By Waqas
You are not alone, an AT&T outage is happening across the United States, and the company is working…
This is a post from HackRead.com Read the original post: AT&T Outage Disrupts Service for Millions of Users Across US

You are not alone, an AT&T outage is happening across the United States, and the company is working to bring back service to normal.

Millions of AT&T customers across the United States woke up to widespread service disruptions on Thursday, February 22nd, 2024. The outage, which began early in the morning, has impacted mobile phone service, leaving users unable to make and receive calls, text messages, and access data.

Reports from users and outage tracking websites like Downdetector indicate the issue is nationwide, affecting major cities like New York, Los Angeles, Chicago, Dallas, and Atlanta. Social media is flooded with complaints from frustrated customers, many unable to connect with loved ones or conduct essential business activities.

The cause of the outage remains unclear. AT&T has yet to officially comment on the issue, leaving users in the dark about the root cause and expected resolution timeframe. This lack of communication is further adding to the frustration of affected customers.

**Cyber Attack?**

The cause behind the widespread outage affecting AT&T services across the United States remains uncertain, with conflicting reports suggesting it could be either a cyber attack or technical issues. Users across various regions have reported difficulties accessing wireless services, prompting concerns about the extent and nature of the disruption.

****AT&T is Aware!****

Although some users are reporting on social media that their service has been restored, on X (formerly Twitter), AT&T stated, “Some of our customers are experiencing wireless service interruptions. We are working urgently to restore service to all who are impacted.” It is worth noting that the company also provided a link to visit and keep an eye on updates.

Ironically, that link was also down and showing an error message to visitors. However, according to a live outage map from Down Detector, a platform that monitors internet outages, AT&T is still facing service issues across the United States.

The potential impact of this outage is significant. Disruptions to mobile phone service can hinder communication, impact emergency services for some, and cause inconvenience for countless individuals and businesses relying on their mobile devices for daily activities.

While AT&T is working to restore service, no estimated time for resolution has been announced. In the meantime, users are advised to:

*   **Use Wi-Fi calling:** If available, utilize Wi-Fi calling to make and receive calls over a Wi-Fi network.
*   **Stay informed:** Check the AT&T website and social media for updates on the outage.
*   **Consider alternative communication methods:** Explore options like text messaging apps or social media to connect with others if unable to use your phone.

This latest outage highlights the critical role of reliable mobile phone service in today’s interconnected world. It also underscores the importance of clear and timely communication from service providers during such disruptions to minimize inconvenience and ensure user safety.

As the situation unfolds, we will continue to monitor developments and provide updates on this evolving story.

1.  **ChatGPT Down? OpenAI Blames Outages on DDoS Attacks**
2.  **Amazon Web Services suffer outage taking popular sites down**
3.  **Facebook down with Messenger, Instagram, WhatsApp disruption**

AT&T Outage Disrupts Service for Millions of Users Across US

By Uzair Amir
Learn about different types of SaaS solutions and the most widely used SaaS categories to create your own…
This is a post from HackRead.com Read the original post: Types of SaaS Applications: Categories and Examples

Learn about different types of SaaS solutions and the most widely used SaaS categories to create your own successful Software as a Service product!

Today, almost any company, from small startups to large enterprises, uses SaaS solutions in its day-to-day operations. With various types of SaaS products becoming essential for business operations, more and more companies are considering building SaaS applications.

If you want to know how to build a SaaS app, learning about the types and categories of these solutions is critical. With this knowledge, you can create a more comprehensive blueprint for your future product and have a deeper understanding of the modern SaaS market.

****About SaaS solutions****

Software as a Service (SaaS) is a software distribution model that allows users to access applications via the Internet on a subscription basis. SaaS is a subset of cloud computing due to the absolute majority of software-as-a-service apps being cloud-based.

Unlike traditional desktop apps, you don’t need to download and install SaaS solutions. Cloud computing allows users to enjoy all of the features and functionalities using remote servers.

The SaaS model began to gain traction in the late 1990s due to the success of web-based CRM systems, such as Salesforce. With the emergence of affordable cloud providers, many companies started to build SaaS products. Let’s talk about the main advantages of the SaaS model:

*   **Cost-effectiveness.** Companies and individuals can usually choose the one that fits them best from several subscription plans. Almost any SaaS offering will still be cheaper than buying traditional software, plus there is no need to spend money on hardware and infrastructure, the responsibility for maintenance, upgrades, and scalability lies with cloud service providers.
*   **Accessibility.** Cloud-based SaaS applications can be accessed from any device with an internet connection and web browser. With just a web browser, users can interact with Software as a Service product without the need to install or update anything manually.
*   **Scalability.** Scalability is often an issue for web applications and websites with traditional, client-server architecture. But you don’t need to worry about how to build a SaaS website or app that can provide scalability without sacrificing performance. Cloud services allow businesses to scale their product back and forth without significant investments or operational downtime.
*   **Security.** Protecting sensitive data is one of the main tasks in the modern software development industry. Reliable cloud providers offer a high level of security due to their decentralized nature. With information being stored in several places at once, it is more difficult for malicious actors to access it.

****SaaS categories****

When experts in SaaS application development describe different types of SaaS solutions, we can often hear two terms: _horizontal_ and _vertical_. An experienced SaaS development company can consult you on which type of app you need, but it is still essential to have a basic understanding of these classifications yourself. Let’s talk about these two categories:

*   **Horizontal SaaS.** If you wonder how to develop a SaaS application that will meet the needs of businesses across multiple industries, horizontal solutions are for you. These products offer features and services that can be applied to various business settings. Horizontal SaaS platforms are often used for improving day-to-day operations, streamlining processes, and increasing productivity.
*   **Vertical SaaS.** If you, on the other hand, want to develop a SaaS application that is designed to meet the needs of a specific industry or organization type, this option is perfect for you. Vertical Software as a Service product is used in healthcare, retail, fintech, and governmental projects. You need specific SaaS development expertise in your team to create vertical apps.

****Types of SaaS Applications****

Vertical and horizontal are the key types of Software as a Service solution, but to know how to build SaaS applications with impressive functionalities and competitive advantage, you need to learn about the most widely used categories of SaaS.

****CRM software****

This is one of the most popular types of B2B SaaS software that almost any company has experience with. Customer Relationship Management (CRM) system is an essential part of any business workflow and enables companies to keep track of customer data and gain valuable insights about clients’ preferences and behaviour.

Most of the modern CRM solutions offer task automation, advanced analytics, and even predictive analysis based on customer data. The most well-known CRM software today are Salesforce, Hubspot, Zoho, and Microsoft Dynamics 365.

If you want to learn more about developing SaaS applications like these, take a closer look at their core features and implementation of cutting-edge technologies like AI and ML, and consult with a SaaS application development company that has successful cases of building CRM SaaS products.

****CMS software****

Content Management Systems (CMS) enable individuals with no experience in the software development process to create and manage web pages and digital content. Unlike the majority of SaaS types on our list, CMS is not designed specifically for business use, but companies still can benefit from them, creating basic websites without a development team.

Today, there are four top CMS SaaS products: WordPress, Drupal, Shopify, and Joomla. Each solution has its long list of pros and cons, struggling in certain aspects and excelling in others.

To build a SaaS app that will be as good if not better than these five, you need to not only have a good understanding of the SaaS model and have a reliable SaaS app development partner but also to become familiar with the most widely used CMS SaaS products and their features and functionalities.

****ERP software****

Enterprise Resource Planning (ERP) software is used by companies of any size for managing business processes. These SaaS applications offer such features as inventory and order management, operations scheduling, customer relationships management, and handling of accounting tasks. Many ERP solutions try to integrate CRM, project management, accounting, and HR modules, making them the types of SaaS software that companies need for managing day-to-day operations.

