The widespread use of mines has left Ukrainians scrambling to find ways to clear the explosives. New efforts to develop mine-clearing technology may help them push back Russia's invading forces.

Oleksandr Kryvtsov had enough.

The owner of an agricultural company in Hrakove, near Kharkiv, Kryvtsov found his land littered with land mines. That region of Ukraine, occupied by Russian forces for nearly eight months, had been pockmarked with explosive ordinances. The threat meant that farmers like Kryvtsov had to let their fields lay fallow. Even though Kryvstov’s fields were once part of Europe’s breadbasket, Ukraine’s mine clearance teams were overworked and under-resourced.

So Kryvtsov came up with his own solution. He jimmyrigged a plow onto an old tractor, with massive steel rollers underneath. On the side, he painted the yellow and blue Ukrainian flag. Kryvtsov connected a remote-control steering system and, from afar, he drove his Mad Max-style tractor over his fields, detonating any mines lurking under the soil.

The makeshift operation has worked well, Kryvtsov told Reuters, even clearing an anti-tank mine.

Kryvstov’s story is an example of incredible Ukrainian ingenuity—a nation of gilders, working to invent, adapt, and repurpose technology to defend themselves against a better-resourced, larger, determined enemy. But it’s also an ominous sign of just how bad the problem is.

In recent months, WIRED has investigated the technological challenges and opportunities facing Ukraine as it tries to defend itself and recapture its territory. One particular problem, unsung by the Western media but frequently cited by Ukrainian officials, are the haphazard minefields across Eastern Ukraine.

WIRED has spoken to a range of engineers, government officials, and humanitarian mine-clearance experts, and consulted Ukraine’s new mine clearance plan. It is apparent that Kyiv is prioritizing the problem, but without a significant new influx of money, personnel, and technology, the threat of these mines could hobble Ukraine’s economy, frustrate future counteroffensives, and pose a humanitarian crisis for decades to come.

A Humanitarian Crisis, an Economic Cost

Ukraine’s mine problem has been acute for a decade. The full-scale war with Russia has only made it worse. From 2014, when Russia first invaded, to the end of 2021, the United Nations says 312 Ukraines were killed by land mines. Since Russia’s February 2022 invasion, Ukraine has recorded at least 269 civilian casualties, including 14 children. Prime Minister Denys Shmyhal has taken to calling Eastern Ukraine “the largest minefield in the world.”

Those casualty figures only capture the deaths on territory currently held by Ukraine. Behind the front lines, in the Russian-occupied regions of Eastern Ukraine, at least a hundred more have reportedly been killed.

“Twenty percent of the whole territory is dangerous,” Ihor Bezkaravainyi, Ukraine’s deputy minister of finance, tells WIRED. “Right now we’re talking about 150,000 square kilometers.” (The total area, including water littered with naval mines, is nearly 175,000 km².)

Bezkaravainyi is a veteran of the war in Eastern Ukraine—he lost a leg to an anti-tank mine in 2016. He’s now responsible for coordinating the mine-clearance effort behind the front lines, giving Ukrainians back their property and recovering damaged agricultural lands. It’s not an easy task.

“It looks like the _zone rogue_ in France after World War One,” Bezkaravainyi says, referring to the areas near Germany and Belgium that remain contaminated by land mines to this day.

Conducting surveys to identify those mines will be a gargantuan challenge. Actually clearing them will be even more taxing.

Russia has deployed older anti-tank and anti-personnel mines—of the kind the world has ample experience dealing with. But it is believed that this is the first time the sophisticated PTKM-1R anti-tank mine, which detonates only when it picks up a certain seismic signature, has been used in battle. Russia has also made liberal use of the more advanced PFM-1 mine, also known as the “butterfly mine,” made mostly from plastic and liquid explosive. These mines are particularly odious because they can be scattered in huge quantities from afar or from the air, meaning that they are impossible to track. Because they are colorful and plastic, they can be mistaken by children as toys.

Beyond purpose-built mines, Russia has also littered Ukraine with unexploded munitions and “improvised explosive devices and booby traps,” according to a draft version of Kyiv’s plan to decontaminate the country, prepared late last year and provided to WIRED.

Until now, Ukraine has not had a national plan on how to deal with the mine problem—its ad hoc response has been split between the military, NGOs, a small number of private mine-clearance companies, and a small network of government mine-clearance operators.

In 2021, before Russia’s full-scale invasion, Ukraine had certified just four “mine action operators” to conduct the mine identification and clearance. Since the start of the war, that number has grown to “only 23.” That number is simply “not adequate,” the plan states.

This National Mine Action Strategy was devised to bring consistency and focus to this effort. But it warns that the scope of this problem “cannot be solved in a short-term perspective.” Kyiv hopes it can assess the entirety of its lands, to identify which areas are actually contaminated and which are safe to use, by 2029. By 2033, Ukraine aspires to have decontaminated 80 percent of its previously occupied territory. The strategy does not provide a date for when the whole country might be free of mines.

If Ukraine wants to meet these goals, it will need significantly more staff, technology, and equipment than it has now.

This will be a tough hill to climb. Humanitarian demining groups are spread thin across many global conflict zones, while commercial operators tend to be prohibitively expensive.

This is the reality that pushed Kryvtsov, the farmer, to take matters into his own hands. But Kyiv warns that these “black sappers”—unlicensed and unsanctioned mine-clearance operations—are dangerous and unreliable. Still, the government recognizes that, unless it can dramatically scale up its own operations, these freelance mine operators will become a popular choice for locals frustrated by the slow pace of progress.

Like many aspects of Ukraine’s war effort, Kyiv believes the solution is at home. The strategy calls for a substantial investment in Ukraine’s industrial capacity to produce mine-clearing equipment, research demining technology, and train demining teams. The World Bank estimated in early 2023 that the total cost of identifying and clearing these mines would be nearly $38 billion. Kyiv expects the true cost will be higher.

