Eight out of nine apps that people use to input Chinese characters into mobile devices have weakness that allow a passive eavesdropper to collect keystroke data.

Source: badboydt7 via Shutterstock

Nearly all keyboard apps that allow users to enter Chinese characters into their Android, iOS, or other mobile devices are vulnerable to attacks that allow an adversary to capture the entirety of their keystrokes.

This includes data such as login credentials, financial information, and messages that would otherwise be end-to-end encrypted, a new study by Toronto University's Citizen Lab has uncovered.

**Ubiquitous Problem**

For the study, researchers at the lab considered cloud-based Pinyin apps (which render Chinese characters into words spelled with roman letters) from nine vendors selling to users in China: Baidu, Samsung, Huawei, Tencent, Xiaomi, Vivo, OPPO, iFlytek, and Honor. Their investigation showed all but the app from Huawei to be transmitting keystroke data to the cloud in a manner that enabled a passive eavesdropper to read the contents in clear text and with little difficulty. Citizen Lab researchers, who have earned a reputation over the years for exposing multiple cyber espionage, surveillance, and other threats targeted at mobile users and civil society, said each of them contain at least one exploitable vulnerability in how they handle transmissions of user keystrokes to the cloud.

The scope of vulnerabilities should not be underestimated, Citizen Lab researchers Jeffrey Knockel, Mona Wang and Zoe Reichert wrote in a report summarizing their findings this week: The researchers from Citizen Lab found that 76% of keyboard app users in mainland China, in fact, use a Pinyin keyboard to input Chinese characters.

"All of the vulnerabilities that we covered in this report can be exploited entirely passively without sending any additional network traffic," the researchers said. And to boot, the vulnerabilities were easy to discover and do not require any technological sophistication to exploit, they noted.  "As such, we might wonder, are these vulnerabilities actively under mass exploitation?"

Each of the vulnerable Pinyin keyboard apps that Citizen Lab examined had both a local, on-device component and a cloud-based prediction service for handling long strings of syllables and particularly complex characters. Of the nine apps they looked at, three were from mobile software developers — Tencent, Baidu, and iFlytek. The remaining five were apps that Samsung, Xiaomi, OPPO, Vivo, and Honor — all mobile device manufacturers — had either developed on their own or had integrated into their devices from a third-party developer.

**Exploitable via Active & Passive Methods**

Methods of exploitation differ for each app. Tencent's QQ Pinyin app for Android and Windows for instance had a vulnerability that allowed the researchers to create a working exploit for decrypting keystrokes via active eavesdropping methods. Baidu's IME for Windows contained a similar vulnerability, for which Citizen Lab created a working exploit for decrypting keystroke data via both active and passive eavesdropping methods.

The researchers found other encrypted related privacy and security weaknesses in the Baidu's iOS and Android versions but did not develop exploits for them. iFlytek's app for Android had a vulnerability that allowed a passive eavesdropper to recover in plaintext keyboard transmissions because of insufficient mobile encryption.

On the hardware vendor side, Samsung's homegrown keyboard app offered no encryption at all and instead sent keystroke transmissions in the clear. Samsung also offers users the option of either using Tencent's Sogou app or an app from Baidu on their devices. Of the two apps, Citizen Lab identified Baidu's keyboard app as being vulnerable to attack.

The researchers were unable to identify any issue with Vivo's internally developed Pinyin keyboard app but had a working exploit for a vulnerability they discovered in a Tencent app that is also available on Vivo's devices.

The third-party Pinyin apps (from Baidu, Tencent, and iFlytek) that are available with devices from the other mobile device makers all had exploitable vulnerabilities as well.

These are not uncommon issues, it turns out. Last year, Citizen Labs had conducted a separate investigation in Tencent's Sogou — used by some 450 million people in China — and found vulnerabilities that exposed keystrokes to eavesdropping attacks.

"Combining the vulnerabilities discovered in this and our previous report analyzing Sogou's keyboard apps, we estimate that up to one billion users are affected by these vulnerabilities," Citizen Lab said.

The vulnerabilities could enable mass surveillance of Chinese mobile device users — including by signals intelligence services belonging to the so-called Five Eyes nations — US, UK, Canada, Australia, and New Zealand — Citizen Lab said; the vulnerabilities in the keyboard apps that Citizen Lab discovered in its new research are very similar to vulnerabilities in the China-developed UC browser that intelligence agencies from these countries exploited for surveillance purposes, the report noted.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Chinese Keyboard Apps Open 1B People to Eavesdropping

The refunds will be made to individual affected customers through thousands of PayPal payments, available to be redeemed for a limited time.

Source: Len Holsborg via Alamy Stock Photo

The Federal Trade Commission (FTC) is refunding over $5.6 million to Ring customers after a 2023 privacy settlement.

Last year the FTC filed complaints against Ring, the home security company owned by Amazon, after accusations arose that employees were spying on female customers in bedrooms and bathrooms. Not only this, but the company failed to notify and obtain consent from customers regarding use of security video footage for training purposes until 2018.

