Meta Platforms said it took a series of steps to curtail malicious activity from eight different firms based in Italy, Spain, and the United Arab Emirates (U.A.E.) operating in the surveillance-for-hire industry.
The findings are part of its Adversarial Threat Report for the fourth quarter of 2023. The spyware targeted iOS, Android, and Windows devices.
"Their various malware included

Meta Warns of 8 Spyware Firms Targeting iOS, Android, and Windows Devices

A group of cybercriminals is committing bank fraud by convincing victims to scan their IDs and faces.

Well, the GoldPickaxe Trojan does not literally steal your face, but it does steal an image of your face in order to be able to identify as you.

Researchers have found a family of Trojans, attributed to a financially motivated Chinese group, which come in versions for iOS and Android.

Cybercriminals try to trick victims into scanning their faces along with identification documents. The victims are approached through phishing and smishing messages claiming to be from local governments or other trusted sources. They ask the target to install a fake government service app.

At this stage there is a crossroads where Android and iOS infections are different. While Android users go straight to the malicious app, due to measures taken by Apple the criminals ask the iOS users to install a disguised Mobile Device Management (MDM) profile. MDM allows a controller to remotely configure devices by sending profiles and commands to the device. As such MDM offers a wide range of features such as remote wipe, device tracking, and application management, which the cybercriminals take advantage of to install malicious applications and obtain the information they need.

The criminals then request that the victim take a photo of an official ID and scan their face with the app. Additionally, the criminals request the target’s phone number in order to get more details about them, particularly their bank accounts.

Once the criminals have a scan of the face they can use artificial intelligence (AI) to perform face-swaps. Face swapping is a technique that allows you to replace faces in images with others.

With the face swap and the photo of the ID the criminals can identify themselves as the victim to the victim’s bank and withdraw funds from their account. Many financial organizations use facial recognition for transaction verification and login authentication. Although the researchers found no evidence that bank fraud was the goal of the cybercriminals, their story was confirmed by warnings from the Thai police.

Although this group is mainly active in Asia, more precisely in Thailand, it makes sense to expect such a successful method to be copied.

Malwarebytes and ThreatDown solutions detect the GoldPickaxe Trojan as Android/Trojan.Agent.prn1.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 GoldPickaxe Trojan steals your face! 

By Waqas
The latest report from Swedish telecom security firm Enea sheds light on security vulnerabilities within the widely used messaging platform, WhatsApp.
This is a post from HackRead.com Read the original post: Israeli NSO Group Suspected of “MMS Fingerprint” Attack on WhatsApp

NSO Group, an Israeli spyware firm, is suspected of exploiting a novel “MMS Fingerprint” attack to target unsuspected users on WhatsApp, exposing their device information without needing user interaction.

Swedish telecom security firm Enea reports that the Israeli NSO Group, targeted journalists, human rights activists, lawyers, and government officials with a novel MMS Fingerprint attack by exploiting a **vulnerability in WhatsApp**.

The report that the company shared with Hackread.com on Thursday 15, 2023, WhatsApp discovered a vulnerability in its system in May 2019, allowing attackers to install Pegasus spyware on users’ devices. The flaw was then exploited to target government officials and activists globally. WhatsApp sued **NSO Group** for this exploitation, but appeals failed in the US appeal court and Supreme Court.

The attack, reportedly used by NSO Group, was discovered in a contract between the Israeli agency’s reseller and the telecom regulator of Ghana, which can be viewed in lawsuit documents **here** (PDF).

Enea launched an investigation to find out how an MMS fingerprint attack occurs. They discovered that it could reveal the target device and OS version without user interaction by sending an MMS.

The MMS UserAgent, a string that identifies the OS and device (such as a Samsung phone running Android), can be used by malicious actors to exploit vulnerabilities, tailor malicious payloads, or craft phishing campaigns.

**Surveillance companies** often request device information, but UserAgent may be more useful than IMEI. It’s important to note that MMS UserAgent is different from browser UserAgent, which has privacy concerns and changes.

The problem, according to Enea’s **report**, was not in the Android, Blackberry, or iOS devices but in the complex, multi-stage MMS flow process. The MMS flow examination suggested this was launched possibly through another method involving binary SMS.

For your information, MMS standards designers worked on a way to notify recipient devices of an MMS waiting for them without requiring them to be connected to the data channel. MM1\_notification.REQ uses SMS, a binary SMS (WSP Push), to notify the recipient MMS device’s user agent that an MMS message is waiting for retrieval.

The subsequent MM1\_retrieve.REQ is an HTTP GET to the URL address, including user device information, suspected to be leaked and potentially lifted the MMS fingerprint.

Researchers obtained sample SIM cards from a randomly selected Western European operator and successfully sent MM1\_notification.REQs (binary SMSs), setting the content location to a URL controlled by their web server.

The target device automatically accessed the URL, exposing its UserAgent and x-wap-profile fields. A Wireshark decode of the MMS notification and GET revealed how an attacker would execute an “MMS Fingerprint” attack, demonstrating it was possible in real life.

Enea’s report outlines the stages in an MMS flow and provides insight into the initial attack notification sent to the target. (Screenshot: ENEA)

The attack highlights the **ongoing threat to the mobile ecosystem**. Binary SMS attacks have been steadily reported over the last 20 years, highlighting the need for mobile operators to evaluate their protection against such threats.

For detailed insights into the report, we reached out to **Javvad Malik**, lead security awareness advocate at **KnowBe4** who warned that, Unlike previous methods, this attack doesn’t require user interaction, posing a significant concern for users’ security. The targeting of journalists, activists, and officials highlights the misuse of technology for surveillance and oppression. Platforms like WhatsApp must prioritize security as the foundation of their services.

