The spyware has been used to target people in Italy, Kazakhstan, and Syria, researchers at Google and Lookout have found.

In hearings this week, the notorious spyware vendor NSO group told European legislators that at least five EU countries have used its powerful Pegasus surveillance malware. But as ever more comes to light about the reality of how NSO's products have been abused around the world, researchers are also working to raise awareness that the surveillance-for-hire industry goes far beyond one company. On Thursday, Google's Threat Analysis Group and Project Zero vulnerability analysis team published findings about the iOS version of a spyware product attributed to the Italian developer RCS Labs.

Google researchers say they detected victims of the spyware in Italy and Kazakhstan on both Android and iOS devices. Last week, the security firm Lookout published findings about the Android version of the spyware, which it calls “Hermit” and also attributes to RCS Labs. Lookout notes that Italian officials used a version of the spyware during a 2019 anti-corruption probe. In addition to victims located in Italy and Kazakhstan, Lookout also found data indicating that an unidentified entity used the spyware for targeting in northeastern Syria.

“Google has been tracking the activities of commercial spyware vendors for years, and in that time we have seen the industry rapidly expand from a few vendors to an entire ecosystem,” TAG security engineer Clement Lecigne tells WIRED. “These vendors are enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house. But there is little or no transparency into this industry, that's why it's critical to share information about these vendors and their capabilities.”

TAG says it currently tracks more than 30 spyware makers that offer an array of technical capabilities and levels of sophistication to government-backed clients.

In their analysis of the iOS version, Google researchers found that attackers distributed the iOS spyware using a fake app meant to look like the My Vodafone app from the popular international mobile carrier. In both Android and iOS attacks, attackers may have simply tricked targets into downloading what appeared to be a messaging app by distributing a malicious link for victims to click. But in some particularly dramatic cases of iOS targeting, Google found that attackers may have been working with local ISPs to cut off a specific user's mobile data connection, send them a malicious download link over SMS, and convince them to install the fake My Vodafone app over Wi-Fi with the promise that this would restore their cell service.

Attackers were able to distribute the malicious app because RCS Labs had registered with Apple's Enterprise Developer Program, apparently through a shell company called 3-1 Mobile SRL, to obtain a certificate that allows them to sideload apps without going through Apple's typical AppStore review process.

Apple tells WIRED that all of the known accounts and certificates associated with the spyware campaign have been revoked. 

“Enterprise certificates are meant only for internal use by a company, and are not intended for general app distribution, as they can be used to circumvent App Store and iOS protections,” the company wrote in an October report about sideloading. “Despite the program’s tight controls and limited scale, bad actors have found unauthorized ways of accessing it, for instance by purchasing enterprise certificates on the black market.”

Project Zero member Ian Beer conducted a technical analysis of the exploits used in the RCS Labs iOS malware. He notes that the spyware uses a total of six exploits to gain access to surveil a victim's device. While five are known and publicly circulating exploits for older iOS versions, the sixth was an unknown vulnerability at the time it was discovered. (Apple patched that vulnerability in December.) That exploit took advantage of structural changes in how data flows across Apple's new generations of “coprocessors” as the company, and the industry overall, moves toward the all-in-one “system-on-a-chip” design.

The exploit isn't unprecedented in its sophistication, but Google researchers note that the RCS Labs spyware reflects a broader trend in which the surveillance-for-hire industry combines existing hacking techniques and exploits with more novel elements to gain the upper hand. 

“The commercial surveillance industry benefits from and reuses research from the jailbreaking community. In this case, three out of six of the exploits are from public jailbreak exploits,” TAG member Benoit Sevens says. “We also see other surveillance vendors reusing techniques and infection vectors initially used and discovered by cyber crime groups. And like other attackers, surveillance vendors are not only using sophisticated exploits but are using social engineering attacks to lure their victims in.”

The research shows that while not all actors are as successful or well known as a company like NSO Group, many small and midsize players together in a burgeoning industry are creating real risk for internet users worldwide.

Google Warns of New Spyware Targeting iOS and Android Users

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

0 selected

anno...@golang.org

Jun 10

Go 1.19 Beta 1 is released

Hello gophers, We have just released go1.19beta1, a beta version of Go 1.19. It is cut from the

unread,

Go 1.19 Beta 1 is released

Hello gophers, We have just released go1.19beta1, a beta version of Go 1.19. It is cut from the

Jun 10

Dmitri Shuralyov

Jun 1

\[security\] Go 1.18.3 and Go 1.17.11 are released

Hello gophers, We have just released Go versions 1.18.3 and 1.17.11, minor point releases. These

unread,

\[security\] Go 1.18.3 and Go 1.17.11 are released

Hello gophers, We have just released Go versions 1.18.3 and 1.17.11, minor point releases. These

Jun 1

Heschi Kreinick

May 10

\[security\] Go 1.18.2 and Go 1.17.10 are released

Hello gophers, We have just released Go versions 1.18.2 and 1.17.10, minor point releases. These

unread,

\[security\] Go 1.18.2 and Go 1.17.10 are released

Hello gophers, We have just released Go versions 1.18.2 and 1.17.10, minor point releases. These

May 10

Dmitri Shuralyov

Apr 13

\[security\] Go 1.18.1 and Go 1.17.9 are released

Hello gophers, We have just released Go versions 1.18.1 and 1.17.9, minor point releases. These minor

unread,

\[security\] Go 1.18.1 and Go 1.17.9 are released

Hello gophers, We have just released Go versions 1.18.1 and 1.17.9, minor point releases. These minor

Apr 13

Julie Qiu, Carlos Amedee2

Apr 7

\[security\] Go 1.18.1 and Go 1.17.9 pre-announcement

Hello gophers, Due to an issue with release tooling, this release is now planned for Tuesday, April

unread,

\[security\] Go 1.18.1 and Go 1.17.9 pre-announcement

Hello gophers, Due to an issue with release tooling, this release is now planned for Tuesday, April