The FTC asserted that Ring had failed to restrict access to its videos, failed to gain user consent, and failed to implement security safeguards leading to "egregious violations of users' privacy."

The FTC will be making the refunds through 117,044 PayPal payments to customers, depending on the type of Ring device used during the period when unauthorized users could have accessed Ring video footage.

**About the Author(s)**

FTC Issues $5.6M in Refunds to Customers After Ring Privacy Settlement

Recent trends in breaches and attack methods offer a valuable road map to cybersecurity professionals tasked with detecting and preventing the next big thing.

Source: YAY Media AS via Alamy Stock Photo

Cybersecurity is constantly evolving and, as such, requires regular vigilance.

Microsoft analyzes more than 78 trillion security signals every day to better understand the latest attack vectors and techniques. Since last year, we noticed a shift in how threat actors are scaling and leveraging nation-state support. It's clear that organizations continue to experience more attacks than ever before, and attack chains are growing more complex. Dwell times have shortened and tactics, techniques, and procedures (TTPs) have evolved to become nimbler and more evasive in nature. 

Informed by these insights, here are five attack trends end-user organizations should be monitoring regularly.

**Achieving Stealth By Avoiding Custom Tools and Malware**

Some threat actor groups are prioritizing stealth by leveraging tools and processes that already exist on their victims' devices. This allows adversaries to slip under the radar and go undetected by obscuring their actions alongside other threat actors that are using similar methods to launch attacks. 

An example of this trend can be seen with Volt Typhoon, a Chinese state-sponsored actor that made headlines for targeting US critical infrastructure with living-off-the-land techniques.

**Combining Cyber and Influence Operations for Greater Impact**

Nation-state actors have also created a new category of tactics that combines cyber operations and influence operations (IO) methods. Known as "cyber-enabled influence operations," this hybrid combines cyber methods — such as data theft, defacement, distributed denial-of-service, and ransomware — with influence methods — like data leaks, sockpuppets, victim impersonation, misleading social media posts, and malicious SMS/email communication — to boost, exaggerate, or compensate for shortcomings in adversaries' network access or cyberattack capabilities. 

For example, Microsoft has observed multiple Iranian actors attempting to use bulk SMS messaging to enhance the amplification and psychological effects of their cyber-influence operations. We're also seeing more cyber-enabled influence operations attempt to impersonate purported victim organizations or leading figures in those organizations to add credibility to the effects of the cyberattack or compromise.

**Creating Covert Networks By Targeting SOHO Network Edge Devices**

Particularly relevant for distributed or remote employees is the rising abuse of small-office/home-office (SOHO) network edge devices. More and more, we're seeing threat actors use target SOHO devices — such as the router in a local coffee shop — to assemble covert networks. Some adversaries will even use programs to locate vulnerable endpoints around the world and identify jumping-off points for their next attack. This technique complicates attribution, making attacks appear from virtually anywhere.

**Rapidly Adopting Publicly Disclosed POCs for Initial Access and Persistence **

Microsoft has increasingly observed certain nation-state subgroups adopting publicly disclosed proof-of-concept (POC) code shortly after it is released to exploit vulnerabilities in Internet-facing applications.

This trend can be seen in threat groups like Mint Sandstorm, an Iranian nation-state actor that rapidly weaponized N-day vulnerabilities in common enterprise applications and conducted highly targeted phishing campaigns to quickly and successfully access environments of interest.

**Prioritizing Specialization Within the Ransomware Economy**

We've been observing a continued move toward ransomware specialization. Rather than carry out an end-to-end ransomware operation, threat actors are choosing to focus on a small range of capabilities and services. 

This specialization has a splintering effect, spreading components of a ransomware attack across multiple providers in a complex underground economy. No longer can companies think of ransomware attacks as just coming from an individual threat actor or group. Instead, they may be combating the entire ransomware-as-a-service economy. In response, Microsoft Threat Intelligence now tracks ransomware providers individually, noting which groups traffic in initial access and which offer other services.

As cyber defenders look for more effective ways to harden their security posture, it's important to reference and learn from significant trends and breaches in years past. By analyzing these incidents and understanding different adversaries' motives and favored TTPs, we can better prevent similar breaches from happening in the future.

— Read more Partner Perspectives from Microsoft Security

**About the Author(s)**

Microsoft

Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

5 Attack Trends Organizations of All Sizes Should Be Monitoring

Hackers can influence voters with media and breach campaigns, or try tampering with votes. Or they can combine these tactics to even greater effect.

Source: Lennart Worthmann via Alamy Stock Photo

If history has anything to tell us, the most significant cyber threat to this year's elections won't be a leak, a distributed denial-of-service (DDoS) attack, or a fake news video. Instead, it will be some combination of these or more.

