Meta has suspended the use of generative artificial intelligence (GenAI) in Brazil after the country's data protection authority issued a preliminary ban objecting to its new privacy policy.
The development was first reported by news agency Reuters.
The company said it has decided to suspend the tools while it is in talks with Brazil's National Data Protection Authority (ANPD) to address the

Artificial Intelligence / Data Protection

Meta has suspended the use of generative artificial intelligence (GenAI) in Brazil after the country's data protection authority issued a preliminary ban objecting to its new privacy policy.

The development was first reported by news agency Reuters.

The company said it has decided to suspend the tools while it is in talks with Brazil's National Data Protection Authority (ANPD) to address the agency's concerns over its use of GenAI technology.

Earlier this month, ANPD halted with immediate effect the social media giant's new privacy policy that granted the company access to users' personal data to train its GenAI systems.

The decision stems from "the imminent risk of serious and irreparable damage or difficult-to-repair damage to the fundamental rights of the affected data subjects," the agency said.

It further set a daily fine of 50,000 reais (about $9,100 as of July 18) in case of non-compliance. Last week, it gave Meta "five more days to prove compliance with the decision."

In response, Meta said it was "disappointed" by ANPD's decision and that the move constitutes "a step backwards for innovation, competition in AI development and further delays bringing the benefits of AI to people in Brazil."

The use of personal data to train AI systems without their express consent or knowledge has raised privacy concerns, forcing U.S.-based tech giants to pause the rollout of their tools in regions with stricter data privacy laws, such as the European Union.

The Human Rights Watch reported in June how personal photos of Brazilian children have found their way to image caption datasets like LAION-5B, exposing them to further exploitation and harm through the facilitation of malicious deepfakes.

Apple, which announced a new AI system called Apple Intelligence last month, has said it won't be bringing the features to Europe this year due to the prevailing regulatory concerns arising from the Digital Markets Act (DMA).

"We are concerned that the interoperability requirements of the DMA could force us to compromise the integrity of our products in ways that risk user privacy and data security," Apple was quoted as saying to The Wall Street Journal.

Meta has since confirmed to Axios that it will also be withholding its upcoming multimodal AI models from customers in the region because of the "unpredictable nature of the European regulatory environment."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Meta Halts AI Use in Brazil Following Data Protection Authority's Ban

Cybersecurity researchers have discovered an updated variant of a known stealer malware that attackers affiliated with the Democratic People's Republic of Korea (DPRK) have delivered as part of prior cyber espionage campaigns targeting job seekers.
The artifact in question is an Apple macOS disk image (DMG) file named "MiroTalk.dmg" that mimics the legitimate video call service of the same name,

Cybersecurity researchers have discovered an updated variant of a known stealer malware that attackers affiliated with the Democratic People's Republic of Korea (DPRK) have delivered as part of prior cyber espionage campaigns targeting job seekers.

The artifact in question is an Apple macOS disk image (DMG) file named "MiroTalk.dmg" that mimics the legitimate video call service of the same name, but, in reality, serves as a conduit to deliver a native version of BeaverTail, security researcher Patrick Wardle said.

BeaverTail refers to a JavaScript stealer malware that was first documented by Palo Alto Networks Unit 42 in November 2023 as part of a campaign dubbed Contagious Interview that aims to infect software developers with malware through a supposed job interview process. Securonix is tracking the same activity under the moniker DEV#POPPER.

Besides siphoning sensitive information from web browsers and crypto wallets, the malware is capable of delivering additional payloads like InvisibleFerret, a Python backdoor that's responsible for downloading AnyDesk for persistent remote access.

While BeaverTail has been distributed via bogus npm packages hosted on GitHub and the npm package registry, the latest findings mark a shift in the distribution vector.

"If I had to guess, the DPRK hackers likely approached their potential victims, requesting that they join a hiring meeting, by downloading and executing the (infected version of) MiroTalk hosted on mirotalk\[.\]net," Wardle said.

An analysis of the unsigned DMG file reveals that it facilitates the theft of data from web browsers like Google Chrome, Brave, and Opera, cryptocurrency wallets, and iCloud Keychain. Furthermore, it's designed to download and execute additional Python scripts from a remote server (i.e., InvisibleFerret).

