Netsec
netsec is a community-curated aggregator of technical information security content. Our mission is to extract signal from the noise — to provide value to security practitioners, students, researchers, and hackers everywhere.
Rules
- Don't do unto others what you don't want done unto you.
- No Porn, Gore, or NSFW content. Instant Ban.
- No Spamming, Trolling or Unsolicited Ads. Instant Ban.
- Stay on topic in a community. Please reach out to an admin to create a new community.
One of the largest companies that conducts background checks confirmed that it is the source of a data breach causing national outrage due to the millions of Social Security numbers leaked.
In a statement on Friday, National Public Data said it detected suspicious activity in its network in late December, and subsequently a hacker leaked certain tranches of data in April and throughout the summer.
“The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024. We conducted an investigation and subsequent information has come to light,” the Florida-based company said.
“The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”
National Public Data said it “cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records.”
The company plans to notify those affected if there are other updates. It is unclear how someone would know they are affected by the breach, but the company urged people to monitor their financial accounts for unauthorized activity.
Cybersecurity experts have known about the leaks since April, but since then the company has refused to respond to repeated requests for comment from Recorded Future News. The company stayed tight-lipped about the incident until this week, when concern about the troves of Social Security numbers (SSNs) exposed went viral on social media.
Companies and private investigators pay National Public Data to obtain criminal records, background checks and more — with the company allowing them to search billions of records instantly.
On April 7, a well known hacker going by the name USDoD posted a database on the criminal marketplace Breached claiming it contained 2.9 billion records on U.S. citizens. The cybercriminal — best known for leaking data stolen from European aerospace giant Airbus — said it came from another hacker named “SXUL" and offered the information for $3.5 million.
While it is unclear whether anyone paid for the information, the hacker began leaking parts of the database in June and others continued to offer it for sale throughout the summer.
Several cybersecurity experts, including data breach expert Troy Hunt, have confirmed that while the database contains duplicates, much of the information is accurate.
The data contains a person’s first and last name, three decades of address history and Social Security number. Some experts said they were also able to find a person’s parents, siblings and immediate relatives. The database includes people living and dead.
Some have noted that people who use data opt-out services were not included in the database.
While some news outlets and social media platforms have erroneously reported that 2.9 billion people had information in the breach, Hunt estimated that the database included about 899 million unique SSNs.
The FBI and other U.S. cybersecurity agencies did not respond to requests for comment.
National Public Data is already facing lawsuits over the breach. A complaint was filed in the U.S. District Court for the Southern District of Florida two weeks ago after a California resident said he got a notice from his identity-theft protection service provider in July about the breach.
DataGrail vice president Chris Deibler said the breach shows we “are reaching the limits of what individuals can reasonably do to protect themselves in this environment.”
“The balance of power right now is not in the individual's favor. [The European Union’s] GDPR and the various state and national regulations coming online are good steps, but the prevention and consequence models in place today clearly do not disincentivize mass aggregation of data,” he said.
Akhil Mittal of Synopsys Software Integrity Group added that the number of records will draw headlines but the long tail of effects on people could last years. Millions of real people will be dealing with identity theft, fraud and more for years to come due to the breach, he said.
Mittal echoed Deibler’s comments, arguing that a larger conversation needs to be started about data privacy and protection.
“It’s time for stricter regulations and better enforcement to make sure companies are really protecting our information,” Mittal said.
Popular flight-tracking app FlightAware has admitted that it was exposing a bunch of users' data for more than three years.
It made the admission via a notification filed last week with Rob Bonta, California's attorney general, saying the leak began on January 1, 2021, but was only detected on July 25 of this year.
The incident was blamed on an unspecified configuration error. It led to the exposure of personal information, passwords, and various other personal data points you'd expect to see in a breach, depending on what information the user provided in their account.
The full list of potentially impacted data points is below:
- User ID
- Password
- Email address
- Full name
- Billing address
- Shipping address
- IP address
- Social media accounts
- Telephone numbers
- Year of birth
- Last four digits of your credit card number
- Information about aircraft owned
- Industry
- Title
- Pilot status (yes/no)
- Account activity (such as flights viewed and comments posted)
- Social Security Number
How was this data exposed? We asked FlightAware and will update the story if it responds.
The downside of filing data leak notifications in California is that the state doesn't require companies to publicly disclose how many people were affected, unlike Maine, for example, which does.
Although we cannot determine the exact number of affected users, FlightAware reports having 12 million registered users. If all were affected, that would be quite the security snafu indeed.
"FlightAware values your privacy and deeply regrets that this incident occurred," it wrote in a letter being sent to affected individuals.
"Once we discovered the exposure, we immediately remedied the configuration error. Out of an abundance of caution, we are also requiring all potentially impacted users to reset their password. You will be prompted to do so at your next log-in to FlightAware."
It's typical with these types of breach notifications to comment on whether the data in question had been accessed and/or misused by unauthorized third parties. The letter to affected users did not address this matter.
It's also typical for companies to offer free credit monitoring for users and the same is the case here. Anyone who receives a letter from FlightAware saying they may be affected was offered two years of service via Equifax.
A Kentucky man who hacked into a state registry and faked his own death to avoid paying child support was sentenced on Monday to 81 months in prison.
In January 2023, Jesse Kipf used stolen login credentials belonging to a physician to access the Hawaii Death Registry System, where he submitted and “certified” his own death — thereby avoiding paying more than $116,000 in owed child support.
He also hacked into other state death registry systems, as well as “governmental and corporate networks” using stolen credentials, and tried to sell access to those entities on the darkweb.
“Working in collaboration with our law enforcement partners, this defendant who hacked a variety of computer systems and maliciously stole the identity of others for his own personal gain, will now pay the price,” said Michael E. Stansbury, special agent in charge at the FBI’s Louisville Field Office. Kipf was convicted of computer fraud and aggravated identity theft.
In March 2023, Hawaii’s Department of Health began sending out breach notification letters after it was notified by the cybersecurity firm Mandiant that credentials belonging to an external medical death certifier account had been sold on the dark web. The account belonged to a medical certifier who worked for a local hospital but had left the job in 2021.
According to the Health Department release, the hacker accessed the account on January 20, 2023 — the same month Kipf breached the system.
That same year, Kipf also used stolen credentials to access networks belonging to Guest-Tek Interactive Entertainment Ltd. and Milestone, Inc. — specifically to networks related to the companies’ work with hotel chains, including internet connectivity services.
According to a sentencing memo from Assistant U.S. Attorney Kathryn M. Dieruf, Kipf offered for sale on darknet forums tips for how to access death registry systems, and he sold access to at least one company’s hacked databases to Russian customers. Other international buyers of stolen personal information were from Algeria and Ukraine, according to court documents.
While calling for a seven-year sentence — three more months than the one Kipf received — Dieruf asked the judge to send a message to cybercriminals.
“Similarly situated individuals must see the real danger they present to victims and be deterred from engaging in online criminal conduct by the fear of punishment,” she wrote.
“The cloak of anonymity afforded by the dark web is too alluring without the persistent threat of being brought to justice and serving a significant sentence.”
CrowdStrike – a company that advertises itself as stopping breaches using “AI-native cybersecurity” – recently failed to deliver in a spectacular fashion.
One of its faulty updates (for Windows) caused a massive global outage across different industries and services, including hospitals and airports.
This latest poster child for “single point of failure,” and why IT systems should not be centralized to the degree they are, now apparently sees making false copyright claims, thus abusing the DMCA, as one way of damage control.
The recipient of the takedown attempt is a parody site, ClownStrike. Created by IT consultant David Senk, clownstrike.lol went online on July 24, in the wake of the embarrassing and costly (damages are said to run into billions) episode caused by CrowdStrike.
But despite ostensibly having more pressing issues to deal with, a week later Cloudflare (that hosted the parody site) sent Senk a DMCA notice issued on behalf of CrowdStrike by CSC Digital Brand Services.
CrowdStrike wanted its logo, which is seen “fading into a cartoon clown” on Senk’s site removed, and threatened that otherwise the site would be shut down, writes Ars Technica.
But the site is clearly a parody one, which would protect Senk’s display of the logo as fair use under the DMCA. However, this story has two “bad guys” – in addition to CrowdStrike, there’s Cloudflare.
When Senk contested the takedown notice on fair use grounds, Cloudflare ignored it, and then sent him another email reiterating the copyright infringement accusations – and then, again ignored the site creator’s counterclaim.
Senk has switched to a server in Finland, where he feels companies are “less susceptible to DMCA takedown requests.”
Now the site also features the CSC logo (with a clown wig). And it’s been updated with Senk’s thoughts on corporate cyberbullies, Cloudflare’s “hilariously ineffective” system of countering copyright notices, and other rant-worthy topics.
Ars Technica suggests that ClownStrike may have simply got caught up in as many as 500 notices CrowdStrike has been sending left and right these days to ensure “proactive fraud management activities (…) to help prevent bad actors from exploiting current events.”
Senk’s description of this statement? “Typical corporate bullshit (taking) zero accountability.”