In cyberspace's salad days, hackers caused all kinds of fuss using simple, direct methods: hiding viruses in advertisements, hacking websites with easily guessed passwords, and so on. While that still happens, attackers often have to get more creative by chaining multiple tactics together in order to achieve their goals, thanks to greater cybersecurity awareness and protections.

So too with elections. In 2006, aides to Joe Lieberman's presidential campaign had to resort to their personal emails when a DoS attack froze their IT systems. A decade later, famously, came the Podesta email leak. Now, according to Mandiant, part of Google Cloud, the most potent threats to the democratic process are chained attacks.

"In the most significant cyber incidents targeting elections that Mandiant has tracked, threat actors have deliberately layered multiple tactics in hybrid operations in such a way that the effect of each component magnifies the others," the firm wrote in a new report.

**Combination Election Attacks**

One case study Mandiant pointed to occurred in 2014 when Ukraine's presidential elections were interrupted by a Russian cyber onslaught, following the ouster of its pro-Russian president Viktor Yanukovich, and Russia's invasion of Crimea.

A week before election day, Russian actors hiding behind the hacktivist moniker "Cyber Berkut" struck websites relating to NATO and Ukrainian media outlets with DDoS attacks. That set the stage for when, with four days to go, the same fake hacktivist group broke into the country's central election computers and deleted files and rendered the vote tallying system inoperable.

A day later, they added to the chaos by breaking more election infrastructure, then leaking the emails and documents stored there to the wider Internet. Lastly, just 40 minutes before election results were to be broadcast to the public, the country's Central Election Commission reportedly removed some kind of virus that was designed to present fake results in favor of the far-right, ultra-nationalist candidate.

This extreme brand of combination cyber warfare might have only happened in a country experiencing such upheaval, but other chained cyberattacks have struck more-stable democracies since.

In 2020, two 20-something Iranian nationals carried out a campaign against multiple US states' voting-related websites. They managed to obtain confidential voter information from at least one of them, which they used to send intimidating and misleading emails, including by spreading a video with disinformation about election infrastructure vulnerabilities. They also breached one media company, which, as the Department of Justice noted, could have provided them another channel through which to disseminate their false claims.

"Leaks are particularly powerful. Potentially more powerful when boosted through the compromise of legitimate media," says John Hultquist, chief analyst with Mandiant Intelligence at Google Cloud.

The breach/fake news ploy is a potent concoction. "These disinformation efforts are often orchestrated by state-backed entities from nations such as China, Russia, and Iran," warns Madison Horn, herself a 2024 candidate running for a congressional seat in Oklahoma's 5th district. "Their impact is undeniable, as seen in instances like Russia’s involvement in the 2016 US election and China’s ongoing global influence operations, which starkly demonstrate their capacity to sway public opinion and disrupt electoral integrity."

**The Threat From Cybercrime**

It's not only state-sponsored actors that pose a threat to the democratic process, Mandiant noted. Insiders, hacktivists, and cybercriminals all muddy the waters in their own ways.

In most cases, "The avenues for these campaigns are popular social media platforms — X, Telegram, Facebook — and YouTube, making the digital battlefield as accessible as it is dangerous," Horn warns.

From January 2023 to March 2024, the cybersecurity firm BrandShield tracked suspicious new social media accounts and web domains relating to Joe Biden's and Donald Trump's presidential campaigns. It found hundreds of imposter accounts across social media sites, as well as 2,335 suspect websites claiming some sort of affiliation with the president and 9,639 for the former president (helped by a 197% boost following his arrest in August).

Fake Trump site. Source: BrandShield

Fake sites and accounts are useful for spreading scams or malware and for stealing funds that voters intended to go to candidates, or they can be used in concert with other tactics to achieve greater ends.

"They can be used to get people's information, and maybe try to influence their views by distributing fake news," says BrandShield CEO Yoav Keren, formerly an adviser in the Israeli Knesset. "I would even think that they can use these platforms to interact with real people from the campaigns, to infiltrate their systems. These impersonations can be used in a lot of different ways."

"I don't want to give too many good ideas to the bad guys," he says, "but they usually come up with them before I do."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

The Biggest 2024 Elections Threat: Kitchen-Sink Attack Chains

A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-5675

**Quarkus: authorization flaw in quarkus resteasy reactive and classic**

Moderate severity GitHub Reviewed Published Apr 25, 2024 to the GitHub Advisory Database • Updated Apr 25, 2024

**Package**

maven io.quarkus:quarkus-resteasy-reactive-common (Maven)

**Affected versions**

< 3.9.0.CR1

**Patched versions**

3.9.0.CR1

maven io.quarkus:quarkus-resteasy-reactive-common-deployment (Maven)

**Description**

Published to the GitHub Advisory Database

Apr 25, 2024

Last updated

Apr 25, 2024

GHSA-25w4-hfqg-4r52: Quarkus: authorization flaw in quarkus resteasy reactive and classic

Mobile malware-as-a-service operators are upping their game by automatically churning out hundreds of unique samples on a whim.

