Lonial Con discovered that the netfilter subsystem in the Linux kernel contained a memory leak when handling certain element flush operations. A local attacker could use this to expose sensitive information (kernel memory). Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel did not properly handle inactive elements in its PIPAPO data structure, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Various other issues were also addressed.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS  
-   Ubuntu 18.04 LTS  
-   Ubuntu 22.04 LTS

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel  
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems  
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems  
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems  
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems  
-   linux-ibm - Linux kernel for IBM cloud systems

Details

Lonial Con discovered that the netfilter subsystem in the Linux kernel  
contained a memory leak when handling certain element flush operations.  
A local attacker could use this to expose sensitive information (kernel  
memory). (CVE-2023-4569)

Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel  
did not properly handle inactive elements in its PIPAPO data structure,  
leading to a use-after-free vulnerability. A local attacker could use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2023-6817)

It was discovered that a race condition existed in the AppleTalk  
networking subsystem of the Linux kernel, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code.  
(CVE-2023-51781)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel  
did not properly check deactivated elements in certain situations,  
leading to a use-after-free vulnerability. A local attacker could use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2024-0193)

Lonial Con discovered that the netfilter subsystem in the Linux kernel  
did not properly handle element deactivation in certain cases, leading  
to a use-after-free vulnerability. A local attacker could use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2024-1085)

Notselwyn discovered that the netfilter subsystem in the Linux kernel  
did not properly handle verdict parameters in certain cases, leading to  
a use- after-free vulnerability. A local attacker could use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2024-1086)

In the Linux kernel, the following vulnerability has been resolved:   
net: qualcomm: rmnet: fix global oob in rmnet_policy The variable   
rmnet_link_ops assign a bigger maxtype which leads to a global out-of-  
bounds read when parsing the netlink attributes. (CVE-2024-26597)

Update instructions

The problem can be corrected by updating your kernel livepatch to the  
following versions:

Ubuntu 20.04 LTS  
    aws - 103.1  
    aws - 103.2  
    aws - 103.3  
    azure - 103.3  
    gcp - 103.2  
    gcp - 103.3  
    generic - 103.1  
    generic - 103.2  
    generic - 103.3  
    gke - 103.3  
    ibm - 103.2  
    lowlatency - 103.1  
    lowlatency - 103.2  
    lowlatency - 103.3

Ubuntu 18.04 LTS  
    aws - 103.3  
    azure - 103.3  
    gcp - 103.3  
    generic - 103.3  
    lowlatency - 103.3

Ubuntu 22.04 LTS  
    aws - 103.1  
    aws - 103.2  
    aws - 103.3  
    azure - 103.1  
    azure - 103.2  
    azure - 103.3  
    gcp - 103.1  
    gcp - 103.2  
    generic - 103.1  
    generic - 103.2  
    generic - 103.3  
    gke - 103.1  
    gke - 103.2  
    gke - 103.3  
    ibm - 103.1  
    ibm - 103.2  
    ibm - 103.3

Support Information

Livepatches for supported LTS kernels will receive upgrades for a period  
of up to 13 months after the build date of the kernel.

Livepatches for supported HWE kernels which are not based on an LTS  
kernel version will receive upgrades for a period of up to 9 months  
after the build date of the kernel, or until the end of support for that  
kernel’s non-LTS distro release version, whichever is sooner.

References

-   CVE-2023-4569  
-   CVE-2023-6817  
-   CVE-2023-51781  
-   CVE-2024-0193  
-   CVE-2024-1085  
-   CVE-2024-1086  
-   CVE-2024-26597

Kernel Live Patch Security Notice LSN-0103-1

USBs have something the newest, hottest attack techniques lack: the ability to bridge air gaps.

Source: Mohammad Aaref Barahouei via Alamy Stock Photo

Industrial cyberattackers are increasingly using removable media to penetrate operational technology (OT) networks, then leveraging the same old malware and vulnerabilities to make their mark.

For whatever reason, USB devices are a la mode again with some of the world's premier threat actors. Nowhere is this more evident than in the OT space where, according to Honeywell's "2024 USB Threat Report," attackers are "clearly" turning to USBs to get a foothold in industrial networks.

With that foothold, Honeywell reports, attackers are forgoing sophisticated exploitation techniques, zero-day vulnerabilities, or novel malware. Instead, they're leveraging old tools and bugs, plus the built-in capabilities of OT control systems to achieve their end goals.

**Why USBs?**

USBs have something that none of the newest, hottest attack techniques do: the ability to bridge air gaps.

True air gaps are physical separations between OT and IT networks designed to let no malicious attacks pass through. Some also use the term to describe other kinds of setups that distinguish IT and OT systems using access controls, segmentation, and the like. Air gaps are most often used in high-risk industries — think nuclear, military, financial services, etc. — where other means of demarcating IT and OT networks won't cut it.

"A lot of operational facilities are entirely air gapped," explains Matt Wiseman, director of OT product marketing at OPSWAT. "Those more modern approaches like email-based attack — something over the network — aren't really as effective when \[the OT systems\] are disconnected from the broader Internet. You need to be more creative, think outside the box. USBs and removable media are very interesting because they're the only threat you can pick up in your pocket and carry beyond that air gap."

Interestingly, the trend seems to have been born during COVID. In 2019, only 9% of USB-carried cyber threats to industry were actually designed for USBs. By 2022 — and consistently ever since — that number exceeded 50%.