Apr 7

Heschi Kreinick

Mar 15

Go 1.18 is released

Hello gophers, We just released Go 1.18 To find out what has changed in Go 1.18, read the release

unread,

Go 1.18 is released

Hello gophers, We just released Go 1.18 To find out what has changed in Go 1.18, read the release

Mar 15

Filippo Valsorda

Mar 15

An update of golang.org/x/crypto/ssh might be necessary

Hello gophers, Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements

unread,

An update of golang.org/x/crypto/ssh might be necessary

Hello gophers, Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements

Mar 15

Carlos Amedee

Mar 3

\[security\] Go 1.17.8 and Go 1.16.15 are released

Hello gophers, We have just released Go versions 1.17.8 and 1.16.15, minor point releases. These

unread,

\[security\] Go 1.17.8 and Go 1.16.15 are released

Hello gophers, We have just released Go versions 1.17.8 and 1.16.15, minor point releases. These

Mar 3

Dmitri Shuralyov

Feb 17

Go 1.18 Release Candidate 1 is released

Hello gophers, We have just released go1.18rc1, a release candidate version of Go 1.18. It is cut

unread,

Go 1.18 Release Candidate 1 is released

Hello gophers, We have just released go1.18rc1, a release candidate version of Go 1.18. It is cut

Feb 17

Cherry Mui

Feb 11

\[security\] Go 1.17.7 and Go 1.16.14 are released

Hello gophers, We have just released Go versions 1.17.7 and 1.16.14, minor point releases. These

unread,

\[security\] Go 1.17.7 and Go 1.16.14 are released

Hello gophers, We have just released Go versions 1.17.7 and 1.16.14, minor point releases. These

Feb 11

Alex Rakoczy

Jan 31

Go 1.18 Beta 2 is released

Hello gophers, We have just released go1.18beta2, a beta version of Go 1.18. It is cut from the

unread,

Go 1.18 Beta 2 is released

Hello gophers, We have just released go1.18beta2, a beta version of Go 1.18. It is cut from the

Jan 31

Roland Shoemaker

Jan 27

Most certificates managed by autocert require manual renewal

Hello gophers, The Let's Encrypt certificate authority is revoking all certificates issued with

unread,

Most certificates managed by autocert require manual renewal

Hello gophers, The Let's Encrypt certificate authority is revoking all certificates issued with

Jan 27

Carlos Amedee

Jan 6

Go 1.17.6 and Go 1.16.13 are released

Hello gophers, We have just released Go versions 1.17.6 and 1.16.13, minor point releases. View the

unread,

Go 1.17.6 and Go 1.16.13 are released

Hello gophers, We have just released Go versions 1.17.6 and 1.16.13, minor point releases. View the

Jan 6

Cherry Mui

12/14/21

Go 1.18 Beta 1 is released

Hello gophers, We have just released go1.18beta1, a beta version of Go 1.18. It is cut from the

unread,

Go 1.18 Beta 1 is released

Hello gophers, We have just released go1.18beta1, a beta version of Go 1.18. It is cut from the

12/14/21

Alex Rakoczy

12/9/21

\[security\] Go 1.17.5 and Go 1.16.12 are released

Hello gophers, We have just released Go versions 1.17.5 and 1.16.12, minor point releases. These

unread,

\[security\] Go 1.17.5 and Go 1.16.12 are released

Hello gophers, We have just released Go versions 1.17.5 and 1.16.12, minor point releases. These

12/9/21

Michael Knyszek

12/3/21

Go 1.17.4 and Go 1.16.11 are released

Hello gophers, We have just released Go versions 1.17.4 and 1.16.11, minor point releases. View the

unread,

Go 1.17.4 and Go 1.16.11 are released

Hello gophers, We have just released Go versions 1.17.4 and 1.16.11, minor point releases. View the

12/3/21

Roland Shoemaker

12/2/21

\[security\] Vulnerability in golang.org/x/crypto/ssh

Hello gophers, Version v0.0.0-20211202192323-5770296d904e of golang.org/x/crypto fixes a

unread,

\[security\] Vulnerability in golang.org/x/crypto/ssh

Hello gophers, Version v0.0.0-20211202192323-5770296d904e of golang.org/x/crypto fixes a

12/2/21

Roland Shoemaker

11/29/21

\[security\] golang.org/x/crypto/ssh fix pre-announcement

Hello gophers, We plan to issue a security fix for the golang.org/x/crypto/ssh package in the golang.

unread,

\[security\] golang.org/x/crypto/ssh fix pre-announcement

Hello gophers, We plan to issue a security fix for the golang.org/x/crypto/ssh package in the golang.

11/29/21

Than McIntosh

11/4/21

\[security\] Go 1.17.3 and Go 1.16.10 are released

Hi gophers, We have just released Go versions 1.17.3 and 1.16.10, minor point releases. These minor

unread,

\[security\] Go 1.17.3 and Go 1.16.10 are released

Hi gophers, We have just released Go versions 1.17.3 and 1.16.10, minor point releases. These minor

11/4/21

Michael Knyszek

10/8/21

\[security\] Go 1.17.2 and Go 1.16.9 are released

Hello gophers, We have just released Go versions 1.17.2 and 1.16.9, minor point releases. These minor

unread,

\[security\] Go 1.17.2 and Go 1.16.9 are released

Hello gophers, We have just released Go versions 1.17.2 and 1.16.9, minor point releases. These minor

10/8/21

Roland Shoemaker

10/4/21

\[security\] Go 1.17.2 and Go 1.16.9 pre-announcement

Hello gophers, We plan to issue Go 1.17.2 and Go 1.16.9 on Thursday, October 7. These are minor

unread,

\[security\] Go 1.17.2 and Go 1.16.9 pre-announcement

Hello gophers, We plan to issue Go 1.17.2 and Go 1.16.9 on Thursday, October 7. These are minor

10/4/21

Than McIntosh

9/9/21

\[security\] Go 1.17.1 and Go 1.16.8 are released

Hello gophers, We have just released Go versions 1.17.1 and 1.16.8 minor point releases. These minor

unread,

\[security\] Go 1.17.1 and Go 1.16.8 are released

Hello gophers, We have just released Go versions 1.17.1 and 1.16.8 minor point releases. These minor

