A list of topics we covered in the week of September 30 to October 6 of 2024

October 3, 2024 - Malwarebytes Browser Guard now warns users about recent data breaches, as well as automatically opting users out of tracking cookies.

October 3, 2024 - Smart glasses that use facial recognition can instantly reveal the identity of someone you're looking at.

October 3, 2024 - Medical imaging company I-MED left thousands of patient files exposed through re-used login credentials.

October 1, 2024 - Next time you need to activate a subscription on your TV, watch out for these fake sites scammers are using to trick you and steal your money.

October 1, 2024 - ThreatDown research has uncovered a campaign that spreads annoying adware for Android devices.

 A week in security (September 30 &#8211; October 6) 

Europe's top court has ruled that Meta Platforms must restrict the use of personal data harvested from Facebook for serving targeted ads even when users consent to their information being used for advertising purposes, a move that could have serious consequences for ad-driven companies operating in the region.
"An online social network such as Facebook cannot use all of the personal data

Data Privacy / Advertising

Europe's top court has ruled that Meta Platforms must restrict the use of personal data harvested from Facebook for serving targeted ads even when users consent to their information being used for advertising purposes, a move that could have serious consequences for ad-driven companies operating in the region.

"An online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data," the Court of Justice of the European Union (CJEU) said in a ruling on Friday.

In other words, social networks, such as Facebook, cannot keep using users' personal data for ad targeting indefinitely, the court said, adding limits must be set in place in order to comply with the bloc's General Data Protection Regulation (GDPR) data minimization requirements.

It's worth noting that Article 5(1)(c) of GDPR necessitates that companies limit the processing to strictly necessary data, preventing the collected personal data about an individual -- whether gathered on or outside the platform via third-parties -- from being aggregated, analyzed, and processed for targeted advertising without time-bound restrictions.

The case was originally filed by privacy activist and noyb (None Of Your Business) co-founder Maximilian "Max" Schrems in 2014 over claims that the social media giant targeted him with personalized ads based on his sexual orientation.

"The fact that a person has made a statement about his or her sexual orientation on the occasion of a public panel discussion does not authorize the operator of an online social network platform to process other data relating to that person's sexual orientation, obtained, as the case may be, outside that platform using partner third-party websites and apps, with a view to aggregating and analyzing those data, in order to offer that person personalized advertising," the CJEU said.

Noyb, in a statement, said it welcomed the ruling and that the result was along expected lines, stating the judgment also extends to any other online advertisement company that does not have stringent data deletion practices.

"Meta and many players in the online advertisement space have simply ignored this rule and did not foresee any deletion periods or limitations based on the type of personal data," the Austrian non-profit said.

"The application of the 'data minimization principle' radically restricts the use of personal data for advertising. The principle of data minimization applies regardless of the legal basis used for the processing, so even a user who consents to personalized advertising cannot have their personal data used indefinitely."

In a statement shared with Reuters, Meta said it has made monetary efforts to "embed privacy" in its products, noting it "does not use special categories of data that users provide to personalize ads while advertisers are not allowed to share sensitive data."

The development comes as Texas Attorney General Ken Paxton has filed a lawsuit against ByteDance-owned TikTok for alleged violations of child privacy laws in the U.S. state, otherwise called the Securing Children Online Through Parental Empowerment (SCOPE) Act.

The lawsuit accused TikTok of failing to provide adequate tools that allow parents and guardians to control the privacy and account settings of children aged between 13 and 17.

"For example, parents or guardians do not have the ability to control \[TikTok's\] sharing, disclosing, and selling of a known minor's personal identifying information, nor control \[TikTok's\] ability to display targeted advertising to a known minor," the lawsuit reads.

"Texas law requires social media companies to take steps to protect kids online and requires them to provide parents with tools to do the same," Paxton said. "TikTok and other social media companies cannot ignore their duties under Texas law."

TikTok, which prohibits targeted advertising for anyone under 18, said it strongly disagreed with the allegations and that it offers "robust safeguards for teens and parents, including family pairing, all of which are publicly available."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

E.U. Court Limits Meta's Use of Personal Facebook Data for Targeted Ads

The ABB BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'SYSLOG' HTTP POST parameter called by the syslogSwitch.php script.

