Elon Musk claims plane-tracking data is a risky privacy violation. But the world loses a lot if this information disappears—and that's already happening.

I woke up Friday morning to the message I’d been expecting: “Your account, @Justin\_Ling has been locked for violating the Twitter Rules.”

Below was the offending tweet: a link to one of the few websites that provide real-time private jet flight data that “chief twit” Elon Musk, I wrote, “hasn't bullied into suppressing his flight data.”

Musk has accused these flight trackers of providing “basically assassination coordinates.” He has launched a crusade against these apps and anyone who shares them on his recently acquired social media platform. Accounts like mine were locked, while others were banned entirely—from the @ElonJet bot, which shared the location of Musk’s private plane, to reporters who picked up on his campaign. Twitter rules were rewritten on the fly to forbid publishing anyone’s “physical location.”

The chaotic few days prompted the European Union to warn Musk that silencing journalists would likely result in sanctions from EU regulators. US Representative Adam Schiff demanded that Musk reinstate the suspended accounts and explain to Congress why he decided to retaliate against the press in the first place.

As of Monday, following a poll asking users when he should lift the account suspensions, Musk reinstated some—but not all—of those accounts. 

Lost in the chaos is just how successful Musk has been at suppressing that real-time flight data on the internet. In so doing, he’s taking aim at an incredibly valuable source of information—which has helped researchers, journalists, and experts with everything from tracking Russian oligarchs to investigating the fate of missing aircraft to tracking down international hitmen. Musk isn’t the only one trying to keep this type of information out of the public’s hands. 

Both real-time and historical information on Musk’s main private jet—a 2015 Gulfstream G650ER, tail number N628TS—is conspicuously missing from the two main flight-tracking platforms: FlightAware and FlightRadar24.

FlightAware reports that its real-time data on Musk’s jet is unavailable “due to European government data rules,” while its historical data about the plane’s comings and goings was removed “per request from the owner/operator.” Looking up Musk’s jet on FlightRadar24 returns the message: “we could not find data.”

Even smaller tracking platforms, like AirportInfo—the account that led to my Twitter being locked—have taken Musk’s flight information offline.

“The ongoing hullabaloo about the location of Elon Musk’s airplane has caused us to stop displaying his plane at the moment,” says Christian Rommes, an AirportInfo administrator. “Because Musk is threatening legal action, we don’t want to take any risks.”

While Rommes says his office hasn’t heard from Musk’s legal team, they took the step as a precaution. “Don’t mess with the (former) richest man of the world,” he says.

Aircraft operators are required to report detailed information on their flight path to various national regulators, including the Federal Aviation Administration. That data is generally a matter of public record and is published to various websites popular amongst airline enthusiasts. 

Some companies, like FlightAware, augment government data with their own sources of real-time flight information. Other websites, like planespotters.net and airliners.net, allow users to submit photos taken of aircraft as they come and go around the world.

These services have proved incredibly useful for journalists and independent researchers in recent years.

When Malaysian Airlines flight 370 disappeared in 2014, these trackers provided the public with the same data investigators were puzzling over—a flight path that cut straight across Malaysia before stopping abruptly over the South China Sea. Those websites would become critical tools for independent researchers in the years that followed.

Journalists and the general public again turned to these services after Malaysia Airlines flight 17 and Ukrainian International Airlines flight 752 were shot down in 2014 and 2020, respectively. As early reports suggested disaster had struck, these websites showed clearly that the flights were interrupted in mid-air.

But the utility of real-time flight tracking goes far beyond disasters.

In more lighthearted examples, diehard soccer fans have used FlightRadar24 to figure out where prospective trades are heading ahead of a possible signing. In 2015, tens of thousands of football fanatics correctly identified star manager Jurgen Klopp’s private jet as it made its way to Liverpool, preempting the team’s announcement.

The availability of this data has made it possible to track everything from a shipment of US weapons to Ukraine to Nancy Pelosi’s tense visit to Taiwan, in defiance of Chinese warnings.

Some pilots have leaned into this new visibility. One made headlines after drawing a penis in the sky over Florida.

The websites have also contributed to embarrassment for some private jet owners. Thanks to @CelebJets, a bot account set up by 20-year-old programmer Jack Sweeney, who also created @ElonJet, scrutiny over the pace at which the rich and famous galavant around in their CO2\-intensive private planes reached a fever pitch in 2022. Marketing agency Yard calculated just how much environmental damage was caused by these private jet trips—particularly short-haul flights, where driving or taking public transit would take only marginally longer. That report led to a massive public shaming of celebrities like Taylor Swift, whose private jet addiction put 1,184 times more CO2 into the atmosphere than the average person produces in a whole year. 

A single Elon Musk flight from February burned nearly 4.5 tonnes of CO2.

Sweeney’s jet-tracking bots, which scraped that public flight data and sent it directly to Twitter, also published real-time information on Russian oligarchs. That bot helped open source investigators keep tabs on a cohort of the ultra-rich Russians mainly responsible for keeping Vladimir Putin’s regime running amid a costly war against Ukraine.

Investigative outlet Bellingcat recommends FlightRadar24 for open source investigators, and its researchers have relied on the tool to track likely Russian intelligence operatives, understand political tumult in Kazakhstan, follow the Venezuelan government’s semi-secret private jet, and keep tabs on NATO planes as they conduct operations. Other investigative outlets, like the Organized Crime and Corrupting Reporting Project, have similarly leveraged the data to hunt down shady dealings the world over.

But as Musk’s effort to suppress the information has shown, not everyone wants this data to remain public.

For starters, some planes can turn off their transponders, which relay their coordinates to flight regulators. That option is generally not available for private civilian aircraft.

More useful to someone like Musk is the FAA’s Limiting Aircraft Data Displayed list. Introduced by a 2018 act of Congress, it allows private jet owners to block their data from being disseminated by the FAA. A spokesperson for FlightRadar24 confirmed to WIRED that, as they rely primarily on the FAA’s data, they respect the block list.

Not everyone relies on the FAA, however. Planes regularly transmit basic information mid-flight, through Automatic Dependent Surveillance-Broadcast technology (ADS-B). 

ADS-Bexchange, which describes itself as the “world’s largest source of unfiltered flight data,” has continued reporting real-time information on Musk’s Gulfstream using that technology. Sweeney relies on that website for his bots—which have since moved over to Instagram and Mastodon.

“The position data shown by ADSBexchange is available to anyone who can spend $50 on Amazon and put the parts together,” reads a Q&A on its website. “It’s not secret.”

Users on the site’s Discord channel have spent recent days mocking Musk’s attempt to go after this information and have been clear that they do not intend to remove his jet from the platform. “ADSBx does no blocking or hiding for any reason,” one moderator wrote.

Anyone keeping tabs on Musk’s jet would have known that the Twitter CEO was heading to Qatar for the World Cup finale on Sunday. Doha was a key player in Musk’s Twitter takeover. While there, Musk snapped a selfie with a Russian state broadcaster. (Musk has also relied on a Dubai-based financier with ties to Russian oligarchs to finance his $44 billion purchase of the social network.)

