A free VPN app called Big Mama is selling access to people’s home internet networks. Kids are using it to cheat in a VR game while researchers warn of bigger security risks.

In the hit virtual reality game _Gorilla Tag_, you swing your arms to pull your primate character around—clambering through virtual worlds, climbing up trees and, above all, trying to avoid an infectious mob of other gamers. If you’re caught, you join the horde. However, some kids playing the game claim to have found a way to cheat and easily “tag” opponents.

Over the past year, teenagers have produced video tutorials showing how to side-load a virtual private network (VPN) onto Meta’s virtual reality headsets and use the location-changing technology to get ahead in the game. Using a VPN, according to the tutorials, introduces a delay that makes it easier to sneak up and tag other players.

While the workaround is likely to be an annoying but relatively harmless bit of in-game cheating, there’s a catch. The free VPN app that the video tutorials point to, Big Mama VPN, is also selling access to its users’ home internet connections—with buyers essentially piggybacking on the VR headset’s IP address to hide their own online activity.

This technique of rerouting traffic, which is best known as a residential proxy and more commonly happens through phones, has become increasingly popular with cybercriminals who use proxy networks to conduct cyberattacks and use botnets. While the Big Mama VPN works as it is supposed to, the company’s associated proxy services have been heavily touted on cybercrime forums and publicly linked to at least one cyberattack.

Researchers at cybersecurity company Trend Micro first spotted Meta’s VR headsets appearing in its threat intelligence residential proxy data earlier this year, before tracking down that teenagers were using Big Mama to play _Gorilla Tag_. An unpublished analysis that Trend Micro shared with WIRED says its data shows that the VR headsets were the third most popular devices using the Big Mama VPN app, after devices from Samsung and Xiaomi.

“If you’ve downloaded it, there’s a very high likelihood that your device is for sale in the marketplace for Big Mama,” says Stephen Hilt, a senior threat researcher at Trend Micro. Hilt says that while Big Mama VPN may be being used because it is free, doesn’t require users to create an account, and apparently doesn’t have any data limits, security researchers have long warned that using free VPNs can open people up to privacy and security risks.

These risks may be amplified when that app is linked to a residential proxy. Proxies can “allow people with malicious intent to use your internet connection to potentially use it for their attacks, meaning that your device and your home IP address may be involved in a cyberattack against a corporation or a nation state,” Hilt says.

"Gorilla Tag is a place to have fun with your friends and be playful and creative—anything that disturbs that is not cool with us,” a spokesperson for Gorilla Tag creator Another Axiom says, adding they use “anti-cheat mechanisms” to detect suspicious behavior. Meta did not respond to a request for comment about VPNs being side-loaded onto its headsets.

**Proxies Rising**

Big Mama is made up of two parts: There’s the free VPN app, which is available on the Google Play store for Android devices and has been downloaded more than 1 million times. Then there’s the Big Mama Proxy Network, which allows people (among other options) to buy shared access to “real” 4G and home Wi-Fi IP addresses for as little as 40 cents for 24 hours.

Vincent Hinderer, a cyber threat intelligence team manager who has researched the wider residential proxy market at Orange Cyberdefense, says there are various scenarios where residential proxies are used, both for people who are having traffic routed through their devices and also those buying and selling proxy services. “It’s sometimes a gray zone legally and ethically,” Hinderer says.

For proxy networks, Hinderer says, one end of the spectrum is where networks could be used as a way for companies to scrape pricing details from their competitors' websites. Other uses can include ad verification or people scalping sneakers during sales. They may be considered ethically murky but not necessarily illegal.

At the other end of the scale, according to Orange’s research, residential proxy networks have broadly been used for cyber espionage by Russian hackers, in social engineering efforts, as part of DDoS attacks, phishing, botnets, and more. “We have cybercriminals using them knowingly,” Hinderer says of residential proxy networks generally, with Orange Cyberdefense having frequently seen proxy traffic in logs linked to cyberattacks it has investigated. Orange’s research did not specifically look at uses of Big Mama's services.

Some people can consent to having their devices used in proxy networks and be paid for their connections, Hinderer says, while others may be included because they agreed to it in a service’s terms and conditions—something research has long shown people don’t often read or understand.

Big Mama doesn’t make it a secret that people who use its VPN will have other traffic routed through their networks. Within the app it says it “may transport other customer’s traffic through” the device that’s connected to the VPN, while it is also mentioned in the terms of use and on a FAQ page about how the app is free.

The Big Mama Network page advertises its proxies as being available to be used for ad verification, buying online tickets, price comparison, web scraping, SEO, and a host of other use cases. When a user signs up, they’re shown a list of locations proxy devices are located in, their internet service provider, and how much each connection costs.

This marketplace, at the time of writing, lists 21,000 IP addresses for sale in the United Arab Emirates, 4,000 in the US, and tens to hundreds of other IP addresses in a host of other countries. Payments can only be made in cryptocurrency. Its terms of service say the network is only provided for “legal purposes,” and people using it for fraud or other illicit activities will be banned.

Despite this, cybercriminals appear to have taken a keen interest in the service. Trend Micro’s analysis claims Big Mama has been regularly promoted on underground forums where cybercriminals discuss buying tools for malicious purposes. The posts started in 2020. Similarly, Israeli security firm Kela has found more than 1,000 posts relating to the Big Mama proxy network across 40 different forums and Telegram channels.

Kela’s analysis, shared with WIRED, shows accounts called “bigmama\_network” and “bigmama” posted across at least 10 forums, including cybercrime forums such as WWHClub, Exploit, and Carder. The ads list prices, free trials, and the Telegram and other contact details of Big Mama.

