Security

canada-declares-flipper-zero-public-enemy-no.-1-in-car-theft-crackdown

Canada declares Flipper Zero public enemy No. 1 in car-theft crackdown

Biz & IT, Canada, car theft, Cars, flipper zero, hacking, Policy, radio, Security / /

FLIPPING YOUR LID —

How do you ban a device built with open source hardware and software anyway?

A Flipper Zero device

Enlarge / A Flipper Zero device

https://flipperzero.one/

Canadian Prime Minister Justin Trudeau has identified an unlikely public enemy No. 1 in his new crackdown on car theft: the Flipper Zero, a $200 piece of open source hardware used to capture, analyze and interact with simple radio communications.

On Thursday, the Innovation, Science and Economic Development Canada agency said it will “pursue all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero, which would allow for the removal of those devices from the Canadian marketplace through collaboration with law enforcement agencies.” A social media post by François-Philippe Champagne, the minister of that agency, said that as part of the push “we are banning the importation, sale and use of consumer hacking devices, like flippers, used to commit these crimes.”

In remarks made the same day, Trudeau said the push will target similar tools that he said can be used to defeat anti-theft protections built into virtually all new cars.

“In reality, it has become too easy for criminals to obtain sophisticated electronic devices that make their jobs easier,” he said. “For example, to copy car keys. It is unacceptable that it is possible to buy tools that help car theft on major online shopping platforms.”

Presumably, such tools subject to the ban would include HackRF One and LimeSDR, which have become crucial for analyzing and testing the security of all kinds of electronic devices to find vulnerabilities before they’re exploited. None of the government officials identified any of these tools, but in an email, a representative of the Canadian government reiterated the use of the phrase “pursuing all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry.”

A humble hobbyist device

The push to ban any of these tools has been met with fierce criticism from hobbyists and security professionals. Their case has only been strengthened by Trudeau’s focus on Flipper Zero. This slim, lightweight device bearing the logo of an adorable dolphin acts as a Swiss Army knife for sending, receiving, and analyzing all kinds of wireless communications. It can interact with radio signals, including RFID, NFC, Bluetooth, Wi-Fi, or standard radio. People can use them to change the channels of a TV at a bar covertly, clone simple hotel key cards, read the RFID chip implanted in pets, open and close some garage doors, and, until Apple issued a patch, send iPhones into a never-ending DoS loop.

The price and ease of use make Flipper Zero ideal for beginners and hobbyists who want to understand how increasingly ubiquitous communications protocols such as NFC and Wi-Fi work. It bundles various open source hardware and software into a portable form factor that sells for an affordable price. Lost on the Canadian government, the device isn’t especially useful in stealing cars because it lacks the more advanced capabilities required to bypass anti-theft protections introduced in more than two decades.

One thing the Flipper Zero is exceedingly ill-equipped for is defeating modern antihack protections built into cars, smartcards, phones, and other electronic devices.

The most prevalent form of electronics-assisted car theft these days, for instance, uses what are known as signal amplification relay devices against keyless ignition and entry systems. This form of hack works by holding one device near a key fob and a second device near the vehicle the fob works with. In the most typical scenario, the fob is located on a shelf near a locked front door, and the car is several dozen feet away in a driveway. By placing one device near the front door and another one next to the car, the hack beams the radio signals necessary to unlock and start the device.

Canada declares Flipper Zero public enemy No. 1 in car-theft crackdown Read More »

london-underground-is-testing-real-time-ai-surveillance-tools-to-spot-crime

London Underground is testing real-time AI surveillance tools to spot crime

AI, AI surveillance, Biz & IT, Freedom of information act, london underground, Security, syndication / /

tube tracking —

Computer vision system tried to detect crime, weapons, people falling, and fare dodgers.

Commuters wait on the platform as a Central Line tube train arrives at Liverpool Street London Transport Tube Station in 2023.

Thousands of people using the London Underground had their movements, behavior, and body language watched by AI surveillance software designed to see if they were committing crimes or were in unsafe situations, new documents obtained by WIRED reveal. The machine-learning software was combined with live CCTV footage to try to detect aggressive behavior and guns or knives being brandished, as well as looking for people falling onto Tube tracks or dodging fares.

From October 2022 until the end of September 2023, Transport for London (TfL), which operates the city’s Tube and bus network, tested 11 algorithms to monitor people passing through Willesden Green Tube station, in the northwest of the city. The proof of concept trial is the first time the transport body has combined AI and live video footage to generate alerts that are sent to frontline staff. More than 44,000 alerts were issued during the test, with 19,000 being delivered to station staff in real time.

Documents sent to WIRED in response to a Freedom of Information Act request detail how TfL used a wide range of computer vision algorithms to track people’s behavior while they were at the station. It is the first time the full details of the trial have been reported, and it follows TfL saying, in December, that it will expand its use of AI to detect fare dodging to more stations across the British capital.

In the trial at Willesden Green—a station that had 25,000 visitors per day before the COVID-19 pandemic—the AI system was set up to detect potential safety incidents to allow staff to help people in need, but it also targeted criminal and antisocial behavior. Three documents provided to WIRED detail how AI models were used to detect wheelchairs, prams, vaping, people accessing unauthorized areas, or putting themselves in danger by getting close to the edge of the train platforms.

The documents, which are partially redacted, also show how the AI made errors during the trial, such as flagging children who were following their parents through ticket barriers as potential fare dodgers, or not being able to tell the difference between a folding bike and a non-folding bike. Police officers also assisted the trial by holding a machete and a gun in the view of CCTV cameras, while the station was closed, to help the system better detect weapons.

Privacy experts who reviewed the documents question the accuracy of object detection algorithms. They also say it is not clear how many people knew about the trial, and warn that such surveillance systems could easily be expanded in the future to include more sophisticated detection systems or face recognition software that attempts to identify specific individuals. “While this trial did not involve facial recognition, the use of AI in a public space to identify behaviors, analyze body language, and infer protected characteristics raises many of the same scientific, ethical, legal, and societal questions raised by facial recognition technologies,” says Michael Birtwistle, associate director at the independent research institute the Ada Lovelace Institute.