Having crossed that air gap with a USB, attackers are opting for living-off-the-land tactics to perform data collection and exfiltration (observed in 36% of Honeywell's detected USB attacks), defense evasion (29%), and escalation privileges (18%), ultimately achieving persistence in the operational network.

Clearly novel and powerful malware and vulnerabilities are not the focus, as brand name tools of yesteryear such as BlackEnergy and Industroyer (aka CrashOverride) are still making rounds. The most common vulnerabilities exploited in such attacks — such as CVE-2010-2883 and CVE-2017-11882 — are equally dated. All of the most common CVEs listed in Honeywell's report have been known since at least 2018.

In most cases, the goal of these attacks is disruption or destruction. Around 80% of USB-based threats every year now are capable of causing disruptions to OT systems, including loss of visibility or control, or worse (ransomware, wipers, etc.).

**Defending Against USB Threats**

The good news for defenders is that with such antiquated threat vectors, fancy and expensive solutions aren't necessarily the solution. "You can always go with the fundamentals," Wiseman says, meaning strict USB policies and procedures.

At many organizations, he says, "You go back a number of years, there was an honor system. 'Hey, did you scan that?' Now you have technology that can check to make sure. If you plug something in, it's not going to work unless it has been scanned and checked by some type of formal security solution."

This technology often takes the form of a kiosk or "sanitation station" for scanning removable media, placed strategically at the exterior of a sensitive site in order to make sure no malicious ones make their way through. Sometimes those stations are paired with file transfer systems to ensure that no outside device ever actually has to cross the threshold of an industrial control floor.

"We're seeing more mature conversations now. What's our mobile program? What's the process for employees? What's the process for guests? How do we manage these devices? How do we view the activity that's occurring? And how do we ensure that we're ahead of it going forward?" he says. "There's definitely a massive realization of the threat that these devices can pose."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

To Damage OT Systems, Hackers Tap USBs, Old Bugs &amp; Malware

Verizon, AT&T, and T-Mobile USA are being fined for sharing location data. They plan to appeal the decision, which is the culmination of a four-year investigation into how carriers sold customer data to third parties.

Source: Wavebreak Media ltd via Alamy Stock Photo

The Federal Communications Commission (FCC) has fined the top US wireless carriers a collective $200 million for sharing access to customers' location information without consent, the culmination of an action proposed four years ago as authorities continue to grapple with how to reel in companies' handling of sensitive personal data. For carriers, who note that the fines are based on outdated programs that no longer exist, the action represents unsettled regulatory waters as requirements for handling customer data security and privacy in the modern era continue to shake out.

Specifically, the FCC fined Sprint and T-Mobile USA, which have merged since the investigation began, more than $12 million and $80 million, respectively; AT&T more than $57 million; and Verizon almost $47 million.

The agency proposed the fines in 2020 based on an investigation that started after reports that a Missouri sheriff consistently used a "location-finding service" operated by Securus, a company that provides and monitors telecommunications service in correctional facilities, to access the location information of the wireless carriers' customers without their consent between 2014 and 2017.

The case ultimately revealed that the four telecom providers had programs in place at the time that were selling customer-location data to two data-aggregation firms, who then resold access to this data to other entities.

"This action demonstrated the carriers offloading obligations to obtain customer consent onto downstream recipients of location information," which in many instances meant customers did not actually consent to releasing their data, according to an FCC press release (PDF) on the decision. For their part, the carriers say that the data was shared with the third parties in order to enable location-based safety services such as roadside assistance.

"Our communications providers have access to some of the most sensitive information about us," said FCC Chairwoman Jessica Rosenworcel in a statement on the fines. "These carriers failed to protect the information entrusted to them."

This is likely not the end of the fines: The commission also said that it plans to continue to resolve these types of older privacy cases regarding customer data, holding "all carriers accountable and making sure they fulfill their obligations to their customers as stewards of this most private data," she said.

**Wireless Cos Push Back on FCC Privacy Fines**

All of the carriers confirmed to Dark Reading that they will go to court to appeal the decision, which was based on a provision of the Communications Act of 1934 that requires US wireless carriers to take reasonable steps to safeguard specific customer data, such as location information.

Generally, the companies claim the action by the FCC is based on outdated scenarios at the telecom providers that have since been remedied, and they no longer allow third parties to access sensitive customer location-based data.

Verizon spokesman Rich Young says the order concerns an old program at Verizon that required customers to opt in and was shut down more than five years ago. The program "was intended to support services like roadside assistance and medical alerts," he tells Dark Reading, and Verizon shuttered it when the company discovered it was being used fraudulently.

"Verizon is deeply committed to protecting customer privacy," Young says. "Unfortunately, the  FCC's order gets it wrong on both the facts and the law, and we plan to appeal this decision."

For its part, T-Mobile USA gave Dark Reading a statement to much the same effect: "This industry-wide third-party aggregator location-based services program was discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection, and emergency response would not be disrupted. We take our responsibility to keep customer data secure very seriously and have always supported the FCC's commitment to protecting consumers, but this decision is wrong, and the fine is excessive. We intend to challenge it."

AT&T too plans to appeal the fines, which apply for a service that was discontinued in 2019.