It is unclear who made these posts, and Big Mama tells WIRED that it does not advertise.

Posts from these accounts also said, among other things, that “anonymous” bitcoin payments are available. The majority of the posts, Kela’s analysis says, were made by the accounts around 2020 and 2021. Although, an account called “bigmama\_network” has been posting on the clearweb Blackhat World SEO forum until October this year, where it has claimed its Telegram account has been deleted multiple times.

In other posts during the last year, according to the Kela analysis, cybercrime forum users have recommended Big Mama or shared tips about the configurations people should use. In April this year, security company Cisco Talos said it had seen traffic from the Big Mama Proxy, alongside other proxies, being used by attackers trying to brute force their way into a variety of company systems.

**Mixed Messages**

Big Mama has few details about its ownership or leadership on its website. The company’s terms of service say that a business called BigMama SRL is registered in Romania, although a previous version of its website from 2022, and at least one live page now, lists a legal address for BigMama LLC in Wyoming. The US-based business was dissolved in April and is now listed as inactive, according to the Wyoming Secretary of State’s website.

A person using the name Alex A responded to an email from WIRED about how Big Mama operates. In the email, they say that information about free users’ connections being sold to third parties through the Big Mama Network is “duplicated on the app market and in the application itself several times,” and people have to accept the terms of conditions to use the VPN. They say the Big Mama VPN is officially only available from the Google Play Store.

“We do not advertise and have never advertised our services on the forums you have mentioned,” the email says. They say they were not aware of the April findings from Talos about its network being used as part of a cyberattack. “We do block spam, DDOS, SSH as well as local network etc. We log user activity to cooperate with law enforcement agencies,” the email says.

The Alex A persona asked WIRED to send it more details about the adverts on cybercrime forums, details about the Talos findings, and information about teenagers using Big Mama on Oculus devices, saying they would be “happy” to answer further questions. However, they did not respond to any further emails with additional details about the research findings and questions about their security measures, whether they believe someone was impersonating Big Mama to post on cybercrime forums, the identity of Alex A, or who runs the company.

During its analysis, Trend Micro’s Hilt says that the company also found a security vulnerability within the Big Mama VPN, which could have allowed a proxy user to access someone’s local network if exploited. The company says it reported the flaw to Big Mama, which fixed it within a week, a detail Alex A confirmed.

Ultimately, Hilt says, there are potential risks whenever anyone downloads and uses a free VPN. “All free VPNs come with a trade-off of privacy or security concerns,” he says. That applies to people side-loading them onto their VR headsets. “If you’re downloading applications from the internet that aren't from the official stores, there’s always the inherent risk that it isn’t what you think it is. And that comes true even with Oculus devices.”

This VPN Lets Anyone Use Your Internet Connection. What Could Go Wrong?

KEY SUMMARY POINTS The FBI has issued a Private Industry Notification (PIN) to highlight new malware campaigns targeting…

****KEY SUMMARY POINTS****

*   **FBI Alert on HiatusRAT**: The FBI issued a Private Industry Notification (PIN) warning about HiatusRAT malware campaigns targeting Chinese-branded web cameras and DVRs, leveraging remote access for device infiltration.

*   **Evolving Cyber Threat**: HiatusRAT, active since 2022, has been used to exploit outdated network devices, Taiwanese organizations, and a US government server. Recent campaigns focus on webcams and DVRs across the US, Canada, the UK, Australia, and New Zealand.

*   **Exploitation of Vulnerabilities**: Hackers are exploiting unpatched security flaws in devices like Hikvision and D-Link using tools like Ingram and Medusa, targeting TCP ports such as 23, 554, and 8080.

*   **Mitigation Efforts**: The FBI recommends isolating vulnerable devices from networks, implementing multi-factor authentication, enforcing strong password policies, and promptly updating firmware and software.

*   **Collaborative Response**: Sonu Shankar, a former federal critical infrastructure official, is collaborating with CISOs to address the escalating threat posed by these campaigns.

The FBI has issued a Private Industry Notification (PIN) to highlight new malware campaigns targeting Chinese-branded web cameras and DVRs. These attacks leverage a remote access trojan (RAT) called HiatusRAT, which grants remote access to compromised devices. 

HiatusRAT has been evolving since at least July 2022, and cybercriminals have used it to infiltrate outdated network devices, Taiwanese organizations, and even a US government server. Previous HiatusRAT campaigns have targeted edge routers to collect traffic passively and function as a covert command-and-control network. In March 2024, HiatusRAT actors launched a large-scale scanning campaign focusing on webcams and DVRs in the US, Canada, UK, Australia, and New Zealand.

Hackers are exploiting security weaknesses in devices like Hikvision cameras and D-Link devices as many vendors haven’t addressed critical vulnerabilities like CVE-2017-7921 (Hikvision cameras), CVE-2020-25078 (D-Link devices), CVE-2018-9995, CVE-2021-33044, and CVE-2021-36260, among others.

They are exploiting unpatched flaws targeting devices with telnet access, an insecure remote access protocol, and even brute-forcing access. The actors targeted Xiongmai and Hikvision devices with telnet access using webcam-scanning tools Ingram and Medusa.

“They used Ingram—a webcam-scanning tool available on Github—to conduct scanning activity. And they used Medusa—an open-source brute-force authentication cracking tool—to target Hikvision cameras with telnet access,” the **PIN** (PDF) read. Targeted TCP ports included 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575.

The FBI advises companies to limit the use of devices mentioned in the PIN and isolate them from their network. They should regularly monitor networks and employ best cybersecurity practices, including reviewing security policies, user agreements, and patching plans.

Furthermore, companies should patch and update operating systems, software, and firmware as soon as manufacturer updates are available change network system and account passwords regularly, enforce a strong password policy, and require multi-factor authentication whenever possible.