"The North Korean hackers are a wily bunch and are quite adept at hacking macOS targets, even though their technique often rely on social engineering (and thus from a technical point of view are rather unimpressive)," Wardle said.

The disclosure comes as Phylum uncovered a new malicious npm package named call-blockflow that's virtually identical to the legitimate call-bind but incorporates complex functionality to download a remote binary file while taking painstaking efforts to fly under the radar.

"In this attack, while the call-bind package has not been compromised, the weaponized call-blockflow package copies all the trust and legitimacy of the original to bolster the attack's success," it said in a statement shared with The Hacker News.

The package, suspected to be the work of the North Korea-linked Lazarus Group and unpublished about an hour and a half later after it was uploaded to npm, attracted a total of 18 downloads. Evidence suggests that the activity, comprising over three dozen malicious packages, has been underway in waves since September 2023.

"These packages, once installed, would download a remote file, decrypt it, execute an exported function from it, and then meticulously cover their tracks by deleting and renaming files," the software supply chain security company said. "This left the package directory in a seemingly benign state after installation."

It also follows an advisory from JPCERT/CC, warning of cyber attacks orchestrated by the North Korean Kimsuky actor targeting Japanese organizations.

The infection process starts with phishing messages impersonating security and diplomatic organizations, and contain a malicious executable that, upon opening, leads to the download of a Visual Basic Script (VBS), which, in turn, retrieves a PowerShell script to harvest user account, system and network information as well as enumerate files and processes.

The collected information is then exfiltrated to a command-and-control (C2) server, which responds back with a second VBS file that's then executed to fetch and run a PowerShell-based keylogger named InfoKey.

"Although there have been few reports of attack activities by Kimsuky targeting organizations in Japan, there is a possibility that Japan is also being actively targeted," JPCERT/CC said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Update BeaverTail Malware to Target MacOS Users

Russian threat actor FIN7 has shifted gears multiple times in recent years, focusing now on helping ransomware groups be even more covertly effective.

Source: AVC Photography via Alamy Stock Photo

A widespread cybercrime tool designed to tamper with security solutions has been upgraded, with a new method for killing the protected Windows processes that endpoint detection and response (EDR) tools rely on.

"AuKill," developed by the notorious FIN7 cybercrime collective (aka Carbanak, Carbon Spider, Cobalt Group, Navigator Group), is a program specifically designed to undermine endpoint security. It employs more than 10 different user and kernel mode techniques to that end, like sandboxing protected processes and leveraging fundamental Windows APIs like Restart Manager and Service Control Manager.

A new report from SentinelOne describes how AuKill is becoming increasingly popular among cybercrime actors, particularly high-level ransomware groups. And to keep it one step ahead of defenders, FIN7 has iterated on it with a new technique for throwing certain protected processes into a denial-of-service (DoS) condition.

**Born to AuKill**

FIN7, a largely Russian-Ukrainian operation, was carrying out financially motivated cyber campaigns across industries as far back as 2012. At the time, its specialty was point-of-sale (PoS) malware, then a trend.

As cybercrime moved from credit card theft to ransomware, FIN7 moved with it. It launched its own ransomware-as-a-service (RaaS) projects: first Darkside and then, after its run-ins with Uncle Sam, BlackMatter. It also began to affiliate with other major ransomware groups, like the leading Conti and REvil.

In April 2022, FIN7 began development on the anti-security tool now known as AuKill. Using various pseudonyms, it began to market the program on cybercrime forums for prices ranging from $4,000 to $15,000.

The first actor known to use it in the wild was Black Basta, in June 2022. Around the turn of 2023, threat actors across the ransomware spectrum began to follow suit. SentinelOne has observed it in attacks alongside payloads like AvosLocker, BlackCat, and LockBit, for example. 

**The New Technique**

Whenever a new malware tool begins to attract attention, it risks losing its initial effectiveness as defenders start to adjust. To keep it going, then, authors need to modify and build out new features.

AuKill's new feature targets the protected processes run by EDR solutions. Its weapons: the default time-travel debugging (TTD) monitor Windows driver — used for monitoring TTD processes — in tandem with an updated version of the Process Explorer driver.

In short, the malware uses the former driver to watch for protected Windows processes it wants to attack and, if they pop up, suspends them. When the protected process then tries to spin up non-protected helper (child) processes, the latter driver blocks those. With the drivers blocking parent and child, a crash ensues.

