Connect with us

CyberSecurity

How a Windows Device ID Helped the FBI Trace a Scattered Spider Hacker to a Jewelry Heist

Published

on

Windows device ID

The Digital Trail That Led to an Arrest

Federal prosecutors have linked a suspected member of the notorious Scattered Spider hacking group to a brazen cyberattack on a luxury jewelry retailer — not through a flashy zero-day exploit or a sophisticated piece of malware, but through a persistent Windows device ID. The detail emerged from a newly unsealed complaint filed in U.S. district court.

The ID, a unique identifier tied to a specific Windows machine, allowed investigators to connect the dots between a breach that occurred in May 2025 and a 19-year-old suspect named Peter Stokes. According to the complaint, Microsoft records showed that the same device ID was used to maintain access to the retailer’s network after the initial intrusion.

From there, the trail led to online accounts prosecutors say belong to Stokes. It’s a reminder that in the world of cybercrime, even the most careful attackers can leave behind a breadcrumb that law enforcement can follow.

What Is a Windows Device ID and Why Does It Matter?

A Windows device ID, sometimes called a hardware ID or machine GUID, is a unique string generated by the operating system during installation. It’s not something most users ever see, but it’s embedded deep in the system and persists even after clean reinstallations if the hardware remains the same.

For investigators, that persistence is gold. Unlike IP addresses, which can be masked with VPNs or proxies, or browser fingerprints, which users can clear, a device ID is much harder to spoof. It ties a specific piece of hardware to a specific set of actions, creating a forensic link that’s difficult to break.

In this case, the ID didn’t just show up once. It was used repeatedly during the jewelry retailer intrusion, appearing in logs that tracked the attackers’ movements inside the network. That gave the FBI a stable anchor point to build their case.

The Breach: A Luxury Retailer’s Nightmare

The target was a high-end jewelry chain — the kind of store that sells pieces worth more than most people’s cars. The attackers, allegedly part of the Scattered Spider collective, gained initial access through a combination of social engineering and credential theft. Once inside, they moved laterally, escalated privileges, and planted backdoors to ensure they could return.

But they made a mistake. One of the machines they used to access the network was running a copy of Windows that reported a device ID back to Microsoft’s servers. That ID was later cross-referenced with account creation logs for cloud services, email providers, and even gaming platforms.

Prosecutors say the same ID appeared in records for accounts that Stokes controlled. It wasn’t the only piece of evidence, but it was a crucial one — the kind of technical detail that turns a circumstantial case into a direct one.

Who Is Peter Stokes?

Stokes, 19, is not a household name. But according to the complaint, he was an active participant in the Scattered Spider ecosystem — a loose network of hackers known for targeting large corporations, often through SIM-swapping and phishing. The group has been linked to high-profile breaches at Caesars Entertainment, MGM Resorts, and other major brands.

What sets Stokes apart is his age. At 19, he’s barely out of high school, yet the complaint describes a sophisticated operation involving stolen credentials, remote access tools, and cryptocurrency laundering. The case highlights a troubling trend: the average age of cybercriminals is dropping, and the tools they use are becoming more accessible.

How the FBI Pieced Together the Evidence

The investigation didn’t start with a device ID. It started with a call from the jewelry retailer’s IT team, who noticed unusual activity on their network after hours. The FBI’s cyber division took over, pulling logs from firewalls, servers, and endpoints.

Here’s what they found:

  • A series of login attempts from IP addresses linked to known proxy services.
  • Unusual file transfers during off-hours, including database exports and configuration files.
  • Evidence of a backdoor account created with administrative privileges.

But the real breakthrough came when investigators subpoenaed Microsoft for telemetry data. The Windows device ID appeared in the logs of the machine used to create the backdoor account. That ID was then matched to a Microsoft account that showed the same hardware fingerprint. From there, it was a short jump to email addresses, social media profiles, and finally, to Stokes.

The complaint unsealed this week is just the beginning. Stokes has not yet entered a plea, and his attorney has declined to comment. But the case is already being watched closely by cybersecurity professionals, who see it as a sign that law enforcement is getting better at exploiting the digital exhaust that attackers leave behind.

What This Means for Cybersecurity and Privacy

The use of Windows device IDs in criminal investigations raises questions that go beyond this single case. On one hand, it’s a powerful tool for catching bad actors. On the other, it highlights how much telemetry data flows from our devices to companies like Microsoft — data that can be turned over to law enforcement with a subpoena.