1.  **FBI: Chinese Hackers Compromised US Telecom Networks**
2.  **Tech Support Courier Scam Aiming at Cash and Metals, FBI**
3.  **FBI Alert: Russian Hackers Target Ubiquiti Routers for Botnet**
4.  **FBI: Androxgh0st Malware Building Botnet for Credential Theft**
5.  **FBI Targets 764 Network: Man Faces 30 Years for Cyberstalking**

FBI Warns of HiatusRAT Malware Targeting Webcams and DVRs

Androxgh0st, a botnet targeting web servers since January 2024, is also deploying IoT-focused Mozi payloads, reveals CloudSEK’s latest research.

****KEY POINTS****

*   **Rapid Vulnerability Exploitation**: The Androxgh0st botnet has expanded its arsenal, exploiting 27 vulnerabilities across web servers, IoT devices, and various technologies, including Cisco ASA, Atlassian JIRA, and TP-Link routers.

*   **Integration with Mozi Botnet**: The botnet incorporates Mozi payloads, targeting IoT devices and potentially sharing command-and-control infrastructure, signaling increased coordination and sophistication.

*   **Focus on Weak Security Practices**: Androxgh0st employs brute-force attacks, credential stuffing, and exploitation of devices with default or weak passwords to gain administrative access and maintain persistence.

*   **Global and Chinese-Specific Targets**: The botnet exploits vulnerabilities in both global systems and Chinese-specific technologies, with evidence pointing to links to Chinese CTF communities and Mandarin-based phishing tactics.

*   **Urgent Call for Patching**: Researchers recommend immediate patching of all affected systems to mitigate risks, including remote code execution, data breaches, and ransomware attacks.

CloudSEK’s contextual AI digital risk platform Xvigil has uncovered a significant evolution in the Androxgh0st botnet, revealing its exploitation of over 20 vulnerabilities and operational **integration with the Mozi botnet** with expected rise of, at least, 75% more web-application vulnerabilities by mid- 2025.This indicates a significant increase in Androxgh0st’s initial attack vector arsenal from 11 in November 2024 to around 27 within a month.

For your information, CISA **issued** an advisory earlier this year regarding Androxgh0st’s expanding attack surface, including Cisco ASA, Atlassian JIRA, and PHP frameworks, allowing unauthorized access and remote code execution.

CloudSEK’s research highlights Androxgh0st’s expansion beyond its initial focus on web servers, now incorporating IoT-focused Mozi payloads. It is actively exploiting 27 vulnerabilities across various technologies.

These include exploiting a web script injection vulnerability (**CVE-2014-2120**) in Cisco ASA, leveraging a path traversal vulnerability (**CVE-2021-26086**) for remote file reading, exploiting a local file inclusion vulnerability (**CVE-2021-41277**) for arbitrary file downloads, and targeting vulnerabilities in PHPUnit, Laravel, PHP-CGI, TP-Link routers, Netgear devices, and GPON routers.

Numerous other vulnerabilities are exploited now, including those in Sophos Firewall, Oracle EBS, OptiLink ONT1GEW, Spring Cloud Gateway, and various Chinese-specific software. The Sophos Authentication bypass vulnerability leads to Remote Code Execution (RCE) in the firewall’s User Portal and Webadmin web interfaces, allowing an unauthenticated attacker to execute arbitrary code.

This vulnerability is also present in Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload, which can be exploited to gain remote code execution as an Oracle user. OptiLink ONT1GEW GPON 2.1.11\_X101 Build 1127.190306 also allows remote code execution (authenticated). Finally, PHP CGI argument injection issue (**CVE-2024-4577**) is another issue affecting PHP-CGI.

This exploitation enables unauthorized access and remote code execution, posing significant risks to global web servers and IoT networks. Moreover, the botnet’s growing sophistication is evident in its shared infrastructure, persistent backdoor tactics, and the incorporation of Mozi payloads, the **report** read.

The research indicates a significant operational overlap between Androxgh0st and the Mozi botnet, with Androxgh0st deploying Mozi payloads to infect IoT devices and potentially sharing command and control infrastructure, suggesting a high level of coordination or unified control structure.

Further probing revealed that Androxgh0st **employs sophisticated tactics** such as code injection and file appending to maintain persistent access to compromised systems. It targets WordPress installations using brute-force attacks and **credential stuffing** to gain administrative access, and frequently exploits devices with default, weak or easily guessable passwords.

Although definitive attribution is complex, the research suggests links to Chinese CTF communities due to targeting of Chinese-specific technologies and software. This includes the use of the “PWN\_IT” string in injected payloads and command infrastructure, using Mandarin in phishing baits and source code, and potential connections to Chinese Kanxue-hosted CTF events. Successful exploitation can lead to data breaches, theft, system disruption, ransomware attacks, botnet amplification, and espionage and surveillance activities.

Screenshot shoes countries where devices have been most impacted for and the Chinese connection detailed by researchers in their blog (Via CloudSec)

“CloudSEK recommends immediate patching of these vulnerabilities to mitigate risks associated with the Androxgh0st botnet, which is known for systematic exploitation and persistent backdoor access,” researchers noted.

1.  **Legion: Credential Harvesting Malware Sold on Telegram**
2.  **Malware in Fake Business Proposals Hits YouTube Creators**
3.  **Cisco Urges Immediate Patch for Decade-Old WebVPN Flaw**
4.  **Black Basta Uses MS Teams, Email Bombing to Spread Malware**
5.  **Goldoon Botnet Hits D-Link Devices by Exploiting 9-Year-Old Flaw  
    **

Androxgh0st Botnet Targets IoT Devices, Exploiting 27 Vulnerabilities

A sophisticated social engineering cybercrime campaign bent on financial gain was observed being run from Tencent servers in Singapore.