"Organizations should ensure that anti-tampering protection mechanisms are enabled in their security solutions deployed on enterprise devices," says Antonio Cocomazzi, staff offensive security researcher at SentinelOne.

"For this particular technique," he adds, "organizations should ensure that their security software's anti-tampering protections are robust enough to defend against kernel-mode attacks, such as those exploiting the Process Explorer driver. Implementing additional security measures, like kernel-level monitoring and restricting driver access, can further enhance protection against these advanced threats."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Security End-Run: 'AuKill' Shuts Down Windows-Reliant EDR Processes

Israel's military computer systems have been under constant barrage in recent months.

Source: Bumble Dee via Alamy Stock Photo

The Israeli Defense Forces (IDF) have nixed somewhere in the range of 3 billion cyberattack attempts since last fall, an army chief said this week.

The claim, circulated across Israeli news outlets, was made by Colonel Racheli Dembinsky, commander of the IDF's Center of Computing and Information Systems, also known as Mamram. Mamram, essentially, is the IT organization for Israel's military, providing, maintaining, and defending its intranet, cloud systems, data processing, public-facing websites, and more.

As Dembinsky recalled at the IT for IDF conference in the city of Rishon LeTsiyon, an uptick in threats to Israel's military systems dates back to the terror attack on Oct. 7. "I received a phone call that morning and thought there was a malfunction in the alert system," she said. "I quickly understood there wasn’t a malfunction, but a broader attack. Also, we immediately understood this wasn’t fake. I put on my uniform and drove to the base. We began transitioning to emergency mode."

The strain on the IDF's systems continued in the weeks thereafter, as hundreds of thousands of reservists were quickly recruited into the war effort, and Mamram began allocating computing resources at 120% capacity.

According to Dembinsky, cyberattacks against the IDF in recent months have involved operational systems central to the military's functioning, such as those that ground forces rely on to coordinate information sharing in real-time. She did not provide details on the nature of the attacks, but noted that the many billions of them had been blocked.

**Cyber Threats to Israel**

Israel has seen a dramatic increase in cyberattacks overall since the start of the war, notes Gil Messing, chief of staff for Check Point Software. "Attacks in general have more than doubled, to the point that an average Israeli organization is attacked more than 2,200 times every week," he explains.

"This has been driven mostly by politically motivated hacking groups — such as nation-states attacking Israel, like Iran, or Hezbollah — and hacktivist groups that are joining forces in attacking Israel in the context of the war. We are monitoring over 80 such groups which do everything from defacement and DDoS to ransomware and wipers."

Specifically, Check Point tracks at least five of those groups as state-level advanced persistent threats (APTs) from Iran, and another five or six as working for the Iranian proxy Hezbollah. Some of the 80-plus work for Hamas, and still others are sympathetic groups from outside of Palestine and Lebanon.

"Cyberattacks are a clear and evident part of the war and, at the same time, the 'regular' hackers who are financially motivated are also attacking Israel (like any other country). So, all in all, the increase of attacks which we see in Israel is almost double what we see on the global average,” Messing says.

In response to the overwhelming threat, he adds, capable organizations have upped their game and their collective information sharing. Still, plenty of companies, government, and law enforcement organizations remain behind.

Case in point: At a separate panel at IT for IDF, Kobi Menashe, head of the guidance department and spectrum defense for the Israel National Cyber Directorate (INCD) defense division, revealed that 139 out of the 259 local authorities in Israel are facing a "very bad cyber situation." By contrast, just 89 are defined as "good." (He did note, though, that only 30 were considered good by Oct. 7.) That, despite a threefold increase in cyberattacks observed against local authorities in recent quarters.

"While the hackers are continuously working hard to attack Israeli organizations, many on the defenders' side don’t act so swiftly," Messing says. "This results in more successful attacks, which happen by the day."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

IDF Has Rebuffed 3B Cyberattacks Since Oct. 7, Colonel Claims

Russian hacktivists claim DDoS attacks against basic tourist websites. Is it real, or just smoke and mirrors?

Source: Hemis via Alamy Stock Photo

Against the backdrop of the upcoming Paris Olympics, Russian hacktivists have claimed denial-of-service (DoS) attacks against a few notable French websites.

