**PRESS RELEASE**

**MEXICO CITY and NEW YORK; Oct. 23, 2023 –** Accenture (NYSE: ACN) has acquired MNEMO Mexico, a privately held company specializing in managed cybersecurity services. Financial terms were not disclosed. 

Founded in Mexico City in 2012, MNEMO Mexico has 229 cybersecurity professionals and 180 cybersecurity industry certifications with key ecosystem partners. The company’s portfolio includes advanced cyber defense and response capabilities, a cyber intelligence platform powered by generative AI and other advanced technologies and a 24/7/365 security operations center in Mexico City. Its client base spans multiple industries, including telecommunications, banking and insurance.

“The combination of MNEMO Mexico’s managed cybersecurity services, extensive industry expertise and strong client base makes them an ideal partner to complement our existing capabilities. The addition of MNEMO Mexico’s team will help us grow our business in Mexico, expand our presence in Latin America and support our North America business,” said Paolo Dal Cin, who leads Accenture Security globally. “Together, we will help organizations build more cyber-resilient businesses and secure their digital cores, technologies and supply chains.”

MNEMO Mexico’s cybersecurity professionals will join Accenture Security’s workforce of more than 19,500 professionals globally, extending Accenture’s local resources and capabilities in Mexico / Latin America while addressing the growing regional demand for managed security services.

“The constantly shifting digital world is both a source of opportunity and risk, making it essential to have a well-trained and proficient cybersecurity team,” said Julian Garrido, General Director of MNEMO Mexico. “For more than 20 years our clients have counted on us to safeguard them against destructive cyberattacks. We are excited to join Accenture Security so we can collaborate across industries to help clients in Mexico and around the world build a secure future.” 

Mexico consistently ranks among the top countries in Latin America hardest hit by cyberattacks. Additionally, a report in collaboration with the World Economic Forum’s Global Cybersecurity Outlook 2023 and Accenture revealed that 59% of business leaders and 64% of cyber leaders ranked talent recruitment and retention as a key challenge for managing cyber resilience. And less than half of respondents reported having the people and skills needed today to respond to cyberattacks.

"We are proud to welcome the MNEMO Mexico team to Accenture. Their robust cybersecurity capabilities and commitment to a collaborative work culture are essential as we look to meet the increasing demand for managed security services in the market," said Andre Fleury, who leads Accenture Security in Latin America. "We are confident that we will bring tremendous talent and capability to our clients."

Accenture recently ranked No. 1 in managed security services (MSS) market share by revenue in the Gartner® Market Share: Managed Security Services, Worldwide, 2022 report, 18 April 2023 \*. **Last year, Accenture** was recognized **as a leader in strategic security services and MSS in Brazil by ISG.**

Since 2015, Accenture Security has made 17 acquisitions. Following its January 2020 acquisition of Symantec’s Cyber Security Services business, Accenture became one of the leading global providers of MSS. Accenture further strengthened its cyber defense and MSS capabilities in Latin America through the acquisition of Brazil-based Morphus earlier this year and its 2021 acquisition of Real Protect.

**Forward-Looking Statements**

Except for the historical information and discussions contained herein, statements in this news release may constitute forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. Words such as “may,” “will,” “should,” “likely,” “anticipates,” “aspires,” “expects,” “intends,” “plans,” “projects,” “believes,” “estimates,” “positioned,” “outlook,” “goal,” “target” and similar expressions are used to identify these forward-looking statements. These statements are not guarantees of future performance nor promises that goals or targets will be met, and involve a number of risks, uncertainties and other factors that are difficult to predict and could cause actual results to differ materially from those expressed or implied. These risks include, without limitation, risks that: the transaction might not achieve the anticipated benefits for Accenture; Accenture’s results of operations have been, and may in the future be, adversely affected by volatile, negative or uncertain economic and political conditions and the effects of these conditions on the company’s clients’ businesses and levels of business activity; Accenture’s business depends on generating and maintaining client demand for the company’s services and solutions including through the adaptation and expansion of its services and solutions in response to ongoing changes in technology and offerings, and a significant reduction in such demand or an inability to respond to the evolving technological environment could materially affect the company’s results of operations; if Accenture is unable to match people and their skills with client demand around the world and attract and retain professionals with strong leadership skills, the company’s business, the utilization rate of the company’s professionals and the company’s results of operations may be materially adversely affected; Accenture faces legal, reputational and financial risks from any failure to protect client and/or company data from security incidents or cyberattacks; the markets in which Accenture operates are highly competitive, and Accenture might not be able to compete effectively; Accenture’s ability to attract and retain business and employees may depend on its reputation in the marketplace; if Accenture does not successfully manage and develop its relationships with key ecosystem partners or fails to anticipate and establish new alliances in new technologies, the company’s results of operations could be adversely affected; Accenture’s profitability could materially suffer if the company is unable to obtain favorable pricing for its services and solutions, if the company is unable to remain competitive, if its cost-management strategies are unsuccessful or if it experiences delivery inefficiencies or fail to satisfy certain agreed-upon targets or specific service levels; changes in Accenture’s level of taxes, as well as audits, investigations and tax proceedings, or changes in tax laws or in their interpretation or enforcement, could have a material adverse effect on the company’s effective tax rate, results of operations, cash flows and financial condition; Accenture’s results of operations could be materially adversely affected by fluctuations in foreign currency exchange rates; changes to accounting standards or in the estimates and assumptions Accenture makes in connection with the preparation of its consolidated financial statements could adversely affect its financial results; as a result of Accenture’s geographically diverse operations and strategy to continue to grow in key markets around the world, the company is more susceptible to certain risks; if Accenture is unable to manage the organizational challenges associated with its size, the company might be unable to achieve its business objectives; Accenture might not be successful at acquiring, investing in or integrating businesses, entering into joint ventures or divesting businesses; Accenture’s business could be materially adversely affected if the company incurs legal liability; Accenture’s global operations expose the company to numerous and sometimes conflicting legal and regulatory requirements; Accenture’s work with government clients exposes the company to additional risks inherent in the government contracting environment; if Accenture is unable to protect or enforce its intellectual property rights or if Accenture’s services or solutions infringe upon the intellectual property rights of others or the company loses its ability to utilize the intellectual property of others, its business could be adversely affected; Accenture may be subject to criticism and negative publicity related to its incorporation in Ireland; as well as the risks, uncertainties and other factors discussed under the “Risk Factors” heading in Accenture plc’s most recent Annual Report on Form 10-K and other documents filed with or furnished to the Securities and Exchange Commission. Statements in this news release speak only as of the date they were made, and Accenture undertakes no duty to update any forward-looking statements made in this news release or to conform such statements to actual results or changes in Accenture’s expectations. 

**About Accenture**    
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent- and innovation-led company with approximately 733,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology and leadership in cloud, data and AI with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients reinvent and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com. 

**Accenture Security** is a leading provider of end-to-end cybersecurity services, including strategy, protection, resilience and industry-specific cyber services. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Cyber Fusion Centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Visit us at accenture.com/security.

\*Gartner, Market Share: Managed Security Services, Worldwide, 2022, April 2023. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Accenture Expands Cybersecurity Services Capabilities in Latin America With Acquisition of MNEMO Mexico

Categories: Threat Intelligence
Tags: malvertising

Tags: ads

Tags: hong kong

Tags: malware

Tags: whatsapp

Tags: telegram

Ads on Google for popular communication apps are used as a lure to compromise the devices of people from Hong Kong.



(Read more...)




The post Hong Kong residents targeted in malvertising campaigns for WhatsApp, Telegram appeared first on Malwarebytes Labs.

Malvertising is a powerful malware or scam delivery mechanism that makes it easy to target specific geographies or even users. A recent article from the South China Morning Post discussed an increase in malicious webpages for the popular WhatsApp communication tool, driven via malicious Google ads. The paper described how these ads appeared to be exclusively targeted at people from Hong Kong and have caused losses of about USD$300K last month.