"The FCC order lacks both legal and factual merit," a spokesperson says. "It unfairly holds us responsible for another company's violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company's failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged. We expect to appeal the order after conducting a legal review."

A spokesman for CTIA, a telecommunications industry trade association representing US carriers and resellers, also criticized the fines, citing a "broken enforcement process" on the part of the FCC that deserves examination by Congress.

"After touting the potential of location-based services to provide benefits like roadside assistance and emergency medical alerts, the FCC refused CTIA's request for guidance on how providers should run those programs, and is now penalizing providers for facilitating them," said CTIA senior vice president and chief communications officer Nick Ludlum, in a media statement.

**Carrier Uncertainly: Customer-Privacy Worries Persist**

Complaints that the FCC is behind the times may indeed be justified, as the commission is not known for moving quickly on clarifying how telecom and VoIP providers handle customer privacy.

For instance, it took the FCC 16 years to update how telecom and VoIP providers report data-breaches, issuing new rules in February of this year that they must notify customers whenever there's personally identifiable information (PII) involved in a cyber incident. The new rules — which also require carriers and service providers to report breaches to the FCC, the FBI, and the Secret Service within seven days of discovery — were the first since 2007 to be issued by the commission regarding data-breach notifications.

Meanwhile, the issue of customer privacy when it comes to carriers continues to be a worry, and the fines appear to demonstrate a heavy hand by the FCC in holding communications providers accountable when private customer data leaks. Abroad, other privacy troubles concerning how carriers handle customer data also are brewing.

For example, a huge swathe of telecom customers in Namibia recently were faced with losing their phone service if they didn't hand over sensitive biometric data to the country's premier telco, Mobile Telecommunications Ltd. The potential privacy threat occurred after a well-intentioned plan to combat mobile fraud and identity theft went astray.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Wireless Carriers Face $200M FCC Fine As Data Privacy Waters Roil

While other professions are making up ground, cybersecurity still lags behind in female representation, thanks to a lack of respect and inclusion.

Source: Valeriy Kachaev via Alamy Stock Photo

Right now, in 2024, at least three of every four cybersecurity professionals is male.

Cybersecurity is hardly the only male-dominated industry, but even in contrast to others — like law (53%), accounting (46%), and doctors of medicine (37%) — it lags behind.

According to new research from ISC2, women make up just 20% to 25% of the cybersecurity industry. And that figure, it noted, has remained relatively consistent for some years.

It stands out even more when compared with the racial makeup of the industry. While the majority of cyber pros over the age of 40 in the US, the UK, Canada, and Ireland are white, the majority under 40 are not. ISC2 found that over the past 12 months, a full two-thirds of new entrants to the industry from those countries have been non-white.

The takeaway? Cybersecurity is fixing its diversity problem, but only halfway.

**Gender Representation in Cyber, by the Numbers**

Just 4% of ISC2 survey respondents indicated that women make up a majority of their security teams. By contrast, 11% admitted they have no women on their teams at all.

There seems to be a mild networking effect at play, too. The average woman in security works with around 8% more women (30%) on average than men do (22%).

The problem is pretty much the same across industries, as the most-diverse sectors, like cloud services, automotive, and construction (all 28% female), don't far outpace the least-diverse (military and energy, each at 20%).

There are, however, some positive trends alongside the lagging ones.

Where only around 14% or 15% of cyber pros over age 40 are women, at least 25% under age 35 are (a relative improvement).

Most interestingly, the women who do make it into the cybersecurity field tend to rise up the corporate ladder at least as high as, if not higher than, their male counterparts. Women own executive titles at a similar clip to men. A greater percentage of them possess managerial-level roles, and a lesser percentage are ranked as individual contributors. And counterintuitive though it may sound, a greater percentage of women in security are involved in the hiring process than are men (33% to 24%).

That data, however, contrasts with other recent findings.

**The Root of the Problem: Exclusion**

In its "2023 State of Inclusion Benchmark in Cybersecurity" report, Women in Cybersecurity (WiCyS) tracked the ways in which women experience exclusion in the industry. "Respect" ranked as the worst issue on its list, but just behind respect was "career and growth opportunities."

"Women are experiencing a glass ceiling at around six years," reports Lynn Dohm, executive director at WiCyS. "You could imagine the journey for a woman in cybersecurity as they're advancing in their career, not necessarily getting the stretch assignments they're anticipating, perhaps their managers aren't taking initiative and identifying the trajectory of their career within the organization, they're getting passed up for promotions and experiencing that lack of respect with microaggressions, tokenism, comments. All of that leads up to the point where an individual would likely choose to step out of the career and move into other areas."

It's a self-fulfilling cycle: Too little female representation is leading more women to steer clear of security. As Dohm puts it: "Lack of diversity in the workforce is a symptom of the lack of inclusion."

Simply hiring more women doesn't solve the problem, either, since exclusion extends far deeper than any one person or organization can account for.

"The gender gap in cybersecurity begins long before women reach the workforce," explains Jessy McDermott, partner solution architect at Aqua Security. "I know firsthand as a former engineering student that this gap existed at the college level. For example, only four other women — out of an original 15, excluding myself — completed the engineering program alongside me at UMass Dartmouth. During those four years, I experienced an ongoing prejudice and doubt and saw how women were ultimately driven out of the field before they even graduated.

