Ubuntu Security Notice 7021-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7021-1September 18, 2024linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15,linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15,linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15,linux-kvm, linux-nvidia, linux-oracle, linux-raspi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-intel-iotg: Linux kernel for Intel IoT platforms- linux-kvm: Linux kernel for cloud environments- linux-nvidia: Linux kernel for NVIDIA systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.15: Linux hardware enablement (HWE) kernel- linux-intel-iotg-5.15: Linux kernel for Intel IoT platformsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - GPU drivers;  - BTRFS file system;  - F2FS file system;  - GFS2 file system;  - BPF subsystem;  - Netfilter;  - RxRPC session sockets;  - Integrity Measurement Architecture(IMA) framework;(CVE-2024-39496, CVE-2024-41009, CVE-2024-26677, CVE-2024-42160,CVE-2024-27012, CVE-2024-42228, CVE-2024-39494, CVE-2024-38570)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-5.15.0-1053-gkeop   5.15.0-1053.60  linux-image-5.15.0-1063-ibm     5.15.0-1063.66  linux-image-5.15.0-1063-raspi   5.15.0-1063.66  linux-image-5.15.0-1065-intel-iotg  5.15.0-1065.71  linux-image-5.15.0-1065-nvidia  5.15.0-1065.66  linux-image-5.15.0-1065-nvidia-lowlatency  5.15.0-1065.66  linux-image-5.15.0-1067-gke     5.15.0-1067.73  linux-image-5.15.0-1067-kvm     5.15.0-1067.72  linux-image-5.15.0-1068-oracle  5.15.0-1068.74  linux-image-5.15.0-1069-gcp     5.15.0-1069.77  linux-image-5.15.0-1070-aws     5.15.0-1070.76  linux-image-5.15.0-1073-azure   5.15.0-1073.82  linux-image-5.15.0-122-generic  5.15.0-122.132  linux-image-5.15.0-122-generic-64k  5.15.0-122.132  linux-image-5.15.0-122-generic-lpae  5.15.0-122.132  linux-image-aws-lts-22.04       5.15.0.1070.70  linux-image-azure-lts-22.04     5.15.0.1073.71  linux-image-gcp-lts-22.04       5.15.0.1069.65  linux-image-generic             5.15.0.122.122  linux-image-generic-64k         5.15.0.122.122  linux-image-generic-lpae        5.15.0.122.122  linux-image-gke                 5.15.0.1067.66  linux-image-gke-5.15            5.15.0.1067.66  linux-image-gkeop               5.15.0.1053.52  linux-image-gkeop-5.15          5.15.0.1053.52  linux-image-ibm                 5.15.0.1063.59  linux-image-intel-iotg          5.15.0.1065.65  linux-image-kvm                 5.15.0.1067.63  linux-image-nvidia              5.15.0.1065.65  linux-image-nvidia-lowlatency   5.15.0.1065.65  linux-image-oracle-lts-22.04    5.15.0.1068.64  linux-image-raspi               5.15.0.1063.61  linux-image-raspi-nolpae        5.15.0.1063.61  linux-image-virtual             5.15.0.122.122Ubuntu 20.04 LTS  linux-image-5.15.0-1053-gkeop   5.15.0-1053.60~20.04.1  linux-image-5.15.0-1065-intel-iotg  5.15.0-1065.71~20.04.1  linux-image-5.15.0-1069-gcp     5.15.0-1069.77~20.04.1  linux-image-5.15.0-1070-aws     5.15.0-1070.76~20.04.1  linux-image-5.15.0-1073-azure   5.15.0-1073.82~20.04.1  linux-image-5.15.0-122-generic  5.15.0-122.132~20.04.1  linux-image-5.15.0-122-generic-64k  5.15.0-122.132~20.04.1  linux-image-5.15.0-122-generic-lpae  5.15.0-122.132~20.04.1  linux-image-aws                 5.15.0.1070.76~20.04.1  linux-image-azure               5.15.0.1073.82~20.04.1  linux-image-azure-cvm           5.15.0.1073.82~20.04.1  linux-image-gcp                 5.15.0.1069.77~20.04.1  linux-image-generic-64k-hwe-20.04  5.15.0.122.132~20.04.1  linux-image-generic-hwe-20.04   5.15.0.122.132~20.04.1  linux-image-generic-lpae-hwe-20.04  5.15.0.122.132~20.04.1  linux-image-gkeop-5.15          5.15.0.1053.60~20.04.1  linux-image-intel               5.15.0.1065.71~20.04.1  linux-image-intel-iotg          5.15.0.1065.71~20.04.1  linux-image-oem-20.04           5.15.0.122.132~20.04.1  linux-image-oem-20.04b          5.15.0.122.132~20.04.1  linux-image-oem-20.04c          5.15.0.122.132~20.04.1  linux-image-oem-20.04d          5.15.0.122.132~20.04.1  linux-image-virtual-hwe-20.04   5.15.0.122.132~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7021-1  CVE-2024-26677, CVE-2024-27012, CVE-2024-38570, CVE-2024-39494,  CVE-2024-39496, CVE-2024-41009, CVE-2024-42160, CVE-2024-42228Package Information:  https://launchpad.net/ubuntu/+source/linux/5.15.0-122.132  https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1070.76  https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1073.82  https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1069.77  https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1067.73  https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1053.60  https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1063.66  https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1065.71  https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1067.72  https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1065.66  https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1068.74  https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1063.66  https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1070.76~20.04.1  https://launchpad.net/ubuntu/+source/linux-azure-5.15/5.15.0-1073.82~20.04.1  https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1069.77~20.04.1  https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1053.60~20.04.1  https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-122.132~20.04.1  https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1065.71~20.04.1

Ubuntu Security Notice USN-7021-1

In a second attack on Hezbollah members, two-way radios detonated around Lebanon on Wednesday, causing injuries and multiple deaths.

