Meta Addresses Pig-Butchering, Claims Two-Year Collaboration with Law Enforcement

Sponsor Message

In today's digital landscape, protecting your software supply chain from rising threats is essential. This free whitepaper offers five key strategies for enhancing container security, one of the main attack surfaces in dynamic software development practices. Learn about using SBOMs for transparency, shifting vulnerability detection left, and automating policy enforcement, all for a superior developer experience and securing third-party code.

Interested in reaching the elite audience of cybersecurity decision-makers, public policy professionals, and journalists who read Metacurity? Send an email to info [at] Metacurity.com with the subject line "Sponsorship."

Social media giant Meta released information for the first time about its approach to combating the forced-labor compounds that fuel pig butchering scam activity on its platforms and across the web.

The company says that for more than two years, it has been focused on collaborating with global law enforcement and other tech companies to address the underlying problem of organized crime syndicates driving scam activity in Southeast Asia and the United Arab Emirates.

Meta says that this year, it has taken down more than 2 million accounts connected to scam compounds in Myanmar, Laos, Cambodia, the Philippines, and the UAE. The company has also collaborated with external experts, including tech companies, NGOs, and coalitions, to counter online scams.

As pig butchering scams generate significant revenue for criminals and spread worldwide, Meta notes that it has focused on working directly with law enforcement to track criminal syndicates.

Longtime pig butchering researchers say that Meta has been slow to publicly and directly acknowledge the problem and its many platforms' role in connecting scammers with potential victims. They emphasize that Meta’s services are far from the only platforms scammers use to reach victims.

However, platforms like Facebook and Instagram are recognizable and trusted worldwide, so it is inevitable, the researchers say, that scammers will gravitate to them. And Meta has warned its users broadly about investment and romance scams. (Lily Hay Newman and Matt Burgess / Wired)

Related: Meta, Washington Post, The Hill, NBC News, CNET, The Record, Engadget, Social Media Today, Cyberscoop, Silicon Angle, Cybernews, PCMag

In its Digital Defense Report 2024, Microsoft says ​it has seized 240 domains used by customers of ONNX, a phishing-as-a-service (PhaaS) platform, to target companies and individuals across the United States and worldwide since at least 2017.

ONNX (also known as Caffeine and FUHRER) was the top adversary in the Middle (AitM) phishing service, based on the volume of phishing messages during the first half of 2024. Tens to hundreds of millions of phishing emails targeted Microsoft 365 accounts each month and customers of various other tech companies.

Microsoft said, "The fraudulent ONNX operation offered phishing kits designed to target various companies across the technology sector, including Google, DropBox, Rackspace, and Microsoft."

ONNX promoted and sold the phish kits on Telegram using several subscription models (Basic, Professional, and Enterprise), ranging from $150 to $550 monthly.

The attacks, also controlled via Telegram bots, came with built-in two-factor authentication (2FA) bypass mechanisms and most recently targeted financial firms' employees (at banks, credit union service providers, and private funding firms) using QR code phishing (also known as quashing) tactics.

These emails included PDF attachments containing malicious QR codes that redirected potential victims to pages resembling legitimate Microsoft 365 login pages and asked them to enter their credentials.

​Cybercriminals using ONNX have been particularly effective in carrying out their attacks as the phishing kits help bypass two-factor authentication (2FA) by intercepting 2FA requests. They also use bulletproof hosting services that delay phishing domains' takedowns and encrypted JavaScript code that decrypts itself during page load, adding an extra layer of obfuscation to evade detection by anti-phishing scanners. (Sergiu Gatlan / Bleeping Computer)

Related: Microsoft, The Record, PCMag, Dark Reading, Computer Weekly, Cyberscoop

According to Amnesty International, a Thai civil court dismissed a high-profile lawsuit filed by a prominent Thai activist, Jatupat Boonpattararaksa, allegedly targeted with powerful spyware manufactured by the NSO Group.

The activist sued the surveillance technology company for allegedly “failing to prevent him” from being targeted with spyware.

Jatupat was sentenced to two-and-a-half years in prison in 2017 for criticizing the Thai monarchy. Thailand is considered to be an autocratic regime.

The lawsuit alleged that NSO Group facilitated his targeting and violated his and the other Thai activists’ rights. According to the press release, he sought 2,500,000 Thai baht ($72,129) in damages, along with access to the data taken from his device and its deletion from the spyware firm’s database.

