In zulip before 1.3.12, bot API keys were accessible to other users in the same realm.

CVE-2016-4426: Version History — Zulip 2.1.7 documentation

Even the head of the country's online offensive is surprised by the successes—although they’re not without controversy.

When Russian president Vladimir Putin launched his full invasion of Ukraine in February, the world expected Moscow’s cyber and information operations to pummel the country alongside air strikes and shelling. Two months on, however, Kyiv has not only managed to keep the country online amidst a deluge of hacking attempts, but it has brought the fight back to Russia.

Even Ukrainian officials are surprised by how ineffective Russia’s digital war has been.

“I think that the root cause of this is the difference between our systems,” says Mykhailo Fedorov, Ukraine’s 31-year-old minister for digital transformation. “Because the Russian system is centralized. It's monopolized. And it leads to the scale of corruption and graft that is becoming increasingly apparent as the war continues.”

Speaking to WIRED from near Kyiv, Fedorov says his country has been preparing for this moment since Russia first invaded in 2014. “We have had eight years,” he says.

In recent weeks, Fedorov and the Ukrainian government have deployed the controversial face recognition program ClearviewAI to identify killed and captured Russian soldiers. They have deployed thousands of Elon Musk’s Starlink terminals to keep the country connected, even amid Russian bombardment. They have crowdsourced intelligence collection, letting ordinary Ukrainians report troop movements. And, perhaps most critically, they have beaten back aggressive attempts to knock offline their internet, energy, and financial systems.

Fedorov, who also serves as deputy prime minister, ran Ukrainian president Volodmyr Zelensky’s wildly successful election campaign in 2019, winning by nearly 50 points in the second round against incumbent Petro Poroshenko. He did so, in part, by leveraging authentic selfie videos to market the former comedian as an unconventional politician who eschews the normal trappings of politics. It’s exactly that style of video that Zelensky has uploaded regularly from the streets of Kyiv in recent weeks, offering a stark contrast with Putin’s stiff proclamations inside his palatial offices.

Ukraine has brought the war home to Russia in more cutting ways. In March, Reuters reported that Ukraine had purchased face recognition software from American company Clearview AI to identify the bodies of Russian soldiers killed in action—Kyiv later acknowledged that they were using this information to contact the families of the dead soldiers.

“We are pursuing two goals here,” Fedorov says. “First is: We are notifying their relatives, and telling them, basically, that it's not a very good idea to go to war with Ukraine. So that serves as a cautionary tale. And secondly, it's a humanitarian purpose—just telling them where their relatives, or friends, or children are so that they don't try to get this information from the Russian authorities. Because, more often than not, they can't.”

That decision hasn’t come without criticism. Contacting the families of soldiers killed in battle could be seen as harassment. Others have pointed out that being deployed in Ukraine is a PR coup for ClearviewAI, which has been embroiled in scandal over its liberal use by police forces across North America.

Fedorov, for his part, says Russia “can spin this whatever way they want. But the fact of the matter is, there are tens of thousands of Russians dying in Ukraine, and we are just providing this information to their families because that serves, among other things, a humanitarian purpose.”

There is a propaganda element to Kyiv’s use of face recognition technology as well.

“This facial recognition plays to our, let's say, to our advantage in the information space,” Fedorov says. Moscow has projected the image of a professional and volunteer fighting force. “We're trying to say that, for example, Russia is sending conscripts … we are proving that and justifying that with a lot of factual information. We can give you a list of hundreds of people who are 18 and 19 years old, with their names and with their birth dates and how and where specifically, they were conscripted. So that gives some substance to our claims.”

Fedorov says the utility goes beyond just identifying the dead.

“One interesting case study of how we used Clearview AI,” Fedorov says. “There was a man who was found in a Ukrainian hospital, claiming that he was a Ukrainian soldier who suffered from shell shock or some kind of trauma and that he forgot everything. And he was claiming that he was Ukrainian. So the doctor sent the picture to us, and we were able to ID him in a matter of minutes. We found his social network profile, and we established that he was Russian and, of course, he was brought to responsibility.”

Ukrainian officials have said that the frequency of Russian cyberattacks tripled immediately prior to the war, and they have aggressively targeted critical infrastructure since the war began.

But Viktor Zhora, deputy head of Ukraine's State Service of Special Communications and Information Protection, says Moscow may have maxed out its ability to launch attacks. “Russian cyber operations likely reached their full potential," he says.

Zhora told WIRED that years of training, exercises, and cooperation with NATO have made Ukraine far more resilient to cyberattacks. Some attacks are easier to defend against than others—as we spoke, Zhora said he was monitoring an active attack on the state administration of Lviv, which had been publicly announced by Russia hours earlier.

But Zhora stresses that while it is wrong to overestimate how powerful Russia’s cyber capabilities are, it would also be wrong to underestimate its more “sophisticated” operations. “We should continue to observe their potential, like Sandworm, like a Fancy Bear, like Gamaredon, many other groups that are still active, and still very dangerous,” he says, referring to a number of Russian government hacker groups.

Brandon Valeriano, a senior fellow at the Cato Institute who specializes in cyber operations, says offensive cyber operations don’t mesh well with traditional, kinetic warfare. At best, he says, “they’re enabling, they’re complimentary … they don’t transform it.”

Valeriano points to a slowdown in the tempo of Russian-backed cyberattacks targeting the United States as evidence that Moscow’s capacity isn’t as expansive as some have assessed. “They’re not organized for offensive cyber operations in the way that we think they are,” he says.

Kyiv’s ability to beat back against those operations, Valeriano says, can be attributed to “intense collaboration between Ukraine, Western powers, and NATO.” Indeed, Five Eyes signals intelligence agencies have both been providing training and support for Ukraine’s cyber defense and have been sharing threat intelligence. (Zhora stresses that information-sharing is a “two-way road.”)

