A list of topics we covered in the week of May 20 to May 26 of 2024

May 22, 2024 - A notorious cybercriminal involved in breaches has released a database containing 70 million US criminal records.

May 22, 2024 - Microsoft unveiled an AI search tool on new laptops that will require regular screenshots of all device activity to be recorded and stored.

May 21, 2024 - This post explains how to remove additional users and accounts from your Android device

May 21, 2024 - This post explains how to remove additional users and accounts from your Windows device

May 20, 2024 - This week on Lock and Code, we talk about what people lose when they let AI services make choices for dinners, reservations, and even dating.

 A week in security (May 20 &#8211; May 26) 

Plus: US surveillance reportedly targets pro-Palestinian protesters, the FBI arrests a man for AI-generated CSAM, and stalkerware targets hotel computers.

Sex, drugs, and … Eventbrite? A WIRED investigation published this week uncovered a network of spammers and scammers pushing the illegal sale of controlled substances like Xanax and oxycodone, escort services, social media accounts, and personal information on the event management platform. Making matters worse, Eventbrite’s recommendation algorithm promoted posts for opioids alongside addiction recovery events. The good news is, the company appears to have removed most of the more than 7,400 illicit posts WIRED uncovered.

If you drive a Tesla Model 3, make sure to enable your PIN-to-drive feature or your car could be easily stolen within seconds. While the company has added new ultra-wideband radio tech to its keyless system, which can prevent “relay attacks,” researchers at Beijing-based security firm GoGoByte found that Model 3s (as well as other unnamed makes and models of vehicles) are still vulnerable. Relay attacks use inexpensive radios to transmit the signal from someone’s key fob or phone app that can then be used to unlock and start an impacted vehicle. Tesla says its adoption of ultra-wideband radio was not meant to stop relay attacks (even though it technically could), but it’s possible the automaker will add that protection in the future.

Police busting people for running illicit online markets is nearly as old a tale as the dark web itself. But this week’s takedown offered a new twist. The FBI recently arrested Lin Rui-siang, a 23-year-old accused of operating Incognito Market, which authorities claim facilitated $100 million in sales of narcotics on the dark web. US prosecutors claim Lin then extorted Incognito’s users by threatening to expose them unless they paid up. Curiously, Lin’s professional experience includes teaching police how to catch cybercriminals by tracing cryptocurrency on blockchains. If the US Justice Department is correct about his alleged involvement in Incognito Market, that would make him one of the most unusual cybercriminals we’ve ever encountered.

Leaks don’t just impact people on the wrong side of the law, of course. An unsecured database recently exposed biometric data of police officers in India, including face scans, fingerprints, and more. The incident reveals the dangers of collecting sensitive biometrics in the first place.

Finally, the saga of WikiLeaks founder Julian Assange inched forward again this week, with a British court ruling that he can appeal his extradition to the US, where he faces 18 charges under the Espionage Act for WikiLeaks’ publication of classified US military information. The judges said that Assange can appeal US prosecutors’ assurances about how his trial would be conducted and on First Amendment grounds. The appeals process will inevitably push back any final decision about his potential extradition for months.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Following the trend of tech companies in the AI race throwing privacy and caution to the wind, Microsoft unveiled plans this week to launch a tool on its forthcoming Copilot+ PCs called Recall that takes screenshots of its customers’ computers every few seconds. Microsoft says the tool is meant to give people the ability to “find the content you have viewed on your device.” The company also claims to have a range of protections in place and says the images are only stored locally in an encrypted drive, but the response has been roundly negative nonetheless, with some watchdogs reportedly calling it a possible “privacy nightmare.” The company notes that an intruder would need a password and physical access to the device to view any of the screenshots, which should rule out the possibility of anyone with legal concerns ever adopting the system. Ironically, Recall’s description sounds eerily reminiscent of computer monitoring software the FBI has used in the past. Microsoft even acknowledges that the system takes no steps to redact passwords or financial information.

**US Surveillance Reportedly Targets Pro-Palestinian Protesters**

Federal authorities are reportedly working quietly to establish ties between antiwar demonstrators on US campuses and any foreign groups or individuals overseas, according to journalist Ken Klippenstein, formerly of the Intercept, who says the National Counterterrorism Center is at the center of the effort. Evidence of overseas ties would lend further ammunition to politicians, university officials, and police, who’ve widely claimed “outside agitators” are to blame for the demonstrations—an allegation that’s routinely lobbed at protesters in the United States, often meant to imply that the protesters themselves are dupes. Incidentally, authorities may also overcome constitutional hurdles to surveillance by establishing a foreign target to spy on; someone unprotected by the country’s Fourth Amendment. Republicans in Congress—representatives Mark Green and August Pfluger—have, meanwhile, asked the FBI and Department of Homeland Security to supply congressional committees with records about the government’s surveillance of the protesters, including any efforts to infiltrate them using “online covert employees or confidential human sources.”

