Red Hat Security Advisory 2024-0758-03 - An update for the container-tools:2.0 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0758.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: container-tools:2.0 security updateAdvisory ID:        RHSA-2024:0758-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0758Issue date:         2024-02-09Revision:           03CVE Names:          CVE-2024-21626====================================================================Summary: An update for the container-tools:2.0 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.Security Fix(es):* runc: file descriptor leak (CVE-2024-21626)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21626References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2024-001https://bugzilla.redhat.com/show_bug.cgi?id=2258725

Red Hat Security Advisory 2024-0758-03

“Had this all been contrived? Had his life become a game in which everyone knew the rules but him?” An exclusive excerpt from 2054: A Novel.

2054, Part V: From Tokyo With Love

Known for doing business with far-right extremist websites, Epik has been acquired by a company that specializes in helping businesses keep their operations secret.

A technology company that has been essential in keeping far-right and extremist websites online was acquired last year by a firm that operates an empire of shell companies across the United States, according to people familiar with the deal.

Epik.com has been for years the go-to domain registrar for websites that other companies refuse to do business with. Sites dedicated to white nationalism, QAnon conspiracy theories, and harassing transgender people were all welcomed by Epik. Now, it appears that Epik’s new owner may abandon the extremist fringe and shift its customer base toward companies seeking to operate in the shadows.

Rob Monster, a born-again Christian who founded Epik in 2009, had been key in keeping many of the most extreme websites online. He often went to great lengths to personally defend the sites and extolled the virtues of free speech. Epik was sold to new ownership last year after the company unraveled amid allegations of gross financial mismanagement.

An accounting firm hired by Epik to conduct a forensic investigation alleged that Monster had misappropriated more than $3.5 million, according to an internal preliminary report obtained by WIRED. More than $1.5 million was attributed to Monster personally withdrawing funds from the company. Nearly $2 million of Epik funds was used in Kingdom Ventures, Monsters’ venture capital firm, according to the report.

Monster didn’t respond to multiple requests for comment.

The buyer of Epik’s domain registrar business was a brand-new company that had been incorporated in Wyoming weeks before the sale was completed last summer: Epik LLC. The owner of Epik LLC, according to two people familiar with the deal, is Registered Agents Inc. The company confirmed its ownership in a press release late Friday night.

Registered Agents Inc. and its subsidiary companies claim to have offices in every state and Washington, DC. Its services allow companies to operate anonymously in a jurisdiction of its choosing. Registered Agents Inc. says it provides services to over 1 million companies.

The founder and owner of Registered Agents, according to two people familiar with the company, is a man named Dan Keen. In an email, a lawyer for Registered Agents Inc. says Keen is not the owner nor an employee of Registered Agents Inc. or Epik, and that he acted as a consultant in the acquisition.

Keen is intensely private, according to multiple people who have worked with him who requested anonymity to discuss details of the deal. “He has made it his mission in life to be invisible,” said one. “He’s someone who likes to operate in the shadows,” claims another. Keen is a serial entrepreneur who previously ran a lawn care and tree-trimming business, according to public records.

Keen has no website or social media pages. Emails sent by Keen don’t include a signature. Attempts to reach Keen for comment led to a reply from Bryce Myrvang, a lawyer for Registered Agents Inc.

Using a registered agent to incorporate a business allows the owner to shield who actually owns it. A registered agent will act as an official point of contact for a company, receiving legal notices and mail, and filing incorporation documents with the state. In Wyoming alone, Registered Agents Inc. represents around 50,000 companies, according to the Wyoming secretary of state.

For example, a company that uses Registered Agents Inc. to set up shop in Wyoming would have its address listed as 30 N. Gould Sreet, a squat one-story building in the town of Sheridan.

A local paper in Wyoming, _The Sheridan Press_, reported in August 2021 that scam business had been linked to the 30 N. Gould Street address, where more than 20 registered agent firms claim to have their offices. An editor's note added after publication stated, “It remains completely legal for registered agents to do what they’re doing under Wyoming Statute.”

A 2022 investigation by the International Consortium of Investigative Journalists found that “oligarchs, criminals and online scammers” have used registered agents to operate in the United States and shield their true identity.

Registered Agents Inc.’s acquisition of Epik allows the company to extend its offerings to the internet, providing its customers another layer of anonymity for their websites.

“This most recent acquisition provided an opportunity to expand our business offerings to include a business email address, a domain name, and open source website hosting at a reasonable cost,” Myrvang tells WIRED. “Registered Agents Inc. now has the capability to establish an entire business identity for its customers in less than 10 minutes.”

