WhatsApp notched a major victory against the spyware producer NSO Group last week when a California federal judge ordered the Israeli company to turn over its highly protected secret code as part of discovery in a years-long lawsuit.

The case could have major repercussions for NSO Group, whose Pegasus spyware has been used to spy on human rights activists, journalists and opposition politicians across the world.

Judge Phyllis Hamilton ordered NSO Group to produce its code, specifically directing it to unveil relevant spyware from the year leading up to when WhatsApp users were allegedly victimized in 2019 through May 2020 until a year after the alleged attack ended.

WhatsApp has alleged that NSO Group exploited an audio calling vulnerability in its system to attach Pegasus to phones targeted by NSO Group clients.

It sued the company in 2019, alleging the spyware purveyor had facilitated surveillance of about 1,400 WhatsApp users over the course of two weeks, including journalists, human rights activists, political dissidents, diplomats and other senior foreign government officials.

According to WhatsApp’s complaint, NSO Group complained to a WhatsApp employee in a message when the vulnerability was fixed, saying, “you just closed our biggest remote for cellular … It’s on the news all over the world.”

In her opinion, Hamilton said she weighed an NSO Group argument that the discovery requirements should be modified but ultimately dismissed the claim.

“The court rejects defendants’ argument that their production should be limited to the installation layer of the alleged spyware, and instead concludes that defendants must produce information concerning the full functionality of the relevant spyware,” Hamilton’s decision said. “The complaint contains numerous instances alleging not only that spyware was installed on users’ devices, but also that information was accessed and/or extracted from those devices.”

News of the order was first reported by The Guardian.

A spokesperson for WhatsApp said the court ruling is an “important milestone in our long running goal of protecting WhatsApp users against unlawful attacks.

“Spyware companies and other malicious actors need to understand they can be caught and will not be able to ignore the law.”

Not everything went WhatsApp’s way, however. Hamilton ruled that NSO does not have to reveal its client names or provide details of its server architecture.

NSO Group did not respond to a request for comment.

In January, a federal judge denied a NSO motion to dismiss an Apple lawsuit alleging Pegasus spyware broke computer fraud laws.

Pegasus and other powerful spyware has recently been used in several European countries to marginalize opposition politicians and spy on journalists. Recent scandals in Poland, Spain, Greece, Serbia and Hungary have alarmed government officials across Europe. Just last week, in advance of June elections, spyware was found on the phones of members and staff of Europe’s Parliament.

The spyware is easily placed on victims’ phones without their knowledge, not even requiring them to click on links sent by unknown contacts. Once a phone is overtaken by the spyware it can see through the camera, activate the microphone, read emails and text messages and otherwise fully access the phone’s contents.

The U.S. government blacklisted NSO in 2021. The company has long claimed that Pegasus is designed to help governments fight terrorism, but a long string of abuses has undermined its reputation and led to pressure on Israel’s government to stop supporting it.

The German Ministry of Defense (Bundeswehr) has confirmed that a recording of a call between high-ranking officials discussing war efforts in Ukraine, leaked by Russian media, is legitimate.

Senior government officials have also confirmed Russian reports that the call was hosted on and tapped via Cisco's WebEx video conferencing platform rather than any kind of secure, military-grade comms.

Roderich Kiesewetter, deputy chairman of the German parliament's oversight committee, said the Bundeswehr leak was possibly caused by a Russian agent inside the WebEx call or the Bundeswehr's implementation of it, but the country is still working on discovering how the intrusion took place.

Likewise, the ministry released a statement to wider media saying: "According to our assessment, a conversation in the air force division was intercepted. We are currently unable to say for certain whether changes were made to the recorded or transcribed version that is circulating on social media."

Cisco has distanced itself from the situation. A spokesperson told The Register: "Cisco does not publicly discuss customer information and we refer your request to the organization in question."

The 38-minute recording was first published by Margarita Simonyan, editor-in-chief at the Russian state-controlled RT news outlet, and has since been shared widely online. It was supposedly handed to her by "sources" in Russian intelligence.

RT said it identified two of the four German military officials on the call, including the head of Air Force Operations Brigadier General Frank Graefe, and Air Force Chief Lieutenant General Ingo Gerhartz.

RT has since made a number of claims after publishing the call, including that the conversation provides proof that Germany was planning to help Ukraine to destroy the Kerch Bridge that connects Russia to the illegally annexed Crimea.

Discussions also involved a potential delivery of Taurus long-range missiles to Ukraine for use in the attacks and how Germany could supply these without appearing to be directly involved in the conflict.

Taurus missiles have a range of around 310 miles, far greater than the Storm Shadow cruise missiles supplied to Ukraine by the UK, which have a range of around 155 miles.

Ukraine has long asked Germany to deliver Taurus missiles, but Chancellor Olaf Scholz has repeatedly declined to do so out of fears that the ongoing conflict could escalate.

Kiesewetter told broadcaster ZDF that more recordings are likely to have been intercepted and could well be released at a later date, all to Russia's benefit.

It's likely the recent release was designed to pressure Germany to drop talks over Taurus missile deliveries.

On Friday, Dmitry Medvedev, deputy head of Russia's Security Council, said via Telegram: "After all, our eternal opponents – the Germans – have again turned into sworn enemies."

"Germany is preparing for war with Russia," he said in a second message on Sunday, both of which were lengthy and included several Nazi-themed slurs against the German military.

Maria Zakharova, spokesperson for Russia's Foreign Ministry, said Germany must "promptly" explain the nature of the audio, adding that a failure to respond will be seen as an admission of guilt.

Scholz said on Saturday that the leak was "a very serious matter" and is now being investigated thoroughly and quickly.

Asked about developments in the investigation, the Bundeswehr told The Register it had nothing further to add, but pointed to defense minister Boris Pistorius's comments on Sunday, calling the leak an act of "information war."

"It is a hybrid disinformation attack. It is about division. It is about undermining our unity," he said.

  • Cisco Talos has observed a surge in the malicious activities of GhostSec, a hacking group, over the past year.
  • GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.
  • The GhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries.
  • GhostLocker and Stormous ransomware have started a new ransomware-as-a-service (RaaS) program, STMX_GhostLocker, providing various options for their affiliates.
  • Talos also discovered two new tools in GhostSec’s arsenal, the “GhostSec Deep Scan tool” and “GhostPresser,” both likely being used in the attacks against websites.

There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. “ALPHV“) as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change’s network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate’s disclosure appears to have prompted BlackCat to cease operations entirely.

Apple's latest security patches address four vulnerabilities affecting iOS and iPadOS, including two zero-days that intel suggests attackers have already exploited.

In typical Apple fashion, it's keeping most of the interesting details under wraps, but both have the potential to access data in the protected kernel.

The consumer tech giant registered the first of the zero-days as CVE-2024-23225 and said that an attacker would already need to have kernel read and write capabilities to bypass the kernel memory protections. The issue was fixed with improved validation, Apple said.

It's a similar story with CVE-2024-23296, the second zero-day disclosed in the round of updates. Affecting RTKit, Apple's real-time operating system that runs on various devices like AirPods, Apple Watch, and more, its description closely mirrors that of CVE-2024-23225.

Attackers would again need kernel read and write capabilities to exploit it, and it too allows miscreants to bypass kernel memory protections. It was also fixed with improved validation.

There are, however, slight differences between the two. While Apple's latest iOS and iPadOS 17.4 updates protect users from the vulnerabilities, Cupertino's security engineers were also forced to develop a patch for devices running iOS and iPadOS version 16.x.

Indeed, CVE-2024-23225 also affects devices such as the iPhone 8, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation – devices that are no longer supported by Apple's latest OS releases.

Unfortunately, there are no details on offer in terms of what attacks the exploited zero-days were involved in or how severe the vulnerabilities are. At the time of writing, the National Vulnerability Database (NVD) is still analyzing the flaws and hasn't yet assigned either a CVSS severity rating.

Usually, when vendors register for CVEs they also provide a provisional CVSS rating of their own which appears alongside the NVD's assessment, but it's rare that Apple submits its own, in our experience.

Apple has also withheld attribution for the zero-days' discovery, revealing nothing about whether they were found in-house or reported by a third party.

The iOS and iPadOS versions 17.4 were released on March 5 and also brought with them fixes for two other minor-sounding vulnerabilities.

Discovered by Cristian Dinca, student at Tudor Vianu National College of Computer Science in Bucharest, CVE-2024-23243 was registered as a vulnerability that could expose sensitive location information to an app.

"A privacy issue was addressed with improved private data redaction for log entries," said Apple.

Students at the school are aged between 11 and 19 years, which means Dinca may well have a bright future in cybersecurity.

The discovery of CVE-2024-23256 was attributed to one "Om Kothawade," although no credentials were included next to their name.

The vulnerability relates to Safari's private browsing feature and could have seen a user's locked tabs becoming visible for a short time when switching tab groups, only when Locked Private Browsing was enabled.

"A logic issue was addressed with improved state management," said Apple.

More than a patch

As we've already covered this week, Apple's iOS and iPadOS 17.4 updates brought more than just security fixes.

Orders per the EU's Digital Markets Act are now in the wild. Apple was compelled by Brussels to give users a choice over their browser engine and from where they download their apps.

Apple met its March 6 deadline early, overhauling previously longstanding rules against app sideloading and browser apps using their own engines on Apple's phones and tablets. Chrome, Firefox, and the rest were all essentially reskins of Apple's Safari running on its WebKit framework.

In the EU, that's no longer the case. Users now see a new setup screen after installing the update prompting them to choose a default browser. They also may be penalized for spending too much time outside of the country, it has emerged, with Apple stating: "If you're gone for too long, you'll lose access to some features, including installing new alternative app marketplaces."

The new updates also brought a few other features, such as automatic podcast transcription, quantum-safe iMessages, and new emojis.

Microsoft has now confirmed that the Russian cyberspies who broke into its executives' email accounts stole source code and gained access to internal systems. The Redmond giant has characterized the intrusion as "ongoing."

In an updated US Securities and Exchange filing and companion security post, Microsoft provided more details about the breach, which it originally disclosed in January.

At that time, Microsoft said Midnight Blizzard — the Kremlin-backed crew also known as Cozy Bear and APT29 that was behind the SolarWinds supply chain attack — snooped around in "a very small percentage of Microsoft corporate email accounts" and stole internal messages and files belonging to the leadership team, cybersecurity and legal employees.

"There is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems," Redmond said in January.

That has since changed.

"In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access," according to the latest disclosure. "This has included access to some of the company's source code repositories and internal systems."

Microsoft maintains that there's "no evidence" so far that the Russian criminals compromised any customer-facing systems. But that's not for lack of trying.

"It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found," the company admitted. "Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures."

It also sounds like this is not the last we'll hear about the break-in, which started in November and used password spray attacks to compromise a corporate account that did not have multi-factor authentication enabled.

The spies are still trying to access additional Microsoft accounts, and we're told the volume of password sprays increased ten-fold in February compared to the volume of such attacks seen in January.

The silver lining, according to Microsoft's updated Form 8-K, is that the security snafu hasn't had any financial impact on operations — yet.

Redmond says its investigation is ongoing and promised to share updates.

"Midnight Blizzard's ongoing attack is characterized by a sustained, significant commitment of the threat actor's resources, coordination, and focus," the security update said. "It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks."

Network-attached storage (NAS) specialist QNAP has disclosed and released fixes for two new vulnerabilities, one of them a zero-day discovered in early November.

The Taiwanese company's coordinated disclosure of the issues with researchers at Unit 42 by Palo Alto Networks has, however, led to some confusion over the severity of the security problem.

QNAP assigned CVE-2023-50358 a middling 5.8-out-of-10 severity score, the breakdown of which revealed it was classified as a high-complexity attack that would have a low impact if exploited successfully.

Unit 42's assessment, on the other hand, was the polar opposite: "These remote code execution vulnerabilities affecting IoT devices exhibit a combination of low attack complexity and critical impact, making them an irresistible target for threat actors. As a result, protecting IoT devices against such threats is an urgent task."

The German Federal Office for Information Security (BSI) also released an emergency alert today warning that successful exploits could lead to "major damage," encouraging users to apply patches quickly.

At the time of writing, the National Vulnerability Database (NVD) is still working to assign the vulnerability an independent rating.

Typically, command injection vulnerabilities that are easy to exploit tend to attract severity scores at the higher end of the scale, so it will be interesting to see what the NVD's score ends up being.

According to Unit 42's internet scans of vulnerable devices carried out in mid-January, 289,665 separate IP addresses registered a vulnerable, public-facing device.

Germany and the US were the most exposed, with 42,535 and 36,865 vulnerable devices respectively, while China, Italy, Japan, Taiwan, and France trailed each with over 10,000 devices exposed.

Exploiting CVE-2023-50358

Unlike QNAP, Unit 42 published a technical breakdown of CVE-2023-50358 and how to exploit the vulnerability.

It's classed as a command injection flaw in the quick.cgi component of QNAP's QTS firmware, which runs on most of its NAS devices.

"While setting the HTTP request parameter todo=set_timeinfo, the request handler in quick.cgi saves the value of the parameter SPECIFIC_SERVER into a configuration file /tmp/quick/quick_tmp.conf with the entry name NTP Address," the researchers explained.

"After writing the NTP server address, the component starts time synchronization using the ntpdate utility. The command-line execution is built by reading the NTP Address in quick_tmp.conf, and this string is then executed using system().

"Untrusted data from the SPECIFIC_SERVER parameter is therefore used to build a command line to be executed in the shell resulting in arbitrary command execution."
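The pattern Unit 42 describes, as an added illustration that is not QNAP's code: a constructed handler that pastes the stored NTP address into a shell command line (the `system()` path) beside a hardened version that validates the value as a hostname or IP literal and passes it to the program as a single argv entry with no shell involved. The `/usr/sbin/ntpdate` path and all function names are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the flaw as described: the SPECIFIC_SERVER value
 * stored as "NTP Address" is pasted verbatim into a command line that the
 * firmware then hands to system(). This function only builds the string and
 * returns 0 on success (-1 if it does not fit); it never executes it. Any
 * shell metacharacter in the address would be interpreted by /bin/sh. */
int build_ntpdate_cmd_unsafe(const char *ntp_address, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "/usr/sbin/ntpdate %s", ntp_address); /* assumed path */
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
    /* the vulnerable code would continue with: system(out); */
}

/* Hardened input check. An NTP server is a hostname or an IP literal, so the
 * accepted alphabet is letters, digits, '.', '-' and ':' (IPv6), bounded to
 * the 253-character DNS name limit. A leading '-' is refused so the value
 * cannot be parsed as an option; whitespace, ';', '|', '&', '$', '`', quotes
 * and newlines are rejected before the value is written anywhere. */
bool is_valid_ntp_server(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 253 || s[0] == '-') return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':') return false;
    }
    return true;
}

/* Hardened execution: no shell. The validated address becomes exactly one
 * argv element for execv()/posix_spawn(), so it can never split into extra
 * words or commands. Returns the argc it filled in, or -1 if rejected. */
int build_ntpdate_argv(const char *ntp_address, const char *argv[], size_t max) {
    if (max < 3 || !is_valid_ntp_server(ntp_address)) return -1;
    argv[0] = "/usr/sbin/ntpdate";   /* assumed path */
    argv[1] = ntp_address;
    argv[2] = NULL;
    return 2;
}

/* Request handler for todo=set_timeinfo in hardened form: validate first,
 * then persist. Returns true if the value was accepted. */
bool set_timeinfo(const char *specific_server, char *stored, size_t stored_len) {
    if (!is_valid_ntp_server(specific_server)) return false;
    if (strlen(specific_server) >= stored_len) return false;
    strcpy(stored, specific_server);   /* stands in for writing quick_tmp.conf */
    return true;
}

int main(void) {
    char cmd[256], stored[256];
    const char *argv[3];
    const char *inputs[] = { "ntp.example.net", "192.0.2.10", "ntp.example.net;id" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        build_ntpdate_cmd_unsafe(inputs[i], cmd, sizeof cmd);
        printf("input %-22s unsafe command line: \"%s\"\n", inputs[i], cmd);
        bool ok = set_timeinfo(inputs[i], stored, sizeof stored)
                  && build_ntpdate_argv(stored, argv, 3) == 2;
        printf("%-28s hardened: %s\n", "", ok ? "accepted as one argv entry" : "rejected");
    }
    return 0;
}
```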

Double up

QNAP's advisory also detailed fixes for a second command injection flaw, CVE-2023-47218, which was reported by Stephen Fewer, principal security researcher at Rapid7, and has also been given the same 5.8 severity score.

The advisory itself combines both vulnerabilities and provides technical details for neither, so it's difficult to determine what the differences are from this alone.

Rapid7's advisory, however, provides extensive detail on how CVE-2023-47218 also lies in the quick.cgi component, allowing for command injection, and how it can feasibly be exploited using a specially crafted HTTP POST request.

Details of the disclosure timeline also offered a glimpse at what appears to be a slightly ticked-off Rapid7 after QNAP went silent and published its patches earlier than agreed.

After agreeing to a coordinated disclosure date for the vulnerabilities of February 7 back in December, on January 25 QNAP told Rapid7 it had already pushed out the patches. This followed more than two weeks of radio silence from the NAS slinger after Rapid7 requested a progress update.

QNAP also asked Rapid7 to delay the publication of its advisory to February 26, nearly three weeks after the original agreed date, which didn't appear to have been received warmly.

So many patches

Rather than focusing on the technical details of the vulnerabilities, QNAP's main focus with its disclosure appears to be highlighting the different patches available for different firmware versions. QTS, QuTS hero, and QuTAcloud are all impacted differently and each version has its own specific upgrade recommendation.

A single packet can exhaust the processing capacity of a vulnerable DNS server, effectively disabling the machine, by exploiting a 20-plus-year-old design flaw in the DNSSEC specification.

That would make it trivial to take down a DNSSEC-validating DNS resolver that has yet to be patched, upsetting all the clients relying on that service and making it seem as though websites and apps were offline.

The academics who found this flaw – associated with the German National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt – claimed DNS server software makers briefed about the vulnerability described it as "the worst attack on DNS ever discovered."

Identified by Professor Haya Schulmann and Niklas Vogel of the Goethe University Frankfurt; Elias Heftrig of Fraunhofer SIT; and Professor Michael Waidner at the Technical University of Darmstadt and Fraunhofer SIT, the security hole has been named KeyTrap, designated CVE-2023-50387, and assigned a CVSS severity rating of 7.5 out of 10.

As of December 2023, approximately 31 percent of web clients worldwide used DNSSEC-validating DNS resolvers and, like other applications relying on those systems, would feel the effects of a KeyTrap attack: With those DNS servers taken out by the flaw, clients relying on them would be unable to resolve domain and host names to IP addresses to use, resulting in a loss of connectivity.

The researchers said lone DNS packets exploiting KeyTrap could stall public DNSSEC-validated DNS services, such as those provided by Google and Cloudflare, by making them do calculations that overtax server CPU cores.

This disruption of DNS could not only deny people's access to content but could also interfere with other systems, including spam defenses, cryptographic defenses (PKI), and inter-domain routing security (RPKI), the researchers assert.

"Exploitation of this attack would have severe consequences for any application using the Internet including unavailability of technologies such as web-browsing, e-mail, and instant messaging," they claimed. "With KeyTrap, an attacker could completely disable large parts of the worldwide internet."

A non-public technical paper on the vulnerability provided to The Register, titled, "The KeyTrap Denial-of-Service Algorithmic Complexity Attacks on DNS," describes how an assault would be carried out. It basically involves asking a vulnerable DNSSEC-validating DNS resolver to look up an address that causes the server to contact a malicious nameserver that sends a reply that causes the resolver to consume most or all of its own CPU resources.

"To initiate the attacks our adversary causes the victim resolver to look up a record in its malicious domain," the due-to-be-published paper states. "The attacker’s nameserver responds to the DNS queries with a malicious record set (RRset), according to the specific attack vector and zone configuration."

The attack works, the paper explains, because the DNSSEC spec follows Postel’s Law: "The nameservers should send all the available cryptographic material, and the resolvers should use any of the cryptographic material they receive until the validation is successful."

This requirement, to ensure availability, means DNSSEC-validating DNS resolvers can be forced to do a lot of work if presented with colliding key-tags and colliding keys that must be validated.

"Our complexity attacks are triggered by feeding the DNS resolvers with specially crafted DNSSEC records, which are constructed in a way that exploits validation vulnerabilities in cryptographic validation logic," the paper explains.

"When the DNS resolvers attempt to validate the DNSSEC records they receive from our nameserver, they get stalled. Our attacks are extremely stealthy, being able to stall resolvers between 170 seconds and 16 hours (depending on the resolver software) with a single DNS response packet."

The ATHENE boffins said they worked with all relevant vendors and major public DNS providers to privately disclose the vulnerability so a coordinated patch release would be possible. The last patch was finished today.

"We are aware of this vulnerability and rolled out a fix in coordination with the reporting researchers," a Google spokesperson told The Register. "There is no evidence of exploitation and no action required by users at this time."

Network research lab NLnet Labs published a patch for its Unbound DNS software, addressing two vulnerabilities, one of which is KeyTrap. The other bug fixed, CVE-2023-50868, referred to as the NSEC3 vulnerability, also allows denial of service through CPU exhaustion.

"The KeyTrap vulnerability works by using a combination of keys (also colliding keys), signatures and number of RRSETs on a malicious zone," NLnet Labs wrote. "Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path."
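The algorithmic-complexity problem the paper and NLnet Labs describe above, as an added model that is not the researchers' or any resolver's code: the RFC 4034 key-tag computation (with two constructed keys that differ but share a tag, showing why the tag cannot select a unique key), and a validation loop that, as the spec's Postel's-law reading demands, tries every tag-matching key against every signature, run with and without an attempt budget of the kind a validator can use to bound its work (how the patched resolvers actually bound it is not described on the page). The cryptographic verification is mocked by an integer comparison; the struct fields, the tag value 0x7BA2 and the budgets are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Key tag as defined in RFC 4034 Appendix B: sum the DNSKEY RDATA (flags,
 * protocol, algorithm, public key) as big-endian 16-bit words, fold the carry
 * once, keep the low 16 bits. It is a lookup hint, not a unique identifier. */
uint16_t dnskey_key_tag(const uint8_t *rdata, size_t len) {
    uint32_t ac = 0;
    for (size_t i = 0; i < len; i++)
        ac += (i & 1) ? rdata[i] : ((uint32_t)rdata[i] << 8);
    ac += (ac >> 16) & 0xFFFF;
    return (uint16_t)(ac & 0xFFFF);
}

/* Two constructed DNSKEY RDATA blobs that differ (two even-offset bytes are
 * swapped) yet share a key tag, because the tag is only a sum. which = 0 or 1. */
uint16_t demo_colliding_tag(int which) {
    static const uint8_t a[8] = {0x01,0x01,0x03,0x08,0xAA,0xBB,0xCC,0xDD};
    static const uint8_t b[8] = {0x01,0x01,0x03,0x08,0xCC,0xBB,0xAA,0xDD};
    return dnskey_key_tag(which ? b : a, 8);
}

/* Minimal model of the records the selection logic looks at. `id` stands in
 * for the actual public key: a signature verifies only when it was made by the
 * key with the same id, replacing the expensive RSA/ECDSA check. */
typedef struct { uint16_t tag; int id; } model_key;
typedef struct { uint16_t key_tag; int signer_id; } model_sig;

static bool model_verify(const model_key *k, const model_sig *s) {
    return k->id == s->signer_id;
}

/* Validation the way the page says the spec demands: for each RRSIG, try every
 * DNSKEY whose tag matches until one verifies. *attempts counts signature
 * verifications. max_attempts == 0 is the unbounded behaviour; a positive
 * budget models a validator that gives up (RRset treated as bogus) once the
 * work exceeds what an honest zone could plausibly need. */
bool validate_rrset(const model_key *keys, size_t nkeys,
                    const model_sig *sigs, size_t nsigs,
                    size_t max_attempts, size_t *attempts) {
    *attempts = 0;
    for (size_t s = 0; s < nsigs; s++) {
        for (size_t k = 0; k < nkeys; k++) {
            if (keys[k].tag != sigs[s].key_tag) continue;  /* tag prefilter */
            if (max_attempts && *attempts >= max_attempts) return false;
            (*attempts)++;
            if (model_verify(&keys[k], &sigs[s])) return true;
        }
    }
    return false;
}

/* Cost of validating a zone that publishes n keys sharing one tag and m
 * signatures naming that tag. signer < 0: no key made the signatures (the
 * malicious zone); signer = i: key i made them (an honest, badly keyed zone).
 * Returns verifications performed; *valid (optional) receives the verdict. */
size_t zone_validation_cost(size_t n, size_t m, int signer,
                            size_t max_attempts, bool *valid) {
    enum { MAXN = 64, MAXM = 64 };
    model_key keys[MAXN];
    model_sig sigs[MAXM];
    size_t attempts;
    if (n > MAXN) n = MAXN;
    if (m > MAXM) m = MAXM;
    for (size_t i = 0; i < n; i++) { keys[i].tag = 0x7BA2; keys[i].id = (int)i; }
    for (size_t j = 0; j < m; j++) { sigs[j].key_tag = 0x7BA2; sigs[j].signer_id = signer; }
    bool v = validate_rrset(keys, n, sigs, m, max_attempts, &attempts);
    if (valid) *valid = v;
    return attempts;
}

int main(void) {
    bool v;
    printf("colliding tags: %04x %04x\n", demo_colliding_tag(0), demo_colliding_tag(1));
    for (size_t n = 8; n <= 64; n *= 2) {
        size_t cost = zone_validation_cost(n, n, -1, 0, &v);   /* work grows as n*m */
        printf("%2zu keys x %2zu sigs, unbounded: %5zu verifications, valid=%d\n", n, n, cost, v);
    }
    size_t bounded = zone_validation_cost(64, 64, -1, 32, &v);
    printf("64 x 64 with a budget of 32: %zu verifications, valid=%d\n", bounded, v);
    return 0;
}
```

The budget also rejects an honest zone whose signing key sits behind many tag-colliding siblings, which is the trade-off any such limit makes against zones that are merely badly keyed.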

PowerDNS, meanwhile, has an update here to thwart KeyTrap exploitation.

The Minnesota-based Internet provider U.S. Internet Corp. has a business unit called Securence, which specializes in providing filtered, secure email services to businesses, educational institutions and government agencies worldwide. But until it was notified last week, U.S. Internet was publishing more than a decade’s worth of its internal email — and that of thousands of Securence clients — in plain text out on the Internet and just a click away for anyone with a Web browser.

Headquartered in Minnetonka, Minn., U.S. Internet is a regional ISP that provides fiber and wireless Internet service. The ISP’s Securence division bills itself “a leading provider of email filtering and management software that includes email protection and security services for small business, enterprise, educational and government institutions worldwide.”

This page is for anyone trying to find their way in the overwhelming world of open-source intelligence. It's a collection of my favorite OSINT resources, and I hope it helps you find new ways to learn from some amazing people.

Key Findings

  • A network of at least 123 websites operated from within the People’s Republic of China while posing as local news outlets in 30 countries across Europe, Asia, and Latin America, disseminates pro-Beijing disinformation and ad hominem attacks within much larger volumes of commercial press releases. We name this campaign PAPERWALL.
  • PAPERWALL has similarities with HaiEnergy, an influence operation first reported on in 2022 by the cybersecurity company Mandiant. However, we assess PAPERWALL to be a distinct campaign with different operators and unique techniques, tactics and procedures.
  • PAPERWALL draws significant portions of its content from Times Newswire, a newswire service that was previously linked to HaiEnergy. We found evidence that Times Newswire regularly seeds pro-Beijing political content, including ad hominem attacks, by concealing it within large amounts of seemingly benign commercial content.
  • A central feature of PAPERWALL, observed across the network of websites, is the ephemeral nature of its most aggressive components, whereby articles attacking Beijing’s critics are routinely removed from these websites some time after they are published.
  • We attribute the PAPERWALL campaign to Shenzhen Haimaiyunxiang Media Co., Ltd., aka Haimai, a PR firm in China, on the basis of digital infrastructure linkages between the firm’s official website and the network.
  • While the campaign’s websites enjoyed negligible exposure to date, there is a heightened risk of inadvertent amplification by the local media and target audiences, as a result of the quick multiplication of these websites and their adaptiveness to local languages and content.
  • These findings confirm the increasingly important role private firms play in the realm of digital influence operations and the propensity of the Chinese government to make use of them.

Why Exposing this Type of Campaign Matters

Beijing is increasing its aggressive activities in the spheres of influence operations (IOs), both online and offline. In the online realm, relevant to the findings in this report, Chinese IOs are shifting their tactics and increasing their volume of activity. For example, in November 2023 Meta – owner of the social media platforms Facebook, Instagram, and WhatsApp – announced the removal of five networks engaging in “coordinated inauthentic behavior” (i.e. influence operations) and targeting foreign audiences. Meta noted it as a marked increase in IO activity by China, stating that “for comparison, between 2017 and November 2020, we took down two CIB networks from China, and both mainly focused on the Asia-Pacific region. This represents the most notable change in the threat landscape, when compared with the 2020 [US] election cycle.”

Seeding ad hominem attacks on Beijing’s critics can result in particularly harmful consequences for the targeted individuals, especially when, as in PAPERWALL’s case, it happens within much larger amounts of ostensibly benign news or promotional content that lends credibility to and expands the reach of the attacks. The consequences to these individuals can include, but are not limited to, their delegitimization in the country that hosts them; the loss of professional opportunities; and even verbal or physical harassment and intimidation by communities sympathetic to the Chinese government’s agenda.

This report adds yet more evidence, on top of what other researchers have reported, of the increasingly important role played by private firms in the management of digital IOs on behalf of the Chinese government. For example, an October 2023 blog post by the RAND Corporation summarized recent public findings on this issue and advocated for the disruption of the disinformation-for-hire industry through sanctions or other available legal and policy means.

It should be noted that disinformation-for-hire companies, driven by revenue, not ideology, tend not to be discerning about the motivations of their clients. As major recent press investigations have shown, both their origin and their client base can truly be global. Exposing this actor type, and its tactics, can help understand how governments seek plausible deniability through the hiring of corporate proxies. It can also refocus research on the latter, increasing deterrence by exposing their actions.

We're very familiar with the many projects in which Raspberry Pi hardware is used, from giving old computers a new lease of life through to running the animated displays so beloved by retailers. But cracking BitLocker? We doubt the company will be bragging too much about that particular application.

The technique was documented in a YouTube video over the weekend, which demonstrated how a Raspberry Pi Pico can be used to gain access to a BitLocker-secured device in under a minute, provided you have physical access to the device.

A Lenovo laptop was used in the video, posted by user stacksmashing, although other hardware will also be vulnerable. The technique also relies on having a Trusted Platform Module (TPM) separate from the CPU. In many cases, the two will be combined, in which case the technique shown cannot be used.

However, if you get your hands on a similarly vulnerable device secured with BitLocker, gaining access to the encrypted storage appears embarrassingly simple. The crux of it is sniffing out the key to the device as it is passed from TPM to CPU. The key is helpfully not encrypted.

This particular laptop had connections that could be put to use alongside a custom connector to access the signals between chips. Stir in an analyzer running on the Raspberry Pi Pico and for less than $10 in components, you can get hold of the master key for the laptop hardware.

Microsoft has long accepted that such attacks are possible, although it describes them as a "targeted attack with plenty of time; the attacker opens the case, solder, and uses sophisticated hardware or software."

At less than a minute in the example, we'd dispute the "plenty of time" claim, and while the Raspberry Pi Pico is undoubtedly impressive for the price, at less than $10, the hardware spend is neither expensive nor specific.

If your hardware is vulnerable, the mitigation is to require a BitLocker PIN at boot in addition to the TPM, so the key is not released on power-up alone.

It's enough to send administrators scurrying to their inventory lists to check for hardware they would be forgiven for assuming had been safely encrypted.

As one wag observed: "Congratulations! You found the FBI's backdoor."

Hackers allegedly connected to China’s government are conducting attacks with the long-term goal of causing physical destruction, according to a new advisory from several of the world’s leading cyber agencies.

The Cybersecurity and Infrastructure Security Agency (CISA), NSA and FBI published an advisory alongside the cybersecurity directorates in Australia, New Zealand and the U.K. outlining the tactics of Volt Typhoon — a China-based hacking group that has caused alarm at the senior-most levels of government over the last year.

“The U.S. authoring agencies assess Volt Typhoon primarily collects information that would facilitate follow-on actions with physical impacts,” the advisory said.

The agencies “assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”

In one example, Volt Typhoon — which overlaps with BRONZE SILHOUETTE and TAG-87 — stole multiple zipped files that “included diagrams and documentation related to OT equipment, including supervisory control and data acquisition (SCADA) systems, relays, and switchgear.”

“This data is crucial for understanding and potentially impacting critical infrastructure systems, indicating a focus on gathering intelligence that could be leveraged in actions targeting physical assets and systems,” the agencies said.

The advisory, first reported by CNN, says that several U.S. agencies have seen that Volt Typhoon hackers have been “maintaining access and footholds within some victim IT environments for at least five years.”

Since last summer, U.S. agencies have been on high alert about Volt Typhoon’s actions — which were first discovered through espionage attacks on critical infrastructure organizations in Guam and other parts of the U.S. around military bases.

The New York Times and Washington Post reported last summer that U.S. officials believed the campaign to be tied to preparatory efforts around a potential invasion of Taiwan, where Chinese officials would allegedly seek to slow down the U.S. deployment of forces. President Xi Jinping has allegedly ordered his military to be prepared to invade Taiwan by 2027.

Since the initial report on the group’s actions in Guam, dozens of reports have been released about Volt Typhoon’s efforts and researchers have since uncovered multiple campaigns with the goal of burrowing into U.S. critical infrastructure enough to enable destructive actions.

Last week, the U.S. Justice Department confirmed that it disrupted the “KV Botnet” malware run by Volt Typhoon. FBI Director Christopher Wray said in a statement that Chinese hackers are “targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict.”

Communications, water, energy and transportation

The lengthy advisory published Wednesday highlights Volt Typhoon’s wide-ranging success in pre-positioning themselves on the IT networks of multiple critical infrastructure organizations — most notably those involved in the communications, energy, transportation, and water and wastewater systems sectors.

The attacks included organizations in the continental and non-continental United States and its territories, including Guam. Some of the victims identified are smaller organizations with limited cybersecurity protections.

“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions,” the advisory explained.

“The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.”

The advisory notes that Canada’s threat exposure is “likely lower than that to U.S. infrastructure” but said any attack on the U.S. would likely affect Canada “due to cross-border integration.” The officials made a similar assessment of Australia and New Zealand critical infrastructure.

Volt Typhoon typically relies on valid accounts and other tools that allow for long-term, undiscovered persistence. The hackers conduct extensive research into their targets and tailor their techniques for each organization they plan to breach.

They also “dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.”

The hackers track an organization’s security apparatus, user behavior and the actions of IT staff. The agencies said they have seen situations where hackers refrained from using stolen credentials outside of normal working hours to avoid triggering security alerts.

They typically gain initial access by exploiting known and unknown vulnerabilities in public-facing network appliances like routers, firewalls and virtual private networks. From there, they attempt to obtain administrator credentials to pivot into wider access to the network.

“Volt Typhoon uses elevated credentials for strategic network infiltration and additional discovery, often focusing on gaining capabilities to access OT assets,” the authoring agencies said.

“Volt Typhoon actors have been observed testing access to domain-joined OT assets using default OT vendor credentials, and in certain instances, they have possessed the capability to access OT systems whose credentials were compromised.”

These kinds of attacks enable the group to cause a variety of disruptions, including “manipulating heating, ventilation, and air conditioning (HVAC) systems in server rooms or disrupting critical energy and water controls, leading to significant infrastructure failures (in some cases, Volt Typhoon actors had the capability to access camera surveillance systems at critical infrastructure facilities).”

The agencies have seen in at least one confirmed compromise that the hackers had moved laterally into a control system and were positioned to move into a second if they wanted.

At times, Volt Typhoon hackers will compromise legitimate accounts and conduct almost no activity, suggesting their goal is persistence instead of immediate impact. Some organizations are targeted repeatedly, sometimes over the span of several years. They also delete logs in order to hide their actions.

The advisory notes that the group typically used compromised Cisco and NETGEAR end-of-life home routers as part of the KV Botnet to support their operations. The hackers have also been seen exploiting vulnerabilities in networking appliances such as those from Fortinet, Ivanti Connect Secure, NETGEAR, Citrix, and Cisco.

“They often use publicly available exploit code for known vulnerabilities but are also adept at discovering and exploiting zero-day vulnerabilities,” the advisory states.

The hackers rarely deploy malware in their attacks, instead using hands-on-keyboard activity to maintain their access.

In one attack on a water utility, the hackers used a VPN with administrator credentials to spend nine months moving laterally throughout the system, eventually obtaining access to a server with information on OT assets.

The access gave them critical information on water treatment plants, water wells, an electrical substation, OT systems, and network security devices.

The agencies urged critical infrastructure organizations to apply a range of mitigations and urgently reach out to CISA or FBI field offices in the event of an attack.

“It is vital that operators of U.K. critical infrastructure heed this warning about cyber attackers using sophisticated techniques to hide on victims’ systems,” said Paul Chichester, director of Operations at the U.K.’s National Cyber Security Centre.

“Threat actors left to carry out their operations undetected present a persistent and potentially very serious threat to the provision of essential services. Organizations should apply the protections set out in the latest guidance to help hunt down and mitigate any malicious activity found on their networks.”

Some smart folks have found a way to automatically unscramble documents encrypted by the Rhysida ransomware, and used that know-how to produce and release a handy recovery tool for victims.

Rhysida is a newish ransomware gang that has been around since May last year.

The extortion crew targets organizations in education, healthcare, manufacturing, information technology, and government; the crooks' most high-profile attack to date has been against the British Library. The gang is thought to be linked to the Vice Society criminal group, and it's known to lease out malware and infrastructure to affiliates for a cut of the proceeds.

In research [PDF] published February 9, South Korea's Giyoon Kim, Soojin Kang, Seungjun Baek, Kimoon Kim, and Jongsung Kim explained how they uncovered an "implementation vulnerability" in the random number generator used by Rhysida to lock up victims' data.

This flaw "enabled us to regenerate the internal state of the random number generator at the time of infection," and then decrypt the data, "using the regenerated random number generator," the team wrote. The Korea Internet and Security Agency (KISA) is now distributing the free Rhysida ransomware recovery tool, which is the first successful decryptor for this particular strain of ransomware.

"We aspire for our work to contribute to mitigating the damage inflicted by the Rhysida ransomware," the boffins, based variously at Kookmin University and KISA, noted in their paper.

Rhysida ransomware uses LibTomCrypt's ChaCha20-based cryptographically secure pseudo-random number generator (CSPRNG) to create encryption keys for each file.

The random number output by the CSPRNG is based on the ransomware's time of execution – a method the researchers realized sharply limits the possible values of each encryption key. Specifically, the malware uses the current time of execution as a 32-bit seed for the generator. That means the keys can be derived from the time of execution, and used to decrypt and recover scrambled files.

Some additional observations: the Rhysida ransomware uses intermittent encryption. It partially encrypts documents rather than entire files, a technique made popular by LockBit and other gangs because it's faster than encrypting everything. This approach means the criminals are less likely to be caught on the network before they've finished messing up a decent number of documents. It also speeds up the restoration process, though the usual caveats apply: don't trust machines that have had intruders' code running on them. Restoring data is one thing, but the PCs will need wiping to be safe.

The Rhysida malware, once on a victim's Windows PC, locates the documents it wishes to scramble, compiles them into a list, and fires up some simultaneous threads to perform that encryption. Each thread picks the next file on its todo pile to process, and uses the CSPRNG to generate a key to encrypt that document using the standard AES-256 algorithm. The key is stored in the scrambled file albeit encrypted using a hardcoded RSA public key. You'll need the private half of that RSA key pair to recover the file's AES key and unscramble the data.

However, as a result of this research, it's possible to use each file's mtime – its last modification time – to determine the order in which files were processed and the time at which each thread ran, and thus the seed that produced that file's AES key, which yields the decryption key.
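As an added illustration of the weakness described above (a constructed toy model, not Rhysida's code or the KISA decryptor), the generator below takes its only entropy from a 32-bit timestamp; HMAC-SHA256 stands in for LibTomCrypt's ChaCha20 PRNG and a hash counter stream for AES-256. The point it shows is that a defender who knows a file's mtime and its format magic needs to try only a few hundred seeds rather than 2^256 keys.

```python
import hashlib
import hmac
import struct

# Constructed toy model, not Rhysida's code or the KISA tool. It keeps the one
# property the paper exploits: the generator's only entropy is a 32-bit Unix
# timestamp taken when a file is processed. HMAC-SHA256 stands in for
# LibTomCrypt's ChaCha20 PRNG and a hash counter stream stands in for AES-256.
CHUNK = 16  # bytes scrambled per file (intermittent encryption, toy size)

# Constructed sample documents: (name, plaintext, seed, mtime lag, format magic)
REPORT_PT = b"%PDF-1.7\n...toy report contents..."
NOTES_PT = b"PK\x03\x04" + b"\x00" * 28
INFECTION = 1707436800  # constructed: 2024-02-09 00:00:00 UTC


def key_from_time_seed(seed32: int) -> bytes:
    """Seed the stand-in PRNG with a 32-bit time value and draw a 256-bit key."""
    seed_bytes = struct.pack("<I", seed32 & 0xFFFFFFFF)
    return hmac.new(b"toy-prng-label", seed_bytes, hashlib.sha256).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode stream derived from the key (toy replacement for AES-256)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("<Q", block)).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(plaintext: bytes, seed32: int) -> bytes:
    """Scramble only the first CHUNK bytes, as intermittent encryption does."""
    key = key_from_time_seed(seed32)
    return xor_bytes(plaintext[:CHUNK], keystream(key, CHUNK)) + plaintext[CHUNK:]


def toy_decrypt(ciphertext: bytes, seed32: int) -> bytes:
    key = key_from_time_seed(seed32)
    return xor_bytes(ciphertext[:CHUNK], keystream(key, CHUNK)) + ciphertext[CHUNK:]


def recover_seed(ciphertext: bytes, mtime: int, magic: bytes, window: int = 120):
    """Search seeds near the file's mtime, nearest first. A candidate is accepted
    when its key turns the scrambled head back into the expected file magic.
    2*window+1 candidates replace a 2**256 key search; returns None if no hit."""
    for delta in range(window + 1):
        for seed in (mtime - delta, mtime + delta):
            trial = xor_bytes(ciphertext[:len(magic)],
                              keystream(key_from_time_seed(seed), len(magic)))
            if trial == magic:
                return seed
    return None


def recover_files(encrypted: list) -> list:
    """encrypted: list of (name, ciphertext, mtime, magic). Files are handled in
    mtime order, which is also the order the threads processed them; returns
    (name, recovered_seed, plaintext) per file, with None where recovery fails."""
    results = []
    for name, ct, mtime, magic in sorted(encrypted, key=lambda e: e[2]):
        seed = recover_seed(ct, mtime, magic)
        pt = toy_decrypt(ct, seed) if seed is not None else None
        results.append((name, seed, pt))
    return results


def demo() -> list:
    # The mtime is set when the scrambled file is written, so it sits at or a
    # little after the seed; the second file is written one second late.
    docs = [("report.pdf", REPORT_PT, INFECTION + 2, 0, b"%PDF-"),
            ("notes.docx", NOTES_PT, INFECTION + 5, 1, b"PK\x03\x04")]
    encrypted = [(n, toy_encrypt(pt, seed), seed + lag, magic)
                 for n, pt, seed, lag, magic in docs]
    return recover_files(encrypted)


if __name__ == "__main__":
    for name, seed, pt in demo():
        print(name, "seed", seed, "recovered" if pt else "not recovered")
```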

The researchers explained that these discoveries allowed them to unlock victims' files "despite the prevailing belief that ransomware renders data irretrievable without paying the ransom."

In November, the US government issued a security advisory that included extensive technical details to help orgs not become the next Rhysida victim.

A 22-year-old Frenchman was sentenced on Tuesday to three years in U.S. federal prison for his participation in the ShinyHunters hacking group.

Sebastien Raoult, also known as “Sezyo Kaizen,” was extradited to the U.S. in January 2023 after his arrest in Morocco the year before. He pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft and is also required to pay $5 million in restitution.

According to an indictment from prosecutors in the Western District of Washington, Raoult and two co-conspirators hacked more than 60 companies around the world and posted stolen data on dark web forums like RaidForums, EmpireMarket and Exploit. In some cases, they threatened to leak data if a ransom was not paid.

In 2020 and 2021, ShinyHunters perpetrated a series of hacks on well-known entities, including breaches of the clothing retailer Bonobos, the photo app Pixlr and Microsoft’s GitHub account. It also claimed to have information from 70 million AT&T accounts, although the company denied it had been breached.

According to the DOJ, Raoult and accomplices created spoof websites pretending to be the login pages of legitimate businesses, and sent phishing emails to company employees. When the victims entered their credentials, the hackers were able to gain access to their accounts. They stole “hundreds of millions of customer records” and inflicted an estimated $6 million in losses.

“This is an extraordinarily serious offense. We’re talking about him robbing people of millions of dollars,” said U.S. District Judge Robert S. Lasnik at the sentencing hearing, according to a Department of Justice release.

Raoult’s father told DataBreaches.net that the sentence includes served time in Morocco and Seattle, meaning that he only has another 11 months to serve in prison.

According to the DOJ, Raoult told the court: “I understand my mistakes and I want to put that part behind me. No more hacking. I don’t want to disappoint my family again.”

Security experts claim ransomware criminals have got their hands on a functional exploit for a nearly year-old critical Microsoft SharePoint vulnerability that was this week added to the US's must-patch list.

Without specifically identifying the gang, researcher Kevin Beaumont said that at least one ransomware group has a working exploit for the critical vulnerability, which can potentially be used to achieve remote code execution (RCE). The US Cybersecurity and Infrastructure Security Agency (CISA), for its part, said its use in ransomware campaigns is currently "unknown."

When vulnerabilities are added to CISA's known exploited vulnerabilities (KEV) list, it means two things: Federal civilian executive branch (FCEB) agencies have three weeks to patch them, and they're being actively exploited by cybercrims.

Tracked as CVE-2023-29357, the SharePoint vulnerability in question was first identified by Nguyễn Tiến Giang (Jang) of Singaporean security house STAR Labs. Back in March 2023, during Vancouver's Pwn2Own contest, he chained it with another bug to achieve unauthenticated RCE on a SharePoint server.

CVE-2023-29357 is a critical elevation of privileges (EoP) vulnerability that carries a 9.8 severity score. Microsoft originally addressed this in June 2023's Patch Tuesday, and Jang published a detailed rundown of how the exploit chain was developed a few months later in September.

Proof of concept (PoC) code for CVE-2023-29357 was published to GitHub the following day, but wasn't constructed in a way that revealed how to chain it with CVE-2023-24955, or any other RCE bug, to achieve the pre-auth RCE exploit that earned Jang his $100,000 prize at Pwn2Own.

Researchers warned in September that the publication of the PoC code provided a foundation from which cybercriminals could build a working exploit, and it was highly important to patch both vulnerabilities as soon as possible.

Beaumont said at the time he expected ransomware attacks using the two vulnerabilities to begin "in [the] coming weeks."

The addition to CISA's KEV catalog means it has taken cybercriminals months to start exploiting the vulnerability, despite having the bare-bones tools to do so.

When PoC code is published for any given vulnerability, attacks typically soar in the days after as baddies race to develop working exploits before organizations can plug the holes.

The delay, in this case, might be explained by the difficulty involved in chaining CVE-2023-29357 together with CVE-2023-24955 – a feat Jang said took him and his team "nearly a year of meticulous effort and research" to achieve before demonstrating it at Pwn2Own.

Microsoft addressed CVE-2023-29357 in June and CVE-2023-24955 in May 2023, but IT admins have been reminded that simply applying the June 2023 Patch Tuesday updates won't automatically protect their organizations.

Manual, SharePoint-specific patches are required to ensure the fixes are applied properly as patches won't be installed by Windows Update.

The EoP vulnerability itself was originally designated by Microsoft as "exploitation more likely" with a "low" attack complexity.

"An attacker who successfully exploited this vulnerability could gain administrator privileges," its advisory reads. It also hasn't been updated since June to reflect the active exploitation.

"An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user. The attacker needs no privileges nor does the user need to perform any action."

CVE-2023-24955 was also designated "exploitation more likely" status with a "low" attack complexity, but carried a less severe rating of 7.2 due to privileges being required to remotely exploit it.

According to an advisory from NHS Digital, there is currently no known PoC code for the RCE vulnerability circulating online so those exploiting it will have developed it themselves and kept it a secret, for now.

In a new study, Citizen Lab sheds light on the massive security threats facing Latin Americans. Citizen Lab and Open Technology Fund (OTF) fellow Beau Kujath, in collaboration with SocialTIC, finds that mobile applications in Latin America put millions of users at security and privacy risk. Beau’s research focuses on three types of mobile applications: telecommunication apps, government-developed apps, and marketplace apps. Millions of people in Latin America rely on these categories of applications for essential daily functions including cellular service, emergency response, healthcare, money transfers, and more. Thus, people are incentivized to keep these apps on their devices, leaving them vulnerable.

Key Findings

  • A cellular management app from Mexican telecommunications giant MiTelcel consistently fetches images and JSON files for the splash configuration over cleartext HTTP. This vulnerability allows attackers to eavesdrop on the cleartext traffic and potentially inject their own malicious images that will be displayed on the app’s “Home” page.
  • The MiTelcel app sends POST requests to five different third party servers with personal info of the user including their email and phone number, although the app store’s description stated no personal info was shared with any third-parties at the time of analysis.
  • Another cellular management app from Mexican telecom SAT Movil uses cleartext HTTP for the “Chat” page that is responsible for communicating highly sensitive personal info including citizen ID numbers and passwords, allowing eavesdroppers to read these as they are transmitted over the network.
  • A Salvadoran cryptocurrency app ChivoWallet checks with Microsoft CodePush servers each time it is opened to see if there is a new update available to fetch, granting the developers the ability to update its functionality on demand outside the trusted app store update mechanisms.
  • Three of the four telecommunication apps analyzed send SMS messages that include external links that are vulnerable to SSL strip attacks. These attacks allow an attacker to downgrade connections from HTTPS to cleartext HTTP in order to eavesdrop on the info exchanged and potentially inject their own malicious responses.

The full technical report includes more information on the live security and privacy issues found in the set of apps, how they were found, and the motivation for this project.

Github repo: https://github.com/beaukuj15/relab

Read the full report here (PDF).

Post by the OTF

Two zero-day bugs in Ivanti products were likely under attack by cyberspies as early as December, according to Mandiant's threat intel team.

The software biz disclosed the vulnerabilities in Ivanti Connect Secure (ICS) – the VPN server appliance previously known as Pulse Connect Secure – and its Policy Secure gateways on Wednesday. At the time the biz said someone or some group had already found and exploited the holes. A spokesperson for Ivanti told The Register the victim count was "less than 10." It has since increased.

This situation is especially worrisome because neither flaw has a patch — Ivanti hopes to start rolling those out the week of January 22 in a staggered fashion, and, in the meantime urges customers to "immediately" deploy mitigations. And as Mandiant Consulting CTO Charles Carmakal noted: "These CVEs chained together lead to unauthenticated remote code execution."

That means these flaws can be exploited to seize control of an organization's Ivanti network appliances and use them to drill into that org's IT environment. The two zero-days are: CVE-2023-46805, an authentication bypass bug; and CVE-2024-21887, a command injection vulnerability.

However, as Carmakal told The Register, this number will likely increase.

"We are learning about new victims as they run Ivanti's integrity checking tool and are seeing indicators of compromise," Carmakal said. "The list will likely continue to grow, as more organizations run the tool and discover their devices are compromised."

Mandiant is working with Ivanti to help clean up the mess, and on Friday weighed in with its own initial analysis, promising to add more details as its investigation into the matter continues.

A couple pieces of the analysis in particular stand out. First, Mandiant says it has identified in-the-wild abuse of the bugs as early as December by a previously unknown suspected espionage team it now tracks as UNC5221.

Earlier probing by Volexity, which discovered the zero-day holes and privately reported them to Ivanti, linked the attackers to China. "Volexity has reason to believe that UTA0178 is a Chinese nation-state-level threat actor," it said Wednesday.

When asked about a possible China link, Carmakal said there isn't enough data for attribution.

In looking into the attacks, Mandiant saw that UNC5221 primarily used hijacked end-of-life Cyberoam VPN appliances as command-and-control servers in its attacks on Ivanti customers. "These compromised devices were domestic to the victims, which likely helped the threat actor to better evade detection," the threat hunters wrote.

Additionally, the intruders used various pieces of bespoke malware to achieve persistence and avoid detection, allowing continued access to victims' networks.

"This indicates that these are not opportunistic attacks, and UNC5221 intended to maintain its presence on a subset of high priority targets that it compromised after a patch was inevitably released," Mandiant noted.

So far, the threat hunters have identified five custom malware families used by UNC5221 after it infiltrates a target via the Ivanti flaws. One is Zipline, a backdoor that receives commands to execute on compromised devices. It also supports file transfers in and out of infected equipment, can provide a proxy server, and can implement a tunneling server.

Thinspool is designed to add malicious webshell code to legitimate files. This helps the cyber-spies establish persistence on compromised networks. It acts as the initial dropper for the Lightwire webshell. Yet another webshell, Wirefire, is stashed within Connect Secure appliances for remote control of the devices. It supports downloading files and executing arbitrary commands.

Finally, for now, anyway, there's Warpwire, a credential harvester that collects passwords and usernames to layer 7 applications (such as RDP) in plain text, and sends them off to a command-and-control server for the snoops to use to gain further access to victims' services and systems.

Mandiant has also shared indicators of compromise, so it's worth checking those out, too. And, of course, apply the mitigation before taking off for the weekend.

cross-posted from: https://links.hackliberty.org/post/790988

DISARM is a framework designed for describing and understanding disinformation incidents. DISARM is part of work on adapting information security (infosec) practices to help track and counter disinformation and other information harms, and is designed to fit existing infosec practices and tools.

DISARM's style is based on the MITRE ATT&CK framework. STIX templates for DISARM objects are available in the DISARM_CTI repo - these make it easy for DISARM data to be passed between ISAOs and similar bodies using standards like TAXII.

The pro-Ukrainian hacker group Blackjack is claiming that it breached a Moscow internet provider to seek revenge for a Russian cyberattack on Ukraine’s largest telecom company, Kyivstar.

The attack on M9com was carried out in cooperation with Ukraine’s security forces (SBU), said a source in Ukraine’s law enforcement agency who requested anonymity because he is not authorized to speak publicly about the incident.

There isn't much information available about the attack or the SBU's role in the operation. The hackers said Monday on their Telegram channel that they will reveal more details soon. So far, the only confirmation of the incident they have provided is screenshots of the allegedly hacked systems of the internet provider.

The group also published some of the data obtained during the hack on a darknet site accessible via the Tor browser.

The time frame of the attack on M9com is unclear, but as of the time of writing, the allegedly hacked website is up and running. There has been no mention of the operator’s shutdown in the Russian media or on its official website. The company has not replied to requests for comment.

This is not the first time Ukrainian civilian hackers have allegedly cooperated with security services to attack Russian organizations. In an incident publicized in October, two groups of pro-Ukrainian hackers and the SBU claimed to have breached Russia's largest private bank, Alfa-Bank.

The disclosure of the M9com hack closely resembles how information was shared in the Alfa-Bank incident: First, pro-Ukrainian hackers claimed they acquired troves of data, released a portion of it, and then a source within Ukraine's security service confirmed the SBU's involvement in the operation without providing additional details.

Earlier this week, attackers involved in the Alfa-Bank hack released all the data of 30 million bank customers, which they reportedly obtained during the operation.

Alfa-Bank denied reports of a data leak and called the published data, which includes phone and banking card numbers, “a compilation from various sources.”

Russian cybersecurity expert Oleg Shakirov discovered that some of his acquaintances were included in the data breach. He verified that the leak included authentic Alfa-Bank card numbers, with most of the cards having the last digit replaced with 0. Additionally, in some instances, the leak displayed incorrect expiration dates. Shakirov also noted that the compromised data included accurate contact information and dates of birth.

Earlier this week, Ukraine’s military intelligence agency (GUR) claimed to have seized 100 gigabytes of classified data worth around $1.5 billion from a Russian military equipment manufacturer.

This company produces Orlan reconnaissance drones, electronic warfare systems, and other equipment used by the Russian military during the war in Ukraine.

GUR stated that they were able to gain access to this information with the help of “patriotic representatives of civil society and the media community,” but didn’t elaborate on what they meant.

Such public claims about the hacks from both Ukraine and Russia have become more common recently, but in most cases, they are hard to independently verify.

In cooperation with Dutch Police and Avast, Cisco Talos recovered a decryptor for encrypted files from systems affected by the Babuk ransomware variant known as Tortilla. We first described the operations of Tortilla ransomware in a blog post in November 2021.

Dutch Police used the intelligence provided by Talos to discover and apprehend the actor behind this malware. During the Amsterdam Police operation, Talos obtained and analyzed the decryptor, recovered the decryption key and shared the key with engineers from Avast Threat Labs in charge of development and maintenance of the decryptor for several other Babuk variants.

The generic Avast Babuk decryptor was already used as the de facto industry-standard Babuk decryptor by many affected users, so it made perfect sense to update it with the keys Talos recovered from the Tortilla decryptor.

This way, the users can access programs such as NoMoreRansom to download the single decryptor containing all currently known Babuk keys and do not have to choose between competing decryptors for individual variants.


SonicWall says it has observed thousands of daily attempts to exploit an Apache OFBiz zero-day for nearly a fortnight.

The near-maximum severity zero-day vuln in OFBiz, an open source ERP system with what researchers described as a surprisingly wide install base, was first disclosed on December 26. Since then, attackers have gone for it with large numbers of exploitation attempts.

The numbers have remained consistent since the turn of the new year, SonicWall confirmed to The Register today.

If you use the Apache Software Foundation framework, which includes business process automation apps and other enterprise-friendly functions, you should upgrade to OFBiz version 18.12.11 immediately to patch both this and a second, equally serious hole.

Tracked as CVE-2023-51467, the 9.8-rated vulnerability is an authentication bypass flaw. A successful exploit of it would let an attacker circumvent authentication processes, enabling them to remotely execute arbitrary code, meaning they can access and expose sensitive information.

The threat researchers said they found the flaw while investigating the root cause of the other flaw, a separate, equally severe authentication bypass RCE vulnerability tracked as CVE-2023-49070.

Apache's patch for the '070 bug involved removing the code for the XML-RPC API, which was no longer maintained, but further analysis from SonicWall revealed the root cause to be in the login functionality.

Failing to patch the root cause of CVE-2023-49070 meant the authentication bypass vulnerability, currently under widespread exploitation, still remained in OFBiz.

Apache OFBiz is believed to have a large number of users, with SonicWall noting Atlassian's Jira alone is relied upon by more than 120,000 companies. Atlassian customer support, however, has since said Jira's implementation isn't vulnerable.

"We have contacted Prodsec, looking at the code in Jira DC, Jira Cloud, Confluence DC, and Confluence Cloud to confirm that we are not using the vulnerable framework. Jira only uses a fork of Apache's OfBiz Entity Engine module, which does not include the affected areas of code. Additionally, Confluence does not use the Entity Engine module at all."

SonicWall researchers developed two test cases that showed how exploitation of the issue was possible.

The blog post by Hasib Vhora, senior threat researcher at SonicWall, goes into the finer details about the two test cases, but the main takeaway is that the authentication bypass is caused by unexpected behavior when the requirePasswordChange parameter of the login function is set to "Y" in the URI.

Vhora commended the response of the Apache OFBiz team, which fixed the problem swiftly. The two test cases developed by SonicWall have been run against the patched version (18.12.11) and are no longer successful.

"We appreciate the prompt response and remediation by the Apache OFBiz team," Vhora said. "They demonstrated extreme care for the security of their customers and were a pleasure to work with."


Flight information display screens at Beirut’s international airport were hacked over the weekend to display politically motivated messages, and the incident also temporarily affected baggage inspection, local media reported.

The hackers replaced the plane departure and arrival data on the screens of Beirut-Rafic Al Hariri International Airport with a statement accusing the Iran-backed, Lebanon-based militant group Hezbollah of dragging Lebanon into the war with Israel.

“You bear your responsibility and its consequences, Hezbollah,” part of the message said.

Airport authorities told local media that the attack briefly disrupted the passenger baggage inspection system but did not impact the flight schedule. Lebanese media reported that hackers also sent messages to some passengers on behalf of Middle East Airlines, which the company said were fake.

Tensions between Lebanon and Israel have recently escalated, with forces exchanging fire almost every day. On Monday, an Israeli strike on Lebanon reportedly killed a senior commander in Hezbollah's elite forces. Israeli officials said earlier that they prefer to restore security in the area without going to war with Hezbollah, but that they are ready to do so if necessary.

Two domestic hacker groups are believed to be behind the airport hack: a little-known gang calling itself The One Who Spoke; and a Christian group, Soldiers of God, known for its campaigns against the LGBTQ+ community in Lebanon. The second group denied its involvement.

Local media Lebanon24 reported, citing sources involved in the investigation of the incident, that the attack could have been carried out by “external parties” who used the names of Lebanese hacker groups to cover their tracks or stir up tension. Local hackers may lack the technologies and capabilities needed to execute such an attack, according to the report.

Another anonymous security source, speaking to a Lebanese TV channel, implicated Israel as a potential culprit behind the attack.

Lebanon's minister of public works and transportation, Ali Hamieh, said during a press conference on Monday that approximately 70% of the hacked airport screens have resumed their normal work. The airport was disconnected from the internet “in order to limit the damage,” he added.

The country’s security services are investigating the hack. “The answer will be within days to determine whether the breach is internal or external,” Hamieh said.