Source: Wodthikorn Phutthasatchathum via Alamy Stock Photo

North of 1,000 samples of the Godfather mobile banking Trojan are circulating in dozens of countries worldwide, targeting hundreds of banking apps.

First discovered in 2022, Godfather — which can record screens and keystrokes, intercepts two-factor authentication (2FA) calls and texts, initiates bank transfers, and more — has quickly become one of the most widespread malware-as-a-service offerings in cybercrime, especially mobile cybercrime. According to Zimperium's 2023 "Mobile Banking Heists Report," as of late last year, Godfather was targeting 237 banking apps spread across 57 countries. Its affiliates exfiltrated stolen financial information to at least nine countries, primarily in Europe and including the US.

All that success drew attention, so, to prevent security software from spoiling the party, Godfather's developers have been automatically generating new samples for their customers at a near industrial scale.

Other mobile malware developers across the spectrum have started doing the same thing. "What we're seeing is that malware campaigns are starting to get bigger and bigger," warns Nico Chiaraviglio, chief scientist at Zimperium, who will host a session on this and other mobile malware trends at RSAC in May.

Besides Godfather and other known families, Chiaraviglio is tracking an even bigger, still-under-wraps mobile malware family with more than 100,000 unique samples in the wild. "So that's crazy," he says. "We haven't seen that number of samples in a single malware before, ever. This is definitely a trend."

**Banking Trojans Spawn Hundreds of Samples**

Mobile security is already lagging far behind security for desktops. "In the '90s, no one was really using antivirus on desktop computers, and that's kind of where we are now. Today, only one of four users are really using some sort of mobile protection. Twenty-five percent of devices are completely unprotected, compared with desktop, at 85%," Chiaraviglio laments.

Mobile threats, meanwhile, are leveling up fast. One way they're doing so is by generating so many different iterations that antivirus programs — which profile malware by their unique signatures — have trouble correlating one infection with the next.

Consider that at the time of its initial discovery in 2022, according to Chiaraviglio, there were fewer than 10 samples of Godfather in the wild. By the end of last year, that number had risen a hundredfold.

Its developers have clearly been autogenerating unique samples for customers to help them avoid detection. "They could just be scripting everything — that would be a way to automate it. Another way would be to use large language models, as code assistance can really speed up the development process," Chiaraviglio says.

Other banking Trojan developers have followed the same approach, if at a lesser scale. In December, Zimperium tallied 498 samples of Godfather's close competitor, Nexus, 300 samples of Saderat, and 123 of PixPirate.

**Can Security Software Keep Up?**

Security solutions that tag malware by signature will find difficulty keeping track of hundreds and thousands of samples per family.

"Maybe there is a lot of code reuse between different samples," Chiaraviglio says, something he suggests adaptive solutions can use to correlate related malware with different signatures. Alternatively, instead of the code itself, defenders can use artificial intelligence (AI) to focus on the behaviors of the malware. With a model that can do that, Chiaraviglio says, "it doesn't really matter how much you change the code or the way the application looks, we will still be able to detect it."

But, he admits, "at the same time, this is always a race. We do something \[to adjust\], then the attacker does something to evolve to our predictions. \[For example\], they can ask \[a large language model\] to mutate their code as much as it can. This would be the realm of polymorphic malware, which is not something that happens a lot on mobile, but we might start seeing way more of that."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Godfather Banking Trojan Spawns 1.2K Samples Across 57 Countries

Plus, new details emerge on the Scattered Spider cybercrime network and ArcaneDoor.

Thursday, April 25, 2024 14:00

I wrote last week about the problems arising from the massive backlog of vulnerabilities at the U.S. National Vulnerability Database.  

Thousands of CVEs are still without analysis data, and the once-reliable database of every single vulnerability that’s disclosed and/or patched is now so far behind, it could take up to 100 days for the National Institute of Standards and Technology (NIST) to catch up, and that would be assuming no new vulnerabilities are disclosed during that period. 

While the U.S. government and NIST try to sort out a potential solution, and hopefully await more funding and restructuring, NIST says it’s hoping to launch a consortium to help either rebuild the NVD or create a replacement.  

Other security experts have floated the idea of other companies or organizations creating a brand-new solution of their own. The main problem with that is, what’s in it for them?  

What works about the NVD is that it’s funded by the U.S. government, so the money is always coming in to help fund the workforce and at least gives MITRE and the other private companies who contribute to the NVD motivation to keep working on it. 

To start up a whole new database of \*every\* CVE out there would take countless man-hours, and then what at the end? Would the company or person(s) who created it start charging for access? 

Several open-source solutions have_man-hours_ popped up over the past few weeks, such as “NVD Data Overrides,” which “is meant to provide additional data that is currently missing from NVD.” However, these types of volunteer projects still can’t assign CVSS scores, because only the NVD is authorized to hand out official NVD CVSS scores. 