We started investigating this situation and were able to identify what may be a similar campaign. The decoy sites we saw used a similar page than the web version of WhatsApp to trick victims into scanning a QR code to link their new device. Instead, it wasn't the user's device that was added to the WhatsApp account, but rather the threat actor's.

We also found another campaign using an ad for messaging tool Telegram, to lure victims into downloading a malicious version of the program. Again, this attack was targeted at residents of Hong Kong.

We have reported the malicious ads to Google and worked with partners to take down the infrastructure used in these campaigns.

**Malicious WhatsApp ad leads to QR code page**

Just like the South China Morning Post stated that users were seeing malicious ads for WhatsApp, we were able to find one immediately after switching our online profile to use a Hong Kong IP address:

The text of the ad reads as follows (translated from Chinese):

_WhatsApp New Version - WhatsApp Official Authorization_

_We are constantly updating and launching various fun and interesting functions as well as safe and reliable communication applications. Welcome to download and experience it. The cross-platform application brings you a reliable experience, and you can send private messages to your friends at any time._

Clicking on the ad leads to a convincing lookalike site in Chinese that pretends to be WhatsApp Web:

What's interesting, and works well as a lure, is the fact that WhatsApp is not just a mobile phone app, but does indeed have a web version for computers as well. The real domain for it is hosted at web.whatsapp.com and also uses a QR code to add a linked device to your account. What this means is that you can use WhatsApp on your PC or Mac after you scan the QR code and authorize that new device from your phone.

The issue here is that the QR code you are scanning is from a malicious site that has nothing to do with WhatsApp:

The domain used to generate those QR codes (lawrencework\[.\]com) was registered just two days ago. A search on urlscan.io reveals that it is associated with several other fake WhatsApp pages. We tested the QR code by adding it from a burner phone with a brand new WhatsApp account without any previous linked devices. A few seconds later, we saw a new device was added (Google Chrome running on Mac OS):

While we could not get more information (IP address, geolocation) about this new device, we knew it was not ours. When you link a new device to your WhatsApp account, the saved chat history is synced to it. This means that an attacker can essentially read your entire past and future conversations and has access to your saved contacts.

**Telegram ad links to malware**

The second ad we saw related to this campaign was using Telegram as a lure. We know it is related to the above WhatsApp attack because the ad is from the same advertiser.

The text of the ad reads as follows (translated from Chinese):

_telegram official website – telegram Chinese version – telegram download Telegram Chinese version is a Telegram client specially developed for Chinese users. Welcome to the Chinese channel, a new era of information, delivering more exciting information_

It links to a Google Docs page pretending to be a download site:

_Telegram instant messaging - simple, fast, secure and syncs across all your devices. It is one of the most downloaded apps in the world, with over 500 million active users. The latest official Telegram Chinese computer version TG-Chinese version: Click to download TG-PC: Click to download_

The two links (identical) download an MSI installer from the following URL:

kolunite.oss-ap-southeast-7.aliyuncs\[.\]com/HIP-THH-19-1.msi

This installer has been injected with malware, which we can see once we execute it:

**Targeted malvertising and motives**

These two campaigns abusing the WhatsApp and Telegram brands could be used for a variety of reasons. We did not investigate further what the ultimate ploy was, although both lead to data theft, impersonation and malware. The threat actor could use any private information from past conversations, phish the victim's contacts and much more.

This was our first foray into malvertising attacks targeted at Hong Kong. Given that this special administrative region of the People's Republic of China has a long history of tensions with Beijing, we could not help but think that malvertising campaigns such as these could be used for political reasons, although we saw no evidence of it.

Linking additional devices via QR code is a useful feature but it can also easily be abused. It's important to be cautious when scanning QR codes by verifying which site is issuing those. It's a good idea to periodically check which devices have access to your accounts, and revoke any that you don't recognize.

_Thanks to Nathan Collier for the assist with the QR code scanning on Android._

**Indicators of Compromise**

Malicious WhatsApp domains

uaa.vvg2rt\[.\]top  
wss.f8ddcc\[.\]com

QR code hostname

119srv\[.\]lawrencework\[.\]com

Telegram MSI URL

kolunite.oss-ap-southeast-7.aliyuncs\[.\]com/HIP-THH-19-1.msi

Telegram MSI

36d11b18d3345ff743f7b003d10a0820c8c1661dd7dc279434e436de798c3a4b

Hong Kong residents targeted in malvertising campaigns for WhatsApp, Telegram

By Owais Sultan
Looking for a SaaS SEO consultant? We’ve rounded up the top 15 SaaS SEO experts you need to…
This is a post from HackRead.com Read the original post: 15 Best SaaS SEO Experts That Will Help You Dominate Online

15 Best SaaS SEO Experts That Will Help You Dominate Online

WordPress LiteSpeed Cache plugin versions 5.6 and below suffer from a persistent cross site scripting vulnerability.

    Vulnerability Summary from Wordfence IntelligenceDescription: LiteSpeed Cache <= 5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected Plugin: LiteSpeed CachePlugin Slug: litespeed-cacheAffected Versions: <= 5.6CVE ID: CVE-2023-4372CVSS Score: 6.4 (Medium)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NResearcher/s: Lana Codes Fully Patched Version: <= 5.7The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘esi’ shortcode in versions up to, and including, 5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.Technical AnalysisThe LiteSpeed Cache is a site acceleration plugin with server-level cache and optimization. It provides a shortcode ([esi]) that can be used to cache blocks with Edge Side Includes technology when added to a WordPress page, if ESI was previously enabled in the settings.Unfortunately, insecure implementation of the plugin’s shortcode functionality allows for the injection of arbitrary web scripts into these pages. Examining the vulnerable code reveals that the shortcode method in the ESI class does not adequately sanitize the user-supplied ‘cache’ input, and then fails to escape the ‘control’ output derived from the ‘cache’ parameter when it builds the ESI block. This makes it possible to inject attribute-based Cross-Site Scripting payloads via the ‘cache’ attribute.[You can view these code snippets on the blog] This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page. While this vulnerability does require that a trusted contributor account is compromised, or a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.Shortcode Exploit PossibilitiesPrevious versions of WordPress contained a vulnerability that allowed shortcodes supplied by unauthenticated commenters to be rendered in certain configurations. This would make it possible for unauthenticated attackers to exploit this Cross-Site Scripting vulnerability on vulnerable installations. Fortunately, however, a vast majority of sites have been automatically upgraded to a patched release of WordPress as of this writing, which means most site owners do not need to be concerned about this. We still strongly recommend verifying your site has been updated to one of the patched versions of WordPress core found here. Disclosure TimelineAugust 14, 2023 – Wordfence Threat Intelligence team discovers the stored XSS vulnerability in LiteSpeed Cache.August 14, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.August 14, 2023 – The vendor confirms the inbox for handling the discussion.August 14, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.August 16, 2023 – The vendor made the patch and sent us the GitHub commit.October 10, 2023 – The fully patched version, 5.7, is released.ConclusionIn this blog post, we have detailed a stored XSS vulnerability within the LiteSpeed Cache plugin affecting versions 5.6 and earlier. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page. The vulnerability has been fully addressed in version 5.7 of the plugin.We encourage WordPress users to verify that their sites are updated to the latest patched version of LiteSpeed Cache.All Wordfence users, including those running Wordfence Premium , Wordfence Care , and Wordfence Response , as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence  and potentially earn a spot on our leaderboard .

WordPress LiteSpeed Cache 5.6 Cross Site Scripting

Ubuntu Security Notice 6445-2 - It was discovered that the IPv6 implementation in the Linux kernel contained a high rate of hash collisions in connection lookup table. A remote attacker could use this to cause a denial of service. Daniel Trujillo, Johannes Wikner, and Kaveh Razavi discovered that some AMD processors utilising speculative execution and branch prediction may allow unauthorised memory reads via a speculative side-channel attack. A local attacker could use this to expose sensitive information, including kernel memory.