In response to WIRED’s Freedom of Information request, the TfL says it used existing CCTV images, AI algorithms, and “numerous detection models” to detect patterns of behavior. “By providing station staff with insights and notifications on customer movement and behaviour they will hopefully be able to respond to any situations more quickly,” the response says. It also says the trial has provided insight into fare evasion that will “assist us in our future approaches and interventions,” and the data gathered is in line with its data policies.

In a statement sent after publication of this article, Mandy McGregor, TfL’s head of policy and community safety, says the trial results are continuing to be analyzed and adds, “there was no evidence of bias” in the data collected from the trial. During the trial, McGregor says, there were no signs in place at the station that mentioned the tests of AI surveillance tools.

“We are currently considering the design and scope of a second phase of the trial. No other decisions have been taken about expanding the use of this technology, either to further stations or adding capability.” McGregor says. “Any wider roll out of the technology beyond a pilot would be dependent on a full consultation with local communities and other relevant stakeholders, including experts in the field.”

London Underground is testing real-time AI surveillance tools to spot crime Read More »

a-password-manager-lastpass-calls-“fraudulent”-booted-from-app-store

A password manager LastPass calls “fraudulent” booted from App Store

App Store, Apple, Biz & IT, lastpass, Security / /

GREAT PRETENDER —

“LassPass” mimicked the name and logo of real LastPass password manager.

A password manager LastPass calls “fraudulent” booted from App Store

Getty Images

As Apple has stepped up its promotion of its App Store as a safer and more trustworthy source of apps, its operators scrambled Thursday to correct a major threat to that narrative: a listing that password manager maker LastPass said was a “fraudulent app impersonating” its brand.

At the time this article on Ars went live, Apple had removed the app—titled LassPass and bearing a logo strikingly similar to the one used by LastPass—from its App Store. At the same time, Apple allowed a separate app submitted by the same developer to remain. Apple provided no explanation for the reason for removing the former app or for allowing the latter one to remain.

Apple warns of “new risks” from competition

The move comes as Apple has beefed up its efforts to promote the App Store as a safer alternative to competing sources of iOS apps mandated recently by the European Union. In an interview with App Store head Phil Schiller published this month by FastCompany, Schiller said the new app stores will “bring new risks”—including pornography, hate speech, and other forms of objectionable content—that Apple has long kept at bay.

“I have no qualms in saying that our goal is going to always be to make the App Store the safest, best place for users to get apps,” he told writer Michael Grothaus. “I think users—and the whole developer ecosystem—have benefited from that work that we’ve done together with them. And we’re going to keep doing that.”

Somehow, Apple’s app vetting process—long vaunted even though Apple has provided few specifics—failed to spot the LastPass lookalike. Apple removed LassPass Thursday morning, two days, LastPass said, after it flagged the app to Apple and one day after warning its users the app was fraudulent.

“We are raising this to our customers’ attention to avoid potential confusion and/or loss of personal data,” LastPass Senior Principal Intelligence Analyst Mike Kosak wrote.

There’s no denying that the logo and name were strikingly similar to the official ones. Below is a screenshot of how LassPass appeared, followed by the official LastPass listing:

The LassPass entry as it appeared in the App Store.

Enlarge / The LassPass entry as it appeared in the App Store.

The official LastPass entry.

Enlarge / The official LastPass entry.

Here yesterday, gone today

Thomas Reed, director of Mac offerings at security firm Malwarebytes, noted that the LassPass entry in the App Store said the app’s privacy policy was available on bluneel[.]com, but that the page was gone by Thursday, and the main page shows a generic landing page. Whois records indicated the domain was registered five months ago.

There’s no indication that LassPass collected users’ LastPass credentials or copied any of the data it stored. The app did, however, provide fields for users to enter a wealth of sensitive personal information, including passwords, email and physical addresses, and bank, credit, and debit card data. The app had an option for paid subscriptions.

A LastPass representative said the company learned of the app on Tuesday and focused its efforts on getting it removed rather than analyzing its behavior. Company officials don’t have information about precisely what LassPass did when it was installed or when it first appeared in the App Store.

The App Store continues to host a separate app from the same developer who is listed simply as Parvati Patel. (A quick Internet search reveals many individuals with the same name. At the moment, it wasn’t possible to identify the specific one.) The separate app is named PRAJAPATI SAMAJ 42 Gor ABD-GNR, and a corresponding privacy policy (at psag42[.]in/policy.html) is dated December 2023. It’s described as an “application for Ahmedabad-Gandhinager Prajapati Samaj app” and further as a “platform for community.” The app was also recently listed on Google Play but was no longer available for download at the time of publication. Attempts to contact the developer were unsuccessful.

There’s no indication the separate app violates any App Store policy. Apple representatives didn’t respond to an email asking questions about the incident or its vetting process or policies.

A password manager LastPass calls “fraudulent” booted from App Store Read More »

critical-vulnerability-affecting-most-linux-distros-allows-for-bootkits

Critical vulnerability affecting most Linux distros allows for bootkits

Biz & IT, bootkits, Linux, Security, shim, uefi, vulnerabilities / /
Critical vulnerability affecting most Linux distros allows for bootkits

Linux developers are in the process of patching a high-severity vulnerability that, in certain cases, allows the installation of malware that runs at the firmware level, giving infections access to the deepest parts of a device where they’re hard to detect or remove.

The vulnerability resides in shim, which in the context of Linux is a small component that runs in the firmware early in the boot process before the operating system has started. More specifically, the shim accompanying virtually all Linux distributions plays a crucial role in secure boot, a protection built into most modern computing devices to ensure every link in the boot process comes from a verified, trusted supplier. Successful exploitation of the vulnerability allows attackers to neutralize this mechanism by executing malicious firmware at the earliest stages of the boot process before the Unified Extensible Firmware Interface firmware has loaded and handed off control to the operating system.

