Popular social messaging platform Discord has announced that it's rolling out a new custom end-to-end encrypted (E2EE) protocol to secure audio and video calls.
The protocol has been dubbed DAVE, short for Discord's audio and video end-to-end encryption ("E2EE A/V").
As part of the change introduced last week, voice and video in DMs, Group DMs, voice channels, and Go Live streams are expected to

Encryption / Data Protection

Popular social messaging platform Discord has announced that it's rolling out a new custom end-to-end encrypted (E2EE) protocol to secure audio and video calls.

The protocol has been dubbed **DAVE**, short for Discord's audio and video end-to-end encryption ("E2EE A/V").

As part of the change introduced last week, voice and video in DMs, Group DMs, voice channels, and Go Live streams are expected to be migrated to use DAVE.

That said, it's worth noting that messages on Discord will remain unencrypted and are subject to its content moderation approach.

"When we consider adding new privacy features like E2EE A/V, we do not do so in isolation from safety," Discord said. "That is why safety is integrated across our product and policies, and why messages on Discord are unencrypted."

"Messages will still be subject to our content moderation approach, allowing us to continue offering additional safety protections."

DAVE is publicly auditable and has been reviewed by Trail of Bits, with the protocol leveraging WebRTC encoded transforms and Message Layer Security (MLS) for encryption and group key exchange (GKE), respectively.

This allows for media frames, outside of the codec metadata, to be encrypted after they are encoded and decrypted before being decoded on the receiver side.

"Each frame is encrypted or decrypted with a per-sender symmetric key," Discord said. "This key is known to all participants of the audio and video session but crucially is unknown to any outsider who is not a member of the call, including Discord."

The use of MLS, on the other hand, makes it possible for users to join or leave a voice or video session on Discord in such a manner that neither new participants can decrypt media sent before they joined nor leaving members can decrypt any media sent in the future.

"Discord's existing transport encryption for audio and video between the client and our selective forwarding unit (SFU) is retained, ensuring only audio and video from authenticated call participants is forwarded," it noted.

"While the SFU still processes all packets for the call, audio or video data inside each packet is end-to-end encrypted and undecryptable by the SFU."

The development comes days after the GSM Association (GSMA), the governing body that oversees the development of the Rich Communications Services (RCS) protocol, said it's working towards implementing E2EE to secure messages sent between the Android and iOS ecosystems.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Discord Introduces DAVE Protocol for End-to-End Encryption in Audio and Video Calls

The APT group uses spear-phishing and a vulnerability in a geospatial data-sharing server to compromise organizations in Taiwan, Japan, the Philippines, and South Korea.

Source: kb-photodesign via Shutterstock

A China-linked cyber-espionage group has attacked Taiwanese government agencies, the Philippine and Japanese military, and energy companies in Vietnam, installing either the Cobalt Strike client or a custom backdoor known as EagleDoor on compromised machines.

Dubbed Earth Baxia by cybersecurity firm Trend Micro, the group primarily uses spear-phishing to compromise victims, but it has also exploited a vulnerability (CVE-2024-36401) in the open source GeoServer software used to distribute geospatial data. The group uses public cloud services for hosting malicious files, and appears not to be connected to other known advance persistent threat (APT) groups, although at least one analysis has found overlap between APT41 — also known as Wicked Panda and Brass Typhoon.

The majority of the group's infrastructure is based in China, and its attacks target nations of Chinese national interest, says Ted Lee, a threat researcher with Trend Micro.

"In recent campaigns, their primary targets are government agencies and other critical infrastructures — \[such as\] telecommunication — in the APAC region," he says. "In addition, we also found the decoy documents they used to lure victims are related to some significant conferences or international meetings."

The attack comes as China appears to be ramping up its attacks on governments and companies in the Asia-Pacific region. Operation Crimson Palace, a collection of three Chinese APT groups working in concert, has successfully compromised more than a dozen targets in Southeast Asia, including government agencies. In another recent case, a Chinese espionage group used a malicious fake document in an attempt to compromise systems at the US-Taiwan Business Council, prior to its 23rd US-Taiwan Defense Industry Conference.

**Spear-Phishing, With a Side of GeoServer**

The latest attacks primarily employ spear-phishing, either sending a file or a link, using regional conferences as a lure.