==========================================================================  
Ubuntu Security Notice USN-6445-2  
October 24, 2023

linux-intel-iotg-5.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms

Details:

It was discovered that the IPv6 implementation in the Linux kernel  
contained a high rate of hash collisions in connection lookup table. A  
remote attacker could use this to cause a denial of service (excessive CPU  
consumption). (CVE-2023-1206)

Daniel Trujillo, Johannes Wikner, and Kaveh Razavi discovered that some AMD  
processors utilising speculative execution and branch prediction may allow  
unauthorised memory reads via a speculative side-channel attack. A local  
attacker could use this to expose sensitive information, including kernel  
memory. (CVE-2023-20569)

It was discovered that the IPv6 RPL protocol implementation in the Linux  
kernel did not properly handle user-supplied data. A remote attacker could  
use this to cause a denial of service (system crash). (CVE-2023-2156)

Davide Ornaghi discovered that the DECnet network protocol implementation  
in the Linux kernel contained a null pointer dereference vulnerability. A  
remote attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. Please note that kernel support for the  
DECnet has been removed to resolve this CVE. (CVE-2023-3338)

Ross Lagerwall discovered that the Xen netback backend driver in the Linux  
kernel did not properly handle certain unusual packets from a  
paravirtualized network frontend, leading to a buffer overflow. An attacker  
in a guest VM could use this to cause a denial of service (host system  
crash) or possibly execute arbitrary code. (CVE-2023-34319)

Chih-Yen Chang discovered that the KSMBD implementation in the Linux kernel  
did not properly validate command payload size, leading to a out-of-bounds  
read vulnerability. A remote attacker could possibly use this to cause a  
denial of service (system crash). (CVE-2023-38432)

It was discovered that the NFC implementation in the Linux kernel contained  
a use-after-free vulnerability when performing peer-to-peer communication  
in certain conditions. A privileged attacker could use this to cause a  
denial of service (system crash) or possibly expose sensitive information  
(kernel memory). (CVE-2023-3863)

Laurence Wit discovered that the KSMBD implementation in the Linux kernel  
did not properly validate a buffer size in certain situations, leading to  
an out-of-bounds read vulnerability. A remote attacker could use this to  
cause a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2023-3865)

Laurence Wit discovered that the KSMBD implementation in the Linux kernel  
contained a null pointer dereference vulnerability when handling handling  
chained requests. A remote attacker could use this to cause a denial of  
service (system crash). (CVE-2023-3866)

It was discovered that the Siano USB MDTV receiver device driver in the  
Linux kernel did not properly handle device initialization failures in  
certain situations, leading to a use-after-free vulnerability. A physically  
proximate attacker could use this cause a denial of service (system crash).  
(CVE-2023-4132)

Andy Nguyen discovered that the KVM implementation for AMD processors in  
the Linux kernel with Secure Encrypted Virtualization (SEV) contained a  
race condition when accessing the GHCB page. A local attacker in a SEV  
guest VM could possibly use this to cause a denial of service (host system  
crash). (CVE-2023-4155)

It was discovered that the TUN/TAP driver in the Linux kernel did not  
properly initialize socket data. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2023-4194)

Bien Pham discovered that the netfiler subsystem in the Linux kernel  
contained a race condition, leading to a use-after-free vulnerability. A  
local user could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-4244)

Maxim Suhanov discovered that the exFAT file system implementation in the  
Linux kernel did not properly check a file name length, leading to an out-  
of-bounds write vulnerability. An attacker could use this to construct a  
malicious exFAT image that, when mounted and operated on, could cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-4273)

Kyle Zeng discovered that the networking stack implementation in the Linux  
kernel did not properly validate skb object size in certain conditions. An  
attacker could use this cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-42752)

Kyle Zeng discovered that the netfiler subsystem in the Linux kernel did  
not properly calculate array offsets, leading to a out-of-bounds write  
vulnerability. A local user could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-42753)

Kyle Zeng discovered that the IPv4 Resource Reservation Protocol (RSVP)  
classifier implementation in the Linux kernel contained an out-of-bounds  
read vulnerability. A local attacker could use this to cause a denial of  
service (system crash). Please note that kernel packet classifier support  
for RSVP has been removed to resolve this vulnerability. (CVE-2023-42755)

Kyle Zeng discovered that the netfilter subsystem in the Linux kernel  
contained a race condition in IP set operations in certain situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-42756)

Thelford Williams discovered that the Ceph file system messenger protocol  
implementation in the Linux kernel did not properly validate frame segment  
length in certain situation, leading to a buffer overflow vulnerability. A  
remote attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2023-44466)

Bing-Jhong Billy Jheng discovered that the Unix domain socket  
implementation in the Linux kernel contained a race condition in certain  
situations, leading to a use-after-free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-4622)

Budimir Markovic discovered that the qdisc implementation in the Linux  
kernel did not properly validate inner classes, leading to a use-after-free  
vulnerability. A local user could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-4623)

Alex Birnberg discovered that the netfilter subsystem in the Linux kernel  
did not properly validate register length, leading to an out-of- bounds  
write vulnerability. A local attacker could possibly use this to cause a  
denial of service (system crash). (CVE-2023-4881)

It was discovered that the Quick Fair Queueing scheduler implementation in  
the Linux kernel did not properly handle network packets in certain  
conditions, leading to a use after free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-4921)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did  
not properly handle removal of rules from chain bindings in certain  
circumstances, leading to a use-after-free vulnerability. A local attacker  
could possibly use this to cause a denial of service (system crash) or  
execute arbitrary code. (CVE-2023-5197)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1043-intel-iotg  5.15.0-1043.49~20.04.1  
   linux-image-intel               5.15.0.1043.49~20.04.33  
   linux-image-intel-iotg          5.15.0.1043.49~20.04.33

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6445-2  
   https://ubuntu.com/security/notices/USN-6445-1  
   CVE-2023-1206, CVE-2023-20569, CVE-2023-2156, CVE-2023-3338,  
   CVE-2023-34319, CVE-2023-38432, CVE-2023-3863, CVE-2023-3865,  
   CVE-2023-3866, CVE-2023-4132, CVE-2023-4155, CVE-2023-4194,  
   CVE-2023-4244, CVE-2023-4273, CVE-2023-42752, CVE-2023-42753,  
   CVE-2023-42755, CVE-2023-42756, CVE-2023-44466, CVE-2023-4622,  
   CVE-2023-4623, CVE-2023-4881, CVE-2023-4921, CVE-2023-5197

Package Information:

 https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1043.49~20.04.1

Ubuntu Security Notice USN-6445-2

Cybercriminals already operate across borders. Nations must do the same to protect their critical infrastructure, people, and technology from threats foreign and domestic.

Despite an onslaught of media coverage on cyberattacks and the impact of cybercrime on businesses and governments around the world, most people and, worse, most countries still don't view cybercrime as a national security issue.

Unlike some other areas of organized crime, cybercrime poses a direct threat to national security and the everyday lives of citizens. These malicious actors can target critical infrastructure like hospitals, pipelines, the financial system, energy facilities, shipping ports, and airports. One of the most well-known examples of the impact cybercrime can have on critical infrastructure and how quickly things can go wrong is the Colonial Pipeline ransomware attack and its aftermath, which disrupted economic activity.

**National Intelligence Agencies Are Focused Elsewhere**

However, even as the damages inflicted by cybercrime increase every year, national intelligence agencies remain focused on other national entities and terrorist groups. This leaves private organizations on their own, unarmed and incapable of dealing with malicious actors' growing sophistication and resources.