The most prominent players in the ERP industry are SAP, Oracle, NetSuite, and Microsoft Dynamics 365. As you can see, Microsoft Dynamics appears in our list in the second category already due to its different functionalities and features that can be used in various processes. It can serve as a lesson for anyone interested in how to create a SaaS application that is always in demand.

****Project management software****

Project management tools are widely used today for planning, executing, and monitoring projects. They help to improve efficiency by creating workflows, enabling teams to keep track of different tasks, and reducing the chance of miscommunications and errors. Modern project management software also leverages AI capabilities for repetitive task automation, data visualization, and report generation.

The most successful SaaS project management tools today are Trello, Asana, Jira, Microsoft Project, and Notion. These solutions offer essential features and capabilities needed for efficient project management, but each one has its own unique additions and distinct user interface. By researching these tools, you can learn how to create SaaS applications that can be used for project management tasks by companies from different industries.

****HR software****

Human Resources (HR) software enables organizations to seamlessly manage employee data and create a streamlined HR process from recruitment to retirement. It allows companies to save time, administrative resources, and money. No wonder that more and more SaaS development companies have decided to develop SaaS applications for HR purposes.

The most widely used and acclaimed HR software products are SAP, ADP, Workday, Zoho People, and BambooHR. These tools not only provide features and capabilities for managing all of an organization’s HR operations but also work seamlessly with third-party integrations and offer robust analytics. Of all the types of SaaS products, this is one of the most promising ones, considering that businesses of any size and industry have employees and HR tasks that need solving from time to time.

****Accounting and billing software****

Every company needs tools for processing payments and managing finances. Accounting and billing SaaS solutions offer an efficient and cost-effective way to control finances and streamline operations. The most widely used accounting Software as a Service platforms are Xero, QuickBooks Online, and Freshbooks. All of these solutions offer such benefits as easier compliance with regulations, real-time data insights, and improved collaboration between departments.

As for billing software, it is crucial to find reliable solutions with perfect reputations. Among the most well-known and established payment gateways you can integrate within your platform during SaaS platform development are PayPal and Stripe. By researching and comparing accounting and billing software, you can gain valuable insights into building a SaaS product for efficient financial management.

****Communication software****

During the global pandemic, communication software grew in popularity beyond the boldest projections, and today, more and more companies dream of building a SaaS platform that will be used for remote work and corporate communication.

The most popular SaaS communication software today is Slack, Google Meets, Zoom, Skype, and Microsoft Teams. Most of these tools are free, with some additional features available for an extra price. Modern communication tools provide such capabilities as file sharing, screen sharing, chat recording, and remote control. With remote work becoming more and more popular, developing SaaS applications for communication and collaborations seems like a safe bet and an excellent investment.

****Conclusion****

With numerous types of SaaS services available today, it can be easy to get confused, but a deep understanding of these basics is the first step to becoming a real expert in SaaS software development. Of course, you can just hire a SaaS application development services provider; however, without your input at the planning stage and a clear vision for the final product, chances for success are much lower.

After choosing the type of Software as a Service product you want to develop, you and your development team can choose the right tech stack, avoid many SaaS application development challenges, and build the SaaS application of your dreams.

****RELATED ARTICLES****

1.  **20 Best Amazon PPC Management Agencies**
2.  **SaaS Security Best Practices: Safeguard Consumer Data**
3.  **15 Best SaaS SEO Experts That Will Help You Dominate Online**
4.  **How To Reduce Cost Overruns For AI Implementation Projects**
5.  **The Role of DevOps in Streamlining Cloud Migration Processes**

Types of SaaS Applications: Categories and Examples

Law enforcement has humiliated the humiliators.

In an act of exquisite trolling, the UK’s National Crime Agency (NCA) has announced further details about its disruption of the LockBit ransomware group by using the group’s own dark web website.

The LockBit dark web site has a new look

Since the demise of Conti in 2022, LockBit has been unchallenged as the most prolific ransomware group in the world. In the last 12 months it has racked up more than two and half times as many known attacks as its closest rival. That all stopped yesterday, though, when the LockBit site was replaced with a banner decorated with the flags and badges of the countries and agencies that cooperated to “disrupt” it. The banner read:

> This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.

It also promised more information would be revealed today at 11:30 GMT. It didn’t disappoint. There was a press release, of course, and a video:

> The NCA reveals details of an international disruption campaign targeting the world’s most harmful cyber crime group, Lockbit.
> 
> Watch our video and read on to learn more about Lockbit and why this is a huge step in our collective fight against cyber crime. pic.twitter.com/m00VFWkR9Z
> 
> — National Crime Agency (NCA) (@NCA\_UK) February 20, 2024

But the real treat was an updated version of the LockBit website that returned it to something resembling its former self. However, some crucial details had changed. Until yesterday, the secret dark web site was used to list details of the organizations being held to ransom by LockBit. Green squares represented companies whose data had been leaked. Timers on the red squares showed companies under threat of a leak just how long they had until their stolen data would be published.

Not any more, though.

In a graphic illustration of just how comprehensively the LockBit group has been compromised, the green squares now detail published information about the takedown, while red squares tease further reveals for the coming days.

> Today, after infiltrating the group’s network, the NCA has taken control of LockBit’s services, compromising their entire criminal enterprise.

As well as taking over the leak site, law enforcement agencies have taken over LockBit’s administration environment, seized the infrastructure used by LockBit’s data exfiltration tool, Stealbit, captured over 1,000 decryption keys, and frozen 200 cryptocurrency accounts.

A screenshot from LockBit’s admin panel

The group’s source code has also fallen into the hands of law enforcement, along with “a vast amount of intelligence” from its systems. Criminal affiliates who logged into the compromised environment were warned that the NCA knows all about their activities too, and the NCA reports that 28 servers belonging to LockBit affiliates have been taken down, too.

Two “LockBit actors” have been arrested in Poland and Ukraine, and the US Department of Justice has announced that two defendants responsible for using LockBit in ransomware attacks have been charged, are in custody, and will face trial in the US. It also unsealed indictments against two Russian nationals, for conspiring to commit LockBit attacks. 

There are numerous reveals promised for the next few days, but the most tantalising is the imminent uncloaking of LockBit’s leader and spokesperson, LockBitSupp.

The identity of Lockbitsupp won’t be a mystery for much longer

The NCA could have put the information about the takedown anywhere, but it didn’t; it did something memorable, humorous, and deliberately humiliating with it. In other words, it mimicked perfectly the way that ransomware gangs troll the world and each other. In doing so, the NCA signaled that it knows all about LockBit and the broader community of criminals it belongs to. It knows that LockBit’s affiliates and rivals will be watching, and looking over their shoulder.

Good times.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

You can learn more about the threat of big game ransomware like LockBit and ALPHV in our 2024 State of Malware report.

 Law enforcement trolls LockBit, reveals massive takedown 

U.S. and U.K. authorities have seized the darknet websites run by LockBit, a prolific and destructive ransomware group that has claimed more than 2,000 victims worldwide and extorted over $120 million in payments. Instead of listing data stolen from ransomware victims who didn't pay, LockBit's victim shaming website now offers free recovery tools, as well as news about arrests and criminal charges involving LockBit affiliates.

U.S. and U.K. authorities have seized the darknet websites run by **LockBit**, a prolific and destructive ransomware group that has claimed more than 2,000 victims worldwide and extorted over $120 million in payments. Instead of listing data stolen from ransomware victims who didn’t pay, LockBit’s victim shaming website now offers free recovery tools, as well as news about arrests and criminal charges involving LockBit affiliates.