ABB Cylon Aspect 3.08.00 (syslogSwitch.php) Remote Code Execution

You've just created a Red Hat Customer Portal account to provision a Red Hat OpenShift cluster. If you're new to Red Hat Customer Portal, then you probably have a lot of questions, like what other Red Hat portals do you have access to? How do you manage your registered clusters? What exactly is an Organization Administrator? Are there other team members who need privileged access? In this blog, we address all of these questions, and more, to help you navigate the Red Hat Customer Portal and its role-based access control (RBAC) system, and how it all connects to the Red Hat Hybrid Cloud Console

You've just created a Red Hat Customer Portal account to provision a Red Hat OpenShift cluster. If you're new to Red Hat Customer Portal, then you probably have a lot of questions, like what other Red Hat portals do you have access to? How do you manage your registered clusters? What exactly is an Organization Administrator? Are there other team members who need privileged access? In this blog, we address all of these questions, and more, to help you navigate the Red Hat Customer Portal and its role-based access control (RBAC) system, and how it all connects to the Red Hat Hybrid Cloud Console (HCC) and OpenShift Cluster Manager (OCM).

**Customer Portal**

Your Red Hat Customer Portal account is a critical connection point to important information about your organization's subscriptions, products, and support. It's also the overarching account to other Red Hat portals such as Developer Hub, Hybrid Cloud Console, and more.

**Organization Administrator**

A Red Hat Organization Administrator, also known as an org admin, is the root user of the Red Hat Customer Portal. It has all possible permissions and is the only role that can manage users and their respective access to the organization's Red Hat account. By default, every org admin is also the admin for other portals, such as the Hybrid Cloud Console. An org admin can create and manage users one at a time, several at a time, or through bulk uploads, and can assign any roles to any user. For additional information on managing users, read common user management questions.

Once a user is added to the Customer Portal, it exists on any Red Hat hosted website that uses Red Hat single sign-on authentication. A Customer Portal login ID can be configured for two-factor authentication as well as a third party identity provider. This configuration applies to any Red Hat website that uses Red Hat single sign-on authentication (sso.redhat.com), including the Customer Portal at access.redhat.com and the Hybrid Cloud Console (console.redhat.com). You can also integrate your application with the Customer Portal using APIs. To determine the feasibility of integrating your specific third party identity provider, you will need to reach out to your Red Hat account team.

It is crucial to ensure that each user is granted the minimum required roles complying with the best practice of least privileged access. For example, an OpenShift cluster site reliability engineer who needs to create support cases would require the **Manage Support Cases** role, and a team lead may need the **Manage Your Subscriptions** role to manage subscriptions, but neither requires the permissions of the **Organization Administrator** role.

As a best practice of applying least privileges, the org admin role must be used with discretion, restricted to a few people in the organization at most. Aside from org admin, there are several roles and permissions that can be assigned to Customer Portal accounts. Have transparent conversations with stakeholders within your organization about designating org admins and other roles to each user.

**Hybrid Cloud Console**

The Red Hat Hybrid Cloud Console (HCC) is utilized to access a comprehensive set of services from a single interface. The HCC contains two default groups maintained by Red Hat with predefined roles:

*   **Default admin access group:** All Red Hat Portal Organization Administrators are added to this group by default. Users and roles are not customizable.
*   **Default access group:** This group contains all authenticated users in your organization. It can be modified by adding or removing roles. Upon modification, the group is automatically renamed to **Custom default access** and is no longer maintained by Red Hat. You can restore the default access group after a custom group has been created. 

To reduce administrative complexity, it's recommended that you create additional custom groups with any combination of roles. This allows users to be added or removed from the groups while keeping role permissions intact, allowing for better RBAC management compared to modifying an individual user's role. A list of predefined roles which are not modifiable can be viewed here.

User access roles are additive. There are no roles that deny access, only roles that allow. For more information, read these additional learning resources, which include step-by-step instructions and documentation on user access configuration.

**User Access administrator**

The User Access administrator is a special role that only an org admin can assign to a group within HCC. It allows a user to perform actions such as adding, modifying, or deleting groups and roles. The User Access administrator role cannot create or modify a User Access administrator group.

