Cyber thread: network espionage, tracking of mobile phones and WLANs, hacking, viruses, DoS etc.

The US government's Computer Emergency Response Team (US-Cert) has posted a new report on the latest exploits of North Korea's Hidden Cobra hacking crews.

The updated advisory (PDF) details how the hacking groups believed to operate on behalf of the isolated government have carried out various hacking operations in recent years in an effort to drum up cash for the sanctions-hit regime. There's currently up to $5m up for grabs for catching North Korean miscreants.

Among the claims in the report are that DPRK hackers (US-Cert uses Hidden Cobra as the catch-all name) have started strong-arming companies into paying them off for "protection" and have also loaned their services out to other hacking crews.

"DPRK cyber actors have also conducted extortion campaigns against third-country entities by compromising an entity’s network and threatening to shut it down unless the entity pays a ransom," US-Cert notes.

"In some instances, DPRK cyber actors have demanded payment from victims under the guise of long-term paid consulting arrangements in order to ensure that no such future malicious cyber activity takes place. DPRK cyber actors have also been paid to hack websites and extort targets for third-party clients."

US-Cert also notes a number of recent reports on the group, including the 2019 UN Panel of Experts report that determined the hacking crew had probably generated something in the range of $2bn for the despotic regime since it first emerged back in 2014 with the hack of Sony.

That crew, known as Lazarus Group, was also blamed for the Wannacry 2.0 malware and the $81m theft from a bank in Bangladesh.

Mentioned in that UN report and highlighted by US-Cert, was a more recent move into cryptojacking, as the crews have used their sizable malware arsenal to start targeting cryptocurrency wallets or using the compute cycles on infected machines to generate new coins.

"The [UN report] has identified several incidents in which computers infected with cryptojacking malware sent the mined assets – much of it anonymity enhanced digital currency (sometimes also referred to as “privacy coins”) – to servers located in the DPRK, including at Kim Il Sung University in Pyongyang," US-Cert reported.

So what's the point of all this? Well, other than to remind businesses that Hidden Cobra is still out there and posing a threat to both private and public-sector companies, US-Cert wanted to let people know that there remains a massive bounty on members of the hacking crew.

"If you have information about illicit DPRK activities in cyberspace, including past or ongoing operations, providing such information through the Department of State’s Rewards for Justice program could make you eligible to receive an award of up to $5 million."

So, if you're out of work and up for a bit of sleuthing to pass the time during the lockdown, there is plenty of cash to be had.
 
India has effectively banned videoconferencing service Zoom for government users and repeated warnings that consumers need to be careful when using the tool.

The nation's Cyber Coordination Centre has issued advice (PDF) titled "Advisory on Secure use of Zoom meeting platform by private individuals (not for use by government offices/officials for official purpose)".

The document refers to past advisories that offered advice on how to use Zoom securely and warned that Zoom has weak authentication methods. Neither of those notifications mentioned policy about government use of the tool, meaning the new document is a significant change in position!

The document is otherwise a comprehensive-if-dull guide to using Zoom securely.

It comes as India has decided to become self-sufficient by crowdsourcing a Zoom-like service in a competition that will award the winner fat government contracts.

Zoom, meanwhile, has announced it will "re-architect" its bug bounty program as part of an effort to "help get Zoom's overall security house in order". The company today blogged about its recent security enhancements such as routing around China and detailed its expected progress in coming days.

India, meanwhile, continues to involve its tech industry in its coronavirus response. After yesterday letting IT workers back into the office ahead of many other sectors, the nation has granted a four-month rent holiday to the small businesses and startups that typically tenant the 60 government-run Software Technology Parks of India. The decision is expected to protect 3,000 jobs.
 
As American crude oil crashed on Monday, leading to the bizarre situation of a negative futures contract price, our attention was drawn to a spear-phishing campaign against organizations involved in global oil production.

The folks at Bitdefender today detailed a targeted espionage mission against oil and energy companies around the world. The phishing peaked on March 31, just before a planned OPEC meeting of oil-producing nations, many of which were targeted, we're told.

The lure itself appeared rather unremarkable: targets in various businesses were sent spear-phishing emails containing Windows spyware dubbed Agent Tesla disguised as an attached report or form. If opened, Agent Tesla would execute and use a Yandex mail server – smtp.yandex.com – to receive commands from its masters and reply with stolen data, presumably via email messages. These commands told the software nasty what to collect, such as password key-presses, clipboard contents, and so on, which were duly sent to whoever was behind the phishing campaign.

What is unique, in this case, is the very specific group of companies targeted, Bitdefender said. Certain key oil-producing organizations across the world were sent emails from seemingly one of their own: Egyptian oil and gas engineering firm Enppi.

"The impersonated engineering contractor (Enppi - Engineering for Petroleum and Process Industries) has experience in onshore and offshore projects in oil and gas, with attackers abusing its reputation to target the energy industry in Malaysia, the United States, Iran, South Africa, Oman and Turkey, among others," the Bitdefender Labs team said.

A second, much smaller spear-phishing operation, impersonated a Philippines-based shipping company, targeted oil and gas companies in that country.

The who and where of those targets are key to understanding the seriousness of the attack and how it tied into current events. Each of the targeted companies is in a country that is a major stakeholder in the global oil market.

Following plummeting oil demand, and economic instability, amid the coronavirus pandemic, OPEC has cut production of the fossil fuel, forcing energy companies and their buyers and suppliers around the world to scramble and adapt. As supply outstrips demand, unwanted barrels of oil are piling up, forcing prices so low, some distributors are paying people to take them away.

This, it seems, is what the attackers are after; details on the strategies oil and energy companies are following to deal with the cuts.

"While the spear phishing attacks on oil and gas could be part of a business email compromise scam, the fact that it drops the Tesla Agent info-stealer suggests these campaigns could be more espionage focused," Bitdefender senior e-threat analyst Liviu Arsene told The Register.

"Threat actors that might have some stakes in oil and gas prices or developments may be responsible, especially when considering the niche targeted vertical and the ongoing oil crisis."

In other words, someone, possibly a private energy company, or a state-backed hacking group, or even a combination of the two, wants to keep tabs on how companies are dealing with the oil crisis so that they can react or even get ahead of the markets.

While the infrastructure, particularly the use of an ordinary Yandex server, could cause some speculation on the attackers being Russian, Arsene cautions not to read into the host too much, as it is fairly common for malware operators to use legit, busy services around the world to communicate.

"It's not uncommon for attackers to abuse legitimate services, such as email services or social networking platforms, for command and control," Arsene explained to El Reg.

"Communication between the victim and the attacker would go through a legitimate service, making it seem legitimate to security tools. Hackers also prefer locations where jurisdiction from law enforcement is difficult and needs an extended number of approvals to get to the server."

Admins are advised to make sure users are protected from the Agent Tesla trojan (as it has been around since 2014, most antivirus software should detect it) and, if applicable, Bitdefender has provided a list of file hashes to block and indicators of compromise in its above-linked report.
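The Register's description of Agent Tesla using smtp.yandex.com for tasking and exfiltration points at a cheap network-side detection: a workstation has no business opening SMTP sessions to an external mail server when the organisation relays all mail through its own gateway, and a beacon that phones home on a timer gives itself away by its regularity. The Python below is an added example, not code from the post or from Bitdefender's report. It assumes a simplified tab-separated Zeek-style conn.log with the fields listed in the comment, and that 10.0.1.10 is the only sanctioned outbound relay; the sample records are constructed, with RFC 5737 documentation addresses standing in for the real servers.

```python
"""Flag internal hosts that speak SMTP to external mail servers.

Added example; not code from the original post or from Bitdefender's report.
Assumes a simplified tab-separated Zeek-style conn.log (fields below) and that
10.0.1.10 is the organisation's only sanctioned outbound relay. The sample
records are constructed; external addresses use RFC 5737 documentation ranges.
"""
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed records: ts, src_ip, dst_ip, dst_port, proto, service, dst_hostname
SAMPLE_CONN_LOG = """\
1585640000.1\t10.0.5.23\t203.0.113.5\t587\ttcp\tsmtp\tsmtp.yandex.com
1585640030.4\t10.0.5.23\t203.0.113.5\t587\ttcp\tsmtp\tsmtp.yandex.com
1585640060.9\t10.0.5.23\t203.0.113.5\t587\ttcp\tsmtp\tsmtp.yandex.com
1585640012.0\t10.0.5.40\t10.0.1.10\t587\ttcp\tsmtp\tmail.corp.example
1585640100.0\t10.0.1.10\t198.51.100.7\t25\ttcp\tsmtp\tmx.partner.example
1585640200.0\t10.0.5.23\t203.0.113.99\t443\ttcp\tssl\twww.example.com
"""

MAIL_RELAYS = {"10.0.1.10"}            # assumed: the only hosts allowed to send SMTP out
SMTP_PORTS = {25, 465, 587}
# Own RFC 1918 check: Python's ip.is_private also treats the documentation ranges as
# private, which would hide the constructed external servers above.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def parse_conn_log(text):
    """Yield one dict per record; blank lines and '#' comment lines are skipped."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, proto, service, host = line.split("\t")
        yield {"ts": float(ts), "src": src, "dst": dst, "port": int(port),
               "proto": proto, "service": service, "host": host}


def find_smtp_beacons(text, min_events=2):
    """Return {src_ip: {"hosts": [...], "median_interval_s": float}} for internal,
    non-relay hosts with at least min_events SMTP sessions to external addresses."""
    hits = defaultdict(list)
    for rec in parse_conn_log(text):
        if rec["port"] not in SMTP_PORTS or rec["src"] in MAIL_RELAYS:
            continue
        if is_internal(rec["dst"]):
            continue                              # workstation -> internal relay is normal
        hits[rec["src"]].append(rec)
    result = {}
    for src, recs in hits.items():
        if len(recs) < min_events:
            continue
        ts = sorted(r["ts"] for r in recs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]   # time between successive sessions
        result[src] = {"hosts": sorted({r["host"] for r in recs}),
                       "median_interval_s": round(statistics.median(gaps), 1)}
    return result


if __name__ == "__main__":
    for src, info in find_smtp_beacons(SAMPLE_CONN_LOG).items():
        print(f"{src}: SMTP to {info['hosts']} roughly every {info['median_interval_s']}s")
```

The relay's own session to a partner MX and the workstation that talks to the internal relay are both left alone; only the workstation that reaches an outside SMTP server directly, on a steady 30-second cadence, is reported. In a real deployment the hostname column would come from DNS logs or TLS SNI rather than being present in the flow record itself.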
 
Hackers working on behalf of the Vietnamese government attempted to break into Chinese organisations heading up the country's coronavirus response, according to infosec outfit FireEye.

APT32, a hacking group previously linked to the Vietnamese government, tried to access the personal and professional email addresses of staff at China's Ministry of Emergency Management and the government of Wuhan, where it is believed the pandemic started, according to a report released by FireEye yesterday.

Between January and April, APT32 sent Chinese officials phishing emails that contained a tracking link claiming to direct the reader to a report on office equipment bids. When clicked, the link would report back to the hackers, indicating that the trigger-happy user was vulnerable to malware.

FireEye said the attacks mirror other attempts by state-backed hackers to collect information about the virus.

"The COVID-19 crisis poses an intense, existential concern to governments, and the current air of distrust is amplifying uncertainties, encouraging intelligence collection on a scale that rivals armed conflict," the FireEye team concluded in their report.

"National, state or provincial, and local governments, as well as non-government organizations and international organizations, are being targeted, as seen in reports... Until this crisis ends, we anticipate related cyber espionage will continue to intensify globally."

Vietnam responded quickly to the outbreak of the novel coronavirus earlier this year. It sealed off its borders with China and implemented an aggressive program of contract tracing and quarantining citizens. Today the nation claimed and only 268 overall. So just why it needs to look at China's virus-fighters is unclear.

Tensions between Vietnam and China are high, as the former nation this week protested the latter's extension of its domestic administration units to cover disputed islands in the South China Sea.
 
A vulnerability existed in Microsoft's Slack for Suits tool, Teams, that could have let a remote attacker take over accounts by simply sending a malicious GIF, infosec researchers claim.

The pwn-with-GIF vuln was possible, said Cyberark, thanks to two compromisable Microsoft subdomains along with a carefully crafted animated image file.

Although it was a responsibly disclosed theoretical vuln, and was not abused in the wild as far as is known, it illustrates that not all online collaboration platforms are as secure as one might hope.

"Even if an attacker doesn't gather much information from a Teams' account, they could use the account to traverse throughout an organization (just like a worm)," mused Cyberark researcher Omer Tsarfati.

The Israeli infosec outfit said it had alerted Redmond to the two subdomains, resulting in their DNS entries being tweaked. The rest of the Teams vuln was patched last Monday, 20 April.

Cyberark said that Teams fetches image content in messages in different ways. One of those, it said, involves using the device browser's resource loading, which it described as setting "an 'src' attribute of a URI to an HTML IMG tag" along with setting cookies.

After examining Teams' network traffic, Cyberark said its researchers discovered that one of those cookies contained a unique key needed to create an authentication token, which then allowed its crew access to "valuable" information, including the content of messages.

"If an attacker can somehow force a user to visit the sub-domains that have been taken over, the victim's browser will send this cookie to the attacker's server, and the attacker (after receiving the authtoken) can create a Skype token [a named token used to authenticate the user to Teams for loading images]. After doing all of this, the attacker can steal the victim's Teams account data," said the research outfit.

From here it was straightforward to create a malicious GIF file that could be sent in a Teams message. By "sending an image to our victim with an 'src' attribute set to the compromised sub-domain via Teams chat," said Cyberark, "the victim's browser will try to load the image and will send the authtoken cookie to the compromised sub-domain."

With a copy of the cookie, the attacker can then extract images, files and so on from the targeted Team user's account.

Microsoft has been asked for comment.
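The cookie-to-subdomain behaviour CyberArk describes comes down to how browsers scope cookies: a cookie set with a Domain attribute is sent to every host under that domain, so one abandoned subdomain that an attacker can point at their own server receives it, and an img tag in a chat message is enough to trigger the request. The Python below is an added example, not code from the post or from CyberArk's research; the hostnames, cookie names and jar are hypothetical, and the matching rule is the domain-match from RFC 6265 section 5.1.3.

```python
"""Why a cookie scoped to a parent domain reaches a hijacked subdomain.

Added example; not from the original post or CyberArk's research. The hosts,
cookie names and jar are hypothetical; the matching rule is RFC 6265 s5.1.3.
"""
import ipaddress
import re
from urllib.parse import urlsplit


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: exact match, or request_host is a subdomain of cookie_domain."""
    h = request_host.lower().rstrip(".")
    d = cookie_domain.lower().strip(".")
    if h == d:
        return True
    try:
        ipaddress.ip_address(h)
        return False                      # IP literals never match a domain suffix
    except ValueError:
        pass
    return h.endswith("." + d)            # the dot prevents evil-teams.example matching teams.example


def cookies_sent_to(request_host: str, jar) -> list:
    """Names of cookies a browser would attach to an https request to request_host.
    Each jar entry: name, domain, host_only (no Domain attribute was set)."""
    sent = []
    for c in jar:
        if c["host_only"]:
            ok = request_host.lower().rstrip(".") == c["domain"].lower()
        else:
            ok = domain_matches(request_host, c["domain"])
        if ok:
            sent.append(c["name"])
    return sent


def leaked_cookies_for_img(img_tag: str, jar) -> list:
    """Given an <img> tag as it would be rendered in a chat message, return the cookies
    the victim's browser sends when it loads the src."""
    m = re.search(r"""src=["']([^"']+)""", img_tag, re.I)
    if not m:
        return []
    host = urlsplit(m.group(1)).hostname or ""
    return cookies_sent_to(host, jar)


# Constructed jar: the same token issued two ways. The first was set with
# Domain=teams.example and so travels to every subdomain; the second is host-only.
JAR = [
    {"name": "authtoken_wide", "domain": "teams.example", "host_only": False},
    {"name": "authtoken_hostonly", "domain": "teams.example", "host_only": True},
]

if __name__ == "__main__":
    tag = '<img src="https://abandoned.teams.example/cat.gif">'   # hypothetical taken-over host
    print("leaked to attacker:", leaked_cookies_for_img(tag, JAR))
```

SameSite does not help here: a subdomain of the same registrable domain is same-site by definition, so the mitigations are keeping the session token host-only (the authtoken_hostonly entry above never leaves teams.example) and making sure no DNS record under the domain points at something you do not control.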
 
WhatsApp has alleged in new court filings that an Israeli spyware company used US-based servers and was “deeply involved” in carrying out mobile phone hacks of 1,400 WhatsApp users, including senior government officials, journalists, and human rights activists.

The new claims about NSO Group allege that the Israeli company bears responsibility in serious human rights violations, including the hacking of more than a dozen Indian journalists and Rwandan dissidents.

For years, NSO Group has said that its spyware is purchased by government clients for the purpose of tracking down terrorists and other criminals and that it had no independent knowledge of how those clients – which in the past have reportedly included Saudi Arabia and Mexico – use its hacking software.

But a lawsuit filed by WhatsApp against NSO Group last year – the first of its kind by a major technology company - is revealing more technical details about how the hacking software, Pegasus, is allegedly deployed against targets.

In the court filings last week, WhatsApp said its own investigation into how Pegasus was used against 1,400 users last year showed that servers controlled by NSO Group – not its government clients – were an integral part of how the hacks were executed.

WhatsApp has said victims of the hack received phone calls using its messaging app, and were infected with Pegasus. Then, it said: “NSO used a network of computers to monitor and update Pegasus after it was implanted on users’ devices. These NSO-controlled computers served as the nerve centre through which NSO controlled its customers’ operation and use of Pegasus.”
 
An EU-sponsored GDPR advice website run by Proton Technologies had a vulnerability that let anyone clone it and extract a MySQL database username and password.

The vulnerability in question allowed the entire contents of the website's /.git/ repository to be cloned, as Pen Test Partners explained in a blog post about what it found on advice site GDPR.eu.

"The irony of a EU-funded website about GDPR having security issues isn't lost on us," mused the security consultancy.

GDPR.eu is run by Proton Technologies AG, better known as the Swiss corporation behind email service ProtonMail, which prides itself on being the leader of the pack for all things security and privacy. While not an official site as such, it bears a prominent header that reads: "This project is co-funded by the Horizon 2020 Framework Programme of the European Union," along with an EU flag graphic.

Within the /.git/ repo were the keys to GDPR.eu's WordPress kingdom: a full and unabridged copy of wp-config.php. In a WordPress installation, wp-config.php is the critical file containing a plaintext copy of the username and password for the SQL database powering the entire site. Someone malicious with those creds could wipe the site, rewrite its contents or deface it.

"This is an internal system, so it wouldn't be a trivial matter to compromise it externally unless the password is re-used elsewhere," noted PTP, in fairness to Proton Technologies.

A spokesman for Proton Technologies told The Register this was a "legitimate finding" while agreeing with the level of seriousness.

He said: "We were informed of this issue on Friday, the 24th of April, and a fix was deployed shortly afterwards. gdpr.eu is hosted on independent third party infrastructure, does not contain any user data, and the information in the exposed git folder cannot lead to the gdpr.eu being defaced because database access is limited to internal only. Nevertheless this is a legitimate finding under our bug bounty program. It's important to note that no personal information is stored at gdpr.eu and at no point was any sensitive data at risk."

Should you have carelessly uploaded your /.git/ repository alongside your WordPress website, treat any creds in it – not just those in wp-config.php – as compromised and change them immediately, advised PTP. Such creds could include, for example, the admin username and password for the WordPress installation.
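PTP's finding rests on a mundane failure mode: the working copy, .git directory included, was deployed to the web root, so anyone could fetch /.git/HEAD and walk the object store. The Python below is an added example, not code from the post or from PTP. It builds a throwaway .git directory in a temp folder with a constructed wp-config.php stored as a loose blob, applies to HEAD the same sanity test you would apply to the body of a GET /.git/HEAD, decompresses the object the way git does, and pulls the DB_* defines out. Against a live site the objects would be fetched over HTTP instead of read from disk; the parsing is identical.

```python
"""Detect an exposed .git directory and recover wp-config.php from a loose object.

Added example; not from the original post or Pen Test Partners. It writes a
throwaway .git tree into a temp directory. The wp-config.php below is constructed.
"""
import hashlib
import os
import re
import tempfile
import zlib

SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_site' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'CorrectHorseBattery' );
define( 'DB_HOST', 'db.internal' );
"""

WP_DEFINE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def looks_like_exposed_git(head_body: str) -> bool:
    """True if a response body for /.git/HEAD is a symbolic ref or a bare commit id,
    i.e. a real HEAD file rather than an error page."""
    return bool(re.match(r"^(ref: refs/[\w./-]+|[0-9a-f]{40})$", head_body.strip()))


def write_loose_blob(git_dir: str, content: bytes) -> str:
    """Store content as a git loose blob and return its object id, exactly as git would:
    sha1 over 'blob <len>\\0<content>', zlib-compressed, at objects/xx/yyyy..."""
    raw = b"blob %d\0" % len(content) + content
    sha = hashlib.sha1(raw).hexdigest()
    obj_dir = os.path.join(git_dir, "objects", sha[:2])
    os.makedirs(obj_dir, exist_ok=True)
    with open(os.path.join(obj_dir, sha[2:]), "wb") as f:
        f.write(zlib.compress(raw))
    return sha


def read_loose_object(git_dir: str, sha: str):
    """Inflate a loose object and split off its '<type> <size>\\0' header."""
    with open(os.path.join(git_dir, "objects", sha[:2], sha[2:]), "rb") as f:
        raw = zlib.decompress(f.read())
    header, _, body = raw.partition(b"\0")
    kind, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError("object size mismatch")
    return kind, body


def extract_wp_db_creds(php_source: str) -> dict:
    """Pull the DB_* defines out of a wp-config.php."""
    return dict(WP_DEFINE.findall(php_source))


def demo():
    """Build the throwaway repo, then recover the credentials from it."""
    with tempfile.TemporaryDirectory() as tmp:
        git_dir = os.path.join(tmp, ".git")
        os.makedirs(git_dir)
        with open(os.path.join(git_dir, "HEAD"), "w") as f:
            f.write("ref: refs/heads/master\n")
        sha = write_loose_blob(git_dir, SAMPLE_WP_CONFIG.encode())
        with open(os.path.join(git_dir, "HEAD")) as f:
            exposed = looks_like_exposed_git(f.read())
        kind, body = read_loose_object(git_dir, sha)
        return exposed, kind, extract_wp_db_creds(body.decode())


if __name__ == "__main__":
    exposed, kind, creds = demo()
    print("HEAD looks like git:", exposed, "| object type:", kind)
    print("recovered:", {k: v for k, v in creds.items()})
```

The defender's version of this is the last step in reverse: a deny rule for /.git/ at the web server, never copying the working tree into the document root, and rotating every credential in the repository, not only the database password, if it was ever reachable.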
 
Foreign state hackers are trying to brute-force their way into pharmaceutical and medical research agencies hunting for a COVID-19 vaccine, British and American infosec agencies are warning.

The National Cyber Security Centre (NCSC) and America’s Cybersecurity and Infrastructure Security Agency (CISA) cautioned of a “password spraying” campaign targeting healthcare and medical research organisations.

Hostile countries are also said to be abusing a specific Citrix vulnerability (CVE-2019-19781) that, if unpatched, permits remote code execution by an unauthenticated user. In addition, they are also abusing vulns in VPNs from Palo Alto Networks, Fortinet and Pulse Secure to snare people working from home.

Paul Chichester, NCSC director of operations, said in a statement: “Protecting the healthcare sector is the NCSC’s first and foremost priority at this time, and we’re working closely with the NHS to keep their systems safe.”
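Password spraying is built to stay under per-account lockout thresholds: one or two guesses against each of many accounts rather than many guesses against one, so a detection keyed on failures per account sees nothing. The detection has to pivot on the source instead, counting distinct accounts that fail from one IP inside a window. The Python below is an added example, not code from the NCSC/CISA advisory; the log format and the lines are constructed (RFC 5737 addresses), and the window and threshold are assumptions to tune per environment.

```python
"""Password-spray detection: many accounts, few attempts each, one source.

Added example; not from the NCSC/CISA advisory. The log format and sample lines
are constructed; the 10-minute window and 5-user threshold are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed: a spray from 203.0.113.9 (one miss per account, then a hit on frank)
# and an ordinary user at 198.51.100.4 mistyping her password twice.
SAMPLE_AUTH_LOG = """\
2020-05-04T09:00:01Z ip=203.0.113.9 user=alice result=FAIL
2020-05-04T09:00:05Z ip=203.0.113.9 user=bob result=FAIL
2020-05-04T09:00:09Z ip=203.0.113.9 user=carol result=FAIL
2020-05-04T09:00:13Z ip=203.0.113.9 user=dave result=FAIL
2020-05-04T09:00:17Z ip=203.0.113.9 user=erin result=FAIL
2020-05-04T09:00:21Z ip=203.0.113.9 user=frank result=SUCCESS
2020-05-04T09:01:00Z ip=198.51.100.4 user=alice result=FAIL
2020-05-04T09:01:03Z ip=198.51.100.4 user=alice result=FAIL
2020-05-04T09:01:07Z ip=198.51.100.4 user=alice result=SUCCESS
"""

LINE = re.compile(r"(\S+) ip=(\S+) user=(\S+) result=(\S+)")


def parse_auth_log(text):
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           "ip": ip, "user": user, "result": result})
    return events


def peak_failures_per_account(events) -> dict:
    """Highest failure count any single account saw from each IP. This is what a
    per-account lockout policy looks at, and why it misses a spray."""
    counts = Counter((e["ip"], e["user"]) for e in events if e["result"] == "FAIL")
    peak = defaultdict(int)
    for (ip, _user), n in counts.items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """For each source IP, slide a window over its events and find the largest set of
    distinct accounts that failed inside it; alert when that set is >= min_users.
    Any successes from the same IP are reported so the compromised account is obvious."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        left, best = 0, set()
        for right, e in enumerate(evs):
            while e["ts"] - evs[left]["ts"] > window:
                left += 1
            users = {x["user"] for x in evs[left:right + 1] if x["result"] == "FAIL"}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            successes = sorted({x["user"] for x in evs if x["result"] == "SUCCESS"})
            alerts.append({"ip": ip, "failed_users": sorted(best), "successes": successes})
    return alerts


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("per-account peak failures:", peak_failures_per_account(evs))
    for a in detect_spray(evs):
        print(f"spray from {a['ip']}: {len(a['failed_users'])} accounts, got in as {a['successes']}")
```

The per-account view shows the spraying IP never exceeded one failure on any account, comfortably below any lockout setting, while the source-based view flags it immediately and names the account whose password it guessed. Internet-facing authentication endpoints (VPN concentrators, OWA, SSO portals) are where this should run, since those are the ones the advisory says are being targeted.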
 
The Norwegian Investment Fund has been swindled out of $10m (£8.2m) by fraudsters who pulled off what's been described as "an advance data breach."

Norfund – the world's largest sovereign wealth fund, created from saved North Sea Oil revenues and currently worth over $1tn – said a hacker was able to manipulate the organization into routing a loan intended for a Cambodian microfinance organization into an account controlled by the crooks. As a result, in March, 100m Kroner was lost.

The investment fund says the money appears to have been diverted from the organization in Cambodia to Mexico. Local and international police have been brought in to investigate the matter.

Details of the cyber-attack are scant. It may be a bog-standard business email compromise attack, in which a miscreant hijacks an email account to impersonate an employee or official to redirect cash meant for the Cambodian company to another bank account. Alternatively, it could have been something more intrusive.

"The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language," Norfund said on Wednesday of the heist. "Documents and payment details were falsified."

Again, this may be a generous way of saying someone got tricked into sending money into the wrong account with some forged invoices, or bogus emails, and poor invoice control.

Despite Norfund being worth over $1tn, the Norwegians aren't going to let this one slide. CEO Tellef Thorleifsson is promising swift action to prevent the organization from getting conned again - they are going to go viking on this one.

"This is a grave incident. The fraud clearly shows that we, as an international investor and development organisation, through active use of digital channels are vulnerable," he said.

"The fact that this has happened shows that our systems and routines are not good enough. We have [to] take immediate and serious action to correct this."

In addition to getting the cops involved, Norfund said it is working with the Norwegian Ministry of Foreign Affairs and its bank, DNB, to track down the thief and get the money back. PwC is also being called in to do an evaluation for the IT security setup at the fund.

"Norfund hopes that by being open about this incident we can contribute to reducing the risk of others being victims of similar fraudulent activities," the investment firm said.

One of Britain's most powerful academic supercomputers has fallen victim to a "security exploitation" of its login nodes, forcing the rewriting of all user passwords and SSH keys.

The intrusion, which is understood to be under investigation by GCHQ offshoot the National Cyber Security Centre (NCSC), rendered the ARCHER high-performance computing (HPC) network unavailable to its users on Tuesday.

Sysadmins warned ARCHER users that their SSH keys may have been compromised as a result of the apparent attack, advising them to "change passwords and SSH keys on any other systems which you share your ARCHER credentials with".

In a statement posted to the project's status page on Wednesday, ARCHER admins said it appeared several academic high-performance computers were disrupted across Europe in addition to the Cray-built ARCHER. They explained:

Due to a security exploitation on the ARCHER login nodes, the decision has been taken to disable access to ARCHER while further investigations take place.
Jobs that are currently running or queued will continue to run, but you will be unable to log in or to submit new jobs.

We now believe this to be a major issue across the academic community as several computers have been compromised in the UK and elsewhere in Europe. We have been working with the National Cyber Security Centre (NCSC) and Cray/HPE in order to better understand the position and plan effective remedies.

Knowledgeable sources speculated to The Register that ARCHER is an obvious resource for research work by computational biologists as well as those modelling the potential further spread of the novel coronavirus – and is therefore a target for hostile states looking to steal advances from British research into the virus, or to simply disrupt it.

American authorities are reportedly set to publicly blame China and Iran for trying to hack research institutions trying to develop a vaccine, according to an unsourced claim made in the New York Times newspaper. This appears to be linked to understated – and unspecific – warnings from NCSC earlier this month about advanced persistent threat (APT) hacker crews targeting counter-COVID-19 research.

Hosted by the University of Edinburgh, ARCHER is a Cray XC30 supercomputer with 118,080 Intel Xeon E5 CPU cores at its disposal. It was due to be retired and replaced this month, though the global pandemic has delayed its planned withdrawal. El Reg reported on ARCHER2 when it was confirmed in October 2019.

ARCHER is one of the most powerful supercomputers in the UK, although it is outclassed by the UK's most powerful publicly known super, an eight-petaFLOPS 241,920-core Cray-Intel machine operated by the Meteorological Office as well as the European Centre for Medium-Range Weather Forecasts's two Cray XC-40s, the Atomic Weapons Establishment's in-house supercomputer and others. It is ranked 334th on the TOP500 list of the world's most powerful supercomputers.

The latest updates on the ARCHER status page said: "Unfortunately, due to the severity of the situation, the ARCHER Service will not be returned before Friday 15th May. We will review the situation with UKRI and NCSC on Friday and will then provide a further update to you."

Professor Alan Woodward of the University of Surrey told The Register: "To see a Cray being attacked is very unusual so I imagine it must be the computing infrastructure around it that has been attacked. Most users obviously don't sit at a terminal directly attached to the supercomputers, so if the means for remote access is rendered inoperable it means the supercomputers become just an expensive lump of metal and silicon.

"Looks like someone has somehow managed to gain a secure shell on an access node. Assuming that's true, it's going to be a real pain as you’ll have to set everyone up again."

An NCSC spokesman told The Register: "We are aware of this incident and are providing support. The NCSC works with the academic sector to help them improve their security practices and protect its institutions from threats."
 
An important middleman in the UK's electrical power grid has suffered a cyber attack, though the lights are still on across good old Blighty.

Elexon, which reconciles electricity supply to the National Grid and issues bills for undersupply or oversupply, was struck by what appears to be a partially contained ransomware attack, judging by its effects on the company's operations.

"We are advising you that today that Elexon's internal IT systems have been impacted by a cyber attack," the firm said in a market update yesterday. "The attack is to our internal IT systems and Elexon's laptops only. We are currently working hard to resolve this. However please be aware that at the moment we are unable to send or receive any emails."

Elexon later added that it had identified the "root cause" and was "taking steps to restore our IT systems".

As well as its internal IT network, Elexon is responsible for the UK's Balancing and Settlement Code (BSC) and the systems underpinning that, a process explained in depth on its website. Briefly, Elexon captures data to figure out whether power generation companies owe extra to National Grid for undersupplying at key times or whether the grid owes them cash for requiring less electricity than forecast.

A complex and vital market mechanism, any failure in the BSC would cause severe headaches for accountants trying to reconcile their figures. The financial side of the UK's electricity market is, however, well insulated from the wiggly amps making their way along the nation's cables.

The National Grid said in a Twitter post addressing Elexon's outage: "Electricity supply is not affected. We have robust cybersecurity measures across our IT and operational infrastructure to protect against cyber threats."

Infosec specialist Jake Moore of antivirus firm ESET mused in a statement: "With all the hallmarks of ransomware, I would imagine they are in a dilemma as to if or how to pay. Obviously I would never recommend paying a ransom, but these days more and more companies are forced to pay to speed up the process of getting back to business as usual. However, this can be extremely costly to an organisation and it still doesn't confirm the data will be restored."

Problems with the National Grid tend to immediately grab public attention, and for good reason. Fluctuations in grid frequency, for example, can have earth-shattering – nay, train-halting – effects, as rail operator Thameslink found out the hard way in 2019, when almost its entire fleet of Siemens Desiro City trains sat down after the grid frequency dropped to 48.8Hz instead of its nominal 50.0Hz frequency, following a lightning strike.
 
Norwegian officers and soldiers have been exposed by their own mobile phones.
Nothing new here as such, that you shouldn't let apps use your location, but nicely illustrated with a picture.
 
Attackers are putting considerable skill and effort into penetrating industrial companies in multiple countries, with hacks that use multiple evasion mechanisms, an innovative encryption scheme, and exploits that are customized for each target with pinpoint accuracy.

The attacks begin with emails that are customized for each target, a researcher at security firm Kaspersky Lab reported this week. For the exploit to trigger, the language in the email must match the localization of the target’s operating system. For example, in the case of an attack on a Japanese company, the text of the email and an attached Microsoft Office document containing a malicious macro had to be written in Japanese. Also required: an encrypted malware module could be decrypted only when the OS had a Japanese localization as well.

Recipients who click on a request to urgently enable the document's active content will see no indication anything is amiss. Behind the scenes, however, a macro executes a PowerShell script. The reason it stays hidden is the command parameters:
  • ExecutionPolicy ByPass: overrides organization policies
  • WindowStyle Hidden: hides the PowerShell window
  • NoProfile: executes the script with no end-user configuration
 
A hackers-for-hire group dubbed “Dark Basin” has targeted thousands of individuals and hundreds of institutions around the world, including advocacy groups, journalists, elected officials, lawyers, hedge funds, and companies, according to the Internet watchdog Citizen Lab.

Researchers discovered almost 28,000 webpages created by hackers for personalized “spear phishing” attacks designed to steal passwords, according to a report published on Tuesday by Citizen Lab, part of the University of Toronto’s Munk School.

“We see them again and again in areas where business and politics is contentious,” said John Scott-Railton, the lead author of the report, who said the hackers were “brazen, they seem to think they are untouchable.”

The report said a large cluster of targeted individuals and organizations were involved in environmental issues and had campaigned against ExxonMobil, the US oil producer. They included the Rockefeller Family Fund, the Climate Investigations Center, Greenpeace, the Conservation Law Foundation, and the Union of Concerned Scientists. Exxon declined to comment before “reviewing the full report.”

“The growth of a hacking-for-hire industry may be fueled by the increasing normalization of other forms of commercialized cyber offensive activity, from digital surveillance to ‘hacking back,’ whether marketed to private individuals, governments or the private sector,” the report said.
 
The APT known as TA410 has added a modular remote-access trojan (RAT) to its espionage arsenal, deployed against Windows targets in the United States’ utilities sector.

According to researchers at Proofpoint, the RAT, called FlowCloud, can access installed applications and control the keyboard, mouse, screen, files, services and processes of an infected computer, with the ability to exfiltrate information to a command-and-control (C2) provider. It appears to be related to previous attacks delivering the LookBack malware.

The RAT first scurried onto the scene last summer as part of a spear-phishing campaign. Utility providers received training- and certification-related emails with subject lines such as “PowerSafe energy educational courses (30-days trial),” containing portable executable (PE) attachments, according to a Monday Proofpoint analysis.
 
The list of sophisticated eavesdropping techniques has grown steadily over years: wiretaps, hacked phones, bugs in the wall—even bouncing lasers off of a building's glass to pick up conversations inside. Now add another tool for audio spies: Any light bulb in a room that might be visible from a window.

Researchers from Israeli's Ben-Gurion University of the Negev and the Weizmann Institute of Science today revealed a new technique for long-distance eavesdropping they call "lamphone." They say it allows anyone with a laptop and less than a thousand dollars of equipment—just a telescope and a $400 electro-optical sensor—to listen in on any sounds in a room that's hundreds of feet away in real-time, simply by observing the minuscule vibrations those sounds create on the glass surface of a light bulb inside. By measuring the tiny changes in light output from the bulb that those vibrations cause, the researchers show that a spy can pick up sound clearly enough to discern the contents of conversations or even recognize a piece of music.

"Any sound in the room can be recovered from the room with no requirement to hack anything and no device in the room," says Ben Nassi, a security researcher at Ben-Gurion who developed the technique with fellow researchers Yaron Pirutin and Boris Zadov, and who plans to present their findings at the Black Hat security conference in August. "You just need line of sight to a hanging bulb, and this is it."
 
Researchers have discovered a new Android spyware, dubbed ActionSpy, targeting victims across Tibet, Turkey and Taiwan. The spyware is distributed either via watering-hole websites or fake websites.

Researchers believe ActionSpy is being used in ongoing campaigns to target Uyghur victims. The Uyghurs, a Turkic minority ethnic group affiliated with Central and East Asia, have previously been targeted in spyware attacks. Though they first discovered the spyware in April 2020, researchers believe ActionSpy has existed for at least three years based on its certificate sign time.

“ActionSpy, which may have been around since 2017, is an Android spyware that allows the attacker to collect information from the compromised devices,” said researchers with Trend Micro in a Thursday analysis. “It also has a module designed for spying on instant messages… and collecting chat logs from four different instant messaging applications.”
 
In early 2017, WikiLeaks began publishing details of top-secret CIA hacking tools that researchers soon confirmed were part of a large tranche of confidential documents stolen from one of the agency's isolated, high-security networks. The leak—comprising as much as 34 terabytes of information and representing the CIA's biggest data loss in history—was the result of "woefully lax" practices, according to portions of a report that were published on Tuesday.

Vault 7, as WikiLeaks named its leak series, exposed a trove of the CIA's most closely guarded secrets. They included a simple command line that agency officers used to hack network switches from Cisco and attacks that compromised Macs, in one case using a tool called Sonic Screwdriver, which exploited vulnerabilities in the extensible firmware interface that Apple used to boot devices. The data allowed researchers from security firm Symantec to definitively tie the CIA to a hacking group they had been tracking since 2011.
 
Millions of law enforcement documents—some showing pictures of suspects, bank account numbers, and other sensitive information—have been published on a website that holds itself out as an alternative to WikiLeaks, according to the security news website KrebsOnSecurity.

DDOSecrets, short for Distributed Denial of Secrets, published what it said were millions of documents stolen from more than 200 law enforcement groups around the country. Reporter Brian Krebs, citing the organization National Fusion Center Association (NFCA), confirmed the validity of the leaked data. DDOSecrets said the documents spanned at least a decade, although some of the dates in documents suggested a timespan twice as long.

Dates on the most recent documents were from earlier this month, suggesting the hack that first exposed the documents happened in the last three weeks. The documents, which were titled “BlueLeaks,” were published on Friday, the date of this year’s Juneteenth holiday celebrating the emancipation of enslaved African Americans in the Confederacy. BlueLeaks had special significance in the aftermath of a Minneapolis police officer suffocating a handcuffed Black man to death when the officer placed his knee on the man's neck for 8 minutes and 45 seconds.

Over the weekend, critics of police abuse took to social media to celebrate the leak and display documents that purportedly came from it. Some of them included:

The link hosting the data only sporadically loads and, more often than not, times out before loading the index page. When it does display, the page organizes leaked documents both by the law enforcement agency they came from and often by names of individuals purportedly associated with a document. Once again, clicking on a link more often than not fails to load the document. BitTorrent links have also been made available, but they too fail.

What that means is that most of the world has only seen a small portion of the leak in tiny snippets without the ability to analyze the leak in its entirety firsthand.

The leaks, according to Krebs, are the result of a hack on the server of Netsential, a Houston-based Web development firm that caters to law enforcement groups, among other customers. Much of the pilfered data was distributed through law enforcement "fusion centers" across the United States that act as hubs for federal, state, and local agencies to share information. Krebs also quoted a former assistant secretary of policy at the US Department of Homeland Security saying that some of the exposed data could endanger the safety of individual sources by identifying them publicly.

In an article published by Wired, however, DDOSecrets co-founder Emma Best said that she spent a week prior to leak publication removing about 50 gigabytes of material disclosing sensitive details about crime victims, children, and information on unrelated private businesses, health care, and retired veterans’ associations.

“It’s the largest published hack of American law enforcement agencies,” Best told the publication in a series of text messages. “It provides the closest inside look at the state, local, and federal agencies tasked with protecting the public, including [the] government response to COVID and the BLM protests.”
 