A coalition of international law enforcement agencies say they have disrupted the operations of two prolific infostealers that stole the sensitive data of millions of people.
The Dutch National Police, who led the so-called “Operation Magnus” takedown, reports it gained “full access” to the servers used by the Redline and Meta infostealers.
Infostealers are a type of malware specifically designed to extract sensitive information, such as passwords, credit card data, search histories, and the contents of cryptocurrency wallets, from an infected system.
Meta is a relatively new infostealer, though Operation Magnus notes: “We gained full access to all Redline and Meta servers. Did you know they were actually pretty much the same?”
In a video posted to the website on Monday, the agencies say they were able to access the usernames, passwords, IP addresses, timestamps and registration dates, along with the source code for both infostealers, and the Telegram bots used by the operators of the malware.
The agencies also teased a list of usernames belonging to “VIP” — or “very important to the police” — users of the Redline and Meta infostealers. It’s not yet clear if any arrests have been made as part of the operation, but the website claims that “legal actions are underway.”
Operation Magnus, which was supported by the U.S. Federal Bureau of Investigation and the U.K.’s National Crime Agency, was announced on a newly created website outing the Redline and Meta operations. Simone van Wordragen, a spokesperson for the Dutch National Police, told TechCrunch that it will release more information about the takedown on Tuesday.
A similar takedown approach was taken during the recent operation targeting LockBit, which saw police take control of the ransomware gang’s dark web leak site to post details of the operation.
Russian, Chinese, and Iranian state-backed hackers have been active throughout the 2024 United States campaign season, compromising digital accounts associated with political campaigns, spreading disinformation, and probing election systems. But in a report from early October, the threat-sharing and coordination group known as the Election Infrastructure ISAC warned that cybercriminals like ransomware attackers pose a far greater risk of launching disruptive attacks than foreign espionage actors.
While state-backed actors were emboldened following Russia’s meddling in the 2016 US presidential election, the report points out that they favor intelligence-gathering and influence operations rather than disruptive attacks, which would be viewed as direct hostility against the US government. Ideologically and financially motivated actors, on the other hand, generally aim to cause disruption with hacks like ransomware or DDoS attacks.
The document was first obtained by the national security transparency nonprofit Property of the People and viewed by WIRED. The US Department of Homeland Security, which contributed to the report and distributed it, did not return WIRED’s requests for comment. The Center for Internet Security, which runs the Election Infrastructure ISAC, declined to comment.
“Since the 2022 midterm elections, financially and ideologically motivated cyber criminals have targeted US state and local government entity networks that manage or support election processes,” the alert states. “In some cases, successful ransomware attacks and a distributed denial-of-service (DDoS) attack on such infrastructure delayed election-related operations in the affected state or locality but did not compromise the integrity of voting processes … Nation-state-affiliated cyber actors have not attempted to disrupt US elections infrastructure, despite reconnaissance and occasionally acquiring access to non-voting infrastructure.”
According to DHS statistics highlighted in the report, 95 percent of “cyber threats to elections” were unsuccessful attempts by unknown actors. Two percent were unsuccessful attempts by known actors, and 3 percent were successful attempts “to gain access or cause disruption.” The report emphasizes that threat intelligence sharing and collaboration between local, state, and federal authorities help prevent breaches and mitigate the fallout of successful attacks.
In general, government-backed hackers may stoke geopolitical tension by conducting particularly aggressive digital espionage, but their activity isn’t inherently escalatory so long as they are abiding by espionage norms. Criminal hackers are bound by no such restrictions, though they can call too much attention to themselves if their attacks are too disruptive and risk a law enforcement crackdown.
We’re almost at the end of 2024, a year that will go down as having seen some of the biggest, most damaging data breaches in recent history. And just when you think that some of these hacks can’t get any worse, they do.
From huge stores of customers’ personal information getting scraped, stolen and posted online, to reams of medical data covering most people in the United States getting stolen, the worst data breaches of 2024 have together surpassed 1 billion stolen records, and the count is still rising. These breaches not only affect the individuals whose data was irretrievably exposed, but also embolden the criminals who profit from their malicious cyberattacks.
Travel with us to the not-so-distant past to look at how some of the biggest security incidents of 2024 went down, their impact and, in some cases, how they could have been stopped.
AT&T’s data breaches affect “nearly all” of its customers, and many more non-customers
For AT&T, 2024 has been a very bad year for data security. The telecoms giant confirmed not one, but two separate data breaches just months apart.
Although the stolen AT&T data isn’t public (and one report suggests AT&T paid a ransom for the hackers to delete the stolen data) and the data itself does not contain the contents of calls or text messages, the “metadata” still reveals who called whom and when, and in some cases the data can be used to infer approximate locations. Worse, the data includes phone numbers of non-customers who were called by AT&T customers during that time. That data becoming public could be dangerous for higher-risk individuals, such as domestic abuse survivors.
That was AT&T’s second data breach this year. Earlier in March, a data breach broker dumped online a full cache of 73 million customer records to a known cybercrime forum for anyone to see, some three years after a much smaller sample was teased online.
But it wasn’t until a security researcher discovered that the exposed data contained encrypted passcodes used for accessing a customer’s AT&T account that the telecoms giant took action. The security researcher told TechCrunch at the time that the encrypted passcodes could be easily unscrambled, putting some 7.6 million existing AT&T customer accounts at risk of hijacks. AT&T force-reset its customers’ account passcodes after TechCrunch alerted the company to the researcher’s findings.
The lengthy downtime caused by the cyberattack dragged on for weeks, causing widespread outages at hospitals, pharmacies and healthcare practices across the United States. But the aftermath of the data breach has yet to be fully realized, though the consequences for those affected are likely to be irreversible. UnitedHealth says the stolen data, a copy of which it paid the hackers to obtain, includes the personal, medical and billing information on a “substantial proportion” of people in the United States.
UnitedHealth has yet to attach a number to how many individuals were affected by the breach. The health giant’s chief executive, Andrew Witty, told lawmakers that the breach may affect around one-third of Americans, and potentially more. For now, it’s a question of just how many hundreds of millions of people in the U.S. are affected.
Synnovis ransomware attack sparked widespread outages at hospitals across London
A June cyberattack on U.K. pathology lab Synnovis — a blood and tissue testing lab for hospitals and health services across the U.K. capital — caused ongoing widespread disruption to patient services for weeks. The local National Health Service trusts that rely on the lab postponed thousands of operations and procedures following the hack, prompting the declaration of a critical incident across the U.K. health sector.
A Russia-based ransomware gang was blamed for the cyberattack, which saw the theft of data related to some 300 million patient interactions dating back a “significant number” of years. Much like the data breach at Change Healthcare, the ramifications for those affected are likely to be significant and life-lasting.
One of the NHS trusts that runs five hospitals across London affected by the outages reportedly failed to meet the data security standards as required by the U.K. health service in the years that ran up to the June cyberattack on Synnovis.
Ticketmaster had an alleged 560 million records stolen in the Snowflake hack
A series of data thefts from cloud data giant Snowflake quickly snowballed into one of the biggest breaches of the year, thanks to the vast amounts of data stolen from its corporate customers.
Cencora notifies over a million and counting that it lost their data:
U.S. pharma giant Cencora disclosed a February data breach involving the compromise of patients’ health data, information that Cencora obtained through its partnerships with drug makers. Cencora has steadfastly refused to say how many people are affected, but a count by TechCrunch shows well over a million people have been notified so far. Cencora says it’s served more than 18 million patients to date.
MediSecure data breach affects half of Australia:
Close to 13 million people in Australia — roughly half of the country’s population — had personal and health data stolen in a ransomware attack on prescriptions provider MediSecure in April. MediSecure, which distributed prescriptions for most Australians until late 2023, declared insolvency soon after the mass theft of customer data.
Kaiser shared health data on millions of patients with advertisers:
U.S. health insurance giant Kaiser disclosed a data breach in April after inadvertently sharing the private health information of 13.4 million patients, specifically website search terms about diagnoses and medications, with tech companies and advertisers. Kaiser said it used their tracking code for website analytics. The health insurance provider disclosed the incident in the wake of several other telehealth startups, like Cerebral, Monument and Tempest, admitting they too shared data with advertisers.
USPS shared postal address with tech giants, too:
And then it was the turn of the U.S. Postal Service, which was caught sharing postal addresses of logged-in users with advertisers like Meta, LinkedIn and Snap, using a similar tracking code provided by the companies. USPS removed the tracking code from its website after TechCrunch notified the postal service in July of the improper data sharing, but the agency wouldn’t say how many individuals had data collected. USPS had over 62 million Informed Delivery users as of March 2024.
Evolve Bank data breach affected fintech and startup customers:
A ransomware attack targeting Evolve Bank saw the personal information of more than 7.6 million people stolen by cybercriminals in July. Evolve is a banking-as-a-service giant serving mostly fintech companies and startups, like Affirm and Mercury. As a result, many of the individuals notified of the data breach had never heard of Evolve Bank, let alone had a relationship with the firm, prior to its cyberattack.
National Public Data goes broke after millions of SSNs stolen
The company behind the data broker National Public Data filed for Chapter 11 bankruptcy protection in October, months after a massive data breach exposed some three billion records affecting around 270 million individuals, according to various analyses by security researchers. The data broker allowed its paying customers access to its vast databases of names, dates of birth, email and postal addresses, phone numbers, and Social Security numbers (even if not all of the data was accurate). The company said it had to file for bankruptcy as it can no longer generate the revenue to address the deluge of class-action lawsuits and mounting liability from state and federal regulators.
First published on June 28 and updated on October 14.
Marriott International is being taken to task after the hotel chain suffered multiple data breaches that exposed sensitive information for more than 344 million customers around the world. First, Marriott agreed to a settlement of with a group of 50 US attorneys general. According to Connecticut Attorney General William Tong, 131.5 million hotel customers in the states had their information compromised in the attacks on the hotels.
Second, a settlement with the Federal Trade Commission will require Marriott and its Starwood Hotels & Resorts subsidiary to implement a new information security system to protect against future data exposures. The FTC agreement includes measures such as data minimization, account review tools for its loyalty rewards programs and a link for guests to request deletion of their personal information.
Today’s settlements center on three separate data breaches at Marriott and Starwood between 2014 and 2020 that allowed malicious actors to access passport information, payment card numbers, loyalty numbers, dates of birth, email addresses and other personal information. But cybersecurity issues have been an ongoing concern for these two businesses over the past decade. Hackers used “social engineering techniques” to access an employee computer and steal about . Marriott was also part of a larger attack in 2019. Starwood was victim of discovered in 2018; the company faced a fine of about in the UK for that incident.
Three weeks later, on Friday, Apple released the first update to macOS 15, and it claims to have fixed those issues. In the macOS 15.0.1 release notes, Apple says that the update “improves compatibility with third-party security software.”
Apple flagged the update in an email to TechCrunch on Thursday, and a spokesperson did not respond to a follow-up asking for more information.
Patrick Wardle, the founder of macOS and iOS security startup DoubleYou, and a longtime expert on Apple security and the developer of several free security tools for macOS, wrote on X that the macOS update includes “a fix for the networking issues that plagued the initial macOS 15 release.”
“And to any Apple apologist who blamed 3rd-party vendors, you deserve to be slapped with a large trout as this was an Apple bug reported before [golden master],” Wardle wrote, referring to the first public release of the macOS 15 software.
When Apple first released macOS 15, several cybersecurity professionals said they were unable to use some security tools, such as CrowdStrike’s Falcon and Microsoft Defender, because of an apparent bug in the new macOS operating system.
At the time, CrowdStrike spokesperson Kevin Benacci said that the company was “waiting for a macOS Sequoia update” to provide official support for its cybersecurity products on Apple’s operating system.
Ugur Koc, a developer who works as a cloud engineer for cloud managed service provider Glueckkanja, said on X that the new macOS update “resolves the issue with [Microsoft] Defender for Endpoint and other antivirus software, where the network filter was causing issues with the internet connectivity.”
Neither CrowdStrike nor Microsoft responded to a request for comment.
After exploiting a vulnerability or misconfiguration, the exploit code downloads the main payload from a server, which, in most cases, has been hacked by the attacker and converted into a channel for distributing the malware anonymously. An attack that targeted the researchers’ honeypot named the payload httpd. Once executed, the file copies itself from memory to a new location in the /tmp directory, runs the copy, and then terminates the original process and deletes the downloaded binary.
Once moved to the /tmp directory, the file executes under a different name, which mimics the name of a known Linux process. The file hosted on the honeypot was named sh. From there, the file establishes a local command-and-control process and attempts to gain root system rights by exploiting CVE-2021-4043, a privilege-escalation vulnerability that was patched in 2021 in Gpac, a widely used open source multimedia framework.
The malware goes on to copy itself from memory to a handful of other disk locations, once again using names that appear as routine system files. The malware then drops a rootkit, a host of popular Linux utilities that have been modified to serve as rootkits, and the miner. In some cases, the malware also installs software for “proxy-jacking,” the term for surreptitiously routing traffic through the infected machine so the true origin of the data isn’t revealed.
The researchers continued:
As part of its command-and-control operation, the malware opens a Unix socket, creates two directories under the /tmp directory, and stores data there that influences its operation. This data includes host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information. Additionally, the malware uses environment variables to store data that further affects its execution and behavior.
All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts. The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system.
By extrapolating data such as the number of Linux servers connected to the internet across various services and applications, as tracked by services such as Shodan and Censys, the researchers estimate that the number of machines infected by Perfctl is measured in the thousands. They say that the pool of vulnerable machines—meaning those that have yet to install the patch for CVE-2023-33426 or contain a vulnerable misconfiguration—is in the millions. The researchers have yet to measure the amount of cryptocurrency the malicious miners have generated.
People who want to determine if their device has been targeted or infected by Perfctl should look for indicators of compromise included in Thursday’s post. They should also be on the lookout for unusual spikes in CPU usage or sudden system slowdowns, particularly if they occur during idle times. Thursday’s report also provides steps for preventing infections in the first place.
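Two of the behaviours described above lend themselves to a simple host check: binaries that execute from /tmp (or have been unlinked after launch) under names borrowed from system processes, and Unix sockets bound under temporary directories. The script below is an added example, not code from the Aqua report or the Ars article, and it knows nothing of the report’s actual indicators of compromise. The process names, directories and sample data are constructed assumptions; the `read_live_procs` helper shows how the same heuristic would be fed from a real Linux /proc.

```python
"""Added example (not from the Aqua report or the Ars article): heuristics for
two Perfctl behaviours described in the text, run against constructed data."""
import re
from dataclasses import dataclass

# Assumption: names the text says the malware borrows from legitimate processes;
# a practitioner would extend this from the report's own IOCs.
MASQUERADE_NAMES = {"sh", "httpd", "sshd", "crond", "bash", "perfctl"}
# Directories a genuine system binary is expected to resolve from.
TRUSTED_EXE_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                    "/usr/lib/", "/usr/libexec/")
# Writable staging locations the text describes the malware copying itself into.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Proc:
    pid: int
    comm: str   # contents of /proc/<pid>/comm
    exe: str    # readlink of /proc/<pid>/exe; " (deleted)" suffix if unlinked


def suspicious_procs(procs):
    """Return (pid, reason) for processes executing from a temp directory or
    from a binary deleted after launch, noting when the name mimics a system
    process."""
    findings = []
    for p in procs:
        if p.exe.startswith(TRUSTED_EXE_DIRS):
            continue
        in_tmp = p.exe.startswith(SUSPECT_DIRS)
        deleted = p.exe.endswith("(deleted)")
        if in_tmp or deleted:
            reason = f"{p.comm} executing from {p.exe}"
            if p.comm in MASQUERADE_NAMES:
                reason += " (name mimics a system process)"
            findings.append((p.pid, reason))
    return findings


# /proc/net/unix columns: Num RefCount Protocol Flags Type St Inode Path
UNIX_LINE = re.compile(
    r"^\S+:\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(\d+)\s*(\S*)$")


def tmp_unix_sockets(proc_net_unix_text):
    """Return paths of bound Unix sockets under temp directories, parsed from
    the text of /proc/net/unix (header line skipped, unbound sockets ignored)."""
    paths = []
    for line in proc_net_unix_text.splitlines()[1:]:
        m = UNIX_LINE.match(line)
        if m and m.group(2).startswith(SUSPECT_DIRS):
            paths.append(m.group(2))
    return paths


def read_live_procs():
    """Collect Proc records from a live Linux /proc (needs root to read every
    exe link; processes that vanish mid-scan are skipped)."""
    import os
    out = []
    for d in os.listdir("/proc"):
        if not d.isdigit():
            continue
        try:
            with open(f"/proc/{d}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{d}/exe")
        except OSError:
            continue
        out.append(Proc(int(d), comm, exe))
    return out


# Constructed sample data, not a real capture.
SAMPLE_PROCS = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),
    Proc(812, "sshd", "/usr/sbin/sshd"),
    Proc(4471, "sh", "/tmp/.xdiag/sh"),
    Proc(4502, "httpd", "/tmp/httpd (deleted)"),
]
SAMPLE_PROC_NET_UNIX = """Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12345 /run/systemd/journal/stdout
0000000000000000: 00000002 00000000 00010000 0001 01 23456 /tmp/.xdiag/sock
0000000000000000: 00000003 00000000 00000000 0001 03 34567
"""

if __name__ == "__main__":
    for pid, why in suspicious_procs(SAMPLE_PROCS):
        print(f"[!] pid {pid}: {why}")
    for path in tmp_unix_sockets(SAMPLE_PROC_NET_UNIX):
        print(f"[!] Unix socket bound in temp dir: {path}")
```

On a live host, replace `SAMPLE_PROCS` with `read_live_procs()` and read `/proc/net/unix` directly. The check is deliberately narrow: legitimate software sometimes runs from /tmp, so treat a hit as a lead to confirm against the report’s indicators rather than as proof of infection.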
Even those of you who do everything you can to secure those secrets can find yourself vulnerable—especially if you’re using a YubiKey 5 authentication token. The multifactor authentication devices can be cloned thanks to a cryptographic flaw that can’t be patched. The company has rolled out some mitigation measures—and the attack itself is relatively difficult to pull off. But it may be time to invest in a new dongle.
That’s not all, folks. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
At the end of August, cybercriminals from the ransomware group RansomHub appear to have hacked into the systems of Planned Parenthood’s Montana branch. The organization this week confirmed it had suffered from a “cybersecurity incident” on August 28 and said its staff immediately took parts of its network offline, reporting the incident to law enforcement.
Days after the incident took place, RansomHub claimed to be behind the attack, posting Planned Parenthood on its leak website. The criminal group said it would publish 93 GB of data. It is unclear what, if anything, the ransomware group has obtained, but Planned Parenthood clinics can hold a huge array of highly sensitive data about patients, including information on abortion appointments. (Around 400,000 Planned Parenthood patients in Los Angeles were impacted following a similar ransomware incident in 2021.)
In recent months, RansomHub has emerged as one of the most active ransomware-as-a-service groups, following the law enforcement disruption of LockBit. According to an FBI and Cybersecurity and Infrastructure Security Agency alert at the end of August, the group is “efficient and successful” and has stolen data from at least 210 victims since it formed in February. “The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims,” the alert said.
The Nigeria-based scammers known as the Yahoo Boys run almost every scam in the playbook—from romance scams to pretending to be FBI agents. Yet there’s little more devious than the increase in sextortion cases linked to the West African scammers. This week, Nigerian brothers Samuel Ogoshi and Samson Ogoshi were sentenced to more than 17 years in US jail for running sextortion scams, following their extradition earlier this year. It is the first time Nigerian scammers have been prosecuted for sextortion in the US, the BBC reported.
The Ogoshi brothers, who pleaded guilty in April, have been linked to the death of 17-year-old Jordan DeMay, who took his life six hours after he started talking to the scammers, who posed as a girl, on Instagram. The teenager had been duped into sending the brothers explicit images, and after he had done so, they threatened to post the images online unless he paid them hundreds of dollars. US prosecutors said the brothers sexually exploited and extorted more than 100 victims, with at least 11 of them being minors. There has been a huge spike in sextortion cases in recent years.
In June, the US Commerce Department banned the sale of Kaspersky’s antivirus tools over national security concerns about its links to the Russian government. (Kaspersky has, for years, denied connections). The firm later fired its workers and said it was closing its US business. This week, cybersecurity company Pango Group announced it is purchasing Kaspersky Lab’s US antivirus customers, according to Axios. This equates to around 1 million customers, who will be transitioned to Pango’s antivirus software Ultra AV. Ahead of the Kaspersky deal, parent company Aura also announced it was spinning out Pango Group into its own business. Pango’s president said customers would not need to take any action and that it would allow subscribers to continue to receive updates after September 29, when Kaspersky updates will stop.
For years, the EU has been trying to introduce new child protection laws that would require private chats to be scanned for child sexual abuse material—something that would potentially undermine encrypted messaging apps that provide everyday privacy to billions of people. The plans have been highly controversial and were shelved earlier this year. However, the proposed law, which has been dubbed “chat control,” reappeared in legislators’ in-trays this week. The Council of the EU, which is currently chaired by Hungary, wants to pass legislation by October, but reports say strong resistance to the plans still remains.
X announced today that it is rolling out support for passkeys on its Android app. The social media platform formerly known as Twitter introduced this security option for iOS users in January, then in April.
Passkeys started to take off as an option from tech companies and online services last year. We have a detailed , but in short, this approach to protecting an account creates a digital authentication credential. It’s a stronger alternative to passwords, which can be guessed or stolen. Even have been moving to offer a passkey option for customers.
For X users, you’ll still need a password in order to create an account. But once you’re in the app, you’ll need to click through some menu options to a passkey. It’s listed under “Additional password protection” in the Security tab.
Thousands of electronic lockers found in gyms, offices, and schools could be vulnerable to attacks by criminals using cheap hacking tools to access administrator keys, according to new research.
At the Defcon security conference on Sunday, security researchers Dennis Giese and “braelynn” demonstrated a proof-of-concept attack showing how digital management keys could be extracted from lockers, copied, and then used to open other lockers in the same location. The researchers focused on various models of electronic locks from two of the world’s biggest manufacturers, Digilock and Schulte-Schlagbaum.
Over the past few years, the researchers, who both have backgrounds in lock picking, have been examining various electronic locks that use numerical keypads, allowing people to set and open them with a PIN. The work comes on the back of various examples of hotel door locks being found to be hackable, vulnerabilities in high-security locks, and commercial safes being alleged to have backdoors.
For the research, Giese and braelynn purchased electronic locks on eBay, snapping up those sold after some gyms closed during the Covid-19 pandemic and from other failed projects. Giese focused on Digilock, while braelynn looked at Schulte-Schlagbaum. Over the course of the research, they looked at legacy models from Digilock dating from 2015 to 2022 and models from Schulte-Schlagbaum from 2015 to 2020. (They also purchased some physical management keys for Digilock systems.)
Showing how security flaws could be abused by a prepared hacker, the researchers say they can take the electronic lock apart, then extract the device’s firmware and stored data. This data, Giese says, can contain PINs that have been set, management keys, and programming keys. The manager key ID can be copied to a Flipper Zero or cheap Arduino circuit board and used to open other lockers, Giese says.
“If you access one lock, we can open all of them in whatever the unit is—the whole university, the whole company,” Giese says. “We can clone and emulate keys very easily, and the tools aren’t that complicated.” Whoever owns the lockers manages them, Giese says.
Ahead of developing this proof-of-concept attack, Giese says, it took some time and effort to understand how the locker systems function. They took the locks apart and used cheap debugging tools to access the devices’ electrically erasable programmable read-only memory, known as EEPROM. Often, in the locks they tested, this was not secured, allowing data to be pulled from the system.
“From the EEPROM, we can pull out the programming key ID, all manager key IDs, and the user PIN/ User RFID UID,” Giese says. “Newer locks erase the set user PIN when the locker is unlocked. But the PIN remains if the locker was opened with a manager key/programming key.”
The researchers say they reported the findings to both impacted companies, adding they had spoken to Digilock about the findings. Digilock tells WIRED it has issued a fix for vulnerabilities found. The researchers say Schulte-Schlagbaum did not respond to their reports; the company did not respond to WIRED’s request for comment.
A person claiming to be a student in Singapore publicly posted documentation showing lax security in a widely popular school mobile device management service called Mobile Guardian, weeks before a cyberattack on the company resulted in the mass-wiping of student devices and widespread disruption.
In an email with TechCrunch, the student — who declined to provide his name citing fear of legal retaliation — said he reported the bug to the Singaporean government by email in late May but could not be sure that the bug was ever fixed. The Singaporean government told TechCrunch that the bug was fixed prior to Mobile Guardian’s cyberattack on August 4, but the student said that the bug was so easy to find and trivial for an unsophisticated attacker to exploit, that he fears there are more vulnerabilities of similar exploitability.
The U.K.-based Mobile Guardian, which provides student device management software in thousands of schools around the world, disclosed the breach on August 4 and shut down its platform to block the malicious access, but not before the intruder used their access to remotely wipe thousands of student devices.
A day later, the student published details of the vulnerability he had previously sent to the Singaporean Ministry of Education, a major customer of Mobile Guardian since 2020.
In a Reddit post, the student said the security bug he found in Mobile Guardian granted any signed-in user “super admin” access to the company’s user management system. With that access, the student said, a malicious person could perform actions that are reserved for school administrators, including the ability to “reset every person’s personal learning device,” he said.
The student wrote that he reported the issue to the Singaporean education ministry on May 30. Three weeks later, the ministry responded to the student saying the flaw is “no longer a concern,” but declined to share any further details with him, citing “commercial sensitivity,” according to the email seen by TechCrunch.
When reached by TechCrunch, the ministry confirmed it had received word of the bug from the security researcher, and that “the vulnerability had been picked up as part of an earlier security screening, and had already been patched,” as per spokesperson Christopher Lee.
“We also confirmed that the disclosed exploit was no longer workable after the patch. In June, an independent certified penetration tester conducted a further assessment, and no such vulnerability was detected,” said the spokesperson.
“Nevertheless, we are mindful that cyber threats can evolve quickly and new vulnerabilities discovered,” the spokesperson said, adding that the ministry “regards such vulnerability disclosures seriously and will investigate them thoroughly.”
Bug exploitable in anyone’s browser
The student described the bug to TechCrunch as a client-side privilege escalation vulnerability, which allowed anyone on the internet to create a new Mobile Guardian user account with an extremely high level of system access using only the tools in their web browser. This was because Mobile Guardian’s servers were allegedly not performing the proper authorization checks and instead trusted the values sent by the user’s browser.
The bug meant that the server could be tricked into accepting the higher level of system access for a user’s account by modifying the network traffic in the browser.
TechCrunch was provided a video — recorded on May 30, the day of disclosure — demonstrating how the bug works. The video shows the user creating a “super admin” account using only the browser’s in-built tools to modify the network traffic containing the user’s role to elevate that account’s access from “admin” to “super admin.”
The video showed the server accepting the modified network request, and when logged in as that newly created “super admin” user account, granted access to a dashboard displaying lists of Mobile Guardian enrolled schools.
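The flaw as described is a textbook case of a server taking an authorization attribute from the request body. The following is an added illustration, not Mobile Guardian’s code: a minimal user-creation handler that stores whatever role the browser sends, beside one that decides the role server-side from the already-authenticated caller. The role names, request shape and `Caller`/`UserStore` types are assumptions for the example; the tampered sign-up body mirrors the kind of edit the student is described as making in the browser’s developer tools.

```python
"""Added example (not Mobile Guardian's code): trusting a client-supplied role
versus deriving it from the server-side session."""
from dataclasses import dataclass, field

# Assumed role hierarchy, lowest privilege first.
ROLES = ("user", "admin", "super_admin")


@dataclass
class Caller:
    """The authenticated principal behind the request, as known to the server."""
    username: str
    role: str


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)   # username -> granted role


class Forbidden(Exception):
    pass


def create_user_vulnerable(store, caller, body):
    """Stores body["role"] exactly as the browser sent it. The caller is never
    consulted, so an anonymous sign-up whose request was edited in the browser
    from "admin" to "super_admin" is accepted verbatim."""
    granted = body.get("role", "user")
    store.users[body["username"]] = granted
    return granted


def create_user_fixed(store, caller, body):
    """Authorization comes from the server-side session, never from the body:
    anonymous self-registration always yields the lowest role, and an
    authenticated caller can grant at most their own role."""
    requested = body.get("role", "user")
    if requested not in ROLES:
        raise Forbidden("unknown role")
    if caller is None:
        granted = "user"                 # ignore any role an anonymous client sends
    elif ROLES.index(requested) > ROLES.index(caller.role):
        raise Forbidden(f"{caller.role} cannot grant {requested}")
    else:
        granted = requested
    store.users[body["username"]] = granted
    return granted


# Constructed request body: a self-registration whose role field was edited
# in the browser before the request was sent.
TAMPERED_SIGNUP = {"username": "mallory", "role": "super_admin"}

if __name__ == "__main__":
    print("vulnerable:", create_user_vulnerable(UserStore(), None, TAMPERED_SIGNUP))
    print("fixed:     ", create_user_fixed(UserStore(), None, TAMPERED_SIGNUP))
```

The general rule the fixed handler applies is that any field which changes what a principal may do (role, tenant, organisation, `is_admin`) is an output of the server’s authorization decision, not an input from the client; a client-side penetration tester will always try to resend the request with that field edited, and a browser’s own developer tools are enough to do it.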
Mobile Guardian CEO Patrick Lawson did not respond to multiple requests for comment prior to publication, including questions about the student’s vulnerability report and whether the company fixed the bug.
After we contacted Lawson, the company updated its statement as follows: “Internal and third party investigations into previous vulnerabilities of the Mobile Guardian Platform are confirmed to have been resolved and no longer pose a risk.” The statement did not say when the previous flaws were resolved nor did the statement explicitly rule out a link between the previous flaws and its August cyberattack.
This is the second security incident to beset Mobile Guardian this year. In April, the Singaporean education ministry confirmed the company’s management portal had been hacked and the personal information of parents and school staff from hundreds of schools across Singapore compromised. The ministry attributed the breach to Mobile Guardian’s lax password policy, rather than a vulnerability in its systems.