For now, the message is clear: if you’re using a Windows machine to commit a crime, you’re leaving a signature that can follow you. And as forensic techniques improve, that signature is getting harder to erase.

The Scattered Spider case is far from over. But for the FBI, the trail of digital breadcrumbs — starting with a single device ID — has already led to a suspect.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

CyberSecurity

Critical Gitea Flaw Under Active Exploitation: One Header, Full Compromise

Published

on

Gitea flaw exploitation

One Header to Rule Them All: Critical Gitea Bug Lets Attackers Walk Right In

It took just 13 days after the advisory went public for attackers to start exploiting a critical vulnerability in Gitea, the popular self-hosted Git service. The bug, tracked as CVE-2026-20896, carries a CVSS score of 9.8. And the attack vector is almost absurdly simple: a single HTTP header containing a valid username.

No password. No token. Just a header. Sysdig’s senior director of threat research, Michael Clark, confirmed that the company’s sensors caught the first in-the-wild hit less than two weeks after the flaw was disclosed. The attempt was linked to what Clark described as a “VPN-exit scanner that grabbed access.”

This isn’t a theoretical risk. It’s happening now.

What Makes CVE-2026-20896 So Dangerous?

The vulnerability lives in Gitea’s reverse-proxy authentication mechanism — specifically in the official Docker images. Security researcher Ali Mustafa, who discovered the bug, explains that in Gitea Docker images before version 1.26.3, the default configuration allows connections from any source IP address. It doesn’t enforce an allowlist.

Here’s the problem: when reverse-proxy authentication is enabled, Gitea should only trust a header that was set by the proxy itself. But because of this flaw, anyone who can reach the Gitea container’s HTTP port directly — sidestepping the authenticating proxy — can impersonate any user whose login name they know or can guess.

And guess what? Admin accounts are the obvious target. “Any process that can reach the Gitea container’s HTTP port directly — not through the intended authenticating proxy — can impersonate any user whose login name is known or guessable. Admin accounts are the obvious targets,” Mustafa noted.

The fix, rolled out in Gitea versions 1.26.3 and 1.26.4, makes reverse-proxy authentication an opt-in feature. That’s a smart move — it means the dangerous default is no longer the default.

What Attackers Can Do Once They’re In

The consequences of a successful exploit are severe. Clark laid it out bluntly: a Gitea user can read and write their own repositories, including private ones. That means attackers can access:

  • The code your organization ships to production
  • Secrets developers accidentally committed — API keys, database credentials, deploy tokens
  • CI/CD configuration files
  • Deploy keys that can unlock other systems

In other words, a single header can lead to the complete compromise of everything Gitea holds. Code, secrets, infrastructure access — all up for grabs.

How Many Instances Are Exposed?

Sysdig’s research found roughly 6,200 Gitea instances accessible from the internet. How many of those are running vulnerable versions is unclear. But given that the flaw was only recently patched, and that many organizations are slow to update, the number could be significant.

If you’re running Gitea in a Docker container, now is the time to check your version. The attack surface is real, and the window for patching is closing fast.

What You Should Do Right Now

The advice from researchers is straightforward: update your Gitea deployments immediately. If you’re on a version before 1.26.3, you’re exposed. The patch changes the default behavior so that reverse-proxy authentication must be explicitly enabled, rather than being on by default.

Beyond updating, consider whether you even need reverse-proxy authentication. If you do, make sure your proxy is properly configured to set the trusted header, and that no other process can reach the Gitea container’s HTTP port directly. Network segmentation is your friend here.

This isn’t the first time Gitea has been in the spotlight for security issues. A previous vulnerability exposed roughly 30,000 deployments to attacks. And with critical Adobe ColdFusion vulnerabilities and actively exploited Microsoft SharePoint flaws also making headlines, it’s clear that the threat landscape is crowded. Don’t let your Gitea instance become the weak link.

Patch now. Because one header is all it takes.

Continue Reading

CyberSecurity

How AI Gateways Are Handing Attackers the Master Keys to Your Cloud Infrastructure

Published

on

AI gateway security

The Gateway That Opened Too Many Doors

It started with a spike in cloud bills. A company noticed its compute costs had quietly tripled over a weekend. The culprit wasn’t a sudden surge in legitimate AI inference requests. It was an attacker who had found an unlocked door — an AI gateway — and used it to hijack GPU cycles for cryptomining.