Source: Rastislav Sedlak via Alamy Stock Photo

The Dubai Police are the latest victims of impersonation by fraudsters in the United Arab Emirates (UAE), who are sending thousands of text messages out to unwitting mobile users while purporting to represent the law enforcement agency.

Researchers at BforeAI observed a recent surge in phishing attacks leveraging alleged police communications, which encourage text recipients to click on a malicious URL to respond to supposed legal trouble or to register with an "official" online portal. The included links redirect victims to fake websites designed to harvest sensitive information, including bank details or personal identification details.

The campaign uses well-crafted lures with official branding, suggesting a moderate level of sophistication, according to BforeAI. But while the lures are tailored to UAE citizens, the phishing methodology resembles a 'spray-and-pray' model in its broad reach.

"The campaign targets individuals likely to respond to law enforcement-related communications, of which legitimate comms of this nature are not uncommon in the UAE — targeting particularly those with a limited understanding of digital threats," Abu Qureshi, lead for threat intelligence and mitigation at BforeAI, tells Dark Reading.

"The most striking aspect of this campaign is the calculated misuse of Dubai Police branding to establish credibility and deceive victims," he adds. "This demonstrates a sophisticated understanding of social engineering techniques and reliance on psychological manipulation, exploiting fear and trust in law enforcement — which for citizens of the UAE is of utmost importance."

Related:Governments, Telcos Ward Off China's Hacking Typhoons

**Cybercriminals Increasingly Target UAE, Middle East**

Cybercrime campaigns targeting organizations and individuals in Dubai and other parts of the UAE are noticeably on the rise. According to research from Kaspersky earlier this year, 87% of companies in UAE have faced some form of cyber incident in the past two years.

"The UAE is a high-value target due to its affluent population, high Internet penetration, and reliance on digital services," Qureshi says. "Cybercriminals exploit these factors alongside vulnerabilities in newly adopted technologies."

The cybercrime spree is part of a larger trend in the targeting of individuals and organizations in some areas of the Middle East in general, he notes.

"There's a focus on wealthy regions and individuals to maximize financial gain," he says. "There are also regional geopolitical interests and an increased focus on Middle Eastern entities due to economic and political dynamics."

Related:African Law Enforcement Nabs 1,000+ Cybercrime Suspects

To boot, because the area has embraced digital transformation and IT modernization with gusto, cybercriminals are targeting digital adoption vulnerabilities that come from the rapid implementation of advanced technologies without adequate protections, according to Qureshi.

**Anchoring a UAE Cybercrime Campaign in Singapore**

The cyberattackers behind the Dubai Police offensive appear to have used an automated domain generation algorithm (DGA) or bulk registration to quickly cycle through different domains to host malicious Web pages bent on financial fraud. Each domain is short-lived, in order to better avoid detection.

Most of those domains originated from Tencent servers based in Singapore, according to BforeAI researchers, who noted the company's servers have hosted malicious activity before, including spam, phishing, and botnets.

"Tencent, a Chinese-based technology giant, maintains a significant hub in Singapore, leveraging the city-state's strategic location and robust digital infrastructure," says Qureshi. "Despite Singapore's strong cyber-resilience and rigorous policies to address malicious activity, its status as a global tech hub makes it a prime location for abuse of legitimate platforms by cybercriminals."

Related:Yakuza Victim Data Leaked in Japanese Agency Attack

Qureshi adds that the presence of malicious activity on Tencent servers could be due to the exploitation of legitimate services.

"High-traffic servers can be abused to host or relay malicious content without the company's direct knowledge," he explains, adding that jurisdictional complexity could also be at play: "Singapore's law enforcement may face challenges in coordinating with foreign entities and differentiating criminal use from legitimate operations. While Tencent is based in Singapore — they are a Chinese firm."

Two of the registrants were found to be from India and Dubai itself, with suspicious names suggesting that they originate from a legitimate company, according to the research. For the most part though, the cyberattackers have managed to keep their identity anonymous.

Tencent did not immediately return a request for comment.

**How Organizations in the Middle East Can Protect Against Cyber Fraud**

For organizations in the region, campaigns like this should prompt changes in risk management, Qureshi advises. Although the phishing messages are broad-based, in the age of the mobile office, even campaigns designed to hit individuals can end up affecting companies.

Common-sense security hygiene includes the basics, like double-checking the official domain of the Dubai government and the payment portal before proceeding with any payment, as well as looking for red flags like missing HTTPs protocol, broken links, out-of-place Web designs, or suspicious phrasing or grammar.

Qureshi advises organizations to take several additional steps to mitigate their risk, including:

*   Enhanced monitoring: Implement robust predictive phishing detection systems and actively monitor for misuse of branding;
    
*   Awareness programs: Train employees on phishing recognition and reporting;
    
*   Collaboration: Work with CERTs and law enforcement to address identified threats;
    
*   Incident response: Develop and test response plans to address phishing-related breaches;
    
*   Reporting: Alert phishing reporting websites such as Etisalat and DU when employees receive phishing messages;
    
*   And continuous vigilance: Adopt a proactive cybersecurity stance to protect brand reputation and customer trust.
    

And finally, "this Dubai Police campaign highlights the globalized nature of cybercrime, where local targets are exploited using international infrastructure," Qureshi warns. "The importance of cross-border cooperation and leveraging threat intelligence to stay ahead of evolving tactics cannot be overstated."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

Researchers demonstrate how to hack Ruijie Reyee access points without Wi-Fi credentials or even physical access to the device.

