**LEXINGTON, Mass.--(****BUSINESS WIRE****)--**VulnCheck, the vulnerability intelligence company, today announced it has been authorized by the CVE Program as a CVE Numbering Authority (CNA). The company also announced the launch of VulnCheck Advisories, a program designed to simplify how security researchers share vulnerabilities with vendors.

The CVE Program is sponsored by the U.S. Department of Homeland Security and Cybersecurity and Infrastructure Security Agency with a mission to identify, define and catalog publicly disclosed cybersecurity vulnerabilities. As a CNA, VulnCheck joins an elite group of over 280 partners in 36 countries authorized to assign CVE identification numbers to vulnerabilities and publish additional details in the associated CVE record.

"Our company offers the most comprehensive, real-time vulnerability, threat and exploit intelligence available on the market today,” said Anthony Bettini, CEO and Founder of VulnCheck. "Our products often uncover publicly disclosed vulnerabilities and exploits that have no CVE. To better serve the community, VulnCheck has taken on the task of coordinating CVE assignments for these issues. Now as a full partner in the CVE Program, we can expedite the rate at which we can address these problems. This is just the latest step we’ve taken to use our data to help security teams fight back against the growing tide of vulnerabilities they face each day.”

In conjunction with the authorization, the company also launched VulnCheck Advisories, a program designed to remove friction between researchers who identify and report vulnerabilities and the organizations that acknowledge and fix the flaws. The program enables researchers to share newly discovered vulnerabilities directly with VulnCheck. The intelligence company then takes over the submission process to the vendor and guarantees the vulnerability is published within 120 days, whether fixed or not.

“A lot of the time, researchers are at a disadvantage,” said Bettini. “Programs that buy vulnerabilities can be cumbersome and rife with restrictions. And if researchers choose to work directly with a vendor, they can often spend months just trying to get the company to acknowledge their report. With our program, researchers can submit their findings to VulnCheck and let the process run its course without all the hassle.”

The news comes just months after the company raised a $3.2 million seed round to increase hiring, bolster product development and help large enterprises, government agencies and cybersecurity solutions providers outpace adversaries by solving the vulnerability prioritization challenge.

To learn more about VulnCheck and the Advisories program, visit https://vulncheck.com/advisories.

**About VulnCheck**

VulnCheck is the vulnerability intelligence company helping enterprises, government organizations, and cybersecurity vendors solve the vulnerability prioritization challenge. Trusted by some of the world's largest organizations responsible for protecting hundreds of millions of systems and people, VulnCheck helps organizations outpace adversaries by providing the most comprehensive, real-time vulnerability intelligence that is autonomously correlated with unique, proprietary exploit and threat intelligence. Follow the company on LinkedIn. To learn more about VulnCheck, visit https://vulncheck.com/.

VulnCheck Named CVE Numbering Authority for Common Vulnerabilities and Exposures

**MIAMI****,** **April 12, 2023** **/PRNewswire/ --** Network Assured has reported that data leaks, phishing scams and malware infections attributable to ChatGPT are on the rise. The report tracks the most significant cybersecurity breaches in which ChatGPT has been involved and has found almost two new events of concern each week through March and April 2023.

**March Saw OpenAI's First Major Data Leak**

As many as 1.2% of ChatGPT users during a particular session in March may have had their payment details exposed to the public. While the bug that caused the leak was quickly fixed, the leak's impact on credit card fraud and identity theft may not be known for months.

**3 New ChatGPT-linked Security Events in First Two Weeks of April**

In April alone, the report found: ChatGPT was involved in a major data leak at Samsung, where staff members uploaded sensitive information that included source code from defective equipment and the transcripts of private meetings.

The report also revealed:

*   **A 135% increase in novel phishing attacks:** Hackers are using tools like ChatGPT to create more convincing phishing emails using sophisticated language that matches the target organization.
*   Fake browser **plugins posing as ChatGPT deployed malware to as many as 2,000 people per day** over a 6 day period in March.
*   **Scammers Impersonated OpenAI to promote a fake Defi token** with a phishing email campaign.
*   Dark web forum users are distributing **scripts that allow malicious actors to bypass ChatGPTs illegal content filters** and create new Malware.
*   11% of what company employees paste into ChatGPT during the course of work, was sensitive company information.

**Researchers Use ChatGPT to Create Undetectable Zero Day Virus**

Documenting additional cybersecurity risks, the report highlights the first case of ChatGPT creating a Zero Day virus, with undetectable exfiltration, that successfully passed a virus scan.