"Based on the collected phishing emails, decoy documents, and observations from incidents, it appears that the targets are primarily government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand," Trend Micro stated in its analysis. "Notably, we also discovered a decoy document written in simplified Chinese, suggesting that China is also one of the impacted countries. However, due to limited information, we cannot accurately determine which sectors in China are affected."

In a limited number of cases, Trend Micro has noticed that the threat group uses a known flaw in the open source geospatial sharing service GeoServer to gain a beachhead within an organization. The GeoServer attacks appear to have started at least two months ago, with the Shadowserver Foundation noting that the attack first appeared in its logs on July 9. The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability (KEV) catalog on July 15.

Whether it uses a vulnerability or spear-phishing, the next step is to use one of two techniques, dubbed GrimResource and AppDomainManager injection, to further compromise targeted systems.

Discovered in June, GrimResource uses a cross-site scripting (XSS) flaw to execute JavaScript on the victim's machine and, together with a second exploit, gain arbitrary code execution. AppDomainManager injection is an older — but still not widely known — technique that can be used to load run malicious code and is starting to be abused by state-backed groups, NTT Security stated in an analysis (via Google Translate).  
"Since this method is not widely known at this time, it is clear that it is a unilateral advantage for the attackers," the translated analysis stated. "As a result, there is concern about the possibility that such attacks will expand in the future."

**All Roads Lead to Cobalt Strike?**

Compromise in any case leads either to a custom backdoor known as EagleDoor, or the installation of an implant by a pirated version of the red-team tool Cobalt Strike, whose use is common among cybercriminal and cyber-espionage groups because of its powerful lateral movement and command-and-control (C2) capabilities.

In addition, the commonness of the tool means investigators gain no attribution information from its use, Trend Micro's Lee says.

"While its use can be a red flag, attackers often modify its components to evade detection," he says. "On the other hand, it’s difficult for analysts to finish group attribution based on Cobalt Strike because it is a shared tool used by many different groups."

The Cobalt Strike component drops two executables, Hook and Eagle, which make up the EagleDoor backdoor, which allows communication over DNS, HTTP, TCP, and Telegram. The commands are used to exfiltrate data from the victim's system and installing additional payloads, Trend Micro stated in its analysis.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs

An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-6f62-3596-g6w7: HTTP Request Smuggling in ruby webrick

Ukraine has restricted the use of the Telegram messaging app by government officials, military personnel, and other defense and critical infrastructure workers, citing national security concerns.
The ban was announced by the National Coordination Centre for Cybersecurity (NCCC) in a post shared on Facebook.
"I have always advocated and advocate for freedom of speech, but the issue of Telegram is

National Security / Cyber Attack

Ukraine has restricted the use of the Telegram messaging app by government officials, military personnel, and other defense and critical infrastructure workers, citing national security concerns.

The ban was announced by the National Coordination Centre for Cybersecurity (NCCC) in a post shared on Facebook.

"I have always advocated and advocate for freedom of speech, but the issue of Telegram is not a question of freedom of speech, it is a matter of national security," Kyrylo Budanov, head of Ukraine's GUR military intelligence agency, said.

Ukraine's National Security and Defense Council (NSDC) said that Telegram is "actively used by the enemy" to launch cyber attacks, spread phishing messages and malicious software, track users' whereabouts, and gather intelligence to help the Russian military target Ukraine's facilities with drones and missiles.

To that end, the use of Telegram has been proscribed on official devices of employees of state authorities, military personnel, employees of the security and defense sector, as well as enterprises that are operators of critical infrastructure.

It's worth noting that the ban does not extend to personal phones, or people who use the app as part of their official duties.

In a statement shared with Reuters, Telegram said it has not provided any personal data to any country, including Russia, and that deleted messages are permanently deleted with no way of recovering them.

The development comes weeks after Telegram's CEO was arrested in France and then released on bail in connection with an investigation into the use of the popular messaging app for child pornography, drug trafficking, and fraud.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ukraine Bans Telegram Use for Government and Military Personnel

Plus: The FBI dismantles the largest-ever China-backed botnet, the DOJ charges two men with a $243 million crypto theft, Apple’s MacOS Sequoia breaks cybersecurity tools, and more.