The vulnerability, tracked as CVE-2023-40547, is what’s known as a buffer overflow, a coding bug that allows attackers to execute code of their choice. It resides in a part of the shim that processes booting up from a central server on a network using the same HTTP that the Internet is based on. Attackers can exploit the code-execution vulnerability in various scenarios, virtually all following some form of successful compromise of either the targeted device or the server or network the device boots from.

“An attacker would need to be able to coerce a system into booting from HTTP if it’s not already doing so, and either be in a position to run the HTTP server in question or MITM traffic to it,” Matthew Garrett, a security developer and one of the original shim authors, wrote in an online interview. “An attacker (physically present or who has already compromised root on the system) could use this to subvert secure boot (add a new boot entry to a server they control, compromise shim, execute arbitrary code).”

Stated differently, these scenarios include:

  • Acquiring the ability to compromise a server or perform an adversary-in-the-middle impersonation of it to target a device that’s already configured to boot using HTTP
  • Already having physical access to a device or gaining administrative control by exploiting a separate vulnerability.

While these hurdles are steep, they’re by no means impossible, particularly the ability to compromise or impersonate a server that communicates with devices over HTTP, which is unencrypted and requires no authentication. These particular scenarios could prove useful if an attacker has already gained some level of access inside a network and is looking to take control of connected end-user devices. These scenarios, however, are largely remedied if servers use HTTPS, the variant of HTTP that requires a server to authenticate itself. In that case, the attacker would first have to forge the digital certificate the server uses to prove it’s authorized to provide boot firmware to devices.

The ability to gain physical access to a device is also difficult and is widely regarded as grounds for considering it to be already compromised. And, of course, already obtaining administrative control through exploiting a separate vulnerability in the operating system is hard and allows attackers to achieve all kinds of malicious objectives.

Critical vulnerability affecting most Linux distros allows for bootkits Read More »

as-if-two-ivanti-vulnerabilities-under-exploit-weren’t-bad-enough,-now-there-are-3

As if two Ivanti vulnerabilities under exploit weren’t bad enough, now there are 3

Biz & IT, exploitation, ivanti, Security, vpns, vulnerabilities / /

CHAOS REIGNS —

Hackers looking to diversify, began mass exploiting a new vulnerability over the weekend.

As if two Ivanti vulnerabilities under exploit weren’t bad enough, now there are 3

Mass exploitation began over the weekend for yet another critical vulnerability in widely used VPN software sold by Ivanti, as hackers already targeting two previous vulnerabilities diversified, researchers said Monday.

The new vulnerability, tracked as CVE-2024-21893, is what’s known as a server-side request forgery. Ivanti disclosed it on January 22, along with a separate vulnerability that so far has shown no signs of being exploited. Last Wednesday, nine days later, Ivanti said CVE-2024-21893 was under active exploitation, aggravating an already chaotic few weeks. All of the vulnerabilities affect Ivanti’s Connect Secure and Policy Secure VPN products.

A tarnished reputation and battered security professionals

The new vulnerability came to light as two other vulnerabilities were already under mass exploitation, mostly by a hacking group researchers have said is backed by the Chinese government. Ivanti provided mitigation guidance for the two vulnerabilities on January 11, and released a proper patch last week. The Cybersecurity and Infrastructure Security Agency, meanwhile, mandated all federal agencies under its authority disconnect Ivanti VPN products from the Internet until they are rebuilt from scratch and running the latest software version.

By Sunday, attacks targeting CVE-2024-21893 had mushroomed, from hitting what Ivanti said was a “small number of customers” to a mass base of users, research from security organization Shadowserver showed. The steep line in the right-most part of the following graph tracks the vulnerability’s meteoric rise starting on Friday. At the time this Ars post went live, the exploitation volume of the vulnerability exceeded that of CVE-2023-46805 and CVE-2024-21887, the previous Ivanti vulnerabilities under active targeting.

Shadowserver

Systems that had been inoculated against the two older vulnerabilities by following Ivanti’s mitigation process remained wide open to the newest vulnerability, a status that likely made it attractive to hackers. There’s something else that makes CVE-2024-21893 attractive to threat actors: because it resides in Ivanti’s implementation of the open-source Security Assertion Markup Language—which handles authentication and authorization between parties—people who exploit the bug can bypass normal authentication measures and gain access directly to the administrative controls of the underlying server.

Exploitation likely got a boost from proof-of-concept code released by security firm Rapid7 on Friday, but the exploit wasn’t the sole contributor. Shadowserver said it began seeing working exploits a few hours before the Rapid7 release. All of the different exploits work roughly the same way. Authentication in Ivanti VPNs occurs through the doAuthCheck function in an HTTP web server binary located at /root/home/bin/web. The endpoint /dana-ws/saml20.ws doesn’t require authentication. As this Ars post was going live, Shadowserver counted a little more than 22,000 instances of Connect Secure and Policy Secure.

Shadowserver

VPNs are an ideal target for hackers seeking access deep inside a network. The devices, which allow employees to log into work portals using an encrypted connection, sit at the very edge of the network, where they respond to requests from any device that knows the correct port configuration. Once attackers establish a beachhead on a VPN, they can often pivot to more sensitive parts of a network.

The three-week spree of non-stop exploitation has tarnished Ivanti’s reputation for security and battered security professionals as they have scrambled—often in vain—to stanch the flow of compromises. Compounding the problem was a slow patch time that missed Ivanti’s own January 24 deadline by a week. Making matters worse still: hackers figured out how to bypass the mitigation advice Ivanti provided for the first pair of vulnerabilities.

Given the false starts and high stakes, CISA’s Friday mandate of rebuilding all servers from scratch once they have installed the latest patch is prudent. The requirement doesn’t apply to non-government agencies, but given the chaos and difficulty securing the Ivanti VPNs in recent weeks, it’s a common-sense move that all users should have taken by now.