The virus was made by a novice developer, using only prompts from ChatGPT. In his worrying conclusion, the developer noted that _"this kind of end to end, very advanced attack has previously been reserved for nation state attackers."_

**A.I. Tools Are Fighting Cybercrime Too**

Fortunately, A.I. tools are also being used to detect and prevent cyberattacks at an increasing rate. The report cites evidence from January 2023 indicating that AI-based security tools stopped over 1.7 million malware attacks within a 90 day period.

To see the complete set of leaks, phishing attempts and malware attacks and cyber risks attributable to ChatGPT, including a full breakdown of the largest healthcare breaches by records stolen, and damage incurred, with full color charts, please see the report here.

**About Network Assured**

Network Assured is a free, independent advisory that helps businesses price cybersecurity services, perform due diligence, and find better vendors. Learn more at www.NetworkAssured.com.

Report Reveals ChatGPT Already Involved in Data Leaks, Phishing Scams & Malware Infections

Entry-level cybersecurity certification is now accredited to the highest global standards alongside other globally recognized (ISC)² certifications like the CISSP®

**ALEXANDRIA, Va.****,** **April 12, 2023** **/PRNewswire/ --** (ISC)² – the world's largest nonprofit association of certified cybersecurity professionals – today announced that the (ISC)² Certified in Cybersecurity℠ certification has received accreditation from the ANSI National Accreditation Board (ANAB) meeting ANSI/ISO/IEC Standard 17024. This achievement follows the latest growth milestone of more than 15,000 Certified in Cybersecurity holders worldwide since the certification was introduced seven months ago.  

ANAB accreditation assures current and future Certified in Cybersecurity certification holders, as well as private and public sector employers, that the certification program was developed and will be maintained to the same rigorous standards as all (ISC)² certifications. (ISC)² was the first cybersecurity certifying body to meet the requirements of ANSI/ISO/IEC Standard 17024, which is a global benchmark for certifying qualified professionals. By extension, this means that Certified in Cybersecurity is now accepted as IAF-approved, which will bring broader recognition to the certification throughout Europe, the Middle East, Africa and Asia-Pacific.  

"The Certified in Cybersecurity certification prepares a new generation of cybersecurity practitioners – from recent university graduates to career changers to IT professionals – to join the field by providing an entry-level career path," said Dr. Casey Marks, Chief Qualifications Officer at (ISC)². "By achieving ANAB accreditation, it provides assurance for career hopefuls and job seekers that the certification is held at a premier standard, like CISSP, for assessing one's knowledge, skills and abilities." 

Certified in Cybersecurity is also recognized by the American Council on Education's College Credit Recommendation Service (ACE CREDIT®) and has evaluated and recommended two credit hours for candidates successfully passing the exam. ACE CREDIT helps adult learners gain academic credit for courses and examinations taken outside of traditional degree programs. 

**Growing Demand for One Million Certified in Cybersecurity**  

(ISC)² launched One Million Certified in Cybersecurity to provide free training and educational resources, as well as a free Certified in Cybersecurity exam to one million new cybersecurity professionals, and more than 190,000 people have enrolled since its launch in late August. 

To meet the growing demand, (ISC)² has increased the availability of Certified in Cybersecurity by adding new languages in Chinese, German and Spanish, with Japanese and Korean coming soon. With increased interest in the certification program, (ISC)² has also expanded the number of test administration centers available for exam takers in the U.S. and the U.K.  

To learn more about the (ISC)² Certified in Cybersecurity certification, please visit: www.isc2.org/Certifications/CC.  

To review a full list of accreditations and endorsements conferred upon (ISC)², please visit: https://www.isc2.org/about/Accreditation-Recognition-and-Endorsement.   

**About (ISC)²**(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our association of candidates, associates and members, more than 365,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education™. For more information on (ISC)², visit www.isc2.org, follow us on Twitter or connect with us on Facebook and LinkedIn.

(ISC)² Certified in Cybersecurity Earns ANAB Accreditation to ISO 17024 and Surpasses 15,000 Certification Holders

Usually focused on going after cryptocurrency organizations, the threat actor has begun targeting defense companies around the world.

An operation within North Korea's notorious Lazarus Group that initially focused solely on coin-mining attacks has begun targeting defense sector organizations around the world.

The DeathNote cluster's shift in focus began in 2020 with attacks on automotive and academic organizations in Eastern Europe linked to the defense industry. Researchers from Kaspersky that have been tracking DeathNote's activities found the Lazarus subgroup following up on that attack with subsequent campaigns on defense and defense-related companies in Europe, Latin America, Africa, and South Korea.

**An Ongoing RAT Campaign**

Kaspersky observed DeathNote engaged in two campaigns against defense companies in 2022 alone. One of them is still ongoing and involves a defense sector organization in Africa. The security vendor discovered the campaign last July and found DeathNote initially breached the company via a Trojanized, open source PDF reader sent via Skype messenger. Once executed, the PDF reader created a legitimate file and a malicious file in the same directory on the infected machine. 