This brings up another problem for private companies that may want to develop a solution: Do they want to play referee?  

Sometimes, when there’s a disagreement on how severe a vulnerability is and what severity score to assign it, the NVD will weigh in and provide their own, independently calculated CVSS score. Who really wants to be the “bad guy” to get between a massive tech company like Microsoft or Apple and a security researcher saying a vulnerability is a 9.5 out of 10 CVSS? 

I absolutely give major credit to any volunteers or open-source developers who are working on their own solutions for essentially nothing — but how long can we expect them to keep maintaining these databases? 

Unfortunately, I don’t have a great answer for this, either. I’m far from an expert on vulnerability management, nor do I have any connections to the federal government. But I do feel the onus is on the government to come up with a solution, and potentially provide incentives for companies and researchers to participate in this new proposed consortium because I don’t see the incentives there for the private sector to come up with their own solution.  

**The one big thing **

ArcaneDoor is a new campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Talos and Cisco PSIRT recently identified a previously unknown actor, now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center. This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor. UAT4356 deployed two backdoors as components of this campaign, “Line Runner” and “Line Dancer,” which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.   

**Why do I care? **

Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications. In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations — critical infrastructure entities that are likely strategic targets of interest for many foreign governments. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective. 

**So now what? **

There are some known indicators of compromise that customers can look for if they suspect they may have been targeted in this campaign. First, organizations should look for any flows to/from ASA devices to any of the IP addresses present in the IOC list provided at the bottom of this blog. This is one indication that further investigation is necessary. Potential targets can also follow the steps detailed in the Cisco ASA Forensic Investigation Procedures for First Responders. When following these procedures, first responders should NOT attempt to collect a core dump or reboot the device if they believe that the device has been compromised, based on the lina memory region output. Talos also released some Snort signatures to detect the activity on the wire including access attempts. Snort Signatures 63139, 62949 and 45575 have been released to detect the implants or associated behaviors. 

**Top security headlines of the week **

**A previously known Windows print spooler bug is still being actively exploited, according to Microsoft.** The company’s threat research team recently disclosed that APT28, a well-known Russian state-sponsored actor, is exploiting the vulnerability to deliver a previously unknown malware called “GooseEgg.” Microsoft disclosed and patched CVE-2022-38028 in October 2022, but APT28 may have been exploiting it as far back as 2020. The actor’s exploitation involved modifying a JavaScript constraints file in the printer spooler and executing it with SYSTEM-level permissions. The new research prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2022-38028 to its Known Exploited Vulnerabilities (KEV) catalog. If installed, GooseEgg can load other applications with System-level permissions and allow the adversary to execute remote code on the targeted device or deploy other backdoors. Another set of print spooler vulnerabilities, called PrintNightmare, made headlines in July 2021, though no one reported active exploitation of that vulnerability at the time. (SC Magazine, Security Week) 

**A new investigation revealed how members of the group Scattered Spider are partnering with Russian state-sponsored actors to carry out ransomware attacks.** Scattered Spider is made up of younger individuals based out of the U.S., U.K. and Canada. They are primarily English speakers who have been blamed for several notable ransomware attacks, including one against MGM Casinos that disrupted operations at several casinos and hotels last year. The group specializes in social engineering, more recently using LinkedIn to steal employee information and use that to infiltrate corporate networks. Members, some as young as teenagers, are connecting over the dark web and online forums like Discord and use their advanced knowledge of Western civilization to provide crucial details to Russian actors. The “60 Minutes” investigation also included new details about The Community (aka “The Comm,” the online collection of hackers who like to brag about their recent cybercrimes, often through Telegram. (CBS News) 

**The U.S. government has re-upped a law that expands government surveillance by opening the door for private companies to partner with the government on these types of activities.** The controversial Foreign Intelligence Surveillance Act (FISA) was re-approved just hours after it lapsed. The White House and proponents in U.S. Congress argued that the powers granted in Section 702 of the FISA helps prevent the spread of terrorism and cyber attacks and that any lapse in those powers would harm the government’s ability to gather crucial intelligence. However, privacy advocates say that the FISA is an overreach, and provides too much power for private companies to potentially spy on consumers. The bill also includes a new definition of “electronic communications service provider,” which could allow the U.S. government to force Big Tech companies and telecommunications providers to hand over users’ data if requested. (NBC News, TechCrunch) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #180: What are the dangers of enabling sideloading and third-party apps? 
*   Suspected CoralRaider continues to expand victimology using three information stealers 
*   Brute-force attacks surge worldwide, warns Cisco Talos    
*   Cisco Warns of Massive Surge in Password-Spraying Attacks on VPNs 
*   Rare Computer Virus Detected in Ukrainian Network, Confidential Document Potentially Compromised 

**Upcoming events where you can find Talos **

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**Most prevalent malware files from Talos telemetry over the past week **

_This section will be on a brief hiatus while we work through some technical difficulties._ _Several open-source solutions have_

The private sector probably isn’t coming to save the NVD

Caliptra 1.0 offers a blueprint for integrating security features directly into microprocessors.

