WordPress LiteSpeed Cache plugin versions 5.6 and below suffer from a persistent cross site scripting vulnerability.

    Vulnerability Summary from Wordfence IntelligenceDescription: LiteSpeed Cache <= 5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected Plugin: LiteSpeed CachePlugin Slug: litespeed-cacheAffected Versions: <= 5.6CVE ID: CVE-2023-4372CVSS Score: 6.4 (Medium)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NResearcher/s: Lana Codes Fully Patched Version: <= 5.7The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘esi’ shortcode in versions up to, and including, 5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.Technical AnalysisThe LiteSpeed Cache is a site acceleration plugin with server-level cache and optimization. It provides a shortcode ([esi]) that can be used to cache blocks with Edge Side Includes technology when added to a WordPress page, if ESI was previously enabled in the settings.Unfortunately, insecure implementation of the plugin’s shortcode functionality allows for the injection of arbitrary web scripts into these pages. Examining the vulnerable code reveals that the shortcode method in the ESI class does not adequately sanitize the user-supplied ‘cache’ input, and then fails to escape the ‘control’ output derived from the ‘cache’ parameter when it builds the ESI block. This makes it possible to inject attribute-based Cross-Site Scripting payloads via the ‘cache’ attribute.[You can view these code snippets on the blog] This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page. While this vulnerability does require that a trusted contributor account is compromised, or a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.Shortcode Exploit PossibilitiesPrevious versions of WordPress contained a vulnerability that allowed shortcodes supplied by unauthenticated commenters to be rendered in certain configurations. This would make it possible for unauthenticated attackers to exploit this Cross-Site Scripting vulnerability on vulnerable installations. Fortunately, however, a vast majority of sites have been automatically upgraded to a patched release of WordPress as of this writing, which means most site owners do not need to be concerned about this. We still strongly recommend verifying your site has been updated to one of the patched versions of WordPress core found here. Disclosure TimelineAugust 14, 2023 – Wordfence Threat Intelligence team discovers the stored XSS vulnerability in LiteSpeed Cache.August 14, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.August 14, 2023 – The vendor confirms the inbox for handling the discussion.August 14, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.August 16, 2023 – The vendor made the patch and sent us the GitHub commit.October 10, 2023 – The fully patched version, 5.7, is released.ConclusionIn this blog post, we have detailed a stored XSS vulnerability within the LiteSpeed Cache plugin affecting versions 5.6 and earlier. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page. The vulnerability has been fully addressed in version 5.7 of the plugin.We encourage WordPress users to verify that their sites are updated to the latest patched version of LiteSpeed Cache.All Wordfence users, including those running Wordfence Premium , Wordfence Care , and Wordfence Response , as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence  and potentially earn a spot on our leaderboard .

WordPress LiteSpeed Cache 5.6 Cross Site Scripting

Ubuntu Security Notice 6445-2 - It was discovered that the IPv6 implementation in the Linux kernel contained a high rate of hash collisions in connection lookup table. A remote attacker could use this to cause a denial of service. Daniel Trujillo, Johannes Wikner, and Kaveh Razavi discovered that some AMD processors utilising speculative execution and branch prediction may allow unauthorised memory reads via a speculative side-channel attack. A local attacker could use this to expose sensitive information, including kernel memory.

==========================================================================  
Ubuntu Security Notice USN-6445-2  
October 24, 2023

linux-intel-iotg-5.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms

Details:

It was discovered that the IPv6 implementation in the Linux kernel  
contained a high rate of hash collisions in connection lookup table. A  
remote attacker could use this to cause a denial of service (excessive CPU  
consumption). (CVE-2023-1206)

Daniel Trujillo, Johannes Wikner, and Kaveh Razavi discovered that some AMD  
processors utilising speculative execution and branch prediction may allow  
unauthorised memory reads via a speculative side-channel attack. A local  
attacker could use this to expose sensitive information, including kernel  
memory. (CVE-2023-20569)

It was discovered that the IPv6 RPL protocol implementation in the Linux  
kernel did not properly handle user-supplied data. A remote attacker could  
use this to cause a denial of service (system crash). (CVE-2023-2156)

Davide Ornaghi discovered that the DECnet network protocol implementation  
in the Linux kernel contained a null pointer dereference vulnerability. A  
remote attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. Please note that kernel support for the  
DECnet has been removed to resolve this CVE. (CVE-2023-3338)

Ross Lagerwall discovered that the Xen netback backend driver in the Linux  
kernel did not properly handle certain unusual packets from a  
paravirtualized network frontend, leading to a buffer overflow. An attacker  
in a guest VM could use this to cause a denial of service (host system  
crash) or possibly execute arbitrary code. (CVE-2023-34319)

Chih-Yen Chang discovered that the KSMBD implementation in the Linux kernel  
did not properly validate command payload size, leading to a out-of-bounds  
read vulnerability. A remote attacker could possibly use this to cause a  
denial of service (system crash). (CVE-2023-38432)

It was discovered that the NFC implementation in the Linux kernel contained  
a use-after-free vulnerability when performing peer-to-peer communication  
in certain conditions. A privileged attacker could use this to cause a  
denial of service (system crash) or possibly expose sensitive information  
(kernel memory). (CVE-2023-3863)

Laurence Wit discovered that the KSMBD implementation in the Linux kernel  
did not properly validate a buffer size in certain situations, leading to  
an out-of-bounds read vulnerability. A remote attacker could use this to  
cause a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2023-3865)

Laurence Wit discovered that the KSMBD implementation in the Linux kernel  
contained a null pointer dereference vulnerability when handling handling  
chained requests. A remote attacker could use this to cause a denial of  
service (system crash). (CVE-2023-3866)

It was discovered that the Siano USB MDTV receiver device driver in the  
Linux kernel did not properly handle device initialization failures in  
certain situations, leading to a use-after-free vulnerability. A physically  
proximate attacker could use this cause a denial of service (system crash).  
(CVE-2023-4132)

Andy Nguyen discovered that the KVM implementation for AMD processors in  
the Linux kernel with Secure Encrypted Virtualization (SEV) contained a  
race condition when accessing the GHCB page. A local attacker in a SEV  
guest VM could possibly use this to cause a denial of service (host system  
crash). (CVE-2023-4155)

It was discovered that the TUN/TAP driver in the Linux kernel did not  
properly initialize socket data. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2023-4194)

Bien Pham discovered that the netfiler subsystem in the Linux kernel  
contained a race condition, leading to a use-after-free vulnerability. A  
local user could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-4244)

Maxim Suhanov discovered that the exFAT file system implementation in the  
Linux kernel did not properly check a file name length, leading to an out-  
of-bounds write vulnerability. An attacker could use this to construct a  
malicious exFAT image that, when mounted and operated on, could cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-4273)

Kyle Zeng discovered that the networking stack implementation in the Linux  
kernel did not properly validate skb object size in certain conditions. An  
attacker could use this cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-42752)

Kyle Zeng discovered that the netfiler subsystem in the Linux kernel did  
not properly calculate array offsets, leading to a out-of-bounds write  
vulnerability. A local user could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-42753)

Kyle Zeng discovered that the IPv4 Resource Reservation Protocol (RSVP)  
classifier implementation in the Linux kernel contained an out-of-bounds  
read vulnerability. A local attacker could use this to cause a denial of  
service (system crash). Please note that kernel packet classifier support  
for RSVP has been removed to resolve this vulnerability. (CVE-2023-42755)

Kyle Zeng discovered that the netfilter subsystem in the Linux kernel  
contained a race condition in IP set operations in certain situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-42756)

Thelford Williams discovered that the Ceph file system messenger protocol  
implementation in the Linux kernel did not properly validate frame segment  
length in certain situation, leading to a buffer overflow vulnerability. A  
remote attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2023-44466)

Bing-Jhong Billy Jheng discovered that the Unix domain socket  
implementation in the Linux kernel contained a race condition in certain  
situations, leading to a use-after-free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-4622)

Budimir Markovic discovered that the qdisc implementation in the Linux  
kernel did not properly validate inner classes, leading to a use-after-free  
vulnerability. A local user could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-4623)

Alex Birnberg discovered that the netfilter subsystem in the Linux kernel  
did not properly validate register length, leading to an out-of- bounds  
write vulnerability. A local attacker could possibly use this to cause a  
denial of service (system crash). (CVE-2023-4881)

