By Vitor Ventura

This post is the result of research presented at Recon Montreal 2022. Two slide decks are provided along with this research . One is the presentation showing the whole process and how to do it on Google Play Protect services. The other one is a workshop on how

_By_ _Vitor Ventura_  

This post is the result of research presented at Recon Montreal 2022. Two slide decks are provided along with this research . One is the presentation showing the whole process and how to do it on Google Play Protect services. The other one is a workshop on how to do it on an emulator targeting MtpService.

**Motivation**

Performing reverse engineering on Android applications and/or malware is often about doing static analysis that is complemented by dynamic analysis. This is an approach that works perfectly with applications that run at the user level and have a user interface. However, the Android security model allows for the existence of system applications, which can be operating system applications, operator applications or vendor applications. This does not mean that the applications require special permissions. They may be regular applications or service provider applications that are pre-installed either by a vendor or by the telecom service provider.

One of the features associated with these applications is that they are uninstalable by the user - The best the user can do is uninstall the latest updates and suspend or deactivate the applications, but never uninstall them.

There are also system applications that are part of the Android framework which, are closed source, thus require reverse engineering to be analyzed.

A popular tool to perform dynamic analysis is the Frida Framework. To use it a researcher needs to inject the Frida library into the target application’s address space. This can be done either by running the Frida daemon with root level access on the device or by patching the target application and making it load the shared library version of Frida. If the target application is headless, i.e. without a user interface, the instrumentation can only be done by forcing the load of the shared library and patching the target application code.  

Doing such analysis should be easy by using an OEM version of the Android operating system; however, these images may not contain the target of our research which created the need to  enable the instrumentation of system applications on Android stock images.

This, however, presented a bigger challenge than originally expected due to the protection mechanisms in place in the Android Operating system. Maddie Stone’s presentation at BlackHat 2019 describes both the limitations and vulnerabilities found on some system applications.

**Obstacles**

There are several limitations imposed by the Android security architecture, but also limitations imposed by the very nature of the availability of the target applications. This section will enumerate the limitations and solutions to those limitations.

**Operating system limitations**

It would be easy to obtain root level access on the operating system if one was to reflash the device with an open operating system like GrapheneOS however this presents two challenges:

1) Applications that are installed by vendors would not be present. Even though it is possible to install them, they may have checks regarding the operating system version they are running on. Eventually a static analysis along with patching could bypass such checks. But at this point the analysis environment would be tainted which could lead to biased results. Additionally there is also the risk of missing some checks.

2) Some vendors add protections to the kernel which won’t be present on this different operating system which tend to be more generic. As an example, Samsung ships most of their kernels with the SELinux permissions set to restricted without the possibility of change from user level.

**Headless applications**

System applications are often headless, meaning that they don’t have a launch activity or a user interface. Without it, tools like Frida or the debugger provided by the Android studio, are not able to start the application and debug it. Effectively the researcher doesn’t have the means to start the application or even to know, in a deterministic way, when the application will be executed.

One option could be the patching of the manifest and adding the launch activity. This poses its own problems, like deciding which existent activity would handle the request, and even checking if the code would be able to handle it. This leads to increased tampering with the application’s way of working, eventually creating unpredictable problems.

**Enabling dynamic analysis on the application**

On Android when doing dynamic analysis on a regular application the analyst can either activate the debug option on the application manifest or use an instrumentation toolkit like Frida.  To activate the debugging the researcher needs to change the debuggable attribute (android:debuggable="true") in the Application section of the application manifest to true, and repackage the application.

To use Frida, assuming there is no root level or the target application is headless, the analyst would need to patch the application, make it load the Frida Gadget and give it the Internet permission. These changes, like the previous, also need a  repackaging of the application.

Android requires that all application packages are digitally signed. In regular applications and in an open environment, the certificate that signs the application has little importance and a researcher can simply use a freshly generated self-signed certificate . However this is not the case if the target application is a system application. The sections ahead explain why.

**Android security architecture**

This section will describe the obstacles that a researcher must overcome to reach the point where it is possible to perform the dynamic analysis.

**Digital certificate collision**

As described above, in order to install an application its package needs to be digitally signed, which shouldn’t be a problem. However, there are a few situations where the certificate that signs the package actually matters. One of these cases, and for good security reasons, is when a user tries to upgrade an application. Imagine the following scenario;

An attacker is able to trick the victim into downloading and installing a fake Instagram application, posing it (to the system) as an upgrade to the original application. If there weren’t checks on the package signatures the malicious application would get access to all the data and configuration from the legitimate application. To avoid this, Android checks if the two applications are signed by the same certificate. If they are not, it won’t allow the installation of the fake upgrade. There are other ways to perform such an attack, but that is beyond the scope of this research.

This means that when the changes needed for dynamic analysis are made and the application is repacked, the patched application will not be able to be installed because the signatures will not match.

**Replace the original application**

Since the patched application cannot be installed on top of the original application, the obvious solution would be to simply uninstall the original one and replace it with the patched one. However this presents another barrier in this specific use case. As it was explained in the first section, these applications cannot be uninstalled. At best they can be deactivated but not uninstalled, making this a huge limitation to overcome in order to dynamically analyze these applications.

**Shared UIDs**

The fact that it's not possible to upgrade applications with different digital signatures is not the only limitation imposed. On the Android operating system, applications may share user IDs (UIDs). This is particularly useful if a developer wants to share information between applications using simple mechanisms provided by Linux without having to use mechanisms provided by the framework. However the security architecture imposes, and rightfully so, that applications that share the user ID must all be signed by the same certificate. Unfortunately, there are several system applications that share the same user ID, so it is likely that a researcher will bump into this limitation throughout their research.

**Solution**

The method to be able to dynamically analyze system applications on Android requires several actions.

**Step-by-step  
**

As it was shown in the previous sections there are several obstacles that need to be overcome in order to dynamically analyze system applications on the Android platform.  

Not necessarily in this order, but first the original target application needs to be uninstalled and removed, then identify if there are shared user ID applications. If these applications exist they need to be either uninstalled or re-signed with the same certificate used to sign the patched version of the target application. The image below illustrates the necessary steps.

Since system applications are often headless for the sake of this document, instrumenting target system application is the best way to perform non-interactive dynamic analysis.

This means that the application needs to be patched, and the instructions for it to load Frida library (gadget) into its address space must be added.

Before jumping into the details of the method it's important to explain the target and the environment. This research was conducted on the standard Android emulator using the Pixel 4 XL skin, an x86 image with API 30. For demonstration purposes the selected target application was the MtpService which is responsible for handling the MediaTransferProtocol setup when a new USB device is connected to the device. This is an open sourced application which was perfect for testing as the reversed code and behavior could always be compared  with the original code.

**Patching and re-signing target application  
**

The first step to patch the target is to unpack it using apktool which can be found here along with the instructions to pack and unpack applications.

The place to actually perform the patching will be highly dependent on the target application, there is not “_one spot fits all_”. As a rule of thumb the library should be  loaded as early as possible in the target application. A good way to do that is to load the library inside the method that handles the “BOOT\_COMPLETED” action as this will be the first one to be executed upon device reboot.  

The manifest will have the class that handles that action named on the receiver section. In the target application the class is called “com.android.mtp.MtpReceiver”. In this class look for the “onReceive()” method as that will be the method that will be executed once the action is broadcasted.

Using the apktool one can decompile the classes.dex and edit the smali code to load the library. The smali code should look like the image below.

Line 151 declares a variable string object referred to as v0 and stores the word “gadget” inside of it. Line 153 invokes the static method “loadLibrary()” which resides inside the System package. With a single String object as argument, the v0 object was previously declared. These two instructions are enough to load a static library into the application address space. The image below illustrates how the code looks like in Java.

Now before repacking the whole application the Frida library needs to be added into the package. In the root of the package (created by apktool after extraction) create a directory called “lib/” inside it and create a directory with the architecture of the library, in this case it's “x86” since this is the emulator. Inside this directory place the library file.

Now, because of the Android installer there are a few tweaks that need to be done. First the library file must start with the prefix “lib” and end with the extension “.so”. So even though the instructions make the system load a library called “gadget”, the file name must be “libgadget.so”. Frida gadget needs a configuration file, whose details will be addressed in the next section. This file also needs to be inside the package so that it is made available upon the loading of the library. Frida gadget will look for a configuration file with the same name as the library itself but with an extension “.config”. So as per Android requirements this file must be called “libgadget.config.so”.

Conforming to these  naming criteria will ensure that upon installation the patched version of the target application will load the Frida gadget once the device is rebooted. Once all the files are in place, the application needs to be repacked into an APK file using apktool.