Source: Hilke Maunder via Alamy Stock Photo

Internet of Things (IoT) vendor Ruijie Networks has shored up its Reyee cloud management platform against 10 newly discovered vulnerabilities that could have given adversaries control of thousands of connected devices in a single cyberattack.

The Fuzhou, China-based infrastructure maker's Ruijie Networks devices, are commonly used to provide free Wi-Fi in public settings like airports, schools, shopping malls, and governments across more than 90 countries.

A pair of researchers from Claroty Team82 have developed an attack they named "Open Sesame" that they used to successfully take control of Rujie Networks devices through its cloud-based Web management portal for remote monitoring and configuration.

"The Ruijie Reyee cloud platform lets admins remotely manage their access points and routers," researchers Noam Moshe and Tomer Goldschmidt explained in a statement. "By exploiting these vulnerabilities, attackers could access these devices and the internal networks to which they connect. Our research found tens of thousands of potentially affected devices worldwide."

Moshe and Goldschmidt presented their findings in a presentation titled "The Insecure IoT Cloud Strikes Again: RCE on Ruijie Cloud-Connected Devices" at Black Hat Europe 2024 this week.

Of the 10 CVEs outlined by a new Claroty Team82 report, all of which have been patched by Ruijee, three received CVSS scores of 9 or higher: CVE-2024-47547, a weak password recovery bug with a CVSS score of 9.4; CVE-2024-48874, a server-side request forgery vulnerability with a CVSS score of 9.8; and CVE-2024-52324, flagged as a "use of inherently dangerous function," also with a 9.8 CVSS score.

"The most serious vulnerability we discovered was the vulnerability allowing devices to impersonate the Ruijie cloud platform, sending commands to other devices," the Clarity researchers said.

The collection of bugs allowed remote code execution (RCE) on devices connected to the Ruijie cloud platform, they explained.

"An attacker would be able to exploit weak authentication mechanisms to generate valid device credentials," the research team commented. "After authenticating as a device, we discovered that the attacker could impersonate the Ruijie cloud platform and send malicious payloads to other devices in its stead, gaining full control through legitimate cloud functionality."

**Open Sesame Attack**

As spectacular as taking over 50,000-plus IoT devices at one time would be, the Claroty researchers suspect that not many adversaries want that kind of attention. Instead, they predicted, threat actors armed with these bugs would take a more low-profile approach, taking over specific devices in distinct locations.

"Exploiting this vulnerability at scale could alert the vendor, who would issue a fix to the vulnerabilities needed for this exploit," according to a blog post detailing Claroty's findings. "In addition, many attackers would simply not gain anything by mass-exploiting tens of thousands of devices; this is only relevant in the case of an attacker attempting to build a botnet. Instead, most attackers would take a more targeted, stealthy approach."

With this in mind, the Claroty team built the Open Sesame attack scenario, allowing them to execute code on a vulnerable Ruijie device with nothing more than a serial number.

To make it work, an attacker needs close proximity to a Wi-Fi network using Ruijie access points to sniff out the raw beacons sent out by the Wi-Fi network for users to find and connect. That beacon also contains the device's serial number.

"Then, using the vulnerabilities in Ruijie's MQTT communication, an attacker could impersonate the cloud and send a message to the target device (identified by its SN the attacker leaked)," the blog post added. "This will result in the attacker supplying a malicious OS command for the device to execute, resulting in a reverse shell on the attacked Ruijie access point, giving the attacker access to the device internal network."

The researchers went on to explain that they hope this work highlights how the porousness of clouds can become a big vulnerability for IoT networks.

"Team82's research on Ruijie's infrastructure further exposes how vulnerable devices that are insecurely connected to, and managed through, the cloud can be," the report said.

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

IoT Cloud Cracked by 'Open Sesame' Over-the-Air Attack

BforeAI has discovered a surge in phishing attacks targeting the Dubai Police, a government-run entity. Learn how cybercriminals are exploiting the Dubai Police name to steal personal information and money.

****SUMMARY:****

*   **Researchers found a rise in phishing attacks in the UAE impersonating Dubai Police via SMS.**

*   **Attackers use fake domains with typosquatting and suspicious extensions like “.xyz” and “.top.”**

*   **Many domains originate from Singapore servers linked to prior malicious activity.**

*   **The scams aim to steal financial data and exploit fear using emergency numbers like 999.**

*   **Residents should verify websites, avoid unknown contacts, and check for “HTTPS” to stay safe.**

Cybersecurity researchers at BforeAI have identified a rise in phishing attacks targeting residents of the United Arab Emirates (**UAE**) by impersonating the Dubai Police. The attacks are primarily relayed via SMS texts and redirect users to malicious domains.

The researchers analyzed 268 domains from September 17 to November 22 to identify patterns and trends. Most domains originated from Singapore servers and have a history of malicious activity, including spam, phishing, and botnets. Around 50% of these domains were registered by Gname, and the rest by NameSilo, and Dominet.

One such SMS with a malicious link (Via BforeAI)

Further probing revealed that over two dozen domains have expired, with some registered as recently as November. Two registrants, from India and Dubai, have suspicious names suggesting legitimate company origins. Threat actors, however, have managed to keep their identities anonymous, revealed BeforeAI’s **advisory** shared exclusively with Hackread.com ahead of its publishing.

This update follows **last month’s revelations** that 99% of UAE’s .ae domains are vulnerable to phishing and spoofing attacks due to insufficient DMARC implementation.

****What’s going on****

The attackers are deploying a multi-sided approach to deceive victims. This includes registering numerous domains in fast succession, often with sequential numbering, hinting at the use of automated tools, and using **Typosquatting**. This means they are creating misspelled variations of “Dubai Police” (e.g., “dubaiploce”) to trick unsuspecting recipients into clicking on illegitimate links.

