By Deeba Ahmed
The attacks, according to Reuters' report, happened between August and September 2022. 
This is a post from HackRead.com Read the original post: Russian Hackers Targeted Three US Nuclear Research Labs

The Russian hackers from the Callisto group used fake login pages for each lab and sent emails to nuclear scientists to trick them into divulging their passwords.

In its latest report released this Friday, Reuters revealed surprising details of how a group of Russian hackers targeted three high-profile nuclear research laboratories.

As per Reuters research, the hacking group is known as Callisto (aka Cold River), and they managed to target the Argonne, Brookhaven, and Lawrence Livermore National Laboratories. On the other hand, at least five prominent cybersecurity experts second these findings.

It is worth noting that in December 2020, a group of Russian hackers were also blamed for targeting 40 agencies including US Nuclear Agency.

**When and How the Attacks Occurred?**

The attacks, according to Reuters’ report, happened between August and September 2022. That’s when Russian president Vladimir Putin claimed Russia intended to use nuclear weapons for its defence. So, it seems likely that the three labs were targeted to steal crucial information.

During their attack, the hackers used phishing techniques by creating fake login pages for each lab and sent emails to nuclear scientists to trick them into giving away their passwords. Researchers couldn’t determine why Callisto targeted these three labs and whether they succeeded in their attempts.

However, they did reveal that the attack occurred after United Nations (UN) experts entered Ukraine’s Russian-held territories to inspect the Russian-occupied Zaporizhzhia nuclear plant to assess the extent of fallout that could be caused by excessive shelling in its vicinity.

Malicious PDF files sent by Calisto (Image credit: Sekoia)

**About Callisto**

This hacking group first surfaced on the internet in 2016 when Britain’s Foreign Office was targeted. The group is known for targeting Western allies of Ukraine and has stepped up its hacks after the Russian invasion of Ukraine in February 2022.

The same group was also pointed out for targeting and leaking the emails of the former head of the British intelligence agency MI6. You can also read the group’s activities, analyzed by cyber security researchers at Sekoia, in their blog post.

Recently, Callisto has been involved in many prominent hacking incidents. Reuters connected the emails used by this group between 2015 and 2020 to Andrey Korinets, a Syktyvkar-based bodybuilder and IT expert.

However, when Reuters interviewed him, Korinets admitted using those emails but denied any connection with Callisto. Nonetheless, Billy Leonard from Google Threat Analysis Group claims they have verified Korinets as an active member of Callisto.

1.  Top US Federal Agencies Hacked by Russian Hackers
2.  Russian hackers hit Republican and Conservative leaders
3.  Russia Hackers Abusing BRc4 Red Team Penetration Tool
4.  Russian hackers hacked Department of Homeland Security
5.  SolarWinds Hack – US Blames Russian Intel Agency Hackers

Russian Hackers Targeted Three US Nuclear Research Labs

An issue was discovered in Siren Investigate before 12.1.7. Script variable whitelisting is insufficiently sandboxed.

**New features**

**Custom record views**

You can now create custom views for your documents in the Overview tab of the Record View by writing template scripts. Learn more.

**Reporting**

Template scripts can also be used to generate reports from Elasticsearch documents in many different formats (PDF, HTML, Word and more) through integration with jsreport. Learn more.

**Filter to dashboard**

You now have the option to apply the filters from one dashboard to another dashboard associated to the same entity table. Learn more.

**Security fixes**

*   Upgraded Node.js to version 14.19.1. For the full list of fixes, see the 14.19.1 changelog.
    
*   Upgraded url-parse to version 1.5.9 to address CVE-2022-0691.
    
*   Upgraded prismjs to version 1.27.0 to address CVE-2022-23647.
    
*   Upgraded moment to version 2.29.2 to address GHSA-8hfj-j24r-96c4.
    

**Breaking Changes**

**Saved objects**

*   The index-pattern saved object type has been removed; the methods that were previously exposed by IndexPattern instances are now part of the SavedSearch interface.
    

**Migration to Babel 7**

*   Siren Investigate is now built with Babel 7; if you made any custom plugin it is recommended to test it on a pristine Siren Investigate 12.1 instance before upgrading.
    

**Deprecations**

**Discover**

*   The Discover application has been deprecated and will be removed in a future release. The buttons to create and save child searches from the Discover application have been removed.
    

**Improvements**

**Auditing**

*   Added a configuration option that allows customization of the Elasticsearch fields to be put in data export audit log entries. Learn more.
    

**Data model**

*   Enabled granular editing of relations in the Relations tab. When saving or deleting a relation the changes will now be applied immediately.
    
*   Improved the performance of the relations tab with a high number of relations.
    
*   Added a button to aggregate multiple relations between two entities into a single link showing the number of relations. In this mode, the individual relation names are displayed in a tooltip.
    
*   When transforming data it is now possible to test the transformation against any of the sample source documents.
    

**Dashboard**

*   It is now possible to use a visual date/time picker when creating filters on date fields.
    
*   When editing a visualization on a dashboard, you can now save it and return immediately to the dashboard by clicking on a **Save and return** button.
    
*   The tooltips showing data model explanations on 360 Dashboards are now enabled by default.
    