With Hezbollah and Lebanon still reeling from a coordinated wave of pager explosions on Tuesday that killed at least 12 people and injured thousands, another bombardment began on Wednesday, this time taking the form of exploding two-way radios. Footage of the explosions, which was not independently confirmed by WIRED, appears to show even larger blasts than those that emanated from the booby-trapped pagers.

Lebanon’s official news agency also reported exploding home solar systems less than two hours after the radio detonations began on Wednesday, according to the Associated Press. Details of the alleged solar equipment attacks were still developing at the time of publication.

The walkie-talkie explosions appeared to have been orchestrated the same way as the attack on Tuesday, which was likely carried out by intercepting new pagers at some point in their journey through the supply chain and modifying them to add explosive material. Hezbollah had reportedly expanded its use of pagers recently in an attempt to secure communications after the group feared that other channels had been infiltrated by Israeli intelligence. Reuters reported on Wednesday that Hezbollah purchased the walkie-talkies about five months ago as part of the same initiative that led the group to purchase the pagers.

In a statement after Wednesday’s explosions, Lebanon’s Health Ministry said more than 300 people had been injured and nine people had died, with incidents being reported in several regions of the country. The Lebanese Red Cross said more than 30 ambulances were involved in the treatment of people injured.

Though details of Wednesday’s attack are still emerging, the perpetrator of Tuesday’s exploding pager operation is widely believed to be Israel. Fighting between Israel and Hezbollah, which is backed by Iran, has intensified over the past year since Hamas’ October 7 attack on Israel. On Tuesday, Hezbollah blamed Israel for the “criminal aggression that targeted civilians too.”

“I'm floored by the sophistication of this operation,” says Jake Williams, vice president of research and development at Hunter Strategy, who formerly worked for the US National Security Agency. “The scale of this supply chain compromise is unprecedented. It's hard to imagine what technology Hezbollah could consider ‘safe’ at this point.”

Photos and videos posted to social media on Wednesday appeared to show handheld radios, or walkie-talkies, in various states of destruction. In many of the images, the devices, which are larger and bulkier than smartphones, had one side of their casing removed. Middle East experts citing local media reports noted that cars, scooters, and even buildings appear to have been damaged by tampered devices.

“From what we are seeing, including images circulating on social media, the devices exploding are handheld radios, possibly an Icom model,” says Michael Horowitz, head of intelligence at the risk management company Le Beck International.

The second round of explosions on Wednesday indicates that whoever conducted the sabotage and attacks likely had deeply rooted access and knowledge of Hezbollah’s infrastructure and operations. “This shows an even deeper penetration that may have relied on multiple fronts and multiple vectors (different electronic devices and providers),” Horowitz says. “This is unheard of.”

Israel has not yet commented on any of the attacks, and the Israel Defense Forces did not immediately respond to WIRED’s request for comment about the second round of explosions.

The pagers that exploded on Tuesday were mostly Gold Apollo AR-924 model pagers, which the Taiwan-based company says were produced by a third-party firm, Hungary-based BAC Consulting. The New York Times reports that 1 to 2 ounces of explosive were inserted in the pagers before they were distributed to members of Hezbollah. A person listed as the CEO of BAC Consulting did not respond to WIRED’s request for comment. A Hungarian government spokesperson has claimed the company is a “trading intermediary” and does not have a “manufacturing or operational site in Hungary.”

Following the first round of explosions on Tuesday, Human Rights Watch called for an investigation, saying it was not possible to locate all the sabotaged pagers and, as a result, they could end up striking “military targets and civilians without distinction.”

“Customary international humanitarian law prohibits the use of booby traps—objects that civilians are likely to be attracted to or are associated with normal civilian daily use—precisely to avoid putting civilians at grave risk and produce the devastating scenes that continue to unfold across Lebanon today,” Lama Fakih, the group’s Middle East and North Africa director said in a statement.

US secretary of state Anthony Blinken on Wednesday denied the US had advance knowledge of Tuesday’s attack.

“The United States did not know about, nor was it involved in, these incidents,” he said at a conference in Cairo, Egypt. “We’re still gathering the information and gathering the facts.”

Walkie-Talkies Explode in New Attack on Hezbollah

Scammers are flooding Facebook with groups that purport to offer video streaming of funeral services for the recently deceased. Friends and family who follow the links for the streaming services are then asked to cough up their credit card information. Recently, these scammers have branched out into offering fake streaming services for nearly any kind of event advertised on Facebook. Here's a closer look at the size of this scheme, and some findings about who may be responsible.

Scammers are flooding **Facebook** with groups that purport to offer video streaming of funeral services for the recently deceased. Friends and family who follow the links for the streaming services are then asked to cough up their credit card information. Recently, these scammers have branched out into offering fake streaming services for nearly any kind of event advertised on Facebook. Here’s a closer look at the size of this scheme, and some findings about who may be responsible.

One of the many scam funeral group pages on Facebook. Clicking to view the “live stream” of the funeral takes one to a newly registered website that requests credit card information.

KrebsOnSecurity recently heard from a reader named George who said a friend had just passed away, and he noticed that a Facebook group had been created in that friend’s memory. The page listed the correct time and date of the funeral service, which it claimed could be streamed over the Internet by following a link that led to a page requesting credit card information.