**Signing the target application  
**

Now the package needs to be re-signed. The certificate can be generated with a simple command such as :

keytool -genkey -v -keystore release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-alias

Keep in mind that this same certificate may be needed to sign applications that share the user ID (UID) with your target application. Before the package can be signed the zip file needs to be aligned which is done with the command below.

zipalign -v -p 4 <package\_file> <output>

Afterwards the package should be signed using the apksigner with the command line below:

apksigner sign --ks <path to java keystore> --out <package name> <output  from zipalign>

**Searching for shared ID applications**

As It happens, the MtpService application installation still fails with the error below.

This means that there are applications that share the same userid but are signed with a different certificate. This can be confirmed by checking the manifest snippet below.

There is a property called “android:sharedUserId” which is defined and set to “android.media”, meaning that there are other applications that use the same userid. Any application using this shared userid must be a system application. A not very elegant but effective method to find all the applications is to download all the system applications, extract and convert the manifest into a text format and search for the shared id property.

Once all of these are known, they can either be removed, using the same technique described in the previous section; OR they can be replaced with a version signed with the same certificate. The latter is the preferred action because there may be unforeseen dependencies between the applications.

**Uninstall/replace the original target application package  
**

_This is a crucial step in this method_, without which Android security architecture will never allow the installation of the patched version of the target application. So in order to do this a tool called Magisk, will have to be installed. Magisk is a “rooting” tool that will allow users to obtain root level access on their devices without changing the whole operating system image. The tool provides a method for users to patch the kernel which can then be re-flashed into the device.

This method is the least intrusive possible, while allowing root access. Because these are system applications analysis, the root access is not that relevant (keep in mind that the application must be patched to have the Frida library in its own code) since there is no need to run Frida server as a daemon with high privileges.

Magisk has another crucial feature: It allows a user to define a virtual filesystem which will be laid on top of the actual file system at boot time. This allows any folder or file to be remapped to the version replacing the original ones flashed into the partitions upon system creation.

The first step is to install Magisk on the system that will be used for the analysis. The installation itself is beyond the scope of this article, but once installed you should be able to see the home screen of the Magisk Application, and should look something like the image below.

The application being  targeted here is stored at “/system/priv-app/MtpService/” and the image below shows that's where the application package is located at.

If one tries to delete the package manually, one can see that “/system” directory is mounted on a read-only filesystem which, as seen below, doesn’t allow the file to be deleted, even though the files are owned as root.

So the way to address this is to use what Magisk calls “modules”, where in reality a user can define a filesystem path to be overlaid by Magisk on top of the real path. Thus changing the contents of the real path. The overlay can simply delete a full path or replace it with one’s own contents.

The Magisk modules configuration is stored in “/data/adb/modules”, the full module documentation can be found here, and in this case one just needs to create a directory with the name desired for the module to have and recreate the path to overlay. By adding the file “.replace” on the last directory, one simply replaces that directory by an empty one.

The image above shows the empty directory after the module has been created.

Now that all the obstacles have been overcome, the patched application can simply be installed and the device rebooted. This should start the patched application with the instrumentation toolkit embedded in it and ready to use.

How to instrument system applications on Android stock images

By Deeba Ahmed
In total 22 proprietary software vulnerabilities were identified in the firmware, which Qualcomm addressed in its January 2023…
This is a post from HackRead.com Read the original post: Chip Vulnerabilities Impacting Microsoft, Lenovo, and Samsung Devices

In total 22 proprietary software vulnerabilities were identified in the firmware, which Qualcomm addressed in its January 2023 security bulletin.

Firmware attacks are increasingly common nowadays as cybercriminals are focusing more on the lower-level embedded code, which supports hardware. **Qualcomm**’s hardware is the latest target in this regard.

Reportedly, the company was notified about the presence of nearly 2 dozen security vulnerabilities in its flagship chipset suite, Snapdragon.

**Vulnerabilities Details**

These vulnerabilities were discovered by Binarly AI-powered firmware protection company. In total 22 proprietary software issues were identified in the firmware, which Qualcomm addressed in its January 2023 security bulletin.

These include 2 bugs in automotive tracked as CVE-2022-33218 and CVE-2022-33219 and one bug in powerline communication firmware tracked as CVE-2022-33265. These bugs were rated critical or high severity and their patching was quite complex.

Additionally, five major vulnerabilities in UEFI firmware on ARM were identified and tracked as CVE-2022-40516 to CVE-2022-40520. These vulnerabilities impacted the whole infrastructure of ARM-based devices and laptops.

Binarly discovered two types of vulnerabilities, including out-of-bounds read issued and stack-based buffer overflows. Both were connected to the DXE driver and could be exploited by whoever gained elevated privileges.

The company has released patches for the vulnerabilities in its latest security advisory, including patches for five connectivity and boot issues.

**Which Devices are at Risk?**

Devices made by Lenovo, Microsoft, and Samsung are at risk due to using Snapdragon chipsets. However, the scope of impact is highly diverse as the vulnerabilities may affect vehicles to powerline communications. For your information, the Snapdragon CPU uses the ARM architecture.

Therefore, apart from Lenovo and other manufacturers, ARM-based Microsoft Surface and Windows Dev Kit 2023/Project Volterra computers were also affected by the vulnerabilities. Some vulnerabilities could lead to arbitrary code execution and be exploited for a Secure Boot bypass, allowing an attacker to gain persistence on a device by gaining privileges to write to the file system.

**How the Flaws Were Discovered?**

Binarly founder and CEO, Alex Matrosov revealed that they discovered around nine security vulnerabilities while examining the Lenovo Thinkpad X13s firmware powered by the Snapdragon system-on-a-chip.

Further probe revealed that some vulnerabilities were specific to Lenovo devices and five impacted Qualcomm reference codes. This means the vulnerabilities were impacting laptops and all other devices having Snapdragon chips installed.

Matrosov clarified that this was the first time UEFI firmware vulnerabilities connected to the ARM device architecture were disclosed at such a scale. The CEO also noted that the number of affected chipsets is “massive.”

The good news is that Lenovo has addressed the issue and its advisory is available here.

1.  Alert: New Bluetooth flaw lets attackers monitor traffic
2.  Source code of over 50 top organizations leaked online
3.  Hackers Exploiting MSI Afterburner to Deliver Coin Miner
4.  400 chip flaws turn 3 billion Android phones into spying tool
5.  Microsoft hopes Windows PCs protection with Pluton security chip

Chip Vulnerabilities Impacting Microsoft, Lenovo, and Samsung Devices

By Waqas
Apparently, the server belongs to a company based in the US with offices around the globe including India.
This is a post from HackRead.com Read the original post: Top ERP Firm Exposing Half a Million Indian Job Seekers Data

At the time of writing, a misconfigured server belonging to an Enterprise Resource Planning (ERP) Software provider based in California, United States was still exposing data to public without any security authentication or password.

An **Elasticsearch server** belonging to a major international IT recruitment and software solution provider is currently exposing the personal data of more than half a million Indian candidates looking for jobs.

However, the data is not limited to jobseeker as the server is also exposing the company’s employees’ data. Another important aspect of this data exposure is the fact that it also contains the company’s client records from different companies, including Apple and Samsung.

This was confirmed to Hackread.com by **Anurag Sen**, a prominent independent security researcher. What is worse, the server is still exposed and publicly accessible without any security authentication or password. Originally, the server was being exposed since late December 2022.

It all started when Anurag scanned for **misconfigured databases on Shodan** and noted a server exposing more than 6GB worth of data to public access. Anurag said that the server belongs to a company originally based in the United States with offices around the globe  
including India. Whilst the database contains details of job seekers in **India**.

Hackread.com would not share the name of the company in this article because the server is still exposed.

**Exposed Data**

Anurag’s analysis of the server revealed that the exposed records contain personal data of over 575,000 individuals, while the size of the data is over 6.3GB and increasing with new data with each day passing. This data includes the following:

*   Full Name
*   Date of birth
*   Email address
*   Phone number
*   Resume details
*   Employer details

The screenshot below shows the candidate details and client data that are currently being exposed:

Image credit: Anurag Sen – Hackread.com

The screenshot below was taken from the live server that shows the company’s client details. Some of these are top companies Apple, Samsung, Sandisk, Unilog, Moody, Intuit, NEC Corporation, Falabella and many more.

The company’s client list also indicates that its a high-profile business with a presence all over the globe.

Screenshot credit: Anurag Sen – Hackread.com

**Indian CERT Alerted**

Since the server is still live at the time of writing; Anurag alerted the Indian Computer Emergency Response Team over the weekend. However, there has been no response from the authorities yet.

**India and server misconfiguration**

India is home to almost 1.4 billion people. This makes the country a lucrative target for businesses as well as cybercriminals. The more the investment, the more widespread and vulnerable the IT infrastructure becomes.