*   Modified 360 Dashboards to include documents from both the target and the source entity when self relations have the same label in both directions.
    
*   Replaced the graph based widget to pick relations in the 360 Dashboard data model configuration with a simpler dropdown based widget.
    

**Record Table**

*   Added options to rearrange the columns of the table to the column context menu.
    

**Record view**

*   It is now possible to use a visual date/time picker when editing date fields.
    
*   It is now possible to add multiple values to a field when editing a document in the record view.
    

**Graph Browser**

*   Links that represent self relations on the same field are now automatically hidden when the source and the target are the same node.
    
*   Added explicit drag and drop handles to the lens listing.
    
*   Added an option to the Node to edge by fields lens configuration that allows you to automatically expand intermediate nodes when creating edge links.
    

**Relational Navigator**

*   Added a configuration option that allows you to group relations having the same label into a single button.
    
*   Modified the relation links to include documents from both the target and the source entity when self relations have the same label in both directions.
    
*   Removed the automatic capitalization of relation links.
    

**Development**

*   The EUI library dependency has been upgraded to version 34.6.0 .
    

**Bug fixes**

**Auditing**

*   Fixed an issue that caused data requests initiated by the Graph Browser to be classified as count requests.
    
*   Fixed an issue that caused dataExport requests to be assigned to the HOME dataspace instead of the current one.
    

**Data Model**

*   Fixed an issue that prevented child searches from inheriting the search query and filters from their parent.
    
*   Suppressed an unnecessary warning which was appearing after saving changes to a child search.
    
*   Fixed an issue in the data import flow that caused leading zeroes in fields to be automatically stripped.
    

**Graph Browser**

*   Fixed an issue that caused nodes created by a time/location lens to not disappear when disabling the lens.
    
*   You can now use custom icons in node glyphs.
    
*   Fixed an issue that could cause a node to edge lens to not be applied automatically when adding nodes to the graph.
    
*   Fixed an issue that could cause a fatal error when switching between two dashboards with a Graph Browser visualization in map mode.
    
*   Fixed an issue that would cause all the nodes to be expanded when no checkbox was selected in the expansion dialog.
    
*   Adjusted the formula to determine the size of nodes at high zoom levels to minimize overlapping.
    
*   Fixed an issue that prevented the deletion of edges created by Node to edge by fields lens instances.
    
*   Fixed an issue that prevented opening the record view of nodes containing spaces in the _id field.
    

**Enhanced Coordinate Map**

*   Fixed an issue that would cause unnecessary rendering operations while changing the configuration of a visualization.
    

**Scripting**

*   Fixed an issue that could cause a fatal error when editing a script containing JSX fragments.
    

**Record Table**

*   Fixed an issue that caused a wrong search request to be generated after creating a negated filter having multiple values by holding CTRL/CMD.
    

**Dashboard**

*   Fixed an issue that caused a wrong confirmation dialog to appear after deleting a dashboard whilst in edit mode.
    
*   Fixed an issue that prevented nodes from being added to a Graph Browser visualization when dragging a dashboard with a modified state.
    
*   The explanation tooltip for visualizations in 360 Dashboards is now enabled by default following recent performance improvements.
    

**Miscellaneous**

*   Added the investigate_core.search.max_buckets configuration setting. This setting prevents aggregations with a large number of buckets from being processed by visualizations and freezing the browser. The default value of the setting is 1000.
    
*   Improved the Elasticsearch periodic health check to wait for the ACL index to be ready in addition to the main Siren Investigate index.

CVE-2022-47544: Release Notes :: SIREN DOCS

The financially motivated threat group, also known as OPERA1ER, demonstrated an evolution in tactics in its compromise of three Francophone financial institutions in Africa, likely adding to its $11 million to-date haul.

A criminal group, which has already stolen nearly $11 million by specializing in targeted attacks against the financial sector, has French-speaking African banks in its crosshairs in a recent campaign that demonstrates an evolution in tactics, researchers have found.

Bluebottle, aka OPERA1ER, compromised three different financial institutions in three separate African nations between mid-July and September, affecting multiple machines in all three organizations, researchers from Symantec revealed in a blog post published on Jan. 5.

Though it's unclear if the group was able to capitalize financially on the activity, it's significant because the different payloads and other tactics that Bluebottle used in the campaign vary from previous offensives by the group, Sylvester Segura, Symantec threat intelligence analyst, tells Dark Reading. 

In particular, Bluebottle used commodity malware GuLoader and malicious ISO files in the initial stages of the attack — which it hasn't done before — as well as abused kernel drivers with a signed driver that has been linked to other attacks such as ransomware, Segura says.

These "all indicate the Bluebottle group is keeping up to date with the tools and techniques that other threat actors are currently using," he says. "They may not be the most advanced, but this latest activity proves they are following attacker trends in tooling and techniques."

Indeed, the use of signed drivers in particular shows that Bluebottle — a financially motivated group first observed in 2019 — is aiming to up its game in this latest spate of activity, forcing enterprises to do the same in terms of defensive maneuvers, Segura says.