It then used a technique known as DLL side loading to install malware for stealing system information and downloaded a sophisticated second-stage remote access trojan (RAT) called Copperhedge from an attacker-controlled command-and-control server (C2). Copperhedge is malware that Lazarus Group clusters have used in other attacks, including one against a South Korean IT company in 2021.

Kaspersky's analysis of the attack showed the malware using numerous legitimate Windows commands and tools such as Mimikatz for everything from initial reconnaissance on a compromised host system and acquiring login credentials, to lateral movement and exfiltration. To acquire basic system info, for instance, the malware used Windows commands to find TCP and system info, or to query the saved server list from the registry.

To move laterally, the actor used a technique called ServiceMove which leverages Windows Perception Simulation Service to load arbitrary DLL files, Kaspersky said. "When the group completed its mission and began exfiltrating data, they mostly utilized the WinRAR utility to compress files and transmit them via C2 communication channels."

The tactics, techniques, and procedures (TTPs) that DeathNote employed in its campaign against the defense contractor in Africa were similar to those that Kaspersky observed in another 2022 campaign that hit a defense company in Latin America.

**A Broadening Range of Cyber Targets**

Kaspersky security researcher Seongsu Park says DeathNote's evolution from cryptocurrency mining attacks to defense sector espionage is consistent with the Lazarus Group's efforts to broaden its target list over the years.

"While they primarily attacked the defense sector in the past, as we recently published, they have also targeted think tanks and the medical sector," he explains. "This demonstrates the group's wide range of targets."

Lazarus Group, which many believe is an advanced persistent threat (APT) affiliated with the North Korean government, first grabbed attention with a 2014 attack on Sony Pictures over a satirical movie about North Korean leader Kim Jong-un. Over the years, researchers have tied the group to numerous other high-profile attacks, including the WannaCry ransomware outbreak, attacks that drained tens of millions of dollars from banks in Bangladesh, and attacks on major cryptocurrency companies.

The DeathNote cluster is just one of at least seven separate Lazarus malware clusters that are currently active. The others, according to Kaspersky, are ThreatNeedle, Bookcode, AppleJeus, Mata, CookieTime, and Manuscrypt. The Lazarus group operates several clusters simultaneously and each of these clusters operates in a sophisticated manner, using its own malware toolkit with sometimes overlapping features, Park says.

"Each of their clusters changes targets from time to time," Park notes. "We have observed that other clusters, for example, CookieTime and Bookcode, belonging to the Lazarus group, have also targeted the defense industry before."

DeathNote's typical TTPs have included using spear-phishing emails with weaponized Word or PDF reader apps. During the days when the cluster focused on coin mining, it used cryptocurrency-themed lures to try and get victims to execute the initial infection vector. Since switching to defense targets, the cluster has been using defense themed lures — including those that purport to be job advertisements — as phishing lures. Kaspersky said it found DeathNote only dropping the second-stage payload on systems belonging to victims it deemed valuable from a cyberespionage standpoint.

For the moment at least DeathNote's campaigns targeting the defense sector have not affected US organizations.

Lazarus Group's 'DeathNote' Cluster Pivots to Defense Sector

If attackers use your stolen login information or set up wire transfers, you might be out of luck.

Banking laws designed to protect Federal Deposit Insurance Corp. (FDIC)-insured accounts contain loopholes that strip consumers of coverage against certain cyberattacks.

Less than a month before the US Consumer Financial Protection Bureau hit Wells Fargo & Co. with the largest financial civil penalty ever for mismanagement of car loans, mortgages, and bank accounts In December 2022, a Wells Fargo customer suffered an account takeover of his consumer checking account that cost him $45,000. Well Fargo chose not to reimburse that customer, Kartik Gada, CFO and chief economist at a San Francisco-area company.

Documents show the attackers breached Gada's cell phone account, then accessed his bank login credentials from the phone's backup data. The attackers changed the bank login information, added the ability to send wire transfers and Zelle money transfers to the checking account, then used two traditional wire transfers to move $45,000 to a New York-based bank. The thieves then removed the funds from the other bank's account by the thieves. Wells Fargo maintained that since the attackers obtained Gada's valid bank login credentials, that was sufficient to deny reimbursing Gada.

Account takeovers are not uncommon. A Marina del Rey couple faced a similar attack but had their funds returned to them by Wells Fargo at roughly the same time as the Gada attack. However, the modus operandi of the attackers was different, as were the results.

