Security – Page 7

Tails OS joins forces with Tor Project in merger

anonymity, Biz & IT, privacy, Security, tails, Tor network, Tor Project / Paul Patrick / September 26, 2024

COME TOGETHER —

The organizations have worked closely together over the years.

Dan Goodin – Sep 26, 2024 8: 57 pm UTC

The Tor Project, the nonprofit that maintains software for the Tor anonymity network, is joining forces with Tails, the maker of a portable operating system that uses Tor. Both organizations seek to pool resources, lower overhead, and collaborate more closely on their mission of online anonymity.

Tails and the Tor Project began discussing the possibility of merging late last year, the two organizations said. At the time, Tails was maxing out its current resources. The two groups ultimately decided it would be mutually beneficial for them to come together.

Amnesic onion routing

“Rather than expanding Tails’s operational capacity on their own and putting more stress on Tails workers, merging with the Tor Project, with its larger and established operational framework, offered a solution,” Thursday’s joint statement said. “By joining forces, the Tails team can now focus on their core mission of maintaining and improving Tails OS, exploring more and complementary use cases while benefiting from the larger organizational structure of The Tor Project.”

The Tor Project, for its part, could stand to benefit from better integration of Tails into its privacy network, which allows web users and websites to operate anonymously by connecting from IP addresses that can’t be linked to a specific service or user.

The “Tor” in the Tor Project is short for The Onion Router. It’s a global project best known for developing the Tor Browser, which connects to the Tor network. The Tor network routes all incoming and outgoing traffic through a series of three IP addresses. The structure ensures that no one can determine the IP address of either originating or destination party. The Tor Project was formed in 2006 by a team that included computer scientists Roger Dingledine and Nick Mathewson. The Tor protocol on which the Tor network runs was developed by the Naval Research Laboratory in the early 2000s.

Tails (The Amnesic Incognito Live System) is a portable Linux-based operating system that runs from thumb drives and external hard drives and uses the Tor browser to route all web traffic between the device it runs on and the Internet. Tails routes outgoing traffic through the Tor Network

One of the key advantages of Tails OS is its ability to run entirely from a USB stick. The design makes it possible to use the secure operating system while traveling or using untrusted devices. It also ensures that no trace is left on a device’s hard drive. Tails has the additional benefit of routing traffic from non-browser clients such as Thunderbird through the Tor network.

“Incorporating Tails into the Tor Project’s structure allows for easier collaboration, better sustainability, reduced overhead, and expanded training and outreach programs to counter a larger number of digital threats,” the organizations said. “In short, coming together will strengthen both organizations’ ability to protect people worldwide from surveillance and censorship.”

The merger comes amid growing threats to personal privacy and calls by lawmakers to mandate backdoors or trapdoors in popular apps and operating systems to allow law enforcement to decrypt data in investigations.

Tails OS joins forces with Tor Project in merger Read More »

Hacker plants false memories in ChatGPT to steal user data in perpetuity

AI, Biz & IT, chatgpt, openai, privacy, prompt injection, Security / Mike M. / September 24, 2024

MEMORY PROBLEMS —

Emails, documents, and other untrusted content can plant malicious memories.

Dan Goodin – Sep 24, 2024 8: 56 pm UTC

When security researcher Johann Rehberger recently reported a vulnerability in ChatGPT that allowed attackers to store false information and malicious instructions in a user’s long-term memory settings, OpenAI summarily closed the inquiry, labeling the flaw a safety issue, not, technically speaking, a security concern.

So Rehberger did what all good researchers do: He created a proof-of-concept exploit that used the vulnerability to exfiltrate all user input in perpetuity. OpenAI engineers took notice and issued a partial fix earlier this month.

Strolling down memory lane

The vulnerability abused long-term conversation memory, a feature OpenAI began testing in February and made more broadly available in September. Memory with ChatGPT stores information from previous conversations and uses it as context in all future conversations. That way, the LLM can be aware of details such as a user’s age, gender, philosophical beliefs, and pretty much anything else, so those details don’t have to be inputted during each conversation.

Within three months of the rollout, Rehberger found that memories could be created and permanently stored through indirect prompt injection, an AI exploit that causes an LLM to follow instructions from untrusted content such as emails, blog posts, or documents. The researcher demonstrated how he could trick ChatGPT into believing a targeted user was 102 years old, lived in the Matrix, and insisted Earth was flat and the LLM would incorporate that information to steer all future conversations. These false memories could be planted by storing files in Google Drive or Microsoft OneDrive, uploading images, or browsing a site like Bing—all of which could be created by a malicious attacker.

Rehberger privately reported the finding to OpenAI in May. That same month, the company closed the report ticket. A month later, the researcher submitted a new disclosure statement. This time, he included a PoC that caused the ChatGPT app for macOS to send a verbatim copy of all user input and ChatGPT output to a server of his choice. All a target needed to do was instruct the LLM to view a web link that hosted a malicious image. From then on, all input and output to and from ChatGPT was sent to the attacker’s website.

ChatGPT: Hacking Memories with Prompt Injection – POC

“What is really interesting is this is memory-persistent now,” Rehberger said in the above video demo. “The prompt injection inserted a memory into ChatGPT’s long-term storage. When you start a new conversation, it actually is still exfiltrating the data.”

The attack isn’t possible through the ChatGPT web interface, thanks to an API OpenAI rolled out last year.

While OpenAI has introduced a fix that prevents memories from being abused as an exfiltration vector, the researcher said, untrusted content can still perform prompt injections that cause the memory tool to store long-term information planted by a malicious attacker.

LLM users who want to prevent this form of attack should pay close attention during sessions for output that indicates a new memory has been added. They should also regularly review stored memories for anything that may have been planted by untrusted sources. OpenAI provides guidance here for managing the memory tool and specific memories stored in it. Company representatives didn’t respond to an email asking about its efforts to prevent other hacks that plant false memories.