It was discovered that the Quick Fair Queueing scheduler implementation in  
the Linux kernel did not properly handle network packets in certain  
conditions, leading to a use after free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-4921)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did  
not properly handle removal of rules from chain bindings in certain  
circumstances, leading to a use-after-free vulnerability. A local attacker  
could possibly use this to cause a denial of service (system crash) or  
execute arbitrary code. (CVE-2023-5197)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1043-intel-iotg  5.15.0-1043.49~20.04.1  
   linux-image-intel               5.15.0.1043.49~20.04.33  
   linux-image-intel-iotg          5.15.0.1043.49~20.04.33

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6445-2  
   https://ubuntu.com/security/notices/USN-6445-1  
   CVE-2023-1206, CVE-2023-20569, CVE-2023-2156, CVE-2023-3338,  
   CVE-2023-34319, CVE-2023-38432, CVE-2023-3863, CVE-2023-3865,  
   CVE-2023-3866, CVE-2023-4132, CVE-2023-4155, CVE-2023-4194,  
   CVE-2023-4244, CVE-2023-4273, CVE-2023-42752, CVE-2023-42753,  
   CVE-2023-42755, CVE-2023-42756, CVE-2023-44466, CVE-2023-4622,  
   CVE-2023-4623, CVE-2023-4881, CVE-2023-4921, CVE-2023-5197

Package Information:

 https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1043.49~20.04.1

Ubuntu Security Notice USN-6445-2

Cybercriminals already operate across borders. Nations must do the same to protect their critical infrastructure, people, and technology from threats foreign and domestic.

Despite an onslaught of media coverage on cyberattacks and the impact of cybercrime on businesses and governments around the world, most people and, worse, most countries still don't view cybercrime as a national security issue.

Unlike some other areas of organized crime, cybercrime poses a direct threat to national security and the everyday lives of citizens. These malicious actors can target critical infrastructure like hospitals, pipelines, the financial system, energy facilities, shipping ports, and airports. One of the most well-known examples of the impact cybercrime can have on critical infrastructure and how quickly things can go wrong is the Colonial Pipeline ransomware attack and its aftermath, which disrupted economic activity.

**National Intelligence Agencies Are Focused Elsewhere**

However, even as the damages inflicted by cybercrime increase every year, national intelligence agencies remain focused on other national entities and terrorist groups. This leaves private organizations on their own, unarmed and incapable of dealing with malicious actors' growing sophistication and resources.

This is a colossal mistake that could lead to catastrophic consequences. Cybercrime is the central threat in cyberspace. To effectively combat it, nation-states must recognize the harm it can do and take proactive steps to lay the foundation for an international alliance for cybersecurity. Picture it as the NATO of cybersecurity. By coming together as a group, these nation-states can better protect their people, critical infrastructure, and proprietary technology from cyber threats, while also strengthening international relations.

To date, countries have failed to rise to the occasion. Some would even venture to say that we're moving backward, as international tensions rise as a result of the war in Ukraine and other conflicts. Additionally, the ever-growing patchwork of data privacy laws has created new roadblocks for information sharing and response times. In order to shift the narrative and get on the right course to establishing a new international organization geared to the mitigation of, protection against, and punishment of cybercriminals, we first must establish three overarching branches of enforcement.

1.  **The intelligence branch:** Whether you're in Asia, Europe, Latin America, or North America, cybercriminals use the same methods and tactics to conduct attacks. However, today, each country deals with cybercriminal activities independently, negatively impacting information sharing, resources, and expertise. Establishing an intelligence branch would serve as a hub that collects and centralizes information on malicious actors, and their methods, tools, and attacks. By developing a comprehensive database on cybercriminals, each member of this international cyber alliance would benefit from shared knowledge, enabling them to enhance their ability to prevent and respond to cyber threats effectively.
2.  **The policy and strategy branch:** Using the information and data collected by the intelligence branch, a policy and strategy team would be able to develop best practices, guidelines, and regulations that serve as the bedrock for a robust national cyber environment. By sharing and implementing these policies, the alliance can create a common framework that enhances cybersecurity measures and minimizes vulnerabilities across borders.
    
3.  **The** **operations branch:** Lastly, any new international cybersecurity alliance will need an operations branch. This branch would be responsible for implementing, executing, and enforcing laws, as well as taking actions to deter cybercriminals and legally pursuing them. By collectively responding to cyber threats, the alliance can demonstrate a unified front against cybercriminals, making it more challenging for them to exploit vulnerabilities across member countries.
    

In addition to establishing the three branches of the alliance, there are several other key components that are necessary. These include infrastructure, a host country, and like-minded member countries:

*   **Infrastructure:** An undertaking on this scale would require a robust physical and virtual presence to facilitate seamless information sharing, collaboration, and coordinated responses. Without this, nations and industries would continue to struggle with information sharing, mitigation, and enforcement.
*   **Host country:** Similar to other international organizations, it is advisable for the alliance to have a host country that can facilitate the organization's operations. The United States is the most obvious choice. Given the country's technological capabilities, innovative culture, and history of leadership in cybersecurity, it would be the ideal candidate for hosting the international alliance for cybersecurity.
*   **Like-minded member countries:** The success of the international alliance depends on member countries sharing common values such as liberal principles, a free market, democratic governance, and the protection of human rights. As in other military alliances, the member countries would form a unified attack surface, and operate together to fight attacks.

Cybercriminals already operate across borders, sharing knowledge and collaborating on a global scale. It's time for nations to do the same to protect their critical infrastructure, people, and technology from threats foreign and domestic.

It's Time to Establish the NATO of Cybersecurity

Hundreds of millions of users of Grammarly, Vidio, and the Indonesian e-commerce giant Bukalapak are at risk for financial fraud and credential theft due to OAuth misfires — and other online services likely have the same problems.

Flaws in the implementation of the Open Authorization (OAuth) standard across three prominent online services could have allowed attackers to take over hundreds of millions of user accounts on dozens of websites, exposing people to credential theft, financial fraud, and other cybercriminal activity. 

Researchers from Salt Labs discovered critical API misconfigurations on the sites of several online companies — artificial intelligence (AI)-powered writing tool Grammarly, online streaming platform Vidio, and Indonesian e-commerce site Bukalapak — that lead them to believe that dozens of other sites are likely compromised in the same way, they revealed in a report published Oct. 24.

OAuth is a widely implemented standard for allowing for cross-platform authentication, familiar to most as the option to log in to an online site with another social media account, such as "Log in with Facebook" or "Log in with Google." 

The recently-discovered implementation flaws are among a series of issues in OAuth that the researchers have discovered in recent months, stretching across prominent online platforms that put users at risk. Salt researchers already had discovered similar OAuth flaws in the Booking.com website and Expo — an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase — that could have allowed account takeover and full visibility into user personal or payment-card data. The Booking.com flaw also could have allowed log-in access to the website's sister platform, Kayak.com.

The researchers refer broadly to the latest issue found in Vidio, Grammarly, and Bukalapak as a "Pass-The-Token" flaw, in which an attacker may use a token — the unique, secret site identifier used to verify the handoff — from a third party site typically owned by the attacker himself to login to another service.

"For example, if a user logged in to a site called mytimeplanner.com, which is owned by the attacker, the attacker could then use the users token and log in on his behalf to other sites, like Grammarly for instance," Yaniv Balmas, vice president of research at Salt, explains to Dark Reading.

The researchers found the latest issues in Vidio, Bukalapak, and Grammarly between February and April, respectively, and notified the three companies in turn, which all responded in a timely way. The misconfigurations all have since been resolved in these particular services, but that's not the end of the story. 

"Just these three sites are enough for us to prove our point, and we decided to not look for additional targets," according to the report, "but we expect that thousands of other websites are vulnerable to the attack we detail in this post, putting billions of additional Internet users at risk every day,"

**Various Ways to Misconfigure OAuth**

The issue manifests itself uniquely on each of the three sites. On Vidio, an online streaming platform with 100 million monthly active users, the researchers found that when logging into the site through Facebook, the site did not verify the token — which the website developers and not OAuth must do. Because of this, an attacker could manipulate the API calls to insert an access token generated for a different application, the researchers found.

"This alternate token/AppID combination allowed the Salt Labs research team to impersonate a user on the Vidio site, which would have allowed massive account takeover on thousands of accounts," the researchers wrote in the report.

