Want to try out Meta’s new social media app? Here’s more context on what personal data is collected by Threads and similar social media apps.

Meta's long-awaited Twitter alternative is here, and it's called Threads. The new social media app launches at a time when alternatives, like Bluesky, Mastodon, and Spill, are vying for users who are dissatisfied with Elon Musk's handling of Twitter's user experience, with its newly introduced rate limits and an uptick in hate speech.

Meta owns Facebook, Instagram, and WhatsApp, so the company’s attempt to recreate an online experience similar to Twitter is likely to attract plenty of normies, lurkers, and nomadic shitposters. Threads uses the AT Protocol developed by Bluesky, and Meta is working to incorporate Threads as part of the online Fediverse, a group of shared servers where users can interact across multiple platforms.

If you’re hesitant to share your personal data with a company on the receiving end of a billion dollar fine, that’s understandable. For those who are curious, however, here’s what we know about the service’s privacy policy, what data you hand over when you sign up, and how it compares to the data collected by other options.

Threads

Threads (Android, Apple) potentially collects a wide assortment of personal data that remains connected to you, based on the information available in Apple’s App Store, from your purchase history and physical address to your browsing history and health information. “Sensitive information” is also listed as a type of data collected by the Threads app. Some information this could include is your race, sexual orientation, pregnancy status, and religion as well as your biometric data.

Threads falls under the larger privacy policy covering Meta’s other social media platforms. Want to see the whole thing? You can read it for yourself here. There’s one caveat, though. The app has a supplemental privacy policy that’s also worth reading. A noteworthy detail from this document is that while you’re able to deactivate your Threads account whenever, you must delete your Instagram if you fully want to delete your Threads account.

Below is all the data collected by Threads that’s mentioned in the App Store. Do you have the Facebook or Instagram app on your phone? Keep in mind that this data collection by Meta is comparable to the data those apps collect about you.

For Android users, the Google Play Store doesn’t require you to hand over the same amount of extensive data to try out Threads. You have more control than Apple users, since you can granularly toggle what personal data is shared with apps.

Data Linked to You

**Third-Party Advertising:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ (Photos or Videos, Gameplay Content, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Developer's Advertising or Marketing:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ ( Photos or Videos, Gameplay Content, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Analytics:**

*   _Health & Fitness_ (Health, Fitness)
*   _Purchases_ (Purchase History, Financial Info, Payment Info, Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   Contacts
*   _User Content_ (Photos or Videos, Audio Data, Gameplay Content, Customer Support, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Sensitive Info_
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Product Personalization:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   Contacts
*   _User Content_ (Photos or Videos, Gameplay Content, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Sensitive Info_
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**App Functionality:**

*   _Health & Fitness_ (Health, Fitness)
*   _Purchases_ (Purchase History)
*   _Financial Info_ (Payment Info, Credit Info, Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data, Gameplay Content, Customer Support, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Sensitive Info_
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Other Purposes:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ (Photos or Videos, Gameplay Content, Customer Support, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

Bluesky

Looking for an app that collects less personal data? Bluesky (Android, Apple) is a buzzy Twitter alternative started by Twitter founder Jack Dorsey and managed by CEO Jay Graber. Bluesky uses the AT Protocol that it created. Like Mastodon already does and Threads soon will, Bluesky incorporates the Fediverse servers as its backbone. The app is currently invite-only, but it does not currently collect anywhere near as much information as Threads or Twitter.

For Bluesky, the data that’s linked to you is focused on app functionality, like remembering your email and user ID, or access to photos and videos on your device so you can post memes. Here’s where you can find more info about Bluesky’s privacy policy. Keep in mind the service is still new and adding features, so there will likely be changes as it evolves.

Below is all the data collected by Bluesky that’s mentioned in the App Store. (Remember that this is only for iPhone owners. If you use an Android smartphone, you have more control over what data is shared.)

Data Linked to You

**App Functionality:**

*   _Contact Info_ (Email Address)
*   _User Content_ (Photos or Videos, Customer Support, Other User Content)
*   _Identifiers_ (User ID)

Data Not Linked to You

**Analytics:**

*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

**App Functionality:**

*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

Mastodon

What if you want a social media app that doesn’t suck up all your personal data? **Mastodon** (Android, Apple) might be a good option for you. Originally launched in 2016 by Eugen Rochko, Mastodon uses a decentralized protocol that’s different from Threads and Bluesky, called ActivityPub. It’s part of the Fediverse of shared servers. Mastodon is not exactly a new pick; it has positioned itself for years as an alternative to Twitter. (Remember, 2023 isn’t the first time users have considered ditching Twitter for something new and exciting.)

Are you trying it out for the first time? Here’s a great guide to getting started on Mastodon. There’s a bit of a learning curve with this one.

Below is all the data collected by Mastodon that’s mentioned in the App Store.

_\*In the style of Taylor Swift.\*_

\[Blank Space\]

That's right, the Mastodon app for iOS won't collect any data from your device. For Android owners, the app may share your name and email address with other companies.

If you don't like the official Mastodon apps for any reason, you can always try alternative apps with unique interfaces and features. Just be on the lookout for the privacy policies and data collection for those apps, since they don't have to commit to zero-data collection the way the official ones do.

Spill

Are you part of (or a fan of) Black Twitter and on the search for a new posting platform, preferably one that’s inclusive and voicey? Spill (Apple) is a Black-owned social media app that’s made with diverse communities in mind, specifically people of color. It was founded by Alphonzo “Phonz” Terrell and Devaris Brown, who both used to work at Twitter, and it launched earlier this year. Spill is not part of the Fediverse of shared servers.

Spill is currently invite-only, but you can sign up for the waiting list. While Spill does gather sensitive info, the other aspects of its data collection are not as extensive as Threads. Here’s the full privacy policy you can read over.

Below is all the data collected by Spill that’s mentioned in the App Store. It’s worth noting that Spill’s dev team is working on an Android app, but it’s not yet available to use.

Data Linked to You

**Developer's Advertising or Marketing:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**Analytics:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**Product Personalization:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _Contacts_
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**App Functionality:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _Contacts_
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**Other Purposes:**

*   _Contact Info_ (Email Address, Phone Number)

Hive Social

It’s a bit smaller than other platforms, but Hive Social (Android, Apple) is another contender for your attention span that’s particularly popular with gamers. This app is not part of the Fediverse. Nostalgic for the days when curated music would automatically play when a person visited your profile? This feature is one way Hive differentiates itself from Twitter, along with a built-in Q&A feature that lets your followers ask you questions (sometimes anonymously) that you can answer in posts to your feed. Want to give Hive a try? Check out our guide with tips for getting started.

The app collects information about you for functionality and analytics, but it’s not connected specifically to you. Learn more about what data the app uses by taking a look at its privacy policy.

Below is all the data collected by Hive Social that’s mentioned in the App Store for iPhone owners. (Have a Google Pixel or other Android device in your pocket? You can go into your privacy settings for more control over what data Hive collects.)