Gada tells Dark Reading that Well Fargo denied his request to funds to be returned because the bank claims he "failed to protect his password security." Gada says a bank representative told him that while it acknowledged the attack, it still declined to reimburse him.

In the final resolution letter Wells Fargo sent to Gada, the bank wrote, "According to the Online Access Agreement, you are responsible for keeping your username and password confidential, and for actions taken by anyone using the Service after signing in with your username and password, or any other Wells Fargo approved authentication control, except as otherwise provided by law or regulation. We are entitled to rely and act upon instructions received under your username and password."

**Inadequate Bank Oversight**

Jay Hack, a partner at the New York law firm Gallet Dreyer & Berkey, LLP, says the bank's "procedures for due diligence with respect to customers is obviously failing and the filtering software to filter out suspicious transactions is obviously failing. This transaction has all of the conditions of being a theft."

Once the bank's systems recognized the change in how the customer had been using the personal checking account and the swift changes to the account the night of the account takeover, the bank's monitoring software should have alerted authorities, he asserts. There are two possible reasons why it might not have done so, he notes. The first is the software was misconfigured to not "kick out suspicious transactions." Another is that even if the alert was noted, it could have been ignored.

A major bank, Hack says, should have software that identifies account takeovers and unusual actions — such as changing passwords and then adding and immediately using wire transfer capabilities — and kicks out an alert.

**Finessed Legal Justifications**

Wells Fargo ignored multiple requests by Dark Reading to comment on its decision not to compensate Gada. It also would not comment on why the bank's security controls did not flag the anomalies occurring on the account and why no bank employee tried to confirm the unusual changes to the account before processing the transactions.

While the Comptroller of the Currency's office and the Consumer Financial Protection Bureau both declined to discuss the specifics of Gada's situation, both organizations directed Dark Reading to documents concerning the Electronic Fund Transfer Act and Regulation E. One carve-out that Wells Fargo used as a reason to deny compensating the customer is that the attackers implemented wire-transfer capabilities, which specifically is not covered under Regulation E.

Wells Fargo's response to the breach was to redefine the personal checking account as a brokerage account due to the attackers' actions and subsequently told the client different rules applied to the brokerage account, Gada said. The bank chose to follow Universal Commercial Code (UCC) 4A-202, which addresses wire transfers and has different "good faith" rules than does Regulation E. A short PowerPoint description of the regulations can be found on the FDIC's website.

Wells Fargo's position is that a customer is responsible for losses if the attackers use a wire transfer to steal money from the customer's checking account. Should the attackers have chosen a different approach, such as a money transfer application such as Zelle or PayPal or an Automated Clearing House (ACH) transfer, the FDIC would have required the bank to reimburse Gada under Regulation E.

The bank chose not to address why the victim of a crime would be subject to UCC 4A, which requires an agreement between the bank and the customer. As the attackers caused the change in account status and not Gada, this raised the question of whether this was a legal contract between the customer and bank.

Hack says that banks can get away with such denials because the cost of litigation is often far higher than the consumer's loss. It does not become profitable for specialty law firms to file lawsuits until the customer's losses are $1 million or more, he notes.

When Banking Laws Don't Protect Consumers From Cybertheft

**OSLO****, Norway** **,** **April 12, 2023** **/PRNewswire/ --** Opera (NASDAQ: OPRA) – the company behind the award-winning family of web browsers – is announcing the extension of its free browser VPN service to Opera Browser for iOS. Already available to some users for early access, the full rollout will be completed within the coming weeks. With this addition, Opera became the first web browser to offer a free built-in VPN across all major platforms, including Mac, Windows, Linux, Android, and iOS.

Staying private online is becoming increasingly challenging. When users browse the internet, they can be subject to data collection from websites and online services, many of which are not always transparent about how they store and use this data. Meanwhile, unsecure networks, such as some public Wi-Fi are vulnerable to attacks from bad actors, which can compromise sensitive personal data like web banking information or credit card details. VPNs, as a result, are an increasingly essential feature of life online – they help protect one's identity and activity so that users can peruse the internet privately, their personal information safe from prying eyes.

With the addition of its VPN service to iOS, Opera becomes the first browser company to offer a built-in, free VPN on every platform. Opera's VPN service requires no subscription, no logging into an account, and no additional extensions – users simply need to toggle a switch in the main menu to browse in peace, since the Opera Browser makes sure VPN traffic is encrypted and IP address is private.

"Opera has always been known for its unique feature set. We are proud to bring our free built-in VPN to all major platforms and to be the first browser company to do so. Our commitment to providing users with a secure browsing experience has led us to develop this feature over the years. We are excited to bring this vital tool to iOS users to ensure their online safety and privacy," said Jørgen Arnesen, EVP Mobile at Opera.