Last year, several top data exposure-related incidents involving tens of millions of victims were reported from India. These included **Indian Federal Police and banking records**, **Covid antigen test results**, **MyEasyDocs**, online packaging marketplace **Bizongo**, etc.

**Impact**

It is yet unclear whether a third party accessed the database **with malicious intent**, such as ransomware gangs or threat actors. However, if it did, it would be devastating for the victim and the healthcare firm responsible for the server.

Furthermore, considering the extent and nature of the exposed data, the incident can have far-reaching implications, such as bad actors downloading the data, carrying out phishing scams, or identity theft-related fraud.

Hackers can hold the company’s server or **data for ransom** and leak it on cybercrime forums if their demands are not met. Nevertheless, the victims in this situation are the job hunters who trusted authorities with their personal information.

**Misconfigured Databases – Threat to Privacy**

Misconfigured or unsecured databases, as we know it, have become a major privacy threat to companies and unsuspected users. **In 2020**, researchers identified over 10,000 unsecured databases that exposed more than ten billion (10,463,315,645) records to public access without any security authentication. 

**In 2021**, the number increased to 399,200 exposed databases. The top 10 countries with top database leaks due to misconfiguration in 2021 included the following:

*   USA – 93,685 databases
*   China – 54,764 databases
*   Germany – 11,177 databases
*   France – 9,723 databases
*   India – 6,545 databases
*   Singapore – 5,882 databases
*   Hong Kong – 5,563 databases
*   Russia – 5,493 databases
*   Japan – 4,427 databases
*   Italy – 4,242 databases

1.  **Hackers claim to be selling 13TB of Domino’s India data**
2.  **Hackers leak data of 29 million Indian job seekers for download**
3.  **India’s COVID-19 surveillance tool exposed millions of user data**
4.  **Hackers leak millions of Airtel India user data with Aadhaar numbers**
5.  **9,517 unsecured databases identified with 10 billion records globally**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Top ERP Firm Exposing Half a Million Indian Job Seekers Data

Plus: Patches for Apple iOS 16, Google Chrome, Windows 10, and more.

The holiday season is almost over, but security patches are still continuing to arrive thick and fast in December. The month has seen updates released by Apple, Google, and Microsoft, as well as enterprise software companies including the likes of SAP, Citrix, and VMWare. 

Many of the patches fix zero-day vulnerabilities already being exploited in attacks, making it important that they are applied as soon as possible. Here’s the lowdown on all the patches released in December.

Apple iOS and iPadOS 16.2, iOS 15.7.2, iOS 16.1.2

Apple released a major point upgrade to its iOS 16 operating system in December: iOS 16.2. The update comes with features including end-to-end encryption in iCloud, but it also fixes 35 security vulnerabilities.

None of the issues patched in iOS 16.2 are known to have been used in attacks; however, many are pretty serious. The flaws include six in the Kernel and nine in the engine that powers Apple’s Safari browser, WebKit, which could allow an attacker to execute code. 

Apple also released iOS 15.7.2 for users of older iPhones that can’t run iOS 16, fixing a flaw already being used in attacks. Tracked as CVE-2022-42856, the WebKit vulnerability could allow an attacker to execute code, according to Apple’s support page. At the end of November, Apple fixed the same WebKit flaw in iOS 16.1.2.

Since the launch of iOS 16 in September, Apple has been offering security updates to those who don’t want to upgrade to the new operating system. But iOS 15.7.2 is only for older iPhones, so if you’ve got an iPhone 8 or above, you now need to upgrade to iOS 16 to stay secure. 

The iPhone maker also released macOS Ventura 13.1, watchOS 9.2, tvOS 16.2, macOS Big Sur 11.7.2, macOS Monterey 12.6.2, and Safari 16.2.

Google Android 

December was a hefty patch month for Google’s Android operating system, with fixes for dozens of security vulnerabilities issued during the month. Tracked as CVE-2022-20411, the most severe is a critical vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed, Google said in a security bulletin. 

Google also fixed two critical flaws in the Android Framework component, CVE-2022-20472 and CVE-2022-20473. Meanwhile, 151 Pixel-specific bugs were patched by Google in December. 

The December patch is available for Google’s own Pixel devices as well as Samsung smartphones, including the hardware maker’s flagship Galaxy range. 

Google Chrome 108

Google has issued an emergency update for its Chrome browser to fix the ninth zero-day vulnerability of the year. Tracked as CVE-2022-4262, the high-severity type confusion issue in Chrome’s V8 JavaScript engine could allow a remote attacker to exploit heap corruption via a crafted HTML page. “Google is aware that an exploit for CVE-2022-4262 exists in the wild,” the browser maker said in a blog.

The emergency update arrived just days after Google released Chrome 108, patching 28 security flaws. Among the fixes are CVE-2022-4174—a type confusion flaw in V8—and several use-after-free bugs. None of these vulnerabilities have been exploited in attacks, according to Google. But given that the latest bug is already in the hands of attackers, it’s a good idea to update Chrome as soon as possible.

Microsoft Patch Tuesday 

Microsoft’s December Patch Tuesday was another big one, fixing 49 security vulnerabilities, including a flaw being used in attacks. Tracked as CVE-2022-44698, the issue is a Windows SmartScreen security feature bypass vulnerability that could lead to loss of integrity and availability.

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft said.

Update Android Right Now to Fix a Scary Remote-Execution Flaw

New web targets for the discerning hacker

New web targets for the discerning hacker

  

As 2022 draws to a close, HackerOne has revealed that cloud-based vulnerabilities became increasingly common this year as organizations embark on digital transformation.

The bug bounty platform reported that researchers uncovered more than 65,000 software vulnerabilities through its service during the year, up 21% on 2021.

Misconfiguration vulnerabilities also rose 150% and improper authorization issues by 45% – largely because organizations are instituting ever-more granular permissions as they migrate to the cloud.

Intel recently paid out a $10,000 bug bounty to Julien Ahrens of RCE Security – despite disputing the seriousness of the flaw.

Ahrens bypassed Intel Data Center Manager (DCM) authentication by spoofing Kerberos and LDAP (Lightweight Directory Access Protocol) responses, claiming this led to remote code execution (RCE).

Intel acknowledged the vulnerability and gave it a severity score of 8.8, but says the issue amounted only to a privilege elevation flaw. It was persuaded to make the payout anyway as a one-off.

Meanwhile, a security researcher known by the moniker Peter M demonstrated this month how he bypassed Akamai web application firewalls (WAF) running Spring Boot, potentially leading to remote code execution (RCE).

He says it took 500 crafted attempts and over 14 hours to find an entry point as part of a private Bugcrowd program.

The attack, carried out with the assistance of Synack pentester Usman Mansha, used Spring Expression Language (SpEL) injection.

Read more of the latest bug bounty news

In other bug bounty news, Intigriti says it has paid out nearly three times as much this year compared to last, with the average amount having doubled.

It says ethical hackers increasingly see bug bounty hunting as a full-time career, with 96% saying they’d like to spend more time on it. The biggest draw is the money, along with the ability to work anywhere in the world, the ability to work alone, and the chance to outsmart cybercriminals.

And Meta’s review of its own bug bounty program this year has revealed that it paid out more than $2 million, receiving around 10,000 reports in total, of which it paid out on 750.

Meta also released updated payout guidelines for mobile RCE bugs, and there are new payout guidelines for account takeover (ATO) and two-factor authentication (2FA) bypass vulnerabilities, too. These go up to $130,000 for ATO reports and $300,000 for mobile RCE bugs.

Finally, bug bounty and security services platform for web3 Immunefi says it has paid out just under $66 million this year, with the biggest bounty amounting to $10 million for a vulnerability discovered in Wormhole, a generic cross-chain messaging protocol.

Critical vulnerabilities took the lead with a total of $61 million paid out, accounting for 92.7% of all bounties paid.

**The latest bug bounty programs for January 2023**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Axis Communications**

Program provider:  
Bugcrowd

Program type:  
Public

Max reward:  
TBC

Outline:  
Video surveillance vendor Axis Communications has launched a bug bounty program to find vulnerabilities in its network security products, excluding its 2N products.

Notes:  
Axis Communications has yet to release details of payment rewards for finding such bugs, but has released details of how these bugs are scored using the CVSS method.

Check out the Axis Communications bug bounty page for more details

**Contentsquare**

Program provider:   
YesWeHack  

Program type: Public

Max reward: €2,500 ($2,670)

Outline: UX analytics provider Contentsquare has launched a bug bounty program focussed on finding issues with its mobile software development kit and collection endpoints, details of which are listed on its bug bounty page.

Notes: Contentsquare asks ethical hackers to consult the list of in-scope topics beforehand, as the targets are specific.