Like Vidio, Bukalapak — which has more than 150 million monthly users — also didn't verify the access token when users registered using a social login. In a similar way, the researchers could insert a token from another website to access a user's credentials and completely take over that user's account.

The OAuth issue discovered on Grammarly — which helps more than 30 million daily users improve their writing by offering grammar, punctuation, spelling checks, and other writing tips — manifested itself slightly differently.

The researchers found that by doing reconnaissance on the API calls and learning the terminology the Grammarly site uses to send the code, they could manipulate the API exchange to insert code used to verify users on a different site and, again, obtain the credentials of a user's account and achieve full account takeover.

**Secure OAuth From the Start**

OAuth itself is well-designed, and the major OAuth providers such as Google and Facebook have secure servers protecting them on the back end. However, those developing the services and sites that leverage the standard to perform the authentication handoff often create issues that render the exchange inherently insecure even if the site appears to function properly, Balmas says.

"It is very easy for anyone to add social-login functionality to his website … and everything will actually work quite fine," he says. "However, without the proper knowledge and awareness, it is very easy to leave cracks that the attacker will be able to abuse and achieve very serious impact on all the website users."

For this reason, it's essential to the security of sites and services that leverage OAuth to be secure from an implementation standpoint, which may require that developers do some homework before building the standard into the site.

"Web services who wish to implement social login or any other OAuth-related functionalities should make sure they have a solid understanding of how OAuth works and common pitfalls that may have potential for being abused," he says.

Developers can also use third-party tools that monitor for anomalies and deviations from typical behavior and which may identify as-yet unknown attacks, providing a safety net for the site and thus all of its users, Balmas adds.

'Log in with...' Feature Allows Full Online Account Takeover for Millions

We observed the BlackByte ransomware group’s new variant, BlackByte NT, for the first time in addition to the previously seen LockBit ransomware, which continues to be the top observed ransomware family in Talos IR engagements.

Tuesday, October 24, 2023 08:10

**Quarterly threat report: Telecommunications and education are most-targeted verticals**

There was a notable increase in threats to web applications, accounting for 30 percent of the engagements Cisco Talos Incident Response (Talos IR) responded to in the third quarter of 2023, compared to 8 percent the previous quarter. Exploitation of public-facing applications was the top observed means of gaining initial access, accounting for 30 percent of engagements. The high number of web application attacks likely played a significant role in the increase this quarter.  

However, ever-present ransomware continues to be a threat, accounting for 10 percent of engagements. This quarter, which covers July, August and September, featured the LockBit and BlackByte ransomware families, which Talos IR has observed in previous quarters. But for the very first time, Talos IR observed a new variant of BlackByte ransomware, BlackByte NT. 

 Telecommunications and education were the most targeted verticals, each accounting for 20 percent of engagements. Threat actors and groups with varying motives and sophistication frequently targeted telecommunications organizations, continuing a trend where it was consistently a top-targeted industry vertical in 2022, according to Talos IR.  

Telecommunications companies are attractive targets due to their control over several critical infrastructure assets, serving as a gateway for adversaries to access other businesses, subscribers, or third-party providers. These organizations also have a large amount of customer data that is often targeted by financially motivated cybercriminals such as ransomware groups.   

Educational institutions are continuously targeted by cybercriminals due to vast amounts of personally identifiable student data, including financial and counseling records, as well as research institutes rich in intellectual property. Many education organizations have limited budgets devoted to cybersecurity, hampering defenses.      

**Web application targeting on the rise **

Attacks against web applications — and subsequent post-compromise activity — were the top-observed threat in Q3, accounting for 30 percent of engagements, a significant increase compared to the previous quarter. After gaining initial access, adversaries leveraged techniques such as launching web injection attacks, deploying web shells, and using commercial off-the-shelf frameworks such as Supershell, which deploys web shells to maintain access to a system. Talos IR is seeing a growing trend of adversaries leveraging advanced functionalities of various command and control (C2) frameworks, such as the newly observed Supershell C2 framework, to identify weaknesses in web servers and deploy web shells more easily. 

Supershell is a web-based management platform that allows attackers to remotely execute commands, manage compromised systems, and collaborate with multiple users. Before downloading Supershell, the attackers placed malicious XML inputs containing a reference to an external entity using XML external entity (XXE) injection attacks in hopes the web server had a misconfigured XML parser. Based on our analysis, Supershell appears to be designed for predominantly Chinese-speaking individuals as the tool is written for a Chinese-only web interface console. There is also a clear preference for Chinese in Supershell’s GitHub documentation, although an English-translated option exists.  

Although the development of recent frameworks that make the deployment of web shells easier benefits sophisticated adversaries, these frameworks may also reduce the barrier for entry for less sophisticated attackers. Given the growing trend of commercial off-the-shelf C2 frameworks within the last year, including Alchimist and Manjusaka, it is likely this trend will continue to play out as adversaries increasingly turn to adopt additional capabilities for performing web-based attacks. 

Web shells are malicious scripts that enable threat actors to compromise web-based servers exposed to the internet. Talos IR responded to an engagement where attackers uploaded several PHP web shells to an unpatched web server, demonstrating how threat actors commonly chain together web shells to build a more flexible toolkit. Within this cluster of activity, the attackers could not further carry out any post-compromise objectives due to the presence of a Web Application Firewall (WAF), highlighting the importance of implementing a WAF between public-facing servers and the Internet to help defend against these attacks.   

In several engagements this quarter, we observed adversaries leveraging Structured Query Language injection (SQLi) attacks, a technique in which adversaries enter SQL commands into an input field that does not use validation and sanitization. We increasingly see adversaries continue to use scanning frameworks to launch SQLi attacks. In one cluster of activity, Talos IR identified multiple SQLi attempts and more than 1,000 instances of SQLMap, an open-source utility often used to identify and exploit SQLi vulnerabilities. Adversaries also used a SQL injection module within Nessus, a proprietary vulnerability scanner, highlighting the threat actor’s intent on identifying SQLi vulnerabilities for expanded access.  

**Ransomware remains a threat **

Ransomware activity continued this quarter accounting for 10 percent of total IR engagements in Q3. We observed the BlackByte ransomware group’s new variant, BlackByte NT, for the first time in addition to the previously seen LockBit ransomware, which continues to be the top observed ransomware family in Talos IR engagements. 

LockBit was one of the most prevalent variants seen in Talos IR engagements since September 2022, consistent with a wide body of reporting calling LockBit one of the most active ransomware threats this year.  

Talos IR responded to a LockBit ransomware attack where the adversaries gained an initial foothold into the environment by compromising a valid contractor account. Once inside, attackers began dumping credentials from internal systems and were able to create an administrator account to elevate privileges and remain persistent in the environment. To evade detection, the attackers cleared the Windows event logs and disabled several security tools, including endpoint detection and response (EDR) and antivirus. LockBit established C2 channels via multiple methods, including the adversary simulation tool Cobalt Strike and the legitimate remote access software AnyDesk. The attackers modified domain policies to create a scheduled task that eventually executed the LockBit ransomware binary.  

Talos IR has previously observed BlackByte ransomware, but this quarter was the first time seeing the new variant, BlackByte NT. Unlike the former variants, this new variant (aka BlackByte 2.0) is written entirely in C++ and was discovered in May 2023. 

Talos IR observed the new BlackByte NT ransomware variant where the attackers initially compromised a valid account to gain access. Several accounts with administrator privileges were created in this engagement as well, showing ransomware actors’ reliance on account creation to escalate privileges and enable persistence. Attackers then used a combination of RDP, SSH, and Server Message Block (SMB) for lateral movement. Using the open-source Secure File Transfer Protocol (SFTP) tool WinSCP, adversaries exfiltrated data from the environment. Before encryption, the attackers cleared the Windows event logs to cover their tracks and deleted the shadow volume copies to inhibit system recovery, consistent with ransomware TTPs. Ransomware was propagated across the environment via SMB admin shares, a common distribution method also observed in ransomware attacks.   

**New ShroudedSnooper actor observed using custom backdoors **

This quarter also featured a new advanced persistent threat (APT) ShroudedSnooper targeting telecommunications firms in the Middle East. This activity is a continuation of a trend we have been monitoring over the past several years in which sophisticated actors are frequently targeting telecommunications organizations, a top-targeted industry vertical this quarter and throughout 2022, according to Talos IR. As part of this activity, ShroudedSnooper deployed two novel backdoor implants we dubbed “HTTPSnoop” and “PipeSnoop.” 