A Military Challenge

In the snow-covered fields near the front lines, the Ukrainian Armed Forces have been deploying autonomous demining vehicles—which, although purpose-built and donated by European allies, look an awful lot like Kryvstov’s homemade version.

Since the start of the war, these military demining teams have cleared more than 280,000 mines—at a pace of more than 2,200 every week. Its work is entirely separate from the humanitarian teams run under Bezkaravainyi's department.

The military may have cleared a staggering volume, but the work is impeded by a lack of equipment. The military boasts 262 separate demining teams, but it has just six demining vehicles.

In an essay for _The Economist,_ former commander-in-chief of the Ukrainian Armed Forces Valerii Zaluzhnyi wrote that his forces were initially relying on “technically outdated pieces of equipment” to conduct this operational mine clearance. With Western donations, “it was possible to slightly augment the capabilities of engineer units … but given the unprecedented scale of these barriers, even such capabilities are objectively lacking.”

Much of the analysis of Ukraine’s failed summer counteroffensive has focused on the offensive gear it lacks—artillery shells, fighter jets, drones, and long-range missiles. But even if it had managed to pierce the Russian front line, Ukraine faced layers of other defensive structures, including between 15 and 20 kilometers of minefields.

As Zaluzhnyi notes, Russian reconnaissance drones have kept a watchful eye on these minefields, targeting any Ukrainian teams dispatched to clear them. “In case of successful mine barriers breaching, the enemy quickly restores minefields in these areas,” he wrote.

European allies, in particular, have donated mine clearance vehicles—including retrofitted German-made Leopard 2 tanks—but they have been hard hit by Russian forces.

While clearing fields near the front lines is difficult, risky work, Russia is capable of laying these fields remotely and quickly. The ISDM Zemledeliye, a mobile mine-laying system that sits on the back of a truck, can carry 50 rockets, each filled with anti-personnel or anti-tank mines that scatter over a targeted area. The system allows the operator to lay minefields from as far as 15 kilometers away. One pro-Kremlin Russian media outlet recently remarked that the Zemledeliye, which translates to “agriculture” in Russian, “sowed” the defeat of the Ukrainian summer counteroffensive.

“The Ukrainians didn't necessarily have the equipment, the type of trained brigades, etc, to break through that defense and overcome the Russians, who were defending in a doctrinally consistent and actually quite sound way,” Karolina Hird, an analyst at the Institute for the Study of War and the deputy team lead for their Russia desk, tells WIRED. “Which brings us to where we are today.”

Even if Kyiv manages to overcome all of those other problems, if it cannot figure out how to clear the Russian-laid minefields, its progress risks being squandered.

“One of the big operational problems is, how do you increase by an order of magnitude the detection of mines, mapping of minefields, and the clearance of them—whilst denying the Russians visibility of them?” Mick Ryan, a 35-year veteran of the Australian Army who has traveled to Ukraine frequently during the war, tells WIRED. “And these are pretty significant problems, but they’re known problems, right?”

Ryan says there needs to be a deeper recalibration of the relationship between Ukraine and NATO. At the beginning of the war, the transfer of knowledge and expertise from NATO to Ukraine may have been largely one-directional, but today, Ukraine’s expertise in modern warfare certainly rivals many of its benefactors.

“Ukrainians and NATO, they just need to divide up the problems and solve them,” Ryan says. “I mean, this isn't inventing the nuclear bomb.”

The Technology

As the National Mine Action Strategy notes, research on mine clearance has been sorely lacking.

There has been, the strategy says, a “lack of systematic and centralized work on the introduction of innovative technologies in the field of Mine Action, in particular, unmanned aerial vehicles, the use of satellite images, artificial intelligence, data collection and analysis systems.”

It’s a frustration that Federica Mezzani knows well. Since 2019, she’s been researching how new technologies can help improve mine detection strategies—but it is a field, she says, which had been “completely forgotten.”

Despite the fact that an estimated 110 million mines are still active around the world, they are primarily distributed in poor and war-torn countries. While NGOs such as the HALO Trust have worked to steadily decontaminate those territories, the research and development has been piecemeal and slow. It simply hasn’t been a priority.

But Mezzani, along with her colleagues in the Department of Mechanical and Aerospace Engineering at Sapienza University in Rome, set out to prove that new technology could help with this old problem. There had been some research testing how drones could be used to identify unexploded ordinances, but not much. Mezzani wanted to take it a step further, dispatching drone swarms equipped with ground-penetrating radar to methodically scan each section of the ground, the way a human team might. Algorithms could essentially automate mine detection, she believed.

In a series of small-scale experiments, Mezzani’s technique worked.

“The experimental campaign proved the effectiveness of the algorithm, which appears as a powerful tool to automatically detect buried objects with even small metal content,” reads her paper, published in _Advances in Nonlinear Dynamics_ in 2022.

“The technology is ready,” Mezzani tells WIRED. “I think that it's been ready for many years, actually.”

When the full-scale war began, research efforts like Mezzani’s were few and far between. That meant figuring out these strategies from the ground up.

Part of the challenge is about confidence. As Bezkaravainyi explains, humanitarian mine clearance operates on a zero-tolerance policy for civilian deaths—if they mark a territory as uncontaminated, they must be absolutely sure it is entirely safe. Where possible, that also means defusing the land mines instead of exploding them and further contaminating the soil.

This process is significantly slower than how the military clears territory. Prioritizing speed, the army may blast a path through an active minefield in order to advance quickly without fully clearing it. To that end, humanitarian mine clearance operates on the Swiss cheese model: applying multiple imperfect strategies on top of each other.