Data Not Linked to You

**Analytics:**

*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Photos or Videos, Customer Support, Other User Content)
*   _Identifiers_ (User ID)
*   _Usage Data_ (Product Interaction, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

**App Functionality:**

*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Photos or Videos, Customer Support, Other User Content)
*   _Identifiers_ (User ID)
*   _Usage Data_ (Product Interaction, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

What About Twitter?

It may seem like Threads collects a ton of personal data. (Because it does!) For more context, let’s go over what Twitter asks for as well. Twitter (Android, Apple) keeps plenty of data that’s linked to users and used to track you, like your purchase history and browsing history. With that in mind, the app does not list “sensitive information” as one of the disclosed categories of data collection. Check out its full privacy policy for an in-depth breakdown.

Below is all the data collected by Twitter that’s mentioned in the App Store. (Escaped from Apple’s walled garden? The Android app for Twitter still collects some personal data, like your precise location and web browsing history, unless you adjust your privacy settings.)

Data Used to Track You

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address)
*   _User Content_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)

Data Linked to You

**Third-Party Advertising:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address)
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)
*   _Diagnostics_ (Performance Data)

**Developer's Advertising or Marketing:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address)
*   _User Content_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)

**Analytics:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contacts_
*   _User Content_ (Photos or Videos, Audio Data, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)
*   _Diagnostics_ (Crash Data, Performance Data)

**Product Personalization:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address, Phone Number)
*   _Contacts_
*   _User Content_
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

**Other Purposes:**

*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _Contacts_
*   _User Content_ (Photos or Videos)
*   Search History
*   _Identifiers_ (User ID)

Data Not Linked to You

**Third-Party Advertising:**

*   _Other Data_

**Developer's Advertising or Marketing:**

*   _Other Data_

**Analytics:**

*   _User Content_ (Emails or Text Messages)
*   _Other Data_

**App Functionality:**

*   _Contact Info_ (Physical Address)
*   _User Content_ (Emails or Text Messages)
*   _Other Data_

How Threads' Privacy Policy Compares to Twitter's (and Its Rivals')

Meta’s Twitter alternative promises that it will work with decentralized platforms, giving you greater control of your data. You can hold the company to that—if you don't sign up.

As Meta’s Twitter competitor, Threads, started generating buzz ahead of yesterday’s launch, curious netizens spotted a placeholder listing for the app in Apple’s App Store. Like all iOS apps, the listing included details about the user data the app is designed to collect and track. And observers couldn’t help but notice that this brand-new app was already listing a whopping 14 categories of data that “may be collected and linked to your identity.” 

It might be a jarring reminder, but this is par for the course with Meta-owned apps, which the company monetizes by selling targeted ads and personalized marketing. Facebook and Instagram’s iOS apps list even more categories than Threads, the Messenger app lists about as many, and even the secure messaging app WhatsApp discloses nine categories of “Data Linked to You.” So for people fed up with Twitter’s rapidly deteriorating platform (and vibes), a Meta-owned alternative—with its predictability and relative stability—could even potentially appeal to those who are generally concerned about data privacy. 

Early data suggests as much: Threads, which is directly linked to users’ Instagram accounts, saw 10 million sign-ups in its first seven hours, according to CEO Mark Zuckerberg. Ultimately, Meta’s pitch for Threads is simply that it’s the devil you know.

But one thing is different this time: Meta is dangling an opportunity to essentially be on Threads without signing up for the platform at all. The company announced yesterday that it is planning to make Threads interoperable with other, non-Meta social networks that support a decentralized protocol already used by WordPress and 2022’s decentralization poster child, Mastodon. This means that if Meta follows through, you’ll be able to see and interact with Threads content from other platforms and services that support the standard, which is known as ActivityPub.

Meta says that Threads will start supporting ActivityPub “soon,” a descriptor that doesn’t necessarily inspire confidence. The company has already spent years, for example, working on its longtime promise of default end-to-end encryption on Messenger. But incorporating decentralization into Threads, and specifically supporting ActivityPub, has reportedly been a core aspect of Meta’s vision for the app from the beginning. Meta has also already sketched out details of the plan in its supplemental privacy policy for Threads.

All of this means that if you’re sick of Meta’s data-gobbling ways, or you don’t already have an Instagram account and don’t want to get one, you actually have some leverage: Don’t join Threads. Use Mastodon or another ActivityPub platform until Threads comes to you. Or hang out on Bluesky, which doesn’t support ActivityPub but is working on its own vision of a decentralized, portable social network.

“The fact that large platforms are adopting ActivityPub is not only validation of the movement towards decentralized social media, but a path forward for people locked into these platforms to switch to better providers. Which in turn, puts pressure on such platforms to provide better, less exploitative services," Mastodon CEO Eugen Rochko wrote in a blog post ahead of yesterday’s Threads launch.

Easy examples of decentralized services you already intuitively understand are phones and email. You can call anyone on any number, even if you and the person you’re calling buy phone service from different companies. Same with email. Even if pretty much everyone you know uses Gmail, there’s nothing materially different about emailing with the Yahoo and Hotmail holdouts in your life. And maybe your friend Jane runs her own email server and her address is jane@janerox.com. Love that for you, Jane—doesn’t change anything for anyone else.

That’s it. That’s how “the fediverse,” or federated services, work too. You join a server, and you’re trusting that server with your data. But then you can communicate with all the other servers running the same protocol, and the only data everyone on all those other servers can see from you is the content you choose to put out there. So Gmail has all of your emails and usage history, and Jane has all of her own emails and usage history, but the only data she has about you on her server is the emails you’ve sent her. And the only data Gmail has about Jane comes from her interactions with you and any other Gmail users.

Decentralization doesn’t change the basic functions of a social network, and that’s fine. The whole point of these services is to be a platform for publicly posting and consuming information. They aren’t designed around implementing end-to-end encryption. The servers still have access to user data and can be subpoenaed by governments or hacked. But decentralization creates a model through which users can elect to entrust their information to servers based on which ones have less-predatory data practices.

Ross Schulman, senior fellow for decentralization at digital rights nonprofit the Electronic Frontier Foundation, notes that if Threads emerges as a massive player in the fediverse, there could be concerns about what he calls “social graph slurping." Meta will know who all of their users interact with and follow within Threads, and it will also be able to see who their users follow in the broader fediverse. And if Threads builds up anywhere near the reach of other Meta platforms, just this little slice of life would give the company a fairly expansive view of interactions beyond its borders.

“I am perhaps equal parts excited and apprehensive to see how things play out with Threads, but it is really underlining the beauty of the fediverse that you have every option and the opportunity to choose,” Schulman says. “If you like Meta and you want to be in there, great. Go join Threads, you’ll be happy there, and you’ll also have access to everything else. If you don’t want to be a part of Meta, but you’ve got friends or family that do or public figures or whatever, then fine. You can get an account on any number of other fediverse servers and then follow the people that you want. Or if you want nothing to do at all with Meta, then there are plenty of servers out there \[that\] have already announced that they're preemptively blocking Threads. So you can live that life, too.”