Hacker plants false memories in ChatGPT to steal user data in perpetuity Read More »

11 million devices infected with botnet malware hosted in Google Play

android, Biz & IT, botnet, google play, malware, Security / Rejus Almole / September 23, 2024

NECRO —

Necro infiltrated Google Play in 2019. It recently returned.

Dan Goodin – Sep 23, 2024 8: 27 pm UTC

Five years ago, researchers made a grim discovery—a legitimate Android app in the Google Play market that was surreptitiously made malicious by a library the developers used to earn advertising revenue. With that, the app was infected with code that caused 100 million infected devices to connect to attacker-controlled servers and download secret payloads.

Now, history is repeating itself. Researchers from the same Moscow, Russia-based security firm reported Monday that they found two new apps, downloaded from Play 11 million times, that were infected with the same malware family. The researchers, from Kaspersky, believe a malicious software developer kit for integrating advertising capabilities is once again responsible.

Clever tradecraft

Software developer kits, better known as SDKs, are apps that provide developers with frameworks that can greatly speed up the app-creation process by streamlining repetitive tasks. An unverified SDK module incorporated into the apps ostensibly supported the display of ads. Behind the scenes, it provided a host of advanced methods for stealthy communication with malicious servers, where the apps would upload user data and download malicious code that could be executed and updated at any time.

The stealthy malware family in both campaigns is known as Necro. This time, some variants use techniques such as steganography, an obfuscation method rarely seen in mobile malware. Some variants also deploy clever tradecraft to deliver malicious code that can run with heightened system rights. Once devices are infected with this variant, they contact an attacker-controlled command-and-control server and send web requests containing encrypted JSON data that reports information about each compromised device and application hosting the module.

The server, in turn, returns a JSON response that contains a link to a PNG image and associated metadata that includes the image hash. If the malicious module installed on the infected device confirms the hash is correct, it downloads the image.

The SDK module “uses a very simple steganographic algorithm,” Kaspersky researchers explained in a separate post. “If the MD5 check is successful, it extracts the contents of the PNG file—the pixel values in the ARGB channels—using standard Android tools. Then the getPixel method returns a value whose least significant byte contains the blue channel of the image, and processing begins in the code.”

The researchers continued:

If we consider the blue channel of the image as a byte array of dimension 1, then the first four bytes of the image are the size of the encoded payload in Little Endian format (from the least significant byte to the most significant). Next, the payload of the specified size is recorded: this is a JAR file encoded with Base64, which is loaded after decoding via DexClassLoader. Coral SDK loads the sdk.fkgh.mvp.SdkEntry class in a JAR file using the native library libcoral.so. This library has been obfuscated using the OLLVM tool. The starting point, or entry point, for execution within the loaded class is the run method.

Enlarge / Necro code implementing steganography.

Kaspersky

Follow-on payloads that get installed download malicious plugins that can be mixed and matched for each infected device to perform a variety of different actions. One of the plugins allows code to run with elevated system rights. By default, Android bars privileged processes from using WebView, an extension in the OS for displaying webpages in apps. To bypass this safety restriction, Necro uses a hacking technique known as a reflection attack to create a separate instance of the WebView factory.

This plugin can also download and run other executable files that will replace links rendered through WebView. When running with the elevated system rights, these executables have the ability to modify URLs to add confirmation codes for paid subscriptions and download and execute code loaded at links controlled by the attacker. The researchers listed five separate payloads they encountered in their analysis of Necro.

The modular design of Necro opens myriad ways for the malware to behave. Kaspersky provided the following image that provides an overview.

Enlarge / Necro Trojan infection diagram.

Kaspersy

The researchers found Necro in two Google Play apps. One was Wuta Camera, an app with 10 million downloads to date. Wuta Camera versions 6.3.2.148 through 6.3.6.148 contained the malicious SDK that infects apps. The app has since been updated to remove the malicious component. A separate app with roughly 1 million downloads—known as Max Browser—was also infected. That app is no longer available in Google Play.

The researchers also found Necro infecting a variety of Android apps available in alternative marketplaces. Those apps typically billed themselves as modified versions of legitimate apps such as Spotify, Minecraft, WhatsApp, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox.

People who are concerned they may be infected by Necro should check their devices for the presence of indicators of compromise listed at the end of this writeup.

11 million devices infected with botnet malware hosted in Google Play Read More »

Google calls for halting use of WHOIS for TLS domain verifications

Biz & IT, Security, tls, transport layer security, WHOIS / Paul Patrick / September 20, 2024

WHOWAS —

WHOIS data is unreliable. So why is it used in TLS certificate applications?

Dan Goodin – Sep 20, 2024 8: 53 pm UTC

Certificate authorities and browser makers are planning to end the use of WHOIS data verifying domain ownership following a report that demonstrated how threat actors could abuse the process to obtain fraudulently issued TLS certificates.

TLS certificates are the cryptographic credentials that underpin HTTPS connections, a critical component of online communications verifying that a server belongs to a trusted entity and encrypts all traffic passing between it and an end user. These credentials are issued by any one of hundreds of CAs (certificate authorities) to domain owners. The rules for how certificates are issued and the process for verifying the rightful owner of a domain are left to the CA/Browser Forum. One “base requirement rule” allows CAs to send an email to an address listed in the WHOIS record for the domain being applied for. When the receiver clicks an enclosed link, the certificate is automatically approved.

Non-trivial dependencies

Researchers from security firm watchTowr recently demonstrated how threat actors could abuse the rule to obtain fraudulently issued certificates for domains they didn’t own. The security failure resulted from a lack of uniform rules for determining the validity of sites claiming to provide official WHOIS records.