It may be worthwhile to consider assigning the User Access administrator role to production cluster admin team leads to ensure there is no unintended access to production environments.

Service accounts can be used to programmatically interact with the Hybrid Cloud Console API, and can be created and managed by org admins or User Access administrators. Similar to user accounts, service accounts can be assigned to user groups to grant them specific roles and permissions as necessary.

**Openshift Cluster Manager**

The OpenShift Cluster Manager (OCM) is a service managed by Red Hat that allows you to operate and upgrade Red Hat OpenShift clusters. The HCC also provides an RBAC interface to assign roles such as OCM Cluster Provisioner, which allows a user with that role to create and manage clusters in OCM. It may be sufficient for some team members to have only the OCM Cluster Viewer role instead of additional OCM roles that would allow them to modify clusters.

Roles specific to OCM provide precise access to clusters. These roles are managed through HCC, and it's recommended to create custom groups to manage these roles. For additional information on managing clusters in OCM, read the official documentation.

**Tying it all together**

Now that we've provided an overview of RBAC for the various Red Hat portals, we have a recommendation on how to administer your organization's RBAC policies.

The most common question is who should be an org admin. This is easy to get wrong! In some companies, leadership or sales teams involved in managing subscriptions are assigned org admin. However, these are permissions inherited from Customer Portal, so there may be unintended consequences because org admins are also added to the default admin access group in the HCC. An org admin can manage all OpenShift clusters, create or delete clusters, and give themselves permission to log into existing clusters as any user (including as a user with the cluster-admin role).

When managing systems through Hybrid Cloud Console, it's crucial to determine the minimum and specific users that require all the permissions an org admin inherits.

In the event that the only org admin leaves the company, this knowledge base article provides guidance on how to recover from this scenario and assign a new org admin.

We've provided an overview of RBAC for the Red Hat Customer Portal and Hybrid Cloud Console and highlighted the implications of these inherited permissions. Understanding best practices around RBAC for your organization, and specifically the role of an org admin, and applying the principle of least privileges, allows your organization to effectively administer its Red Hat accounts.

Solving the Puzzle of RBAC with Red Hat Customer Portal

The ABB BMS/BAS controller suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'Footer' HTTP POST parameter called by the caldavUtil.php script.

ABB Cylon Aspect 3.08.01 (caldavUtil.php) Remote Code Execution

The ABB BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'timeserver' HTTP POST parameter called by the setTimeServer.php script.

ABB Cylon Aspect 3.08.00 (setTimeServer.php) Remote Code Execution

The building management system suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'logFile' GET parameter via the 'logYumLookup.php' script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

ABB Cylon Aspect 3.08.01 (logYumLookup.php) Unauthenticated File Disclosure

Perfctl malware is hard to detect, persists after reboots, and can perform a breadth of malicious activities.

Thousands of machines running Linux have been infected by a malware strain that’s notable for its stealth, the number of misconfigurations it can exploit, and the breadth of malicious activities it can perform, researchers reported Thursday.

The malware has been circulating since at least 2021. It gets installed by exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the internet potential targets, researchers from Aqua Security said. It can also exploit CVE-2023-33426, a vulnerability with a severity rating of 10 out of 10 that was patched last year in Apache RocketMQ, a messaging and streaming platform that’s found on many Linux machines.

****Perfctl Storm****

The researchers are calling the malware Perfctl, the name of a malicious component that surreptitiously mines cryptocurrency. The unknown developers of the malware gave the process a name that combines the perf Linux monitoring tool and ctl, an abbreviation commonly used with command line tools. A signature characteristic of Perfctl is its use of process and file names that are identical or similar to those commonly found in Linux environments. The naming convention is one of the many ways the malware attempts to escape notice of infected users.

Perfctl further cloaks itself using a host of other tricks. One is that it installs many of its components as rootkits, a special class of malware that hides its presence from the operating system and administrative tools. Other stealth mechanisms include:

*   Stopping activities that are easy to detect when a new user logs in
*   Using a Unix socket over TOR for external communications
*   Deleting its installation binary after execution and running as a background service thereafter
*   Manipulating the Linux process pcap\_loop through a technique known as hooking to prevent admin tools from recording the malicious traffic
*   Suppressing mesg errors to avoid any visible warnings during execution.