Bezkaravainyi explains that their process normally involves consulting high-resolution satellite imagery of the territory and identifying land mines from the sky. From there, drones may be dispatched to confirm those locations and identify mines that may be buried or tough to spot. After that, teams are dispatched to sweep the territory.

Last fall, at an international conference on Ukraine’s demining efforts held in Zagreb, Bezkaravainyi’s department unveiled a prototype, developed by American surveillance technology giant Palantir, which used artificial intelligence to help inform how Kyiv approaches mine clearance.

This multilayered approach is increasingly necessary. Magnetometers and thermal scanners, which identify mines by identifying the metal amidst the organic material, were once the gold standard for mine identification. Some mines have electromagnetic shields, protecting them from ground-penetrating radar. The PFM-1 mine, in particular, contains very little metal, making it difficult to detect.

This problem is mostly, but not entirely, of Russia’s making. Reports suggest that Ukraine has also deployed these PFM-1 mines against Russian forces in Eastern Ukraine.

Difficult terrain, such as forests or mud, makes this work more difficult. Ukraine has difficult terrain in spades: It even has a word, _bezdorizhzhya_, for the mud that covers the eastern part of the country in the spring.

“If all the technologies in the world were given to Ukraine, it would not be enough,” Bezkaravainyi says.

An Opportunity

Ukraine is not merely contemplating how to buy and acquire enough technology to do this job—they are developing a plan to become a world leader on mine clearance.

That sort of focus has been sorely lacking for decades. “It’s a type of research that doesn't bring in profits,” Mezzani says. It’s a problem she crashed into during her own research project. “I wouldn't say that we have a technological issue. We have a willingness issue.”

Some 70 countries worldwide are still contaminated by land mines, according to the United Nations, and they kill or maim thousands every year. Most, however, are located in the Global South. The conflict in Ukraine may finally be the impetus to develop the technology and expertise to address that problem.

Indeed, Bezkaravainyi says his department has fielded plenty of offers from companies professing expertise in mine clearance, but many have been unreliable, haven’t delivered, or were outright scams.

If Ukraine can develop both the technology and the industry to do this work, it could provide a critical advantage in the war, boost its battered economy, and provide an enormous service to the entire world.

Brave1, a platform launched by the Ukrainian government to identify innovative projects and connect them to public and private financing, has identified mine clearance as one of its main priorities. Thus far, 30 projects—which range from autonomous land vehicles to more sophisticated detection systems—are part of the Brave1 platform.

If the Ukrainian government can spur the creation of a domestic demining industry, it will speed up its economic recovery, help war-torn countries the world over, and maybe even help win the war.

The Danger Lurking Just Below Ukraine's Surface

By Waqas
Deja vu at Robert Half? Notorious hackers claim responsibility as the staffing giant makes headlines for yet another alleged data breach in two years.
This is a post from HackRead.com Read the original post: Hackers Claim Data Breach at Staffing Giant Robert Half, Sell Sensitive Data

The hackers, infamously known as IntelBroker and Sanggiero, claim to possess a trove of data from Robert Half, which is being sold for $20,000 in Monero (XMR) cryptocurrency.

In June 2022, Robert Half International Inc., a global staffing and business consulting service, filed a data breach notification with the Office of the Maine Attorney General. According to the notification, the company experienced a data breach in which hackers targeted more than 1,000 customers, successfully obtaining their names, addresses, social security numbers, and tax information.

Now, Hackread.com can confirm that individuals operating under the aliases IntelBroker and Sanggiero are claiming responsibility for another breach at Robert Half International. They claim to have successfully breached the company once again, bragging about the theft of a substantial amount of data.

The stolen data is currently being offered for sale on the notorious Breach Forums at the price of $20,000 in Monero (XMR) cryptocurrency. Notably, the data listing initially appeared on Thursday, February 8, 2024, and has remained active since then.

The hackers claim that they breached RobertHalf.com on the same day, indicating that this alleged data breach is separate from the previous one in 2022. However, it remains uncertain whether these are the same hackers responsible for the earlier breach.

IntelBroker on Breach Forum (Screenshot: Hackread.com)

Nevertheless, IntelBroker is already recognized for their high-profile and credible hacks, which include breaches of the Weee! Grocery, General Electric and the most recent data leak involving a partial Facebook Marketplace database.

****The Alleged Stolen Data****

Headquartered in Menlo Park, California, United States, and established in 1948, Robert Half International holds the distinction of being the world’s first and largest specialized talent solutions firm. With over 325 offices globally, spanning countries such as Australia, Brazil, the UAE, the UK, Germany, Japan, China, and Canada, the company presents a lucrative target for cybercriminals.

In their post on Breach Forums, IntelBroker disclosed that they managed to gain access to confidential records, employee documents, customer information, and configuration settings related to services such as OpenAI and Twilio.

The hackers additionally shared screenshots purportedly displaying the stolen data, Git repositories, and AWS-related system settings. One screenshot appears to reveal a client list, with companies listed under ‘Account Names,’ accompanied by full names, primary functional roles, titles, and phone numbers.

Sample data leaked by the hacker (Hackread.com)

The full scope of the breach and the number of affected individuals remain uncertain. Hackread.com has contacted Robert Half International Inc. for an official statement or clarification. As this is a developing story, the article will be updated accordingly.

****Increasing Data Breaches****

In the first two months of 2024, there has been a notable increase in data breaches affecting both companies and government organizations. Last week, Infosys disclosed a breach impacting over 57,000 Bank of America customers.

Earlier this month, two major US insurance companies, Washington National Insurance Company and Bankers Life and Casualty Company, reported a SIM-swapping-related breach affecting more than 66,000 customers.