A no-log service, the VPN does not collect any personal data or information related to users' browsing history or originating network address, ensuring anonymity. Fast and secure, users have instant access to virtual locations around the world.

The Opera Browser for iOS is an award-winning browser that is enjoyed by millions of users worldwide. Featuring an interface that has garnered multiple design awards, the browser affords an unparalleled user experience. Designed to be used on the go, Opera's Fast Action Button gives users the full range of navigation tools within a thumb's reach. Users can additionally keep photos, articles, recipes, travel ideas, and links with them at all times with My Flow, which allows for seamless and secure file sharing between phones, tablets, and computers. The browser even integrates a native Crypto Wallet, enabling users to keep track of their digital assets at all times.

Apart from its convenience, the Opera Browser for iOS also offers unparalleled speed and security. It features, for example, a built-in ad blocker – speeding up the loading process as well as shielding users from unwanted advertisements – plus the Apple Intelligent Tracking Prevention, which blocks third party tracking cookies and cookie dialogue. The browser also boasts Opera's Cryptojacking Protection, which safeguards users from having their device's resources hijacked for crypto mining. The free VPN service will now complete the package, affording users protection as they browse the internet.

Concurrent with the ongoing rollout of the free VPN service, Opera Browser for iOS is also receiving a pair of additional upgrades. A Bookmarks feature will allow users to better organize their lives online, and coupled with Speed Dial ensure immediate access to what's most important. And for football fans, a new Live Scores feature lands on the browser's homepage. A scoreboard that displays the day's matches – whether they are upcoming, in progress, or the final whistle has already gone – Live Scores will help users stay on top of the action worldwide.

To start using the free VPN, users just need to download the Opera Browser for iOS and turn the VPN on in the app. The full rollout will be completed within the coming weeks, so VPN will become available for all users shortly. More information is available on the official website.

**About Opera for iOS**

Fast, safe and private, Opera Browser is a beautifully designed web browser with a Red Dot Award for its stunning user interface. Enjoyed by millions of fans across the world, it's built for people on the go and features a lightning fast web search for instant results. With built-in security features such as Apple Intelligent Tracking Prevention and Cryptojacking Protection – plus a native Crypto Wallet – Opera Browser offers users the optimal iOS experience. Opera Browser has a 4.7 star rating in the App Store and has been reviewed by more than 600,000 people worldwide.

**About Opera**

Opera is a web innovator building on more than 25 years of innovation that started with the Opera web browser. While Opera is leveraging its brand and engaged user base in order to grow and develop new products and services for people who seek a better internet experience, Opera's PC and mobile web browsers, content discovery platform Opera News, and apps dedicated to gaming, and Web3 are already the trusted choices of hundreds of millions of active and engaged users. Opera is headquartered in Oslo, Norway, and listed on the NASDAQ Stock Exchange under the OPRA ticker symbol. Download and access Opera's products and services from www.opera.com.

SOURCE Opera Limited

Opera Adds Free VPN to Opera for iOS

Hackers can compromise public charging hubs to steal data, install malware on phones, and more, threatening individuals and businesses alike.

US government agencies are warning that malware planted in public charging stations for phones and other electronics can sneak onto your device when you least expect it.

On April 6, the FBI Denver office published a morsel of advice. "Avoid using free charging stations in airports, hotels, or shopping centers," its tweet stated. "Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead."

The sentiment was echoed in an FCC notice about the phenomenon — known as "juice jacking." The commission added that, "in some cases, criminals may have intentionally left cables plugged in at charging stations." Also, "there have even been reports of infected cables being given away as promotional gifts."

Experts say that charging stations can carry risk, not just for individuals but also enterprises. Still, the risk is low and there are simple solutions for avoiding it altogether.

**How Hackers Can Poison Charging Stations**

"There are two different ways this happens," says Pete Nicoletti, field CISO at Check Point Software. "There are the people that actually own those stations. If they're looking for additional revenue, they might install malware on their charging stations."

This isn't the kind of scenario you'd run into at your local airport, though, he adds: "\[That's\] going to be the bad actors that compromise a legitimate station."

Ordinary outlets are immune, but USB ports in modern charging stations are different.

"There is some sort of computer or smart device behind these stations, connected to those USB charging outlets," explains Dmitry Bestuzhev, most distinguished threat researcher at BlackBerry. And because there's a computer involved, the opportunity exists for back-and-forth data transfer.

"Imagine using a phone for charging," Bestuzhev continues. "You use the same USB cable for synchronizing data on your phone with a computer, such as photos, videos, and other information. Technically, a threat actor could poison the data transmission between the malicious station and your device to steal information or install malicious code."