The malware is designed to ensure persistence, meaning the ability to remain on the infected machine after reboots or attempts to delete core components. Two such techniques are (1) modifying the ~/.profile script, which sets up the environment during user login so the malware loads ahead of legitimate workloads expected to run on the server and (2) copying itself from memory to multiple disk locations. The hooking of pcap\_loop can also provide persistence by allowing malicious activities to continue even after primary payloads are detected and removed.

Besides using the machine resources to mine cryptocurrency, Perfctl also turns the machine into a profit-making proxy that paying customers use to relay their internet traffic. Aqua Security researchers have also observed the malware serving as a backdoor to install other families of malware.

Assaf Morag, Aqua Security’s threat intelligence director, wrote in an email:

> Perfctl malware stands out as a significant threat due to its design, which enables it to evade detection while maintaining persistence on infected systems. This combination poses a challenge for defenders and indeed the malware has been linked to a growing number of reports and discussions across various forums, highlighting the distress and frustration of users who find themselves infected.
> 
> Perfctl uses a rootkit and changes some of the system utilities to hide the activity of the cryptominer and proxy-jacking software. It blends seamlessly into its environment with seemingly legitimate names. Additionally, Perfctl’s architecture enables it to perform a range of malicious activities, from data exfiltration to the deployment of additional payloads. Its versatility means that it can be leveraged for various malicious purposes, making it particularly dangerous for organizations and individuals alike.

****“The Malware Always Manages to Restart”****

While Perfctl and some of the malware it installs are detected by some antivirus software, Aqua Security researchers were unable to find any research reports on the malware. They were, however, able to find a wealth of threads on developer-related sites that discussed infections consistent with it.

This Reddit comment posted to the CentOS subreddit is typical. An admin noticed that two servers were infected with a cryptocurrency hijacker with the names perfcc and perfctl. The admin wanted help investigating the cause.

“I only became aware of the malware because my monitoring setup alerted me to 100% CPU utilization,” the admin wrote in the April 2023 post. “However, the process would stop immediately when I logged in via SSH or console. As soon as I logged out, the malware would resume running within a few seconds or minutes.” The admin continued:

> I have attempted to remove the malware by following the steps outlined in other forums, but to no avail. The malware always manages to restart once I log out. I have also searched the entire system for the string "perfcc" and found the files listed below. However, removing them did not resolve the issue. as it keep respawn on each time rebooted.

Other discussions include: Reddit, Stack Overflow (Spanish), forobeta (Spanish), brainycp (Russian), natnetwork (Indonesian), Proxmox (Deutsch), Camel2243 (Chinese), svrforum (Korean), exabytes, virtualmin, serverfault and many others.

After exploiting a vulnerability or misconfiguration, the exploit code downloads the main payload from a server, which, in most cases, has been hacked by the attacker and converted into a channel for distributing the malware anonymously. An attack that targeted the researchers’ honeypot named the payload httpd. Once executed, the file copies itself from memory to a new location in the /temp directory, runs it, and then terminates the original process and deletes the downloaded binary.

Once moved to the /tmp directory, the file executes under a different name, which mimics the name of a known Linux process. The file hosted on the honeypot was named sh. From there, the file establishes a local command-and-control process and attempts to gain root system rights by exploiting CVE-2021-4043, a privilege-escalation vulnerability that was patched in 2021 in Gpac, a widely used open source multimedia framework.

The malware goes on to copy itself from memory to a handful of other disk locations, once again using names that appear as routine system files. The malware then drops a rootkit, a host of popular Linux utilities that have been modified to serve as rootkits, and the miner. In some cases, the malware also installs software for “proxy-jacking,” the term for surreptitiously routing traffic through the infected machine so the true origin of the data isn’t revealed.

The researchers continued:

> As part of its command-and-control operation, the malware opens a Unix socket, creates two directories under the /tmp directory, and stores data there that influences its operation. This data includes host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information. Additionally, the malware uses environment variables to store data that further affects its execution and behavior.
> 
> All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts. The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system.