For months now, the news media has warned of both physical and cyber threats to the upcoming Olympic Games. The fears are well-founded: Any major event these days is a target, and prior Olympics have seen their fair share of incidents.

A potential opening salvo rang out in June, Cyble notes in a new report, when the Russian hacktivist groups HackNeT and the People's Cyber Army claimed a series of distributed DoS attacks on their social media channels. The Sandworm-linked People's Cyber Army referred to the attacks as mere "training."

**Pre-Olympics DDoS Attacks**

On June 23, the hacker collectives posted a series of screenshots of victim websites, and website uptime monitoring tools to demonstrate their downing.

At 8:30 UTC, for example, the People's Cyber Army claimed an attack on the website of the La Rochelle International Film Festival. Shortly thereafter, HackNet published news of another attack against the site for the Grand Palais. Cyble labeled these many claims as "possibly true" but couldn't confirm their legitimacy.

The pattern of targeting relatively mundane websites belonging to popular tourist attractions fits neatly into a picture of amateurish hacktivists seeking attention.

"I think it's mostly about being recognized as a formidable player in this whole space of cyber hacktivism — being seen taking up causes, and appearing to be fighting for it," says Kaustubh Medhe, head of research and intelligence at Cyble. "You have to keep your voice heard and be in the headlines all the time. And it's also a chance for groups to gather more mass support."

The People's Cyber Army in particular has historically done quite well on those fronts. Though it's only just over two years old, its Telegram channel sports more than 50,000 subscribers.

**Cyber Threats to the Paris Olympics**

When it comes to the myriad cyber threats to the Paris Olympics, "I delineate between risks that are scary, and those that are more of a nuisance," says Bojan Simic, co-founder and CEO of HYPR.

"Nuisance types of scenarios are: the Olympics app doesn't work and people don't know where the next event is and it's annoying. And taking down specific events from TV or streaming," he says. Politically motivated hacktivism against static websites — of the kind so boasted about by HackNet and the People's Cyber Army — also falls under this banner.

The problem, Medhe warns, is that nuisances can provide a screen for more ambitious attacks. "There have been instances in the past where DDoS attacks are a distraction to throw off a security team, to focus them on something less important, while some other threat groups are trying to get in some other way, and there is a more advanced attack in progress," he says.

Besides physical threats to athletes and fans, advanced cyber attacks might take the form of a major data breach, such as when Russia's Fancy Bear stole sensitive medical data on athletes at the 2016 games in Rio. This was a major interference, like the Olympic Destroyer attack at Pyeongchang 2018 that disrupted broadcasting, ticketing, various Olympics websites, and Wi-Fi at the host stadium. Attacks might also take some other form not yet seen at prior Games.

"I think they're generally reasonably well prepared," Simic says of the Olympic committee this time around, "but I think their preparations are going to be largely based off of previous attacks. I think they've been on the lookout for DDoS attacks, making sure that they have the ability to automatically scale the environment if they need to, to make sure that disruptions are minimized. Their ability to stop newer attacks is to be seen.

"We haven't really seen organizations adapt to modern, AI-based attacks involving malware and social engineering. That gives me some discomfort around the Olympic Committee being able to stop \[certain\] attacks."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'Trial' DDoS Attacks on French Sites Portend Greater Olympics Threats

At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Squarespace bought all assets of Google Domains a year ago, but many customers still haven't set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn't yet been registered, merely by supplying an email address tied to an existing domain.

At least a dozen organizations with domain names at domain registrar **Squarespace** saw their websites hijacked last week. Squarespace bought all assets of **Google Domains** a year ago, but many customers still haven’t set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn’t yet been registered, merely by supplying an email address tied to an existing domain.

Until this past weekend, Squarespace’s website had an option to log in via email.

The Squarespace domain hijacks, which took place between July 9 and July 12, appear to have mostly targeted cryptocurrency businesses, including Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains. In some cases, the attackers were able to redirect the hijacked domains to phishing sites set up to steal visitors’ cryptocurrency funds.

New York City-based Squarespace purchased roughly 10 million domain names from Google Domains in June 2023, and it has been gradually migrating those domains to its service ever since. Squarespace has not responded to a request for comment, nor has it issued a statement about the attacks.

But an analysis released by security experts at Metamask and Paradigm finds the most likely explanation for what happened is that Squarespace assumed all users migrating from Google Domains would select the social login options — such “Continue with Google” or “Continue with Apple” — as opposed to the “Continue with email” choice.

