Cell Site Simulator Was Likely Deployed at DNC Convention in Chicago

Telefónica hit by internal ticketing breach, Slovakia hit with biggest cyberattack in its history, Microsoft sues ten foreign cybercrims for Azure OpenAI computers breach, DOJ charges Russian money launderers, Nominet probing Ivanti zero-day breach, Top Dutch tech uni hit by cyber attack, much more


The Electronic Frontier Foundation (EFF) has identified that a cell-site simulator, also known as an IMSI (international mobile subscriber identity) catcher, capable of intercepting phone signals was likely deployed during the 2024 Democratic National Convention (DNC) in Chicago.

Cell-site simulators mimic cell towers to intercept communications, indiscriminately collecting sensitive data such as call metadata, location information, and app traffic from all phones within their range. Their use has drawn widespread criticism from privacy advocates and activists, who argue that such technology can be exploited to monitor protesters and suppress dissent covertly.

Concerns over potential surveillance prompted WIRED to conduct a first-of-its-kind wireless survey to investigate whether cell-site simulators were being deployed. Reporters, equipped with two rooted Android phones and Wi-Fi hot spots running detection software, used Rayhunter, a tool developed by the EFF to detect data anomalies associated with these devices. WIRED’s reporters monitored signals at protests and event locations across Chicago, collecting extensive data during the political convention.

Initial tests conducted during the DNC revealed no conclusive evidence of cell-site simulator activity. However, months later, EFF technologists reanalyzed the raw data using improved detection methods. According to Cooper Quintin, a senior technologist at the EFF, the Rayhunter tool stores all interactions between devices and cell towers, allowing for deeper analysis as detection techniques evolve.

A breakthrough came when EFF technologists applied a new heuristic to examine situations where cell towers requested IMSI (international mobile subscriber identity) numbers from devices. According to the EFF’s analysis, on August 18, the day before the convention officially began, a device carried by WIRED reporters en route to a hotel housing Democratic delegates from states in the US Midwest abruptly switched to a new tower. That tower asked for the device’s IMSI and then immediately disconnected—a sequence consistent with the operation of a cell-site simulator.
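As an added illustration, not code from WIRED's report or from the EFF's Rayhunter project, the heuristic described above can be written as a pass over a log of phone-to-tower events. The event names, the constructed sample log and the 5-second disconnect window are assumptions; the one fact the check relies on is that a real network may also ask for an IMSI (for example when it cannot resolve a temporary identity) but then normally proceeds to authentication rather than dropping the phone.

```python
"""Flag cells that request the IMSI right after a cell switch and then drop the phone."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Event:
    t: float            # seconds since capture start
    cell_id: int        # serving cell the phone was attached to
    kind: str           # "attach", "identity_request", "auth_request" or "release"
    identity: str = ""  # for identity_request: "IMSI", "IMEI" or "TMSI"


def find_suspicious_cells(events: Iterable[Event], max_gap: float = 5.0) -> list[int]:
    """Return cell IDs where, after the phone switched to that cell, the tower asked
    for the IMSI and released the connection within max_gap seconds without ever
    running authentication. An IMSI request followed by authentication is treated
    as ordinary network behaviour and is not flagged."""
    flagged: list[int] = []
    current_cell = None
    imsi_asked_at = None
    authenticated = False
    for ev in sorted(events, key=lambda e: e.t):
        if ev.cell_id != current_cell:
            # New serving cell: start tracking this cell's behaviour from scratch.
            current_cell = ev.cell_id
            imsi_asked_at = None
            authenticated = False
        if ev.kind == "identity_request" and ev.identity == "IMSI":
            imsi_asked_at = ev.t
        elif ev.kind == "auth_request":
            authenticated = True
        elif (ev.kind == "release" and imsi_asked_at is not None
              and not authenticated and ev.t - imsi_asked_at <= max_gap):
            if current_cell not in flagged:
                flagged.append(current_cell)
    return flagged


# Constructed sample log (hypothetical cell IDs and timings, not captured data).
SAMPLE_EVENTS = [
    Event(0.0, 1001, "attach"),
    Event(0.5, 1001, "identity_request", "TMSI"),
    Event(1.0, 1001, "auth_request"),
    # Phone abruptly moves to an unfamiliar cell, which asks for the IMSI and drops it.
    Event(60.0, 4242, "attach"),
    Event(60.4, 4242, "identity_request", "IMSI"),
    Event(61.2, 4242, "release"),
    # Back on the original cell: it also asks for the IMSI, but then authenticates.
    Event(62.0, 1001, "attach"),
    Event(62.3, 1001, "identity_request", "IMSI"),
    Event(62.9, 1001, "auth_request"),
    Event(120.0, 1001, "release"),
]

if __name__ == "__main__":
    print("suspicious cells:", find_suspicious_cells(SAMPLE_EVENTS))
```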

It is unclear who deployed the simulator. Under Illinois law, law enforcement agencies must obtain a warrant to deploy cell-site simulators, although the Secret Service and Homeland Security Investigations don't always comply with these laws. (Dhruv Mehrotra / Wired)

Related: Gizmodo

Spanish telecommunications company Telefónica confirmed an internal ticketing system was breached after stolen data was leaked on a hacking forum.

This confirmation comes after a Telefónica Jira database was leaked on a hacking forum, with the breach claimed by four people using the aliases DNA, Grep, Pryx, and Rey. 

One of the attackers, Pryx, said that the "internal ticketing system" is an internal Jira development and ticketing server used by the company to report and resolve internal issues.

The system was reportedly breached yesterday using compromised employee credentials, with Telefónica blocking their access today after performing password resets on impacted accounts.

Using the compromised employee accounts, the threat actors say they were able to scrape approximately 2.3 GB of documents, tickets, and various data. While some of this data was labeled as customers, the tickets were opened with @telefonica.com email addresses, so there may have been tickets opened on behalf of customers.

Pryx says they did not contact the company or attempt to extort them before leaking the data online.

Three people behind this attack, Grep, Pryx, and Rey, are also members of a recently launched ransomware operation known as Hellcat Ransomware.

Hellcat is responsible for a recent breach of Schneider Electric, where 40GB of data was stolen from the company's JIRA server. (Lawrence Abrams / Bleeping Computer)

Related: HackRead, Infostealers, Infosecurity Magazine

Slovakia's minister of agriculture said that the country's land registry was hit with a cyberattack, the biggest cyber incident in the country's history.

The attack targeted the Slovakian Geodesy, Cartography, and Cadastre Office (UGKK), which manages land and property data. Last Tuesday, the agency shut down its systems and closed its physical offices following an alleged ransomware attack.

The attackers are reportedly demanding millions of euros in ransom.

Agriculture Minister Richard Takac said the systems would be restored with backups. He also assured no risk of changes or fraudulent transcriptions of ownership data. Takac did not provide further details about the attack, mentioning only that there were “strong indications” it originated from Ukraine.

The incident comes amid rising tensions between Slovakia and Ukraine following Kyiv’s suspension of Russian gas transit through Slovakian territory. The country has warned Kyiv of potential “severe consequences” for cutting off the gas supply, which will have a significant economic impact on Slovakia.

Slovakia’s nationalist political party (SNS) called on the foreign minister to summon the Ukrainian ambassador to discuss Ukraine’s alleged involvement in the attack. (Daryna Antoniuk / The Record)

Related: TA3, Spectator, Infosecurity Magazine, tasr

In a filing with the Eastern District Court of Virginia, Microsoft brought a lawsuit against ten foreign cybercriminals for using stolen credentials and custom software to break into computers running Microsoft’s Azure OpenAI services to generate “harmful content.”

In a complaint filed on Dec. 19, 2024, the company accuses the group of violating the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, the Lanham Act, and the Racketeer Influenced and Corrupt Organizations Act, as well as trespass to chattels and tortious interference under Virginia state law.

Microsoft claims the defendants used stolen API keys to gain access to devices and accounts with Microsoft’s Azure OpenAI service, which they then used to generate “thousands” of images that violated safety protocols in place to prevent misuse. The activity, first discovered in July 2024, continued through August 2024, and Microsoft said some of the stolen API keys belonged to US companies located in Pennsylvania and New Jersey.

According to Microsoft, the defendants used a software tool to gain insight into Microsoft and OpenAI’s filtering system. The tool allowed them to identify specific phrases flagged as safety violations and reverse engineer language to circumvent those restrictions. The software also allowed users to strip metadata from created media used to watermark and digitally identify AI-generated content.

In a blog describing the action, Steven Masada, assistant general counsel for Microsoft’s digital crimes unit, wrote that the court order and seizure “will allow us to gather crucial evidence about the individuals behind these operations, decipher how these services are monetized, and disrupt additional technical infrastructure we find.” (Derek B. Johnson / Cyberscoop)

Related: Microsoft on the Issues, Complaint, TechMonitor, TechCrunch, PCMag

The US Department of Justice announced the indictments of Russian citizens Roman Vitalyevich Ostapenko, Alexander Evgenievich Oleynik, and Anton Vyachlavovich Tarasov, accusing them of operating services that helped criminals launder cryptocurrency.

The three were allegedly involved in operating Blender.io and Sinbad.io, two cryptocurrency mixers “that served as safe havens for laundering criminally derived funds, including the proceeds of ransomware and wire fraud,” principal deputy assistant attorney general Brent Wible, the head of the Justice Department’s Criminal Division, was quoted as saying in a press release.

Blender.io and Sinbad.io were seized in an international law enforcement operation in 2023 and were suspected of having been used by North Korean hackers, who have become proficient at stealing and laundering millions of dollars in crypto, as well as by ransomware gangs, who profit from extorting financial ransoms from hacked companies.

Ostapenko and Oleynik were arrested on December 1, 2024, while Tarasov is still at large. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: Justice Department, Infosecurity Magazine, CyberScoop, The Record, BleepingComputer, PaymentSecurity.io, CryptoSlate, Cointelegraph

Nominet told customers via an email sent on January 8: "We became aware of suspicious activity on our network late last week. The entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely."

"The unauthorized intrusion into our network exploited a zero-day vulnerability," the email added.

Nominet said there is no evidence that its data has been stolen or leaked, and no backdoors or other forms of unauthorized access to its network have been identified.

All signs point to Nominet being the first organization to be publicly identified as a victim of the ongoing exploitation of CVE-2025-0282, the zero-day vulnerability affecting Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. (Connor Jones / The Register)

Related: TechCrunch, ISPreview

Eindhoven University of Technology, a top Dutch technical university that’s a key talent feeder for chip machine maker ASML Holding NV, shut down its computer network after a cyber attack.

The university, located about five miles from ASML’s global headquarters, will not hold lectures or educational activities until Tuesday. The university's vice president, Patrick Groothuis, said switching off the network was a “necessary intervention to prevent worse outcomes.”

The university said in the statement that experts are investigating the nature and extent of the hack. Late Saturday, officials noticed “a lot of suspicious activity” on the institution’s servers. Ivo Jongsma, the university’s spokesman, said there had been no contact with the hackers, whose identities were unknown.

Eindhoven University of Technology has been caught in the crosshairs of the US-China chip war as Washington seeks to limit Beijing’s ability to produce semiconductors. (Cagan Koc / Bloomberg)

Related: Eindhoven University, South China Morning Post, Cybernews, Fortune, The Cyber Express, Techzine, Teiss, DutchNews, NL Times

Blockchain security firm SlowMist’s chief information security officer, “23pds,” said that over seven million email addresses compromised in an OpenSea email vendor leak in 2022 have recently been “fully publicized” online, giving scammers a new treasure trove of information to work with.

While the attack occurred in June 2022, the data had not been made public until recently, meaning “all groups of attackers can use this information to go phishing and scamming.”

“The amount of leaked data reached 7 million, including a large number of email information of overseas cryptocurrency practitioners, including many well-known people, companies and key opinion leaders (KOLs) in the industry,” 23pds said on X, in a post originally written in Chinese.

OpenSea, one of the world’s most significant non-fungible token (NFT) marketplaces, first warned customers of a data leak on June 29, 2022, after discovering that an employee of Customer.io — its email automation platform — leaked the list of OpenSea customer emails to an outside party. (Felix Ng / Cointelegraph)

Related: BeInCrypto, digwatch, crypto.news, The Crypto Times, Cryptopolitan, Coinspeaker

Mango Markets is shutting down following governance proposals to adjust interest rates and collateral requirements, effectively ending borrowing and lending on the platform. These proposals, which were unanimously supported, will take effect on Jan. 13.

The closure comes after a settlement with the US Securities and Exchange Commission (SEC).

The shutdown of Mango Markets is rooted in an exploit in October 2022. Crypto trader Avraham “Avi” Eisenberg exploited a vulnerability in Mango’s protocol, draining over $100 million from the platform and causing significant financial losses.

While he returned $67 million as part of a community governance vote, he retained $40 million. US authorities arrested Eisenberg in December 2022, charging him with fraud and market manipulation.

Eisenberg has remained in custody since his arrest, and his sentencing has been postponed multiple times. Initially scheduled for Dec. 12, 2024, it was later delayed to Feb. 11, 2025, and now April 10, 2025. His legal team cited “the complexity of some of the sentencing issues” for the delay. (Mehab Qureshi / Cointelegraph)

Related: The Crypto Times, Daily Coin, Blockhead, Coinpedia, DailyCoin, crypto.news, ihodl

A fresh wave of DDoS attacks on Sunday morning claimed by pro-Russian crew Noname057(16) hit Italian targets, including the websites of banks such as Intesa Sanpaolo and Monte dei Paschi (MPS), the ports of Taranto and Trieste and companies including Vulcanair.

On Sunday, some of the cyber attacks were also claimed by another group, the Palestinian Alixsec, which targeted Olidata, among others.

On Saturday, hackers targeted around ten official websites in Italy, including those of the ministries of foreign affairs, infrastructure and transport, stock-market regulator Consob, the Carabinieri police, the Navy and Air Force.

The country's cyber security agency said the sites of public transport companies such as Atac in Rome, Amat in Palermo, Amt in Genoa, and Milan's two airports were also targeted, temporarily putting them out of action.

The pro-Russian hacker group Noname057(16) also claimed Saturday's cyber attacks, criticizing Premier Giorgia Meloni on Telegram. (ANSA.it)

Related: Security Affairs, L'Unione Sarda

According to Norwegian public broadcaster NRK, location tracking company Unacast has confirmed to the Norwegian government that it was the victim of a hack.

Last week, claims began circulating online that Unacast's data broker subsidiary Gravy Analytics had been the victim of a digital heist. The leaked data published to the internet by the hacker or hackers appeared to be genuine, but the company has so far not returned repeated messages seeking comment.

The document published by NRK is addressed to Norway's data protection authority and says that the breach involved stealing information from a Gravy Analytics web server using a "misappropriated" key. It quotes Unacast's lawyers, BakerHostetler, as saying that the breach was discovered on Jan. 4, but the timing is still under investigation.

The law firm was also quoted as saying that a preliminary investigation showed that some of the stolen files "could contain personal data." (Raphael Satter and AJ Vicens / Reuters)

Related: NRK, NRK, TechCrunch

Michael Scheuer, a former Disney employee fired for misconduct, admitted to hacking into the company’s menu creation software to alter key details, including food allergy information that could have been dangerous to customers at the resort’s restaurants.

Court Watch reports Scheuer has agreed to pay Disney restitution and a government fine. Scheuer’s lawyer, David Haas, reportedly said: “Mr. Scheuer is prepared to accept responsibility for his conduct. Unfortunately, he has mental health issues that were exacerbated when Disney fired him upon his return from paternity leave.” Haas added: “No one was ever at risk of injury, and he is deeply remorseful for what happened.”

Haas confirmed Court Watch’s report, noting that no plea date had yet been set. The plea date is when a defendant enters a guilty plea after a plea deal has been worked out between the defense attorney and prosecutor.

Court Watch also reveals additional details about what Scheuer did, based on newly revealed court documents, including adding a swastika to the menu, changing the wine regions of alcoholic drinks to locations that had mass shootings, and leaking the link and login he used to change the menus onto the dark web. (Lucas Ropek / Gizmodo)

Related: Court Watch, Court Listener, CNBC, WFTV, Florida Politics, Latin Times

To protect users from smishing (SMS phishing) attacks, Apple iMessage automatically disables links in messages received from unknown senders, whether they are email addresses or phone numbers. However, the links will be enabled if a user replies to that message or adds the sender to their contact list.

Over the past few months, there has been a surge in smishing attacks that attempt to trick users into replying to a text so that links are enabled again. For example, a fake USPS shipping-issue text and a fake unpaid road toll text were sent from unknown senders, and iMessage automatically disabled the links.

While neither of these phishing lures is new, these smishing texts, and others seen recently, ask users to reply with "Y" to enable the link.

Even if a user doesn't click on the now-enabled link, replying tells the threat actor that they now have a target that responds to phishing texts, making them a bigger target. (Lawrence Abrams / Bleeping Computer)

Related: Tom's Guide, Phone Arena, TechRadar

SMS phishing attacks with disabled links. Source: Bleeping Computer.

Researchers at Check Point uncovered a new ransomware group known as FunkSec that has claimed over 80 victims in just one month, more than any other threat actor in December.

FunkSec emerged late last year and likely consists of inexperienced hackers seeking visibility and recognition.

FunkSec demands unusually low ransoms, sometimes as little as $10,000, from its victims, mostly based in the US, India, Italy, Brazil, Israel, Spain, and Mongolia. It then sells stolen data to third parties at reduced prices.

The victims listed on its website include a travel booking company, an energy management service, and a company that sells household appliances. None of them have publicly confirmed the alleged attacks.

Its creator likely uploaded the latest version of the group’s ransomware, FunkSec V1, from Algeria. The malware contains elements that appear to have been created using artificial intelligence.

Researchers noted the developer likely used AI to quickly develop and improve the tool and supplement their “apparent lack of technical expertise.”

Check Point says FunkSec’s true motivations are unclear, as its activities align with both hacktivism and cybercrime. (Daryna Antoniuk / The Record)

Related: Check Point, ITP, SC Media


Best Thing of the Day: Despite the MAGA Wing, the GOP Might Do OK on Cyber

Rep. Don Bacon (R-NE), who chairs the House Armed Services cyber and innovation subcommittee, said his approach to cyber deterrence is to "speak softly and carry a big-ass stick."

Worst Thing of the Day: Is Four Years Enough Time to Remediate a Ransomware Attack?

The Hackney Council in the UK is still addressing the damage of a ransomware attack four years ago.