No matter who you throw your lot in with, an important concept is that the server you choose is still going to have access to your data, even though all the other servers don’t. If Threads implements ActivityPub and you use it to interact with the fediverse, you’re choosing Meta as your server and everything that comes with that. If you run your own server, like Jane, you can retain full control. But if you’re somewhere in the middle and use a server run by someone else, you need to keep an eye out for future changes. Mastodon is currently a crowdfunded platform, but it’s largely unclear what the business model will be for decentralized services like Bluesky. And future pivots could mean that your server eventually implements more user-monitoring or data-tracking practices. Then it might be time to move on—a process made easier by the portability that's built into the fediverse, allowing you to switch servers while maintaining your connections.

If you’re a Twitter user, or used to be, you have already dealt with a service that makes dramatic changes and completely upends your expectations and trust. But the Twitter case study illustrates a crucial idea. From a data privacy perspective, the worst-case scenario is no worse in the world of decentralization, the best-case scenario is much better, and, for once, you get a say in where you end up.

Don't Join Threads—Make Instagram's 'Twitter Killer' Join You

Commercial spyware has become so notorious that international governments are taking notice and action against it, as evidenced by the Biden administration’s recent Executive Order on commercial spyware.

Thursday, July 6, 2023 08:07

Attackers have long used commercial products developed by legitimate companies to compromise targeted devices. These products are known as commercial spyware. Commercial spyware operations mainly target mobile platforms with zero- or one-click zero-day exploits to deliver spyware. This threat initially came to light with the leaks of HackingTeam back in 2015, but gained new notoriety with public reporting on the NSO Group, and, in the years that have followed, the landscape has exploded.

There are now numerous companies with similar offerings, like Intellexa, DSIRF, Variston IT, and the newly disclosed Quadream representing just a small subset — there are likely more that are operating covertly today.

Commercial spyware has become so notorious that international governments are taking notice and action against it, as evidenced by the Biden administration’s recent Executive Order on commercial spyware. A recent report from the United Kingdom’s National CyberSecurity Center (NCSC) highlights the accessibility of these tools “lowers the barrier to entry to state and non-state actors in obtaining capability and intelligence.” As recently as June 2023, the European Parliament’s plenary session voted on an ongoing investigation concerning the illicit usage of NSO’s Pegasus and equivalent surveillance spyware by EU member states (PEGA report). In this session, European Parliament members argued that the illicit usage of spyware has put “democracy itself at stake” and called for legislative changes and stricter regulation of the use of commercial spyware. The full press release and report can be found here.

**Commercial spyware companies don't care who is targeted by their products**

Commercial spyware companies advertise their products simply as a means of obtaining access and deny having any knowledge of who their customers’ targets are. This tactic is possibly a means of plausible deniability in the event that illegal targeting of individuals is traced back to their spyware. To avoid legal repercussions, these companies have headquarters in countries that do not have laws governing the export of their products or which classify the entities as IT service providers, effectively removing them from any product liability. These companies can therefore ultimately sell to whomever can pay without regard for who the intended targets are or what the impacts on the victims might be.

Although advertised as “tools” for law enforcement and government agencies strictly intended for legal use, report after report has shown commercial spyware has consistently been used against ethically questionable targets that don't fit the profile of criminals or terrorists. Such targets have repeatedly been journalists, politicians and activists who the host government perceives as competitors or existential threats. While these technologies may exist to fight terrorism and organized crime, their sale and usage must be regulated and subject to scrutiny by judicial authorities at an international level to prevent their misuse and abuse.  

One such example of limited repercussions within a host state is the case where a journalist in Greece was targeted with Predator Spyware, eventually leading to the resignation of Greece’s National Intelligence Service’s director in 2022 and the subsequent ban on the use of commercial spyware in Greece. Earlier in 2022, we also saw the departure of the NSO group’s CEO from the company amid widespread public outrage over the use of their spyware by Israeli Police forces.

**The untethered future of commercial spyware**

Mobile platform developers such as Google and Apple have repeatedly introduced and implemented protections and mitigations in their operating systems. However, commercial spyware providers often use zero-day, zero-click exploits to compromise victims’ mobile devices and are so confident in their ability to repeatedly compromise phones _without getting caught_ that, in some cases, they don't even deploy persistence mechanisms — a simple device reboot is enough to remove the implant from the device. However, a device reboot simply results in the commercial spyware outfit reinfecting the device using the zero-day, zero-click combination they had used during the initial compromise indicating the aggressive nature of these campaigns.

We see no indications that these commercial spyware offerings are slowing down. If anything, they are growing along with the constant availability of exploitable, unpatched/unknown vulnerabilities. Until the international community acts to regulate the technology, very little is going to change. When exposed by researchers, some of these companies just cease to exist. But in reality, they do not shut down, they just rebrand under a different name or merge with others sharing the technology they have produced. A typical example of such a case is the commercial spyware firm Cytrox, which was on the verge of disappearing, but was subsequently “rescued” and is now part of the Intellexa conglomerate.

Private and government organizations have taken steps to legally curb the use of commercial spyware, including attempts to hold them responsible for their actions in the past. Meta, formerly Facebook, is one of the first to move against commercial spyware companies by opening a lawsuit against the NSO Group for leveraging Meta-owned WhatsApp in their infection chain. The Biden administration has also taken an important step in fighting these companies with the Executive Order putting limitations on the U.S. government's ability to use commercial spyware to “discourage the improper use of commercial spyware; and encourage the development and implementation of responsible norms regarding the use of commercial spyware that are consistent with respect for the rule of law, human rights, and democratic norms and values.”

However, limited legal and legislative actions are yet to have an _immediate_ positive effect on curbing the use of commercial spyware. Despite these steps toward limiting the operations of these spyware companies, they are likely to keep operating in any region as long as it's financially and legally feasible. Increasing scrutiny with export regulations, criminal liability and fines may be a way forward towards ensuring that their activity does not go beyond the legitimate purposes they advertise.

**Risk profile**

For almost everyone on the planet, your Apple or Android phone’s built-in security features are more than sufficient to keep you protected. However, the commercial spyware industry has proven that it is easy to compromise targets if you have access to these products and the means to use them. We've seen numerous deeply concerning reports of people being compromised and are commonly met with the news that it was a journalist or dissident. The ability of these companies to repeatedly compromise devices, regardless of patch level, makes protection difficult.

For those that believe they are being or could be targeted by commercial spyware, rebooting the device before contacting a source or switching to lockdown mode might be the only options for the foreseeable future.

If you feel that you have been targeted by commercial spyware, there are also more generic habits that should be part of your daily routine:

*   Reboot your device regularly.
*   Use lockdown mode if your device is an iPhone.
*   Don’t click on links from dubious sources.
*   Don’t accept private messages from unknown persons.
*   If you have to keep a public contact, use an empty device to receive such contacts and reset it frequently.
*   Keep your devices up-to-date.