> _“The saga of the NSO Group and its controversial exploits offers another chapter with the revelation of the “MMS Fingerprint” attack. At the heart of this revelation is a stark reminder of the ever-evolving cybersecurity threats, demonstrating not just the sophistication of threat actors, but their relentless pursuit to leverage vulnerabilities._
> 
> _The tactical evolution from requiring user interaction to achieve compromise—such as the unfortunate click on a malicious link—to now being able to extract valuable information through seemingly benign MMSs, underlines a significant shift. It’s concerning, to say the least, that users can be targeted without any user interaction._
> 
> _The targeting of journalists, activists, and officials is particularly egregious, highlighting a dark side of technological advancements where tools designed to connect and empower can also be twisted into instruments of surveillance and oppression. For organisations like WhatsApp and entities involved in digital communication, the imperative is clear: Security cannot merely be a feature; it must be the very foundation upon which platforms are built and maintained._
> 
> _In the broader context, incidents like the “MMS Fingerprint” attack are reminders that security cannot remain static and needs to continually evolve and build more resilient and secure systems.”_
> 
> Javvad Malik – KnowBe4

To prevent the attack, disabling MMS auto-retrieval on mobile devices can help, but some devices may not allow modification. On the network side, filtering Binary SMS/MM1\_notification messages can be effective. If a malicious binary SMS message is received, it is essential to prevent messages from connecting to attacker-controlled IP addresses.

1.  **Israeli spyware hacked phones of journalists globally**
2.  **iShutdown Tool Detects Pegasus Spyware on iOS Devices**
3.  **Fake WhatsApp clone aim at crypto on Android and Windows**
4.  **WhatsApp OTP Scam Allows Scammers to Hijack Your Account**
5.  **iPhones of State Dept officials hacked by NSO Pegasus spyware**

Israeli NSO Group Suspected of “MMS Fingerprint” Attack on WhatsApp

There was about a 24-hour period where many news outlets reported on a reported DDoS attack that involved a botnet made up of thousands of internet-connected toothbrushes.

Thursday, February 15, 2024 14:00

I’ll be the first to admit that, like many people on the internet last week, I got caught up in the toothbrush distributed denial-of-service attack that wasn’t.  

I had a whole section on it written up in last week’s newsletter, and then I came across Graham Cluley’s blog post debunking the whole thing, and I had to delete it about an hour before the newsletter went live.  

There was about a 24-hour period where many news outlets reported on a reported DDoS attack that involved a botnet made up of thousands of internet-connected toothbrushes, it all started with one international newspaper report, and then was aggregated to death and spread quickly on social media.  

This attack was only a _hypothetical_ that a security researcher posed in an interview but was reported or translated as an attack that happened. 

To me, I think we can all learn from a few major takeaways from this entire saga — myself included.  

It’s easy to see why this was a ready-made story to go viral: It involved a silly device that probably doesn’t need to be connected to the internet anyway, it involved a large number that would grab headlines and it was a DDoS attack, which have suddenly come back in vogue over the past year. 

But, I’ll admit, the aggregated stories seemed a little fishy to me at first, because all the reports didn’t include any specifics about which company was targeted, how long the attack lasted, or the name of the device that was reportedly compromised. 

That last part should be a red flag going forward for any of us wanting to share a meme about something the next time a cybersecurity story goes viral — in my opinion, responsible disclosure of an attack or compromise should always include information about whatever vulnerability it was that was exploited. In this hypothetical scenario, I don’t think an adversary would have been able to compromise an internet-connected toothbrush without first exploiting some sort of vulnerability, which if it’s being reported on in public, should at least include information on patches or mitigations. 

I also think we all need to be asking the fundamental question: Why? In this case, I should have asked myself why an attacker would want to go through the trouble of compromising smart toothbrushes. And what would be the end goal of targeting a private company with a DDoS attack? Likely, it would be to demand a ransom in exchange for the attacker stopping the attack, but without knowing what sector the targeted company was in, it’s tough to guess how profitable that might even be. (For example, a health care agency may be looking to do anything to get back to operating asap, as lives could literally be at stake.) 

And once the attacker compromised a toothbrush, what information can they glean from the user besides their dental hygiene habits? Usually, they’d be looking to steal some sort of personal information, login credentials or financial data that they could then turn around and sell on the dark web. 

Needless to say, there were multiple red flags we all ignored when this story started to spread. And I’m not here to blame anyone in this case; it was all honest mistakes that, all things considered, ended up not being that serious. But the toothbrush botnet that wasn’t does serve as a reminder to all of us to be a bit more mindful before clicking share or posting a story on social media.  

**The one big thing **

Cisco Talos has identified a new backdoor authored and operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation. Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems. 

**Why do I care? **

Turla has been widely known to target entities across the world using a huge set of offensive tools in geographies including the U.S., European Union, Ukraine and Asia. They’ve previously used malware families such as CAPIBAR and KAZUAR to target Ukrainian defense forces. After Crutch and TinyTurla, Turla has now expanded their arsenal to include the TinyTurla-NG and TurlaPower-NG malware families, while also widening its net of targets to NGOs. 

**So now what? **

Talos has released new ClamAV signatures and Snort rules to protect against TinyTurla and the actors’ actions. We don’t know what the initial access vector is, so it’s tough to give targeted advice on how to avoid this malware, but having any endpoint detection in place will block this “last chance” backdoor.  

