A hacktivist group known as Twelve has been observed using an arsenal of publicly available tools to conduct destructive cyber attacks against Russian targets.
"Rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims' data and then destroy their infrastructure with a wiper to prevent recovery," Kaspersky said in a Friday analysis.
"The approach is indicative of a

A hacktivist group known as Twelve has been observed using an arsenal of publicly available tools to conduct destructive cyber attacks against Russian targets.

"Rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims' data and then destroy their infrastructure with a wiper to prevent recovery," Kaspersky said in a Friday analysis.

"The approach is indicative of a desire to cause maximum damage to target organizations without deriving direct financial benefit."

The hacking group, believed to have been formed in April 2023 following the onset of the Russo-Ukrainian war, has a track record of mounting cyber attacks that aim to cripple victim networks and disrupt business operations.

It has also been observed conducting hack-and-leak operations that exfiltrate sensitive information, which is then shared on its Telegram channel.

Kaspersky said Twelve shares infrastructural and tactical overlaps with a ransomware group called DARKSTAR (aka COMET or Shadow), raising the possibility that the two intrusion sets are likely related to one another or part of the same activity cluster.

"At the same time, whereas Twelve's actions are clearly hacktivist in nature, DARKSTAR sticks to the classic double extortion pattern," the Russian cybersecurity vendor said. "This variation of objectives within the syndicate underscores the complexity and diversity of modern cyberthreats."

The attack chains start with gaining initial access by abusing valid local or domain accounts, after which the Remote Desktop Protocol (RDP) is used to facilitate lateral movement. Some of these attacks are also carried out via the victim's contractors.

"To do this, they gained access to the contractor's infrastructure and then used its certificate to connect to its customer's VPN," Kaspersky noted. "Having obtained access to that, the adversary can connect to the customer's systems via the Remote Desktop Protocol (RDP) and then penetrate the customer's infrastructure."

Prominent among the other tools used by Twelve are Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec for credential theft, discovery, network mapping, and privilege escalation. The malicious RDP connections to the system are tunneled through ngrok.

Also deployed are PHP web shells with capabilities to execute arbitrary commands, move files, or send emails. These programs, such as the WSO web shell, are readily available on GitHub.

In one incident investigated by Kaspersky, the threat actors are said to have exploited known security vulnerabilities (e.g., CVE-2021-21972 and CVE-2021-22005) in VMware vCenter to deliver a web shell that then was used to drop a backdoor dubbed FaceFish.

"To gain a foothold in the domain infrastructure, the adversary used PowerShell to add domain users and groups, and to modify ACLs (Access Control Lists) for Active Directory objects," it said. "To avoid detection, the attackers disguised their malware and tasks under the names of existing products or services."

Some of the names used include "Update Microsoft," "Yandex," "YandexUpdate," and "intel.exe."

The attacks are also characterized by the use of a PowerShell script ("Sophos\_kill\_local.ps1") to terminate processes related to Sophos security software on the compromised host.

The concluding stages entail using the Windows Task Scheduler to launch ransomware and wiper payloads, but not before gathering and exfiltrating sensitive information about their victims via a file-sharing service called DropMeFiles in the form of ZIP archives.

"The attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data," Kaspersky researchers said. "Before starting work, the ransomware terminates processes that may interfere with the encryption of individual files."

The wiper, identical to the Shamoon malware, rewrites the master boot record (MBR) on connected drives and overwrites all file contents with randomly generated bytes, effectively preventing system recovery.

"The group sticks to a publicly available and familiar arsenal of malware tools, which suggests it makes none of its own," Kaspersky noted. "This makes it possible to detect and prevent Twelve's attacks in due time."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hacktivist Group Twelve Targets Russian Entities with Destructive Cyber Attacks

The U.K. Information Commissioner's Office (ICO) has confirmed that professional social networking platform LinkedIn has suspended processing users' data in the country to train its artificial intelligence (AI) models.
"We are pleased that LinkedIn has reflected on the concerns we raised about its approach to training generative AI models with information relating to its U.K. users," Stephen

Privacy / Artificial Intelligence

The U.K. Information Commissioner's Office (ICO) has confirmed that professional social networking platform LinkedIn has suspended processing users' data in the country to train its artificial intelligence (AI) models.