9/9/21

Michael Knyszek

8/16/21

Go 1.17 is released

Hello gophers, We just released Go 1.17 To find out what has changed in Go 1.17, read the release

unread,

Go 1.17 is released

Hello gophers, We just released Go 1.17 To find out what has changed in Go 1.17, read the release

8/16/21

Alex Rakoczy

8/5/21

Go 1.16.7 and Go 1.15.15 are released

Hello gophers, We have just released Go versions 1.16.7 and 1.15.15, minor point releases. These

unread,

Go 1.16.7 and Go 1.15.15 are released

Hello gophers, We have just released Go versions 1.16.7 and 1.15.15, minor point releases. These

8/5/21

Alex Rakoczy

8/2/21

Go 1.17 Release Candidate 2 is released

Hello gophers, We have just released go1.17rc2, a release candidate version of Go 1.17. It is cut

unread,

Go 1.17 Release Candidate 2 is released

Hello gophers, We have just released go1.17rc2, a release candidate version of Go 1.17. It is cut

8/2/21

Cherry Mui

7/13/21

Go 1.17 Release Candidate 1 is released

Hello gophers, We have just released go1.17rc1, a release candidate version of Go 1.17. It is cut

unread,

Go 1.17 Release Candidate 1 is released

Hello gophers, We have just released go1.17rc1, a release candidate version of Go 1.17. It is cut

7/13/21

Dmitri Shuralyov

7/13/21

\[security\] Go 1.16.6 and Go 1.15.14 are released

Hello gophers, We have just released Go versions 1.16.6 and 1.15.14, minor point releases. These

unread,

\[security\] Go 1.16.6 and Go 1.15.14 are released

Hello gophers, We have just released Go versions 1.16.6 and 1.15.14, minor point releases. These

7/13/21

Filippo Valsorda

7/7/21

\[security\] Go 1.16.6 and Go 1.15.14 pre-announcement

Hello gophers, We plan to issue Go 1.16.6 and Go 1.15.14 on Monday, July 12. These are minor releases

unread,

\[security\] Go 1.16.6 and Go 1.15.14 pre-announcement

Hello gophers, We plan to issue Go 1.16.6 and Go 1.15.14 on Monday, July 12. These are minor releases

7/7/21

Dmitri Shuralyov

6/10/21

Go 1.17 Beta 1 is released

Hello gophers, We have just released go1.17beta1, a beta version of Go 1.17. It is cut from the

unread,

Go 1.17 Beta 1 is released

Hello gophers, We have just released go1.17beta1, a beta version of Go 1.17. It is cut from the

6/10/21

David Chase

6/4/21

Go 1.16.5 and Go 1.15.13 are released

Hello gophers, We have just released Go versions 1.16.5 and 1.15.13, minor point releases. These

unread,

Go 1.16.5 and Go 1.15.13 are released

Hello gophers, We have just released Go versions 1.16.5 and 1.15.13, minor point releases. These

6/4/21

CVE-2022-29526: golang-announce - Google Groups

Algo Communication Products Ltd. 8373 IP Zone Paging Adapter Firmware 1.7.6 allows attackers to perform a directory traversal via a web request sent to /fm-data.lua.

Hey All,

Been awhile, like usual :)

We will be talking about a CVE related to firmware running on one of these devices in this blog. Other devices by Algo running identical firmware seem impacted as well.

I am here today to write about a vulnerability I recently discovered during a security assessment and how it spawned into my first CVE. Getting a CVE to my name is something I’ve wanted to accomplish for several years. I got close a few times, and once I even found what I thought was a “Zero day” in a Fortinet Firewall just to find out it was reported and patched just weeks before I found it. So close!

While I will be transparent in saying that this vulnerability is far from the most mind blowing or exciting vulnerability in recent times. I will also say I’m proud to have reported it through the CVE reporting process and was reserved CVE-2022–31395 by doing so. The final step in locking the CVE in is to point MITRE to a publication about the vulnerability. As you can maybe imagine, that is a large part of why I am writing this article. I did attempt to contact the manufacture to ask if they knew about this vulnerability. They simply told me the firmware in question was outdated and to update it. That however didn’t tell me if this was a known vulnerability so I asked if they had any specific CVE’s known to exist against the outdated firmware version I was working with. They said they did not have that information so I moved on to reporting to MITRE. As I sent the details to MITRE I was like:

I just want a CVE with my name on it!!!

I didn’t hear anything for several days from MITRE so I pinged them for an updated and was told they are experiencing a high volume of reported CVE’s and are working through them in a priority order. A few weeks passed and finally I saw a glorious email arrive. It stated that I should use CVE-2022–31395 to craft a public reference for the vulnerability in question, at which point the CVE should be official and no longer just “reserved”.

Without further ado… I present to you the Directory Traversal vulnerability I found and reported. The vulnerability affects at least: **ALGO COMMUNICATION PRODUCTS LTD 8373 IP Zone Paging Adapter Control Panel, Firmware 1.7.6**. Other ALGO products containing the same firmware likely contain the same vulnerability as I have also confirmed the **1.7.6 Firmware on Algos’ “8201 SIP PoE Intercom Control Panel”** contains the same vulnerability). I have not yet confirmed if other, newer firmwares are vulnerable at this time. In addition, the support team at Algo said the best way to know would be to update to their newest firmware and try the attack again. However, I do not have administrative privileges to this device as it belongs to a client of mine, so I am not able to update it and will have to wait if to see if my client decides to do so. I will report back if I find that newer versions are impacted.

Lets’ get into some of the details about this vulnerability! First, it is worth noting that this is an authenticated attack. The part of the application that is vulnerable is only accessible once authenticated. These devices appear to come pre-configured with a default password of “algo” with no username. In fact, I am saved a Google search for default password when initially analyzing the interface as it’s clearly stated right in the web interface itself.

I know it’s not a secret… but it feels like a bad idea to have the default password printed next to the login feature.