Specifically, watchTowr researchers were able to receive a verification link for any domain ending in .mobi, including ones they didn’t own. The researchers did this by deploying a fake WHOIS server and populating it with fake records. Creation of the fake server was possible because dotmobiregistry.net—the previous domain hosting the WHOIS server for .mobi domains—was allowed to expire after the server was relocated to a new domain. watchTowr researchers registered the domain, set up the imposter WHOIS server, and found that CAs continued to rely on it to verify ownership of .mobi domains.

The research didn’t escape the notice of the CA/Browser Forum (CAB Forum). On Monday, a member representing Google proposed ending the reliance on WHOIS data for domain ownership verification “in light of recent events where research from watchTowr Labs demonstrated how threat actors could exploit WHOIS to obtain fraudulently issued TLS certificates.”

The formal proposal calls for reliance on WHOIS data to “sunset” in early November. It establishes specifically that “CAs MUST NOT rely on WHOIS to identify Domain Contacts” and that “Effective November 1, 2024, validations using this [email verification] method MUST NOT rely on WHOIS to identify Domain Contact information.”

Since Monday’s submission, more than 50 follow-up comments have been posted. Many of the responses expressed support for the proposed change. Others have questioned the need for a change as proposed, given that the security failure watchTowr uncovered is known to affect only a single top-level domain.

An Amazon representative, meanwhile, noted that the company previously implemented a unilateral change in which the AWS Certificate Manager will fully transition away from reliance on WHOIS records. The representative told CAB Forum members that Google’s proposed deadline of November 1 may be too stringent.

“We got feedback from customers that for some this is a non-trivial dependency to remove,” the Amazon representative wrote. “It’s not uncommon for companies to have built automation on top of email validation. Based on the information we got I recommend a date of April 30, 2025.”

CA Digicert endorsed Amazon’s proposal to extend the deadline. Digicert went on to propose that instead of using WHOIS records, CAs instead use the WHOIS successor known as the Registration Data Access Protocol.

The proposed changes are formally in the discussion phase of deliberations. It’s unclear when formal voting on the change will begin.

Google calls for halting use of WHOIS for TLS domain verifications Read More »

Ever wonder how crooks get the credentials to unlock stolen phones?

Biz & IT, lost phone, phishing, phishing-as-a-service, phone theft, Security / Kris Guyer / September 19, 2024

BUSTED —

iServer provided a simple service for phishing credentials to unlock phones.

Dan Goodin – Sep 19, 2024 9: 41 pm UTC

A coalition of law-enforcement agencies said it shut down a service that facilitated the unlocking of more than 1.2 million stolen or lost mobile phones so they could be used by someone other than their rightful owner.

The service was part of iServer, a phishing-as-a-service platform that has been operating since 2018. The Argentina-based iServer sold access to a platform that offered a host of phishing-related services through email, texts, and voice calls. One of the specialized services offered was designed to help people in possession of large numbers of stolen or lost mobile devices to obtain the credentials needed to bypass protections such as the lost mode for iPhones, which prevent a lost or stolen device from being used without entering its passcode.

iServer's phishing-as-a-service model. — Enlarge / iServer’s phishing-as-a-service model.

Group-IB

Catering to low-skilled thieves

An international operation coordinated by Europol’s European Cybercrime Center said it arrested the Argentinian national that was behind iServer and identified more than 2,000 “unlockers” who had enrolled in the phishing platform over the years. Investigators ultimately found that the criminal network had been used to unlock more than 1.2 million mobile phones. Officials said they also identified 483,000 phone owners who had received messages phishing for credentials for their lost or stolen devices.

According to Group-IB, the security firm that discovered the phone-unlocking racket and reported it to authorities, iServer provided a web interface that allowed low-skilled unlockers to phish the rightful device owners for the device passcodes, user credentials from cloud-based mobile platforms, and other personal information.

Group-IB wrote:

During its investigations into iServer’s criminal activities, Group-IB specialists also uncovered the structure and roles of criminal syndicates operating with the platform: the platform’s owner/developer sells access to “unlockers,” who in their turn provide phone unlocking services to other criminals with locked stolen devices. The phishing attacks are specifically designed to gather data that grants access to physical mobile devices, enabling criminals to acquire users’ credentials and local device passwords to unlock devices or unlink them from their owners. iServer automates the creation and delivery of phishing pages that imitate popular cloud-based mobile platforms, featuring several unique implementations that enhance its effectiveness as a cybercrime tool.

Unlockers obtain the necessary information for unlocking the mobile phones, such as IMEI, language, owner details, and contact information, often accessed through lost mode or via cloud-based mobile platforms. They utilize phishing domains provided by iServer or create their own to set up a phishing attack. After selecting an attack scenario, iServer creates a phishing page and sends an SMS with a malicious link to the victim.

Enlarge / An example phishing message sent.

When successful, iServer customers would receive the credentials through the web interface. The customers could then unlock a phone to disable the lost mode so the device could be used by someone new.

Ultimately, criminals received the stolen and validated credentials through the iServer web interface, enabling them to unlock a phone, turn off “Lost mode” and untie it from the owner’s account.

To better camouflage the ruse, iServer often disguised phishing pages as belonging to cloud-based services.

Enlarge / Phishing message asking for passcode.

Group-IB

Enlarge / Phishing message masquerades as a cloud-based service with a map once passcode is entered.

Group-IB

Besides the arrest, authorities also seized the iserver.com domain.

Enlarge / The iServer site as it appeared before the takedown.

Group-IB

Enlarge / The iServer website after the takedown.

Group-IB

The takedown and arrests occurred from September 10–17 in Spain, Argentina, Chile, Colombia, Ecuador, and Peru. Authorities in those countries began investigating the phishing service in 2022.