These backdoors interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint. Talos IR observed DLL- and EXE-based versions of the implants that masquerade as legitimate security software components, and specifically extended detection and response (XDR) agents, making detection challenging.  

**Initial vectors **

Exploitation of public-facing applications was the top observed means of gaining initial access, accounting for 30 percent of engagements. The high number of web application attacks likely played a significant role in the increase this quarter.   

**Security weaknesses **

Unpatched or misconfigured applications and a lack of multi-factor authentication (MFA) were tied to the top security weaknesses, each accounting for 40 percent of engagements. This activity aligns with the top two initial access vectors used by adversaries this quarter, including exploiting public-facing applications and abusing valid accounts. Talos IR frequently observes attacks that could have been prevented if MFA was enabled on critical services, such as RDP. Talos IR recommends expanding MFA for all user accounts, such as employee, contractor and business partner accounts.   

Staying up-to-date with software updates on public-facing applications is a crucial aspect of an organization’s security posture. Attackers often exploit vulnerabilities to achieve post-compromise objectives, such as privilege escalation. While vulnerability and patch management are critical, it is not always possible to immediately apply every security patch due to the complexity of enterprise networks. Talos IR recommends prioritizing critical vulnerabilities that pose the biggest threats to preventing exploitation.   

Misconfigurations can also leave organizations exposed regardless of an adversary’s intention. Talos IR frequently sees actors compromising systems that were misconfigured to be exposed publicly. Attackers often take the path of least resistance by leveraging vulnerabilities and exposures, highlighting that organizations need to be proactive in ensuring both systems and tools are configured properly.    

**Top observed MITRE ATT&CK techniques **

The table below represents the MITRE ATT&CK techniques observed in this quarter’s IR engagements, which includes relevant examples and the volume Talos IR saw in engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list. 

Key findings from the MITRE ATT&CK framework include: 

*   Exploitation of public-facing applications was the top observed means of gaining initial access this quarter, accounting for 30 percent of total engagements.  
*   Attackers abused remote services, such as RDP, to move laterally in 25 percent of engagements. 
*   AnyDesk was observed in all ransomware and pre-ransomware engagements this quarter, underscoring its role in ransomware affiliates' attack chains.   
*   Indicator removal, such as clearing Windows event logs and file deletion, was the top defense evasion technique observed.   
*   In 25 percent of engagements this quarter, Talos IR observed attackers abusing scheduled tasks for continuous execution of malicious code to maintain persistence on an endpoint.    

Initial Access (TA0001)  

Example  

T1190 Exploit in Public-Facing Application  

Attackers successfully exploited a vulnerable application that was publicly exposed to the Internet    

Execution (TA0002)  

Example  

T1059.001 Command and Scripting Interpreter: PowerShell  

Executes PowerShell code to retrieve information about the client’s Active Directory environment  

Persistence (TA0003)  

Example  

T1053.005 Scheduled Task / Job: Scheduled Task  

Scheduled tasks were created on a compromised server  

Defense Evasion (TA0005)  

Example  

T1134.002 Access Token Manipulation: Create Process with Token  

Attackers created a new process using the command “run as”  

Credential Access (TA0006)  

Example  

T1003.001 OS Credential Dumping: LSASS Memory  

Use “lsass.exe” for stealing password hashes from memory  

Lateral Movement (TA0008)  

Example  

T1021.001 Remote Services: Remote Desktop Protocol  

Adversary made attempts to move laterally using Windows Remote Desktop   

Command and Control (TA0011)  

Example  

T1219 Remote Access Software  

Remote access tools found on the compromised system    

Exfiltration (TA0010)  

Example  

T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol  

Using FTP for file exfiltration  

Impact (TA0040)  

Example  

T1486 Data Encrypted for Impact  

Deploy LockBit ransomware and encrypt critical systems

Attacks on web applications spike in third quarter, new Talos IR data shows

Though often viewed as the “crown jewel” of the US intelligence community, fresh reports of abuse by NSA employees and chaos in the US Congress put the tool's future in jeopardy.

A federal law authorizing a vast amount of the United States military’s foreign intelligence collection is set to expire in two months, pulling the plug on history’s most prolific eavesdropping operation and the primary means by which US spies intercept the private communications of people deemed threatening, or simply interesting, by the US government—the world’s foremost surveillant.

The US National Security Agency (NSA) relies heavily on the statute, Section 702 of the Foreign Intelligence Surveillance Act, when compelling the cooperation of communications giants that oversee huge swaths of the world’s internet traffic, intercepting hundreds of millions of phone calls and email messages each year, and eavesdropping on the personal conversations of targeted foreign individuals and anyone else, including Americans, unfortunate enough to be caught in their orbit.

As of now, members of Congress have introduced exactly zero bills to prevent Section 702 from sunsetting on January 1, 2024, even though many—perhaps a majority—view this intelligence “crown jewel” as fundamental to the national defense; a flawed but fixable law. The Democrats, who control the Senate, are not blameless in stalling the reauthorization, with more than a handful vying to ensure its renewal is contingent on new rules that force the government to get a warrant before weaponizing the data against its own citizens. The internal conflict roiling the Republican Party, many of whose members share in the desire to rein in the government’s domestic surveillance capabilities, is nevertheless the biggest factor forestalling a compromise, particularly following the removal of Kevin McCarthy as House speaker earlier this month.

The US intelligence community is not without blame. A litany of reported errors, ethical violations, and at least some criminal activity bearing the telltale signs of having been swept under the rug have gone a long way in validating the concerns of Section 702’s biggest detractors: Privacy defenders on both sides of the aisle who share common ground with political allies of Donald Trump, a wellspring of animosity when it comes to military and intelligence leaders—officials routinely peppered from the right with allegations of partisanship and other “treasonous things.”

A US report published in September by an independent government privacy watchdog describes a number of new “noncompliant” uses of raw Section 702 data by analysts at the NSA, an agency where military and civilian employees have been caught repeatedly abusing classified intel for personal, and even sexual, reasons. Issued by the Privacy and Civil Liberties Oversight Board (PCLOB), a body effectively commandeered by Congress in 2005 in an effort to help gauge the scope of the explosion in surveillance after 9/11, the report adds to a decade’s worth of documented surveillance abuses.

_The Wall Street Journal_ first reported in 2013 amid the exploding Edward Snowden scandal that NSA staff had been caught on numerous occasions spying on what the paper called “love interests.” The phenomenon is common enough at the agency to receive its own internal designation: “LOVEINT,” a portmanteau of “love” and “intelligence,” abbreviated in the style of actual surveillance disciplines such SIGINT and HUMINT (“signals” and “human” intelligence, respectively.)

Senator Dianne Feinstein, who died who on September 29 at the age of 90, had defended the NSA following the report, referring to the violations as “isolated,” occurring only roughly, she said, once a year. The _Journal_ noted, meanwhile, that nearly all of the known violations had been self-reported, likely by employees fearful of failing a polygraph exam.

The term “LOVEINT” implies a degree of harmlessness, the misguided acts of a hopeless romantic or a jilted lover. Yet it signifies behavior that is by any modern definition equivalent to stalking. That it received this designation at all seemingly suggests that the abuse is constant enough to border on systemic. The watchdog report released last month by the PCLOB notes that, in 2022, one NSA analyst twice conducted queries on people they’d met “through an online dating service,” showing that despite years of procedures developed to protect against such incidents, the temptation to abuse the most expansive surveillance tool in history for personal gain remains too enticing a prospect for some.

“The US government’s incredible surveillance powers are intended to keep Americans safe from global threats, but we’ve seen time and again how officials have misused this authority at the expense of Americans’ civil liberties,” US senator Chuck Grassley, a Republican from Iowa, tells WIRED. “Instead of aiming this tool at terrorists and international criminals, some have put their political rivals and even love interests in the crosshairs.” The intelligence community’s continued access to the 702 data hinges, in part, on its ability to demonstrate that it can cooperate with oversight attempts, Grassley says, and send an “unequivocal message that abuses will be met with steep consequences.”