**Taylor Monahan**, lead product manager at Metamask, said Squarespace never accounted for the possibility that a threat actor might sign up for an account using an email associated with a recently-migrated domain before the legitimate email holder created the account themselves.

“Thus nothing actually stops them from trying to login with an email,” Monahan told KrebsOnSecurity. “And since there’s no password on the account, it just shoots them to the ‘create password for your new account’ flow. And since the account is half-initialized on the backend, they now have access to the domain in question.”

What’s more, Monahan said, Squarespace did not require email verification for new accounts created with a password.

“The domains being migrated from Google to Squarespace are known,” Monahan said. “It’s either public or easily discernible info which email addresses have admin of a domain. And if that email never sets up their account on Squarespace — say because the billing admin left the company five years ago or folks just ignored the email — anyone who enters that email@domain in the squarespace form now has full access to control to the domain.”

The researchers say some Squarespace domains that were migrated over also could be hijacked if attackers discovered the email addresses for less privileged user accounts tied to the domain, such as “domain manager,” which likewise has the ability to transfer a domain or point it to a different Internet address.

Squarespace says domain owners and domain managers have many of the same privileges, including the ability to move a domain or manage the site’s domain name server (DNS) settings.

Monahan said the migration has left domain owners with fewer options to secure and monitor their accounts.

“Squarespace can’t support users who need any control or insight into the activity being performed in their account or domain,” Monahan said. “You basically have no control over the access different folks have. You don’t have any audit logs. You don’t get email notifications for some actions. The owner doesn’t get email notification for actions taken by a ‘domain manager.’ This is absolutely insane if you’re used to and expecting the controls Google provides.”

The researchers have published a comprehensive guide for locking down Squarespace user accounts, which urges Squarespace users to enable multi-factor authentication (disabled during the migration).

“Determining what emails have access to your new Squarespace account is step 1,” the help guide advises. “Most teams DO NOT REALIZE these accounts even exist, let alone theoretically have access.”

The guide also recommends removing unnecessary Squarespace user accounts, and disabling reseller access in Google Workspace.

“If you bought Google Workspace via Google Domains, Squarespace is now your authorized reseller,” the help document explains. “This means that anyone with access to your Squarespace account also has a backdoor into your Google Workspace unless you explicitly disable it by following the instructions here, which you should do. It’s easier to secure one account than two.”

Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks

A list of topics we covered in the week of July 8 to July 14 of 2024

July 12, 2024 - In a new malware campaign, threat actors are using Google ads to target Mac users looking to download Microsoft Teams.

July 12, 2024 - Customers of the stalkerware application mSpy had their customer support details exposed after a data breach

July 12, 2024 - AT&T has told customers about yet another data breach. This time call and text records of nearly all customers were stolen.

July 12, 2024 - Apple has sent a warning to people targeted by mercenary spyware in 98 countries.

July 8, 2024 - Shopify has denied it has suffered a breach, saying the stolen data comes from a third-party provider that will notify affected customers.

 A week in security (July 8 &#8211; July 14) 

In a new malware campaign, threat actors are using Google ads to target Mac users looking to download Microsoft Teams.

Competition between stealers for macOS is heating up, with a new malvertising campaign luring Mac users via a fraudulent advert for Microsoft Teams. This attack comes on the heels of the new Poseidon (OSX.RodStealer) project, another threat using a similar code base and delivery techniques.

Based on our tracking, Microsoft Teams is once again a popular keyword threat actors are bidding on, and it is the first time we have seen it used by Atomic Stealer. Communication tools like Zoom, Webex or Slack have been historically coveted by criminals who package them as fake installers laced with malware.

This latest malvertising campaign was running for at least a few days and used advanced filtering techniques that made it harder to detect. Once we were able to reproduce a full malware delivery chain, we immediately reported the ad to Google.

**Top search result for Microsoft Teams**

We were able to reliably search for and see the same malicious ad for Microsoft Teams which was likely paid for by a compromised Google ad account. For a couple of days, we could not see any malicious behavior as the ad redirected straight to Microsoft’s website. After numerous attempts and tweaks, we finally saw a full attack chain.

Despite showing the _microsoft.com_ URL in the ad’s display URL, it has nothing to do with Microsoft at all. The advertiser is located in Hong Kong and runs close to a thousand unrelated ads.