The week was dominated by news that thousands of pagers, walkie-talkies and other devices were exploding across Lebanon on Tuesday and Wednesday in an attack targeting the militant group Hezbollah. At least 32 people were killed, including at least four children, and more than 3,200 people were injured. The covert campaign has widely been attributed to Israel, though none of the country's government agencies have commented.

In addition to the carnage, the attacks have—seemingly by design—had the effect of sowing paranoia and fear, not just among members of Hezbollah but also in the general Lebanese public. Hardware and warfare experts say that the incident is unlikely to establish a global precedent that people's most trusted communication devices and electronics, like smartphones, are rigged with explosives left and right. But it does create the potential to inspire copycats and puts defenders on notice that such attacks are possible.

Researchers say that China’s 2023 Zhujian Cup, a hacking competition with ties to the country's military, took the unusual step of requiring participants to keep the content of the exercise secret—and they may have been targeting a real victim as part of the event. Apple’s new stand-alone app Passwords that launched with iOS 18 may help solve your login problems. And a now-deleted post from billionaire Elon Musk that questioned why no one has attempted to assassinate Joe Biden and Kamala Harris renewed concerns this week that Musk is willing to inspire extremist violence and is a national security threat in the United States.

And there's more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Last month, media outlets, Microsoft, and Google warned that an Iranian state-sponsored hacking group known as APT42 had targeted both the Joe Biden and Donald Trump political campaigns, and that it had successfully stolen emails from the Trump campaign that were later shared with reporters. Now the FBI has chimed in with the added revelation that the same hackers also sent those stolen Trump communications to the Democrats, too—though for now there's no sign that the Democrats solicited those emails from the Iranians or necessarily even received the Iranians' message.

Republicans were nonetheless quick to compare the news to accusations that the Trump campaign “colluded” with the Russian hackers, part of the Kremlin's GRU military intelligence agency, who breached the Democratic National Committee and the Clinton Campaign in 2016 to carry out a hack-and-leak operation. In a statement, the Trump campaign demanded that the Democrats “must come clean on whether they used the hacked material.” The Harris campaign told CNN that it has cooperated with law enforcement and that it was “not aware of any material being sent directly to the campaign,” believing the emails to be spam or phishing attempts. “We condemn in the strongest terms any effort by foreign actors to interfere in US elections, including this unwelcome and unacceptable malicious activity,” Morgan Finkelstein, the national security spokesperson for the Harris campaign, told CNN.

**FBI Dismantles the Largest-Ever Chinese State-Sponsored Botnet**

The FBI announced this week that it had taken down a network of hacked machines being secretly controlled by a Chinese state-sponsored hacking group known as Flax Typhoon. The botnet, made up of 260,000 routers and internet-of-things devices, was allegedly being run by a Chinese contractor known as the Beijing Integrity Technology Group, a rare instance of a known, publicly traded company operating essentially a massive collection of hacked devices on behalf of the Chinese state. The botnet, according to the FBI and security firm Black Lotus Labs, had been used to hack government agencies, defense contractors, telecoms, and other US and Taiwanese targets. At the time of its takedown, the botnet still encompassed 60,000 machines, making it the largest Chinese state-sponsored botnet ever, according to Black Lotus Labs.

**Two Men Charged With Stealing $243M in Cryptocurrency Using Social Engineering Scam**

On Wednesday night, two young men were arrested after they allegedly stole hundreds of millions of dollars of cryptocurrency and spent the earnings on luxury cars, watches, jewelry, and designer handbags. In an unsealed indictment, the US Department of Justice charged Malone Lam, 20, known online as “Anne Hathaway” and Jeandiel Serrano, 21, aka “VersaceGod,” with stealing $243 million in cryptocurrency and laundering the proceeds through mixing services to conceal the origin.

CoinDesk reported that the men allegedly tricked the heist’s victim, a creditor of the now-defunct trading firm Genesis, using a social engineering scam that led them to reset their Gemini two-factor authentication and transfer 4,100 bitcoin to a compromised wallet. An analysis of the transaction by blockchain investigator ZachXBT revealed that the $243 million was divided among multiple wallets and then distributed to over 15 exchanges.