3TOFU: Verifying Unsigned Releases
By Michael Altfield
License: CC BY-SA 4.0
https://tech.michaelaltfield.net
This article introduces the concept of "3TOFU" -- a harm-reduction process when downloading software that cannot be verified cryptographically.
Verifying Unsigned Releases with 3TOFU |
⚠ NOTE: This article is about harm reduction.
It is dangerous to download and run binaries (or code) whose authenticity you cannot verify (using a cryptographic signature from a key stored offline). However, sometimes we cannot avoid it. If you're going to proceed with running untrusted code, then following the steps outlined in this guide may reduce your risk.
TOFU
TOFU stands for Trust On First Use. It's a (often abused) concept of downloading a person or org's signing key and just blindly trusting it (instead of verifying it).
3TOFU
3TOFU is a process where a user downloads something three times at three different locations. If-and-only-if all three downloads are identical, then you trust it.
Why 3TOFU?
During the Crypto Wars of the 1990s, it was illegal to export cryptography from the United States. In 1996, after intense public pressure and legal challenges, the government officially permitted export with the 56-bit DES cipher -- which was a known-vulnerable cipher.
The EFF's Deep Crack proved DES to be insecure and pushed a switch to 3DES. |
But there was a simple way to use insecure DES to make secure messages: just use it three times.
3DES (aka "Triple DES") is the process encrypting a message using the insecure symmetric block cipher (DES) three times on each block, to produce an actually secure message (from known attacks at the time).
3TOFU (aka "Triple TOFU") is the process of downloading a payload using the insecure method (TOFU) three times, to obtain the payload that's magnitudes less likely to be maliciously altered.
3TOFU Process
To best mitigate targeted attacks, 3TOFU should be done:
- On three distinct days
- On three distinct machines (or VMs)
- Exiting from three distinct countries
- Exiting using three distinct networks
For example, I'll usually execute
- TOFU #1/3 in TAILS (via Tor)
- TOFU #2/3 in a Debian VM (via VPN)
- TOFU #3/3 on my daily laptop (via ISP)
The possibility of an attacker maliciously modifying something you download over your ISP's network are quite high, depending on which country you live-in.
The possibility of an attacker maliciously modifying something you download onto a VM with a freshly installed OS over an encrypted VPN connection (routed internationally and exiting from another country) is much less likely, but still possible -- especially for a well-funded adversary.
The possibility of an attacker maliciously modifying something you download onto a VM running a hardened OS (like Whonix or TAILS) using a hardened browser (like Tor Browser) over an anonymizing network (like Tor) is quite unlikely.
The possibility for someone to execute a network attack on all three downloads is very near-zero -- especially if the downloads were spread-out over days or weeks.
3TOFU bash Script
I provide the following bash script as an example snippet that I run for each of the 3TOFUs.
REMOTE_FILES="https://tails.net/tails-signing.key"
CURL="/usr/bin/curl"
WGET="/usr/bin/wget --retry-on-host-error --retry-connrefused"
PYTHON="/usr/bin/python3"
# in tails, we must torify
if [[ "`whoami`" == "amnesia" ]] ; then
CURL="/usr/bin/torify ${CURL}"
WGET="/usr/bin/torify ${WGET}"
PYTHON="/usr/bin/torify ${PYTHON}"
fi
tmpDir=`mktemp -d`
pushd "${tmpDir}"
# first get some info about our internet connection
${CURL} -s https://ifconfig.co/country | head -n1
${CURL} -s https://check.torproject.org | grep Congratulations | head -n1
# and today's date
date -u +"%Y-%m-%d"
# get the file
for file in ${REMOTE_FILES}; do
wget ${file}
done
# checksum
date -u +"%Y-%m-%d"
sha256sum *
# gpg fingerprint
gpg --with-fingerprint --with-subkey-fingerprint --keyid-format 0xlong *
Here's one example execution of the above script (on a debian DispVM, executed with a VPN).
/tmp/tmp.xT9HCeTY0y ~
Canada
2024-05-04
--2024-05-04 14:58:54-- https://tails.net/tails-signing.key
Resolving tails.net (tails.net)... 204.13.164.63
Connecting to tails.net (tails.net)|204.13.164.63|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1387192 (1.3M) [application/octet-stream]
Saving to: ‘tails-signing.key’
tails-signing.key 100%[===================>] 1.32M 1.26MB/s in 1.1s
2024-05-04 14:58:56 (1.26 MB/s) - ‘tails-signing.key’ saved [1387192/1387192]
2024-05-04
8c641252767dc8815d3453e540142ea143498f8fbd76850066dc134445b3e532 tails-signing.key
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096/0xDBB802B258ACD84F 2015-01-18 [C] [expires: 2025-01-25]
Key fingerprint = A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F
uid Tails developers (offline long-term identity key) <[email protected]>
uid Tails developers <[email protected]>
sub rsa4096/0x3C83DCB52F699C56 2015-01-18 [S] [expired: 2018-01-11]
sub rsa4096/0x98FEC6BC752A3DB6 2015-01-18 [S] [expired: 2018-01-11]
sub rsa4096/0xAA9E014656987A65 2015-01-18 [S] [revoked: 2015-10-29]
sub rsa4096/0xAF292B44A0EDAA41 2016-08-30 [S] [expired: 2018-01-11]
sub rsa4096/0xD21DAD38AF281C0B 2017-08-28 [S] [expires: 2025-01-25]
sub rsa4096/0x3020A7A9C2B72733 2017-08-28 [S] [revoked: 2020-05-29]
sub ed25519/0x90B2B4BD7AED235F 2017-08-28 [S] [expires: 2025-01-25]
sub rsa4096/0xA8B0F4E45B1B50E2 2018-08-30 [S] [revoked: 2021-10-14]
sub rsa4096/0x7BFBD2B902EE13D0 2021-10-14 [S] [expires: 2025-01-25]
sub rsa4096/0xE5DBA2E186D5BAFC 2023-10-03 [S] [expires: 2025-01-25]
The TOFU output above shows that the release signing key from the TAILS project is a 4096-bit RSA key with a full fingerprint of "A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F
". The key file itself has a sha256 hash of "8c641252767dc8815d3453e540142ea143498f8fbd76850066dc134445b3e532
".
When doing a 3TOFU, save the output of each execution. After collecting output from all 3 executions (intentionally spread-out over 3 days or more), diff the output.
If the output of all three TOFUs match, then the confidence of the file's authenticity is very high.
Why do 3TOFU?
Unfortunately, many developers think that hosting their releases on a server with https is sufficient to protect their users from obtaining a maliciously-modified release. But https won't protect you if:
- Your DNS or publishing infrastructure is compromised (it happens), or
- An attacker has just one (subordinate) CA in the user's PKI root store (it happens)
Generally speaking, publishing infrastructure compromises are detected and resolved within days and MITM attacks using compromised CAs are targeted attacks (to avoid detection). Therefore, a 3TOFU verification should thwart these types of attacks.
⚠ Note on hashes: Unfortunately, many well-meaning developers erroneously think that cryptographic hashes provide authenticity, but cryptographic hashes do not provide authenticity -- they provide integrity.
Integrity checks are useful to detect corrupted data on-download; it does not protect you from maliciously altered data unless those hashes are cryptographically signed with a key whose private key isn't stored on the publishing infrastructure.
Improvements
There are some things you can do to further improve the confidence of the authenticity of a file you download from the internet.
Distinct Domains
If possible, download your payload from as many distinct domains as possible.
An adversary may successfully compromise the publishing infrastructure of a software project, but it's far less likely for them to compromise the project website (eg 'tails.net
') and their forge (eg 'github.com
') and their mastodon instance (eg 'mastodon.social
').
Use TAILS
TAILS is by far the best OS to use for security-critical situations. |
If you are a high-risk target (investigative journalist, activist, or political dissident) then you should definitely use TAILS for one of your TOFUs.
Signature Verification
It's always better to verify the authenticity of a file using cryptographic signatures than with 3TOFU.
Unfortunately, some companies like Microsoft don't sign their releases, so the only option to verify the authenticity of something like a Windows .iso
is with 3TOFU.
Still, whenever you encounter some software that is not signed using an offline key, please do us all a favor and create a bug report asking the developer to sign their releases with PGP (or minisign or signify or something).
4TOFU
3TOFU is easy because Tor is free and most people have access to a VPN (corporate or commercial or an ssh socks proxy).
But, if you'd like, you could also add i2p or some other proxy network into the mix (and do 4TOFU).
Local authorities in Crimea are warning of internet disruptions from distributed denial-of-service (DDoS) attacks targeting telecommunication providers.
The “massive” DDoS attacks, which overwhelm targeted networks with a flood of junk internet traffic, were launched against Crimean telecom companies on Wednesday and are still ongoing, according to Crimean officials.
“Work is underway to repel attacks. There may be interruptions in providing internet services,” said Oleg Kryuchkov, the advisor to the Crimea region, which has been occupied by Russian forces since 2014.