Lucky for me, the device I was analyzing still had its’ default password configured so I was able to access administrative functions of this IP Zone Paging Adapter. A function that quickly stood out to me was called “File Manager” which for obvious reasons (to people in offensive security) is immediately a place I start to analyze deeper as a pentester and bug hunter.

My first move, is to attempt to download any of the files I am presented with here and to see what that HTTP request looks like using BurpSuite Professional… P.S. if you don’t use BurpSuite Pro…. well I am just sad to hear that, it’s an incredibly valuable tool and is priced super well in the lower hundreds per year ($300–400ish if I’m remembering correctly). Anyways… this is what I saw when reviewing the download request.

In this example, I’m downloading the “user.conf” file.

A natural change to attempt to make before resubmitting the request is, of course, to replace the file in the HTTP request that we want to fetch from the server with a directory traversal payload to see if we can “break out” of the file directory the application intends for us to browse and reach the “_passwd_” file in the “_/etc/_” directory of the underlying Linux OS.

Yehaw!

I was thrilled to see the output of the _passwd_ file! Next, I thought to also grab the “_shadow_” file in the same directory (/_etc/_) which should contain hashed passwords for users! It is possible for us to maybe even crack the hash(es) if we can get them from the file.

Well, this is certainly awesome. I have the hashed password for the _root_ account. This means I can possibly “jailbreak” or “root” the device if I can accomplish two things.

1.  Crack the root password with Hashcat (my preferred hash cracking tool) or another password-hash cracking tool.
2.  Find a way to execute code as root. My two theories on how to accomplish this was either to find a way to enable SSH (since it doesn’t seem to be enabled on my target at least), or to leverage the directory traversal vulnerability while UPLOADING (instead of downloading as seen above). Perhaps I could drop a web shell or drop/overwrite a config file to get me further access.

I like Hashtcat for the GPU acceleration and the “Rules” engine that modifies a given wordlist on the fly! One or two of my first blog posts on https://n0ur5blog.wordpress.com/ (my old blog) talked a whole bunch about Hashcat!

Boom — Hash cracked! Now that I see the clear-text password for the root account, I notice it matches the default password we used to log in to the web interface. I wonder if the web interface just uses whatever the root password is set to, and if changing the web interface password would change the root password. Regardless, I now have one last challenge and that is to turn this into some form of code execution via the methods I mentioned above!

As of the time of this writing I have not successfully executed code as the root user, but have confirmed I can upload files to outside the web root directory and even overwrite files already in place on the system! I am left with the following items to continue my research on this vulnerability.

*   What other hardware and/or firmware versions are vulnerable to this? I have come across some other Algo devices containing default passwords for log-in that didn’t even have the “File Manager” feature. The few I came across did have much newer firmware but also were different hardware from those that I’ve confirmed vulnerable so far. So I assume “File Manager” was either removed in newer firmware versions OR some hardware they produce simply doesn’t have or need the File Manager.
*   How can I use unrestricted file upload, combined with directory traversal to enable SSH or achieve some other form of remote code execution via ROOT. The web server seems serve “lua” files, so I assume if I can figure out the file structure/location of the web server root directory, I could possibly drop a web shell on it that would enable the remote code execution I’m looking for via web browser.
*   Testing if changing the web interface password also changes the root password by grabbing the shadow file again after changing the password to see if the hash changed. If not, we can assume a large number of Algo devices ship with the root password of “_algo_”.
*   Create a python or bash script for this exploit once I discover the full extent of the items above!

Well folks, that is all for now! Hopefully my next blog post is about another CVE I get, but if not I’m sure whatever it is will be something fun and interesting! Hope this was a fun read!

Cheers!

N0ur5

CVE-2022-31395: Achievement Unlocked: CVE-2022–31395 - N0ur5 - Medium

Red Hat Security Advisory 2022-5029-01 - This release of Red Hat build of Eclipse Vert.x 4.2.7 GA includes security updates. Issues addressed include denial of service and deserialization vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat build of Eclipse Vert.x 4.2.7 security update  
Advisory ID:       RHSA-2022:5029-01  
Product:           Red Hat OpenShift Application Runtimes  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5029  
Issue date:        2022-06-23  
CVE Names:         CVE-2020-36518 CVE-2022-25647  
====================================================================  
1. Summary:

An update is now available for Red Hat build of Eclipse Vert.x.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability. For  
more information, see the CVE pages listed in the References section.

2. Description:

This release of Red Hat build of Eclipse Vert.x 4.2.7 GA includes security  
updates. For more information, see the release notes listed in the  
References section.

Security Fix(es):

* jackson-databind: denial of service via a large depth of nested objects  
(CVE-2020-36518)

* com.google.code.gson-gson: Deserialization of Untrusted Data in  
com.google.code.gson-gson (CVE-2022-25647)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgements, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including  
all applications, configuration files, databases and database settings, and  
so on.

The References section of this erratum contains a download link for the  
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects  
2080850 - CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson

5. References:

https://access.redhat.com/security/cve/CVE-2020-36518  
https://access.redhat.com/security/cve/CVE-2022-25647  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&productÊtRhoar.eclipse.vertx&version=4.2.7  
https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.2/html/release_notes_for_eclipse_vert.x_4.2/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYrRWD9zjgjWX9erEAQhySBAAlXKnG1+57IQ9cKGQWzpLWKFWJVqsyrGb  
hI/qVXa3T2DnslKYD061oBjY6FEBYwVqOrZLkv+9bSuW5CqdworRqzW+ozpPUJw4  
1IKqO//OXQ/2UAB9FSKjhcyIB/d6af3urm47rtbeplt8WBF3fh4+Zo+sVxpTRbhX  
Kmy+z7YIEKkstR5AQR05mt9KHjpKkj4p2xMwtz3p+VJ0sff0O6gSMdA3oPKoSbms  
b43OhcBeiO5eqXryTgtIauRC2tzOk1lGryfDoWI24x4RFPhgK9r67Vv8r6j6psFi  
6mBcJvzCpynJSnVOR75KQl9E3t7yuIJR14M6p+PndlcrncMg7S7nlhVvRgdun+Dj  
JuL5Kd8QDqu/UQiqLYCpCoZUkyDpg3ztVgR84Y0AFWMH7Q4o+K/dlWBwE1ejrxx0  
klurqysi86Ra0UKwk5zzfvNi/r/Cm/7xdMliNrx8pozuZiFK4nW4y9a6Uvu7AH8v  
nA4cC5zeM9DWFntZiCn3bfigSRcTdZlfhnvk6Csgzu/HhYR9p2QGnY76ZSgaVq45  
ptqT37TDFHFhJSKhR7GLxwrVogT5HjrHV3OMpH2P7p/pO7MkKJovDY+YG5xk1TB8  
gdBYMYiSGhlIRrdIeoLGIkqcOs0cEP86+UO1yeYjvIssG6dArotiSJt3LTN/mLzf  
LEg430ARk3s=qurb  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5029-01