**Malicious redirect and payload**

We confirmed the ad was indeed malicious by recording a network capture (see below). Each click is first profiled (_smart\[.\]link_) to ensure only real people (not bots, VPNs) proceed, followed by a cloaking domain (_voipfaqs\[.\]com_) separating the initial redirect from the malicious landing (decoy) page (_teamsbusiness\[.\]org_).

Victims land on a decoy page showing a button to download Teams. A request is made to a different domain (locallyhyped\[.\]com) where a unique payload (file name and size) is generated for each visitor.

Once the downloaded file _MicrosoftTeams\_v.(xx).dmg_ is mounted, users are instructed to open it via a right click in order to bypass Apple’s built-in protection mechanism for unsigned installers.

In the video below, we show the steps required to install this malicious application, noting that you are instructed to enter your password and grant access to the file system. This may not come as unusual for someone wanting to install a new program, but it is exactly what Atomic Stealer needs to grab keychain passwords and important files.

Following the data theft is the data exfiltration step, only visible via a network packet collection tool. A single POST request is made to a remote web server (147.45.43\[.\]136) with the data being encoded.

**Mitigations**

As cyber criminals ramp up their distribution campaigns, it becomes more dangerous to download applications via search engines. Users have to navigate between malvertising (sponsored results) and SEO poisoning (compromised websites).

To mitigate such risks, we recommend using browser protection tools that can block ads and malicious websites. Often times, threat actors will rely on redirects from ads or compromised networks that can be stopped before even downloading a malicious installer.

Malwarebytes for Mac detects this threat as OSX.AtomStealer:

**Indicators of Compromise**

Cloaking domain

voipfaqs\[.\]com

Decoy site

teamsbusiness\[.\]org

Download URL

locallyhyped\[.\]com/kurkum/script\_66902619887998\[.\]92077775\[.\]php

Atomic Stealer payload

7120703c25575607c396391964814c0bd10811db47957750e11b97b9f3c36b5d

Atomic Stealer C2

147.45.43\[.\]136

 Fake Microsoft Teams for Mac delivers Atomic Stealer 

Apple has sent a warning to people targeted by mercenary spyware in 98 countries.

In April 2024, we reported how Apple was warning people of mercenary attacks via its threat notification system. At the time it warned users in 92 countries. In a new round, Apple is now warning users in 98 countries of potential mercenary spyware attacks.

The message sent to the affected users says:

> “Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID.”

In the same message, Apple says that it is very likely that the person in question is being specifically targeted because of what they do or who they are. And, although there is a certain margin of error, the user should take this warning seriously.

Mercenary spyware is used by governments to target people like journalists, political activists, and similar targets, and involves the use of sophisticated tools like Pegasus. Pegasus is one of the world’s most advanced and invasive spyware tools, known to utilize zero-day vulnerabilities against mobile devices.

On the website that explains Apple threat notifications and protection against mercenary spyware, it specifically mentions Pegasus:

> “According to public reporting and research by civil society organizations, technology firms, and journalists, individually targeted attacks of such exceptional cost and complexity have historically been associated with state actors, including private companies developing mercenary spyware on their behalf, such as Pegasus from the NSO Group.”

Apple has sent out similar notifications multiple times a year since 2021 but doesn’t disclose how it determines who to send them to, since that might aid attackers in evading future detection.

Amnesty International urges those that have received such a notification to take it seriously. Amnesty’s Security Lab offers digital forensic support to potential victims like human rights defenders, activists, journalists and members of civil society.

If you are a member of civil society, and you have received an Apple notification, you can contact Amnesty International and request forensic support using the Get Help form.

Whether you’ve received that notification or not, every iPhone user should make sure they have the latest updates, protect the device with a passcode, use multi-factor authentication and a strong password for Apple ID, only install apps from the Apple Play store, use a mobile security product, and be careful what they open or tap on.

People that have reason to believe they might be individually targeted by mercenary spyware attacks, can enable Lockdown Mode on their Apple devices for additional protection.