**Top security headlines of the week **

**Chinese state-sponsored actor Volt Typhoon may have silently sat on U.S. critical infrastructure networks for more than five years,** according to a new report from American intelligence agencies. According to the advisory, the infamous hacking group has been exploiting vulnerabilities in routers, firewalls and VPNs to target water, transportation, energy and communications systems across the country. Volt Typhoon has been able to control some victims’ surveillance camera systems, and the access could have allowed them to disrupt critical energy and water controls. The actor is known for using living-off-the-land binaries (LoLBins) to remain undetected once they gain an initial foothold. Authorities in Canada, Australia and New Zealand also contributed to last week’s advisory, citing their concern for similar activity in their countries. The FBI’s director recently said in testimony to U.S. Congress that authorities had dismantled a bot network of hundreds of compromised devices that was connected to VoltTyphoon. (Axios, The Guardian) 

**A new spyware network called TheTruthSpy may have compromised hundreds of Android devices using silent tracking apps that users download thinking they’re legitimate.** Security researchers uncovered the information of thousands of devices that have already been compromised, including their IMEI numbers and advertising IDs. TheTruthSpy appears to actively spy on large clusters of victims across Europe, India, Indonesia, the U.S. and U.K. The operators behind TheTruthSpy also did not address a security vulnerability in the software, identified as CVE-2022-0732, which left the victim data they stole potentially vulnerable to other bad actors. These types of stalkerware tools are often used by family members, spouses or peers of victims who want to track their physical locations and spy on messages and phone calls. The spyware is downloaded via an app, which doesn’t appear on the victim’s home screen and operates quietly in the background. (TechCrunch, maia blog) 

**Apple removed a fake LastPass app called “LassPass” after the popular password management service reported it.** The phony LassPass used a similar logo to that of the legitimate LastPass and was up on the App Store for an unknown amount of time. Apple also said it was removing the creator of the app from its Developer Program. This is a very rare case for the Apple App Store, as it has a strict review policy. LastPass released a warning to all users last week of the fake app’s existence, including a link to the legitimate LastPass app. LassPass only had one review on the store, and multiple reviews warning it was fake. However, it’s safe to assume that the app was likely set up as some sort of phishing scam meant to get users to enter their legitimate LastPass login information to be stolen by the fake app’s creator. (Ars Technica, Bleeping Computer) 

**Can’t get enough Talos? **

*   Beers with Talos Ep. #143: The Reddit security diaries 
*   The Need to Know: How are attackers using QR codes in phishing emails and lure documents? 
*   First Microsoft Patch Tuesday zero-day of 2024 disclosed as part of group of 75 vulnerabilities 

**Upcoming events where you can find Talos **

**S4x24** **(March 4 - 27)** 

Miami Beach, Florida 

_To protect themselves during Russian aggression, the Ukrainian military utilizes electronic warfare to blanket critical infrastructure to defeat radar and GPS-guided smart munitions. This has the unintended consequence of disrupting GPS synchrophasor clock measurements and creating service outages on an already beleaguered and damaged transmission electric grid. Joe Marshall from Talos’ Strategic Communications team will tell an incredible story of how a group of engineers and security professionals from a diverse coalition of organizations came together to solve this electronic warfare GPS problem in an unconventional technical way, and helped stabilize parts of the transmission grid of Ukraine._ 

**RSA** **(May 6 - 9)** 

_San Francisco, California_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1      
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515      
**Typical Filename:** IMG001.exe      
**Claimed Product:** N/A      
**Detection Name:** Win.Dropper.Coinminer::1201 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa     
**MD5:** df11b3105df8d7c70e7b501e210e3cc3     
**Typical Filename:** DOC001.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** tmp000c3787   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg

Why the toothbrush DDoS story fooled us all

Malwarebytes researchers have discovered a prolific campaign of fraudulent energy ads shown to users via Google searches.

For many households, energy costs represent a significant part of their overall budget. And when customers want to discuss their bills or look for ways to save money, scammers are just a phone call away.

Enter the utility scam, where crooks pretend to be your utility company so they can threaten and extort as much money from you as they can.

This scam has been going on for years and usually starts with an unexpected phone call and, in some cases, a visit to your door. Obviously the phone call side of the scam is much more scalable and means the scam can be done from overseas.

However, criminals know that victims are more likely to be tricked if they were the ones who initiated the call. In a recent investigation, we discovered a prolific campaign of fraudulent ads shown to users via Google searches. To give an idea of scale, the number of ads we found exceeds what we have found in previous malvertising cases.

This blog post has two purposes: the first one is to draw awareness to this problem by showing how it works. Secondly, we’ve collected and shared as many ads and fake sites as we could in the hope that action will be taken, with hopefully some cost for the scammers.

**Fraudulent utility scam ads**

The scam begins when a user searches for keywords related to their energy bill. The ads are shown to mobile devices only, which makes sense given how often people use their phones. Also, the ads are geolocated, so that they are relevant to the user’s location.

We found 28 advertisers with over 300 ads, most of them registered by individuals from Pakistan. We have also seen legitimate but hacked advertiser accounts belonging to US entities that were abused. We didn’t investigate further into the whereabouts and identities of the scammers, but we should note that Pakistan is a possible location.

In most cases, tapping on the ad will not open a new website, but instead will prompt you to dial a phone number. This is exactly what the crooks want as many people will have no idea that an ad approved by Google could possibly be fraudulent.

The utility scam often works by threatening and scaring victims into making poor decisions. An unpaid bill, or an offer that is too good to be true and must be accepted immediately are some of their tactics. Once you’ve made that phone call, you’re already in their hands and very close to losing a significant amount of money.