“After I posted about the site, a buddy of mine indicated \[the same thing\] happened to her when her friend passed away two weeks ago,” George said.

Searching Facebook/Meta for a few simple keywords like “funeral” and “stream” reveals countless funeral group pages on Facebook, some of them for services in the past and others erected for an upcoming funeral.

All of these groups include images of the deceased as their profile photo, and seek to funnel users to a handful of newly-registered video streaming websites that require a credit card payment before one can continue. Even more galling, some of these pages request donations in the name of the deceased.

It’s not clear how many Facebook users fall for this scam, but it’s worth noting that many of these fake funeral groups attract subscribers from at least some of the deceased’s followers, suggesting those users have subscribed to the groups in anticipation of the service being streamed. It’s also unclear how many people end up missing a friend or loved one’s funeral because they mistakenly thought it was being streamed online.

One of many look-alike landing pages for video streaming services linked to scam Facebook funeral groups.

George said their friend’s funeral service page on Facebook included a link to the supposed live-streamed service at **livestreamnow\[.\]xyz**, a domain registered in November 2023.

According to DomainTools.com, the organization that registered this domain is called “**apkdownloadweb**,” is based in Rajshahi, Bangladesh, and uses the DNS servers of a Web hosting company in Bangladesh called **webhostbd\[.\]net**.

A search on “apkdownloadweb” in DomainTools shows three domains registered to this entity, including **live24sports\[.\]xyz** and **onlinestreaming\[.\]xyz**. Both of those domains also used webhostbd\[.\]net for DNS. Apkdownloadweb has a Facebook page, which shows a number of “live video” teasers for sports events that have already happened, and says its domain is **apkdownloadweb\[.\]com**.

Livestreamnow\[.\]xyz is currently hosted at a Bangladeshi web hosting provider named **cloudswebserver\[.\]com**, but historical DNS records show this website also used DNS servers from webhostbd\[.\]net.

The Internet address of livestreamnow\[.\]xyz is **148.251.54.196**, at the hosting giant Hetzner in Germany. DomainTools shows this same Internet address is home to nearly 6,000 other domains (.CSV), including hundreds that reference video streaming terms, like **watchliveon24\[.\]com** and **foxsportsplus\[.\]com**.

There are thousands of domains at this IP address that include or end in the letters “**bd**,” the country code top-level domain for Bangladesh. Although many domains correspond to websites for electronics stores or blogs about IT topics, just as many contain a fair amount of placeholder content (think “lorem ipsum” text on the “contact” page). In other words, the sites appear legitimate at first glance, but upon closer inspection it is clear they are not currently used by active businesses.

The passive DNS records for 148.251.54.196 show a surprising number of results that are basically two domain names mushed together. For example, there is **watchliveon24\[.\]com.playehq4ks\[.\]com**, which displays links to multiple funeral service streaming groups on Facebook.

Another combined domain on the same Internet address — livestreaming24\[.\]xyz.allsportslivenow\[.\]com — lists dozens of links to Facebook groups for funerals, but also for virtually all types of events that are announced or posted about by Facebook users, including graduations, concerts, award ceremonies, weddings, and rodeos.

Even community events promoted by state and local police departments on Facebook are fair game for these scammers. A Facebook page maintained by the police force in Plympton, Mass. for a town social event this summer called Plympton Night Out was quickly made into two different Facebook groups that informed visitors they could stream the festivities at either **espnstreamlive\[.\]co** or **skysports\[.\]live**.

**WHO’S BEHIND THE FAKEBOOK FUNERALS?**

Recall that the registrant of livestreamnow\[.\]xyz — the bogus streaming site linked in the Facebook group for George’s late friend — was an organization called “Apkdownloadweb.” That entity’s domain — **apkdownloadweb\[.\]com** — is registered to a **Mazidul Islam** in Rajshahi, Bangladesh (this domain is also using Webhostbd\[.\]net DNS servers).

Mazidul Islam’s LinkedIn page says he is the organizer of a now defunct IT blog called gadgetsbiz\[.\]com, which DomainTools finds was registered to a **Mehedi Hasan** from Rajshahi, Bangladesh.

To bring this full circle, DomainTools finds the domain name for the DNS provider on all of the above-mentioned sites  — webhostbd\[.\]net — was originally registered to a **Md Mehedi**, and to the email address **webhostbd.net@gmail.com** (“MD” is a common abbreviation for Muhammad/Mohammod/Muhammed).

A search on that email address at Constella finds a breached record from the data broker Apollo.io saying its owner’s full name is **Mohammod Mehedi Hasan.** Unfortunately, this is not a particularly unique name in that region of the world.

But as luck would have it, sometime last year the administrator of apkdownloadweb\[.\]com managed to infect their Windows PC with password-stealing malware. We know this because the raw logs of data stolen from this administrator’s PC were indexed by the breach tracking service Constella Intelligence \[full disclosure: As of this month, Constella is an advertiser on this website\].

These so-called “stealer logs” are mostly generated by opportunistic infections from information-stealing trojans that are sold on cybercrime markets. A typical set of logs for a compromised PC will include any usernames and passwords stored in any browser on the system, as well as a list of recent URLs visited and files downloaded.

Malware purveyors will often deploy infostealer malware by bundling it with “cracked” or pirated software titles. Indeed, the stealer logs for the administrator of apkdownloadweb\[.\]com show this user’s PC became infected immediately after they downloaded a booby-trapped mobile application development toolkit.

Those stolen credentials indicate Apkdownloadweb\[.\]com is maintained by a 20-something native of Dhaka, Bangladesh named **Mohammod Abdullah Khondokar**.