"This is only exacerbated as time goes on and women begin to see that careers in information technology or cybersecurity are 'male-dominated.' If you’re somehow able to get through college without being driven out of the field, you've just started the first leg of a never-ending journey. Ultimately, this can all lead to imposter syndrome, which myself and many female friends in the industry deal with. I have days where, even now, as a cybersecurity professional with years of experience under my belt, I still get challenged to show and, more importantly, prove my knowledge to others."

So, she adds, "I love how more companies are going out of their way to hire more women into the field, but to see a difference, women need internal support to feel confident and be successful in their roles."

**Non-Diversity Consequences to Companies**

Besides the obvious consequences for people, there are also consequences for uniformity for companies.

"When retention isn't there for female talent, it costs money, because it's pulling back out recruiting dollars. And it's also a reputational risk," Dohm notes.

"Broader than cybersecurity, there's a body of research that says the more perspectives you bring to the table, the better off you will be at problem solving," says Clar Rosso, CEO of ISC2. "In cybersecurity, which is a very complex, growing threat landscape, the more perspectives that we bring to the table to solve problems, the more likely we will be able to impact our cyber defense."

Dohm puts it tersely: "It's a security risk not having the diverse perspective that women bring to the cybersecurity workforce."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Cybersecurity Is Becoming More Diverse … Except by Gender

By Deeba Ahmed
New Android malware alert! Brokewell steals data, takes over devices & targets your bank. Learn how this sneaky malware works & what you can do to protect yourself. Stop Brokewell before it stops you!
This is a post from HackRead.com Read the original post: Fake Chrome Updates Hide Android Brokewell Malware Targeting Your Bank

Brokewell malware poses a new cybersecurity threat to your device and personal information. Unlike your typical data-stealing app, Brokewell takes it a step further by granting attackers near-complete control of your phone.

In their report, fraud risk firm ThreatFabric’s threat intelligence researchers shared details of a newly discovered Android banking malware dubbed Brokewell, which uses overlay attacks to capture user credentials and steal cookies.

Further probing revealed a repository called “Brokewell Cyber Labs,” created by an individual “Baron Samedit.”  This repository hosted the source code for the “Brokewell Android Loader,” a tool designed to bypass Android 13+ accessibility restrictions and widely used by cybercriminals.

Brokewell has previously been used in campaigns targeting “buy now, pay later” financial services like Klarna and in exploiting the Austrian digital authentication application, ID Austria.

****Fake Updates, Real Danger****

Brokewell hides behind a familiar facade – fake software updates. It typically masquerades as a critical update for Google Chrome, tricking users into downloading and installing it. Once installed, Brokewell unleashes its wrath as it isn’t just after your login credentials. It’s a comprehensive toolkit for conducting a wide-scale data theft. 

Fake Chrome browser update as seen by ThreatFabric

The trojan uses its own WebView to load a legitimate website and dumps session cookies after the victim completes the login process. Brokewell also has “accessibility logging” capabilities, capturing every event on the device, posing a threat to all installed applications.

****What Information is at Stake?****

Brokewell can steal a wide range of information, including call logs, text messages, and contact lists. Moreover, it looks for your financial apps and if found, it overlays fake login screens on top of legitimate banking apps, capturing your login details without you realizing it.

The most problematic part is that Brokewell grants attackers remote access to your device. It supports spyware functionalities, collecting device information, geolocation, and recording audio. After stealing credentials, the actors can initiate a Device Takeover attack using remote control capabilities.

****An Evolving Threat****

In their blog post, ThreatFabric researchers warned that althoughBrokewell is under active development, the malware’s creators are constantly adding new features to enhance its capabilities.

To protect yourself from Brokewell and other malicious software, download apps from the official Google Play Store only.  Be cautious of fake updates and always use a reputable security app. Staying updated on the latest Android security threats is crucial to protect your device.

****Experts’ Opinion****

Ray Kelly, Fellow from Synopsys Software Integrity Group shared their thoughts on Brokewell’s discovery with Hackread.com stating, _“_As a policy, users should never install apps outside of the Google and Apple stores as Malware often sneaks in through ‘side loading’ apps, especially on rooted or jailbroken devices from fake stores._“_

“What makes this instance different is that the malicious app sideloaded on non-rooted devices and bypassed Google’s security measures,” stressed Ray. _“_The key takeaway is don’t fall for web popups prompting app updates; always rely on the Play Store for updates to safeguard against such threats._“_

1.  Android TV Boxes Infected with Backdoors
2.  SpyNote Android Spyware Poses as Legit Crypto Wallets
3.  Fake YouTube Android Apps Used to Distribute CapraRAT
4.  Xamalicious Backdoor Infects 25 Apps, Affects 327K Devices
5.  Android Malware FjordPhantom Steals Funds Via Virtualization

Fake Chrome Updates Hide Android Brokewell Malware Targeting Your Bank

A ban on weapons of mass destruction in orbit has stood since 1967. Russia apparently has other ideas.

Russia vetoed a United Nations Security Council resolution Wednesday that would have reaffirmed a nearly 50-year-old ban on placing weapons of mass destruction into orbit, two months after reports Russia has plans to do just that.

Russia's vote against the resolution was no surprise. As one of the five permanent members of the Security Council, Russia has veto power over any resolution that comes before the body. China abstained from the vote, and 13 other members of the Security Council voted in favor of the resolution.