_If readers suspect their system(s) may have been compromised by commercial spyware or hack-for-hire groups, please consider notifying Talos’ research team at talos-mercenary-spyware-help@external.cisco.com to assist in furthering the community’s knowledge of these threats._

The growth of commercial spyware based intelligence providers without legal or ethical supervision

Cybersecurity researchers have unearthed an attack infrastructure that's being used as part of a "potentially massive campaign" against cloud-native environments.
"This infrastructure is in early stages of testing and deployment, and is mainly consistent of an aggressive cloud worm, designed to deploy on exposed JupyterLab and Docker APIs in order to deploy Tsunami malware, cloud credentials

Cloud Security / Server Hacking

Cybersecurity researchers have unearthed an attack infrastructure that's being used as part of a "potentially massive campaign" against cloud-native environments.

"This infrastructure is in early stages of testing and deployment, and is mainly consistent of an aggressive cloud worm, designed to deploy on exposed JupyterLab and Docker APIs in order to deploy Tsunami malware, cloud credentials hijack, resource hijack, and further infestation of the worm," cloud security firm Aqua said.

The activity, dubbed **Silentbob** in reference to an AnonDNS domain set up by the attacker, is said to be linked to the infamous cryptojacking group tracked as TeamTNT, citing overlaps in tactics, techniques, and procedures (TTPs). Alternatively, it could be the work of an "advanced copycat."

Aqua's investigation was prompted in the aftermath of an attack targeting its honeypot in early June 2023, leading to the discovery of four malicious container images that are designed to detect exposed Docker and Jupyter Lab instances and deploy a cryptocurrency miner as well as the Tsunami backdoor.

This feat is achieved by means of a shell script that's programmed to launch when the container starts and is used to deploy the Go-based ZGrab scanner to locate misconfigured servers. Docker has since taken down the images from the public registry. The list of images are below -

*   shanidmk/jltest2 (44 pulls)
*   shanidmk/jltest (8 pulls)
*   shanidmk/sysapp (11 pulls)
*   shanidmk/blob (29 pulls)

shanidmk/sysapp, besides executing a cryptocurrency miner on the infected host, is configured to download and run additional binaries, which Aqua said could either be backup cryptominers or the Tsunami malware.

UPCOMING WEBINAR

🔐 Privileged Access Management: Learn How to Conquer Key Challenges

Discover different approaches to conquer Privileged Account Management (PAM) challenges and level up your privileged access security strategy.

Reserve Your Spot

Also downloaded by the container is a file named "aws.sh.txt," a script that's likely designed to systematically scan the environment for AWS keys for subsequent exfiltration.

Aqua said it found 51 servers with exposed JupyterLab instances in the wild, all of which have been actively exploited or exhibited signs of exploitation by threat actors. This includes a "live manual attack on one of the servers that employed masscan to scan for exposed Docker APIs."

"Initially, the attacker identifies a misconfigured server (either Docker API or JupyterLab) and deploys a container or engages with the Command Line Interface (CLI) to scan for and identify additional victims," security researchers Ofek Itach and Assaf Morag said.

"This process is designed to spread the malware to an increasing number of servers. The secondary payload of this attack includes a crypto miner and a backdoor, the latter employing the Tsunami malware as its weapon of choice."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Silentbob Campaign: Cloud-Native Environments Under Attack

70% think criminals will move from WhatsApp etc to non-regulated apps, post OSB.

**London - 4th July 2023 -** This week, the House of Lords continues to debate the Online Safety Bill (OSB), demanding every private online message sent in the UK is scanned for the potential of illegal content. A new study shows the UK public believe the new legislation will not achieve this aim.

The independent survey, conducted by Opinium for Element, polled 2,000 politically and nationally representative UK citizens. It revealed that, despite Government assurances, 70% of the UK public believes scanning our online messages will not stop criminal activity, and 44% think it will damage national security, by creating a centralised 'honeypot' for nation state hackers. 

**UK Public at Odds With Government**

Unlike the Government, some 83% of UK citizens believe personal conversations on messaging apps such as Element, WhatsApp, or Signal should have the highest level of security and privacy. However, under the Online Safety Bill, communications providers are expected to break the trust of their consumers and scan every single one of their conversations, on the off chance they are committing an egregious crime. Key findings from the research study are:

*   70% of respondents said the if the OSB insists on scanning all online messages, criminals will move to other platforms to continue illegal activities
*   44% believe it will make the UK more vulnerable to cyber attacks from nation states like Russia and China
*   43% believe UK citizens will be even more vulnerable to cyber attacks from criminals

Matthew Hodgson, CEO of Element, comments: "Technology is not responsible for criminal behaviour and it should never be touted as a catch-all solution as the OSB currently does. If the UK won't listen to security experts, perhaps it will now listen to its citizens who know very well that surveilling our online conversations will only push criminals to other platforms, while reducing security for good actors."

He notes: "This research shows UK citizens are well aware that their privacy, and that of our businesses and even our Government, will suffer if this poorly thought-out legislation comes to pass. Criminals and rogue nations will rejoice. We need to stop this Bill."

**Private Conversations for All**

No matter how you cut it, UK consumers care about retaining the privacy and security of online conversations. 44% of the British public believe citizens should have access to the best private and secure communications available, not just the government (27%). This drops down to only 7% for businesses.

**OSB Drops UK Privacy to North Korea, Russia, and China Levels**

The Online Safety Bill proposes that Ofcom can mandate an unspecified 3rd party tool to connect to private messaging systems such as Element, WhatsApp, and Signal to covertly scan messages. Brits said China, North Korea and Russia are the countries most likely to routinely scan private messages in this way today — just 12% expected Britain to adopt such widespread routine surveillance, although this is the stated intention of the Bill.

Hodgson continues: "If the Online Safety Bill goes through, every online conversation could end up being surveilled, placing us on the same stage as other governments we know monitor their citizens' conversations - China, Russia and North Korea. Meanwhile Brits will lose their strongest cyber defence, giving criminals the upper hand; criminals who will not be using regulated apps known to comply with Ofcom’s requirements."

83% of Brits Demand Messaging Apps Remain Private, Ahead of Threat From Online Safety Bill

By Waqas
The feature that allows users to browse with the Bing browser is only available for paid ChatGPT users.
This is a post from HackRead.com Read the original post: ChatGPT’s Bing Browsing Feature Disabled for Paywall Article Access

**The feature was disabled by OpenAI, the creator of ChatGPT, on July 3rd, and it will remain suspended until the company fixes this issue in order to do right by content owners.**

ChatGPT has been involved in several legal battles, and the last thing its creators want is to open another front. The AI chatbot is undoubtfully a gift for internet users in recent times, and gaining the ability to add plugins to the AI-powered chatbot is the cherry on top.

The plugins that helped users connect ChatGPT to the internet were the most sought-after ones. One such plugin was the Browsing model, also known as Browse with Bing, which used the Bing search API to enable internet access.

This Beta feature was available for ChatGPT Plus subscribers and integrated the search engine into the conversation, allowing the user to access information from the web. When it was rolled out, the feature tremendously enhanced ChatGPT’s utility by making it possible to merge the internet and the AI chatbot.