The “browser history” folder from the admin of Apkdownloadweb shows Khondokar recently left a comment on the Facebook page of Mohammod Mehedi Hasan, and Khondokar’s Facebook profile says the two are friends.

Neither MD Hasan nor MD Abdullah Khondokar responded to requests for comment. KrebsOnSecurity also sought comment from Meta.

Scam ‘Funeral Streaming’ Groups Thrive on Facebook

Snapchat reserves the right to use your selfies to add a personal touch, as in your face, to its advertisements.

Snapchat is reserving the right to use your selfie images to power Cameos, Generative AI, and other experiences on Snapchat, including ads, according to our friends at 404 Media,

The Snapchat Support page about its My Selfie feature says:

> “You’ll take selfies with your Snap camera or select images from your camera roll. These images will be used to understand what you look like to enable you, Snap and your friends to generate novel images of you. If you’re uploading images from the camera roll, only add images of yourself.”

A Snapchat spokesperson told 404 Media:

> “You are correct that our terms do reserve the right, in the future, to offer advertising based on My Selfies in which a Snapchatter can see themselves in a generated image delivered to them…“As explained in the onboarding modal, Snapchatters have full control over this, and can turn this on and off in My Selfie Settings at any time.”

However, according to 404 Media the “See My Selfie in Ads” feature is on by default, so you’d have to know about the feature in the first place in order to turn it off.

We also wonder how Snapchat plans to check whether the user is uploading real selfies and not pictures of someone else.

Once again, we see this assumption by a social media platform that it’s OK to use content posted on their platform for training Artificial Intelligence (AI). It isn’t!

It’s even worse to do it without explicit user consent. Hiding it somewhere deep down in a mountain of legalese called a privacy policy that nobody actually reads is not real consent. This lack of transparency and control over personal data is upsetting. The realization that some individuals may not want their likeness used for commercial purposes or to train systems they don’t support doesn’t seem to bother anyone at these social media giants.

**How to change your My Selfie settings**

You can change or clear your **My Selfie** in your **Settings**:

1.  Tap the gear icon ⚙️ in **My Profile** to open **Settings**
2.  Tap **My Selfie** under **My Account**
3.  Tap **Update My Selfie** or **Clear Selfie**

**Why AI training on your images is bad**

We have seen many cases where social media and other platforms have used the content of their users to train their AI. Some people have a tendency to shrug it off because they don’t see the dangers, but let us explain the possible problems.

*   Deepfakes: AI generated content, such as deepfakes, can be used to spread misinformation, damage your reputation or privacy, or defraud people you know.
*   Metadata: Users often forget that the images they upload to social media also contain metadata like, for example, where the photo was taken. This information could potentially be sold to third parties or used in ways the photographer didn’t intend.
*   Intellectual property. Never upload anything you didn’t create or own. Artists and photographers may feel their work is being exploited without proper compensation or attribution.
*   Bias: AI models trained on biased datasets can perpetuate and amplify societal biases.
*   Facial recognition: Although facial recognition is not the hot topic it once used to be, it still exists. And actions or statements done by your images (real or not) may be linked to your persona.
*   Memory: Once a picture is online, it is almost impossible to get it completely removed. It may continue to exist in caches, backups, and snapshots.

If you want to continue using social media platforms that is obviously your choice, but consider the above when uploading pictures of you, your loved ones, or even complete strangers.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Snapchat wants to put your AI-generated face in its ads 

Can cyber defenders use the presence of infostealers as a canary in the coal mine to preempt ransomware attacks?

Source: Jim West via Alamy Stock Photo

Nearly a third of companies that fell victim to ransomware last year had at least one infostealer infection in the months prior to their attack.

Cyberattacks, but particularly ransomware attacks, only work when they're a surprise. It's why ransom notes through history have almost always opened by simply stating the facts: "Your network has been penetrated," or "Oops, your files have been encrypted." Companies with any notion that an attack is about to come can easily rebuff it simply by backing up and encrypting their files. That's why it's so interesting that, as SpyCloud notes in its 2024 "Malware and Ransomware Defense Report," nearly a third of all ransomware events last year were foreshadowed by an infostealer infection in the 16 weeks prior.

Infostealers before ransomware is a useful combination for attackers. What's less clear is whether it could be useful for defenders, to help reduce attackers' surprise advantage.

**Ransomware's Canary?**

In a recent attack observed by Sophos, the Qilin ransomware gang breached its target via a VPN portal. It waited 18 days, then deployed a custom infostealer to grab credentials from Google Chrome. Only later did it drop any actual ransomware.

High-level groups like Qilin might have the capacity for turnkey jobs, but perhaps more common are cases where initial access brokers (IABs) partner with ransomware actors to split things up.

Stephen Robinson, senior threat intelligence analyst at WithSecure, was investigating such a case last year. The perpetrator was a Vietnamese malware-as-a-service (MaaS) operation, delivering payloads like the DarkGate remote access Trojan (RAT) against companies in digital marketing. "The thing with \[tools like\] DarkGate is that it's one of those pieces of malware that will do infostealing or credential stealing, but also a bunch of other functions like cryptocurrency theft, and delivering ransomware," Robinson explains. The Vietnamese threat actors didn't have to perform ransomware attacks themselves. Instead, IABs like them can plant DarkGate — or RedLine, Qakbot, or Raccoon — far and wide, then sell the access they afford to the next baddies down the line, allowing both sides of the exchange to specialize in what they do best.