Clues about changes within Epik first emerged in January, when the company terminated its relationship with Kiwi Farms, a notorious trolling site whose users are dedicated to perpetuating never-ending drama and misery. In a series of bizarre and now deleted tweets, Epik claimed it suspended Kiwi Farms in response to a US court order and that the site hosted child sexual abuse material. In response, the Kiwi Farms administrator began crowdfunding money for a defamation lawsuit against Epik.

“You specialize in defamation, revenge porn, harassment, and hate speech and you want to sue us? We will expose all your and your users dirty secrets and they will be permanent public records,” the EpikLLC X account replied. “The judgment we will win against you will follow you the rest of your life.”

It was as if a new set of trolls with an entirely different worldview had taken over Epik.

“Alright all Whiny, Beta Snowflakes. Our DEI hires of the month canceled #Kiwifarms,” another post from EpikLLC read. “We don't like hate speech, porn, or doxxing. #JoeBiden will fix it! 2024!”

Some of the tweets trolling Epik were later deleted. “If such comments and or interactions on X were found to be offensive, Epik LLC formally apologizes to those individuals and or company,” Myrvang, the company's lawyer, says. “Further, the appropriate action has been taken internally in relation to the comments made on X.”

It’s unclear if Epik’s new owners singled out Kiwi Farms or if it has booted other sites from its service. “Epik.com’s Terms of Service has been updated to maintain compliance with all regulatory requirements,” Myrvang says.

When asked if the company has stopped working with other customers, Myrvang says, “Epik LLC will suspend and or terminate relationships with any company and or individual who violates its Terms of Services.”

In late 2022, Epik customers began reporting that they were suddenly unable to withdraw money from Masterbucks, Epik’s payment platform, which facilitated buying and selling pricey domain names. One customer, Luigi Marruso, posted on the domain name forum NamePros claiming that Epik was holding onto $1.5 million of its money. In an email to WIRED, Marruso says he still hasn’t been paid back.

Another customer, Matthew Adkisson, sued Epik and Monster, claiming they had mismanaged or embezzled $327,000 from him as he sought to purchase nourish.com. Epik later settled with Adkisson.

Claims like Adkisson’s began to pile up on forums for professionals in the domain name business (known as “domainers”), and Epik was in serious financial jeopardy.

Epik’s customers, fearing the worst, rushed to get their money back from the company. Epik even had outstanding debts with ICANN, the nonprofit that serves as a global administrator for the internet, according to legal filings.

“They were using customer funds to fund its operations. People started asking for those customer funds back, and they couldn't pay them,” says Andrew Allemann, a journalist who covered the fiasco for Domain Name Wire. “There was a run on the bank, and the money wasn’t there.”

In September 2022, a new CEO was installed at Epik in an attempt to stem the bleeding and settle the company’s debts. Epik, once valued by an investor at around $150 million was sold for around $5 million dollars in June 2023, according to a purchase agreement released as an exhibit in the Adkisson lawsuit. Much of the $5 million purchase price was allocated to paying off some of Epik’s debts. It’s unclear if the terms of the final deal match the one released as part of the lawsuit, but a source familiar with the acquisition says it was generally similar.

The rest of the debt was left with Monster. Just how much Monster owes former customers and vendors is unknown. Two former Epik customers told WIRED they’re still waiting to be paid back $38,000 and $20,000, respectively.

_Updated: 2/8/2024, 2:35 pm ET: Added additional comment from a Registered Agents Inc. spokesperson regarding Dan Keen's relationship with the company._

Epik, the Far-Right's Favorite Web Host, Has a Shadowy New Owner

Passkeys are here to replace passwords. When they work, it’s a seamless vision of the future. But don’t ditch your old logins just yet.

Using passkeys likely means having a different mindset from how you think about passwords. There’s nothing to remember when you log in, and you have to use something else to store your passkeys. Passkeys can be stored in Apple’s, Google’s or Microsoft’s password manager systems; your browser; a dedicated password manager; or on a physical security key. I created a Google passkey on one USB key, and all I need to do to sign in is, essentially, plug it in. (All of the devices I use professionally and personally are Apple, meaning I haven’t tested passkeys between my iPhone and a Windows laptop, for instance.)