In January, Jason’s Deli fell victim to a significant data breach, exposing the personal information of over 344,000 users due to a successful credential-stuffing attack. Also in January, hackers targeted Indian ISP Hathway, compromising the personal information and KYC records of over 4 million unsuspecting customers.

****RELATED ARTICLES****

1.  **23andMe blames its users for the massive data breach**
2.  **AnyDesk Urges Password Change Amid Security Breach**
3.  **Defunct Ambulance Service Data Breach Impacts 1 Million**
4.  **Cloudflare Hacked After State Actor Leverages Okta Breach**
5.  **RingGo Owner EasyPark Hit by Data Breach, User Data Stolen**

Hackers Claim Data Breach at Staffing Giant Robert Half, Sell Sensitive Data

Plus: State-backed hackers test out generative AI, the US takes down a major Russian military botnet, and 100 hospitals in Romania go offline amid a major ransomware attack.

While the response to Cowles’ tale has been a mix of praise and mockery, experts in online threats say it’s foolish to think you’re too savvy to never fall for a professional scammer. “The reality is, criminals perpetuating fraud—whether via phone, email, or social media—are very good at social engineering,” says Selena Larson, a senior threat intelligence analyst at security firm Proofpoint, who describes Cowles as “extremely courageous.”

Manipulative tactics the scammers used against Cowles are common. They include, Larson says, “making someone afraid for themselves or their families, making them excited or enticed by the possibility of money or romance, or any number of heightened emotions to push them into making decisions they otherwise wouldn’t.” To protect yourself from scams like the one that hooked Cowles, Larson suggests being on high alert for anyone trying to isolate you from people in your life, and don’t trust someone posing as a government employee or celebrity. “Forcing a sense of urgency,” like asking for money immediately, is also a huge red flag. “If people are worried they are being targeted by fraudsters,” Larson says, “they should immediately break off contact and report the activity.”

Or you can adopt Cowles' new tactic: Never answer the phone.

Generative AI tools like ChatGPT are all the rage—including among hackers working on behalf of Russia, China, and North Korea, according to research published this week by Microsoft and OpenAI. While researchers note that they have “not identified significant attacks” that use large language models like those powering OpenAI’s ChatGPT, they did find widespread use of generative AI tools for research, reconnaissance, “basic scripting tasks,” and ways to improve code used to carry out cyberattacks. “Microsoft and OpenAI have not yet observed particularly novel or unique AI-enabled attack or abuse techniques resulting from threat actors’ usage of AI,” Microsoft wrote in a blog post outlining the research. “However, Microsoft and our partners continue to study this landscape closely.”

The US Department of Justice announced this week that it had disrupted a botnet controlled by APT28, a hacking group known as Fancy Bear that operates under Russia’s GRU military intelligence service. According to the DOJ, the hackers infected hundreds of routers used by homes and businesses with the “Moobot” malware, which the DOJ says is linked to a cybercriminal group. Fancy Bear hackers then used to Moobot to “install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform,” according to the DOJ. To seize control of the botnet, the US government also used the Moobot malware to delete “stolen and malicious data” in the routers and then tweaked the routers’ firewalls to prevent the hackers from accessing them remotely. US attorney general Merrick Garland praised the operation in a statement as a successful effort to “dismantle the Russian government’s malicious cyber tools that endanger the security of the United States and our allies.”

Ransomware attacks frequently target hospitals, but few have had as widespread an impact as a strike against Romania’s health care system this week. Approximately 100 hospitals took their systems offline after attackers hit a popular hospital management system. Romanian officials say 25 hospitals had their data encrypted by the ransomware, which targeted the Hipocrate Information System (HIS) on the night of February 11. Another 75 hospitals voluntarily took their systems offline to avoid possible infection. The disruption has forced the hospitals to revert to paper records. The attackers, who have not yet been identified, demanded a ransom of 3.5 bitcoin, or around $180,000, to decrypt the files.

How to Not Get Scammed Out of $50,000

By Waqas
The #MonikerLink security flaw in Microsoft Outlook allows hackers to execute arbitrary code on the targeted device.
This is a post from HackRead.com Read the original post: New MonikerLink Flaw Exposes Outlook Users to Data Theft and Malware

The #MonikerLink vulnerability (CVE-2024-21413) holds a CVSS score of 9.8 out of 10, indicating critical severity and high exploitability, potentially enabling system compromise with minimal user interaction.

Check Point Research (CPR) has discovered a critical security flaw in Microsoft Outlook. Dubbed the #MonikerLink; the vulnerability allows threat actors to execute arbitrary code on their targeted device. The research, detailed in a blog post, highlights the flaw’s potential to exploit the way Outlook processes certain hyperlinks.

The exploit is tracked as CVE-2024-21413 with a CVSS score of 9.8 out of 10, which means the vulnerability has critical severity and is highly exploitable, possibly allowing an attacker to compromise the system with minimal user interaction. This could lead to complete system compromise, denial of service, and data breach. Furthermore, an attacker could execute arbitrary code, steal data, and install malware. 

The issue occurs due to the way Outlook processes the “file://” hyperlinks, leading to severe security implications. Threat actors can execute unauthorized code on the targeted device. CPR’s research reveals that the #MonikerLink vulnerability misuses the Component Object Model (COM) on Windows, allowing unauthorized code execution and leaking of local NTLM credential information. 

The vulnerability exploits a user’s NTLM credentials to enable arbitrary code execution through the COM in Windows. When a user clicks on the malicious hyperlink, it connects to a remote server controlled by the attacker, compromising authentication details and potentially leading to code execution. This allows attackers to invoke COM objects and execute code on the victim’s machine remotely, bypassing the Protected View mode in Office applications.

Researchers studied three attack vectors for MS Windows-Outlook 2021: the “obvious” Hyperlink attack vector, the “normal” attachment attack vector, and the “advanced” attack vector. The “obvious” Hyperlink attack vector involves sending emails with malicious web hyperlinks, posing security risks in browsers.