Check out the Contentsquare bug bounty page for more details

**Doppler**

Program provider:  
HackerOne

Program type: Public

Max reward: $2,500

Outline: Doppler bills itself as a “SecretOps platform developers and security teams trust to provide secrets management at enterprise scale”.

Notes: Again, there are multiple domains to explore plus Doppler’s source code. There are also five domains that are out of scope for testing.

Check out the Doppler bug bounty page for more details

**Engel & Völkers Technology GmbH**

Program provider:  
HackerOne

Program type: Public

Max reward: $1,000

Outline: IT consulting firm Engel & Völkers Technology GmbH has opened its domains to testing by bug bounty hunters.

Notes: There are more than 10 domains available to attack, ranging from critical to medium severity. There are also a handful of domains that are out of scope and shouldn’t be tested.

Check out the Engel & Völkers Technology GmbH bug bounty page for more details

**Harman International**

Program provider:  
YesWeHack

Program type: Public

Max reward: $5,000

Outline: Electronics manufacturer Harman, a Samsung company, is asking for help with “hardening of the entire ecosystem” related to JBL devices.

Notes: There are 16 targets in scope including physical devices, web APIS, and applications, so there’s something for everyone to get stuck into.

Check out the Harman International bug bounty page for more details

**Moonpay**

Program provider:  
HackerOne

Program type: Public

Max reward: $20,000

Outline: Crypto exchange platform Moonpay is offering big rewards for security vulnerabilities in multiple domains and its source code.

Notes: There are four domains out of scope, so these should be checked before proceeding. Moonpay also details an extensive list of vulnerabilities that aren’t eligible for reward, so this should be checked, too.

Check out the Moonpay bug bounty page for more details

**Navitas**

Program provider:  
Bugcrowd

Program type:  
Private

Max reward:  
$2,500

Outline:  
Australian education provider Navitas is offering rewards for reproducible bugs in its services, with rewards based on the severity of the issue.

Notes:  
Although the company is based in Australia, the rewards are open to ethical hackers worldwide, on an invite basis.

Check out a press release regarding the Navitas bug bounty program for more details

**OVO**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
$3,000

Outline:  
Indonesian payment, rewards and financial services platform is asking hackers to find bugs in four of its mobile and web apps, providing plenty of opportunity to seek a reward.

Notes:  
OVO has explicitly noted that staging environments are out of scope, as are any other targets that aren’t specifically listed on its bug bounty page.

Check out the OVO bug bounty page for more details

**Swapcard**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
€2,000 ($2,140)

Outline:  
Swapcard describes itself as an event app and matchmaking platform powered by artificial intelligence, which holds events in the sectors of security, government, and health.

Notes:  
There is an extensive list of applications and APIs that can be targeted, so this is worth checking out before making a start. Also note that Swapcard states that reports with a detailed proof of concept will be rewarded at a quicker rate, if eligible, than those without.

Check out the Swapcard bug bounty page for more details

**VFS**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
$1,500

Outline:  
VFS manages the administrative and non-judgmental tasks related to visa, passport and consular services for its client governments.

Notes:  
The maximum reward is for vulnerabilities deemed as ‘critical’. Examples include, but aren’t limited to, the leaking of visa applicant personally identifiable information, Insecure Direct Object References (IDOR) issues resulting in significant leak of sensitive user information, and scripts that can automate the completion of the user registration flow.

Check out the VFS bug bounty page for more details

**Yuga Labs**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$25,000

Outline:  
Yuga Labs is offering an impressive $25,000 for the discovery of critical vulnerabilities in its web3 platform.

Notes:  
The company is asking for reports on bugs in not only its domains but its Discord servers too. Anyone wanting to attack the Discord servers should check out the separate policy on Yuga Labs’ bug bounty page first.

Check out the Yuga Labs bug bounty page for more details

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for December 2022

Bug Bounty Radar // The latest bug bounty programs for January 2023

KrebsOnSecurity turns 12 years old today. That's a crazy long time for an independent media outlet these days, but then again I'm liable to keep doing this as long as they keep letting me!

Thanks to your readership and support, I was able to spend more time in 2022 on in-depth investigative stories -- the really satisfying kind with the potential to affect positive change. Some of that work is highlighted in the 2022 Year in Breaches review below.

KrebsOnSecurity turns 13 years old today. That’s a crazy long time for an independent media outlet these days, but then again I’m bound to keep doing this as long as they keep letting me. Heck, I’ve been doing this so long I briefly forgot which birthday this was!

Thanks to your readership and support, I was able to spend more time in 2022 on some deep, meaty investigative stories — the really satisfying kind with the potential to affect positive change. Some of that work is highlighted in the 2022 Year in Review review below.

Until recently, I was fairly active on **Twitter**, regularly tweeting to more than 350,000 followers about important security news and stories here. For a variety of reasons, I will no longer be sharing these updates on Twitter. I seem to be doing most of that activity now on Mastodon, which appears to have absorbed most of the infosec refugees from Twitter, and in any case is proving to be a far more useful, civil and constructive place to post such things. I will also continue to post on LinkedIn about new stories in 2023.

Here’s a look at some of the more notable cybercrime stories from the past year, as covered by KrebsOnSecurity and elsewhere. Several strong themes emerged from 2022’s crop of breaches, including the targeting or impersonating of employees to gain access to internal company tools; multiple intrusions at the same victim company; and less-than-forthcoming statements from victim firms about what actually transpired.

**JANUARY**

You just knew 2022 was going to be _The Year of Crypto Grift_ when two of the world’s most popular antivirus makers — Norton and Avira — kicked things off by installing cryptocurrency mining programs on customer computers. This bold about-face dumbfounded many longtime Norton users because antivirus firms had spent years broadly classifying all cryptomining programs as malware.

Suddenly, hundreds of millions of users — many of them old enough to have bought antivirus from **Peter Norton** himself back in the day — were being encouraged to start caring about and investing in crypto. Big Yellow and Avira weren’t the only established brands cashing in on crypto hype as a way to appeal to a broader audience: The venerable electronics retailer **RadioShack** wasted no time in announcing plans to launch a cryptocurrency exchange.

By the second week of January, Russia had amassed more than 100,000 troops along its southern border with Ukraine. The Kremlin breaks with all tradition and announces that — at the request of the United States — it has arrested 14 people suspected of working for REvil, one of the more ruthless and profitable Russian ransomware groups.

Security and Russia experts dismiss the low-level arrests as a kind of “**ransomware diplomacy**,” a signal to the United States that if it doesn’t enact severe sanctions against Russia for invading Ukraine, Russia will continue to cooperate on ransomware investigations.

The Jan. 19th story IRS Will Soon Require Selfies For Online Access goes immediately viral for pointing out something that apparently nobody has noticed on the **U.S. Internal Revenue Service** website for months: Anyone seeking to create an account to view their tax records online would soon be required to provide biometric data to a private company in Virginia — **ID.me**.

Facing a backlash from lawmakers and the public, the IRS soon reverses course, saying video selfies will be optional and that any biometric data collected will be destroyed after verification.

**FEBRUARY**

Super Bowl Sunday watchers are treated to no fewer than a half-dozen commercials for cryptocurrency investing. **Matt Damon** sells his soul to **Crypto.com**, telling viewers that “fortune favors the brave” — basically, “only cowards would fail to buy cryptocurrency at this point.” Meanwhile, Crypto.com is trying to put space between it and recent headlines that a breach led to $30 million being stolen from hundreds of customer accounts. A single bitcoin is trading at around $45,000.

**Larry David**, the comedian who brought us years of awkward hilarity with hits like **Seinfeld** and **Curb Your Enthusiasm**, plays the part of the “doofus, crypto skeptic” in a lengthy Super Bowl ad for **FTX,** a cryptocurrency exchange then valued at over $20 billion that is pitched as a “safe and easy way to get into crypto.” \[Last month, FTX imploded and filed for bankruptcy; the company’s founder now faces civil and criminal charges from three different U.S. agencies\].

On Feb. 24, Russia invades Ukraine, and fault lines quickly begin to appear in the cybercrime underground. Cybercriminal syndicates that previously straddled Russia and Ukraine with ease are forced to reevaluate many comrades who are suddenly working for The Other Side.

Many cybercriminals who operated with impunity from Russia and Ukraine prior to the war chose to flee those countries following the invasion, presenting international law enforcement agencies with rare opportunities to catch most-wanted cybercrooks. One of those is **Mark Sokolovsky**, a 26-year-old Ukrainian man who operated the popular “**Raccoon**” malware-as-a-service offering; Sokolovsky was busted in March after fleeing Ukraine’s mandatory military service orders.

Also nabbed on the lam is **Vyacheslav “Tank” Penchukov**, a senior Ukrainian member of a transnational cybercrime group that stole tens of millions of dollars over nearly a decade from countless hacked businesses. Penchukov was arrested after leaving Ukraine to meet up with his wife in Switzerland.