In its 2024 "Crypto Crime Report," blockchain analysis firm Chainalysis discovered "a correlation between inflows to IAB wallets and an upsurge in ransomware payments." For example, the ransomware group depicted in the chart below spent thousands of dollars with multiple IABs in the course of its multimillion-dollar campaigns.

Source: Chainalysis

"It definitely seems, to me at least, that this is trending upward," says Trevor Hilligoss, vice president of SpyCloud Labs. "It makes sense if you think about it. Malware-as-a-service is easy, it's cheap. A couple hundred bucks a month gets you access to a pre-built package for attacks, and a lot of these stealers have been adding more functionality."

**Can Infostealers Be Used to Predict Ransomware?**

The literally million-dollar question is this: If 30% of ransomware attacks are preceded by infostealers, can the presence of an infostealer in one's network be used to predict oncoming ransomware, giving defenders a window of time to prepare?

"It really depends on who you are," Hilligoss says. When an infostealer pops up on your network, "If you are an admin of a large, multinational insurance group, I would be very concerned, and I would think that ransomware is probably not too far away. If you're \[an individual\] person or you're a small business, your alarm would go down proportionally." Chainalysis suggested the same, writing that "monitoring IABs could provide early warning signs and allow for potential intervention and mitigation of attacks."

Robinson takes the less optimistic view, arguing that the first steps in an attack chain tend to look quite similar, no matter the threat actor.

"The issue is that someone gets access, steals some credentials, or installs a remote monitoring management tool (RMM). From that first step, you can't now predict what's going to come next," he says. "We had one case where a network was compromised by five or six different groups. There was North Korea, some cryptocurrency miners, there was a ransomware group, there was an IAB. And you couldn't tell what the next step was going to be for each one of them until they took it, because those first steps were all the same. And that's the thing with infostealers."

Either way, Hilligoss advises, "If you see this happens, then rapidly remediate. Find the exposure, figure out all of the data that was stolen from your network, go through it, and reset those credentials — reset those authentication tokens, reissue those API keys — as quickly as possible. That's going to make it really hard for a ransomware actor that has access to that information to actually use it."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Infostealers: An Early Warning for Ransomware Attacks

Cary, North Carolina, 18th September 2024, CyberNewsWire

**Cary, North Carolina, September 18th, 2024, CyberNewsWire**

INE Security is proud to announce that it has been named a winner in the prestigious 2024 SC Awards, named Best IT Security-Related Training Program. This designation underscores INE Security’s commitment to excellence and leadership in the cybersecurity industry.

The SC Awards, now in its 27th year, recognize the solutions, organizations, and individuals that have demonstrated outstanding achievement in advancing the security of information systems. This year’s awards were presented across 33 categories, celebrating both established industry leaders and emerging innovators.

INE Security stood out among a competitive field of entries, demonstrating its innovation in addressing the evolving cybersecurity landscape. The Best IT Security-Related Training Program award highlights INE Security’s efforts to deliver practical, effective solutions that safeguard against today’s complex threats.

> “We are thrilled to receive the 2024 SC Excellence Award for Best IT Security-Related Training Program. This recognition highlights our relentless pursuit of excellence and innovation in cybersecurity training,” said Dara Warn, CEO of INE Security. “At INE Security, we are committed to empowering professionals and organizations with the skills they need to defend against the ever-evolving cybersecurity threats. This accolade not only reflects our commitment to the highest standards of training but also motivates us to continue advancing the field of cybersecurity education.”

The SC Awards are presented by SC Media, a trusted cybersecurity resource, and evaluated by a panel of independent industry experts. Winners are selected based on their contributions to innovation, their ability to address the cybersecurity industry’s critical challenges, and their demonstrated impact on protecting organizations.

> “These award recipients represent the very best of what the cybersecurity community has to offer,” said Tom Spring, Editorial Director at SC Media. “Each winner has shown a commitment to advancing the industry with forward-thinking solutions and an ability to adapt to new challenges. Their contributions help drive progress in securing our digital environments.”

 INE Security has been recognized among the best cybersecurity training platform in 2024 by numerous organizations including:

*   G2 as an online course provider and technical training provider
*   G2’s 2024 Best Software Awards for Education Products 
*   Security Boulevard’s list of the Top 10 Hacking Certifications for both the Certified Professional Penetration Tester (eCPPT) and Web Application Penetration Tester eXtreme (eWPTX) certifications

The SC Awards were evaluated by a distinguished panel of judges, including cybersecurity professionals, industry leaders, and members of the CyberRisk Alliance community from sectors such as healthcare, financial services, education, and technology.

The full list of 2024 SC Awards winners: https://www.scmagazine.com/sc-awards

**About INE Security:**

INE Security is the premier provider of online networking and cybersecurity training and certification. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers. INE Security’s suite of learning paths offers an incomparable depth of expertise across cybersecurity and is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**About CyberRisk Alliance**

CyberRisk Alliance provides business intelligence that helps the cybersecurity ecosystem connect, share knowledge, accelerate careers, and make smarter and faster decisions. Through their trusted information brands, network of experts, and more than 250 innovative annual events we provide cybersecurity professionals with actionable insights and act as a powerful extension of cybersecurity marketing teams. Their brands include SC Media, the Official Cybersecurity Summits, Security Weekly, InfoSec World, Identiverse, CyberRisk Collaborative, ChannelE2E, MSSP Alert, LaunchTech Communications and TECHEXPO Top Secret.

**Contact**

**Director of Global Strategic Communication and Events**  
**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

INE Security Wins 2024 SC Excellence Award

A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN.
The activity cluster is being tracked by Google-owned Mandiant under the moniker UNC2970, which it said overlaps with a threat group known as TEMP.Hermit, which is

Cyber Espionage / Malware

A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN.