While any substantive detail about past 702 violations remains obscured by conditions of secrecy, what can be gleaned from unclassified reports about the “consequences” facing NSA staff for stalking is not encouraging. A 2013 letter from the NSA’s then-top internal watchdog, George Ellard, for instance, described years’ worth of abuses that coincide and even predate the existence of Section 702, which Congress passed in 2008 in an effort to legalize the widespread wiretapping of calls already going in and out of the US, as well as immunize telecommunications companies like AT&T, which was revealed early on to be eagerly cooperating with the government’s demands.

Ellard’s letter, combined with more recent abuse disclosures, paints a picture of an agency that discovers surveillance abuses mainly when its employees self-report them, often to avoid trouble during or in advance of a polygraph test. Violators are often on their way out the door, presumably bound for the private sector, or are otherwise given the option to retire rather than face any real consequences for their actions. Numerous civilian employees at the NSA have admitted to wiretapping the phones of romantic partners, yet it's clear that many escaped punishment by quitting the agency before investigations into their conduct were earnestly underway.

In one of the most egregious cases, predating the 702 program by several years, an NSA employee admitted to wiretapping nine phone numbers belonging to women. Like with other offenses, Ellard noted in his letter—made public by Grassley several years ago—that the employee had “resigned before discipline had been proposed.” (Incidentally, Ellard’s decade as the NSA inspector general came to an unceremonious end following allegations that he’d retaliated against an agency whistleblower.)

Only US service members with access to raw 702 data appear to have been held accountable to some degree, almost certainly because they were unable, due to the terms of their service, to walk away from their jobs. A member of a “tactical military unit,” for instance, was demoted and docked one month’s pay after searching the classified database for communications belonging to his wife, while another’s access was cut after the NSA discovered they’d been eavesdropping on random people’s phone calls, purportedly to learn the language the victims were speaking.

Section 702, which last year targeted more than 246,000 “non-US persons,” permits the NSA to collect both text and audio of communications belonging to Americans, even when they are not the target of an investigation or suspected of foreign or criminal ties. These communications are “highly personal and sensitive, capturing exchanges with loved ones, friends, medical providers, academic adviseors, lawyers, or religious leaders,” according to the oversight authorities; capable of providing “great insight into an individual’s whereabouts, both in a given moment and in patterns over time.” While the communications of Americans captured as part of Section 702 surveillance may be subject to “minimization” procedures down the line, they are nevertheless stored in a “raw” or unredacted format and can be viewed with the help of a Google Search-like interface.

It's unclear how many government employees can access Section 702 data, but US lawmakers have offhandedly estimated the figure to be upwards of 10,000 people. This includes many employed by the Federal Bureau of Investigation, where the process of accessing the database remains practically free from judicial review. Under its own procedures, the FBI may conduct searches of the 702 database without probable cause so long as it believes it is “reasonably likely” to retrieve evidence of a crime—the legal equivalent of a hunch. According to a 2016 memorandum authored by the secretive Foreign Intelligence Surveillance Court, the FBI has at times failed to abide by what are already notably loose restrictions on using 702 for the purpose of acquiring communications protected by attorney-client privilege. The FBI's own procedures have long permitted agents to search the 702 database for correspondence between US citizens and their attorneys, as well as disseminate that information internally, provided the target of the search has not been charged with a crime.

While the NSA refers to the communications of Americans captured under Section 702 as having been collected “incidentally”—the statute authorizes only the “targeting” of “non-US persons reasonably believed to be located outside the United States”—it is important to note that the word “incidental” does not mean “by mistake.” It is merely accepted that each year, as a cost of doing business, the NSA will “inevitably” intercept the calls and messages of an unknown but “substantial” number of Americans.

This collection may be best understood as occurring not in error but as collateral surveillance, defended by the government under an ever-expanding list of national security threats: terrorism, first and foremost; then cyberattacks launched by hostile foreign actors; and today, finally, the illicit trafficking of fentanyl from sources in China.

Since the enactment of Section 702 some 15 years ago, US intelligence chiefs have claimed that it would be impossible to provide any clear metrics regarding just how many Americans are “incidentally” eavesdropped on each year. Ironically, it is the sheer amount of surveillance conducted by the NSA that is blamed for obscuring its impact on Americans’ civil liberties. “We do not yet know the scope of incidental collection,” this year’s PCLOB report states. But it should not be understood as “occurring infrequently,” it says, nor as an “inconsequential part of the Section 702 program.”

A Powerful Tool US Spies Misused to Stalk Women Faces Its Potential Demise

Stefan Thomas lost the password to an encrypted USB drive holding 7,002 bitcoins. One team of hackers believes they can unlock it—if they can get Thomas to let them.

At 9:30 am on a Wednesday in late September, a hacker who asked to be called Tom Smith sent me a nonsensical text message: “query voltage recurrence.”

Those three words were proof of a remarkable feat—and potentially an extremely valuable one. A few days earlier, I had randomly generated those terms, set them as the passphrase on a certain model of encrypted USB thumb drive known as an IronKey S200, and shipped the drive across the country to Smith and his teammates in the Seattle lab of a startup called Unciphered.

Unciphered’s staff in the company’s Seattle lab.

Photograph: Meron Menghistab

Smith had told me that guessing my passphrase might take several days. Guessing it at all, in fact, should have been impossible: IronKeys are designed to permanently erase their contents if someone tries just 10 incorrect password guesses. But Unciphered's hackers had developed a secret IronKey password-cracking technique—one that they've still declined to fully describe to me or anyone else outside their company—that gave them essentially infinite tries. My USB stick had reached Unciphered’s lab on Tuesday, and I was somewhat surprised to see my three-word passphrase texted back to me the very next morning. With the help of a high-performance computer, Smith told me, the process had taken only 200 trillion tries.

Smith’s demonstration was not merely a hacker party trick. He and Unciphered’s team have spent close to eight months developing a capability to crack this specific, decade-old model of IronKey for a very particular reason: They believe that in a vault in a Swiss bank 5,000 miles to the east of their Seattle lab, an IronKey that's just as vulnerable to this cracking technique holds the keys to 7,002 bitcoins, worth close to $235 million at current exchange rates.

For years, Unciphered's hackers and many others in the crypto community have followed the story of a Swiss crypto entrepreneur living in San Francisco named Stefan Thomas, who owns this 2011-era IronKey, and who has lost the password to unlock it and access the nine-figure fortune it contains. Thomas has said in interviews that he's already tried eight incorrect guesses, leaving only two more tries before the IronKey erases the keys stored on it and he loses access to his bitcoins forever.

Screens in Unciphered’s lab show a microscopic image of the layout of the IronKey’s controller chip (left) and a CT scan of the drive.

Photograph: Meron Menghistab

Now, after months of work, Unciphered's hackers believe they can open Thomas' locked treasure chest, and they're ready to use their secret cracking technique to do it. “We were hesitant to reach out to him until we had a full, provable, reliable attack,” says Smith, who asked WIRED not to reveal his real name due to the sensitivities of working with secret hacking techniques and very large sums of cryptocurrency. “Now we’re in that place.”

The only problem: Thomas doesn't seem to want their help.

Earlier this month, not long after performing their USB-decrypting demonstration for me, Unciphered reached out to Thomas through a mutual associate who could vouch for the company’s new IronKey-unlocking abilities and offer assistance. The call didn't even get as far as discussing Unciphered's commission or fee before Thomas politely declined.

Thomas had already made a “handshake deal” with two other cracking teams a year earlier, he explained. In an effort to prevent the two teams from competing, he had offered each a portion of the proceeds if either one could unlock the drive. And he remains committed, even a year later, to giving those teams more time to work on the problem before he brings in anyone else—even though neither of the teams has shown any sign of pulling off the decryption trick that Unciphered has already accomplished.

That has left Unciphered in a strange situation: It holds what is potentially one of the most valuable lockpicking tools in the cryptocurrency world, but with no lock to pick. “We cracked the IronKey,” says Nick Federoff, Unciphered's director of operations. “Now we have to crack Stefan. This is turning out to be the hardest part.”

In an email to WIRED, Thomas confirmed that he had turned down Unciphered's offer to unlock his encrypted fortune. “I have already been working with a different set of experts on the recovery so I'm no longer free to negotiate with someone new,” Thomas wrote. “It's possible that the current team could decide to subcontract Unciphered if they feel that's the best option. We'll have to wait and see.” Thomas declined to be interviewed or to comment further.