Furthermore, attackers are adding terms like “police,” “gov,” “portal,” and “online” to the domain names to appear official and trustworthy.

Beyond the “.com” domain, the attackers are heavily utilizing less-regulated extensions like “.top,” “.xyz,” and “.click,” which provide them with more anonymity. Interestingly, a significant portion of the domains were registered using Tencent servers in Singapore, previously linked to malicious activities.

****Who are the Targets?****

These fraudulent campaigns seem to have two main targets- stealing financial information from individuals who believe they’re interacting with a legitimate government entity and exploiting fear by incorporating emergency numbers like 999 (UAE emergency services) to target those worried about supposed fines or seeking genuine assistance from Dubai Police.

Researchers observed a quick turnaround time for these phishing campaigns.  Many domains expire within weeks, suggesting the attackers launch frequent, short-lived operations to evade detection.

To avoid falling victim to such scams, UAE residents should verify official websites, be cautious of unfamiliar contacts, and be wary of websites lacking the “HTTPS” protocol, broken links, or unprofessional design.

1.  **Stolen UAE InvestBank Data Sold on Dark Web**
2.  **Anonymous Sudan Hits UAE’s Flydubai with DDoS Attack**
3.  **US Gov Agencies Impersonated in DocuSign Phishing Scams**
4.  **In UAE Supporting Qatar on the Internet is Now a Cybercrime**
5.  **Google takes on sites with ties to hack-for-hire groups in UAE**

Scammers Exploit Fake Domains in Dubai Police Phishing Scams

Proxy and anonymization networks have been dominating the headlines, this piece discusses its origins and evolution on the threat landscape with specific focus on state sponsored abuse.

Thursday, December 12, 2024 06:00

As long as we've had the internet, users have tried to obfuscate how and what they are connecting to. In some cases, this is to work around restrictions put in place by governments or a desire to access content that is not otherwise available in a given region.

This is why technologies like VPNs and The Onion Router (TOR) become popular: They allow users to easily access content without exposing their IP address or location. These technologies are intended to protect users and information and have done a good job of doing so. However, adversaries have taken notice and are using proxy networks for malicious activities.

**Proxy Chain Services**

It is important to distinguish the different proxy chain services, as there are legitimate reasons for some of them to exist. From a privacy/defender point-of-view, they can be split into the following groups:

*   **VPN and TOR:** These services provide the user anonymity, but the defender can, for the most part, determine that it's receiving requests from these networks. As such, there is no expectation that the origin of the connection is the exact same as the user’s physical location. The user has no control of the path or exit node location. 
*   **Commercial residential services:** These provide anonymity to users, while at the same time allowing them to choose the exit point. These services do not provide any clues to the defender about the nature of the connection. 
*   **Malicious proxy services:** Threat actors use these networks to hide their location and choose their exit node. These are set up to be used by malicious operators from multiple sources. They can take two shapes: The nodes are installed on leased servers from different providers in different regions, or their nodes can be compromised edge devices that bounce connections in chains.

The first group has a clear legitimate use case, and the second has been advertised as a means to measure marketing engagement. However, threat actors can also use them without the bandwidth owner understanding what is at risk. The third case is clear: The networks are built to be rented for distributed denial-of-service (DDoS) attacks or access to be sold so other actors can anonymize their activities.

**History**

Leveraging proxy networks for malicious purposes was something we first stumbled on with our research into Honeygain. This was one of the first times we saw technologies like proxyware being abused maliciously. 

Proxyware is a type of technology that uses agents installed by users to act as proxies for other users. The users installing these agents are typically compensated for adding their node to the proxy network. Criminals stumbled upon this quickly and began to weaponize and monetize it, allowing them to benefit from the anonymity these technologies provide since it traces back to a random computer in a random location. At the time, the focus was purely criminal in nature, but state-sponsored groups have been leveraging TOR and VPNs for decades to launch their attacks, typically dropping out of a VPN near the target.

State-sponsored groups also realize that TOR and VPNs have limitations and could potentially expose their operations, so they needed something more opaque and less traceable. Enter VPNFilter.

VPNFilter was the first large-scale proxy network leveraged by state-sponsored actors, in this case Russia. This completely changed how proxy networks were operated and would set the tradecraft for state-sponsored proxy networks for the next several years. The most unique aspect of VPNFilter was the targeting: small office and home office (SOHO) routers. 

The network was made up of SOHO routers that were being compromised with malicious firmware providing a variety of capabilities, including interception and proxy capabilities. 

This was also a fairly significant botnet, consisting of some 500,000 devices that created a massive network from which to launch attacks without repercussions. Fortunately, we worked with affected vendors, and they resolved many of the issues that were being exploited, both vulnerability and otherwise. 

This wasn't the last time we saw Russian-aligned actors leveraging these types of botnets. A few years later, Cyclops Blink was uncovered. Another Russian actor controlled a proxy network that again primarily consisted of consumer devices. 

The targeting of consumer devices for this type of activity has become the focus of state-sponsored groups’ foray into this space. They also make excellent targets, since many users leave default configurations in place and rarely think to update their devices. Fortunately, post-VPNFilter, many vendors have switched to automatic updates, allowing for more frequent patching. This has resulted in state-sponsored groups widening their targeting. 

Today, we see not just SOHO routers, but also NAS and a variety of IoT devices being targeted and added to these networks. This problem has just gotten worse in the past several years.

**State of the Art**

As recently as September, the FBI took down a botnet associated with Chinese hacking activities. This was just the latest in a spate of attacks originating from proxy networks. This activity has been largely associated with Volt Typhoon by the U.S. Government, with a broader attribution of China-linked activities in the recent FBI takedown.