Lockdown Mode does the following:

*   Blocks most message attachments
*   Blocks incoming FaceTime calls from people you have not called previously
*   Blocks some web technologies and browsing features
*   Excludes location from shared phots and removes Shared Albums
*   Blocks wired connections when the device is locked
*   Blocks auto-joining non-secure WiFi networks
*   Blocks incoming invitations from people you have not previously invited
*   Blocks installation of configuration profiles you may require for work or school

**How to turn on Lockdown Mode on iPhone or iPad**

1.  Open the **Settings** app.
2.  Tap **Privacy & Security**.
3.  Scroll down, tap **Lockdown Mode.**
4.  Tap **Turn On Lockdown Mode**.
5.  Read what it does and tap **Turn On Lockdown Mode** if that is what you want.
6.  Tap **Turn On & Restart**, then enter your device passcode.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

**Summer mega sale**

Go into your vacation knowing you’re much more secure: This summer you can get a huge **50% off a Malwarebytes Standard subscription** or **Malwarebytes Identity bundle**. Run, don’t walk!

 iPhone users in 98 countries warned about spyware by Apple 

Even if a threat actor isn’t successful in some widespread breach that makes international headlines, even smaller-scale threats and actors are just hoping to cause chaos.

Thursday, July 11, 2024 14:00

With the 2024 Olympics’ Opening Ceremony only two weeks away now, there is one thing that’s an absolute guarantee of one thing happening during the traditionally unpredictable games: Cyber attacks. 

Every time there is a new Olympic Games, there’s a renewed discussion about how threat actors, hacktivists and state-sponsored groups are all gearing up to try to disrupt the games in some way. The Opening Ceremony at the 2018 Olympic Games in South Korea was disrupted by a major cyber attack called Olympic Destroyer, briefly pausing ticket-taking operations and taking down several Olympics-related websites. 

And for this year’s Summer Games, France faces an “unprecedented level of threat,” according to the head of the country’s cybersecurity agency.  

That’s because, in our modern day, there is just simply so much to protect. Ninety-nine percent of modern communication occurs over a network at this point, especially when you’re talking about an international event. That means protecting individual inboxes, mail servers, third-party messaging apps, virtual meetings and more. 

Each attendee of the games is going to bring in their own devices, too, and connect to whatever public network the Olympics stands up at the arenas or fields where competitions are taking place. That’s tens of thousands of new potential entry points for threat actors. 

There are also domains, subdomains, hosts, web applications and third-party cloud resources that the Games rely on, all with their own attack surfaces. 

A study from Outpost24 earlier this year found that the security for all these factors is stronger than when Russia hosted the 2018 FIFA World Cup, which came with a similar set of circumstances and popularity to the Olympics.  

Even if a threat actor isn’t successful in some widespread breach that makes international headlines, even smaller-scale threats and actors are just hoping to cause chaos.  

Last month, a fake AI-generated movie trailer seemed to show famous actor Tom Cruise condemning the International Olympic Committee in a fake documentary for Netflix. That made its rounds on Telegram, along with many threats around terrorist attacks in the hope of scaring attendees away and making the Games seem under-attended. 

Other actors are just looking to spread general misinformation, capitalizing on recent protests and elections in France to, in their mind, sow chaos in an already chaotic time for the country. 

France has been preparing for the bevy of threats with hundreds of penetration tests, tabletop exercises and, of course, partnering with Cisco to protect the Olympic Games.  

**The one big thing **

Based on a comprehensive review of more than a dozen prominent ransomware groups, Talos identified several commonalities in tactics, techniques and procedures (TTPs), along with several notable differences and outliers. Talos’ studies indicate that the most prolific ransomware actors prioritize gaining initial access to targeted networks, with valid accounts being the most common mechanism. Phishing for credentials often precedes these attacks, a trend observed across all incident response engagements, consistent with our 2023 Year in Review report. Over the past year, many groups have increasingly exploited known and zero-day vulnerabilities in public-facing applications, making this a prevalent initial access vector. 

**Why do I care? **

Key findings indicate that many of the most prominent groups in the ransomware space prioritize establishing initial access and evading defenses in their attack chains, highlighting these phases as strategic focal points. Within the past year, many groups have exploited critical vulnerabilities in public-facing applications, becoming a prevalent attack vector, which we addressed later, indicating an increased need for appropriate security controls and patch management. Ransomware actors also continue to apply a significant focus to defense evasion tactics to increase dwell time in victim networks. 