"We are pleased that LinkedIn has reflected on the concerns we raised about its approach to training generative AI models with information relating to its U.K. users," Stephen Almond, executive director of regulatory risk, said.

"We welcome LinkedIn's confirmation that it has suspended such model training pending further engagement with the ICO."

Almond also said the ICO intends to closely keep an eye on companies that offer generative AI capabilities, including Microsoft and LinkedIn, to ensure that they have adequate safeguards in place and take steps to protect the information rights of U.K. users.

The development comes after the Microsoft-owned company admitted to training its own AI on users' data without seeking their explicit consent as part of an updated privacy policy that went into effect on September 18, 2024, 404 Media reported.

"At this time, we are not enabling training for generative AI on member data from the European Economic Area, Switzerland, and the United Kingdom, and will not provide the setting to members in those regions until further notice," Linked said.

The company also noted in a separate FAQ that it seeks to "minimize personal data in the data sets used to train the models, including by using privacy enhancing technologies to redact or remove personal data from the training dataset."

Users who reside outside Europe can opt out of the practice by heading to the "Data privacy" section in account settings and turning off the "Data for Generative AI Improvement" setting.

"Opting out means that LinkedIn and its affiliates won't use your personal data or content on LinkedIn to train models going forward, but does not affect training that has already taken place," LinkedIn noted.

LinkedIn's decision to quietly opt in all users for training its AI models comes only days after Meta acknowledged that it has scraped non-private user data for similar purposes going as far back as 2007. The social media company has since resumed training on U.K. users' data.

Last August, Zoom abandoned its plans to use customer content for AI model training after concerns were raised over how that data could be used in response to changes in the app's terms of service.

The latest development underscores the growing scrutiny of AI, specifically surrounding how individuals' data and content could be used to train large AI language models.

It also comes as the U.S. Federal Trade Commission (FTC) published a report that essentially said large social media and video streaming platforms have engaged in vast surveillance of users with lax privacy controls and inadequate safeguards for kids and teens.

The users' personal information is then often combined with data gleaned from artificial intelligence, tracking pixels, and third-party data brokers to create more complete consumer profiles before being monetized by selling it to other willing buyers.

"The companies collected and could indefinitely retain troves of data, including information from data brokers, and about both users and non-users of their platforms," the FTC said, adding their data collection, minimization, and retention practices were "woefully inadequate."

"Many companies engaged in broad data sharing that raises serious concerns regarding the adequacy of the companies' data handling controls and oversight. Some companies did not delete all user data in response to user deletion requests."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

LinkedIn Halts AI Data Processing in UK Amid Privacy Concerns Raised by ICO

Ukraine has restricted the use of the Telegram messaging app by government officials, military personnel, and other defense and critical infrastructure workers, citing national security concerns.
The ban was announced by the National Coordination Centre for Cybersecurity (NCCC) in a post shared on Facebook.
"I have always advocated and advocate for freedom of speech, but the issue of Telegram is

National Security / Cyber Attack

Ukraine has restricted the use of the Telegram messaging app by government officials, military personnel, and other defense and critical infrastructure workers, citing national security concerns.

The ban was announced by the National Coordination Centre for Cybersecurity (NCCC) in a post shared on Facebook.

"I have always advocated and advocate for freedom of speech, but the issue of Telegram is not a question of freedom of speech, it is a matter of national security," Kyrylo Budanov, head of Ukraine's GUR military intelligence agency, said.

Ukraine's National Security and Defense Council (NSDC) said that Telegram is "actively used by the enemy" to launch cyber attacks, spread phishing messages and malicious software, track users' whereabouts, and gather intelligence to help the Russian military target Ukraine's facilities with drones and missiles.

To that end, the use of Telegram has been proscribed on official devices of employees of state authorities, military personnel, employees of the security and defense sector, as well as enterprises that are operators of critical infrastructure.

It's worth noting that the ban does not extend to personal phones, or people who use the app as part of their official duties.

In a statement shared with Reuters, Telegram said it has not provided any personal data to any country, including Russia, and that deleted messages are permanently deleted with no way of recovering them.