However, this much-talked-about feature has now been disabled by OpenAI, the creator of ChatGPT, because it allowed users to access paywalled articles. Reportedly, the paywalled content was accessible through the “Print the Content of this Article” prompt by pasting the article’s URL after it. ChatGPT would then display the content of the article. For example, if a user asked for the full text of a specific URL, it fulfilled this request.

One of ChatGPT’s users shared this screenshot on Twitter. (Credit: @wunderwuzzi23)

The company stated that this feature inadvertently displayed content it wasn’t meant to show, violating the terms and services of most subscription-based online publications. Therefore, OpenAI disabled this feature on July 3rd, and it will remain suspended until the company fixes this issue in order to do right by content owners. ChatGPT won’t display information beyond September 2021, its training data cutoff date.

The company asserts that the feature will be back soon. However, until this happens, the unexpected disabling has disappointed ChatGPT users as they are in disbelief that this glitch was detected at the beta stage when it should have been fixed in the Alpha stages. According to reports, users who had paid for the Chat with Bing feature are asking for refunds as the service is not available anymore.

However, OpenAI has confirmed that the feature has been temporarily disabled, and their team is diligently working on reintroducing it after ensuring that it complies with the performance and content accuracy.

Nevertheless, there is confusion as OpenAI hasn’t disclosed when the feature will be available. We will update our readers as soon as there is any new development in this story.

**RELATED ARTICLES**

1.  100,000 Hacked ChatGPT Accounts Discovered on Dark Web
2.  ChatGPT’s False Information Generation Enables Code Malware
3.  ChatGPT tricked into generating Windows 10 and Windows 11 keys
4.  ChatGPT Improves Healthcare, But Industry Needs Secure Database
5.  OpenAI Launches ChatGPT Bug Bounty Program – Earn $200 to $20k

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

ChatGPT’s Bing Browsing Feature Disabled for Paywall Article Access

The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly available.

CVE-2023-3133: Tutor LMS – eLearning and online course solution

If you've ever owned a domain name, the chances are good that at some point you've received a snail mail letter which appears to be a bill for a domain or website-related services. In reality, these misleading missives try to trick people into paying for useless services they never ordered, don't need, and probably will never receive. Here's a look at the most recent incarnation of this scam -- DomainNetworks -- and some clues about who may be behind it.

If you’ve ever owned a domain name, the chances are good that at some point you’ve received a snail mail letter which appears to be a bill for a domain or website-related services. In reality, these misleading missives try to trick people into paying for useless services they never ordered, don’t need, and probably will never receive. Here’s a look at the most recent incarnation of this scam — **DomainNetworks** — and some clues about who may be behind it.

The DomainNetworks mailer may reference a domain that is or was at one point registered to your name and address. Although the letter includes the words “marketing services” in the upper right corner, the rest of the missive is deceptively designed to look like a bill for services already rendered.

DomainNetworks claims that listing your domain with their promotion services will result in increased traffic to your site. This is a dubious claim for a company that appears to be a complete fabrication, as we’ll see in a moment.  But happily, the proprietors of this enterprise were not so difficult to track down.

The website **Domainnetworks\[.\]com** says it is a business with a post office box in Hendersonville, N.C., and another address in Santa Fe, N.M. There are a few random, non-technology businesses tied to the phone number listed for the Hendersonville address, and the New Mexico address was used by several no-name web hosting companies.

However, there is little connected to these addresses and phone numbers that get us any closer to finding out who’s running Domainnetworks\[.\]com. And neither entity appears to be an active, official company in their supposed state of residence, at least according to each state’s Secretary of State database.

The **Better Business Bureau** listing for DomainNetworks gives it an “F” rating, and includes more than 100 reviews by people angry at receiving one of these scams via snail mail. Helpfully, the BBB says DomainNetworks previously operated under a different name: **US Domain Authority LLC.**

DomainNetworks has an “F” reputation with the Better Business Bureau.

Copies of snail mail scam letters from US Domain Authority posted online show that this entity used the domain **usdomainauthority\[.\]com**, registered in May 2022. The Usdomainauthority mailer also featured a Henderson, NC address, albeit at a different post office box.

Usdomainauthority\[.\]com is no longer online, and the site seems to have blocked its pages from being indexed by the Wayback Machine at archive.org. But searching on a long snippet of text from DomainNetworks\[.\]com about refund requests shows that this text was found on just one other active website, according to publicwww.com, a service that indexes the HTML code of existing websites and makes it searchable.

A deceptive snail mail solicitation from DomainNetwork’s previous iteration — US Domain Authority. Image: Joerussori.com

That other website is a domain registered in January 2023 called **thedomainsvault\[.\]com**, and its registration details are likewise hidden behind privacy services. Thedomainsvault’s “Frequently Asked Questions” page is quite similar to the one on the DomainNetworks website; both begin with the question of why the company is sending a mailer that looks like a bill for domain services.

Thedomainsvault\[.\]com includes no useful information about the entity or people who operate it; clicking the “Contact-us” link on the site brings up a page with placeholder Lorem Ipsum text, a contact form, and a phone number of 123456789.

However, searching passive DNS records at **DomainTools.com** for thedomainsvault\[.\]com shows that at some point whoever owns the domain instructed incoming email to be sent to **ubsagency@gmail.com**.

The first result that currently pops up when searching for “ubsagency” in Google is **ubsagency\[.\]com**, which says it belongs to a Las Vegas-based Search Engine Optimization (SEO) and digital marketing concern generically named both **United Business Service** and **United Business Services**. UBSagency’s website is hosted at the same Ann Arbor, Mich. based hosting firm (A2 Hosting Inc) as thedomainsvault\[.\]com.

UBSagency’s LinkedIn page says the company has offices in Vegas, Half Moon Bay, Calif., and Renton, Wash. But once again, none of the addresses listed for these offices reveal any obvious clues about who runs UBSagency. And once again, none of these entities appear to exist as official businesses in their claimed state of residence.

Searching on ubsagency@gmail.com in Constella Intelligence shows the address was used sometime before February 2019 to create an account under the name “**Sammy\\Sam\_Alon**” at the interior decorating site **Houzz.com**. In January 2019, Houzz acknowledged that a data breach exposed account information on an undisclosed number of customers, including user IDs, one-way encrypted passwords, IP addresses, city and ZIP codes, as well as Facebook information.

Sammy\\Sam\_Alon registered at Houzz using an Internet address in Huntsville, Ala. (68.35.149.206). Constella says this address was associated with the email **tropicglobal@gmail.com**, which also is tied to several other “Sammy” accounts at different stores online.

Constella also says a highly unique password re-used by tropicglobal@gmail.com across numerous sites was used in connection with just a few other email accounts, including **shenhavgroup@gmail.com**, and **distributorinvoice@mail.com**.