Ukraine has been able to defend itself, both in cyberspace and in an outright propaganda war, because it has managed to stay online. For that, Fedorov credits a decentralized network of internet service providers and Elon Musk.

“It wouldn't be possible to restore 10 km of cable connection between villages in Chernigiv region after serious battles so quick,” he tweeted earlier this month. “Normally it takes few months.” But with one Starlink satellite, he says, five villages were reconnected in a matter of days.

“We have received over 10,000 Starlink terminals to date, and we use those where we have blind spots with, let's say, more traditional coverage,” Fedorov says. “So we are trying very hard to restore and protect our landline and mobile connections.”

Like any physical infrastructure, those Starlink terminals—which have even managed to keep the embattled city of Mariupol online—have been vulnerable to Russian shelling. Zhora says Russia has managed to hit some of those terminals but has not managed to target the system as a whole. “I suppose that it was coincidence that some shells hit these terminals and locations,” Zhora says. “It's not easy to identify and to attack them systematically.”

Keeping Ukrainians online is a clear strategic objective for Ukraine. Photo and video evidence of the brutality being doled out by the Russian army has galvanized Western support for Kyiv and led to an unprecedented level of support from NATO to help the country defend itself.

It’s also letting regular Ukrainians contribute to the collective defense.

During Zelensky’s presidential campaign, Fedorov made particular use of the messaging app Telegram, which is also popular with Russian intelligence operatives. In recent weeks, the app has been leveraged to collect evidence of possible war crimes in towns like Bucha, but also to enable Ukrainians to upload details of Russian troop movements. A Telegram bot collects photos and videos of Russian military movements, verifying Ukrainians through their digital ID,: a project spearheaded by Fedorov.

“Regular internet users—so, basically, civilians—they can go and post photos of what's happening in Ukraine,” Fedorov says.

The Ukrainian security ministry said in a tweet in March that those crowdsourced reports have directly contributed to drone strikes against Russian tanks.

“There are actually very many ways that regular citizens can contribute to the effort,” Fedorov says. One particularly “successful vector,” he says, is basically trolling. His government has been sending users “into the comment sections of posts by some very high traffic Russian influencers and just trying to talk sense into people and telling them that there's actually a war in Ukraine.”

Fedorov is also responsible for Ukraine’s IT Army, a network of cyber activists and hackers who have targeted Russian systems. In recent weeks, they have dumped huge troves of personal information from large Russian corporations.

Russia’s poor information security has also been a significant factor in their fumbled invasion.

A huge number of technology providers, from cybersecurity firms to cloud hosting services, have pulled out of Russia since the start of the war—either due to sanctions or to a concerted push from Fedorov and others in the Ukrainian government. “If the world were able to stop the delivery of these products to Russia, we see that they will have no infrastructure even to organize attacks,” Zhora says.

Russia’s attempts to knock out mobile and internet connections in Ukraine have mired their own communications. Their encrypted radio platform, Era, has been unreliable, leading Russian soldiers to opt for unencrypted platforms. Numerous outlets have reported details of conversations between Russians troops, their commanders, and their families—some even admitting to possible war crimes over unencrypted channels.

While Fedorov’s reform mission has played a large role in modernizing Ukraine, support from the West has certainly helped. SpaceX and the United States have sent some 5,000 Starlink terminals. Fedorov says the European Union has provided some 10 million euros toward computer systems and workstations.

Asked what Ukraine needs as the war wears into its third month, Fedorov mentions satellite equipment, including more Starlink terminals, as well as laptops, tablets, and other tools “to put our civilian infrastructure back online.” He also jokes: “Let's say that the most surefire way to keep us online for a very long time to come is to provide us with artillery, tanks, and warplanes—because that will effectively end the war. And that will remove the problem altogether.”

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   Sober influencers and the end of alcohol
*   For mRNA, Covid vaccines are just the beginning
*   The future of the web is AI-generated marketing copy
*   Keep your home connected with the best wi-fi routers
*   How to limit who can contact you on Instagram
*   👁️ Explore AI like never before with our new database
*   🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones

Ukraine’s Digital Battle With Russia Isn’t Going as Expected

Plus: The FTC cracks down on GoodRx, Microsoft boots “verified” phishing scammers, researchers disclose EV charger vulnerabilities, and more.

If you heard rumblings this week that Netflix is finally cracking down on password sharing in the United States and other markets, you heard wrong—but only for now. The company told WIRED that while it plans to make an announcement in the next few weeks about limiting account sharing, nothing has happened yet. Meanwhile, lawmakers in Congress are eager to overhaul systems for dealing with secret US government data as classified documents keep turning up in the wrong places.

We did a deep dive this week into a ransomware attack that crippled the digital infrastructure of London’s Hackney Council. The assault happened more than two years ago, but it was so impactful that the local authority is still working to recover. A project that’s looking far into the future, meanwhile, is developing prototype pursuit satellites for real-world testing that could someday be used in space battles.

In other military news from the skies, we examined the situation with the apparent Chinese spy balloon over the US and the pros and cons of using balloons as espionage tools. And if you want to improve your personal digital security this weekend, we’ve got a roundup of the most important software updates to install right away, including fixes for Android and Firefox vulnerabilities.