**Apple MacOS Update Breaks Some Cybersecurity Tools**

On Thursday, TechCrunch reported that Apple's latest desktop operating system update, macOS 15 (Sequoia), breaks some functionality of major security tools made by CrowdStrike, SentinelOne, and Microsoft. It’s unclear what specifically in the update is causing the issues, but social media posts and internal Slack messages reviewed by the tech outlet show that the update has frustrated engineers working on macOS-focused security tools.

A CrowdStrike sales engineer informed colleagues via Slack, as seen by TechCrunch, that the company would not be able to support Sequoia on day one, despite its usual practice of quickly supporting new OS releases. While they hope for a quick patch, they will likely need to scramble to resolve the issue with an update in their own code, assuming no immediate fix is available from Apple, which has not yet commented on the issue.

**Leader of Crypto Extortion Gang Sentenced to 47 Years**

Cryptocurrency theft has become practically a common-garden form of cybercrime. But one brutal gang took that form of thievery to a new level of cruelty and violence, breaking into a series of victims' homes to threaten and extort them into handing over their crypto holdings, sometimes even resorting to kidnapping and torture. This week, that disturbing story came to a close with the sentencing of the group's ring leader, a Florida man named Remy St. Felix, to 47 years in prison. St. Felix is one of 12 members of the gang to have now been charged, convicted, and sentenced. Prior to the home invasions that St. Felix led, another member of the group named Jarod Seemungal allegedly stole millions with more traditional crypto hacking techniques. But St. Felix's more violent, offline extortion attempts netted his gang only around $150,000 in cryptocurrency before they were caught and sentenced to years behind bars. The lesson: Crime doesn't pay—or at least, not the physical kind.

Iranian Hackers Tried to Give Hacked Trump Campaign Emails to Dems

The FOCAL plan outlines baselines to synchronize cybersecurity priorities and policies across, as well as within, agencies.

Source: ronstik via Alamy Stock Photo

The US Cybersecurity and Infrastructure Security Agency released a plan to align the “collective operational defense capabilities” of federal agencies to reduce their cyber-risk. The plan’s focus is to have more synchronized and robust cyber defenses, improved communications, and better agility and resilience in the federal government.

For the most part, federal agencies built out their own defense capabilities based on the threats they are facing. As a result, the agencies vary widely in how effectively they manage risks, and there is no “no cohesive or consistent baseline security posture," CISA said. This discrepancy means despite investing in cybersecurity, the agencies are still vulnerable to threats.

“Collective operational defense is required to adequately reduce risk posed to more than 100 FCEB agencies and to address dynamic cyber threats to government services and data,” CISA said.

In the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) plan, CISA sets out both “broad organizing concepts for federal cybersecurity” and tactical guidance agencies should implement. The plan covers daily activities and processes organizations should be using to defend their data and information systems, and spans five areas: asset management, vulnerability management, defensible architecture, cyber supply chain risk management, and incident response. It also sets collective security goals for the enterprise and provides a framework for coordinated support and services.

It is not intended to provide a comprehensive or exhaustive list of everything that an agency has to accomplish.

“The actions in the FOCAL plan orient and guide FCEB agencies toward effective and collaborative operational cybersecurity and will build resilience,” Jeff Greene, CISA’s executive assistant director for cybersecurity, said in a statement.

The essential components of FOCAL are “solid,” says John Vecchi, security strategist at Phosphorus Security. There are “very wide disparities” between agencies from a cyber maturity and culture perspective, but these agencies can achieve a “more consistent cybersecurity posture and baseline security hygiene” if FOCAL’s basics are implemented, Vecchi says.

However, accomplish a task of this magnitude can be challenge, Vecchi notes. Agency IT teams still need the staff, knowledge, and skills to actually deploy and implement the technologies and processes. The sheer number of security tools needed to accomplish the various elements in the plan could pose problems for agency security teams. While the focus on patching and vulnerability management is essential, these two areas are difficult to implement at scale.

It's also important to remember that about a third of the assets across these agencies represent smart devices, Internet of Things , operational technology, and embedded devices, Vecchi says. These types of systems are often out of compliance in terms of security hygiene.

“Resource allocation will most certainly be an issue here, but my guess is that the vast number of disparate teams and cultural differences across all of the agencies will present an even bigger and more immediate challenge,” Vecchi says. “It can be quite challenging for different teams within a single agency to collaborate effectively, let alone across so many unique, independent agencies and networks.”