**So now what? **

Our blog post includes several recommendations for how potential targets can protect against the TTPs these groups use. That includes consistently applying patches and updates to all systems and software to address vulnerabilities promptly and reduce the risk of exploitation and implement strong password policies that require complex, unique passwords for each account. Additionally, enforce multi-factor authentication (MFA) to add an extra layer of security. 

**Top security headlines of the week **

**Apple IDs are being targeted in a new SMS-based phishing scam.** Security researchers say that adversaries are sending text messages to iPhone users in the U.S. disguised to look like they’re from Apple but actually intended to steal their Apple login credentials. The phishing messages are made to seem more legitimate with a fake CAPTCHA for users to complete. They are then directed to a malicious web page that looks like an older iCloud login page, where the targeted user is asked to enter their Apple ID. Apple IDs are valuable for attackers because they could allow them to log into the target’s iPhones and iPads, provide access to personal information, and allow the attacker to make unauthorized purchases. Apple warned users that they should be implementing MFA on their devices to ensure an adversary can’t use their credentials on an unknown device, or using Face ID or Touch ID to log into their devices. iPhone users are unlikely to ever receive text messages from Apple asking for their ID, but if they do, they should manually visit the desired website rather than clicking on a link in the message. (CBS News, Forbes) 

**A newly discovered spyware may have been spying on military members across the Middle East for more than five years.** The tool, called GuardZoo, appears to be created by Houthi-aligned actors in Yemen. GuardZoo is a custom Android surveillance tool that’s used to steal potentially valuable information and military intelligence, including documents, photos and data relating to troop locations. Infection of GuardZoo begins with a malicious link sent in a WhatsApp message. These phishing links lead to one of a variety of fake apps outside of the Google Play store, disguising themselves as a range of services including an app for reading the Quran, device location tracking, and other themes relating to the Yemen Armed Forces and Saudi Arabia’s Armed Forces Command and Staff College. GuardZoo managed to fly under the radar for several years because it was a modified version of the previously known Dendroid remote access trojan. Once on a device, GuardZoo immediately disables local logging and exfiltrates all of the victim’s files from the past seven years that are KMZ, WPT, RTE or TRK files, all of which relate to GPS and mapping apps. (Dark Reading, SC Media) 

**The Australian government blamed a Chinese state-sponsored actor for being behind a series of cyber attacks and data breaches dating back to 2022.** The group, known as APT40, is allegedly the perpetrator behind the theft of usernames and passwords from two unnamed Australian networks two years ago. A newly released report from the Australian Cyber Security Centre said APT40 conducts malicious cyber operations for China’s Ministry of State Security, the main agency in China in charge of foreign intelligence. The report says that the actor tries to steal sensitive information by infecting older, and sometimes even inactive, computers that are still connected to sensitive networks. Chinese authorities immediately denied the accusations. Intelligence agencies in Canada, New Zealand, the U.S. and the U.K. co-authored the report. New Zealand’s government previously accused APT40 of targeting its parliamentary services and counsel office in 2021 and stealing sensitive information. (NBC News, Voice of America) 

**Can’t get enough Talos? **

*   Upstream’s 2024 Global Automotive Cybersecurity Report (featuring contributions from Cisco Security)
*   Hidden between the tags: Insights into spammers’ evasion techniques in HTML Smuggling 
*   How do cryptocurrency drainer phishing scams work? 
*   15 vulnerabilities discovered in software development kit for wireless routers 
*   Largest Patch Tuesday in 3 months includes 5 critical vulnerabilities 
*   Cisco Talos details latest tactics employed by prolific ransomware groups 
*   Ransomware Groups Prioritize Defense Evasion for Data Exfiltration 

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** 8a366b1d30dd4d03ad8c5c18d0fb978d00d16f5f465bd59db6e09b034775c3ec   
**MD5:** 4fca837855b3bced7559889adb41c4b7   
**Typical Filename:** UIHost32.exe   
**Claimed Product:** McAfee WebAdvisor   
**Detection Name:** Trojan.Miner.ED 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 484c74d529eb1551fc2ddfe3c821a7a87113ce927cf22d79241030c2b4a4aa74  
**MD5:** dc30cfd21bbb742c10e3621d5b506780  
**Typical Filename:** KMS-R@1nHook.exe  
**Claimed Product:** N/A  
**Detection Name:** W32.File.MalParent

Tag

#apple