This is a colossal mistake that could lead to catastrophic consequences. Cybercrime is the central threat in cyberspace. To effectively combat it, nation-states must recognize the harm it can do and take proactive steps to lay the foundation for an international alliance for cybersecurity. Picture it as the NATO of cybersecurity. By coming together as a group, these nation-states can better protect their people, critical infrastructure, and proprietary technology from cyber threats, while also strengthening international relations.

To date, countries have failed to rise to the occasion. Some would even venture to say that we're moving backward, as international tensions rise as a result of the war in Ukraine and other conflicts. Additionally, the ever-growing patchwork of data privacy laws has created new roadblocks for information sharing and response times. In order to shift the narrative and get on the right course to establishing a new international organization geared to the mitigation of, protection against, and punishment of cybercriminals, we first must establish three overarching branches of enforcement.

1.  **The intelligence branch:** Whether you're in Asia, Europe, Latin America, or North America, cybercriminals use the same methods and tactics to conduct attacks. However, today, each country deals with cybercriminal activities independently, negatively impacting information sharing, resources, and expertise. Establishing an intelligence branch would serve as a hub that collects and centralizes information on malicious actors, and their methods, tools, and attacks. By developing a comprehensive database on cybercriminals, each member of this international cyber alliance would benefit from shared knowledge, enabling them to enhance their ability to prevent and respond to cyber threats effectively.
2.  **The policy and strategy branch:** Using the information and data collected by the intelligence branch, a policy and strategy team would be able to develop best practices, guidelines, and regulations that serve as the bedrock for a robust national cyber environment. By sharing and implementing these policies, the alliance can create a common framework that enhances cybersecurity measures and minimizes vulnerabilities across borders.
    
3.  **The** **operations branch:** Lastly, any new international cybersecurity alliance will need an operations branch. This branch would be responsible for implementing, executing, and enforcing laws, as well as taking actions to deter cybercriminals and legally pursuing them. By collectively responding to cyber threats, the alliance can demonstrate a unified front against cybercriminals, making it more challenging for them to exploit vulnerabilities across member countries.
    

In addition to establishing the three branches of the alliance, there are several other key components that are necessary. These include infrastructure, a host country, and like-minded member countries:

*   **Infrastructure:** An undertaking on this scale would require a robust physical and virtual presence to facilitate seamless information sharing, collaboration, and coordinated responses. Without this, nations and industries would continue to struggle with information sharing, mitigation, and enforcement.
*   **Host country:** Similar to other international organizations, it is advisable for the alliance to have a host country that can facilitate the organization's operations. The United States is the most obvious choice. Given the country's technological capabilities, innovative culture, and history of leadership in cybersecurity, it would be the ideal candidate for hosting the international alliance for cybersecurity.
*   **Like-minded member countries:** The success of the international alliance depends on member countries sharing common values such as liberal principles, a free market, democratic governance, and the protection of human rights. As in other military alliances, the member countries would form a unified attack surface, and operate together to fight attacks.

Cybercriminals already operate across borders, sharing knowledge and collaborating on a global scale. It's time for nations to do the same to protect their critical infrastructure, people, and technology from threats foreign and domestic.

It's Time to Establish the NATO of Cybersecurity

Hundreds of millions of users of Grammarly, Vidio, and the Indonesian e-commerce giant Bukalapak are at risk for financial fraud and credential theft due to OAuth misfires — and other online services likely have the same problems.

Flaws in the implementation of the Open Authorization (OAuth) standard across three prominent online services could have allowed attackers to take over hundreds of millions of user accounts on dozens of websites, exposing people to credential theft, financial fraud, and other cybercriminal activity. 

Researchers from Salt Labs discovered critical API misconfigurations on the sites of several online companies — artificial intelligence (AI)-powered writing tool Grammarly, online streaming platform Vidio, and Indonesian e-commerce site Bukalapak — that lead them to believe that dozens of other sites are likely compromised in the same way, they revealed in a report published Oct. 24.

OAuth is a widely implemented standard for allowing for cross-platform authentication, familiar to most as the option to log in to an online site with another social media account, such as "Log in with Facebook" or "Log in with Google." 

The recently-discovered implementation flaws are among a series of issues in OAuth that the researchers have discovered in recent months, stretching across prominent online platforms that put users at risk. Salt researchers already had discovered similar OAuth flaws in the Booking.com website and Expo — an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase — that could have allowed account takeover and full visibility into user personal or payment-card data. The Booking.com flaw also could have allowed log-in access to the website's sister platform, Kayak.com.

The researchers refer broadly to the latest issue found in Vidio, Grammarly, and Bukalapak as a "Pass-The-Token" flaw, in which an attacker may use a token — the unique, secret site identifier used to verify the handoff — from a third party site typically owned by the attacker himself to login to another service.

"For example, if a user logged in to a site called mytimeplanner.com, which is owned by the attacker, the attacker could then use the users token and log in on his behalf to other sites, like Grammarly for instance," Yaniv Balmas, vice president of research at Salt, explains to Dark Reading.

The researchers found the latest issues in Vidio, Bukalapak, and Grammarly between February and April, respectively, and notified the three companies in turn, which all responded in a timely way. The misconfigurations all have since been resolved in these particular services, but that's not the end of the story. 

"Just these three sites are enough for us to prove our point, and we decided to not look for additional targets," according to the report, "but we expect that thousands of other websites are vulnerable to the attack we detail in this post, putting billions of additional Internet users at risk every day,"

**Various Ways to Misconfigure OAuth**

The issue manifests itself uniquely on each of the three sites. On Vidio, an online streaming platform with 100 million monthly active users, the researchers found that when logging into the site through Facebook, the site did not verify the token — which the website developers and not OAuth must do. Because of this, an attacker could manipulate the API calls to insert an access token generated for a different application, the researchers found.

"This alternate token/AppID combination allowed the Salt Labs research team to impersonate a user on the Vidio site, which would have allowed massive account takeover on thousands of accounts," the researchers wrote in the report.

Like Vidio, Bukalapak — which has more than 150 million monthly users — also didn't verify the access token when users registered using a social login. In a similar way, the researchers could insert a token from another website to access a user's credentials and completely take over that user's account.

The OAuth issue discovered on Grammarly — which helps more than 30 million daily users improve their writing by offering grammar, punctuation, spelling checks, and other writing tips — manifested itself slightly differently.

The researchers found that by doing reconnaissance on the API calls and learning the terminology the Grammarly site uses to send the code, they could manipulate the API exchange to insert code used to verify users on a different site and, again, obtain the credentials of a user's account and achieve full account takeover.

**Secure OAuth From the Start**

OAuth itself is well-designed, and the major OAuth providers such as Google and Facebook have secure servers protecting them on the back end. However, those developing the services and sites that leverage the standard to perform the authentication handoff often create issues that render the exchange inherently insecure even if the site appears to function properly, Balmas says.

"It is very easy for anyone to add social-login functionality to his website … and everything will actually work quite fine," he says. "However, without the proper knowledge and awareness, it is very easy to leave cracks that the attacker will be able to abuse and achieve very serious impact on all the website users."

For this reason, it's essential to the security of sites and services that leverage OAuth to be secure from an implementation standpoint, which may require that developers do some homework before building the standard into the site.

"Web services who wish to implement social login or any other OAuth-related functionalities should make sure they have a solid understanding of how OAuth works and common pitfalls that may have potential for being abused," he says.

Developers can also use third-party tools that monitor for anomalies and deviations from typical behavior and which may identify as-yet unknown attacks, providing a safety net for the site and thus all of its users, Balmas adds.

'Log in with...' Feature Allows Full Online Account Takeover for Millions

We observed the BlackByte ransomware group’s new variant, BlackByte NT, for the first time in addition to the previously seen LockBit ransomware, which continues to be the top observed ransomware family in Talos IR engagements.