Given how much scrutiny this type of flight data has brought on him and his business dealings, perhaps it’s no surprise that Musk has taken some desperate measures to hide this information. He reportedly offered Sweeney $5,000 to take the @ElonJet bot down. Sweeney countered, asking for $50,000—but the pair do not appear to have ever made a deal. Despite vowing to respect Sweeney’s right to publish the information, Musk banned all of his bots and his personal Twitter account earlier this month, while ADS-B’s Twitter account was similarly removed.

Steffan Watkins is a Canadian Osint researcher who has spent years tracking planes and ships using this kind of publicly available data. Last year, he worked with a United Nations panel of experts to identify planes smuggling weapons into Libya.

“Simply put, because flight data is publicly available through many different flight trackers, the public is empowered to fact-check any statement from any source, government or private,” he says. “Unsurprisingly, there are powerful people who don’t want the transparency that provides.”

Knowing more about where government planes and private jets are going to and coming from can yield surprising results. Watkins points out that the CIA’s extraordinary rendition program, which enabled the arbitrary detention and torture of suspected terrorists—many of whom were innocent—was exposed with the help of open source flight data.

“As the CIA kidnapped and flew citizens of other countries to black sites around the world for integration and torture on government-chartered bizjets, they left a trail of data in their wake that was used to unravel the routes used to ship their abductees,” Watkins told WIRED.

More recently, in 2018 researchers used ADS-B data to trace the route that a Saudi kill squad took on its way to murder _Washington Post_ journalist Jamal Khashoggi.

Earlier this year, the Saudi government submitted a proposal to the International Civil Aviation Organization to encrypt and restrict access to this data. “The uncontrolled access to detailed/accurate ADS-B data on the internet raised concerns by aircraft operators and owners on safety, security, and privacy of flights,” the Saudis wrote to the Montreal-headquartered UN body.

“Oh, the country that flies assassins around the world wants to hide aviation info from the public because of ‘security’?” Watkins says. “How quaint.”

A Saudi prince, Alwaleed bin Talal bin Abdulaziz, is the second-largest shareholder in Twitter. The site’s largest owner, Musk, is similarly relying on security concerns as he moves to ban this flight data from his platform.

In announcing the ban on real-time flight data last week, he alleged that a “crazy stalker” followed a car carrying one of his children. “Legal action is being taken against Sweeney & organizations who supported harm to my family,” he tweeted.

The Los Angeles Police Department sees no link between his private jet’s coordinates and the alleged stalking, according to _Washington Post_ reporters Drew Harwell and Taylor Lorenz—two journalists Musk banned on Twitter. A Bellingcat contributor geolocated the incident, which Musk recorded and published to Twitter (possibly in violation of his own rules), to a gas station miles away from the airport and nearly a full day after Musk’s jet had last been in the air.

Seeing how few—if any—of Musk’s critics and online tormentors have air-to-air intercept capabilities, and given that airports continue to be some of the most secure places in modern society, the Tesla owner’s security concerns appear overblown.

“Safety, security, and privacy sound like noble goals, but there isn’t a rash of violent attacks on private planes—or any planes—and no indication there will be,” Watkins says. “Musk’s gripes are almost Musk-specific; few people have a jet they themselves can call on and fly anywhere with on a whim.”

Elon Musk and the Dangers of Censoring Real-Time Flight Trackers

Categories: Threat Intelligence
Taking advantage of cost effective and high traffic adult portals, a threat actor is secretly defrauding advertisers by displaying Google ads under the disguise of an XXX page.



(Read more...)




The post Adult popunder campaign used in mainstream ad fraud scheme appeared first on Malwarebytes Labs.

_This blog post was authored by Jérôme Segura_

Online advertising is a multi billion dollar industry with projected spending to reach over 600 billion U.S. dollars for 2022. It's not surprising that criminals are trying their hardest to abuse this ecosystem in any way that they can.

One of the biggest threats and always top of mind for advertisers is bot traffic as it is the equivalent of throwing money down the drain with ads that will never be seen by real eye balls. However, ad fraud is more than bots and in fact, even when traffic is seemingly real, there can still be abuse.

Case in point, we came across a clever ad fraud scheme where a fraudster is running a cost-effective popunder campaign on high-traffic adult websites and then making money via Google Ads. What originally caught our attention was seeing a Google advert on what appeared to be an adult page, as it is strictly against the search giant's acceptable content policy. It turned out to be a clever way to hide a bogus blog loaded with many more ads, most of them hidden behind a fullscreen pornographic iframe.

As unaware visitors trigger the popunder landing page and continue browsing in their other tab, the decoy website is constantly refreshing with new content and of course new ads, generating millions of ad impressions per month.

We reported this invalid traffic and would like to thank Google for quickly shutting down this ad campaign.

**Popunder campaign on top adult sites**

It is no secret that adult websites generate a lot of traffic. Did you know that 3 of the top 20's most visited websites are from the adult industry, the more popular one getting an estimated 2.8 billion monthly visits?

A fraudster has set up an ad campaign with one of the major adult ad networks using an ad format known as a popunder, which is one of the most cost efficient. Depending on the visitor's geolocation and other parameters, the CPM (cost per thousand impressions) can be as low as $0.05.

A popunder is like a 'pop-up' in that it is triggered when a user clicks anywhere on a web page, except that the resulting ad will appear behind the open window. It's also not like a typical banner ad, it's actually an entire page, often referred to as a landing page whose goal is to provide clear and interesting information in order to have a high conversion ratio. Examples of common popunders for the adult industry include online dating services, adult webcams, or simply an adult portal.

At first, it appears that this popunder is simply promoting another adult website called Txxx. But a couple of things don't add up: the page's title and address bar show something completely unrelated and we can see what appears to be a Google ad at the bottom of the page.

The problem is that Google’s advertising policies state that sexually explicit content such as text, image, audio, or video of graphic sexual acts intended to arouse is not allowed. Technically speaking, the adult content is merely an iframe placed on top of a WordPress blog and the ad at the bottom should really have been hidden in the background.

To avoid detection, the code is heavily obfuscated and the iframe is built dynamically:

**SEO-friendly content to place ad banners**

The fraudster is actually deceiving Google by loading legitimate content (i.e. how to fix your plumbing issues) under a fullscreen XXX iframe. Not only that, but the page also refreshes its content at regular intervals, to serve a new article, still hidden behind with the XXX overlay to further monetize on Google Ads. This happens without the user's knowledge since the tab was launched as a popunder.

This is no ordinary landing page, it's actually a full blog with dozens of articles that were stolen from other sites.