In Crimea’s largest city, Sevastopol, the attackers mostly targeted local internet provider Miranda Media, which is connected to Russian national telecom provider Rostelecom. Miranda Media was sanctioned by the European Union in 2023 for providing services to illegal authorities and institutions in Crimea in the interests of Russia.
Several local subscribers complained on the company’s Telegram channel that their internet connection has been “terrible” for the past two days, but Miranda Media hasn’t released an official statement about the disruptions. The company did not respond to a request for comment.
“The enemy attacks this particular operator for a reason,” a spokesperson for Sevastopol’s government said on Telegram. Miranda Media provides “core communication channels” for the city’s emergency call center, they added.
The attack temporarily disrupted the call center's operations, but local authorities announced on Thursday that they have restored its functionality.
Ukraine’s military intelligence (HUR) claimed responsibility on Wednesday for the cyberattacks on “several of Russia's largest internet providers” operating in Crimea but did not provide additional details.
An anonymous source at HUR told the Ukrainian public broadcaster that the agency "systematically" attacks Russian digital infrastructure, including internet providers.
In May, Ukraine’s military hackers claimed responsibility for an attack on a major internet provider in the Russian city of Belgorod, located about 20 miles north of the Ukrainian border. The targeted company allegedly provides services to state and military institutions.
The attacks on Russian internet providers are also carried out by other Ukraine-linked hacker groups. Last October, a group of cyber activists known as the IT Army claimed responsibility for bringing down Miranda Media and two other Russian internet providers operating in Crimea.
At that time, Miranda Media stated that the attack was "carefully planned by cybercriminals."
Australia's Federal Police (AFP) has charged a man with running a fake Wi-Fi network on at least one commercial flight and using it to harvest flier credentials for email and social media services.
The man was investigated after an airline "reported concerns about a suspicious Wi-Fi network identified by its employees during a domestic flight."
The AFP subsequently arrested a man who was found with "a portable wireless access device, a laptop and a mobile phone" in his hand luggage.
That haul led the force to also search the 42-year-old's home – after securing a warrant – and then to his arrest and charging.
It's alleged the accused's collection of kit was used to create Wi-Fi hotspots with SSIDs confusingly similar to those airlines operate for in-flight access to the internet or streamed entertainment. Airport Wi-Fi was also targeted, and the AFP also found evidence of similar activities "at locations linked to the man's previous employment."
Wherever the accused's rig ran, when users logged in to the network, they were asked to provide credentials.
The AFP alleges that details such as email addresses and passwords were saved to the suspect's devices.
The charges laid against the man concern unauthorized access to devices and dishonest dealings. None of the charges suggest the accused used the data he allegedly accessed.
However, three charges of "possession or control of data with the intent to commit a serious offence" suggest the alleged perp was alive to the possibilities of using the data for nefarious purposes.
AFP Western Command Cybercrime detective inspector Andrea Coleman pointed out that free Wi-Fi services should not require logging in through an email or social media account.
Perhaps curiously, she advocated users of public Wi-Fi should "install a reputable virtual private network (VPN) on your devices to encrypt and secure your data when using the internet." She also recommended disabling file sharing, avoiding sensitive apps like banking while using public networks, and manually forgetting connections after use so that devices don't automatically reconnect to naughty networks.
The accused appeared before a magistrate last week and was released on bail on condition he restrict his use of the internet in certain ways.
Polish prosecutors are investigating a suspected Russian cyberattack on the country’s state news agency.
The likely goal of the May attack on the Polish Press Agency, or PAP, was disinformation “aimed at causing serious disturbances in the system or economy of the Republic of Poland by an undetermined person or persons involved in or acting on behalf of foreign intelligence,” a spokesperson for the Warsaw District Prosecutor's Office told the state outlet.
This offense is punishable by no fewer than eight years in prison under local law. The probe has been assigned to the Internal Security Agency.
During the attack, hackers published fake news on the PAP website claiming the country’s authorities had announced a partial mobilization of 200,000 men who were to be sent to fight in a war in Ukraine.
After the article was deleted by PAP, the hackers reposted it. Polish authorities blamed the attack on Russia.
"Everything indicates that we are dealing with a cyberattack that was directed from the Russian side," Poland’s Digital Affairs Minister Krzysztof Gawkowski said following the incident.
According to him, the hackers got into the news agency’s system by infecting the device of one of PAP's employees with malware. Gawkowski said that the attack was “targeted” and intended to cause panic and "shake up the system."
Poland is “on the frontline of the cyber fight against Russia,” he added.
PAP chief executive officer Marek Błoński condemned the attack, saying it was likely designed to interfere with the European Parliament election in June, echoing the statement of Prime Minister Donald Tusk, who called the incident “another very dangerous hacker attack” that “illustrates Russia's destabilization strategy on the eve of the European elections."
The Russian embassy in Warsaw told Reuters that it was not aware of the incident and declined to comment.
Poland has experienced an increase in Russian cyberattacks over the past few months, leading it to announce a $760 million investment in cyber defenses.
In June, it also signed a deal with the U.S. to strengthen their cooperation against “foreign information manipulation,” including from Russia.
Suspected Russian hackers have previously used legitimate news websites to spread propaganda. In February, they attacked several popular Ukrainian media outlets, posting fake news related to the war.
Russian hacker groups targeting Ukrainian media include notorious state-controlled threat actors like Sandworm, according to Ukraine's Computer Emergency Response Team (CERT-UA).
Software company TeamViewer says that a compromised employee account is what enabled hackers to breach its internal corporate IT environment and steal encrypted passwords in an incident attributed to the Russian government.
In an update on Sunday evening, TeamViwer said a Kremlin-backed group tracked as APT29 was able to copy employee directory data like names, corporate contact information and the encrypted passwords, which were for the company’s internal IT environment.
The company reaffirmed that the hackers were not able to gain access to the company's product environment or customer data, and that the breach, first reported last week, appears to be contained.
“The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft,” the company said.
TeamViewer said it has contacted authorities about the incident. APT29 — associated with Russia’s foreign intelligence service, the SVR — is one of the Kremlin’s highest-profile hacking operations.
“We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state,” the statement said.
TeamViewer’s remote access and remote control software is used to remotely manage fleets of devices. The company has previously faced attacks by alleged Chinese hackers and its products have often been deployed maliciously by hackers themselves during security incidents.
Multiple organizations published warnings last week about the APT29 breach, urging TeamViewer customers to take a range of actions — including reviewing logs for any unusual remote desktop traffic and enabling two-factor authentication. A healthcare security organization urged members to “use the allowlist and blocklist to control who can connect to their devices.”
TeamViewer has not responded to questions about what APT29 appeared to be looking for during the incident.
The theft of encrypted passwords by APT29 matches another incident earlier this year where the same group infiltrated Microsoft’s systems and stole authentication details, credentials and emails from the tech giant’s senior leaders.
Summary
In this proof-of-concept report, Recorded Future's Identity Intelligence analyzed infostealer malware data to identify consumers of child sexual abuse material (CSAM). Approximately 3,300 unique users were found with accounts on known CSAM sources. A notable 4.2% had credentials for multiple sources, suggesting a higher likelihood of criminal behavior. The study reveals how infostealer logs can aid investigators in tracking CSAM activities on the dark web. Data was escalated to law enforcement for further action.
Caught in the Net: Using Infostealer Logs to Unmask CSAM Consumers
Background
Infostealer malware steals sensitive user information such as login credentials, cryptocurrency wallets, payment card data, OS information, browser cookies, screenshots, and autofill data. Common distribution methods include phishing, spam campaigns, fake update websites, SEO poisoning, and malvertising. A popular infection vector is “cracked” software marketed to users seeking to obtain licensed software illegally. Stolen data, known as “infostealer logs,” often ends up on dark web sources where cybercriminals can purchase it, potentially gaining access to networks or systems.
The anonymity provided by Tor-based websites with .onion domains fosters the production and consumption of CSAM. Studies show that although only a small percentage of .onion websites host CSAM, the majority of dark web browsing activity targets these sites.
Methodology
In this proof-of-concept report, Recorded Future's Identity Intelligence leveraged infostealer malware data to identify consumers of child sexual abuse material (CSAM), surface additional sources, and uncover geographic and behavioral trends. Our high-confidence assessments stem from the nature of the infostealer log data and subsequent research.
Sample investigations of three individuals with accounts on multiple CSAM sources suggest that having multiple CSAM accounts may indicate a higher likelihood of committing crimes against children. This study demonstrates that infostealer logs can help law enforcement track child exploitation on the dark web, a challenging area to trace. All relevant findings have been reported to authorities.
Our research involved creating a list of known high-fidelity CSAM domains and querying Recorded Future Identity Intelligence data to identify users with credentials to these domains. Collaborating with non-profit organizations like World Childhood Foundation and the Anti-Human Trafficking Intelligence Initiative (ATII), Insikt Group expanded this list by querying the Recorded Future Intelligence Cloud. This iterative process helped identify additional CSAM sources.