The “normal” attachment attack vector involves the attacker sending a malicious email and luring the victim to open the attachment. The Advanced attack vector, the Email Reading attack vector, triggers security problems when the victim reads an email on Outlook.

Microsoft Outlook, one of the world’s most popular Microsoft Office suite apps, has become a critical gateway for introducing cyber threats into organizations. Microsoft’s Threat Protection Intelligence team discovered a critical vulnerability (CVE-2023-23397) in Outlook in March 2023 which threat actor Forest Blizzard was exploiting to steal Net-NTLMv2 hashes and access user accounts.

According to CPR’s blog post, the company has confirmed the latest vulnerability in Microsoft 365 environments and notified the Microsoft Security Response Center. Microsoft is yet to respond to the issue. Hackread.com will update readers as soon as more details are shared with the cybersecurity community.

This vulnerability, which extends beyond Outlook, poses a significant risk to organizational security. Both users and organizations are advised to apply patches, follow security practices, and remain vigilant against suspicious emails.

****RELATED ARTICLES****

1.  **Microsoft Outlook bug expose Windows credentials to hackers**
2.  **StrelaStealer Malware Hijacking Outlook, Thunderbird Accounts**
3.   **Chinese Hackers Stole Signing Key to Breach Outlook Accounts**
4.  **New variant of MassLogger Trojan stealing Chrome, Outlook data**
5.  **Microsoft Teams External Access Abuses to by DarkGate Malware**

New MonikerLink Flaw Exposes Outlook Users to Data Theft and Malware

Google has announced that it's open-sourcing Magika, an artificial intelligence (AI)-powered tool to identify file types, to help defenders accurately detect binary and textual file types.
"Magika outperforms conventional file identification methods providing an overall 30% accuracy boost and up to 95% higher precision on traditionally hard to identify, but potentially problematic content

Google Open Sources Magika: AI-Powered File Identification Tool

A surprise disclosure of a national security threat by the House Intelligence chair was part of an effort to block legislation that aimed to limit cops and spies from buying Americans' private data.

The latest botched effort at salvaging a controversial US surveillance program collapsed this week thanks to a sabotage campaign by the United States House Intelligence Committee (HPSCI), crushing any hope of unraveling the program’s fate before Congress pivots to prevent a government shutdown in March.

An agreement struck between rival House committees fell apart on Wednesday after one side of the dispute—represented by HPSCI—ghosted fellow colleagues at a crucial hearing while working to poison a predetermined plan to usher a “compromise bill” to the floor.

A civil war between the House Judiciary and Intelligence Committees has crippled months of efforts to reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA), an unpopular but crucial spy power, stunning the intelligence system and forcing security hawks to publicly argue in favor of surveillance tactics that even top spies acknowledge has been prone to abuse.

Witnesses to the events this week that forced House speaker Mike Johnson to shelve the latest Section 702 bill—the third of its kind to fail in as many months—say the leaders of HPSCI abandoned a deal that had been agreed to in private after weeks of negotiation. Sources familiar with the negotiations asked not to be identified, as none of them are authorized to speak publicly.

The impetus for killing the deal, WIRED has learned, was an amendment that would end the government’s ability to pay US companies for information rather than serving them with a warrant. This includes location data collected from cell phones that are capable in many cases of tracking people’s physical whereabouts almost constantly. The data is purportedly gathered for advertising purposes but is collected by data brokers and frequently sold to US spies and police agencies instead.

Senior aides say the HPSCI chair, Mike Turner, personally exploded the deal while refusing to appear for a hearing on Wednesday in which lawmakers were meant to decide the rules surrounding the vote. A congressional website shows that HPSCI staff had not filed one of the amendments meant to be discussed before the Rules Committee, suggesting that at no point in the day did Turner plan to attend.

Two senior sources on the Hill who are working for members with direct knowledge of the events but are not affiliated with either of the relevant committees say that while lawmakers waited on Turner to appear, he was meeting privately with Johnson and threatening to kill the bill he'd already signed off on.

At the same time, Turner and other HPSCI members were engaged in a floundering but possibly effective scheme to whip votes against any potential privacy enhancements, floating vague claims about an “urgent” threat against the US. Turner’s warning was later reported to concern Russia developing the capability to deploy nuclear weapons in space.

In a letter on Friday, four advocacy organizations signed a letter calling for Turner to step down from his role as Intel chair over what they called a “near-panic” started purely for “political gain.” The letter, first reported by Politico, was signed by members of groups FreedomWorks, Due Process Institute, Demand Progress, and Restore the Fourth.

Neither Johnson nor Turner’s offices responded to a request for comment.

Internal emails obtained by WIRED show that HPSCI’s ranking Democrat, Jim Himes, was likewise a part of that effort, his signature attached to a letter urging Democrats to schedule time to review “certain intelligence” in a HPSCI-operated “SCIF”—a room designed to securely host classified information. The letter implies an “urgent” threat involving foreign military capabilities that requires wide dissemination, all but ensuring it leaked to the press.

In news reports about that intelligence the following day, anonymous officials ensured it was stressed to reporters that Section 702 was essential to identifying the threat. More recent statements made by the White House and Senate intelligence staff that relay the risks the disclosure poses to classified “sources and methods” have generated skepticism around 702’s role.

Four senior aides tell WIRED that, despite speculation in _The New York Times_ that a foreign aid package related to Ukraine had been the impetus behind the effort to center the threat, Turner and Himes were motivated to instill paranoia in members that would inevitably raise doubts as to whether popular private reforms were simply too great a risk—namely those requiring the government to obtain warrants before accessing the private calls, texts, and emails of US persons, as well as “commercially available data” that can be used to monitor their whereabouts, both historically and in real-time.