**FBI Arrests Man for AI-Generated CSAM**

The FBI has nabbed a 42-year-old Wisconsin man for using Stable Diffusion, the text-to-image generative AI software, to manufacture child sexual abuse material. The man was reportedly caught with “thousands of realistic images” of children, some featuring them nude or partially clothed with men. Court records indicate the evidence includes more than 13,000 gen-AI images as well as the prompts he used to create the images. “Using AI to produce sexually explicit depictions of children is illegal, and the Justice Department will not hesitate to hold accountable those who possess, produce, or distribute AI-generated child sexual abuse material,” Nicole Argentieri, head of the Justice Department’s Criminal Division, says in a statement. The arrest is part of Project Safe Childhood, a collaboration between the government and corporations reportedly targeting online offenders.

**Stalkerware Targets US Hotel Computer Systems**

Security researchers this week disclosed to TechCrunch that they’d discovered consumer-grade spyware—often known as “stalkerware”—on the computers of “at least three” Wyndham hotels in the United States, potentially exposing travelers’ personal details. The stalkerware, called pcTattletale, can be installed on Android and Windows devices, giving whoever has control of the sneaky app the ability to access data on the targeted machine and monitor users’ activity. The presence of pcTattletale was discovered thanks to a security flaw in the spyware that exposed screenshots of infected machines to the open internet, according to the researchers. Although the researchers found pcTattletale on Wyndham computers, the hotel company says each of its locations are franchises, suggesting that the spyware infection could be limited to just a few locations.

Microsoft’s New Recall AI Tool May Be a ‘Privacy Nightmare’

4BRO versions prior to 2024-04-17 suffer from insecure direct object reference and API information disclosure vulnerabilities.