The development comes weeks after Telegram's CEO was arrested in France and then released on bail in connection with an investigation into the use of the popular messaging app for child pornography, drug trafficking, and fraud.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ukraine Bans Telegram Use for Government and Military Personnel

Plus: The FBI dismantles the largest-ever China-backed botnet, the DOJ charges two men with a $243 million crypto theft, Apple’s MacOS Sequoia breaks cybersecurity tools, and more.

The week was dominated by news that thousands of pagers, walkie-talkies and other devices were exploding across Lebanon on Tuesday and Wednesday in an attack targeting the militant group Hezbollah. At least 32 people were killed, including at least four children, and more than 3,200 people were injured. The covert campaign has widely been attributed to Israel, though none of the country's government agencies have commented.

In addition to the carnage, the attacks have—seemingly by design—had the effect of sowing paranoia and fear, not just among members of Hezbollah but also in the general Lebanese public. Hardware and warfare experts say that the incident is unlikely to establish a global precedent that people's most trusted communication devices and electronics, like smartphones, are rigged with explosives left and right. But it does create the potential to inspire copycats and puts defenders on notice that such attacks are possible.

Researchers say that China’s 2023 Zhujian Cup, a hacking competition with ties to the country's military, took the unusual step of requiring participants to keep the content of the exercise secret—and they may have been targeting a real victim as part of the event. Apple’s new stand-alone app Passwords that launched with iOS 18 may help solve your login problems. And a now-deleted post from billionaire Elon Musk that questioned why no one has attempted to assassinate Joe Biden and Kamala Harris renewed concerns this week that Musk is willing to inspire extremist violence and is a national security threat in the United States.

And there's more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Last month, media outlets, Microsoft, and Google warned that an Iranian state-sponsored hacking group known as APT42 had targeted both the Joe Biden and Donald Trump political campaigns, and that it had successfully stolen emails from the Trump campaign that were later shared with reporters. Now the FBI has chimed in with the added revelation that the same hackers also sent those stolen Trump communications to the Democrats, too—though for now there's no sign that the Democrats solicited those emails from the Iranians or necessarily even received the Iranians' message.

Republicans were nonetheless quick to compare the news to accusations that the Trump campaign “colluded” with the Russian hackers, part of the Kremlin's GRU military intelligence agency, who breached the Democratic National Committee and the Clinton Campaign in 2016 to carry out a hack-and-leak operation. In a statement, the Trump campaign demanded that the Democrats “must come clean on whether they used the hacked material.” The Harris campaign told CNN that it has cooperated with law enforcement and that it was “not aware of any material being sent directly to the campaign,” believing the emails to be spam or phishing attempts. “We condemn in the strongest terms any effort by foreign actors to interfere in US elections, including this unwelcome and unacceptable malicious activity,” Morgan Finkelstein, the national security spokesperson for the Harris campaign, told CNN.

**FBI Dismantles the Largest-Ever Chinese State-Sponsored Botnet**

The FBI announced this week that it had taken down a network of hacked machines being secretly controlled by a Chinese state-sponsored hacking group known as Flax Typhoon. The botnet, made up of 260,000 routers and internet-of-things devices, was allegedly being run by a Chinese contractor known as the Beijing Integrity Technology Group, a rare instance of a known, publicly traded company operating essentially a massive collection of hacked devices on behalf of the Chinese state. The botnet, according to the FBI and security firm Black Lotus Labs, had been used to hack government agencies, defense contractors, telecoms, and other US and Taiwanese targets. At the time of its takedown, the botnet still encompassed 60,000 machines, making it the largest Chinese state-sponsored botnet ever, according to Black Lotus Labs.

**Two Men Charged With Stealing $243M in Cryptocurrency Using Social Engineering Scam**

On Wednesday night, two young men were arrested after they allegedly stole hundreds of millions of dollars of cryptocurrency and spent the earnings on luxury cars, watches, jewelry, and designer handbags. In an unsealed indictment, the US Department of Justice charged Malone Lam, 20, known online as “Anne Hathaway” and Jeandiel Serrano, 21, aka “VersaceGod,” with stealing $243 million in cryptocurrency and laundering the proceeds through mixing services to conceal the origin.

CoinDesk reported that the men allegedly tricked the heist’s victim, a creditor of the now-defunct trading firm Genesis, using a social engineering scam that led them to reset their Gemini two-factor authentication and transfer 4,100 bitcoin to a compromised wallet. An analysis of the transaction by blockchain investigator ZachXBT revealed that the $243 million was divided among multiple wallets and then distributed to over 15 exchanges.