Plus, there’s more. Each week we round up the stories we didn’t cover in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

If you’re looking for legit software downloads by searching Google, your clicks just got riskier. The spam- and malware-tracking nonprofit Spamhaus says it has detected a “massive spike” in malware spread via Google Ads in the past two months. This includes “malvertizing” that appears to be authentic downloads of tools like Slack, Mozilla’s Thunderbird email client, and the Tor Browser. Security firm SentinelOne further identified a handful of malicious loaders spread through Google Ads, which researchers collectively dubbed MalVirt. They say MalVirt loaders are used to distribute malware like XLoader, which an attacker can use to steal data from an infected machine. Google told Ars Technica in a statement that it is aware of the malvertizing uptick. “Addressing it is a critical priority, and we are working to resolve these incidents as quickly as possible,” the company said.

The Federal Trade Commission this week issued its first-ever fine under the Health Breach Notification Rule (HBNR). Online pharmacy GoodRx was ordered to pay a $1.5 million fine for allegedly sharing its users’ medication data with third parties like Meta and Google without informing those users of the “unauthorized disclosures,” as is required under the HBNR. The FTC’s enforcement action follows investigations by Consumer Reports and Gizmodo into GoodRx’s data-sharing practices. In addition to violating the HBNR, GoodRx misrepresented its claims of HIPAA compliance, the FTC alleges. GoodRx claims it fixed the issues at the heart of the FTC’s complaint years ago and rejects any admission of guilt. “We do not agree with the FTC’s allegations and we admit no wrongdoing,” a spokesperson told Gizmodo. “Entering into the settlement allows us to avoid the time and expense of protracted litigation.” 

Microsoft this week announced that it had disabled accounts of threat actors who managed to get verified under the Microsoft Cloud Partner Program. Posing as legitimate businesses, the threat actors used their verified account status to create malicious OAuth applications. “The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps,” Microsoft said in a blog detailing the issue. “This phishing campaign targeted a subset of customers primarily based in the UK and Ireland.” The company says the people behind the phishing attacks likely used their access to steal emails and that it has notified all victims.

Researchers at the security firm Saiflow this week exposed two vulnerabilities in versions of the open source protocol used in the operation of many electric-vehicle charging stations, called the Open Charge Point Protocol (OCPP). By exploiting vulnerable instances of the OCPP standard, which is used to communicate between chargers and management software, an attacker could take over a charger, disable groups of chargers, or siphon off electricity from a charger for their own use. Saiflow says it’s working with EV charger companies to mitigate the risks of the vulnerabilities.

The 37 million customers exposed by the most recent T-Mobile hack may not be the only people impacted by the breach. Google this week informed customers of the Google Fi mobile service that hackers had obtained “limited” account information, including phone numbers, SIM serial numbers, and information about their accounts. The hackers did not access payment information, passwords, or the contents of communications, like text messages. Still, it’s possible the information could have been used for SIM swap attacks. TechCrunch reports that the intrusion was detected by Google Fi’s “primary network provider,” which noticed “suspicious activity relating to a third-party support system.” The timing of the hack, which comes two weeks after the latest T-Mobile breach, suggests the two are related.

Googling for Software Downloads Is Extra Risky Right Now

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a poll.

_Not your typical form-making plugin. Forminator is the easy-to-use WordPress form builder plugin for every website and situation. It’s the easiest way to create any form – contact form, order form, payment form, email form, feedback widgets, interactive polls with real-time results, buzzfeed-style “no wrong answer” quizzes, service estimators, and registration forms with payment options including PayPal and Stripe._

It’s the magical WordPress form builder for, well, everyone!

Forminator’s drag and drop visual builder makes it easy to setup and add forms to your WordPress website. Collect information, make your content interactive and generate more conversions with Forminator.

**Forminator Forms, Surveys, Quizzes, Polls, Calculations and More…**

*   Forms – Custom forms for all your needs with as many fields as you like.
*   Polls – Interactive polls to collect users opinions, with lots of dynamic options and settings.
*   Quizzes – Fun or challenging quizzes for your visitors to take and share on social media.
*   Calculations – Collect information, generate leads, take orders, and engage visitors.
*   Payments – Take payments, donations, down payments, sell merch with the included Stripe and PayPal integrations.

**Learn The Ropes With These Hands-On Forminator Tutorials**

*   Creating the Perfect Contact Form with Forminator
*   Create an Easy Payment Form (for free!) with Forminator
*   How to Get the Most Out of Using Forminator
*   How To Capture eSignatures Using Forminator
*   How To Collect Emails and Generate Leads With a Forminator Quiz

**Accept Payments With Stripe and PayPal**

Start taking payments with Forminator. No Pro upgrade required! SCA compliant Stripe and PayPal come included. Just enter your publish keys to activate the Forminator payment module for both fixed and variable payments. Check out how it works in the video below:

**Stripe Verified Partner**

Forminator is also proud to be a Stripe Verified Partner. This partnership allows us to help you get the most out of our Stripe integration thanks to additional resources, e.g. the ability to escalate support questions, or request custom pricing reviews.

**Calculations are a Lead Magnet**

There are literally thousands of combinations for adding value to your site with Calculations:

*   Registration forms with upgrade packages
*   Sell a tee shirt with size, color, price, and tax variations
*   Add a BMI and/or calorie intake calculator to your health and fitness blog
*   Embed a loan calculator into your finance site
*   Give a midwife a due date calculator
*   Insta-quote or service estimator
*   Put an ROI calculator on your agency site
*   And on, and on, and on…

**Drag and Drop Form Blocks**

Forminator has a bunch of drag and drop blocks that make it easy to put forms together – name, email, phone number, text, file upload, website, date, time, number, HTML, pagination, radio boxes, GDPR-friendly opt-ins, payments, calculations, and hidden field.

**Your Favorite Integrations Including +1000 Apps Already Added**

Forminator comes stacked with crowd favorite third-party integrations – email services, CRM, storage, and project managers.