"More and more 'less advanced' attackers are aware of the impact they can have by disabling detection solutions through various means such as using signed drivers," he notes. "To prevent the trust we put in software like signed drivers from becoming a single point of failure, enterprises need to employ as many layers of detection and protection as they reasonably can."

**Keeping Up With Bluebottle****

Group-IB first began tracking Bluebottle, which it calls OPERA1ER, in activity that spanned from mid-2019 to 2021. During this period, the group stole at least $11 million in the course of 30 targeted attacks, researchers said in a report published in November. The group typically infiltrates a financial organization and moves laterally, scooping up credentials that it can use for fraudulent transfers and other funds-stealing activity.

The activity that Symantec observed started in mid-July, when researchers spotted job-themed malware on one of the infected systems, which they believe could have been the result of a spear-phishing campaign — though they said they are not certain of the group's initial point of entry.

"These likely acted as lures," researchers wrote in the post. "In some cases, the malware was named to trick the user into thinking it was a PDF file."

Symantec researchers linked the group to the previous OPERA1ER activity reported by Group-1B because it shared the same domain, used similar tools, included no custom malware, and also targeted Francophone nations in Africa, they said.

****Living Off the Land****

After noticing the job-themed malware, researchers then observed the deployment of a downloader before detecting the commercial Sharphound hacktool as well as a tool called fakelogonscreen, researchers said. Then, about three weeks after this initial compromise, researchers saw attackers using a command prompt and PsExec for lateral movement.

"It appears the attackers were 'hands on keyboard' at this point of the attack," researchers wrote in the post, using various dual-use and living-off-the-land (LotL) tools for a number of purposes during their occupation of the network.

These tools included Quser for user discovery, Ping for checking Internet connectivity, Ngrok for network tunneling, Net localgroup/add for adding users, the Fortinet VPN client most likely for a secondary access channel, Xcopy to copy RDP wrapper files, and Netsh to open port 3389 in the firewall, among several others.

As previously mentioned, Bluebottle also used commodity tools GuLoader as well as Mimikatz, Revealer Keylogger, Backdoor.Cobalt, Netwire RAT, and the malicious DLL and driver for killing processes during their activity, along with "multiple other unknown files," the researchers wrote.

Some of the tools — such as GuLoader — were deployed across all three victims; other activity linking the three victims included the use of the same .NET downloader, malicious driver, and at least one overlapping transfer\[.\]sh URL, they said.

Researchers observed the last activity on the compromised network in September; however, the Ngrok tunneling tool remained on the network until November, they said.

****How Enterprises Can Respond****

Since Bluebottle uses mainly commodity RATs and other malware in its activity, enterprises can mitigate attacks from this threat group by ensuring they have good endpoint protection against such threats, Segura says.

"Furthermore, an extended detection and response solution should also help detect their abuse of living off the land tools like PsExec during attempted lateral movement," he says.

Since Bluebottle typically goes after credentials immediately in its attacks for financial gain, multifactor authentication can also go a long way in helping enterprises protect accounts and monitor for suspicious account activity, Segura says.

Other steps enterprises can take to counter activity from Bluebottle specifically include allowing applications that "will help prevent the malicious use of dual-use tools like Ngrok, which they use for hiding their presence," he says.

"Finally, training employees to look out for phishing and other malicious emails is going to be crucial to prevent a group like this from intruding in the first place," Segura adds.

**

Bluebottle Continues Bank Heist Assault With Signed Malware

** DISPUTED ** The tf_remapper_node component 1.1.1 for Robot Operating System (ROS) allows attackers, who control the source code of a different node in the same ROS application, to change a robot's behavior. This occurs because a topic name depends on the attacker-controlled old_tf_topic_name and/or new_tf_topic_name parameter. NOTE: the vendor's position is "it is the responsibility of the programmer to make sure that only known and required parameters are set and unexpected parameters are not."

Hi,

We notice that you are using topic names from ROS parameter at the following locations:  

this\->oldTfTopic, 100, &TfRemapperNode::oldTfCallback, this);

  

this\->remappedTfTopic, 100, this\->staticTf);

  

this\->remappedTfTopic, 100, &TfRemapperNode::remappedTfCallback, this);

  

this\->oldTfTopic, 100, this\->staticTf);

  
For security reasons detailed below, we strongly suggest avoiding the usage of strings from parameters as topic names.

Although parameters are usually set in parameter files, they can also be changed by nodes. Specifically, other nodes in the same ROS application can also change the parameters listed above before it’s used, either by accident or _intentionally_ (i.e., by potential attackers).  
Such changes can lead to disruption of the remapper functionality, as the input or the output tf topic is changed. Moreover, if an attacker exists, she can even change the tf message content by first fool the remapper to publish to a wrong topic like /tf_fake, and then forwarding messages from /tf_fake to /tf after modifying the message contents. Downstream functionalities like navigation will be affected, and severe consequences such as crashes may happen. Because ROS is an OSS (open-source software) community, third-party nodes are widely used in ROS applications, usually without complete vetting of their behavior, which gives the opportunity to potentially malicious actors to inject malicious code (e.g, by submitting hypocrite commits like in other OSS systems \[1\]) to infiltrate the ROS applications that use it (or software supply chain attacks, one of the primary means for real-world attackers today \[2\]).