The shenhavgroup@gmail.com address was used to register a Twitter account for a **Sam Orit Alon** in 2013, whose account says they are affiliated with the Shenhav Group. According to DomainTools, shenhavgroup@gmail.com was responsible for registering roughly two dozen domains, including the now-defunct unitedbusinessservice\[.\]com.

Constella further finds that the address distributorinvoice@mail.com was used to register an account at **whmcs.com**, a web hosting platform that suffered a breach of its user database several years back. The name on the WHMCS account was **Shmuel Orit Alon**, from Kidron, Israel.

UBSagency also has a Facebook page, or maybe “had” is the operative word because someone appears to have defaced it. Loading the Facebook page for UBSagency shows several of the images have been overlaid or replaced with a message from someone who is _really_ disappointed with **Sam Alon**.

“Sam Alon is a LIAR, THIEF, COWARD AND HAS A VERY SMALL D\*CK,” reads one of the messages:

The current Facebook profile page for UBSagency includes a logo that is similar to the DomainNetworks logo.

The logo in the UBSagency profile photo includes a graphic of what appears to be a magnifying glass with a line that zig-zags through bullet points inside and outside the circle, a unique pattern that is remarkably similar to the logo for DomainNetworks:

The logos for DomainNetworks (left) and UBSagency.

Constella also found that the same Huntsville IP address used by Sam Alon at Houzz was associated with yet another Houzz account, this one for someone named “**Eliran**.”

The UBSagency Facebook page features several messages from an Eliran “Dani” Benz, who is referred to by commenters as an employee or partner with UBSagency. The last check-in on Benz’s profile is from a beach at Rishon Letziyon in Israel earlier this year.

Neither Mr. Alon nor Mr. Benz responded to multiple requests for comment.

It may be difficult to believe that anyone would pay an invoice for a domain name or SEO service they never ordered. However, there is plenty of evidence that these phony bills often get processed by administrative personnel at organizations that end up paying the requested amount because they assume it was owed for some services already provided.

In 2018, KrebsOnSecurity published How Internet Savvy are Your Leaders?, which examined public records to show that dozens of cities, towns, school districts and even political campaigns across the United States got snookered into paying these scam domain invoices from a similar scam company called **WebListings Inc.**

In 2020, KrebsOnSecurity featured a deep dive into who was likely behind the WebListings scam, which had been sending out these snail mail scam letters for over a decade. That investigation revealed the scam’s connection to a multi-level marketing operation run out of the U.K., and to two brothers living in Scotland.

Who’s Behind the DomainNetworks Snail Mail Scam?

com.perimeter81.osx.HelperTool in Perimeter81 10.0.0.19 on macOS allows Local Privilege Escalation (to root) via shell metacharacters in usingCAPath.

Share feedback

Thanks for sharing your feedback!

**MacOS agent 10.0.0.19**

**May 7th, 2023**

**New Features:**

*   The agent now supports the new Exclude configuration option for Split Tunneling (so that all traffic except specific addresses will go through the tunnel).

**Resolved Issues:**

*   P81-23365 - Mac agent launching twice, 2 different instances running at the same time
*   P81-26071 - OpenVPN connection sometimes taking too long

**MacOS agent 9.0.1.9**

**New Features:**

*   You can now switch between protocols while the agent is connected to a network! Simply select a protocol in the Protocols tab to switch to it.
*   When the user session expires (according to the session length set by the administrator), the agent will be automatically logged out during local night time, in order to avoid disconnections during the workday. This applies to session lengths of 2 days and above.

**Enhancements:**

*   Logging improvements
*   Agent installation will be prevented on unsupported MacOS version 10.14 and below

**Resolved Issues:**

*   P81-18590 - On macOS 13.0, sometimes the quick access UI and Full agent UI were displayed simultaneously when changing networks
*   P81-20543 - Incorrect icon state after silent upgrade of the agent
*   P81-23034 - Agent disconnection after OS upgrade to Mac OS 13.2
*   P81-23462 - SWG Web Filtering not working when a rule is set with two custom URLs that one is contained within the other
*   P81-7337 - Agent logs show that user is using macOS 10.16 when it is actually a higher version

**MacOS agent 9.0.0.28**

**New Features:**

*   Secure Web Gateway (SWG) now includes Malware Protection! SWG users now have an additional layer of protection against malicious software, on top of the existing web filtering functionality. Malware Protection actively scans content before it reaches the user's browser, blocks multiple types of threats, and notifies the user. Admins can view logs of blocked malware in a new page under the Monitor and Logs section.

**Enhancements:**

*   Log file size decreased, implemented log rotation
*   Added support for long-life certificates for SDP sessions
*   Updated internal frameworks to support minimum target OS of 10.15
*   Improved SWG module behaviour, increased reliability of Proxy module
*   Improved memory usage of agent and fixed issues with memory leaks
*   Improved stability
*   Improved connectivity

**Resolved Issues:**  
P81-21296 - Fixed an issue related to the Disable Sign-out feature  
P81-22039 - Fixed issue when agent UI was out of sync with Daemon  
P81-14902 - Fixed Trusted Wired Network MAC address case-insensitive comparison

**MacOS agent 8.0.6.166**

**Resolved Issues:**  
P81-16293 - Excessive memory consumption when using SWG

**MacOS agent 8.0.6.163**

**New Features:**

*   The agent can now remain connected while P81 SDP backend is restarted/offline, for better connection stability

**Enhancements:**

*   Added additional logging events on VPN reconnection and Probe failure
*   In the Protocols section, relabeled 'Automatic' protocol to 'Default'
*   Improved mechanism for fetching Public IP
*   Increased shared codebase between MacOS and iOS agents for better compatibility

**Resolved Issues:**  
P81-12527, P81-12562 - Unplanned disconnections  
P81-12869, P81-6732 - Sporadically cannot login to the agent - 'your session was not established'  
P81-14787 - Routing table not updated on Split Tunneling update until user disconnects  
P81-13988 - Agent User Interface is cut off when it’s the rightmost icon in the macOS tray  
P81-7450 - Fixed sorting in Quick Access networks list  
P81-14953 - Install update prompt appears without user interaction  
P81-16096, P81-16864 - DPC failed although conditions passed, until reboot  
P81-16189, P81-16949 - While connecting to VPN on unsecured WiFi, Internet is unavailable for 40-60 seconds

**MacOS agent 8.0.5.143**

**New Features:**

*   New wake from sleep mechanism logic
*   Added 'Quit' button to the agent's quick-UI for easier access
*   Added 'Reset Agent' button to the loading screen if it does not connect within 60 seconds
*   Added 'Reset Agent' button to the full UI (under the Support tab) to provide the ability to reset the agent at any time

**Resolved Issues:**

*   P81-14321 - Infinite connection attempts
*   P81-14317 - The loading screen does not disapear
*   P81-13962 - Agent says it's connected but loses all Internet connectivity
*   P81-13257 - Possible command injection vector via DPC
*   P81-13188 - DPC stuck after machine reboot
*   P81-12978 - Proxy communication issue
*   P81-12749 - Presented with a "You have reached your pre-configured connection time limit" error
*   P81-12698 - DPC: Device Activity Log does not appears in web console at admission time, only after DPC scheduled recheck time (20 minutes)
*   P81-12360 - Agent log files take too much space (0.4 GB)
*   P81-7128 - The Device Activity log shows 'No Hostname' instead of the device name
*   P81-6628 - The user is not signed out properly after the agent receives a new token