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

CISA Releases Plan to Align Cybersecurity Across Federal Agencies

The critical bug, CVE-2024-8963, can be used in conjunction with the prior known flaw to achieve remote code execution (RCE).

Source: Kristoffer Tripplaar via Alamy Stock Photo

Less than two weeks after patching one flaw, Ivanti announced on Sept. 19 that a second, critical Cloud Services Appliance (CSA) vulnerability is being exploited in the wild.

The vulnerability (CVE-2024-8963, CVSS 9.4) is a path traversal in Ivanti CSA that allows a remote, unauthenticated attacker to access restricted functionalities. Attackers have chained it to the previously disclosed flaw, CVE-2024-8190, which is a high-severity OS command injection flaw that can allow unauthorized access to devices. The chain can be exploited for remote code execution (RCE), if the attacker has admin-level privileges.

"If CVE-2024-8963 is used in conjunction with CVE-2024-8190 an attacker can bypass admin authentication and execute arbitrary commands on the appliance," the enterprise said.

The news comes during an ongoing series of security issues Ivanti has faced since 2023.

**Not First & Likely Not the Last**

Just this year alone, Ivanti has faced flaw after flaw; in February, the Cybersecurity and Infrastructure Security Agency (CISA) ordered Ivanti VPN appliances be disconnected, rebuilt, and reconfigured in 48 hours, after there were concerns that multiple threat actors were exploiting security flaws found in the systems.

In April, foreign nation-state hackers took advantage of vulnerable Ivanti gateway devices and attacked MITRE, breaking its 15-year streak of being incident free. And MITRE wasn’t alone in this, as thousands of Ivanti VPN instances were compromised due to two unpatched zero-day vulnerabilities.

And in August, Ivanti's Virtual Traffic Manager (vTM) harbored a critical vulnerability that could have led to authentication bypass and creation of an administrator user without the patch that the enterprise provided.

"These known but unpatched vulnerabilities have emerged a favorite target for attackers because they are easy to exploit and oftentimes organizations have no idea that devices with EOL systems are still running in their network," Greg Fitzgerald, co-founder of Sevco Security, said in an emailed statement to Dark Reading.

**Protection in an Ongoing Storm**

To mitigate this threat, Ivanti recommends that its customers upgrade the Ivanti CSA 4.6 to CSA 5.0. They can also update CSA 4.6 Patch 518 to Patch 519; however, this product has entered end of life, so it's recommended to upgrade to CSA 5.0 instead. 

In addition to this, Ivanti recommends that all customers ensure dual-homed CSA configurations with eth0 as an internal network.

Customers should review the CSA for modified or newly added administrators if they are concerned that they may have been compromised. If users have endpoint detection and response (EDR) installed, it's recommended to review those alerts as well. 

Users can request help or ask questions by logging a case or requesting a call through Ivanti's Success Portal.

Ivanti's Cloud Service Appliance Attacked via Second Vuln

A North Korean advanced persistent threat (APT) actor (aka Gleaming Pisces) tried to sneak simple backdoors into public software packages.

Source: Chronicle via Alamy Stock Photo

One of North Korea's most sophisticated threat groups has been hiding remote access malware for macOS and Linux inside of open source Python packages.

North Korean advanced persistent threats (APTs) have become notorious for certain characteristic types of cyberattack in recent years. There's the cryptocurrency scam, which can come in many forms — often a fake trading platform, where victims are lured into divulging their wallet information or downloading malware. Supply chain attacks are common, particularly via poisoned packages typosquatting on public repositories. An impish recent trend involves contracting actual, honest labor to Western companies under false pretenses, then sending the salaries earned back to Kim's state. The reverse — agents posing as tech recruiters, convincing developers to download malware — is also common.

The group, which Palo Alto's Unit 42 tracks as Gleaming Pisces (and Microsoft as Citrine Sleet), seems to have supplemented category one with category two. Active since 2018, the financially motivated, DPRK Reconnaissance General Bureau (RGB)-linked group is known for attacks weaponizing fake crypto platforms. Unit 42 now assesses with medium confidence that it was responsible for uploading a handful of malicious packages to the Python Package Index (PyPI) back in February. The packages have since been taken down.