*   HubSpot
*   Campaign Monitor
*   ActiveCampaign
*   Google Sheets
*   Webhooks (Zapier, Make, Tray, etc)
*   Trello
*   MailChimp
*   AWeber
*   Slack

**Develop And Sell Your Own Extensions**

Forminator is free and open to millions of WordPress users! Use the developer API and the included hooks and filters to build your own integrations or custom apps and sell them or give them away free here on WordPress.org.

**Poll Your Visitors**

Polls are a brilliant way to engage visitors. Forminator gives real-time feedback with live stats displayed in beautiful pie charts and graphs.

**Your Own Facebook-Style Quizzes**

Who hasn’t been roped into taking “IQ tests” and “figure out which Star Wars character you are” quizzes on Facebook? Now you can run all that traffic to your site. Create both knowledge and no wrong answer quizzes with Forminator.

**Collect Leads With Your Quizzes**

Looking to use your quizzes for more than just entertainment and a way to engage your audience? Forminator also allows you to collect participants’ details (e.g., name, email, etc.) by integrating a lead generation form in your quiz. See how it works below:

**Gutenberg Block**

Forminator’s got you, whether you’re a classic editor or Gutenberg early adapter. Say goodbye to shortcodes and quickly add forms to posts with the Forminator block for Gutenberg.

**Email Routing and Pre-Populate**

Make your site more efficient from visitor input to email response times. Use query strings to pre-fill your visitor information and deliver forms direct to specific teams with email routing, auto-response and conditions.

**User Front End Post Submissions**

Want to let your visitors share a post submission without needing access to the WordPress dashboard? With Forminator visitors can submit post ideas from the front end of your site so you can easily curate and publish their thoughts. Assign post to a default author, save to draft, publish immediately, etc.

**Google reCAPTCHA**

You don’t want your inbox flooded with a bunch of form spam. Google ReCAPTCHA is free with Forminator. Now you can stop the crazy bots without making it hard on your visitors. No more hard to read random phrases.

**Collect, Track and GDPR Ready**

Forminator stores and organizes submissions so you can sort, analyze and manage responses – of course, all while making it super easy to comply with the GDPR and other legal privacy policies.

**Import Your Existing Contact Form 7 Data**

Looking to move existing forms over from CF7? Forminator’s Import Wizard allows you to migrate all, or selected forms in a matter of clicks. You can also transfer data from a range of Contact Form 7 add-ons and settings.

**Custom Login and Registration Forms**

Create and embed custom login and registration forms for your sites (or multisites!). Take L&R forms to the next level: choose from a range of form fields, and customize settings, style, and behavior. Learn more in the video below:

**Multi-file Upload Field**

Along with enabling single file uploads, Forminator takes things up a notch by allowing users to upload multiple files. You can also choose to set specific file types, limit the number of files that can be uploaded, as well as the individual file size. The upload field’s drag and drop interface also makes it a breeze for users to upload files.

**Group And Repeat Form Fields**

The Field Group feature allows you to group any number of fields together in one form. You can also enable users to add as many additional field groups as needed when filling out your form. Great for repeatable data entry such as employment history, event attendees, lists, etc.

**Advanced Date Field Restrictions**

Perfect for appointment and hotel bookings – Forminator’s Date Picker Limits feature allows you to restrict the available dates shown on your date field calendar. For example, you might show future dates only, a selected number of dates from today, dates between a specific date range, specific days of the week, and more!

**Add An E-Signature Form Field (Pro Only)\***

Have an online application that requires a signature, or a contract you need your customers to sign? Forminator’s E-signature feature allows visitors to use their mouse, trackpad, or finger (on touch devices) to leave a signature upon submitting the form. Just insert the “E-Signature” field and voila!

**Receive Subscriptions and Recurring Payments on Stripe (Pro Only)\***

Create fully-customized subscription forms with Forminator Pro’s Stripe Subscription add-on. Allow your customers to choose plans/pricing, billing cycle, custom upsells, a free trial option, and of course, make secure card payments. Forminator also saves you time by instantly and automatically syncing all subscription form data straight to your Stripe account.

\***Note:** These features are only available with Forminator Pro. Get instant access to Forminator Pro – as well as all our other premium plugins, managed WP hosting, our site management platform: The Hub, and 24/7 expert support – all with a WPMU DEV membership.

**What Do People Say About Forminator?**

★★★★★

> Amazing plugin, it really seems that only your imagination can limit its uses. Loads of features like taking payments, calendar, for free. Can’t believe everything I need is in there, it sparks creativity and makes it fun to work on a website. – araca

★★★★★

> This plugin has an excellent, well-thought-out, well-designed UI and offers everything I was looking for (and I think I’ve tried every serious competitor). – tvsmvp

★★★★★

> This plugin is the best free form builder by far! I have researched many but this is so easy to use… Try it. I am SURE you will LOVE IT. – johncarteroz

★★★★★

> Great interface design, super easy to use and great functionality. I don’t normally write reviews, but I loved it so much, I just had to this time! – istavridi

**Shameless Plug(ins)**

Love Forminator! WPMU DEV has some other awesome free plugins you should checkout.

*   Smush – Image Compression and Optimization
*   Hummingbird – Page Speed Optimization
*   Hustle – Pop-ups, Slide-ins and Email Opt-ins
*   SmartCrawl – SEO Optimizer
*   Defender – Security, Monitoring, and Hack Protection

**About Us**

WPMU DEV is a premium supplier of quality WordPress plugins, services and support. Join here:  
https://wpmudev.com/

Don’t forget to stay up to date on everything WordPress from the Internet’s number one resource:  
WPMU DEV Blog

Hey, one more thing… we hope you enjoy our free offerings as much as we’ve loved making them for you!

