Netsec

  • ‘Styx Stealer’ malware developer accidentally exposes personal info to researchers in ‘critical opsec error’

    A suspected developer of a new malware strain called Styx Stealer made a “significant operational security error” and leaked data from his computer, including details about clients and earnings, researchers have found.

    Styx Stealer is “a powerful malware” capable of stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency. The Israel-based cybersecurity firm Check Point, which analyzed the malware, said that it was used against its customers, though further details were not provided.

    “The developer made a fatal error and leaked data from his computer, which allowed Check Point to obtain a large amount of intelligence,” researchers said in a report published last week.

    The developer of Styx Stealer was found to be linked to one of the Agent Tesla threat actors known as FucosReal, who was involved in a spam campaign also targeting the company’s customers. Agent Tesla is a remote access malware that has been targeting Windows systems since 2014.

    According to Check Point, the creator of Styx Stealer revealed his personal details, including Telegram accounts, emails and contacts, by debugging the stealer on his own computer using a Telegram bot token provided by a customer involved in the Agent Tesla campaign in March 2024.

    “This critical OpSec failure not only compromised Styx Stealer's anonymity but also provided valuable intelligence about other cybercriminals, including the originator of the Agent Tesla campaign,” researchers said.

    Following the analysis, researchers were able to link Styx Stealer to a Turkish hacker known as Sty1x. This, in turn, allowed Check Point to track down FucosReal to an individual in Nigeria.

    “The case of Styx Stealer is a compelling example of how even sophisticated cybercriminal operations can slip up due to basic security oversights,” researchers said.

  • Background-check giant confirms security incident leaked millions of SSNs

    National Public Data released a statement about an incident that went viral on social media recently but has been known to cybersecurity experts for months.

    One of the largest companies that conducts background checks confirmed that it is the source of a data breach causing national outrage due to the millions of Social Security numbers leaked.

    In a statement on Friday, National Public Data said it detected suspicious activity in its network in late December, and subsequently a hacker leaked certain tranches of data in April and throughout the summer.

    “The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024. We conducted an investigation and subsequent information has come to light,” the Florida-based company said.

    “The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”

    National Public Data said it “cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records.”

    The company plans to notify those affected if there are other updates. It is unclear how someone would know they are affected by the breach, but the company urged people to monitor their financial accounts for unauthorized activity.

    Cybersecurity experts have known about the leaks since April, but since then the company has refused to respond to repeated requests for comment from Recorded Future News. The company stayed tight-lipped about the incident until this week, when concern about the troves of Social Security numbers (SSNs) exposed went viral on social media.

    Companies and private investigators pay National Public Data to obtain criminal records, background checks and more — with the company allowing them to search billions of records instantly.

    On April 7, a well-known hacker going by the name USDoD posted a database on the criminal marketplace Breached, claiming it contained 2.9 billion records on U.S. citizens. The cybercriminal, best known for leaking data stolen from European aerospace giant Airbus, said it came from another hacker named “SXUL” and offered the information for $3.5 million.

    While it is unclear whether anyone paid for the information, the hacker began leaking parts of the database in June and others continued to offer it for sale throughout the summer.

    Several cybersecurity experts, including data breach expert Troy Hunt, have confirmed that while the database contains duplicates, much of the information is accurate.

    The data contains a person’s first and last name, three decades of address history and Social Security number. Some experts said they were also able to find a person’s parents, siblings and immediate relatives. The database includes people living and dead.

    Some have noted that people who use data opt-out services were not included in the database.

    While some news outlets and social media platforms have erroneously reported that 2.9 billion people had information in the breach, Hunt estimated that the database included about 899 million unique SSNs.

    The FBI and other U.S. cybersecurity agencies did not respond to requests for comment.

    National Public Data is already facing lawsuits over the breach. A complaint was filed in the U.S. District Court for the Southern District of Florida two weeks ago after a California resident said he got a notice from his identity-theft protection service provider in July about the breach.

    DataGrail vice president Chris Deibler said the breach shows we “are reaching the limits of what individuals can reasonably do to protect themselves in this environment.”

    “The balance of power right now is not in the individual's favor. [The European Union’s] GDPR and the various state and national regulations coming online are good steps, but the prevention and consequence models in place today clearly do not disincentivize mass aggregation of data,” he said.

    Akhil Mittal of Synopsys Software Integrity Group added that the number of records will draw headlines but the long tail of effects on people could last years. Millions of real people will be dealing with identity theft, fraud and more for years to come due to the breach, he said.

    Mittal echoed Deibler’s comments, arguing that a larger conversation needs to be started about data privacy and protection.

    “It’s time for stricter regulations and better enforcement to make sure companies are really protecting our information,” Mittal said.

  • FlightAware admits passwords, SSNs exposed for over 3 years

    Popular flight-tracking app FlightAware has admitted that it was exposing a bunch of users' data for more than three years.

    It made the admission via a notification filed last week with Rob Bonta, California's attorney general, saying the leak began on January 1, 2021, but was only detected on July 25 of this year.

    The incident was blamed on an unspecified configuration error. It led to the exposure of personal information, passwords, and various other personal data points you'd expect to see in a breach, depending on what information the user provided in their account.

    The full list of potentially impacted data points is below:

    • User ID
    • Password
    • Email address
    • Full name
    • Billing address
    • Shipping address
    • IP address
    • Social media accounts
    • Telephone numbers
    • Year of birth
    • Last four digits of your credit card number
    • Information about aircraft owned
    • Industry
    • Title
    • Pilot status (yes/no)
    • Account activity (such as flights viewed and comments posted)
    • Social Security Number

    How was this data exposed? We asked FlightAware and will update the story if it responds.

    The downside of filing data leak notifications in California is that the state doesn't require companies to publicly disclose how many people were affected, unlike Maine, for example, which does.

    Although we cannot determine the exact number of affected users, FlightAware reports having 12 million registered users. If all were affected, that would be quite the security snafu indeed.

    "FlightAware values your privacy and deeply regrets that this incident occurred," it wrote in a letter being sent to affected individuals.

    "Once we discovered the exposure, we immediately remedied the configuration error. Out of an abundance of caution, we are also requiring all potentially impacted users to reset their password. You will be prompted to do so at your next log-in to FlightAware."

    It's typical with these types of breach notifications to comment on whether the data in question had been accessed and/or misused by unauthorized third parties. The letter to affected users did not address this matter.

    It's also typical for companies to offer free credit monitoring for users and the same is the case here. Anyone who receives a letter from FlightAware saying they may be affected was offered two years of service via Equifax.

  • Man who hacked Hawaii state registry to forge his own death certificate sentenced to 81 months

    A Kentucky man who hacked into a state registry and faked his own death to avoid paying child support was sentenced on Monday to 81 months in prison.

    In January 2023, Jesse Kipf used stolen login credentials belonging to a physician to access the Hawaii Death Registry System, where he submitted and “certified” his own death — thereby avoiding paying more than $116,000 in owed child support.

    He also hacked into other state death registry systems, as well as “governmental and corporate networks” using stolen credentials, and tried to sell access to those entities on the darkweb.

    “Working in collaboration with our law enforcement partners, this defendant who hacked a variety of computer systems and maliciously stole the identity of others for his own personal gain, will now pay the price,” said Michael E. Stansbury, special agent in charge at the FBI’s Louisville Field Office. Kipf was convicted of computer fraud and aggravated identity theft.

    In March 2023, Hawaii’s Department of Health began sending out breach notification letters after it was notified by the cybersecurity firm Mandiant that credentials belonging to an external medical death certifier account had been sold on the dark web. The account belonged to a medical certifier who worked for a local hospital but had left the job in 2021.

    According to the Health Department release, the hacker accessed the account on January 20, 2023 — the same month Kipf breached the system.

    That same year, Kipf also used stolen credentials to access networks belonging to Guest-Tek Interactive Entertainment Ltd. and Milestone, Inc. — specifically to networks related to the companies’ work with hotel chains, including internet connectivity services.

    According to a sentencing memo from Assistant U.S. Attorney Kathryn M. Dieruf, Kipf offered for sale on darknet forums tips for how to access death registry systems, and he sold access to at least one company’s hacked databases to Russian customers. Other international buyers of stolen personal information were from Algeria and Ukraine, according to court documents.

    While calling for a seven-year sentence — three more months than the one Kipf received — Dieruf asked the judge to send a message to cybercriminals.

    “Similarly situated individuals must see the real danger they present to victims and be deterred from engaging in online criminal conduct by the fear of punishment,” she wrote.

    “The cloak of anonymity afforded by the dark web is too alluring without the persistent threat of being brought to justice and serving a significant sentence.”

  • Parody Website ClownStrike Rejects CrowdStrike's Baseless DMCA Takedown Notice

    CrowdStrike's copyright takedown on parody site adds insult to injury following global outage scandal.

    CrowdStrike – a company that advertises itself as stopping breaches using “AI-native cybersecurity” – recently failed to deliver in a spectacular fashion.

    One of its faulty updates (for Windows) caused a massive global outage across different industries and services, including hospitals and airports.

    This latest poster child for “single point of failure,” and why IT systems should not be centralized to the degree they are, now apparently sees making false copyright claims, thus abusing the DMCA, as one way of damage control.

    The recipient of the takedown attempt is a parody site, ClownStrike. Created by IT consultant David Senk, clownstrike.lol went online on July 24, in the wake of the embarrassing and costly (damages are said to run into billions) episode caused by CrowdStrike.

    But despite ostensibly having more pressing issues to deal with, a week later Cloudflare (that hosted the parody site) sent Senk a DMCA notice issued on behalf of CrowdStrike by CSC Digital Brand Services.

    CrowdStrike wanted its logo, which is seen “fading into a cartoon clown” on Senk’s site removed, and threatened that otherwise the site would be shut down, writes Ars Technica.

    But the site is clearly a parody, which would protect Senk’s display of the logo as fair use under the DMCA. However, this story has two “bad guys” – in addition to CrowdStrike, there’s Cloudflare.

    When Senk contested the takedown notice on fair use grounds, Cloudflare ignored it, and then sent him another email reiterating the copyright infringement accusations – and then, again ignored the site creator’s counterclaim.

    Senk has switched to a server in Finland, where he feels companies are “less susceptible to DMCA takedown requests.”

    Now the site also features the CSC logo (with a clown wig). And it’s been updated with Senk’s thoughts on corporate cyberbullies, Cloudflare’s “hilariously ineffective” system of countering copyright notices, and other rant-worthy topics.

    Ars Technica suggests that ClownStrike may have simply got caught up in as many as 500 notices CrowdStrike has been sending left and right these days to ensure “proactive fraud management activities (…) to help prevent bad actors from exploiting current events.”

    Senk’s description of this statement? “Typical corporate bullshit (taking) zero accountability.”

  • Supply Chain Security Harm Reduction with 3TOFU

    3TOFU: Verifying Unsigned Releases

    By Michael Altfield License: CC BY-SA 4.0 https://tech.michaelaltfield.net

    This article introduces the concept of "3TOFU" -- a harm-reduction process when downloading software that cannot be verified cryptographically.

    [Image: Verifying Unsigned Releases with 3TOFU]

    > ⚠ NOTE: This article is about harm reduction.
    >
    > It is dangerous to download and run binaries (or code) whose authenticity you cannot verify (using a cryptographic signature from a key stored offline). However, sometimes we cannot avoid it. If you're going to proceed with running untrusted code, then following the steps outlined in this guide may reduce your risk.

    TOFU

    TOFU stands for Trust On First Use. It's an (often abused) concept of downloading a person's or org's signing key and just blindly trusting it (instead of verifying it).

    3TOFU

    3TOFU is a process where a user downloads something three times at three different locations. If-and-only-if all three downloads are identical, then you trust it.

    Why 3TOFU?

    During the Crypto Wars of the 1990s, it was illegal to export cryptography from the United States. In 1996, after intense public pressure and legal challenges, the government officially permitted export with the 56-bit DES cipher -- which was a known-vulnerable cipher.

    [Photo: Paul Kocher holding a very large circuit board. The EFF's Deep Crack proved DES to be insecure and pushed a switch to 3DES.]

    But there was a simple way to use insecure DES to make secure messages: just use it three times.

    3DES (aka "Triple DES") is the process of encrypting a message using the insecure symmetric block cipher (DES) three times on each block, to produce an actually secure message (secure against the attacks known at the time).

    3TOFU (aka "Triple TOFU") is the process of downloading a payload using the insecure method (TOFU) three times, to obtain a payload that's orders of magnitude less likely to have been maliciously altered.

    3TOFU Process

    To best mitigate targeted attacks, 3TOFU should be done:

    1. On three distinct days
    2. On three distinct machines (or VMs)
    3. Exiting from three distinct countries
    4. Exiting using three distinct networks

    For example, I'll usually execute

    • TOFU #1/3 in TAILS (via Tor)
    • TOFU #2/3 in a Debian VM (via VPN)
    • TOFU #3/3 on my daily laptop (via ISP)

    The possibility of an attacker maliciously modifying something you download over your ISP's network is quite high, depending on which country you live in.

    The possibility of an attacker maliciously modifying something you download onto a VM with a freshly installed OS over an encrypted VPN connection (routed internationally and exiting from another country) is much lower, but still possible -- especially for a well-funded adversary.

    The possibility of an attacker maliciously modifying something you download onto a VM running a hardened OS (like Whonix or TAILS) using a hardened browser (like Tor Browser) over an anonymizing network (like Tor) is quite unlikely.

    The possibility of someone executing a network attack on all three downloads is very near zero -- especially if the downloads were spread out over days or weeks.

    3TOFU bash Script

    I provide the following bash script as an example snippet that I run for each of the 3TOFUs.

    ```
    REMOTE_FILES="https://tails.net/tails-signing.key"

    CURL="/usr/bin/curl"
    WGET="/usr/bin/wget --retry-on-host-error --retry-connrefused"
    PYTHON="/usr/bin/python3"

    # in tails, we must torify
    if [[ "$(whoami)" == "amnesia" ]] ; then
        CURL="/usr/bin/torify ${CURL}"
        WGET="/usr/bin/torify ${WGET}"
        PYTHON="/usr/bin/torify ${PYTHON}"
    fi

    tmpDir="$(mktemp -d)"
    pushd "${tmpDir}"

    # first get some info about our internet connection
    ${CURL} -s https://ifconfig.co/country | head -n1
    ${CURL} -s https://check.torproject.org | grep Congratulations | head -n1

    # and today's date
    date -u +"%Y-%m-%d"

    # get the file
    for file in ${REMOTE_FILES}; do
        ${WGET} "${file}"
    done

    # checksum
    date -u +"%Y-%m-%d"
    sha256sum *

    # gpg fingerprint
    gpg --with-fingerprint --with-subkey-fingerprint --keyid-format 0xlong *
    ```

    Here's one example execution of the above script (on a Debian DispVM, executed over a VPN).

    ```
    /tmp/tmp.xT9HCeTY0y ~
    Canada
    2024-05-04
    --2024-05-04 14:58:54--  https://tails.net/tails-signing.key
    Resolving tails.net (tails.net)... 204.13.164.63
    Connecting to tails.net (tails.net)|204.13.164.63|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1387192 (1.3M) [application/octet-stream]
    Saving to: ‘tails-signing.key’

    tails-signing.key   100%[===================>]   1.32M  1.26MB/s    in 1.1s

    2024-05-04 14:58:56 (1.26 MB/s) - ‘tails-signing.key’ saved [1387192/1387192]

    2024-05-04
    8c641252767dc8815d3453e540142ea143498f8fbd76850066dc134445b3e532  tails-signing.key
    gpg: WARNING: no command supplied.  Trying to guess what you mean ...
    pub   rsa4096/0xDBB802B258ACD84F 2015-01-18 [C] [expires: 2025-01-25]
          Key fingerprint = A490 D0F4 D311 A415 3E2B  B7CA DBB8 02B2 58AC D84F
    uid                             Tails developers (offline long-term identity key) <tails@boum.org>
    uid                             Tails developers <tails@boum.org>
    sub   rsa4096/0x3C83DCB52F699C56 2015-01-18 [S] [expired: 2018-01-11]
    sub   rsa4096/0x98FEC6BC752A3DB6 2015-01-18 [S] [expired: 2018-01-11]
    sub   rsa4096/0xAA9E014656987A65 2015-01-18 [S] [revoked: 2015-10-29]
    sub   rsa4096/0xAF292B44A0EDAA41 2016-08-30 [S] [expired: 2018-01-11]
    sub   rsa4096/0xD21DAD38AF281C0B 2017-08-28 [S] [expires: 2025-01-25]
    sub   rsa4096/0x3020A7A9C2B72733 2017-08-28 [S] [revoked: 2020-05-29]
    sub   ed25519/0x90B2B4BD7AED235F 2017-08-28 [S] [expires: 2025-01-25]
    sub   rsa4096/0xA8B0F4E45B1B50E2 2018-08-30 [S] [revoked: 2021-10-14]
    sub   rsa4096/0x7BFBD2B902EE13D0 2021-10-14 [S] [expires: 2025-01-25]
    sub   rsa4096/0xE5DBA2E186D5BAFC 2023-10-03 [S] [expires: 2025-01-25]
    ```

    The TOFU output above shows that the release signing key from the TAILS project is a 4096-bit RSA key with a full fingerprint of "A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F". The key file itself has a sha256 hash of "8c641252767dc8815d3453e540142ea143498f8fbd76850066dc134445b3e532".

    When doing a 3TOFU, save the output of each execution. After collecting output from all 3 executions (intentionally spread-out over 3 days or more), diff the output.

    If the output of all three TOFUs match, then the confidence of the file\'s authenticity is very high.
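    The comparison step described above (save each run's output, then diff) can be automated. The Python below is an added example, not code from the article or the author's script: it parses the `sha256sum` line and gpg's `Key fingerprint =` line out of each saved run, trusts the file only if all three runs agree, and otherwise names the run(s) that disagree with the majority so you know which channel (ISP, VPN, Tor) served something different. The three log texts, the hashes and the fingerprint are constructed sample input, not real Tails values.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The two lines of the 3TOFU script output that matter for the comparison:
# the `sha256sum` line and gpg's "Key fingerprint =" line.
SHA256_LINE = re.compile(r"^([0-9a-f]{64})\s+(\S+)\s*$", re.MULTILINE)
FINGERPRINT_LINE = re.compile(r"Key fingerprint = ([0-9A-F ]+?)\s*$", re.MULTILINE)


@dataclass(frozen=True)
class TofuRecord:
    """What one TOFU run tells us about the downloaded file."""
    filename: str
    sha256: str
    fingerprint: Optional[str]  # None when the payload is not a PGP key


def parse_tofu_log(text: str) -> TofuRecord:
    """Extract hash, filename and (if present) key fingerprint from one saved run."""
    m = SHA256_LINE.search(text)
    if m is None:
        raise ValueError("no sha256sum line found in TOFU output")
    f = FINGERPRINT_LINE.search(text)
    fingerprint = f.group(1).replace(" ", "") if f else None
    return TofuRecord(filename=m.group(2), sha256=m.group(1), fingerprint=fingerprint)


def compare_tofu(records: Dict[str, TofuRecord]) -> Tuple[bool, List[str]]:
    """Return (all_identical, outliers).

    Trust only when every run agrees on filename, hash and fingerprint.
    On disagreement, the runs that differ from the majority are reported;
    if no two runs agree at all, every run is reported as an outlier.
    """
    if len(records) < 3:
        raise ValueError("3TOFU needs at least three independent downloads")
    keys = {name: (r.filename, r.sha256, r.fingerprint) for name, r in records.items()}
    majority, votes = Counter(keys.values()).most_common(1)[0]
    if votes == len(keys):
        return True, []
    if votes == 1:
        return False, sorted(keys)
    return False, sorted(name for name, k in keys.items() if k != majority)


def verify_3tofu(logs: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Parse each saved run's output and compare the runs."""
    return compare_tofu({name: parse_tofu_log(text) for name, text in logs.items()})


# --- constructed sample input: NOT real output; hash and fingerprint are made up ---
def make_log(country: str, via_tor: bool, day: str, sha256: str) -> str:
    """Mimic the lines the 3TOFU script prints on one run."""
    tor_line = "Congratulations. This browser is configured to use Tor.\n" if via_tor else ""
    return (
        f"{country}\n{tor_line}{day}\n{day}\n"
        f"{sha256}  example-signing.key\n"
        "pub   rsa4096/0x0123456789ABCDEF 2020-01-01 [C]\n"
        "      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567\n"
    )


GOOD_SHA256 = "0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2  # 64 hex chars, constructed
CLEAN_LOGS = {
    "tofu1-tails-tor": make_log("Germany", True, "2024-05-01", GOOD_SHA256),
    "tofu2-debian-vpn": make_log("Canada", False, "2024-05-04", GOOD_SHA256),
    "tofu3-laptop-isp": make_log("United States", False, "2024-05-09", GOOD_SHA256),
}
# Same three runs, except the download over the ISP came back as a different file.
TAMPERED_LOGS = dict(CLEAN_LOGS)
TAMPERED_LOGS["tofu3-laptop-isp"] = make_log("United States", False, "2024-05-09", "deadbeef" * 8)

if __name__ == "__main__":
    print("clean:   ", verify_3tofu(CLEAN_LOGS))      # (True, [])
    print("tampered:", verify_3tofu(TAMPERED_LOGS))   # (False, ['tofu3-laptop-isp'])
```

    A 2-of-3 agreement is deliberately not treated as trust: the article's rule is all-or-nothing, and the outlier list is only there to tell you which network path to be suspicious of. Feed the script the saved outputs of your real runs (one string per run) in place of the constructed logs.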

    Why do 3TOFU?

    Unfortunately, many developers think that hosting their releases on a server with https is sufficient to protect their users from obtaining a maliciously-modified release. But https won\'t protect you if:

    1. Your DNS or publishing infrastructure is compromised (it happens), or
    2. An attacker has just one (subordinate) CA in the user's PKI root store (it happens)

    Generally speaking, publishing infrastructure compromises are detected and resolved within days and MITM attacks using compromised CAs are targeted attacks (to avoid detection). Therefore, a 3TOFU verification should thwart these types of attacks.

    > ⚠ Note on hashes: Unfortunately, many well-meaning developers erroneously think that cryptographic hashes provide authenticity, but cryptographic hashes do not provide authenticity -- they provide integrity.
    >
    > Integrity checks are useful to detect corrupted data on download; they do not protect you from maliciously altered data unless those hashes are cryptographically signed with a key whose private key isn't stored on the publishing infrastructure.

    Improvements

    There are some things you can do to further improve the confidence of the authenticity of a file you download from the internet.

    Distinct Domains

    If possible, download your payload from as many distinct domains as possible.

    An adversary may successfully compromise the publishing infrastructure of a software project, but it's far less likely for them to compromise the project website (e.g. 'tails.net') and their forge (e.g. 'github.com') and their mastodon instance (e.g. 'mastodon.social').

    Use TAILS

    [Image: TAILS logo. TAILS is by far the best OS to use for security-critical situations.]

    If you are a high-risk target (investigative journalist, activist, or political dissident) then you should definitely use TAILS for one of your TOFUs.

    Signature Verification

    It\'s always better to verify the authenticity of a file using cryptographic signatures than with 3TOFU.

    Unfortunately, some companies like Microsoft don't sign their releases, so the only option to verify the authenticity of something like a Windows .iso is with 3TOFU.

    Still, whenever you encounter some software that is not signed using an offline key, please do us all a favor and create a bug report asking the developer to sign their releases with PGP (or minisign or signify or something).

    4TOFU

    3TOFU is easy because Tor is free and most people have access to a VPN (corporate or commercial or an ssh socks proxy).

    But, if you'd like, you could also add i2p or some other proxy network into the mix (and do 4TOFU).

  • [DEF CON 32] Presenting our DIY Dead Man Switch

    Join BusKill at DEF CON 32 for our presentation titled "Open Hardware Design for BusKill Cord" in the Demo Lab

    We're happy to announce that BusKill is presenting at DEF CON 32.

    What: Open Hardware Design for BusKill Cord
    When: 2024-08-10 12:00 - 13:45
    Where: W303 – Third Floor – LVCC West Hall

    [Image: BusKill goes to DEF CON 32 (Engage). BusKill is presenting at DEF CON 32.]

    via @Goldfishlaser@lemmy.ml

    What is BusKill?

    BusKill is a laptop kill-cord. It's a USB cable with a magnetic breakaway that you attach to your body and connect to your computer.

    [Video: What is BusKill? (Explainer Video). Watch the BusKill Explainer Video for more info: youtube.com/v/qPwyoD_cQR4]

    If the connection between you and your computer is severed, then your device will lock, shut down, or shred its encryption keys -- thus keeping your encrypted data safe from thieves who steal your device.

    What is DEF CON?

    DEF CON is a yearly hacker conference in Las Vegas, USA.

    [Video: DEF CON Documentary. Watch the DEF CON Documentary for more info: youtube.com/watch?v=3ctQOmjQyYg]

    What is BusKill presenting at DEF CON?

    I (goldfishlaser) will be presenting Open Hardware Design for BusKill Cord in a Demo Lab at DEF CON 32.

    What: Open Hardware Design for BusKill Cord
    When: Sat Aug 10 12PM – 1:45PM
    Where: W303 – Third Floor – LVCC West Hall

    Who: Melanie Allen (goldfishlaser) More info

    Talk Description

    BusKill is a Dead Man Switch triggered when a magnetic breakaway is tripped, severing a USB connection. I’ve written OpenSCAD code that creates a 3D printable file for plastic parts needed to create the magnetic breakaway. Should anyone need to adjust this design for variations of components, the code is parameterized allowing for easy customization. To assemble a BusKill Dead Man Switch cord you will need:

    1. a usb-a extension cord,
    2. a usb hard drive capable of being attached to a carabiner,
    3. a carabiner,
    4. the plastic pieces in this file,
    5. a usb female port,
    6. a usb male,
    7. 4 magnets,
    8. 4 pogo pins,
    9. 4 pogo receptors,
    10. wire,
    11. 8 screws,
    12. and BusKill software.

    [Image: the Golden BusKill decoupler with the case off. Golden DIY BusKill Print.]

    Full BOM, glossary, and assembly instructions are included in the github repository. The room holds approx. 70 attendees seated. I’ll be delivering 3 x 30 min presentations – with some tailoring to what sort of audience I get each time.

    Meet Me @ DEF CON

    If you'd like to find me and chat, I'm also planning to attend:

    • ATL Meetup (DCG Atlanta Friday: 16:00 – 19:00 | 236),
    • Hacker Karaoke (Friday and Sat 20:00-21:00 | 222),
    • Goth Night (Friday: 21:00 – 02:00 | 322-324),
    • QueerCon Mixer (Saturday: 16:00-18:00 | Chillout 2),
    • EFF Trivia (Saturday: 17:30-21:30 | 307-308), and
    • Jack Rysider’s Masquerade (Saturday: 21:00 – 01:00 | 325-327)

    I hope to print many fun trinkets for my new friends, including some BusKill keychains.

    [Image: a collection of 3D-printed bottle openers and whistles that say "BusKill". Come to my presentation @ DEF CON for some free BusKill swag.]

    By attending DEF CON, I hope to make connections and find collaborators. I hope during the demo labs to find people who will bring fresh ideas to the project to make it more effective.

  • Crimea warns of internet disruptions following DDoS attacks on local telecom operators

    Local authorities in Crimea are warning of internet disruptions from distributed denial-of-service (DDoS) attacks targeting telecommunication providers.

    The “massive” DDoS attacks, which overwhelm targeted networks with a flood of junk internet traffic, were launched against Crimean telecom companies on Wednesday and are still ongoing, according to Crimean officials.

    “Work is underway to repel attacks. There may be interruptions in providing internet services,” said Oleg Kryuchkov, the advisor to the Crimea region, which has been occupied by Russian forces since 2014.

    In Crimea’s largest city, Sevastopol, the attackers mostly targeted local internet provider Miranda Media, which is connected to Russian national telecom provider Rostelecom. Miranda Media was sanctioned by the European Union in 2023 for providing services to illegal authorities and institutions in Crimea in the interests of Russia.

    Several local subscribers complained on the company’s Telegram channel that their internet connection has been “terrible” for the past two days, but Miranda Media hasn’t released an official statement about the disruptions. The company did not respond to a request for comment.

    “The enemy attacks this particular operator for a reason,” a spokesperson for Sevastopol’s government said on Telegram. Miranda Media provides “core communication channels” for the city’s emergency call center, they added.

    The attack temporarily disrupted the call center's operations, but local authorities announced on Thursday that they have restored its functionality.

    Ukraine’s military intelligence (HUR) claimed responsibility on Wednesday for the cyberattacks on “several of Russia's largest internet providers” operating in Crimea but did not provide additional details.

    An anonymous source at HUR told the Ukrainian public broadcaster that the agency "systematically" attacks Russian digital infrastructure, including internet providers.

    In May, Ukraine’s military hackers claimed responsibility for an attack on a major internet provider in the Russian city of Belgorod, located about 20 miles north of the Ukrainian border. The targeted company allegedly provides services to state and military institutions.

    The attacks on Russian internet providers are also carried out by other Ukraine-linked hacker groups. Last October, a group of cyber activists known as the IT Army claimed responsibility for bringing down Miranda Media and two other Russian internet providers operating in Crimea.

    At that time, Miranda Media stated that the attack was "carefully planned by cybercriminals."

  • Police allege 'evil twin' in-flight Wi-Fi used to steal info
    web.archive.org Police allege 'evil twin' in-flight Wi-Fi used to steal info

    Fasten your seat belts, secure your tray table, and try not to give away your passwords

    Australia's Federal Police (AFP) has charged a man with running a fake Wi-Fi network on at least one commercial flight and using it to harvest flier credentials for email and social media services.

    The man was investigated after an airline "reported concerns about a suspicious Wi-Fi network identified by its employees during a domestic flight."

    The AFP subsequently arrested a man who was found with "a portable wireless access device, a laptop and a mobile phone" in his hand luggage.

    That haul led the force to also search the 42-year-old's home – after securing a warrant – and then to his arrest and charging.

    It's alleged the accused's collection of kit was used to create Wi-Fi hotspots with SSIDs confusingly similar to those airlines operate for in-flight access to the internet or streamed entertainment. Airport Wi-Fi was also targeted, and the AFP found evidence of similar activities "at locations linked to the man's previous employment."

    Wherever the accused's rig ran, when users logged in to the network, they were asked to provide credentials.

    The AFP alleges that details such as email addresses and passwords were saved to the suspect's devices.

    The charges laid against the man concern unauthorized access to devices and dishonest dealings. None of the charges suggest the accused used the data he allegedly accessed.

    However, three charges of "possession or control of data with the intent to commit a serious offence" suggest the alleged perp was alive to the possibilities of using the data for nefarious purposes.

    AFP Western Command Cybercrime detective inspector Andrea Coleman pointed out that free Wi-Fi services should not require logging in through an email or social media account.

    Perhaps curiously, she advocated users of public Wi-Fi should "install a reputable virtual private network (VPN) on your devices to encrypt and secure your data when using the internet." She also recommended disabling file sharing, avoiding sensitive apps like banking while using public networks, and manually forgetting connections after use so that devices don't automatically reconnect to naughty networks.

    The accused appeared before a magistrate last week and was released on bail on condition he restrict his use of the internet in certain ways.

  • Poland to probe Russia-linked cyberattack on state news agency
    web.archive.org Poland to probe Russia-linked cyberattack on state news agency

    In May, hackers published fake news on the website of the Polish Press Agency claiming the country’s authorities had announced a partial mobilization of 200,000 men to be sent to fight in a war in Ukraine.

    Polish prosecutors are investigating a suspected Russian cyberattack on the country’s state news agency.

    The likely goal of the May attack on the Polish Press Agency, or PAP, was disinformation “aimed at causing serious disturbances in the system or economy of the Republic of Poland by an undetermined person or persons involved in or acting on behalf of foreign intelligence,” a spokesperson for the Warsaw District Prosecutor's Office told the state outlet.

    This offense is punishable by no fewer than eight years in prison under local law. The probe has been assigned to the Internal Security Agency.

    During the attack, hackers published fake news on the PAP website claiming the country’s authorities had announced a partial mobilization of 200,000 men who were to be sent to fight in a war in Ukraine.

    After the article was deleted by PAP, the hackers reposted it. Polish authorities blamed the attack on Russia.

    "Everything indicates that we are dealing with a cyberattack that was directed from the Russian side," Poland’s Digital Affairs Minister Krzysztof Gawkowski said following the incident.

    According to him, the hackers got into the news agency’s system by infecting the device of one of PAP's employees with malware. Gawkowski said that the attack was “targeted” and intended to cause panic and "shake up the system."

    Poland is “on the frontline of the cyber fight against Russia,” he added.

    PAP chief executive officer Marek Błoński condemned the attack, saying it was likely designed to interfere with the European Parliament election in June, echoing the statement of Prime Minister Donald Tusk, who called the incident “another very dangerous hacker attack” that “illustrates Russia's destabilization strategy on the eve of the European elections."

    The Russian embassy in Warsaw told Reuters that it was not aware of the incident and declined to comment.

    Poland has experienced an increase in Russian cyberattacks over the past few months, leading it to announce a $760 million investment in cyber defenses.

    In June, it also signed a deal with the U.S. to strengthen their cooperation against “foreign information manipulation,” including from Russia.

    Suspected Russian hackers have previously used legitimate news websites to spread propaganda. In February, they attacked several popular Ukrainian media outlets, posting fake news related to the war.

    Russian hacker groups targeting Ukrainian media include notorious state-controlled threat actors like Sandworm, according to Ukraine's Computer Emergency Response Team (CERT-UA).

  • TeamViewer: Hackers copied employee directory data and encrypted passwords
    web.archive.org TeamViewer: Hackers copied employee directory data and encrypted passwords

    TeamViewer says that a recently discovered breach appears to be limited to its internal corporate IT network. The software company has attributed it to a hacking operation associated with Russian intelligence.

    Software company TeamViewer says that a compromised employee account is what enabled hackers to breach its internal corporate IT environment and steal encrypted passwords in an incident attributed to the Russian government.

    In an update on Sunday evening, TeamViewer said a Kremlin-backed group tracked as APT29 was able to copy employee directory data like names, corporate contact information and the encrypted passwords, which were for the company’s internal IT environment.

    The company reaffirmed that the hackers were not able to gain access to the company's product environment or customer data, and that the breach, first reported last week, appears to be contained.

    “The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft,” the company said.

    TeamViewer said it has contacted authorities about the incident. APT29 — associated with Russia’s foreign intelligence service, the SVR — is one of the Kremlin’s highest-profile hacking operations.

    “We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state,” the statement said.

    TeamViewer’s remote access and remote control software is used to remotely manage fleets of devices. The company has previously faced attacks by alleged Chinese hackers and its products have often been deployed maliciously by hackers themselves during security incidents.

    Multiple organizations published warnings last week about the APT29 breach, urging TeamViewer customers to take a range of actions — including reviewing logs for any unusual remote desktop traffic and enabling two-factor authentication. A healthcare security organization urged members to “use the allowlist and blocklist to control who can connect to their devices.”

    TeamViewer has not responded to questions about what APT29 appeared to be looking for during the incident.

    The theft of encrypted passwords by APT29 matches another incident earlier this year where the same group infiltrated Microsoft’s systems and stole authentication details, credentials and emails from the tech giant’s senior leaders.

  • Caught in the Net: Using Infostealer Logs to Unmask CSAM Consumers
    web.archive.org Caught in the Net: Using Infostealer Logs to Unmask CSAM Consumers | Recorded Future

    Discover how Recorded Future uses infostealer logs to identify CSAM consumers and trends. Learn key findings and mitigation strategies.

    Summary

    In this proof-of-concept report, Recorded Future's Identity Intelligence analyzed infostealer malware data to identify consumers of child sexual abuse material (CSAM). Approximately 3,300 unique users were found with accounts on known CSAM sources. A notable 4.2% had credentials for multiple sources, suggesting a higher likelihood of criminal behavior. The study reveals how infostealer logs can aid investigators in tracking CSAM activities on the dark web. Data was escalated to law enforcement for further action.

    Background

    Infostealer malware steals sensitive user information such as login credentials, cryptocurrency wallets, payment card data, OS information, browser cookies, screenshots, and autofill data. Common distribution methods include phishing, spam campaigns, fake update websites, SEO poisoning, and malvertising. A popular infection vector is “cracked” software marketed to users seeking to obtain licensed software illegally. Stolen data, known as “infostealer logs,” often ends up on dark web sources where cybercriminals can purchase it, potentially gaining access to networks or systems.

    The anonymity provided by Tor-based websites with .onion domains fosters the production and consumption of CSAM. Studies show that although only a small percentage of .onion websites host CSAM, the majority of dark web browsing activity targets these sites.

    Methodology

    In this proof-of-concept report, Recorded Future's Identity Intelligence leveraged infostealer malware data to identify consumers of child sexual abuse material (CSAM), surface additional sources, and uncover geographic and behavioral trends. Our high-confidence assessments stem from the nature of the infostealer log data and subsequent research.

    Sample investigations of three individuals with accounts on multiple CSAM sources suggest that having multiple CSAM accounts may indicate a higher likelihood of committing crimes against children. This study demonstrates that infostealer logs can help law enforcement track child exploitation on the dark web, a challenging area to trace. All relevant findings have been reported to authorities.

    Our research involved creating a list of known high-fidelity CSAM domains and querying Recorded Future Identity Intelligence data to identify users with credentials to these domains. Collaborating with non-profit organizations like World Childhood Foundation and the Anti-Human Trafficking Intelligence Initiative (ATII), Insikt Group expanded this list by querying the Recorded Future Intelligence Cloud. This iterative process helped identify additional CSAM sources.

    Insikt Group then queried Recorded Future’s Identity Intelligence, which offers real-time access to infostealer log information, for authentication records linked to known CSAM sources from February 2021 to February 2024. De-duplication was performed by comparing OS usernames and PC names.

    Findings

    Insikt Group identified 3,324 unique credentials used to access known CSAM websites. This data allowed us to gather statistics on individual sources and users, including their usernames, IP addresses, and system information. This granular data helps law enforcement understand the infrastructure of CSAM websites, uncover techniques used by CSAM consumers to mask their identities, and identify potential CSAM consumers and producers.

    In three case studies, Insikt Group used the data contained in infostealer logs and open-source intelligence (OSINT) to identify two individuals and found further digital artifacts, including cryptocurrency addresses, belonging to a third individual.

    The PoC study showcases that infostealer logs can be used to identify CSAM consumers and new sources and trends in CSAM communities.

    As the cybercriminal demand for infostealer logs and malware-as-a-service (MaaS) ecosystems continues to grow, Insikt Group anticipates that infostealer log datasets will continue to provide current and evolving insights into CSAM consumers.

    To read the entire analysis, click here to download the report as a PDF.

  • ‘RegreSSHion’ bug raises alarms but experts question chances of widespread exploitation
    web.archive.org ‘RegreSSHion’ bug raises alarms but experts question chances of widespread exploitation

    If exploited, the vulnerability affecting OpenSSH’s server on Linux systems would allow for a full system takeover where an attacker could install malware, manipulate data and create backdoors for persistent access.

    A new vulnerability affecting Linux systems has caused alarm over the last 48 hours among security researchers, although some experts have cast doubts about whether widespread exploitation of the bug is likely.

    On Monday, researchers from cybersecurity firm Qualys unveiled a report on CVE-2024-6387 — colloquially known as “RegreSSHion.” A patch is available to resolve the issue.

    The vulnerability is found in OpenSSH’s server in glibc-based Linux systems.

    Saeed Abbasi, product manager of vulnerability research at Qualys, told Recorded Future News the best way to understand the issue is to imagine a very secure lock on your front door that only lets people in if they have the right key.

    “This lock is used in many houses worldwide because it is very safe. However, we’ve discovered a flaw in this lock — a hidden way to open it without a key, and someone could sneak in without you noticing,” he said.

    Matt Moore, the chief technology officer at the security company Chainguard, explained that OpenSSH is a free open source collection of networking tools used predominantly by system administrators to manage remote systems across platforms.

    It is also used for securely transferring files and for accessing services in the cloud without exposing a local machine's ports to the Internet, he said. OpenSSH encrypts all traffic between client and server to prevent eavesdropping, connection hijacking, and other attacks.

    “In simpler terms, this is the equivalent of a bank vault being already unlocked during a robbery, attackers can use this to gain access and then laterally move to where the most important information is,” Moore said.

    If exploited, the vulnerability would allow for a full system takeover where an attacker could install malware, manipulate data and create backdoors for persistent access. The researchers found that it is actually a version of a bug that was previously resolved — CVE-2006-5051 — and then reintroduced after recent code changes.

    Qualys’s Abbasi explained that searches on tools like Censys and Shodan show potentially 14 million internet-facing server instances that may be vulnerable to the bug, although Moore said it appears the blast radius for the bug is smaller than the entirety of the ecosystem using OpenSSH.

    Abbasi said the bug was particularly concerning because it affects the default configuration of OpenSSH and doesn't require user interaction.

    The ubiquity of OpenSSH as a secure communication method “significantly broadens the potential repercussions of this vulnerability,” he added.

    “Within an enterprise setting, OpenSSH is utilized across various platforms, such as on-premise servers, cloud infrastructures, development environments, workstations, laptops, containerized environments, and network devices. This extensive deployment highlights the widespread impact a vulnerability could have,” he said.

    Questions about exploitation

    While most experts said concerns about the bug were justified, others cast doubt on its severity.

    Moore noted the exploits for the vulnerability appear to only be viable for a certain kind of Linux server, most of which are relegated to 15-year-old systems.

    While it is not difficult to install the patch, the larger issue according to Moore is identifying what instances are using vulnerable versions. Organizations should focus on upgrading to the latest version of OpenSSH, with a priority placed on publicly exposed instances.

    Some tools identifying vulnerable systems have been created to help those in need.

    Experts at the cybersecurity firms Wiz and Palo Alto Networks said widespread exploitation is unlikely. Wiz said an attacker would need to know the version of Linux they are targeting in order to tailor the exploit, making the bug “inappropriate for widespread opportunistic exploitation.”

    Palo Alto Networks said proof of concept code released on Monday has not worked in their exploit attempts, and as of Tuesday they have seen no exploit attempts in the wild.

    Contrast Security co-founder Jeff Williams added that attacks involving the vulnerability are “a bit noisy” and may take thousands of attempts to succeed — allowing defenders to detect and prevent the attacks before they are successful. Wiz echoed that assessment, explaining that successful exploitation “usually takes several hours of login attempts in total.”

    “No need to hit the panic button at this time,” said Ben Lister, threat research engineer at NetSPI.

    “Due to its complexity, it would take an attacker between six hours and a week of persistent effort to successfully exploit the condition and gain a root shell — making it highly unlikely that we’ll experience mass exploitation, as we've seen with similar vulnerabilities. However, organizations should remain proactive and vigilant against the exploit.”

  • Cobalt Strike: International law enforcement operation tackles illegal uses of ‘Swiss army knife’ pentesting tool
    web.archive.org Cobalt Strike: International law enforcement operation tackles illegal uses of ‘Swiss army knife’ pentesting tool

    An international coalition of law enforcement agencies has taken action against hundreds of installations of the Cobalt Strike software, a penetration testing tool notoriously abused by both state-sponsored and criminal hackers involved in the ransomware ecosystem.

    Britain’s National Crime Agency (NCA) announced on Wednesday that it coordinated global action against the tool, tackling 690 IP addresses hosting illegal instances of the software in 27 countries.

    Cobalt Strike, now owned by a company called Fortra, was developed in 2012 to simulate how hackers break into victims’ networks. However, it works so well — easing the processes involved in trying to break into a victim’s network — that pirated versions of the tool have been widely deployed by real malicious actors over the last decade.

    The action comes as law enforcement agencies continue to tackle ransomware gangs by targeting the ecosystem’s weak points — hitting the links in the chain that could have cascading effects, such as the seizure of bulletproof hosting provider LolekHosted.

    Alongside its legitimate users and those in the ransomware space, Cobalt Strike has also been used by hackers linked to the Russian, Chinese and North Korean governments.

    “Since the mid 2010s, pirated and unlicensed versions of the software downloaded by criminals from illegal marketplaces and the dark web have gained a reputation as the ‘go-to’ network intrusion tool for those seeking to build a cyber attack, allowing them to deploy ransomware at speed and at scale,” stated the NCA.

    Most commonly, the unlicensed versions of Cobalt Strike are used in spear phishing emails that aim to install a beacon on the target’s device. This beacon then allows the attacker to profile and remotely access the victim’s network.

    However its multifunctional nature, including a framework for managing the hackers' command and control infrastructure, makes the tool “the Swiss army knife of cybercriminals and nation state actors,” as described by Don Smith, the vice president of threat research at Secureworks Counter Threats Unit.

    “Cobalt Strike has long been the tool of choice for cybercriminals, including as a precursor to ransomware. It is also deployed by nation state actors, e.g. Russian and Chinese – to facilitate intrusions in cyber espionage campaigns. Used as a foothold, it has proven to be highly effective at providing the back door to victims to facilitate intrusions in cyber espionage campaigns,” Smith said.

    According to the NCA, the action tackling the rogue uses of the software took place last week and involved server takedowns as well as sending “abuse notifications” to ISPs to warn them that they could be hosting malware.

    Paul Foster, the director of threat leadership at the NCA, stressed that Cobalt Strike was “a legitimate piece of software,” but that “sadly cybercriminals have exploited its use for nefarious purposes.”

    “Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise,” Foster said.

    “International disruptions like these are the most effective way to degrade the most harmful cyber criminals, by removing the tools and services which underpin their operations,” added the NCA director.

    Despite the law enforcement action, “the threat from ransomware remains omnipresent and whilst this disruption is to be welcomed, criminals and nation state actors will almost certainly have a Plan B,” said Secureworks’ Smith.

    Fortra has pledged to continue to work with law enforcement to identify and remove older versions of its software from the internet. The NCA retracted an earlier statement that the company had released a new version of the software with “enhanced security measures.”

    “Fortra has taken significant steps to prevent the abuse of its software and has partnered with law enforcement throughout this investigation to protect the legitimate use of its tools,” Europol stated.

    “However, in rare circumstances, criminals have stolen older versions of Cobalt Strike, creating cracked copies to gain backdoor access to machines and deploy malware. Such unlicensed versions of the tool have been connected to multiple malware and ransomware investigations, including those into RYUK, Trickbot and Conti.”

  • Ticketmaster discredits dark web claims of stolen barcodes for Taylor Swift concerts
    web.archive.org Ticketmaster discredits dark web claims of stolen barcodes for Taylor Swift concerts

    Ticketmaster shot down claims made on the dark web that hackers have access to working ticket barcodes for several upcoming Taylor Swift concerts and other events.

    On Friday, a hacker allegedly offered for sale event barcodes for Taylor Swift’s Eras Tour concert dates in New Orleans, Miami and Indianapolis.

    The barcodes are typically scanned at the entrance for events. In total, the hacker offered about 170,000 barcodes for sale, with about 20,000 for sale at each show.

    The hacker also threatened Ticketmaster with more leaks if they are not paid $2 million — claiming to have 30 million more barcodes for NFL games, Sting concerts and more.

    A spokesperson for Ticketmaster debunked the claims made in the post in comments to Recorded Future News.

    “Ticketmaster’s SafeTix technology protects tickets by automatically refreshing a new and unique barcode every few seconds so it cannot be stolen or copied,” the spokesperson said.

    “This is just one of many fraud protections we implement to keep tickets safe and secure.”

    The spokesperson also shot down allegations made in media reports that they engaged the hacker in ransom negotiations, saying that they never engaged with the hacker and never offered the person money.

    Ticketmaster’s parent company Live Nation confirmed last month that the company’s account on data storage platform Snowflake had been breached.

    Hackers on the dark web claimed to have a 1.3 terabyte database of information on about 560 million Ticketmaster users that included names, addresses, emails and phone numbers as well as event details and information on specific orders.

    The theft was part of a larger campaign of thefts targeting about 165 customers of Snowflake. Some of the data stolen from those companies was offered for sale by the same hacker behind this most recent post about event barcodes.

  • 'New York Times source code' leaks online via 4chan

    A 4chan user claims to have leaked 270GB of internal New York Times data, including source code, via the notorious image board.

    According to the unnamed netizen, the information includes "basically all source code belonging to The New York Time Company," amounting to roughly 5,000 repositories and 3.6 million files now available for download from peer-to-peer networks. Details on how to get the files were shared by the poster on 4chan.

    While The Register has seen what's said to be a list of files in the purported leak, we have not yet verified the legitimacy of the leak, and the newspaper did not respond to inquiries about the case.

    Of the code listed - whose filenames indicate everything from the blueprints to Wordle to email marketing campaigns and ad reports - "less than 30" are "encrypted," the 4channer claimed. Again, take this with a healthy dose of salt considering the source — an unnamed 4chan user.

    The Register will update this story if and when we receive a response from The Times. But if true, the theft could potentially cause a huge headache for the newspaper, given the list of stolen data. There's a lot of JavaScript and TypeScript in there, judging by the filenames, plus some personal information. It might be largely scraped from the public site, or it might actually be stolen.

    In 2013 The New York Times and other media outlets saw their operations come under attack by a bunch of miscreants calling themselves the Syrian Electronic Army. During these incidents, which occurred over a period of months, readers were unable to visit some publications' websites at times; at other times, pages were defaced by intruders.

    The Register was targeted, too, by the gang in a failed spear-phishing attack. At least one of our vultures was sent an email claiming to be from a senior editor, with a link to a fake copy of our publishing system to phish their credentials; the giveaway was that the message was far too cheery for that editor to be real. It also prompted us to introduce mandatory multi-factor authentication at work.

    A few years later, in 2016, suspected Russian cyber-spies broke into email inboxes belonging to The New York Times and other American news organizations.

  • Developer platform Docker Hub suspends services in Russia
    therecord.media Developer platform Docker Hub suspends services in Russia

    Russian users lost access to Docker Hub — a U.S.-based cloud service used by software developers — and couldn’t access it even through virtual private networks (VPNs), media reports said.

    The U.S. service Docker Hub, widely used for developing software, has suspended its operations in Russia without giving advance notice to local users, according to media reports.

    Russian users lost access to Docker Hub repositories on Thursday and couldn’t access the service even through virtual private networks (VPNs), reported Russian news website Kommersant.

    Developers use the cloud-based platform to store, share and manage their container images — digital packages that include everything needed to run an application.

    Docker Hub stated in a message displayed to those trying to access the platform from Russia that it is blocking services in Cuba, Iran, North Korea, Sudan, Syria and Russian-annexed Crimea to “adhere to U.S. export control rules.” Russia itself wasn’t included in the message.

    At the time of publication, the platform’s operator, Docker Inc., had not responded to a request for comment.

    Russian legal expert Maria Udodova told Kommersant that the blocking could be linked to the new proposed rule introduced by the Department of Commerce in January to protect cloud services from foreign cyberthreats to national security. Recorded Future News couldn’t verify this claim.

    In an interview with Russian media, several local tech businesses complained that due to the blocking, they cannot upload or save their projects from the repository. They said that Docker Hub was popular among Russian companies involved in cybersecurity.

    Following the service suspension, Russian developers took to the Docker Hub forum and Reddit to voice their complaints.

    “It’s not me who invaded Ukraine, it’s not millions of developers and software engineers either, but we have to suffer the consequences. Thanks a lot, Docker!” one user said on Reddit.

    “Please consider keeping Docker Hub available for Russians — they’re oppressed by their own government they didn’t choose. The regime will have access to any technology anyway, and have resources to keep their infrastructure running,” another user wrote on the Docker community forum.

    Industry experts admitted to Kommersant that Docker Hub restrictions could deal a blow to tech businesses, which now have to quickly find an alternative. This is not easy since other similar services, including GitHub, suspended some of their services in Russia when it invaded Ukraine.

    In 2022, Docker said in a statement that the company “stands with Ukraine” and will not do business with Russian and Belarusian businesses or accept payments from these locations during the war.

    The company also said that it removed the ability to purchase and renew Docker subscriptions from Russia and Belarus.

    Slow exits

    The fact that Docker Hub was still generally available in Russia until this week, despite the company’s previous statements, isn’t unusual.

    With the start of the war in Ukraine two years ago, many Western tech firms announced that they would quit the Russian market or suspend selling their products there — either for moral reasons or due to economic sanctions imposed on Russia by the EU or the U.S.

    Big tech companies that served many clients in Russia didn’t exit the market immediately. Only this August, Microsoft, for example, announced that it would stop renewing licenses for its products to Russian companies and would not process payments via wire transfer to local bank accounts.

    In March, Russians received a notification from Microsoft saying that it would suspend access to its cloud services for local users as a result of European sanctions imposed on Russia after its invasion of Ukraine.

    Earlier in January, Czech antivirus developer Avast suspended selling its software in Russia. In the initial months of the war, the company announced that it would stop renewing licenses for its products for Russian and Belarusian users.

  • More than 600,000 routers knocked out in October by Chalubo malware
    therecord.media More than 600,000 routers knocked out in October by Chalubo malware

    In a new report, researchers at Black Lotus Labs described a “destructive” incident between October 25-27 affecting routers made by Sagemcom and ActionTec.

    More than 600,000 routers knocked out in October by Chalubo malware

    A strain of malware named Chalubo wrecked over 600,000 routers for small offices and homes in the U.S. last year.

    In a new report from Lumen Technologies’ Black Lotus Labs, researchers described a “destructive” incident between October 25-27 in which hundreds of thousands of routers made by Sagemcom and ActionTec were rendered permanently inoperable.

    Chalubo was first discovered in 2018 by researchers from Sophos, which said it was used to infect devices and add them to powerful botnets that could perform distributed denial of service (DDoS) attacks.

    Black Lotus Labs did not name the internet service provider (ISP) that deployed the routers but Reuters said an analysis of news coverage indicated it was likely Arkansas-based Windstream, which did not respond to requests for comment.

    Further research revealed that the routers were destroyed by a firmware update sent out to the devices that had already been compromised by Chalubo.

    “At this time, we do not have an overlap between this activity and any known nation-state activity clusters,” the researchers explained. “We assess with high confidence that the malicious firmware update was a deliberate act intended to cause an outage, and though we expected to see a number of router make and models affected across the internet, this event was confined to the single ISP’s autonomous system number (ASN).”

    A survey of complaints on internet forums and outage detectors revealed that most people were complaining about issues with router models Sagemcom F5380, ActionTec T3200s and ActionTec T3260s.

    Users who contacted ActionTec’s support center were told the entire router would need to be replaced. To check whether those models were the only ones affected, the researchers used the internet scanning tool Censys and found that between October 27 and October 28, the number of IP addresses associated with ActionTec devices dropped by 179,000 and the number associated with Sagemcom devices dropped by 480,000.

    Lumen researchers noted that the Chalubo malware family continues to be active and found that more than 330,000 IP addresses communicated with tools connected to the malware, indicating that “while the Chalubo malware was used in this destructive attack, it was not written specifically for destructive actions.”

    'Rural or underserved communities'

    The researchers do not know what exploit was used to gain initial access to compromised devices. They could not find vulnerabilities for the specific models impacted, “suggesting the threat actor likely either abused weak credentials or exploited an exposed administrative interface.”

    “We suspect the threat actors behind this event chose a commodity malware family to obfuscate attribution, instead of using a custom-developed toolkit,” they said.

    The researchers noted that “a sizeable portion of this Internet Service Provider’s service area covers rural or underserved communities,” potentially making recovery more difficult.

    The outage affected “places where residents may have lost access to emergency services, farming concerns may have lost critical information from remote monitoring of crops during the harvest, and health care providers cut off from telehealth or patients’ records,” they said.

    Chalubo is a sophisticated malware family that its creators went to great lengths to conceal. The malicious code removes all of its files and renames itself after something already present on the device.

    All of the communication with command and control (C2) servers is encrypted — which Lumen said contributed to the lack of previous research on the malware.

    There has been significant law enforcement focus this week on malware that affects routers. International law enforcement agencies announced Thursday that they took several of the most influential malware families offline in the “largest ever operation against botnets.”

    The FBI and international partners dismantled another massive botnet on Wednesday that infected more than 19 million IP addresses across 200 countries and was used for years to conceal cybercrime.

  • DHS asked to consider potentially 'devastating’ impact of hacks on rural water systems
    therecord.media DHS asked to consider potentially 'devastating’ impact of hacks on rural water systems

    A bipartisan pair of U.S. House members wants more information from the Department of Homeland Security about a Russia-linked group's attack on a water utility in Texas, as well as cybersecurity protections for water supplies in general.

    DHS asked to consider potentially 'devastating’ impact of hacks on rural water systems

    A bipartisan pair of House lawmakers is pressing for more details about the breach of a water facility in Texas that was carried out by a group with suspected ties to the Russian government.

    In an April 23 letter, Reps. Pat Fallon (R-TX) and Ruben Gallego (D-AZ) asked Homeland Security Secretary Alejandro Mayorkas for a briefing on the January incident, which caused a tank at a water facility in Muleshoe, Texas, to overflow.

    The Google-owned security firm Mandiant later issued a report that said the group purportedly behind the attack, the Cyber Army of Russia, is linked to a Russian state actor, Sandworm — which has gained global notoriety for its past, and present, digital assaults on Ukraine.

    The group has since claimed credit for a cyberattack on an Indiana water plant.

    “As you may know, much of the American West is experiencing a historic, long-term drought that makes fortifying water supplies from vulnerabilities like adversary disruption efforts all the more important,” the duo wrote.

    “Should a hack similar to the Texas incident occur in Arizona or other states that may lack sufficient water supply, it could disrupt operations across the region with devastating effects,” they added.

    The pair asked Mayorkas to answer a series of questions, including what DHS is doing to respond to the incident; how the agency is coordinating with international, state and local partners; and whether it needs additional authorities to protect the nation’s water supply.

    Gallego and Rep. Jim Banks (R-IN) — both of whom are running for Senate — sent a similar letter to Mayorkas late last year after the Iran-linked Cyber Av3ngers group claimed responsibility for striking a water authority in Pennsylvania.

  • NSA staffer who tried, failed to spy for Russia gets 21+ yrs
    www.theregister.com NSA staffer who tried, failed to spy for Russia gets 21+ yrs

    Tried to sell top secret docs for the low, low price of $85K

    NSA staffer who tried, failed to spy for Russia gets 21+ yrs

    A former NSA employee has been sentenced to 262 months in prison for attempting to freelance as a Russian spy.

    In his trial yesterday, Jareh Sebastian Dalke pleaded guilty to six counts of attempted transmission of top-secret info to a foreign agent as announced by the US Department of Justice.

    He had worked at the NSA as an information systems security designer for just under a month from June to July 2022, making quick work of the short period by accumulating top secret documents with national defense information (NDI).

    Between August and September that year, shortly after leaving the NSA, Dalke made contact with a person he thought was a Russian agent. To prove his "legitimate access and willingness to share," he then emailed the apparent spy snippets of three top secret, classified documents with NDI. Dalke then said he'd be willing to sell the full documents and more for just $85k.

    Only there was one problem: he was talking to an undercover FBI agent.

    Dalke and the FBI agent then arranged a time and place to hand over the documents. On September 28, the former NSA worker took his laptop to Union Station in Denver and sent the documents to the FBI agent over the internet. Dalke also included a letter in Russian that said, among other things, "My friends! I am very happy to finally provide this information to you… I look forward to our friendship and shared benefit."

    Of course, the FBI agent was not his friend and the whole thing was a sting operation, and the former NSA employee was arrested just after he sent the classified materials. Dalke pleaded guilty from the outset.

    "This defendant, who had sworn an oath to defend our country, believed he was selling classified national security information to a Russian agent, when in fact, he was outing himself to the FBI," Attorney General Merrick Garland said. "This sentence demonstrates that those who seek to betray our country will be held accountable for their crimes."

    Sentencing law is somewhat complex, but assuming Dalke can't serve any of his counts concurrently and that he doesn't get out early, he'll be getting out in January 2046, and he'll be 53 or 54.

    The NSA employee turned failed Russian informant was remarkably unsuccessful in his attempt to give Russia a helping hand, though it is a little concerning that Dalke had NDI material in his possession at all. The incident isn't unlike the Teixeira leaks from last month, especially since both Dalke and Teixeira were seemingly completely incompetent in leaking info. Maybe the US government should review who gets access to classified materials, as it seems neither person had any real business handling these docs.

  • NATO to launch new cyber center to contest cyberspace 'at all times'
    therecord.media NATO to launch new cyber center to contest cyberspace 'at all times'

    James Appathurai, a senior NATO official, confirmed to Recorded Future News that the new cyber facility will be at the alliance's military headquarters in Mons, Belgium.

    NATO to launch new cyber center to contest cyberspace 'at all times'

    NATO will establish a new cyber center at its military headquarters in Mons, Belgium, a senior official confirmed to Recorded Future News on Wednesday. The new facility, details about which have not previously been reported, marks the fruition of a significant doctrinal shift in how the alliance approaches operations in cyberspace.

    The shift, as officially set out in NATO’s Strategic Concept (2022), states that “cyberspace is contested at all times,” meaning it cannot just be a concern for the military alliance during moments of crisis or conflict. NATO needs to constantly engage with adversaries on computer networks — not just when Article 4 or Article 5 are triggered by allies.

    Although allies last year endorsed the creation of a NATO cyber center during the cyber defense conference in Berlin, at that time the exact plan was unclear. Suggestions ranged from an institution that would help develop cyber competencies among allies through to a tactical-level command for combined operations, similar to NATO’s maritime (MARCOM), air (AIRCOM), and land (LANDCOM) command centers.

    Speaking to Recorded Future News at the ENISA Cybersecurity Policy Conference in Brussels, James Appathurai, NATO’s deputy assistant secretary general for innovation, hybrid and cyber, said the structural changes that are being made flow from that doctrine about cyberspace. He said the model for the center was the United Kingdom’s National Cyber Security Centre — where civilian experts could work alongside those from industry, the military, and NATO’s political corps — to address potential threats.

    The working name for the new facility is the NATO Integrated Cyber Centre (NICC).

    The idea is that the NICC would physically co-locate personnel in Mons to provide the Supreme Allied Commander Europe (SACEUR) — effectively NATO’s most senior military official, historically always a senior U.S. military officer — with 24/7 visibility over both NATO enterprise networks and other networks beyond them where incidents could affect military operations in Europe.

    SACEUR “needs to have visibility over what cyberspace looks like for him at all times. That’s the logic behind this, and that’s where we will get to in time for the summit, which is in only a few weeks,” explained Appathurai.

    Delivering his keynote to the conference, Appathurai said: “For example, a port in Europe has been under a sustained cyberattack to try to lock the locks. So we have ships transiting through, [the attackers] try to lock it and drain the water to drop the ship inside of the lock, which would damage the ship and block the port.”

    Appathurai did not name the port and did not confirm the port when asked by Recorded Future News. But for a major seaport such as Rotterdam, the potential impact of such an attack could severely disrupt the supply of critical military and civilian materiel. Officials in the United States are warning that cyberattacks pose a significant threat to ports.

    “There is a lot more risk and a lot more capabilities out there. So what are we doing about it? First we have to recognise and act on it,” said Appathurai.

    “We need to break down, in the NATO sense, bureaucratic barriers. For us, we have the military, we have the civilians, we have the intelligence world, we have industry. We are working on bringing them all together.

    “I would commend for an example the U.K. National Cyber Security Centre, where they have everybody together in one building, with a less secure and then a more secure tier. And industry is there full-time with everybody else, with information on their networks, providing it and receiving intelligence or other forms of support. So aggregating what is disaggregated, and breaking down the barriers between the two,” he said.

    No delineation between peacetime and conflict

    Acknowledging that “cyberspace is contested at all times” was “the most fundamental shift we’ve made in the last year,” said Appathurai. “Allies have now codified the understanding that unlike in other environments, you cannot have a clear delineation between peacetime, crisis, and conflict [in cyberspace].”

    The concept is a comfortable one for some of NATO’s more mature cyber powers, particularly the United States, which has proactively conducted what it calls persistent engagement for a number of years — alongside similar operational activities by the United Kingdom and the Netherlands.

    But among some allies, the prescription that the concept calls for — engaging with adversaries in cyberspace — remains controversial. Appathurai said that key to understanding the prescription, and to understanding the risk facing Europe in general, was the conflict in Ukraine.

    “It’s really important that people understand how important cyberdefense has been for Ukrainians. Without it, their military command and control wouldn’t work. Their civilian communications would not work. They would not have banks operating and providing people money. People wouldn’t know where to go and what to do when something happens. And President Zelensky would not be on the air motivating us to provide weapons — which we need to do faster — helping his people to have courage in this situation.”

    Cyberdefense “underpins everything in our doctrine,” said the NATO official. This was also why the new cyber center would not be a command in the style of MARCOM or LANDCOM, because cyber underpins the other domains.

    The ultimate structure of the center hasn’t been finalized, Appathurai told Recorded Future News, explaining that the plan was to get everything completed ahead of the summit in Washington in July, adding that “literally this morning was another meeting of our committee that’s looking at our political-military advice.”

    “The direction we’ve already been given is clear, that we have to integrate political and military tools to give us a better picture of military and civilian networks, that this should be for deterrence and defense, so that’s very much the framework in which it’s in,” he explained.

    “But also that this will parallel and complement a separate track of decisions that we’re taking in time for the summit, to give NATO a stronger role when it comes to, for example, enforcing cyber norms when it comes to allies, allies being able to work in other international bodies, to strengthen standards. So there’s a political aspect that will be strengthened as well as this very practical center, or whatever we end up calling it.”

    “We’re working on the mechanics of the center. How exactly staff will relate to each other, who exactly, which parts exactly, but this is all mechanics and it can be worked out so there’s no problem there. So I’m actually 100% confident that we will arrive at a good solution.

    “Then there’s the implementation. That’s always a bureaucratic struggle, but we’ll get through it, and we’ll get through it pretty fast because it’s NATO and you can give orders,” he said.

  • Tool finds new ways to exploit Spectre holes in Intel CPUs

    Intel CPU cores remain vulnerable to Spectre data-leaking attacks, say academics at VU Amsterdam.

    We're told mitigations put in place at the software and silicon level by the x86 giant to thwart Spectre-style exploitation of its processors' speculative execution can be bypassed, allowing malware or rogue users on a vulnerable machine to steal sensitive information – such as passwords and keys – out of kernel memory and other areas of RAM that should be off limits.

    The boffins say they have developed a tool called InSpectre Gadget that can find snippets of code, known as gadgets, within an operating system kernel that on vulnerable hardware can be abused to obtain secret data, even on chips that have Spectre protections baked in.

    InSpectre Gadget was used, as an example, to find a way to side-step FineIBT, a security feature built into Intel microprocessors intended to limit Spectre-style speculative execution exploitation, and successfully pull off a Native Branch History Injection (Native BHI) attack to steal data from protected kernel memory.

    "We show that our tool can not only uncover new (unconventionally) exploitable gadgets in the Linux kernel, but that those gadgets are sufficient to bypass all deployed Intel mitigations," the VU Amsterdam team said this week. "As a demonstration, we present the first native Spectre-v2 exploit against the Linux kernel on last-generation Intel CPUs, based on the recent BHI variant and able to leak arbitrary kernel memory at 3.5 kB/sec."

    A quick video demonstrating that Native BHI-based attack to grab the /etc/shadow file of usernames and hashed passwords out of RAM on a 13th-gen Intel Core processor is below. We're told the technique, tagged CVE-2024-2201, will work on any Intel CPU core.

    The VU Amsterdam team — Sander Wiebing, Alvise de Faveri Tron, Herbert Bos and Cristiano Giuffrida — have now open sourced InSpectre Gadget, an angr-based analyzer, plus a database of gadgets found for Linux Kernel 6.6-rc4 on GitHub.

    "Our efforts led to the discovery of 1,511 Spectre gadgets and 2,105 so-called 'dispatch gadgets,'" the academics added. "The latter are very useful for an attacker, as they can be used to chain gadgets and direct speculation towards a Spectre gadget."

    These numbers suggest a "nontrivial attack surface," said the researchers, who pointed to an Intel security advisory that includes updated software-level mitigations for these kinds of Native BHI attacks.

    As we understand things, Intel in 2022 addressed BHI attacks with hardware and software-level protections as well as recommendations like not allowing unprivileged eBPF use.

    Now an updated exploit, dubbed Native BHI, was developed using InSpectre Gadget that defeats those defense mechanisms, leading to the x86 titan issuing updated advice for developers and patches for the Linux kernel to block exploitation of CVE-2024-2201 – we assume other operating systems will need fixing up, too.

    "External academic researchers reported new techniques to identify BHI sequences that could allow a local attacker who can already execute code to possibly infer the contents of Linux kernel memory," an Intel spokesperson told The Register today.

    "Intel has previously shared mitigation guidance for BHI and intra-mode BTI attacks. In light of this new report, Intel is releasing updated guidance to assist in broader deployment of these mitigations."

    AMD and Arm cores are not vulnerable to Native BHI, according to the VU Amsterdam team. AMD has since confirmed this in an advisory.

    History lesson

    InSpectre Gadget, and the related research and Native BHI exploit, builds on the boffins' earlier work exploiting the Spectre variant BHI.

    Spectre emerged in public in early 2018, alongside the related Meltdown design blunder, which The Register first reported. Over the years several variants of Spectre have been found, prompting engineers to shore up the security around performance-boosting speculative execution units.

    After the aforementioned steps were taken to shut down BHI-style attacks, "this mitigation left us with a dangling question: 'Is finding 'native' Spectre gadgets for BHI, ie, not implanted through eBPF, feasible?'" the academics asked.

    The short answer is yes. A technical paper [PDF] describing Native BHI is due to be presented at the USENIX Security Symposium.

  • Apple notifies users in 92 countries about mercenary spyware attacks
    therecord.media Apple notifies users in 92 countries about mercenary spyware attacks

    Apple also updated its support page, explaining how the threat notifications work and what targeted users should do if they receive one.

    Apple notifies users in 92 countries about mercenary spyware attacks

    Apple has sent a new batch of threat notifications to users in 92 countries who may have been targeted by mercenary spyware attacks, according to several media reports.

    The alerts were sent on Wednesday, warning users that attackers tried to remotely compromise their iPhones. On the same day, Apple also updated its support page, explaining how threat notifications work and what targeted users should do if they receive one.

    In previous alerts, the company described such incidents as “state-sponsored,” but according to its updated policy, it will now refer to them as “mercenary spyware attacks.” Common sources of spyware include private companies such as NSO Group and Cytrox.

    According to Reuters, Apple's removal of the term "state-sponsored" from its description of threat notifications comes after it repeatedly faced pressure from the Indian government because of linking such breaches to nation-state actors. Sources told Reuters that Apple held extensive talks with Indian officials before releasing the latest set of alerts.

    Spyware attacks affect a very small number of specific individuals — often journalists, activists, politicians, and diplomats — and are extremely costly, sophisticated and hard to detect, Apple explained. Since 2021, the company has sent threat notifications to users in over 150 countries.

    Apple didn't reveal who was on the list of targets in the latest set of alerts, but sources told The Economic Times, an Indian English-language newspaper, that Indian users were among those included.

    Last October, Apple warned over half a dozen Indian lawmakers from Prime Minister Narendra Modi’s main opposition party about spyware attacks. These attacks were reportedly part of an espionage campaign preceding this year’s general elections, held in seven phases between April 19 and June 1.

    The company stated that it relies solely on internal threat intelligence to detect such attacks. Other organizations, such as the Canada-based Citizen Lab, also produce reports about spyware infections on Apple devices.

    “Although our investigations can never achieve absolute certainty, Apple threat notifications are high-confidence alerts that a user has been individually targeted by a mercenary spyware attack, and should be taken very seriously,” the company said in an update.

    Apple typically notifies users multiple times a year in two ways: by displaying an alert at the top of the page after the user signs into their Apple ID, or by sending an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.

    The company said that it cannot provide more information about what causes the company to send this notification, as that may help attackers adapt their behavior to evade detection in the future.

    Earlier in February, Poland’s prime minister stated that he had uncovered documents confirming that the prior administration illegally deployed Pegasus spyware. Poland’s investigators claimed that the country’s 2019 elections were unfair due to the deployment of Pegasus, which is sold to governments worldwide by the Israel-based NSO Group. The company says it only supports lawful use of its products.

    In September, the phones of prominent Russian journalists and critics of the Kremlin were infected with Pegasus spyware. Among the targets was Galina Timchenko, owner of the Russian independent media outlet Meduza.

    She was infected with Pegasus while in Berlin for a private conference with other Russian independent journalists living in exile. This marked the first documented case of a Pegasus infection targeting a Russian citizen.

  • Palo Alto Networks warns of zero-day in VPN product
    therecord.media Palo Alto Networks warns of zero-day in VPN product

    The company released an advisory about a vulnerability in the popular GlobalProtect VPN product that was unknown to security researchers until this week.

    Palo Alto Networks warns of zero-day in VPN product

    Cybersecurity giant Palo Alto Networks is alerting customers that a zero-day vulnerability in its firewall tool is being exploited by hackers.

    The company released an advisory on Friday morning about CVE-2024-3400 — a vulnerability in the popular GlobalProtect VPN product that was unknown to researchers until this week. The bug carries the highest possible severity score, 10.

    Palo Alto Networks said that it “is aware of a limited number of attacks that leverage the exploitation of this vulnerability.”

    The company did not respond to requests for comment about how many customers were affected, where they are based or who was behind the attacks.

    A patch will be available to customers by Sunday, the advisory said. In the meantime, Palo Alto Networks provided several mitigations customers can take to protect themselves.

    The bug was discovered by researchers at cybersecurity firm Volexity. That company’s president, Steven Adair, said Friday on social media that it discovered the initial attacks two days ago.

    The Cybersecurity and Infrastructure Security Agency (CISA) added the GlobalProtect flaw to its list of known exploited vulnerabilities almost immediately, signaling urgency in the need for federal agencies to patch the bug.

    In a rare move, CISA gave federal civilian agencies just seven days to apply mitigations, a shortened timeline compared to the three weeks given to most bugs.

    VPN products have become frequent targets for attack by threat actors in recent years due to the expansion of remote work and the widespread use of the tools among governments.

    Palo Alto was previously hit in 2022 by a vulnerability in its firewall product that was used in a distributed denial-of-service (DDoS) attack.

  • Current and former Polish officials face probe of alleged spyware abuse
    therecord.media Current and former Polish officials face probe of alleged spyware abuse

    Prosecutors have identified more than 30 possible victims of spyware use in an operation that was aimed against opposition party members.

    Current and former Polish officials face probe of alleged spyware abuse

    Polish prosecutors are now actively building a case against current and former government officials believed to have deployed powerful commercial spyware against opposition party members and their allies in a rapidly unfolding spyware investigation.

    In recent days, prosecutors have asked 31 victims whom they believe were likely targeted by Pegasus spyware to share their stories. Senior government officials have said the investigation could lead to arrests.

    A probe into abuse of powers and dereliction of duties began on March 18 and is homing in on how officials used Pegasus from 2017 to 2022, according to Polish news reports citing a spokesperson for the prosecutor’s office.

    The prior Polish ruling party, known as Law and Justice (PiS), is said to have targeted opposition leaders and others with the spyware, including amid the country’s election season. The spyware scandal has rocked the country since it first came to light in December 2021.

    In September, Poland's Senate released the results of a special commission’s probe into the spyware’s usage, paying particular attention to the hack of an opposition politician in 2019, describing "gross violations of constitutional standards.”

    The commission revealed at the time that it had alerted prosecutors to the potential for criminal charges against former and current Polish ministers for using or abetting the use of spyware.

    Current Polish President Andrzej Duda is a former PiS member who is thought to remain loyal to the party, but the country has elected the leader of a different and more centrist party, Donald Tusk, as its new prime minister. Duda has served as president since 2015.

    Tusk, who became prime minister in December, said in February that he can prove state authorities used the powerful spyware to monitor a “very long” list of individuals.

    The prime minister also revealed at the time that he had found documents which “confirm 100%” the prior administration illegally used Pegasus, according to local news reporting at the time.

    Spyware has long been a scourge in Europe with prior scandals enveloping Spain, Greece, Hungary and Serbia. Mercenary spyware is also used on a global scale. On Wednesday, Apple sent alerts to users in 92 countries, warning they may have been targeted by foreign commercial surveillance tools like Pegasus, primarily through attempts to compromise iPhones from afar.

    John Scott-Railton, a security researcher at the Canada-based Citizen Lab who helped surface the Polish spyware problem, said he is watching the proceedings carefully.

    “Poland has gone from being a troubling centerpiece in EU spyware scandals to showing clear signs of a concerted effort towards accountability,” Scott-Railton said via text message, citing the country’s recent decision to join a White House-led coalition of 17 countries working to fight the spread and use of spyware. “The recent developments would have been deeply unthinkable until the election.”

    He added that Poland’s quest for accountability has “already gone further than most investigations in the EU.”

    Scott-Railton said the fact that opposition party leader Krzysztof Brejza was hit with Pegasus during parliamentary elections in which he played a key role in setting strategy is an “ominous sign of potential election interference.”

    The Polish scandal and the aftermath of its investigation will send an important signal across the continent, he said.

    “As authoritarianism grows and dangers to EU democracy fueled by Russia increase, ensuring that European democracies are free from the danger of spyware abuse could not be more critical,” he said.

    A second expert, white-hat hacker Runa Sandvik, said the 31 victims called to appear as witnesses may represent just a small fraction of the total scale of spyware abuse in Poland.

    “It’s important to remember that this number — 31 — is the number the National Prosecutor’s Office has decided to release,” said Sandvik, who founded Granitt, a startup focused on helping journalists, human rights activists and other vulnerable populations targeted by spyware.

    Sandvik said she believes the Polish government also likely used spyware to investigate crime, corruption and terrorism meaning the total number of people hit with Pegasus could be much higher.

    “The number on its own does not tell us how many people were targeted, or for what purpose,” Sandvik said via email. “I hope the investigation will help shed some light on this.”

    0
  • AI bots hallucinate software packages and devs download them

    Several big businesses have published source code that incorporates a software package previously hallucinated by generative AI.

    Not only that but someone, having spotted this reoccurring hallucination, had turned that made-up dependency into a real one, which was subsequently downloaded and installed thousands of times by developers as a result of the AI's bad advice, we've learned. If the package was laced with actual malware, rather than being a benign test, the results could have been disastrous.

    According to Bar Lanyado, security researcher at Lasso Security, one of the businesses fooled by AI into incorporating the package is Alibaba, which at the time of writing still includes a pip command to download the Python package huggingface-cli in its GraphTranslator installation instructions.

    There is a legit huggingface-cli, installed using pip install -U "huggingface_hub[cli]".

    But the huggingface-cli distributed via the Python Package Index (PyPI) and required by Alibaba's GraphTranslator – installed using pip install huggingface-cli – is fake, imagined by AI and turned real by Lanyado as an experiment.

    He created huggingface-cli in December after seeing it repeatedly hallucinated by generative AI; by February this year, Alibaba was referring to it in GraphTranslator's README instructions rather than the real Hugging Face CLI tool.

    Study

    Lanyado did so to explore whether these kinds of hallucinated software packages – package names invented by generative AI models, presumably during project development – persist over time and to test whether invented package names could be co-opted and used to distribute malicious code by writing actual packages that use the names of code dreamed up by AIs.

    The idea here being that someone nefarious could ask models for code advice, make a note of imagined packages AI systems repeatedly recommend, and then implement those dependencies so that other programmers, when using the same models and getting the same suggestions, end up pulling in those libraries, which may be poisoned with malware.

    Last year, through security firm Vulcan Cyber, Lanyado published research detailing how one might pose a coding question to an AI model like ChatGPT and receive an answer that recommends the use of a software library, package, or framework that doesn't exist.

    "When an attacker runs such a campaign, he will ask the model for packages that solve a coding problem, then he will receive some packages that don’t exist," Lanyado explained to The Register. "He will upload malicious packages with the same names to the appropriate registries, and from that point on, all he has to do is wait for people to download the packages."

    Dangerous assumptions

    The willingness of AI models to confidently cite non-existent court cases is now well known and has caused no small amount of embarrassment among attorneys unaware of this tendency. And as it turns out, generative AI models will do the same for software packages.

    As Lanyado noted previously, a miscreant might use an AI-invented name for a malicious package uploaded to some repository in the hope others might download the malware. But for this to be a meaningful attack vector, AI models would need to repeatedly recommend the co-opted name.

    That's what Lanyado set out to test. Armed with thousands of "how to" questions, he queried four AI models (GPT-3.5-Turbo, GPT-4, Gemini Pro aka Bard, and Command [Cohere]) regarding programming challenges in five different programming languages/runtimes (Python, Node.js, Go, .Net, and Ruby), each of which has its own packaging system.

    It turns out a portion of the names these chatbots pull out of thin air are persistent, some across different models. And persistence – the repetition of the fake name – is the key to turning AI whimsy into a functional attack. The attacker needs the AI model to repeat the names of hallucinated packages in its responses to users for malware created under those names to be sought and downloaded.

    Lanyado chose 20 questions at random for zero-shot hallucinations, and posed them 100 times to each model. His goal was to assess how often the hallucinated package name remained the same. The results of his test reveal that names are persistent often enough for this to be a functional attack vector, though not all the time, and in some packaging ecosystems more than others.

    With GPT-4, 24.2 percent of question responses produced hallucinated packages, of which 19.6 percent were repetitive, according to Lanyado. A table provided to The Register, below, shows a more detailed breakdown of GPT-4 responses.

    With GPT-3.5, 22.2 percent of question responses elicited hallucinations, with 13.6 percent repetitiveness. For Gemini, 64.5 percent of questions brought invented names, some 14 percent of which repeated. And for Cohere, it was 29.1 percent hallucination, 24.2 percent repetition.

    Even so, the packaging ecosystems in Go and .Net have been built in ways that limit the potential for exploitation by denying attackers access to certain paths and names.

    "In Go and .Net we received hallucinated packages but many of them couldn't be used for attack (in Go the numbers were much more significant than in .Net), each language for its own reason," Lanyado explained to The Register. "In Python and npm it isn't the case, as the model recommends us with packages that don’t exist and nothing prevents us from uploading packages with these names, so definitely it is much easier to run this kind of attack on languages such Python and Node.js."

    Seeding PoC malware

    Lanyado made that point by distributing proof-of-concept malware – a harmless set of files in the Python ecosystem. Based on ChatGPT's advice to run pip install huggingface-cli, he uploaded an empty package under the same name to PyPI – the one mentioned above – and created a dummy package named blabladsa123 to help separate package registry scanning from actual download attempts.

    The result, he claims, is that huggingface-cli received more than 15,000 authentic downloads in the three months it has been available.

    "In addition, we conducted a search on GitHub to determine whether this package was utilized within other companies' repositories," Lanyado said in the write-up for his experiment.

    "Our findings revealed that several large companies either use or recommend this package in their repositories. For instance, instructions for installing this package can be found in the README of a repository dedicated to research conducted by Alibaba."

    Alibaba did not respond to a request for comment.

    Lanyado also said that there was a Hugging Face-owned project that incorporated the fake huggingface-cli, but that was removed after he alerted the biz.

    So far at least, this technique hasn't been used in an actual attack that Lanyado is aware of.

    "Besides our hallucinated package (our package is not malicious it is just an example of how easy and dangerous it could be to leverage this technique), I have yet to identify an exploit of this attack technique by malicious actors," he said. "It is important to note that it’s complicated to identify such an attack, as it doesn’t leave a lot of footsteps."
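    The defensive counterpart to the experiment described above is to treat install instructions as untrusted input: parse every `pip install` line, normalise the requested names the way the index does, and flag anything not on a reviewed allowlist. The script below is an added example, not Lasso Security's, Alibaba's or Hugging Face's code; the README text and the allowlist are constructed for illustration. It shows why the real `huggingface_hub[cli]` (package `huggingface_hub` with extra `cli`) passes while the invented `huggingface-cli` is reported.

```python
"""Flag package names in pip install instructions that are not on a known-good list.

Added example, not code from the article or from any project it names. The
README excerpt and the allowlist below are constructed for illustration.
"""
import re
import shlex
from typing import List, Optional, Set, Tuple

# PEP 503 normalisation: names are case-insensitive and runs of '-', '_' and '.'
# are equivalent, so "Huggingface_Hub" and "huggingface-hub" are the same project.
def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()

# A requirement string may carry extras ("[cli]") and version specifiers (">=2.0");
# only the leading project name identifies the package on the index.
_REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def requirement_name(req: str) -> Optional[str]:
    m = _REQ_NAME.match(req)
    return normalize(m.group(1)) if m else None

_PIP_INSTALL = re.compile(r"\bpip3?\s+install\b(.*)")

# Options that consume the following token; that token is a file or URL, not a package.
_OPTS_WITH_ARG = {"-r", "--requirement", "-c", "--constraint", "-e", "--editable",
                  "-i", "--index-url", "--extra-index-url", "-f", "--find-links"}

def packages_in_line(line: str) -> List[str]:
    """Return normalised package names requested by a `pip install` command on one line."""
    m = _PIP_INSTALL.search(line)
    if not m:
        return []
    names = []
    skip_next = False
    for tok in shlex.split(m.group(1)):  # shlex keeps quoted "huggingface_hub[cli]" intact
        if skip_next:
            skip_next = False
            continue
        if tok in _OPTS_WITH_ARG:
            skip_next = True
            continue
        if tok.startswith("-"):
            continue  # flags such as -U / --upgrade / --no-cache-dir
        name = requirement_name(tok)
        if name:
            names.append(name)
    return names

def unknown_packages(text: str, allowlist: Set[str]) -> List[Tuple[int, str]]:
    """Return (line number, package) pairs for requested names absent from the allowlist."""
    allowed = {normalize(p) for p in allowlist}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pkg in packages_in_line(line):
            if pkg not in allowed:
                findings.append((lineno, pkg))
    return findings

# Constructed README excerpt: line 2 installs the genuine Hugging Face CLI, line 4
# the name the article reports as hallucinated.
README = """\
## Install
pip install -U "huggingface_hub[cli]"
pip install torch transformers
pip install huggingface-cli
"""

# Constructed allowlist of packages the project has actually reviewed.
ALLOWLIST = {"huggingface_hub", "torch", "transformers"}

def demo() -> List[Tuple[int, str]]:
    return unknown_packages(README, ALLOWLIST)

if __name__ == "__main__":
    for lineno, pkg in demo():
        print(f"line {lineno}: '{pkg}' is not on the allowlist")
```

    The scan is line-based, so run it over install sections or CI-generated docs rather than free prose; a CI job that fails on any finding is enough to catch a README that starts recommending a name nobody on the team has vetted.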

    1
  • Meta allegedly snooped on Snapchat via traffic decryption

    To spy on rival Snapchat and get data on how the app was being used, Meta – when it was operating as Facebook – allegedly initiated a program called Project Ghostbusters, which intercepted data traffic from mobile apps. And it used that data to harm its competitors' ad business.

    The name of the program was "an apparent reference to Snapchat's corporate logo, a white ghost on a yellow background," according to a recently unsealed court document [PDF].

    Project Ghostbusters was run by Onavo, acquired by Facebook in 2013 and described by the US Federal Trade Commission as a "user surveillance company." Onavo offered a notional VPN service that was shut down in 2019 for – ironically – its lack of privacy.

    The Snapchat data-interception scheme is described in that newly unsealed court document as a "man-in-the-middle" approach, in which Facebook essentially paid people to snoop on their mobile phones.

    Facebook ran low-key studies with groups of willing participants – from teenagers to adults – who were rewarded for installing an Onavo-made research app that monitored their smartphone usage [PDF] to give the tech giant a better idea of how folks used their devices. That app, it's alleged, installed a root Certificate Authority allowing Facebook to intercept and analyze panel participants' internet usage.

    Not only did it enable Facebook to issue itself digital certificates to intercept people's encrypted SSL/TLS connections, it also quietly redirected Snapchat analytics traffic (and subsequently Amazon and YouTube analytics) to Onavo's servers. Once there, the data could be decrypted and analyzed for commercial gain, then re-encrypted and passed back to Snapchat without the pic-sharing app maker's knowledge, according to the complaint.

    If this sounds familiar, it's because that's why the Onavo VPN was ultimately shut down: the team behind it built Facebook's own research apps that snaffled panel participants' internet usage data. And when this all came to light in 2019 and sparked outrage, the tech giant was forced to pull the plug on the operation.

    It's all part of a four-year-old lawsuit [PDF] brought against Meta in California by Facebook advertisers who allege, among other things, that Meta/Facebook's anticompetitive behavior – including data interception and arrangements with other companies – increased prices for ads and harmed competition.

    That suit was filed six days before the US Federal Trade Commission sued Facebook [PDF] on December 9, 2020 alleging years of anticompetitive conduct to monopolize the social media advertising market. Both lawsuits remain ongoing, with the advertiser case likely to reach trial by 2025 if there's no prior settlement.

    In a June 9, 2016 email, surfaced by the advertisers' legal challenge, Facebook CEO Mark Zuckerberg directed Alex Schultz, presently chief marketing officer and VP of analytics, and COO Javier Olivan, to figure out how to get reliable analytics from Snapchat – which had become a serious competitive threat in the eyes of some executives.

    In a letter [PDF] to Judge James Donato, dated May 31, 2023, the plaintiffs' co-lead counsel Brian J Dunne explained: "In July 2016, the Onavo team's proposed solution was presented to senior management, including now-COO Javier Olivan: Facebook developed 'kits' that can be installed on iOS and Android that intercept traffic for specific sub-domains, allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage."

    The passage Dunne quoted about the "kits" is from an email that Danny Ferrante – then director of core data science and growth research at Facebook – wrote to Olivan. The email went on to describe how Facebook planned to distribute these kits under other brands in a way that wouldn't reveal the involvement of The Social Network™️.

    "Our plan is to work with a third party – like GFK, SSI, YouGov, uTest, etc – who will recruit panelists and distribute kits under their own branding," the email read. "We already have proposals from several of these providers. The panelists won't see Onavo in the NUX [new user experience] or in the phone settings. They could see Onavo using specialized tools (eg Wireshark)."

    It's claimed this data collection scheme was one element in a larger initiative – described as Facebook's In-App Action Panel (IAAP) program – which allegedly ran from June 2016 through May 2019. As a note cited in Dunne's letter observed, the Android research app, for example, "currently includes SSL decryption giving us the capability to read all traffic on device."

    "The company’s highest-level engineering executives thought the IAAP Program was a legal, technical, and security nightmare," wrote Dunne in a June 15, 2023 letter [PDF]. He cited remarks to this effect attributed to Pedro Canahuati, then-head of security engineering: "I can’t think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn't know how this stuff works."

    Nonetheless, according to Dunne's May letter, during this period Facebook "expanded its IAAP program to also intercept, decrypt, and analyze encrypted analytics from YouTube and Amazon."

    Dunne argued that on the evidence Meta/Facebook's actions should be considered criminal wiretapping. "Meta's IAAP program didn't just harm competition, but criminally violated 18 U.S.C. § 2511(1)(a) and (d) by intentionally intercepting SSL-protected analytics traffic addressed to secure Snapchat, YouTube, and Amazon servers," he explained in a footnote.

    In a separate letter [PDF], Dunne alleged that Meta's IAAP competitive intelligence program – which may also have captured Twitter data – raised prices for advertisers.

    "The intelligence Meta gleaned from this project was described both internally and externally as devastating to Snapchat's ads business," he wrote, "allowing Meta to hike North American ad prices companywide 60 percent between 2016 and 2018."

    Meta's use of machine learning and AI is also "central" to the advertisers' case, according to another unsealed letter [PDF] from attorney Yavar Bathaee of Bathaee Dunne LLP.

    "Advertisers will prove at trial, among other things, that Meta (a) changed the data sources for its neural network models as part of agreements with eBay and with Netflix, including in ways that were technically and economically irrational but for the anticompetitive effect of the agreements; (b) gathered and integrated signals/features/user data from across its business, including from WhatsApp and Instagram, into F3 [an internal AI data repository], all while contemporaneously misleading the FTC to avoid divestiture; and (c) used sensitive data deceptively taken from users' mobile devices to validate Meta's offsite identity-matching AI/ML systems."

    The claim here is that Meta was not only tracking online activities but using its AI systems to identify people.

    0
  • GoFetch exploit can't be disabled on Apple's M1 and M2 chips
    go.theregister.com GoFetch exploit can't be disabled on Apple's M1 and M2 chips

    For now, cryptographic work should be run on slower Icestorm cores

    The GoFetch vulnerability found on Apple M-series and Intel Raptor Lake CPUs has been further unpacked by the researchers who first disclosed it.

    GoFetch is a security exploit that takes advantage of data memory-dependent prefetchers (DMPs), not unlike speculative execution vulnerabilities such as Spectre. Essentially, data can be leaked out of a core's cache when DMP is enabled, creating a potential attack vector for hackers.

    DMPs are present on all Apple M-series CPUs and Intel's Raptor Lake processors, and the dedicated website for GoFetch now shows exactly how the exploit is carried out. Within minutes (the footage is sped up so it's hard to say exactly how many), 560 bits of data were leaked from an RSA-protected server.

    The GoFetch exploit isn't earth-shattering, as it's in a similar vein to Spectre, Meltdown, and other vectors that rely on a CPU's performance-boosting prediction features. Normally, there are software-based patches for chips that have hardware-level exploits, and usually that just involves disabling the speculative feature (and thus decreasing performance), but in the case of M1 and M2 CPUs, researchers say that's not possible.

    The researchers address the common question of whether DMP can be disabled, explaining that yes, but only on some processors. "We observe that the DIT bit set on M3 CPUs effectively disables the DMP. This is not the case for the M1 and M2." So, GoFetch can be solved with a software patch for M3 and Raptor Lake CPUs, but not for M1 and M2 chips since DMP will run no matter what.

    It's never good when a feature that increases performance has to be disabled because it leaks potentially sensitive data, but not being able to disable that feature at all is even worse. One workaround is to just blind the DMP to sensitive data whenever it's being stored to or loaded from memory, but the GoFetch paper [PDF] says this would require broad code rewrites and performance penalties in some cases.

    However, there is one workaround that doesn't require any code rewrites. Like many modern CPUs, Apple's M-series have two types of cores: big Firestorm cores and little Icestorm cores. The DMP-based GoFetch exploit only works on Firestorm cores, including for M1 and M2 CPUs, and the GoFetch paper suggests all cryptographic work should solely be run on the Icestorm cores for the time being. Running anything on the efficiency-focused Icestorm cores is bound to be slower, but at least it should be secure.

    Even this approach might not be foolproof though. If Apple comes out with a future M processor with DMP enabled in its efficiency cores, then there's nowhere that code can be run without potentially exposing sensitive data. Of course, given that DMP is not entirely secure, we'd hope that Apple either fixes it, removes it, or finds an alternative feature before making its next generation CPUs even more vulnerable.

    0
  • The xz package (used by SSHD) has been backdoored

    The upstream release tarballs for xz version 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

    ArchLinux and most rolling release distros are affected.

    Debian Testing/Sid/Experimental are affected, Debian Stable ISN'T AFFECTED.

    Short summary by the ArchLinux team: https://archlinux.org/news/the-xz-package-has-been-backdoored/

    Your distro should have a blog post/message to tell you what to do, either update (if they provide an updated version) or downgrade to a known-good version.

    Analysis: https://www.openwall.com/lists/oss-security/2024/03/29/4

    More info: https://archlinux.org/news/the-xz-package-has-been-backdoored/ https://lists.debian.org/debian-security-announce/2024/msg00057.html https://github.com/tukaani-project/xz/issues/92

    0
  • China Planted Mystery Devices On Cranes Used In US Ports, Could Seize Control Remotely: Congressional Letter
    www.zerohedge.com China Planted Mystery Devices On Cranes Used In US Ports, Could Seize Control Remotely: Congressional Letter

    The lawmakers say that numerous modems with no known function were uncovered from ship-to-shore (STS) cranes, which are used to unload cargo at the nation’s largest ports.

    All of the cranes in question were manufactured by Shanghai Zhenhua Heavy Industries (ZPMC), a subsidiary of the state-owned China Communications Construction Co.

    Relatedly, the lawmakers noted that ZPMC’s manufacturing facility is located adjacent to China’s most advanced ship-making facility, where the regime builds its aircraft carriers and houses advanced intelligence capabilities.

    In a letter (pdf) addressed to the president and chairman of ZPMC, the lawmakers demand to know the purpose of the cellular modems discovered on crane components and in a U.S. seaport’s server room that houses firewall and networking equipment.

    “These components do not contribute to the operation of the STS cranes or maritime infrastructure and are not part of any existing contract between ZPMC and the receiving U.S. maritime port,” the letter said.

    “The Committees have serious concerns that this proximity to the [Chinese military’s] main shipyard provides malicious CCP [Chinese Communist Party] entities, including its intelligence agencies and security services, with ample opportunity to modify U.S.-bound maritime equipment, exploit it to malfunction, or otherwise facilitate cyber espionage thereby compromising U.S. maritime critical infrastructure.”

    U.S. Coast Guard Rear Adm. John Vann, who leads the Coast Guard’s Cyber Command, told reporters last month that there were over 200 China-manufactured cranes operating across U.S. ports and regulated facilities.

    At that time, Coast Guard cyber protection teams had assessed the cybersecurity or hunted for threats on 92 of those cranes, he said.

    The discovery comes amid an ongoing congressional investigation into the operation of cranes manufactured in China and operating at U.S. ports.

    Though the investigation is still ongoing, the committees identified serious concerns regarding ZPMC’s relationship with the CCP, particularly given the recent discovery of Chinese malware on vital infrastructure related to the port system.

    As part of another cybersecurity investigation, some of the modems in question were also found to have active connections to the operational components of the STS cranes, suggesting they could be remotely controlled by a device no one previously knew was there.

    Speaking to reporters last month, White House Deputy National Security Adviser Anne Neuberger said the cranes were designed to be serviceable from a remote location, which leaves them open to such exploitation.

    “By design, these cranes may be controlled, serviced, and programmed from remote locations,” Ms. Neuberger said. “These features potentially leave [China]-manufactured cranes vulnerable to exploitation.”

    As such, the letter suggests that every U.S. seaport with ZPMC cranes could already be, or is at risk of being, compromised by the CCP.

    Retired Army Col. John Mills told The Epoch Times that the cranes were effectively an extension of the CCP’s global cybercrime operation, which could be used during an invasion of Taiwan to sow chaos in the United States.

    “Those container cranes are not cranes,” Mr. Mills said. “They’re IP endpoints on a worldwide intelligence collection system.”

    To that end, he said that the cranes’ operational and safety features could likely be overridden remotely. This would allow the CCP to potentially trick one of the giant cranes into shifting its counterbalance in such a way that would cause it to crash into ships or containers in the nation’s busiest ports.

    Complicating the issue all the more, he said, was the fact that the niche nature of the cargo cranes and their programming means it is unlikely a tailored cyber response to secure the systems will be created anytime soon.

    To counter the threat in the long term, he added, the United States would need to ensure that it manufactured such vital equipment in its own territory.

    “As things play out, they’re [the CCP] going to start initiating the hitting of target sets in cyber. The port cranes are a perfect example,” Mr. Mills said.

    “This is the importance of making things here. If you want to reduce the Chinese threat, start making things here.”

    3
  • North Korean hackers exploit Windows zero-day flaw
    therecord.media North Korean hackers exploit Windows zero-day flaw

    North Korean hackers exploited a previously unknown vulnerability in a Windows security feature, allowing them to gain the highest level of access to targeted systems.

    A zero-day flaw in AppLocker — a service that helps administrators control which applications are allowed to run on a system — was discovered by researchers at the Czech cybersecurity firm Avast and patched by Microsoft earlier this month.

    By exploiting this bug, tracked as CVE-2024-21338, hackers with administrative privileges could escalate their access to the kernel level — the highest level of access in the operating system, reserved for performing critical system functions.

    “With kernel-level access, an attacker might disrupt security software, conceal indicators of infection, turn off mitigations, and more,” Avast said.

    To carry out malicious activities within the victim’s system, hackers believed to be a part of North Korea’s infamous Lazarus group used the FudModule rootkit — a type of malware designed to provide unauthorized access to a computer while concealing its presence.

    Researchers said that the hackers improved the rootkit's functionality, making it stealthier. Some of the malware techniques, for example, were designed to evade detection and disable security protections, including Windows Defender, CrowdStrike Falcon and HitmanPro.

    Avast said that the FudModule rootkit is “one of the most complex tools Lazarus holds in their arsenal.” Recent updates to the malware also show Lazarus’ commitment to keep actively developing the rootkit, researchers said.

    The report does not mention which organizations were targeted in the latest Lazarus campaign or how successful it was.

    Lazarus remains among “the most prolific and long-standing” advanced hacker groups, according to Avast. “Though their signature tactics and techniques are well-recognized by now, they still occasionally manage to surprise us with an unexpected level of technical sophistication,” researchers said.

    Earlier this week, Japanese researchers discovered that Lazarus targeted software developers with malicious open-source software packages uploaded to a repository used by the Python community. The malicious packages were downloaded hundreds of times, according to researchers.

    Earlier in February, Germany and South Korea's intelligence agencies issued a joint advisory, warning of an ongoing North Korean cyber-espionage operation targeting the global defense sector. Lazarus was among the threat actors mentioned in the advisory. The report emphasized that the techniques used by the group to target the defense sector were similar to those employed in attacks against cryptocurrency firms and software developers.

    Lazarus was also targeting the judicial system in South Korea. In February, South Korean police confiscated servers from the country's Supreme Court that were allegedly hacked by Lazarus last year. The servers are still under investigation.

    According to the latest report by crypto analytics firm Chainalysis, North Korean hackers, including Lazarus, hacked more crypto platforms than ever last year, with the number of stolen assets reaching $1 billion.

    0
  • GitHub struggles to keep up with automated malicious forks
    www.theregister.com GitHub struggles to keep up with automated malicious forks

    Cloned then compromised, bad repos are forked faster than they can be removed

    A malware distribution campaign that began last May with a handful of malicious software packages uploaded to the Python Package Index (PyPI) has spread to GitHub and expanded to reach at least 100,000 compromised repositories.

    According to security firm Apiiro, the campaign to poison code involves cloning legitimate repos, infecting them with malware loaders, uploading the altered files to GitHub under the same name, then forking the poisoned repo thousands of times and promoting the compromised code in forums and on social media channels.

    Developers looking for useful code may therefore find a repo that’s described as useful and at first glance appears appropriate, only to have their personal data pilfered by a hidden payload that runs malicious Python code and a binary executable.

    "The malicious code (largely a modified version of BlackCap-Grabber) would then collect login credentials from different apps, browser passwords and cookies, and other confidential data," said Matan Giladi, security researcher, and Gil David, head of AI, in a report. "It then sends it back to the malicious actors' C&C (command-and-control) server and performs a long series of additional malicious activities."

    A Trend Micro analysis of the malicious code describes how it employs clever techniques to conceal its true nature. For example, the code hides its use of the exec function – for dynamically executing code – through a technique dubbed “exec smuggling”.

    Such attacks add hundreds of whitespace characters (521 of them) to push the exec function offscreen as a defense against manual scrutiny.
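    The padding trick is easy to catch once you stop relying on eyeballing a line. The scanner below is an added example, not Apiiro's, Trend Micro's or the campaign's code: it parses a file with Python's ast module, finds calls to exec, eval, compile and __import__ (directly or via builtins.), and measures the run of whitespace that the parser's column offset reveals in front of the call. The source it scans is constructed here to mimic the technique and is not taken from the malicious repositories; the threshold min_gap is an assumption you tune for your own code base.

```python
import ast

# Constructed sample in the spirit of the campaign: an innocuous-looking
# statement, then 521 spaces, then the exec() call, so the call sits far to the
# right of any editor or diff viewer. Not code from the malicious repos.
SMUGGLED_SAMPLE = (
    "import base64\n"
    "data = 'cHJpbnQoJ2hlbGxvJyk='\n"
    "print('setup complete');" + " " * 521 + "exec(base64.b64decode(data))\n"
)

# Builtins that turn data into code at runtime.
DYNAMIC_CODE_SINKS = {"exec", "eval", "compile", "__import__"}


def _callee_name(node):
    """Name a Call resolves to: exec(...) or builtins.exec(...); else None."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if (isinstance(node.func, ast.Attribute)
            and isinstance(node.func.value, ast.Name)
            and node.func.value.id == "builtins"):
        return node.func.attr
    return None


def find_smuggled_calls(source, min_gap=80):
    """Return dynamic-code calls preceded by at least min_gap whitespace chars.

    The parser locates the call regardless of where it sits on the line; the
    whitespace gap is then measured backwards from the reported column offset,
    so no regular expression has to guess at the layout.
    """
    findings = []
    lines = source.splitlines()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name not in DYNAMIC_CODE_SINKS:
            continue
        line = lines[node.lineno - 1]
        before = line[: node.col_offset]
        gap = len(before) - len(before.rstrip())
        if gap >= min_gap:
            findings.append({"line": node.lineno, "col": node.col_offset,
                             "call": name, "gap": gap})
    return findings


def scan_file(path, **kwargs):
    """Convenience wrapper for running the check over a checked-out repo."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_smuggled_calls(fh.read(), **kwargs)


if __name__ == "__main__":
    for hit in find_smuggled_calls(SMUGGLED_SAMPLE):
        print("line %d: %s() hidden behind %d whitespace chars (column %d)"
              % (hit["line"], hit["call"], hit["gap"], hit["col"]))
```

    Because the check keys on parser column offsets rather than on a pattern match, the call is found wherever the attacker places it; the gap threshold only decides how suspicious the placement is. Obfuscation that avoids a literal callee name, such as getattr(builtins, "exec") or a name assembled from string pieces, needs a separate rule, and a file with a deliberate syntax error will not parse at all, which is itself worth flagging.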

    GitHub says it's aware that not all's well.

    "GitHub hosts over 100 million developers building across over 420 million repositories, and is committed to providing a safe and secure platform for developers," a spokesperson told The Register.

    "We have teams dedicated to detecting, analyzing, and removing content and accounts that violate our Acceptable Use Policies. We employ manual reviews and at-scale detections that use machine learning and constantly evolve and adapt to adversarial tactics. We also encourage customers and community members to report abuse and spam."

    Awareness and automated scanning are all very well – but Apiiro’s Giladi and David observed that GitHub missed many automated repo forks, as well as the manually uploaded ones.

    "Because the whole attack chain seems to be mostly automated on a large scale, the one percent that survive still amount to thousands of malicious repos," the authors wrote, adding that if you count removed repos in the total, the campaign probably involved millions of malicious clones and forks.

    They also point out that the scale of the attack is large enough to benefit from network effects, specifically developers who fork malicious repos without intending to use the software and don't realize they're validating and propagating malware.

    GitHub, the researchers say, presents an effective way to compromise the software supply chain due to its support for the automatic generation of accounts and repos, its friendly APIs and soft rate limits, and its size.

    The Biden administration had pushed for stronger software supply chain security through the National Institute of Standards and Technology's Cybersecurity Framework 2.0 and efforts to get organizations to publish their software bill of materials. But clearly there's work left to do.

    2
  • Spyware maker NSO Group ordered to turn over Pegasus code in WhatsApp case
    therecord.media Spyware maker NSO Group ordered to turn over Pegasus code in WhatsApp case

    A California federal judge ordered the Israeli company to turn over its highly protected secret code as part of discovery in a years-long lawsuit.

    Spyware maker NSO Group ordered to turn over Pegasus code in WhatsApp case

    WhatsApp notched a major victory against the spyware producer NSO Group last week when a California federal judge ordered the Israeli company to turn over its highly protected secret code as part of discovery in a years-long lawsuit.

    The case could have major repercussions for NSO Group, whose Pegasus spyware has been used to spy on human rights activists, journalists and opposition politicians across the world.

    Judge Phyllis Hamilton ordered NSO Group to produce its code, specifically directing it to turn over the relevant spyware for the period from one year before WhatsApp users were allegedly victimized in 2019 through May 2020, a year after the alleged attack ended.

    WhatsApp has alleged that NSO Group exploited an audio calling vulnerability in its system to attach Pegasus to phones targeted by NSO Group clients.

    It sued the company in 2019, alleging the spyware purveyor had facilitated surveillance of about 1,400 WhatsApp users over the course of two weeks, including journalists, human rights activists, political dissidents, diplomats and other senior foreign government officials.

    According to WhatsApp’s complaint, NSO Group complained to a WhatsApp employee in a message when the vulnerability was fixed, saying, “you just closed our biggest remote for cellular … It’s on the news all over the world.”

    In her opinion, Hamilton said she weighed an NSO Group argument that the discovery requirements should be modified but ultimately dismissed the claim.

    “The court rejects defendants’ argument that their production should be limited to the installation layer of the alleged spyware, and instead concludes that defendants must produce information concerning the full functionality of the relevant spyware,” Hamilton’s decision said. “The complaint contains numerous instances alleging not only that spyware was installed on users’ devices, but also that information was accessed and/or extracted from those devices.”

    News of the order was first reported by The Guardian.

    A spokesperson for WhatsApp said the court ruling is an “important milestone in our long running goal of protecting WhatsApp users against unlawful attacks.

    “Spyware companies and other malicious actors need to understand they can be caught and will not be able to ignore the law.”

    Not everything went WhatsApp’s way, however. Hamilton ruled that NSO does not have to reveal its client names or provide details of its server architecture.

    NSO Group did not respond to a request for comment.

    In January, a federal judge denied an NSO motion to dismiss an Apple lawsuit alleging Pegasus spyware broke computer fraud laws.

    Pegasus and other powerful spyware have recently been used in several European countries to marginalize opposition politicians and spy on journalists. Recent scandals in Poland, Spain, Greece, Serbia and Hungary have alarmed government officials across Europe. Just last week, in advance of June elections, spyware was found on the phones of members and staff of Europe’s Parliament.

    The spyware is easily placed on victims’ phones without their knowledge, not even requiring them to click on links sent by unknown contacts. Once a phone is overtaken by the spyware it can see through the camera, activate the microphone, read emails and text messages and otherwise fully access the phone’s contents.

    The U.S. government blacklisted NSO in 2021. The company has long claimed that Pegasus is designed to help governments fight terrorism, but a long string of abuses has undermined its reputation and led to pressure on Israel’s government to stop supporting it.

    0
  • Germany confirms Russia's military WebEx meeting leak
    www.theregister.com Germany confirms Russia's military WebEx meeting leak

    Officials can't tell whether the tape was edited, but fear Kremlin has more juicy bits to release in the future

    Germany confirms Russia's military WebEx meeting leak

    Germany's defense ministry has confirmed that a recording of a call between high-ranking Bundeswehr (German armed forces) officials discussing war efforts in Ukraine, leaked by Russian media, is legitimate.

    Senior government officials have also confirmed Russian reports that the call was hosted on and tapped via Cisco's WebEx video conferencing platform rather than any kind of secure, military-grade comms.

    Roderich Kiesewetter, deputy chairman of the German parliament's oversight committee, said the Bundeswehr leak was possibly caused by a Russian agent inside the WebEx call or the Bundeswehr's implementation of it, but the country is still working on discovering how the intrusion took place.

    Likewise, the ministry released a statement to wider media saying: "According to our assessment, a conversation in the air force division was intercepted. We are currently unable to say for certain whether changes were made to the recorded or transcribed version that is circulating on social media."

    Cisco has distanced itself from the situation. A spokesperson told The Register: "Cisco does not publicly discuss customer information and we refer your request to the organization in question."

    The 38-minute recording was first published by Margarita Simonyan, editor-in-chief at the Russian state-controlled RT news outlet, and has since been shared widely online. It was supposedly handed to her by "sources" in Russian intelligence.

    RT said it identified two of the four German military officials on the call, including the head of Air Force Operations Brigadier General Frank Graefe, and Air Force Chief Lieutenant General Ingo Gerhartz.

    RT has since made a number of claims after publishing the call, including that the conversation provides proof that Germany was planning to help Ukraine to destroy the Kerch Bridge that connects Russia to the illegally annexed Crimea.

    Discussions also involved a potential delivery of Taurus long-range missiles to Ukraine for use in the attacks and how Germany could supply these without appearing to be directly involved in the conflict.

    Taurus missiles have a range of around 310 miles, far greater than the Storm Shadow cruise missiles supplied to Ukraine by the UK, which have a range of around 155 miles.

    Ukraine has long asked Germany to deliver Taurus missiles, but Chancellor Olaf Scholz has repeatedly declined to do so out of fears that the ongoing conflict could escalate.

    Kiesewetter told broadcaster ZDF that more recordings are likely to have been intercepted and could well be released at a later date, all to Russia's benefit.

    It's likely the recent release was designed to pressure Germany to drop talks over Taurus missile deliveries.

    On Friday, Dmitry Medvedev, deputy head of Russia's Security Council, said via Telegram: "After all, our eternal opponents – the Germans – have again turned into sworn enemies."

    "Germany is preparing for war with Russia," he said in a second message on Sunday, both of which were lengthy and included several Nazi-themed slurs against the German military.

    Maria Zakharova, spokesperson for Russia's Foreign Ministry, said Germany must "promptly" explain the nature of the audio, adding that a failure to respond will be seen as an admission of guilt.

    Scholz said on Saturday that the leak was "a very serious matter" and is now being investigated thoroughly and quickly.

    Asked about developments in the investigation, the Bundeswehr told The Register it had nothing further to add, but pointed to defense minister Boris Pistorius's comments on Sunday, calling the leak an act of "information war."

    "It is a hybrid disinformation attack. It is about division. It is about undermining our unity," he said.

    1
  • GhostSec’s joint ransomware operation and evolution of their arsenal
    blog.talosintelligence.com GhostSec’s joint ransomware operation and evolution of their arsenal

    Cisco Talos has observed a surge in malicious activity by the hacking group GhostSec over the past year. GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.

    GhostSec’s joint ransomware operation and evolution of their arsenal
    • Cisco Talos has observed a surge in malicious activity by the hacking group GhostSec over the past year.
    • GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.
    • The GhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries.
    • GhostLocker and Stormous ransomware have started a new ransomware-as-a-service (RaaS) program STMX_GhostLocker, providing various options for their affiliates.
    • Talos also discovered two new tools in GhostSec's arsenal, the “GhostSec Deep Scan tool” and “GhostPresser,” both likely being used in the attacks against websites.
    0
  • BlackCat Ransomware Group Implodes After Apparent $22M Payment by Change Healthcare

    There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. “ALPHV”) as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change’s network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate’s disclosure appears to have prompted BlackCat to cease operations entirely.

    0
  • Apple remains tight-lipped about latest iPhone, iPad 0-days
    www.theregister.com Apple remains tight-lipped about latest iPhone, iPad 0-days

    Two flaws fixed, one knee bent to the EU, and a budding cybersecurity star feature in iOS 17.4

    Apple remains tight-lipped about latest iPhone, iPad 0-days

    Apple's latest security patches address four vulnerabilities affecting iOS and iPadOS, including two zero-days that intel suggests attackers have already exploited.

    In typical Apple fashion, it's keeping most of the interesting details under wraps, but both allow an attacker to bypass kernel memory protections.

    The consumer tech giant registered the first as CVE-2024-23225 and said that an attacker would already need arbitrary kernel read and write capability to bypass the kernel memory protections. The issue was fixed with improved validation, Apple said.

    It's a similar story with CVE-2024-23296, the second zero-day disclosed in the round of updates. Affecting RTKit, Apple's real-time operating system that runs on various devices like AirPods, Apple Watch, and more, its description closely mirrors that of CVE-2024-23225.

    Attackers would again need kernel read and write capabilities to exploit it, and it too allows miscreants to bypass kernel memory protections. It was also fixed with improved validation.

    There are, however, slight differences between the two. While Apple's latest iOS and iPadOS 17.4 updates protect users from the vulnerabilities, Cupertino's security engineers were also forced to develop a patch for devices running iOS and iPadOS version 16.x.

    Indeed, CVE-2024-23225 also affects devices such as the iPhone 8, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation – devices that are no longer supported by Apple's latest OS releases.

    Unfortunately, there are no details on offer in terms of what attacks the exploited zero-days were involved in or how severe the vulnerabilities are. At the time of writing, the National Vulnerability Database (NVD) is still analyzing the flaws and hasn't yet assigned either a CVSS severity rating.

    Usually, when vendors register for CVEs they also provide a provisional CVSS rating of their own which appears alongside the NVD's assessment, but it's rare that Apple submits its own, in our experience.

    Apple has also withheld attribution for the zero-days' discovery, revealing nothing about whether they were found in-house or reported by a third party.

    iOS and iPadOS 17.4 were released on March 5 and also brought with them fixes for two other minor-sounding vulnerabilities.

    Discovered by Cristian Dinca, student at Tudor Vianu National College of Computer Science in Bucharest, CVE-2024-23243 was registered as a vulnerability that could expose sensitive location information to an app.

    "A privacy issue was addressed with improved private data redaction for log entries," said Apple.

    Students at the school are aged between 11 and 19 years, which means Dinca may well have a bright future in cybersecurity.

    The discovery of CVE-2024-23256 was attributed to one "Om Kothawade," although no credentials were included next to their name.

    The vulnerability relates to Safari's private browsing feature and could have seen a user's locked tabs becoming visible for a short time when switching tab groups, only when Locked Private Browsing was enabled.

    "A logic issue was addressed with improved state management," said Apple.

    More than a patch

    As we've already covered this week, Apple's iOS and iPadOS 17.4 updates brought more than just security fixes.

    Changes required by the EU's Digital Markets Act are now in the wild. Apple was compelled by Brussels to give users a choice over their browser engine and over where they download their apps from.

    Apple met its March 6 deadline early, overhauling previously longstanding rules against app sideloading and browser apps using their own engines on Apple's phones and tablets. Chrome, Firefox, and the rest were all essentially reskins of Apple's Safari running on its WebKit framework.

    In the EU, that's no longer the case. Users now see a new setup screen after installing the update prompting them to choose a default browser. It has also emerged that they may be penalized for spending too much time outside the bloc: "If you're gone for too long, you'll lose access to some features, including installing new alternative app marketplaces," Apple said.

    The new updates also brought a few other features too, such as automatic podcast transcription, quantum-safe iMessages, and new emojis.

    1
  • Microsoft confirms Russian spies stole source code
    go.theregister.com Microsoft confirms Russian spies stole source code

    Still "no evidence" of any compromised customer-facing systems, we're told

    Microsoft confirms Russian spies stole source code

    Microsoft has now confirmed that the Russian cyberspies who broke into its executives' email accounts stole source code and gained access to internal systems. The Redmond giant has characterized the intrusion as "ongoing."

    In an updated US Securities and Exchange Commission filing and companion security post, Microsoft provided more details about the breach, which it originally disclosed in January.

    At that time, Microsoft said Midnight Blizzard — the Kremlin-backed crew also known as Cozy Bear and APT29 that was behind the SolarWinds supply chain attack — snooped around in "a very small percentage of Microsoft corporate email accounts" and stole internal messages and files belonging to the leadership team, cybersecurity and legal employees.

    "There is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems," Redmond said in January.

    That has since changed.

    "In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access," according to the latest disclosure. "This has included access to some of the company's source code repositories and internal systems."

    Microsoft maintains that there's "no evidence" so far that the Russian criminals compromised any customer-facing systems. But that's not for lack of trying.

    "It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found," the company admitted. "Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures."

    It also sounds like this is not the last we'll hear about the break-in, which started in November and used password spray attacks to compromise a corporate account that did not have multi-factor authentication enabled.

    The spies are still trying to access additional Microsoft accounts, and we're told the volume of password sprays increased ten-fold in February compared to the volume of such attacks seen in January.
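    The foothold here came from password spraying: a few guesses against many accounts, so that per-account lockout never trips, followed by a success on an account that had no MFA. The detection below is an added example, not Microsoft's tooling or telemetry; it runs over a handful of sign-in records constructed for this page (the line format, addresses and account names are invented) and flags a source whose failures fan out across many distinct accounts with few attempts each, then lists any successful sign-ins from that source and whether MFA was completed. The window, account count and per-account thresholds are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records; format, addresses and accounts are invented.
# Fields: time, source IP, account, outcome, MFA completed (on success).
SIGNIN_LOG = """\
2024-02-10T03:00:01Z 203.0.113.7 alice@corp.example failure -
2024-02-10T03:00:09Z 203.0.113.7 bob@corp.example failure -
2024-02-10T03:00:17Z 203.0.113.7 carol@corp.example failure -
2024-02-10T03:00:25Z 203.0.113.7 dave@corp.example failure -
2024-02-10T03:00:33Z 203.0.113.7 erin@corp.example failure -
2024-02-10T03:00:41Z 203.0.113.7 legacy-test@corp.example success no
2024-02-10T03:01:00Z 198.51.100.4 alice@corp.example failure -
2024-02-10T03:01:05Z 198.51.100.4 alice@corp.example failure -
2024-02-10T03:01:10Z 198.51.100.4 alice@corp.example failure -
2024-02-10T03:02:00Z 192.0.2.9 frank@corp.example success yes
"""


def parse_signins(text):
    rows = []
    for line in text.splitlines():
        ts, ip, user, outcome, mfa = line.split()
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     "ip": ip, "user": user, "outcome": outcome, "mfa": mfa})
    return rows


def detect_password_spray(rows, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Flag sources whose failures inside `window` spread over at least
    min_accounts distinct accounts with at most max_per_account tries each.

    Per-account lockout thresholds never see this shape, which is the point of
    spraying; counting distinct accounts per source does.
    """
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r["ts"])
        failures = [e for e in events if e["outcome"] == "failure"]
        start = 0
        for end in range(len(failures)):
            # slide the window's left edge forward until the span fits
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            per_account = defaultdict(int)
            for e in failures[start:end + 1]:
                per_account[e["user"]] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                successes = [e for e in events if e["outcome"] == "success"]
                alerts[ip] = {
                    "accounts_targeted": len(per_account),
                    "first_failure": failures[start]["ts"],
                    # a success from a spraying source is the incident, not the alert;
                    # one without MFA is the case to chase first
                    "successes_without_mfa": [e["user"] for e in successes if e["mfa"] == "no"],
                    "successes_with_mfa": [e["user"] for e in successes if e["mfa"] == "yes"],
                }
                break
    return alerts


def spray_report(text):
    return detect_password_spray(parse_signins(text))


if __name__ == "__main__":
    for ip, info in spray_report(SIGNIN_LOG).items():
        print(ip, info)
```

    The second source in the sample (three failures against one account) is ordinary brute force and is left to lockout policy. Sprays that rotate source addresses through proxies defeat the per-IP grouping; the same distinct-account count then has to be taken tenant-wide, or per client fingerprint, over the same window.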

    The silver lining, according to Microsoft's updated Form 8-K, is that the security snafu hasn't had any financial impact on operations — yet.

    Redmond says its investigation is ongoing and promised to share updates.

    "Midnight Blizzard's ongoing attack is characterized by a sustained, significant commitment of the threat actor's resources, coordination, and focus," the security update said. "It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks."

    3
  • QNAP vulnerability disclosure ends up an utter shambles
    www.theregister.com Urgent patches available for QNAP vulnerabilities, one 0-day

    Two new flaws, one zero-day, countless different patches, but everything's fine!

    Urgent patches available for QNAP vulnerabilities, one 0-day

    Network-attached storage (NAS) specialist QNAP has disclosed and released fixes for two new vulnerabilities, one of them a zero-day discovered in early November.

    The Taiwanese company's coordinated disclosure of the issues with researchers at Palo Alto Networks' Unit 42 has, however, led to some confusion over the severity of the security problem.

    QNAP assigned CVE-2023-50358 a middling 5.8-out-of-10 severity score, the breakdown of which revealed it was classified as a high-complexity attack that would have a low impact if exploited successfully.

    Unit 42's assessment, on the other hand, was the polar opposite: "These remote code execution vulnerabilities affecting IoT devices exhibit a combination of low attack complexity and critical impact, making them an irresistible target for threat actors. As a result, protecting IoT devices against such threats is an urgent task."

    The German Federal Office for Information Security (BSI) also released an emergency alert today warning that successful exploits could lead to "major damage," encouraging users to apply patches quickly.

    At the time of writing, the National Vulnerability Database (NVD) is still working to assign the vulnerability an independent rating.

    Typically, command injection vulnerabilities that are easy to exploit tend to attract severity scores at the higher end of the scale, so it will be interesting to see what the NVD's score ends up being.

    According to Unit 42's internet scans carried out in mid-January, 289,665 distinct IP addresses hosted a vulnerable, public-facing device.

    Germany and the US were the most exposed, with 42,535 and 36,865 vulnerable devices respectively, while China, Italy, Japan, Taiwan, and France trailed each with over 10,000 devices exposed.

    Exploiting CVE-2023-50358

    Unlike QNAP, Unit 42 published a technical breakdown of CVE-2023-50358 and how to exploit the vulnerability.

    It's classed as a command injection flaw in the quick.cgi component of QNAP's QTS firmware, which runs on most of its NAS devices.

    "While setting the HTTP request parameter todo=set_timeinfo, the request handler in quick.cgi saves the value of the parameter SPECIFIC_SERVER into a configuration file /tmp/quick/quick_tmp.conf with the entry name NTP Address," the researchers explained.

    "After writing the NTP server address, the component starts time synchronization using the ntpdate utility. The command-line execution is built by reading the NTP Address in quick_tmp.conf, and this string is then executed using system().

    "Untrusted data from the SPECIFIC_SERVER parameter is therefore used to build a command line to be executed in the shell resulting in arbitrary command execution."
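    Reconstructing that flow in a few lines of Python makes both the bug and the fix concrete. This is an added example, not QNAP's firmware code and not Unit 42's exploit: the config file is an in-memory dict standing in for /tmp/quick/quick_tmp.conf, nothing is executed, and a small shlex-based splitter shows how /bin/sh would carve up the vulnerable command line. The hardened handler allow-lists the value as a hostname or IPv4 literal and passes it as its own argv element so no shell ever parses it; the "-u" ntpdate option and the request payload are assumptions for the demonstration.

```python
import re
import shlex

# In-memory stand-in for /tmp/quick/quick_tmp.conf; nothing here is executed.
CONF = {}


def set_timeinfo_vulnerable(params):
    """todo=set_timeinfo as described: SPECIFIC_SERVER is stored unchecked."""
    CONF["NTP Address"] = params["SPECIFIC_SERVER"]


def build_sync_command_vulnerable():
    """The string the sync step hands to system(); its tail is attacker-controlled."""
    return "ntpdate " + CONF["NTP Address"]


def shell_commands(cmdline):
    """Approximate /bin/sh's view of a command line as a list of argv lists,
    splitting on the control operators shlex recognises in punctuation mode.
    Backticks and $(...) are not modelled; the hardened path rejects them anyway."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&", "&&", "|", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


# Hardened path: allow-list the value's shape, then never let a shell see it.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def is_valid_ntp_server(value):
    # A leading '-' is excluded by the hostname pattern, which also blocks
    # argument injection: "-k /path" would otherwise reach ntpdate as an option.
    return bool(HOSTNAME_RE.match(value) or IPV4_RE.match(value))


def set_timeinfo_hardened(params):
    server = params.get("SPECIFIC_SERVER", "")
    if not is_valid_ntp_server(server):
        raise ValueError("rejected NTP server value: %r" % server)
    CONF["NTP Address"] = server


def build_sync_argv():
    """argv for execve()/subprocess.run(argv) with no shell: metacharacters are inert."""
    return ["ntpdate", "-u", CONF["NTP Address"]]


if __name__ == "__main__":
    payload = {"todo": "set_timeinfo", "SPECIFIC_SERVER": "pool.ntp.org; id > /tmp/pwned"}
    set_timeinfo_vulnerable(payload)
    print("shell would run:", shell_commands(build_sync_command_vulnerable()))
    try:
        set_timeinfo_hardened(payload)
    except ValueError as exc:
        print("hardened handler:", exc)
```

    Validation alone is not enough if the value is still spliced into a shell string (a later code change can widen the allow-list), and an argv list alone is not enough if the value can start with a dash; the fix needs both halves.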

    Double up

    QNAP's advisory also detailed fixes for a second command injection flaw, CVE-2023-47218, which was reported by Stephen Fewer, principal security researcher at Rapid7, and has also been given the same 5.8 severity score.

    The advisory itself combines both vulnerabilities and provides technical details for neither, so it's difficult to determine what the differences are from this alone.

    Rapid7's advisory, however, provides extensive detail on how CVE-2023-47218 also lies in the quick.cgi component, allowing for command injection, and how it can feasibly be exploited using a specially crafted HTTP POST request.

    Details of the disclosure timeline also offered a glimpse at what appears to be a slightly ticked-off Rapid7 after QNAP went silent and published its patches earlier than agreed.

    After agreeing to a coordinated disclosure date for the vulnerabilities of February 7 back in December, on January 25 QNAP told Rapid7 it had already pushed out the patches. This followed more than two weeks of radio silence from the NAS slinger after Rapid7 requested a progress update.

    QNAP also asked Rapid7 to delay the publication of its advisory to February 26, nearly three weeks after the original agreed date, which didn't appear to have been received warmly.

    So many patches

    Rather than focusing on the technical details of the vulnerabilities, QNAP's main focus with its disclosure appears to be highlighting the different patches available for different firmware versions. QTS, QuTS hero, and QuTScloud are all impacted differently and each version has its own specific upgrade recommendation.

    1
  • DNSSEC vulnerability puts big chunk of the internet at risk
    www.theregister.com DNSSEC vulnerability puts big chunk of the internet at risk

    'You don't have to do more than that to disconnect an entire network' El Reg told as patches emerge

    DNSSEC vulnerability puts big chunk of the internet at risk

    A single packet can exhaust the processing capacity of a vulnerable DNS server, effectively disabling the machine, by exploiting a 20-plus-year-old design flaw in the DNSSEC specification.

    That makes it trivial to take down a DNSSEC-validating DNS resolver that has yet to be patched, upsetting all the clients relying on that service and making it seem as though websites and apps were offline.

    The academics who found this flaw – associated with the German National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt – claimed DNS server software makers briefed about the vulnerability described it as "the worst attack on DNS ever discovered."

    Identified by Professor Haya Schulmann and Niklas Vogel of the Goethe University Frankfurt; Elias Heftrig of Fraunhofer SIT; and Professor Michael Waidner at the Technical University of Darmstadt and Fraunhofer SIT, the security hole has been named KeyTrap, designated CVE-2023-50387, and assigned a CVSS severity rating of 7.5 out of 10.

    As of December 2023, approximately 31 percent of web clients worldwide used DNSSEC-validating DNS resolvers and, like other applications relying on those systems, would feel the effects of a KeyTrap attack: With those DNS servers taken out by the flaw, clients relying on them would be unable to resolve domain and host names to IP addresses to use, resulting in a loss of connectivity.

    The researchers said lone DNS packets exploiting KeyTrap could stall public DNSSEC-validated DNS services, such as those provided by Google and Cloudflare, by making them do calculations that overtax server CPU cores.

    This disruption of DNS could not only deny people's access to content but could also interfere with other systems, including spam defenses, cryptographic defenses (PKI), and inter-domain routing security (RPKI), the researchers assert.

    "Exploitation of this attack would have severe consequences for any application using the Internet including unavailability of technologies such as web-browsing, e-mail, and instant messaging," they claimed. "With KeyTrap, an attacker could completely disable large parts of the worldwide internet."

    A non-public technical paper on the vulnerability provided to The Register, titled, "The KeyTrap Denial-of-Service Algorithmic Complexity Attacks on DNS," describes how an assault would be carried out. It basically involves asking a vulnerable DNSSEC-validating DNS resolver to look up an address that causes the server to contact a malicious nameserver that sends a reply that causes the resolver to consume most or all of its own CPU resources.

    "To initiate the attacks our adversary causes the victim resolver to look up a record in its malicious domain," the due-to-be-published paper states. "The attacker’s nameserver responds to the DNS queries with a malicious record set (RRset), according to the specific attack vector and zone configuration."

    The attack works, the paper explains, because the DNSSEC spec follows Postel’s Law: "The nameservers should send all the available cryptographic material, and the resolvers should use any of the cryptographic material they receive until the validation is successful."

    This requirement, to ensure availability, means DNSSEC-validating DNS resolvers can be forced to do a lot of work if presented with colliding key-tags and colliding keys that must be validated.

    "Our complexity attacks are triggered by feeding the DNS resolvers with specially crafted DNSSEC records, which are constructed in a way that exploits validation vulnerabilities in cryptographic validation logic," the paper explains.

    "When the DNS resolvers attempt to validate the DNSSEC records they receive from our nameserver, they get stalled. Our attacks are extremely stealthy, being able to stall resolvers between 170 seconds and 16 hours (depending on the resolver software) with a single DNS response packet."

    The ATHENE boffins said they worked with all relevant vendors and major public DNS providers to privately disclose the vulnerability so a coordinated patch release would be possible. The last patch was finished today.

    "We are aware of this vulnerability and rolled out a fix in coordination with the reporting researchers," a Google spokesperson told The Register. "There is no evidence of exploitation and no action required by users at this time."

    Network research lab NLnet Labs published a patch for its Unbound DNS software, addressing two vulnerabilities, one of which is KeyTrap. The other bug fixed, CVE-2023-50868, referred to as the NSEC3 vulnerability, also allows denial of service through CPU exhaustion.

    "The KeyTrap vulnerability works by using a combination of keys (also colliding keys), signatures and number of RRSETs on a malicious zone," NLnet Labs wrote. "Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path."
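    Why colliding key tags matter, both in the paper's description above and in NLnet Labs' summary, is easier to see with the arithmetic in front of you. The block below is an added example, not the researchers' or NLnet Labs' code: it implements the RFC 4034 Appendix B key tag, forges DNSKEY records that all share one tag by brute-forcing two trailing bytes of the public key, and runs a toy validator that, as RFC 4035 requires, tries every matching key for every RRSIG before declaring the RRset bogus. Signature verification is replaced by a cheap SHA-256 stand-in constructed for the example, because what matters here is the number of verifications, not their math; the max_attempts budget is a simplified model of the limits patched resolvers now impose, not any vendor's exact logic.

```python
import hashlib
import struct
from dataclasses import dataclass


def _accumulate(data):
    # Even-indexed bytes weigh 256x more than odd ones: the tag is a plain
    # 16-bit checksum, not a hash, which is what makes collisions cheap.
    ac = 0
    for i, b in enumerate(data):
        ac += b if i & 1 else b << 8
    return ac


def keytag(rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (all algorithms but RSA/MD5)."""
    ac = _accumulate(rdata)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass
class DNSKEY:
    flags: int
    algorithm: int
    public_key: bytes
    protocol: int = 3

    def rdata(self):
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    @property
    def key_tag(self):
        return keytag(self.rdata())


@dataclass
class RRSIG:
    key_tag: int
    algorithm: int
    signature: bytes


def forge_colliding_key(target_tag, flags, algorithm, prefix):
    """Brute-force the last two public-key bytes so the DNSKEY gets target_tag.

    With an even-length prefix the trailing pair adds (hi << 8) + lo to the
    accumulator, so at most 65536 candidates need checking.
    """
    head = struct.pack("!HBB", flags, 3, algorithm) + prefix
    assert len(head) % 2 == 0, "prefix must keep the trailing pair at an even/odd index"
    base = _accumulate(head)
    for adj in range(1 << 16):
        ac = base + adj
        if (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF == target_tag:
            key = DNSKEY(flags, algorithm, prefix + adj.to_bytes(2, "big"))
            assert key.key_tag == target_tag
            return key
    return None  # one residue can fall outside the 65536-wide window; change the prefix


# Constructed stand-in for the canonical RRset wire form that a signature covers.
RRSET_WIRE = b"www.example.\x00\x01\x00\x01" + bytes([192, 0, 2, 1])


def toy_sign(key):
    """Constructed stand-in for RSA/ECDSA signing; only the verify-count model matters."""
    return RRSIG(key.key_tag, key.algorithm,
                 hashlib.sha256(key.public_key + RRSET_WIRE).digest()[:16])


def toy_verify(key, sig):
    return sig.signature == hashlib.sha256(key.public_key + RRSET_WIRE).digest()[:16]


def validate(dnskeys, rrsigs, max_attempts=None):
    """RFC 4035 5.3.1 semantics: each RRSIG is tried against every DNSKEY whose
    key tag and algorithm match, and the RRset is bogus only once all fail.
    max_attempts models the per-query validation budget patched resolvers added."""
    attempts = 0
    for sig in rrsigs:
        for key in dnskeys:
            if key.key_tag != sig.key_tag or key.algorithm != sig.algorithm:
                continue
            if max_attempts is not None and attempts >= max_attempts:
                return "bogus", attempts
            attempts += 1
            if toy_verify(key, sig):
                return "secure", attempts
    return "bogus", attempts


def build_keytrap_zone(n_keys, n_sigs, algorithm=13, flags=256):
    """DNSKEY RRset of n_keys keys sharing one tag, plus n_sigs RRSIGs that carry
    that tag but verify under none of the keys: the resolver must try all pairs."""
    target = DNSKEY(flags, algorithm, bytes(range(32))).key_tag
    keys = [forge_colliding_key(target, flags, algorithm, bytes([i, i]) + bytes(range(28)))
            for i in range(n_keys)]
    sigs = [RRSIG(target, algorithm, hashlib.sha256(b"junk-%d" % i).digest()[:16])
            for i in range(n_sigs)]
    return keys, sigs


if __name__ == "__main__":
    keys, sigs = build_keytrap_zone(n_keys=40, n_sigs=40)
    print("unpatched:", validate(keys, sigs))
    print("with budget:", validate(keys, sigs, max_attempts=16))
```

    The RRSIG key tag field exists to let a resolver skip keys that cannot possibly match; once every key carries the same tag that filter does nothing and the work grows as keys times signatures, each step a real public-key operation in a production resolver. Capping the number of attempts per query turns the unbounded computation back into a bounded one at the cost of treating the pathological zone as bogus, which is the only sensible answer for it anyway.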

    PowerDNS, meanwhile, has an update here to thwart KeyTrap exploitation.

    1