Investigators used the existing design on LockBit’s victim shaming website to feature press releases and free decryption tools.

Dubbed “Operation Cronos,” the law enforcement action involved the seizure of nearly three-dozen servers; the arrest of two alleged LockBit members; the unsealing of two indictments; the release of a free LockBit decryption tool; and the freezing of more than 200 cryptocurrency accounts thought to be tied to the gang’s activities.

LockBit members have executed attacks against thousands of victims in the United States and around the world, according to the **U.S. Department of Justice** (DOJ). First surfacing in September 2019, the gang is estimated to have made hundreds of millions of U.S. dollars in ransom demands, and extorted over $120 million in ransom payments.

LockBit operated as a ransomware-as-a-service group, wherein the ransomware gang takes care of everything from the bulletproof hosting and domains to the development and maintenance of the malware. Meanwhile, affiliates are solely responsible for finding new victims, and can reap 60 to 80 percent of any ransom amount ultimately paid to the group.

A statement on Operation Cronos from the European police agency Europol said the months-long infiltration resulted in the compromise of LockBit’s primary platform and other critical infrastructure, including the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom. Europol said two suspected LockBit actors were arrested in Poland and Ukraine, but no further information has been released about those detained.

The DOJ today unsealed indictments against two Russian men alleged to be active members of LockBit. The government says Russian national **Artur Sungatov** used LockBit ransomware against victims in manufacturing, logistics, insurance and other companies throughout the United States.

**Ivan Gennadievich Kondratyev**, a.k.a. “Bassterlord,” allegedly deployed LockBit against targets in the United States, Singapore, Taiwan, and Lebanon. Kondratyev is also charged (PDF) with three criminal counts arising from his alleged use of the Sodinokibi (aka “REvil“) ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.

With the indictments of Sungatov and Kondratyev, a total of five LockBit affiliates now have been officially charged. In May 2023, U.S. authorities unsealed indictments against two alleged LockBit affiliates, **Mikhail “Wazawaka” Matveev** and **Mikhail Vasiliev**.

Vasiliev, 35, of Bradford, Ontario, Canada, is in custody in Canada awaiting extradition to the United States (the complaint against Vasiliev is at this PDF). Matveev remains at large, presumably still in Russia. In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 31-year-old Mikhail Matveev from Abaza, RU.

An FBI wanted poster for Matveev.

In June 2023, Russian national **Ruslan Magomedovich Astamirov** was charged in New Jersey for his participation in the LockBit conspiracy, including the deployment of LockBit against victims in Florida, Japan, France, and Kenya. Astamirov is currently in custody in the United States awaiting trial.

LockBit was known to have recruited affiliates that worked with multiple ransomware groups simultaneously, and it’s unclear what impact this takedown may have on competing ransomware affiliate operations. The security firm **ProDaft** said on Twitter/X that the infiltration of LockBit by investigators provided “in-depth visibility into each affiliate’s structures, including ties with other notorious groups such as FIN7, Wizard Spider, and EvilCorp.”

In a lengthy thread about the LockBit takedown on the Russian-language cybercrime forum XSS, one of the gang’s leaders said the **FBI** and the U.K.’s **National Crime Agency** (NCA) had infiltrated its servers using a known vulnerability in PHP, a scripting language that is widely used in Web development.

Several denizens of XSS wondered aloud why the PHP flaw was not flagged by LockBit’s vaunted “Bug Bounty” program, which promised a financial reward to affiliates who could find and quietly report any security vulnerabilities threatening to undermine LockBit’s online infrastructure.

This prompted several XSS members to start posting memes taunting the group about the security failure.

“Does it mean that the FBI provided a pentesting service to the affiliate program?,” one denizen quipped. “Or did they decide to take part in the bug bounty program? :):)”

Federal investigators also appear to be trolling LockBit members with their seizure notices. LockBit’s data leak site previously featured a countdown timer for each victim organization listed, indicating the time remaining for the victim to pay a ransom demand before their stolen files would be published online. Now, the top entry on the shaming site is a countdown timer until the public doxing of “LockBitSupp,” the unofficial spokesperson or figurehead for the LockBit gang.

“Who is LockbitSupp?” the teaser reads. “The $10m question.”

In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadn’t offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head — offering $10 million to anyone who could discover his real name.

“My god, who needs me?,” LockBitSupp wrote on Jan. 22, 2024. “There is not even a reward out for me on the FBI website. By the way, I want to use this chance to increase the reward amount for a person who can tell me my full name from USD 1 million to USD 10 million. The person who will find out my name, tell it to me and explain how they were able to find it out will get USD 10 million. Please take note that when looking for criminals, the FBI uses unclear wording offering a reward of UP TO USD 10 million; this means that the FBI can pay you USD 100, because technically, it’s an amount UP TO 10 million. On the other hand, I am willing to pay USD 10 million, no more and no less.”

**Mark Stockley**, cybersecurity evangelist at the security firm Malwarebytes, said the NCA is obviously trolling the LockBit group and LockBitSupp.

“I don’t think this is an accident—this is how ransomware groups talk to each other,” Stockley said. “This is law enforcement taking the time to enjoy its moment, and humiliate LockBit in its own vernacular, presumably so it loses face.”

In a press conference today, the FBI said Operation Cronos included investigative assistance from the Gendarmerie-C3N in France; the State Criminal Police Office L-K-A and Federal Criminal Police Office in Germany; Fedpol and Zurich Cantonal Police in Switzerland; the National Police Agency in Japan; the Australian Federal Police; the Swedish Police Authority; the National Bureau of Investigation in Finland; the Royal Canadian Mounted Police; and the National Police in the Netherlands.

The Justice Department said victims targeted by LockBit should contact the FBI at https://lockbitvictims.ic3.gov/ to determine whether affected systems can be successfully decrypted. In addition, the Japanese Police, supported by Europol, have released a recovery tool designed to recover files encrypted by the LockBit 3.0 Black Ransomware.

Feds Seize LockBit Ransomware Websites, Offer Decryption Tools, Troll Affiliates

The widespread use of mines has left Ukrainians scrambling to find ways to clear the explosives. New efforts to develop mine-clearing technology may help them push back Russia's invading forces.

Oleksandr Kryvtsov had enough.

The owner of an agricultural company in Hrakove, near Kharkiv, Kryvtsov found his land littered with land mines. That region of Ukraine, occupied by Russian forces for nearly eight months, had been pockmarked with explosive ordinances. The threat meant that farmers like Kryvtsov had to let their fields lay fallow. Even though Kryvstov’s fields were once part of Europe’s breadbasket, Ukraine’s mine clearance teams were overworked and under-resourced.

So Kryvtsov came up with his own solution. He jimmyrigged a plow onto an old tractor, with massive steel rollers underneath. On the side, he painted the yellow and blue Ukrainian flag. Kryvtsov connected a remote-control steering system and, from afar, he drove his Mad Max-style tractor over his fields, detonating any mines lurking under the soil.

The makeshift operation has worked well, Kryvtsov told Reuters, even clearing an anti-tank mine.

Kryvstov’s story is an example of incredible Ukrainian ingenuity—a nation of gilders, working to invent, adapt, and repurpose technology to defend themselves against a better-resourced, larger, determined enemy. But it’s also an ominous sign of just how bad the problem is.

In recent months, WIRED has investigated the technological challenges and opportunities facing Ukraine as it tries to defend itself and recapture its territory. One particular problem, unsung by the Western media but frequently cited by Ukrainian officials, are the haphazard minefields across Eastern Ukraine.