As if two Ivanti vulnerabilities under exploit weren’t bad enough, now there are 3 Read More »

a-startup-allegedly-“hacked-the-world”-then-came-the-censorship—and-now-the-backlash.

A startup allegedly “hacked the world.” Then came the censorship—and now the backlash.

Biz & IT, hackers, Security, syndication / /

hacker-for-hire —

Anti-censorship voices are working to highlight reports of one Indian company’s hacker past.

A startup allegedly “hacked the world.” Then came the censorship—and now the backlash.

Hacker-for-hire firms like NSO Group and Hacking Team have become notorious for enabling their customers to spy on vulnerable members of civil society. But as far back as a decade ago in India, a startup called Appin Technology and its subsidiaries allegedly played a similar cyber-mercenary role while attracting far less attention. Over the past two years, a collection of people with direct and indirect links to that company have been working to keep it that way, using a campaign of legal threats to silence publishers and anyone else reporting on Appin Technology’s alleged hacking past. Now, a loose coalition of anti-censorship voices is working to make that strategy backfire.

For months, lawyers and executives with ties to Appin Technology and to a newer organization that shares part of its name, called the Association of Appin Training Centers, have used lawsuits and legal threats to carry out an aggressive censorship campaign across the globe. These efforts have demanded that more than a dozen publications amend or fully remove references to the original Appin Technology’s alleged illegal hacking or, in some cases, mentions of that company’s co-founder, Rajat Khare. Most prominently, a lawsuit against Reuters brought by the Association of Appin Training Centers resulted in a stunning order from a Delhi court: It demanded that Reuters take down its article based on a blockbuster investigation into Appin Technology that had detailed its alleged targeting and spying on opposition leaders, corporate competitors, lawyers, and wealthy individuals on behalf of customers worldwide. Reuters “temporarily” removed its article in compliance with that injunction and is fighting the order in Indian court.

As Appin Training Centers has sought to enforce that same order against a slew of other news outlets, however, resistance is building. Earlier this week, the digital rights group the Electronic Frontier Foundation (EFF) sent a response—published here—pushing back against Appin Training Centers’ legal threats on behalf of media organizations caught in this crossfire, including the tech blog Techdirt and the investigative news nonprofit MuckRock.

No media outlet has claimed that Appin Training Centers—a group that describes itself as an educational firm run in part by former franchisees of the original Appin Technology, which reportedly ceased its alleged hacking operations more than a decade ago—has been involved in any illegal hacking. In December, however, Appin Training Centers sent emails to Techdirt and MuckRock demanding they too take down all content related to allegations that Appin Technology previously engaged in widespread cyberspying operations, citing the court order against Reuters.

Techdirt, Appin Training Centers argued, fell under that injunction by writing about Reuters’ story and the takedown order targeting it. So had MuckRock, the plaintiffs claimed, which hosted some of the documents that Reuters had cited in its story and uploaded to MuckRock’s DocumentCloud service. In the response sent on their behalf, the EFF states that the two media organizations are refusing to comply, arguing that the Indian court’s injunction “is in no way the global takedown order your correspondence represents it to be.” It also cites an American law called the SPEECH Act that deems any foreign court’s libel ruling that violates the First Amendment unenforceable in the US.

“It’s not a good state for a free press when one company can, around the world, disappear news articles,” Michael Morisy, the CEO and co-founder of MuckRock, tells WIRED. “That’s something that fundamentally we need to push back against.”

Techdirt founder Mike Masnick says that, beyond defeating the censorship of the Appin Technology story, he hopes their public response to that censorship effort will ultimately bring even more attention to the group’s past. In fact, 19 years ago, Masnick coined the term “the Streisand effect” to describe a situation in which someone’s attempt to hide information results in its broader exposure—exactly the situation he hopes to help create in this case. “The suppression of accurate reporting is problematic,” says Masnick. “When it happens, it deserves to be called out, and there should be more attention paid to those trying to silence it.”

The anti-secrecy nonprofit Distributed Denial of Secrets (DDoSecrets) has also joined the effort to spark that Streisand Effect, “uncensoring” Reuters’ story on the original Appin Technology as part of a new initiative it calls the Greenhouse Project. DDoSecrets cofounder Emma Best says the name comes from its intention to foster a “warming effect”—the opposite of the “chilling effect” used to describe the self-censorship created by legal threats. “It sends a signal to would-be censors, telling them that their success may be fleeting and limited,” Best says. “And it assures other journalists that their work can survive.”

Neither Appin Training Centers nor Rajat Khare responded to WIRED’s request for comment, nor did Reuters.

The fight to expose the original Appin Technology’s alleged hacking history began to reach a head in November of 2022, when the Association for Appin Training Centers sued Reuters based only on its reporters’ unsolicited messages to Appin Training Centers’ employees and students. The company’s legal complaint, filed in India’s judicial system, accused Reuters not only of defamation, but “mental harassment, stalking, sexual misconduct and trauma.”

Nearly a full year later, Reuters nonetheless published its article, “How an Indian Startup Hacked the World.” The judge in the case initially sided with Appin Training Centers, writing that the article could have a “devastating effect on the general students population of India.” He quickly ordered an injunction stating that Appin Training Centers can demand Reuters take down their claims about Appin Technology.

A startup allegedly “hacked the world.” Then came the censorship—and now the backlash. Read More »

agencies-using-vulnerable-ivanti-products-have-until-saturday-to-disconnect-them

Agencies using vulnerable Ivanti products have until Saturday to disconnect them

Biz & IT, CISA, connect secure, ivanti, Security, zerodays / /

TOUGH MEDICINE —

Things were already bad with two critical zero-days. Then Ivanti disclosed a new one.

Photograph depicts a security scanner extracting virus from a string of binary code. Hand with the word

Getty Images

Federal civilian agencies have until midnight Saturday morning to sever all network connections to Ivanti VPN software, which is currently under mass exploitation by multiple threat groups. The US Cybersecurity and Infrastructure Security Agency mandated the move on Wednesday after disclosing three critical vulnerabilities in recent weeks.