Currently, there are several proxy-based networks, with a focus on SOHO devices (e.g., routers, NAS, etc.) and a variety of IoT components (e.g., security cameras) being compromised and added to a botnet that, in some ways, mirrors Mirai botnet activities. 

The basic operating model for these botnets is that they are peer-to-peer, meaning there is no discernable routing. This model provides a sophisticated network of devices to obfuscate the true origin of an attack, and in many circumstances, allows the attacker to appear in close proximity to the victim, including coming from geographically adjacent residential networks. 

The attacks originating from these networks have been tied to espionage and the targeting of critical infrastructure in the U.S. and globally. Most countries are concerned with this escalation, and it has the attention of the majority of vendors in this space. 

These networks have also grown with staggering efficiency, with new nodes being added constantly as other nodes fall off and need to be compromised again. Based on reporting, the majority of these infections are using N-Day vulnerabilities or weak credentials to gain access, something we've seen repeatedly out of botnets like Mirai for the last decade. The major difference is that Mirai is used to conduct DDoS attacks, and the new iterations are being used to launch state-sponsored attacks with anonymity.

**Network Resiliency Coalition**

The repeated use of N-Day vulnerabilities and weak credentials ties into the work that Cisco has been doing for some time related to old and outdated networking equipment and the risks they introduce. The Network Resiliency Coalition is one of the projects aimed at trying to resolve this difficult problem. Anonymization networks' reliance on networking equipment, specifically exploiting known vulnerabilities, adds more weight to the importance of this effort. By working with industry peers, Cisco is trying to help remove many of the systems that are being abused in these attacks by working with vendors to ensure proper patching is provided to mitigate these known vulnerabilities, in a timely manner.  

More projects like this that encompass the IoT industry and the non-edge SOHO appliances like NAS devices would also have a contribution to the fight against anonymization networks. This combined with better credential management, most notably ensuring that default credentials are complex and unique, could make a huge impact on how successful these networks are in continuing to grow. Vendors are working to try and resolve some of these weaknesses, but it also is paramount for defenders to take note.

**Impact on Defenders**

This continued focus by state-sponsored groups to leverage these networks presents problems for defenders. Attacks from these groups are likely to be coming from residential networks, potentially even from residential networks in the same cities and countries as your organization operates, making identification and attribution increasingly difficult. 

Organizations need to realize that attacks can come from anywhere, even the same IP space that your employees connect to their VPNs, so plan accordingly. 

This is further complicated by the increased focus by state-sponsored groups on the use of legitimate credentials. If you have a connection coming from the same IP space as your employees, using legitimate credentials organizations have little hope to stop it. This is where the increased focus on identity comes into play — organizations need to start taking additional steps to be able to distinguish between the illegitimate and legitimate use of credentials, and that ties back to behavior. 

Increasingly, organizations should be looking at users’ behavior when it comes to connections.

*   Are they using their typical device type? (e.g., Windows desktop/MacOS laptop)
*   Are they logging on during their typical hours? (e.g., 9-5 M-F)
*   Are there other managed devices in proximity?
*   Are they using their managed device?

This last point is a critical one. For organizations particularly concerned with credential abuse, managed device access restriction may be the best option. 

This ensures that only managed devices can connect to corporate VPNs through technologies like certificates. 

The downside to this approach is that it's expensive, and for many organizations not practical, but for those with the budgets and the concern, it's a needed escalation beyond just multi-factor authentication (MFA). 

You may have noticed we haven’t mentioned MFA until now. But that’s because in 2024, it's assumed you've already rolled out MFA for medium to large enterprises. It is no longer an optional security feature. 

Defenders need to adjust for the state-sponsored threats they will be facing in 2024 and beyond. This means adding more identity capabilities in the near term and looking at additional security protections like managed device-only access in the future.

The evolution and abuse of proxy networks

SUMMARY Cybersecurity researchers at Oasis Security have identified a vulnerability in Microsoft’s Multi-Factor Authentication (MFA), known as AuthQuake,…

****SUMMARY****

*   **Dubbed AuthQuake; the flaw in Microsoft MFA allowed attackers to bypass security measures and access accounts.**

*   **Vulnerability impacted Azure, Office 365, and other Microsoft services with over 400 million users at risk.**

*   **Exploit leveraged the lack of rate limiting and extended validity of TOTP codes for login sessions.**

*   **Attackers could bypass MFA in under 70 minutes with a 50% success rate without user interaction.**

*   **Microsoft patched the flaw permanently on October 9, 2024, with stricter rate-limiting mechanisms.**

Cybersecurity researchers at Oasis Security have identified a vulnerability in Microsoft’s Multi-Factor Authentication (MFA), known as AuthQuake, which allows attackers to bypass security measures and gain unauthorized access to user accounts. 

With over 400 million paid Office 365 subscriptions, the vulnerability could be a highly lucrative opportunity for cyber criminals to steal sensitive information such as emails, files, and communications across Microsoft’s platforms like Outlook, OneDrive, Teams, Azure, etc.

****Exploiting Rate Limit and Time-Based One-Time Password (TOTP)****

The exploit takes advantage of two key weaknesses in the MFA setup: Lack of Rate Limiting and Extended Timeframe for TOTP Codes. When users log in, they’re assigned a session ID and asked to verify their identity using a Time-Based One-Time Password (TOTP) from an authenticator app. The problem is that the system permits up to 10 failed login attempts per session without notifying the user or triggering any alerts.