By extrapolating data such as the number of Linux servers connected to the internet across various services and applications, as tracked by services such as Shodan and Censys, the researchers estimate that the number of machines infected by Perfctl is measured in the thousands. They say that the pool of vulnerable machines—meaning those that have yet to install the patch for CVE-2023-33426 or contain a vulnerable misconfiguration—is in the millions. The researchers have yet to measure the amount of cryptocurrency the malicious miners have generated.

People who want to determine if their device has been targeted or infected by Perfctl should look for indicators of compromise included in Thursday’s post. They should also be on the lookout for unusual spikes in CPU usage or sudden system slowdowns, particularly if they occur during idle times. Thursday’s report also provides steps for preventing infections in the first place.

_This story originally appeared on_ _Ars Technica._

Stealthy Malware Has Infected Thousands of Linux Systems for Years

A foreign government is believed to have hacked into the Dutch police force’s systems, exposing the contact details…

A foreign government is believed to have hacked into the Dutch police force’s systems, exposing the contact details of nearly 63,000 officers. The attack has raised serious concerns about cybersecurity and state-sponsored hacking.

A foreign government is believed to have hacked into the Dutch police force’s systems, exposing the contact details of nearly 63,000 officers. The attack reportedly took place on September 26, 2024.

The cyberattack on the Dutch police force was a sophisticated operation that targeted a specific police account. The attackers were able to exploit vulnerabilities in the system to gain access to the work-related contact details of nearly all Dutch police officers. While the exact method used by the hackers remains undisclosed, it is clear that they were highly skilled and well-prepared.

The hackers gained access to sensitive information including names, emails, phone numbers, private details of some, and ‘work related’ data. While the Dutch government has not publicly identified the perpetrators, intelligence agencies have concluded that a state actor was likely behind the attack.

“The police have been informed by the intelligence services that it is very likely a ‘state actor’, in other words: another country or perpetrators on behalf of another country,” stated Politie (national Dutch police). 

The hack against the Dutch Police is noteworthy, as this is not a typical event. The agency is recognized globally for its high-profile actions and proactive stance against cybercrime. Some of its notable operations include seizing the infamous dark web drug and data marketplace HANSA, shutting down Raid Forums and Breach Forums, EncroChat, and targeting DDoS-for-hire sites, among others.

The stolen information could potentially be used to target officers, their families, or informants. The Dutch police immediately investigated the breach, enlisting the help of internal cyber specialists and national security partners. The investigation is ongoing, and the police have not yet publicly attributed the attack to a specific country or actor.

According to Justice and Security Minister David van Weel, the hack impacted (PDF) nearly all police officers in the Netherlands, leading to widespread unrest among officers, particularly those involved in covert operations. The stolen information has not yet been leaked online, but the chief of police and security services are taking the incident seriously. 

The Netherlands Police Union chair, Nine Kooiman, called the hack a ‘nightmare,’ urging for prompt identification of the perpetrators. Nevertheless, the incident highlights the growing threat posed by state-sponsored cyberattacks. As countries increasingly rely on online infrastructure, the need for strong cybersecurity defences has never been more urgent.

1.  Database Leak Exposes 500K Irish Police Vehicle Seizure Records
2.  Data Leak Exposes 500GB of Indian Police, Military Biometric Data
3.  Police lose evidence to Ryuk ransomware attack; suspects walk free
4.  Dutch Man Deployed Stuxnet via Water Pump to Disable Iran’s Nukes
5.  Chinese Hackers Infiltrate Dutch Defense Networks with Coathanger RAT

Dutch Police Hacked, 63,000 Officers’ Details Exposed

Plus: Harvard students pack Meta’s smart glasses with privacy-invading face-recognition tech, Microsoft and the DOJ seize Russian hackers’ domains, and more.

Pig butchering, the crypto-based scammer scourge that has pulled in an estimated $75 billion from victims globally, is spreading beyond its roots in Southeast Asia, with operations proliferating across the Middle East, Eastern Europe, Latin America, and West Africa.

The UK's National Crime Agency disclosed new details about the identities of the Russian ransomware group known as Evil Corp—as well as the group's ties to Russian intelligence agencies and even its direct participation in espionage operations targeting NATO allies.