The activity cluster is being tracked by Google-owned Mandiant under the moniker **UNC2970**, which it said overlaps with a threat group known as TEMP.Hermit, which is also broadly called Lazarus Group or Diamond Sleet (formerly Zinc).

The threat actor has a history of targeting government, defense, telecommunications, and financial institutions worldwide since at least 2013 to collect strategic intelligence that furthers North Korean interests. It's affiliated with the Reconnaissance General Bureau (RGB).

The threat intelligence firm said it has observed UNC2970 singling out various entities located in the U.S., the U.K., the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia.

"UNC2970 targets victims under the guise of job openings, masquerading as a recruiter for prominent companies," it said in a new analysis, adding it copies and modifies job descriptions according to their target profiles.

"Moreover, the chosen job descriptions target senior-/manager-level employees. This suggests the threat actor aims to gain access to sensitive and confidential information that is typically restricted to higher-level employees."

The attack chains, also known as Operation Dream Job, entail the use of spear-phishing lures to engage with victims over email and WhatsApp in an attempt to build trust, before sending across a malicious ZIP archive file that's dressed up as a job description.

In an interesting twist, the PDF file of the description can only be opened with a trojanized version of a legitimate PDF reader application called Sumatra PDF included within the archive to deliver MISTPEN by means of a launcher referred to as BURNBOOK.

It's worth noting that this does not imply a supply chain attack nor is there a vulnerability in the software. Rather the attack has been found to employ an older Sumatra PDF version that has been repurposed to activate the infection chain.

This is a tried-and-tested method adopted by the hacking group as far back as 2022, with both Mandiant and Microsoft highlighting the use of a wide range of open-source software, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks.

It's believed that the threat actors likely instruct the victims to open the PDF file using the enclosed weaponized PDF viewer program to trigger the execution of a malicious DLL file, a C/C++ launcher called BURNBOOK.

"This file is a dropper for an embedded DLL, 'wtsapi32.dll,' which is tracked as TEARPAGE and used to execute the MISTPEN backdoor after the system is rebooted," Mandiant researchers said. "MISTPEN is a trojanized version of a legitimate Notepad++ plugin, binhex.dll, which contains a backdoor."

TEARPAGE, a loader embedded within BURNBOOK, is responsible for decrypting and launching MISTPEN. A lightweight implant written in C, MISTPEN is equipped to download and execute Portable Executable (PE) files retrieved from a command-and-control (C2) server. It communicates over HTTP with the following Microsoft Graph URLs.

Mandiant also said it uncovered older BURNBOOK and MISTPEN artifacts, suggesting that they are being iteratively improved to add more capabilities and allow them to fly under the radar. The early MISTPEN samples have also been discovered using compromised WordPress websites as C2 domains.

"The threat actor has improved their malware over time by implementing new features and adding a network connectivity check to hinder the analysis of the samples," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Target Energy and Aerospace Industries with New MISTPEN Malware

Participants in a hacking competition with ties to China’s military were, unusually, required to keep their activities secret, but security researchers say the mystery only gets stranger from there.

Capture the flag hacking contests at security conferences generally serve two purposes: to help participants develop and demonstrate computer hacking and security skills, and to assist employers and government agencies with discovering and recruiting new talent.

But one security conference in China may have taken its contest a step further—potentially using it as a secret espionage operation to get participants to collect intelligence from an unknown target.

According to two Western researchers who translated documentation for China’s Zhujian Cup, also known as the National Collegiate Cybersecurity Attack and Defense Competition, one part of the three-part competition, held last year for the first time, had a number of unusual characteristics that suggest its potentially secretive and unorthodox purpose.

Capture the flag (CTF) and other types of hacking competitions are generally hosted on closed networks or “cyber ranges”—dedicated infrastructure set up for the contest so that participants don’t risk disrupting real networks. These ranges provide a simulated environment that mimics real-world configurations, and participants are tasked with finding vulnerabilities in the systems, obtaining access to specific parts of the network, or capturing data.

There are two major companies in China that set up cyber ranges for competitions. The majority of the competitions give a shout out to the company that designed their range. Notably, Zhujian Cup didn’t mention any cyber range or cyber range provider in its documentation, leaving the researchers to wonder if this is because the contest was held in a real environment rather than a simulated one.

The competition also required students to sign a document agreeing to several unusual terms. They were prohibited from discussing the nature of the tasks they were asked to do in the competition with anyone; they had to agree not to destroy or disrupt the targeted system; and at the end of the competition, they had to delete any backdoors they planted on the system and any data they acquired from it. And unlike other competitions in China the researchers examined, participants in this portion of the Zhujian Cup were prohibited from publishing social media posts revealing the nature of the competition or the tasks they performed as part of it.

Participants also were prohibited from copying any data, documents, or printed materials that were part of the competition; disclosing information about vulnerabilities they found; or exploiting those vulnerabilities for personal purposes. If a leak of any of this data or material occurred and caused harm to the contest organizers or to China, according to the pledge that participants signed, they could be held legally responsible.

“I promise that if any information disclosure incident (or case) occurs due to personal reasons, causing loss or harm to the organizer and the country, I, as an individual, will bear legal responsibility in accordance with the relevant laws and regulations,” the pledge states.

The contest was hosted last December by Northwestern Polytechnical University, a science and engineering university in Xi'an, Shaanxi, that is affiliated with China’s Ministry of Industry and Information Technology and also holds a top-secret clearance to conduct work for the Chinese government and military. The university is overseen by China’s People’s Liberation Army.