**Apple MacOS Update Breaks Some Cybersecurity Tools**

On Thursday, TechCrunch reported that Apple's latest desktop operating system update, macOS 15 (Sequoia), breaks some functionality of major security tools made by CrowdStrike, SentinelOne, and Microsoft. It’s unclear what specifically in the update is causing the issues, but social media posts and internal Slack messages reviewed by the tech outlet show that the update has frustrated engineers working on macOS-focused security tools.

A CrowdStrike sales engineer informed colleagues via Slack, as seen by TechCrunch, that the company would not be able to support Sequoia on day one, despite its usual practice of quickly supporting new OS releases. While they hope for a quick patch, they will likely need to scramble to resolve the issue with an update in their own code, assuming no immediate fix is available from Apple, which has not yet commented on the issue.

**Leader of Crypto Extortion Gang Sentenced to 47 Years**

Cryptocurrency theft has become practically a common-garden form of cybercrime. But one brutal gang took that form of thievery to a new level of cruelty and violence, breaking into a series of victims' homes to threaten and extort them into handing over their crypto holdings, sometimes even resorting to kidnapping and torture. This week, that disturbing story came to a close with the sentencing of the group's ring leader, a Florida man named Remy St. Felix, to 47 years in prison. St. Felix is one of 12 members of the gang to have now been charged, convicted, and sentenced. Prior to the home invasions that St. Felix led, another member of the group named Jarod Seemungal allegedly stole millions with more traditional crypto hacking techniques. But St. Felix's more violent, offline extortion attempts netted his gang only around $150,000 in cryptocurrency before they were caught and sentenced to years behind bars. The lesson: Crime doesn't pay—or at least, not the physical kind.

Iranian Hackers Tried to Give Hacked Trump Campaign Emails to Dems

The FOCAL plan outlines baselines to synchronize cybersecurity priorities and policies across, as well as within, agencies.

Source: ronstik via Alamy Stock Photo

The US Cybersecurity and Infrastructure Security Agency released a plan to align the “collective operational defense capabilities” of federal agencies to reduce their cyber-risk. The plan’s focus is to have more synchronized and robust cyber defenses, improved communications, and better agility and resilience in the federal government.

For the most part, federal agencies built out their own defense capabilities based on the threats they are facing. As a result, the agencies vary widely in how effectively they manage risks, and there is no “no cohesive or consistent baseline security posture," CISA said. This discrepancy means despite investing in cybersecurity, the agencies are still vulnerable to threats.

“Collective operational defense is required to adequately reduce risk posed to more than 100 FCEB agencies and to address dynamic cyber threats to government services and data,” CISA said.

In the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) plan, CISA sets out both “broad organizing concepts for federal cybersecurity” and tactical guidance agencies should implement. The plan covers daily activities and processes organizations should be using to defend their data and information systems, and spans five areas: asset management, vulnerability management, defensible architecture, cyber supply chain risk management, and incident response. It also sets collective security goals for the enterprise and provides a framework for coordinated support and services.

It is not intended to provide a comprehensive or exhaustive list of everything that an agency has to accomplish.

“The actions in the FOCAL plan orient and guide FCEB agencies toward effective and collaborative operational cybersecurity and will build resilience,” Jeff Greene, CISA’s executive assistant director for cybersecurity, said in a statement.

The essential components of FOCAL are “solid,” says John Vecchi, security strategist at Phosphorus Security. There are “very wide disparities” between agencies from a cyber maturity and culture perspective, but these agencies can achieve a “more consistent cybersecurity posture and baseline security hygiene” if FOCAL’s basics are implemented, Vecchi says.

However, accomplish a task of this magnitude can be challenge, Vecchi notes. Agency IT teams still need the staff, knowledge, and skills to actually deploy and implement the technologies and processes. The sheer number of security tools needed to accomplish the various elements in the plan could pose problems for agency security teams. While the focus on patching and vulnerability management is essential, these two areas are difficult to implement at scale.

It's also important to remember that about a third of the assets across these agencies represent smart devices, Internet of Things , operational technology, and embedded devices, Vecchi says. These types of systems are often out of compliance in terms of security hygiene.