A WIRED investigation revealed how car-mounted automatic license plate reader cameras are capturing far more than just license plates, including campaign yard signs, bumper stickers, and other politically sensitive text, all examples of how a system for tracking vehicles threatens to become a broader surveillance tool.

In other news, ICE signed a $2 million contract with Paragon Solutions, a known vendor of spyware including the hacking tool Graphite. And the Pentagon is increasingly adopting handheld controllers for weapons systems in an effort provide more intuitive interfaces to soldiers who have grown up playing Xbox and PlayStation consoles.

And there's more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

As the politics of America's biggest city have been turned upside down by the criminal charges against New York mayor Eric Adams, there's still a “significant wild card” in the corruption case against him, prosecutors said in court this week: The FBI can't manage to get into his phone.

Prosecutors in the case against Adams, which centers on alleged illegal payments the mayor received from the Turkish government, revealed that the FBI still hasn't cracked the encryption on Adams' personal phone, nearly a year after it was seized. That phone is one of three that the bureau has taken from Adams, but agents seized Adams' personal phone a day later than the other two devices he used in an official capacity. By that time, Adams had not only changed the passcode on the phone from a four digit PIN to six digits—a measure he says he took to prevent staffers from intentionally or unintentionally deleting information from the device. He also claims he immediately “forgot” that code to unlock it.

That very convenient amnesia may leave the FBI and prosecutors in a situation similar to their investigation into the San Bernardino mass shooting carried out by Syed Rizwan Farook in 2016, when the US government demanded Apple help unlock the shooter's encrypted iPhone, leading to a high-profile standoff between the Apple and the FBI. In that case, the cybersecurity firm Azimuth eventually used a closely guarded—and expensive—hacking technique to unlock the device. In Adams' case, prosecutors hinted that the FBI may have to resort to similar measures. “Decryption always catches up with encryption,” a prosecutor in the case, Hagan Scotten, told the judge.

Face recognition is one of only a few technologies that even Facebook and Google have hesitated to integrate into products like Google Glass and the Ray-Ban Meta smart glasses—and rightly so, given the privacy implications of a device that would allow anyone to look at a stranger on the street and immediately determine their phone number and home address. Now, however, a group of Harvard students has shown how easy it is to bolt that face recognition onto Meta's augmented-reality eyewear. The project, known as I-XRAY, integrates with the face-recognition service Pimeyes to let Ray-Ban Meta wearers learn the name of virtually anyone they see and then immediately scour databases of personal information to determine other info about them, including names of family members, phone numbers, and home addresses. The students say they're not releasing the code for their experiment, instead intending it as a demonstration of the privacy-invasive potential of augmented-reality devices. Point made.

If that warning about the privacy risks of AR eyewear needed more reinforcement, Meta this week also conceded to TechCrunch that it will use input from users' smart glasses to train its AI products. Initially, Meta declined to answer TechCrunch's questions about whether and how it would collect information from Ray-Ban Meta smart glasses for use as AI training data, in contrast to companies like OpenAI and Anthropic that explicitly say they don't exploit user inputs to train their AI services. A couple of days later, however, Meta confirmed to TechCrunch that it does in fact use images or video collected through its smart glasses to train its AI, but only if the user submits them to Meta's AI tools. That means anything that a user sees and asks Meta's AI chatbot to comment on or analyze will become part of Meta's massive AI-training data trove.

If you can't arrest Russian hackers, at least you can nab their web domains. That, at least, is the approach this week of the US Justice Department, which along with Microsoft and the NGO Information Sharing and Analysis Center used a lawsuit to take control of more than a hundred web domains that had been used by Russian hackers working for the Kremlin's intelligence and law enforcement agency known as the FSB. Those domains had been exploited in phishing campaigns by the Russian hacker group known as Star Blizzard, which has a history of targeting the typical victims of geopolitical spying such as journalists, think tanks, and NGOs. The domain seizures seem designed in part to head off threats of foreign interference in next month's US election. “Rebuilding infrastructure takes time, absorbs resources, and costs money,” Steven Masada, the assistant general counsel of Microsoft’s Digital Crimes Unit, said in a statement. “Today’s action impacts \[the hackers'\] operations at a critical point in time when foreign interference in US democratic processes is of utmost concern.”

Latest News