If it passed, the resolution would have affirmed a binding obligation in Article IV of the 1967 Outer Space Treaty, which says nations are "not to place in orbit around the Earth any objects carrying nuclear weapons or any other kinds of weapons of mass destruction."

**Going Nuclear**

Russia is one of 115 parties to the Outer Space Treaty. The Security Council vote Wednesday follows reports in February that Russia is developing a nuclear anti-satellite weapon.

"The United States assesses that Russia is developing a new satellite carrying a nuclear device," said Jake Sullivan, President Biden's national security advisor. "We have heard President Putin say publicly that Russia has no intention of deploying nuclear weapons in space. If that were the case, Russia would not have vetoed this resolution."

The United States and Japan proposed the joint resolution, which also called on nations not to develop nuclear weapons or any other weapons of mass destruction designed to be placed into orbit around the Earth. In a statement, US and Japanese diplomats highlighted the danger of a nuclear detonation in space. Such an event would have "grave implications for sustainable development, and other aspects of international peace and security," US officials said in a press release.

With its abstention from the vote, "China has shown that it would rather defend Russia as its junior partner, than safeguard the global nonproliferation regime," said Linda Thomas-Greenfield, the US ambassador to the UN.

US government officials have not offered details about the exact nature of the anti-satellite weapon they say Russia is developing. A nuclear explosion in orbit would destroy numerous satellites—from many countries—and endanger astronauts. Space debris created from a nuclear detonation could clutter orbital traffic lanes needed for future spacecraft.

The Soviet Union launched more than 30 military satellites powered by nuclear reactors. Russia's military space program languished in the first couple of decades after the fall of the Soviet Union, and US intelligence officials say it still lags behind the capabilities possessed by the US Space Force and the Chinese military.

Russia's military funding has largely gone toward the war in Ukraine for the last two years, but Putin and other top Russian officials have raised threats of nuclear force and attacks on space assets against adversaries. Russia's military launched a cyberattack against a commercial satellite communications network when it invaded Ukraine in 2022.

Russia has long had an appetite for anti-satellite (ASAT) weapons. The Soviet Union experimented with "co-orbital" ASATs in the 1960s and 1970s. When deployed, these co-orbital ASATs would have attacked enemy satellites by approaching them and detonating explosives or using a grappling arm to move the target out of orbit.

In 1987, the Soviet Union launched an experimental weapons platform into orbit to test laser technologies that could be used against enemy satellites. Russia shot down one of its own satellites in 2021 in a widely condemned "direct ascent" ASAT test. This Russian direct ascent ASAT test followed demonstrations of similar capability by China, the United States, and India. Russia's military has also demonstrated satellites over the last decade that could grapple onto an adversary's spacecraft in orbit, or fire a projectile to take out an enemy satellite.

These ASAT capabilities could destroy or disable one enemy satellite at a time. The US Space Force is getting around this threat by launching large constellations of small satellites to augment the military's much larger legacy communications, surveillance, and missile warning spacecraft. A nuclear ASAT weapon could threaten an entire constellation or render some of space inaccessible due to space debris.

Russia's ambassador to the UN, Vasily Nebenzya, called this week's UN resolution "an unscrupulous play of the United States" and a "cynical forgery and deception." Russia and China proposed an amendment to the resolution that would have banned all weapons in space. This amendment got the support of about half of the Security Council but did not pass.

Outside the 15-member Security Council, the original resolution proposed by the United States and Japan won the support of more than 60 nations as co-sponsors.

"Regrettably, one permanent member decided to silence the critical message we wanted to send to the present and future people of the world: Outer space must remain a domain of peace, free of weapons of mass destruction, including nuclear weapons," said Kazuyuki Yamazaki, Japan's ambassador to the UN.

_This story originally appeared on_ _Ars Technica._

Russia Vetoed a UN Resolution to Ban Space Nukes

By Waqas
The official website of Samourai Wallet has been seized, while its official app on the Apple Store and Google Play has been removed.
This is a post from HackRead.com Read the original post: Feds Bust Privacy-Centric Samourai Wallet Over BTC Money Laundering

The United States has taken down the popular “privacy-focused” Bitcoin wallet Samourai, arresting founders and accusing them of laundering $2 billion in crypto, including dark web funds.

The US Department of Justice has arrested the founders of Samourai Wallet, a popular Bitcoin wallet marketed for its strong privacy features. Keonne Rodriguez and William Lonergan Hill now face charges of conspiracy to commit money laundering and operating an unlicensed money transmitting business.

The seized website of the Samourai Wallet (Screenshot: Hackread.com)

Samourai Wallet, known for its “Whirlpool” and “Ricochet” anonymization tools, had long attracted users seeking enhanced privacy for their Bitcoin transactions. However, the DOJ alleges that this cover of secrecy facilitated a staggering amount of illicit activity.

According to the indictment, Samourai allegedly processed over $2 billion in transactions, with at least $100 million originating from illegal dark web marketplaces like Silk Road and Hydra Market.

“For almost 10 years, Keonne Rodriguez and William Hill allegedly operated a mobile cryptocurrency mixing platform which provided other criminals a virtual haven for the clandestine exchange of illicit funds, the facilitation of more than $2 billion in illegal transactions, and $100 million in dark web money laundering,” stated FBI Assistant Director in Charge James Smith. “The FBI is committed to exposing covert financial schemes and ensuring no one can hide behind a screen to perpetuate financial wrongdoing.”