*   10-home-heating-tips
*   10-ways-to-style-your-kitchen-countertops-like-a-pro
*   4-main-benefits-of-installing-gutter-protection-systems
*   8-most-common-roof-leak-causes-in-california
*   before-you-plan-to-build-your-own-house-work-out-your-budget
*   build-your-own-home-in-3-days
*   build-your-own-home-in-the-country
*   does-your-home-in-california-need-roof-ventilation
*   homeowner-s-guide-to-the-best-outdoor-lighting
*   how-much-does-a-mortgage-to-build-your-own-house-cost
*   how-much-does-it-cost-to-build-a-new-house-in-los-angeles-area
*   how-snow-and-ice-impact-your-roof
*   how-solar-panels-can-make-your-roof-last-longer
*   how-to-adhere-drywall-to-a-concrete-block
*   how-to-build-modern-dining-room-in-california

On average (when scrolling through the entire page), there are about 5 Google ads and sometimes even video ads which are more lucrative.

**Millions of ad impressions**

Looking at high level metrics (taken from Similarweb) for that one decoy website we see some interesting figures. The total number of visits per month is close to 300K (and doubling based on previous month data). But the more interesting metric is the number of pages viewed per visit, which is over 51.

How can a human actually browse and read 51 articles in an average of 7 minutes and 45 seconds? The answer is simple: they don't. The user is most likely busy minding their own business on the other active tab while the popunder page constantly reloads new articles along with Google Ads. We ran a quick capture of what this looks like based on the ad requests made to Google's servers:

While numbers will vary based on demographics and other settings, we estimate that the page generates an average of 35 ad impressions every minute. If we do the math and multiply the total number of monthly visits (281.9K) and average duration (7:45 min or 465 seconds), we get a total ad impressions of 76,465,375 per month. Calculating the exact revenue made will depend on different factors but with a CPM of $3.50, this scheme could theoretically generate $276,629 a month.

Since these ads are not going to be seen by anyone, we could consider that all those impressions are purely driven by invalid traffic (IVT). This is not typical bot traffic though, because the unwilling participants are real users with genuine IP addresses, cookies and other browser settings. However, there are giveaways such as an unexpectedly high number of pages per visit. For comparison, the most popular adult site has an average of 9 pages and 9 minutes per visit.

There is one more twist to this ad fraud scheme that comes in the form of clickjacking. Once a user gets the tab into focus (it was a popunder), suddenly the page rotation stops and what the user sees is what looks like another adult website (the iframe). A click anywhere on the page (the user may want to select one of the thumbnails and watch a specific video) triggers a real click on a Google ad instead.

Based on the previous stats, the popunder quietly cycles through blogs and ads for an average of 7 minutes and 45 seconds before the user either closes that tab or clicks on the page which would increase the advertiser's cost-per-click (CPC).

**(Fake) real news sites**

The decoy site used fairly complex and obfuscated code to defraud Google which likely was not developed for a one-off. We wrote a signature based on a string of text that stood out called 'povtor' and ran a retrohunt search on VirusTotal. Povtor is Russian for 'repeat' which aligns with our understanding of the threat actor likely being Russian.

The retrohunt search returned a number of hits for sites that had something in common: news portals registered on previously expired domains. While we have seen influence campaigns before, pushing only biased news stories for a certain political party, we don't believe this is the case here. The news articles look balanced and real which would indicate another motive.

This is again the same modus operandi of grabbing content from various places and creating SEO-friendly sites for advertising purposes. It does not appear that this particular scheme with the news sites was extremely successful though.

**Content may be king, except when stolen**

Fraudsters will continuously look for ways to make money online, with minimal effort required. Leveraging adult traffic ensures large volume and cost-efficient campaigns thanks to the pop-under format which is perfectly suited for running a landing page that will stay open for several minutes until the user closes it.

Visitors are not genuinely going to the website and can't even see ads that are masked by a full page iframe. However, those users are not bots and they have the correct browser settings and networking attributes, possibly making it harder to identify the invalid traffic.

Had it not been for a Google ad displayed at the bottom of the page (all other ads were hidden behind the XXX iframe), we likely would not have detected this fraudulent scheme. Even with web traffic analysis, the presence of an iframe does not clearly standout when all other content appears to be genuine.

Perhaps the content itself may be where security models will work best. It would be unlikely for a fraudster to write a hundred blog articles by themselves; it would make more sense at least to hire a third-party to produce that amount of content. This is why detecting duplicates and identifying copycat sites may yield good results from phishing pages to bogus blackhat SEO websites.

After our reporting to Google, we confirmed that the website was no longer loading ads, and instead showed blank iframes.

Adult popunder campaign used in mainstream ad fraud scheme

Sites spoofing Grammarly and a Cisco webpage are spreading the DarkTortilla threat, which is filled with follow-on malware attacks.

Researchers have spotted two phishing sites — one spoofing a Cisco webpage and the other masquerading as a Grammarly site — that threat actors are using to distribute a particularly pernicious piece of malware known as "DarkTortilla."

The .NET-based malware can be configured to deliver various payloads and is known for functions that make it extremely stealthy and persistent on the systems it compromises.

Multiple threat groups have been using DarkTortilla since at least 2015 to drop information stealers and remote access Trojans, such as AgentTesla, AsyncRAT and NanoCore. Some ransomware groups too — such as the operators of Babuk — have used DarkTortilla as part of their payload delivery chain. In many of these campaigns, attackers have primarily used malicious file attachments (.zip, .img, .iso) in spam emails to wrap up unsuspecting users in the malware.

**DarkTortilla Delivery Via Phishing Sites**

Recently, researchers at Cyble Research and Intelligence Labs identified a malicious campaign where threat actors are using two phishing sites, masquerading as legitimate sites, to distribute the malware. Cyble surmised that the operators of the campaign are likely using spam email or online ads to distribute links to the two sites.

Users who follow the link to the spoofed Grammarly website end up downloading a malicious file named "GnammanlyInstaller.zip" when they click on the "Get Grammarly" button. The .zip file contains a malicious installer disguised as a Grammarly executable that drops a second, encrypted 32-bit .NET executable. That in turn downloads an encrypted DLL file from an attacker-controlled remote server. The .NET executable decrypts the encrypted DLL file and loads it into the compromised system's memory, where it executes a variety of malicious activities, Cyble said.

The Cisco phishing site meanwhile looks like a download page for Cisco's Secure Client VPN technology. But when a user clicks on the button to "order" the product, they end up downloading a malicious VC++ file from a remote attacker-controlled server instead. The malware triggers a series of actions that end with DarkTortilla installed on the compromised system.

Cyble's analysis of the payload showed the malware packing functions for persistence, process injection, doing antivirus and virtual machine/sandbox checks, displaying fake messages, and communicating with its command-and-control (C2) server and downloading additional payloads from it.

Cyble's researchers found that to ensure persistence on an infected system for instance, DarkTortilla drops a copy of itself into the system's Startup folder and creates Run/Winlogin registry entries. As an additional persistence mechanism, DarkTortilla also creates a new folder named "system\_update.exe" on the infected system and copies itself into the folder.