Ever wonder how crooks get the credentials to unlock stolen phones? Read More »

Life imitates xkcd comic as Florida gang beats crypto password from retiree

crime, crypto, Features, robbery, Security / Rejus Almole / September 19, 2024

intruders —

Group staged home invasions to steal cryptocurrency.

Nate Anderson – Sep 19, 2024 7: 57 pm UTC

Enlarge / Sometimes this is all you need.

Aurich Lawson | Getty Image

Remy Ra St. Felix spent April 11, 2023, on a quiet street in a rented BMW X5, staking out the 76-year-old couple that he planned to rob the next day.

He had recently made the 11-hour drive up I-95 from southern Florida, where he lived, to Durham, North Carolina. It was a long way, but as with so many jobs, occasional travel was the cost of doing business. That was true especially when your business was robbing people of their cryptocurrency by breaking into their homes and threatening to cut off their balls and rape their wives.

St. Felix, a young man of just 25, had tried this line of work closer to home at first, but it hadn’t gone well. A September 2022 home invasion in Homestead, Florida, was supposed to bring St. Felix and his crew piles of crypto. All they had to do was stick a gun to some poor schlub’s head and force him to log in to his online exchange and then transfer the money to accounts controlled by the thieves. A simple plan—which worked fine until it turned out that the victim’s crypto accounts had far less money in them than planned.

Rather than waste the opportunity, St. Felix improvised. Court records showed that he tied the victim’s hands, shoved him into a vehicle, and drove away. Inside the car, the kidnappers filmed themselves beating the victim, who was visibly bleeding from the mouth and face. A gun was placed to the victim’s neck, and he was forced to record a plea for friends and family to send cryptocurrency to secure the man’s release. Five such videos were recorded in the car. The abducted man was eventually found by police 120 miles from his home.

A messy operation.

So St. Felix and his crew began to look out of state for new jobs. They robbed someone in Little Elm, Texas, of $150,000 and two Rolex watches, but their attention was eventually drawn to a tidy home on Wells Street in far-off Durham. The homeowner there was believed to be a significant crypto investor. (The crew had hacked into his email account to confirm this.)

After his day of surveillance on April 11, St. Felix and his partner, Elmer Castro, drove to a local Walmart and purchased their work uniforms: sunglasses, a clipboard, reflective vests, and khaki pants. Back at their hotel, St. Felix snapped a photo of himself in this getup, which looked close enough to a construction worker for his purposes.

The next morning at 7: 30 am, St. Felix and Castro rolled up to the Wells Street home once more. Instead of surveilling it from down the block, they knocked on the door. The husband answered. The men told him some story involving necessary pipe inspections. They wandered around the home for a few minutes, then knocked on the front door again.

But this time, when the wife answered, St. Felix and Castro were wearing ski masks and sunglasses—and they had handguns. They pushed their way inside. The woman screamed, and her husband came in from the kitchen to see them all fighting. The intruders punched the husband in the face and zip-tied the hands and feet of both homeowners.

Castro dragged the wife by her legs down the hallway and into the bathroom. He stood guard over her, wielding his distinctive pink revolver.

In the meantime, St. Felix had marched the husband at gunpoint into a loft office at the back of the home. There, the threats came quickly—St. Felix would cut off the man’s toes, he said, or his genitals. He would shoot him. He would rape his wife. The only way out was to cooperate, and that meant helping St. Felix log in to the man’s Coinbase account.

St. Felix, holding a black handgun and wearing a Bass Pro Shop baseball cap, waited for the shocked husband’s agreement. When he got it, he cut the man’s zip-ties and set him in front of the home office iMac.

The husband logged in to the computer, and St. Felix took over and downloaded the remote-control software AnyDesk. He then opened up a Telegram audio call to the real brains of the operation.

The actual robbery was about to begin.

Life imitates xkcd comic as Florida gang beats crypto password from retiree Read More »

Massive China-state IoT botnet went undetected for four years—until now

Biz & IT, Security / Kris Guyer / September 18, 2024

OVER 260,000 PWNED —

75% of infected devices were located in homes and offices in North America and Europe.

Dan Goodin – Sep 18, 2024 7: 58 pm UTC

The FBI has dismantled a massive network of compromised devices that Chinese state-sponsored hackers have used for four years to mount attacks on government agencies, telecoms, defense contractors, and other targets in the US and Taiwan.

The botnet was made up primarily of small office and home office routers, surveillance cameras, network-attached storage, and other Internet-connected devices located all over the world. Over the past four years, US officials said, 260,000 such devices have cycled through the sophisticated network, which is organized in three tiers that allow the botnet to operate with efficiency and precision. At its peak in June 2023, Raptor Train, as the botnet is named, consisted of more than 60,000 commandeered devices, according to researchers from Black Lotus Labs, making it the largest China state botnet discovered to date.

Burning down the house

Raptor Train is the second China state-operated botnet US authorities have taken down this year. In January, law enforcement officials covertly issued commands to disinfect Internet of Things devices that hackers backed by the Chinese government had taken over without the device owners’ knowledge. The Chinese hackers, part of a group tracked as Volt Typhoon, used the botnet for more than a year as a platform to deliver exploits that burrowed deep into the networks of targets of interest. Because the attacks appear to originate from IP addresses with good reputations, they are subjected to less scrutiny from network security defenses, making the bots an ideal delivery proxy. Russia-state hackers have also been caught assembling large IoT botnets for the same purposes.