Neither the university nor several cosponsors of the contest responded to WIRED’s inquiry about the competition.

Dakota Cary, a strategic advisory consultant at security firm Sentinel One, and Eugenio Benincasa, senior cyber defense researcher at the Center for Security Studies at ETH Zurich university in Switzerland, discovered the unusual contest and its requirements while researching China’s hacking competitions. The two have written a report for the Atlantic Council and plan to present their findings on Thursday at the Labscon security conference in Arizona.

They acknowledge that there is no hard evidence that the competition was used to attack a real-world target and that the evidence they do have is circumstantial. But they said they are 85 percent confident that this is what occurred because no alternative explanations make sense.

“There are a lot of good alternative explanations, and none of them have supporting evidence,” says Cary, who is fluent in Mandarin and has studied China’s offensive hacking capabilities extensively for years.

One possible alternative is that the target of the attack was a domestic company or organization that cooperated with the contest in order to give students experience in finding vulnerabilities in a real network and also provide the company with a threat assessment that could help it better secure its network against real-world adversaries.

Cary, however, says such exercises in China are called “crowd-testing” contests. But nowhere in the description of the Zhujian Cup does this phrase appear. “If it’s a real CTF exercise, why are \[participants\] deleting data and … backdoors?” he asks. And why are students told they could be held legally responsible if data or material they possess as part of the competition gets leaked? And if the students were attacking a target inside a cyber range, how could this cause “loss or harm to the organizer and the country,” per the wording in the pledge?

The competition was held on a weekend over the New Year’s holiday last year, on December 30 and 31. If the target was indeed a real-world network, the researchers note that holidays are often a time when security teams are short-staffed or less attentive and alert to intrusions. About 200 students from 29 schools participated in the weekend competition, which consisted of three parts, according to a description of the contest published by the school: a theoretical knowledge competition, a vulnerability discovery contest, and a “public-network target, actual combat attack competition.” The latter is the portion that Cary and Benincasa believe focused on a real-world target.

The researchers surveyed more than 120 capture-the-flag competitions organized in China since 2004—many of them held annually—to understand how the country has used such competitions to recruit talent and expand its cyber offensive and defensive capabilities. They say that China really began to focus on developing its cyber talent in 2015, after the Edward Snowden leaks had exposed the extensive hacking operations conducted by the US National Security Agency for intelligence purposes.

To strengthen its cyber defenses, China focused on revamping and expanding cybersecurity education programs and recruitment efforts between 2015 and 2021. A big part of the latter included the development and regulation of capture-the-flag competitions.

CTFs aren’t unique to China, of course; they are held around the world, including in the US, where one of the oldest—held annually at the Defcon hacking conference in Las Vegas—has existed for nearly two decades. The US government also hosts hackathons to help recruit talent, though not at the scale of China.

Since 2014, the researchers say, more than 540 capture-the-flag rounds of competition have occurred in China. The most intense activity began in 2018, which is also when China’s Central Cyberspace Affairs Commission and Ministry of Public Security issued a notice about the regulation and promotion of such contests. Now Chinese nationals must apply to the MPS for permission to participate in hacking competitions outside of China. Chinese leaders noticed Chinese students and security professionals were having great success competing in hacking competitions internationally and realized that each time someone from China won one of these competitions, the country was losing a potentially valuable asset with the vulnerabilities they disclosed as part of the contest. Now any vulnerabilities discovered by a Chinese national must be reported to the government and not disclosed publicly.

But importantly, China’s efforts in building its domestic capture-the-flag contests means that today it has one of the most robust hacking contest ecosystems in the world, the researchers say, including sector-specific ones for health care and law enforcement. The researchers estimate that about 300,000 people have participated in the contests over the last decade, but the researchers found only four that are open to students. The contests are led by universities across the country while also being supported by companies and the government. Contest winners and others who demonstrate good skill get entered into a national database.

Cary says that if the Zhujian Cup did involve a live target, it’s “remarkable” that the organizers put students in a position that could make them legally culpable if they got caught. But if so, it wouldn’t be the first time the government used students for intelligence operations. In 2022, the Financial Times reported that China had recruited unwitting university students to translate documents and data stolen in espionage operations conducted by the country’s hacking teams, reportedly without telling the students the source of the material.

This also may not be the first time a hacking competition in China played a role in a real-world breach subsequently attributed to China. In 2015, researchers at Threat Connect found curious evidence of a possible overlap between the TOPSEC Cup hacking competition coordinated by China’s Southeast University in 2014 and the subsequent hack of health care giant Anthem that same year. Southeast has financial connections to China’s civilian intelligence agency, the Ministry of State Security.

Did a Chinese University Hacking Competition Target a Real Victim?

Increasing attacks by the OilRig/APT34 group linked to Iran's Ministry of Intelligence and Security show that the nation's capabilities are growing, and targeting regional allies and enemies alike.

Source: Novikov Aleksey via Shutterstock

In its latest cyberattack on a Middle Eastern nation using its proxies in cyberspace, Iran continues to ramp up its cyber operations against rivals and allies.

In the attack, a cyberespionage group linked to Iran's Ministry of Intelligence and Security (MOIS) and known as APT34 targeted government ministries in Iraq, a nation that was once an enemy and now is sometimes a rival and sometimes an ally of Iran. The attack had all the hallmarks of the group, also known as Hazel Sandstorm: custom infrastructure using email tunneling for communications, use of two malware programs similar to previous APT34 code, and domain-naming schemes similar to previous operations.