The court dismissed the case, saying there was insufficient evidence to prove his device was infected.

The case was considered a potentially landmark challenge to NSO, which manufactures a powerful zero-click spyware known as Pegasus. Pegasus has been found on scores of devices belonging to human rights activists, journalists, and opposition politicians worldwide.

An NSO spokesperson said that it welcomes the court’s decision “reaffirming the lack of evidence to support the claims against our company.” (Suzanne Smalley / The Record)

Related: Amnesty International, Associated Press

Sen. Mark R. Warner (D-VA), chairman of the Senate Intelligence Committee and a former telecom venture capitalist, said the Chinese government espionage campaign by a group known as Salt Typhoon, which has deeply penetrated more than a dozen US telecommunications companies, is the “worst telecom hack in our nation’s history—by far.”

The hackers have been able to listen in on audio calls in real-time and have, in some cases, moved from one telecom network to another, exploiting relationships of “trust,” said Waner, who added that intruders are still in the networks.

Though fewer than 150 victims have been identified and notified by the FBI — most of them in the D.C. region, the records of people those individuals have called or sent text messages to run into the “millions,” he said, “and that number could go up dramatically.”

Those records could provide further information to help the Chinese identify other people whose devices they want to target, he said. “My hair’s on fire,” Warner said. (Ellen Nakashima / The Washington Post)

Related: Reuters

Several lawmakers have asked the Federal Communications Commission to launch a formal proceeding to reform the key law that governs wiretapping procedures in the wake of an unprecedented Chinese intrusion by Salt Typhoon into US telecommunications companies.

The breaches were first reported in October and have called into question the security frameworks governed by the Communications Assistance for Law Enforcement Act (CALEA). CALEA requires carriers to engineer their systems to allow law enforcement authorities and the FBI to wiretap them for surveillance purposes.

“The FCC has the legal authority — right now it has the power — to set and enforce security standards,” Sen. Richard Blumenthal, D-Conn., said in a hearing on Chinese cyber threats. Previously, Sen. Ron Wyden, D-Ore., wrote a letter to agency chief Jessica Rosenworcel asking the commission to update CALEA law to mandate baseline cybersecurity standards.

“I’ve gotten some briefings on Salt Typhoon. And there are additional multi-layers of briefings on this, and I hope to be continuing to go deeper and deeper on that,” incoming FCC Chairman Brendan Carr told reporters Thursday on the sidelines of the open meeting.

“I don’t have a thought on that one at this point,” he said when asked about potential CALEA reform, adding that he plans to view the inquiries from Capitol Hill. “I’ll continue to get more in-depth briefings. I think I’ve had a pretty good level [of understanding], but I think there’s more that I need to dig down on there.” (David DiMolfetta / NextGov/FCW)

Related: Cyberscoop

Researchers at Palo Alto Networks say they have observed a “limited set of exploitation activity” related to two zero day vulnerabilities in PAN-OS, the operating system that runs on all of Palo Alto’s next-generation firewalls. 

The company said it has observed exploitation of the two bugs, including CVE-2024-0012, which allows an attacker with network access to the management web interface to gain administrator privileges. The second bug tracked as CVE-2024-9474, allows an attacker to perform actions on the compromised firewall with higher root privileges.

When these vulnerabilities are used together, an attacker can remotely plant malicious code on affected firewalls with the highest possible privileges, allowing deeper access to a company’s network.

Palo Alto Networks says attackers are now using their own functional exploit to chain the two flaws together to target a “limited number of device management web interfaces” exposed to the internet.

According to the Shadowserver Foundation, a nonprofit organization that scans and monitors the internet for vulnerability exploitation, hackers have already compromised over 2,000 affected Palo Alto Networks firewalls by leveraging the two recently patched flaws.

The nonprofit found that the highest number of compromised devices were in the United States, followed by India, where hackers also exploited firewalls across the United Kingdom, Australia, and China. (Carly Page / TechCrunch)

Related: Bleeping Computer, Security Affairs, CRN, Security Week, Cybernews

Mexico’s president Claudia Sheinbaum said that the government is investigating an alleged ransomware hack of her administration’s legal affairs office after what appeared to be samples of personal information from a database of government employees were posted online.