We understand that using parameters to set topic names brings flexibility. Still, for the purpose of security, we strongly suggest that you avoid such vulnerable programming patterns if possible. For example, to avoid the exposure of this specific vulnerability, you may consider alternatives like remapping, which is designed for configuring names when launching the nodes.

\[1\] Q. Wu and K. Lu, “On the feasibility of stealthily introducing vulnerabilities in open-source software via hypocrite commits,” 2021, https://linuxreviews.org/images/d/d9/OpenSourceInsecurity.pdf.  
\[2\] Supply chain attacks are the hacker’s new favourite weapon. and the threat is getting bigger. https://www.zdnet.com/article/supply-chain-attacks-are-the-hackers-new-favourite-weapon-and-the-threat-is-getting-bigger/.

CVE-2022-48217: Potential vulnerability: topic names from ROS parameters · Issue #1 · tradr-project/tf_remapper_cpp

Red Hat Security Advisory 2023-0016-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security update  
Advisory ID:       RHSA-2023:0016-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0016  
Issue date:        2023-01-04  
CVE Names:         CVE-2022-42856  
====================================================================  
1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* webkitgtk: processing maliciously crafted web content may lead to an  
arbitrary code execution (CVE-2022-42856)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2153683 - CVE-2022-42856 webkitgtk: processing maliciously crafted web content may lead to an arbitrary code execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
webkit2gtk3-2.36.7-1.el8_7.1.src.rpm

aarch64:  
webkit2gtk3-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.aarch64.rpm

ppc64le:  
webkit2gtk3-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.ppc64le.rpm

s390x:  
webkit2gtk3-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.s390x.rpm

x86_64:  
webkit2gtk3-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-42856  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7VWL9zjgjWX9erEAQg3Gw//e0sGMYczRnNrkhBxX5J4lP7xUO+/+Pnk  
+ncXuaQpC5qToXl3w/YspsBZ8YCmNTso0WqIZjovsAbAQGgtAHh9tyrtheWkLiEf  
4dS4wocfSQOFjcmrNLVc+hECWUz9RfVuyt758uRzz/pLgKXgrIlVVnMhLk5qCYWD  
gkwYhOHBnWE1iRHVMgdFjwcsk7/V1Pcv3jGjGwy4anK+YbcWpEvHTOyT4E5gO5oj  
Fl6RU3M+cKDOcg5Uxmn5d1/MvWBvQOCu8RvJy5GPdfhZjoiWJKn43pS94Yz8RaMR  
MMa2txkibrcDalMzcFzGdWMcjnCrp30imqzrEdUbs0qeSXUgSjSUN2EEcSSOjnge  
MhkEbZTFHdGakJxWSLXLHP3YC7eJMrawDTzfUotVoQpw6uBNFZQeCrhP25gsTff3  
OSj/m3bCHSOlGZ7gVAFdLuHIomZHU6di66EFeSVIh56ukriNUkDfG3/3v8VYpSY6  
7F0PdLbbw5kW0VfOwuMrznRpzC1Vl2+r7hKBw+WqnYDr8xcI8CgObz+D64JXO3WX  
kFP9NqFYB9M4+5fB9SGcZ+0DUIPpf5w6qB4Wb+3k3IdYLXutUH61/2dCFnTxevKv  
EkVv+aTEcGDnyTgWV8FOTWXGhUBoCYgUbAHYxIbTX3TtIaMesZennJPRvQa63QAc  
nJngrnwCTog=+XpK  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0016-01

A vulnerability classified as problematic was found in iText RUPS. This vulnerability affects unknown code of the file src/main/java/com/itextpdf/rups/model/XfaFile.java. The manipulation leads to xml external entity reference. The name of the patch is ac5590925874ef810018a6b60fec216eee54fb32. It is recommended to apply a patch to fix this issue. VDB-217054 is the identifier assigned to this vulnerability.

CVE-2017-20151

By Deeba Ahmed
An EarSpy attack is a proof of concept of a new type of attack on Android devices that exposes users to eavesdropping.
This is a post from HackRead.com Read the original post: EarSpy Attack Can Use Motion Sensors Data to Pry on Android Devices

A technical paper titled “EarSpy: Spying Caller Speech and Identity through Tiny Vibrations of Smartphone Ear Speakers” has revealed how snoopers can exploit motion sensors installed inside **Android** cellphones can help adversaries eavesdrop on the user’s conversations.

**Startling Facts About Motion Sensors**

A team of researchers from different universities, including Rutgers University, Texas A&M University, Temple University, New Jersey Institute of Technology, and the University of Dayton, conducted the research.

The research team comprised Ahmed Tanvir Mahdad, Cong Shi, Zhengkun Ye, Tianming Zhao, Yan Wang, Yingying Chen, and Nitesh Saxena.

Dubbing this side-channel attack EarSpy, researchers noted that motion sensors could be used for registering ear speaker reverberations so that the attacker can determine caller identity and gender and listen to their private conversations.

This research has substantiated the assumption that eavesdropping through capturing motion sensor data is possible.

**How does EarSpy Attack help in Snooping?**

Researchers wrote that the **study** (PDF) was based on the belief that smartphones’ built-in motion sensors can let attackers collect data on indoor locations and touchscreen inputs along with listening to audio conversations without needing explicit permissions before collecting raw data.