“Resource allocation will most certainly be an issue here, but my guess is that the vast number of disparate teams and cultural differences across all of the agencies will present an even bigger and more immediate challenge,” Vecchi says. “It can be quite challenging for different teams within a single agency to collaborate effectively, let alone across so many unique, independent agencies and networks.”

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

CISA Releases Plan to Align Cybersecurity Across Federal Agencies

The critical bug, CVE-2024-8963, can be used in conjunction with the prior known flaw to achieve remote code execution (RCE).

Source: Kristoffer Tripplaar via Alamy Stock Photo

Less than two weeks after patching one flaw, Ivanti announced on Sept. 19 that a second, critical Cloud Services Appliance (CSA) vulnerability is being exploited in the wild.

The vulnerability (CVE-2024-8963, CVSS 9.4) is a path traversal in Ivanti CSA that allows a remote, unauthenticated attacker to access restricted functionalities. Attackers have chained it to the previously disclosed flaw, CVE-2024-8190, which is a high-severity OS command injection flaw that can allow unauthorized access to devices. The chain can be exploited for remote code execution (RCE), if the attacker has admin-level privileges.

"If CVE-2024-8963 is used in conjunction with CVE-2024-8190 an attacker can bypass admin authentication and execute arbitrary commands on the appliance," the enterprise said.

The news comes during an ongoing series of security issues Ivanti has faced since 2023.

**Not First & Likely Not the Last**

Just this year alone, Ivanti has faced flaw after flaw; in February, the Cybersecurity and Infrastructure Security Agency (CISA) ordered Ivanti VPN appliances be disconnected, rebuilt, and reconfigured in 48 hours, after there were concerns that multiple threat actors were exploiting security flaws found in the systems.

In April, foreign nation-state hackers took advantage of vulnerable Ivanti gateway devices and attacked MITRE, breaking its 15-year streak of being incident free. And MITRE wasn’t alone in this, as thousands of Ivanti VPN instances were compromised due to two unpatched zero-day vulnerabilities.

And in August, Ivanti's Virtual Traffic Manager (vTM) harbored a critical vulnerability that could have led to authentication bypass and creation of an administrator user without the patch that the enterprise provided.

"These known but unpatched vulnerabilities have emerged a favorite target for attackers because they are easy to exploit and oftentimes organizations have no idea that devices with EOL systems are still running in their network," Greg Fitzgerald, co-founder of Sevco Security, said in an emailed statement to Dark Reading.

**Protection in an Ongoing Storm**

To mitigate this threat, Ivanti recommends that its customers upgrade the Ivanti CSA 4.6 to CSA 5.0. They can also update CSA 4.6 Patch 518 to Patch 519; however, this product has entered end of life, so it's recommended to upgrade to CSA 5.0 instead. 

In addition to this, Ivanti recommends that all customers ensure dual-homed CSA configurations with eth0 as an internal network.

Customers should review the CSA for modified or newly added administrators if they are concerned that they may have been compromised. If users have endpoint detection and response (EDR) installed, it's recommended to review those alerts as well. 

Users can request help or ask questions by logging a case or requesting a call through Ivanti's Success Portal.

Ivanti's Cloud Service Appliance Attacked via Second Vuln

A North Korean advanced persistent threat (APT) actor (aka Gleaming Pisces) tried to sneak simple backdoors into public software packages.

Source: Chronicle via Alamy Stock Photo

One of North Korea's most sophisticated threat groups has been hiding remote access malware for macOS and Linux inside of open source Python packages.

North Korean advanced persistent threats (APTs) have become notorious for certain characteristic types of cyberattack in recent years. There's the cryptocurrency scam, which can come in many forms — often a fake trading platform, where victims are lured into divulging their wallet information or downloading malware. Supply chain attacks are common, particularly via poisoned packages typosquatting on public repositories. An impish recent trend involves contracting actual, honest labor to Western companies under false pretenses, then sending the salaries earned back to Kim's state. The reverse — agents posing as tech recruiters, convincing developers to download malware — is also common.