The indictment further accuses Rodriguez and Hill of profiting from these alleged illegal transactions. Samourai allegedly generated millions in fees through its services, raising questions about the company’s true mission.

The takedown of Samourai Wallet has sent shivers down the spines of privacy-focused crypto enthusiasts. Some argue that the ability to conduct anonymous transactions is a core principle of cryptocurrency, essential for protecting users from financial surveillance. Others, however, see the case as validating concerns that criminals can exploit anonymity tools.

The outcome of this case is likely to have a lasting impact on the cryptocurrency industry. It could lead to increased scrutiny of privacy-focused technologies and potentially stricter regulations for cryptocurrency exchanges and wallets.

In the meantime, Samourai Wallet’s website has been seized, and their mobile application is expected to be removed from app stores. Whether Rodriguez and Hill will be found guilty remains to be seen, their arrest goes on to show the the potential consequences for those who operate in the restricted areas of cryptocurrency and anonymity.

1.  Crypto tumbler BestMixer.io seized for money laundering
2.  New Dark Web Market Styx: Focuses on Money Laundering
3.  Android Money Transfer XHelper App was Laundering Money
4.  DeepDotWeb admin pleads guilty to money laundering, kickbacks
5.  2 Russians charged in Mt. Gox Bitcoin heist, BTC-e money laundering
6.  US Blacklists Tornado Cash, GitHub Removes Co-Founder in Response

Feds Bust Privacy-Centric Samourai Wallet Over BTC Money Laundering

Hackers can influence voters with media and breach campaigns, or try tampering with votes. Or they can combine these tactics to even greater effect.

Source: Lennart Worthmann via Alamy Stock Photo

If history has anything to tell us, the most significant cyber threat to this year's elections won't be a leak, a distributed denial-of-service (DDoS) attack, or a fake news video. Instead, it will be some combination of these or more.

In cyberspace's salad days, hackers caused all kinds of fuss using simple, direct methods: hiding viruses in advertisements, hacking websites with easily guessed passwords, and so on. While that still happens, attackers often have to get more creative by chaining multiple tactics together in order to achieve their goals, thanks to greater cybersecurity awareness and protections.

So too with elections. In 2006, aides to Joe Lieberman's presidential campaign had to resort to their personal emails when a DoS attack froze their IT systems. A decade later, famously, came the Podesta email leak. Now, according to Mandiant, part of Google Cloud, the most potent threats to the democratic process are chained attacks.

"In the most significant cyber incidents targeting elections that Mandiant has tracked, threat actors have deliberately layered multiple tactics in hybrid operations in such a way that the effect of each component magnifies the others," the firm wrote in a new report.

**Combination Election Attacks**

One case study Mandiant pointed to occurred in 2014 when Ukraine's presidential elections were interrupted by a Russian cyber onslaught, following the ouster of its pro-Russian president Viktor Yanukovich, and Russia's invasion of Crimea.

A week before election day, Russian actors hiding behind the hacktivist moniker "Cyber Berkut" struck websites relating to NATO and Ukrainian media outlets with DDoS attacks. That set the stage for when, with four days to go, the same fake hacktivist group broke into the country's central election computers and deleted files and rendered the vote tallying system inoperable.

A day later, they added to the chaos by breaking more election infrastructure, then leaking the emails and documents stored there to the wider Internet. Lastly, just 40 minutes before election results were to be broadcast to the public, the country's Central Election Commission reportedly removed some kind of virus that was designed to present fake results in favor of the far-right, ultra-nationalist candidate.

This extreme brand of combination cyber warfare might have only happened in a country experiencing such upheaval, but other chained cyberattacks have struck more-stable democracies since.

In 2020, two 20-something Iranian nationals carried out a campaign against multiple US states' voting-related websites. They managed to obtain confidential voter information from at least one of them, which they used to send intimidating and misleading emails, including by spreading a video with disinformation about election infrastructure vulnerabilities. They also breached one media company, which, as the Department of Justice noted, could have provided them another channel through which to disseminate their false claims.

"Leaks are particularly powerful. Potentially more powerful when boosted through the compromise of legitimate media," says John Hultquist, chief analyst with Mandiant Intelligence at Google Cloud.

The breach/fake news ploy is a potent concoction. "These disinformation efforts are often orchestrated by state-backed entities from nations such as China, Russia, and Iran," warns Madison Horn, herself a 2024 candidate running for a congressional seat in Oklahoma's 5th district. "Their impact is undeniable, as seen in instances like Russia’s involvement in the 2016 US election and China’s ongoing global influence operations, which starkly demonstrate their capacity to sway public opinion and disrupt electoral integrity."

**The Threat From Cybercrime**

It's not only state-sponsored actors that pose a threat to the democratic process, Mandiant noted. Insiders, hacktivists, and cybercriminals all muddy the waters in their own ways.

In most cases, "The avenues for these campaigns are popular social media platforms — X, Telegram, Facebook — and YouTube, making the digital battlefield as accessible as it is dangerous," Horn warns.

From January 2023 to March 2024, the cybersecurity firm BrandShield tracked suspicious new social media accounts and web domains relating to Joe Biden's and Donald Trump's presidential campaigns. It found hundreds of imposter accounts across social media sites, as well as 2,335 suspect websites claiming some sort of affiliation with the president and 9,639 for the former president (helped by a 197% boost following his arrest in August).