Source: Alexmillos via Alamy Stock Vector

A consortium of top chip makers have finalized the first version of Caliptra, a specification to add zero-trust security features directly inside silicon.

The Caliptra 1.0 specification has hardware and software blocks providing multiple protection layers for encrypted data on chips.

"We believe Caliptra is a foundational aspect to the future of confidential computing and couldn't be more excited to reach our 1.0 milestone," says Andrés Lagar-Cavilla, a distinguished engineer at Google. Caliptra is currently being integrated by companies across the ecosystem into chips that will start to appear in the market in 2026.

Security-focused hardware exists, but usually as separate components on the hardware. At the moment, chips typically access security features that are available as separate hardware components on the motherboard. The Caliptra specification provides a blueprint to embed the security features into the chip instead of accessing those hardware cores.

For example, the Trusted Platform Module (TPM), which is required on all machines running Windows 11, is a secure processor carrying out cryptographic functions, such as Windows Hello authentication and BitLocker drive encryption. Caliptra could make possible an on-silicon version of TPM.

The specification was built around the concept of confidential computing, an emerging technology focused on building walls to protect data and programs during storage, transport, and execution. Users and code are verified before being allowed to enter the secure area, after which they can run programs.

**Caliptra-Spec Chips on the Way?**

The Caliptra specification aims to fend off cyberattacks and protect from vulnerabilities, such as Meltdown and Spectre, which exposed confidential user data to hackers.

Caliptra's protection layers on silicon include a root-of-trust block, in which code, users, and firmware are isolated, verified, and authenticated. The spec extends to protecting firmware and ROMs. The root-of-trust layer also detects and recovers data that may be corrupted.

The specification is now available for tape-in, which means it is also ready for testing for chips that may be going into production. Google's Lagar-Cavilla says the company is actively integrating Caliptra in first-party silicon designs and collaborating with suppliers to ensure their system-on-chips — across CPUs, GPUs, DPUs, BMCs, SSDs, and more — include Caliptra.

Caliptra is an open source technology, so chip makers can adopt and modify it for free.

A company called Antmicro is developing a Caliptra-based security core for an emerging chip architecture called RISC-V. The technology is an alternative to the dominant x86 and ARM instruction set architectures. RISC-V has a modular design that makes it easier to include technologies like Caliptra in production-level silicon.

Google is a lead developer of Caliptra, working alongside Advanced Micro Devices, Microsoft, Marvell, and NVIDIA. The Linux Foundation's CHIPS Alliance is managing the development of the specification.

Intel is one of the big names in chips missing from the group of companies developing Caliptra. Intel is pushing its own on-chip security technology to protect user data and chips from hackers.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Chip Giants Finalize Specs Baking Security Into Silicon

Cyberattacks on logistics are becoming increasingly common, and the potential impact is enormous.

Chahak Mittal, Cybersecurity GRC Manager, Universal Logistics Holdings, Inc.

April 25, 2024

5 Min Read

Source: Rawf8 via Alamy Stock Photo

COMMENTARY

Imagine you're standing in a bustling city, surrounded by the symphony of commerce. The exchange of goods and the flow of transportation are all around you. This is the heartbeat of our global economy. But what would happen if this heartbeat were to be disrupted? If the very lifeblood of our interconnected world were to falter — or worse, come to a grinding halt?

The consequences would be catastrophic. Imagine empty shelves in grocery stores, gas stations running out of fuel, and hospitals unable to get the supplies they need. Imagine widespread panic and social unrest.

This is not just a hypothetical scenario. It's a real threat we need to take seriously. Cyberattacks on logistics are becoming increasingly common, and the potential impact is enormous. Logistics is the backbone of our global economy. It's the process that keeps the world's shelves stocked and the wheels of commerce turning.

**Cyberattacks on Logistics May Have Severe Ramifications**

Let's first discuss why cyberattacks on logistics are so concerning.

Remember back to the haunting early days of the pandemic. Lockdown measures paralyzed entire nations, factories fell silent, and transportation came to a grinding halt. The repercussions were profound, as essential goods faced severe delays, and shortages left many in dire straits. The fabric of our interconnected world was put to the test, and the challenges were immense.

Four years later, we see news headlines about cyberattacks on Ukraine's logistics and its global impact. Think for a moment about the unimaginable consequences if a cyberattack were to disrupt logistics on a larger scale than COVID-19 or even exceed its impact.

It is unsettling that a nation could be brought to its knees not by an army or weapons but by code on a computer. This prospect cannot be ignored, especially given that the transport and logistics industry is undergoing a digital transformation.

Companies are increasingly using digitalization tools to streamline all processes, from warehouse inventory management to vehicle tracking. This is a good thing, of course. Digitalization can help to improve efficiency, reduce costs, and improve customer service. But there is a dark side to digitalization. The more digitized a company is, the more vulnerable it is to cyberattacks.