WIRED has spoken to a range of engineers, government officials, and humanitarian mine-clearance experts, and consulted Ukraine’s new mine clearance plan. It is apparent that Kyiv is prioritizing the problem, but without a significant new influx of money, personnel, and technology, the threat of these mines could hobble Ukraine’s economy, frustrate future counteroffensives, and pose a humanitarian crisis for decades to come.

A Humanitarian Crisis, an Economic Cost

Ukraine’s mine problem has been acute for a decade. The full-scale war with Russia has only made it worse. From 2014, when Russia first invaded, to the end of 2021, the United Nations says 312 Ukraines were killed by land mines. Since Russia’s February 2022 invasion, Ukraine has recorded at least 269 civilian casualties, including 14 children. Prime Minister Denys Shmyhal has taken to calling Eastern Ukraine “the largest minefield in the world.”

Those casualty figures only capture the deaths on territory currently held by Ukraine. Behind the front lines, in the Russian-occupied regions of Eastern Ukraine, at least a hundred more have reportedly been killed.

“Twenty percent of the whole territory is dangerous,” Ihor Bezkaravainyi, Ukraine’s deputy minister of finance, tells WIRED. “Right now we’re talking about 150,000 square kilometers.” (The total area, including water littered with naval mines, is nearly 175,000 km².)

Bezkaravainyi is a veteran of the war in Eastern Ukraine—he lost a leg to an anti-tank mine in 2016. He’s now responsible for coordinating the mine-clearance effort behind the front lines, giving Ukrainians back their property and recovering damaged agricultural lands. It’s not an easy task.

“It looks like the _zone rogue_ in France after World War One,” Bezkaravainyi says, referring to the areas near Germany and Belgium that remain contaminated by land mines to this day.

Conducting surveys to identify those mines will be a gargantuan challenge. Actually clearing them will be even more taxing.

Russia has deployed older anti-tank and anti-personnel mines—of the kind the world has ample experience dealing with. But it is believed that this is the first time the sophisticated PTKM-1R anti-tank mine, which detonates only when it picks up a certain seismic signature, has been used in battle. Russia has also made liberal use of the more advanced PFM-1 mine, also known as the “butterfly mine,” made mostly from plastic and liquid explosive. These mines are particularly odious because they can be scattered in huge quantities from afar or from the air, meaning that they are impossible to track. Because they are colorful and plastic, they can be mistaken by children as toys.

Beyond purpose-built mines, Russia has also littered Ukraine with unexploded munitions and “improvised explosive devices and booby traps,” according to a draft version of Kyiv’s plan to decontaminate the country, prepared late last year and provided to WIRED.

Until now, Ukraine has not had a national plan on how to deal with the mine problem—its ad hoc response has been split between the military, NGOs, a small number of private mine-clearance companies, and a small network of government mine-clearance operators.

In 2021, before Russia’s full-scale invasion, Ukraine had certified just four “mine action operators” to conduct the mine identification and clearance. Since the start of the war, that number has grown to “only 23.” That number is simply “not adequate,” the plan states.

This National Mine Action Strategy was devised to bring consistency and focus to this effort. But it warns that the scope of this problem “cannot be solved in a short-term perspective.” Kyiv hopes it can assess the entirety of its lands, to identify which areas are actually contaminated and which are safe to use, by 2029. By 2033, Ukraine aspires to have decontaminated 80 percent of its previously occupied territory. The strategy does not provide a date for when the whole country might be free of mines.

If Ukraine wants to meet these goals, it will need significantly more staff, technology, and equipment than it has now.

This will be a tough hill to climb. Humanitarian demining groups are spread thin across many global conflict zones, while commercial operators tend to be prohibitively expensive.

This is the reality that pushed Kryvtsov, the farmer, to take matters into his own hands. But Kyiv warns that these “black sappers”—unlicensed and unsanctioned mine-clearance operations—are dangerous and unreliable. Still, the government recognizes that, unless it can dramatically scale up its own operations, these freelance mine operators will become a popular choice for locals frustrated by the slow pace of progress.

Like many aspects of Ukraine’s war effort, Kyiv believes the solution is at home. The strategy calls for a substantial investment in Ukraine’s industrial capacity to produce mine-clearing equipment, research demining technology, and train demining teams. The World Bank estimated in early 2023 that the total cost of identifying and clearing these mines would be nearly $38 billion. Kyiv expects the true cost will be higher.

A Military Challenge

In the snow-covered fields near the front lines, the Ukrainian Armed Forces have been deploying autonomous demining vehicles—which, although purpose-built and donated by European allies, look an awful lot like Kryvstov’s homemade version.

Since the start of the war, these military demining teams have cleared more than 280,000 mines—at a pace of more than 2,200 every week. Its work is entirely separate from the humanitarian teams run under Bezkaravainyi's department.

The military may have cleared a staggering volume, but the work is impeded by a lack of equipment. The military boasts 262 separate demining teams, but it has just six demining vehicles.

In an essay for _The Economist,_ former commander-in-chief of the Ukrainian Armed Forces Valerii Zaluzhnyi wrote that his forces were initially relying on “technically outdated pieces of equipment” to conduct this operational mine clearance. With Western donations, “it was possible to slightly augment the capabilities of engineer units … but given the unprecedented scale of these barriers, even such capabilities are objectively lacking.”

Much of the analysis of Ukraine’s failed summer counteroffensive has focused on the offensive gear it lacks—artillery shells, fighter jets, drones, and long-range missiles. But even if it had managed to pierce the Russian front line, Ukraine faced layers of other defensive structures, including between 15 and 20 kilometers of minefields.

As Zaluzhnyi notes, Russian reconnaissance drones have kept a watchful eye on these minefields, targeting any Ukrainian teams dispatched to clear them. “In case of successful mine barriers breaching, the enemy quickly restores minefields in these areas,” he wrote.

European allies, in particular, have donated mine clearance vehicles—including retrofitted German-made Leopard 2 tanks—but they have been hard hit by Russian forces.

While clearing fields near the front lines is difficult, risky work, Russia is capable of laying these fields remotely and quickly. The ISDM Zemledeliye, a mobile mine-laying system that sits on the back of a truck, can carry 50 rockets, each filled with anti-personnel or anti-tank mines that scatter over a targeted area. The system allows the operator to lay minefields from as far as 15 kilometers away. One pro-Kremlin Russian media outlet recently remarked that the Zemledeliye, which translates to “agriculture” in Russian, “sowed” the defeat of the Ukrainian summer counteroffensive.

“The Ukrainians didn't necessarily have the equipment, the type of trained brigades, etc, to break through that defense and overcome the Russians, who were defending in a doctrinally consistent and actually quite sound way,” Karolina Hird, an analyst at the Institute for the Study of War and the deputy team lead for their Russia desk, tells WIRED. “Which brings us to where we are today.”

Even if Kyiv manages to overcome all of those other problems, if it cannot figure out how to clear the Russian-laid minefields, its progress risks being squandered.

“One of the big operational problems is, how do you increase by an order of magnitude the detection of mines, mapping of minefields, and the clearance of them—whilst denying the Russians visibility of them?” Mick Ryan, a 35-year veteran of the Australian Army who has traveled to Ukraine frequently during the war, tells WIRED. “And these are pretty significant problems, but they’re known problems, right?”

Ryan says there needs to be a deeper recalibration of the relationship between Ukraine and NATO. At the beginning of the war, the transfer of knowledge and expertise from NATO to Ukraine may have been largely one-directional, but today, Ukraine’s expertise in modern warfare certainly rivals many of its benefactors.

