Thai police blew up a Myanmar cyberscam compound
FCC blocks more Chinese-made devices, Hacking Team successor surfaces, Aisuru botnet overhauled to rent out IoT devices, Herodotus Android trojan mimics human behavior, Ad giant's subsidiary exposed data in cyber incident, CBP searches more devices than ever, ICE is becoming a spymaster, much more

Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.
If you're unable to commit to a subscription today, please consider donating whatever you can. Thank you!
Maj. Gen. Maitree Chupreecha, commander of the Thai regional army's Naresuan Task Force, said the number of people fleeing from Myanmar to Thailand after Myanmar’s military used explosives to shut down a major online scam center has slowed to a trickle after more than 1,500 had left in the past week following a military raid.
The KK Park site, identified by Thai officials and independent experts as housing a major cybercrime operation, was raided by Myanmar’s army in mid-October as part of operations starting in early September to suppress cross-border online scams and illegal gambling.
The center is located on the outskirts of Myawaddy, a significant trading town on the border across from the Thai city of Mae Sot. The Myawaddy area is only loosely under the control of Myanmar’s military government, and shares power there with an allied local militia of the Karen ethnic minority operating as a Border Guard Force.
Witnesses on the Thai side of the border reported hearing explosions and seeing smoke coming from the center over the past several nights, starting on Friday.
The Thai army’s Naresuan Task Force, which operates in Thailand’s northern region, said Monday that parts of KK Park were demolished by explosions carried out by Myanmar’s military and its Border Guard Force allies. Debris from the blasts caused damage to several houses on the Thai side of the border.
Those who fled Myanmar are mostly believed to have worked at the center, often under duress. The authorities in Thailand’s Tak province, who have set up temporary shelters for them, said they come from 28 countries, including Thailand. They are being processed to determine if they were victims of human trafficking and then can be repatriated to their home countries, which include India, China, the Philippines, Vietnam, Ethiopia, and Kenya.
Related: Reuters, Business Standard
The US Federal Communications Commission voted 3-0 to block new approvals for devices with parts from companies on its "Covered List" and to allow the agency to bar previously approved equipment in some instances.
"These present loopholes that bad actors could use to threaten the security of our networks," FCC Chair Brendan Carr said. "America's foreign adversaries are constantly looking for ways to exploit any vulnerabilities in our system."
The telecoms regulator previously named companies, including Huawei, ZTE, China Mobile, and China Telecom, to the so-called "Covered List," which bars the FCC from authorizing the import or sale of new equipment from those companies.
This month, Carr said major US online retail websites had removed several million listings for prohibited Chinese electronics as part of a crackdown by the agency.
The items removed were on the list or were not authorized by the agency, such as home security cameras and smart watches from companies including Huawei, Hangzhou Hikvision, ZTE, and Dahua Technology Co. (David Shepardson / Reuters)
Related: FCC, Global Times, PoliticoPro, TechInformed
Researchers from Kaspersky say they’ve unearthed a malware campaign they’re linking to the successor company of the infamous Italy-based surveillance tech firm Hacking Team, and at the same time discovered new commercial malware tied to the same firm.
The malware campaign that Kaspersky dubbed Operation ForumTroll targeted government organizations, media outlets, financial institutions, universities, research centers, and other organizations in Russia, with an apparent goal of conducting espionage. Kaspersky identified it as an advanced persistent threat campaign, a term generally applied to nation-state attackers.
Hacking Team was active from the early 2000s until 2019, when it was acquired and rebranded as Memento Labs. Kaspersky said that it detected a wave of malware infections in March that it traced back to 2022 and tied to Memento Labs.
While analyzing that malware, researchers found a previously undiscovered commercial spyware product developed by Memento Labs, known as “Dante,” according to Kaspersky.
Kaspersky said the malware infections occurred when victims clicked on personalized phishing links sent via email. The links were disguised as an invitation from the organizers of the Primakov Readings, an international scientific and expert forum on global politics and economics.
Memento chief executive Paolo Lezzi confirmed to TechCrunch that the spyware caught by Kaspersky does indeed belong to Memento.
In a call, Lezzi blamed one of the company’s government customers for exposing Dante, saying the customer used an outdated version of the Windows spyware that will no longer be supported by Memento by the end of this year. (Tim Starks / CyberScoop and Lorenzo Franceschi-Bicchierai / TechCrunch)
Related: Securelist, SC Media

Aisuru, the botnet responsible for a series of record-smashing distributed denial-of-service (DDoS) attacks this year, was recently overhauled to support a more low-key, lucrative, and sustainable business: renting hundreds of thousands of infected Internet of Things (IoT) devices to proxy services that help cybercriminals anonymize their traffic.
Experts say a glut of proxies from Aisuru and other sources is fueling large-scale data harvesting efforts tied to various artificial intelligence (AI) projects, helping content scrapers evade detection by routing their traffic through residential connections that appear to be regular Internet users.
“Multiple broadband access network operators have experienced significant operational impact due to outbound DDoS attacks in excess of 1.5Tb/sec launched from Aisuru botnet nodes residing on end-customer premises,” wrote Roland Dobbins, principal engineer at Netscout, in a recent executive summary on Aisuru. “Outbound/crossbound attack traffic exceeding 1Tb/sec from compromised customer premise equipment (CPE) devices has caused significant disruption to wireline and wireless broadband access networks. High-throughput attacks have caused chassis-based router line card failures.”
The incessant attacks from Aisuru have caught the attention of federal authorities in the United States and Europe (many of Aisuru’s victims are customers of ISPs and hosting providers based in Europe). Quite recently, some of the world’s largest ISPs have started informally sharing block lists identifying the rapidly shifting locations of the servers that the attackers use to control the activities of the botnet.
Experts say the Aisuru botmasters recently updated their malware so that compromised devices can more easily be rented to so-called “residential proxy” providers. These proxy services allow paying customers to route their Internet communications through someone else’s device, providing anonymity and the ability to appear as a regular Internet user in almost any major city worldwide. (Brian Krebs / Krebs on Security)
Related: Security Affairs, Security Week, Netscout
Researchers at Threat Fabric report that a new Android malware family, Herodotus, uses random delay injection in its input routines to mimic human behavior on mobile devices and evade timing-based detection by security software.
Herodotus, according to Threat Fabric, is offered as a malware-as-a-service (MaaS) to financially motivated cybercriminals, believed to be the same operators behind Brokewell.
Although the malware is still in development, clients of the new MaaS platform are currently deploying it against Italian and Brazilian users through SMS phishing (smishing) text messages.
The malicious SMS contains a link to a custom dropper that installs the primary payload and attempts to bypass Accessibility permission restrictions present in Android 13 and later. (Bill Toulas / Bleeping Computer)
Related: ThreatFabric, Security Affairs, The Register, Hot Hardware, The Record, BankInfoSecurity

Japanese advertising giant Dentsu has disclosed that its US-based subsidiary Merkle suffered a cybersecurity incident that exposed staff and client data.
The company states that the incident forced it to take certain systems offline as part of its response plan.
“We detected abnormal activity within part of the network of Merkle, a company leading the CXM (Customer Experience Management) area of our group’s overseas business,” reads Dentsu’s announcement.
“We immediately initiated our incident response procedures, proactively shut down certain systems as a precaution, and took swift measures to minimize the impact.”
The company says it reported the incident to relevant authorities in each impacted country, according to its legal obligations, without specifying the incident’s scope.
A report from DecisionMarketing says that Dentsu circulated a memo internally to inform staff that their bank and payroll details, salary, National Insurance numbers, and personal contact details had been exposed.
A Dentsu spokesperson confirmed that data had been stolen during the attack and that impacted individuals are in the process of being notified.
"A review of those files determined that they contained information relating to some clients, suppliers, and current and former employees," the company representative said.
The company has noted that its Japan-based network systems were not impacted, though the incident is expected to have “some financial impact” on the company.
Currently, the company's investigation is trying to determine the scale of the incident and its full impact. A third-party incident response service has been engaged to assist. (Bill Toulas / Bleeping Computer)
Related: Dentsu, Storyboard18, Mediapost, HR Grapevine, The Media Leader, Campaign, DecisionMarketing
Newly published figures from US Customs and Border Patrol show that over the past year, CBP staff searched more phones and electronic devices at the border than ever before, with the number of phone searches jumping by 17% over the past six months.
For the full fiscal year of 2025—running from October 2024 to the end of September 2025—border agents conducted around 55,424 searches of electronic devices. This is up from around the 47,000 searches that were completed during the government’s 2024 fiscal year.
Since the Trump administration took power in January, several travelers to the US have reported lengthy detentions or alleged they were denied entry because of messages on their phones. (Matt Burgess and Dell Cameron / Wired)
Related: CBP, WebProNews, Android Authority

US Immigration and Customs Enforcement (ICE) has been rapidly building out its surveillance capabilities with recent purchases, including an iris-scanning app that agents plan to use in the field, spyware that can hack into smartphones remotely, and cellphone location software that can enable the tracking of a phone’s movements without a court warrant.
“The acquisition and deployment of this technology in this environment is going to raise substantial concerns,” said John Sandweg, who was an acting director of ICE under the Obama administration.
In one contract that ICE signed last month for Clearview AI facial recognition software, the agency said in a filing that it would be used to investigate “assaults against law enforcement officers.” Other federal contracts show ICE has been expanding its fleet of small, remote-controlled drones, which it has said it is using to film protesters.
In early October, ICE also informed prospective vendors that it planned to set up a new social media monitoring hub to trawl platforms like Facebook, WhatsApp, and TikTok to collect information on targets. The document identifies undocumented immigrants who have committed serious crimes as the primary focus, but also deems domestic terrorism a top priority and says the contractor must be “flexible [about] shifting priorities.”
The blitz of surveillance purchases is motivated in large part by ICE’s intensive, nationwide campaign to find and deport undocumented immigrants. But documents show that some of the technology may also be used to target what the administration regards as anti-ICE extremist groups. (Eva Dou / Washington Post)

At-Bay, a provider of cyber insurance and a vendor of managed detection and response products, reports that organizations using Cisco and Citrix VPN devices were nearly seven times as likely to suffer a ransomware infection over a 15-month period.
For comparison, SonicWall VPN users clocked in at No. 2, at 5.8 times more likely to fall victim to ransomware; Palo Alto GlobalProtect VPN users were 5.5X, followed by Fortinet at 5.3X. "Additionally, businesses using an on-premise VPN of any kind were 3.7X more likely to fall victim to an attack than those using a cloud-based VPN or no VPN detected," according to the report.
These numbers reflect ransomware insurance claims made between January 2024 and March 2025, and the report's overall findings come from At-Bay's analysis of "more than 100,000 policy years of cyber claims data." While it doesn't say how many organizations this includes, the company has about 40,000 customers in the US.
The report notes that 80 percent of ransomware attacks against companies insured by At-Bay last year started with attackers using a remote access tool to gain access, and 83 percent of those cases involved a VPN device. (Jessica Lyons / The Register)

Indian automotive giant Tata Motors fixed a series of security flaws that exposed sensitive internal data, including personal information of customers, company reports, and data related to its dealers.
Security researcher Eaton Zveare said that he discovered the flaws in Tata Motors’ E-Dukaan unit, an e-commerce portal for buying spare parts for Tata-made commercial vehicles. Headquartered in Mumbai, Tata Motors produces passenger cars, as well as commercial and defense vehicles. The company has a presence in 125 countries worldwide and seven assembly facilities, per its website.
Zveare found that the portal’s web source code included the private keys to access and modify data within Tata Motors’ account on Amazon Web Services, the researcher said in a blog post.
The exposed data, Zveare told TechCrunch, included hundreds of thousands of invoices containing customer information, such as their names, mailing addresses, and permanent account number, or PAN, a ten-character unique identifier issued by the Indian government.
“Out of respect for not causing some type of alarm bell or massive egress bill at Tata Motors, there were no attempts to exfiltrate large amounts of data or download excessively large files,” the researcher said.
Shortly after discovering the issues, Zveare reported them to Tata Motors through the Indian computer emergency response team, known as CERT-In, in August 2023. Later in October 2023, Tata Motors told Zveare that it was working on fixing the AWS issues after securing the initial loopholes. However, the company did not say when the problems were fixed.
Tata Motors confirmed that all the reported flaws were fixed in 2023, but would not say if it had notified affected customers that their information was exposed. (Jagmeet Singh / TechCrunch)
Related: Outlook Business, The Financial Express
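The root cause Zveare describes, cloud credentials embedded in client-side source, is exactly what a pre-deploy secret scan over the built bundle is meant to catch. As an added example (not code from the page, the researcher, or Tata Motors), a minimal scanner for AWS key material in a front-end bundle; the bundle text is constructed and uses AWS's publicly documented example key pair rather than any real credential:

```python
import math
import re
from collections import Counter

# Constructed sample of a front-end JavaScript bundle in which build-time
# credentials were left behind. The key pair is AWS's documented example
# pair from its public docs, not a real credential.
SAMPLE_BUNDLE = """\
const api = "https://parts.example.invalid/api";
const s3 = new AWS.S3({
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  region: "ap-south-1"
});
const sessionTag = "AKIA-not-a-key";
"""

# Long-term (AKIA) and temporary (ASIA) access key IDs: prefix + 16 chars.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A 40-char secret assigned to a variable whose name says it is an AWS secret.
SECRET_KEY_RE = re.compile(
    r"""(?i)(?:aws_?secret(?:_?access)?_?key|secretAccessKey)"""
    r"""\s*[:=]\s*['"]([A-Za-z0-9/+=]{40})['"]"""
)


def shannon_entropy(s):
    """Bits per character; real secrets are high-entropy, placeholders are not."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def redact(value):
    """Keep just enough of a match to locate it without re-leaking it."""
    return value[:4] + "..." + value[-4:]


def scan_text(text, min_entropy=3.5):
    """Return (line, kind, redacted value) findings for leaked AWS credentials."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "value": redact(m.group(0))})
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            # Entropy gate drops obvious placeholders such as "xxxx...".
            if shannon_entropy(secret) >= min_entropy:
                findings.append({"line": lineno, "kind": "aws_secret_access_key",
                                 "value": redact(secret)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_BUNDLE):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

Running the same scan in CI against every built asset, and treating any finding as a failed build, turns this from a researcher's discovery into a routine control.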
In the wake of a high-profile breach, SK Telecom's CEO is expected to be replaced.
A communication industry insider said on the 29th, “I understand that the SK Group's control tower, the Suprex Pursuit Council, will hold a temporary meeting on the morning of the 30th and announce personnel decisions for the heads of group affiliates, including SK Telecom. It is reported that each affiliate will report the CEO appointment agenda to their board of directors on the 29th.”
Current CEO Ryu Young-sang is expected to step down, with Jung Jai-hun, SK Telecom's president in charge of external cooperation, emerging as a strong candidate. Ryu Young-sang will serve only as the ICT Committee Chairman of the Suprex Pursuit Council.
The president of SK Broadband, a subsidiary of SK Telecom, is also expected to be replaced. It is reported that Kim Sung-soo, Head of the Wired and Media Business Division, is being considered as the next president. Mr. Kim has overseen SK Broadband's media and wired business.
The telecommunications industry views the personnel change largely as an attempt to reset the mood following the SK Telecom hacking incident. In April, the personal information of 27 million subscribers was leaked, and the company's 40% share of the subscriber market also collapsed.
With the implementation of a customer compensation program worth 500 billion Korean won and an unprecedented measure to waive contract termination penalties, the securities industry forecasts that SK Telecom's third-quarter operating profit will decrease by more than 90% compared to the same period last year. (Kim Kang-han / The Chosun)
Related: Maeil Business Newspaper
To improve the security of users, Google will change Chrome’s default settings next year so that the browser will navigate only to websites that support HTTPS.
The ‘Always Use Secure Connections’ setting was introduced in Chrome in 2022, as an opt-in feature, and was turned on by default in Chrome 141 for a small percentage of users, for testing.
Starting October 2026, when Chrome 154 is projected to arrive, the ‘Always Use Secure Connections’ setting will be on by default for all users, for all public sites.
When encountering a site that does not use a secure connection, Chrome will display a warning and ask for the user’s explicit permission to navigate to it.
The use of HTTPS connections, Google explains, makes the browsing experience more secure for Chrome users, as it prevents attackers from hijacking the navigation.
“When links don’t use HTTPS, an attacker can hijack the navigation and force Chrome users to load arbitrary, attacker-controlled resources, and expose the user to malware, targeted exploitation, or social engineering attacks,” Google says.
Even websites that have adopted HTTPS may prove risky if they serve even a single HTTP connection. The user, Google says, may not notice the insecure connection if the site immediately redirects to HTTPS and Chrome does not display the ‘Not Secure’ URL warning. (Ionut Arghire / Security Week)
Related: Google Security Blog, WebProNews
ConductorOne, which has developed an AI-native identity security platform, announced it had raised $79 million in a Series B venture funding round.
Greycroft led the round with participation from strategic investor CrowdStrike Falcon Fund and existing investors Accel, Felicis Ventures, and others. (Alicia Park / Forbes)
Related: Business Wire, Silicon Florist
Best Thing of the Day: Nice Little Museum You Got There...
The Mob Museum in downtown Las Vegas opened a groundbreaking new exhibit called Digital Underworld that explores how organized crime has evolved from "street shakedowns" to "cyber shakedowns" in the digital age.
Bonus Best Thing of the Day: That Slays
Australia’s Federal Police (AFP) is working on an AI to interpret emojis and the slang used online by Generation Z and Generation Alpha, so it can understand them when they discuss crime online.
Worst Thing of the Day: Basically, Everyone in Germany Is Out of Date
Germany's BSI found that 92 percent of the nation's Exchange boxes are still running out-of-support software, a fortnight after Microsoft axed versions 2016 and 2019.
Closing Thought