An advisory jointly issued Wednesday by the FBI, the Cyber National Mission Force, and the National Security Agency said that China-based company Integrity Technology Group controlled and managed Raptor Train. The company has ties to the People’s Republic of China, officials said. The company, they said, has also used the state-controlled China Unicom Beijing Province Network IP addresses to control and manage the botnet. Researchers and law enforcement track the China-state group that worked with Integrity Technology as Flax Typhoon. More than half of the infected Raptor Train devices were located in North America and another 25 percent in Europe.

Enlarge / Raptor Train concentration by continent.

IC3.gov

Enlarge / Raptor Train concentration by country.

IC3.gov

“Flax Typhoon was targeting critical infrastructure across the US and overseas, everyone from corporations and media organizations to universities and government agencies,” FBI Director Christopher Wray said Wednesday at the Aspen Cyber Summit. “Like Volt Typhoon, they used Internet-connected devices, this time hundreds of thousands of them, to create a botnet that helped them compromise systems and exfiltrate confidential data.” He added: “Flax Typhoon’s actions caused real harm to its victims who had to devote precious time to clean up the mess.”

Massive China-state IoT botnet went undetected for four years—until now Read More »

14 dead as Hezbollah walkie-talkies explode in second, deadlier attack

bombs, hezbollah, Israel, Security, walkie-talkies / Kris Guyer / September 18, 2024

Day 2 —

People aren’t sure what devices will detonate next.

Nate Anderson – Sep 18, 2024 6: 48 pm UTC

Wireless communication devices have exploded again today across Lebanon in a second attack even deadlier than yesterday’s explosion of thousands of Hezbollah pagers. According to Lebanon’s Ministry of Health, the new attack has killed at least 14 more people and injured more than 450.

Today’s attack targeted two-way radios (“walkie-talkies”) issued to Hezbollah members. The radios exploded in the middle of the day, with at least one going off during a funeral for people killed in yesterday’s pager attacks. A New York Times report on that funeral described the moment:

When the blast went off, a brief, eerie stillness descended on the crowd. Mourners looked at one another in disbelief. The religious chants being broadcast over a loudspeaker abruptly stopped.

Then panic set in. People started scrambling in the streets, hiding in the lobbies of nearby buildings, and shouting at one another, “Turn off your phone! Take out the battery!” Soon a voice on the loudspeaker at the funeral urged everyone to do the same…

One woman, Um Ibrahim, stopped a reporter in the middle of the confusion and begged to use the reporter’s cellphone to call her children. The woman dialed a number with her hands shaking, then screamed into the phone, “Turn off your phones now!”

The story appears to capture the current mood in Lebanon, where no one seems quite sure what will explode next. While today’s attack against walkie-talkies is well-attested, various unconfirmed reports suggest that people fear an explosion from just about anything with a battery.

At the time of publication, The Associated Press was currently leading its coverage of the attack with the line, “Walkie-talkies and solar equipment exploded in Beirut and multiple parts of Lebanon on Wednesday.” It later added that “a girl was hurt in the south when a solar energy system blew up, the state news agency reported.” Whether this actually happened, or if it was in any way connected with the attacks, remains unclear.

The Jerusalem Post rounded up a slew of rumors making the rounds in the region, some far less plausible than others:

Unofficial reports claimed that iPhones, video cameras, IC-V82 radios, and other devices also detonated.

According to unconfirmed reports, Hezbollah has told its operatives to distance itself from communication devices.

Unofficial reports also claimed that Hezbollah told its members to dispose of devices containing a lithium battery or that are connected to the internet.

Additional unconfirmed reports claimed that lithium batteries for solar energy storage had detonated and that some houses were on fire.

Yesterday, multiple news outlets reported that the pager attacks had been caused by explosives built into the devices, likely as part of an Israeli supply chain attack.

Today, similar reporting suggests the same kind of attack was used against the two-way radios. Axios cited two of its own sources who confirmed that the “walkie-talkies were booby-trapped in advance by Israeli intelligence services and then delivered to Hezbollah as part of the militia’s emergency communications system,” adding that “the decision to conduct the second attack was also driven by the assessment that Hezbollah’s investigation into the pager explosions would likely expose the security breach in the walkie-talkies.”

14 dead as Hezbollah walkie-talkies explode in second, deadlier attack Read More »

8 dead, 2,700 injured after simultaneous pager explosions in Lebanon

hezbollah, Israel, lithium-ion batteries, pagers, Security / Mike M. / September 17, 2024

Pagers —

Lithium-ion batteries or supply chain attack may be to blame.

Nate Anderson – Sep 17, 2024 4: 35 pm UTC

Ambulance in Lebanon — Enlarge / An ambulance arrives at the site after wireless communication devices known as pagers exploded in Sidon, Lebanon, on September 17, 2024.

A massive wave of pager explosions across Lebanon and Syria around 3: 30 pm local time today has killed at least eight people and injured more than 2,700, according to local officials. Many of the injured appear to be Hezbollah members, although a young girl is said to be among the dead.

New York Times reporters captured the chaos of the striking scene in two anecdotes:

Ahmad Ayoud, a butcher from the Basta neighborhood in Beirut, said he was in his shop when he heard explosions. Then he saw a man in his 20s fall off a motorbike. He appeared to be bleeding. “We all thought he got wounded from random shooting,” Ayoud said. “Then a few minutes later we started hearing of other cases. All were carrying pagers.”

…

Residents of Beirut’s southern suburbs, where many of the explosions took place, reported seeing smoke coming from people’s pockets followed by a blast like a firework. Mohammed Awada, 52, was driving alongside one of the victims. “My son went crazy and started to scream when he saw the man’s hand flying away from him,” he said.

Video from the region already shows a device exploding in a supermarket checkout line, and pictures show numerous young men lying on the ground with large, bloody wounds on their upper legs and thighs.