Initially, they thought generating powerful vibrations through ear speakers to eavesdrop on user conversations wasn’t possible. But during their research, the team realized that modern smartphones have high-quality stereo speakers and highly sensitive sensors that can detect finer vibrations.

Hence, they finally determined the ideal environment for successful eavesdropping using various devices and techniques. They used multiple pre-recorded audio files, a 3rd party application for capturing sensor data as they simulated calls, and a machine learning algorithm for results interpretation.

**Research Findings**

The team found that gender detection was 98.6%, and speaker detection was up to 92.6% accurate. Moreover, they found speech detection up to 56.42% accurate. This proved the existence of differentiating between speech features in the accelerometer data that attackers can exploit for spying. EarSpy focused on gender recognition using data collected at 20 Hz, which indicates a lower sampling rate can allow attackers to determine the user’s gender.

Overview of ear speaker eavesdropping

**How to Prevent Eavesdropping?**

Researchers recommended limiting permissions to counter eavesdropping via sensor data so that 3rd party applications cannot record sensor data without the user’s permission. It is worth noting that Android 13 doesn’t allow sensor data collection at 200 Hz without the user’s permission to prevent accidental data leaks.

Furthermore, experts suggested that mobile device manufacturers must be cautious about designing more powerful speakers and instead focus on maintaining a similar sound pressure during audio conversations as was maintained by old-generation phones ear speakers.

Lastly, positioning motion sensors as far from the ear speaker as possible could minimize the phone speaker’s vibrations and diminish spying chances.

1.  **5 Tips for Protecting Your Phone from Malware**
2.  **10 Android Educational Apps That Collect Most User Data**
3.  **SSID Stripping flaw lets hackers mimic real wireless access points**
4.  **Hackers could access photos, videos without unlocking your phone**

EarSpy Attack Can Use Motion Sensors Data to Pry on Android Devices

Will the bottom falling out of the cryptocurrency market have a profound impact on cybercriminal tactics and business models? Experts weigh in on what to expect.

With the implosion of the FTX exchange putting a punctuation mark on the cryptocurrency crash of 2022, one of the natural questions for those in the cybersecurity world is, how will this rapid decline of cryptocurrency valuations change the cybercrime economy?

Throughout the most recent crypto boom, and even before then, cybercriminals have used and abused cryptocurrency to build up their empires. The cryptocurrency market provides the extortionary medium for ransomware; it's a hotbed of scams against consumers to steal their wallets and accounts. Traditionally, it's provided a ton of anonymous cover for money laundering on the back end of a range of cybercriminal enterprises.

Even so, according to cybersecurity experts and intelligence analysts, while there certainly have been some shifts in trends and tactics that they believe are loosely tied to the crypto crash, the jury's still out on long-term impacts.

**Shifting Crypto Trends & Tactics in 2022**

Regardless of crypto values, cybercriminals this year have definitely become more sophisticated in how they use cryptocurrencies to monetize their attacks, says Helen Short, cyber-threat intelligence analyst for Accenture, who points to the use by some ransomware groups taking advantage of yield farming within decentralized finance (DeFi), as an example.

"The concept of yield farming is the same as lending money, with a contract in place that clearly shows how much interest will need to be paid," she explains. "The advantage for ransomware groups is that the 'interest' will be legitimate proceeds, so there will be no need to launder or hide it."

Her analysis has shown that threat actors are increasingly turning toward 'stablecoins,' which are usually tied to fiat currencies or gold to stem their volatility. She says that in many ways, the downturn in crypto values has increased the risk appetite of cybercriminals and is spurring them into more investment fraud and cryptocurrency scams.

"Threat actors are also playing on people’s desperation to recoup their losses," she says.

While some consumers who have lost their wallet value may be desperate, others have simply lost their interest and aren't watching their accounts as closely, which is driving another trend, says Brittany Allen, trust and safety architect and fraud researcher at Sift.

"Plummeting crypto prices have led to consumers paying less attention to their crypto wallets than they were early this year and in 2021, and fraudsters noticed," Allen says. "This has led to a 79% rise in crypto account takeover attacks."

By point of example, she explains that her team discovered a new type of crypto cash-out scam this year on Telegram and Dark Web forums, where account takeover fraudsters teamed up to target the crypto market during the crash.

"In this scheme, cybercriminals use stolen wallets, bank accounts, or crypto exchange accounts to move or launder illicitly obtained funds. Fraudster A will advertise their access to stolen funds on Telegram, then find another fraudster who specializes in crypto account takeover and KYC (know your customer identity verification) bypass methods," she says. "Once Fraudster B offers access to stolen wallets or crypto exchanges, Fraudster A sends the stolen funds to Fraudster B’s accounts, where they funnel the money out and split the profits. Each party takes a risk trusting the other, but if successful, they stand to make tens of thousands of dollars each."

This is in line with another shift in cybercriminal tactics in 2022 that Short says she's witnessed. It's not necessarily a response to cryptocurrency devaluation, but it is a business model shift to maximize revenue.