This incident, detailed by security researchers, is more than a cautionary tale about runaway cloud spend. It exposes a fundamental flaw in how many organizations deploy and secure their AI gateways. These platforms, designed to manage, route, and monitor access to AI models, are becoming a single point of failure. Get the gateway wrong, and you don’t just lose a model — you hand over the keys to your entire cloud infrastructure and your identity and access management (IAM) data.

What Exactly Is an AI Gateway?

Think of an AI gateway as the traffic cop for your machine learning operations. It sits in front of your models — whether they’re hosted on Amazon Web Services, Google Cloud, or Microsoft Azure — and handles request routing, rate limiting, authentication, and logging.

In theory, that’s smart architecture. It centralizes control. But in practice, many gateways are deployed with overly permissive access policies. They’re configured to talk to almost any backend service, hold credentials for multiple cloud accounts, and expose internal network endpoints. That’s a lot of trust placed in a single component.

The Cryptomining Incident: A Step-by-Step Breakdown

In the attack cited by researchers, the adversary didn’t break into the AI model itself. They didn’t need to. Instead, they exploited a misconfigured gateway that allowed unauthenticated API calls to pass through.

  • Step 1: Reconnaissance. The attacker scanned for publicly exposed gateway endpoints. Many organizations leave their gateways accessible on the open internet without IP whitelisting.
  • Step 2: Privilege Escalation. Once inside, the attacker discovered the gateway held IAM credentials for the underlying cloud environment. These weren’t scoped to the AI service alone — they had broad permissions.
  • Step 3: Lateral Movement. Using those credentials, the attacker spun up high-compute GPU instances. They deployed cryptomining software, racking up massive bills before the team noticed.

The scary part? The gateway logs showed the attacker was inside for 72 hours before detection. The gateway had been logging everything — but nobody was watching.

Why AI Gateways Are a Tempting Target

AI gateways sit at a unique intersection. They touch models, data pipelines, cloud compute, and user authentication. That makes them a jackpot for attackers.

Exposure of Cloud Infrastructure

Most gateways need permissions to call cloud APIs — to scale instances, fetch data from storage buckets, or deploy updated models. If those permissions are too broad, a compromised gateway lets an attacker treat your cloud account like their own sandbox. They can spin up resources, exfiltrate data, or, as in the cryptomining case, burn through your budget.

Leakage of Identity and Access Management Data

Gateways often cache or log authentication tokens, API keys, and user session data. A poorly secured gateway can leak IAM data that allows attackers to impersonate legitimate users or service accounts. That’s not just a model breach — it’s a full identity compromise.

Model Theft and Inference Attacks

Beyond infrastructure, the gateway guards the models themselves. An attacker with gateway access can query models at will, extracting proprietary logic or training data through carefully crafted inputs. In some cases, they can even download the model weights if the gateway is configured to allow model export.

How to Lock Down Your AI Gateway

None of this means AI gateways are inherently dangerous. They’re necessary. But they demand a security posture that many organizations haven’t yet adopted.

  • Principle of Least Privilege. Grant the gateway only the permissions it absolutely needs. If it doesn’t need to spin up compute instances, don’t give it that IAM role. Use scoped service accounts, not admin-level keys.
  • Network Segmentation. Don’t expose your gateway to the public internet. Place it behind a VPN or a cloud load balancer with strict IP whitelisting. If external access is required, use API gateways with authentication at the edge.
  • Audit and Monitor. Gateway logs are useless if nobody reads them. Set up automated alerts for unusual patterns — a sudden spike in requests, access from unfamiliar IP ranges, or calls to endpoints the gateway shouldn’t be touching.
  • Regular Penetration Testing. Treat the gateway as a critical asset. Test it the way you’d test a VPN or a database server. Look for misconfigurations, exposed endpoints, and overly broad permissions.

The Bigger Picture: AI Infrastructure Is Still Young

The rush to deploy AI has outpaced security best practices. Teams are standing up gateways in hours, not weeks, and security reviews are often an afterthought. That’s understandable — but it’s also dangerous.

The cryptomining incident is a wake-up call. It shows that the gateway is not just a traffic cop. It’s a potential master key. And if you hand that key to the wrong person, they won’t just steal your model. They’ll take your cloud, your data, and your identity.

Lock it down now. Before someone else finds the door.

