The crosswalk is talking to me man!, don't block my website without due process, Florida is demanding encryption backdoors, attacking boilers and banning HackRF Ones, time to update your flipper zero, using AI to create working exploits, what happens when you combine an RP2350 and an ESP32? Hopefully good hackery things!, more evidence that patching is not enough, auditing the PHP source code, reading the MEGA advisories, threat actors lie about data breaches (you don't say?), the data breach that Hertz, CISA warns of ransomware, some can't get Ahold of data breaches, please don't let people take control of your PC over Zoom and Paul's hot takes on: 4chan hack, the CVE program, and Microsoft Recall!
Identiverse 2025 is returning to Las Vegas, June 3-6. Hear from 250+ expert speakers and connect with 3,000+ identity security professionals across four days of keynotes, breakout sessions, and deep dives into the latest identity security trends. Plus, take part in hands-on workshops and explore the brand-new Non-Human Identity Pavilion. Register now and save 25% with code IDV25-SecurityWeekly at https://www.securityweekly.com/IDV2025
Paul Asadoorian
- Mitigating ELUSIVE COMET Zoom remote control attacks
- VulnCheck – Outpace Adversaries
- The Windows Registry Adventure #6: Kernel-mode objects
- GNOME’s Help Browser Affected By A Serious Security Issue For Arbitrary File Reads – Phoronix
- Incomplete NVIDIA Patch to CVE-2024-0132 Exposes AI Infrastructure and Data to Critical Risks
More evidence that patching is not enough: "Further research, however, uncovered that the patch was incomplete. While analyzing the patch in October 2024, we identified a related performance flaw affecting Docker on Linux. These issues could enable attackers to escape container isolation, access sensitive host resources, and cause severe operational disruptions."
- Security audit of PHP-SRC
I was expecting to read about more high-severity vulnerabilities; however, many of the PHP native vulnerabilities and misconfigurations have been remediated some time ago. Summary:
"During the time frame of the security audit, Quarkslab has discovered several security issues and vulnerabilities, among which: 2 security issues considered as high severity; 6 security issues considered as medium severity; 9 security issues considered as low severity; 10 issues considered informative."
Pretty neat to see this level of testing on widely used OSS.
- T-Pico-2350 is a fully integrated devkit with Raspberry Pi RP2350, ESP32-C6, 2.33-inch color touchscreen display, and HDMI video output – CNX Software
I am excited to see what we can build with a RP2350 and an ESP32 on the same board. Should be interesting. I ordered one!
- That groan you hear is users’ reaction to Recall going back into Windows
We can't trust Microsoft or anyone using Windows once Recall is rolled out: "First, even if User A never opts in to Recall, they have no control over the setting on the machines of Users B through Z. That means anything User A sends them will be screenshotted, processed with optical character recognition and Copilot AI, and then stored in an indexed database on the other users’ devices. That would indiscriminately hoover up all kinds of User A's sensitive material, including photos, passwords, medical conditions, and encrypted videos and messages." - I am just baffled as to why MS is pushing this feature that seemingly NO ONE wants?
- Funding Expires for Key Cyber Vulnerability Database
It is important to maintain a CVE program for, well, reasons:
- We need a standard identifier and a program to track vulnerabilities across the globe - otherwise we get into the malware and threat actor naming debacle
- The CVE, or any similar program, has to be run by an entity with as little bias as possible. This eliminates any private entity (or entities) from having control over the CVE program in any way. There are already backwards incentives.
- While there are many problems with the current CVE system, including the fact that the US government funds it, it is better than 1) not having one, or 2) everyone trying to create their own standard (oh, we have 6 standards, but there are problems with each of them, so let's create a 7th standard, and so on).
- Infamous message board 4chan taken down following major hack
Well, there you have it: "While those who claimed the attack didn't share how they gained access to 4chan's systems, some said the forum was likely breached because it used a severely outdated PHP version from 2016, unpatched against many security vulnerabilities that could've been exploited in the attack." - There is also a pretty cool 4chan documentary on Netflix: The Antisocial Network: Memes to Mayhem (https://www.netflix.com/title/81456528)
- GitHub – ProDefense/CVE-2025-32433: CVE-2025-32433 https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2
This is the exploit for the SSH Erlang vulnerability
- How I Used AI to Create a Working Exploit for CVE-2025-32433 Before Public PoCs Existed
Several things to explore in this article:
- Erlang is an interesting language, and is used in telecommunications gear and other popular applications (e.g., WhatsApp).
- There is a vulnerability that allows for RCE in SSH as implemented in Erlang, CVSS 10.0
- Some folks were posting that the exploit was pretty easy to create
- Then someone, who likely stated "Hold my beer", did this: "GPT-4 not only understood the CVE description, but it also figured out what commit introduced the fix, compared that to the older code, found the diff, located the vuln, and even wrote a proof of concept. When it didn't work? It debugged it and fixed it too."
This is so awesome!
- Attacking My Landlord’s Boiler – videah’s blog
Great work! The author used a HackRF to emulate the signals for the thermostat so he could control it remotely. Good example of how to do this as you may be doing some hardware/RF hacking and need to do this. However, I was upset to read this: "And then I say haddd because, writing this months later, AliExpress has removed pretty much every listing you could find just searching "HackRF". From my understanding, they were getting nabbed at customs in a lot of countries that were getting pissy about importing a scawy hacking tool, so they just decided to nuke all the listings rather than deal with it. Newer clones can be bought from here, but they aren't nearly as cheap as they used to be... " - This is where I got my HackRF for a significant discount. Glad I got one, but bummer that this has been removed. This sort of "ban" is just silly as it doesn't really protect anyone from harm (hackers still gonna hack, and criminals are still going to commit crimes, and likely more crimes to buy things that are now more expensive). What does it accomplish? If you want to learn things you won't be able to buy gear like this for cheap. Sucks for students and people on a budget. It should not be this way.
- Florida draft law mandating encryption backdoors for social media accounts billed ‘dangerous and dumb’
We need smart laws, not dumb ones: "the digital rights group Electronic Frontier Foundation criticized the bill, arguing that encryption is the “best tool we have to protect our communications online,” and that passing the law would likely result in companies removing encryption for minors and making those users less safe. “The idea that Florida can ‘protect’ minors by making them less safe is dangerous and dumb,” wrote the EFF."
- Release 1.3.4 · flipperdevices/flipperzero-firmware
Time to update! It will take a bit of time before 3rd-party firmware distros pick up these changes, most notably:
- NFC: Improvements for FeliCa, MIFARE DESFire and MIFARE Classic support; various minor fixes
- BLE: Improved support for custom profiles and advertising modes
- Sub-GHz, LF RFID: Support for new protocols
Oh, and this one is HUGE:
- Dolphin: New animations; check out to see your dolphin doing parkour and more
I so hate the dolphin and it was a glorious day when I found firmware that disabled it LOL.
- Tales of Too Many RMMs
Wow, people really love RMM tools: " Huntress has observed incidents where multiple RMM tools were in legitimate use, sometimes by multiple vendors or service providers. In these incidents, the time it takes to determine the scope of the incident is extended, as such tools often require identification, then retrieval of and detailed examination of individual log files to determine “normal” usage." Also, attackers love them too (well, attackers are people too, I suppose): "The threat actor moved laterally between the endpoints via RDP, and within minutes of accessing the reported endpoint, installed the Chrome Remote Desktop Host, RustDesk, and AnyDesk, all in rapid succession." For defenders:
- Agree upon a universal standard for RMM tools and pair them with a PAM, even if that means selecting an MSP that follows your policies
- Tell your EDR to eat RMM tools, especially on critical devices (Except for the one that you use and have configured securely, e.g. PAM)
- Tie remote access back to a single authenticator (e.g. Active Directory) and use MFA
- Don't allow single passwords and unencrypted RMM protocols
- Block all RMM traffic other than what you need
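As an added example (not Huntress's code or anything from the article), this is the kind of check that "tell your EDR to eat RMM tools" and "block all RMM traffic other than what you need" boil down to on the detection side: scan process-creation telemetry for known RMM binaries, flag any that are not the one sanctioned tool, and flag a host where several different agents show up within minutes, which is the pattern quoted above. The binary-name table, the choice of ScreenConnect as the approved tool, the 15-minute window and the event lines are all constructed assumptions for this example.

```python
from datetime import datetime, timedelta

# Executable basenames of common RMM / remote-access agents, lower-cased.
# Constructed list for this example; extend it from your own application inventory.
RMM_BINARIES = {
    "remoting_host.exe": "Chrome Remote Desktop",
    "rustdesk.exe": "RustDesk",
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
}

# The single sanctioned tool (assumption for this example) and the window in
# which several different agents appearing on one host counts as a burst.
APPROVED_RMM = {"ConnectWise ScreenConnect"}
BURST_WINDOW = timedelta(minutes=15)

# Constructed process-creation events (timestamp,host,event,image); not real telemetry.
SAMPLE_EVENTS = r"""
2025-04-20T13:01:10Z,WS-17,ProcessCreate,C:\Windows\System32\svchost.exe
2025-04-20T13:02:42Z,WS-17,ProcessCreate,C:\Program Files (x86)\Google\Chrome Remote Desktop\remoting_host.exe
2025-04-20T13:03:05Z,WS-17,ProcessCreate,C:\Program Files\RustDesk\rustdesk.exe
2025-04-20T13:03:51Z,WS-17,ProcessCreate,C:\Program Files (x86)\AnyDesk\AnyDesk.exe
2025-04-20T13:30:00Z,SRV-02,ProcessCreate,C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe
2025-04-20T14:10:00Z,WS-05,ProcessCreate,C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe
2025-04-20T17:45:00Z,WS-05,ProcessCreate,C:\Users\bob\Downloads\AnyDesk.exe
"""


def parse_events(text):
    """Parse the CSV-style lines into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, image = line.split(",", 3)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "kind": kind,
            "image": image,
        })
    return sorted(events, key=lambda e: e["ts"])


def rmm_product(image):
    """Map an image path to an RMM product name, or None if it is not one."""
    basename = image.rsplit("\\", 1)[-1].lower()
    return RMM_BINARIES.get(basename)


def find_rmm_findings(events, approved=APPROVED_RMM, window=BURST_WINDOW):
    """Return (host, finding_type, detail) tuples for unapproved agents and bursts."""
    findings = []
    flagged = set()      # (host, product) already reported as unapproved
    launches = {}        # host -> [(ts, product), ...] for every RMM launch
    for e in events:
        if e["kind"] != "ProcessCreate":
            continue
        product = rmm_product(e["image"])
        if product is None:
            continue
        if product not in approved and (e["host"], product) not in flagged:
            findings.append((e["host"], "unapproved_rmm", product))
            flagged.add((e["host"], product))
        launches.setdefault(e["host"], []).append((e["ts"], product))

    # Burst: the largest set of distinct products seen on one host inside the window.
    for host, seen in launches.items():
        best = set()
        for ts, _ in seen:
            in_window = {p for t, p in seen if ts - window <= t <= ts}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= 2:
            findings.append((host, "rmm_burst", ", ".join(sorted(best))))
    return findings


if __name__ == "__main__":
    for host, kind, detail in find_rmm_findings(parse_events(SAMPLE_EVENTS)):
        print(f"{host:7} {kind:15} {detail}")
```

On the constructed data, WS-17 produces three unapproved-agent findings plus one burst listing all three products, WS-05 gets a single unapproved AnyDesk finding (the sanctioned ScreenConnect install hours earlier is ignored), and SRV-02 produces nothing. The same logic transfers to Sysmon event ID 1 or Windows 4688 data once you replace the constructed lines with your own export.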
- Who Reads Mega-advisories? No one! (Almost)
So yea, I read some of them. Though Jericho runs through how there can be minor discrepancies in the data and you'd really have to pay attention and do some research to find them. Thankfully, Jericho walks us through it. This is what we're dealing with: "The advisory I am using for this example is “DSA-2025-116: Security Update for Dell Unity, Dell UnityVSA and Dell Unity XT Security Update for Multiple Vulnerabilities“. If you aren’t familiar with the products, Dell EMC Unity is part of Dell EMC’s “mid-range storage array product lines”. There we go, a storage array! So we have an appliance that is running a LAMP (Linux, Apache, MySQL, Perl/PHP/Python) stack which means it will need constant updates to remain secure. This fully explains a single Dell advisory (DSA-2025-116) covering over 700 vulnerabilities. Of those, only 16 of which are in Dell’s code while the rest are in third-party software used by the appliance." A couple of things:
- I do like to see this type of advisory as it tells me the vendor is paying attention to supply chain security (e.g., NetApp releases these on a regular basis)
- Vendors use A LOT of open-source software, which requires updates. The good ones are actually keeping up with the updates, but it's striking to me just how much OSS is used in (insert any large vendor here) products. Not all keep up.
- The vulnerabilities that matter most in these situations deal with running services that listen on an exposed port. We need a better way to tag and categorize vulnerabilities that are associated with 1) A running process (not just a binary) and 2) a running process that listens on a socket.
- Of course, this model falls down when we get to firmware and bootloaders that run once when the system is booted, then lay dormant until the next reboot. I like to see vendors patch these things too, but that gets more complicated as 1) if you mess up the bootloader you can hose the system and 2) The (big vendor) may procure the hardware and firmware from another supplier and whether or not the firmware/UEFI/BIOS gets updated is a crap shoot
The point being: this stuff is complex, and if you are relying on simple metrics and every-once-in-a-while patching processes you will be pwned.
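An added example (not from the article or from Dell) of the tagging argued for above: take a list of advisory findings for installed packages, join it against the processes that are actually running and the sockets they listen on, and sort by exposure tier before CVSS. The `ss -tlnp` output, the pid-to-package map and the placeholder finding ids are constructed for this example; on a real host you would generate them from `ss -tlnp`, `/proc/<pid>/exe` and the package manager (`dpkg -S` or `rpm -qf`).

```python
import re

# Constructed `ss -tlnp` output; not captured from a real host.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    *:443               *:*               users:(("apache2",pid=1201,fd=4),("apache2",pid=1202,fd=4))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=990,fd=21))
"""

# Constructed inventory of running processes: pid -> owning package.
RUNNING = {812: "openssh-server", 1201: "apache2", 1202: "apache2",
           990: "mysql-server", 1500: "cron"}

# Constructed advisory findings: (package, placeholder id, CVSS). The ids are
# labels for this example, not CVE numbers. libxml2 is installed but has no process.
FINDINGS = [
    ("mysql-server",   "finding-B", 9.8),
    ("libxml2",        "finding-D", 9.1),
    ("cron",           "finding-C", 8.8),
    ("apache2",        "finding-A", 7.5),
    ("openssh-server", "finding-E", 5.3),
]

# Exposure tiers, most urgent first.
TIER_ORDER = {"exposed_listener": 0, "loopback_listener": 1,
              "running": 2, "installed_only": 3}


def parse_listeners(ss_text):
    """Return {pid: [(local_addr, port), ...]} for every LISTEN socket in ss output."""
    listeners = {}
    for line in ss_text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        for _name, pid in re.findall(r'\("([^"]+)",pid=(\d+),fd=\d+\)', line):
            listeners.setdefault(int(pid), []).append((addr, int(port)))
    return listeners


def is_loopback(addr):
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def exposure_tier(package, running, listeners):
    """Classify a package by what its processes are doing right now."""
    pids = [pid for pid, pkg in running.items() if pkg == package]
    if not pids:
        return "installed_only"
    sockets = [s for pid in pids for s in listeners.get(pid, [])]
    if not sockets:
        return "running"
    if all(is_loopback(addr) for addr, _ in sockets):
        return "loopback_listener"
    return "exposed_listener"


def prioritize(findings, running=RUNNING, ss_text=SS_OUTPUT):
    """Return (id, package, tier, cvss) rows ordered by exposure tier, then CVSS."""
    listeners = parse_listeners(ss_text)
    rows = [(fid, pkg, exposure_tier(pkg, running, listeners), cvss)
            for pkg, fid, cvss in findings]
    return sorted(rows, key=lambda r: (TIER_ORDER[r[2]], -r[3]))


if __name__ == "__main__":
    for fid, pkg, tier, cvss in prioritize(FINDINGS):
        print(f"{fid:10} {pkg:15} {tier:18} CVSS {cvss}")
```

Sorting by CVSS alone would put the 9.8 on mysql-server and the 9.1 on libxml2 first; with the tiers applied, the 7.5 in apache2 (listening on all interfaces) and the 5.3 in sshd come out on top, the loopback-only MySQL listener next, then the running-but-not-listening cron, and the library with no process at all last. This is the "running process that listens on a socket" tag from the point above made mechanical; it deliberately does not handle shared libraries loaded into a listening process or the firmware case, which the next point explains is harder.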
- Not everything in a data leak is real
In the category of "trust but verify": can you believe that threat actors lie? No way! As with any finding, it's important to verify all the data. Threat actors often will fake at least some of the data in a leak; according to the article these are the reasons why: "To make the leak look better, To confuse the people investigating, To cause more trouble (making the company look worse)" - Agree? More reasons? Do we just use AI to validate the data? (joking).
Bill Swearingen
- Hacking US crosswalks to talk like Zuck is as easy as 1234
Remember the crosswalk hack? Here's how it was probably done. A freely downloadable service app and poorly secured equipment with documented default credentials. SHOCKING! It seems like they have pulled the software from the stores, but you can still download it from https://apkpure.com/polara-field-service/com.polara.eng.polarafieldservice
- How to stay on Windows 10 instead of installing Linux
Happy with Windows 10, but your perfectly capable PC doesn't meet the requirements to run Windows 11? Don't panic. You don't need to buy fresh hardware, or switch to Linux.
- Fast charging technologies in detail
How to quickly charge your smartphone: fast charging technologies in detail
- This blog is hosted on a Nintendo Wii
While browsing the NetBSD website recently, I noticed the fact that there was a ‘Wii’ option listed right there on the front page in the ‘Install Media’ section, nestled right next to the other first-class targets like the Raspberry Pi, and generic x86 machines.
Unlike the other outdated and unmaintained examples above, clicking through to the NetBSD Wii port takes you to the latest stable NetBSD 10.1 release from Dec 2024. Even the daily HEAD builds are composed for the Wii.
As soon as I discovered this was fully supported and maintained, I knew I had to try deploying an actual production workload on it. That workload is the blog you’re reading now.
- PiLiDAR – DIY 360° 3D Panorama Scanner
Build a DIY Lidar scanner powered by raspberrypi!
- Android phones will soon reboot themselves after sitting unused for 3 days
A silent update rolling out to virtually all Android devices will make your phone more secure, and all you have to do is not touch it for a few days. The new feature implements auto-restart of a locked device, which will make your personal data harder to extract. It's coming as part of a Google Play Services update, though, so there's nothing you can do to speed along the process.
Jeff Man
- US Data Breach Victim Count Surges 26% Annually
The good news - the number of reported breaches is down. Bad news - the number of people impacted has gone up.
Do you ever wonder if anything we do makes a difference?
- More than 100,000 had information stolen from Hertz through Cleo file share tool
Dang it - I am a Hertz Gold customer (not that I rent cars all that much anymore). I wonder why I haven't received any notice. Oh, and the cause of the breach is a zero-day vulnerability in the Cleo file sharing platform.
"The information stolen includes contact information, payment card information, driver’s licenses and information related to worker’s compensation claims. Others had Social Security numbers, government IDs, passports, Medicare or Medicaid ID, or injury-related information associated with vehicle accident claims leaked through the hack."
- CISA warns of ransomware gangs exploiting Cleo, CyberPanel bugs
Information on the aforementioned zero-day found in Cleo. 9.8 Critical. We know that because CVE is still funded.
- Lemonade attributes data breach to technical issue in auto insurance quote system
The article states, "Insurtech firm Lemonade Inc. disclosed that a technical issue within its auto insurance quoting system led to a data breach that inadvertently exposed the driver’s license numbers of approximately 190,000 insurance applicants."
Which means they discovered a vulnerability and fixed it. "Exposed" means they don't have any evidence of an actual breach or compromise -just exposure.
So is this really a data breach?
- Ahold Delhaize confirms data stolen after threat group claims credit for November attack
Who says lightning doesn't strike twice? Ahold companies were victims of the Alberto Gonzalez hacking group back in the early 00's. (Which means they had credit cards stolen...enter PCI).
They don't really go into details but say that their ecommerce systems were impacted.
- Cyber attack downs systems at Marks & Spencer
Another retailer managing a cyber incident which impacted ”contactless payments and online click-and-collect services". Hmmm.....
- Ransomware Group Claims Hacking of Oregon Regulator After Data Breach Denial
"A ransomware group claims to have stolen a significant amount of files from a regulatory agency in Oregon after the organization said it had no evidence of a data breach." Why would they be able to detect a breach? They're a typical under-funded, under-staffed critical infrastructure organization.
- Legends International notifies customers, employees of data breach
"While extensive details of the attack were not released, the company told the Texas Office of the Attorney General that the compromised information includes the following: dates of birth, Social Security numbers, driver’s license and government ID numbers, and payment card, medical, and health insurance information." It's a banner week for companies subject to PCI security.
Lee Neely
- Microsoft SFI update: Five of 28 security objectives nearly complete
Microsoft’s most recent Secure Future Initiative (SFI) Progress Report details steps the company has taken toward "improv[ing] the security posture of Microsoft, [their] customers, and the industry at large." Of the 28 objectives identified at SFI’s outset nearly a year-and-a-half ago, five are nearly complete and significant progress has been made on 11 more. The accomplishments recognized in the report include the launch of a Secure by Design Toolkit for Microsoft developers that has been deployed to 22,000 employees; phishing-resistant multi-factor authentication is being used on 92 percent of employee productivity accounts and 100 percent of production system accounts; and "90% of identity tokens from Microsoft Entra ID for Microsoft apps are validated using one standard identity SDK."
- ASUS Confirms Critical Flaw in AiCloud Routers; Users Urged to Update Firmware
ASUS has released firmware updates to address a critical authentication bypass flaw affecting routers with the AiCloud remote access feature enabled. The "vulnerability can be triggered by a crafted request, potentially leading to unauthorized execution of functions." ASUS has released firmware updates for the 3.0.0.4382, 3.0.0.4386, 3.0.0.4388 and 3.0.0.6102 series. CVE-2025-2492, improper authentication control, CVSS score 9.2, can be triggered by an unauthenticated user. The fix is to apply the firmware update and make sure that you're both using strong, unique passwords and limiting access to the admin interface. If you're on an EOL ASUS product, there is no update; you should replace it. Until you do, disable internet-facing services (AiCloud, WAN Internet access, port forwarding, DDNS, VPN Server, DMZ, port triggering, and FTP). https://www.asus.com/content/asus-product-security-advisory/#Latestsecurityupdates
- Company apologizes after AI support agent invents policy that causes user uproar
The AI chatbot for AI-powered code editor Cursor appears to have invented a policy that upset some users enough to cancel their subscriptions with the service. Last week, a developer using Cursor noticed that switching between devices immediately logged those devices out. The developer contacted Cursor support by email and received a reply from an “agent” named Sam saying that the logouts were "expected behavior" under a new company policy. However, the agent was a bot, and Cursor has no such policy. Cursor has apologized for the incident and says that "any AI responses used for email support are now clearly labeled as such."
More and more auto-response services are leveraging AI to provide an improved customer experience in an attempt to reduce reliance on humans. Unfortunately, AI hallucinations, which you may also see called confabulations, are a challenge, so you really need to monitor and train your responder carefully. Unlike the Air Canada issue from February 2024, Cursor acknowledged the issue and took steps to make amends.
- The Shadow AI Surge: Study Finds 50% of Workers Use Unapproved AI Tools
An October 2024 study by Software AG suggests that half of all employees are Shadow AI users, and most of them wouldn’t stop even if it was banned. This is third-party security in a different context. When sharing data between systems, the data owner has the responsibility to ensure the system extracting their data has an equivalent or higher security posture and verify it adheres to any relevant security standards, to include any privacy requirements. While the data owner has the onus to approve the sharing of data, to include how it is to be used, it's difficult to regulate the analysis and conclusions made from the provided data. As more unapproved AI sources are being discovered, take the opportunity to reinforce the need for these services to be vetted and approved as appropriate for protecting your data.
- Cisco Webex bug lets hackers gain code execution via meeting links
Cisco released updates to address a high-severity flaw in the custom URL parser of Cisco Webex App. The flaw "is due to insufficient input validation when Cisco Webex App processes a meeting invite link. An attacker could exploit this vulnerability by persuading a user to click a crafted meeting invite link and download arbitrary files. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the targeted user."
CVE-2025-20236, URL parser flaw, CVSS score 8.8, is another example of not validating input, reminding us that you need to do this comprehensively. If you're a Webex shop, you should have auto-updates set for the client. There are no workarounds; you need to update the client, regardless of configuration or OS. Consider that while version 44.6 has a fix, you really need to get to 44.8.
- Japan warns of hundreds of millions of dollars in unauthorized trades from hacked accounts
Japan’s Financial Services Agency (FSA) has published a warning regarding "a sharp increase in the number of cases of unauthorized access and unauthorized trading (trading by third parties) on Internet trading services using stolen customer information (login IDs, passwords, etc.) from fake websites (phishing sites) disguised as websites of real securities companies." Between February 1 and April 16 of this year, FSA recorded reports of 3,312 unauthorized accesses of securities firms resulting in 1,454 fraudulent transactions. In all, a dozen securities companies reported fraudulent transactions totaling $350 million in sales and $315 million in purchases.
As a customer, keep a sharp eye on your credentials associated with your finances, both financial institutions and investments. Make sure these are unique and strong, and any MFA capabilities are enabled and required. Make sure you've implemented available transaction monitoring/alerting. If you're a broker or other financial services provider, verify your MFA is comprehensively applied and that you've got automated credential breach monitoring, in addition to existing transaction limits and monitoring. Verify alerts are properly logged and responded to.
- Cybersecurity Firm CEO Charged with Installing Malware on a Hospital Computer
Police in Oklahoma City have arrested Jeffrey Bowie, charging him with two counts of violating Oklahoma’s Computer Crimes Act. Bowie, who is the CEO of a cybersecurity firm in Oklahoma, allegedly deliberately placed malware on a computer at SSM Health’s St. Anthony Hospital in August 2024. While Bowie maintained he needed to use the computer while a family member was undergoing surgery at the hospital, security camera footage revealed that he attempted to enter several offices in the hospital and used two computers, one of which was for employees only. A forensic investigation revealed "malware [on one of the computers that] was programmed to take screenshots every 20 seconds and transmit the images to an external IP address."
Note that the hospital was able to detect the malware in real-time, shut it down and launch an investigation. Beyond EDR, having external/environment monitoring, such as security cameras, is valuable for investigations.
- Florida’s New Social Media Bill Says the Quiet Part Out Loud and Demands an Encryption Backdoor
Draft bill SB 868, "Social Media Use by Minors," has passed committee votes and will soon reach the Florida State Senate floor, amending existing law to include an obligation by social media platforms "to provide a mechanism to decrypt end-to-end encryption when law enforcement obtains a subpoena," as well as opening minor account holders' messages to their parents and guardians, and prohibiting minors' use and access to disappearing message features. The Electronic Frontier Foundation urges senators to reject the bill, stating in concert with other advocates that by weakening encrypted privacy these changes further endanger those the bill aims to protect. This bill follows similar legislative initiatives in the UK and EU to break end-to-end-encrypted communication on behalf of law enforcement. The EFF notes that there are other forensic approaches which can be used without requiring decryption or weakened security. Sadly, until we get legal precedent, initiatives such as this will continue to arise.
- FBI: Scammers pose as FBI IC3 employees to ‘help’ recover lost funds
The FBI has published a public service announcement warning of scammers pretending to be FBI Internet Crime Complaint Center (IC3) employees. "Between December 2023 and February 2025, the FBI received more than 100 reports of IC3 impersonation scams." The scammers have reached out to victims, who have already lost money to scammers, in a variety of ways: phone calls, email, social media, or online forums. They then claim "to have recovered the victim's lost funds or offered to assist in recovering funds," but instead gain access to the victims’ account information and steal from them again. https://www.ic3.gov/PSA/2025/PSA250418
Mandy Logan
- AI hallucinations lead to a new cyber threat: Slopsquatting
Cybersecurity researchers are warning of a new type of supply chain attack, Slopsquatting, induced by a hallucinating generative AI model recommending non-existent dependencies. According to the researchers, threat actors can register hallucinated packages and distribute malicious code using them.
“If a single hallucinated package becomes widely recommended by AI tools, and an attacker has registered that name, the potential for widespread compromise is real,” according to a Socket analysis of the research. “And given that many developers trust the output of AI tools without rigorous validation, the window of opportunity is wide open.”
Researchers found CodeLlama (hallucinating in over a third of outputs) to be the worst offender, and GPT-4 Turbo (just 3.59% hallucinations) to be the best performer.
- We Have a Package for You! A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs
Ensemble defense: combining RAG, self-refinement, and fine-tuning in an ensemble reduced hallucinations by 89% for models like DeepSeek Coder 6.7B and CodeLlama 7B. For cybersecurity teams, prioritizing RAG integration into CI/CD pipelines and auditing tools is essential to block adversarial exploits like typosquatting or poisoned package uploads. Self-refinement adds a lightweight secondary check, while fine-tuning remains a high-risk/high-reward option for organizations with robust validation workflows.
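As an added example (not code from the researchers or from Socket), here is the minimal gate the two items above argue for on the consuming side: before an AI-suggested dependency goes into a manifest, normalise the name, confirm it exists in a registry snapshot, check that it is not one or two edits away from a well-known package, and treat very new, rarely downloaded names as suspect rather than installing them. The registry snapshot, the thresholds and the suggested package list are constructed assumptions; `requets` and `torch-cuda-utils` are names made up for this example, not real findings, and the dates and download counts are illustrative.

```python
import re
from datetime import date

# Constructed registry snapshot: normalised name -> first release date, 30-day downloads.
# Build the real thing from index metadata; these entries and numbers are illustrative only.
REGISTRY = {
    "requests":         {"first_release": date(2011, 2, 14), "downloads_30d": 600_000_000},
    "pyyaml":           {"first_release": date(2006, 5, 22), "downloads_30d": 400_000_000},
    "huggingface-hub":  {"first_release": date(2020, 12, 1), "downloads_30d": 60_000_000},
    "requets":          {"first_release": date(2025, 4, 1),  "downloads_30d": 40},   # made-up name
    "torch-cuda-utils": {"first_release": date(2025, 4, 10), "downloads_30d": 12},   # made-up name
}

# Thresholds are assumptions for this example; tune them to your own risk appetite.
POPULARITY_FLOOR = 1_000_000   # downloads/30d above which a package is "well-known"
MIN_AGE_DAYS = 90              # younger than this and barely downloaded -> suspect
MIN_DOWNLOADS = 1_000
MAX_EDIT_DISTANCE = 2          # closer than this to a well-known name -> possible squat

# Constructed list of dependencies an assistant might emit, requirements.txt style.
SUGGESTED = """
requests>=2.31
PyYAML
huggingface_hub==0.20.3
fastjsonparser      # not present in the snapshot at all
requets             # one edit away from requests
torch-cuda-utils    # registered days ago, almost no downloads
"""


def normalize(name):
    """PEP 503 normalisation so 'PyYAML' and 'huggingface_hub' match registry keys."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Edit distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet_dependency(name, registry=REGISTRY, today=date(2025, 4, 22)):
    """Return 'ok', 'unregistered', 'possible_typosquat:<target>' or 'new_low_adoption'."""
    n = normalize(name)
    meta = registry.get(n)
    if meta is None:
        return "unregistered"   # probably hallucinated: never pip install this blindly
    popular = {p for p, m in registry.items() if m["downloads_30d"] >= POPULARITY_FLOOR}
    if n in popular:
        return "ok"
    near = sorted(p for p in popular if levenshtein(n, p) <= MAX_EDIT_DISTANCE)
    if near:
        return "possible_typosquat:" + near[0]
    age_days = (today - meta["first_release"]).days
    if age_days < MIN_AGE_DAYS or meta["downloads_30d"] < MIN_DOWNLOADS:
        return "new_low_adoption"   # could be a freshly squatted hallucination
    return "ok"


def vet_requirements(lines, **kwargs):
    """Vet each requirement line; returns {name as written: verdict}."""
    results = {}
    for line in lines:
        spec = line.split("#", 1)[0].strip()
        if not spec:
            continue
        name = re.split(r"[<>=!~\[; ]", spec, maxsplit=1)[0]
        results[name] = vet_dependency(name, **kwargs)
    return results


if __name__ == "__main__":
    for name, verdict in vet_requirements(SUGGESTED.splitlines()).items():
        print(f"{name:20} {verdict}")
```

Run against the constructed list, the three established packages pass, `fastjsonparser` is rejected as unregistered, `requets` is flagged as a possible typosquat of `requests`, and `torch-cuda-utils` is held back as new and barely adopted. Wiring a check like this into CI is the cheap complement to the RAG and fine-tuning defenses measured in the paper: it catches the hallucinated name at the point where a developer would otherwise trust the tool's output without validation.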
Sam Bowne
- Tell Congress: No to Internet Blacklists
Congress is once again pushing dangerous website-blocking laws, including the Foreign Anti-Digital Piracy Act (FADPA). These bills would let copyright holders get court orders to block entire websites, without due process, based on nothing but a hollow promise not to abuse their new power.
- Microsoft Recall on Copilot+ PC: testing the security and privacy implications
The local storage is now encrypted, but only with a PIN. These users should make sure Recall is disabled:
- those in domestic violence and partner control situations
- journalists (and their confidential sources)
- minority at-risk groups, e.g. Uyghurs
- politically exposed persons
- companies, unless they’ve risk assessed the privacy implications
- people crossing borders into countries hostile to civil liberties, for example the United States of America
- Thieves took their iPhones. Apple won’t give their digital lives back.
Thieves have learned they can extract more value from one if they learn their victims’ passcodes. Once they have unlocked the stolen iPhone, the next step is often to change the password tied to a user’s Apple ID, making it harder to locate. And if a thief is thorough, they may create a "recovery key," disabling Apple’s usual account recovery process. Apple says “you’ll be locked out of your account permanently.”
- Elon Musk Cuts Funding for Internet Archive
The nonprofit was halfway through an NEH grant of $345,000 when its funding was abruptly cut. Fortunately, the Internet Archive has other independent streams of funding that will keep it afloat for now.
- To Make Language Models Work Better, Researchers Sidestep Language
By performing reasoning in "latent space," the stage of computation that merely works in weights and signal strengths without resolving the answer to words (tokens), reasoning models can run far more efficiently.
- New Okta Platform features help control surge of non-human identities
Most of the user identities in the modern workplace aren't human, and the number of NHIs is rapidly growing. Their passwords tend to not be regularly rotated, they often have more privileges than they need, they may not be adequately monitored, and they may not use multi-factor authentication (MFA). Even worse, a NHI can cause a very big mess if it's compromised, as it can give attackers a hidden, powerful way into a network.
Okta limits NHIs' duration of privileges and access to secrets, rotates secrets, and audits access logs.
- Monk Trapped in Fake Police Call, Loses Rs 2.5 Crore During 26-Day Virtual Arrest
The monk was virtually held hostage via video calls for nearly a month and manipulated into transferring Rs 2.52 crore to accounts spread across India.
- Ripple’s recommended XRP library xrpl.js hacked to steal wallets
The recommended Ripple cryptocurrency NPM JavaScript library named "xrpl.js" was compromised to steal XRP wallet seeds and private keys and transfer them to an attacker-controlled server, allowing threat actors to steal all the funds stored in the wallets. The malicious code appears to have been added by a developer account associated with the Ripple organization, likely through compromised credentials.
- Hacking US crosswalks to talk like Zuck is as easy as 1234
The hacked crosswalks all appear to come from a common source: Polara, America's leading manufacturer of pedestrian signal systems. They can be managed using the Polara Field Service app, which until recently was freely available on both the Google Play and Apple App Store. An attacker can connect to a nearby crosswalk system via Bluetooth, and the default passcode is 1234.
- Hackers abuse Zoom remote control feature for crypto-theft attacks
A hacking group dubbed 'Elusive Comet' targets cryptocurrency users in social engineering attacks that exploit Zoom's remote control feature to trick users into granting them access to their machines. After changing their screen name to "Zoom", the permission request says "Zoom is requesting remote control of your screen", very similar to normal permission boxes Zoom pops up in normal use, making it likely that the target will click "Approve."