A Very Valuable, Worthless USB Stick

In past interviews, Thomas has said that his 7,002 bitcoins were left over from a payment he received for making a video titled “What is Bitcoin?” that published on YouTube in early 2011, when a bitcoin was worth less than a dollar. Later that year, he told WIRED that he'd inadvertently erased two backup copies of the wallet that held those thousands of coins, and then lost the piece of paper with the password to decrypt the third copy, stored on the IronKey. By then, his lost coins were worth close to $140,000. “I spent a week trying to recover it,” he said at the time. “It was pretty painful.”

In the 12 years since, the value of the inaccessible coins on Thomas' IronKey has at times swelled to be worth nearly half a billion dollars, before settling to its current, still-staggering price. In January 2021, as Bitcoin began to approach its peak exchange rate, Thomas described to _The New York Times_ the angst that his long-lost hoard had caused him over the years. “I would just lay in bed and think about it,” he said. “Then I would go to the computer with some new strategy, and it wouldn’t work, and I would be desperate again.”

Around that same time in 2021, a team of cryptographers and white-hat hackers founded Unciphered with the goal of unlocking exactly the sort of vast, frozen funds that many unlucky crypto holders like Thomas have long since given up on. At the time of Unciphered’s official launch, the cryptocurrency tracing firm Chainalysis estimated the total sum of those forgotten wallets across blockchains to be worth $140 billion. Unciphered says it has since successfully helped clients open locked wallets worth “many millions” of dollars—often through novel cryptographic vulnerabilities or software flaws it has discovered in cryptocurrency wallets—though nothing close to the size of Thomas' IronKey stash.

A deconstructed IronKey inside of Unciphered’s laser cutting tool.

Photograph: Meron Menghistab

Only around the beginning of 2023 did Unciphered begin to hunt for potential avenues to unlock Thomas' IronKey prize. Smith says that they quickly started to see hints that the IronKey's manufacturer, which was sold to storage hardware firm iMation in 2011, had left them some potential openings. “We were seeing little bits and pieces,” Smith says. “Like, this looks a little sloppy, or this looks not quite like how someone should be doing things.” (Kingston Storage, which now owns IronKey, didn’t respond to WIRED’s request for comment.)

Even a decade-old IronKey is a daunting target for hackers. The USB stick, whose development was funded in part by the United States Department of Homeland Security, is FIPS-140-2 Level 3 certified, meaning it's tamper-resistant and its encryption is secure enough for use by military and intelligence agencies for classified information. But emboldened by the few hints of security flaws they'd found—and still with no participation from Thomas—Unciphered's founders decided to take on the project of cracking it. “If there is an Everest to attempt, this is it,” Federoff remembers telling the team. The company's founders would eventually pull together a group of around 10 staffers and outside consultants, several of whom had backgrounds at the National Security Agency or other three-letter government agencies. They called it Project Everest.

A $235 Million Treasure Hunt

One of their first moves was to determine the exact model of IronKey that Thomas must have used, based on timing and a process of elimination. Then they bought the entire supply of that decade-plus-old model that they could find available for sale online, eventually amassing hundreds of them in their lab.

To fully reverse engineer the device, Unciphered scanned an IronKey with a CT scanner, then began the elaborate surgery necessary to deconstruct it. Using a precise laser cutting tool, they carved out the Atmel chip that serves as the USB stick's “secure enclave” holding its cryptographic secrets. They bathed that chip in nitric acid to “decap” it, removing the layers of epoxy designed to prevent tampering. They then began to polish down the chip, layer by layer, with an abrasive silica solution and a tiny spinning felt pad, removing a fraction of a micron of material from its surface at a time, taking photos of each layer with either optical microscopes or scanning electron microscopes, and repeating the process until they could build a full 3D model of the processor.

Because the chip's read-only memory, or ROM, is built into the layout of its physical wiring for better efficiency, Unciphered's visual model gave it a head start toward deciphering much of the logic of the IronKey's cryptographic algorithm. But the team went much further, attaching tenth-of-a-millimeter gauge wires to the secure element’s connections to “wiretap” the communications going into and out of it. They even tracked down engineers who had worked on the Atmel chip and another microcontroller in the IronKey that dated back to the 1990s to quiz them for details about the hardware. “It felt very much like a treasure hunt," says Federoff. “You’re following a map that’s faded and coffee-stained, and you know there’s a pot of gold at the end of a rainbow, but you have no idea where that rainbow’s leading.”

That cracking process culminated in July, when Unciphered's team gathered at an Airbnb in San Francisco. They describe standing around a table covered with millions of dollars’ worth of lab equipment when a member of the team read out the contents of a decrypted IronKey for the first time. “What just happened?” Federoff asked the room. “We just summited Everest,” said Unciphered's CEO, Eric Michaud.

Unciphered still won't reveal its full research process, or any details of the technique it ultimately found for cracking the IronKey and defeating its “counter” that limits password guesses. The company argues that the vulnerabilities they discovered are still potentially too dangerous to be made public, given that the model of IronKeys it cracked are too old to be patched with a software update, and some may still store classified information. “If this were to leak somehow, there would be much bigger national security implications than a cryptocurrency wallet,” Federoff says.

The team notes that the final method they developed doesn't require any of the invasive or destructive tactics that they used in their initial research. They've now unlocked 2011-era IronKeys—without destroying them—more than a thousand times, they say, and unlocked three IronKeys in demonstrations for WIRED.

Cryptic Contracts

None of that, however, has gotten them any closer to persuading Stefan Thomas to let them crack _his_ IronKey. Unciphered’s hackers say they learned from the intermediary who contacted Thomas on their behalf that Thomas has already been in touch with two other potential players in the crypto- and hardware-hacking world to help unlock his USB stick: the cybersecurity forensics and investigations firm Naxo, and the independent security researcher Chris Tarnovsky.

Naxo declined WIRED’s request to comment. But Chris Tarnovsky, a renowned chip reverse engineer, confirmed to WIRED that he had a “meet-and-greet” call with Thomas in May of last year. Tarnovsky says that, in the meeting, Thomas had told him that if he could successfully unlock the IronKey, he would be "generous," but didn't specify a fee or commission. Since then, Tarnovsky says that he has done very little work on the project, and that he has essentially been waiting for Thomas to start paying him on a monthly basis for initial research. "I want Stefan to cough up some money up front," says Tarnovsky. “It's a lot of work, and I need to worry about my mortgage and my bills.”

But Tarnovsky says he hasn't heard from Thomas since that first call. “Nothing came out of it,” he says. “It's weird.”

Unciphered’s director of operations Nick Federoff.

Photograph: Meron Menghistab

Unciphered's team remains skeptical about Naxo’s progress and whether it’s any further along than Tarnovsky. There are only a small number of hardware hackers capable of the reverse engineering necessary to crack the IronKey, they argue, and none appear to be working with Naxo. As for Thomas' suggestion that they could subcontract to Naxo or another team working on the project, Unciphered's Federoff says he won't rule it out, but argues it doesn't make sense when Unciphered alone can crack the IronKey. “Based on what we know, we don't see any benefit to anyone in going that route,” Federoff says.

Thomas, meanwhile, seems to display an unusual lack of urgency in unlocking his $235 million, and has offered only vague hints about why he has yet to reveal any progress toward that goal. “When you're dealing with so much money, everything takes forever,” he told the _Thinking Crypto_ podcast in an interview over the summer. “The person you're working with, you need some contract with them, and that contract needs to be rock solid, because if there's some issue with the contract, there's suddenly hundreds of millions of dollars at stake.”

To potentially accelerate that cryptic contract process, Unciphered plans to publish an open letter to Thomas and a video in the coming days designed to persuade—or pressure—Thomas into working with them. But Federoff concedes that it's possible Thomas doesn't actually care about the money: In its piece about his locked coins in 2021, _The New York Times_ wrote that Thomas already had “more riches than he knows what to do with,” thanks to other crypto ventures.

Federoff notes that it's impossible to know for certain what Thomas' IronKey holds. Maybe the keys to the 7,002 bitcoins are held elsewhere, or gone altogether.

He says Unciphered is still hopeful. But the team is also ready to move on if Thomas won't work with them. There are, after all, other locked wallets out there for the company to crack. And the decision of whether and how to unlock this particular USB drive's riches will ultimately fall to its owner alone. “It's incredibly frustrating,” says Federoff. “But when you're dealing with people, that's always the most complex part. Code doesn't change unless you tell it to. Circuitry doesn't either. But humans are incredibly unpredictable creatures.”