**Contact and Credits**

WPMU DEV

CVE-2019-9567: Forminator – Contact Form, Payment Form & Custom Form Builder

Telecommunications provider AT&T disclosed earlier this month that adversaries stole a cache of data that contained the phone numbers and call records of “nearly all” of its customers.

Thursday, July 18, 2024 14:00

Between AT&T, all the follow-on activity from Snowflake, Microsoft Outlook, and more, it’s best to probably just assume at this point that your personal information has somehow been involved in a data breach. 

We’re only halfway through 2024, and we’ve already seen some of the largest data breaches and leaks in history. Telecommunications provider AT&T disclosed earlier this month that adversaries stole a cache of data that contained the phone numbers and call records of “nearly all” of its customers, which equates to about 110 million people.  

Even if you’ve yet to receive the dreaded boilerplate notification email from any company, it’s probably just best for all of us to assume that some of our personal information has been accessed, leaked or stolen over the past few years, or it’s going to be eventually.  

I took this as an opportunity to check for myself. The ever-popular Have I Been Pwned? says my personal email address has been involved in 14 breaches, some dating back to 2017 and one as recently as June.  

Thankfully, Trend Micro’s ID Protect says that my personal cell phone hasn’t been involved in any data breaches, but that certainly hasn’t stopped me from getting my fair share of spam texts and phone calls. 

Outside of those two search engines, I felt like this would be a good space to provide additional resources and advice for anyone reading this. Even if you haven’t been a part of the recent spate of data breaches, I think it’s a good idea to take these steps now anyway, because you never know when the next breach is going to happen.  

*   **Stop reusing passwords.** Use a free password manager to generate random, secure passwords for each new account you create. That way, if one of your passwords \*is\* leaked, it makes it impossible for adversaries to start using those leaked credentials to try and brute force their way into other accounts.  
*   Once you enroll in that password manager, use it to frequently update and rotate your passwords.  
*   **Enroll in multi-factor authentication.** Using any type of MFA will ensure bad actors aren’t using any leaked credentials to log into other devices, so even if they have a complete set of usernames and passwords, you can still deny their login.  
*   **Initiate a fraud alert** **to credit reporting agencies.** Of course, this only applies to users who live in the U.S. (though I’m sure other countries have something similar; I can only confidently write about the process in the U.S.). This will let potential lenders know that you may be the victim of fraudulent activity so they will take extra steps to ensure it’s actually you filling out a credit application.  
*   **If a company responsible for exposing your information offers you free credit monitoring, take advantage of it.** We’ll be covering what identity monitoring does for users in tomorrow morning’s episode of Talos Takes, so stay tuned! 
*   **Set up a unique passcode needed to make changes to certain accounts.** AT&T is specifically advising customers to set up a passcode needed to prevent any significant account changes, such as porting phone numbers to another carrier.  

**The one big thing **

Speaking of data breaches, adversaries know that users and companies are concerned about this threat, too, and they’re leveraging that in phishing attacks and scams. Talos researchers recently observed an ongoing cryptocurrency heist scam since as early as January 2024, leveraging hybrid social engineering techniques such as vishing and spear phishing, impersonating individuals and legitimate authorities to compromise the victims by psychologically manipulating their trust with social skills. Impersonating investigation officers of CySEC (Cyprus Securities and Exchange Commission), the scammers in this campaign are using a lure theme of refunding a fake seized amount from a fraudulent trading activity in Opteck trading platform to compromise the victims. 

**Why do I care? **

This particular campaign seems to be successful, as wallets connected to the group have received tens of thousands of U.S. dollars in the Ethereum cryptocurrency. But this is also evidence of a broader trend on the threat landscape: Attackers are going to be using data breaches as a threat and lure going forward. Users who are afraid of their data being leaked may be more likely to click on a phishing email or lure document that claims to have information on a leak. Or they may be more open to clicking on a link claiming to lead to “free” identity monitoring.  

**So now what? **

The significance of data breaches is facilitating the adversaries in their scam campaigns providing them the information needed to execute fraudulent activities, causing extensive financial, reputational, and psychological damage to individuals and organizations. So, creating security awareness in public is a preliminary responsibility of the organizations and security community. It empowers individuals to protect themselves and supports organizational security efforts. By fostering a culture of security awareness, the risks associated with data breaches and scam campaigns can be reduced. 

**Top security headlines of the week **

**Trend Micro’s Zero Day Initiative publicly called out Microsoft for not crediting their researchers for a recently disclosed vulnerability.** Security researchers at ZDI say they first informed Microsoft of the vulnerability in May and hadn’t heard anything about it again until it showed up in July’s Patch Tuesday, Microsoft’s monthly security update. The ZDI blog post has generated additional conversations in the security community about the pros and cons of coordinated vulnerability disclosure and existing problems with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) CVD program. There is also still uncertainty on the exact nature of the vulnerability, CVE-2024-38112. The initial discoverers say it is a remote code execution vulnerability that should be considered critical, though when Microsoft disclosed it, it came with a lower CVSS score and identified it as a spoofing vulnerability. “CVD doesn’t work if the only ones coordinating are the researchers. While these are Microsoft examples, there are multiple occasions from various vendors where ‘coordination’ simply means ‘You tell us everything you know about this bug, and maybe something will happen,’” Trend Micro wrote in their blog post. (Zero Day Initiative, The Register) 

