ABB Cylon FLXeon 9.3.4 (runtimeSetup.sh) Hidden Backdoor Account  
Advisory ID: ZSL-2025-5914  
Type: Local/Remote  
Impact: Security Bypass, System Access, DoS, Privilege Escalation  
Risk: (5/5)  
Release Date: 07.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

The application has a hidden administrative account 'cxpro' that has write access permissions to the device.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[07.02.2025\] Coordinated public security advisory released.

**PoC**

abb\_flxeon\_bd1.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch

**Changelog**

\[07.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon FLXeon 9.3.4 (runtimeSetup.sh) Hidden Backdoor Account

CISA and the FDA are warning that Contec CMS8000 and Epsimed MN-120 patient monitors are open to meddling and data theft; Claroty Team82 flagged the vulnerability as an avoidable insecure design issue.

Source: BMumin Mutlu via Alamy Stock Photo

Last week, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the US Food and Drug Administration (FDA), raised an alert for Contec CMS8000 and Epsimed MN-120 healthcare monitors, warning they potentially put patients at risk once connected to the Internet, due to a malicious, hidden backdoor embedded into the devices. But security researchers say the issue isn't actually intentional malware but, rather, just insecure design.

The devices continuously monitor patient vital signs, such as heart rate, blood oxygen saturation, temperature, respiration rate, and more. CISA and the FDA reported findings for three cybersecurity risks in the gear thanks to the "backdoor": an unauthorized user could remotely control a monitor and cause it to function in an unintended manner; attackers could compromise the device and pivot to a network; and an attacker could exfiltrate the data that the monitor collects. 

From a patient health perspective, if an attacker were able to manipulate the information the monitor gives patients, that could prevent them from realizing that there's something wrong. Though they reported no known cybersecurity incidents, deaths, or injuries related to the findings, the FDA still provided recommendations for patients and caregivers: talking to healthcare providers about evaluating their patient monitoring device and following certain steps if it does rely on an Internet connection.

Related:The Cyber Savanna: A Rigged Race You Can't Win, but Must Run Anyway

The FDA also tasked healthcare providers with checking their patients' Contec CMS8000 or Epsimed MN-120 patient monitors to determine if they have been functioning unusually.

**Patient Monitor Cyber Bug: Not Malicious, Just Problematic**

After learning of the alerts, Claroty's Team82 investigated the firmware and reached a different conclusion from CISA and the FDA: It is likely not a hidden backdoor that makes these devices a liability to patients and their medical information, but rather an insecure design that creates a vulnerability open for exploit by threat actors.

The researchers pointed out that the vendors, and any resellers interested in relabeling and selling the monitor publicly, list the IP address on the instruction manuals.

"The CONTEC operator manual specifically mentions this 'hard-coded' IP address as the central management system (CMS) IP address that organizations should use, so it is not hidden functionally as stated by CISA," wrote the Team82 researchers. "This nuance is important because it demonstrates a lack of malicious intent and therefore changes the prioritization of remediation activities."

Related:How Are Modern Fraud Groups Using GenAI and Deepfakes?

The vulnerability still poses real-world consequences, but Noam Moshe, a Team82 researcher, notes that a threat actor would first require knowledge of the device's architecture and protocols. 

"To gain code execution, first the device needs to be put on a system-upgrade process," says Moshe. "From our research, this requires physical access to the device."

After that though, the hardcoded nature of the IP address opens the door to easier exploitation.

"To exploit this vulnerability, an attacker would need to serve devices with malicious binaries on the hardcoded public IP address, giving them code execution on the device," Moshe says. "In the case of the device trying to send personally identifiable information (PII) or personal health information (PHI) to the hardcoded IP address, using the HL7 protocol, this could occur if a certain feature of the device would be enabled."

**Healthcare Devices: Monitoring the Threat**

Perhaps exploitation of this particular vulnerability doesn't seem all that likely, but medical devices have been a point of cyber contention for years.