The scammers may even redirect you to their website to “prove” that they are legitimate. Those sites are often credible enough for a victim to feel like they are doing the right thing, but that couldn’t be further from the truth.

**Large scamming infrastructure**

The crooks have registered dozens of different domains names and built templates that appear related to energy or utility savings. The sites are quite simple and consist of one main page with some customer-centric text and one or multiple phone numbers.

We can usually deduce they are fraudulent by looking up their registration date as well as connecting them with search ads.

However, that might not be enough to have them suspended without going through the whole process of calling the scammers, recording the interaction and showing that evidence. This type of investigation requires time and resources to be done properly. Perhaps one of the many scambaiters out there will look into it in the future.

In the meantime, we have tracked and reported as many domains as we could to the relevant registrars in the hope that some may take action and suspend them.

**Keep your identity and money safe from scammers**

This scam is widespread, and so our advice right now is to avoid clicking on any ad from search as the malicious ads largely outnumber the legitimate ones. You can tell it’s an ad as it will be labelled “Sponsored” or “Ad”.

Here are some additional tips:

*   **Watch out for a sense of urgency**. Scammers will often threaten to cut your power immediately. This and similar scare tactics are meant to pressure you into making hasty decisions. Take the time to look things up or speak to a friend before you do anything.
*   **Never disclose personal details** over the phone without being absolutely certain you are talking to the right person. If in doubt, hang up the phone and look for the official phone number from your energy company, perhaps from a past bill. Do not trust any phone number that appears on an online ad.
*   **Beware requests for money transfers or prepaid cards**. These are a huge sign you are dealing with criminals. Again, take your time to think it over even if just for a few hours. Scammers tend to be so impatient they will make all sorts of claims to act right now, which should be a dead giveaway.
*   **Contact your bank immediately** if you think you’ve been scammed and wired money,. Change all your passwords and add a notice with your utility company that someone may attempt to impersonate you.
*   **Report the scam** to the proper authorities, which may be the FTC.

**Malwarebytes protection**

Malwarebytes is working with its partners to go after these scammers. We also provide protection if you are using our iOS app via the ad blocking feature which will disable search ads and other ads that may be targeting you.

**Indicators of Compromise**

**Google advertiser accounts**

**Advertiser name**

**Advertiser ID**

**Number of ads**

Telesoft

N/A

1

Digitron

04170244641179828225

4

Syed muhammad Adnan

08157637715521699841

15

Progressix

02149758434478653441

2

Umair Jameel

11899369518209695745

1

Laiba Mazhar

14248337572488019969

1

Syed Shahmeer Hussain

12265272419404480513

6

Snow Tech

N/A

1

Muhammad Pirzada

12480474916866490369

145

Eco Designs (Private) Limited

17013467067027816449

5

Right Path Solutions

11370048952557633537

21

Rehman Munawar

06906645958470139905

1

ANDREW PAUL GUZMAN

09045338907926855681

17

Economical Deals

09045708721790910465

4

Qasim Ahmed

15768816743289454593

20

Summaira

14596269127925497857

3

Citrex Solutions (Private) Limited

16648988995463675905

19

Get Energy Promo

08074609881656590337

6

Brightboost LLC

07744256527850012673

5

AA DIGITAL LABS (SMC-PRIVATE) LIMITED

10871392529253662721

1

Malik Muhammad Shahroz Ibrahim

N/A

1

HongKong AdTiger Media Co., Limited

14567350391567024129

1

Mah Noor

07681945004880691201

12

Usama Ashfaq

06711852389684477953

2

Ali Raza

04534984293432164353

15

Muhammad Usman Tariq

17723433991509377025

5

SHABNUM FATIMA SHAH

02536959185141104641

4

QASMIC L.L.C-FZ

11321807192694194177

1

**Phone numbers**

888\[-\]960\[-\]3984  
888\[-\]315\[-\]9188  
888\[-\]715\[-\]1808  
888\[-\]873\[-\]0295  
888\[-\]317\[-\]0580  
888\[-\]316\[-\]0466  
888\[-\]983\[-\]0288  
888\[-\]439\[-\]0639  
888\[-\]312\[-\]2983  
844\[-\]967\[-\]9649  
855\[-\]200\[-\]3417  
888\[-\]842\[-\]0793  
888\[-\]207\[-\]3713  
833\[-\]435\[-\]0029  
888\[-\]494\[-\]4956

888\[-\]928\[-\]6404  
888\[-\]374\[-\]1693  
888\[-\]834\[-\]1050  
888\[-\]497\[-\]3560  
888\[-\]960\[-\]2303  
888\[-\]430\[-\]0128  
800\[-\]353\[-\]5613  
888\[-\]407\[-\]1004  
855\[-\]216\[-\]2411  
844\[-\]679\[-\]7635  
888\[-\]483\[-\]2851  
888\[-\]657\[-\]2401  
888\[-\]580\[-\]0106  
888\[-\]326\[-\]7299  
888\[-\]870\[-\]2661

888\[-\]203\[-\]1692  
855\[-\]428\[-\]7345  
888\[-\]641\[-\]0108  
888\[-\]960\[-\]0688  
888\[-\]347\[-\]7462  
888\[-\]448\[-\]0550  
888\[-\]834\[-\]0998  
888\[-\]470\[-\]8496  
888\[-\]554\[-\]0461  
855\[-\]980\[-\]1080  
888\[-\]539\[-\]0722  
866\[-\]685\[-\]0355  
888\[-\]715\[-\]1806  
888\[-\]960\[-\]2550  
888\[-\]641\[-\]0096  
888\[-\]996\[-\]5133