**DPRK-Poisoned PyPI Packages**

Most packages uploaded to open source repositories are simple by nature. As Louis Lang, co-founder and chief technology officer (CTO) at Phylum recalls, "What was interesting about these packages was that there was a higher order of complexity than you typically find among benign packages."

Phylum had identified four packages worth taking a second look at: real-ids, minisound, coloredtxt, and beautifultext. The innocuous names seemed to allude to legitimate functionality, like syntax highlighting for terminal outputs.

In reality, the packages contained malicious code that would be decoded and executed upon download. The code would then run bash commands in order to retrieve and download a remote access Trojan (RAT) called "PondRAT."

PondRAT is an entirely simple backdoor, capable of just a few functions: uploading and downloading files, checking to see that an implant is active or instructing it to sleep, and executing commands issued by the operator. It is, in essence, a "light" version of PoolRAT. PoolRAT is a known Gleaming Pisces backdoor for macOS that has a half dozen more standard capabilities than its successor, like listing directories, deleting files, etc.

**No Need for Windows**

More notable than the malware itself may be the fact that its authors wrote it only for macOS and Linux systems.

Forgoing hackers' long preferred Windows operating system makes sense, though, when one considers Gleaming Pisces' typical audience. As Lang explains, "They're targeting the actual builders, CI/CD infrastructure, developer workstations — environments that are overwhelmingly going to be Linux or macOS based. Very few people are doing development on straight Windows. So if you are targeting developers, it makes sense to ship variants for these systems, because that's where your target population lives."

Developers, then, need to be alert to phishing attacks, like those fake crypto platforms and job recruitment scams. Because while it's rare that anyone might pull an unpopular, ultra-generic package from PyPI, it's entirely likely that that same package could be quietly integrated into a broader infection chain.

"If you add a package, it could have downstream impacts, where you're actually pulling in 30, 40 other packages it may \[be connected to\]. So if I was a developer, I'd be very cognizant of what I'm installing, and try to minimize the attack surface by minimizing the number packages I'm pulling in. And then, obviously, scan the packages — look for these zombies, look for high-entropy strings, look for code obfuscation," Lang suggests.

"Like we always say," he adds, "you're one update away from malware."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Citrine Sleet Poisons PyPI Packages With Mac &amp; Linux Malware

Critical-rated CVE-2024-20017 allows remote code execution (RCE) on a range of phones and Wi-Fi access points from a variety of OEMs.

Source: Ros Drinkwater via Alamy Stock Photo

A nearly max-critical zero-click vulnerability is impacting MediaTek Wi-Fi chipsets and driver bundles used in routers and smartphones from various manufacturers, including Ubiquiti, Xiaomi, and Netgear.

According to SonicWall Capture Labs researchers who found the issue (CVE-2024-20017, CVSS 9.8), exploitation would open the door to remote code execution (RCE) without user interaction, making the bug a conduit for easy device takeover. Making matters worse, a public proof-of-concept exploit (PoC) recently became available, they warned.

The issue affects MediaTek SDK versions 7.4.0.1 and earlier, as well as OpenWrt 19.07 and 21.02, and affected users should apply the available MediaTek patches as soon as possible.

In terms of the technical details, the vulnerability is an out-of-bounds write issue that resides in wappd, a network daemon responsible for configuring and managing wireless interfaces and access points.

"The architecture of wappd is complex, comprising the network service itself, a set of local services that interact with the device's wireless interfaces, and communication channels between components via Unix domain sockets," the researchers explained in a blog post on the issue this week. "Ultimately, the vulnerability is a buffer overflow as a result of a length value taken directly from attacker-controlled packet data without bounds checking and placed into a memory copy."

**About the Author**

Zero-Click MediaTek Bug Opens Phones, Wi-Fi to Takeover

German authorities dismantled Boystown, a notorious Dark Web platform for CSAM, by deanonymizing Tor users in 2021. This…

German authorities dismantled Boystown, a notorious Dark Web platform for CSAM, by deanonymizing Tor users in 2021. This breakthrough raises concerns over Tor’s privacy as law enforcement targets criminal activities on the Dark Web.