**Sophisticated & Dangerous Malware**

DarkTortilla's fake message functionality meanwhile basically serves up messages to trick victims into believing the Grammarly or Cisco application they wanted failed to execute because certain dependent application components were not available on their system.

"The DarkTortilla malware is highly sophisticated .NET-based malware that targets users in the wild," Cyble researchers said in a Monday advisory. "The files downloaded from the phishing sites exhibit different infection techniques, indicating that the \[threat actors\] have a sophisticated platform capable of customizing and compiling the binary using various options."

DarkTortilla, as mentioned, often acts as a first-stage loader for additional malware. Researchers from Secureworks' Counter Threat Unit earlier this year identified threat actors using DarkTortilla to mass distribute a wide range of malware including, Remcos, BitRat, WarzoneRat, Snake Keylogger, LokiBot, QuasarRat, NetWire, and DCRat.

They also identified some adversaries using the malware in targeted attacks to deliver Cobalt Strike and Metasploit post-compromise attack kits. At the time, Secureworks said it had counted at least 10,000 unique DarkTortilla samples since it first spotted a threat actor using the malware in an attack targeting a critical Microsoft Exchange remote code execution vulnerability (CVE-2021-34473) last year.

Secureworks assessed DarkTortilla as being very dangerous because of its high degree of configurability and its use of open source tools like CofuserEX and DeepSea to obfuscate its code. The fact that DarkTortilla's main payload is executed entirely in memory is another feature that makes the malware dangerous and difficult to spot, Secureworks noted at the time.

Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages

Bright Data CEO Or Lenchner discusses how security teams are utilizing public Web data networks to safeguard their organizations from digital risks.

Threat intelligence plays a key role in the safety and security of any organization’s online activity, and it plays a determining factor in upholding the integrity of their internal infrastructure.

But to be able to assess possible threats across the cybersecurity landscape at scale, they need data — and more importantly, public Web data.

This is because Web data helps security operators better understand the vulnerabilities that may be present within their systems, threats that could originate within the networks of outside organizations as well as potential risks that could target their organization across the World Wide Web.

**Public Web Data in Security Research, Intelligence, and Testing**

In practice, this collection of public Web data is used to automate checks that can discover the presence of possible malware, phishing links, different forms of fraud, information leaks, and counterfeiting schemes.

Essentially, it provides security operators with the visibility they need to proficiently detect, address, and prevent real live threats or intrusions from affecting their organizational security, by mapping out the potential security gaps that could target various Web-based systems.

**Web Data Collection Networks**

To obtain this increased visibility, security firms and operators use public Web data collection networks to gather large amounts of information, or Web data, which they then use to identify, monitor, and assess threats in real-time.

The Web data collection networks (IP proxy networks included) provide a risk-free environment to discover how to prevent digital risks from reaching their organization, without sacrificing the integrity of their internal infrastructure.

In order to accomplish this, security operators route requests through Web data collection networks to assess the risk of potentially malicious websites or URLs.

The requests then return information, or Web data. That Web data provides details on how the domain reacted to the request, which then allows the security teams to assess the threat (or lack thereof) and take proper action to mitigate it before it ever reaches their Web-based systems.

Within applications, this method essentially provides a firewall, opening a one-way access to information, considering the manner in which the requests are routed: away from their internal systems — safeguarding their organization’s internal network.

**Security Use Cases:****Scraping for Possible Malware and Phishing Schemes Targeting US Banks**

The security departments of some of the leading US banks use public Web data collection networks to gather information about possible online threat actors and examine malware.

Additionally, they use Web scraping techniques to continually and automatically scan the public domain for potentially malicious websites or links. For example, security teams can automatically identify different phishing sites that attempt to steal sensitive client or company information such as usernames, passwords, or credit card information.

From here, when an email comes into the organization’s network or a website is approached, the security team already knows the risk parameters attached to it.

**Web Scraping for Cybersecurity Firms**

A number of cybersecurity firms use Web data collection in order to assess the risk of different domains for malware and fraud.

They generate or purchase lists of potentially malicious domains, and then route DNS requests to each of these links, servers, or websites to see how they react to the request.

This provides the cybersecurity firms with the ability to approach possibly malicious websites as a “victim” or a real user, and see how the website would target an unsuspecting visitor to properly assess the risk.

**Threat Research and Mitigation**

Threat intelligence firms deploy the use of public Web data collection networks to tap into various sources of information, such as hacker or app forums, public social media channels, blogs, and so on, to identify new leads on various potential threats.

This collection of Web data is foundational to their intelligence insights, which they then share with a wide range of customers looking to bolster their own security operations.

**Key Takeaways**

Overall, integrating with Web data collection networks enhances an organization’s visibility and ability to deal with digital threats across the vast online landscape in real-time.

This is particularly important considering the recent shifts made in remote working, as well as the broadening of online operations, strategies, and services all around, following the onset of the coronavirus, which only further add to the lists of risks or pathways that can disrupt organizational security.

So, while the task set before security teams has become increasingly more difficult, Web data collection networks have essentially transformed this once complicated ordeal into a much more manageable endeavor by providing options for automation — helping them to target more sources of information, in turn identifying more risks, while protecting the integrity of their own internal systems in the grand scheme of things.

**About the Author**

    

Or Lenchner is CEO of Bright Data, a position he has held since July 2018. For the past few years, under his leadership, the company has advanced its product offerings to include first-of-its-kind automated solutions, enabling its over 15,000 customers to collect and receive public data in a matter of minutes. Prior to his career at Bright Data, Lenchner founded and managed several Web-based businesses, developing digital assets and online marketing programs.

Threat Intelligence Through Web Scraping

Leading global education provider engages with Bugcrowd Security Researchers to identify threats.

**SYDNEY** **and** **SAN FRANCISCO****,** **Dec. 19, 2022** **/PRNewswire/ --** Bugcrowd, the leader in crowdsourced cybersecurity, today announced that Navitas, one of the world's leading global education providers, has launched a private bug bounty program with Bugcrowd to identify and resolve security vulnerabilities.

Navitas delivers educational programs to 60,000 aspirational students each year across its network of 92 colleges and campuses in 24 countries around the world. Under the bug bounty program, dozens of Bugcrowd security researchers will test Navitas' web applications for security risks on an ongoing basis. Ethical hackers who identify and remediate any valid threats will receive a bug bounty financial reward of up to AUD $3,700 (USD $2,500), depending on the severity of the uncovered threat.

Gavin Ryan, Global Head of Information Security for Navitas, selected the Bugcrowd crowdsourced security solution based on its proven track record of being able to scale, reduce costs and risks through a continuous testing process, along with the extensive global reach of its researcher team. 