Continue Reading

CyberSecurity

A single public GitHub issue can trick agentic workflows into leaking private repo data

Published

on

GitHub Agentic Workflows leak

A public issue, a private leak — no credentials required

Security researchers at Noma Security have demonstrated a troubling attack vector targeting GitHub Agentic Workflows. The premise is deceptively simple: an attacker opens a normal-looking issue on a public repository. That’s it. No stolen credentials. No direct access to the organization’s internal systems.

If the targeted organization has granted the agent read access across its repositories — including private ones — the contents of those private repos can be exfiltrated. The attack works because the agent, designed to automate responses and actions, can be tricked into following instructions embedded in the issue itself.

The finding raises serious questions about how much trust organizations are placing in automated workflows that interact with untrusted input.

How the attack works: poisoning the prompt

GitHub Agentic Workflows are a relatively new feature that allows AI-driven agents to respond to events like issue creation, pull requests, or comments. They can be configured with broad permissions — including read access to private repositories — to perform tasks like triaging bugs, summarizing code changes, or generating patches.

Noma’s research shows that an attacker can craft a public issue containing what amounts to a prompt injection. The agent, upon processing the issue, interprets the injected instructions as legitimate commands. In the proof of concept, the attacker instructed the agent to read files from a private repository and then send those files to an external server controlled by the attacker.

“The agent doesn’t know the difference between a legitimate task and a malicious one,” said a Noma researcher. “It just follows the instructions it’s given, based on the context it has access to.”

The entire chain requires no exploitation of GitHub’s infrastructure — just a public issue and an agent with overly broad permissions.

Why this is different from a typical supply chain attack

Most supply chain attacks on GitHub involve compromised credentials, malicious dependencies, or vulnerabilities in Actions runners. This attack is different. It exploits the trust model of the agent itself.

The agent is given a high-privilege token or access scope — often for convenience — and then exposed to user-generated content that can manipulate its behavior. It’s a classic prompt injection vulnerability, but applied to an infrastructure automation context rather than a chatbot.

“The real issue is the gap between the permissions an agent needs to do its job and the permissions it actually gets,” the researcher added. “Teams often err on the side of giving too much access because it’s easier than fine-tuning.”

Who is most at risk

Any organization using GitHub Agentic Workflows with read access to private repositories is potentially vulnerable. That includes:

  • Companies using agents for automated code review or issue triage across both public and private repos
  • Open-source projects where maintainers have connected agents to internal repositories for dependency management or security scanning
  • Teams that have not restricted the agent’s scope to specific repositories or actions

The attack surface is particularly wide for organizations that run public repositories alongside private ones under the same GitHub organization. A single public issue on any public repo in that organization can trigger the agent — if the agent is configured to listen to all issues.

Mitigation: least privilege and input sanitization

Noma Security recommends several practical steps to reduce the risk:

  • Restrict agent permissions. Give the agent only the minimum access it needs — ideally scoped to specific repositories and specific actions. Avoid granting blanket read access across all repos.
  • Use a separate agent for public vs. private repos. If an agent must interact with public issues, keep it isolated from private data. Use a different agent or a different token for internal workflows.
  • Sanitize and validate inputs. Treat any content from public issues, comments, or pull requests as untrusted. Implement checks that strip or escape potentially malicious instructions before they reach the agent.
  • Audit agent behavior. Log all actions taken by the agent and review them for anomalies. Set up alerts for unexpected file reads or data exfiltration patterns.

GitHub has been notified of the finding. The company has not yet issued a public statement or patch, but the vulnerability is inherent to how agents interpret natural language instructions — not a bug in GitHub’s code per se.

The bigger picture: agent security is still immature

This research is a reminder that AI agent security is still in its early days. As more platforms integrate autonomous agents that can read, write, and act on data, the attack surface expands dramatically. The same qualities that make agents powerful — their ability to interpret context and take independent action — also make them vulnerable to manipulation.

“We’re seeing the same pattern we saw with early web applications,” said a security analyst not involved in the research. “Developers are excited about what agents can do, and security is an afterthought. That’s how breaches happen.”

For now, the safest approach is to assume that any public-facing input can be weaponized. Until agent platforms build robust guardrails — like mandatory input validation, permission boundaries that cannot be overridden by instructions, and human-in-the-loop approval for sensitive actions — organizations should treat agentic workflows with the same caution they’d give any internet-facing service.

The Noma team plans to release a full technical write-up and a proof-of-concept video in the coming weeks. For organizations already using GitHub Agentic Workflows, the time to audit permissions is now — before an attacker opens that first issue.

Continue Reading

Trending