Tank, seen here performing as a DJ in Ukraine in an undated photo from social media.

Ransomware group **Conti** chimes in shortly after the invasion, vowing to attack anyone who tries to stand in Mother Russia’s way. Within hours of that declaration several years worth of internal chat logs stolen from Conti were leaked online. The candid employee conversations provide a rare glimpse into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. The records also reveal how Conti dealt with its own internal breaches and attacks from private security firms and foreign governments.

Faced with an increasing brain drain of smart people fleeing the country, Russia floats a new strategy to address a worsening shortage of qualified information technology experts: Forcing tech-savvy people within the nation’s prison population to perform low-cost IT work for domestic companies.

Chipmaker **NVIDIA** says a cyberattack led to theft of information on more than 71,000 employees. Credit for that intrusion is quickly claimed by **LAPSUS$**, a group of 14-18 year-old cyber hooligans mostly from the United Kingdom who specialized in low-tech but highly successful methods of breaking into companies: Targeting employees directly over their mobile phones.

LAPSUS$ soon employs these skills to successfully siphon source code and other data from some of the world’s biggest technology firms, including **Microsoft**, **Okta**, **Samsung**, **T-Mobile** and **Uber**, among many others.

**MARCH**

We learn that criminal hackers are compromising email accounts and websites for police departments worldwide, so that they can impersonate police and send legal requests to obtain sensitive customer data from mobile providers, ISPs and social media companies. That story prompts revelations that several companies — including **Apple**, **Discord** and **Meta/Facebook** — have complied with the fake requests, and draws the attention of Congress to the problem.

**APRIL**

It emerges that email marketing giant **Mailchimp** got hacked. The unknown intruders gained access to internal Mailchimp tools and customer data by social engineering employees at the company, and then started sending targeted phishing attacks to owners of **Trezor** hardware cryptocurrency wallets.

The **FBI** warns about a massive surge in victims from “**pig butchering**” scams, in which flirtatious strangers online lure people into investing in cryptocurrency scams. Investigative reports reveal pig butchering’s link to organized crime gangs in Asia that attract young job seekers with the promise of customer service jobs. Instead, those who show up at the appointed time and place are kidnapped, trafficked across the border into neighboring countries like Cambodia, and pressed into a life of indentured servitude scamming others online.

The now-defunct and always phony cryptocurrency trading platform xtb-market\[.\]com, which was fed by pig butchering scams.

**MAY**

KrebsOnSecurity reports that hackers who specialize in filing fake police requests for subscriber data gained access to a **U.S. Drug Enforcement Administration** (DEA) portal that taps into 16 different federal law enforcement databases.

The government of **Costa Rica** is forced to declare a state of emergency after a ransomware attack by Conti cripples government systems. Conti  publishes nearly 700 GB worth of government records after the country’s leaders decline to pay a $20 million ransom demand.

**JUNE**

KrebsOnSecurity identifies Russian national **Denis Emelyantsev** as the likely owner of the RSOCKS botnet, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer. Emelyantsev was arrested that same month at a resort in Bulgaria, where he requested and was granted extradition to the United States —  reportedly telling the judge, “America is looking for me because I have enormous information and they need it.”

The employees who kept things running for RSOCKS, circa 2016. Notice that nobody seems to be wearing shoes.

**JULY**

Big-three consumer credit bureau **Experian** comes under scrutiny after KrebsOnSecurity reveals identity thieves are reliably seizing control over consumer credit files by simply re-registering using the target’s personal information and an email address tied to the crooks. Two months later, Experian would be hit with a class-action lawsuit over these security and privacy failures.

**Twitter** acknowledges that it was relieved of phone numbers and email addresses for 5.4 million users. The security weakness that allowed the data to be collected was patched in January 2022.

**AUGUST**

Messaging behemoth **Twilio** confirms that data on 125 customers was accessed by intruders, who tricked employees into handing over their login credentials by posing as employees of the company’s IT department.

Among the Twilio customers targeted was encrypted messaging service **Signal**, which relied on Twilio to provide phone number verification services. Signal said that with their access to Twilio’s internal tools, the attackers were able to re-register those users’ phone numbers to another device.

Food delivery service **DoorDash** discloses that a “sophisticated phishing attack” on a third-party vendor allowed attackers to gain access to some of DoorDash’s internal company tools. Thanks to data left exposed online by the intruders, it becomes clear that DoorDash was victimized by the same group that snookered employees at Twilio, Mailchimp, **CloudFlare**, and dozens of other major companies throughout 2022.

Mailchimp discloses another intrusion involving targeted phishing attacks against employees, wherein hackers stole data on more than 200 Mailchimp customers. Web hosting giant **DigitalOcean** discloses it was one of the victims, and that the intruders used their access to send password reset emails to a number of DigitalOcean customers involved in cryptocurrency and blockchain technologies. DigitalOcean severs ties with Mailchimp after that incident, which briefly prevented the hosting firm from communicating with its customers or processing password reset requests.

Password manager service **LastPass** discloses that its software development environment was breached, and that intruders made off with source code and some proprietary LastPass data. LastPass emphasizes the intruders weren’t able to access any customer data or encrypted password vaults, and that “there is no evidence of any threat actor activity beyond the established timeline,” and “no evidence that this incident involved any access to customer data or encrypted password vaults.”

**SEPTEMBER**

Uber discloses another breach, forcing the company to take several of its internal communications and engineering systems offline as it investigates. The intrusion only comes to light when the hacker uses the company’s internal Slack channel to boast about their access, listing several internal databases they claimed had been compromised. The intruder told The New York Times they got in by sending a text message to an employee while posing as an employee from Uber’s IT department. Uber blames LAPSUS$ for the intrusion.

Australian telecommunications giant **Optus** suffers a data breach involving nearly 10 million customers, including passport or license numbers on almost three million people. The incident dominates headlines and politics in Australia for weeks, as the hacker demands a million dollars in cryptocurrency not to publish the information online. Optus’s CEO calls the intrusion a “sophisticated attack,” but interviews with the hacker reveal they simply enumerated and scraped the data from the Optus website without authentication. After briefly posting 10,000 records from the intrusion, the hacker announces they made a mistake, and deletes the auction.

**OCTOBER**

A report commissioned by **Sen. Elizabeth Warren** (D-Mass.) reveals that most big U.S. banks are stiffing account takeover victims. Even though U.S. financial institutions are legally obligated to reverse any unauthorized transactions as long as the victim reports the fraud in a timely manner, the report cited figures showing that four of the nation’s largest banks collectively reimbursed only 47 percent of the dollar amount of claims they received.

**Joe Sullivan**, the former chief security officer for Uber, is found guilty of two felonies after a four-week trial. In 2016, while the **U.S. Federal Trade Commission** was already investigating a 2014 breach at Uber, another security breach affected 57 million Uber account holders and drivers. The intruders demand $100,000, but Sullivan and his team paid the ransom under the company’s bug bounty program, made the hackers sign a non-disclosure agreement, and concealed the incident from users and investors. The two hackers involved pleaded guilty in 2019; by this time, it has become a nearly everyday occurrence for victim companies to pay to keep a ransomware attack quiet.

**NOVEMBER**

A ransomware group with ties to REvil begins publishing names, birth dates, passport numbers and information on medical claims on nearly 10 million current and former customers of Australian health insurer **Medibank**. The data is published after Medibank reportedly declines to pay a US$10 million ransom demand.

**DECEMBER**

KrebsOnSecurity breaks the news that **InfraGard**, a program run by the **U.S. Federal Bureau of Investigation** (FBI) to build cyber and physical threat information sharing partnerships with the private sector, saw its database of contact information on more than 80,000 members put up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible were communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.

A cybercriminal starts selling account data scraped from 400 million Twitter users, including email addresses and in many cases phone numbers. The seller claims their data was scraped in late December 2021 using the same vulnerability that Twitter patched in January 2022, and that led Twitter to acknowledge the data scraping of 5.4 million user accounts earlier this year. Twitter no longer has a press office, and the company’s Chief Twit has remained silent about the 400 million claim so far, despite many indications that the data is legitimate.

Two days before Christmas, LastPass posted an update on its investigation into the August data breach, saying the intruder was able to use data stolen in the August breach to come back and copy a backup of customer vault data from the encrypted storage container. LastPass’s lackadaisical disclosure timeline and failure to answer follow-up questions has done little to assuage the fears of many users, leaving _Wired.com_ to recommend users abandon the platform in favor of the password managers 1Password and Bitwarden.

Also two days before Christmas, KrebsOnSecurity notifies Experian that anyone can bypass security questions in their application for a free credit report, meaning identity thieves can access your full credit file with just your name, address, date of birth and Social Security number. Unfortunately, this static data on most Americans has been for sale in the cybercrime underground for years. Experian has yet to say whether it has fixed the problem, but expect to see a full report about this early in the New Year.