Malicious invoices coming from the accounting software's legitimate domain are used to harvest phone numbers and carry out fraudulent credit-card transactions.

Cyberattackers are hiding behind the QuickBooks brand to disguise their malicious activity, researchers are warning. The effort is a "double-spear" approach that packs a one-two punch: Stealing phone numbers and making off with cash via bogus credit-card payments.

The popular accounting software allows customers to sign up for cloud accounts, from which they can send out requests for payment, invoices, and statements, all coming from the quickbooks.intuit.com domain. According to an analysis from Avanan, cybercrooks are taking advantage of this to send out malicious versions of QuickBooks documents — and email security filters, having determined that the address isn't spooked and comes from an "allowed" domain, pass the messages right on to inboxes.

The campaign started in May, researchers noted in a blog post on Thursday. The email body spoofs brands like Norton or Microsoft 365 (formerly Office 365) and often claim that the targets owe monetary damages. The offensive casts a wide net, targeting companies across all industry segments, according to the firm.

"It presents an invoice and encourages you to call if you think there are any questions," Avanan researchers noted in their analysis. "When calling the number provided, they will ask for credit-card details to cancel the transaction. Note that the number is one associated with such scams, and the address doesn't correlate with a real one."

Once the end user calls to see what’s going on, the hackers then harvest the phone number, allowing them to use it for follow-on attacks via text message or WhatsApp. They also receive the credit-card payment, so the campaign is two-pronged in terms of victim pain.

"On this one, we're dealing with a fairly sophisticated level as hackers have found a way to know that this attack will work and to do a double spear, gaining money and credentials," Jeremy Fuchs, cybersecurity research analyst at Avanan, tells Dark Reading.

He adds, "Like any social-engineering scam, the likeliness of someone falling for this depends on the user. Given that the email comes from a legitimate QuickBooks domain and it's an invoice for what looks like a legitimate company, it might catch some users off-guard."

**Phishing, Cloaked in Legitimacy**

Using the legitimacy of cloud domains to reach the inbox is not a new approach, of course. But particularly as many businesses continue to support remote workers with cloud services and software-as-a-service apps, the approach has been cresting as these channels are less protected than traditional email gambits.

"With regards to broader trends that this falls into, we've seen hackers utilize legitimate sites for illegitimate purposes," Fuchs says. "Leveraging the reputation of a legitimate business is a great way to get into the inbox. Additionally, we've seen an uptick in hackers grabbing money and harvesting phone numbers for future attacks."

While other cloud services like Evernote, Dropbox, Microsoft, DHL, and many more have been abused in this fashion by phishers, nefarious types have leveraged Google in particular over the past few months.

For instance, in January, a threat actor used the comments function in Google Docs to dupe targets into clicking malicious links. After creating a document, the attacker added a comment containing a malicious link, then added the victim to the comment using "@". This action automatically sends the target an email with a link to the Google Docs file. The email displays the full comment, including the bad links and other text added by the attacker.

"Organizations can't block Google, so Google-related domains are allowed to come into the inbox," according to Avanan. "These static lists are continually pilfered by hackers. This has manifested itself in hackers hosting phishing content on sites like Milanote."

To guard against attacks like these, Avanan recommends the following:

*   Before calling an unfamiliar service, Google the number and check your accounts to see if there were, in fact, any charges.
*   Implement advanced security that looks at more than one indicator to determine in an email is clean or not.
*   Encourage users to ask IT if they are unsure about the legitimacy of an email.

Cyberattackers Abuse QuickBooks Cloud Service in 'Double-Spear' Campaign

Latest Prisma Cloud platform updates help organizations continuously monitor and secure web applications with maximum flexibility.

SANTA CLARA, Calif., June 23, 2022 /PRNewswire/ -- Over the last two years, organizations have expanded their use of cloud environments by more than 25%. Many are now struggling to manage the technical complexity of cloud migration, including the ability to secure their applications across the entire application development lifecycle. Palo Alto Networks (NASDAQ: PANW), a leader in The Forrester Wave™: Cloud Workload Security, Q1 2022, today announced the addition of Out-of-Band Web Application and API Security (Out-of-Band WAAS) to Prisma® Cloud to help organizations secure web applications with maximum flexibility.

Until now, a primary industry approach to securing web applications has been to deploy inline web application firewalls (WAFs). Some organizations are reluctant to introduce WAFs or API security solutions inline, however, due to performance and scalability concerns. With today's announcement, Prisma Cloud can provide organizations with deep web and API security both inline and out of band, allowing them to choose how to protect their applications in the cloud.

"Companies no longer have to decide between application security and performance. By adding Out-of-Band WAAS to Prisma Cloud, we are empowering customers with flexible security options that fit their evolving application needs," said Ankur Shah, senior vice president, Prisma Cloud, Palo Alto Networks. "As more organizations move workloads to the cloud, the capabilities that make up Prisma Cloud help provide the most complete protection, reducing complexity and increasing visibility across infrastructure, workloads, identities and applications."