**Scammer domains**

360billingservices\[.\]com  
aadigital\[.\]online  
citrexsolutions\[.\]co  
digitelcare\[.\]com  
eco-designs\[.\]store  
economical-deals\[.\]co  
electricenergybundle\[.\]com  
electricenergyservice\[.\]com  
electricpowerdeal\[.\]com  
energpaybill\[.\]com  

energybilling\[.\]net  
energybillservice\[.\]online  
energycredits\[.\]online  
energyhelpcenter\[.\]com  
energypayment\[.\]shop  
energypoweroffer\[.\]com  
globalenergysolutionz\[.\]com  
homeutilityservices\[.\]com  
makeabillpayment\[.\]com  
paysenergy\[.\]online

powerelectricoffers\[.\]com  
qasmic\[.\]com  
rebornsolutions\[.\]co  
telecombilling\[.\]us  
telecomcredits\[.\]us  
thepowerpayllc\[.\]org  
uenergyproviders\[.\]store  
utilitybillsolution\[.\]site  
utilitybillspayments\[.\]org  
utilitydiscounts\[.\]store  
utilityservices\[.\]us

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Massive utility scam campaign spreads via online ads 

By Deeba Ahmed
This is the first instance of an iOS trojan that has been found stealing facial data from victims.
This is a post from HackRead.com Read the original post: New iOS Trojan “GoldPickaxe” Steals Facial Recognition Data

Beware, as a new iOS trojan dubbed GoldPickaxe has emerged, capable of stealing banking data, ID documents, and even facial data from infected devices.

Group-IB has discovered a new iOS Trojan, dubbed GoldPickaxe.iOS designed to steal facial recognition data, identity documents, and intercept SMS. The company’s Threat Intelligence Unit has attributed the entire threat cluster to a threat actor dubbed GoldFactory.

The GoldPickaxe family has been active since mid-2023, targeting the Asia-Pacific region, specifically Thailand and Vietnam and the attack method involves impersonating local banks and government organizations.

As per Group-IB, the threat actor exploits stolen biometric data using AI-driven face-swapping services to create deepfakes, allowing unauthorized access to a victim’s banking account, which is a new monetary theft technique.

In this campaign, GoldFactory has successfully used Mobile Device Management (MDM) to manipulate Apple devices, distributing its iOS Trojan by abusing TestFlight. Victims receive seemingly innocent URLs (e.g. testflight.apple.com/join/) leading to the installation of malicious software.

Another sophisticated method is tricking victims into interacting with fraudulent websites to install an MDM profile, allowing cybercriminals complete control over the victim’s device.

Thailand Banking Sector CERT (TB-CERT) has also reported that cybercriminals are distributing malicious links via messengers to lure victims into a fraudulent app posing as a ‘Digital Pension’ app. The app’s credibility is doubtful as Group-IB’s investigation confirmed multiple versions of GoldPickaxe impersonating official Thai government services, including the Digital Pension app for Thailand.

Researchers believe that the group may be engaging operators proficient in Thai and Vietnamese or possibly running a call center since an SMS written in Thai was found in the phishing campaign. In Thailand, cybercriminals impersonate government authorities and convince victims to use LINE, a popular messaging application.

According to Group-IB’s blog post, the gang reportedly employs a combination of smishing and phishing techniques to carry out their malicious activities in Vietnam and Thailand. Despite evidence that it is a Chinese-speaking group, the involvement/role of local cybercriminals cannot be ruled out when calls made to victims are examined.

It is worth noting that Group-IB previously discovered an Android Trojan, codenamed GoldDigger, stealing facial data, targeting over 50 Vietnamese banking applications, electronic wallets, and cryptocurrency wallets since June 2023.

GoldDigger stealing facial data from Android devices (Group-IB)

The newly discovered GoldPickaxe family is based on the GoldDigger Android Trojan. However, researchers claim the infection chain for GoldPickaxe iOS variants is not significantly different for other Trojans within the GoldFactory family.

GoldPickaxe malware was developed using the same communication mechanism and cloud bucket URL as GoldDigger but has fewer functionalities compared to its Android sibling due to iOS’s closed nature and stricter permissions.

Both versions use fake login pages to access fake Digital pension applications, potentially avoiding detection. Another variant, GoldDiggerPlus, was also identified with extended GoldDigger’s functionality, allowing real-time call calls through a specially designed APK called GoldKefu. All Trojans identified are currently in the active stage of evolution.

“_Overall, we identified four Trojan families that were used by cybercriminals. We maintained the naming convention by using the prefix Gold for the newly discovered malware as a symbolic representation that they have been developed by the same threat actor_,” Group-IB researchers noted.

Researchers couldn’t identify the toolset GoldFactory uses, indicating that this is a highly organized and technically advanced group.

For your information, in March 2023, the Bank of Thailand mandated facial biometric verification for transactions exceeding 50,000 baht, and 200,000 baht per day, and raised credit transfer limits on mobile devices. As per Group-IB’s research, GoldPickaxe likely reached Vietnam in February 2024 when a Vietnamese citizen performed a facial recognition scan, withdrawing over 40,000 USD.

The State Bank of Vietnam plans to mandate facial authentication as a security measure for all money transfers from April 2024, indicating the potential exploitation of GoldPickaxe in the country. The use of GoldPickaxe in Vietnam is expected to increase assessed Group—IB.

_“GoldFactory is a resourceful team, having many tricks up their sleeve: impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity and facial recognition data collection. Equipped with diverse tools, they have the flexibility to select and execute the most suitable one that fits the scenario,”_ researchers noted.