The group, which Palo Alto's Unit 42 tracks as Gleaming Pisces (and Microsoft as Citrine Sleet), seems to have supplemented category one with category two. Active since 2018, the financially motivated, DPRK Reconnaissance General Bureau (RGB)-linked group is known for attacks weaponizing fake crypto platforms. Unit 42 now assesses with medium confidence that it was responsible for uploading a handful of malicious packages to the Python Package Index (PyPI) back in February. The packages have since been taken down.

**DPRK-Poisoned PyPI Packages**

Most packages uploaded to open source repositories are simple by nature. As Louis Lang, co-founder and chief technology officer (CTO) at Phylum recalls, "What was interesting about these packages was that there was a higher order of complexity than you typically find among benign packages."

Phylum had identified four packages worth taking a second look at: real-ids, minisound, coloredtxt, and beautifultext. The innocuous names seemed to allude to legitimate functionality, like syntax highlighting for terminal outputs.

In reality, the packages contained malicious code that would be decoded and executed upon download. The code would then run bash commands in order to retrieve and download a remote access Trojan (RAT) called "PondRAT."

PondRAT is an entirely simple backdoor, capable of just a few functions: uploading and downloading files, checking to see that an implant is active or instructing it to sleep, and executing commands issued by the operator. It is, in essence, a "light" version of PoolRAT. PoolRAT is a known Gleaming Pisces backdoor for macOS that has a half dozen more standard capabilities than its successor, like listing directories, deleting files, etc.

**No Need for Windows**

More notable than the malware itself may be the fact that its authors wrote it only for macOS and Linux systems.

Forgoing hackers' long preferred Windows operating system makes sense, though, when one considers Gleaming Pisces' typical audience. As Lang explains, "They're targeting the actual builders, CI/CD infrastructure, developer workstations — environments that are overwhelmingly going to be Linux or macOS based. Very few people are doing development on straight Windows. So if you are targeting developers, it makes sense to ship variants for these systems, because that's where your target population lives."

Developers, then, need to be alert to phishing attacks, like those fake crypto platforms and job recruitment scams. Because while it's rare that anyone might pull an unpopular, ultra-generic package from PyPI, it's entirely likely that that same package could be quietly integrated into a broader infection chain.

"If you add a package, it could have downstream impacts, where you're actually pulling in 30, 40 other packages it may \[be connected to\]. So if I was a developer, I'd be very cognizant of what I'm installing, and try to minimize the attack surface by minimizing the number packages I'm pulling in. And then, obviously, scan the packages — look for these zombies, look for high-entropy strings, look for code obfuscation," Lang suggests.

"Like we always say," he adds, "you're one update away from malware."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Citrine Sleet Poisons PyPI Packages With Mac &amp; Linux Malware

Critical-rated CVE-2024-20017 allows remote code execution (RCE) on a range of phones and Wi-Fi access points from a variety of OEMs.

Source: Ros Drinkwater via Alamy Stock Photo

A nearly max-critical zero-click vulnerability is impacting MediaTek Wi-Fi chipsets and driver bundles used in routers and smartphones from various manufacturers, including Ubiquiti, Xiaomi, and Netgear.

According to SonicWall Capture Labs researchers who found the issue (CVE-2024-20017, CVSS 9.8), exploitation would open the door to remote code execution (RCE) without user interaction, making the bug a conduit for easy device takeover. Making matters worse, a public proof-of-concept exploit (PoC) recently became available, they warned.

The issue affects MediaTek SDK versions 7.4.0.1 and earlier, as well as OpenWrt 19.07 and 21.02, and affected users should apply the available MediaTek patches as soon as possible.

In terms of the technical details, the vulnerability is an out-of-bounds write issue that resides in wappd, a network daemon responsible for configuring and managing wireless interfaces and access points.

"The architecture of wappd is complex, comprising the network service itself, a set of local services that interact with the device's wireless interfaces, and communication channels between components via Unix domain sockets," the researchers explained in a blog post on the issue this week. "Ultimately, the vulnerability is a buffer overflow as a result of a length value taken directly from attacker-controlled packet data without bounds checking and placed into a memory copy."

**About the Author**

Zero-Click MediaTek Bug Opens Phones, Wi-Fi to Takeover

German authorities dismantled Boystown, a notorious Dark Web platform for CSAM, by deanonymizing Tor users in 2021. This…

German authorities dismantled Boystown, a notorious Dark Web platform for CSAM, by deanonymizing Tor users in 2021. This breakthrough raises concerns over Tor’s privacy as law enforcement targets criminal activities on the Dark Web.