    SEC Consult Vulnerability Lab Security Advisory < 20240522-0 >=======================================================================               title: Broken access control & API Information Exposure             product: 4BRO App  vulnerable version: before 2024-04-17       fixed version: 2024-04-17          CVE number: -              impact: Critical            homepage: https://www.4bro.de               found: 2023-05-07                  by: Max Rull (Office Bochum)                      SEC Consult Vulnerability Lab                      An integrated part of SEC Consult, an Eviden business                      Europe | Asia                      https://www.sec-consult.com=======================================================================Vendor description:-------------------"4BRO is a German company known for producing iced tea beverages. The brand offersa variety of flavors, including unique combinations such as peach, bubblegum,and watermelon mint. 4BRO emphasizes modern and appealing packaging, targetinga younger demographic. The company promotes its products through various platformsand incentivizes customer loyalty with their app, which allows users to collectpoints for rewards. The company's headquarters is located in Germany, and theirproducts are widely available both online and in retail stores."Source: https://www.4bro.deBusiness recommendation:------------------------The vendor has fixed the security issues in the API server as of 2024-04-17.SEC Consult highly recommends to perform a thorough security review of the productconducted by security professionals to identify and resolve potential furthersecurity issues.Vulnerability overview/description:-----------------------------------1) Broken access control via IDOR in 4BRO app APIAn IDOR vulnerability (Insecure Direct Object Reference) allows an attackerto change the username in the Bearer token used for authentication in the 4BRO app.This leads to account takeover as a result of broken access control (poor Bearertoken verification). Attackers are able to access all data or Bro points ("broins")from other users.2) API Information ExposureWhen opening the app as an unauthenticated user, the 4BRO app loads JSON datafrom a publicly available API endpoint containing sensitive data like e-mailaddresses of employees, internal invoices, a CV including personal information,a gift card etc.Proof of concept:-----------------1) Broken access control via IDOR in 4BRO app APIWhen logging in into the 4BRO app, the server returns a JWT (JSON Web Token).The "login" HTTP request looks like this:--------------------------------------------------------------------------------POST /api/user/signin HTTP/2Host: adminpanel.4bro.deContent-Type: application/json[...]{"email":"<login email>","password":"<login password>"}--------------------------------------------------------------------------------The server responds with a JWT used for authentication and additionalaccount-related data:--------------------------------------------------------------------------------HTTP/2 200 OKContent-Type: application/json; charset=utf-8[...]{     "token": "<JWT here>",     "userData": {         "isBlocked": false,         "_id": "[...]",         "userType": "USER",         "email": "<login email>",         "broins": 0,         "deviceId": null,         "userCreationDate": "2023-XX-XXTXX:XX:XX.XXXZ",         "address": [{                 "_id": "[...]",                 "streetName": "[...]",                 "streetNumber": "[...]",                 "postalcode": "[...]",                 "city": "[...]",                 "firstName": "[...]",                 "lastName": "[...]",                 "country": "at"             }         ],         "ratings": [],         "__v": 0,         "pushToken": "[...]",         "telekomUUID": "[...]"     }}--------------------------------------------------------------------------------Because the JWT is only base64-encoded, it is easy to decode the JWT'sheader and payload as clear text using JWT decoders like https://token.dev/:--------------------------------------------------------------------------------Header:{   "kid": "[...]",   "alg": "RS256"}--------------------------------------------------------------------------------Payload:{   "sub": "[...]",   "event_id": "[...]",   "token_use": "access",   "scope": "aws.cognito.signin.user.admin",   "auth_time": 1683565567,   "iss": "https://cognito-idp.eu-central-1.amazonaws.com/[...]",   "exp": 1683569167,   "iat": 1683565567,   "jti": "[...]",   "client_id": "[...]",   "username": "<login email>"}--------------------------------------------------------------------------------The payload of the JWT contains multiple values indicating that AWS Cognito is in use.By changing the "username" value of the JWT payload to a victim email, it is possibleto use the modified JWT for authenticating as the victim. The victim should alreadyhave a normally registered account in the 4BRO app. By trial and error, it turns outthat even the following modified JWT payload gets accepted by the server:--------------------------------------------------------------------------------{   "sub": "0",   "event_id": "0",   "token_use": "access",   "scope": "aws.cognito.signin.user.admin",   "auth_time": 0,   "iss": "",   "exp": 0,   "iat": 0,   "jti": "0",   "client_id": "0",   "username": "<login email>"}--------------------------------------------------------------------------------Meanwhile, the "kid" property in the JWT header must be a valid value, but can belongto any other already existing 4BRO app account. The JWT signature can be the sameand does not get verified at all.Using the modified JWT, all API methods supported by the 4BRO app can be executed.Because the server only checks the "username" property in the JWT payload and doesslim to none JWT verification, the server thinks that the request came from theaccount associated with the login email contained in the "username" property.This way, sensitive data such as the current "broin" balance, full user data as seenin the login response, previous transactions, redeemed vouchers and goodies etc.can be accessed without restrictions, using the 4BRO API. Also, the "sending broins"action can be performed so that earned "broins" could be transferred to an attacker'saccount balance.2) API Information ExposureBy monitoring the 4BRO app's requests over a proxy, it can be observed thatthe following HTTP request is made when opening the "Goodies" section of the app:--------------------------------------------------------------------------------GET /api/goodies?pageSize=1000 HTTP/2Host: adminpanel.4bro.de[...]--------------------------------------------------------------------------------The response is a JSON object containing all goodies that are or were at some pointavailable in the 4BRO app:--------------------------------------------------------------------------------HTTP/2 200 OKContent-Type: application/json; charset=utf-8Content-Length: 327138[...]{     "goodiesList": [{             "_id": "61950603005c650530b63aac",             "name": "1x 4BRO Getränk Imbiss",             "longDescription": "[...]",             "shortDescription": "Auf unseren Nacken!",             "imagePath":"https://broappasset-prod.s3.eu-central-1.amazonaws.com/dev/goodies/app_kachel_food_256x256.jpg",             "category": "Food",             "quantity": 999999999999808,             "costOfGoodie": 250,             "supplier": "<email removed>",             "totalGoodies": 999999999999861,             "goodieAvailableTime": "Unlimited",             "deliveryMethod": "partnerCoupon",             "isNewGoodie": false,             "inhouseAppVoucherUrl":"https://broappasset-prod.s3.eu-central-1.amazonaws.com/dev/inhouseAppVouchers/undefined",             "__v": 1,             "rating": {                 "value": 3.991869918699184,                 "total": 123             },             "forceGoodie": "true",             "goodieAvailableEndTime": null,             "goodieAvailableStartTime": null,             "restriction": [],             "hidden": false,             "slashedCostOfGoodie": null         },{    [...]    },    [...]    }     ],     "goodieCount": 371}--------------------------------------------------------------------------------This JSON object contains already sensitive data such as the goodie supplier's emailaddresses. Out of the 371 goodies, 36 of those have a URL to a PDF file containedwithin the "inhouseAppVoucherUrl" property. Because these files are hosted on anAWS S3 bucket, everyone can access these documents without authentication.These documents seem to contain various sensitive company internal and personalinformation.While discovering vulnerability 1), we found that old gift codes were also stored asPDF files on the AWS S3 bucket. The names of the gift code PDF files indicate thatthere may be more similarly named documents (IDOR) which could be detected in anautomated way. This could be leveraged to find additional gift code PDF files storedon the AWS S3 bucket.Vulnerable / tested versions:-----------------------------The following app version has been tested and downloaded through Google Play store,which was the most recent version available at the time of the test:* 3.14.7Because the vulnerability is actually server-side within the API, the iOS app wasalso affected at the time the vulnerabilities were discovered.Vendor contact timeline:------------------------2023-06-12: Contacting vendor through broservice@4bro.de (owner) and info@dev5310.com             (developers according to Google Play store)2023-06-15: Vendor asks about the risks of the identified vulnerabilities and which             parts of the application are affected and whether any costs would arise             before they provide us with a security contact.2023-06-16: Detailed answer regarding risk estimation, responsible disclosure and             that no costs are involved.2023-06-19: Vendor requests a phone conference, scheduled for 21st June.2023-06-21: Clarifying responsible disclosure, explaining vulnerabilities and next             steps in phone call. Providing security advisory to vendor.2023-06-29: Vendor has sent the advisory to the developer team for evaluation             and will notify SEC Consult about the release of the security patch.2023-08-18: Asking for a status update.2023-08-31: It is planned to release an Android/iOS app update end of September2023-09-18: Vendor needs to postpone update, no new date available.2023-11-08: Asking for a status update; no response.2023-11-21: Asking for a status update.2023-12-11: Vendor response, fix is available in test environment, production             will be fixed by end of this year.2024-01-24: Asking for a status update; no response.2024-02-12: Asking for a status update.2024-02-12: Vendor is still waiting for a response from their IT.2024-04-17: Asking for a status update.2024-04-17: Vendor states that the vulnerabilities have been fixed.2024-04-17: Asking for the fix date, whether an app update was needed for applying             the fix, and the fixed app version. No response.2024-05-13: Asking vendor again about fixed version, etc., setting preliminary release             date to 2024-05-21. No response.2024-05-22: Release of security advisorySolution:---------The vendor implemented a fix in the affected API server as of 2024-04-17.An app update on Android or iOS is not required to apply the fix.Workaround:-----------NoneAdvisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabAn integrated part of SEC Consult, an Eviden businessEurope | AsiaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anEviden business. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: https://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF M. Rull / @2024