Three weeks ago, Ivanti disclosed two critical vulnerabilities that it said threat actors were already actively exploiting. The attacks, the company said, targeted “a limited number of customers” using the company’s Connect Secure and Policy Secure VPN products. Security firm Volexity said on the same day that the vulnerabilities had been under exploitation since early December. Ivanti didn’t have a patch available and instead advised customers to follow several steps to protect themselves against attacks. Among the steps was running an integrity checker the company released to detect any compromises.

Almost two weeks later, researchers said the zero-days were under mass exploitation in attacks that were backdooring customer networks around the globe. A day later, Ivanti failed to make good on an earlier pledge to begin rolling out a proper patch by January 24. The company didn’t start the process until Wednesday, two weeks after the deadline it set for itself.

And then, there were three

Ivanti disclosed two new critical vulnerabilities in Connect Secure on Wednesday, tracked as CVE-2024-21888 and CVE-2024-21893. The company said that CVE-2024-21893—a class of vulnerability known as a server-side request forgery—“appears to be targeted,” bringing the number of actively exploited vulnerabilities to three. German government officials said they had already seen successful exploits of the newest one. The officials also warned that exploits of the new vulnerabilities neutralized the mitigations Ivanti advised customers to implement.

Hours later, the Cybersecurity and Infrastructure Security Agency—typically abbreviated as CISA—ordered all federal agencies under its authority to “disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks” no later than 11: 59 pm on Friday. Agency officials set the same deadline for the agencies to complete the Ivanti-recommended steps, which are designed to detect if their Ivanti VPNs have already been compromised in the ongoing attacks.

The steps include:

  • Identifying any additional systems connected or recently connected to the affected Ivanti device
  • Monitoring the authentication or identity management services that could be exposed
  • Isolating the systems from any enterprise resources to the greatest degree possible
  • Continuing to audit privilege-level access accounts.

The directive went on to say that before agencies can bring their Ivanti products back online, they must follow a long series of steps that include factory resetting their system, rebuilding them following Ivanti’s previously issued instructions, and installing the Ivanti patches.

“Agencies running the affected products must assume domain accounts associated with the affected products have been compromised,” Wednesday’s directive said. Officials went on to mandate that by March 1, agencies must have reset passwords “twice” for on-premise accounts, revoke Kerberos-enabled authentication tickets, and then revoke tokens for cloud accounts in hybrid deployments.

Steven Adair, the president of Volexity, the security firm that discovered the initial two vulnerabilities, said its most recent scans indicate that at least 2,200 customers of the affected products have been compromised to date. He applauded CISA’s Wednesday directive.

“This is effectively the best way to alleviate any concern that a device might still be compromised,” Adair said in an email. “We saw that attackers were actively looking for ways to circumvent detection from the integrity checker tools. With the previous and new vulnerabilities, this course of action around a completely fresh and patched system might be the best way to go for organizations to not have to wonder if their device is actively compromised.”

The directive is binding only on agencies under CISA’s authority. Any user of the vulnerable products, however, should follow the same steps immediately if they haven’t already.

Agencies using vulnerable Ivanti products have until Saturday to disconnect them Read More »

chinese-malware-removed-from-soho-routers-after-fbi-issues-covert-commands

Chinese malware removed from SOHO routers after FBI issues covert commands

Biz & IT, chinese govvernent, fbi, malware, routers, Security, take-downs / /

REBOOT OR, BETTER yet, REPLACE YOUR OLD ROUTERS! —

Routers were being used to conceal attacks on critical infrastructure.

A wireless router with an Ethernet cable hooked into it.

Enlarge / A Wi-Fi router.

The US Justice Department said Wednesday that the FBI surreptitiously sent commands to hundreds of infected small office and home office routers to remove malware China state-sponsored hackers were using to wage attacks on critical infrastructure.

The routers—mainly Cisco and Netgear devices that had reached their end of life—were infected with what’s known as KV Botnet malware, Justice Department officials said. Chinese hackers from a group tracked as Volt Typhoon used the malware to wrangle the routers into a network they could control. Traffic passing between the hackers and the compromised devices was encrypted using a VPN module KV Botnet installed. From there, the campaign operators connected to the networks of US critical infrastructure organizations to establish posts that could be used in future cyberattacks. The arrangement caused traffic to appear as originating from US IP addresses with trustworthy reputations rather than suspicious regions in China.

Seizing infected devices

Before the takedown could be conducted legally, FBI agents had to receive authority—technically for what’s called a seizure of infected routers or “target devices”—from a federal judge. An initial affidavit seeking authority was filed in US federal court in Houston in December. Subsequent requests have been filed since then.

“To effect these seizures, the FBI will issue a command to each Target Device to stop it from running the KV Botnet VPN process,” an agency special agent wrote in an affidavit dated January 9. “This command will also stop the Target Device from operating as a VPN node, thereby preventing the hackers from further accessing Target Devices through any established VPN tunnel. This command will not affect the Target Device if the VPN process is not running, and will not otherwise affect the Target Device, including any legitimate VPN process installed by the owner of the Target Device.”

Wednesday’s Justice Department statement said authorities had followed through on the takedown, which disinfected “hundreds” of infected routers and removed them from the botnet. To prevent the devices from being reinfected, the takedown operators issued additional commands that the affidavit said would “interfere with the hackers’ control over the instrumentalities of their crimes (the Target Devices), including by preventing the hackers from easily re-infecting the Target Devices.”

The affidavit said elsewhere that the prevention measures would be neutralized if the routers were restarted. These devices would then be once again vulnerable to infection.

Redactions in the affidavit make the precise means used to prevent re-infections unclear. Portions that weren’t censored, however, indicated the technique involved a loop-back mechanism that prevented the devices from communicating with anyone trying to hack them.

Portions of the affidavit explained:

22. To effect these seizures, the FBI will simultaneously issue commands that will interfere with the hackers’ control over the instrumentalities of their crimes (the Target Devices), including by preventing the hackers from easily re-infecting the Target Devices with KV Botnet malware.