Fake Trump site. Source: BrandShield

Fake sites and accounts are useful for spreading scams or malware and for stealing funds that voters intended to go to candidates, or they can be used in concert with other tactics to achieve greater ends.

"They can be used to get people's information, and maybe try to influence their views by distributing fake news," says BrandShield CEO Yoav Keren, formerly an adviser in the Israeli Knesset. "I would even think that they can use these platforms to interact with real people from the campaigns, to infiltrate their systems. These impersonations can be used in a lot of different ways."

"I don't want to give too many good ideas to the bad guys," he says, "but they usually come up with them before I do."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

The Biggest 2024 Elections Threat: Kitchen-Sink Attack Chains

Mobile malware-as-a-service operators are upping their game by automatically churning out hundreds of unique samples on a whim.

Source: Wodthikorn Phutthasatchathum via Alamy Stock Photo

North of 1,000 samples of the Godfather mobile banking Trojan are circulating in dozens of countries worldwide, targeting hundreds of banking apps.

First discovered in 2022, Godfather — which can record screens and keystrokes, intercepts two-factor authentication (2FA) calls and texts, initiates bank transfers, and more — has quickly become one of the most widespread malware-as-a-service offerings in cybercrime, especially mobile cybercrime. According to Zimperium's 2023 "Mobile Banking Heists Report," as of late last year, Godfather was targeting 237 banking apps spread across 57 countries. Its affiliates exfiltrated stolen financial information to at least nine countries, primarily in Europe and including the US.

All that success drew attention, so, to prevent security software from spoiling the party, Godfather's developers have been automatically generating new samples for their customers at a near industrial scale.

Other mobile malware developers across the spectrum have started doing the same thing. "What we're seeing is that malware campaigns are starting to get bigger and bigger," warns Nico Chiaraviglio, chief scientist at Zimperium, who will host a session on this and other mobile malware trends at RSAC in May.

Besides Godfather and other known families, Chiaraviglio is tracking an even bigger, still-under-wraps mobile malware family with more than 100,000 unique samples in the wild. "So that's crazy," he says. "We haven't seen that number of samples in a single malware before, ever. This is definitely a trend."

**Banking Trojans Spawn Hundreds of Samples**

Mobile security is already lagging far behind security for desktops. "In the '90s, no one was really using antivirus on desktop computers, and that's kind of where we are now. Today, only one of four users are really using some sort of mobile protection. Twenty-five percent of devices are completely unprotected, compared with desktop, at 85%," Chiaraviglio laments.

Mobile threats, meanwhile, are leveling up fast. One way they're doing so is by generating so many different iterations that antivirus programs — which profile malware by their unique signatures — have trouble correlating one infection with the next.

Consider that at the time of its initial discovery in 2022, according to Chiaraviglio, there were fewer than 10 samples of Godfather in the wild. By the end of last year, that number had risen a hundredfold.

Its developers have clearly been autogenerating unique samples for customers to help them avoid detection. "They could just be scripting everything — that would be a way to automate it. Another way would be to use large language models, as code assistance can really speed up the development process," Chiaraviglio says.

Other banking Trojan developers have followed the same approach, if at a lesser scale. In December, Zimperium tallied 498 samples of Godfather's close competitor, Nexus, 300 samples of Saderat, and 123 of PixPirate.

**Can Security Software Keep Up?**

Security solutions that tag malware by signature will find difficulty keeping track of hundreds and thousands of samples per family.

"Maybe there is a lot of code reuse between different samples," Chiaraviglio says, something he suggests adaptive solutions can use to correlate related malware with different signatures. Alternatively, instead of the code itself, defenders can use artificial intelligence (AI) to focus on the behaviors of the malware. With a model that can do that, Chiaraviglio says, "it doesn't really matter how much you change the code or the way the application looks, we will still be able to detect it."

But, he admits, "at the same time, this is always a race. We do something \[to adjust\], then the attacker does something to evolve to our predictions. \[For example\], they can ask \[a large language model\] to mutate their code as much as it can. This would be the realm of polymorphic malware, which is not something that happens a lot on mobile, but we might start seeing way more of that."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Godfather Banking Trojan Spawns 1.2K Samples Across 57 Countries

Plus, new details emerge on the Scattered Spider cybercrime network and ArcaneDoor.

Thursday, April 25, 2024 14:00

I wrote last week about the problems arising from the massive backlog of vulnerabilities at the U.S. National Vulnerability Database.  

Thousands of CVEs are still without analysis data, and the once-reliable database of every single vulnerability that’s disclosed and/or patched is now so far behind, it could take up to 100 days for the National Institute of Standards and Technology (NIST) to catch up, and that would be assuming no new vulnerabilities are disclosed during that period. 

While the U.S. government and NIST try to sort out a potential solution, and hopefully await more funding and restructuring, NIST says it’s hoping to launch a consortium to help either rebuild the NVD or create a replacement.  

Other security experts have floated the idea of other companies or organizations creating a brand-new solution of their own. The main problem with that is, what’s in it for them?  

What works about the NVD is that it’s funded by the U.S. government, so the money is always coming in to help fund the workforce and at least gives MITRE and the other private companies who contribute to the NVD motivation to keep working on it. 