4BRO Insecure Direct Object Reference / API Information Exposure

Threat actors have been observed making use of fake websites masquerading as legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to propagate malware capable of stealing sensitive information from Android and Windows devices.
"Hosting malicious software through sites which look legitimate is predatory to general consumers, especially those who look to protect their devices

Fake Antivirus Websites Deliver Malware to Android and Windows Devices

By Deeba Ahmed
Is your WhatsApp privacy a myth? New reports reveal a vulnerability that could expose who you message to government agents.
This is a post from HackRead.com Read the original post: WhatsApp Engineers Fear Encryption Flaw Exposes User Data, Memo

Think your private WhatsApp messages are truly private? A recent internal warning on WhatsApp suggests otherwise. Despite end-to-end encryption, a newly discovered vulnerability could allow attackers, including governments, to see who you’re communicating with. 

WhatsApp’s security team warned that **despite its encryption**, users remain vulnerable to government surveillance, according to previously undisclosed documents obtained by The Intercept’s investigative journalists.

The **report** was compiled by WhatsApp engineers and sent to Meta’s upper management, highlighting that although 2 billion user conversations’ content on **WhatsApp** remains secure however government agencies can bypass encryption to identify communication patterns, private group composition, and user location. Moreover, government agents can use internet infrastructure to monitor encrypted communications, enabling them to identify the identities involved in conversations. 

The vulnerability is related to traffic analysis, a method of monitoring networks on a national scale, identifying patterns in encrypted internet data flows and revealing connections between users based on activity spikes, even if the messages exchanged aren’t content-related. It aids governments in finding hidden identities in conversations, providing valuable metadata for intelligence and military agencies worldwide, including who, when, and where they communicate.

By exploiting this flaw, attackers could potentially gain access to a list of phone numbers belonging to people in a specific group and get identities exposed even if they cannot access conversations.

> _“Our at-risk users need robust and viable protections against traffic analysis.”_
> 
> Memo

The vulnerability warning has sparked concern among WhatsApp staff. They fear that Israeli intelligence agencies could potentially exploit it to spy on Palestinians in the Gaza Strip. This concern arises from the fact that traffic analysis, the method mentioned in the warning, is utilized by countries with data-sharing agreements like the “**Five Eyes**” alliance, as well as by neighbouring or occupied nations like Israel.

While the exact methods of exploitation are still under wraps, anyone using WhatsApp could be vulnerable, especially those in regions with a history of government surveillance. WhatsApp’s security team flagged this issue internally in March. However, the details of a fix or the extent of the vulnerability remain unclear. 

But there’s no need to panic! just be cautious of group invites and new contacts, especially if they seem suspicious and consider apps with a stronger privacy track record for more secure communication.

1.  WhatsApp Gold Scam is Back with Malware Payload
2.  Fake WhatsApp clones aim at crypto on Android, Windows
3.  New WhatsApp OTP Scam Allows Crooks to Hijack Accounts
4.  WhatsApp Controversy Highlights the Importance of Data Privacy

WhatsApp Engineers Fear Encryption Flaw Exposes User Data, Memo

Plus, SS7 vulnerabilities are being exploited and BreachForums is taken down again.

Thursday, May 23, 2024 14:00

Since the advent of products like the Tile and Apple AirTag, both used to keep track of easily lost items like wallets, keys and purses, bad actors and criminals have found ways to abuse them. 

These adversaries can range from criminals just looking to do something illegal for a range of reasons, but maybe just looking to steal a physical object, to just a jealous or suspicious spouse or partner who wants to keep tags on their significant other. 

Apple and other manufacturers who make these devices have since taken several steps to curb the abuse of these devices and make them more secure. Most recently, Google and Apple announced new alerts that would hit Android and iOS devices and alert users that their devices’ location is being connected to any location-tracking device.  

“With this new capability, users will now get an ‘\[Item\] Found Moving With You’ alert on their device if an unknown Bluetooth tracking device is seen moving with them over time, regardless of the platform the device is paired with,” Apple stated in its announcement. 

Companies Motorola, Jio and Eufy also announced that they would be adhering to these new standards and should release compliant products soon.  

Certainly, products like the AirTag and Samsung trackers that these companies have direct control over will now be more secure, and hopefully less ripe for abuse by a bad actor, but it’s far from a total solution to the problem that these types of products pose. 

As I’ve pointed out in the past with security cameras and any other range of internet-connected devices, online stores are filled with these types of products, promising to track users’ personal items with an app so they don’t lose common household items like their phones, wallets and keys.  

Amazon has countless listings under “location tag” for a range of AirTag-like products made by unknown manufacturers. Some of these products are slim enough to fit right into the credit card pocket of a wallet or purse,  and others are smaller than the average AirTag and even advertise that they can remain hidden inside a car.  