German authorities, in collaboration with several international law enforcement agencies, successfully dismantled “Boystown,” a notorious dark web platform dedicated to child sexual abuse material (CSAM). This happened in April 2021 but the details of it have only been revealed now. What’s even crazier is that according to German media, authorities managed to deanonymize Tor users involved with the CSAM site and successfully arrest them.

With over 400,000 registered users, the site had been operational since 2019 and hosted some of the most severe forms of abuse, with many of the victims being young boys. The German Federal Criminal Police led this operation with support from Europol, alongside agencies from the Netherlands, the U.S., Canada, and several other countries.

Boystown’s administrators, three German men, were arrested, and a fourth suspect was detained in Paraguay, with extradition requested by Germany. These individuals helped users evade detection while facilitating the distribution of illegal content.

The platform was shut down in April 2021, and its chatrooms were also dismantled. This international operation marked a significant blow to illegal dark web activity involving CSAM.

****Deanonymizing Tor Nodes****

According to NDR’s report, German authorities’ ability to deanonymize users of Tor—a network designed for anonymity—played a crucial role in the success of this operation. Through surveillance of specific Tor nodes, they identified users accessing the site.

However, such breakthroughs have raised concerns about the safety of Tor’s anonymity features, even though the Tor Project insists its network remains secure. In its blog post, the Tor Project acknowledged being aware of the claims made in NDR’s report. However, the organization also stated that it had not received proof of concept (PoC) or documents independently verifying these claims from German authorities.

> _“_The Tor Project has not been granted access to supporting documents and has not been able to independently verify if this claim is true, if the attack took place, how it was carried out, and who was involved. In the absence of facts, it is hard for us to issue any official guidance or responsible disclosures to the Tor community, relay operators, and users at this time._“_
> 
> Isabela Fernandes – Executive Director of the Tor Project

Nevertheless, experts suggest that outdated software, combined with increased scrutiny of specific exit nodes, may have led to the identification of Boystown’s users. The implications of this case extend beyond just CSAM offenders. It has raised alarms among those who use Tor for legitimate purposes, such as whistleblowers and activists.

While privacy advocates fear that increased law enforcement surveillance of Tor could jeopardize users’ anonymity, authorities argue that targeting criminal activities like Boystown is a necessary step to protect the vulnerable.

This development indicates that law enforcement agencies may continue enhancing their surveillance of darknet activity. Though Tor remains a vital tool for privacy, these cases show that it is not entirely immune to infiltration, especially when outdated systems or weak links are involved.

If you are on the Tor browser stop illegal activities. For whistleblowers and journalists, here are five tips to help lay users better secure their Tor Browser:

1.  **Keep Tor Browser Updated**: Always use the latest version of the Tor Browser, as updates include important security patches that fix vulnerabilities. You can check for updates through the browser’s settings or download the newest version directly from the Tor Project website.
2.  **Disable JavaScript**: JavaScript can be used to exploit vulnerabilities and deanonymize users. To further enhance your security, disable JavaScript through the browser’s settings or use the “Safest” security level, which disables JavaScript by default. You can adjust the security settings by clicking the shield icon next to the address bar.
3.  **Avoid Installing Browser Add-ons**: Tor comes with privacy-enhancing features, and installing third-party add-ons could weaken your anonymity by introducing new vulnerabilities or leaking information unintentionally.
4.  **Use Bridges and Pluggable Transports**: If you are in a country or region that blocks Tor or monitors access to Tor nodes, use bridges or pluggable transports to circumvent censorship and avoid detection. These tools disguise your Tor traffic, making it harder for ISPs and governments to identify that you’re using Tor.
5.  **Don’t Use Personal Information**: Avoid logging into accounts that are linked to your real identity (e.g., personal email or social media) when using Tor. This undermines anonymity and could reveal your true identity through cookies or other tracking mechanisms. Consider using pseudonyms or temporary email accounts when browsing.

1.  **Tor Browser Flow Leaks Your Real IP Address**
2.  **23% of Tor browser relays found to be stealing Bitcoin**
3.  **What is Dark Web, Search Engines, What Not to Do on Dark Web**
4.  **Microsoft Defender Flags Tor Browser as Win32/Malgent!MTB Malware**
5.  **OnionPoison – Fake Tor Browser Installer Spreads Malware Via YouTube**

Tag

#auth