Were this to occur, the FCC says, hackers could "maliciously access electronic devices while they are being charged. Malware installed through a corrupted USB port can lock a device or export personal data and passwords directly to the perpetrator. Criminals can then use that information to access online accounts or sell it to other bad actors."

And any risk to travelers can have a knock-on effect for their employers.

"Most people use their phones for a mix of work and personal time," Allan Liska, threat intelligence analyst at Recorded Future, points out. For a work-from-home employee accessing corporate data from a coffee shop or airport lounge, "a successful attack not only means a phone owner's personal data is compromised, it also means that any work data stored on that phone would be accessible by the attackers." In theory, hackers could also plant malware on a BYOD phone or laptop, or hijack an employee's access to enterprise networks for further attacks.

Whether any of this is likely is another matter. "One of the challenges with the FBI tweet is that they don't provide any real-world examples," Liska says. "So while the kind of attack the FBI laid out is certainly possible, the risk is relatively low."

**Simple Solutions for Charging Safely**

For anyone concerned with charging devices in public, there is one simple solution: don't use dedicated charging stations. Ordinary electrical outlets — of the kind you'd use at home — provide a perfectly safe alternative.

Even when you're searching around the airport terminal and can't find any outlets, there are other options. "Your readers can't see it, but this is what people should be carrying," Nicoletti says over a Zoom call, while holding up his wireless phone charger. "These are 15 bucks!"

And "if a socket isn't available and you're charging a device through a USB cable, use a data blocker," Bestuzhev recommends. Data blockers — colloquially referred to as "data condoms" — are inexpensive and widespread online.

"They're essentially designed on a hardware level to block any data transmission to or from your device," he explains. "So even when you connect to a malicious charging station, if you're using a data blocker, you'll still get the electric charge for your device but data won't flow. That's because, on a hardware level, the data blocker is designed to block the circuit of those parts of the cable to transfer data. So, your data can't be transferred in any direction — just electricity."

Jacked charging stations may be rare, but because the alternatives are so cheap and simple, it's easy enough to avoid the hassle altogether. "These tools," Bestuzhev concludes, "should really be part of any 'frequent flier' or 'frequent traveler' kit."

FBI & FCC Warn on 'Juice Jacking' at Public Chargers, but What's the Risk?

Open source media player Kodi still hasn't recovered its forum and plans to redeploy it on a new server with software update.

The Kodi forum (MyBB) is a place where about 400,000 users of the Kodi open source media player come together to share tips on customizing their home theater experience. But when a cache of MyBB user data popped up for sale on an Internet forum, team Kodi took a closer look and realized there had been a major breach.

Logs revealed that a former MyBB admin's account was hijacked to access the admin console on both Feb. 16 and Feb. 21, the Kodi Foundation said in a statement announcing the breach on April 8.

"The account was used to create database backups which were then downloaded and deleted. It also downloaded existing nightly full-backups of the database," the Kodi statement said.

That means all public forum posts, team forum posts, user-to-user messages, and user data, including username, email address, and hashed passwords were compromised, Kodi added.

An April 11 update on the breach by the Kodi Foundation said the forums were being migrated to new servers and will run on an updated version of MyBB software, and the forums will remain offline for several days during the migration.

"As part of the redeployment we will restrict and harden access to the MyBB admin console, revise admin roles to reduce privileges wherever possible, and improve audit logging and backup processes," the statement added.

    

In the meantime, Kodi Foundation has shared breach data with the haveibeenpwned disclosure site and vowed to share password reset information as soon as the forums are back up. Additionally, the forum wiki is being moved to a new host, the statement added.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Data on 400K Kodi Forum Members Stolen and Put Up for Sale

Researchers at Microsoft have discovered links between a threat group tracked as DEV-0196 and an Israeli private-sector company, QuaDream, that sells a platform for exfiltrating data from mobile devices.

Microsoft has identified another Israel-based threat organization, similar to NSO Group, that is selling mobile spyware and other cyber espionage tools and services to international governments to monitor and spy on private individuals.

Microsoft Threat Intelligence researchers have discovered links between a threat group they've been tracking as DEV-0196, which offers iOS malware, and a private-sector company called QuaDream that sells a platform for exfiltrating data from mobile devices, researchers said in a blog post published April 11. Without explicitly stating so, the researchers suggested that DEV-0196 and QuaDream are actually one and the same.

"Microsoft Threat Intelligence analysts assess with high confidence that the malware, which we call KingsPawn, is developed by DEV-0196 and therefore strongly linked to QuaDream," the researchers wrote. "We assess with medium confidence that the mobile malware we associate with DEV-0196 is part of the \[company's 'Reign' offering\]."