I admittedly haven’t been able to dive into these individual devices, but some of them come with their own third-party apps, which come with their own set of security caveats and completely take it out of platform developers’ hands.  

There are also other “find my device”-type services that pose additional security concerns outside of just buying a small tag. Android’s new, enhanced “Find My Device” network is a crowdsourced solution to help users potentially find their lost devices, similar to iOS’ Find My network.  

The Find My Device network works by using other Android devices to silently relay the registered device’s approximate location, even if the device being searched for is offline or turned off. In the wrong hands, there are a range of ways that can be abused on its own.  

So, rather than relying on developers and manufacturers to make these services more secure, I have a few tips for how to use AirTag-like devices safely, if you really can’t come up with a better solution for not losing your keys. 

*   Check for suspicious tracking devices. On iOS, this means opening the “Find My” app and navigating to Items > Items Detected Near You. Any unfamiliar AirTags will be listed here. On Android, you can do the same thing by going to Settings > Safety & Emergency > Unknown Tracker Alerts > Scan Now. 
*   Remove yourself from any “Sharing Groups” unless it’s a trusted contact in your phone using the Find My app on iOS. 
*   If location tracking is your primary concern (especially for parents and their children) using the Find My app on iOS and Android is generally a more secure option than trusting a third-party app downloaded from the app store or relying on a Bluetooth connection.  
*   Manage individual apps’ settings to ensure only the services that \*really\* need to track your device’s physical location are using it. (Ex., you probably don’t need Facebook tracking that information.) 
*   Since AirTags are connected to your Apple ID, ensure that login is secured with multi-factor authentication (MFA) or using a passkey.  

**The one big thing **

Cisco recently developed and released a new feature to detect brand impersonation in emails when adversaries pretend to be a legitimate corporation. Threat actors employ a variety of techniques to embed brand logos within emails. One simple method involves inserting words associated with the brand into the HTML source of the email. New data from Talos found that popular brands like PayPal, Microsoft, NortonLifeLock and McAfee are among some of the most-impersonated brands in these types of phishing emails.  

**Why do I care? **

Brand impersonation could happen on many online platforms, including social media, websites, emails and mobile applications. This type of threat exploits the familiarity and legitimacy of popular brand logos to solicit sensitive information from victims. In the context of email security, brand impersonation is commonly observed in phishing emails. Threat actors want to deceive their victims into giving up their credentials or other sensitive information by abusing the popularity of well-known brands. 

**So now what? **

Well-known brands can protect themselves from this type of threat through asset protection as well. Domain names can be registered with various extensions to thwart threat actors attempting to use similar domains for malicious purposes. The other crucial step brands can take is to conceal their information from WHOIS records via privacy protection. And users who want to learn more about Cisco Secure Email Threat Defense's new brand impersonation detection tools can visit this site. 

**Top security headlines of the week **

**Adversaries have been quietly exploiting the backbone of cellular communications to track Americans’ location for years,** according to a U.S. Cybersecurity and Infrastructure Security Agency (CISA). The official broke ranks with their agency and reportedly shared this information with the Federal Communications Commission (FCC). The official said that attackers have used vulnerabilities in the SS7 protocol to steal location data, monitor voice and text messages, and deliver spyware. Other targets have received text messages containing fake news or disinformation. SS7 is the protocol used across the globe that routes text messages and calls to different devices but has often been a target for attackers. In the past, other vulnerabilities in SS7 have been used to gain access to telecommunications providers’ networks. In their written comments to the FCC, the official said that these vulnerabilities are the “tip of the proverbial iceberg” of SS7-related exploits used against U.S. citizens. (404 Media, The Economist) 

**The FBI once again seized the main site belonging to BreachForums,** a popular platform for buying and selling stolen personal information. Last year, international law enforcement agencies took down a previous version of the cybercrime site and arrested its administrator, but the new pages quickly emerged, using three different domains since the last disruption. American law enforcement agencies also took control of the forum’s official Telegram account, and a channel belonging to the newest BreachForums administrator, “Baphomet.” However, the FBI has yet to publicly state anything about the takedown or any potential arrests. BreachForums isn’t expected to be gone for long, as another admin named “ShinyHunters” claims the site will be back with a new Onion domain soon. ShinyHunters claims they’ve retried access to the seized clearnet domain for BreachForums, though they did not provide specific methods. BreachForums is infamous for being a site where attackers can buy and sell stolen data, offer their hacking services or share recent TTPs. (TechCruch, HackRead) 

**The U.S. Department of Justice charged three North Koreans with crimes related to impersonating others to obtain remote employment in the U.S., which in turn generated funding for North Korea’s military.** The three men, and another U.S. citizen, were charged with what the DOJ called “staggering fraud” in which they secured illicit work with several U.S. companies and government agencies using fraudulent identities from 60 real Americans. The U.S. citizen was allegedly placed laptops belonging to U.S. companies at various residences so the North Koreans could hide their true location. North Korean state-sponsored actors have used these types of tactics for years, often relying on social media networks like LinkedIn to fake their personal information and obtain jobs or steal sensitive information from companies. More than 300 companies may have been affected, with the perpetrators earning more than $6.8 million, most of which was used to “raise revenue for the North Korean government and its illicit nuclear program,” according to the DOJ. (ABC News, Bloomberg) 

**Can’t get enough Talos? **

*   Proactive Threat Hunting in Duo Data 
*   Talos Takes Ep. #184: Recapping RSA  
*   You have to look out for these hacks in 2024! 