  1. a. When the FBI deletes the KV Botnet malware from the Target Devices [redacted. To seize the Target Devices and interfere with the hackers’ control over them, the FBI [redacted]. This [redacted] will have no effect except to protect the Target Device from reinfection by the KV Botnet [redacted] The effect of can be undone by restarting the Target Device [redacted] make the Target Device vulnerable to re-infection.
  2. b. [redacted] the FBI will seize each such Target Device by causing the malware on it to communicate with only itself. This method of seizure will interfere with the ability of the hackers to control these Target Devices. This communications loopback will, like the malware itself, not survive a restart of a Target Device.
  3. c. To seize Target Devices, the FBI will [redacted] block incoming traffic [redacted] used exclusively by the KV Botnet malware on Target Devices, to block outbound traffic to [redacted] the Target Devices’ parent and command-and-control nodes, and to allow a Target Device to communicate with itself [redacted] are not normally used by the router, and so the router’s legitimate functionality is not affected. The effect of [redacted] to prevent other parts of the botnet from contacting the victim router, undoing the FBI’s commands, and reconnecting it to the botnet. The effect of these commands is undone by restarting the Target Devices.

23. To effect these seizures, the FBI will issue a command to each Target Device to stop it from running the KV Botnet VPN process. This command will also stop the Target Device from operating as a VPN node, thereby preventing the hackers from further accessing Target Devices through any established VPN tunnel. This command will not affect the Target Device if the VPN process is not running, and will not otherwise affect the Target Device, including any legitimate VPN process installed by the owner of the Target Device.

Chinese malware removed from SOHO routers after FBI issues covert commands Read More »

ars-technica-used-in-malware-campaign-with-never-before-seen-obfuscation

Ars Technica used in malware campaign with never-before-seen obfuscation

ars technica, Biz & IT, malware, Security / /

WHEN USERS ATTACK —

Vimeo also used by legitimate user who posted booby-trapped content.

Ars Technica used in malware campaign with never-before-seen obfuscation

Getty Images

Ars Technica was recently used to serve second-stage malware in a campaign that used a never-before-seen attack chain to cleverly cover its tracks, researchers from security firm Mandiant reported Tuesday.

A benign image of a pizza was uploaded to a third-party website and was then linked with a URL pasted into the “about” page of a registered Ars user. Buried in that URL was a string of characters that appeared to be random—but were actually a payload. The campaign also targeted the video-sharing site Vimeo, where a benign video was uploaded and a malicious string was included in the video description. The string was generated using a technique known as Base 64 encoding. Base 64 converts text into a printable ASCII string format to represent binary data. Devices already infected with the first-stage malware used in the campaign automatically retrieved these strings and installed the second stage.

Not typically seen

“This is a different and novel way we’re seeing abuse that can be pretty hard to detect,” Mandiant researcher Yash Gupta said in an interview. “This is something in malware we have not typically seen. It’s pretty interesting for us and something we wanted to call out.”

The image posted on Ars appeared in the about profile of a user who created an account on November 23. An Ars representative said the photo, showing a pizza and captioned “I love pizza,” was removed by Ars staff on December 16 after being tipped off by email from an unknown party. The Ars profile used an embedded URL that pointed to the image, which was automatically populated into the about page. The malicious base 64 encoding appeared immediately following the legitimate part of the URL. The string didn’t generate any errors or prevent the page from loading.

Pizza image posted by user.

Enlarge / Pizza image posted by user.

Malicious string in URL.

Enlarge / Malicious string in URL.

Mandiant researchers said there were no consequences for people who may have viewed the image, either as displayed on the Ars page or on the website that hosted it. It’s also not clear that any Ars users visited the about page.

Devices that were infected by the first stage automatically accessed the malicious string at the end of the URL. From there, they were infected with a second stage.

The video on Vimeo worked similarly, except that the string was included in the video description.

Ars representatives had nothing further to add. Vimeo representatives didn’t immediately respond to an email.

The campaign came from a threat actor Mandiant tracks as UNC4990, which has been active since at least 2020 and bears the hallmarks of being motivated by financial gain. The group has already used a separate novel technique to fly under the radar. That technique spread the second stage using a text file that browsers and normal text editors showed to be blank.

Opening the same file in a hex editor—a tool for analyzing and forensically investigating binary files—showed that a combination of tabs, spaces, and new lines were arranged in a way that encoded executable code. Like the technique involving Ars and Vimeo, the use of such a file is something the Mandiant researchers had never seen before. Previously, UNC4990 used GitHub and GitLab.

The initial stage of the malware was transmitted by infected USB drives. The drives installed a payload Mandiant has dubbed explorerps1. Infected devices then automatically reached out to either the malicious text file or else to the URL posted on Ars or the video posted to Vimeo. The base 64 strings in the image URL or video description, in turn, caused the malware to contact a site hosting the second stage. The second stage of the malware, tracked as Emptyspace, continuously polled a command-and-control server that, when instructed, would download and execute a third stage.

Mandiant

Mandiant has observed the installation of this third stage in only one case. This malware acts as a backdoor the researchers track as Quietboard. The backdoor, in that case, went on to install a cryptocurrency miner.

Anyone who is concerned they may have been infected by any of the malware covered by Mandiant can check the indicators of compromise section in Tuesday’s post.

Ars Technica used in malware campaign with never-before-seen obfuscation Read More »

chatgpt-is-leaking-passwords-from-private-conversations-of-its-users,-ars-reader-says

ChatGPT is leaking passwords from private conversations of its users, Ars reader says

AI, Biz & IT, chatgpt, openai, privacy, Security / /

OPENAI SPRINGS A LEAK —

Names of unpublished research papers, presentations, and PHP scripts also leaked.

OpenAI logo displayed on a phone screen and ChatGPT website displayed on a laptop screen.

Getty Images

ChatGPT is leaking private conversations that include login credentials and other personal details of unrelated users, screenshots submitted by an Ars reader on Monday indicated.