“Ukrainians and NATO, they just need to divide up the problems and solve them,” Ryan says. “I mean, this isn't inventing the nuclear bomb.”

The Technology

As the National Mine Action Strategy notes, research on mine clearance has been sorely lacking.

There has been, the strategy says, a “lack of systematic and centralized work on the introduction of innovative technologies in the field of Mine Action, in particular, unmanned aerial vehicles, the use of satellite images, artificial intelligence, data collection and analysis systems.”

It’s a frustration that Federica Mezzani knows well. Since 2019, she’s been researching how new technologies can help improve mine detection strategies—but it is a field, she says, which had been “completely forgotten.”

Despite the fact that an estimated 110 million mines are still active around the world, they are primarily distributed in poor and war-torn countries. While NGOs such as the HALO Trust have worked to steadily decontaminate those territories, the research and development has been piecemeal and slow. It simply hasn’t been a priority.

But Mezzani, along with her colleagues in the Department of Mechanical and Aerospace Engineering at Sapienza University in Rome, set out to prove that new technology could help with this old problem. There had been some research testing how drones could be used to identify unexploded ordinances, but not much. Mezzani wanted to take it a step further, dispatching drone swarms equipped with ground-penetrating radar to methodically scan each section of the ground, the way a human team might. Algorithms could essentially automate mine detection, she believed.

In a series of small-scale experiments, Mezzani’s technique worked.

“The experimental campaign proved the effectiveness of the algorithm, which appears as a powerful tool to automatically detect buried objects with even small metal content,” reads her paper, published in _Advances in Nonlinear Dynamics_ in 2022.

“The technology is ready,” Mezzani tells WIRED. “I think that it's been ready for many years, actually.”

When the full-scale war began, research efforts like Mezzani’s were few and far between. That meant figuring out these strategies from the ground up.

Part of the challenge is about confidence. As Bezkaravainyi explains, humanitarian mine clearance operates on a zero-tolerance policy for civilian deaths—if they mark a territory as uncontaminated, they must be absolutely sure it is entirely safe. Where possible, that also means defusing the land mines instead of exploding them and further contaminating the soil.

This process is significantly slower than how the military clears territory. Prioritizing speed, the army may blast a path through an active minefield in order to advance quickly without fully clearing it. To that end, humanitarian mine clearance operates on the Swiss cheese model: applying multiple imperfect strategies on top of each other.

Bezkaravainyi explains that their process normally involves consulting high-resolution satellite imagery of the territory and identifying land mines from the sky. From there, drones may be dispatched to confirm those locations and identify mines that may be buried or tough to spot. After that, teams are dispatched to sweep the territory.

Last fall, at an international conference on Ukraine’s demining efforts held in Zagreb, Bezkaravainyi’s department unveiled a prototype, developed by American surveillance technology giant Palantir, which used artificial intelligence to help inform how Kyiv approaches mine clearance.

This multilayered approach is increasingly necessary. Magnetometers and thermal scanners, which identify mines by identifying the metal amidst the organic material, were once the gold standard for mine identification. Some mines have electromagnetic shields, protecting them from ground-penetrating radar. The PFM-1 mine, in particular, contains very little metal, making it difficult to detect.

This problem is mostly, but not entirely, of Russia’s making. Reports suggest that Ukraine has also deployed these PFM-1 mines against Russian forces in Eastern Ukraine.

Difficult terrain, such as forests or mud, makes this work more difficult. Ukraine has difficult terrain in spades: It even has a word, _bezdorizhzhya_, for the mud that covers the eastern part of the country in the spring.

“If all the technologies in the world were given to Ukraine, it would not be enough,” Bezkaravainyi says.

An Opportunity

Ukraine is not merely contemplating how to buy and acquire enough technology to do this job—they are developing a plan to become a world leader on mine clearance.

That sort of focus has been sorely lacking for decades. “It’s a type of research that doesn't bring in profits,” Mezzani says. It’s a problem she crashed into during her own research project. “I wouldn't say that we have a technological issue. We have a willingness issue.”

Some 70 countries worldwide are still contaminated by land mines, according to the United Nations, and they kill or maim thousands every year. Most, however, are located in the Global South. The conflict in Ukraine may finally be the impetus to develop the technology and expertise to address that problem.

Indeed, Bezkaravainyi says his department has fielded plenty of offers from companies professing expertise in mine clearance, but many have been unreliable, haven’t delivered, or were outright scams.

If Ukraine can develop both the technology and the industry to do this work, it could provide a critical advantage in the war, boost its battered economy, and provide an enormous service to the entire world.

Brave1, a platform launched by the Ukrainian government to identify innovative projects and connect them to public and private financing, has identified mine clearance as one of its main priorities. Thus far, 30 projects—which range from autonomous land vehicles to more sophisticated detection systems—are part of the Brave1 platform.

If the Ukrainian government can spur the creation of a domestic demining industry, it will speed up its economic recovery, help war-torn countries the world over, and maybe even help win the war.

The Danger Lurking Just Below Ukraine's Surface

By Deeba Ahmed
From Banking Apps to Crypto Wallets: SpyNote Malware Evolves for Financial Gain.
This is a post from HackRead.com Read the original post: SpyNote Android Spyware Poses as Legit Crypto Wallets, Steals Funds

The notorious SpyNote Android spyware returns, exploiting Accessibility APIs to target crypto wallets and unsuspecting users, ultimately stealing their cryptocurrency.

The Android spyware SpyNote developers are now considering cryptocurrencies, extending beyond mere credentials spying to initiate cryptocurrency transfers, revealed the latest research report from FortiGuard Labs.

Researchers noted that Spynote, a notorious Remote Access Trojan (**RAT**), is now targeting “famous crypto wallets” by abusing the Accessibility API. The API’s job is to automatically perform UI actions, such as recording device unlocking gestures and is mainly helpful for people with disabilities.

The malicious code abuses the Accessibility API to automatically fill out a form and transfer cryptocurrency to cyber criminals. It reads and memorizes the destination wallet address and amount, and replaces it with the attacker’s crypto wallet address.

The information is sent to a remote server with which the malware has established a connection already to complete the action. It is worth noting that the entire act is completed automatically, without alerting the user.

According to Fortinet’s **blog post**, on 1st February, a malicious sample was found posing as a legitimate crypto wallet, incorporating SpyNote RAT and anti-analysis features. They also observed that threat actors are mainly targeting users with mobile crypto wallets or banking applications in this financially motivated, medium-severity hacking saga.

Researchers showed screenshots in which SpyNote malware can be seen requesting Accessibility Service and the user granting access with the Android OS displaying additional warnings. It is evident that clicking on “Allow” signals the malware to perform its nefarious action whereas clicking “Deny” prevents it from gaining access.

Screenshot: FortiGuard Labs

Hackread has been following the evolution of SpyNote ever since it made its first appearance **back in 2016** when Palo Alto’s Unit 42 discovered this RAT on a dark net forum mainly targeting users who install APK apps. Researchers noted that SpyNote helped attackers gain remote control of infected devices, and enabled sideloading on Android devices.

In 2017, Zscaler IT security researchers **discovered** fake apps infected with the SpyNote RAT, allowing attackers to gain remote administrative control on Android devices. Researchers identified various apps, including fake Netflix, WhatsApp, YouTube, Facebook, Photoshop, SkyTV, Hotstar, Trump Dash PokemonGo, etc., infected with a new variant of SpyNote RAT.

Over the years, SpyNote has become a common family of Android malware, with over 10,000 samples and multiple variants, noted FortiGuard researchers.