Insikt Group then queried Recorded Future’s Identity Intelligence, which offers real-time access to infostealer log information, for authentication records linked to known CSAM sources from February 2021 to February 2024. De-duplication was performed by comparing OS usernames and PC names.
Findings
Insikt Group identified 3,324 unique credentials used to access known CSAM websites. This data allowed us to gather statistics on individual sources and users, including their usernames, IP addresses, and system information. This granular data helps law enforcement understand the infrastructure of CSAM websites, uncover techniques used by CSAM consumers to mask their identities, and identify potential CSAM consumers and producers.
In three case studies, Insikt Group used the data contained in infostealer logs and open-source intelligence (OSINT) to identify two individuals and found further digital artifacts, including cryptocurrency addresses, belonging to a third individual.
The PoC study showcases that infostealer logs can be used to identify CSAM consumers and new sources and trends in CSAM communities.
As the cybercriminal demand for infostealer logs and malware-as-a-service (MaaS) ecosystems continues to grow, Insikt Group anticipates that infostealer log datasets will continue to provide current and evolving insights into CSAM consumers.
To read the entire analysis, click here to download the report as a PDF.
A new vulnerability affecting Linux systems has caused alarm over the last 48 hours among security researchers, although some experts have cast doubts about whether widespread exploitation of the bug is likely.
On Monday, researchers from cybersecurity firm Qualys unveiled a report on CVE-2024-6387 — colloquially known as “RegreSSHion.” A patch is available to resolve the issue.
The vulnerability is found in OpenSSH’s server in glibc-based Linux systems.
Saeed Abbasi, product manager of vulnerability research at Qualys, told Recorded Future News the best way to understand the issue is to imagine a very secure lock on your front door that only lets people in if they have the right key.
“This lock is used in many houses worldwide because it is very safe. However, we’ve discovered a flaw in this lock — a hidden way to open it without a key, and someone could sneak in without you noticing,” he said.
Matt Moore, the chief technology officer at the security company Chainguard, explained that OpenSSH is a free open source collection of networking tools used predominantly by system administrators to manage remote systems across platforms.
It is also used for securely transferring files and for accessing services in the cloud without exposing a local machine's ports to the Internet, he said. OpenSSH encrypts all traffic between client and server to prevent eavesdropping, connection hijacking, and other attacks.
“In simpler terms, this is the equivalent of a bank vault being already unlocked during a robbery, attackers can use this to gain access and then laterally move to where the most important information is,” Moore said.
If exploited, the vulnerability would allow for a full system takeover where an attacker could install malware, manipulate data and create backdoors for persistent access. The researchers found that it is actually a version of a bug that was previously resolved — CVE-2006-5051 — and then reintroduced after recent code changes.
Qualys’s Abbasi explained that searches on tools like Censys and Shodan show potentially 14 million internet-facing server instances that may be vulnerable to the bug, although Moore said it appears the blast radius for the bug is smaller than the entirety of the ecosystem using OpenSSH.
Abbasi said the bug was particularly concerning because it affects the default configuration of OpenSSH and doesn't require user interaction.
The ubiquity of OpenSSH as a secure communication method “significantly broadens the potential repercussions of this vulnerability,” he added.
“Within an enterprise setting, OpenSSH is utilized across various platforms, such as on-premise servers, cloud infrastructures, development environments, workstations, laptops, containerized environments, and network devices. This extensive deployment highlights the widespread impact a vulnerability could have,” he said.
Questions about exploitation
While most experts said concerns about the bug were justified, others cast doubt on its severity.
Moore noted the exploits for the vulnerability appear to only be viable for a certain kind of Linux server, most of which are relegated to 15-year-old systems.
While it is not difficult to install the patch, the larger issue according to Moore is identifying what instances are using vulnerable versions. Organizations should focus on upgrading to the latest version of OpenSSH, with a priority placed on publicly exposed instances.
Some tools identifying vulnerable systems have been created to help those in need.
Experts at the cybersecurity firms Wiz and Palo Alto Networks said widespread exploitation is unlikely. Wiz said an attacker would need to know the version of Linux they are targeting in order to tailor the exploit, making the bug “inappropriate for widespread opportunistic exploitation.”
Palo Alto Networks said proof of concept code released on Monday has not worked in their exploit attempts, and as of Tuesday they have seen no exploit attempts in the wild.
Contrast Security co-founder Jeff Williams added that attacks involving the vulnerability are “a bit noisy” and may take thousands of attempts to succeed — allowing defenders to detect and prevent the attacks before they are successful. Wiz echoed that assessment, explaining that successful exploitation “usually takes several hours of login attempts in total.”
“No need to hit the panic button at this time,” said Ben Lister, threat research engineer at NetSPI.
“Due to its complexity, it would take an attacker between six hours and a week of persistent effort to successfully exploit the condition and gain a root shell — making it highly unlikely that we’ll experience mass exploitation, as we've seen with similar vulnerabilities. However, organizations should remain proactive and vigilant against the exploit.”
An international coalition of law enforcement agencies have taken action against hundreds of installations of the Cobalt Strike software, a penetration testing tool notoriously abused by both state-sponsored and criminal hackers involved in the ransomware ecosystem.
Britain’s National Crime Agency (NCA) announced on Wednesday that it coordinated global action against the tool, tackling 690 IP addresses hosting illegal instances of the software in 27 countries.
Cobalt Strike, now owned by a company called Fortra, was developed in 2012 to simulate how hackers break into victims’ networks. However, it works so well — easing the processes involved in trying to break into a victim’s network — that pirated versions of the tool have been widely deployed by real malicious actors over the last decade.
The action comes as law enforcement agencies continue to tackle ransomware gangs by targeting the ecosystem’s weak points — hitting the links in the chain that could have cascading effects, such as the seizure of bulletproof hosting provider LolekHosted.
Alongside its legitimate users and those in the ransomware space, Cobalt Strike has also been used by hackers linked to the Russian, Chinese and North Korean governments.
“Since the mid 2010s, pirated and unlicensed versions of the software downloaded by criminals from illegal marketplaces and the dark web have gained a reputation as the ‘go-to’ network intrusion tool for those seeking to build a cyber attack, allowing them to deploy ransomware at speed and at scale,” stated the NCA.
Most commonly, the unlicensed versions of Cobalt Strike are used in spear phishing emails that aim to install a beacon on the target’s device. This beacon then allows the attacker to profile and remotely access the victim’s network.
However its multifunctional nature, including a framework for managing the hackers' command and control infrastructure, makes the tool “the Swiss army knife of cybercriminals and nation state actors,” as described by Don Smith, the vice president of threat research at Secureworks Counter Threats Unit.
“Cobalt Strike has long been the tool of choice for cybercriminals, including as a precursor to ransomware. It is also deployed by nation state actors, e.g. Russian and Chinese – to facilitate intrusions in cyber espionage campaigns. Used as a foothold, it has proven to be highly effective at providing the back door to victims to facilitate intrusions in cyber espionage campaigns,” Smith said.
According to the NCA, the action tackling the rogue uses of the software took place last week and involved server takedowns as well as sending “abuse notifications” to ISPs to warn them that they could be hosting malware.
Paul Foster, the director of threat leadership at the NCA, stressed that Cobalt Strike was “a legitimate piece of software,” but that “sadly cybercriminals have exploited its use for nefarious purposes.”
“Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise,” Foster said.
“International disruptions like these are the most effective way to degrade the most harmful cyber criminals, by removing the tools and services which underpin their operations,” added the NCA director.
Despite the law enforcement action, “the threat from ransomware remains omnipresent and whilst this disruption is to be welcomed, criminals and nation state actors will almost certainly have a Plan B,” said Secureworks’ Smith.
Fortra has pledged to continue to work with law enforcement to identify and remove older versions of its software from the internet. The NCA retracted an earlier statement that the company had released a new version of the software with “enhanced security measures.”
“Fortra has taken significant steps to prevent the abuse of its software and has partnered with law enforcement throughout this investigation to protect the legitimate use of its tools,” Europol stated.
“However, in rare circumstances, criminals have stolen older versions of Cobalt Strike, creating cracked copies to gain backdoor access to machines and deploy malware. Such unlicensed versions of the tool have been connected to multiple malware and ransomware investigations, including those into RYUK, Trickbot and Conti.”
Ticketmaster shot down claims made on the dark web that hackers have access to working ticket barcodes for several upcoming Taylor Swift concerts and other events.
On Friday, a hacker allegedly offered for sale event barcodes for Taylor Swift’s Eras Tour concert dates in New Orleans, Miami and Indianapolis.
The barcodes are typically scanned at the entrance for events. In total, the hacker offered about 170,000 barcodes for sale, with about 20,000 for sale at each show.
The hacker also threatened Ticketmaster with more leaks if they are not paid $2 million — claiming to have 30 million more barcodes for NFL games, Sting concerts and more.
A spokesperson for Ticketmaster debunked the claims made in the post in comments to Recorded Future News.
“Ticketmaster’s SafeTix technology protects tickets by automatically refreshing a new and unique barcode every few seconds so it cannot be stolen or copied,” the spokesperson said.