All the way back in 2011 for instance, Jay Radcliffe took to the Black Hat USA stage to show the audience how insulin pumps like the one he wore could be hacked, in a presentation entitled "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System."

Related:Backline Tackles Enterprise Security Backlogs With AI

And as healthcare institutions are ravaged by ransomware attacks compromising their resources and putting patient lives at risk, many medical devices still haven't caught up when it comes to bolstering cybersecurity guardrails. Specifically, many of them are aging and running legacy software that hasn't been updated in years, offering plenty of holes for attackers.

However, agencies like the FDA are pushing companies to make strides, such as in 2023 when it began to reject medical devices that don't comply with recent cybersecurity regulation.

But there is still a long way to go: In 2024, researchers cited healthcare and the Internet of Medical Things (IoMT) as the riskiest device sector, even it did have the biggest decline overall in the number of risky devices deployed.

As for the patient monitor, Team82 researchers recommend that healthcare organizations take steps to protect patients, such blocking all access to the subnet from their internal network, and blocking devices attempting to upgrade firmware from a WAN server or potentially send PII.

"Hospitals should implement vulnerability detection and patching processes," Moshe says, "alongside network segmentation, driven by high-quality passive visibility that will ensure the most secure network layout."

Agencies Sound Alarm on Patient Monitors With Hardcoded Backdoor

Thorsten examines last year’s CVE list and compares it to recent Talos Incident Response trends. Plus, get all the details on the new vulnerabilities disclosed by Talos’ Vulnerability Research Team.

Thursday, February 6, 2025 14:03

> “Enough Ripples, And You Change The Tide. For The Future Is Never Truly Set.” X-Men: Days of Future Past

In January, I dedicated some time to examine threat data from 2024, comparing it with the previous years to identify anomalies, spikes, and changes.  

As anticipated, the number of Common Vulnerabilities and Exposures (CVEs) rose significantly, from 29,166 in 2023 to 40,289 in 2024, marking a substantial 38% increase. Interestingly, the severity levels of the CVEs remained centered around 7-8 for both years. 

When taking a closer look at the known exploited vulnerabilities reported by the Cybersecurity and Infrastructure Security Agency (CISA), I observed that the numbers remained relatively stable, with 186 in 2024 compared to 187 in 2023. However, there was a noteworthy 36% increase for the critical vulnerabilities scored (9-10).  

There is more to uncover from this data, and the analysis is still ongoing.  

It was also time to “stack” the data of our Quarterly Incident Response Reports. The standout aspects are the initial access vectors to me. "Exploiting Public Facing Applications" and "Valid Accounts" were dominant, outperforming other methods. This serves as a timely reminder to implement (proper) MFA and other identity and access control solutions as well as patch regularly and replace end-of-life assets. 

Reflecting on CVEs, patching, initial access vectors and also lateral movement, it's important to remember that the "free" support for Windows 10 will end on October 14, 2025.  

Mark.your.calendars. Please. And plan accordingly to ensure your systems remain secure.  

**The one big thing**

Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in Whatsup Gold.   

**Why do I care?**

Observium and WhatsUp Gold can be categorized as Network Monitoring Systems (NMS). A NMS as such holds a lot of valuable information such as Network Topology, Device Inventory, Log Files, Configuration Data and more, making them an attractive for the bad guys. 

**So now what?**

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, make sure your installation is up to date. 

**Top security headlines of the week**

The Cybersecurity and Infrastructure Security Agency analyzed a patient monitor used by the Healthcare and Public Health sector and discovered an embedded backdoor. (CISA) 

Apple has released software updates to address several security flaws across its portfolio, including a zero-day vulnerability that it said has been exploited in the wild. (Hacker News) 

Nearly 100 journalists and other members of civil society using WhatsApp were targeted by a “zero-click” attack (Guardian) 

DeepSeek AI tools impersonated by infostealer malware on PyPI (Bleeping Computer) 

**Can't get enough Talos?**

*   Web shell frenzies, the first appearance of Interlock, and why hackers have the worst cybersecurity: IR Trends Q4 2024 
*   New TorNet backdoor seen in widespread campaign 

**Upcoming events where you can find Talos**

Talos team members: Martin LEE, Thorsten ROSENDAHL, Yuri KRAMARZ, Giannis TZIAKOURIS, and Vanja SVAJCER will be speaking at Cisco Live EMEA. Amsterdam, Netherlands, 9-14 February.   