Last year, the malware authors shifted focus to banking fraud, as the Cleafy Threat Intelligence Team **reported** SpyNote targeting European financial institutions with social engineering tactics and abusing Accessibility services. The attack started with deceptive smishing campaigns, directing victims to install a “new certified banking app” and granting remote access to their devices.

It is worth noting that malware often lures victims into giving them the necessary rights to access the Accessibility API through different lures, posing a threat to users, especially people with disabilities.

Android users are advised to pay attention to applications requesting the Accessibility API. End-users should treat these requests as suspicious, especially from alleged crypto wallets, PDF readers, and video players.

****RELATED ARTICLES****

1.  **Watch out: New Android spyware records your calls covertly**
2.  **LetMeSpy Android Spyware Service Shuts Down After Data Breach**
3.  **Confucius Android spyware hits military, nuclear entities in Pakistan**
4.  **Xamalicious Backdoor Infects 25 Android Apps, Affects 327K Devices**
5.  **Hackers spread Android spyware through Facebook using Fake profiles**

SpyNote Android Spyware Poses as Legit Crypto Wallets, Steals Funds

By Waqas
The latest report from Swedish telecom security firm Enea sheds light on security vulnerabilities within the widely used messaging platform, WhatsApp.
This is a post from HackRead.com Read the original post: Israeli NSO Group Suspected of “MMS Fingerprint” Attack on WhatsApp

NSO Group, an Israeli spyware firm, is suspected of exploiting a novel “MMS Fingerprint” attack to target unsuspected users on WhatsApp, exposing their device information without needing user interaction.

Swedish telecom security firm Enea reports that the Israeli NSO Group, targeted journalists, human rights activists, lawyers, and government officials with a novel MMS Fingerprint attack by exploiting a **vulnerability in WhatsApp**.

The report that the company shared with Hackread.com on Thursday 15, 2023, WhatsApp discovered a vulnerability in its system in May 2019, allowing attackers to install Pegasus spyware on users’ devices. The flaw was then exploited to target government officials and activists globally. WhatsApp sued **NSO Group** for this exploitation, but appeals failed in the US appeal court and Supreme Court.

The attack, reportedly used by NSO Group, was discovered in a contract between the Israeli agency’s reseller and the telecom regulator of Ghana, which can be viewed in lawsuit documents **here** (PDF).

Enea launched an investigation to find out how an MMS fingerprint attack occurs. They discovered that it could reveal the target device and OS version without user interaction by sending an MMS.

The MMS UserAgent, a string that identifies the OS and device (such as a Samsung phone running Android), can be used by malicious actors to exploit vulnerabilities, tailor malicious payloads, or craft phishing campaigns.

**Surveillance companies** often request device information, but UserAgent may be more useful than IMEI. It’s important to note that MMS UserAgent is different from browser UserAgent, which has privacy concerns and changes.

The problem, according to Enea’s **report**, was not in the Android, Blackberry, or iOS devices but in the complex, multi-stage MMS flow process. The MMS flow examination suggested this was launched possibly through another method involving binary SMS.

For your information, MMS standards designers worked on a way to notify recipient devices of an MMS waiting for them without requiring them to be connected to the data channel. MM1\_notification.REQ uses SMS, a binary SMS (WSP Push), to notify the recipient MMS device’s user agent that an MMS message is waiting for retrieval.

The subsequent MM1\_retrieve.REQ is an HTTP GET to the URL address, including user device information, suspected to be leaked and potentially lifted the MMS fingerprint.

Researchers obtained sample SIM cards from a randomly selected Western European operator and successfully sent MM1\_notification.REQs (binary SMSs), setting the content location to a URL controlled by their web server.

The target device automatically accessed the URL, exposing its UserAgent and x-wap-profile fields. A Wireshark decode of the MMS notification and GET revealed how an attacker would execute an “MMS Fingerprint” attack, demonstrating it was possible in real life.

Enea’s report outlines the stages in an MMS flow and provides insight into the initial attack notification sent to the target. (Screenshot: ENEA)

The attack highlights the **ongoing threat to the mobile ecosystem**. Binary SMS attacks have been steadily reported over the last 20 years, highlighting the need for mobile operators to evaluate their protection against such threats.

For detailed insights into the report, we reached out to **Javvad Malik**, lead security awareness advocate at **KnowBe4** who warned that, Unlike previous methods, this attack doesn’t require user interaction, posing a significant concern for users’ security. The targeting of journalists, activists, and officials highlights the misuse of technology for surveillance and oppression. Platforms like WhatsApp must prioritize security as the foundation of their services.

> _“The saga of the NSO Group and its controversial exploits offers another chapter with the revelation of the “MMS Fingerprint” attack. At the heart of this revelation is a stark reminder of the ever-evolving cybersecurity threats, demonstrating not just the sophistication of threat actors, but their relentless pursuit to leverage vulnerabilities._
> 
> _The tactical evolution from requiring user interaction to achieve compromise—such as the unfortunate click on a malicious link—to now being able to extract valuable information through seemingly benign MMSs, underlines a significant shift. It’s concerning, to say the least, that users can be targeted without any user interaction._
> 
> _The targeting of journalists, activists, and officials is particularly egregious, highlighting a dark side of technological advancements where tools designed to connect and empower can also be twisted into instruments of surveillance and oppression. For organisations like WhatsApp and entities involved in digital communication, the imperative is clear: Security cannot merely be a feature; it must be the very foundation upon which platforms are built and maintained._
> 
> _In the broader context, incidents like the “MMS Fingerprint” attack are reminders that security cannot remain static and needs to continually evolve and build more resilient and secure systems.”_
> 
> Javvad Malik – KnowBe4

To prevent the attack, disabling MMS auto-retrieval on mobile devices can help, but some devices may not allow modification. On the network side, filtering Binary SMS/MM1\_notification messages can be effective. If a malicious binary SMS message is received, it is essential to prevent messages from connecting to attacker-controlled IP addresses.

1.  **Israeli spyware hacked phones of journalists globally**
2.  **iShutdown Tool Detects Pegasus Spyware on iOS Devices**
3.  **Fake WhatsApp clone aim at crypto on Android and Windows**
4.  **WhatsApp OTP Scam Allows Scammers to Hijack Your Account**
5.  **iPhones of State Dept officials hacked by NSO Pegasus spyware**

Israeli NSO Group Suspected of “MMS Fingerprint” Attack on WhatsApp

There was about a 24-hour period where many news outlets reported on a reported DDoS attack that involved a botnet made up of thousands of internet-connected toothbrushes.

Thursday, February 15, 2024 14:00

I’ll be the first to admit that, like many people on the internet last week, I got caught up in the toothbrush distributed denial-of-service attack that wasn’t.  

I had a whole section on it written up in last week’s newsletter, and then I came across Graham Cluley’s blog post debunking the whole thing, and I had to delete it about an hour before the newsletter went live.  

There was about a 24-hour period where many news outlets reported on a reported DDoS attack that involved a botnet made up of thousands of internet-connected toothbrushes, it all started with one international newspaper report, and then was aggregated to death and spread quickly on social media.  

This attack was only a _hypothetical_ that a security researcher posed in an interview but was reported or translated as an attack that happened. 

To me, I think we can all learn from a few major takeaways from this entire saga — myself included.  

It’s easy to see why this was a ready-made story to go viral: It involved a silly device that probably doesn’t need to be connected to the internet anyway, it involved a large number that would grab headlines and it was a DDoS attack, which have suddenly come back in vogue over the past year. 

But, I’ll admit, the aggregated stories seemed a little fishy to me at first, because all the reports didn’t include any specifics about which company was targeted, how long the attack lasted, or the name of the device that was reportedly compromised. 