“This is just one of many fraud protections we implement to keep tickets safe and secure.”
The spokesperson also shot down allegations made in media reports that they engaged the hacker in ransom negotiations, saying that they never engaged with the hacker and never offered the person money.
Ticketmaster’s parent company Live Nation confirmed last month that the company’s account on data storage platform Snowflake had been breached.
Hackers on the dark web claimed to have a 1.3 terabyte database of information on about 560 million Ticketmaster users that included names, addresses, emails and phone numbers as well as event details and information on specific orders.
The theft was part of a larger campaign of thefts targeting about 165 customers of Snowflake. Some of the data stolen from those companies was offered for sale by the same hacker behind this most recent post about event barcodes.
A 4chan user claims to have leaked 270GB of internal New York Times data, including source code, via the notorious image board.
According to the unnamed netizen, the information includes "basically all source code belonging to The New York Time Company," amounting to roughly 5,000 repositories and 3.6 million files now available for download from peer-to-peer networks. Details on how to get the files were shared by the poster on 4chan.
While The Register has seen what's said to be a list of files in the purported leak, we have not yet verified the legitimacy of the leak, and the newspaper did not respond to inquiries about the case.
Of the code listed - whose filenames indicate everything from the blueprints to Wordle to email marketing campaigns and ad reports - "less than 30" are "encrypted," the 4channer claimed. Again, take this with a healthy dose of salt considering the source — an unnamed 4chan user.
The Register will update this story if and when we receive a response from The Times. But if true, the theft could potentially cause a huge headache for the newspaper, given the list of stolen data. There's a lot of JavaScript and TypeScript in there, judging by the filenames, plus some personal information. It might be largely scraped from the public site, it might actually be stolen.
In 2013 The New York Times and other media outlets saw their operations come under attack by a bunch of miscreants calling themselves the Syrian Electronic Army. During these incidents, which occurred over a period of months, readers were unable to visit some publications' websites at times; at other times, pages were defaced by intruders.
The Register was targeted, too, by the gang in a failed spear-phishing attack. At least one of our vultures was sent an email claiming to be from a senior editor, with a link to a fake copy of our publishing system to phish their credentials; the giveaway was that the message was far too cheery for that editor to be real. It also prompted us to introduce mandatory multi-factor authentication at work.
A few years later, in 2016, suspected Russian cyber-spies broke into email inboxes belonging to The New York Times and other American news organizations.
The U.S. service Docker Hub, widely used for developing software, has suspended its operations in Russia without giving advance notice to local users, according to media reports.
Russian users lost access to Docker Hub repositories on Thursday and couldn’t access the service even through virtual private networks (VPNs), reported Russian news website Kommersant.
Developers use the cloud-based platform to store, share and manage their container images — digital packages that include everything needed to run an application.
Docker Hub stated in a message displayed to those trying to access the platform from Russia that it is blocking services in Cuba, Iran, North Korea, Sudan, Syria and Russian-annexed Crimea to “adhere to U.S. export control rules.” Russia itself wasn’t included in the message.
At the time of publication, the platform’s operator, Docker Inc., hasn’t responded to a request for comment.
Russian legal expert Maria Udodova told Kommersant that the blocking could be linked to the new proposed rule introduced by the Department of Commerce in January to protect cloud services from foreign cyberthreats to national security. Recorded Future News couldn’t verify this claim.
In an interview with Russian media, several local tech businesses complained that due to the blocking, they cannot upload or save their projects from the repository. They said that Docker Hub was popular among Russian companies involved in cybersecurity.
Following the service suspension, Russian developers took to the Docker Hub forum and Reddit to voice their complaints.
“It’s not me who invaded Ukraine, it’s not millions of developers and software engineers either, but we have to suffer the consequences. Thanks a lot, Docker!” one user said on Reddit.
“Please consider keeping Docker Hub available for Russians — they’re oppressed by their own government they didn’t choose. The regime will have access to any technology anyway, and have resources to keep their infrastructure running,” another user wrote on the Docker community forum.
Industry experts admitted to Kommersant that Docker Hub restrictions could deal a blow to tech businesses, which now have to quickly find an alternative. This is not easy since other similar services, including GitHub, suspended some of their services in Russia when it invaded Ukraine.
In 2022, Docker said in a statement that the company “stands with Ukraine” and will not do business with Russian and Belarusian businesses or accept payments from these locations during the war.
The company also said that it removed the ability to purchase and renew Docker subscriptions from Russia and Belarus.
Slow exits
The fact that Docker Hub was still generally available in Russia until this week, despite the company’s previous statements, isn’t unusual.
With the start of the war in Ukraine two years ago, many Western tech firms announced that they would quit the Russian market or suspend selling their products there — either for moral reasons or due to economic sanctions imposed on Russia by the EU or the U.S.
Big tech companies that served many clients in Russia didn’t exit the market immediately. Only this August, Microsoft, for example, announced that it would stop renewing licenses for its products to Russian companies and would not process payments via wire transfer to local bank accounts.
In March, Russians received a notification from Microsoft saying that it would suspend access to its cloud services for local users as a result of European sanctions imposed on Russia after its invasion of Ukraine.
Earlier in January, Czech antivirus developer Avast suspended selling its software in Russia. In the initial months of the war, the company announced that it would stop renewing licenses for its products for Russian and Belarusian users.
A strain of malware named Chalubo wrecked over 600,000 routers for small offices and homes in the U.S. last year.
In a new report from Lumen Technologies’ Black Lotus Labs, researchers described a “destructive” incident between October 25-27 in which hundreds of thousands of routers made by Sagemcom and ActionTec were rendered permanently inoperable.
Chalubo was first discovered in 2018 by researchers from Sophos, which said it was used to infect devices and add them to powerful botnets that could perform distributed denial of service (DDoS) attacks.
Black Lotus Labs did not name the internet service provider (ISP) that deployed the routers but Reuters said an analysis of news coverage indicated it was likely Arkansas-based Windstream, which did not respond to requests for comment.
Further research revealed that the routers were destroyed by a firmware update sent out to the devices that had already been compromised by Chalubo.
“At this time, we do not have an overlap between this activity and any known nation-state activity clusters,” the researchers explained. “We assess with high confidence that the malicious firmware update was a deliberate act intended to cause an outage, and though we expected to see a number of router make and models affected across the internet, this event was confined to the single ISP’s autonomous system number (ASN).”
A survey of complaints on internet forums and outage detectors revealed that most people were complaining about issues with router models Sagemcom F5380, ActionTec T3200s and ActionTec T3260s.
Users who contacted ActionTec’s support center were told the entire router would need to be replaced. To check whether those models were the only ones affected, the researchers used internet scanning tool Censys and found that between October 27 and October 28, there was a 179,000 drop in IP addresses connected to ActionTec devices and a decrease of 480,000 devices associated with Sagemcom.
Lumen researchers noted that the Chalubo malware family continues to be active and found that more than 330,000 IP addresses communicated with tools connected to the malware, indicating that “while the Chalubo malware was used in this destructive attack, it was not written specifically for destructive actions.”
'Rural or underserved communities'
The researchers do not know what exploit was used to gain initial access to compromised devices. They could not find vulnerabilities for the specific models impacted, “suggesting the threat actor likely either abused weak credentials or exploited an exposed administrative interface.”
“We suspect the threat actors behind this event chose a commodity malware family to obfuscate attribution, instead of using a custom-developed toolkit,” they said.
The researchers noted that “a sizeable portion of this Internet Service Provider’s service area covers rural or underserved communities,” potentially making recovery more difficult.
The outage affected “places where residents may have lost access to emergency services, farming concerns may have lost critical information from remote monitoring of crops during the harvest, and health care providers cut off from telehealth or patients’ records,” they said.
Chalubo is a sophisticated malware family that its creators went to great lengths to conceal. The malicious code removes all of its files and renames itself after something already present on the device.
All of the communication with command and control (C2) servers is encrypted — which Lumen said contributed to the lack of previous research on the malware.
There has been significant law enforcement focus this week on malware that affects routers. International law enforcement agencies announced Thursday that they took several of the most influential malware families offline in the “largest ever operation against botnets.”
The FBI and international partners dismantled another massive botnet on Wednesday that infected more than 19 million IP addresses across 200 countries and was used for years to conceal cybercrime.
A bipartisan pair of House lawmakers is pressing for more details about the breach of a water facility in Texas that was carried out by a group with suspected ties to the Russian government.
In an April 23 letter, Reps. Pat Fallon (R-TX) and Ruben Gallego (D-AZ) asked Homeland Security Secretary Alejandro Mayorkas for a briefing on the January incident, which caused a tank at a water facility in Muleshoe, Texas, to overflow.
The Google-owned security firm Mandiant later issued a report that said the group purportedly behind the attack, the Cyber Army of Russia, is linked to a Russian state actor, Sandworm — which has gained global notoriety for its past, and present, digital assaults on Ukraine.
The group has since claimed credit for a cyberattack on an Indiana water plant.