S4x25 (February 10-12, 2025)  
Tampa, FL

RSA (April 28-May 1, 2025)  
San Francisco, CA

TIPS 2025 (May 14-15, 2025)  
Arlington, VA

**Most prevalent malware files from the week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

Typical Filename: VID001.exe 

Claimed Product: N/A 

Detection Name: Win.Worm.Coinminer::1201 

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

Typical Filename: VID001.exe 

Claimed Product: n/a  

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA256:873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f  

MD5: d86808f6e519b5ce79b83b99dfb9294d   

VirusTotal: 

https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f 

Typical Filename: n/a  

Claimed Product: n/a   

Detection Name: Win32.Trojan-Stealer.Petef.FPSKK8   

SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   

MD5: ff1b6bb151cf9f671c929a4cbdb64d86   

VirusTotal: https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  

Typical Filename: endpoint.query   

Claimed Product: Endpoint-Collector   

Detection Name: W32.File.MalParent   

SHA 256: 744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241 

MD5: a5e26a50bf48f2426b15b38e5894b189 

VirusTotal: https://www.virustotal.com/gui/file/744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241 

Typical Filename: a5e26a50bf48f2426b15b38e5894b189.vir 

Claimed Product: N/A 

Detection Name: Win.Dropper.Generic::1201

Changing the tide: Reflections on threat data from 2024

New research highlights how bad actors could abuse deleted AWS S3 buckets to create all sorts of mayhem, including a SolarWinds-style supply chain attack.

Source: kovop via Shutterstock

Abandoned cloud storage buckets present a major, but largely overlooked, threat to Internet security, new research has shown.

The risks arise when bad actors discover and re-register these neglected digital repositories under their original name, and then use them to deliver malware or carry out other malicious actions against anyone still requesting files from them.

**A Far From Theoretical Threat**

The threat is far from theoretical, and the weakness is, in fact, incredibly easy to exploit, researchers from watchTowr discovered recently. The findings came as a follow-up to previous research they conducted last year on risks tied to expired and abandoned Internet domain names.

For the latest study, the researchers first searched the Internet for Amazon AWS S3 buckets referenced in deployment code or a software update mechanism. They then checked to see if those mechanisms were pulling down unsigned or unverified executables or code from the S3 buckets. The researchers discovered some 150 S3 buckets that at some time a government organization, Fortune 500 company, technology company, cybersecurity vendor or major open source project had used for software deployment, updates, configurations and similar purposes, and then abandoned.

To check what would happen, watchTowr registered the unused buckets using their original names for a total of around $400, and enabled logging on them to see who might request files from each S3 bucket. The company also wanted to find out what these users would request from the storage resources. To their surprise, in a two-month period, the S3 buckets received a staggering 8 million file requests, many of which the researchers could have very easily responded to with malware or some other malicious action.

Related:Name That Toon: Incentives

Among those requesting files from the abandoned S3 buckets were government agencies in the US, the UK, Australia, and other countries, Fortune 100 companies, a major payment card network, an industrial product company, global and regional banks, and cybersecurity companies.  

"We were not 'sniping' S3 buckets as they were deleted, nor employing any 'advanced' technique to register these S3 buckets," watchTowr researchers said in their report. "We just ... typed the name into the input box, and used the power of one finger to click register."

WatchTowr's analysis showed the S3 buckets receiving requests for a wide range of files, including software updates; unsigned Windows, Linux ad macOS binaries; virtual machine images; JavaScript files; SSL VPN configurations; and CloudFormation templates for defining and provisioning AWS cloud infrastructure services as code.