To start up a whole new database of \*every\* CVE out there would take countless man-hours, and then what at the end? Would the company or person(s) who created it start charging for access? 

Several open-source solutions have_man-hours_ popped up over the past few weeks, such as “NVD Data Overrides,” which “is meant to provide additional data that is currently missing from NVD.” However, these types of volunteer projects still can’t assign CVSS scores, because only the NVD is authorized to hand out official NVD CVSS scores. 

This brings up another problem for private companies that may want to develop a solution: Do they want to play referee?  

Sometimes, when there’s a disagreement on how severe a vulnerability is and what severity score to assign it, the NVD will weigh in and provide their own, independently calculated CVSS score. Who really wants to be the “bad guy” to get between a massive tech company like Microsoft or Apple and a security researcher saying a vulnerability is a 9.5 out of 10 CVSS? 

I absolutely give major credit to any volunteers or open-source developers who are working on their own solutions for essentially nothing — but how long can we expect them to keep maintaining these databases? 

Unfortunately, I don’t have a great answer for this, either. I’m far from an expert on vulnerability management, nor do I have any connections to the federal government. But I do feel the onus is on the government to come up with a solution, and potentially provide incentives for companies and researchers to participate in this new proposed consortium because I don’t see the incentives there for the private sector to come up with their own solution.  

**The one big thing **

ArcaneDoor is a new campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Talos and Cisco PSIRT recently identified a previously unknown actor, now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center. This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor. UAT4356 deployed two backdoors as components of this campaign, “Line Runner” and “Line Dancer,” which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.   

**Why do I care? **

Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications. In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations — critical infrastructure entities that are likely strategic targets of interest for many foreign governments. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective. 

**So now what? **

There are some known indicators of compromise that customers can look for if they suspect they may have been targeted in this campaign. First, organizations should look for any flows to/from ASA devices to any of the IP addresses present in the IOC list provided at the bottom of this blog. This is one indication that further investigation is necessary. Potential targets can also follow the steps detailed in the Cisco ASA Forensic Investigation Procedures for First Responders. When following these procedures, first responders should NOT attempt to collect a core dump or reboot the device if they believe that the device has been compromised, based on the lina memory region output. Talos also released some Snort signatures to detect the activity on the wire including access attempts. Snort Signatures 63139, 62949 and 45575 have been released to detect the implants or associated behaviors. 

**Top security headlines of the week **

**A previously known Windows print spooler bug is still being actively exploited, according to Microsoft.** The company’s threat research team recently disclosed that APT28, a well-known Russian state-sponsored actor, is exploiting the vulnerability to deliver a previously unknown malware called “GooseEgg.” Microsoft disclosed and patched CVE-2022-38028 in October 2022, but APT28 may have been exploiting it as far back as 2020. The actor’s exploitation involved modifying a JavaScript constraints file in the printer spooler and executing it with SYSTEM-level permissions. The new research prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2022-38028 to its Known Exploited Vulnerabilities (KEV) catalog. If installed, GooseEgg can load other applications with System-level permissions and allow the adversary to execute remote code on the targeted device or deploy other backdoors. Another set of print spooler vulnerabilities, called PrintNightmare, made headlines in July 2021, though no one reported active exploitation of that vulnerability at the time. (SC Magazine, Security Week) 

**A new investigation revealed how members of the group Scattered Spider are partnering with Russian state-sponsored actors to carry out ransomware attacks.** Scattered Spider is made up of younger individuals based out of the U.S., U.K. and Canada. They are primarily English speakers who have been blamed for several notable ransomware attacks, including one against MGM Casinos that disrupted operations at several casinos and hotels last year. The group specializes in social engineering, more recently using LinkedIn to steal employee information and use that to infiltrate corporate networks. Members, some as young as teenagers, are connecting over the dark web and online forums like Discord and use their advanced knowledge of Western civilization to provide crucial details to Russian actors. The “60 Minutes” investigation also included new details about The Community (aka “The Comm,” the online collection of hackers who like to brag about their recent cybercrimes, often through Telegram. (CBS News) 

**The U.S. government has re-upped a law that expands government surveillance by opening the door for private companies to partner with the government on these types of activities.** The controversial Foreign Intelligence Surveillance Act (FISA) was re-approved just hours after it lapsed. The White House and proponents in U.S. Congress argued that the powers granted in Section 702 of the FISA helps prevent the spread of terrorism and cyber attacks and that any lapse in those powers would harm the government’s ability to gather crucial intelligence. However, privacy advocates say that the FISA is an overreach, and provides too much power for private companies to potentially spy on consumers. The bill also includes a new definition of “electronic communications service provider,” which could allow the U.S. government to force Big Tech companies and telecommunications providers to hand over users’ data if requested. (NBC News, TechCrunch) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #180: What are the dangers of enabling sideloading and third-party apps? 
*   Suspected CoralRaider continues to expand victimology using three information stealers 
*   Brute-force attacks surge worldwide, warns Cisco Talos    
*   Cisco Warns of Massive Surge in Password-Spraying Attacks on VPNs 
*   Rare Computer Virus Detected in Ukrainian Network, Confidential Document Potentially Compromised 

**Upcoming events where you can find Talos **

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**Most prevalent malware files from Talos telemetry over the past week **

_This section will be on a brief hiatus while we work through some technical difficulties._ _Several open-source solutions have_

Tag

#apple