“As you may know, much of the American West is experiencing a historic, long-term drought that makes fortifying water supplies from vulnerabilities like adversary disruption efforts all the more important,” the duo wrote.
“Should a hack similar to the Texas incident occur in Arizona or other states that may lack sufficient water supply, it could disrupt operations across the region with devastating effects,” they added.
The pair asked Mayorkas to answer a series of questions, including what DHS is doing to respond to the incident; how the agency is coordinating with international, state and local partners; and if it needs additional authorities to protect the nation’s water supply,
Gallego and Rep. Jim Banks (R-IN) — both of whom are running for Senate — sent a similar letter to Mayorkas late last year after the Irank-linked Cyber Av3ngers group claimed responsibility for striking a water authority in Pennsylvania.
A former NSA employee has been sentenced to 262 months in prison for attempting to freelance as a Russian spy.
In his trial yesterday, Jareh Sebastian Dalke pleaded guilty to six counts of attempted transmission of top-secret info to a foreign agent as announced by the US Department of Justice.
He had worked at the NSA as an information systems security designer for just under a month from June to July 2022, making quick work of the short period by accumulating top secret documents with national defense information (NDI).
Between August and September that year, shortly after leaving the NSA, Dalke made contact with a person he thought was a Russian agent. To prove his "legitimate access and willingness to share," he then emailed the apparent spy snippets of three top secret, classified documents with NDI. Dalke then said he'd be willing to sell the full documents and more for just $85k.
A former NSA employee has been sentenced to 262 months in prison for attempting to freelance as a Russian spy.
In his trial yesterday, Jareh Sebastian Dalke pleaded guilty to six counts of attempted transmission of top-secret info to a foreign agent as announced by the US Department of Justice.
He had worked at the NSA as an information systems security designer for just under a month from June to July 2022, making quick work of the short period by accumulating top secret documents with national defense information (NDI).
Between August and September that year, shortly after leaving the NSA, Dalke made contact with a person he thought was a Russian agent. To prove his "legitimate access and willingness to share," he then emailed the apparent spy snippets of three top secret, classified documents with NDI. Dalke then said he'd be willing to sell the full documents and more for just $85k.
Only there was one problem: he was talking to an undercover FBI agent.
Dalke and the FBI agent then arranged a time and place to hand over the documents. On September 28, the former NSA worker took his laptop to Union Station in Denver and sent the documents to the FBI agent over the internet. Dalke also included a letter in Russian that said, among other things, "My friends! I am very happy to finally provide this information to you… I look forward to our friendship and shared benefit."
Of course, the FBI agent was not his friend and the whole thing was a sting operation, and the former NSA employee was arrested just after he sent the classified materials. Dalke pleaded guilty from the outset.
"This defendant, who had sworn an oath to defend our country, believed he was selling classified national security information to a Russian agent, when in fact, he was outing himself to the FBI," Attorney General Merrick Garland said. "This sentence demonstrates that those who seek to betray our country will be held accountable for their crimes."
A former NSA employee has been sentenced to 262 months in prison for attempting to freelance as a Russian spy.
In his trial yesterday, Jareh Sebastian Dalke pleaded guilty to six counts of attempted transmission of top-secret info to a foreign agent as announced by the US Department of Justice.
He had worked at the NSA as an information systems security designer for just under a month from June to July 2022, making quick work of the short period by accumulating top secret documents with national defense information (NDI).
Between August and September that year, shortly after leaving the NSA, Dalke made contact with a person he thought was a Russian agent. To prove his "legitimate access and willingness to share," he then emailed the apparent spy snippets of three top secret, classified documents with NDI. Dalke then said he'd be willing to sell the full documents and more for just $85k.
Only there was one problem: he was talking to an undercover FBI agent.
Dalke and the FBI agent then arranged a time and place to hand over the documents. On September 28, the former NSA worker took his laptop to Union Station in Denver and sent the documents to the FBI agent over the internet. Dalke also included a letter in Russian that said, among other things, "My friends! I am very happy to finally provide this information to you… I look forward to our friendship and shared benefit."
Of course, the FBI agent was not his friend and the whole thing was a sting operation, and the former NSA employee was arrested just after he sent the classified materials. Dalke pleaded guilty from the outset.
"This defendant, who had sworn an oath to defend our country, believed he was selling classified national security information to a Russian agent, when in fact, he was outing himself to the FBI," Attorney General Merrick Garland said. "This sentence demonstrates that those who seek to betray our country will be held accountable for their crimes."
Sentencing law is somewhat complex, but assuming Dalke can't serve any of his counts concurrently and that he doesn't get out early, he'll be getting out in January 2046, and he'll be 53 or 54.
The NSA employee turned failed Russian informant was remarkably unsuccessful in his attempt to give Russia a helping hand, though it is a little concerning that Dalke had NDI material in his possession at all. The incident isn't unlike the Teixeira leaks from last month, especially since both Dalke and Teixeira were seemingly completely incompetent in leaking info. Maybe the US government should review who gets access to classified materials, as it seems neither person had any real business handling these docs.
NATO will establish a new cyber center at its military headquarters in Mons, Belgium, a senior official confirmed to Recorded Future News on Wednesday. The new facility, details about which have not previously been reported, marks the fruition of a significant doctrinal shift in how the alliance approaches operations in cyberspace.
The shift, as officially set out in NATO’s Strategic Concept (2022), states that “cyberspace is contested at all times,” meaning it cannot just be a concern for the military alliance during moments of crisis or conflict. NATO needs to constantly engage with adversaries on computer networks — not just when Article 4 or Article 5 are triggered by allies.
Although allies last year endorsed the creation of a NATO cyber center during the cyber defense conference in Berlin, at that time the exact plan was unclear. Suggestions ranged from an institution that would help develop cyber competencies among allies through to a tactical-level command for combined operations, similar to NATO’s maritime (MARCOM), air (AIRCOM), and land (LANDCOM) command centers.
Speaking to Recorded Future News at the ENISA Cybersecurity Policy Conference in Brussels, James Appathurai, NATO’s deputy assistant secretary general for innovation, hybrid and cyber, said the structural changes that are being made flow from that doctrine about cyberspace. He said the model for the center was the United Kingdom’s National Cyber Security Centre — where civilian experts could work alongside those from industry, the military, and NATO’s political corps — to address potential threats.
The working name for the new facility is the NATO Integrated Cyber Centre (NICC).
The idea is the NICC would physically co-locate personnel in Mons to provide the Supreme Allied Commander Europe (SACEUR) — effectively NATO’s most senior military official, historically always a senior U.S. military officer — with 24/7 visibility over both NATO enterprise networks and other networks beyond where incidents risk impacting military operations in Europe.
SACEUR “needs to have visibility over what cyberspace looks like for him at all times. That’s the logic behind this, and that’s where we will get to in time for the summit, which is in only a few weeks,” explained Appathurai.
Delivering his keynote to the conference, Appathurai said: “For example, a port in Europe has been under a sustained cyberattack to try to lock the locks. So we have ships transiting through, [the attackers] try to lock it and drain the water to drop the ship inside of the lock, which would damage the ship and block the port.”
Appathurai did not name the port and did not confirm the port when asked by Recorded Future News. But for a major seaport such as Rotterdam, the potential impact of such an attack could severely disrupt the supply of critical military and civilian materiel. Officials in the United States are warning that cyberattacks pose a significant threat to ports.
“There is a lot more risk and a lot more capabilities out there. So what are we doing about it? First we have to recognise and act on it,” said Appathurai.
“We need to break down, in the NATO sense, bureaucratic barriers. For us, we have the military, we have the civilians, we have the intelligence world, we have industry. We are working on bringing them all together.
“I would commend for an example the U.K. National Cyber Security Centre, where they have everybody together in one building, with a less secure and then a more secure tier. And industry is there full-time with everybody else, with information on their networks, providing it and receiving intelligence or other forms of support. So aggregating what is disaggregated, and breaking down the barriers between the two,” he said.
No delineation between peacetime and conflict
Acknowledging that “cyberspace is contested at all times” was “the most fundamental shift we’ve made in the last year,” said Appathurai. “Allies have now codified the understanding that unlike in other environments, you cannot have a clear delineation between peacetime, crisis, and conflict [in cyberspace].”
The concept is a comfortable one for some of NATO’s more mature cyber powers, particularly the United States has proactively conducted what it calls persistent engagement for a number of years — alongside similar operational activities by the United Kingdom and the Netherlands.
But among some allies, the prescription that the concept calls for — engaging with adversaries in cyberspace — remains controversial. Appathurai said that key to understanding the prescription, and to understanding the risk facing Europe in general, was the conflict in Ukraine.
“It’s really important that people understand how important cyberdefense has been for Ukrainians. Without it, their military command and control wouldn’t work. Their civilian communications would not work. They would not have banks operating and providing people money. People wouldn’t know where to go and what to do when something happens. And President Zelensky would not be on the air motivating us to provide weapons — which we need to do faster — helping his people to have courage in this situation.”
Cyberdefense “underpins everything in our doctrine,” said the NATO official. This was also why the new cyber center would not be a command in the style of MARCOM or LANDCOM, because cyber underpins the other domains.