Happy 13th Birthday, KrebsOnSecurity!

The year was marked by sinister new twists on cybersecurity classics, including phishing, breaches, and ransomware attacks.

With the pandemic evolving into an amorphous new phase and political polarization on the rise around the world, 2022 was an uneasy and often perplexing year in digital security. And while hackers frequently leaned on old chestnuts like phishing and ransomware attacks, they still found vicious new variations to subvert defenses.

Here's WIRED's look back on the year's worst breaches, leaks, ransomware attacks, state-sponsored hacking campaigns, and digital takeovers. If the first years of the 2020s are any indication, the digital security field in 2023 will be more bizarre and unpredictable than ever. Stay alert, and stay safe out there.

For years, Russia has pummeled Ukraine with brutal digital attacks causing blackouts, stealing and destroying data, meddling in elections, and releasing destructive malware to ravage the country's networks. Since invading Ukraine in February, though, times have changed for some of Russia's most prominent and most dangerous military hackers. Shrewd long-term campaigns and grimly ingenious hacks have largely given way to a stricter and more regimented clip of quick intrusions into Ukrainian institutions, reconnaissance, and widespread destruction on the network—and then repeated access over and over again, whether through a new breach or by maintaining the old access. The Russian playbook on the physical battlefield and in cyberspace seems to be the same: one of ferocious bombardment that projects might and causes as much pain as possible to the Ukrainian government and its citizens.

Ukraine has not been digitally passive during the war, though. The country formed a volunteer “IT Army” after the invasion, and it, along with other actors around the world, have mounted DDoS attacks, disruptive hacks, and data breaches against Russian organizations and services.

Over the summer, a group of researchers dubbed 0ktapus (also sometimes known as “Scatter Swine”) went on a massive phishing bender, compromising nearly 10,000 accounts within more than 130 organizations. The majority of the victim institutions were US-based, but there were dozens in other countries as well, according to researchers. The attackers primarily texted targets with malicious links that led to fake authentication pages for the identity management platform Okta, which can be used as a single sign-on tool for numerous digital accounts. The hackers' goal was to steal Okta credentials and two-factor authentication codes so they could get access to a number of accounts and services at once.

One company hit during the rampage was the communications firm Twilio. It suffered a breach at the beginning of August that affected 163 of its customer organizations. Twilio is a big company, so that only amounted to 0.06 percent of its clients, but sensitive services like the secure messaging app Signal, two-factor authentication app Authy, and authentication firm Okta were all in that slice and became secondary victims of the breach. Since one of the services Twilio offers is a platform for automatically sending out SMS text messages, one of the knock-on effects of the incident was that attackers were able to compromise two-factor authentication codes and breach the user accounts of some Twilio customers. 

As if that wasn't enough, Twilio added in an October report that it was also breached by 0ktapus in June and that the hackers stole customer contact information. The incident highlights the true power and menace of phishing when attackers choose their targets strategically to magnify the effects. Twilio wrote in August, “we are very disappointed and frustrated about this incident.”

In recent years, countries around the world and the cybersecurity industry have increasingly focused on countering ransomware attacks. While there has been some progress on deterrence, ransomware gangs were still on a rampage in 2022 and continued to target vulnerable and vital social institutions, including health care providers and schools. The Russian-speaking group Vice Society, for example, has long specialized in targeting both categories, and it focused its attacks on the education sector this year. The group had a particularly memorable showdown with the Los Angeles Unified School District at the beginning of September, in which the school ultimately took a stand and refused to pay the attackers, even as its digital networks went down. LAUSD was a high-profile target, and Vice Society may have bitten off more than it could chew, given that the system includes more than 1,000 schools serving roughly 600,000 students. 

Meanwhile, in November, the US Cybersecurity and Infrastructure Security Agency, the FBI, and the Department of Health and Human Services released a joint warning about the Russia-linked ransomware group and malware maker known as HIVE. The agencies said the group's ransomware has been used to target over 1,300 organizations around the world, resulting in roughly $100 million in ransom payments from victims. “From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors,” the agencies wrote, “including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health.”

The digital extortion gang Lapsus$ was on an intense hacking spree at the beginning of 2022, stealing source code and other sensitive information from companies like Nvidia, Samsung, Ubisoft, and Microsoft and then leaking samples as part of apparent extortion attempts. Lapsus$ has a sinister talent for phishing, and in March, it compromised a contractor with access to the ubiquitous authentication service Okta. The attackers appeared to be based primarily in the United Kingdom, and at the end of March, British police arrested seven people in association with the group and charged two at the beginning of April. In September, though, the group flared back to life, mercilessly breaching the ride-share platform Uber and seemingly the _Grand Theft Auto_ developer Rockstar as well. On September 23, police in the UK said they had arrested an unnamed 17-year-old in Oxfordshire who seems to be one of the individuals previously arrested in March in connection with Lapsus$.

The beleaguered password manager giant LastPass, which has repeatedly dealt with data breaches and security incidents over the years, said at the end of December that a breach of its cloud storage in August led to a further incident in which hackers targeted a LastPass employee to compromise credentials and cloud storage keys. The attackers then used this access to steal some users' encrypted password vaults—the files that contain customers' passwords—and other sensitive data. Additionally, the company says that “some source code and technical information were stolen from our development environment” during the August incident. 

LastPass CEO Karim Toubba said in a blog post that in the later attacks, hackers compromised a copy of a backup that contained customer password vaults. It is not clear when the backup was made. The data is stored in a “proprietary binary format" and contains both unencrypted data, like website URLs, and encrypted data, like usernames and passwords. The company did not provide technical details about the proprietary format. Even if LastPass's vault encryption is strong, hackers will attempt to brute-force their way into the password troves by attempting to guess the “master passwords” that users set to protect their data. With a strong master password, this may not be possible, but weak master passwords could be at risk of being defeated. And since the vaults have already been stolen, LastPass users can't stop these brute-force attacks by changing their master password. Users should instead confirm that they have deployed two-factor authentication on as many of their accounts as they can, so even if their passwords are compromised, attackers still can't break in. And LastPass customers should consider changing the passwords on their most valuable and sensitive accounts.

The Worst Hacks of 2022

From SBF to the GRU, these were the most disruptive forces of online chaos this year.

Russian soldiers poured into Ukraine, accompanied by a wave of cyberattacks across the country. A major cryptocurrency exchange imploded and declared bankruptcy, vaporizing billions of dollars from that digital economy. The once-biggest dark-web drug market—after being demolished by law enforcement—clawed back to the top of the online underworld after doggedly resurrecting itself.

It's not 2014, though you could be forgiven for being confused. No, all these episodes of global chaos occurred in 2022, each one a rerun of previous events, but now with the threat they posed vastly multiplied in scale.

This year, some of the phantoms of the Trump era and the Covid-19 pandemic finally seemed to recede—only to make room for new threats and the return of ghosts of years past. The same dictators—Vladimir Putin, Xi Jinping, Kim Jong Un—who have long threatened the global order, their geographic neighbors, and their countries' own citizens. Fresher digital threats like India's slide into online repression, and brazen cybercriminals displaying more ruthlessness than ever. And then there were some vestiges of the Trump era that seemed to have hung on, such as one particularly loud and quixotic billionaire with a large, cultlike following, seemingly doing his best to singlehandedly corrupt social media.

Every year, WIRED assembles a list of the most dangerous people on the internet. For the first time since 2015, Donald Trump doesn't top this list. But there's no shortage of new sources of instability and disruption online. Here are our picks for 2022.

Sam Bankman-Fried

For its entire existence, the cryptocurrency world has been plagued with money laundering, theft, and scams, from Bitcoin-powered dark-web drug markets to billions of dollars stolen from crypto companies by rogue hackers. But one of the most dangerous players in the crypto economy, it seems, was hiding in plain sight. In the collapse of cryptocurrency exchange FTX, a poster boy for cryptocurrency’s growing legitimacy, Sam Bankman-Fried, now stands accused of more than $8 billion in fraud. The rippling fallout for the cryptocurrency economy could be far larger, and the tangled dealings and mismanagement of user funds in FTX's meltdown have yet to be fully unraveled—even the company's new CEO John Ray, who also handled the bankruptcy of Enron, says he's never seen a bigger mess. Under Bankman-Fried's hands-on leadership, FTX invested vast sums of users' cryptocurrency in his own trading platform Alameda Research, which has also gone bankrupt. Aside from those enormous losses, Bankman-Fried represents a particularly troubling figure for the ills of the crypto economy: Unlike so many others in the crypto world, he had appeared to actually _welcome_ tighter government controls of the industry. Now, like a hybrid of Elizabeth Holmes and Lehman Brothers, he's come to represent the face of regulatory capture.