This campaign—mirrored with less success by the FBI—appeared to backfire in a matter of hours, with Senate intelligence staff refusing to support Turner’s claims and instead issuing a statement that implied his disclosure had put classified sources at risk. The White House similarly dismissed the urgency communicated by Turner, warning that information related to the “threat” might expose intelligence sources.

Some aides critical of the tactics say nevertheless that they believe it may have been effective, shaking some members’ willingness to openly support reform.

“These tricks aren’t new,” said one aide. “They’re recycled, but increasingly transparent.” (“Every spymaster in history has exploited the mixed feeling of awe, gratitude, and fear that power-holders respond to in dealing with intelligence,” civil liberties attorney Frank Donner once said. It was 1971.)

By Wednesday afternoon, Himes, whose signature appeared on the initial “dear colleague” email announcing that the classified matter “should be known by all,” appeared to be seeking distance from the controversy, issuing a statement acknowledging the intel was “not a cause for panic” and saying the protection of sources is “a legal and sacred duty.”

After Johnson reluctantly killed the plans to move forward with a vote—and with it, any hope of resolving the battle over Section 702—intelligence officials began the task of redirecting the blame. The complexities of the issue, and general lack of knowledge among the public and press, aided significantly in that goal.

A Fox News report published Thursday morning, while accurately noting that it was Turner's threat that forced Johnson to cancel the vote, goes on to cite “sources close to the Intelligence Committee” who offered analysis of the events. The sources claimed that Turner was compelled to abandon the deal because the “compromise bill” had been sneakily altered in a manner that “totally screws FISA in terms of its ability to be a national security tool.”

While redirecting blame away from Turner and his cohorts, the claim is both false and deceptive, relying on assertions that, while farcical perhaps to legal experts, would be impossible for the public at large (and most of the press) to parse alone.

The text that Fox News’ intelligence sources are referring to—which can be read on the final page of the bill online—does nothing, in reality. It does not require or prevent anyone in the government from taking any action whatsoever. It also has no impact on FISA, the statute from which Section 702 derives its power.

The controversial text states that the nation’s top intelligence official “may submit” information to Congress regarding how “law enforcement agencies and the intelligence community” purchase “commercially available data about United States persons.” Essentially, it grants the intelligence community permission to do something that it does not actually need permission to do.

The language was included not to “totally screw” FISA, but to ensure that the phrase “commercially available data” appears at least once in the text, for reasons that are as benign as they are elusive to casual followers of legislative procedures.

One of the most popular amendments suggested to the Section 702 bill, discussed openly by lawmakers for months, is one that would prevent the government from purchasing data that normally requires a warrant. To counter arguments that these purchases are unrelated (which is to say, not “germane”) to the 702 program, the language in the final section, accomplishing nothing else, was added. A placeholder, effectively.

A senior source close to the Judiciary Committee said that it would have been impossible for Turner not to know the amendment was coming, and that the surprise expressed by his staff in the Fox News piece and elsewhere appeared to those in the know as pure theater.

Four aides, recordings of several public hearings, and a slew of reporting confirm that Turner had been aware for weeks, if not months, that restrictions on commercially available data would be one of the key amendments offered up by Judiciary members. The aides added that he'd also privately agreed to allow Judiciary members to offer their amendments. Prior to the bill being pulled, Representatives Warren Davidson and Zoe Lofgren had issued a relevant joint statement publicly: “It makes little sense to rein in warrantless surveillance under one authority when the government can simply fall back on other available techniques to acquire similar information,” they said.

Only after forcing Johnson to cancel the vote did the germaneness of the measure become a justification for tanking the entire process.

“No one actually thinks the Intelligence Committee cares about this,” says an aide working for a Judiciary member. “It’s the amendment they’re freaking out about. They don’t want the intelligence community to have to ask judges before they do anything.”

“For all the downplaying the agencies have done, telling us repeatedly they aren’t purchasing our data that often, Turner just blew weeks of negotiation to defend this one thing,” says the same aide. “To me, that says something about how much the government actually cares about this.”

_Update: 2/16/24, 3:35 pm ET: Added details about a letter calling for Turner to step down as Intel chair._

Leak of Russian ‘Threat’ Part of a Bid to Kill US Surveillance Reform, Sources Say

By Deeba Ahmed
From Banking Apps to Crypto Wallets: SpyNote Malware Evolves for Financial Gain.
This is a post from HackRead.com Read the original post: SpyNote Android Spyware Poses as Legit Crypto Wallets, Steals Funds

The notorious SpyNote Android spyware returns, exploiting Accessibility APIs to target crypto wallets and unsuspecting users, ultimately stealing their cryptocurrency.

The Android spyware SpyNote developers are now considering cryptocurrencies, extending beyond mere credentials spying to initiate cryptocurrency transfers, revealed the latest research report from FortiGuard Labs.

Researchers noted that Spynote, a notorious Remote Access Trojan (**RAT**), is now targeting “famous crypto wallets” by abusing the Accessibility API. The API’s job is to automatically perform UI actions, such as recording device unlocking gestures and is mainly helpful for people with disabilities.

The malicious code abuses the Accessibility API to automatically fill out a form and transfer cryptocurrency to cyber criminals. It reads and memorizes the destination wallet address and amount, and replaces it with the attacker’s crypto wallet address.

The information is sent to a remote server with which the malware has established a connection already to complete the action. It is worth noting that the entire act is completed automatically, without alerting the user.

According to Fortinet’s **blog post**, on 1st February, a malicious sample was found posing as a legitimate crypto wallet, incorporating SpyNote RAT and anti-analysis features. They also observed that threat actors are mainly targeting users with mobile crypto wallets or banking applications in this financially motivated, medium-severity hacking saga.