Tuesday, October 24, 2023 08:10

**Quarterly threat report: Telecommunications and education are most-targeted verticals**

There was a notable increase in threats to web applications, accounting for 30 percent of the engagements Cisco Talos Incident Response (Talos IR) responded to in the third quarter of 2023, compared to 8 percent the previous quarter. Exploitation of public-facing applications was the top observed means of gaining initial access, accounting for 30 percent of engagements. The high number of web application attacks likely played a significant role in the increase this quarter.  

However, ever-present ransomware continues to be a threat, accounting for 10 percent of engagements. This quarter, which covers July, August and September, featured the LockBit and BlackByte ransomware families, which Talos IR has observed in previous quarters. But for the very first time, Talos IR observed a new variant of BlackByte ransomware, BlackByte NT. 

 Telecommunications and education were the most targeted verticals, each accounting for 20 percent of engagements. Threat actors and groups with varying motives and sophistication frequently targeted telecommunications organizations, continuing a trend where it was consistently a top-targeted industry vertical in 2022, according to Talos IR.  

Telecommunications companies are attractive targets due to their control over several critical infrastructure assets, serving as a gateway for adversaries to access other businesses, subscribers, or third-party providers. These organizations also have a large amount of customer data that is often targeted by financially motivated cybercriminals such as ransomware groups.   

Educational institutions are continuously targeted by cybercriminals due to vast amounts of personally identifiable student data, including financial and counseling records, as well as research institutes rich in intellectual property. Many education organizations have limited budgets devoted to cybersecurity, hampering defenses.      

**Web application targeting on the rise **

Attacks against web applications — and subsequent post-compromise activity — were the top-observed threat in Q3, accounting for 30 percent of engagements, a significant increase compared to the previous quarter. After gaining initial access, adversaries leveraged techniques such as launching web injection attacks, deploying web shells, and using commercial off-the-shelf frameworks such as Supershell, which deploys web shells to maintain access to a system. Talos IR is seeing a growing trend of adversaries leveraging advanced functionalities of various command and control (C2) frameworks, such as the newly observed Supershell C2 framework, to identify weaknesses in web servers and deploy web shells more easily. 

Supershell is a web-based management platform that allows attackers to remotely execute commands, manage compromised systems, and collaborate with multiple users. Before downloading Supershell, the attackers placed malicious XML inputs containing a reference to an external entity using XML external entity (XXE) injection attacks in hopes the web server had a misconfigured XML parser. Based on our analysis, Supershell appears to be designed for predominantly Chinese-speaking individuals as the tool is written for a Chinese-only web interface console. There is also a clear preference for Chinese in Supershell’s GitHub documentation, although an English-translated option exists.  

Although the development of recent frameworks that make the deployment of web shells easier benefits sophisticated adversaries, these frameworks may also reduce the barrier for entry for less sophisticated attackers. Given the growing trend of commercial off-the-shelf C2 frameworks within the last year, including Alchimist and Manjusaka, it is likely this trend will continue to play out as adversaries increasingly turn to adopt additional capabilities for performing web-based attacks. 

Web shells are malicious scripts that enable threat actors to compromise web-based servers exposed to the internet. Talos IR responded to an engagement where attackers uploaded several PHP web shells to an unpatched web server, demonstrating how threat actors commonly chain together web shells to build a more flexible toolkit. Within this cluster of activity, the attackers could not further carry out any post-compromise objectives due to the presence of a Web Application Firewall (WAF), highlighting the importance of implementing a WAF between public-facing servers and the Internet to help defend against these attacks.   

In several engagements this quarter, we observed adversaries leveraging Structured Query Language injection (SQLi) attacks, a technique in which adversaries enter SQL commands into an input field that does not use validation and sanitization. We increasingly see adversaries continue to use scanning frameworks to launch SQLi attacks. In one cluster of activity, Talos IR identified multiple SQLi attempts and more than 1,000 instances of SQLMap, an open-source utility often used to identify and exploit SQLi vulnerabilities. Adversaries also used a SQL injection module within Nessus, a proprietary vulnerability scanner, highlighting the threat actor’s intent on identifying SQLi vulnerabilities for expanded access.  

**Ransomware remains a threat **

Ransomware activity continued this quarter accounting for 10 percent of total IR engagements in Q3. We observed the BlackByte ransomware group’s new variant, BlackByte NT, for the first time in addition to the previously seen LockBit ransomware, which continues to be the top observed ransomware family in Talos IR engagements. 

LockBit was one of the most prevalent variants seen in Talos IR engagements since September 2022, consistent with a wide body of reporting calling LockBit one of the most active ransomware threats this year.  

Talos IR responded to a LockBit ransomware attack where the adversaries gained an initial foothold into the environment by compromising a valid contractor account. Once inside, attackers began dumping credentials from internal systems and were able to create an administrator account to elevate privileges and remain persistent in the environment. To evade detection, the attackers cleared the Windows event logs and disabled several security tools, including endpoint detection and response (EDR) and antivirus. LockBit established C2 channels via multiple methods, including the adversary simulation tool Cobalt Strike and the legitimate remote access software AnyDesk. The attackers modified domain policies to create a scheduled task that eventually executed the LockBit ransomware binary.  

Talos IR has previously observed BlackByte ransomware, but this quarter was the first time seeing the new variant, BlackByte NT. Unlike the former variants, this new variant (aka BlackByte 2.0) is written entirely in C++ and was discovered in May 2023. 

Talos IR observed the new BlackByte NT ransomware variant where the attackers initially compromised a valid account to gain access. Several accounts with administrator privileges were created in this engagement as well, showing ransomware actors’ reliance on account creation to escalate privileges and enable persistence. Attackers then used a combination of RDP, SSH, and Server Message Block (SMB) for lateral movement. Using the open-source Secure File Transfer Protocol (SFTP) tool WinSCP, adversaries exfiltrated data from the environment. Before encryption, the attackers cleared the Windows event logs to cover their tracks and deleted the shadow volume copies to inhibit system recovery, consistent with ransomware TTPs. Ransomware was propagated across the environment via SMB admin shares, a common distribution method also observed in ransomware attacks.   

**New ShroudedSnooper actor observed using custom backdoors **

This quarter also featured a new advanced persistent threat (APT) ShroudedSnooper targeting telecommunications firms in the Middle East. This activity is a continuation of a trend we have been monitoring over the past several years in which sophisticated actors are frequently targeting telecommunications organizations, a top-targeted industry vertical this quarter and throughout 2022, according to Talos IR. As part of this activity, ShroudedSnooper deployed two novel backdoor implants we dubbed “HTTPSnoop” and “PipeSnoop.” 

These backdoors interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint. Talos IR observed DLL- and EXE-based versions of the implants that masquerade as legitimate security software components, and specifically extended detection and response (XDR) agents, making detection challenging.  

**Initial vectors **

Exploitation of public-facing applications was the top observed means of gaining initial access, accounting for 30 percent of engagements. The high number of web application attacks likely played a significant role in the increase this quarter.   

**Security weaknesses **

Unpatched or misconfigured applications and a lack of multi-factor authentication (MFA) were tied to the top security weaknesses, each accounting for 40 percent of engagements. This activity aligns with the top two initial access vectors used by adversaries this quarter, including exploiting public-facing applications and abusing valid accounts. Talos IR frequently observes attacks that could have been prevented if MFA was enabled on critical services, such as RDP. Talos IR recommends expanding MFA for all user accounts, such as employee, contractor and business partner accounts.   

Staying up-to-date with software updates on public-facing applications is a crucial aspect of an organization’s security posture. Attackers often exploit vulnerabilities to achieve post-compromise objectives, such as privilege escalation. While vulnerability and patch management are critical, it is not always possible to immediately apply every security patch due to the complexity of enterprise networks. Talos IR recommends prioritizing critical vulnerabilities that pose the biggest threats to preventing exploitation.   

Misconfigurations can also leave organizations exposed regardless of an adversary’s intention. Talos IR frequently sees actors compromising systems that were misconfigured to be exposed publicly. Attackers often take the path of least resistance by leveraging vulnerabilities and exposures, highlighting that organizations need to be proactive in ensuring both systems and tools are configured properly.    