The report highlights the growing cybersecurity threat and the sophisticated techniques used by cybercriminals. They have refined GoldDigger malware, introduced new categories for facial recognition data harvesting, and developed a tool for communication between victims and cybercriminals. Group-IB researchers emphasize the need for proactive, multi-faceted cybersecurity measures, including user education.

1.  **Kaspersky’s iShutdown Tool Detects iOS Pegasus Spyware**
2.  **Fake Lockdown Mode Exposes iOS Users to Malware Attacks**
3.  **Fake LastPass Password Manager App Lurks on iOS App Store**
4.  **Bitdefender Introduces GravityZone Security for Android and iOS**
5.  **Zero-Day iOS Exploit Chain Infects Devices with Predator Spyware**

New iOS Trojan “GoldPickaxe” Steals Facial Recognition Data

A Chinese-speaking threat actor codenamed GoldFactory has been attributed to the development of highly sophisticated banking trojans, including a previously undocumented iOS malware called GoldPickaxe that's capable of harvesting identity documents, facial recognition data, and intercepting SMS.
"The GoldPickaxe family is available for both iOS and Android platforms,"

Chinese Hackers Using Deepfakes in Advanced Mobile Banking Malware Attacks

Prominent advocates for the rights of pregnant people are urging members of Congress to support legislation that would ban warrantless access to sensitive data as the White House fights against it.

One of the foremost women’s advocacy groups in the United States is urging members of Congress to support a ban on government agencies using private data brokers to acquire access to Americans’ private data without a warrant, a response that came late Tuesday following explosive revelations about the surveillance of women’s health clinics across the US.

The National Partnership for Women & Families, a nonpartisan nonprofit based in Washington, DC, is pressing federal lawmakers to throw support behind an amendment this week aimed at closing off a legal loophole through which police and spy agencies routinely circumvent the courts, buying information traditionally shielded by the country’s constitution.

The organization pointed to news in Politico on Tuesday which revealed a data broker tracked people’s visits to nearly 600 reproductive health clinics in the US and put that information up for sale. Politico cites a letter from US senator Ron Wyden to the Securities and Exchange Commission calling for an investigation into the company, Near Intelligence.

“This is not only a blatant violation of privacy but a cruel attempt to force pregnant people into reproductive health decisions that they should be making for themselves,” the National Partnership told members, according to an email obtained by WIRED. “Congress needs to curtail warrantless law enforcement access to people’s data in order to prevent government monitoring of abortion and pregnancy outcomes.”

The National Partnership for Women & Families has earned praise previously from former first ladies Michelle Obama and Hillary Clinton (during the latter’s tenure as secretary of state).

The data-broker amendment aimed at preventing government agencies from circumventing warrant requirements with money has gained widespread support in Congress. Likewise, recent polling shows up to 80 percent of Americans would support its passage. It faces powerful opposition, however, from the White House, the US military, and the nation’s spy agencies, which have acknowledged purchasing domestic internet data in recent years.

In December, pro-privacy members of the House Judiciary Committee attached language that would ban government data-broker purchases of information safeguarded under the nation’s Fourth Amendment to a House bill reauthorizing Section 702, a classified surveillance program designed to target foreigners on foreign soil that also routinely sweeps up the private communications of Americans: emails, calls, and text messages in their entirety.

Roughly a week later, pro-surveillance lawmakers on the House Intelligence Committee introduced their own bill reauthorizing the 702 program, which excluded the data-broker ban as well as other reforms included in the Judiciary Committee bill. One such reform, supported by the Judiciary Committee, would force federal analysts and investigators to get a warrant before examining the communications of Americans unavoidably intercepted under the sprawling 702 program.

US House leaders had tentatively agreed to a deal that would allow the entire House to vote on both bills, passing whichever received the most support. That plan fell through, however, and before the new year, lawmakers voted instead to extend the 702 program until mid-April. An effort to proactively block the Biden administration from taking advantage of this temporary extension, circumventing Congress and getting the program reauthorized for an additional year on its own, was ultimately rejected by House speaker Mike Johnson.

As a result, most House members remain confused as to when 702 surveillance would actually end if Congress fails to take action. Reformers say fomenting a sense of urgency to salvage the spy program—ultimately deemed vital even by many of its loudest critics—mostly plays into the administration’s hand, as it serves up “what-if” scenarios concerning possible terrorist attacks to lawmakers still on the fence. A group of senior congressional aides told WIRED last month that discussions about the program have been plagued for weeks by “scare tactics” and disinformation campaigns, with intelligence officials privately using images of Hamas to imply a growing domestic threat.

Rumors have circulated about a “secret session” being called this week, a rare procedure in which Congress meets behind closed doors. The session has been reported as called off, but a source with knowledge of recent developments tells WIRED that White House national security advisers are still expected to meet privately with lawmakers—one final attempt to dissuade them from supporting privacy reforms.

Last week, House speaker Mike Johnson and House minority leader Steve Scalise privately signed off on what they’d planned to advertise as a “compromise” bill, the latest in a string of schemes aimed at preserving the 702 program with as few changes as possible. It drew immediate criticism from civil liberties organizations such as the Brennan Center for Justice, which said it had been “carefully crafted” to preserve the “status quo.” The Electronic Privacy Information Center (EPIC) said the House leadership bill was a “compromise” in name only, aligning clearly with the priorities of the spy agencies over those fighting for reform.

Multiple sources, however, say the bill ultimately gained acceptance on the condition that members of both the House Judiciary and House Intelligence Committees would be allowed to offer amendments this week that would be subject to a floor vote. The amendment supported by the National Partnership for Women & Families is destined to be among them.