“The technology is mature, the front ends are still nascent,” Shikiar from the FIDO Alliance says. Over the past year, the FIDO alliance has also been working on user experience guidelines, he says, making it more straightforward for people to sign up and use passkeys across systems. Gary Orenstein, the chief customer officer of password manager Bitwarden, says there are multiple groups involved in the creation and rollout of passkeys, so transitioning to a world where everything is seamless takes coordination. “The standards are at one level, user expectations are at a different level,” he says. “The vendor implementations are at a third level, and they’re merging, but it takes time.”

Being able to save a passkey on essentially any device makes them more useful and means you aren’t locked in to Google’s, Microsoft’s, or Apple’s ecosystems. However, where you save a passkey is going to take some remembering. When setting up one passkey, I was asked by my password manager, browser, and the device operating system whether I wanted to save my passkey with each of them. Picking one spot and sticking to it is probably the best option.

Most of my work is done on my laptop—and it's rare that I download new apps or log out of apps on my phone—so I have been saving the majority of my passkeys in Bitwarden, which costs me $10 a year for a premium account alongside my hundreds of passwords. It works like this: When logging in to my Amazon account, I enter my username, and then Bitwarden’s browser extension pops up asking whether I want to log in with my passkey for Amazon. I press confirm, and I am logged in. It also offers the option to use my device or a hardware key to log in, and if I select one of these options, it looks for passkeys stored on my laptop.

However, as mentioned, Bitwarden doesn’t currently offer passkeys on mobile, meaning that to get the mobile-first Coinbase integration to work, I ended up saving that passkey to iCloud’s Keychain instead. Orenstein, from Bitwarden, says that making passkeys work on mobile is a priority for Bitwarden and more support should be rolling out in the coming months. The company has seen a “fantastic” adoption of passkeys so far, he says, but acknowledges people will have to get used to the change. “You still need an awareness about where it is,” Orenstein says. “I think, over time, as an industry, we can reduce the need for that awareness, hopefully to zero.”

The Password’s Long Goodbye

You may not have set up any passkeys yet, but it’s only a matter of time. Tech companies are starting to make passkeys the default, and more businesses are adopting them. In the past couple of weeks, X has started allowing some people to use passkeys, and WhatsApp is bringing them to iPhones and iPads after previously rolling out passkey support for Android devices.

Leona Lassak, Blase Ur, and Maximilian Golla, three academics from Germany and the US who have researched the adoption of passkeys, say that businesses they’ve interviewed are generally positive about the adoption of passkeys and the extra security it will bring. However, it will likely take some time until the majority of websites, apps, and companies are using passkeys for everything. “I don’t think we will have a big bang in the next few months,” Lassak says. “It’s going to be a slow process, which on the way will then also catch other and smaller entities.”

As a result, passwords will still be around for a while. It’ll be a long time until I have converted my remaining 320-ish accounts to be using passkeys. And for the time being at least, those accounts where I do have passkeys will still have existing passwords that I can fall back on. “Passkeys is having fewer passwords, but not necessarily no passwords,” says Golla.

Experts recommend setting up a few passkeys whenever you come across them on your online accounts, rather than necessarily trying to change them all at once. There are guides to what websites are using passkeys already, and Google, Microsoft, and Apple all have straightforward explanations on how to create passkeys. And there are plenty of benefits to getting started now.

“They are a true password replacement that eliminate the threat of phishing, eliminate the hassle of password resets, and eliminate the liability that service providers have when they’re managing thousands, tens of thousands, or tens of millions, or billions of passwords,” Shikiar says. “It really is an entirely new way of doing user authentication.”

I Stopped Using Passwords. It's Great—and a Total Mess

“The people are in the streets. We can’t ignore them any longer. Really, we have little choice. Either we heal together, or we tear ourselves apart.” An exclusive excerpt from 2054: A Novel.

2054, Part IV: A Nation Divided

“You’d have an incomprehensible level of computational, predictive, analytic, and psychic skill. You’d have the mind of God.” An exclusive excerpt from 2054: A Novel.

2054, Part III: The Singularity

New EU rules mean WhatsApp and Messenger must be interoperable with other chat apps. Here’s how that will work.

A frequent annoyance of contemporary life is having to shuffle through different messaging apps to reach the right person. Messenger, iMessage, WhatsApp, Signal—they all exist in their own silos of group chats and contacts. Soon, though, WhatsApp will do the previously unthinkable for its 2 billion users: allow people to message you from another app. At least, that's the plan.

For about the past two years, WhatsApp has been building a way for other messaging apps to plug themselves into its service and let people chat across apps—all without breaking the end-to-end encryption it uses to protect the privacy and security of people’s messages. The move is the first time the chat app has opened itself up this way, and it potentially offers greater competition.