The shocking—and novel—attack appears to have relied on a wave of recently imported Hezbollah pagers, according to reporting in The Wall Street Journal. (The group has already warned its members to avoid using cell phones due to both tracking and assassination concerns.)

According to the WSJ, a Hezbollah official speculated that “malware may have caused the devices to explode. The official said some people felt the pagers heat up and disposed of them before they burst.”

The pagers in question allegedly have lithium-ion batteries, which sometimes explode after generating significant heat. The coordinated nature of the attack suggests that some kind of firmware hack or supply chain attack may have given an adversary the ability to trigger a pager explosion at the time of its choosing.

Hezbollah officials are already privately blaming Israel, which has not taken responsibility, but it has been able to perform surprising electronic strikes on its enemies, including the Stuxnet malware that damaged Iran’s nuclear program.

The Associated Press noted that even Iran’s ambassador to Lebanon was injured in the widespread attack.

Update, 12: 55pm ET: The Times adds a small detail: “The devices were programmed to beep for several seconds before exploding, according to the officials, who spoke on the condition of anonymity because of the sensitivity of the matter.”

Several of the explosions were captured on video, and in them, the devices appear to “explode” more in the manner of a small grenade (a bang and a puff of smoke) than a lithium ion battery (which may explode but is often followed by continuing smoke and fire), despite some of the early speculation by Hezbollah officials. This is a breaking story, and the cause of the explosions still remains unclear.

Update, 1: 05pm ET: The WSJ quotes regional security analyst Michael Horowitz as suggesting the attack was likely caused by either 1) malware triggering the batteries to overheat/explode or 2) an actual explosive charge inserted in the devices at some point in the supply chain and then detonated remotely.

“Either way, this is a very sophisticated attack,” Horowitz told the WSJ. “Particularly if this is a physical breach, as this would mean Israel has access to the producer of those devices. This may be part of the message being sent here.”

Update, 1: 20pm ET: Reuters notes that Israel has claimed to foil a Hezbollah assassination plot that would have used remotely detonated explosives.

Earlier on Tuesday, Israel’s domestic security agency said it had foiled a plot by Lebanese militant group Hezbollah to assassinate a former senior defence official in the coming days.

The Shin Bet agency, which did not name the official, said in a statement it had seized an explosive device attached to a remote detonation system, using a mobile phone and a camera that Hezbollah had planned to operate from Lebanon.

Update, 2: 00pm ET: In today’s US State Department briefing, which you can watch here, spokesperson Matthew Miller was asked about the pager attacks. “The US was not involved in it,” he said. “The US was not aware of this incident in advance.” He said the US government is currently gathering more information on what happened.

Update, 3: 30pm ET: A former British Army expert speculates about the cause of the explosions, telling the BBC that “the devices would have likely been packed with between 10 to 20 grams each of military-grade high explosive, hidden inside a fake electronic component. This, said the expert, would have been armed by a signal, something called an alphanumeric text message. Once armed, the next person to use the device would have triggered the explosive.”

8 dead, 2,700 injured after simultaneous pager explosions in Lebanon Read More »

1.3 million Android-based TV boxes backdoored; researchers still don’t know how

Android Open Source Project, AOSP, backdoors, Biz & IT, Google, Security, streaming devices / Paul Patrick / September 13, 2024

CAUSE UNKNOWN —

Infection corrals devices running AOSP-based firmware into a botnet.

Dan Goodin – Sep 13, 2024 8: 20 pm UTC

Researchers still don’t know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries.

Security firm Doctor Web reported Thursday that malware named Android.Vo1d has backdoored the Android-based boxes by putting malicious components in their system storage area, where they can be updated with additional malware at any time by command-and-control servers. Google representatives said the infected devices are running operating systems based on the Android Open Source Project, a version overseen by Google but distinct from Android TV, a proprietary version restricted to licensed device makers.

Dozens of variants

Although Doctor Web has a thorough understanding of Vo1d and the exceptional reach it has achieved, company researchers say they have yet to determine the attack vector that has led to the infections.

“At the moment, the source of the TV boxes’ backdoor infection remains unknown,” Thursday’s post stated. “One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access.”

The following device models infected by Vo1d are:

TV box model	Declared firmware version
R4	Android 7.1.2; R4 Build/NHG47K
TV BOX	Android 12.1; TV BOX Build/NHG47K
KJ-SMART4KVIP	Android 10.1; KJ-SMART4KVIP Build/NHG47K

One possible cause of the infections is that the devices are running outdated versions that are vulnerable to exploits that remotely execute malicious code on them. Versions 7.1, 10.1, and 12.1, for example, were released in 2016, 2019, and 2022, respectively. What’s more, Doctor Web said it’s not unusual for budget device manufacturers to install older OS versions in streaming boxes and make them appear more attractive by passing them off as more up-to-date models.

Further, while only licensed device makers are permitted to modify Google’s AndroidTV, any device maker is free to make changes to open source versions. That leaves open the possibility that the devices were infected in the supply chain and were already compromised by the time they were purchased by the end user.

“These off-brand devices discovered to be infected were not Play Protect certified Android devices,” Google said in a statement. “If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety.”

The statement said people can confirm a device runs Android TV OS by checking this link and following the steps listed here.

Doctor Web said that there are dozens of Vo1d variants that use different code and plant malware in slightly different storage areas, but that all achieve the same end result of connecting to an attacker-controlled server and installing a final component that can install additional malware when instructed. VirusTotal shows that most of the Vo1d variants were first uploaded to the malware identification site several months ago.

Researchers wrote:

All these cases involved similar signs of infection, so we will describe them using one of the first requests we received as an example. The following objects were changed on the affected TV box:

install-recovery.sh

daemonsu

In addition, 4 new files emerged in its file system:

/system/xbin/vo1d

/system/xbin/wd

/system/bin/debuggerd

/system/bin/debuggerd_real

The vo1d and wd files are the components of the Android.Vo1d trojan that we discovered.

