Security


$30 doorbell cameras have multiple serious security flaws, says Consumer Reports

Video doorbell security —

Models still widely available on e-commerce sites after issues reported.

Image: Consumer Reports’ investigation suggests that, should this delivery person press and hold the bell button and then pair using Eken’s app, he could see if other delivery people get such a perfunctory response. (Credit: Eken)

Video doorbell cameras have been commoditized to the point where they’re available for $30–$40 on marketplaces like Amazon, Walmart, Temu, and Shein. The true cost of owning one might be much greater, however.

Consumer Reports (CR) has released the findings of a security investigation into two budget-minded doorbell brands, Eken and Tuck, which are largely the same hardware produced by the Eken Group in China, according to CR. The cameras are further resold under at least 10 more brands. The cameras are set up through a common mobile app, Aiwit. And the cameras share something else, CR claims: “troubling security vulnerabilities.”

Image: The pairing procedure for one of Eken’s doorbell cameras, which allows a malicious actor quite a bit of leeway. (Credit: Eken)

Among the camera’s vulnerabilities cited by CR:

  • Sending public IP addresses and Wi-Fi SSIDs (names) over the Internet without encryption
  • Takeover of the cameras by putting them into pairing mode (which you can do from a front-facing button on some models) and connecting through the Aiwit app
  • Access to still images from the video feed and other information by knowing the camera’s serial number.

CR also noted that Eken cameras lacked an FCC registration code. More than 4,200 were sold in January 2024, according to CR, and often held an Amazon “Overall Pick” label (as one model did when an Ars writer looked on Wednesday).

“These video doorbells from little known manufacturers have serious security and privacy vulnerabilities, and now they’ve found their way onto major digital marketplaces such as Amazon and Walmart,” said Justin Brookman, director of tech policy at Consumer Reports, in a statement. “Both the manufacturers and platforms that sell the doorbells have a responsibility to ensure that these products are not putting consumers in harm’s way.”

CR noted that it contacted vendors where it found the doorbells for sale. Temu told CR that it would halt sales of the doorbells, but “similar-looking if not identical doorbells remained on the site,” CR noted.

A Walmart representative told Ars that all cameras mentioned by Consumer Reports, sold by third parties, have been removed from Walmart by now. The representative added that customers may be eligible for refunds and that Walmart prohibits the selling of devices that require an FCC ID and lack one.

Ars contacted Amazon for comment and will update this post with new information. An email sent to the sole address that could be found on Eken’s website was returned undeliverable. The company’s social media accounts were last updated at least three years prior.

Image: Consumer Reports’ researchers claim to have found JPEG file references passed in plaintext over the network, which could later be viewed without authentication in a browser. (Credit: Consumer Reports)

CR issued vulnerability disclosures to Eken and Tuck regarding its findings. The disclosures note the amount of data that is sent over the network without authentication, including JPEG files, the local SSID, and external IP address. It notes that after a malicious user has re-paired a doorbell with a QR code generated by the Aiwit app, they have complete control over the device until a user sees an email from Eken and reclaims the doorbell.

With a few exceptions, video doorbells and other IoT cameras tend to rely on cloud connections to stream and store footage, as well as notify their owners about events. This has led to some notable privacy and security concerns. Ring doorbells were found to be pushing Wi-Fi credentials in plaintext in late 2019. Eufy, a company that marketed its “No clouds” offerings, was found to be uploading facial thumbnails to cloud servers to send push alerts and later apologized for that and other vulnerabilities. Camera provider Wyze recently disclosed that, for the second time in five months, images and video feeds were accidentally available to the wrong customers following a lengthy outage.

Listing image by Amazon/Eken



GitHub besieged by millions of malicious repositories in ongoing attack


GitHub is struggling to contain an ongoing attack that’s flooding the site with millions of code repositories. These repositories contain obfuscated malware that steals passwords and cryptocurrency from developer devices, researchers said.

The malicious repositories are clones of legitimate ones, making them hard to distinguish to the casual eye. An unknown party has automated a process that forks legitimate repositories, meaning the source code is copied so developers can use it in an independent project that builds on the original one. The result is millions of forks with names identical to the original one that add a payload that’s wrapped under seven layers of obfuscation. To make matters worse, some people, unaware of the malice of these imitators, are forking the forks, which adds to the flood.

Whack-a-mole

“Most of the forked repos are quickly removed by GitHub, which identifies the automation,” Matan Giladi and Gil David, researchers at security firm Apiiro, wrote Wednesday. “However, the automation detection seems to miss many repos, and the ones that were uploaded manually survive. Because the whole attack chain seems to be mostly automated on a large scale, the 1% that survive still amount to thousands of malicious repos.”

Given the constant churn of new repos being uploaded and GitHub’s removal, it’s hard to estimate precisely how many of each there are. The researchers said the number of repos uploaded or forked before GitHub removes them is likely in the millions. They said the attack “impacts more than 100,000 GitHub repositories.”

GitHub officials didn’t dispute Apiiro’s estimates and didn’t answer other questions sent by email. Instead, they issued the following statement:

GitHub hosts over 100M developers building across over 420M repositories, and is committed to providing a safe and secure platform for developers. We have teams dedicated to detecting, analyzing, and removing content and accounts that violate our Acceptable Use Policies. We employ manual reviews and at-scale detections that use machine learning and constantly evolve and adapt to adversarial tactics. We also encourage customers and community members to report abuse and spam.

Supply-chain attacks that target users of developer platforms have existed since at least 2016, when a college student uploaded custom scripts to RubyGems, PyPI, and NPM. The scripts bore names similar to widely used legitimate packages but otherwise had no connection to them. A phone-home feature in the student’s scripts showed that the imposter code was executed more than 45,000 times on more than 17,000 separate domains, and more than half the time his code was given all-powerful administrative rights. Two of the affected domains ended in .mil, an indication that people inside the US military had run his script. This form of supply-chain attack is often referred to as typosquatting, because it relies on users making small errors when choosing the name of a package they want to use.

In 2021, a researcher used a similar technique to successfully execute counterfeit code on networks belonging to Apple, Microsoft, Tesla, and dozens of other companies. The technique—known as a dependency confusion or namespace confusion attack—started by placing malicious code packages in an official public repository and giving them the same name as dependency packages Apple and the other targeted companies use in their products. Automated scripts inside the package managers used by the companies then automatically downloaded and installed the counterfeit dependency code.

The technique observed by Apiiro is known as repo confusion.

“Similar to dependency confusion attacks, malicious actors get their target to download their malicious version instead of the real one,” Wednesday’s post explained. “But dependency confusion attacks take advantage of how package managers work, while repo confusion attacks simply rely on humans to mistakenly pick the malicious version over the real one, sometimes employing social engineering techniques as well.”
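Because repo confusion depends on a human picking a look-alike repository rather than on a package manager, the defensive check is a pre-clone metadata review. The following Python is an added example (not Apiiro’s or GitHub’s code): it scores a repository record against the upstream you meant to clone. The records are constructed sample data shaped like a subset of GitHub’s REST repository object; the owner creation date is assumed to have been merged in from a separate user lookup, and the repository names are placeholders.

```python
"""Pre-clone sanity check for repo confusion.

Added example; not Apiiro's or GitHub's code. The records below are constructed sample
data shaped like a subset of GitHub's REST repository object (full_name, fork,
parent.full_name, created_at, stargazers_count). The owner's creation date is not part
of that object; the assumption here is that the caller merged it in from a user lookup.
"""
from datetime import datetime, timezone

EXPECTED_UPSTREAM = "example-org/example-lib"  # placeholder for the project you meant to clone

# Constructed sample: the genuine upstream repository.
GENUINE = {
    "full_name": "example-org/example-lib",
    "fork": False,
    "parent": None,
    "created_at": "2016-03-01T00:00:00Z",
    "stargazers_count": 4200,
    "owner": {"login": "example-org", "created_at": "2014-01-01T00:00:00Z"},
}

# Constructed sample: an automated look-alike fork under a freshly created account.
LOOKALIKE = {
    "full_name": "examp1e-org/example-lib",  # identical repo name, different owner
    "fork": True,
    "parent": {"full_name": "example-org/example-lib"},
    "created_at": "2024-02-27T12:00:00Z",
    "stargazers_count": 0,
    "owner": {"login": "examp1e-org", "created_at": "2024-02-26T00:00:00Z"},
}


def _parse_iso(ts: str) -> datetime:
    # GitHub timestamps end in "Z"; fromisoformat needs an explicit offset before Python 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _age_days(ts: str, now: datetime) -> float:
    return (now - _parse_iso(ts)).total_seconds() / 86400


def assess_repo(meta: dict, expected_upstream: str, now_iso: str = "", min_age_days: int = 30) -> list:
    """Return warnings for a repository record; an empty list means it looks like the upstream.

    now_iso fixes the reference time (useful for tests); empty means the current UTC time.
    """
    now = _parse_iso(now_iso) if now_iso else datetime.now(timezone.utc)
    warnings = []
    if meta["full_name"].lower() != expected_upstream.lower():
        warnings.append("full_name %r is not the expected upstream %r" % (meta["full_name"], expected_upstream))
    if meta.get("fork"):
        parent = (meta.get("parent") or {}).get("full_name")
        warnings.append("repository is a fork of %s" % parent)
    if _age_days(meta["created_at"], now) < min_age_days:
        warnings.append("repository is less than %d days old" % min_age_days)
    if _age_days(meta["owner"]["created_at"], now) < min_age_days:
        warnings.append("owner account is less than %d days old" % min_age_days)
    if meta.get("stargazers_count", 0) == 0:
        warnings.append("repository has no stars")
    return warnings


if __name__ == "__main__":
    for record in (GENUINE, LOOKALIKE):
        print(record["full_name"], assess_repo(record, EXPECTED_UPSTREAM) or "OK")
```

The heuristics are deliberately simple; a repository that trips several of them at once is the pattern the Apiiro researchers describe, not proof of malice on its own.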



Hackers backed by Russia and China are infecting SOHO routers like yours, FBI warns

IDEAL HIDEOUT —

Six years on, routers remain a favorite post for concealing malicious activities.


The FBI and partners from 10 other countries are urging owners of Ubiquiti EdgeRouters to check their gear for signs they’ve been hacked and are being used to conceal ongoing malicious operations by Russian state hackers.

The Ubiquiti EdgeRouters make an ideal hideout for hackers. The inexpensive gear, used in homes and small offices, runs a version of Linux that can host malware that surreptitiously runs behind the scenes. The hackers then use the routers to conduct their malicious activities. Rather than using infrastructure and IP addresses that are known to be hostile, the connections come from benign-appearing devices hosted by addresses with trustworthy reputations, allowing them to receive a green light from security defenses.

Unfettered access

“In summary, with root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns,” FBI officials wrote in an advisory Tuesday.

APT28—one of the names used to track a group backed by the Russian General Staff Main Intelligence Directorate known as GRU—has been doing that for at least the past four years, the FBI has alleged. Earlier this month, the FBI revealed that it had quietly removed Russian malware from routers in US homes and businesses. The operation, which received prior court authorization, went on to add firewall rules that would prevent APT28—also tracked under names including Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit—from being able to regain control of the devices.

On Tuesday, FBI officials noted that the operation only removed the malware used by APT28 and temporarily blocked the group using its infrastructure from reinfecting them. The move did nothing to patch any vulnerabilities in the routers or to remove weak or default credentials hackers could exploit to use the devices once again to host their malware surreptitiously.

“The US Department of Justice, including the FBI, and international partners recently disrupted a GRU botnet consisting of such routers,” they warned. “However, owners of relevant devices should take the remedial actions described below to ensure the long-term success of the disruption effort and to identify and remediate any similar compromises.”

Those actions include:

  • Perform a hardware factory reset to remove all malicious files
  • Upgrade to the latest firmware version
  • Change any default usernames and passwords
  • Implement firewall rules to restrict outside access to remote management services.

Tuesday’s advisory said that APT28 has been using the infected routers since at least 2022 to facilitate covert operations against governments, militaries, and organizations around the world, including in the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates, and the US. Besides government bodies, industries targeted include aerospace and defense, education, energy and utilities, hospitality, manufacturing, oil and gas, retail, technology, and transportation. APT28 has also targeted individuals in Ukraine.

The Russian hackers gained control of devices after they were already infected with Moobot, which is botnet malware used by financially motivated threat actors not affiliated with the GRU. These threat actors installed Moobot after first exploiting publicly known default administrator credentials that hadn’t been removed from the devices by the people who owned them. APT28 then used the Moobot malware to install custom scripts and malware that turned the botnet into a global cyber espionage platform.



Avast ordered to stop selling browsing data from its browsing privacy apps

Security, privacy, things of that nature —

Identifiable data included job searches, map directions, “cosplay erotica.”


Avast, a name known for its security research and antivirus apps, has long offered Chrome extensions, mobile apps, and other tools aimed at increasing privacy.

Avast’s apps would “block annoying tracking cookies that collect data on your browsing activities,” and prevent web services from “tracking your online activity.” Deep in its privacy policy, Avast said information that it collected would be “anonymous and aggregate.” In its fiercest rhetoric, Avast’s desktop software claimed it would stop “hackers making money off your searches.”

All of that language was offered up while Avast was collecting users’ browser information from 2014 to 2020, then selling it to more than 100 other companies through a since-shuttered entity known as Jumpshot, according to the Federal Trade Commission. Under a proposed recent FTC order (PDF), Avast must pay $16.5 million, which is “expected to be used to provide redress to consumers,” according to the FTC. Avast will also be prohibited from selling future browsing data, must obtain express consent on future data gathering, notify customers about prior data sales, and implement a “comprehensive privacy program” to address prior conduct.

Reached for comment, Avast provided a statement that noted the company’s closure of Jumpshot in early 2020. “We are committed to our mission of protecting and empowering people’s digital lives. While we disagree with the FTC’s allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world,” the statement reads.

Data was far from anonymous

The FTC’s complaint (PDF) notes that after Avast acquired then-antivirus competitor Jumpshot in early 2014, it rebranded the company as an analytics seller. Jumpshot advertised that it offered “unique insights” into the habits of “[m]ore than 100 million online consumers worldwide.” That included the ability to “[s]ee where your audience is going before and after they visit your site or your competitors’ sites, and even track those who visit a specific URL.”

While Avast and Jumpshot claimed that the data had identifying information removed, the FTC argues this was “not sufficient.” Jumpshot offerings included a unique device identifier for each browser, included in data like an “All Clicks Feed,” “Search Plus Click Feed,” “Transaction Feed,” and more. The FTC’s complaint detailed how various companies would purchase these feeds, often with the express purpose of pairing them with a company’s own data, down to an individual user basis. Some Jumpshot contracts attempted to prohibit re-identifying Avast users, but “those prohibitions were limited,” the complaint notes.

The connection between Avast and Jumpshot became broadly known in January 2020, after reporting by Vice and PC Magazine revealed that clients, including Home Depot, Google, Microsoft, Pepsi, and McKinsey, were buying data from Jumpshot, as seen in confidential contracts. Data obtained by the publications showed that buyers could purchase data including Google Maps look-ups, individual LinkedIn and YouTube pages, porn sites, and more. “It’s very granular, and it’s great data for these companies, because it’s down to the device level with a timestamp,” one source told Vice.

The FTC’s complaint provides more detail on how Avast, on its own web forums, sought to downplay its Jumpshot presence. Avast suggested both that only non-aggregated data was provided to Jumpshot and that users were informed during product installation about collecting data to “better understand new and interesting trends.” Neither of these claims proved true, the FTC suggests. And the data collected was far from harmless, given its re-identifiable nature:

For example, a sample of just 100 entries out of trillions retained by Respondents showed visits by consumers to the following pages: an academic paper on a study of symptoms of breast cancer; Sen. Elizabeth Warren’s presidential candidacy announcement; a CLE course on tax exemptions; government jobs in Fort Meade, Maryland with a salary greater than $100,000; a link (then broken) to the mid-point of a FAFSA (financial aid) application; directions on Google Maps from one location to another; a Spanish-language children’s YouTube video; a link to a French dating website, including a unique member ID; and cosplay erotica.

In a blog post accompanying its announcement, FTC Senior Attorney Lesley Fair writes that, in addition to the dual nature of Avast’s privacy products and Jumpshot’s extensive tracking, the FTC is increasingly viewing browsing data as “highly sensitive information that demands the utmost care.” “Data about the websites a person visits isn’t just another corporate asset open to unfettered commercial exploitation,” Fair writes.

FTC commissioners voted 3-0 to issue the complaint and accept the proposed consent agreement. Chair Lina Khan, along with commissioners Rebecca Slaughter and Alvaro Bedoya, issued a statement on their vote.

Since the time of the FTC’s complaint and its Jumpshot business, Avast has been acquired by Gen Digital, a firm that contains Norton, Avast, LifeLock, Avira, AVG, CCleaner, and ReputationDefender, among other security businesses.

Disclosure: Condé Nast, Ars Technica’s parent company, received data from Jumpshot before its closure.



Ransomware associated with LockBit still spreading 2 days after server takedown

LINGERING RANSOMWARE MENACE —

LockBit’s extensive reach is making complete erasure hard.


Two days after an international team of authorities struck a major blow at LockBit, one of the Internet’s most prolific ransomware syndicates, researchers have detected a new round of attacks that are installing malware associated with the group.

The attacks, detected in the past 24 hours, are exploiting two critical vulnerabilities in ScreenConnect, a remote desktop application sold by ConnectWise. According to researchers at two security firms—SophosXOps and Huntress—attackers who successfully exploit the vulnerabilities go on to install LockBit ransomware and other post-exploit malware. It wasn’t immediately clear if the ransomware was the official LockBit version.

“We can’t publicly name the customers at this time but can confirm the malware being deployed is associated with LockBit, which is particularly interesting against the backdrop of the recent LockBit takedown,” John Hammond, principal security researcher at Huntress, wrote in an email. “While we can’t attribute this directly to the larger LockBit group, it is clear that LockBit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement.”

Hammond said the ransomware is being deployed to “vet offices, health clinics, and local governments (including attacks against systems related to 911 systems).”

Muddying the attribution waters

SophosXOps and Huntress didn’t say if the ransomware being installed is the official LockBit version or a version leaked by a disgruntled LockBit insider in 2022. The leaked builder has circulated widely since then and has touched off a string of copycat attacks that aren’t part of the official operation.

“When builds are leaked, it can also muddy the waters with regards to attribution,” researchers from security firm Trend Micro said Thursday. “For example, in August 2023, we observed a group that called itself the Flamingo group using a leaked LockBit payload bundled with the Rhadamanthys stealer. In November 2023, we found another group, going by the moniker Spacecolon, impersonating LockBit. The group used email addresses and URLs that gave victims the impression that they were dealing with LockBit.”

SophosXOps said only that it had “observed several LockBit attacks.” A company spokesperson said no other details were available. Hammond said the malware was “associated with” the ransomware group and wasn’t immediately able to confirm if the malware was the official version or a knockoff.

The attacks come two days after officials in the UK, US, and Europol announced a major disruption of LockBit. The action included seizing control of 14,000 accounts and 34 servers, arresting two suspects, and issuing five indictments and three arrest warrants. Authorities also froze 200 cryptocurrency accounts linked to the ransomware operation. The actions came after investigators hacked and took control of the LockBit infrastructure.

Authorities said LockBit has extorted more than $120 million from thousands of victims around the world, making it among the world’s most active ransomware groups. Like most other ransomware groups, LockBit operates under a ransomware-as-a-service model, in which affiliates share the revenue they generate in exchange for using the LockBit ransomware and infrastructure.

Given the sheer number of affiliates and their broad geographic and organizational distribution, it’s often not feasible for all of them to be neutralized in actions like the one announced Tuesday. It’s possible that some affiliates remain operational and want to signal that the ransomware franchise will continue in one form or another. It’s also possible that the infections SophosXOps and Huntress are seeing are the work of an unaffiliated group of actors with other motivations.

Besides installing the LockBit-associated ransomware, Hammond said, the attackers are installing several other malicious apps, including a backdoor known as Cobalt Strike, cryptocurrency miners, and SSH tunnels for remotely connecting to compromised infrastructure.

The ScreenConnect vulnerabilities are under mass exploitation and are tracked as CVE-2024-1708 and CVE-2024-1709. ConnectWise has made patches available for all vulnerable versions, including those no longer actively supported.



iMessage gets a major makeover that puts it on equal footing with Signal


iMessage is getting a major makeover that makes it one of the two messaging apps best prepared to withstand the coming advent of quantum computing, largely at parity with Signal or arguably incrementally more hardened.

On Wednesday, Apple said messages sent through iMessage will now be protected by two forms of end-to-end encryption (E2EE), whereas before, it had only one. The encryption being added, known as PQ3, is an implementation of a new algorithm called Kyber that, unlike the algorithms iMessage has used until now, can’t be broken with quantum computing. Apple isn’t replacing the older quantum-vulnerable algorithm with PQ3—it’s augmenting it. That means, for the encryption to be broken, an attacker will have to crack both.

Making E2EE future safe

The iMessage changes come five months after the Signal Foundation, maker of the Signal Protocol that encrypts messages sent by more than a billion people, updated the open standard so that it, too, is ready for post-quantum computing (PQC). Just like Apple, Signal added Kyber to X3DH, the algorithm it was using previously. Together, they’re known as PQXDH.

iMessage and Signal provide end-to-end encryption, a protection that makes it impossible for anyone other than the sender and recipient of a message to read it in decrypted form. iMessage began offering E2EE with its rollout in 2011. Signal became available in 2014.

One of the biggest looming threats to many forms of encryption is quantum computing. The strength of the algorithms used in virtually all messaging apps relies on mathematical problems that are easy to solve in one direction and extremely hard to solve in the other. Unlike a traditional computer, a quantum computer with sufficient resources can solve these problems in considerably less time.

No one knows how soon that day will come. One common estimate is that a quantum computer with 20 million qubits (the basic unit of quantum information) will be able to crack a single 2,048-bit RSA key in about eight hours. The biggest known quantum computer to date has 433 qubits.

Whenever that future arrives, cryptography engineers know it’s inevitable. They also know that some adversaries will likely collect and stockpile as much encrypted data as they can now and decrypt it once quantum advances allow for it. The moves by both Apple and Signal aim to defend against that eventuality using Kyber, one of several PQC algorithms currently endorsed by the National Institute of Standards and Technology. Since Kyber is still relatively new, both iMessage and Signal will continue using the more tested algorithms alongside it for the time being.
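The reason both Apple and Signal keep the older algorithm alongside Kyber is that a hybrid key derivation forces an attacker to recover both shared secrets. The following Python is an added illustration of that idea, not Apple’s PQ3 or Signal’s PQXDH code (whose exact constructions the article does not describe): it combines a classical and a post-quantum shared secret with HKDF (RFC 5869) and models an adversary who holds only the classical one. The two shared secrets, the transcript bytes, and the `hybrid-example-v1` label are constructed sample values.

```python
"""Hybrid shared-secret combiner.

Added illustration of the 'attacker must break both' idea from the article; this is not
Apple's PQ3 or Signal's PQXDH code, whose exact constructions the article does not describe.
The two KEM outputs and the transcript below are constructed sample bytes standing in for
a classical (X25519-style) shared secret and a Kyber-style shared secret.
"""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_session_key(classical_ss: bytes, pq_ss: bytes, transcript: bytes) -> bytes:
    """Derive a 32-byte session key that depends on BOTH shared secrets.

    Concatenating the secrets means a quantum attacker who recovers classical_ss still
    lacks pq_ss, and someone who breaks Kyber (a young algorithm) still lacks classical_ss.
    transcript is assumed to be the public handshake material (keys, ciphertexts) and is
    mixed in as salt so the key is bound to this specific exchange.
    """
    prk = hkdf_extract(salt=hashlib.sha256(transcript).digest(), ikm=classical_ss + pq_ss)
    return hkdf_expand(prk, b"hybrid-example-v1", 32)


# Constructed sample inputs (not real KEM outputs).
CLASSICAL_SS = hashlib.sha256(b"sample classical shared secret").digest()
PQ_SS = hashlib.sha256(b"sample post-quantum shared secret").digest()
TRANSCRIPT = b"sample transcript: public keys and ciphertexts of this handshake"


def attacker_recovers_key(known_classical: bytes, pq_guess: bytes, transcript: bytes) -> bool:
    """Model an adversary who knows the classical secret and must guess the PQ one."""
    real = hybrid_session_key(CLASSICAL_SS, PQ_SS, transcript)
    return hmac.compare_digest(real, hybrid_session_key(known_classical, pq_guess, transcript))


if __name__ == "__main__":
    key = hybrid_session_key(CLASSICAL_SS, PQ_SS, TRANSCRIPT)
    print("session key:", key.hex())
    print("attacker with classical secret only:", attacker_recovers_key(CLASSICAL_SS, b"\x00" * 32, TRANSCRIPT))
```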



After years of losing, it’s finally feds’ turn to troll ransomware group

LOOK WHO’S TROLLING NOW —

Authorities who took down the ransomware group brag about their epic hack.


After years of being outmaneuvered by snarky ransomware criminals who tease and brag about each new victim they claim, international authorities finally got their chance to turn the tables, and they aren’t squandering it.

The top-notch trolling came after authorities from the US, UK, and Europol took down most of the infrastructure belonging to LockBit, a ransomware syndicate that has extorted more than $120 million from thousands of victims around the world. On Tuesday, most of the sites LockBit uses to shame its victims for being hacked, pressure them into paying, and brag of their hacking prowess began displaying content announcing the takedown. The seized infrastructure also hosted decryptors victims could use to recover their data.

Image: The dark web site LockBit once used to name and shame victims, displaying entries such as “press releases,” “LB Backend Leaks,” and “LockbitSupp You’ve been banned from Lockbit 3.0.” (this_is_really_bad)

Authorities didn’t use the seized name-and-shame site solely for informational purposes. One section that appeared prominently gloated over the extraordinary extent of the system access investigators gained. Several images indicated they had control of /etc/shadow, a Linux file that stores cryptographically hashed passwords. This file, among the most security-sensitive ones in Linux, can be accessed only by a user with root, the highest level of system privileges.

Image: Screenshot showing a folder named “shadow” with hashes for accounts including “root,” “daemon,” “bin,” and “sys.”

Other images demonstrated that investigators also had complete control of the main web panel and the system LockBit operators used to communicate with affiliates and victims.

Image: Screenshot of a panel used to administer the LockBit site.

Image: Screenshot showing chats between a LockBit affiliate and a victim.

The razzing didn’t stop there. File names of the images had titles including: “this_is_really_bad.png,” “oh dear.png,” and “doesnt_look_good.png.” The seized page also teased the upcoming doxing of LockbitSupp, the moniker of the main LockBit figure. It read: “Who is LockbitSupp? The $10m question” and displayed images of cash wrapped in chains with padlocks. Copying a common practice of LockBit and competing ransomware groups, the seized site displayed a clock counting down the seconds until the identifying information will be posted.

Image: Screenshot showing “who is lockbitsupp?”

In all, authorities said they seized control of 14,000 accounts and 34 servers located in the Netherlands, Germany, Finland, France, Switzerland, Australia, the US, and the UK. Two LockBit suspects have been arrested in Poland and Ukraine, and five indictments and three arrest warrants have been issued. Authorities also froze 200 cryptocurrency accounts linked to the ransomware operation.

“At present, a vast amount of data gathered throughout the investigation is now in the possession of law enforcement,” Europol officials said. “This data will be used to support ongoing international operational activities focused on targeting the leaders of this group, as well as developers, affiliates, infrastructure, and criminal assets linked to these criminal activities.”

LockBit has operated since at least 2019 under the name “ABCD.” Within three years, it was the most widely circulating ransomware. Like most of its peers, LockBit operates under what’s known as ransomware-as-a-service, in which it provides software and infrastructure to affiliates who use it to compromise victims. LockBit and the affiliates then divide any resulting revenue. Hundreds of affiliates participated.

According to KrebsOnSecurity, one of the LockBit leaders said on a Russian-language crime forum that a vulnerability in the PHP scripting language provided the means for authorities to hack the servers. That detail led to another round of razzing, this time from fellow forum participants.

“Does it mean that the FBI provided a pen-testing service to the affiliate program?” one participant wrote, according to reporter Brian Krebs. “Or did they decide to take part in the bug bounty program? :):).”

Several members also posted memes taunting the group about the security failure.

“In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadn’t offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head—offering $10 million to anyone who could discover his real name,” Krebs wrote. “‘My god, who needs me?’ LockBitSupp wrote on January 22, 2024. ‘There is not even a reward out for me on the FBI website.’”

After years of losing, it’s finally feds’ turn to troll ransomware group


DOJ quietly removed Russian malware from routers in US homes and businesses

Fancy Bear —

Feds once again fix up compromised retail routers under court order.

Ethernet cable plugged into a router LAN port

Getty Images

More than 1,000 Ubiquiti routers in homes and small businesses were infected with malware used by Russian-backed agents to coordinate them into a botnet for crime and spy operations, according to the Justice Department.

That malware, which worked as a botnet for the Russian hacking group Fancy Bear, was removed in January 2024 under a secret court order as part of “Operation Dying Ember,” according to the FBI’s director. It affected routers running Ubiquiti’s EdgeOS, but only those that had not changed their default administrative password. Access to the routers allowed the hacking group to “conceal and otherwise enable a variety of crimes,” the DOJ claims, including spearphishing and credential harvesting in the US and abroad.

Unlike previous attacks by Fancy Bear—which the DOJ ties to GRU Military Unit 26165, also known as APT 28, Sofacy Group, and Sednit, among other monikers—the Ubiquiti intrusion relied on a known malware, Moobot. Once the routers had been infected by “Non-GRU cybercriminals,” GRU agents installed “bespoke scripts and files” to connect to and repurpose the devices, according to the DOJ.

According to the DOJ, it also used the Moobot malware itself to copy and then delete the botnet files and data, and then changed the routers’ firewall rules to block remote management access. During the court-sanctioned intrusion, the DOJ “enabled temporary collection of non-content routing information” that would “expose GRU attempts to thwart the operation.” This did not “impact the routers’ normal functionality or collect legitimate user content information,” the DOJ claims.

“For the second time in two months, we’ve disrupted state-sponsored hackers from launching cyber-attacks behind the cover of compromised US routers,” said Deputy Attorney General Lisa Monaco in a press release.

The DOJ states it will notify affected customers to ask them to perform a factory reset, install the latest firmware, and change their default administrative password.
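The two conditions the operation turned on, a management plane reachable from the WAN and a factory administrative account that was never changed, can both be read off an EdgeOS configuration export. The following is an added example, not code from the DOJ, the FBI or Ubiquiti: a small auditor over the `set ...` command form that EdgeOS prints for `show configuration commands`. The two sample configs are constructed; the "WAN interface" heuristic (an interface described as WAN or addressed by DHCP) is an assumption for the example, and `ubnt` is the factory account name EdgeOS ships with.

```python
"""Audit an EdgeOS configuration export for WAN-reachable management and a
surviving default admin account. Added example; sample configs are constructed."""

# Constructed: a router as shipped, with a WAN uplink and its management
# services (web GUI, SSH) but no ruleset protecting the router itself.
WEAK_CONFIG = """\
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN
set service gui https-port 443
set service ssh port 22
set system login user ubnt authentication plaintext-password ****
set system login user ubnt level admin
"""

# Constructed: the same router after remediation. WAN_LOCAL drops everything
# addressed to the router except replies to its own traffic, and the factory
# account has been replaced by a renamed administrator.
HARDENED_CONFIG = """\
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set service gui https-port 443
set service ssh port 22
set system login user netadmin authentication encrypted-password ****
set system login user netadmin level admin
"""

DEFAULT_ACCOUNT = "ubnt"  # factory administrative account on EdgeOS


def parse_set_commands(text):
    """Return the config as a list of token tuples, one per `set` line."""
    return [tuple(line.split()[1:])
            for line in text.splitlines()
            if line.strip().startswith("set ")]


def wan_interfaces(cmds):
    """Heuristic (assumption for this example): an interface is WAN-facing if its
    description mentions WAN or it takes its address from DHCP."""
    ifaces = set()
    for c in cmds:
        if len(c) >= 5 and c[0] == "interfaces":
            if c[3] == "description" and "WAN" in c[4].upper():
                ifaces.add(c[2])
            if c[3] == "address" and c[4] == "dhcp":
                ifaces.add(c[2])
    return ifaces


def local_firewall_for(cmds, iface):
    """Ruleset applied to traffic destined to the router itself on iface, or None."""
    for c in cmds:
        if c[:3] == ("interfaces", "ethernet", iface) and c[3:6] == ("firewall", "local", "name"):
            return c[6]
    return None


def default_action(cmds, ruleset):
    """Explicit default-action of a ruleset, or None if it is not set."""
    for c in cmds:
        if c[:4] == ("firewall", "name", ruleset, "default-action"):
            return c[4]
    return None


def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    cmds = parse_set_commands(text)
    findings = []
    services = sorted({c[1] for c in cmds if c[0] == "service" and c[1] in ("gui", "ssh")})
    for iface in sorted(wan_interfaces(cmds)):
        ruleset = local_firewall_for(cmds, iface)
        if ruleset is None:
            findings.append(f"{iface}: no 'firewall local' ruleset; {', '.join(services)} reachable from WAN")
        elif default_action(cmds, ruleset) != "drop":
            # We require an explicit drop rather than relying on the platform default.
            findings.append(f"{iface}: ruleset {ruleset} does not explicitly drop by default")
    if any(c[:4] == ("system", "login", "user", DEFAULT_ACCOUNT) for c in cmds):
        findings.append(f"default account '{DEFAULT_ACCOUNT}' still present")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["ok"])
```

The hardened config is the shape of fix the notification asks owners to end up with: a `local` ruleset on the WAN interface that drops by default, so neither the GUI nor SSH answers from the Internet, and no account left under its factory name. The checker is deliberately conservative and flags a ruleset that does not state `default-action drop` explicitly, rather than relying on whatever the platform assumes.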

Christopher A. Wray, director of the FBI, expanded on the Fancy Bear operation and international hacking threats generally at the ongoing Munich Security Conference. Russia has recently targeted underwater cables and industrial control systems worldwide, Wray said, according to a New York Times report. And since its invasion of Ukraine, Russia has focused on the US energy sector, Wray said.

The past year has been an active time for attacks on routers and other network infrastructure. TP-Link routers were found infected in May 2023 with malware from a reportedly Chinese-backed group. In September, modified firmware in Cisco routers was discovered as part of a Chinese-backed intrusion into multinational companies, according to US and Japanese authorities. Malware said by the DOJ to be tied to the Chinese government was removed from SOHO routers by the FBI last month in similar fashion to the most recently revealed operation, targeting Cisco and Netgear devices that had mostly reached their end of life and were no longer receiving security patches.

In each case, the routers provided a highly valuable service to the groups, even though that service was secondary to whatever primary aims later attacks might have. By nesting inside the routers, hackers could send commands from their overseas locations but have the traffic appear to be coming from a far safer-looking location inside the target country or even inside a company.

Similar inside-the-house access has been sought by international attackers through VPN products, as in the three different Ivanti vulnerabilities discovered recently.



Canada declares Flipper Zero public enemy No. 1 in car-theft crackdown

FLIPPING YOUR LID —

How do you ban a device built with open source hardware and software anyway?

A Flipper Zero device

https://flipperzero.one/

Canadian Prime Minister Justin Trudeau has identified an unlikely public enemy No. 1 in his new crackdown on car theft: the Flipper Zero, a $200 piece of open source hardware used to capture, analyze and interact with simple radio communications.

On Thursday, the Innovation, Science and Economic Development Canada agency said it will “pursue all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero, which would allow for the removal of those devices from the Canadian marketplace through collaboration with law enforcement agencies.” A social media post by François-Philippe Champagne, the minister of that agency, said that as part of the push “we are banning the importation, sale and use of consumer hacking devices, like flippers, used to commit these crimes.”

In remarks made the same day, Trudeau said the push will target similar tools that he said can be used to defeat anti-theft protections built into virtually all new cars.

“In reality, it has become too easy for criminals to obtain sophisticated electronic devices that make their jobs easier,” he said. “For example, to copy car keys. It is unacceptable that it is possible to buy tools that help car theft on major online shopping platforms.”

Presumably, such tools subject to the ban would include HackRF One and LimeSDR, which have become crucial for analyzing and testing the security of all kinds of electronic devices to find vulnerabilities before they’re exploited. None of the government officials identified any of these tools, but in an email, a representative of the Canadian government reiterated the use of the phrase “pursuing all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry.”

A humble hobbyist device

The push to ban any of these tools has been met with fierce criticism from hobbyists and security professionals. Their case has only been strengthened by Trudeau’s focus on Flipper Zero. This slim, lightweight device bearing the logo of an adorable dolphin acts as a Swiss Army knife for sending, receiving, and analyzing all kinds of wireless communications. It can interact with radio signals, including RFID, NFC, Bluetooth, Wi-Fi, or standard radio. People can use it to change the channels of a TV at a bar covertly, clone simple hotel key cards, read the RFID chip implanted in pets, open and close some garage doors, and, until Apple issued a patch, send iPhones into a never-ending DoS loop.

The price and ease of use make Flipper Zero ideal for beginners and hobbyists who want to understand how increasingly ubiquitous communications protocols such as NFC and Wi-Fi work. It bundles various open source hardware and software into a portable form factor that sells for an affordable price. What seems lost on the Canadian government is that the device isn’t especially useful in stealing cars, because it lacks the more advanced capabilities required to bypass anti-theft protections introduced more than two decades ago.

One thing the Flipper Zero is exceedingly ill-equipped for is defeating modern antihack protections built into cars, smartcards, phones, and other electronic devices.

The most prevalent form of electronics-assisted car theft these days, for instance, uses what are known as signal amplification relay devices against keyless ignition and entry systems. This form of hack works by holding one device near a key fob and a second device near the vehicle the fob works with. In the most typical scenario, the fob is located on a shelf near a locked front door, and the car is several dozen feet away in a driveway. By placing one device near the front door and another one next to the car, the hack relays the radio signals necessary to unlock and start the vehicle.



London Underground is testing real-time AI surveillance tools to spot crime

tube tracking —

Computer vision system tried to detect crime, weapons, people falling, and fare dodgers.

Commuters wait on the platform as a Central Line tube train arrives at Liverpool Street London Transport Tube Station in 2023.

Thousands of people using the London Underground had their movements, behavior, and body language watched by AI surveillance software designed to see if they were committing crimes or were in unsafe situations, new documents obtained by WIRED reveal. The machine-learning software was combined with live CCTV footage to try to detect aggressive behavior and guns or knives being brandished, as well as looking for people falling onto Tube tracks or dodging fares.

From October 2022 until the end of September 2023, Transport for London (TfL), which operates the city’s Tube and bus network, tested 11 algorithms to monitor people passing through Willesden Green Tube station, in the northwest of the city. The proof-of-concept trial is the first time the transport body has combined AI and live video footage to generate alerts that are sent to frontline staff. More than 44,000 alerts were issued during the test, with 19,000 being delivered to station staff in real time.

Documents sent to WIRED in response to a Freedom of Information Act request detail how TfL used a wide range of computer vision algorithms to track people’s behavior while they were at the station. It is the first time the full details of the trial have been reported, and it follows TfL saying, in December, that it will expand its use of AI to detect fare dodging to more stations across the British capital.

In the trial at Willesden Green—a station that had 25,000 visitors per day before the COVID-19 pandemic—the AI system was set up to detect potential safety incidents to allow staff to help people in need, but it also targeted criminal and antisocial behavior. Three documents provided to WIRED detail how AI models were used to detect wheelchairs, prams, vaping, people accessing unauthorized areas, or putting themselves in danger by getting close to the edge of the train platforms.

The documents, which are partially redacted, also show how the AI made errors during the trial, such as flagging children who were following their parents through ticket barriers as potential fare dodgers, or not being able to tell the difference between a folding bike and a non-folding bike. Police officers also assisted the trial by holding a machete and a gun in the view of CCTV cameras, while the station was closed, to help the system better detect weapons.

Privacy experts who reviewed the documents question the accuracy of object detection algorithms. They also say it is not clear how many people knew about the trial, and warn that such surveillance systems could easily be expanded in the future to include more sophisticated detection systems or face recognition software that attempts to identify specific individuals. “While this trial did not involve facial recognition, the use of AI in a public space to identify behaviors, analyze body language, and infer protected characteristics raises many of the same scientific, ethical, legal, and societal questions raised by facial recognition technologies,” says Michael Birtwistle, associate director at the independent research institute the Ada Lovelace Institute.

In response to WIRED’s Freedom of Information request, TfL says it used existing CCTV images, AI algorithms, and “numerous detection models” to detect patterns of behavior. “By providing station staff with insights and notifications on customer movement and behaviour they will hopefully be able to respond to any situations more quickly,” the response says. It also says the trial has provided insight into fare evasion that will “assist us in our future approaches and interventions,” and that the data gathered is in line with its data policies.

In a statement sent after publication of this article, Mandy McGregor, TfL’s head of policy and community safety, says the trial results are continuing to be analyzed and adds, “there was no evidence of bias” in the data collected from the trial. During the trial, McGregor says, there were no signs in place at the station that mentioned the tests of AI surveillance tools.

“We are currently considering the design and scope of a second phase of the trial. No other decisions have been taken about expanding the use of this technology, either to further stations or adding capability,” McGregor says. “Any wider roll out of the technology beyond a pilot would be dependent on a full consultation with local communities and other relevant stakeholders, including experts in the field.”



A password manager LastPass calls “fraudulent” booted from App Store

GREAT PRETENDER —

“LassPass” mimicked the name and logo of real LastPass password manager.


As Apple has stepped up its promotion of its App Store as a safer and more trustworthy source of apps, its operators scrambled Thursday to correct a major threat to that narrative: a listing that password manager maker LastPass said was a “fraudulent app impersonating” its brand.

At the time this article on Ars went live, Apple had removed the app—titled LassPass and bearing a logo strikingly similar to the one used by LastPass—from its App Store. At the same time, Apple allowed a separate app submitted by the same developer to remain. Apple provided no explanation for the reason for removing the former app or for allowing the latter one to remain.

Apple warns of “new risks” from competition

The move comes as Apple has beefed up its efforts to promote the App Store as a safer alternative to competing sources of iOS apps mandated recently by the European Union. In an interview with App Store head Phil Schiller published this month by FastCompany, Schiller said the new app stores will “bring new risks”—including pornography, hate speech, and other forms of objectionable content—that Apple has long kept at bay.

“I have no qualms in saying that our goal is going to always be to make the App Store the safest, best place for users to get apps,” he told writer Michael Grothaus. “I think users—and the whole developer ecosystem—have benefited from that work that we’ve done together with them. And we’re going to keep doing that.”

Somehow, Apple’s app vetting process—long vaunted even though Apple has provided few specifics—failed to spot the LastPass lookalike. Apple removed LassPass Thursday morning, two days after LastPass said it had flagged the app to Apple and one day after LastPass warned its users the app was fraudulent.

“We are raising this to our customers’ attention to avoid potential confusion and/or loss of personal data,” LastPass Senior Principal Intelligence Analyst Mike Kosak wrote.

There’s no denying that the logo and name were strikingly similar to the official ones. Below is a screenshot of how LassPass appeared, followed by the official LastPass listing:

The LassPass entry as it appeared in the App Store.

The official LastPass entry.

Here yesterday, gone today

Thomas Reed, director of Mac offerings at security firm Malwarebytes, noted that the LassPass entry in the App Store said the app’s privacy policy was available on bluneel[.]com, but that the policy page was gone by Thursday and the domain’s main page showed only a generic landing page. Whois records indicated the domain was registered five months ago.

There’s no indication that LassPass collected users’ LastPass credentials or copied any of the data it stored. The app did, however, provide fields for users to enter a wealth of sensitive personal information, including passwords, email and physical addresses, and bank, credit, and debit card data. The app had an option for paid subscriptions.

A LastPass representative said the company learned of the app on Tuesday and focused its efforts on getting it removed rather than analyzing its behavior. Company officials don’t have information about precisely what LassPass did when it was installed or when it first appeared in the App Store.

The App Store continues to host a separate app from the same developer who is listed simply as Parvati Patel. (A quick Internet search reveals many individuals with the same name. At the moment, it wasn’t possible to identify the specific one.) The separate app is named PRAJAPATI SAMAJ 42 Gor ABD-GNR, and a corresponding privacy policy (at psag42[.]in/policy.html) is dated December 2023. It’s described as an “application for Ahmedabad-Gandhinager Prajapati Samaj app” and further as a “platform for community.” The app was also recently listed on Google Play but was no longer available for download at the time of publication. Attempts to contact the developer were unsuccessful.

There’s no indication the separate app violates any App Store policy. Apple representatives didn’t respond to an email asking questions about the incident or its vetting process or policies.
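The two signals this story turns on, a name an edit away from a protected brand and a privacy-policy domain registered only months earlier, are exactly what a brand-protection team screens store listings for. Below is an added example, not tooling from LastPass, Apple or Malwarebytes: a lookalike check that normalizes the name (case, separators, common digit-for-letter substitutions), scores it with Damerau-Levenshtein distance against a brand list, and flags a young policy domain. The brand list, thresholds, developer allowances and the listing records are constructed; the two listings mirror the names and domains in the article, but the registration dates and the reference date are constructed placeholders, not the real whois records.

```python
"""Screen app-store listings for brand impersonation. Added example with
constructed brand list, thresholds and listing records."""
from datetime import date

PROTECTED_BRANDS = ["LastPass", "1Password", "Bitwarden"]  # constructed watch list

# Characters commonly swapped in to imitate a brand while dodging exact matching.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s", "|": "l"})


def normalize(name):
    """Case-fold, drop separators and fold common look-alike characters."""
    kept = "".join(ch for ch in name if ch.isalnum() or ch in "@$|")
    return kept.lower().translate(HOMOGLYPHS)


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): insert, delete, substitute,
    and swap of two adjacent characters each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def brand_similarity(name):
    """Closest protected brand and its distance from the normalized name."""
    n = normalize(name)
    best = min(PROTECTED_BRANDS, key=lambda b: edit_distance(n, normalize(b)))
    return best, edit_distance(n, normalize(best))


def assess_listing(listing, today, max_distance=2, min_domain_age_days=365):
    """Return (flags, nearest_brand). A distance of 0 is an identical name and is
    also flagged: only the brand's own developer account should carry it."""
    brand, dist = brand_similarity(listing["name"])
    flags = []
    if dist <= max_distance:
        how = "identical to" if dist == 0 else f"within {dist} edit(s) of"
        flags.append(f"name {how} protected brand {brand}")
    age = (today - listing["policy_domain_registered"]).days
    if age < min_domain_age_days:
        flags.append(f"privacy-policy domain {listing['policy_domain']} registered {age} days ago")
    return flags, brand


# Constructed records: names and domains as reported; dates are placeholders.
LISTINGS = [
    {"name": "LassPass", "developer": "Parvati Patel",
     "policy_domain": "bluneel[.]com", "policy_domain_registered": date(2023, 9, 15)},
    {"name": "PRAJAPATI SAMAJ 42 Gor ABD-GNR", "developer": "Parvati Patel",
     "policy_domain": "psag42[.]in", "policy_domain_registered": date(2022, 6, 1)},
]
TODAY = date(2024, 2, 8)  # constructed reference date for the age check

if __name__ == "__main__":
    for listing in LISTINGS:
        flags, brand = assess_listing(listing, TODAY)
        print(listing["name"], "->", flags or ["no flags"], f"(nearest brand: {brand})")
```

Normalizing before measuring distance matters more than the distance metric itself: "L@stP@ss" or "LastPa55" are zero edits from the brand once folded, and would slip past a raw comparison. The domain-age check is the same observation Reed made from the whois record, turned into a threshold; on its own it is weak (plenty of legitimate new apps have new domains), which is why the example reports both signals together rather than a single verdict.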