"As organizations increasingly build and deploy their applications in the cloud, protecting their business-critical applications without impacting performance has been a challenge," said Melinda Marks, senior analyst, ESG. "Adding the option of Out-of-Band WAAS helps both developer and security teams secure their applications with the same level of security as traditional in-line WAFs and API security without impacting performance."

In addition to Out-of-Band WAAS, Prisma Cloud is getting new threat detection, alert prioritization and permissions management capabilities to help provide organizations with deeper, unified visibility across their entire cloud application portfolio:

*   **Multicloud Graph View for Cloud Infrastructure Entitlement Management (CIEM):** Discover over-privileged accounts and understand access risk across multicloud environments. Prisma Cloud now provides a graph view of the net effective permissions across AWS, Microsoft Azure and Google Cloud.
*   **Multicloud Agentless Cloud Workload Protection:** Extend visibility into cloud workloads and application risks across Azure and Google Cloud, in addition to AWS, to complement existing agent-based protection.
*   **DNS-Based Threat Detection:** Surface malicious activity and anomalous behavior in cloud environments. Prisma Cloud Threat Detection now leverages machine learning (ML) and advanced threat intelligence to identify bad actors hiding in DNS traffic.
*   **MITRE ATT&CK**® **Alert Prioritization:** Enable security teams to prioritize risks and incidents based on the industry's most widely adopted framework.

**Availability**

Out-of-band WAAS is available today for Prisma Cloud Compute Edition and will be available in the Enterprise Edition over the next month. The additional features will also roll out for Prisma Cloud Enterprise Edition over the next month.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021), Comparably Best Companies for Diversity (2021), and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

_Palo Alto Networks, Prisma, and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available._

SOURCE Palo Alto Networks, Inc.

Palo Alto Networks Bolsters Its Cloud Native Security Offerings With Out-of-Band WAAS

The APT is pairing a known Microsoft flaw with a malicious document to load malware that nabs credentials from Chrome, Firefox and Edge browsers.

The APT is pairing a known Microsoft flaw with a malicious document to load malware that nabs credentials from Chrome, Firefox and Edge browsers.

Advanced persistent threat group Fancy Bear is behind a phishing campaign that uses the specter of nuclear war to exploit a known one-click Microsoft flaw. The goal is to deliver malware that can steal credentials from the Chrome, Firefox and Edge browsers.

The attacks by the Russia-linked APT are tied the Russian and Ukraine war, according to researchers at Malwarebytes Threat Intelligence. They report that Fancy Bear is pushing malicious documents weaponized with the exploit for Follina (CVE-2022-30190), a known Microsoft one-click flaw, according to a blog post published this week.

“This is the first time we’ve observed APT28 using Follina in its operations,” researchers wrote in the post. Fancy Bear is also known as APT28, Strontium and Sofacy.

On June 20, Malwarebytes researchers first observed the weaponized document, which downloads and executes a .Net stealer first reported by Google. Google’s Threat Analysis Group (TAG) said Fancy Bear already has used this stealer to target users in the Ukraine.

The Computer Emergency Response Team of Ukraine (CERT-UA) also independently discovered the malicious document used by Fancy Bear in the recent phishing campaign, according to Malwarebytes.

****Bear on the Loose****

CERT-UA previously identified Fancy Bear as one of the numerous APTs pummeling Ukraine with cyber-attacks in parallel with the invasion by Russian troops that began in late February. The group is believed to be operating on the behest of Russian intelligence to gather info that would be useful to the agency.

In the past Fancy Bear has been linked in attacks targeting elections in the United States and Europe, as well as hacks against sporting and anti-doping agencies related to the 2020 Olympic Games.

Researchers first flagged Follina in April, but only in May was it officially identified as a zero-day, one-click exploit. Follina is associated with the Microsoft Support Diagnostic Tool (MSDT) and uses the ms-msdt protocol to load malicious code from Word or other Office documents when they’re opened.

The bug is dangerous for a number of reasons–not the least of which is its wide attack surface, as it basically affects anyone using Microsoft Office on all currently supported versions of Windows. If successfully exploited, attackers can gain user rights to effectively take over a system and install programs, view, change or delete data, or create new accounts.

Microsoft recently patched Follina in its June Patch Tuesday release but it remains under active exploit by threat actors, including known APTs.

**Threat of Nuclear Attack**

Fancy Bear’s Follina campaign targets users with emails carrying a malicious RTF file called “Nuclear Terrorism A Very Real Threat” in an attempt to prey on victims’ fears that the invasion of Ukraine will escalate into a nuclear conflict, researchers said in the post. The content of the document is an article from the international affairs group Atlantic Council that explores the possibility that Putin will use nuclear weapons in the war in Ukraine.

The malicious file uses a remote template embedded in the Document.xml.rels file to retrieve a remote HTML file from the URL http://kitten-268\[.\]frge\[.\]io/article\[.\]html. The HTML file then uses a JavaScript call to window.location.href to load and execute an encoded PowerShell script using the ms-msdt MSProtocol URI scheme, researchers said.

The PowerShell loads the final payload–a variant of the .Net stealer previously identified by Google in other Fancy Bear campaigns in the Ukraine. While the oldest variant of the stealer used a fake error message pop-up to distract users from what it was doing, the variant used in the nuclear-themed campaign does not, researchers said.

In other functionality, the recently seen variant is “almost identical” to the earlier one, “with just a few minor refactors and some additional sleep commands,” they added.

As with the previous variant, the stealer’s main pupose is to steal data—including website credentials such as username, password and URL–from several popular browsers, including Google Chrome, Microsoft Edge and Firefox. The malware then uses the IMAP email protocol to exfiltrate data to its command-and-control server in the same way the earlier variant did but this time to a different domain, researchers said.

“The old variant of this stealer connected to mail\[.\]sartoc.com (144.208.77.68) to exfiltrate data,” they wrote. “The new variant uses the same method but a different domain, www.specialityllc\[.\]com. Interestingly both are located in Dubai.”

The owners of the websites most likely have nothing to do with APT28, with the group simply taking advantage of abandoned or vulnerable sites, researchers added.