**Top observed MITRE ATT&CK techniques **

The table below represents the MITRE ATT&CK techniques observed in this quarter’s IR engagements, which includes relevant examples and the volume Talos IR saw in engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list. 

Key findings from the MITRE ATT&CK framework include: 

*   Exploitation of public-facing applications was the top observed means of gaining initial access this quarter, accounting for 30 percent of total engagements.  
*   Attackers abused remote services, such as RDP, to move laterally in 25 percent of engagements. 
*   AnyDesk was observed in all ransomware and pre-ransomware engagements this quarter, underscoring its role in ransomware affiliates' attack chains.   
*   Indicator removal, such as clearing Windows event logs and file deletion, was the top defense evasion technique observed.   
*   In 25 percent of engagements this quarter, Talos IR observed attackers abusing scheduled tasks for continuous execution of malicious code to maintain persistence on an endpoint.    

Initial Access (TA0001)  

Example  

T1190 Exploit in Public-Facing Application  

Attackers successfully exploited a vulnerable application that was publicly exposed to the Internet    

Execution (TA0002)  

Example  

T1059.001 Command and Scripting Interpreter: PowerShell  

Executes PowerShell code to retrieve information about the client’s Active Directory environment  

Persistence (TA0003)  

Example  

T1053.005 Scheduled Task / Job: Scheduled Task  

Scheduled tasks were created on a compromised server  

Defense Evasion (TA0005)  

Example  

T1134.002 Access Token Manipulation: Create Process with Token  

Attackers created a new process using the command “run as”  

Credential Access (TA0006)  

Example  

T1003.001 OS Credential Dumping: LSASS Memory  

Use “lsass.exe” for stealing password hashes from memory  

Lateral Movement (TA0008)  

Example  

T1021.001 Remote Services: Remote Desktop Protocol  

Adversary made attempts to move laterally using Windows Remote Desktop   

Command and Control (TA0011)  

Example  

T1219 Remote Access Software  

Remote access tools found on the compromised system    

Exfiltration (TA0010)  

Example  

T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol  

Using FTP for file exfiltration  

Impact (TA0040)  

Example  

T1486 Data Encrypted for Impact  

Deploy LockBit ransomware and encrypt critical systems

Attacks on web applications spike in third quarter, new Talos IR data shows

Though often viewed as the “crown jewel” of the US intelligence community, fresh reports of abuse by NSA employees and chaos in the US Congress put the tool's future in jeopardy.

A federal law authorizing a vast amount of the United States military’s foreign intelligence collection is set to expire in two months, pulling the plug on history’s most prolific eavesdropping operation and the primary means by which US spies intercept the private communications of people deemed threatening, or simply interesting, by the US government—the world’s foremost surveillant.

The US National Security Agency (NSA) relies heavily on the statute, Section 702 of the Foreign Intelligence Surveillance Act, when compelling the cooperation of communications giants that oversee huge swaths of the world’s internet traffic, intercepting hundreds of millions of phone calls and email messages each year, and eavesdropping on the personal conversations of targeted foreign individuals and anyone else, including Americans, unfortunate enough to be caught in their orbit.

As of now, members of Congress have introduced exactly zero bills to prevent Section 702 from sunsetting on January 1, 2024, even though many—perhaps a majority—view this intelligence “crown jewel” as fundamental to the national defense; a flawed but fixable law. The Democrats, who control the Senate, are not blameless in stalling the reauthorization, with more than a handful vying to ensure its renewal is contingent on new rules that force the government to get a warrant before weaponizing the data against its own citizens. The internal conflict roiling the Republican Party, many of whose members share in the desire to rein in the government’s domestic surveillance capabilities, is nevertheless the biggest factor forestalling a compromise, particularly following the removal of Kevin McCarthy as House speaker earlier this month.

The US intelligence community is not without blame. A litany of reported errors, ethical violations, and at least some criminal activity bearing the telltale signs of having been swept under the rug have gone a long way in validating the concerns of Section 702’s biggest detractors: Privacy defenders on both sides of the aisle who share common ground with political allies of Donald Trump, a wellspring of animosity when it comes to military and intelligence leaders—officials routinely peppered from the right with allegations of partisanship and other “treasonous things.”

A US report published in September by an independent government privacy watchdog describes a number of new “noncompliant” uses of raw Section 702 data by analysts at the NSA, an agency where military and civilian employees have been caught repeatedly abusing classified intel for personal, and even sexual, reasons. Issued by the Privacy and Civil Liberties Oversight Board (PCLOB), a body effectively commandeered by Congress in 2005 in an effort to help gauge the scope of the explosion in surveillance after 9/11, the report adds to a decade’s worth of documented surveillance abuses.

_The Wall Street Journal_ first reported in 2013 amid the exploding Edward Snowden scandal that NSA staff had been caught on numerous occasions spying on what the paper called “love interests.” The phenomenon is common enough at the agency to receive its own internal designation: “LOVEINT,” a portmanteau of “love” and “intelligence,” abbreviated in the style of actual surveillance disciplines such SIGINT and HUMINT (“signals” and “human” intelligence, respectively.)

Senator Dianne Feinstein, who died who on September 29 at the age of 90, had defended the NSA following the report, referring to the violations as “isolated,” occurring only roughly, she said, once a year. The _Journal_ noted, meanwhile, that nearly all of the known violations had been self-reported, likely by employees fearful of failing a polygraph exam.

The term “LOVEINT” implies a degree of harmlessness, the misguided acts of a hopeless romantic or a jilted lover. Yet it signifies behavior that is by any modern definition equivalent to stalking. That it received this designation at all seemingly suggests that the abuse is constant enough to border on systemic. The watchdog report released last month by the PCLOB notes that, in 2022, one NSA analyst twice conducted queries on people they’d met “through an online dating service,” showing that despite years of procedures developed to protect against such incidents, the temptation to abuse the most expansive surveillance tool in history for personal gain remains too enticing a prospect for some.

“The US government’s incredible surveillance powers are intended to keep Americans safe from global threats, but we’ve seen time and again how officials have misused this authority at the expense of Americans’ civil liberties,” US senator Chuck Grassley, a Republican from Iowa, tells WIRED. “Instead of aiming this tool at terrorists and international criminals, some have put their political rivals and even love interests in the crosshairs.” The intelligence community’s continued access to the 702 data hinges, in part, on its ability to demonstrate that it can cooperate with oversight attempts, Grassley says, and send an “unequivocal message that abuses will be met with steep consequences.”

While any substantive detail about past 702 violations remains obscured by conditions of secrecy, what can be gleaned from unclassified reports about the “consequences” facing NSA staff for stalking is not encouraging. A 2013 letter from the NSA’s then-top internal watchdog, George Ellard, for instance, described years’ worth of abuses that coincide and even predate the existence of Section 702, which Congress passed in 2008 in an effort to legalize the widespread wiretapping of calls already going in and out of the US, as well as immunize telecommunications companies like AT&T, which was revealed early on to be eagerly cooperating with the government’s demands.

Ellard’s letter, combined with more recent abuse disclosures, paints a picture of an agency that discovers surveillance abuses mainly when its employees self-report them, often to avoid trouble during or in advance of a polygraph test. Violators are often on their way out the door, presumably bound for the private sector, or are otherwise given the option to retire rather than face any real consequences for their actions. Numerous civilian employees at the NSA have admitted to wiretapping the phones of romantic partners, yet it's clear that many escaped punishment by quitting the agency before investigations into their conduct were earnestly underway.

In one of the most egregious cases, predating the 702 program by several years, an NSA employee admitted to wiretapping nine phone numbers belonging to women. Like with other offenses, Ellard noted in his letter—made public by Grassley several years ago—that the employee had “resigned before discipline had been proposed.” (Incidentally, Ellard’s decade as the NSA inspector general came to an unceremonious end following allegations that he’d retaliated against an agency whistleblower.)