"We're seeing threat actors partnering together to facilitate an attack, rather than paying each other for their specialist services. This reduces the overall cost of the attack as the agreement is a set cut of the proceeds," she says.

**Ransomware Is Here to Stay**

One point that cybersecurity pundits are almost unanimous on is that even with a ton of cryptocurrency volatility, ransomware isn't going anywhere. There was a slight downturn in ransomware activity in 2022, but according to Aamil Karimi, threat intelligence analyst at Optiv, that's more attributable to other variables like the war in Ukraine. 

There was some significant regrouping of ransomware cartels that were more likely to result in the decline of activity than anything else, and he says cryptocurrency will still be a favored extortion demand for a long time.

"It’s likely cryptocurrency will still be the payment of choice demanded in extortionary incidents. As of right now, it’s the safest medium for cybercriminals to conduct transactions," Karimi says. "I don’t estimate any slowdown in cybercriminal or extortionary activity."

Bob Rudis, vice president of data science for GreyNoise Intelligence, agrees. There are simply too many soft ransomware targets ripe for attack for criminals to ignore, Rudis says. And it's not as if they lose any money with lower values of the currency since they are the ones setting the ransom, and they're likely going to convert it into tangible funds before further volatility impacts the total.

"Attackers care not if they receive one or a hundred units of a given cryptocurrency when asking for, say, $100,000 USD," Rudis says. "They have the means, markets, and processes to convert any ill-gotten crypto gains into something more tangible, and will likely always be one step ahead of law enforcement and market regulators." 

In spite of headline stories about authorities using crypto mechanisms to hurt adversaries financially, Rudis says there are "still real law enforcement hurdles to curb that flow," which is why he believes cryptocurrency will still be heavily used for cybercriminal money laundering for some time to come.

Not everyone sees it the same way, though. Short of Accenture points out that law enforcement this year has increasingly taken a real bite out of the crooks' bottom line through claw-back transactions, seizures, and more.

"Law enforcement took aggressive measures in 2022, including fund seizures, sanctions, and high-profile arrests," she says. "It is becoming harder to launder and cash out illicit funds, resulting in the trend of threat actors exchanging ‘dirty cash’ for other services as they cannot get the illicit funds out."

Ryan Kovar, distinguished strategist and leader of Splunk's SURGe research team, also points out that perhaps the cybercrime impact of the crypto crash of 2022 will have less to do with a potential future divestment of cryptocurrency in cybercriminal enterprises than it will with changes in the crypto market's perceived anonymity.

“Ransomware gangs are going to move away from cryptocurrency not because of financial instability, though that’s a factor, but more due to the traceability," Kovar says. "Ultimately, crypto is not really anonymous."

He adds, "If you’re a criminal who lives in a country that supports, sponsors, or doesn’t care about cybercrime, then you’re probably not getting prosecuted easily unless you really tick people off.” 

**Evolution to Expect in 2023**

Experts also believe that increased law enforcement friction will likely influence an evolution in cybercriminal operations around other types of attacks beyond ransomware. Especially proven ones that already don't depend on cryptocurrency, like business email compromise (BEC).

"The FBI's annual IC3 report \[PDF\] shows business email compromise (BEC) to be top of the list when it comes to attackers banking fiat coin. Advanced technology that mimics writing, speech, and even live video of humans is now almost trivial to use and will evolve rapidly in quality," GreyNoise's Rudis says. "Ransomware groups are, first and foremost, businesses, and it would seem logical to assume they'd apply their technical skills to conduct more advanced BEC schemes as well. 

In the meantime, attackers will also be likely to keep advancing technology to stay a step ahead of the authorities with regard to traceability and laundering.

"Attackers will become more sophisticated, breaking the sequence of blockchain transactions to try and obfuscate their illicit funds," Short says. "We will likely see a professionalization in cryptocurrency mixers, such as Tornado cash, with threat actors offering fast and high value 'cash out as-a-service' offerings."

She believes that in 2023, this could drive up the value of personally identifiable information (PII), as it will further push the demand for account takeovers to create mule accounts for cashing out on the back end of various scams.

"It is likely that cybercriminals will continue to convert to stable assets to secure value," she says, "and we will see an increase in threat actors using more privacy focused cryptocurrencies that are harder for law enforcement to trace."

Will the Crypto Crash Impact Cybersecurity in 2023? Maybe.

BlueNoroff, a subcluster of the notorious Lazarus Group, has been observed adopting new techniques into its playbook that enable it to bypass Windows Mark of the Web (MotW) protections.
This includes the use of optical disk image (.ISO extension) and virtual hard disk (.VHD extension) file formats as part of a novel infection chain, Kaspersky disclosed in a report published today.
"BlueNoroff

Cyber Attack / Windows Security

**BlueNoroff**, a subcluster of the notorious Lazarus Group, has been observed adopting new techniques into its playbook that enable it to bypass Windows **Mark of the Web** (MotW) protections.

This includes the use of optical disk image (.ISO extension) and virtual hard disk (.VHD extension) file formats as part of a novel infection chain, Kaspersky disclosed in a report published today.

"BlueNoroff created numerous fake domains impersonating venture capital companies and banks," security researcher Seongsu Park said, adding the new attack procedure was flagged in its telemetry in September 2022.