**An Expanded Battlefield**

Let's now delve into the second part of our journey: understanding how cyberattacks on logistics can be weaponized. Throughout history, proper logistics have always been the secret weapon behind any victorious endeavor, whether in war or other ventures. From the days of the Civil War, where horses, mules, and wagons provided armies the food, equipment, and ammunition they needed, to the modern era with colossal military operations with intricate supply chains, logistics have always been the beating heart of success.

Now the battlefield has expanded into the digital realm. The logistics that have propelled economies and nations forward are now vulnerable to a new kind of adversary –— one that wields not swords and shields, but lines of code and malicious intent.

But let's go even deeper. What if these cyberattacks on logistics were not just the work of lone hackers seeking chaos? What if they were orchestrated by state actors with strategic intent? The Russia-Ukraine conflict has demonstrated the potential of such scenarios. The cyber offensive aimed at Ukraine reached far beyond its borders, affecting global supply chains and sending shockwaves through economies. 

In this ever-evolving digital landscape, a new kind of arsenal is being amassed in the shadows: stockpiled zero-day vulnerabilities. Just as nations once accumulated weapons to safeguard their sovereignty, they now amass vulnerabilities as digital ammunition. These zero-day vulnerabilities, arcane exploits unknown even to software creators, have become potent tools of cyber warfare.

Imagine the power of a nation armed with a stockpile of these vulnerabilities. It can strike silently, crippling logistical infrastructures without firing a single shot. This reality becomes more tangible as each day passes. The Russia-Ukraine conflict showcases this new arsenal's alarming potential, serving as a reminder that our reliance on interconnected logistics is both a strength and a vulnerability.

**Fortifying Our Defenses**

So, where do we go from here? How can we fortify our logistical arteries against these emerging threats? Just as the strength of a nation's military once depended on its ability to ensure a steady flow of supplies to the frontlines, today's battles are won by safeguarding the flow of data, goods, and services.

The lessons of history remain relevant — a robust logistics network is not only essential for prosperity, but it is also a fundamental pillar of security. We must invest in cyber-defense strategies that mirror the importance we place on physical defense. Collaboration between governments, industries, and international partners is paramount. The private sector, too, holds a pivotal role.

As we embrace digitalization, we must do so with cybersecurity at the forefront. Companies must not only prioritize efficiency but also fortify their digital infrastructure against potential attacks. 

Strong alliances, collaborative diplomacy, and international cooperation are essential to our defense strategy. Just as alliances between nations bolster our military might, alliances between industries and governments can fortify cybersecurity. By harnessing the power of cyber and soft power in harmony, we can navigate the intricate dance of modern warfare.

The time to act is now. We stand at a crossroads where the path of progress intersects with the shadows of uncertainty. The interconnectedness that has fueled our global economy is also its Achilles' heel. Cyberattacks on logistics are not a distant possibility; they are a sobering reality.

The disruption of our supply chains, the paralysis of our economies — these are the stakes we face. But history has shown us that challenges can become catalysts for innovation. We can forge a new paradigm, one where technology and diplomacy converge to safeguard our way of life.

It is a future where alliances are not just forged on battlefields, but in virtual boardrooms and digital summits, and where the strength of a nation's cybersecurity is as integral to its defense strategy as its military might.

**About the Author(s)**

Cybersecurity GRC Manager, Universal Logistics Holdings, Inc.

Chahak Mittal is a Certified Information Systems Security Professional (CISSP) and Cybersecurity Governance, Risk, and Compliance Manager at Universal Logistics. She is a cybersecurity leader deeply committed to knowledge sharing and community engagement. Through her roles as a Judge at Globee Awards, Major League Hacking (MLH) Hackathons, and as a dedicated cybersecurity instructor volunteer in the Microsoft TEALS Program, she has actively contributed to the cybersecurity ecosystem. Chahak's active involvement in organizations such as the Information Systems Security Association and SecureWorld's Detroit Advisory Council has been instrumental in her pursuit of staying at the forefront of industry trends and challenges. Furthermore, she has channeled her insights into thought-provoking cybersecurity articles, published on SecureWorld.io, ISC2, and CyberDefense Magazine, making a meaningful contribution to the field's intellectual discourse.

Digital Blitzkrieg: Unveiling Cyber-Logistics Warfare

Attacks by a previously unknown threat actor leveraged two bugs in firewall devices to install custom backdoors on several government networks globally.

Source: Znakki via Shutterstock

A state-sponsored threat actor has exploited two Cisco zero-day vulnerabilities in firewall devices to target the perimeter of government networks with two custom-built backdoors, in a global cyber-espionage campaign.

Dubbed "ArcaneDoor," the campaign by the previously unknown actor — which researchers from Cisco Talos track as UAT4356 — has targeted Cisco Adaptive Security Appliance (ASA) firewall devices of several Cisco customers since at least December 2023, Cisco Talos researchers revealed in a blog post.