Two of the seven screenshots the reader submitted stood out in particular. Both contained multiple pairs of usernames and passwords that appeared to be connected to a support system used by employees of a pharmacy prescription drug portal. An employee using the AI chatbot seemed to be troubleshooting problems that encountered while using the portal.

“Horrible, horrible, horrible”

“THIS is so f-ing insane, horrible, horrible, horrible, i cannot believe how poorly this was built in the first place, and the obstruction that is being put in front of me that prevents it from getting better,” the user wrote. “I would fire [redacted name of software] just for this absurdity if it was my choice. This is wrong.”

Besides the candid language and the credentials, the leaked conversation includes the name of the app the employee is troubleshooting and the store number where the problem occurred.

The entire conversation goes well beyond what’s shown in the redacted screenshot above. A link Ars reader Chase Whiteside included showed the chat conversation in its entirety. The URL disclosed additional credential pairs.

The results appeared Monday morning shortly after reader Whiteside had used ChatGPT for an unrelated query.

“I went to make a query (in this case, help coming up with clever names for colors in a palette) and when I returned to access moments later, I noticed the additional conversations,” Whiteside wrote in an email. “They weren’t there when I used ChatGPT just last night (I’m a pretty heavy user). No queries were made—they just appeared in my history, and most certainly aren’t from me (and I don’t think they’re from the same user either).”

Other conversations leaked to Whiteside include the name of a presentation someone was working on, details of an unpublished research proposal, and a script using the PHP programming language. The users for each leaked conversation appeared to be different and unrelated to each other. The conversation involving the prescription portal included the year 2020. Dates didn’t appear in the other conversations.

The episode, and others like it, underscore the wisdom of stripping out personal details from queries made to ChatGPT and other AI services whenever possible. Last March, ChatGPT maker OpenAI took the AI chatbot offline after a bug caused the site to show titles from one active user’s chat history to unrelated users.

In November, researchers published a paper reporting how they used queries to prompt ChatGPT into divulging email addresses, phone and fax numbers, physical addresses, and other private data that was included in material used to train the ChatGPT large language model.

Concerned about the possibility of proprietary or private data leakage, companies, including Apple, have restricted their employees’ use of ChatGPT and similar sites.

As mentioned in an article from December when multiple people found that Ubiquity’s UniFy devices broadcasted private video belonging to unrelated users, these sorts of experiences are as old as the Internet is. As explained in the article:

The precise root causes of this type of system error vary from incident to incident, but they often involve “middlebox” devices, which sit between the front- and back-end devices. To improve performance, middleboxes cache certain data, including the credentials of users who have recently logged in. When mismatches occur, credentials for one account can be mapped to a different account.

An OpenAI representative said the company was investigating the report.

ChatGPT is leaking passwords from private conversations of its users, Ars reader says Read More »

beware-of-scammers-sending-live-couriers-to-liquidate-victims’-life-savings

Beware of scammers sending live couriers to liquidate victims’ life savings

Security / /

CONFIDENCE GAMES —

The scams sound easy to detect, but they steal billions of dollars, often from the elderly.

Beware of scammers sending live couriers to liquidate victims’ life savings

Getty Images

Scammers are stepping up their game by sending couriers to the homes of elderly people and others as part of a ruse intended to rob them of their life savings, the FBI said in an advisory Monday.

“The FBI is warning the public about scammers instructing victims, many of whom are senior citizens, to liquidate their assets into cash and/or buy gold, silver, or other precious metals to protect their funds,” FBI officials with the agency’s Internet Crime Complaint Center said. “Criminals then arrange for couriers to meet the victims in person to pick up the cash or precious metals.”

The scammers pose as tech or customer support agents or government officials and sometimes use a multi-layered approach as they falsely claim they work on behalf of technology companies, financial institutions, or the US government. The scammers tell the targets they have been hacked or are at risk of being hacked and that their assets should be protected. The scammers then instruct the targets to liquidate assets into cash. In some cases, the scammers instruct targets to wire funds to a fake metal dealer who will ship purchased merchandise to the victims’ homes.

“Criminals then arrange for couriers to meet the victims in person to pick up the cash or precious metals,” Monday’s advisory warned.

Officials said that from May to December of last year, they tracked estimated aggregate losses topping $55 million from this sort of scam. More generally, the agency received 19,000 complaints of scams from January to June of 2023, with estimated victim losses of $542 million. Almost half of the victims were over 60 years old and accounted for 66 percent of the aggregated losses.

The types of scams included in Monday’s warning use tactics intended to coax the victim into developing trust and confidence in the perpetrators. The scammers promise to safeguard the assets in a protected account. In some cases, the scammers set a passcode with the target. If targets hand over money or other assets, they never hear from the scammers again.

Monday’s advisory comes four months after IC3 warned of an increase in complaints for what the agency calls “phantom hacker scams. This form of scam is an evolution of more traditional general tech ruses. They layer imposer tech support workers with workers from financial institutions and government agencies. Victims sometimes lose their entire holdings in bank, savings, retirement, or investment accounts.

Typically, the target receives a call from someone falsely claiming to work in tech or customer support from a known, reputable company and instructs the target to call a number for assistance resolving an imaginary problem. When a target calls, the scammer tricks the person into downloading and installing a program that gives remote access to the target’s device. The scammer then asks the target to open bank accounts or other types of accounts to investigate imaginary fraud. During this step, the scammer checks balances to see if there’s enough profit potential for follow-on activities.

In any follow-on activity, the scammers pose as either representatives of the financial institution or as an employee at the Federal Reserve or another US government agency. The scammers instruct the targets to wire money, in many cases directly to overseas recipients. The scammers may instruct the victim to send multiple transactions over a span of days or months. In the event the target grows suspicious, the scammers may send written correspondence over what appears to be official letterhead.