The lack of rate limiting allows attackers to quickly create new login sessions and trial multiple TOTP codes, which are essentially six-digit numbers. Given that there are a million possible combinations for these codes, an attacker could theoretically exhaust all options without encountering any security measures.

On the other hand, TOTP codes are typically valid for only 30 seconds, the testing conducted by Oasis revealed that the system allowed codes to remain valid for up to 3 minutes. This extended time frame significantly increases the chances of success for an attacker attempting to guess the correct code.

****Result?****

According to Oasis Security’s **blog post** shared with Hackread.com ahead of its publishing on Wednesday, December 11, researchers concluded that attackers could bypass MFA in under 70 minutes with a 50% success rate, all without any user interaction or alerts. Here’s a demonstration the researchers created while testing the exploit themselves:

****Microsoft’s Response****

Oasis Security reported the incident to **Microsoft**. The tech giant was quick to respond and implemented a permanent fix on October 9, 2024, after a temporary fix was deployed on July 4, 2024. The fix involved introducing stricter rate limits that activate after a number of failed attempts, lasting for about half a day.

**Jason Soroko**, Senior Fellow at Sectigo, emphasizes the broader implications of this discovery stating, _“_AuthQuake highlights significant flaws in Microsoft’s MFA implementation. It’s a wake-up call for organizations to adopt patches and reconsider their reliance on outdated MFA solutions. The move towards passwordless authentication is not just a trend but a necessity for future-proofing our security measures._“_

****Lesson for Users and Companies****

While the specific flaw has been patched, organizations should inform employees about the importance of cybersecurity and encourage them to report any suspicious login attempts. Moreover, despite the recent issues, MFA remains a critical security measure therefore, use authenticator apps or explore stronger **passwordless methods** for added protection.

1.  **Microsoft Bookings Flaw Enables Account Hijacking**
2.  **Mirai botnet exploiting Azure OMIGOD vulnerabilities**
3.  **Hackers Use Excel Files to Deliver Remcos RAT Variant**
4.  **Azure AI Flaws Lets Attacks Bypass Moderation Safeguards**
5.  **Microsoft Azure Exploited to Create Undetectable Cryptominer**

AuthQuake Flaw Allowed MFA Bypass Across Azure, Office 365 Accounts

SUMMARY Cybersecurity researchers at Deep Instinct have uncovered a novel and powerful Distributed Component Object Model (DCOM) based…

****SUMMARY****

*   **The new DCOM attack leverages Windows Installer service for stealthy backdoor deployment.**

*   **Attack exploits the IMsiServer interface for remote code execution and persistence.**

*   **Malicious DLLs are remotely written, loaded, and executed to compromise systems.**

*   **It requires the attacker and victim to be within the same domain, limiting the scope.**

*   **Consistent DCOM hardening patches can mitigate attack effectiveness.**

Cybersecurity researchers at Deep Instinct have uncovered a novel and powerful Distributed Component Object Model (DCOM) based lateral movement attack method that enables attackers to stealthily deploy backdoors on target Windows systems.

The attack exploits the Windows Installer service to remotely write custom DLLs, load them into an active service, and execute them with arbitrary parameters. For context, a DLL (Dynamic Link Library) is a Windows file that contains code, data, and resources shared by multiple programs.

The attack, detailed in Deep Instinct’s technical blog and shared with Hackread.com, exploits the IMsiServer COM interface. By reversing its internals, attackers can manipulate its functions to achieve remote code execution, bypass traditional security controls and establish persistent footholds on compromised systems.

For your information, DCOM Lateral Movement is a technique used to move sideways within a network by exploiting vulnerabilities in DCOM, which allows communication between programs on different computers.

On the other hand, Computer Objects (COM) are compiled code that provides services to the system, based on interfaces implemented by its class defined by a globally unique Class ID (CLSID) and accessed remotely with a globally unique identifier (GUID) – AppID. All communication among COM components occurs through interfaces.

The technique involves identifying the vulnerable Windows Installer service, exploiting its COM interface, crafting a malicious DLL containing malicious code, writing the DLL remotely, loading the DLL into a running service process, and executing the code. The attacker gains control over the service, manipulating its functions to remotely interact with it.

The malicious DLL is then loaded into the Windows Installer service, allowing the attacker to execute its code, and granting them remote access to the system. This method is particularly effective against Windows Installer due to its broad system privileges and network accessibility.

The DCOM Upload & Execute attack is powerful but has limitations, researchers noted in the technical blog post. It requires both attacker and victim machines to be within the same domain, restricting its applicability to specific organizational boundaries.

Consistent DCOM Hardening patch statuses can reduce the attack’s effectiveness in environments with varying patch levels. Apart from that, the uploaded payload must be a strongly named .NET assembly and must be compatible with the target machine’s architecture, either x86 or x64, which adds complexity to the attack process.

COM interfaces and tables (Credit: Deep Instinct)

Deep Instinct research discusses IDispatch, a fundamental COM interface that enables scripting languages and higher-level languages to interact with COM objects. However, it is not directly involved in the DCOM Upload & Execute attack due to the IMsiServer interface not implementing IDispatch.

This means that traditional scripting languages like PowerShell cannot directly interact with it using standard techniques. Researchers used lower-level techniques to manipulate the IMsiServer interface and achieve remote code execution by directly calling the interface’s methods and passing necessary parameters.

1.  Voice assistant devices manipulated with ultrasonic waves
2.  Hackers can Downgrade Windows to Exploit Patched Flaws
3.  Electromagnetic Waves Steal Data from Air-Gapped Systems
4.  ‘Matrix’ Hackers Deploy Massive IoT Botnet for DDoS Attacks
5.  Hackers Can Steal Data from Air-Gapped PCs via SATA Cables

Tag

#botnet