Researchers showed screenshots in which SpyNote malware can be seen requesting Accessibility Service and the user granting access with the Android OS displaying additional warnings. It is evident that clicking on “Allow” signals the malware to perform its nefarious action whereas clicking “Deny” prevents it from gaining access.

Screenshot: FortiGuard Labs

Hackread has been following the evolution of SpyNote ever since it made its first appearance **back in 2016** when Palo Alto’s Unit 42 discovered this RAT on a dark net forum mainly targeting users who install APK apps. Researchers noted that SpyNote helped attackers gain remote control of infected devices, and enabled sideloading on Android devices.

In 2017, Zscaler IT security researchers **discovered** fake apps infected with the SpyNote RAT, allowing attackers to gain remote administrative control on Android devices. Researchers identified various apps, including fake Netflix, WhatsApp, YouTube, Facebook, Photoshop, SkyTV, Hotstar, Trump Dash PokemonGo, etc., infected with a new variant of SpyNote RAT.

Over the years, SpyNote has become a common family of Android malware, with over 10,000 samples and multiple variants, noted FortiGuard researchers.

Last year, the malware authors shifted focus to banking fraud, as the Cleafy Threat Intelligence Team **reported** SpyNote targeting European financial institutions with social engineering tactics and abusing Accessibility services. The attack started with deceptive smishing campaigns, directing victims to install a “new certified banking app” and granting remote access to their devices.

It is worth noting that malware often lures victims into giving them the necessary rights to access the Accessibility API through different lures, posing a threat to users, especially people with disabilities.

Android users are advised to pay attention to applications requesting the Accessibility API. End-users should treat these requests as suspicious, especially from alleged crypto wallets, PDF readers, and video players.

****RELATED ARTICLES****

1.  **Watch out: New Android spyware records your calls covertly**
2.  **LetMeSpy Android Spyware Service Shuts Down After Data Breach**
3.  **Confucius Android spyware hits military, nuclear entities in Pakistan**
4.  **Xamalicious Backdoor Infects 25 Android Apps, Affects 327K Devices**
5.  **Hackers spread Android spyware through Facebook using Fake profiles**

SpyNote Android Spyware Poses as Legit Crypto Wallets, Steals Funds

A group of cybercriminals is committing bank fraud by convincing victims to scan their IDs and faces.

Well, the GoldPickaxe Trojan does not literally steal your face, but it does steal an image of your face in order to be able to identify as you.

Researchers have found a family of Trojans, attributed to a financially motivated Chinese group, which come in versions for iOS and Android.

Cybercriminals try to trick victims into scanning their faces along with identification documents. The victims are approached through phishing and smishing messages claiming to be from local governments or other trusted sources. They ask the target to install a fake government service app.

At this stage there is a crossroads where Android and iOS infections are different. While Android users go straight to the malicious app, due to measures taken by Apple the criminals ask the iOS users to install a disguised Mobile Device Management (MDM) profile. MDM allows a controller to remotely configure devices by sending profiles and commands to the device. As such MDM offers a wide range of features such as remote wipe, device tracking, and application management, which the cybercriminals take advantage of to install malicious applications and obtain the information they need.

The criminals then request that the victim take a photo of an official ID and scan their face with the app. Additionally, the criminals request the target’s phone number in order to get more details about them, particularly their bank accounts.

Once the criminals have a scan of the face they can use artificial intelligence (AI) to perform face-swaps. Face swapping is a technique that allows you to replace faces in images with others.

With the face swap and the photo of the ID the criminals can identify themselves as the victim to the victim’s bank and withdraw funds from their account. Many financial organizations use facial recognition for transaction verification and login authentication. Although the researchers found no evidence that bank fraud was the goal of the cybercriminals, their story was confirmed by warnings from the Thai police.

Although this group is mainly active in Asia, more precisely in Thailand, it makes sense to expect such a successful method to be copied.

Malwarebytes and ThreatDown solutions detect the GoldPickaxe Trojan as Android/Trojan.Agent.prn1.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 GoldPickaxe Trojan steals your face! 

The U.S. government on Thursday said it disrupted a botnet comprising hundreds of small office and home office (SOHO) routers in the country that was put to use by the Russia-linked APT28 actor to conceal its malicious activities.
"These crimes included vast spear-phishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S.

U.S. Government Disrupts Russian-Linked Botnet Engaged in Cyber Espionage

There was about a 24-hour period where many news outlets reported on a reported DDoS attack that involved a botnet made up of thousands of internet-connected toothbrushes.

Thursday, February 15, 2024 14:00

I’ll be the first to admit that, like many people on the internet last week, I got caught up in the toothbrush distributed denial-of-service attack that wasn’t.  

I had a whole section on it written up in last week’s newsletter, and then I came across Graham Cluley’s blog post debunking the whole thing, and I had to delete it about an hour before the newsletter went live.  

There was about a 24-hour period where many news outlets reported on a reported DDoS attack that involved a botnet made up of thousands of internet-connected toothbrushes, it all started with one international newspaper report, and then was aggregated to death and spread quickly on social media.  

This attack was only a _hypothetical_ that a security researcher posed in an interview but was reported or translated as an attack that happened. 

To me, I think we can all learn from a few major takeaways from this entire saga — myself included.  

It’s easy to see why this was a ready-made story to go viral: It involved a silly device that probably doesn’t need to be connected to the internet anyway, it involved a large number that would grab headlines and it was a DDoS attack, which have suddenly come back in vogue over the past year. 

But, I’ll admit, the aggregated stories seemed a little fishy to me at first, because all the reports didn’t include any specifics about which company was targeted, how long the attack lasted, or the name of the device that was reportedly compromised. 