The parallels between the activity of the separately linked entities is eerily similar to that of Israel-based NSO Group, which has been widely condemned, blacklisted, and even sued for its role in selling the iOS-based spyware known as Pegasus to hostile governments to target journalists, activists, politicians, businesspeople, and other private citizens with unethical cyber espionage activity. The spyware notably targets zero-day flaws with exploits, making it difficult to mitigate or detect its nefarious activity.

**Suspicious QuaDream Activity**

Similarly, QuaDream's REIGN is a suite of exploits, malware, and infrastructure designed to extract data from mobile devices for allegedly legal purposes, however, the company suspiciously doesn't have a website, and a 2022 Reuters report suggested that QuaDream used a zero-click iOS exploit that leveraged the same vulnerability seen in NSO Group's ForcedEntry exploit.

According to the Israeli Corporations Authority, QuaDream, under the Israeli name קוודרים בע”מ, was incorporated in August 2016. A report by news outlet Haaretz, citing a QuaDream brochure, claimed that the government of Saudi Arabia — known for targeting journalists and others who speak out against its policies — was among QuaDream's clients, as was the government of Ghana.

A separate December 2022 report from Meta, which reportedly took down 250 accounts associated with QuaDream, also shed light on the activity of the company. That report claimed that QuaDream was testing its ability to exploit iOS and Android mobile devices with the intent "to exfiltrate various types of data including messages, images, video and audio files, and geolocation," the researchers said.

Meanwhile, Microsoft Threat Intelligence believes that DEV-0196 is selling both exploitation services and its KingsPawn iOS malware to governments to spy on and track members of civil society — including journalists, political opposition figures, and a non-government organization (NGO) worker — in locations across Europe, North America, the Middle East, and Southeast Asia.

Microsoft worked with several partners on the investigation of the links between QuaDream and DEV-0196, including Citizen Lab of the University of Toronto's Munk School, which identified at least five targets of DEV-0196 across the aforementioned geographies. It also identified operator locations for QuaDream systems in Bulgaria, Czechia, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates, and Uzbekistan. Citizen Lab has released its own separate report about the findings.

The behavior of DEV-0196 is consistent with that of "private sector offensive actors (PSOAs)" or "cyber mercenaries," according to Microsoft Threat Intelligence, which sell hacking tools or services through a variety of business models — including access as a service — to the highest bidder. They don't directly target individuals or run cyber espionage operations themselves.

**KingsPawn: A Custom Spyware**

Microsoft and its partners analyzed samples of the multi-component KingsPawn, which specifically targets iOS 14. However, it's possible that some of the code also could be used on Android devices, the researchers said. It's also likely that the threat group has already updated the malware to target versions of iOS newer than 14, as the latest version of Apple's operating system software is already up to iOS 16, the researchers said.

KingsPawn is comprised of two agents — a monitor agent in the form of a native Mach-O file written in Objective-C, and the main malware agent, a native Mach-O file written in GoLang, a language favored by threat actors for its portability, among other features, the researchers said.

The monitor agent is responsible for reducing the forensic footprint of the malware to prevent detection and hinder investigations, as well as manage the various processes and threads spawned on behalf of the malware to avoid artifacts created from unexpected process crashes.

Within the main agent of KingsPawn is the real gravy of the spyware where all of the capabilities to track victims and steal data lies, the researchers said.

Capabilities of the main agent include: obtaining device, Wi-Fi, cellular info, searching for and retrieving files, using the camera in the background, locating where the device is, monitoring phone calls, accessing the iOS keychain for passwords, and generating an iCloud one-time password that's time sensitive to retrieve stored data.

"The agent also creates a secure channel for XPC messaging by creating a nested app extension called _fud.appex_," the researchers wrote. "XPC messaging allows the agent to query various system binaries for sensitive device information, such as location details."

**Detection & Protection From Mobile Spyware**

Microsoft has developed unique network detections that could be used to fingerprint DEV-019's infrastructure on the Internet based on the group's heavy use of domain registrars and inexpensive cloud hosting providers that accept cryptocurrency as payment, the researchers said.

"They tended to only use a single domain per IP address and domains were very rarely reused across multiple IP addresses," they wrote in the post. "Many of the observed domains were deployed using free Let's Encrypt SSL certificates, while others used self-signed certificates designed to blend in with normal Kubernetes deployments."

The blog post includes network-based indicators that the researchers gleaned from their investigation to help potential victims identify if they've been compromised, including domains strongly associated with some countries that Citizen Lab has identified as locations of victims, countries where QuaDream platforms were operating, or both.

While acknowledging that preventing exploitation of mobile devices by threat actors who are exploiting zero-click vulnerabilities is difficult, there are ways to minimize the risk of mobile devices being compromised, the researchers said.