The ultimate structure of the center hasn’t been finalized, Appathurai told Recorded Future News, explaining that the plan was to get everything completed ahead of the summit in Washington in July, adding that “literally this morning was another meeting of our committee that’s looking at our political-military advice.”
“The direction we’ve already been given is clear, that we have to integrate political and military tools to give us a better picture of military and civilian networks, that this should be for deterrence and defense, so that’s very much the framework in which it’s in,” he explained.
“But also that this will parallel and complement a separate track of decisions that we’re taking in time for the summit, to give NATO a stronger role when it comes to, for example, enforcing cyber norms when it comes to allies, allies being able to work in other international bodies, to strengthen standards. So there’s a political aspect that will be strengthened as well as this very practical center, or whatever we end up calling it.”
“We’re working on the mechanics of the center. How exactly staff will relate to each other, who exactly, which parts exactly, but this is all mechanics and it can be worked out so there’s no problem there. So I’m actually 100% confident that we will arrive at a good solution.
“Then there’s the implementation. That’s always a bureaucratic struggle, but we’ll get through it, and we’ll get through it pretty fast because it’s NATO and you can give orders,” he said.
Intel CPU cores remain vulnerable to Spectre data-leaking attacks, say academics at VU Amsterdam.
We're told mitigations put in place at the software and silicon level by the x86 giant to thwart Spectre-style exploitation of its processors' speculative execution can be bypassed, allowing malware or rogue users on a vulnerable machine to steal sensitive information – such as passwords and keys – out of kernel memory and other areas of RAM that should be off limits.
The boffins say they have developed a tool called InSpectre Gadget that can find snippets of code, known as gadgets, within an operating system kernel that on vulnerable hardware can be abused to obtain secret data, even on chips that have Spectre protections baked in.
InSpectre Gadget was used, as an example, to find a way to side-step FineIBT, a security feature built into Intel microprocessors intended to limit Spectre-style speculative execution exploitation, and successfully pull off a Native Branch History Injection (Native BHI) attack to steal data from protected kernel memory.
"We show that our tool can not only uncover new (unconventionally) exploitable gadgets in the Linux kernel, but that those gadgets are sufficient to bypass all deployed Intel mitigations," the VU Amsterdam team said this week. "As a demonstration, we present the first native Spectre-v2 exploit against the Linux kernel on last-generation Intel CPUs, based on the recent BHI variant and able to leak arbitrary kernel memory at 3.5 kB/sec."
A quick video demonstrating that Native BHI-based attack to grab the /etc/shadow file of usernames and hashed passwords out of RAM on a 13th-gen Intel Core processor is below. We're told the technique, tagged CVE-2024-2201, will work on any Intel CPU core.
The VU Amsterdam team — Sander Wiebing, Alvise de Faveri Tron, Herbert Bos and Cristiano Giuffrida — have now open sourced InSpectre Gadget, an angr-based analyzer, plus a database of gadgets found for Linux Kernel 6.6-rc4 on GitHub.
"Our efforts led to the discovery of 1,511 Spectre gadgets and 2,105 so-called 'dispatch gadgets,'" the academics added. "The latter are very useful for an attacker, as they can be used to chain gadgets and direct speculation towards a Spectre gadget."
These numbers suggest a "nontrivial attack surface," said the researchers, who pointed to an Intel security advisory that includes updated software-level mitigations for these kinds of Native BHI attacks.
As we understand things, Intel in 2022 addressed BHI attacks with hardware and software-level protections as well as recommendations like not allowing unprivileged eBPF use.
Now an updated exploit, dubbed Native BHI, was developed using InSpectre Gadget that defeats those defense mechanisms, leading to the x86 titan issuing updated advice for developers and patches for the Linux kernel to block exploitation of CVE-2024-2201 – we assume other operating systems will need fixing up, too.
"External academic researchers reported new techniques to identify BHI sequences that could allow a local attacker who can already execute code to possibly infer the contents of Linux kernel memory," an Intel spokesperson told The Register today.
"Intel has previously shared mitigation guidance for BHI and intra-mode BTI attacks. In light of this new report, Intel is releasing updated guidance to assist in broader deployment of these mitigations."
AMD and Arm cores are not vulnerable to Native BHI, according to the VU Amsterdam team. AMD has since confirmed this in an advisory
History lesson
InSpectre Gadget, and the related research and Native BHI exploit, builds on the boffins' earlier work exploiting the Spectre variant BHI.
Spectre emerged in public in early 2018, along the related Meltdown design blunder, which The Register first reported. Over the years various variants of Spectre have been found, prompting engineers to shore up the security around performance-boosting speculative execution units.
After the aforementioned steps were taken to shut down BHI-style attacks, "this mitigation left us with a dangling question: 'Is finding 'native' Spectre gadgets for BHI, ie, not implanted through eBPF, feasible?'" the academics asked.
The short answer is yes. A technical paper [PDF] describing Native BHI is due to be presented at the USENIX Security Symposium.
Apple has sent a new batch of threat notifications to users in 92 countries who may have been targeted by mercenary spyware attacks, according to several media reports.
The alerts were sent on Wednesday, warning users that attackers tried to remotely compromise their iPhones. On the same day, Apple also updated its support page, explaining how threat notifications work and what targeted users should do if they receive one.
In previous alerts, the company described such incidents as “state-sponsored,” but according to its updated policy, it will now refer to them as “mercenary spyware attacks.” Common sources of spyware include private companies such as NSO Group and Cytrox.
According to Reuters, Apple's removal of the term "state-sponsored" from its description of threat notifications comes after it repeatedly faced pressure from the Indian government because of linking such breaches to nation-state actors. Sources told Reuters that Apple held extensive talks with Indian officials before releasing the latest set of alerts.
Spyware attacks affect a very small number of specific individuals — often journalists, activists, politicians, and diplomats — and are extremely costly, sophisticated and hard to detect, Apple explained. Since 2021, the company has sent threat notifications to users in over 150 countries.
Apple didn't reveal who was on the list of targets in the latest set of alerts, but sources told The Economic Times, an Indian English-language newspaper, that Indian users were among those included.
Last October, Apple warned over half a dozen Indian lawmakers from Prime Minister Narendra Modi’s main opposition party about spyware attacks. These attacks were reportedly part of an espionage campaign preceding this year’s general elections, held in seven phases between April 19 and June 1.
The company stated that it relies solely on internal threat intelligence to detect such attacks. Other organizations, such as the Canada-based Citizen Lab, also produce reports about spyware infections on Apple devices.
“Although our investigations can never achieve absolute certainty, Apple threat notifications are high-confidence alerts that a user has been individually targeted by a mercenary spyware attack, and should be taken very seriously,”' the company said in an update.
Apple typically notifies users multiple times a year in two ways: by displaying an alert at the top of the page after the user signs into their Apple ID, or by sending an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.
The company said that it cannot provide more information about what causes the company to send this notification, as that may help attackers adapt their behavior to evade detection in the future.
Earlier in February, Poland’s prime minister stated that he had uncovered documents confirming that the prior administration illegally deployed Pegasus spyware. Poland’s investigators claimed that the country’s 2019 elections were unfair due to the deployment of Pegasus, which is sold to governments worldwide by the Israel-based NSO Group. The company says it only supports lawful use of its products.
In September, the phones of prominent Russian journalists and critics of the Kremlin were infected with Pegasus spyware. Among the targets was Galina Timchenko, owner of the Russian independent media outlet Meduza.
She was infected with Pegasus while in Berlin for a private conference with other Russian independent journalists living in exile. This marked the first documented case of a Pegasus infection targeting a Russian citizen.
Cybersecurity giant Palo Alto Networks is alerting customers that a zero-day vulnerability in its firewall tool is being exploited by hackers.
The company released an advisory on Friday morning about CVE-2024-3400 — a vulnerability in the popular GlobalProtect VPN product that was unknown to researchers until this week. The bug carries the highest severity score possible of 10.
Palo Alto Networks said that it “is aware of a limited number of attacks that leverage the exploitation of this vulnerability.”
The company did not respond to requests for comment about how many customers were affected, where they are based or who was behind the attacks.
A patch will be available to customers by Sunday, the advisory said. In the meantime, Palo Alto Networks provided several mitigations customers can take to protect themselves.
The bug was discovered by researchers at cybersecurity firm Volexity. That company’s president, Steven Adair, said Friday on social media that it discovered the initial attacks two days ago.
The Cybersecurity and Infrastructure Security Agency (CISA) added the GlobalProtect flaw to its list of known exploited vulnerabilities almost immediately, signaling urgency in the need for federal agencies to patch the bug.
In a rare move, CISA gave federal civilian agencies just seven days to apply mitigations, a shortened timeline compared to the three weeks given to most bugs.
VPN products have become frequent targets for attack by threat actors in recent years due to the expansion of remote work and the widespread use of the tools among governments.
Palo Alto was previously affected by a vulnerability affecting its firewall product in 2022 that was used in a distributed denial-of-service (DDoS) attack.