Only US service members with access to raw 702 data appear to have been held accountable to some degree, almost certainly because they were unable, due to the terms of their service, to walk away from their jobs. A member of a “tactical military unit,” for instance, was demoted and docked one month’s pay after searching the classified database for communications belonging to his wife, while another’s access was cut after the NSA discovered they’d been eavesdropping on random people’s phone calls, purportedly to learn the language the victims were speaking.

Section 702, which last year targeted more than 246,000 “non-US persons,” permits the NSA to collect both text and audio of communications belonging to Americans, even when they are not the target of an investigation or suspected of foreign or criminal ties. These communications are “highly personal and sensitive, capturing exchanges with loved ones, friends, medical providers, academic adviseors, lawyers, or religious leaders,” according to the oversight authorities; capable of providing “great insight into an individual’s whereabouts, both in a given moment and in patterns over time.” While the communications of Americans captured as part of Section 702 surveillance may be subject to “minimization” procedures down the line, they are nevertheless stored in a “raw” or unredacted format and can be viewed with the help of a Google Search-like interface.

It's unclear how many government employees can access Section 702 data, but US lawmakers have offhandedly estimated the figure to be upwards of 10,000 people. This includes many employed by the Federal Bureau of Investigation, where the process of accessing the database remains practically free from judicial review. Under its own procedures, the FBI may conduct searches of the 702 database without probable cause so long as it believes it is “reasonably likely” to retrieve evidence of a crime—the legal equivalent of a hunch. According to a 2016 memorandum authored by the secretive Foreign Intelligence Surveillance Court, the FBI has at times failed to abide by what are already notably loose restrictions on using 702 for the purpose of acquiring communications protected by attorney-client privilege. The FBI's own procedures have long permitted agents to search the 702 database for correspondence between US citizens and their attorneys, as well as disseminate that information internally, provided the target of the search has not been charged with a crime.

While the NSA refers to the communications of Americans captured under Section 702 as having been collected “incidentally”—the statute authorizes only the “targeting” of “non-US persons reasonably believed to be located outside the United States”—it is important to note that the word “incidental” does not mean “by mistake.” It is merely accepted that each year, as a cost of doing business, the NSA will “inevitably” intercept the calls and messages of an unknown but “substantial” number of Americans.

This collection may be best understood as occurring not in error but as collateral surveillance, defended by the government under an ever-expanding list of national security threats: terrorism, first and foremost; then cyberattacks launched by hostile foreign actors; and today, finally, the illicit trafficking of fentanyl from sources in China.

Since the enactment of Section 702 some 15 years ago, US intelligence chiefs have claimed that it would be impossible to provide any clear metrics regarding just how many Americans are “incidentally” eavesdropped on each year. Ironically, it is the sheer amount of surveillance conducted by the NSA that is blamed for obscuring its impact on Americans’ civil liberties. “We do not yet know the scope of incidental collection,” this year’s PCLOB report states. But it should not be understood as “occurring infrequently,” it says, nor as an “inconsequential part of the Section 702 program.”

A Powerful Tool US Spies Misused to Stalk Women Faces Its Potential Demise

Stefan Thomas lost the password to an encrypted USB drive holding 7,002 bitcoins. One team of hackers believes they can unlock it—if they can get Thomas to let them.

At 9:30 am on a Wednesday in late September, a hacker who asked to be called Tom Smith sent me a nonsensical text message: “query voltage recurrence.”

Those three words were proof of a remarkable feat—and potentially an extremely valuable one. A few days earlier, I had randomly generated those terms, set them as the passphrase on a certain model of encrypted USB thumb drive known as an IronKey S200, and shipped the drive across the country to Smith and his teammates in the Seattle lab of a startup called Unciphered.

Unciphered’s staff in the company’s Seattle lab.

Photograph: Meron Menghistab

Smith had told me that guessing my passphrase might take several days. Guessing it at all, in fact, should have been impossible: IronKeys are designed to permanently erase their contents if someone tries just 10 incorrect password guesses. But Unciphered's hackers had developed a secret IronKey password-cracking technique—one that they've still declined to fully describe to me or anyone else outside their company—that gave them essentially infinite tries. My USB stick had reached Unciphered’s lab on Tuesday, and I was somewhat surprised to see my three-word passphrase texted back to me the very next morning. With the help of a high-performance computer, Smith told me, the process had taken only 200 trillion tries.

Smith’s demonstration was not merely a hacker party trick. He and Unciphered’s team have spent close to eight months developing a capability to crack this specific, decade-old model of IronKey for a very particular reason: They believe that in a vault in a Swiss bank 5,000 miles to the east of their Seattle lab, an IronKey that's just as vulnerable to this cracking technique holds the keys to 7,002 bitcoins, worth close to $235 million at current exchange rates.

For years, Unciphered's hackers and many others in the crypto community have followed the story of a Swiss crypto entrepreneur living in San Francisco named Stefan Thomas, who owns this 2011-era IronKey, and who has lost the password to unlock it and access the nine-figure fortune it contains. Thomas has said in interviews that he's already tried eight incorrect guesses, leaving only two more tries before the IronKey erases the keys stored on it and he loses access to his bitcoins forever.

Screens in Unciphered’s lab show a microscopic image of the layout of the IronKey’s controller chip (left) and a CT scan of the drive.

Photograph: Meron Menghistab

Now, after months of work, Unciphered's hackers believe they can open Thomas' locked treasure chest, and they're ready to use their secret cracking technique to do it. “We were hesitant to reach out to him until we had a full, provable, reliable attack,” says Smith, who asked WIRED not to reveal his real name due to the sensitivities of working with secret hacking techniques and very large sums of cryptocurrency. “Now we’re in that place.”

The only problem: Thomas doesn't seem to want their help.

Earlier this month, not long after performing their USB-decrypting demonstration for me, Unciphered reached out to Thomas through a mutual associate who could vouch for the company’s new IronKey-unlocking abilities and offer assistance. The call didn't even get as far as discussing Unciphered's commission or fee before Thomas politely declined.

Thomas had already made a “handshake deal” with two other cracking teams a year earlier, he explained. In an effort to prevent the two teams from competing, he had offered each a portion of the proceeds if either one could unlock the drive. And he remains committed, even a year later, to giving those teams more time to work on the problem before he brings in anyone else—even though neither of the teams has shown any sign of pulling off the decryption trick that Unciphered has already accomplished.

That has left Unciphered in a strange situation: It holds what is potentially one of the most valuable lockpicking tools in the cryptocurrency world, but with no lock to pick. “We cracked the IronKey,” says Nick Federoff, Unciphered's director of operations. “Now we have to crack Stefan. This is turning out to be the hardest part.”

In an email to WIRED, Thomas confirmed that he had turned down Unciphered's offer to unlock his encrypted fortune. “I have already been working with a different set of experts on the recovery so I'm no longer free to negotiate with someone new,” Thomas wrote. “It's possible that the current team could decide to subcontract Unciphered if they feel that's the best option. We'll have to wait and see.” Thomas declined to be interviewed or to comment further.

A Very Valuable, Worthless USB Stick

In past interviews, Thomas has said that his 7,002 bitcoins were left over from a payment he received for making a video titled “What is Bitcoin?” that published on YouTube in early 2011, when a bitcoin was worth less than a dollar. Later that year, he told WIRED that he'd inadvertently erased two backup copies of the wallet that held those thousands of coins, and then lost the piece of paper with the password to decrypt the third copy, stored on the IronKey. By then, his lost coins were worth close to $140,000. “I spent a week trying to recover it,” he said at the time. “It was pretty painful.”