Fancy Bear Uses Nuke Threat Lure to Exploit 1-Click Bug

An update is now available for Red Hat build of Eclipse Vert.x.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE pages listed in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2020-36518: jackson-databind: denial of service via a large depth of nested objects
* CVE-2022-25647: com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2022-06-23

Updated:

2022-06-23

**RHSA-2022:5029 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Moderate: Red Hat build of Eclipse Vert.x 4.2.7 security update

**Type/Severity**

Security Advisory: Moderate

**Topic**

An update is now available for Red Hat build of Eclipse Vert.x.  

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE pages listed in the References section.

**Description**

This release of Red Hat build of Eclipse Vert.x 4.2.7 GA includes security updates. For more information, see the release notes listed in the References section.  

Security Fix(es):  

*   jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
*   com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson (CVE-2022-25647)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE page(s) listed in the References section.

**Solution**

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.  

The References section of this erratum contains a download link for the update. You must be logged in to download the update.

**Affected Products**

*   Red Hat Openshift Application Runtimes Text-Only Advisories x86\_64

**Fixes**

*   BZ - 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
*   BZ - 2080850 - CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson

**References**

*   https://access.redhat.com/security/updates/classification/#moderate
*   https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.eclipse.vertx&version=4.2.7
*   https://access.redhat.com/documentation/en-us/red\_hat\_build\_of\_eclipse\_vert.x/4.2/html/release\_notes\_for\_eclipse\_vert.x\_4.2/index

**Red Hat Openshift Application Runtimes Text-Only Advisories**

SRPM

x86\_64

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2022:5029: Red Hat Security Advisory: Red Hat build of Eclipse Vert.x 4.2.7 security update

A voicemail-themed phishing campaign is hitting specific industry verticals across the country, bent on scavenging credentials that can be used for a range of nefarious purposes.

Microsoft 365 and Outlook customers in the US are in the crosshairs of a successful credential-stealing campaign that uses voicemail-themed emails as phishing lures. The flood of malicious emails anchoring the threat is emblematic of the larger problem of securing Microsoft 365 environments, researchers say.

According to an analysis from Zscaler's ThreatLabz, a highly targeted offensive has been ongoing since May, aiming at specific verticals, including software security, the US military, security-solution providers, healthcare/pharmaceuticals, and the manufacturing supply chain.

The campaign has been successful in compromising swaths of credentials, which can be used for a variety of cybercrime endgames. These include taking over accounts in order to access documents and steal information, eavesdropping on correspondence, sending believable business email compromise (BEC) emails, implanting malware, and burrowing deeper into corporate networks. The user ID/password combos can also be added to credential-stuffing lists in hopes that victims have made the mistake of reusing passwords for other types of accounts (such as online banking).

"Microsoft 365 accounts are often a treasure trove of data, which can be downloaded en masse," says Robin Bell, CISO of Egress. "Furthermore, hackers can use compromised Microsoft 365 accounts to send phishing emails to the victim’s contacts, maximizing the effectiveness of their attacks.”

**Voicemail Phishing Attack Chain**

From a technical perspective, the attacks follow a classic phishing flow — with a couple of quirks that make them more successful.

The attacks start out with purported missed-voicemail notifications being sent via email, which contain HTML attachments.

HTML attachments often get past email gateway filters because they aren't in and of themselves malicious. They also don't tend to raise red flags for users in a voicemail notification setting, since that's how legitimate Office notifications are sent. And for added verisimilitude, the "From" fields in the emails are crafted specifically to align with the targeted organization's name, according to a recent Zscaler blog post.

If a target clicks on the attachment, JavaScript code will redirect the victim to an attacker-controlled credential-harvesting website. Each of these URLs are custom-created to match the targeted company, according to the researchers.

"For instance, when an individual in Zscaler was targeted, the URL used the following format: zscaler.zscaler.briccorp\[.\]com/<base64\_encoded\_email>," they noted in the blog post, which detailed the attacks. "It is important to note that if the URL does not contain the base64-encoded email at the end; it instead redirects the user to the Wikipedia page of MS Office or to office.com."

Before the mark can access the page however, a Google reCAPTCHA check pops up — an increasingly popular technique for evading automated URL analysis tools.

CAPTCHAs are familiar to most Internet users as the challenges that are used to confirm that they're human. The Turing test-ish puzzles usually involve clicking all photos in a grid that contain a certain object, or typing in a word presented as blurred or distorted text. The idea is to weed out bots on e-commerce and online account sites — and they serve the same purpose for crooks.

Once the targets solve the CAPTCHAs successfully, they're sent onto the phishing page, where they're asked to enter their Microsoft 365 credentials — which, of course, are promptly captured by the bad guys on the other end of the URL.

"When faced with a login prompt that looks like a typical O365 login, the person is likely to feel comfortable entering their information without looking at the browser's URL bar to ensure they are at the real login website," Erich Kron, security awareness advocate with KnowBe4, tells Dark Reading. "This familiarity, and the high odds that an intended victim regularly uses O365 for something in their workday, makes this a great lure for attackers."

Using voicemail as a lure isn't a new technique — but it's a successful one. The current campaign is actually a resurgence of earlier activity seen in July 2020, the researchers noted, given significant overlap in the tactics, techniques, and procedures (TTPs) between the two phishing waves.

"These attacks target human nature, manipulating their victims using techniques that play on our psychology," Egress' Bell tells Dark Reading. "That's why, despite investing in security awareness training, many organizations still fall victim to phishing. In addition to this, threat actors are crafting increasingly sophisticated, highly convincing attacks that many people simply can’t distinguish from the 'real thing.' This is exacerbated by the increasing use of mobile devices, as users often can’t see details like the sender’s real information."

**Microsoft 365 Continues to Be a Popular Target**

The cloud version of Microsoft's productivity suite, formerly known as Office365 or O365 and renamed Microsoft 365 by the company, is used by more than 1 million companies and more than 250 million users. As such, it acts as a siren song to cybercrooks.