That last part should be a red flag going forward for any of us wanting to share a meme about something the next time a cybersecurity story goes viral — in my opinion, responsible disclosure of an attack or compromise should always include information about whatever vulnerability it was that was exploited. In this hypothetical scenario, I don’t think an adversary would have been able to compromise an internet-connected toothbrush without first exploiting some sort of vulnerability, which if it’s being reported on in public, should at least include information on patches or mitigations. 

I also think we all need to be asking the fundamental question: Why? In this case, I should have asked myself why an attacker would want to go through the trouble of compromising smart toothbrushes. And what would be the end goal of targeting a private company with a DDoS attack? Likely, it would be to demand a ransom in exchange for the attacker stopping the attack, but without knowing what sector the targeted company was in, it’s tough to guess how profitable that might even be. (For example, a health care agency may be looking to do anything to get back to operating asap, as lives could literally be at stake.) 

And once the attacker compromised a toothbrush, what information can they glean from the user besides their dental hygiene habits? Usually, they’d be looking to steal some sort of personal information, login credentials or financial data that they could then turn around and sell on the dark web. 

Needless to say, there were multiple red flags we all ignored when this story started to spread. And I’m not here to blame anyone in this case; it was all honest mistakes that, all things considered, ended up not being that serious. But the toothbrush botnet that wasn’t does serve as a reminder to all of us to be a bit more mindful before clicking share or posting a story on social media.  

**The one big thing **

Cisco Talos has identified a new backdoor authored and operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation. Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems. 

**Why do I care? **

Turla has been widely known to target entities across the world using a huge set of offensive tools in geographies including the U.S., European Union, Ukraine and Asia. They’ve previously used malware families such as CAPIBAR and KAZUAR to target Ukrainian defense forces. After Crutch and TinyTurla, Turla has now expanded their arsenal to include the TinyTurla-NG and TurlaPower-NG malware families, while also widening its net of targets to NGOs. 

**So now what? **

Talos has released new ClamAV signatures and Snort rules to protect against TinyTurla and the actors’ actions. We don’t know what the initial access vector is, so it’s tough to give targeted advice on how to avoid this malware, but having any endpoint detection in place will block this “last chance” backdoor.  

**Top security headlines of the week **

**Chinese state-sponsored actor Volt Typhoon may have silently sat on U.S. critical infrastructure networks for more than five years,** according to a new report from American intelligence agencies. According to the advisory, the infamous hacking group has been exploiting vulnerabilities in routers, firewalls and VPNs to target water, transportation, energy and communications systems across the country. Volt Typhoon has been able to control some victims’ surveillance camera systems, and the access could have allowed them to disrupt critical energy and water controls. The actor is known for using living-off-the-land binaries (LoLBins) to remain undetected once they gain an initial foothold. Authorities in Canada, Australia and New Zealand also contributed to last week’s advisory, citing their concern for similar activity in their countries. The FBI’s director recently said in testimony to U.S. Congress that authorities had dismantled a bot network of hundreds of compromised devices that was connected to VoltTyphoon. (Axios, The Guardian) 

**A new spyware network called TheTruthSpy may have compromised hundreds of Android devices using silent tracking apps that users download thinking they’re legitimate.** Security researchers uncovered the information of thousands of devices that have already been compromised, including their IMEI numbers and advertising IDs. TheTruthSpy appears to actively spy on large clusters of victims across Europe, India, Indonesia, the U.S. and U.K. The operators behind TheTruthSpy also did not address a security vulnerability in the software, identified as CVE-2022-0732, which left the victim data they stole potentially vulnerable to other bad actors. These types of stalkerware tools are often used by family members, spouses or peers of victims who want to track their physical locations and spy on messages and phone calls. The spyware is downloaded via an app, which doesn’t appear on the victim’s home screen and operates quietly in the background. (TechCrunch, maia blog) 

**Apple removed a fake LastPass app called “LassPass” after the popular password management service reported it.** The phony LassPass used a similar logo to that of the legitimate LastPass and was up on the App Store for an unknown amount of time. Apple also said it was removing the creator of the app from its Developer Program. This is a very rare case for the Apple App Store, as it has a strict review policy. LastPass released a warning to all users last week of the fake app’s existence, including a link to the legitimate LastPass app. LassPass only had one review on the store, and multiple reviews warning it was fake. However, it’s safe to assume that the app was likely set up as some sort of phishing scam meant to get users to enter their legitimate LastPass login information to be stolen by the fake app’s creator. (Ars Technica, Bleeping Computer) 

**Can’t get enough Talos? **

*   Beers with Talos Ep. #143: The Reddit security diaries 
*   The Need to Know: How are attackers using QR codes in phishing emails and lure documents? 
*   First Microsoft Patch Tuesday zero-day of 2024 disclosed as part of group of 75 vulnerabilities 

**Upcoming events where you can find Talos **

**S4x24** **(March 4 - 27)** 

Miami Beach, Florida 

_To protect themselves during Russian aggression, the Ukrainian military utilizes electronic warfare to blanket critical infrastructure to defeat radar and GPS-guided smart munitions. This has the unintended consequence of disrupting GPS synchrophasor clock measurements and creating service outages on an already beleaguered and damaged transmission electric grid. Joe Marshall from Talos’ Strategic Communications team will tell an incredible story of how a group of engineers and security professionals from a diverse coalition of organizations came together to solve this electronic warfare GPS problem in an unconventional technical way, and helped stabilize parts of the transmission grid of Ukraine._ 

**RSA** **(May 6 - 9)** 

_San Francisco, California_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1      
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515      
**Typical Filename:** IMG001.exe      
**Claimed Product:** N/A      
**Detection Name:** Win.Dropper.Coinminer::1201 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa     
**MD5:** df11b3105df8d7c70e7b501e210e3cc3     
**Typical Filename:** DOC001.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** tmp000c3787   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg

Why the toothbrush DDoS story fooled us all

The Google Passkey Manager on Android appears to have inconsistent messaging for deletion of data along with other varying issues that lead us to believe it's not ready for prime time.

*INTRODUCTION*  
Passkeys on Android are stored in Google Password Manager by default. The user cannot make their own backups of them.

Note: although the user can export a CSV file with both passkeys and passwords, the lines representing passkeys will not contain any secrets, rendering them useless.

Also note that Google Passkey Manager appears to primarily be a CLOUD-based password manager (with copies of passwords and passkeys usually cached on devices).

*PROBLEM*  
The user may have chosen to configure a "sync passphrase" in Chrome.  
Instructions on what to do, in case the user wishes to change or remove their sync passphrase, can be found in [1] under "Reset your passphrase".

Effectively the user is sent to [2] and should press the button "Clear Data" at the bottom of that page.  
Until mid June 2023, the text near that button used to read (emphasis in CAPS added by me):

   "This will clear your Chrome data from your Google Account.  
   THIS WON'T CLEAR ANY DATA FROM YOUR DEVICES."

However, tapping the "Clear Data" button would unrecoverably DELETE ALL YOUR PASSKEYS (not your passwords).

*ISSUE REPORTED TO GOOGLE*  
I reported this "passkeys gone" problem to Google as a security issue on June 11, 2023.  
Please see the Timeline below for details.

*"FIX"*  
The issue was "fixed" around June 15, 2023, apparently by changing the text at the bottom of [2] into (emphasis in CAPS added by me):

   "This will clear your Chrome data that has been saved in your Google Account.  
   THIS MIGHT CLEAR SOME DATA FROM YOUR DEVICES."