FBI IC3

The IC3 recommends people follow these practices to prevent falling victim to such scams:

  • The US Government and legitimate businesses will never request you purchase gold or other precious metals.
  • Protect your personal information. Never disclose your home address or agree to meet with unknown individuals to deliver cash or precious metals.
  • Do not click on unsolicited pop-ups on your computer, links sent via text messages, or email links and attachments.
  • Do not contact unknown telephone numbers provided in pop-ups, texts, or emails.
  • Do not download software at the request of unknown individuals who contact you.
  • Do not allow unknown individuals access to your computer.

The FBI requests victims report these types of fraud or suspicious activities to the IC3 as soon as possible. Victims should include as much transaction information as possible:

  • The name of the person or company that contacted you.
  • Methods of communication used, including websites, emails, and telephone numbers.
  • Any bank account number that received any wired funds, along with the recipient name(s).
  • The name and location of any metal dealer companies and the account that received the wired funds.

Beware of scammers sending live couriers to liquidate victims’ life savings Read More »

the-life-and-times-of-cozy-bear,-the-russian-hackers-who-just-hit-microsoft-and-hpe

The life and times of Cozy Bear, the Russian hackers who just hit Microsoft and HPE

Biz & IT, breaches, cozy bear, hacking, hewlett packarge enterprise, microsoft, Security / /

FROM RUSSIA WITH ROOT —

Hacks by Kremlin-backed group continue to hit hard.

The life and times of Cozy Bear, the Russian hackers who just hit Microsoft and HPE

Getty Images

Hewlett Packard Enterprise (HPE) said Wednesday that Kremlin-backed actors hacked into the email accounts of its security personnel and other employees last May—and maintained surreptitious access until December. The disclosure was the second revelation of a major corporate network breach by the hacking group in five days.

The hacking group that hit HPE is the same one that Microsoft said Friday broke into its corporate network in November and monitored email accounts of senior executives and security team members until being driven out earlier this month. Microsoft tracks the group as Midnight Blizzard. (Under the company’s recently retired threat actor naming convention, which was based on chemical elements, the group was known as Nobelium.) But it is perhaps better known by the name Cozy Bear—though researchers have also dubbed it APT29, the Dukes, Cloaked Ursa, and Dark Halo.

“On December 12, 2023, Hewlett Packard Enterprise was notified that a suspected nation-state actor, believed to be the threat actor Midnight Blizzard, the state-sponsored actor also known as Cozy Bear, had gained unauthorized access to HPE’s cloud-based email environment,” company lawyers wrote in a filing with the Securities and Exchange Commission. “The Company, with assistance from external cybersecurity experts, immediately activated our response process to investigate, contain, and remediate the incident, eradicating the activity. Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.”

An HPE representative said in an email that Cozy Bear’s initial entry into the network was through “a compromised, internal HPE Office 365 email account [that] was leveraged to gain access.” The representative declined to elaborate. The representative also declined to say how HPE discovered the breach.

Cozy Bear hacking its way into the email systems of two of the world’s most powerful companies and monitoring top employees’ accounts for months aren’t the only similarities between the two events. Both breaches also involved compromising a single device on each corporate network, then escalating that toehold to the network itself. From there, Cozy Bear camped out undetected for months. The HPE intrusion was all the more impressive because Wednesday’s disclosure said that the hackers also gained access to Sharepoint servers in May. Even after HPE detected and contained that breach a month later, it would take HPE another six months to discover the compromised email accounts.

The pair of disclosures, coming within five days of each other, may create the impression that there has been a recent flurry of hacking activity. But Cozy Bear has actually been one of the most active nation-state groups since at least 2010. In the intervening 14 years, it has waged an almost constant series of attacks, mostly on the networks of governmental organizations and the technology companies that supply them. Multiple intelligence services and private research companies have attributed the hacking group as an arm of Russia’s Foreign Intelligence Service, also known as the SVR.

The life and times of Cozy Bear (so far)

In its earliest years, Cozy Bear operated in relative obscurity—precisely the domain it prefers—as it hacked mostly Western governmental agencies and related organizations such as political think tanks and governmental subcontractors. In 2013, researchers from security firm Kaspersky unearthed MiniDuke, a sophisticated piece of malware that had taken hold of 60 government agencies, think tanks, and other high-profile organizations in 23 countries, including the US, Hungary, Ukraine, Belgium, and Portugal.

MiniDuke was notable for its odd combination of advanced programming and the gratuitous references to literature found embedded into its code. (It contained strings that alluded to Dante Alighieri’s Divine Comedy and to 666, the Mark of the Beast discussed in a verse from the Book of Revelation.) Written in assembly, employing multiple levels of encryption, and relying on hijacked Twitter accounts and automated Google searches to maintain stealthy communications with command-and-control servers, MiniDuke was among the most advanced pieces of malware found at the time.

It wasn’t immediately clear who was behind the mysterious malware—another testament to the stealth of its creators. In 2015, however, researchers linked MiniDuke—and seven other pieces of previously unidentified malware—to Cozy Bear. After a half-decade of lurking, the shadowy group was suddenly brought into the light of day.

Cozy Bear once again came to prominence the following year when researchers discovered the group (along with Fancy Bear, a separate Russian-state hacking group) inside the servers of the Democratic National Committee, looking for intelligence such as opposition research into Donald Trump, the Republican nominee for president at the time. The hacking group resurfaced in the days following Trump’s election victory that year with a major spear-phishing blitz that targeted dozens of organizations in government, military, defense contracting, media, and other industries.

One of Cozy Bear’s crowning achievements came in late 2020 with the discovery of an extensive supply chain attack that targeted customers of SolarWinds, the Austin, Texas, maker of network management tools. After compromising SolarWinds’ software build system, the hacking group pushed infected updates to roughly 18,000 customers. The hackers then used the updates to compromise nine federal agencies and about 100 private companies, White House officials have said.

Cozy Bear has remained active, with multiple campaigns coming to light in 2021, including one that used zero-day vulnerabilities to infect fully updated iPhones. Last year, the group devoted much of its time to hacks of Ukraine.

The life and times of Cozy Bear, the Russian hackers who just hit Microsoft and HPE Read More »