**MacOS agent 8.0.4.132**

**New Features:**

*   Disable Sign-Out (enforce Always On) - this feature is being gradually rolled out and will be available to all customers in a few weeks. Requires this version of the agent and above.
*   Agent sign-out brute-force prevention
*   Allow admins to control whether using the internal DNS is enforced or not, in order to support co-existing with products that require control over DNS

**Enhancements:**

*   Agent version is now displayed before login, for easier troubleshooting
*   The Quit button has been re-added to the agent extended UI, allowing users to shut down the agent application and the Perimeter 81 service in case they need to
*   P81-11453 - SWG bootstrap certificate enhancement

**Resolved Issues:**

*   P81-13378 - Changing settings on the console would cause the agent to Reconnect
*   P81-12977 - RegionName always showed N/A
*   P81-12747, P81-12674, P81-12571, P81-12525, P81-12164 - Issues connencting after sleep
*   P81-12746 - Connectivity issue when using SWG
*   P81-12417, P81-12618 - Connectivity issues
*   P81-12560 - Sign-in failing to open browser
*   P81-12539, P81-12519 - Websites unreachable
*   P81-12536 - SWG rules issues
*   P81-12461 - Internet connection issue after session timeout
*   P81-12419 - Reconnection process takes too long
*   P81-12269 - Public IP stuck in "Refreshing" and losing Internet connectivity
*   P81-11170, P81-11171, P81-12807 - Internal log fixes
*   P81-6859 - Silent Upgrade improvements
*   P81-6467 - UI bugs
*   P81-11531 - Better handling of ProtocolFilters in regards to certificates
*   P81-12720 - SWG bug fixes

**MacOS agent 8.0.4.124**

**Enhancements:**

*   Changed MTU for Wireguard to 1380 to improve connectivity in low-MTU scenarios
    
*   The Perimeter 81 certificate is now installed only if using Secure Web Gateway. If needed, users are referred to a webpage on how to complete the certificate and add-on setup
    
*   'Start Minimized' removed from Settings screen
    

**Resolved Issues:**

P81-11830/P81-10601 Connection is not restored after sleep  
P81-11673 Sometimes the app Signed Out incorrectly  
P81-11251/P81-11163 Agent stuck with connect button not responding  
P81-11211 DNS fails after sleep on latest Mac version (Monterey 12.3)  
P81-11074/P81-10889 Constant disconnections  
P81-11071 Connection issue with IKE protocol  
P81-11035/P81-11034/P81-8381Connection issue with Wireguard  
P81-11027/P81-11026/P81-10631 Internet connection blocked/unstable  
P81-10922/P81-10916 After sleep, the agent is connected but there is no internet connectivity  
P81-10874 Sign In button not working after session timeout  
P81-10556 Network adaptor changing every several minutes  
P81-9987 Split tunneling configuration didn't updated till Agent reconnection  
P81-9804 Client generates certificate errors  
P81-8032 "Connected to Network" notification doesn't hide automatically  
P81-7340 After upgrading XPC between Daemons, Proxy is not starting  
P81-6312/P81-3930 "Private DNS" icon not displayed on network with "Regional Private DNS"  
P81-6080 Closed Mac agent pops up every time Firewall rule is changed

**MacOS agent 8.0.4.116**

Fixed Issues:

*   P81-9839/P81-9833/P81-9795 - App crash
*   P81-9794/P81-9493 Connection issue - agent stuck in 'Reconnecting'
*   P81-9500 Failed to connect while returning from sleep mode
*   P81-9181 Agent takes a while to reconnect after sleep
*   P81-9152 Sign Out pop-up header displayed incorrectly
*   P81-8233 Device Activity Log - MacBook still appears as Healthy even though found Not Healthy
*   P81-8048 Apple M1 Pro - Disconnect during Zoom
*   P81-7340 SWG - Proxy not starting after upgrading XPC between Daemons
*   P81-5273 .pkg error - 'The Package is unsigned'
*   P81-910 .pkg installer file - Unsupported file format in MobileIron
*   P81-8236 Icons for Support, Settings, Sign Out are blurred

New features:

*   P81-9985 When installing using pkg file, the P81 certificate will not be installed unless specified by admin
*   P81-7551 The agent now allows admins to pre-populate the workspace value during installation via CLI.

**MacOS agent 8.0.4.108**

Fixed Issues:

*   P81-6326 - Failed to login after agent upgrade.
*   P81-4795 - DNS lost randomly when using split tunneling + custom DNS.
*   P81-7608 - IPv6 behavior is unpredictable.
*   P81-5029 - Improved messaging when pre-configured connection time limit is reached.
*   P81-2455 - agent UI pops up upon changing firewall rules.
*   P81-5034 - renamed 'diagnose issues' button to 'Send logs to support'.

New Features:

*   The Perimeter 81 agent now runs as a service in the background! There is no need to keep the agent UI open - it is always up and available via an icon in the system tray.
*   Connectivity and stability have been improved.
*   The agent now has a brand new “quick access” UI, which allows you to perform most operations from a single screen by clicking on the tray icon. The classic UI is still available, and can still be accessed in order to configure settings, contact support etc.
*   This agent version supports Secure Web Gateway (SWG).

**MacOS agent 7.0.3.37**

Fixed issues:

*   P81-2389 - Helper tool installation requires admin permissions
*   P81-5385 - Crash on changing networks while OpenVPN connected on TWN
*   P81-5332 - Post connection loss authentication issue
*   P81-4796 - Correction of description for Automatic Protocol
*   P81-4764 - Agent stuck in reconnecting when coming out of sleep mode
*   P81-4368 - Agent stuck in Reconnecting state

New features:

*   P81-5029 - Improve the output message after "Automatically log out Client "
*   P81-5026 - Remove "contact support" suggestion when failing DPC
*   P81-5034 - Rename "diagnose issues" button
*   P81-4699 - Compatibility with MacOS 12.0 Monterey

**MacOS agent 7.0.3.28**

Fixed issues:

*   P81-3293 - Added latency measurements BI events
*   P81-3312 - Fixed device register issue caused by UDID non-escaping

**MacOS agent 7.0.2.21**

Fixed issues:

*   P81-1995 — Device posture check says that disk is not encrypted when it actually is encrypted
*   P81-2021 — Incorrect VPN status on Home screen if Start Minimized=ON and VPN has connected automatically
*   P81-2532 — Agent stuck on reconnecting
*   P81-3111 — DPC failed for all the rules that should pass
*   P81-3179 — App hanging during TWN check processing

**MacOS agent 7.0.2.19**

Fixed issues:

*   P81-2680 — Trusted Wired Networks - Agent user still needs to enter code on Quit/sign out while connected to TWN
*   P81-2198 — User still needs to enter code on Quit/Sign Out while on TWNP81-2198
*   P81-2633 — The Always On Not restored 0n turning Netwotk's toggle if Network above in list is Disabled
*   P81-2231 — Attempt to connect to the VPN is made on setting AlwaysOn by user
*   P81-2199 — No "Connected to Trusted Network" badge on Home screen when computer on TWN
*   P81-2198 — User still needs to enter code on Quit/Sign Out while on TWN
*   P81-2215 — The app connected to VPN on user setting AlwaysOn=ON while connected to TWN
*   P81-2550 — Show appropriate text when hovering over the "Connected to Trusted Network" badge
*   P81-2798 — MacOS P81 DPC: Condition "AND" for "Process Running" doesn't work

**MacOS 7.0.1.12**

*   Silent upgrade feature imlemented

**MacOS 7.0.1.7**

*   Fixed issue when agent app pops up with every ZTA change — P81-1117, P81-1115
*   Fixed wrong Device Name documented in Device Activity — P81-1364
*   Fixed Internal IP Not Defined issue, when VPN get connected — P81-1347
*   Moved Snowplow session cache file outside of the user’s Documents folder — P81-937

**MacOS 7.0.1.6****New features:**

*   Device Posture Check feature implemented

**Resolved Issues:**

*   Fixed app crash issue — P81-726
*   Fixed app re-connect issue when losing WiFi — P81-906
*   Fixed Run on StartUp issue — P81-914
*   Fixed Sign Out” and “Quit” option from doesn’t work if app is not in foreground — P81-1027
*   Fixed app re-login when DPC check has failed — P81-1452
*   Fixed Disconnect/Connect notifications showing — P81-1110
*   Fixed high CPU consumption issue when the app is in background — P81-438
*   Fixed SDP socket re-connect issue after sleep-mode

**MacOS 7.0.0 (7):****Bug fixes:**

*   Application complete re-design, Main view, Settings page, Support page, OnBoarding page
*   Implemented new login flow using default browser with SSO support
*   Implemented accessToken token rotation before performing Logout call -- #MAC-1056
*   Added timeout for LoginSucceeded event -- #MAC-1075
*   Added full username showing inside of the Main view (if it’s available) -- #MAC-1083
*   Added support ticket number for the user if it’s available from Troubleshooting -- #MAC-1074
*   Change user’s email address fetching from JWT to channel.OnUpdated data payload -- #MAC-1066
*   Fixed Connection/Reconnection initiated from Connect on Launch can’t be interrupted -- #MAC-1079
*   Fixed Hide Automatic Location from Icon/Dock menus -- #MAC-1086
*   Fixed issue when Admin can’t enforce upgrade to the latest version -- #MAC-942
*   Disable KillSwitch by default for AlwaysON -- #MAC-1081
*   Fixed Sleep/awake re-connect issue -- #MAC-1061
*   Fixed Disconnect button non-responsiveness when agent connecting/reconnecting -- #MAC-1078
*   Fixed expand/collapse Shared Networks issue, when hover stopped to work -- #MAC-1062
*   Fixed issues when “Change Network” button displayed incorrectly when “Upgrade Application” is enforced -- #MAC-1111
*   Added BI events sending support
*   Added osVersion as a part of channel.open payload
*   Implemented automated Troubleshooting script, now avg processing time is ~1 min -- #MAC-1093
*   Fixed “Sign Out” and “Quit” options from notification area context menu when app is in background mode -- #MAC-1100, #MAC-1099
*   Fixed “Automatic Location” network option -- #MAC-1096
*   Added tooltips for SignOut / Exit Settings buttons, Main + OnBoarding windows appear at the same time -- #MAC-1088
*   Fixed “Automatic Location” network option -- #MAC-1096
*   Fixed UI blinking when switching between Home tab and any other -- #MAC-1073
*   Fix network selection logic -- #MAC-1087

Was this article helpful?

CVE-2023-33298: MacOS - Agent

Categories: Cybercrime
Categories: News
Tags: proxyjacking

Tags:  cryptojacking

Tags:  curl

Tags:  Docker

Tags:  proxy service

Tags:  compromised

Proxyjacking is a cybercrime where your bandwidth is sold by criminals.



(Read more...)




The post A proxyjacking campaign is looking for vulnerable SSH servers appeared first on Malwarebytes Labs.

A researcher at Akamai has posted a blog about a worrying new trend—proxyjacking—where criminals sell your bandwidth to a third-party proxy service.

To understand how proxyjacking works, we’ll need to explain a few things.

There are several legitimate services that pay users to share their surplus Internet bandwidth, such as Peer2Profit and HoneyGain. The participants install software that adds their systems to the proxy-network of the service. Customers of the proxy service have their traffic routed through the participants' systems.

The foundation of the proxyjacking problem lies in the fact that these services don’t check where the shared bandwidth is coming from. Peer2Profit and Honeygain claim to only share their proxies with theoretically vetted partners, but according to Akamai's research they don’t check if the one offering the bandwidth is the actual owner.

Proxies and stolen bandwidth have always been popular among cybercriminals since they allow them to anonymize their traffic. What’s new about this campaign is that these same criminals are now “renting out” the bandwidth of compromised systems to make money instead of simply using them.

The researcher became aware of the campaign when they noticed an attacker establishing multiple SSH (Secure Shell) connections to one of their Cowrie honeypots. Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. It can be used to emulate a UNIX system in Python, or to function as an SSH and telnet proxy to observe attacker behavior to another system.

For the criminals the beauty of the attack is that it is mostly fileless and the files that are actually used, curl and the public Docker images for the proxy monetization services Peer2Profit and Honeygain, are legitimate and will not be detected by anti-malware solutions.

And proxyjacking is a lot less likely to be detected than cryptojacking since it requires only minimal CPU cycles and uses surplus Internet bandwidth. Interesting to note, the researchers found out that the compromised distribution server also contained a cryptomining utility, as well as many other exploits and common hacking tools.

**Protection**

Since these seemingly legitimate services can be used by criminals on both ends, both to anonymize their activities and to sell others’ resources, we would rather see them disappear altogether, but they should at least improve the verification of their customers and their participants.

Home users can protect themselves from proxyjacking by:

*   Keeping their systems and software updated
*   Use an effective and secure password strategy

Corporate users can add:

*   Monitor network traffic for anomalies
*   Keep track of running containerized applications.
*   Using key-based authentication for SSH instead of passwords

Akamai added:

> “In this particular campaign, we saw the use of SSH to gain access to a server and install a Docker container, but past campaigns have exploited web vulnerabilities as well. If you check your local running Docker services and find any unwanted resource sharing on your system, you should investigate the intrusion, determine how the script was uploaded and run, and perform a thorough cleanup.”

If you lack the time and resources for constant monitoring, Malwarebytes can offer Managed Detection and Response (MDR). Want to learn more about how we can help protect your business? Get in touch.

TRY NOW

Tag

#sap