**A data breach unmasked the company behind the spyware mSpy and a list of its customers.** According to the data leak site Have I Been Pwned?, unknown attackers stole millions of customer support tickets, eventually leaking 142GB of data. The leaked information includes personal details of customers, emails to mSpy’s support team and email attachments. mSpy promotes itself as a phone surveillance app that can track users’ children or employees. However, it is often used to monitor people without their consent, like most spyware. The stolen data includes customer and user emails to mSpy support via the third-party software Zendesk. Leaked emails include targets who did not wish to have the spyware tracking their device, including journalists, and even U.S. law enforcement agents looking to file subpoenas or legal demands with the company. Once installed on an infected device, mSpy can monitor keystrokes, review text messages, track users’ locations, scrape their social media accounts and view the target’s sent and received photos. (TechCrunch, PC World) 

**The Iranian APT MuddyWater added a new backdoor to its malware arsenal known as BugSleep.** Security researchers say the malware “partially replaces” the actor’s traditional use of legitimate remote monitoring tools. MuddyWater is known for its connections to Iran’s Ministry of Intelligence and Security (MOIS). The group’s most recent campaign included sending phishing emails that invite targets to attend online classes and webinars to 10 different Israeli companies. Some versions of BugSleep come with a custom malware loader that injects the backdoor into the active processes of several well-known software, including Microsoft Edge, Google Chrome and Microsoft OneDrive, so taht it can remain undetected. Talos has reported on several MuddyWater campaigns over the past few years against entities spread throughout the U.S.A, Europe, Middle East and South Asia. Their campaigns are primarily designed to either steal sensitive information or execute ransomware on a targeted network. (The Register, Bleeping Computer) 

**Can’t get enough Talos? **

*   Cisco Talos Report Reveals Critical Insights in Ransomware Trends 
*   Cisco Talos analyzes attack chains, network ransomware tactics 
*   Cisco Talos: Top Ransomware TTPs Exposed 
*   Talos Takes Ep. #190: What we learned from studying the TTPs of the 14 most active ransomware groups 

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201

It's best to just assume you’ve been involved in a data breach somehow

A Server-Side Request Forgery (SSRF) vulnerability in IPS Community Suite before 4.6.2 allows remote authenticated users to request arbitrary URLs or trigger deserialization via phar protocol when generating class names dynamically. In some cases an exploitation is possible by an unauthenticated user.

CVE-2021-40604: 4.6.2

The Wordfence Threat Intelligence team uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection. This could allow attackers to execute arbitrary code or delete ar bitrary files on sites where a separate POP chain was present. This flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.

    On June 16, 2022, the Wordfence Threat Intelligence team noticed a back-ported security update in Ninja Forms, a WordPress plugin with over one million active installations. As with all security updates in WordPress plugins and themes, our team analyzed the plugin to determine the exploitability and severity of the vulnerability that had been patched.We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection. This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.There is evidence to suggest that this vulnerability is being actively exploited in the wild, and as such we are alerting our users immediately to the presence of this vulnerability.This flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.WordPress appears to have performed a forced automatic update for this plugin, so your site may already be using one of the patched version. Nonetheless, we strongly recommend ensuring that your site has been updated to one of the patched versions as soon as possible since automatic updates are not always successful.Wordfence Premium, Wordfence Care, and Wordfence Response customers received a rule on June 16, 2022 to protect against active exploitation of this vulnerability. Wordfence users still using the free version will receive the same protection on July 16, 2022. Regardless of your protection status with Wordfence, you can update the plugin on your site to one of the patched versions to avoid exploitation.Description: Code InjectionAffected Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPressPlugin Slug: ninja-formsPlugin Developer: Saturday DriveAffected Versions: 3.6-3.6.10, 3.5-3.5.8.3, 3.4-3.4.34.2, 3.3-3.3.21.3, 3.2-3.2.27, 3.1-3.1.10, 3.0-3.0.34.2CVE ID: PendingCVSS Score: 9.8 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFully Patched Version: 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, 3.6.11Ninja Forms is a popular WordPress plugin designed to enhance WordPress sites with easily customizable forms. One feature of Ninja Forms is the ability to add “Merge Tags” to forms that will auto-populate values from other areas of WordPress like Post IDs and logged in user’s names. Unfortunately, this functionality had a flaw that made it possible to call various Ninja Form classes that could be used for a wide range of exploits targeting vulnerable WordPress sites.Without providing too many details on the vulnerability, the Merge Tag functionality does an is_callable() check on a supplied Merge Tags. and when a callable class and method is supplied as a Merge Tag, the function is called and the code executed. These Merge Tags can be supplied by unauthenticated users due to the way NF_MergeTags_Other class handles Merge Tags.We determined that this could lead to a variety of exploit chains due to the various classes and functions that the Ninja Forms plugin contains. One potentially critical exploit chain in particular involves the use of the NF_Admin_Processes_ImportForm class to achieve remote code execution via deserialization, though there would need to be another plugin or theme installed on the site with a usable gadget.As we learn more about the exploit chains attackers are using to exploit this vulnerability, we will update this post.ConclusionIn today’s post, we detailed a critical vulnerability in Ninja Forms Contact Form which allows unauthenticated attackers to call static methods on a vulnerable site that could be used for the site. This can be used to completely take over a WordPress site. There is evidence to suggest that this vulnerability is being actively exploited.This flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. It appears as though WordPress may have performed a forced update so your site may already be on one of the patched versions. Nonetheless, we strongly recommend ensuring that your site has been updated to one of the patched versions as soon as possible.If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that can lead to complete site takeover.Special thanks to Ramuel Gall, a Wordfence Threat Analyst, for his work reverse engineering the vulnerability's patches to develop a working Proof of Concept and for his contributions to this post.

WordPress Ninja Forms Code Injection

We take a look at a site claiming to offer "free" visa access to the UK via WhatsApp. All is not quite as it seems.
The post “Free UK visa” offers on WhatsApp are fakes appeared first on Malwarebytes Labs.

A student friend recently shared a WhatsApp message, unsure if it was scam. The message claims to offer an easy to route to free visas, housing, accommodation, and medicine access.