Some of the bogus domains have been found to imitate ABF Capital, Angel Bridge, ANOBAKA, Bank of America, and Mitsubishi UFJ Financial Group, most of which are located in Japan, signalling a "keen interest" in the region.

Also called by the names APT38, Nickel Gladstone, and Stardust Chollima, BlueNoroff is part of the larger Lazarus threat group that also comprises Andariel (aka Nickel Hyatt or Silent Chollima) and Labyrinth Chollima (aka Nickel Academy).

The threat actor's financial motivations as opposed to espionage has made it an unusual nation-state actor in the threat landscape, allowing for a "wider geographic spread" and enabling it to infiltrate organizations across North and South America, Europe, Africa, and Asia.

It has since been associated with high-profile cyber assaults aimed at the SWIFT banking network between 2015 and 2016, including the audacious Bangladesh Bank heist in February 2016 that led to the theft of $81 million.

Since at least 2018, BlueNoroff appears to have undergone a tactical shift, moving away from striking banks to solely focusing on cryptocurrency entities to generate illicit revenues.

To that end, Kaspersky earlier this year disclosed details of a campaign dubbed SnatchCrypto orchestrated by the adversarial collective to drain digital funds from victims' cryptocurrency wallets.

Another key activity attributed to the group is AppleJeus, in which fake cryptocurrency companies are set up to lure unwitting victims into installing benign-looking applications that eventually receive backdoored updates.

The latest activity identified by the Russian cybersecurity company introduces slight modifications to convey its final payload, swapping Microsoft Word document attachments for ISO files in spear-phishing emails to trigger the infection.

These optical image files, in turn, contain a Microsoft PowerPoint slide show (.PPSX) and a Visual Basic Script (VBScript) that's executed when the target clicks a link in the PowerPoint file.

In an alternate method, a malware-laced Windows batch file is launched by exploiting a living-off-the-land binary (LOLBin) to retrieve a second-stage downloader that's used to fetch and execute a remote payload.

Also uncovered by Kaspersky is a .VHD sample that comes with a decoy job description PDF file that's weaponized to spawn an intermediate downloader that masquerades as antivirus software to fetch the next-stage payload, but not before disabling genuine EDR solutions by removing remove user-mode hooks.

While the exact backdoor delivered is not clear, it's assessed to be similar to a persistence backdoor utilized in the SnatchCrypto attacks.

The use of Japanese file names for one of the lure documents as well as the creation of fraudulent domains disguised as legitimate Japanese venture capital companies suggests that financial firms in the island country are likely a target of BlueNoroff.

Cyber warfare has been a major focus of North Korea in response to economic sanctions imposed by a number of countries and the United Nations over concerns about its nuclear programs. It has also emerged as a major source of income for the cash-strapped country.

Indeed, according to South Korea's National Intelligence Service (NIS), state-sponsored North Korean hackers are estimated to have stolen $1.2 billion in cryptocurrency and other digital assets from targets around the world over the last five years.

"This group has a strong financial motivation and actually succeeds in making profits from their cyberattacks," Park said. "This also suggests that attacks by this group are unlikely to decrease in the near future."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection

The ACENet service in Sierra Wireless ALEOS before 4.4.9, 4.5.x through 4.9.x before 4.9.5, and 4.10.x through 4.13.x before 4.14.0 allows remote attackers to execute arbitrary code via a buffer overflow.