According to a 2022 Egress report, "Fighting Phishing: The IT Leader’s View," 85% of organizations using Microsoft 365 reported being victims of phishing during the last 12 months, with 40% of organizations falling victim to credential theft.

"Microsoft O365 and Outlook are used by an estimated 1 million companies, so there’s a good chance that their victim, and the victim's organization, use these services," Bell says. "With such a high volume of accounts, the hackers have a better chance of reaching targets with a low level of tech awareness, who are more likely to fall for an attack."

Microsoft 365 phishes also are popular attack vectors because the blend in with normal workday activities, Kron notes.

"We spend a lot of our workday in a near autopilot mode, doing repeated tasks almost automatically, as long as the tasks are expected," he explains. "It’s only when something unexpected occurs that people tend to take notice and apply critical thinking. For many of us, the action of logging in to an O365 portal is not unusual enough to raise our suspicions. Many times, when people log in to these fake portals, the credential stealing software invisibly forwards the information to the legitimate login portal resulting in a successful login, and the victim is never aware that they were tricked.”

**How CISOs Can Defend Against Social Engineering**

There are significant challenges for CISOs in shutting down this type of threat vector, researchers say, mainly due to the fact that it's impossible to patch human nature. That said, user training to encourage employees to perform basic protections, like checking the URL before logging in, can go a long way.

"We have to face the fact that social-engineering attacks, which include phishing, vishing, and smishing, are here to stay," says Kron. "Phishing has been prevalent almost since email began, and the damage done and losses sustained are simply too high to ignore, while hoping for the best. CISOs need to understand these risks, and employees need to understand that in our modern world where everyone uses computers and processes information in some way, cybersecurity is a part of everyone’s job, and will be for the foreseeable future.”

Beyond this basic best practice, CISOs should also take back-end technology steps to fill in for when people make mistakes, as they inevitably will. And this should go beyond standard secure email gateway filters, according to Bell.

"To truly mitigate the risk, organizations need the right technology," he advises. "CISOs need to evaluate their security stack, ensuring that they are augmenting their email platforms with additional layers of protection to ensure that their people and data are protected. Technology should partner with employees to help them to identify even the most sophisticated attacks, ensuring that credentials and email accounts cannot be compromised by threat actors.”

Kron recommends a commonsense defense approach that combines both technology and training.

"For CISOs that do not recognize this and attempt to counter these attacks with purely technical tools, the odds of success are quite low," he says. "For CISOs that understand that these attacks are exploiting human vulnerabilities and deploy a mix of technical controls as well as tackling the human issue through education and training, the results are often much better."

Microsoft 365 Users in US Face Raging Spate of Attacks

The privacy-focused company's new Goggles tool allows users to weed out the noise—whatever that might mean.

Anyone can create or alter a Goggle. However, at the beta launch, Brave created eight different Goggles as examples. (It says these will be deleted once people create their own). These examples include Goggles to re-rank search results to remove copycat pages, removing search results from the top 1,000 websites, boosting content found on technical blogs, and more.

Pujol says that Brave created Goggles—which it first outlined in a 2021 white paper—to help remove biases from search results, including those in Brave’s search, and give people more choice. “Biases are everywhere: the underlying data, which sites are easier to crawl, which models are chosen, feature selection, presentation biases, popularity, the list can go on indefinitely,” Pujol says. It is very hard, if not impossible, to remove all biases from search results.

“Goggles will allow the creation of multiple universes within which users could search,” says Uri Gal, a professor of business information systems at the University of Sydney. Gal adds that the move is welcome in a search market that “has seen little innovation or competition” over the past couple of decades. “It would reduce the risk of people getting a single view of reality—or that portion of reality that they are interested in—that is created and maintained by a single platform (e.g. Google, Facebook) based on proprietary algorithms,” Gal says.

Brave knows that people may use Goggles to reinforce their worldview and filter subjects that align with their existing beliefs. At launch, both right- and left-leaning political Goggles have been created by AllSides, an American company that rates media organizations for their political bias. “We believe in freedom of speech, and as such, it is not for us to decide what is right or wrong,” Pujol says. “The person using Goggles is making a conscious act when applying a Goggle, and contrarian perspectives should be readily available. This explicitness alone is an improvement from the current landscape, where this kind of alteration is made without the user realizing it.”

Brave says it will treat Goggles the way as it does all web results and “not censor or police them,” unless it is required to do so legally, such as removing instances of child sexual abuse material.

But there are questions about how this will work in reality. “Exercising bias control is an action for the thoughtful,” says Bart Willemsen, a VP analyst focusing on privacy at Gartner, who adds that he is hopeful Goggles can have positive results. “In the abundance of information available, including dis- and malinformation, to correctly curate what is believed to be relevant and what not, or even untrue, is a huge task,” Willemsen says.

Despite Google’s dominance, there’s a flourishing market for alternative privacy-focused search engines, which claim not to track users or use their personal information for creepy ads. This includes Brave, which launched its search in beta last year. Among others—all with slightly different privacy claims and ways of working—are DuckDuckGo, StartPage, and Mojeek. (DuckDuckGo uses Bing to help power its search results, while StartPage is based on Google.) While billions of searches are made with Google alternatives each year, that’s still a drop in the ocean compared to Google’s dominance.

The search results that companies show, while being based on multiple factors, can prove controversial. Companies may face difficulties with the amplification of political content and issues around free speech. In October 2021, Twitter admitted its algorithm amplifies right-wing politicians more than left-wing ones. Recently, people on the far right have complained that DuckDuckGo limited Russian propaganda, although its results are partly provided by Microsoft’s Bing. In contrast, one 2019 study by Stanford University researchers found that Google’s search results didn’t favor either politician wing.

When Brave debuted its idea for Goggles in 2021, the company said it would open an offer to incorporate Goggles into any other search engine. So far, Pujol says, there haven’t been any conversations about this. And large changes to the status quo are unlikely. “I can’t see Google or any other major platform integrating user-defined Goggles,” Barnet says. “It would interfere with the way they personalize advertising to you and how they collect data on your activity to deliver that advertising. In other words, it would interfere with their business model.”

Tag

#google