Here’s how we know it was a scam, and where it lead.

It read as follows:

> **UK GOVERNMENT JOB RECRUITMENT 2022**: This is open to all Individuals who wants to work in UK, Here is a great chance for you all to work conveniently in the UK. UK needs over 132,000 workers in 2022. Over 186,000 Jobs are Open for applying. THE PROGRAM COVERS: Travel expense. Housing. Accommodation. Medical facilities. Applicant must be 16 years or above. Can speak basic English. BENEFIT OF THE PROGRAM: Instant work permit. Visa application assistance. All nationalities can apply. Open to all individuals and students who want to work and study. Apply here \[url removed\]

As you might suspect, there’s multiple red flags in the above claims for anyone considering signing up.

**The bogus visa claim checklist**

The site gives the impression of being operated by UK Visas and Immigration, and repeats some of the errors and red flags from the WhatsApp message.

“We are hiring”

It said:

We are urgently looking for foreigners to apply for the thousands of jobs already available in the United Kingdom. This application is free and upon approval you will be given a work permit, visa, plane tickets and accommodation in the UK for free.

With even the most cursory of glances, the claims on this website simply don’t add up. Let’s dissect some of them:

1.  UKVI applications all begin here, on a gov.uk address. This scam site is not hosted on a gov.uk address.
2.  The Home Office does _not_ cover the cost of flights or accomodation for visa applicants coming to the UK.
3.  There is no free access to medical services in the UK. Visa holders pay an annual immigration health surcharge to access NHS services. This is paid upfront at visa application time.
4.  The minimum age requirement for a skilled work visa is 18, not “16 years or above”.
5.  In most cases, applicants need to be able to demonstrate English ability through one of several available qualifications, not just “can speak basic English”.
6.  You won’t get an “Instant work permit” without paying an additional fee to make use of same day / next day processing.

**It’s website quiz time**

The site posed two questions, including marital and employment status. It then asks for first and last name, email address, and phone number. No matter what I entered, or even if I left all the form elements blank, I always got the following message:

> After checking your applications, You have been approved to work in the United Kingdom 2022

I most certainly had not. It continued:

> –Your UK VISA FORM will be available immediately after you click the “Invite Friends/Group” button below to share this information with 15 friends or 5 groups on WhatsApp so That They Can Also be Aware of the PROGRAM.

Unlike other sites along the same lines, this one didn’t check if I really was sending the link to people on WhatsApp, so I faked it. Did I get my visa after “sharing” the scam?

No, I did not.

**A distinct lack of visa forms**

The clue is definitely in the title. Instead of the promised form, I was greeted by the following message:

No visas yet

> To facilitate the downloading of your UK VISA FORM you must complete this final step of Nationality Verification!
> 
> 1.Click the Continent you are from and complete the given tasks, verification is by phone number or downloading, registering e.t.c.
> 
> (Remember, this step is very important, add your phone number to verify)
> 
> Do not skip any step..

I think my favourite part about all of this is that they used the logo for VISA, the financial multinational corporation. At this point, why not?

**Of redirects and surveys**

Whether I choose “Africa” or “Other Continent”, I was directed to several sites selling drones and watches or asking for mobile numbers, alongside yet more quizzes. The visa forms? Not so much.

This is not what a visa form looks like

While digging around for more information on the site involved in this, I came across this article from the last day or so. Clearly, this site is doing the rounds in WhatsApp circles. There’s also some additional UK visa-related scams listed there too, one of which was bouncing around a few months ago. All in all, this is yet another “if it’s too good to be true” escapade and should be avoided.

“Free UK visa” offers on WhatsApp are fakes

36% of Americans have fallen victim to holiday shopping scams.

**TEMPE, Ariz. and PRAGUE, Nov. 1, 2022 /PRNewswire/ —** A global study from Norton, a consumer Cyber Safety brand1 of NortonLifeLock (NASDAQ: NLOK), sheds new light on the risks consumers will take this holiday shopping this season. According to the 2022 Norton Cyber Safety Insights Report: Special Release – Holiday, conducted online in August 2022among 1,000 U.S. adults 18+ by The Harris Poll, one in three American adults (34%) admit to taking more risks when online shopping during holiday season compared to other times of the year.

The study found a staggering 36% of Americans have fallen victim to online shopping scams during the holidays, losing $387 on average as a result. Of those victimized, most frequently cybercriminals connected with them via email (40%), through social media (38%), third-party websites (32%), texts (28%) or phone calls (23%).

"Now more than ever, many are willing to do whatever it takes online to save on big ticket holiday items, even if it puts them at risk," said Kevin Roundy, Researcher and Senior Technical Director, NortonLifeLock. "The past frenzy of lining up outside stores early to grab must-have holiday gifts has mostly moved online."

Roundy continues, "Inflation and cost-cutting has pushed more Americans to look for discounts, with three-quarters of U.S. adults (77%) willing to take any action to cut costs this holiday season. At this time of year, and this year in particular, vigilance is needed around offers that seem too good to be true, especially when shopping on unfamiliar sites or links via social media."

Nearly 1 in 5 U.S. adults (17%) admit they would willingly risk giving away personal information to obtain a high demand gift or toy over the holiday season– more than one in ten (12%) would go so far as to share their name, email or birthdate which could compromise their identity, however 9% admit they would share the personal details of a friend or family member to secure a high demand gift. Further, more than 2 in 5 Americans (41%) admit to risking their personal information in some way during the holiday season, typically by posting a picture of an expensive gift they have received (19%), posting a picture of their travel destination (18%), tagging their current location on social media (18%), or posting a picture of their travel plans without removing any personal information (13%).