Elon Musk

The antics of Elon Musk, as a Willy Wonka figure with his mercuriality dialed up to 11, seemed harmless enough—or possibly even a net good for human progress—when he was focused on next-generation rockets and electric cars. But with his acquisition of Twitter, the dark side of Musk was put on display, and the fickle power of the (sometimes) world's richest man suddenly threatened a central institution of the internet. Musk's immediate, summary layoffs of thousands of Twitter's staffers put at risk key functions of a service that serves as a central artery of digital conversation. Sure, he justified lifting Twitter's ban on neo-Nazis like Andrew Anglin as well as former president Donald Trump (after the latter was removed from Twitter after using it to incite the January 6 riots and invasion of the US Capitol building) with free speech arguments. But Twitter's new emperor has also decimated its staff of content moderators, leading to situations like a single staffer being left to police child abuse content on Twitter for all of Japan and the Asia-Pacific region. Under Musk's watch, Twitter has also banned left-wing accounts he described as "antifa," contradicting his stance on free speech. Just days after the acquisition, Musk briefly tweeted—then deleted—disinformation that the man who attacked US House speaker Nancy Pelosi’s husband in October was his gay lover. Later, he seemed to call for the prosecution of the White House’s chief medical advisor Anthony Fauci for his handling of the Covid-19 pandemic, without explanation. In doing so, he offered a glimpse of the conspiracy-minded politics and trolling that truly drive his actions. Twitter hasn't collapsed under Musk, as some of its doomsayers predicted. But it may be morphing into the worst version of itself.

Xi Jinping

Xi Jinping has presided over some of China's worst human rights abuses, including its mass internment of Uyghur Muslims in Xinjiang and the crackdown on protestors in Hong Kong. Each of those waves of repression has come with its own accompanying tightening of restrictions online, as censors scoured social media for any reference to protests and Han Chinese police in Xinjiang even demanded that Uyghurs download an app that scans their phones for banned content. This year, the protests against China's draconian zero-Covid lockdowns have triggered a new online crackdown, one in which even "liking" a post about protests is deemed illegal and signs of misbehavior are tracked in a regulated "credit system" that can lead to users being summarily banned from online platforms. Xi has already established himself as the most powerful figure in China's government in decades, taking an unprecedented third term as head of the Chinese Communist Party. He's made clear that authoritarian power will extend deep into the digital lives of the world's biggest population of internet users.

Narendra Modi

Under Modi and his party, the BJP, India has become increasingly China-like in its repression of protests both physical and digital. In just the past few years, the Indian government temporarily shut down the internet in the embattled region of Kashmir, banned a large collection of China-based apps including TikTok, and just weeks ago delegated oversight of content moderation decisions on social media to a three-person group—a move widely seen as the latest step in the government's attempts to tighten its grip on those platforms. In perhaps the most appalling case of digital repression, security researchers this year revealed that hackers who fabricated evidence on the computers of activists in the region near the city of Pune had ties to the very same Pune police who arrested those activists. One of the activists targeted in that frame job died in detention. Eleven other defendants in the case remain in jail. Modi's India has proven that even a so-called democracy offers no guarantees of a remotely free internet.

GRU

Russia's GRU military intelligence agency has, for years, been home to some of the most aggressive and dangerous hackers in the world. The GRU groups known as Sandworm and APT28 have, in just the past seven years, triggered two blackouts in Ukraine, launched the hack-and-leak operation designed to sway the US 2016 election, released the NotPetya malware that spread worldwide and caused at least $10 billion in damage, and tried to destroy the backend of the 2018 Olympics. In 2022, thanks to Russia's unprovoked and brutal war in Ukraine, the GRU's focus zeroed in again on the country that has long been Russia's favorite hacking victim. In 2022, it launched countless cyberattacks designed to destroy data on Ukrainian government and corporate networks, often in tandem with physical attacks carried out by the invasion forces. One GRU malware attack went so far as to disable communications to 5,000 wind turbines across Germany in a case of collateral damage reminiscent of NotPetya. The GRU's Sandworm hackers also attempted a third blackout attack in Ukraine, which—according to Ukraine's government at least—defenders managed to foil this time. A+ for continued wanton, reckless aggression. B- for execution.

DeSnake

When the dark-web market for drugs and hacked data known as AlphaBay was shut down in 2017 and its creator Alexandre Cazes was found dead in a Thai jail cell, it seemed the story of AlphaBay was over. Then, in the summer of last year, fully four years after that massive bust, AlphaBay relaunched under the command of its cofounder and Cazes' top lieutenant, known only as DeSnake. In the year-plus since then, DeSnake has dragged AlphaBay back to the top of the dark web's competing scrum of criminal markets. To his credit, he's set more rules for what can be sold on his black market than Cazes ever did, banning the sale of fentanyl and ransomware tools, for instance. But AlphaBay remains a bustling criminal bazaar for hard drugs and stolen data, and it may be harder to shut down than ever. DeSnake has implemented security upgrades to the site, such as allowing only the harder-to-trace cryptocurrency Monero instead of Bitcoin. And he also claims to be located in the former Soviet Union—potentially putting him far farther beyond the reach of law enforcement than his unlucky predecessor.

Lazarus

In 2022, North Korea continued to distinguish itself as the world's top perpetrator of state-sponsored cybercrime: Its government hackers continued to steal hundreds of millions of dollars worth of loot, largely in the form of cryptocurrency, from targets around the globe. That spree of burglaries actually seems to be escalating. According to the blockchain analysis firm Chainalysis, North Korean thieves took in $840 million in the first five months of 2022 alone, more than the previous two years combined. Some $600 million of that came from just one heist. All of it goes toward funding one of the worst regimes in the world, with hundreds of thousands of political prisoners in concentration camps and a tendency to fire missiles over its neighbors' heads.

Conti

The scourge of ransomware continued to plague the world in 2022, and no group illustrated that threat better than Conti. In the first months of the year, the group hit dozens of corporate and government targets. Most catastrophically, it launched a wave of crippling cyberattacks across Costa Rica, shutting down 27 government bodies and medical services there and leading to a national state of emergency. After Russia's invasion of Ukraine, Conti declared its full support for that war—a decision that led to one of its disgruntled members leaking a vast trove of the group's internal communications online. Conti has subsequently shut down, but likely only in name. Its hackers may have rebranded and splintered, but the chaos that is their business model will no doubt persist.

Lapsus$

The only thing more dangerous than a group of ruthless ransomware hackers is a group of ruthless ransomware hackers who are also teenagers. In December of 2021, Lapsus$ made its entrance onto the hacking scene with a cyberattack on the Brazilian Ministry of Health in the midst of its Covid-19 response. It's since carried out a spree of splashy, often nihilistic breaches of major tech firms including Uber, Okta, Rockstar Games, Nvidia, Microsoft, Samsung, and Vodafone. Last spring, British law enforcement arrested seven people suspected of being members of the group, all ages 16 to 21. Those arrests included Lapsus$'s alleged 16-year-old "mastermind." But inexplicably, those suspects were released without charges, and the group's "hacker joyride" rolls on.

APT41

For years, China's hackers focused on by-the-book espionage. But more recently, one group, known as APT41, has proven itself to be the closest thing China has to North Korean state-sponsored cybercriminals. That group, which the US Department of Justice tied in an indictment to the Ministry of State Security contractor known as Chengdu 404, has for years moonlighted as a for-profit cybercriminal outfit. Just this month, the group was linked to the theft of $20 million in Covid-19 relief funds, an unprecedented robbery of US government money by a Chinese state-sponsored hacking outfit. Meanwhile, APT41 was also responsible for dozens of espionage-focused intrusions across the world this year, according to analysts at PricewaterhouseCoopers, which calls the group the most prolific cyberspying operation in the world. Despite the Justice Department charging seven of the group's members in 2020, they remain at large, and their unique blend of espionage and outright theft continues unabated.

The Most Dangerous People on the Internet in 2022

**SAN FRANCISCO****,** **Dec. 22, 2022** **/PRNewswire/ --** The global passwordless authentication market size is expected to reach USD 55.70 billion by 2030, growing at promising 18.2% CAGR, according to a new report by Grand View Research, Inc. Passwordless authentication is a security procedure that uses unique biological traits of a person to validate their authenticity.

**Key Industry Insights & Findings from the report:**

*   Growing investments in developed countries such as the U.S., Canada, Germany, France, and the U.K. for implementing passwordless authentication technology is a crucial factor driving the growth.
*   Fingerprint recognition and facial recognition provide various benefits. The increased security, accountability, convenience, and their non-transferable nature are crucial drivers for the growth.
*   The surge in e-commerce and internet banking, as well as legislations by various authorities such as central banks mandates large organizations to utilize robust authentication mechanisms to authenticate customers.
*   Multi-factor authentication protects clients from phishing attempts and fraudulent purchases and secures transactions.