It isn’t a shift entirely of WhatsApp’s own making. In September, European, lawmakers designated WhatsApp parent Meta as one of six influential “gatekeeer” companies under its sweeping Digital Markets Act, giving it six months to open its walled garden to others. With just a few weeks to go before that time is up, WhatsApp is detailing how its interoperability with other apps may work.

“There’s real tension between offering an easy way to offer this interoperability to third parties whilst at the same time preserving the WhatsApp privacy, security, and integrity bar,” says Dick Brouwer, an engineering director at WhatsApp who has worked on Meta rolling out encryption to its Messenger app. “I think we're pretty happy with where we’ve landed.”

Interoperability in both WhatsApp and Messenger—as dictated by Europe’s rules—will initially focus on text messaging, sending images, voice messages, videos, and files between two people. Calls and group chats will come years down the line. Europe’s rules apply only to messaging services, not traditional SMS messaging. “One of the core requirements here, and this is really important, is for users for this to be opt-in,” says Brouwer. “I can choose whether or not I want to participate in being open to exchanging messages with third parties. This is important, because it could be a big source of spam and scams.”

WhatsApp users who opt in will see messages from other apps in a separate section at the top of their inbox. This “third-party chats” inbox has previously been spotted in development versions of the app. “The early thinking here is to put a separate inbox, given that these networks are very different,” Brouwer says. “We cannot offer the same level of privacy and security,” he says. If WhatsApp were to add SMS, it would use a separate inbox as well, although there are no plans to add it, he says.

Overall, the idea behind interoperability is simple. You shouldn’t need to know what messaging app your friends or family use to get in touch with them, and you should be able to communicate from one app to another without having to download both. In an ideal interoperable world, you could, for example, use Apple’s iMessage to chat with someone on Telegram. However, for apps with millions or billions of users, making this a reality isn’t straightforward—encrypted messaging apps use their own configurations and different protocols and have different standards when it comes to privacy.

Despite WhatsApp working on its interoperability plan for more than a year, it will still take some time for third-party chats to hit people’s apps. Messaging companies that want to interoperate with WhatsApp or Messenger will need to sign an agreement with the company and follow its terms. The full details of the plan will be published in March, Brouwer says; under EU laws, the company will have several months to implement it.

Brouwer says Meta would prefer if other apps use the Signal encryption protocol, which its systems are based upon. Other than its namesake app and the Meta-owned messengers, the Signal Protocol is publicly disclosed as being used in Google Messages and Skype. To send messages, third-party apps will need to encrypt content using the Signal Protocol and then package it into message stanzas in the eXtensible Markup Language (XML). When receiving messages, apps will need to connect to WhatsApp’s servers.

“We think that the best way to deliver this approach is through a solution that is built on WhatsApp’s existing client-server architecture,” Brouwer says, adding it has been working with other companies on the plans. “This effectively means that the approach that we’re trying to take is for WhatsApp to document our client- server protocol and letting third-party clients connect directly to our infrastructure and exchange messages with WhatsApp clients.”

There is some flexibility to WhatsApp interoperability. Meta’s app will also allow other apps to use different encryption protocols if they can “demonstrate” they reach the security standards that WhatsApp outlines in its guidance. There will also be the option, Brouwer says, for third-party developers to add a proxy between their apps and WhatsApp’s server. This, he says, could give developers more “flexibility” and remove the need for them to use WhatsApp’s client-server protocols, but it also “increases the potential attack vectors.”

So far, it is unclear which companies, if any, are planning to connect their services to WhatsApp. WIRED asked 10 owners of messaging or chat services—including Google, Telegram, Viber, and Signal—whether they intend to look at interoperability or had worked with WhatsApp on its plans. The majority of companies didn’t respond to the request for comment. Those that did, Snap and Discord, said they had nothing to add. (The European Commission is investigating whether Apple’s iMessage meets the thresholds to offer interoperability with other apps itself. The company did not respond to a request for comment. It has also faced recent challenges in the US about the closed nature of iMessage.)

Matthew Hodgson, the cofounder of Matrix, which is building an open source standard for encryption and operates the messaging app Element, confirms that his company has worked with WhatsApp on interoperability in an “experimental” way but that he cannot say any more due to signing a nondisclosure agreement. In a talk last weekend, Hodgson demonstrated “hypothetical” architectures for ways that Matrix could connect to the systems of two gatekeepers that don’t use the same encryption protocols.