"At Navitas we take the security of our data and applications extremely seriously and are always seeking innovative ways to protect the private information of our students and staff from continuous and fast-changing cyber threats," said Gavin Ryan. "We are pleased to partner with Bugcrowd to take advantage of its extensive network of trained security researchers who can help us find and resolve online vulnerabilities before attacks occur. Only a month into the program, we are already realising the benefits of a bug bounty program and plan to extended it to include agile continuous security testing across selected non production environments" 

Bugcrowd's ability to deliver a fast return on investment through crowdsourced bug bounties, rather than undertaking lengthy and costly consulting engagements, was one of the biggest contributing factors in its selection. The solution's continuous assurance model was also better positioned to safeguard Navitas' global attack surface, which had made traditional penetration testing less tenable and less effective for ongoing application security assurance.

"Bugcrowd is excited to work with Navitas in assisting to protect both their data and applications with a comprehensive bug bounty strategy and a non production testing strategy," said Nick McKenzie, Chief Information and Security Officer at Bugcrowd. "Our extensive global crowdsourced security team has the ability to scale for Navitas's requirements, provide critical protections around the clock, and through the introduction of non-production testing regimes will help the Navitas business deliver at a higher digital velocity. We are happy that both control outcomes and the economics of the program's delivery (vs other testing regimes) have exceeded expectations."

"Bugcrowd" and the "Bugcrowd Security Knowledge Platform" are trademarks of Bugcrowd Inc. and its subsidiaries. All other trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

**About Bugcrowd**

Bugcrowd is the leading provider of crowdsourced cybersecurity solutions purpose-built to secure the digitally connected world. Today's enterprise demands an offensive approach to cybersecurity—and Bugcrowd offers the only solution that orchestrates data, technology, and human intelligence to expose blind spots. The Bugcrowd Security Knowledge Platform™ enables businesses to do everything proactively possible to protect their organization, reputation and customers with products like Bug Bounty, Penetration Testing-as-a-Service, and more. Trusted by organizations across the globe, Bugcrowd uncovers and remediates vulnerabilities before they interrupt business by leveraging expert ingenuity and the knowledge of world-class security researchers. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Learn more at www.bugcrowd.com.

SOURCE Bugcrowd

Bugcrowd Launches Bug Bounty Program for Australian-Based Navitas

Revived levels of holiday spending have caught the eye of threat actors who exploit consumer behaviors and prey on the surge of online payments and digital activities during the holidays.

As the holiday season barrels to a conclusion, malicious actors are attempting to take advantage of harried consumers by ramping up the volume of spam and phishing attacks in the form of unsolicited emails and email-based threats — and businesses stand to suffer.  

A report from Bitdefender Antispam Lab found the volume of Christmas-themed spam has increased consistently since Nov. 27, with spikes in unsolicited correspondence observed between Dec. 6 and Dec. 9.

Scammers are employing the tried-and-true tactics of bogus surveys, online holiday dating opportunities, adult content offers, and discount shopping for designer goods.

Major corporations, including Netflix and Lowes, have been among the spoof subjects, enticing consumers with exclusive offers and cash giveaways — the catch being they must first enter credit card numbers or banking information, of course.

A recent study found more than a third of Americans have fallen victim to online shopping scams during the holidays, losing $387 on average as a result.

Alina Bizga, security analyst at Bitdefender, explains that threat actors are savvy when it comes to targeting. The holiday season tends to bring a host of socially engineered promotional campaigns aimed at fooling account holders to harvest their credentials and perform other nefarious activities.

"They update their tactics, and lures, and take note of consumer behaviors, timing their social engineering attacks to catch users off guard and steal sensitive personal data and money or compromise their devices and financial accounts," she says.

**Ramifications for Legitimate Businesses**

Bizga adds that when threat actors mimic a legitimate business to trick consumers into giving out their personal information or money, organizations may also suffer financial losses and reputational damages.

"Scams leveraging popular trade names that are proliferated via large-scale spam campaigns can impact both consumers and employees, and organizations need to have a clear action plan to minimize potential damages in the aftermath of a phishing scam," she says.

This includes identifying fraudulent communications, gathering information on the scope of the attacks, and notifying consumers and law enforcement.

Sam Curry, Cybereason chief security officer, says the annual glut of seasonal spam makes legitimate marketing for businesses much harder.

"When the bad guys try to look like legitimate marketing, legitimate marketing becomes less trusted and tolerated," he says. "If your email queue goes up to 200 junk emails a day, and you get tired of hitting delete 170 times, then you're more likely to hit delete on the buried legitimate marketing content than not."

For retailers, the fight against spam and phishing is twofold: protecting the customer and protecting the organization.

Curry points out now is the time when many retailers go into the black.

"They may make more in a few days than in some months in the rest of the year, which is why they freeze IT and changes and focus on servicing customers at scale," he says.

That means any hiccups now are even more painful as a result.

"In security, we measure risk in terms of likelihood and impact, and during the holiday season, impact goes up dramatically," he says. "That in turn changes the responses and contingencies of businesses, making them more likely to pay a ransom or to take drastic measures to fix issues and problems."

**Threat Actors Look for Quick, Easy Wins**

Bizga says that although cybercriminals are regularly adapting their tactics, techniques, and procedures (TTPs), the most common attack vectors seen throughout the holiday season include phishing, exploiting vulnerabilities and human error and misconfigurations.

"In addition, supply chain attacks can exploit access of third parties such as suppliers, distributors, or contractors to their ecosystem," she notes. "For example, breaching a small supplier may result in access to their much larger customer or entire customer base."

Michael DeBolt, chief intelligence officer at Intel 471, says cyber threat actors are always looking for quick and easy wins that result in considerable profit with a low degree of risk and effort.

"The end-of-year holiday period presents a unique window of opportunity for threat actors to increase illicit profits due to the surge in online activity as retailers and consumers transact goods and services, log into online accounts, ship and receive products, and more," he says.

**Keeping Alert Across the Organization**

DeBolt says retail organizations need to be aware of the latest spam and phishing campaigns targeting their customers.

Armed with this information, organizations can employ directed awareness campaigns warning customers of potential threats and how to avoid them.

He notes that security and fraud teams can take mitigating measures by adjusting controls within the environment to defend against account takeover (ATO) attacks.

"The same malware spam campaigns that target consumers can be used to target employees within organizations as well," he adds.

An infected machine belonging to an employee can include login information to remote network accesses or credentials to sensitive data storage, which can lead to theft of company information or as a foothold for a ransomware deployment into the company’s network.

"Perhaps the most important takeaway is that information security needs to be practiced and understood across the entire organization, not just \[by\] the network defenders," he says.

In the fight against spam and holiday season phishing, retailers need to give their customers proper information and channels through which they can report suspicious correspondence sent in their name.

Bizga says businesses should also establish seasonal awareness campaigns to inform consumers about any ongoing spam/phishing campaigns and notify the applicable domain name registrar to report fraudulent activity.

"Additional remedial efforts should include notifying law enforcement and legal bodies that can assist with legal actions and advise against malicious actors," she says.

**The Perils of Losing Customer Trust**

Patrick Harr, CEO at SlashNext, explains that bad actors leverage the brand recognition of major retailers and other businesses to lure their victims into a false sense of security.