German authorities, in collaboration with several international law enforcement agencies, successfully dismantled “Boystown,” a notorious dark web platform dedicated to child sexual abuse material (CSAM). This happened in April 2021 but the details of it have only been revealed now. What’s even crazier is that according to German media, authorities managed to deanonymize Tor users involved with the CSAM site and successfully arrest them.

With over 400,000 registered users, the site had been operational since 2019 and hosted some of the most severe forms of abuse, with many of the victims being young boys. The German Federal Criminal Police led this operation with support from Europol, alongside agencies from the Netherlands, the U.S., Canada, and several other countries.

Boystown’s administrators, three German men, were arrested, and a fourth suspect was detained in Paraguay, with extradition requested by Germany. These individuals helped users evade detection while facilitating the distribution of illegal content.

The platform was shut down in April 2021, and its chatrooms were also dismantled. This international operation marked a significant blow to illegal dark web activity involving CSAM.

****Deanonymizing Tor Nodes****

According to NDR’s report, German authorities’ ability to deanonymize users of Tor—a network designed for anonymity—played a crucial role in the success of this operation. Through surveillance of specific Tor nodes, they identified users accessing the site.

However, such breakthroughs have raised concerns about the safety of Tor’s anonymity features, even though the Tor Project insists its network remains secure. In its blog post, the Tor Project acknowledged being aware of the claims made in NDR’s report. However, the organization also stated that it had not received proof of concept (PoC) or documents independently verifying these claims from German authorities.

> _“_The Tor Project has not been granted access to supporting documents and has not been able to independently verify if this claim is true, if the attack took place, how it was carried out, and who was involved. In the absence of facts, it is hard for us to issue any official guidance or responsible disclosures to the Tor community, relay operators, and users at this time._“_
> 
> Isabela Fernandes – Executive Director of the Tor Project

Nevertheless, experts suggest that outdated software, combined with increased scrutiny of specific exit nodes, may have led to the identification of Boystown’s users. The implications of this case extend beyond just CSAM offenders. It has raised alarms among those who use Tor for legitimate purposes, such as whistleblowers and activists.

While privacy advocates fear that increased law enforcement surveillance of Tor could jeopardize users’ anonymity, authorities argue that targeting criminal activities like Boystown is a necessary step to protect the vulnerable.

This development indicates that law enforcement agencies may continue enhancing their surveillance of darknet activity. Though Tor remains a vital tool for privacy, these cases show that it is not entirely immune to infiltration, especially when outdated systems or weak links are involved.

If you are on the Tor browser stop illegal activities. For whistleblowers and journalists, here are five tips to help lay users better secure their Tor Browser:

1.  **Keep Tor Browser Updated**: Always use the latest version of the Tor Browser, as updates include important security patches that fix vulnerabilities. You can check for updates through the browser’s settings or download the newest version directly from the Tor Project website.
2.  **Disable JavaScript**: JavaScript can be used to exploit vulnerabilities and deanonymize users. To further enhance your security, disable JavaScript through the browser’s settings or use the “Safest” security level, which disables JavaScript by default. You can adjust the security settings by clicking the shield icon next to the address bar.
3.  **Avoid Installing Browser Add-ons**: Tor comes with privacy-enhancing features, and installing third-party add-ons could weaken your anonymity by introducing new vulnerabilities or leaking information unintentionally.
4.  **Use Bridges and Pluggable Transports**: If you are in a country or region that blocks Tor or monitors access to Tor nodes, use bridges or pluggable transports to circumvent censorship and avoid detection. These tools disguise your Tor traffic, making it harder for ISPs and governments to identify that you’re using Tor.
5.  **Don’t Use Personal Information**: Avoid logging into accounts that are linked to your real identity (e.g., personal email or social media) when using Tor. This undermines anonymity and could reveal your true identity through cookies or other tracking mechanisms. Consider using pseudonyms or temporary email accounts when browsing.