They Cracked the Code to a Locked USB Drive Worth $235 Million in Bitcoin. Then It Got Weird

Hamas has threatened to broadcast videos of hostage executions. With the war between Israel and Hamas poised to enter a new phase, are social platforms ready?

For the past decade, social media platforms have struggled to stop the spread of extremist violence livestreamed on their platforms. Now they face a much different problem: This time, they know what’s coming.

In the days after Hamas attacked Israel on October 7, the group’s military wing said it would kill an Israeli hostage every time Israel launched an attack on Gaza. Abu Obeida, a spokesperson for the al-Qassam Brigades, added that these executions would be broadcast “in audio and video.” As of today, Hamas is holding 220 people hostage, according to the Israel Defense Forces.

Amid the October 7 attack, one person livestreamed footage showing Hamas fighters murdering Israeli citizens—a clip of which was later shared by Donald Trump Jr. on X. And in the days after the attack, Hamas hijacked the accounts of those hostages on platforms like Facebook and Instagram to livestream attacks and issue death threats.

In response, tech companies appeared to take things seriously.

Meta launched a “special operations center” to track content on Facebook, Instagram, and Threads. TikTok activated its “command center.” X (formerly Twitter) mobilized its “cross-company leadership group.” YouTube activated its “intelligence desk.” And Reddit tells WIRED its “safety team” is on alert.

But when WIRED asked for specific details about how they are going to prevent bad actors from weaponizing the platforms’ livestreaming capabilities, none of the companies offered any specific details, instead pointing to their general online guidance about livestreaming policies, if they responded at all. For example, Meta directed WIRED to a 2019 blog post from chief information security officer Guy Rosen about how the company was planning to curb the use of its livestream products in the wake of the Christchurch massacre, during which a gunman killed 51 people at a mosque in New Zealand in March of that year.

Despite the press releases indicating all-hands-on-deck attention to the livestreaming problem, industry experts say social media companies are showing a lack of transparency and an unwillingness to take the measures needed to prevent execution videos from spreading on their platforms, such as suspending livestreaming capabilities completely during the Israel-Hamas war.

“Hamas’ threats to execute these people on livestreams is happening because it’s possible for them to broadcast it,” Imran Ahmed, the founder and CEO of Center for Countering Digital Hate, a nonprofit that tracks hate speech on social platforms, tells WIRED. “They’re doing this for the spectacle because it terrorizes us. If we took away their ability to generate that spectacle, would they be doing this? What comes first, the livestream or the execution?”

Ahmed alleges that the companies are failing to implement systems that automatically detect violent extremist content as effectively as they detect some other kinds of content. “If you have a snatch of copyrighted music in your video, their systems will detect it within a microsecond and take it down,” Ahmed says, adding that “the fundamental human rights of the victims of terrorist attacks” should carry as much urgency as the “property rights of music artists and entertainers.”

The lack of details about how social platforms plan to curb the use of livestreams is, in part, because they are concerned about giving away too much information, which may allow Hamas, Palestinian Islamic Jihad (PIJ), and other militant groups or their supporters to circumvent the measures that are in place, an employee of a major platform who was granted anonymity because they are not authorized to speak publicly claimed in a communication with WIRED.

Adam Hadley, founder and executive director of Tech Against Terrorism, a United Nations-affiliated nonprofit that tracks extremist activity online, tells WIRED that while maintaining secrecy around content moderation methods is important during a sensitive and volatile conflict, tech companies should be more transparent about how they work.

“There has to be some degree of caution in terms of sharing the details of how this material is discovered and analyzed,” Hadley says. “But I would hope there are ways of communicating this ethically that don’t tip off terrorists to detection methods, and we would always encourage platforms to be transparent about what they’re doing.”

The social media companies say their dedicated teams are working around the clock right now as they await the launch of Israel’s expected ground assault in Gaza, which Hadley believes could trigger a spate of hostage executions.

And yet, for all of the time, money, and resources these multibillion-dollar companies appear to be putting into tackling this potential crisis, they are still reliant on Tech Against Terrorism, a tiny nonprofit, to alert them when new content from Hamas or PIJ, another paramilitary group based in Gaza, is posted online.

Hadley says his team of 20 typically knows about new terrorist content before any of the big platforms. So far, while tracking verified content from Hamas’ military wing or the PIJ, Hadey says the volume of content on the major social platforms is “very low.”

“Examples that we can find on large platforms of that official content are in the thousands, so not a lot of examples, compared with significantly more on Telegram,” Hadley says. “We are sharing alerts to 60 platforms who have been implicated with \[Hamas\] and PIJ content to date, but very low volumes are present.”

Hamas is banned on Facebook, Instagram, YouTube, and TikTok, so it has typically not used these mainstream platforms to any great extent, though X said earlier this month that it had removed hundreds of Hamas-affiliated accounts. Instead, Hamas prefers to use Telegram.

“Because the use of Telegram is so widespread and simple, we will assume they will continue to do this because terrorists prioritize platforms they can use most easily,” Hadley says, “and why would they bother with anything other than Telegram?”

Meta, X, and YouTube collaborate to share information about what they are seeing on the platforms. Telegram does not take part in such partnerships. While it has blocked some channels in certain jurisdictions, Telegram has typically taken a hands-off approach to content moderation, meaning Hamas and related groups have been mostly free to post whatever content they like on its platform.

Telegram did not respond to WIRED’s questions about how it would deal with execution videos on its platform, nor did X or Twitch. Discord declined to provide an on-the-record comment.

While Hadley sees Telegram as the primary concern, mainstream platforms are still at risk of facilitating the spread of this content. Videos can easily be downloaded from Telegram and reposted on any other platform, which is where the mainstream social media networks face the challenge of stopping them.

When asked to provide more details about their efforts, Meta and TikTok directed WIRED to their policy pages outlining the work they are doing to prevent the spread of these videos. YouTube spokesperson Jack Malon tells WIRED that “our teams are working around the clock to monitor for harmful footage across languages and locales.” A Reddit spokesperson says the company has “dedicated teams with linguistic and subject-matter expertise actively monitoring the conflict and continuing to enforce Reddit’s Content Policy across the site.”

One of the key ways that tech companies try to keep violent extremist content from going viral on their platforms is by using what are known as hashing databases. When content from a terrorist organization is identified, it is “hashed” to create a unique identifier that can then be shared among all companies to automatically prevent that video or image from being reshared elsewhere.

The sharing of these hashes and communication around incidents like the Israel-Hamas war are coordinated by the Global Internet Forum to Counter Terrorism (GIFCT), a small team of experts whose mission is to stop tech platforms from being exploited by violent extremists. The group was founded in 2017 by Facebook, Microsoft, X (then Twitter), and YouTube as a way of centralizing and coordinating the sharing of information. Companies like Dropbox, Amazon, Pinterest, and Zoom also provide funding to the group.

GIFCT did not provide a spokesperson to answer WIRED’s questions, but a statement on the group’s website says it is “providing regular situational awareness across member companies and support in addressing content relating to this conflict that violates their platform policies.”

Even when mainstream platforms have access to a shared database of verified terrorist content and centralized communications with experts who are tracking this content closely, they still have a lot of work to do in order to prevent violent videos from spreading on their platforms.

“This will be a big litmus test for the mainstream platforms,” Hadley says. “We would expect their algorithmic systems to be able to detect the \[Hamas\] logo, for instance, and respond accordingly. So actually, we’re quietly confident that those platforms will be alright to handle it. And I would hope that they’ve been training their algorithms in anticipation of this, based on the very large amounts of existing content from \[Hamas and PIJ\]. But unfortunately, we have no insight into that at all.”

The Hamas Threat of Hostage Execution Videos Looms Large Over Social Media

Despite warnings that sending one-time passwords via text messages is a flawed security measure, companies continue to roll out the approach, especially in consumer-facing applications.

Following a spate of attacks targeting independent developers on its Steam game-distribution platform, game maker Valve last week said that it will require developers to provide their phone numbers so the company can use SMS for two-factor authentication (2FA) starting Oct. 24. 

"As part of a security update, any Steamworks account setting that builds live on the default/public branch of a released app will need to have a phone number associated with their account, so that Steam can text you a confirmation code before continuing," the company stated in its notification. "We also plan on adding this requirement for other Steamworks actions in the future."