While the actor's initial access vector remains unknown, once it occurs, UAT4356 used a "sophisticated attack chain" involving exploit of the two vulnerabilities — a denial-of-service flaw tracked as CVE-2024-20353 and a persistent local execution flaw tracked as CVE-2024-20359 that have since been patched — to implant malware and execute commands across a small set of Cisco customers. Cisco Talos also flagged a third flaw in ASA, CVE-2024-20358, that was not used in the ArcaneDoor campaign.

The researchers also found evidence that the actor has interest in and potentially will attack devices from Microsoft and other vendors, making it crucial that organizations ensure that all perimeter devices "are properly patched, logging to a central, secure location, and configured to have strong multifactor authentication (MFA)," Cisco Talos wrote in the post.

**Custom Backdoor Malware for Global Governments**

The first sign of suspicious activity in the campaign came in early 2024 when a customer reached out to Cisco's Product Security Incident Response Team (PSIRT) and Cisco Talos about security concerns with its ASA firewall devices.

A subsequent several-months-long investigation conducted by Cisco and intelligence partners uncovered threat actor-controlled infrastructure dating back to early November 2023. Most of the attacks — all of which targeted government networks globally —occurred between December and early January. There is also evidence that the actor — which Microsoft also is now tracking as STORM-1849 — was testing and developing its capability as early as last July.

The primary payloads of the campaign are two custom backdoors— "Line Dancer" and "Line Runner" — which were used together by UAT4356 to conduct malicious activities on the network, such as configuration and modification; reconnaissance; network traffic capture/exfiltration; and potentially lateral movement.  

Line Dancer is a memory-resident shellcode interpreter that enables adversaries to upload and execute arbitrary shellcode payloads. In the campaign, Cisco Talos observed the malware being used to execute various commands on an ASA device, including: disabling the syslog; running and exfiltrating the command show configuration; creating and exfiltrating packet captures; and executing commands present in the shellcode, among other activities.

Line Runner meanwhile is a persistence mechanism deployed on the ASA device using functionality related to a legacy capability that allowed for the pre-loading of VPN clients and plugins on the device during booting that can be exploited as CVE-2024-20359, according to Cisco Talos. In at least one case, the threat actor also abused CVE-2024-20353 to facilitate this process.

"The attackers were able to leverage this vulnerability to cause the target ASA device to reboot, triggering the unzipping and installing" of Line Runner, according to the researchers.

**Protect the Perimeter From Cyberattackers**

Perimeter devices, which sit at the edge between an organization's internal network and the Internet, "are the perfect intrusion point for espionage-focused campaigns," providing threat actors a way to gain a foothold to "directly pivot into an organization, reroute or modify traffic, and monitor network communications into the secure network, according to Cisco Talos.

Zero-days on these devices are an especially attractive attack surface on these devices, notes Andrew Costis, chapter lead of the Adversary Research Team at MITRE ATT&CK testing firm AttackIQ.

"We've seen time and time again critical zero and n-day vulnerabilities being exploited with all of the mainstream security appliances and software," he says, noting previous attacks on bugs in devices from Ivanti, Palo Alto Networks, and others.

The threat to these devices highlights the need for organizations to "routinely and promptly" patch them using up-to-date hardware and software versions and configurations, as well as maintain close security monitoring of them, according to Cisco Talos.

Organizations also should focus on post-compromise TTPs of threat actors and test known adversary behaviors as part of "a layered approach" to defensive network operations, Costis says.

**Detecting ArcaneDoor Cyberattack Activity**

Indicators of compromise (IoCs) that customers can look for if they suspect they may have been targeted by ArcaneDoor include any flows to/from ASA devices to any of the IP addresses present in the IOC list included in the blog.

Organizations also can issue the command "show memory region | include lina" to identify another IOC. "If the output indicates more than one executable memory region … especially if one of these memory sections is exactly 0x1000 bytes, then this is a sign of potential tampering," Cisco Talos wrote.  

And, Cisco provided two sets of steps that network administrators can take to identify and remove the ArcaneDoor persistence backdoor Line Runner on an ASA device once the patch is applied. The first is to conduct a review of the contents of disk0; if a new file (e.g., "client\_bundle\_install.zip" or any other unusual .zip file) appears on the disk, it means that Line Runner had been present but is no longer active due to the update.

Administrators also can follow a series of commands provided that will create an innocuous file with a .zip extension that will be read by the ASA at reboot. If it appears on disk0, it means that Line Runner likely was present on the device in question. Administrators can then delete the "client\_bundle\_install.zip" file to remove the backdoor.

If administrators find a newly created .zip file on their ASA devices, they should copy that file off the device and email \[email protected\] using a reference to CVE-2024-20359 and including the outputs of the "dir disk0:" and "show version" commands from the device, as well as the .zip file that they extracted.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#auth