Police and intelligence agencies regularly purchase millions of dollars worth of sensitive information from data brokers each year, according to a December 2021 study of public records by the Center for Democracy & Technology (CDT), a civil-liberties-focused nonprofit. This data can include phone location data and health data collected by medical apps, which could be used to identify people seeking abortion care.

The Congressional Research Service (CRS), which provides Congress with legal and policy analysis, noted in 2022 that federal law includes “relatively little constraints” on law enforcement gaining access to sensitive data, including geolocation data and health data collected by apps and fitness trackers. The lack of constraints is particularly true for information sold by data brokers, which are “generally not regulated by any specific privacy statute,” according to CRS. While abortion-related information obtained from data brokers is known to have been used by anti-abortion activists, the CRS notes that it could equally be used by police investigating violations of state-level abortion laws.

The primary federal law regulating data broker activities is the FTC Act, which gives the US Federal Trade Commission the authority to penalize companies that fail to disclose how the data they sell may be used. In January, the FTC banned X-Mode Social, a Virginia-based data broker now named Outlogic, from selling “sensitive location data” that “could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship, and domestic abuse shelters” after the company allegedly failed to institute “appropriate safeguards” against the use of precise location data by third parties.

In July 2022, US president Joe Biden issued an executive order instructing the FTC chair to “consider actions” that aim to further “protect consumers’ privacy when seeking information about and provision of reproductive healthcare services.” The House Judiciary Committee’s amendment, which US spy agencies oppose, would strengthen these protective efforts far beyond the remit of the FTC Act.

In a “dear colleagues” email obtained by WIRED, Jerrold Nadler, the ranking Democrat on the Judiciary Committee, and Representative Zoe Lofgren wrote Wednesday that the so-called compromise bill “closely tracks” with the demands of the intelligence community, “bypassing commonsense reforms,” including the amendment now endorsed by the National Partnership for Women & Families, which Lofgren and Nadler describe as strictly written to stop the government from “buying its way around the Fourth Amendment.”

“The implications for Americans’ privacy rights are staggering,” they said, refuting claims that the data-broker issue is unrelated to surveillance conducted under the 702 program. “It makes little sense to rein in warrantless surveillance under one authority when the government can simply fall back on other available techniques to acquire similar information.”

Section 702 Surveillance Fight Pits the White House Opposite Reproductive Rights

QR code attacks are particularly dangerous because they move the attack vector off a protected computer and onto the target’s personal mobile device, which usually has fewer security protections in place and ultimately has the sensitive information that attackers are after.

Wednesday, February 14, 2024 08:00

Though QR codes were once on the verge of extinction, many consumers are used to seeing them in the wild for ordering at restaurants, or as mainstays on storefront doors informing customers how they can sign up for a newsletter or score a sweet deal. 

The use of QR codes saw a resurgence during the COVID-19 pandemic as a non-contact way for consumers to obtain important information. And as they’ve become more prevalent, attackers have taken notice, too, increasingly deploying them in phishing and email-based attacks. 

There was a significant increase in QR code phishing in 2023, according to public reporting and recently collected data from Cisco Talos Incident Response (Talos IR).  

As highlighted in our latest Quarterly Trends report, Talos IR responded to a QR code phishing campaign for the first time in an engagement in the fourth quarter of 2023, where threat actors tricked victims into scanning malicious QR codes embedded in phishing emails with their personal mobile devices, thereby leading to malware being executed on the mobile devices.  

In a separate attack, the adversaries sent targets spear-phishing emails with malicious QR codes pointing to fake Microsoft Office 365 login pages that eventually steal the user’s login credentials when entered.  

QR code attacks are particularly dangerous because they move the attack vector off a protected computer and onto the target’s personal mobile device, which usually has fewer security protections in place and ultimately has the sensitive information that attackers are after. 

**How is a QR code lure different from a traditional malicious attachment or link? **

“Traditional” phishing attacks usually involve an adversary writing a highly targeted email hoping to trick a user into opening a malicious attachment or link that points to an attacker-controlled page. 

Phishing emails, such as business email compromise, are usually meant to impersonate an individual or organization the target is familiar with and willing to open something like a Microsoft Word document or URL that they would normally trust.  

These are typically links included in the body of an email, hyperlinked to a few words of text, or attachments to the emails with text prompting the user to open the attachment. 

In the case of QR code attacks, the adversary embeds a QR code in the body of the phishing email and asks the target to scan it with a mobile device to open a specific attachment or web link. As with any other QR code, the target would have to use a QR code-scanning app on their mobile device or the built-in scanning functions on native camera apps to open the requested link.  

What’s on the end of these QR codes varies greatly. Attackers could use the QR code to point to an attacker-controlled web page that looks like a legitimate login page, but instead steals the user’s credentials when they go to log in. Or it can lead to a malicious attachment that eventually installs malware on the target’s device.  

**What makes the use of QR codes in attacks so dangerous? **

Many corporate-owned computers and devices will have built-in security tools designed to detect phishing and preventing users from opening malicious links. However, when a personal device is introduced to the equation, these tools are no longer effective.  

When the target uses their personal device to scan a malicious QR code, the attack surface shifts, as enterprise security protocols and monitoring systems have less control and visibility over personal devices. And not all email security solutions can detect malicious QR codes like they would with malicious email attachments.  

With remote work expanding after the COVID-19 pandemic, more employees are accessing business information from their mobile devices, making these attacks more likely. According to the 2023 Not (Cyber) Safe for Work Report, which is a quantitative survey performed by the cybersecurity firm Agency, 97 percent of respondents access their work accounts from their personal devices. This potentially exposes sensitive business information in QR code attacks, should adversaries be able to capture internal login credentials or downloaded files on the targeted device.  