The trojan’s authors probably tried to disguise one if its components as the system program /system/bin/vold, having called it by the similar-looking name “vo1d” (substituting the lowercase letter “l” with the number “1”). The malicious program’s name comes from the name of this file. Moreover, this spelling is consonant with the English word “void”.

The install-recovery.sh file is a script that is present on most Android devices. It runs when the operating system is launched and contains data for autorunning the elements specified in it. If any malware has root access and the ability to write to the /system system directory, it can anchor itself in the infected device by adding itself to this script (or by creating it from scratch if it is not present in the system). Android.Vo1d has registered the autostart for the wd component in this file.

The modified install-recovery.sh file

Doctor Web

The daemonsu file is present on many Android devices with root access. It is launched by the operating system when it starts and is responsible for providing root privileges to the user. Android.Vo1d registered itself in this file, too, having also set up autostart for the wd module.

The debuggerd file is a daemon that is typically used to create reports on occurred errors. But when the TV box was infected, this file was replaced by the script that launches the wd component.

The debuggerd_real file in the case we are reviewing is a copy of the script that was used to substitute the real debuggerd file. Doctor Web experts believe that the trojan’s authors intended the original debuggerd to be moved into debuggerd_real to maintain its functionality. However, because the infection probably occurred twice, the trojan moved the already substituted file (i.e., the script). As a result, the device had two scripts from the trojan and not a single real debuggerd program file.

At the same time, other users who contacted us had a slightly different list of files on their infected devices:

daemonsu (the vo1d file analogue — Android.Vo1d.1);

wd (Android.Vo1d.3);

debuggerd (the same script as described above);

debuggerd_real (the original file of the debuggerd tool);

install-recovery.sh (a script that loads objects specified in it).

An analysis of all the aforementioned files showed that in order to anchor Android.Vo1d in the system, its authors used at least three different methods: modification of the install-recovery.sh and daemonsu files and substitution of the debuggerd program. They probably expected that at least one of the target files would be present in the infected system, since manipulating even one of them would ensure the trojan’s successful auto launch during subsequent device reboots.

Android.Vo1d’s main functionality is concealed in its vo1d (Android.Vo1d.1) and wd (Android.Vo1d.3) components, which operate in tandem. The Android.Vo1d.1 module is responsible for Android.Vo1d.3’s launch and controls its activity, restarting its process if necessary. In addition, it can download and run executables when commanded to do so by the C&C server. In turn, the Android.Vo1d.3 module installs and launches the Android.Vo1d.5 daemon that is encrypted and stored in its body. This module can also download and run executables. Moreover, it monitors specified directories and installs the APK files that it finds in them.

The geographic distribution of the infections is wide, with the biggest number detected in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia.

Enlarge / A world map listing the number of infections found in various countries.

Doctor Web

It’s not especially easy for less experienced people to check if a device is infected short of installing malware scanners. Doctor Web said its antivirus software for Android will detect all Vo1d variants and disinfect devices that provide root access. More experienced users can check indicators of compromise here.

1.3 million Android-based TV boxes backdoored; researchers still don’t know how Read More »

Found: 280 Android apps that use OCR to steal cryptocurrency credentials

Biz & IT, Security, Uncategorized / Mike M. / September 6, 2024

PICTURE THIS —

Optical Character Recognition converts passwords shown in images to machine-readable text.

Dan Goodin – Sep 6, 2024 8: 23 pm UTC

Researchers have discovered more than 280 malicious apps for Android that use optical character recognition to steal cryptocurrency wallet credentials from infected devices.

The apps masquerade as official ones from banks, government services, TV streaming services, and utilities. In fact, they scour infected phones for text messages, contacts, and all stored images and surreptitiously send them to remote servers controlled by the app developers. The apps are available from malicious sites and are distributed in phishing messages sent to targets. There’s no indication that any of the apps were available through Google Play.

A high level of sophistication

The most notable thing about the newly discovered malware campaign is that the threat actors behind it are employing optical character recognition software in an attempt to extract cryptocurrency wallet credentials that are shown in images stored on infected devices. Many wallets allow users to protect their wallets with a series of random words. The mnemonic credentials are easier for most people to remember than the jumble of characters that appear in the private key. Words are also easier for humans to recognize in images.

SangRyol Ryu, a researcher at security firm McAfee, made the discovery after obtaining unauthorized access to the servers that received the data stolen by the malicious apps. That access was the result of weak security configurations made when the servers were deployed. With that, Ryu was able to read pages available to server administrators.

One page, displayed in the image below, was of particular interest. It showed a list of words near the top and a corresponding image, taken from an infected phone, below. The words represented visually in the image corresponded to the same words.

” height=”706″ src=”https://cdn.arstechnica.net/wp-content/uploads/2024/09/c2-server-page-640×706.png” width=”640″>

Enlarge / An admin page showing OCR details

McAfee

“Upon examining the page, it became clear that a primary goal of the attackers was to obtain the mnemonic recovery phrases for cryptocurrency wallets,” Ryu wrote. “This suggests a major emphasis on gaining entry to and possibly depleting the crypto assets of victims.”

Optical character recognition is the process of converting images of typed, handwritten, or printed text into machine-encoded text. OCR has existed for years and has grown increasingly common to transform characters captured in images into characters that can be read and manipulated by software.

Ryu continued:

This threat utilizes Python and Javascript on the server-side to process the stolen data. Specifically, images are converted to text using optical character recognition (OCR) techniques, which are then organized and managed through an administrative panel. This process suggests a high level of sophistication in handling and utilizing the stolen information.