"When a victim realizes they have been duped, it can cause them to lose trust in the brand, even though they of course had nothing to do with the actual scam," he says. "As we all know, losing consumer trust can lead to significant decreases in revenue," Harr says.

He advises retailers to deploy a strong brand protection service that checks for brand impersonation instances.

Once a scam or impersonation has been identified, a request must be filed, along with evidence to prove that it is illegitimate.

"This can take quite some time, however, so retailers should adopt an automated service that is continuously scanning and reporting these impersonations," Harr says. "It won't stop impersonations altogether, but companies that fight back make themselves less of a target for future impersonations."

Holiday Spam, Phishing Campaigns Challenge Retailers

Meta Platforms disclosed that it took down no less than 200 covert influence operations since 2017 spanning roughly 70 countries across 42 languages.
The social media conglomerate also took steps to disable accounts and block infrastructure operated by spyware vendors, including in China, Russia, Israel, the U.S. and India, that targeted individuals in about 200 countries.
"The global

Meta Platforms disclosed that it took down no less than 200 covert influence operations since 2017 spanning roughly 70 countries across 42 languages.

The social media conglomerate also took steps to disable accounts and block infrastructure operated by spyware vendors, including in China, Russia, Israel, the U.S. and India, that targeted individuals in about 200 countries.

"The global surveillance-for-hire industry continues to grow and indiscriminately target people – including journalists, activists, litigants, and political opposition – to collect intelligence, manipulate and compromise their devices and accounts across the internet," the company noted in a report published last week.

The networks that were found to engage in coordinated inauthentic behavior (CIB) originated from 68 countries. More than 100 nations are said to have been targeted by at least one such network, either foreign or domestic.

With 34 operations, the U.S. emerged as the most frequently targeted nation during the five-year period, followed by Ukraine (20) and the U.K. (16).

The top three geographic sources of CIB networks during the same timeframe were Russia (34), Iran (29), and Mexico (13). On top of that, an Iranian network disrupted by Meta in April 2020 focused on 18 countries at a time, indicating the scope of foreign interference in these campaigns.

"Notably, both our first takedown and our 200th takedown were of CIB networks originating from Russia," Meta's Ben Nimmo and David Agranovich said. "The latter takedown targeted Ukraine and other countries in Europe."

The activity, the details of which the company first disclosed in September 2022, has since been attributed as the work of two companies, Structura National Technologies and Social Design Agency (Агентство Социального Проектирования), located in the country.

That said, CIB networks run across the world have often been found targeting people in their own country, not to mention have a cross-platform presence that go beyond Facebook and Instagram to encompass Twitter, Telegram, TikTok, Blogspot, YouTube, Odnoklassniki, VKontakte, Change\[.\]org, Avaaz, and LiveJournal.

Meta further highlighted a "rapid rise" in the use of profile pictures created through artificial intelligence techniques like generative adversarial networks (GAN) since 2019 in a bid to pass off rogue accounts as more authentic and evade detection.

****Tackling Platform Abuse by Spyware Entities****

In a related report on surveillance-for-hire operations, the Menlo Park-based company said it removed a network of 130 accounts created by an Israeli company named Candiru that used these fake accounts to test phishing capabilities by sending malicious links designed to deploy malware.

A second set of 250 accounts on Facebook and Instagram linked to another Israeli company called QuaDream was found "engaged in a similar testing activity between their own fake accounts, targeting Android and iOS devices in what we assess to be an attempt to test capabilities to exfiltrate various types of data including messages, images, video and audio files, and geolocation."

Both Candiru and QuaDream are founded by former employees of NSO Group, a controversial cyber intelligence firm that has come under fire for selling its invasive technology, Pegasus, to governments with poor human rights records.

What's more, Meta said it removed more than 5,000 accounts belonging to companies such as Social Links, Cyber Globes, Avalanche, and an unattributed entity in China that used the fraudulent accounts to scrape publicly available information and market "web intelligence services."

Nearly 3,700 of those Facebook and Instagram accounts were linked to Social Links, with the China-based network of 900 accounts targeting military personnel, activists, government employees, politicians, and journalists in Myanmar, India, Taiwan, the U.S., and China.

Besides relying on fake accounts, spyware vendors have also been caught relying on other legitimate tools to conceal their origin and conduct malicious activities. One such example is the Indian hack-for-hire firm CyberRoot, which utilized a marketing solution known as Branch to create, manage, and track phishing links.

Nearly 3,700 of those Facebook and Instagram accounts were attributed to Social Links, with the China-based network of 900 accounts targeting military personnel, activists, government employees, politicians, and journalists in Myanmar, India, Taiwan, the U.S., and China.

CyberRoot has also been estimated to operate over 40 fictitious accounts that impersonated journalists, business executives, and media personalities to gain the trust of targets and send phishing links spoofing services like Gmail, Zoom, Facebook, Dropbox, Yahoo, OneDrive, and Outlook to steal their credentials.

Law firms, cosmetic surgery clinics, real estate companies, investment and private equity firms, pharmaceuticals, media houses, activist groups, and gambling entities are believed to have been targeted by the mercenary actor.

CyberRoot is the second Indian surveillance-for-hire firm to come under the radar after BellTroX, whose accounts were flagged and disbanded by the company in 2021. Coincidentally, it's also said to have been assisted by BellTroX in the past.

"These companies are part of a sprawling industry that provides intrusive software tools and surveillance services indiscriminately to any customer — regardless of who they target or the human rights abuses they might enable," Meta said.

"In a sense, this industry 'democratizes' these threats, making them available to government and non-government groups that otherwise wouldn't have these capabilities to cause harm."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Facebook Cracks Down on Spyware Vendors from U.S., China, Russia, Israel, and India

CONPROSYS HMI System (CHS) Ver.3.4.4?and earlier allows a remote unauthenticated attacker to execute an arbitrary OS command on the server where the product is running by sending a specially crafted request.

PLEASE READ THIS SOFTWARE LICENSE AGREEMENT (the "Agreement") CAREFULLY BEFORE USING CONTEC'S SOFTWARE. THIS AGREEMENT SET FORTH TERMS AND CONDITIONS REGARDING THE LICENSE TO USE CONTEC'S SOFTWARE ONTO WHICH THE AGREEMENT IS ATTACHED (the "Software"). BY DOWNLOADING, INSTALLING OR USING THE SOFTWARE OR USING MACHINEARY ONTO WHICH THE SOFTWARE HAS BEEN INSTALLED, CUSTOMERS ARE AGREEING TO BE BOUND BY THE AGREEMENT. CUSTOMERS MAY NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE OR ANY MACHINERY ONTO WHICH THE SOFTWARE HAS BEEN INSTALLED WITHOUT AGREEING TO THE AGREEMENT.