**Upcoming events where you can find Talos **

**ISC2 SECURE Europe** **(May 29)** 

_Amsterdam, Netherlands_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will participate in a panel on “Using ECSF to Reduce the Cybersecurity Workforce and Skills Gap in the EU.” Karadzhova-Dangela participated in the creation of the EU cybersecurity framework, and will discuss how Cisco has used it for several of its internal initiatives as a way to recruit and hire new talent._  

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_ 

> _B_ill Largent from Talos' Strategic Communications team will be giving our annual "State of Cybersecurity" talk at Cisco Live on Tuesday, June 4 at 11 a.m. Pacific time. Jaeson Schultz from Talos Outreach will have a talk of his own on Thursday, June 6 at 8:30 a.m. Pacific, and there will be several Talos IR-specific lightning talks at the Cisco Secure booth throughout the conference.

**_AREA41_** **_(June 6 – 7)_** 

_Zurich, Switzerland_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** d529b406724e4db3defbaf15fcd216e66b9c999831e0b1f0c82899f7f8ef6ee1   
**MD5:** fb9e0617489f517dc47452e204572b4e   
**Typical Filename:** KMSAuto++.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent

Apple and Google are taking steps to curb the abuse of location-tracking devices — but what about others?

By Uzair Amir
Mathilda Studios Partners with Upland to Introduce Guntech 2.5 into Upland’s Web3 Gaming Platform with +10 Locations and…
This is a post from HackRead.com Read the original post: Guntech 2.5 to Launch in Upland’s Gaming Ecosystem

Mathilda Studios Partners with Upland to Introduce Guntech 2.5 into Upland’s Web3 Gaming Platform with +10 Locations and Legit NFTs.

Mathilda Studios, a visionary game development company specializing in blockchain technology and AI-driven gameplay, announces a new partnership with Upland, the largest mobile blockchain-powered gaming platform mapped to the real world.

Developed by Utopos Games, Guntech is a competitive shooter game. Guntech 2.5 leverages Upland’s developer APIs and no-code NFT minting features to interact with its blockchain-based economy and thriving gaming community. Guntech 2.5 is welcomed to Upland as the first ‘Gamer’s Game’ within its developer ecosystem.

****Bringing Guntech 2.5 to Upland:****

Showcasing a commitment to a cross-platform presence and ensuring a tailored experience for mobile users, Mathilda Studios and Utopos co-developed an exclusive new version of Guntech 2.5 for Upland.

The new version leverages the capabilities of iOS/iPadOS devices, offering intuitive controls and optimized performance to deliver an engaging gaming experience directly to Apple device users. An Android version will follow later this year.

****Technical Integration and Innovation:****

Today’s launch showcases Upland’s developer strategy, allowing web2 games to enjoy a blockchain-based ecosystem by using web2 APIs. The teams at Utopos and Mathilda Studios have leveraged the full scope of Upland’s development tools and features to ensure a user-friendly integration of Guntech 2.5 into the Upland platform.

Utilizing Upland’s Developer APIs, Guntech 2.5 will deliver a seamless experience for the platform’s players with identity and asset mapping, leaderboard features, in-game pass purchase using escrow containers, and connecting to its gamified NFT minting and economy.

Upland’s Preferred Developer Program (UDN Pro) offers its integration partners technical support, marketing assistance, and monetization opportunities, all designed to help developers succeed in the web3 space. The Program is tailored to connect developers with the global community in the metaverse, providing the necessary support for discoverability with its 3M users and liquidity within its open economy.

Guntech’s presence in the Upland platform will take the immersive shape of Dev Shops, where third-party applications build a physical presence in the metaverse through an NFT property correlating to a real-world address.

In its build-up to the launch, Guntech 2.5 have constructed their unique dev-shop structure in 10 cities across Upland. Upland community members were incentivized to help build the game’s presence in their respective digital communities by staking SPARK (soon to be launched as $SPARKLET).

The exclusive version of Guntech 2.5 for the Upland world also utilized Upland’s no-mint NFTs. Guntech participated in a closed beta for Legit NFT minting that will be revealed during Upland’s G-Week Live event in Vegas, on June 7th. The Legits will have in-game utility in Guntech. This marks a first in integrating a successful arcade action game with the interactive and economic features of Upland.

By harnessing features like Upland’s escrow service, tournament APIs, and the comprehensive support provided through the Preferred Developer Program, Mathilda Studios and Utopos have fully embraced the capabilities of Upland’s platform. This strategic use of Upland’s features has enabled a rich, interactive gaming experience that intertwines the thrill of arcade action with the economics of the metaverse.

This integration is a testament to the innovative spirit of all parties involved, setting a new standard for what is possible in the merging worlds of gaming and blockchain technology. As Guntech 2.5 makes its way into the Upland metaverse, both existing fans and new players can look forward to a unique and engaging experience that pushes the boundaries of traditional gaming.

****About Mathilda Studios:** **

Mathilda Studios is at the forefront of integrating cutting-edge technology with gaming. Known for creating engaging blockchain games that ensure true digital asset ownership and verifiable scarcity, Mathilda Studios is pioneering the next generation of gaming economies.