Cybernews said a group called Ransomhub had posted a sample of apparently hacked government files on the dark web. Ransomhub is reportedly giving the government 10 days to pay an undisclosed sum, or it will make public about 313 gigabytes of files.

Asked about the reported hacking, Sheinbaum said, “Today they are going to send me a report on the supposed hacking.” (Stefanie Schappert / Cybernews and Associated Press)

Related: Security Affairs, SC Media, Cyber Daily

Researchers at SentinelOne say the fraudulent North Korean IT worker scheme took on a new twist when it was reported that four companies disrupted by the US government on Oct. 10 were traced back to a broader network of front companies originating from China.

This new report stands out because of its link to China, the threat actors' ability to appear as fraudulent companies rather than personas, and the discovery of four previously unreported front companies.

DPRK actors are using front companies based in China, Russia, Southeast Asia, and Africa to manage payments and obscure their connection to the North Korean regime. (Steve Zurier / SC Media)

Related: Sentinel One, NK News, Help Net Security

ESET researchers discovered a new Linux backdoor called Wolfsbane, which is believed to be part of Windows malware used by the Chinese Gelsemium hacking group.

They say WolfsBane is a complete malware tool featuring a dropper, launcher, and backdoor. It also uses a modified open-source rootkit to evade detection.

The researchers also discovered FireWood, another Linux malware that appears linked to the Project Wood Windows malware.

However, FireWood is more likely a shared tool used by multiple Chinese APT groups rather than an exclusive/private tool created by Gelsemium.

ESET says the two malware families appearing on VirusTotal over the last year are part of a broader trend where APT groups increasingly target Linux platforms due to Windows security getting stronger. (Bill Toulas / Bleeping Computer)

Related: We Live Security, Dark Reading, Help Net Security

An online course known as The Real World, founded by far-right influencer Andrew Tate, was breached by hacktivists, revealing the email addresses of roughly 325,000 users.

The self-described university offers users “advanced training and mentoring” for around $50 per month. Formerly known as Hustler’s University, the platform focuses on health and fitness, financial investment, and e-commerce businesses.

The hackers made their actions known by flooding the course’s primary chatroom with emojis they uploaded while Tate was streaming an episode of his show “Emergency Meeting” on Rumble.

The emojis included a transgender flag, a feminist fist, an AI-generated image of Tate draped in a rainbow flag, another where his buttocks are enlarged, and the cat character used in the “boykisser” meme.

The hackers claimed that after accessing the data, they were able to leverage a vulnerability “to upload emojis, delete attachments, crash everyone’s clients, and temporarily ban people” from the platform.

The hackers provided the email addresses from the dump to HaveIBeenPwned, a service that alerts users when their credentials are leaked. Those email addresses and the chat data were also handed over to the journalism collective DDoSecrets, which hosts hacked and leaked data in the public interest. (Mikael Thalen / DailyDot)

Related: TechCrunch

Cloud security giant Wiz announced it is buying security remediation and risk management company Dazz in a cash-and-share deal that sources say is worth $450 million.

Dazz will continue to operate as a separate entity while it’s integrated into the larger company’s stack. (Ingrid Lunden / TechCrunch)

Related: Data Breach Today, Silicon Republic, Globes Online, Wiz Blog, SecurityWeek, CTech, Dark Reading, CRN, Techzine, Channel Futures, Greylock Partners, The Times of Israel

AI-powered third-party risk management Viso Trust announced it had raised $24 million in a venture funding round.

Backers included existing investors Bain Capital Ventures, Work-Bench, Sierra Ventures, and Lytical Ventures, and new investors, Allstate Strategic Ventures, Cisco Investments, EnvisionX Capital, and Scale Asia Ventures. (FinSMEs)

Related: Dark Reading, Pulse 2.0

Best Thing of the Day: This is Why CISA Is a National Treasure

The Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team assessment (RTA) at the request of a critical infrastructure organization and was able to compromise the domain and SBSs of the organization because it lacked sufficient controls to detect and respond to their activities.

Worst Thing of the Day: Jesus Would Just Say No

 A small chapel in the Swiss city of Lucerne installed an artificial intelligence-powered Jesus called Deus in Machina, capable of speaking in 100 different languages

Closing Thought