Related:Name That Toon: Meeting of Minds

Had the researchers wanted to, they could have trivially responded to any of these requests with things like a malicious software update, or a template that would have allowed them access to the requesting organization's AWS environment, or a backdoored virtual machine.

**A 'Terrifyingly Simple' Cloud Cyberattack Vector?**

"The main takeaway," says Benjamin Harris, CEO of watchTowr, "is the terrifyingly simple way by which hackers can create a major, SolarWinds-scale supply chain attack by abusing the relatively unknown vulnerability class of abandoned infrastructure."

While the study focused on AWS buckets, the same risks exist with any abandoned cloud storage resource that someone is able to find and re-register using the original name, according to watchTowr.   

"This is certainly not an AWS issue," Harris tells Dark Reading. "However, what is vital is that AWS customers understand that once a cloud resource is created, leveraged, and referenced in code — for example, in a software update process, or in a deployment manual or otherwise — that reference will exist forever," he says. The implications of that reference will survive in perpetuity as the watchTowr study showed, he cautions.

Related:New Essay Competition Explores AI's Role in Cybersecurity

According to Harris, watchTowr has tried to get AWS to stop allowing registration of S3 buckets under previously used names.

"We have repeatedly, like a broken record, shared our belief with the AWS teams that engaged with us that the most logical solution to the challenge here is to prevent the registration of S3 buckets using names that had been used previously," he says. This approach would entirely kill this vulnerability class — abandoned infrastructure — in the context of AWS S3 buckets.

"As always, there is likely an argument about the usability tradeoff, the ability to transfer S3 buckets between accounts, etc.," he adds. "But we do wonder if these requirements outweigh the impact we have demonstrated through our research."

**AWS Responds to Abandoned S3 Bucket Threat**

AWS itself quickly sinkholed the S3 buckets that watchTowr identified, so the attack scenarios the security vendor highlighted in its report won't work against the same resources, though the broader issue remains.

"The issues described in this blog occurred when customers deleted S3 buckets that were still being referenced by third-party applications," an AWS spokesperson tells Dark Reading. "After conducting their research without notifying AWS, watchTowr provided the bucket names to AWS, and to protect our customers, we blocked these specific buckets from being re-created."

A statement the person provided mentioned guidance that AWS has provided customers on best cloud bucket practices, and on using unique identifiers when creating bucket names to prevent unintended reuse. The company has also provided guidance on ensuring applications are properly configured to reference only customer-owned buckets, the statement said: "In 2020 we launched the bucket ownership condition feature and encouraged customers to use this mechanism, specifically designed to prevent unintended reuse of bucket names."

The statement went on to request that researchers engage with the company's security team before conducting research involving the company's services.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Abandoned AWS Cloud Storage: A Major Cyberattack Vector

Targets are lured into a fake interview process that convinces them to download malware needed for a virtual interview.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

NEWS BRIEF

In a new patch for its on-device malware tool, Apple is pushing signature updates to XProtect in order to block variants of a malware belonging to what is known as the macOS Ferret family.

This malware has been identified as part of "Contagious Interview," a North Korean campaign involving threat actors luring in targets and convincing them to install malware onto their devices through a fake job interview process. The other variants in the campaign include: FROSTYFERRET\_UI, FRIENDLYFERRET\_SECD, and MULTI\_FROSTYFERRET\_CMDCODES.

The DPRK malware family was first detailed by researchers in December 2024 and again in January where, as part of the campaign, targets are asked to communicate with an "interviewee" through a link that requests to install a piece of software required for virtual meetings.

Once installed, it runs a malicious shell script and installs a persistence agent, as well as an executable impersonating a Google Chrome update. 

The Contagious Interview attack chains are designed to drop JavaScript-based malware "BeaverTail," which delivers a Python backdoor known as InvisibleFerret, and harvests sensitive data from Web browsers and crypto wallets.

And now researchers at SentinelOne are highlighting samples they're calling "FlexibleFerret" that went undetected by XProtect as of Feb. 3, suggesting that the threat actors are honing their tactics to evade detection. This component dates as far back as November 2023.