****About Utopos Games:** **

Founded by industry veteran Jani Penttinen, who has a storied history in game development with significant contributions at major companies like EA and Westwood Studios, Utopos Games has been instrumental in revitalizing classic games for the modern era, with Guntech 2.5 being a standout project.

****About Upland Inc.:** **

Unveiled in 2019, Upland is the leading mobile web3 gaming platform mapped to planet Earth with. Together with strategic alliances with FIFA, the NFLPA, Stock Car Pro Series, UNICEF, and others, Upland offers diverse activities, including virtual property trading, world-building, car racing, virtual shops, and rich, immersive social experiences.

Upland has a strong creator and developer focus with a platform that connects to both Web2 and Web3 applications. For more information, visit upland.me or download the mobile app on Google Play and Apple Store.

1.  What is Blockchain Gaming and its Play-to-Earn Model?
2.  The Advantages of a More Secure and Safer Blockchain
3.  How Will Blockchain Technology Revolutionize Logistics?
4.  Blockchain in Identity Management: Securing Personal Data
5.  Blockchain Networks Using API Security Data to Mitigate Web3 Threats

Guntech 2.5 to Launch in Upland’s Gaming Ecosystem

By Waqas
Unfading Sea Haze's modus operandi spans over five years, with evidence dating back to 2018, reveals Bitdefender Labs' investigation.
This is a post from HackRead.com Read the original post: New APT Group “Unfading Sea Haze” Hits Military Targets in South China Sea

The investigation, which involved analyzing multiple victims, primarily military and government targets, revealed a stealthy operation involving various generations of custom malware and phishing tactics. 

A recent investigation by Bitdefender Labs has uncovered the activities of a previously unknown cyber threat group, dubbed “Unfading Sea Haze.” This group has been actively targeting high-level organizations, particularly military and government entities, in countries surrounding the South China Sea. The scope and nature of their attacks suggest a potential alignment with Chinese interests in the region.

It is worth noting that the South China Sea nations typically refer to countries that border the South China Sea. These include China, Taiwan, the Philippines, Malaysia, Brunei, Indonesia, and Vietnam.

****A Journey Through Time: Unraveling the Past Activities****

The investigation spanned at least eight victims and traced the group’s activities back to 2018, revealing a complex digital archaeology. Unfading Sea Haze has repeatedly gained access to compromised systems, exploiting poor credential hygiene and inadequate patching practices. Their ability to remain invisible for over five years indicates a sophisticated and patient threat actor, likely backed by nation-state resources.

****Attribution: Clues Pointing to Chinese Cyber Ecosystem****

While a definitive attribution remains challenging, Bitdefender’s research provides suggestive clues. The group’s focus on South China Sea countries and the use of tools popular with Chinese actors, such as Gh0st RAT variants, hint at a connection to the Chinese cyber ecosystem.

Additionally, a specific technique resembling a feature found in the “funnyswitch” backdoor, linked to APT41, further strengthens this hypothesis.

Screenshot shows the malware extracting encrypted data from Google Chrome (Image credit: Bitdefender Labs)

****Anatomy of an Attack: Initial Compromise and Tactics****

Unfading Sea Haze’s tactics include spear-phishing emails with malicious archives, containing LNK files disguised as regular documents. These files execute malicious commands, providing the group with access to victim systems. They have also incorporated Remote Monitoring and Management (RMM) tools, such as ITarian RMM, into their arsenal, a deviation from typical nation-state actor tactics.

****Execution: A Sophisticated Malware Arsenal****

Unfading Sea Haze has developed a sophisticated and evolving malware arsenal. Initially, they relied on SilentGh0st, TranslucentGh0st, and SharpJSHandler, supported by Ps2dllLoader.

However, in 2023, they began deploying new components, such as msbuild.exe and C# payloads stored on remote SMB shares. They have also adopted modular and plugin-based variants, like FluffyGh0st, InsidiousGh0st, and EtherealGh0st, for improved evasion capabilities.

****Data Collection: Custom Tools and Manual Techniques****

The group’s primary objective appears to be espionage, as evidenced by their use of custom and off-the-shelf tools for data collection. They employ a custom keylogger, xkeylog, and a browser data stealer to capture sensitive information.

Additionally, they use manual techniques, such as archiving data with rar.exe and targeting messaging app data, demonstrating a targeted and flexible approach to data extraction.

Unfading Sea Haze initially used a custom tool, DustyExfilTool, for data exfiltration. However, they switched to the curl utility and FTP protocol in 2022. Their exfiltration tactics have evolved, with dynamic and randomly generated credentials, indicating a focus on improving operational security.

****Conclusion and Recommendations: A Layered Defense Strategy****

Unfading Sea Haze has showcased a sophisticated and flexible approach to cyberattacks. To mitigate the risks posed by this group and similar threat actors, organizations should adopt a multilayered defense strategy.

This includes robust vulnerability management, strong authentication, proper network segmentation, effective logging, and collaboration within the cybersecurity community. By staying vigilant and proactive, organizations can enhance their resilience against such sophisticated cyber threats.

For a comprehensive understanding of Unfading Sea Haze’s tactics and malware arsenal, refer to the full research paper (PDF) by Bitdefender Labs.