While most Americans (89%) say they feel confident shopping safely online this holiday season, more than 2 in 5 (43%) admit they aren't really sure of the best ways to do so. When shopping online Norton experts recommend the following actionable steps to identify and avoid risks when online shopping:

*   Checking ratings of online sellers
*   Avoiding suspicious links from social media ads or unfamiliar emails using a virtual private network (VPN) when making online purchases on public or unsecured Wi-Fi.

Norton helps consumers shop safely online with products like Norton Safe Web, which enables users to check for unsafe hyperlinks with the Link Guard Feature. For those looking to take preventative steps to safeguard their connected devices, online privacy and identities, Norton provides all-in-one protection from cyber threats through Norton 360 with LifeLock Select.

To view the study's full results and accompanying visual assets, please visit the 2022 Norton Cyber Safety Insights Report: Special Release – Holiday press kit at https://newsroom.nortonlifelock.com/norton-cyber-safety-report.

**About the 2022 Norton Cyber Safety Insights Report: Special Release – Holiday**

The research was conducted online in the United States by The Harris Poll on behalf of NortonLifeLock among 1,000 adults aged 18+. The survey was conducted August 15 – September 1, 2022. Data are weighted where necessary by age, gender, race/ethnicity, region, education, marital status, household size, household income, and propensity to be online to bring them in line with their actual proportions in the population.

Respondents for this survey were selected from among those who have agreed to participate in our surveys. The sampling precision of Harris online polls is measured by using a Bayesian credible interval. For this study, the sample data is accurate to within + 3.8 percentage points using a 95% confidence level. This credible interval will be wider among subsets of the surveyed population of interest.

**About NortonLifeLock Inc.**

NortonLifeLock Inc. (NASDAQ: NLOK) is a global leader in consumer Cyber Safety, protecting and empowering people to live their digital lives safely. We are the consumer's trusted ally in an increasingly complex and connected world. Learn more about how we're transforming Cyber Safety at NortonLifeLock.com.

Online Holiday Shopping Frenzy: Study Shows 1 in 3 Americans Tend to Take More Risks When Shopping Online During Holiday Season

Categories: News
Tags: driver

Tags:  delivery

Tags:  amazon

Tags:  van

Tags:  camera

Tags:  recording

Tags:  footage

Tags:  online

Tags:  privacy

In-van delivery driver footage is reportedly finding its way to the internet. Are privacy issues at play, or is a valuable safety tool?



(Read more...)




The post Amazon in-van delivery driver footage makes its way online appeared first on Malwarebytes Labs.

Footage from technology used to monitor Amazon delivery drivers is leaking onto the internet. AI-enabled equipment which keeps an eye on the drivers’ speed, location, and other activities is part of the growing trend of workplace surveillance. In theory where drivers are concerned it could flag a lack of seat belt, or running red lights.

In practice the drivers aren’t too keen and insist that the companies using this tech can trust them without having a camera in their face all day long. There are other privacy issues to consider too.

When you receive a delivery nowadays, it’s not unusual for drivers to take a photo at the doorstep. You may or may not be present when these images are taken, but you’ll often see them on the web-based “parcel delivered” status page. If you’re lucky, your pyjamas are safely out of shot.

You may have wondered about the privacy issues related to these photographs. On the one hand, they’re attached to a URL online somewhere and they sometimes have your house number in shot. On the other hand, there’s a good chance nobody cares, those parcel delivered links tend to be temporary, and you’re not posing and waving alongside your delivery.

Why does this matter? Well, filmed footage takes in a lot more than a static, split-second shot of your doorstep. If a camera is rolling when a delivery person reaches your home, you could end up in the video footage or even just via the recorded audio should it exist. Ever had a casual chat with your driver? It could be in one of these recordings somewhere.

The cameras used are able to record both road and driver, with Vice reporting that drivers must consent to their biometric data being collected so their actions can be recorded “properly”. Despite this, there are examples of the cameras incorrectly penalising drivers.

Meanwhile the current clips are leaking to sites like Reddit, and nobody is sure who is doing it for the most part. Drivers claim they don’t have access to the footage: only Amazon, the technology maker, and the delivery service partner (DSP) which is the firm making the actual delivery.

On the Subreddit in question, drivers confirm that there is no live feed, but “dispatchers” on the other end can check-in, and drivers can request a pull up of specific footage as seems to be the case in this example. Whether the footage should be requested and dropped online is a different question. With drivers already worried about potential privacy issues of clips making their way to the internet, it’s probably not helpful if some drivers are contributing to the steady flow.

This isn’t the first time footage has appeared online, even if it seems to be more common now. Back in February of this year, one driver shared details of the AI system tracking her moments to a TikTok video which went viral. In that instance, she described the van’s four cameras (one forward facing, two on the side, and one facing her) and how they work together to “ding” her with a violation should she do something against the rules. Even there, she references a driver receiving a “distracted driver violation” for itching his beard which the system considered to be him using a phone while driving. Drivers can contest these supposed violations, but it all gives the impression of a system somewhat at war with itself.

Amazon's stance on this technology is clear: It's a valuable and necessary tool to ensure drivers are doing the right thing and not causing problems for other drivers. From Amazon's comments to Business Insider:

> "The safety technology in delivery vans help keep drivers and the communities where we deliver safe, and claims that these cameras are intended for anything else are incorrect. Since we started using them, we've seen a 35% reduction in collision rates across the network along with a reduction in distracted driving, speeding, tailgating, sign and signal violations, and drivers not wearing their seatbelts."

As for people receiving the packages, this is more of a problem for drivers than the recipients for the most part. However, it would be a shame if this ends up encouraging a lack of interaction with the folks bringing you your packages on a daily basis. 

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us