Hackable bugs can remotely control connected cars and track their movements
FBI warns of DPRK IT workers while DoJ indicts DPRK nationals for IT work scheme, Countries sign pact to root out SE Asian cybercrime, Trump issues new AI EO, 1K faux Reddit and WeTransfer pages download Lumma Stealer, Malicious AI chatbot emerges, DPRK hackers stole $70m from Phemex, much more
Don't miss my latest piece for CSO that takes a deep dive into deception technology, which extends far beyond just honeypots.
Please consider supporting Metacurity with an upgraded subscription so that you can continue receiving our daily missives, packed with the top infosec developments you should know.
If you can't commit to a subscription today, consider tipping or donating to help keep Metacurity going.
Security researcher Sam Curry and fellow researcher Shubham Shah discovered vulnerabilities in a Subaru web portal that let them hijack the ability to unlock an internet-connected 2023 Impreza, honk its horn, and start its ignition, reassigning control of those features to any phone or computer they chose.
Most disturbing for Curry was that they found they could also track the Subaru's location, not merely where it was at the moment but also where it had been for the entire year that his mother had owned it. The map of the car’s whereabouts was so accurate and detailed, Curry says, that he could see her doctor visits, the homes of the friends she visited, and even the exact parking space his mother parked in every time she went to church.
Curry and Shah have revealed their method for hacking and tracking millions of Subarus, which they believe would have allowed hackers to target any of the company's vehicles equipped with its digital features known as Starlink in the US, Canada, or Japan.
Vulnerabilities they found in a Subaru website intended for the company's staff allowed them to hijack an employee's account, reassign control of cars’ Starlink features, and access all the vehicle location data available to employees, including the car’s location every time its engine started, as shown in their video below.
Curry and Shah reported their findings to Subaru in late November, and Subaru quickly patched its Starlink security flaws. But the researchers warn that the Subaru web vulnerabilities are just the latest in a long series of similar web-based flaws they and other security researchers working with them have found that have affected well over a dozen carmakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and many others.
There’s little doubt, they say, that similarly serious hackable bugs exist in other auto companies' web tools that have yet to be discovered. (Andy Greenberg / Wired)
Related: SamCurry.net, Fast Company, Techzine, TechCrunch, 9to5Mac, Gigazine, Motor Illustrated, iPhone in Canada, Engadget, CarScoops, Jalopnik, Hacker News (ycombinator), r/SubaruForester, r/subaru, r/technews, Databreaches.net
The US FBI warned that North Korean IT workers are abusing their access to steal source code and extort US companies that have been tricked into hiring them, while the US Justice Department announced it had indicted two North Korean nationals and three facilitators for their involvement in a multi-year fraudulent remote IT work scheme.
The bureau alerted public and private sector organizations in the United States and worldwide that North Korea's IT army facilitates cyber-criminal activity and demands ransoms in exchange for not leaking sensitive data exfiltrated from their employers' networks.
"North Korean IT workers have copied company code repositories, such as GitHub, to their own user profiles and personal cloud accounts. While not uncommon among software developers, this activity represents a large-scale risk of theft of company code," the FBI said.
To mitigate these risks, the FBI advised companies to follow the principle of least privilege by deactivating local administrator accounts and limiting permissions for remote desktop applications. Organizations should also monitor for unusual network traffic, especially remote connections, since North Korean IT personnel often log into the same account from various IP addresses over a short period.
It also recommended reviewing network logs and browser sessions for potential data exfiltration through shared drives, cloud accounts, and private code repositories.
To strengthen their remote hiring process, companies should verify identities during interviews and onboarding and cross-check HR systems for applicants with similar resume content or contact details.
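The monitoring advice above (the same account logging in from several IP addresses within a short period) can be turned into a simple detection rule. The following is an added example and is not code from the FBI advisory or from Metacurity; the CSV-style log format, the one-hour window and the three-IP threshold are assumptions to be mapped onto your own SSO, VPN or remote-desktop logs.

```python
"""Flag accounts whose successful logins come from many distinct source IPs
inside a short sliding window.

Added example; the log format and thresholds below are assumptions, and the
sample records are constructed (RFC 5737 documentation addresses).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, account, source IP, outcome.
SAMPLE_LOG = """\
2025-01-23T08:02:11Z,dev.alice,203.0.113.10,success
2025-01-23T08:15:43Z,dev.alice,198.51.100.7,success
2025-01-23T08:41:09Z,dev.alice,192.0.2.55,success
2025-01-23T09:05:30Z,dev.alice,203.0.113.10,success
2025-01-23T08:10:00Z,dev.bob,203.0.113.20,success
2025-01-23T17:30:00Z,dev.bob,203.0.113.20,success
2025-01-23T08:12:00Z,dev.carol,198.51.100.9,success
2025-01-24T08:12:00Z,dev.carol,192.0.2.80,success
2025-01-23T08:30:00Z,dev.dave,192.0.2.90,failure
"""


def parse_log(text):
    """Parse CSV lines into (timestamp, account, ip, outcome) tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, account, ip, outcome = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, outcome))
    events.sort(key=lambda e: e[0])
    return events


def find_ip_churn(events, window=timedelta(hours=1), min_distinct_ips=3, successful_only=True):
    """Return {account: sorted distinct IPs} for every account that logged in from
    at least `min_distinct_ips` distinct source IPs within any window of `window`.

    Uses a two-pointer sliding window per account so the scan is linear in the
    number of login events.
    """
    by_account = defaultdict(list)
    for ts, account, ip, outcome in events:
        if successful_only and outcome != "success":
            continue  # failed attempts are noise for this rule
        by_account[account].append((ts, ip))

    flagged = {}
    for account, logins in by_account.items():
        left = 0
        counts = defaultdict(int)  # ip -> number of logins inside the window
        for ts, ip in logins:
            counts[ip] += 1
            # Advance the left edge until every event in the window is recent enough.
            while ts - logins[left][0] > window:
                old_ip = logins[left][1]
                counts[old_ip] -= 1
                if counts[old_ip] == 0:
                    del counts[old_ip]
                left += 1
            if len(counts) >= min_distinct_ips:
                flagged[account] = sorted(counts)
                break  # one hit per account is enough for an alert
    return flagged


if __name__ == "__main__":
    for account, ips in find_ip_churn(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {account}: {len(ips)} distinct source IPs within one hour: {', '.join(ips)}")
```

On the constructed data only `dev.alice` trips the rule: three different addresses inside 40 minutes. `dev.carol` changes address once across a day, which is normal travel, and `dev.dave` only fails to log in. Tune the window and threshold against a baseline of your own workforce (VPN egress pools and mobile carriers rotate addresses too) before paging on it.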
Separately, the US Justice Department indicted five people for their role in a scheme that allowed North Koreans to gain employment with at least 64 US companies and earn hundreds of thousands of dollars for Pyongyang’s government.
North Korean nationals Jin Sung-Il and Pak Jin-Song were indicted alongside Americans Erick Ntekereze Prince and Emanuel Ashtor, as well as Mexican national Pedro Ernesto Alonso De Los Reyes.
Ntekereze and Ashtor were arrested by the FBI, who found evidence of a “laptop farm” at Ashtor’s home during a raid. The devices helped the North Koreans appear as if they worked from the United States, according to the indictment.
Alonso De Los Reyes lives in Sweden but was arrested in the Netherlands on January 10 after a US warrant was issued.
According to the indictment, the team made about $866,255 through the scheme and laundered the funds through a Chinese bank account. The scheme ran from April 2018 to August 2024. (Sergiu Gatlan / Bleeping Computer and Jonathan Greig / The Record)
Related: ic3.gov, Justice Department, Cyberscoop, Newsweek, TechCrunch, The Record, Indictment, NK News, Cyber Express
China, Thailand, and other nations have reached a deal to target cybercrime centers that have taken root in Southeast Asian countries, a sign the governments are keen to crack down on gangs stealing millions of dollars from their people and damaging tourism.
According to China's Global Times, officials from the countries, along with Myanmar, Laos, Cambodia, and Vietnam, gathered in Kunming, where they pledged to extend law-enforcement efforts that have already led to the arrest of more than 70,000 suspects. Police will also target the leaders of an illegal industry that has trafficked thousands of people to work in the centers.
A “coalition will be launched, and will fight against communication fraud and serial crimes continuously,” China’s embassy in Myanmar said in a Facebook post. “Especially the lost and imprisoned citizens from each country will be rescued with all our capacity.” (Philip Heijmans and Khine Lin Kyaw / Bloomberg)
Related: The Diplomat
Donald Trump signed an executive order on artificial intelligence Thursday that will revoke past government policies his order says “act as barriers to American AI innovation.”
To maintain global leadership in AI technology, “we must develop AI systems that are free from ideological bias or engineered social agendas,” Trump’s order says.
The new order doesn’t name which existing policies are hindering AI development but sets out to track down and review “all policies, directives, regulations, orders, and other actions taken” as a result of former President Joe Biden’s sweeping AI executive order of 2023, which Trump rescinded Monday. Any of those Biden-era actions must be suspended if they don’t fit Trump’s new directive that AI should “promote human flourishing, economic competitiveness, and national security.” (Matt O'Brien and Sarah Parvini / Associated Press)
Related: The White House, iTnews, The White House, TechIssuesToday.com, Time, Press Trust of India, SiliconANGLE, Republic World, The Information, Healthcare IT News, Unite.AI, Slashdot
Sekoia researcher crep1x discovered that hackers are distributing nearly 1,000 web pages mimicking Reddit and the WeTransfer file-sharing service, which lead to downloads of the Lumma Stealer malware.
The threat actor abuses the Reddit brand on fake pages by showing fabricated discussion threads on specific topics: the thread creator asks for help downloading a specific tool, another user offers to help by uploading it to WeTransfer and sharing the link, and a third thanks them, making the whole exchange appear legitimate.
Unsuspecting victims clicking on the link are taken to a fake WeTransfer site that mimics the interface of the popular file-sharing service. The ‘Download’ button leads to the Lumma Stealer payload hosted on “weighcobbweo[.]top.”
All sites used in this campaign contain a string of the brand they impersonate followed by random numbers and characters to appear legitimate at a quick glance. The top-level domains are either “.org” or “.net.” (Bill Toulas / Bleeping Computer)
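The naming pattern described above (brand name followed by random characters, under a .org or .net top-level domain) is easy to encode as a triage check for proxy logs or reported URLs. The following is an added example, not code from Sekoia or Bleeping Computer; the brand-as-prefix regex, the allowlist of genuine domains and the two-label registrable-domain split are assumptions, and the sample URLs other than the payload host are constructed.

```python
"""Classify URLs against the lookalike-domain pattern used in the fake
Reddit/WeTransfer campaign: an impersonated brand followed by junk characters,
under a .org or .net TLD.

Added example. Assumptions: the brand appears as a prefix of the second-level
label, the registrable domain is the last two labels (no public-suffix list),
and the allowlist below is the set of genuine domains we trust.
"""
import re
from urllib.parse import urlsplit

BRANDS = ("reddit", "wetransfer")
LEGIT_DOMAINS = {"reddit.com", "redd.it", "wetransfer.com"}  # assumed allowlist
CAMPAIGN_TLDS = {"org", "net"}  # TLDs reported for this campaign
# Brand name followed by any run of letters, digits or hyphens.
LOOKALIKE = re.compile(r"^(?P<brand>" + "|".join(BRANDS) + r")(?P<tail>[a-z0-9-]*)$")


def refang(url):
    """Undo common defanging so that indicators copied from reports parse."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(url):
    """Return the last two labels of the hostname, or None if unusable."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed netloc, e.g. stray brackets
        return None
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:])


def classify_url(url):
    """Return one of: invalid, legitimate, lookalike-campaign-pattern,
    lookalike, unrelated."""
    domain = registrable_domain(url)
    if domain is None:
        return "invalid"
    if domain in LEGIT_DOMAINS:
        return "legitimate"
    sld, tld = domain.rsplit(".", 1)
    if not LOOKALIKE.match(sld):
        return "unrelated"
    # Brand prefix on a domain we do not trust: suspicious regardless of TLD,
    # and a direct match for this campaign when the TLD is .org or .net.
    return "lookalike-campaign-pattern" if tld in CAMPAIGN_TLDS else "lookalike"


def triage(urls):
    """Map each URL to its verdict; convenient for a batch of proxy-log entries."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs; only the last host comes from the report.
    SAMPLES = [
        "https://www.reddit.com/r/sysadmin/",
        "https://reddit-7k2x9.org/r/help",
        "https://wetransfer84jq.net/downloads/tool.zip",
        "https://wetransfer-share.com/d/123",
        "hxxps://weighcobbweo[.]top/payload",
    ]
    for url, verdict in triage(SAMPLES).items():
        print(f"{verdict:28} {url}")
```

Note that the payload host itself does not match: the brand check catches the lure pages, not the download server, so it belongs on a separate blocklist. The check is deliberately strict about the brand being a prefix; loosening it to a substring will catch more and also flag legitimate names such as community sites that mention the brand, so review the false-positive rate before blocking rather than alerting.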
Related: Tom's Guide
Researchers at Abnormal Security report that cybercriminals are selling access to a new malicious generative AI chatbot called GhostGPT, which is designed to assist with malicious activities such as malware creation and phishing emails.
They believe GhostGPT uses a wrapper to connect to a jailbroken version of ChatGPT or another open-source large language model (LLM), ensuring customers receive uncensored responses.
The new tool follows the creation of the WormGPT AI Chatbot in 2023, designed specifically to assist threat actors with business email compromise (BEC) attacks.
Several other variants of these models have since emerged, including WolfGPT and EscapeGPT.
The researchers said the new GhostGPT chatbot has received thousands of views on online forums, demonstrating a growing interest among cybercriminals in leveraging AI tools for nefarious activities. (James Coker / Infosecurity Magazine)
Related: Abnormal Security, SC Media, Forbes, HackRead, TechRepublic, Cyber Daily
Researchers at Black Lotus Labs, Lumen’s threat research and operations arm, report that a malicious campaign has been specifically targeting Juniper edge devices, many acting as VPN gateways, with malware dubbed J-magic that starts a reverse shell only if it detects a “magic packet” in the network traffic.
The J-magic malware is a custom variant of the publicly available cd00r backdoor. This proof-of-concept stays silent and passively monitors network traffic for a specific packet before opening a communication channel with the attacker.
The J-magic attacks appear to target organizations in the semiconductor, energy, manufacturing (marine, solar panels, heavy machinery), and IT sectors.
According to the researchers, the J-magic campaign was active between mid-2023 and at least mid-2024 and was orchestrated for “low-detection and long-term access.”
Based on the telemetry available, the researchers say that about half of the targeted devices seemed configured as a virtual private network gateway for their organization.
Similarly to cd00r, J-magic watches TCP traffic for a packet with specific characteristics (the “magic packet”) sent by the attacker. It does this by creating an eBPF filter on the interface and port specified as command line arguments when executed.
A remote IP receives a random, five-character alphanumeric string encrypted with a hardcoded public RSA key. The connection closes if the received response is not equal to the original string.
Black Lotus Labs says, “We suspect that the developer has added this RSA challenge to prevent other threat actors from spraying the internet with magic packets to enumerate victims and then simply repurposing the J-Magic agents for their own purposes." (Ionut Ilascu / Bleeping Computer)
Related: Lumen, Help Net Security, Ars Technica, Cyberscoop
PayPal will pay a $2 million penalty to New York State to settle the state’s allegations that the company had cybersecurity failures that led to a data breach.
New York alleged that PayPal violated the state’s Cybersecurity Regulation by failing to use qualified personnel to manage cybersecurity and by failing to provide adequate training around cybersecurity risks, the New York State Department of Financial Services (DFS) said in a Thursday (Jan. 23) press release.
Because of these cybersecurity failures, the state alleged that when PayPal changed existing data flows, cybercriminals could use compromised credentials to access IRS Form 1099-Ks, including Social Security numbers and other sensitive information.
A PayPal spokesperson said, “After self-reporting and disclosing this issue, we worked closely with the New York Department of Financial Services to resolve this matter, which occurred in December 2022.”
The DFS said in its press release that “PayPal has since remediated these issues and improved its cybersecurity practices.” (PYMNTS)
Related: DFS.ny.gov, DFS.ny.gov, Seeking Alpha, SC Media, American Banker, Finextra, Databreaches.net
A total of $335,500 was paid out on the second day of the Pwn2Own Automotive 2025 hacking competition organized this week by Trend Micro’s Zero Day Initiative (ZDI) in Tokyo, Japan, which, with the $382,750 awarded on the first day, brings the total to $718,250.
Of the second day’s total, $129,500 was earned for exploits targeting Tesla’s Wall Connector charger. One team earned $50,000 — the maximum amount for hacking the Tesla Wall Connector — for taking over the device and crashing it.
Two other teams earned $22,500 and $12,500 in rewards for hacking Tesla EV chargers, respectively. The amounts are smaller because the exploits involved previously known bugs.
One more attempt to hack the Tesla Wall Connector is scheduled for Friday; if the exploit is successful, it could add another $50,000 to the $129,500. (Eduard Kovacs / Security Week)
Related: Forbes, International Business Times, Bleeping Computer, Drive Tesla, Dark Reading
SonicWall is warning customers of a critical vulnerability potentially already exploited as a zero-day.
The bug affects SonicWall's Secure Mobile Access (SMA) line, specifically the SMA 1000 product. The company said that a remote unauthenticated attacker could execute arbitrary OS commands "in specific conditions."
SonicWall didn't specify these conditions, likely because it was concerned about giving criminals more details on exploiting CVE-2025-23006. However, given the 9.8 severity rating, it's safe to assume these conditions can be met in many cases.
CVE-2025-23006 affects the SMA 1000's Appliance Management Console (AMC) and Central Management Console (CMC), both of which are used for admin tasks, including configuring and monitoring hardware and creating new admin accounts. (Connor Jones / The Register)
Related: Cyberscoop, TechTarget, Help Net Security
According to multiple blockchain security experts, North Korean hackers are potentially behind the multi-million dollar exploit of the Singapore-based Phemex, which lost over $70 million in the hack.
The exchange halted withdrawals earlier on Thursday after several blockchain security firms alerted it to suspicious activity. Around $30 million had been drained then, though the attack continued, and more tokens were stolen.
As in many such attacks, the attackers appear to have gone after big-ticket assets first, draining base-layer tokens such as BTC, ETH, and SOL early on, alongside stablecoins. The attackers quickly swapped millions in stolen USDC and USDT, which can be frozen by their issuers, for ETH. (Daniel Kuhn / The Block)
Related: Web3IsGoingJustGreat, Coindesk, Cointelegraph, Coinpedia, BeInCrypto, Coinspeaker, The Crypto Times, Blockchain News, Decrypt
Daniel Stenberg, developer of curl, said the curl project has given up trying to use CVSS to derive a severity score and associated severity level, and instead gives a rough indication of a flaw's severity by assigning it one of four levels: low, medium, high, critical.
Stenberg believes that because "we are intimately familiar with the code base and how it is used, we can assess and set a better security severity this way," rather than through security scanners that retrieve CVSS scores. "It serves our users better."
Part of the reason for still using the four levels is that curl's bug bounty reward tiers are based on them. Stenberg points out that the Linux kernel does not even provide that coarse-grained indication, for reasons similar to why curl doesn't provide numeric scores. (Daniel.haxx.se)
Related: Socket.dev, Hacker News (ycombinator)
Best Thing of the Day: Indefinitely Trapping AI Web Crawlers
A pseudonymous coder has created and released an open source “tar pit” called Nepenthes to indefinitely trap AI training web crawlers in an endless, randomly generated series of pages to waste their time and computing power.
Bonus Best Thing of the Day: Stick It to the Man With an Email Address
Check out the options available for establishing anticapitalist/anti-surveillance email addresses.
Worst Thing of the Day: Tell Us Something We Don't Already Know
According to the World Economic Forum's 2025 risks report, misinformation and disinformation are the top global threat, while cyberespionage and warfare is the fifth top global threat over the next two years.
Bonus Worst Thing of the Day: Wish We Could Stick It to These M'Fers
Instagram and Facebook have blocked and hidden posts from abortion pill providers.