Article 1. Intellectual Property Rights  
The copyright, patent right or any other intellectual property right pertaining to the Software or any documentary attachments, such as manuals, as well as any copies thereof (the "Software and the Like") shall belong to CONTEC or to a third party who has the right pertaining to the Software and the Like and who has granted CONTEC the right to use them, and customers shall have no rights therefor other than those expressly authorized herein.

Article 2. Permitted License  
1\. CONTEC grants customers a non-exclusive right to install and use the Software on one (1) computer during the term of the license which the customer has purchased.  
2\. Customers may make one (1) copy of the Software solely for emergency backup purposes in using the Software.

Article 3. License Authentication  
Customers need to follow license authentication procedures to use the Software. If a customer does not properly follow license authentication procedures, the customer's use of the Software may be restricted.

Article 4. Restrictions on Use  
Customers shall not:  
(1) Create any derivative software from the Software;  
(2) Copy the Software other than as set forth herein;  
(3) Modify, adapt, decompile, disassemble or reverse-engineer the Software;or  
(4) Delete or alter the indication of the rights or the trademark on the Software.

Article 5. Limited Liabilities  
1\. If a customer gives a written notice of material non-conformity of the Software (except for malfunctions arising out of particular hardware or software which is not guaranteed to operate with the Software) within 90 days from the date of purchase of the license of the Software, CONTEC shall provide a modification program, introduce a solution, or return a part of the payment, depending on the degree of the non-conformity, and based on CONTEC's sole discretion.  
2\. EXCEPT AS OTHERWISE PROVIDED BY THE PRECEDING PARAGRAPH, CONTEC HEREBY DISCLAIMS ANY WARRANTY WITH RESPECT TO THE SOFTWARE, EITHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, OF SATISFACTORY QUALITY, OR FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS HAVE SOLE RESPONSIBILITIES FOR CHOOSING THE SOFTWARE.  
3\. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT SHALL CONTEC BE LIABLE FOR PERSONAL INJURY, OR ANY INCIDENTAL, SPECIAL, INDIRECT OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO YOUR USE OR INABILITY TO USE THE SOFTWARE AND THE LIKE.

Article 6. Transfer  
1\. Customers may transfer the Software and the Like and their authorized rights herein to a third party provided that the transferee agrees to the terms and conditions herein. The customer transferring the rights shall not use the Software and the Like after such transfer.  
2\. Notwithstanding the preceding paragraph, if Customers obtained the rights pertaining to the Software and the Like by purchasing CONTEC's hardware, customers may transfer their authorized rights pertaining to the Software and the Like only when the customer satisfies all of the following conditions:  
(1) The customer transferring the rights transfers the transferee all the hardware on which the Software has been installed;  
(2) The customer transferring the rights shall not use the Software and the Like after the transfer; and  
(3) The transferee agrees to the terms and conditions herein.  
3\. If the Software and the Like and the authorized rights herein are transferred pursuant to the preceding paragraphs, the transferee shall be bound by the Agreement upon the transfer.

Article 7. Expiration and Termination  
1\. This Agreement shall expire upon the expiration of the term of the license.  
2\. CONTEC may terminate the Agreement with immediate effect without any notice or demand to the customer if the customer fails to comply with any of the provisions herein.  
3\. Upon the termination of the Agreement, the customer's license shall cease to be effective. The customer shall immediately discontinue using the Software in any way, and shall uninstall and destruct any reproduction of the Software.

Article 8. Version Update  
1\. CONTEC may update the version of the Software without prior notice to customers.  
2\. CONTEC may offer a new version of the Software to customers with or without charge.

Article 9. Term of Support Service  
Support service for the Software will not be provided upon the expiration of the term of the license which the customer has purchased. Regardless of the term of the license, support service can be terminated when the support term for the operating system on which the Software can operate and for the software platform end.

Article 10. Export Control  
1\. Customers shall comply with the Foreign Exchange and Foreign Trade Act of Japan, the U.S. Export Administration Regulation and the laws and regulations of any other country when taking the Software and the Like outside Japan.  
2\. Customers shall not transfer, export or re-export the Software and the Like to any individual or entity that is likely to use the Software and the Like to design, develop or manufacture nuclear weapons, biochemical weapons, or to design, develop or manufacture missiles.  
3\. Customers shall not transfer, export or re-export the Software and the Like to any individuals or entities set forth in the following countries or regions:  
(1) The Republic of Cuba, The Islamic Republic of Iran, the Republic of Iraq, the Great Socialist People's Libyan Arab Jamahiriya or North Korea;  
(2) Any individuals or entities on the "List of Foreign Users" based on the Import Trade Control Order or the U.S. Department of Commerce's "Denied Person's List or Entity List"; or  
(3) Any country, region, individual or entity designated by the government of Japan, the U.S. or any other relevant country.

Article 11. Governing Law  
The provisions herein shall be construed and governed in accordance with the laws of Japan. This Agreement shall not be governed by the United Nations Convention on Contracts for the International Sale of Goods, the application of which is expressly excluded.

Article 12. Dispute Resolution  
Upon the occurrence of any dispute in relation to the Agreement or the Software, if any legal procedures are required, such as the filing of a petition for a lawsuit, the Osaka Summary Court or the Osaka District Court shall have the exclusive jurisdiction over such dispute.

Article 13. Severability  
If for any reason any portion of the provisions set forth herein is found to be invalid or unenforceable, the remainder of the Agreement shall not be affected in any way and shall be valid and enforceable to the extent permitted by law.

CVE-2022-44456: Download License Agreement | CONTEC

<p>Across government, organizations have extended operations from the datacenter to multiple public clouds to the edge. Now they need to manage data and deliver intelligent capabilities across those environments. More than ever, they must achieve those goals with greater simplicity, consistency and availability, along with enhanced security of their IT operations.</p>

<p>These imperatives were the focus of <a href="https://www.redhat-govsymposium.com/program/">Red Hat Government Symposium 2022</a>, which

Across government, organizations have extended operations from the datacenter to multiple public clouds to the edge. Now they need to manage data and deliver intelligent capabilities across those environments. More than ever, they must achieve those goals with greater simplicity, consistency and availability, along with enhanced security of their IT operations.

These imperatives were the focus of Red Hat Government Symposium 2022, which convened on November 9 at the Waldorf Astoria in Washington, D.C. With an overarching theme of “Innovation Unleashed,” the one-day event packed in eight insightful keynotes and panels delivered by nearly 20 industry and government leaders, plus a half-dozen drill-down breakout sessions. As the day unfolded, the following themes emerged: 

**Deploying and scaling at the mission edge**

The modern battlespace involves satellites, drones and sensors that send and receive data at the extreme edge. Symposium attendees heard from Winston Beauchamp, deputy CIO of the Air Force, and Michelle Davis, director of DoD Solution Architects for Red Hat, about ways the military is using edge compute and data management to accelerate critical decisions and dominate the battlespace.