**Prevention **

To defend against QR code-based phishing attacks, users and organizations should follow several pieces of advice: 

*   Talos recommends organizations deploy a mobile device management (MDM) platform or similar mobile security tool, such as Cisco Umbrella, to all unmanaged mobile devices that have access to business information. Cisco Umbrella’s DNS-layer security is available for personal Android and iOS devices, which provides defenders with additional visibility while protecting the privacy of mobile device owners. 
*   User education is at the core of preventing QR code-based phishing attacks. Executives and defenders should ensure all employees are educated on the dangers of phishing attacks and adversaries’ increasing use of QR codes in malicious emails. 
    *   Malicious QR codes may have a poor image quality or look blurry when embedded in an email. This could be an initial sign that the QR code is not legitimate. 
    *   QR code scanners will often provide a preview of the link the code is pointing to. Inform users that they should only be visiting trusted web pages with URLs they recognize. Alternatively, they could use their managed device to manually type in the desired destination URL instead of using the QR code as a navigation method. 
    *   Look for common red flags in phishing emails, such as typosquatted email addresses and typos or grammatical errors in the body text of the email. 
    *   Never give out personal information unless you’ve confirmed the legitimacy of a QR code with the organization in question. 
*   Using multi-factor authentication protocols such as Cisco Duo can prevent credential stealing, which often provides threat actors with an initial foothold into targeted systems to send more convincing phishing emails from trusted business associates or teammates.

How are attackers using QR codes in phishing emails and lure documents?

By Deeba Ahmed
QNAP has released fixes for the zero-day vulnerability, so it's important to install them immediately.
This is a post from HackRead.com Read the original post: Zero-Day in QNAP QTS Affects NAS Devices Globally

Unit 42 researchers discovered a new vulnerability in QNAP devices on 7 November 2023, which was confirmed by the vendor on 19 December 2023, and a security advisory was released subsequently to provide guidance and recommendations.

Palo Alto Networks Unit 42’s Advanced Threat Prevention (ATP) and telemetry systems identified a new zero-day vulnerability in QNAP QTS and QuTS hero firmware from the vendor QNAP. The vulnerability is tracked as **CVE-2023-50358** and affects QNAP Network Attached Storage (NAS) devices.

For your information, QNAP, a company specializing in NAS devices, is known for its QNAP Turbo NAS System (QTS) operating system, which is often embedded in the firmware of QNAP NAS devices.

In its **report** published on 13 February 2024, authors Chao Lei, Jeff Luo, and Zhibin Zhang explained that CVE-2023-50358 is a command injection vulnerability found in the quick.cgi component of QNAP QTS firmware that is accessible without authentication. The vulnerability occurs when the HTTP request parameter todo=set\_timeinfo is set, and the parameter SPECIFIC\_SERVER is saved into a configuration file /tmp/quick/quick\_tmp.conf with the entry name NTP Address.

The component then starts time synchronization using the ntpdate utility, and the command-line execution is ensured by reading the NTP Address in quick\_tmp.conf and system(). Untrusted data from the SPECIFIC\_SERVER parameter helps build a command line, which is executed in the shell, leading to arbitrary command execution.

It is worth noting that this vulnerability affects 289,665 separate IP addresses. The top five countries affected by the vulnerability are Germany, the United States, China, Italy, and Japan.

Proof of command-line execution and heatmap shows the most impacted countries. (Screenshot: Unit 42)

According to Unit 42 researchers threat actors constantly search for vulnerabilities in network-connected hosts, such as NAS devices because these can be exploited quickly. This is why ensuring foolproof security of these devices is necessary.

IoT devices are vulnerable to remote code execution vulnerabilities due to their low attack complexity and critical impact. To protect against these threats, QNAP recommends updating to the latest version of QTS or QuTScloud hero- QTS 5.1.5 or QuTS hero h5.1.5.

****List of Affected Devices****

*   QTS 5.1.x
*   QTS 5.0.1
*   QTS 5.0.0
*   QTS 4.5.x
*   QTS 4.3.6
*   QTS 4.3.4
*   QTS 4.3.x
*   QTS 4.2.x
*   QuTS hero h5.1.x
*   QuTS hero h5.0.1
*   QuTS hero h5.0.0
*   QuTS hero h4.x

QNAP has **released** a security advisory, advising affected organizations to follow mitigation instructions or apply firmware updates. 

“Multiple vulnerabilities have been reported to affect several QNAP operating system versions. If exploited, the OS command injection vulnerabilities could allow users to execute commands via a network.”

In its advisory, the vendor noted fixing two vulnerabilities, CVE-2023-47218 and CVE-2023-50358 and explained how to implement the fixes.

“If you do not want to install a fully fixed version for your device, you can still mitigate the vulnerabilities by installing a partially fixed version. However, note that the vulnerabilities still exist during the installation process of a partially fixed version. The vulnerabilities only disappear after installation is complete.”

1.  **CISA and Fortinet Warns of New FortiOS Zero-Day Flaws**
2.  **Ivanti VPN Flaws Exploited by DSLog Backdoor and Crypto Miners**
3.  **Hackers Uncover Airbus EFB App Vulnerability, Risking Aircraft Data**
4.  **Ethical Hackers Reported 835 Vulnerabilities, Earned $450K in 2023**
5.  **Smart Helmets Flaw Exposed Millions to Risk of Hacking and Surveillance**

Tag

#ios