"In an example in late December, one 'commenter' left instructions leading to the download of Ferret family droppers," stated the SentinelOne researchers. "This suggests that the threat actors are happy to expand the vectors by which they deliver the malware beyond the specific targeting of job seekers to developers more generally."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Ferret Malware Added to 'Contagious Interview' Campaign

N. Korean ‘FlexibleFerret’ malware targets macOS with fake Zoom apps, job scams, and bug report comments, deceiving users…

N. Korean ‘FlexibleFerret’ malware targets macOS with fake Zoom apps, job scams, and bug report comments, deceiving users into installation.

A new version of North Korean malware called ‘FlexibleFerret’ is making rounds, specifically targeting macOS devices and developers. This malware, linked to the ‘Contagious Interview’ campaign, uses tricky methods to infect systems, even disguising itself as legitimate software.

****The ‘Contagious Interview’ Trick****

The campaign begins with a **social engineering tactic**. Hackers lure their targets, often job seekers, into downloading malware through fake job interview processes. They send a link that appears to require a software update, like a fake virtual meeting application.

It is worth noting that the ‘Ferret’ malware family was originally discovered in September 2024 targeting Blockchain professionals with fake video conferencing and job scams. The latest variant, ‘FlexibleFerret,’ was discovered by SentinelLabs, and shows that hackers constantly change their methods to avoid detection.

Interestingly, Apple recently strengthened its XProtect security tool to deal with threats like “Ferret,” and other macOS malware. However, despite new security protocols, according to SentinelLabs’ **blog post** shared with Hackread.com, FlexibleFerret remained undetected, at least initially.

****How FlexibleFerret Works****

‘FlexibleFerret’ uses a dropper, which is essentially a package that installs the malware onto the system. This particular dropper contains several components, including fake applications and scripts.

After installation, the malware begins executing several malicious actions. It places and runs hidden components in the computer’s temporary folders, ensuring its presence remains unnoticed. At the same time, it creates a **fake Zoom application** that secretly connects to a suspicious domain.

To further trick victims, it displays a fake error message, making it seem like the installation failed while actually continuing to install itself in the background. Once embedded, it establishes persistence, allowing it to automatically run even after the system is restarted.

****A Signed Threat Against Job Seekers and Developers****

Unlike some older versions, ‘FlexibleFerret’ was initially signed with a valid Apple Developer signature. This helped it bypass some security checks, making it appear more legitimate. Security experts used this signature to discover even more related malware samples. That certificate has since been revoked, but a trail of other signed files has turned up.

The hackers behind ‘FlexibleFerret’ aren’t just focusing on job seekers anymore. They’re also targeting developers directly, using **fake bug reports or comments** on websites like GitHub to trick them into downloading the malware.

A threat actor tricking users into installing FlexibleFerret malware (Via SentinelLabs)

****Links to ChromeUpdate Malware****

FlexibleFerret includes a binary labeled “Mac-Installer.InstallerAlert,” which strongly matches code previously spotted in “**ChromeUpdate**,” an older piece of malware involved in these job interview lures. While Apple’s updated rules catch ChromeUpdate, they currently overlook this newer malware, indicating that attackers have changed minor elements to sneak past protections.

> _“The ‘Contagious Interview’ campaign and the FERRET family of malware represent an ongoing and active campaign, with threat actors pivoting from signed applications to functionally similar unsigned versions as required.”_
> 
>   
> SentinelLabs

1.  **Feds Bust N. Korean Identity Theft Ring Targeting US Firms**
2.  **Hackers used fake job website to scam jobless US veterans**
3.  **KnowBe4 Tricked into Hiring a North Korean Hacker as IT Pro**
4.  **Fake LinkedIn job offers scam spreading More\_eggs backdoor**
5.  **Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!**
6.  **Employee Duped by AI-Generated CFO in $25.6M Deepfake Scam**
7.  **Fake PoC Script Tricked Researchers into Downloading VenomRAT**

Tag

#backdoor