However, tapping the "Clear Data" button will still DELETE ALL OF YOUR PASSKEYS without any other warnings.

In my opinion this is unacceptable, as is the handling of my bug report. Therefore I have not yet reported the issues mentioned below to Google nor to the Chromium team.

*POTENTIAL SYNC ISSUES*  
Apparently Google decided to use a DEVICE based encryption key (instead of a Google ACCOUNT based key) to encrypt the passkey's private keys.  
The idea is that, if you start using an second Android device, the encryption key from the first device is transferred  to your second device.

Note that this requires you to enter your Google cloud password PLUS the screen unlock code of your first device on your second device.

However, transfer of the encryption key will fail if the second device ALREADY HAS an encryption key.

Note: I actually ran into this condition accidentally during tests.  
Although this may not be a typical situation, it is possible to reproduce (which I will not (yet) describe).

Consequently, if you you brick or loose your old Android device, and somehow you managed to already have a DIFFERENT encryption key on your new Android device, passkeys and passwords will sync from the cloud, but the synced passkeys will be UNUSABLE on your new device.

Tip: whatever you do on a new replacement device: don't start by creating a passkey as a test!  
Wait until your old passkeys have synchronized to your new device and you've confirmed that they work, before you add any new passkeys.

*BUG IN PASSWORDS.GOOGLE.COM*  
Editing a passkey's (user) name in [3] renders all passkeys for the domain unusable, with the following error message when attempting to use them:

   "No Passkeys Available  
   There aren't any passkeys for [domain] on this device"

That particular passkey will be unusable forever.  
However, any other passkeys for the same domain become usable again after you delete the -now corrupt and unusable- passkey.

*OTHER ISSUES*  
During my tests I found a lot of other issues (mostly minor compared to those mentioned above).  
Such as the following worrisome messages I repeatedly saw:

   "An unknown error occurred while talking to the credential manager."

   "For security, you can no longer access your encrypted data on this device."

Also, in Chrome settings, after enabling sync, tapping on "Password Manager" would usually open Google Password Manager (implemented as a part of Google Play Services), but sometimes the Chrome built-in password manager instead.

I may reveal other issues at a later stage.

*CONCLUSION*  
In my opinion the reliability of Android's passkey implementation insufficient (immature, not production ready).

There is no way for the user to back up their passkey secrets themselves, while cloud storage of passkeys can obviously not be relied upon (Google owns your passkeys, not you).

The partial integration of Google Password Manager with Chrome's builtin password manager complicates things - in particular when combined with a "sync passphrase" and/or "on device encryption".  
The apparent confusion which party (Google or the Chromium team) is responsible for fixing bugs in Google Password Manager seems amateuristic annd chaotic.

Account lockout is a serious risk. If fallbacks to passwords or recovery codes remains a necessity because of easily lost passkeys, the advantage of "phishing resistance" is mostly moot.

*DISCLOSURE TIMELINE* (format: yyyy-mm-dd)  
2023-06-06 I published a Dutch article "Passkeys voor leken" (Passkeys for beginners) [4].

2023-06-08 After enabling encryption (using a sync passphrase) for all synced data, and then following Google's instructions [1] on how to change that passphrase, I noticed that all passkeys on my Google Pixel 6 Pro Android phone had disappeared.

I wrote about this in [5], but initially thought that I made a mistake myself.  
After thid incident I started to further investigate this issue, which appeared to reproduce.

2023-06-11 I uploaded a vulnerability report to Google titled "Passkeys gone from device after clearing Chrome data from Google Account" [6].

2023-06-12 Google acknowledges receiving my report.

2023-06-14 Google forwards my report to the Chromium team [7] and sets the status of the Google issue to "Won't Fix (Infeasible)".

2023-06-14 Im am notified that my vulnerability report was registered by the Chromium team.  
In [7] I see that the issue was assigned to a specific person (the "assignee" from now on).

2023-06-15 On the bug tracking website [7] I uploaded a zip-file with screenshots to further clarify things.

2023-06-15 The assignee wrote in [7]:

   "This is as expected, but you're right that we should clarify that on the page and that it's unexpected that Android's implementation of Sync differs r.e. the clearing of data from devices."

2023-06-15 The assignee adds a comment:

   "> it's unexpected that Android's implementation of Sync differs r.e. the clearing of data from devices.  
   (Sorry, that was poorly worded. It's potentially _surprising_ that Android differs given the wording.)"

At that time I did not understand what the assignee meant. Later I discovered by accident that the text at the bottom of [2] had been changed, and the assignee was apparently referring to that text.

2023-08-10 After 60 days since my initial report, I addded a comment in [7] that I am able to reproduce the vulnerability using the latest (August) Android update. I added:

   "I don't know whether this is a Chromium or an Android issue, but losing passkeys is unacceptible.  
   What gives?"

2023-09-10 (after 90 days) On [6] I reported that I had not heard back from the Chromium team since June 15 and that I do not understand what they wrote that day, and that there was no response to my August 8 comment.

2023-09-11 My latest comment in [6] is acknowledged by Google and under review.

2023-09-15 Google states that they won't do anything as this vulnerability is tracked by [7].

2024-02-07 No updates on [6] and [7].  
Publication.

*REFERENCES*  
[1] https://support.google.com/chrome/answer/165139

[2] https://chrome.google.com/sync

[3] https://passwords.google.com/

[4] https://security.nl/posting/798699/Passkeys+voor+leken

[5] https://security.nl/posting/798932

[6] https://issuetracker.google.com/issues/286730198

[7] https://bugs.chromium.org/p/chromium/issues/detail?id=1454857

Google Android Passkey Deletion / Confusion

Microsoft has issued patches for 73 security vulnerabilities in its February 2024 Patch Tuesday.

Microsoft has issued patches for 73 security vulnerabilities in its February 2024 Patch Tuesday. Among these vulnerabilities are two zero-days that are reportedly being used in the wild.

The two zero-day vulnerabilities have already been added to the Cybersecurity & Infrastructure Security Agency’s catalog of  Known Exploited Vulnerabilities, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate these vulnerabilities by March 5, 2024, in order to protect their devices.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-days patched in this round of updates are:

CVE-2024-21351 (CVSS score 7.6 out of 10): a Windows SmartScreen security feature bypass vulnerability. The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both. An authorized attacker must send the user a malicious file and convince the user to open it.

CVE-2024-21412 (CVSS score 8.1 out of 10): an Internet Shortcut Files security feature bypass vulnerability. An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks. However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link.

The bypassed security feature in both cases is the Mark of the Web (MOTW), the technology that ensures Windows pops a warning message when trying to open a file downloaded from the Internet. When a file is downloaded, Windows adds a ZoneId in the form of an Alternate Data Stream to the file which is responsible for the warning message(s).

Another vulnerability worth keeping an eye on is CVE-2024-21413 (CVSS score 9.8 out of 10): a Microsoft Outlook remote code execution (RCE) vulnerability. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and to gain high privileges, which include read, write, and delete functionality. Microsoft notes that the Preview Pane is an attack vector. The update guide for this vulnerability lists a number of required updates before protection is achieved.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has released security updates to address vulnerabilities in several products:

*   Adobe Commerce and Magento
*   Adobe Substance 3D Painter
*   Adobe Acrobat and Reader
*   Adobe FrameMaker Publishing Server
*   Adobe Audition 
*   Adobe Substance 3D Designer

The **Android** Security Bulletin for February contains details of security vulnerabilities for patch level 2024-02-05 or later.

**Ivanti** has urged customers to patch yet another critical vulnerability.

**SAP** has released its February 2024 Patch Day updates.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Tag

#sap