That last part should be a red flag going forward for any of us wanting to share a meme about something the next time a cybersecurity story goes viral — in my opinion, responsible disclosure of an attack or compromise should always include information about whatever vulnerability it was that was exploited. In this hypothetical scenario, I don’t think an adversary would have been able to compromise an internet-connected toothbrush without first exploiting some sort of vulnerability, which if it’s being reported on in public, should at least include information on patches or mitigations. 

I also think we all need to be asking the fundamental question: Why? In this case, I should have asked myself why an attacker would want to go through the trouble of compromising smart toothbrushes. And what would be the end goal of targeting a private company with a DDoS attack? Likely, it would be to demand a ransom in exchange for the attacker stopping the attack, but without knowing what sector the targeted company was in, it’s tough to guess how profitable that might even be. (For example, a health care agency may be looking to do anything to get back to operating asap, as lives could literally be at stake.) 

And once the attacker compromised a toothbrush, what information can they glean from the user besides their dental hygiene habits? Usually, they’d be looking to steal some sort of personal information, login credentials or financial data that they could then turn around and sell on the dark web. 

Needless to say, there were multiple red flags we all ignored when this story started to spread. And I’m not here to blame anyone in this case; it was all honest mistakes that, all things considered, ended up not being that serious. But the toothbrush botnet that wasn’t does serve as a reminder to all of us to be a bit more mindful before clicking share or posting a story on social media.  

**The one big thing **

Cisco Talos has identified a new backdoor authored and operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation. Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems. 

**Why do I care? **

Turla has been widely known to target entities across the world using a huge set of offensive tools in geographies including the U.S., European Union, Ukraine and Asia. They’ve previously used malware families such as CAPIBAR and KAZUAR to target Ukrainian defense forces. After Crutch and TinyTurla, Turla has now expanded their arsenal to include the TinyTurla-NG and TurlaPower-NG malware families, while also widening its net of targets to NGOs. 

**So now what? **

Talos has released new ClamAV signatures and Snort rules to protect against TinyTurla and the actors’ actions. We don’t know what the initial access vector is, so it’s tough to give targeted advice on how to avoid this malware, but having any endpoint detection in place will block this “last chance” backdoor.  

**Top security headlines of the week **

**Chinese state-sponsored actor Volt Typhoon may have silently sat on U.S. critical infrastructure networks for more than five years,** according to a new report from American intelligence agencies. According to the advisory, the infamous hacking group has been exploiting vulnerabilities in routers, firewalls and VPNs to target water, transportation, energy and communications systems across the country. Volt Typhoon has been able to control some victims’ surveillance camera systems, and the access could have allowed them to disrupt critical energy and water controls. The actor is known for using living-off-the-land binaries (LoLBins) to remain undetected once they gain an initial foothold. Authorities in Canada, Australia and New Zealand also contributed to last week’s advisory, citing their concern for similar activity in their countries. The FBI’s director recently said in testimony to U.S. Congress that authorities had dismantled a bot network of hundreds of compromised devices that was connected to VoltTyphoon. (Axios, The Guardian) 

**A new spyware network called TheTruthSpy may have compromised hundreds of Android devices using silent tracking apps that users download thinking they’re legitimate.** Security researchers uncovered the information of thousands of devices that have already been compromised, including their IMEI numbers and advertising IDs. TheTruthSpy appears to actively spy on large clusters of victims across Europe, India, Indonesia, the U.S. and U.K. The operators behind TheTruthSpy also did not address a security vulnerability in the software, identified as CVE-2022-0732, which left the victim data they stole potentially vulnerable to other bad actors. These types of stalkerware tools are often used by family members, spouses or peers of victims who want to track their physical locations and spy on messages and phone calls. The spyware is downloaded via an app, which doesn’t appear on the victim’s home screen and operates quietly in the background. (TechCrunch, maia blog) 

**Apple removed a fake LastPass app called “LassPass” after the popular password management service reported it.** The phony LassPass used a similar logo to that of the legitimate LastPass and was up on the App Store for an unknown amount of time. Apple also said it was removing the creator of the app from its Developer Program. This is a very rare case for the Apple App Store, as it has a strict review policy. LastPass released a warning to all users last week of the fake app’s existence, including a link to the legitimate LastPass app. LassPass only had one review on the store, and multiple reviews warning it was fake. However, it’s safe to assume that the app was likely set up as some sort of phishing scam meant to get users to enter their legitimate LastPass login information to be stolen by the fake app’s creator. (Ars Technica, Bleeping Computer) 

**Can’t get enough Talos? **

*   Beers with Talos Ep. #143: The Reddit security diaries 
*   The Need to Know: How are attackers using QR codes in phishing emails and lure documents? 
*   First Microsoft Patch Tuesday zero-day of 2024 disclosed as part of group of 75 vulnerabilities 

**Upcoming events where you can find Talos **

**S4x24** **(March 4 - 27)** 

Miami Beach, Florida 

_To protect themselves during Russian aggression, the Ukrainian military utilizes electronic warfare to blanket critical infrastructure to defeat radar and GPS-guided smart munitions. This has the unintended consequence of disrupting GPS synchrophasor clock measurements and creating service outages on an already beleaguered and damaged transmission electric grid. Joe Marshall from Talos’ Strategic Communications team will tell an incredible story of how a group of engineers and security professionals from a diverse coalition of organizations came together to solve this electronic warfare GPS problem in an unconventional technical way, and helped stabilize parts of the transmission grid of Ukraine._ 

**RSA** **(May 6 - 9)** 

_San Francisco, California_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1      
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515      
**Typical Filename:** IMG001.exe      
**Claimed Product:** N/A      
**Detection Name:** Win.Dropper.Coinminer::1201 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa     
**MD5:** df11b3105df8d7c70e7b501e210e3cc3     
**Typical Filename:** DOC001.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** tmp000c3787   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg

Tag

#intel