Enlarge / Python code for converting text shown in images to machine-readable text.

McAfee

People who are concerned they may have installed one of the malicious apps should check the McAfee post for a list of associated websites and cryptographic hashes.

The malware has received multiple updates over time. Whereas it once used HTTP to communicate with control servers, it now connects through WebSockets, a mechanism that’s harder for security software to parse. WebSockets have the added benefit of being a more versatile channel.

A timeline of apps' evolution. — Enlarge / A timeline of apps’ evolution.

McAfee

Developers have also updated the apps to better obfuscate their malicious functionality. Obfuscation methods include encoding the strings inside the code so they’re not easily read by humans, the addition of irrelevant code, and the renaming of functions and variables, all of which confuse analysts and make detection harder. While the malware is mostly restricted to South Korea, it has recently begun to spread within the UK.

“This development is significant as it shows that the threat actors are expanding their focus both demographically and geographically,” Ryu wrote. “The move into the UK points to a deliberate attempt by the attackers to broaden their operations, likely aiming at new user groups with localized versions of the malware.”

Found: 280 Android apps that use OCR to steal cryptocurrency credentials Read More »

US charges Russian military officers for unleashing wiper malware on Ukraine

Biz & IT, GRU, indictments, Justice Department, kremlin, Security / Mike M. / September 5, 2024

INDICTED —

WhisperGate campaign targeted Ukrainian critical infrastructure and allies worldwide.

Dan Goodin – Sep 5, 2024 8: 54 pm UTC

Federal prosecutors on Thursday unsealed an indictment charging six Russian nationals with conspiracy to hack into the computer networks of the Ukrainian government and its allies and steal or destroy sensitive data on behalf of the Kremlin.

The indictment, filed in US District Court for the District of Maryland, said that five of the men were officers in Unit 29155 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces. Along with a sixth defendant, prosecutors alleged, they engaged in a conspiracy to hack, exfiltrate data, leak information, and destroy computer systems associated with the Ukrainian government in advance of the Russian invasion of Ukraine in February 2022.

Targeting critical infrastructure with WhisperGate

The indictment, which supersedes one filed earlier, comes 32 months after Microsoft documented its discovery of a destructive piece of malware, dubbed WhisperGate, had infected dozens of Ukrainian government, nonprofit, and IT organizations. WhisperGate masqueraded as ransomware, but in actuality was malware that permanently destroyed computers and the data stored on them by wiping the master boot record—a part of the hard drive needed to start the operating system during bootup.

In April 2022, three months after publishing the report, Microsoft published a new one that said WhisperGate was part of a much broader campaign that aimed to coordinate destructive cyberattacks against critical infrastructure and other targets in Ukraine with kinetic military operations waged by Russian forces. Thursday’s indictment incorporated much of the factual findings reported by Microsoft.

“The GRU’s WhisperGate campaign, including targeting Ukrainian critical infrastructure and government systems of no military value, is emblematic of Russia’s abhorrent disregard for innocent civilians as it wages its unjust invasion,” Assistant Attorney General Matthew G. Olsen of the National Security Division said in a statement. “Today’s indictment underscores that the Justice Department will use every available tool to disrupt this kind of malicious cyber activity and hold perpetrators accountable for indiscriminate and destructive targeting of the United States and our allies.”

Later in the campaign, the Russian operatives targeted computer systems in countries around the world that were providing support to Ukraine, including the United States and 25 other NATO countries.

The six defendants are:

Yuriy Denisov, a colonel in the Russian military and commanding officer of Cyber Operations for Unit 29155
Vladislav Borokov, a lieutenant in Unit 29155 who works in cyber operations
Denis Denisenko, a lieutenant in Unit 29155 who works in cyber operations
Dmitriy Goloshubov, a lieutenant in Unit 29155 who works in cyber operations
Nikolay Korchagin, a lieutenant in Unit 29155 who works in cyber operations
Amin Stigal, an alleged civilian co-conspirator, who was indicted in June for his role in WhisperGate activities

Federal prosecutors said the conspiracy started no later than December 2020 and remained ongoing. The defendants and additional unindicted co-conspirators, the indictment alleged, scanned computers of potential targets around the world, including in the US, in search of vulnerabilities and exploited them to gain unauthorized access to many of the systems. The defendants allegedly would then infect the networks with wiper malware and, in some cases, exfiltrate the stored data.

Thursday’s charges came a day after Justice Department officials announced the indictments of two Russian media executives accused of funneling millions of dollars from the Kremlin to a company responsible for creating and publishing propaganda videos in the US that racked up millions of views on social media. Federal prosecutors said the objective was to covertly influence public opinion and deepen social divisions, including over Russia’s war in Ukraine.

Also on Wednesday, federal officials took other legal actions to counter what they said were other Russian psychological operations. The actions included seizing 32 Internet domains they said were being used to spread anti-Ukraine propaganda, sanctioning Russian individuals and entities accused of spreading Russian propaganda and indicting two individuals accused of conspiring to aid a Russian broadcaster violating US sanctions.

Unit 29155 is a covert part of the GRU that carries out coup attempts, sabotage, and assassinations outside Russia. According to WIRED, Unit 29155 recently acquired its own active team of cyberwarfare operators in a move that signals the fusing of physical and digital tactics by Russia more tightly than in the past. WIRED said that the unit is distinct from others within the GRU that employ more recognized Russian-state hacking groups such as Fancy Bear or APT28, and Sandworm.

The Justice Department announced a $10 million reward in exchange for any of the suspects’ locations or cyber activity. The wanted poster and Thursday’s indictment displayed photos of all six defendants. The move is intended to limit the travel options for the men and discourage other Russians from following their example.

US charges Russian military officers for unleashing wiper malware on Ukraine Read More »