Following basic cyber hygiene and best practices to keep device software updated through automatic updates, the use of anti-malware software, and maintaining vigilance not to click on malicious links or suspicious messages can also help potential victims avoid compromise.

Researchers also suggested that if someone using an iOS device believes they may be a target of spyware, they can enable Lockdown Mode to enact advanced iOS security, thus reducing the attack surface for threat actors.

Microsoft: NSO Group-Like 'QuaDream' Actor Selling Mobile Spyware to Governments

A recent survey showed a surprising correlation between those who operate their businesses with risk and compliance data in silos and those who experienced data breaches in the last 24 months.

What are the consequences of operating your business with risk and compliance data in silos? Turns out, it might be more impactful than you think.

A recent 2023 survey of more than 1,000 IT risk, compliance, and security professionals found a correlation between data silos and breaches: namely, that companies operating with their risk management and compliance operations data in silos experienced a higher frequency of breaches.

Let's dig into the data.

**Risk Management Confidence Remains High, but Data Silos Persist**

First, let's start with risk. Survey respondents take risk management seriously, with a staggeringly high 93% of respondents feeling that they've done well in identifying and assessing risks. Additionally, 56% of infosec professionals are conducting annual security risk assessments, and 27% are conducting biannual assessments, meaning risk management is top priority for respondents. In short, confidence to address risk is high.

    

However, although respondents grasp the importance of risk management, according to the data, their processes for managing IT risks lag behind their intentions. Despite this overwhelming confidence respondents have about identifying and assessing risks, 51% said they struggle with identifying where the critical risks are to assess what remediations to prioritize. Thirty percent of respondents said their process to identify controls that can mitigate risks does not meet their company's objectives, and 39% of all respondents said they struggle with finding risk-related information when they need it.

    

Why are survey respondents so confident in their ability to address risks but still struggling to identify risk-related critical tasks? The answer is simple: 90% of surveyed organizations are managing risk management and compliance operations activities in silos, which is opening them up to vulnerabilities. Thirty-eight percent of respondents admitted that they switch between multiple systems throughout the risk management process and that they have separate places for risk assessments vs. tracking remediation efforts, such as multiple spreadsheets containing risk assessment results or multiple platforms tracking risk.

**The Connection Between Data Silos and Security Vulnerabilities**

The survey uncovered that only 10% of respondents have an integrated view on how to manage their unique set of risks and have aligned their risk and compliance activities, and organizations that managed risk in an ad hoc manner or only when a negative event happened were more likely to experience a breach.

    

Let's break these metrics down a little more:

Managing risk ad hoc or in siloed departments had negative impacts on those surveyed: One in two companies managing risk ad hoc or in siloed departments experienced a breach in 2022. Parsing this number further, we saw that 61% of companies that characterized their risk management approach as "ad hoc" experienced a breach, and 46% of those managing risk in siloed departments experienced a breach.

In contrast, only 36% of companies with an integrated approach and manual tools experienced a breach. Additionally, only 30% of companies with an integrated approach and automated tools experienced breaches.

    

The takeaway? Companies that unified their risk and compliance operations did not suffer the same frequency of breaches, indicating that operating in silos opens companies up to vulnerabilities.

**The Power of Unifying Risk and Compliance Data**

Although risk and compliance continues to operate in silos, respondents recognize the benefits of changing this reality. Fifty-seven percent of respondents said that having a solid compliance program helps them mitigate risks, even though risk management and compliance activities are typically conducted in response to separate events.

Taking an integrated approach to risk and compliance operations allows organizations to focus on their unique set of risks while avoiding duplicate activities across their risk and compliance management processes. Organizations that take this approach typically start the risk management process with conducting a risk assessment. From there, they create security policies and implement internal controls tailored to the results of their risk assessment. This allows for greater alignment throughout the organization by allowing for input from all stakeholders, not just a select few. Also, it helps create a compliance program that integrates directly with risk operations.

The survey results provided evidence that organizations taking an integrated approach have better security posture than their counterparts who view compliance solely as the function that enforces rules and regulations: On average, organizations that take an integrated approach to risk management experienced security breaches less often than those who view their compliance function as the enforcer of rules. Additionally, as a group, organizations that take an integrated approach spend less time on repetitive and administrative tasks compared to those who believe the compliance function's purpose is to enforce the rules.

To learn more, read the full survey report here.

**About the Author**

    

Kayne McGladrey, CISSP, is the field CISO for Hyperproof and a senior member of the IEEE. He has over two decades of experience in cybersecurity and has served as a CISO and advisory board member, and focuses on the policy, social, and economic effects of cybersecurity lapses to individuals, companies, and the nation.

Source

DARKReading