Read 117-page market research report, "Passwordless Authentication Market Size, Share & Trends Analysis Report By Component, By Product Type (Facial Recognition, Fingerprint, Iris), By Authentication Type, By Portability, By End-user, By Region, And Segment Forecasts, 2022 - 2030", published by Grand View Research.

**Passwordless Authentication Market Growth & Trends**

The increasing adoption of smartphones and other electronic gadgets is a crucial element driving the biometric authentication market forward. According to a July 2022 Oxford Economics and Samsung study, up to 85% of small and midsize enterprises allow all or most of their staff to use mobile devices for work. Personal laptops and smartphones used by employees might expose a small firm to the dangers of unauthorized access to proprietary data, files, and systems. Such solutions remain the need of the hour and growing focus of many companies around the world.

For instance, in September 2022, AaDya Security, a cyber-security firm, announced the availability of passwordless authentication for Judy, the first all-in-one cybersecurity solution for SMEs. The new security feature protects how small business employees access company resources, mainly when they operate remotely and on mobile phones and personal laptops.

The growing requirement for an additional layer of protection beyond passwords fuels the growth of the passwordless authentication industry. To authenticate identities, fingerprint sensors and smartcards are utilized, and these security points allow for a seamless experience and data flow across locations. Most businesses are using voice biometric authentication in their workplaces for their personnel.

Reduced fraud exposure and lower authentication costs often drive organizations to implement voice biometric technology in their facilities. For instance, in July 2022, Turant Inc., a voice biometric AI firm, launched its cutting-edge AI solution in India. The company seeks to eliminate OTP-related fraud in transactions across use cases across business/industry domains, including e-commerce deliveries, by making it available in all Indian languages and roughly 20,000 dialects.

Furthermore, due to the increasing number of incidences of data theft around the world, passwordless authentication has gained popularity. Data theft issues in devices such as computers, cellphones, and tablets have increased the requirement for protection beyond passwords. fingerprint sensors and facial recognition are ways modern gadgets can be secured to prevent data theft.

For instance, in August 2022, ForgeRock, an international identity and access management software business, established strategic cooperation with Israeli software company Secret Double Octopus. ForgeRock will use SDO technology to provide employees, contractors, and vendors with a unified multi-factor secure experience. ForgeRock Enterprise Connect, the new solution, connects effortlessly with any ForgeRock deployment option, allowing organizations to gain increased security for databases, workstations, VPNs, and servers.

**Passwordless Authentication Market Segmentation**

Grand View Research has segmented the global passwordless authentication market based on component, product type, authentication type, portability, end-user, and region:

**Passwordless Authentication Market - Component Outlook (Revenue, USD Million, 2017 - 2030)**

*   Hardware
*   Software
*   Services

**Passwordless Authentication Market - Product Type Outlook (Revenue, USD Million, 2017 - 2030)**

*   Fingerprint Authentication
*   Palm Recognition
*   Iris Recognition
*   Face Recognition
*   Voice Recognition
*   Smart Card
*   Others

**Passwordless Authentication Market - Type Outlook (Revenue, USD Million, 2017 - 2030)**

*   Single-factor Authentication
*   Multi-factor Authentication

**Passwordless Authentication Market - Portability Outlook (Revenue, USD Million, 2017 - 2030)**

*   Fixed
*   Mobile

**Passwordless Authentication Market - End-user Outlook (Revenue, USD Million, 2017 - 2030)**

*   IT & Telecom
*   Retail
*   Transportation & Logistics
*   Aerospace & Defense
*   BFSI
*   Healthcare
*   Government
*   Others

**Passwordless Authentication Market - Regional Outlook (Revenue, USD Million, 2017 - 2030)**

*   North America

*   U.S.
*   Canada
*   Mexico

*   Europe

*   U.K.
*   Germany
*   France

*   Asia Pacific

*   China
*   India
*   Japan

*   Central & South America

*   Brazil

*   Middle East and Africa (MEA)

**List of Key Players in the Passwordless Authentication Market**

*   ASSA ABLOY
*   DERMALOG Identification Systems GmbH
*   East Shore Technology, LLC
*   Fujitsu
*   HID Global Corporation
*   M2SYS Technology
*   Microsoft
*   NEC Corporation
*   Safran
*   Thales.

**Check out more related studies published by Grand View Research:**

*   Facial Recognition Market **\-** The global facial recognition market size is expected to reach USD 12.11 billion by 2028 according to a new report by Grand View Research, Inc. The market is anticipated to expand at a CAGR of 15.4% from 2021 to 2028. Facial recognition is a contactless biometric solution that is a critical factor contributing the market growth.
*   Multi-factor Authentication Market \- The global multi-factor authentication (MFA) market size is expected to reach USD 17.76 billion by 2025, according to a new study by Grand View Research, Inc., experiencing a CAGR of 15.07% during the forecast period. Increasing implementation of BYOD and cloud-based services across enterprises, along with the growing security regulations and mandates, is benefiting market growth.
*   3D Secure Payment Authentication Market \- The global 3D secure payment authentication market size is expected to reach USD 2.76 billion by 2030, growing at a CAGR of 12.2% from 2022 to 2030, according to a new study conducted by Grand View Research, Inc. The rising demand for e-commerce has augmented the use of Card Not Present (CNP) transactions. As a result of such an increase in CNP transactions, the growth in CNP fraud transactions has been observed over the past few years.

**Browse through Grand View Research's** Next Generation Technologies Industry **Research Reports.**

**About Grand View Research**

Grand View Research, U.S.-based market research and consulting company, provides syndicated as well as customized research reports and consulting services. Registered in California and headquartered in San Francisco, the company comprises over 425 analysts and consultants, adding more than 1200 market research reports to its vast database each year. These reports offer in-depth analysis on 46 industries across 25 major countries worldwide. With the help of an interactive market intelligence platform, Grand View Research Helps Fortune 500 companies and renowned academic institutes understand the global and regional business environment and gauge the opportunities that lie ahead.

Passwordless Authentication Market to Be Worth $55.7 Billion by 2030: Grand View Research, Inc.

By Deeba Ahmed
Okta has, however, confirmed that attackers couldn’t access its customer data or services. Authentication giant Okta has suffered…
This is a post from HackRead.com Read the original post: GitHub Attack Allowed Attackers to Steal Okta’s Source Code

Okta has, however, confirmed that attackers couldn’t access its customer data or services.

Authentication giant Okta has suffered yet another security breach. Reportedly, someone stole Okta’s source code after attacking its repositories on **GitHub**.

Okta’s chief security officer, David Bradbury, issued a “confidential” email notification to their “security contacts,” revealing that the suspicious activity the company detected earlier in December 2022 has led to the leaking of its code repositories.

“Upon investigation, we have concluded that such access was used to copy Okta code repositories,” Okta’s notification read.

“We have decided to share this information consistent with our commitment to transparency and partnership with our customers,” Okta explained.

According to Bradbury, GitHub notified it about a possible suspicious activity and that someone accessed its code repositories. Okta launched an investigation and concluded that the access had indeed occurred. In response, the company temporarily restricted access to Okta GitHub repositories and suspected all GitHub integrations with 3rd party apps.

Okta has confirmed that the attackers couldn’t access its customer data or services, **reports** Bleeping Computer. Hence, users of its different services, including HIPAA, DoD, and FedRAMP, were unaffected by this incident and didn’t need to adopt threat-prevention practices.

It is worth noting that the users of these services are mainly US-based government, healthcare, and defence organizations.

**Okta and Cyber Attacks**

Okta is a cloud-based identity and access management platform that provides secure single sign-on, user provisioning, data security and mobile device management.

The company already had a troublesome year regarding security. **In March 2022**, Okta confirmed a data breach by the ransomware group LAPSUS$, and in September, Auth0, which is owned by Okta, reported the theft of its old source code.

**Possible Repercussions?**

There’s no doubt that source code is a valuable asset, and its stealing or leaking can have far-reaching consequences. Okta, a mainstream authentication platform, should be really concerned because attackers can use its source code to discover hidden flaws and launch new attacks against its customers.

So far, this breach seems limited to Okta’s Workforce Identity Cloud product and not Auth0 Customer Identity Cloud. Okta plans to share more findings about the incident soon.

1.  **LastPass Security Breach – Hackers Steal Source Code**
2.  **Source codes exposed in Microsoft Azure Blob account leak**
3.  **Lapsus$ Hackers Stole T-Mobile’s Source Code, Systems Data**
4.  **Twitch hacked- Source code, Streamer payment figures leaked**
5.  **Samsung confirms data breach as Lapsus$ leak its source code**

Tag

#samsung