In the 12 years since, the value of the inaccessible coins on Thomas' IronKey has at times swelled to be worth nearly half a billion dollars, before settling to its current, still-staggering price. In January 2021, as Bitcoin began to approach its peak exchange rate, Thomas described to _The New York Times_ the angst that his long-lost hoard had caused him over the years. “I would just lay in bed and think about it,” he said. “Then I would go to the computer with some new strategy, and it wouldn’t work, and I would be desperate again.”

Around that same time in 2021, a team of cryptographers and white-hat hackers founded Unciphered with the goal of unlocking exactly the sort of vast, frozen funds that many unlucky crypto holders like Thomas have long since given up on. At the time of Unciphered’s official launch, the cryptocurrency tracing firm Chainalysis estimated the total sum of those forgotten wallets across blockchains to be worth $140 billion. Unciphered says it has since successfully helped clients open locked wallets worth “many millions” of dollars—often through novel cryptographic vulnerabilities or software flaws it has discovered in cryptocurrency wallets—though nothing close to the size of Thomas' IronKey stash.

A deconstructed IronKey inside of Unciphered’s laser cutting tool.

Photograph: Meron Menghistab

Only around the beginning of 2023 did Unciphered begin to hunt for potential avenues to unlock Thomas' IronKey prize. Smith says that they quickly started to see hints that the IronKey's manufacturer, which was sold to storage hardware firm iMation in 2011, had left them some potential openings. “We were seeing little bits and pieces,” Smith says. “Like, this looks a little sloppy, or this looks not quite like how someone should be doing things.” (Kingston Storage, which now owns IronKey, didn’t respond to WIRED’s request for comment.)

Even a decade-old IronKey is a daunting target for hackers. The USB stick, whose development was funded in part by the United States Department of Homeland Security, is FIPS-140-2 Level 3 certified, meaning it's tamper-resistant and its encryption is secure enough for use by military and intelligence agencies for classified information. But emboldened by the few hints of security flaws they'd found—and still with no participation from Thomas—Unciphered's founders decided to take on the project of cracking it. “If there is an Everest to attempt, this is it,” Federoff remembers telling the team. The company's founders would eventually pull together a group of around 10 staffers and outside consultants, several of whom had backgrounds at the National Security Agency or other three-letter government agencies. They called it Project Everest.

A $235 Million Treasure Hunt

One of their first moves was to determine the exact model of IronKey that Thomas must have used, based on timing and a process of elimination. Then they bought the entire supply of that decade-plus-old model that they could find available for sale online, eventually amassing hundreds of them in their lab.

To fully reverse engineer the device, Unciphered scanned an IronKey with a CT scanner, then began the elaborate surgery necessary to deconstruct it. Using a precise laser cutting tool, they carved out the Atmel chip that serves as the USB stick's “secure enclave” holding its cryptographic secrets. They bathed that chip in nitric acid to “decap” it, removing the layers of epoxy designed to prevent tampering. They then began to polish down the chip, layer by layer, with an abrasive silica solution and a tiny spinning felt pad, removing a fraction of a micron of material from its surface at a time, taking photos of each layer with either optical microscopes or scanning electron microscopes, and repeating the process until they could build a full 3D model of the processor.

Because the chip's read-only memory, or ROM, is built into the layout of its physical wiring for better efficiency, Unciphered's visual model gave it a head start toward deciphering much of the logic of the IronKey's cryptographic algorithm. But the team went much further, attaching tenth-of-a-millimeter gauge wires to the secure element’s connections to “wiretap” the communications going into and out of it. They even tracked down engineers who had worked on the Atmel chip and another microcontroller in the IronKey that dated back to the 1990s to quiz them for details about the hardware. “It felt very much like a treasure hunt," says Federoff. “You’re following a map that’s faded and coffee-stained, and you know there’s a pot of gold at the end of a rainbow, but you have no idea where that rainbow’s leading.”

That cracking process culminated in July, when Unciphered's team gathered at an Airbnb in San Francisco. They describe standing around a table covered with millions of dollars’ worth of lab equipment when a member of the team read out the contents of a decrypted IronKey for the first time. “What just happened?” Federoff asked the room. “We just summited Everest,” said Unciphered's CEO, Eric Michaud.

Unciphered still won't reveal its full research process, or any details of the technique it ultimately found for cracking the IronKey and defeating its “counter” that limits password guesses. The company argues that the vulnerabilities they discovered are still potentially too dangerous to be made public, given that the model of IronKeys it cracked are too old to be patched with a software update, and some may still store classified information. “If this were to leak somehow, there would be much bigger national security implications than a cryptocurrency wallet,” Federoff says.

The team notes that the final method they developed doesn't require any of the invasive or destructive tactics that they used in their initial research. They've now unlocked 2011-era IronKeys—without destroying them—more than a thousand times, they say, and unlocked three IronKeys in demonstrations for WIRED.

Cryptic Contracts

None of that, however, has gotten them any closer to persuading Stefan Thomas to let them crack _his_ IronKey. Unciphered’s hackers say they learned from the intermediary who contacted Thomas on their behalf that Thomas has already been in touch with two other potential players in the crypto- and hardware-hacking world to help unlock his USB stick: the cybersecurity forensics and investigations firm Naxo, and the independent security researcher Chris Tarnovsky.

Naxo declined WIRED’s request to comment. But Chris Tarnovsky, a renowned chip reverse engineer, confirmed to WIRED that he had a “meet-and-greet” call with Thomas in May of last year. Tarnovsky says that, in the meeting, Thomas had told him that if he could successfully unlock the IronKey, he would be "generous," but didn't specify a fee or commission. Since then, Tarnovsky says that he has done very little work on the project, and that he has essentially been waiting for Thomas to start paying him on a monthly basis for initial research. "I want Stefan to cough up some money up front," says Tarnovsky. “It's a lot of work, and I need to worry about my mortgage and my bills.”

But Tarnovsky says he hasn't heard from Thomas since that first call. “Nothing came out of it,” he says. “It's weird.”

Unciphered’s director of operations Nick Federoff.

Photograph: Meron Menghistab

Unciphered's team remains skeptical about Naxo’s progress and whether it’s any further along than Tarnovsky. There are only a small number of hardware hackers capable of the reverse engineering necessary to crack the IronKey, they argue, and none appear to be working with Naxo. As for Thomas' suggestion that they could subcontract to Naxo or another team working on the project, Unciphered's Federoff says he won't rule it out, but argues it doesn't make sense when Unciphered alone can crack the IronKey. “Based on what we know, we don't see any benefit to anyone in going that route,” Federoff says.

Thomas, meanwhile, seems to display an unusual lack of urgency in unlocking his $235 million, and has offered only vague hints about why he has yet to reveal any progress toward that goal. “When you're dealing with so much money, everything takes forever,” he told the _Thinking Crypto_ podcast in an interview over the summer. “The person you're working with, you need some contract with them, and that contract needs to be rock solid, because if there's some issue with the contract, there's suddenly hundreds of millions of dollars at stake.”

To potentially accelerate that cryptic contract process, Unciphered plans to publish an open letter to Thomas and a video in the coming days designed to persuade—or pressure—Thomas into working with them. But Federoff concedes that it's possible Thomas doesn't actually care about the money: In its piece about his locked coins in 2021, _The New York Times_ wrote that Thomas already had “more riches than he knows what to do with,” thanks to other crypto ventures.

Federoff notes that it's impossible to know for certain what Thomas' IronKey holds. Maybe the keys to the 7,002 bitcoins are held elsewhere, or gone altogether.

He says Unciphered is still hopeful. But the team is also ready to move on if Thomas won't work with them. There are, after all, other locked wallets out there for the company to crack. And the decision of whether and how to unlock this particular USB drive's riches will ultimately fall to its owner alone. “It's incredibly frustrating,” says Federoff. “But when you're dealing with people, that's always the most complex part. Code doesn't change unless you tell it to. Circuitry doesn't either. But humans are incredibly unpredictable creatures.”

Tag

#intel