We also learned about deployment-ready edge technology from Mark Valcich, civilian general manager of Public Sector for Intel, and Dylan Conner, vice president and product manager for Archon. They described standards-based technology that’s enabling rapid edge implementations with stronger security capabilities today.

**Achieving automation and insights**

Machine learning (ML) and other forms of artificial intelligence (AI) are showing up in more places. Justin Taylor, vice president of AI for Lockheed Martin, and Chris Edillon, solution architect for Red Hat, described how intelligent technologies are transforming the capabilities of drones.

Conference-goers learned about other advanced analytics capabilities in a panel discussion by Jesus Caban, chief of Clinical Research Informatics at Walter Reed Medical Center, and Amanda Purnell, director of Data and Analytics Innovation for the Department of Veterans Affairs. These government leaders provided first hand stories of how AI and ML are helping agencies solve real-world, critical challenges.

**Building cyber-resilience**

Cybersecurity is now central to innovation. A multilayered defense can help stack the cyber-risk deck in your agency’s favor, noted panelists Ken Bailey, section chief of threat hunting for CISA; Jon Boyens, deputy chief of computer security for NIST; and Sandra López, CTO for Leidos. They shared insight into how organizations can build resilience into their networks and minimize downtime in the face of a breach.

**Quantifying quantum computing**

Finally, Vishnu Parasuraman, lead of the federal HCT OpenShift offering at IBM, and Michael Epley, chief architect, Public Sector, at Red Hat, explored the vast potential of quantum computing. Combining the results of quantum algorithms with classical computers can unleash a wealth of real-time data to support government missions. These innovations are moving within reach.

But those were only the highlights of Red Hat’s 13th-annual Government Symposium. Attendees also benefited from breakout sessions on real-time edge intelligence, enterprise integration, the future of government service delivery and more. They also heard real-world insights from agency leaders at the Coast Guard, FEMA and USPS, and from technology leaders at Accenture, AWS and KPMG.

Organizations can unleash innovation if they deploy the most effective technologies in the most effective ways. The Red Hat Government Symposium 2022 showed how agencies and their industry partners are doing just that. Couldn't make it to DC for Red Hat Government Symposium in-person? Join us online for the Best of Symposium keynotes and breakout sessions for free on demand.

Red Hat Government Symposium 2022: Unleashing innovation, powering missions

Plus: An FBI platform got hacked, an ex-Twitter employee is sentenced for espionage, malicious Windows 10 installers circulate in Ukraine, and more.

As Russia's invasion of Ukraine drags on, navigation system monitors reported this week that they've detected a rise in GPS disruptions in Russian cities, ever since Ukraine began mounting long-range drone attacks. Elsewhere, a lawsuit against Meta alleges that a lack of adequate hate-speech moderation on Facebook led to violence that exacerbated Ethiopia's civil war. 

New evidence suggests that attackers planted data to frame an Indian priest who died in police custody—and that the hackers may have collaborated with law enforcement as he was investigated. The Russia-based ransomware gang Cuba abused legitimate Microsoft certificates to sign some of their malware, a method of falsely legitimatizing hacking tools that cybercriminals have particularly been relying on lately. And with the one-year anniversary of the Log4Shell vulnerability, researchers and security professionals reflected on the current state of open source supply-chain security, and what must be done to improve patch adoption.

We also explored the confluence of factors and circumstances leading to radicalization and extremism in the United States. And Meta gave WIRED some insight into the difficulty of enabling users to recover their accounts when they get locked out—without allowing attackers to exploit those same mechanisms for account takeovers.

But wait, there’s more! Each week, we highlight the security news we didn’t cover in depth ourselves. Click on the headlines below to read the full stories.

Alexey Brayman, 35, was one of seven people named in a 16-count federal indictment this week in which they were accused of operating an international smuggling ring over the past five years, illegally exported restricted technology to Russia. Brayman was taken into custody on Tuesday and later released on a $150,000 bond, after being ordered to forfeit his passport and abide by a curfew. He is an Israeli citizen who was born in Ukraine. Brayman and his wife, Daria, live in Merrimack, New Hampshire, a small town where the two ran an online craft business out of their home. “They are the nicest family,” a delivery driver who regularly drops off packages at their home told _The Boston Globe_. “They’ll leave gift cards out around the holidays. And snacks.” The indictment alleges, though, that their house was a staging site for “millions of dollars in military and sensitive dual-use technologies from US manufacturers and vendors.” Two other suspects connected to the case have also been arrested in New Jersey and Estonia.

A hacker breached the FBI information-sharing database InfraGard this week, compromising data from more than 80,000 members who share details and updates through the platform related to critical infrastructure in the United States. Some of the data is sensitive and pertains to national and digital security threats. Last weekend, the hacker posted samples of data stolen from the platform on a relatively new cybercriminal forum called Breached. They priced the database at $50,000 for the full contents. The hacker claims to have gained access to InfraGard by posing as the CEO of a finance company. The FBI said it was “aware of a potential false account associated with the InfraGard Portal and that it is actively looking into the matter.”

Former Twitter employee Ahmad Abouammo was convicted in August of being paid to send user data to the Saudi Arabian government while working at the tech company. He was also found guilty of money laundering, wire fraud, and falsification of records. He has now been sentenced to 42 months in prison. Abouammo worked at Twitter from 2013 to 2015. “This case revealed that foreign governments will bribe insiders to obtain the user information that is collected and stored by our Silicon Valley social-media companies,” US attorney Stephanie Hinds said in a statement. “This sentence sends a message to insiders with access to user information to safeguard it, particularly from repressive regimes, or risk significant time in prison.” Earlier this year, whistleblower and former Twitter security chief Peiter Zatko alleged that Twitter has long had problems with foreign agents infiltrating the company. The situation has been of particular concern as new CEO Elon Musk massively overhauls the company and its workforce.

In an effort to compromise Ukrainian government networks,  hackers have been posting malicious Windows 10 installers on torrent sites used in Ukraine and Russia, according to researchers from the security firm Mandiant. The installers were set up with the Ukrainian language pack and were free to download. They deployed malware for reconnaissance, data gathering, and exfiltration. Mandiant said it could not definitively attribute the campaign to specific hackers, but that the targets overlap with those that have been attacked in past hacks by the Russian military intelligence agency GRU.

Years after it was proved vulnerable and insecure, the US National Institute of Standards and Technology said on Thursday that the SHA-1 cryptographic algorithm should be removed from all software platforms by December 31, 2030. Developers should turn instead to algorithms with more robust security, namely SHA-2 and SHA-3. The “security hash algorithm,” or SHA, was developed by the National Security Agency and debuted in 1993. SHA-1 is a slightly modified replacement used since 1995. By 2005 it was clear that SHA-1 was “cryptographically broken,” but it remained in widespread use for years. NIST said this week, though, that attacks on SHA-1 “have become increasingly severe.” Developers have eight years to migrate away for any remaining uses of the algorithm. "Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government,” NIST computer scientist Chris Celi said in a statement.

Tag

#intel