%PDF-1.7 %���� 1 0 obj <>/Metadata 119 0 R/ViewerPreferences 120 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/XObject<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/Annots\[ 15 0 R\] /MediaBox\[ 0 0 612 792\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��\\\[o�8~���Gk��ś(��M�$m�N��yP;5ֱ���N���CZ�mQ�kS^��J�����I����� ���͛f;��ޏ��ּ�<�ټy~�7����8͇�q�;�ͱ������Z��m����(�!�K'!��N8���G\_#�㣳���;F��$7��#�B�Ob\*4�RQ���������I��\]<�{|��A�?����G����-UDY�m�@ݯ���qTu�HSΫ�����=�%����J4ղ ��'.�!\*&���$����CȆ�rD�>�� 7�o�0�\*$U�Ⓧ2�� 痭ƞ�hNC�\*8�����H� ���������U�4+|��$�'����d�������RR��ez�F?P�r���,���Q+\\@,4��8"�(\*�|�1elK�'&TT�mGW �8 �e '1��CY�������捒�KQ0��i��'JS��Fe\[q���+=�.��>��đf�1#eW���$l^��{��O>wZqM�5�Q۲zJ@���3l���1�b �h����i���d�wٳO�#�p�H Kݎ����� q�x� �P������p<���縄@��A�����@8���B�hι�);#N� +F���ĊNP�(g�\`c�6H�G��c��\*��7�a��2߶��Aӕ�:BK:���@4r�1&������<���� Mq6E+=�N^{u4��hD��Rd���RĠ�fyMf̣��I V�%�"2x���,u9\[В"L24���ϩ������3x�'�FT��x�D �>��π@h��!��́񻉉�0�Y�={�I�����+ބ�������E�XK,�5WX���,��:\].�"��/�0E��e\_����%;����x�Y�\]D���Dm�HU��V2��ҬV'D��$���W.�tӁ�\]Ҕ�P9�5�P-�0k<�����3Fc�w1��4� ���f�0����)�������ǮǨC\*\\�(G}bh\*�c%��&,���Aq��~/8э��,�n����\]��O������?�0�O� o���5�<+,N-�^�2��c�\\q"y̚�v���h'B�~�f;�@��A1.1�)c03X��!)��#��# ��'M�HЀ�$�9��Q�E�n�y��� �T7�?i�KsgrR��,Hl7�J�<\`\`�O��\]P��P�x%Qn�5JI��/ļ C�vs��0r��\]&����0�\`jM�Q��<�G�Wpu ?�P�sh�l�� ���\\�Lo���nz����xv 0x'�GF\\ǋ��>g�Y�"S�f��a�WoeӸ{�@/��)Ȧ��hh�\]��\*����c��!���N�Kl���b=��/��0u�m �=Nh!P�Ef섃�?��3�a��c��1p�w��,���� ��Uj�ҡz�i���-y�G���^�\_�Ԃ��:LjQ¸� �°0�����eC��.��Q$|O�e���4>�9�&��^���y���vȨf�����1N��G�JÊ�:��1���/1Y�\_�;bB���pq�2��-�G��.��FB���� kc��.�ش�)K�7�aD#���6��}ţر�4�Ș�H�3�u�1�tdj�ܧ�5��2�J �~V+��Y���i�U<���2r�h���|F���12�)fc���\*ᆨk�1�=\*)����1<�>��!U�A�'���u�ч��k�(}b�hk��>TֶS�}�%����2F�܅aրTMxu�N��:�&�#�r�n��a�P%�\]� �'��\]�Wy����\[7 ��B\_�@���!P%��'�+��9p �^k�R8+�̹\["�1�q{Z����څ1�:�޶��u�.�M�e���e�W'�)�{-�nX��2���eWPo��'h$&\\Ŀ���G�b��=�ꃅV�S� {�Z�L�--��%��0�4����%z�u�M�h�e\[6�\[�3��0�����"7�p��hR;@9�g��F���pLV<a�����s��ӟ���ǻ�$����·r!YV#����S��M� 2�n����Op�����5ͧ�ؚ�Z;iw�?\`?,��}J�Ӱ7�2K9�ͽ�-|�u2�g4���� nD�p�&(4�oB� |נy>77�(��^�(�NٍZ��1�@F&c�%� \\�-d��SC�>�:��370���:���q����g�,�o��g�g����l��{NJ�&l�7fK\_��b�v�IH{�������>�ք�^�2��&9��� ш8��\_�t�S���-\*�5#y!-DR���k VU��}�~�a�BP�ivy��Gb0kq�P�J��\_T���M����\\+:$�(�^���G(v�t)\[���,�� L����˪�P@�9=ƛʜ�u\`l�ky\]GJO�du�e�2��e�2F� k�|�����H�1�T��W�Q�u�:X �Mʳ���d�>.�Z�6���)f����\\bw�N���i/w,�֭1O�V��}g�� ��DD�%�@Tl>k>�n��S��ڢ��\*�։Z{���;ۃ�,b�ٜ�C3,Ɨ���|�p��lDw6\`��Ƽ�^�\]����I��,��# ;�k���T��J:W �mޛ@����F�\[���2���e��M�=,��#��'���g���KU�g\`"�b\]����0�j$�g��Б�#e�\[s���M������d��,CEg���8�,�e���� �\_^��\_�ȑ2z�VEN?��4۝�Ko^+̂�����fS��Ϧ���(�S� �y�͟=(��1�ô@�;�~ ��<ƫ(ېHI�DʚH�E��3�K��O9�t$J�L��'�\_��� x�^ 8f�%İr�+x�%<����B�t�2�Q̨\]MexJ���٠�ݬ�w2��~�D����d�'m��'c�f���qpr/B����A��)��tǱ��p��Ƶ��kˎ~A"Yz6+��E�3���.�M��9��r�q"�SE�gF\`D\\��t�r�Q���I'�B�G��Q���$=a�xpo���u����"����o��3�Iܽ�\`�,��Xram��6y� endstream endobj 5 0 obj <> endobj 6 0 obj <> endobj 7 0 obj <> endobj 8 0 obj <> endobj 9 0 obj <> endobj 10 0 obj <> endobj 11 0 obj <> endobj 12 0 obj <> endobj 13 0 obj <> stream x���b����NIȾ/��c��MO�w��Ǵ,q�Y�e3�'�0�0�0�0�0�0�0�7Xޛ��������{�<�L���毳\\��MΞ�ͤc�\]�˔R��}u'���O��$�Z�n��0Â����%9}��1�K��΋yqц�M��9cb��@�q�Jӛ�z !^�¸��e��e)$=�)�ty+�6��\]2�!���\]� ��z��d���LG'�wp�l�� �u=�=�zN�S�(��Fn�t45��.3\]/��?gL>�A������<ݠ�a���QN�^�\]�ȿ(˲u�O��M\]�ܽ��� �

Tag

#pdf