1.  **Tor Browser Flow Leaks Your Real IP Address**
2.  **23% of Tor browser relays found to be stealing Bitcoin**
3.  **What is Dark Web, Search Engines, What Not to Do on Dark Web**
4.  **Microsoft Defender Flags Tor Browser as Win32/Malgent!MTB Malware**
5.  **OnionPoison – Fake Tor Browser Installer Spreads Malware Via YouTube**

Police Broke Tor Anonymity to Arrest Dark Web Users in Major CSAM Bust

The company announced an update to its privacy policy, acknowledging it is using customer data to train its AI models.

Source: Chris Batson via Alamy Stock Photo

Professional social networking site LinkedIn allegedly used data from its users to train its artificial intelligence (AI) models, without alerting users it was doing so.

According to reports this week, LinkedIn hadn't refreshed its privacy policy to reflect the fact that it was harvesting user data for AI training purposes.

Blake Lawit, LinkedIn's senior vice president and general counsel, then posted on the company’s official blog that same day to announce that the company had corrected the oversight.

The updated policy, which includes a revised FAQ, confirms that contributions are automatically collected for AI training. According to the FAQ, LinkedIn's GenAI features could use personal data to make suggestions when posting.

**LinkedIn's AI Data-Gathering Is Automatic**

"When it comes to using members' data for generative AI training, we offer an opt-out setting," the LinkedIn post read. "Opting out means that LinkedIn and its affiliates won't use your personal data or content on LinkedIn to train models going forward, but does not affect training that has already taken place."

Shiva Nathan, founder and CEO of Onymos, expressed deep concern about LinkedIn's use of prior user data to train its AI models without clear consent or updates to its terms of service.

Related:Dark Reading Confidential: The CISO and the SEC

"Millions of LinkedIn users have been opted in by default, allowing their personal information to fuel AI systems," he said. "Why does this matter? Your data is personal and private. It fuels AI, but that shouldn’t come at the cost of your consent. When companies take liberties with our data, it creates a massive trust gap."

Nathan added this is not just happening with LinkedIn, pointing out many technologies and software services that individuals and enterprises use today are doing the same.

"We need to change the way we think about data collection and its use for activities like AI model training," he said. "We should not require our users or customers to give up their data in exchange for services or features, as this puts both them and us at risk."

LinkedIn did explain that users can review and delete their personal data from past sessions using the platform's data access tool, depending on the AI-powered feature involved.

**LinkedIn Faces Tricky Waters**

The US has no federal laws in place to govern data collection for AI use, and only a few states have passed laws on how users' privacy choices should be respected via opt-out mechanisms. But in other parts of the world, LinkedIn has had to put its GenAI training on ice.

Related:An AI-Driven Approach to Risk-Scoring Systems in Cybersecurity

"At this time, we are not enabling training for generative AI on member data from the European Economic Area, Switzerland, and the United Kingdom," the FAQ states, confirming that it has stopped the data collection in those geos.

Tarun Gangwani, principal product manager, DataGrail, says the recently enacted EU AI Act has provisions within the policy that require companies that trade in user-generated content be transparent about their use of it in AI modeling.

"The need for explicit permission for AI use on user data continues the EU's general stance on protecting the rights of citizens by requiring explicit opt-in consent to the use of tracking," Gangwani explains.

And indeed, the EU in particular has shown itself to be vigilant when it comes to privacy violations. Last year, LinkedIn parent company Microsoft had to pay out $425 million in fines for GDPR violations, while Facebook parent company Meta was slapped with a $275 million fine in 2022 for violating Europe's data privacy rules.

The UK's Information Commissioners Office (ICO) meanwhile released a statement today welcoming LinkedIn's confirmation that it has suspended such model training pending further engagement with the ICO.

"In order to get the most out of generative AI and the opportunities it brings, it is crucial that the public can trust that their privacy rights will be respected from the outset," ICO's executive director, regulatory risk, Stephen Almond said in a statement. "We are pleased that LinkedIn has reflected on the concerns we raised about its approach to training generative AI models with information relating to its UK users."

Related:How Shifts in Cyber Insurance Are Affecting the Security Landscape

Regardless of geography, it's worth noting that businesses have been warned against using customer data for the purposes of training GenAI models in the past. In August 2023, communications platform Zoom abandoned plans to use customer content for AI training after customers voiced concerns over how that data could be used. And in July, smart exercise bike startup Peloton was slapped with a lawsuit alleging the company improperly scraped data gathered from customer service chats to train AI models.

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Latest News