But since SMS-based two-factor authentication can be circumvented by persistent attackers using a variety of methods, the move raises the question: Why are consumer-facing online services still making SMS the go-to second factor, both internally and for customers?

**SMS-Based 2FA: Not Really Secure**

Getting around SMS two-factor authentication has become a priority among attackers, and indeed, it has been defeated using everything from machine-in-the-middle attacks to social engineering — including, in the infamous Uber breach case, through 2FA fatigue attacks. 

In 2022, for example, a banking Trojan known as Xenomorph compromised more than 50,000 Android devices after the cybercriminal group behind the malware disguised it as a performance utility, according to Tony Anscombe, chief security evangelist for digital security firm ESET.

"In reality, it was stealing the user’s login credentials for banking, payment, social media, cryptocurrency and other apps that have valuable personal information," he says. "The malware abused more than 50 apps, including PayPal and Coinbase, and included the ability to intercept messages and notifications, giving the cybercriminal the ability to bypass two-factor authentication codes.

But even the low-tech approach of just walking into a cellular store (SIM-swapping) or finding a corrupt technician works well, says David Richardson, vice president of endpoint and threat intelligence at cloud security platform Lookout. All an attacker has to do is know the targeted individual's phone number to attack the channel.

"The whole system is basically built on an assumption of trust — I could walk into any store and easily cancel my contract and port my phone number ... to pretty much any carrier," he says. "Basically \[an attacker could\] take over any phone number and start to receive the phone calls and, most importantly in these cases, the SMS messages that are that are going to those to those numbers."

And cellphone numbers are some of the most commonly leaked information on the Internet. The recent compromises of MGM Resorts and Caesars Entertainment, for example, exposed millions of records of business professionals and individual consumers, including phone numbers, which could be used by attackers for further attacks. 

**2FA Is Better Than Nothing**

SMS-based 2FA persists in the face of the insecurity for the simple reason that it's a relatively painless security mechanism for end users: A company merely needs to know is the customer's phone number to text a one-time passcode for authentication. For consumer-facing companies, reducing friction is the name of the game.

At the same time, making attackers' jobs even just a little bit more difficult helps protect developers — and the players of their games.

"Any MFA is better than no MFA — like, vastly superior," Lookout's Richardson says. "You're 10 times harder to hack if you've got an SMS-based MFA, so ... you're way better off having some form of multifactor authentication versus no form of multifactor authentication."

An SMS code could have protected Benoît Freslon, the independent developer behind the game NanoWar: Cells VS Virus, for example. Freslon fell prey to a social engineering scam, apparently when cybercriminals posing as another developer sent him a direct message with malicious content, according to a statement posted on Steam's Community forums.

"I was hacked, all my social networks accounts including Discord and Steam were compromised ... \[t\]he hacker uploaded a malware with \[sic\] my account," a developer stated on Steam's forums. "Be careful when a friend ask you to test his game on private message on Discord. ... It was the most stressfull days \[sic\] of my indie developer life."

Valve removed the game from Steam on Aug. 25, a day after the group behind the hacks published the infected version from the developer's account. The game developer stressed that a safe version of the game has been available since Sept. 15, uploaded from a "totally clean machine."

**SMS: A Good First Step, but...**

Companies focused on consumers and worried that the additional friction posed by 2FA security could use app-based factors that are already widely adopted, such as Google's or Microsoft's authenticators, says ESET's Anscombe.

"Many consumer-focused companies already provide the option to use either Microsoft or Google authenticator apps, this reduces the barrier to adoption as consumers may already have these apps installed," he says. 

"An app is not subject to SIM cloning nor malware that uses the operating systems permissions system to read SMS messages," he says. "The app itself should be protected by a passkey or biometrics adding an additional layer of security."

Boosting security has become important for game companies, as users have more digital in-game assets stored in online accounts that cybercriminals aim to monetize, and while cheaters look to access other gamers' accounts to gain advantage. Steam expects to roll out more security measures in the future to better protect, not only the developers but its customers and reputation.

Valve's 2FA Mandate for Game Developers Shows SMS Stickiness

A spoofed version of an Israeli rocket-attack alerting app is targeting Android devices, in a campaign that shows how cyber-espionage attacks are shifting to individual, everyday citizens.

Using a trending item as a malicious lure is relatively common; to do it in a period of military conflict and deliberately target users in the affected region is a different step.

Recently, a genuine app — RedAlert - Rocket Alerts — has been popular among users in the Israel and Gaza region, since it allows individuals to receive timely and precise alerts about incoming airstrikes. However, a malicious, spoofed version of the app was detected last week, which collected personal information including access to contacts, call logs, SMS, account information, and an overview of other installed apps.

This and the discovery of a similar incident indicates that unfortunately, the Israel-Hamas conflict's cybercrimes will extend beyond nation-state attacks on critical infrastructure — and into the palm of the user's hand.

**The Initial Malicious App**

According to the discovery by Cloudflare, the website hosting the malicious file was created on Oct. 12, and it has been taken offline since. Only those users who installed the Android version of the app are impacted, and they are urgently advised to delete the app.

A statement from Cloudflare said it became aware of a website hosting a Google Android Application that impersonated the legitimate RedAlert - Rocket Alerts application. "Given the current climate in Israel, this application is heavily relied upon by individuals living in the country to be notified when it is critical to seek safety," it said.

The creation of a malicious app spoofing a known brand is common, according to a recent report from Arctic Wolf, which said malicious apps found in official app stores are often disguised with the use of names, images, or descriptions similar to popular or malware-free apps. They also may have fake reviews to help increase the malicious app's rating and to make them look more realistic.

But in this case, the malicious application mimicked a widely used app to steal data, in what Cloudflare called "a time of distress" where services such as this are replied upon, adding that this is "another example of threat attackers leveraging authenticity to carry out impactful attacks."

Casey Ellis, founder and CTO of Bugcrowd, says he does expect to see more cases like this where the Gaza conflict is used as a malware lure — both regionally and globally.

"Attackers are always on the lookout for events that create fear, uncertainty, and a volatile information environment, and the Israel-Hamas conflict definitely meets these criteria," he says.

Cloudflare was unable to add attribution to whoever was behind this malicious app, and there is no evidence that this was even a threat actor from the Middle East. So this could be the work of an unrelated cybercriminal looking to use the conflict for their malicious gain.

**More Than One Incident**

In a separate detection, Cloudflare said the pro-Palestinian hacktivist group AnonGhost exploited a vulnerability in another application, Red Alert: Israel. This allowed the group to intercept requests, expose servers and APIs, and send fake alerts to some app users, including a message that a nuclear bomb strike was imminent.

In its detection of that incident, Group-IB Threat Intelligence said this shows that the actions of attackers can be diverse, as hacktivists are generally associated with conducting small-scale DDoS attacks and defacement. But as the ongoing conflict shows, sometimes their actions can be far more devastating and costly, and "it's essential to map and properly mitigate the risk of hacktivism as part of a threat intelligence program."

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says spoofing mobile apps is easy, as many app teams are inadvertently giving threat actors a blueprint for abuse.

He says, "App teams focus on code optimization and speed to market, but never ensure sufficient threat visibility and protection for their apps once they are published. Threat actors know this and use reverse engineering to truly understand an app's inner workings."

Vishnubhotla adds, "Knowing an application's architecture, data flow, and security mechanisms allows a hacker to easily create spoofed apps."

**Be Careful With Clicks**

The advice to avoid becoming victimized by these types of attacks is fairly straightforward. Arctic Wolf recommend checking the app's developers and reviews, restricting permissions when necessary; users should download apps only from reputable developers and look for mentions of scams or malicious activity mentioned in reviews by other users.

The advice from Group-IB was for organizations to carefully examine and fortify all Web-facing applications, as "it's not uncommon for hacktivists to exploit web and mobile APIs, often perceived as softer targets compared to the principal product APIs."

Ellis admits his advice on protection from malicious apps — saying users should trust, but verify — is nothing groundbreaking, but it persists for a reason.

"Double-check before you trust anything that offers to assist you in issues of personal safety, and triple-check before you share it with others," he says. He acknowledges that in this case, the malicious apps were downloaded by people in a state of concern and potentially without the due consideration they would usually give to vetting them.

Tag

#intel