Previous attacks by APT34 (aka OilRig, Helix Kitten, and Hazel Sandstorm) using similar tools and methods targeted other nations in the region, including Jordan, Lebanon, and Pakistan, according to an analysis by cybersecurity firm Check Point's research group.

"The goal is likely espionage, because those countries are at least, to some degree, allies of Iran, so I don't think, in this case, the main goal is destruction," says Sergey Shykevich, threat intelligence group manager at Check Point Research. "We also don't have any hints on the technological side that there is any destructive goal, and from what we do see — specifically in Iraq — we clearly see that the goal is data exfiltration and \[the like\]."

Following the start of the conflict between Israel and Hamas nearly a year ago, rivalries and relationships throughout the region have changed. In late spring, Iran criticized Jordan — and to a lesser extent other Arab nations — for reportedly helping Israel track and interdict missiles during Iran's April 13 attack on the Jewish nation. Meanwhile, Iraq continues to have strong ties to Iran through proxy networks and political parties aligned with Iran.

**Iran's Cyber Operations Grow**

At the same time, Iran has expanded its cyber operations strategy in the region. A group linked to the Iranian Islamic Revolutionary Guard Corps (IRGC) — and known variously as APT33 (Mandiant) and Peach Sandstorm (Microsoft) — has targeted communications equipment, government agencies, and the oil-and-gas industry in the United Arab Emirates and the United States, typically to gather intelligence, Microsoft stated in August.

Late last month, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that the Iranian group Lemon Sandstorm, also known as Fox Kitten, had leveled ransomware attacks against various countries, and another group, Charming Kitten, or APT42, targeted individuals associated with both the Democratic and Republican presidential campaigns.

Iran is increasingly flexing its muscles in cyberspace, and especially against rivals throughout the Middle East region, says Mohamed Fahmy, a cyberthreat intelligence researcher with cybersecurity firm Trend Micro.

"Iranian APT groups, including APT34, have become very active recently in targeting the Middle East, particularly the government sector in the Gulf region," he says. "From what we’ve seen of APT34’s toolset and activities, they aim to infiltrate entities as much as possible, leveraging compromised infrastructure to launch further attacks. ... APT34's primary goals seem to be espionage and stealing sensitive government information."

**Evasive New Malware: Veaty and Spearal**

In the latest campaign, APT34 used fake document attachments targeting Iraq between March and May of this year, and likely used social engineering to convince users to open the links and run an installer. The attack results in the installation a .NET backdoor. Currently, one backdoor is called Veaty and the other Spearal, and both malware binaries allow command-and-control (C2) of compromised systems.

The techniques used by Veaty and Spearal show similarities to two other malware families — known as Karkoff and Saitama — both of which are attributed to APT34, Check Point stated in its analysis.

Iranian cyber operations groups tend to use custom DNS tunneling protocols and a C2 channel based on email subject lines, according to the research: "This distinctive blend of straightforward tools, written in .NET, combined with sophisticated C2 infrastructure, is common among similar Iranian threat actors."

The capabilities of APT34 and Iran's other groups will only increase, says Check Point's Shykevich.

"They just improve it," he says. "They just use the same content, but each target, or each country they attack, they deploy a new generation of the same concept ..., where they improve it and make it more stealthy \[or add other features\]."

Companies in the Middle East should focus on implementing a zero-trust architecture to strengthen defenses, including establishing a mature security operations center (SOC) with managed endpoint detection and response (MDR) capabilities, says Trend Micro's Fahmy.

The increased geopolitical tensions in the region will only mean increasing efforts to gain intelligence through cyberattacks, he says.

"Government sectors in the Middle East and Gulf region should take this threat seriously," he says. "These groups aim to blend into the network environment by customizing their malware to avoid detection, \[so\] understanding their techniques, which have not changed significantly, is crucial."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

As Geopolitical Tensions Mount, Iran's Cyber Operations Grow

US State Department warns that Kremlin-backed media outlets in democracies around the world are hiding Russian cyber spies and actively working to sow discord.

Source: Postmodern Studio via Alamy Stock Photo

Long understood as a Kremlin-backed propaganda machine, RT News, based in the US, has been far more nefarious than officials once believed.

Just last week, the Biden administration charged two Russian nationals with pumping $10 million into RT International, a media company the US said was used by the Russian government to meddle in the upcoming US elections.

But these robust Russian interference and disinformation operations aren't unique to the US. In fact they're in full swing around the world, according to a new warning from US Secretary of State Antony Blinken.

Blinken explained in Sept. 13 statements that the US has recently discovered RT included an embedded Russian cyber unit, operating since the spring of 2023 with the full knowledge of RT leadership, adding the news outlet was "functioning like a de facto arm of Russia's intelligence apparatus."

The RT leadership team is also accused by the US of running a large crowdfunding campaign to procure equipment like weapons and generators for Russian soldiers fighting against Ukraine.

Details about RT's espionage participation and equipment fundraising were provided by RT employees, Blinken added.

**RT Tactics Replicated Around the World**

Blinken warned a similar Kremlin strategy is being used to spread disinformation and undermine democracies around the world, most acutely in Africa, Germany, and Moldova.

RT and similar influence outlets, like German outlet Red (formerly Redfish), feed intelligence gathered not just to the Russian government but media outlets and mercenary groups as well, Blinken said. Across Africa, a social media-based news organization called African Stream is being used by the Kremlin to spread disinformation in a similar fashion, he added.

"We urge every ally, every partner, to start by treating RT's activities as they do other intelligence activities by Russia within their borders," Blinken said. "Our most powerful antidote to Russia's lies is the truth."

Tag

#intel