1.  China-Linked Spyware Found in Play Store Apps, 2m Downloads
2.  China’s insidious surveillance against Uyghurs with Android malware
3.  Muddling Meerkat Suspected of Espionage via Great Firewall of China
4.  Chinese Blackwood APT Deploys NSPX30 Backdoor in Cyberespionage
5.  Cyberattacks Surge 325% in Philippines Amid South China Sea Standoff

New APT Group “Unfading Sea Haze” Hits Military Targets in South China Sea

By Deeba Ahmed
Your Zoom meetings are now more secure than ever!
This is a post from HackRead.com Read the original post: Zoom Announces Advanced Encryption for Increased Meeting Security

Zoom Meetings now offer post-quantum end-to-end encryption, safeguarding your confidential conversations even from the potential threat of quantum computers. This technology ensures your data stays encrypted and inaccessible, keeping your meetings private and secure.

Zoom Video Communications has announced a significant upgrade to its security features, rolling out post-quantum end-to-end encryption (E2EE) for Zoom Meetings globally. This new layer of protection is designed to safeguard user data even from the potential threat of powerful quantum computers.

“As adversarial threats become more sophisticated, so does the need to safeguard user data,” Zoom said in a statement. “With the launch of post-quantum E2EE, we are doubling down on security and providing leading-edge features for users to help protect their data.”

****What is Post-Quantum End-to-End Encryption?****

Traditional encryption methods rely on complex mathematical problems that are difficult to solve with today’s computers. However, the development of quantum computers poses a potential challenge as they may be able to crack these codes much faster. Post-quantum cryptography utilizes algorithms specifically designed to remain secure even in the age of quantum computing.

Zoom’s post-quantum E2EE leverages the Kyber 768 algorithm, chosen by the National Institute of Standards and Technology (NIST) for its quantum-resistant properties. This ensures that the encryption keys used to scramble meeting content are resistant to decryption attempts, both now and in the foreseeable future.

****How Does it Work?****

When E2EE is enabled for a Zoom meeting, the meeting content, including audio, video, and screen sharing, is encrypted using the Kyber 768 algorithm. The encryption keys are generated and distributed solely amongst the meeting participants’ devices. This means that Zoom’s servers, or any third party for that matter, cannot access the decrypted content of the meeting.

****Benefits and Considerations****

Post-quantum E2EE offers enhanced security for highly confidential meetings. However, there are a few things to keep in mind:

*   **Meeting Compatibility:** To utilize post-quantum E2EE, all participants must be using Zoom desktop or mobile app versions 6.0.10 or higher. If some participants are on older versions, the meeting will default to the standard E2EE protocol.
*   **Free Account Verification:** For meeting hosts on free Zoom accounts, enabling E2EE requires phone number verification via SMS.

Nevertheless, Zoom’s implementation of post-quantum E2EE represents a significant step forward in securing online communication. By adopting quantum-resistant cryptography, Zoom is ensuring its users have access to a future-proof level of data protection.

1.  Staying home? Here are 5 best Java learning platforms
2.  Login details of verified Zoom accounts posted on Dark Web
3.  How to use Signal messenger face blur tool on Android & iOS
4.  8 tips to protect company data sent via home internet connections
5.  Signal, AI Generated Art Least, Amazon, Facebook Most Invasive Apps

Zoom Announces Advanced Encryption for Increased Meeting Security

This post explains how to remove additional users and accounts from your Android device

Some of our loyal readers may remember my little mishap when I was able to track my wife by accident after inadvertently adding myself to her phone as a user.

For exactly that reason we want to warn against sharing devices and at least show you how to remove other people’s accounts from your device.

The steps may be slightly different depending on your Android version, device type, and vendor, but most users should be able to follow these steps.

For the primary user:

*   Open **Settings**
*   Tap **System** > **Multiple users**.

_If you can’t find this setting, try searching your Settings app for users._

*   Tap the name of the user you want to remove.
*   Tap **Delete user** > **Delete**. If successful, the user will be removed from the list.
*   If you want to stay the only user, you can turn the **Multiple users** feature off.

If you’re not the primary user (you can’t delete the primary user):

*   Under **Multiple Users** tap **More** (three stacked dots).
*   Tap **Delete _\[username\]_ from this device**. Important: You can’t undo this.
*   The device will switch to the owner’s profile.

Note: Android devices allow two types of additional users:

*   **Secondary user:** This is any user added to the device other than the system user. Secondary users can be removed (either by themselves or by an admin user) and cannot impact other users on a device. These users can run in the background and continue to have network connectivity.
*   **Guest user:** Temporary secondary user. Guest users have an explicit option to quickly delete the guest user when its usefulness is over. There can be only one guest user at a time.

Another privacy issue can be caused by having additional accounts on the device. Accounts are contained within a user but are not linked to a particular user. The tracking issue I discussed was caused by adding one of my Google accounts to my wife’s phone.

To remove unwanted accounts:

*   Under **Settings**_,_ tap on **Accounts and Backups**
*   Then tap on **Manage Accounts**
*   Select the account you want to remove and you will see the option to do that.

If you’re having trouble finding any of these settings on your specific Android device, reach out through the comments and when we can, we’ll add as many specific instructions as possible to the post.

Tag

#android