Polish prosecutors are now actively building a case against current and former government officials believed to have deployed powerful commercial spyware against opposition party members and their allies in a rapidly unfolding spyware investigation.
In recent days, prosecutors have asked 31 victims whom they believe were likely targeted by Pegasus spyware to share their stories. Senior government officials have said the investigation could lead to arrests.
A probe into abuse of powers and dereliction of duties began on March 18 and is homing in on how officials used Pegasus from 2017 to 2022, according to Polish news reports citing a spokesperson for the prosecutor’s office.
The prior Polish ruling party, known as Law and Justice (PiS), is said to have targeted opposition leaders and others with the spyware, including amid the country’s election season. The spyware scandal has rocked the country since it first came to light in December 2021.
In September, Poland's Senate released the results of a special commission’s probe into the spyware’s usage, paying particular attention to the hack of an opposition politician in 2019, describing "gross violations of constitutional standards.”
The commission revealed at the time that it had alerted prosecutors to the potential for criminal charges against former and current Polish ministers for using or abetting the use of spyware.
Current Polish President Andrzej Duda is a former PiS member who is thought to remain loyal to the party, but the country has elected the leader of a different and more centrist party, Donald Tusk, as its new prime minister. Duda has served as president since 2015.
Tusk, who became prime minister in December, said in February that he can prove state authorities used the powerful spyware to monitor a “very long” list of individuals.
The prime minister also revealed at the time that he had found documents which “confirm 100%” the prior administration illegally used Pegasus, according to local news reporting at the time.
Spyware has long been a scourge in Europe with prior scandals enveloping Spain, Greece, Hungary and Serbia. Mercenary spyware is also used on a global scale. On Wednesday, Apple sent alerts to users in 92 countries, warning they may have been targeted by foreign commercial surveillance tools like Pegasus, primarily through attempts to compromise iPhones from afar.
John Scott-Railton, a security researcher at the Canada-based Citizen Lab who helped surface the Polish spyware problem, said he is watching the proceedings carefully.
“Poland has gone from being a troubling centerpiece in EU spyware scandals to showing clear signs of a concerted effort towards accountability,” Scott-Railton said via text message, citing the country’s recent decision to join a White House-led coalition of 17 countries working to fight the spread and use of spyware. “The recent developments would have been deeply unthinkable until the election.”
He added that Poland’s quest for accountability has “already gone further than most investigations in the EU.”
Scott-Railton said the fact that opposition party leader Krzysztof Brejza was hit with Pegasus during parliamentary elections in which he played a key role in setting strategy is an “ominous sign of potential election interference.”
The Polish scandal and the aftermath of its investigation will send an important signal across the continent, he said.
“As authoritarianism grows and dangers to EU democracy fueled by Russia increase, ensuring that European democracies are free from the danger of spyware abuse could not be more critical,” he said.
A second expert, white-hat hacker Runa Sandvik, said the 31 victims called to appear as witnesses may represent just a small fraction of the total scale of spyware abuse in Poland.
“It’s important to remember that this number — 31 — is the number the National Prosecutor’s Office has decided to release,” said Sandvik, who founded Granitt, a startup focused on helping journalists, human rights activists and other vulnerable populations targeted by spyware.
Sandvik said she believes the Polish government also likely used spyware to investigate crime, corruption and terrorism meaning the total number of people hit with Pegasus could be much higher.
“The number on its own does not tell us how many people were targeted, or for what purpose,” Sandvik said via email. “I hope the investigation will help shed some light on this.”
Several big businesses have published source code that incorporates a software package previously hallucinated by generative AI.
Not only that but someone, having spotted this reoccurring hallucination, had turned that made-up dependency into a real one, which was subsequently downloaded and installed thousands of times by developers as a result of the AI's bad advice, we've learned. If the package was laced with actual malware, rather than being a benign test, the results could have been disastrous.
According to Bar Lanyado, security researcher at Lasso Security, one of the businesses fooled by AI into incorporating the package is Alibaba, which at the time of writing still includes a pip command to download the Python package huggingface-cli in its GraphTranslator installation instructions.
There is a legit huggingface-cli, installed using pip install -U "huggingface_hub[cli]".
But the huggingface-cli distributed via the Python Package Index (PyPI) and required by Alibaba's GraphTranslator – installed using pip install huggingface-cli – is fake, imagined by AI and turned real by Lanyado as an experiment.
He created huggingface-cli in December after seeing it repeatedly hallucinated by generative AI; by February this year, Alibaba was referring to it in GraphTranslator's README instructions rather than the real Hugging Face CLI tool. Study
Lanyado did so to explore whether these kinds of hallucinated software packages – package names invented by generative AI models, presumably during project development – persist over time and to test whether invented package names could be co-opted and used to distribute malicious code by writing actual packages that use the names of code dreamed up by AIs.
The idea here being that someone nefarious could ask models for code advice, make a note of imagined packages AI systems repeatedly recommend, and then implement those dependencies so that other programmers, when using the same models and getting the same suggestions, end up pulling in those libraries, which may be poisoned with malware.
Last year, through security firm Vulcan Cyber, Lanyado published research detailing how one might pose a coding question to an AI model like ChatGPT and receive an answer that recommends the use of a software library, package, or framework that doesn't exist.
"When an attacker runs such a campaign, he will ask the model for packages that solve a coding problem, then he will receive some packages that don’t exist," Lanyado explained to The Register. "He will upload malicious packages with the same names to the appropriate registries, and from that point on, all he has to do is wait for people to download the packages." Dangerous assumptions
The willingness of AI models to confidently cite non-existent court cases is now well known and has caused no small amount of embarrassment among attorneys unaware of this tendency. And as it turns out, generative AI models will do the same for software packages.
As Lanyado noted previously, a miscreant might use an AI-invented name for a malicious package uploaded to some repository in the hope others might download the malware. But for this to be a meaningful attack vector, AI models would need to repeatedly recommend the co-opted name.
That's what Lanyado set out to test. Armed with thousands of "how to" questions, he queried four AI models (GPT-3.5-Turbo, GPT-4, Gemini Pro aka Bard, and Command [Cohere]) regarding programming challenges in five different programming languages/runtimes (Python, Node.js, Go, .Net, and Ruby), each of which has its own packaging system.
It turns out a portion of the names these chatbots pull out of thin air are persistent, some across different models. And persistence – the repetition of the fake name – is the key to turning AI whimsy into a functional attack. The attacker needs the AI model to repeat the names of hallucinated packages in its responses to users for malware created under those names to be sought and downloaded.
Lanyado chose 20 questions at random for zero-shot hallucinations, and posed them 100 times to each model. His goal was to assess how often the hallucinated package name remained the same. The results of his test reveal that names are persistent often enough for this to be a functional attack vector, though not all the time, and in some packaging ecosystems more than others.
With GPT-4, 24.2 percent of question responses produced hallucinated packages, of which 19.6 percent were repetitive, according to Lanyado. A table provided to The Register, below, shows a more detailed breakdown of GPT-4 responses.
With GPT-3.5, 22.2 percent of question responses elicited hallucinations, with 13.6 percent repetitiveness. For Gemini, 64.5 of questions brought invented names, some 14 percent of which repeated. And for Cohere, it was 29.1 percent hallucination, 24.2 percent repetition.
Even so, the packaging ecosystems in Go and .Net have been built in ways that limit the potential for exploitation by denying attackers access to certain paths and names.
"In Go and .Net we received hallucinated packages but many of them couldn't be used for attack (in Go the numbers were much more significant than in .Net), each language for its own reason," Lanyado explained to The Register. "In Python and npm it isn't the case, as the model recommends us with packages that don’t exist and nothing prevents us from uploading packages with these names, so definitely it is much easier to run this kind of attack on languages such Python and Node.js." Seeding PoC malware
Lanyado made that point by distributing proof-of-concept malware – a harmless set of files in the Python ecosystem. Based on ChatGPT's advice to run pip install huggingface-cli, he uploaded an empty package under the same name to PyPI – the one mentioned above – and created a dummy package named blabladsa123 to help separate package registry scanning from actual download attempts.
The result, he claims, is that huggingface-cli received more than 15,000 authentic downloads in the three months it has been available.
"In addition, we conducted a search on GitHub to determine whether this package was utilized within other companies' repositories," Lanyado said in the write-up for his experiment.
"Our findings revealed that several large companies either use or recommend this package in their repositories. For instance, instructions for installing this package can be found in the README of a repository dedicated to research conducted by Alibaba."
Alibaba did not respond to a request for comment.
Lanyado also said that there was a Hugging Face-owned project that incorporated the fake huggingface-cli, but that was removed after he alerted the biz.
So far at least, this technique hasn't been used in an actual attack that Lanyado is aware of.
"Besides our hallucinated package (our package is not malicious it is just an example of how easy and dangerous it could be to leverage this technique), I have yet to identify an exploit of this attack technique by malicious actors," he said. "It is important to note that it’s complicated to identify such an attack, as it doesn’t leave a lot of footsteps."