Meanwhile, Julia Weis, a spokesperson for the Swiss messaging app Threema, says that while WhatsApp did approach it to discuss its interoperability plans, the proposed system didn’t meet Threema’s security and privacy standards. “WhatsApp specifies all the protocols, and we’d have no way of knowing what actually happens with the user data that gets transferred to WhatsApp—after all, WhatsApp is closed source,” Weis says. (WhatsApp’s privacy policy states how it uses people’s data.)

When the EU first announced that messaging apps may have to work together in early 2022, many leading cryptographers opposed the idea, saying it adds complexity and potentially introduces more security and privacy risks. Carmela Troncoso, an associate professor at the Swiss university École Polytechnique Fédérale de Lausanne, who focuses on security and privacy engineering, says interoperability moves could potentially lead to different power relationships between companies, depending on how they are implemented.

“This move for interoperability will, on the one hand, open the market, but also maybe close the market in the sense that now the bigger players are going to have more decisional power,” Troncoso says. “Now, if the big player makes a move and you want to continue being interoperable with this big player, because your users are hooked up to this, you're going to have to follow.”

While the interoperability of encrypted messaging apps may be possible, there are some fundamental challenges about how the systems will work in the real world. How much of a problem spam and scamming will be across apps is largely unknown until people start using interoperable setups. There are also questions about how people will find each other across different apps. For instance, WhatsApp uses your phone number to interact and message other people, while Threema randomly generates eight-digit IDs for people’s accounts. Linking up with WhatsApp “could de-anonymize Threema users,” Weis, the Threema spokesperson says.

Meta’s Brouwer says the company is still working on the interoperability features and the level of support it will make available for companies wanting to integrate with it. “Nobody quite knows how this works,” Brouwer says. “We have no idea what the demand is.” However, he says, the decision was made to use WhatsApp’s existing architecture to run interoperability, as it means that it can more easily scale up the system for group chats in the future. It also reduces the potential for people’s data to be exposed to multiple servers, Brouwer says.

Ultimately, interoperability will evolve over time, and from Meta’s perspective, Brouwer says, it will be more challenging to add new features to it quickly. “We don't believe interop chats and WhatsApp chats can evolve at the same pace,” he says, claiming it is “harder to evolve an open network” compared to a closed one. “The second you do something different—than what we know works really well—you open up a wormhole of security, privacy issues, and complexity that is always going to be much bigger than you think it is.”

WhatsApp Chats Will Soon Work With Other Encrypted Messaging Apps

“If molecules really were the new microchips, the promise of remote gene editing was that the body could be manipulated to upgrade itself.” An exclusive excerpt from 2054: A Novel.

2054, Part II: Next Big Thing

The U.S. State Department said it's implementing a new policy that imposes visa restrictions on individuals who are linked to the illegal use of commercial spyware to surveil civil society members.
"The misuse of commercial spyware threatens privacy and freedoms of expression, peaceful assembly, and association," Secretary of State Antony Blinken said. "Such targeting has been

The U.S. State Department said it's implementing a new policy that imposes visa restrictions on individuals who are linked to the illegal use of commercial spyware to surveil civil society members.

"The misuse of commercial spyware threatens privacy and freedoms of expression, peaceful assembly, and association," Secretary of State Antony Blinken said. "Such targeting has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases."

The latest measures, underscoring continued efforts on part of the U.S. government to curtail the proliferation of surveillance tools, are designed to "promote accountability" for individuals involved in commercial spyware misuse.

The new policy covers people who have used such tools to "unlawfully surveil, harass, suppress, or intimidate individuals," as well as those who stand to financially benefit from the misuse.

It also includes the companies (aka private sector offensive actors or PSOAs) that develop and sell the spyware to governments and other entities. It's currently not clear how the new restrictions will be enforced for individuals who possess passports that don't require a visa to enter the U.S.

However, CyberScoop notes that executives potentially affected by the ban would no longer be eligible to participate in the visa waiver program, and that they would need to apply for a visa to travel to the U.S.

The development comes days after Access Now and the Citizen Lab revealed that 35 journalists, lawyers, and human-rights activists in the Middle Eastern nation of Jordan were targeted with NSO Group's Pegasus spyware.

In November 2021, the U.S. government sanctioned NSO Group and Candiru, another spyware vendor, for developing and supplying cyber weapons to foreign governments that "used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers."

Then early last year, U.S. President Joe Biden signed an executive order barring federal government agencies from using commercial spyware that could pose national security risks. In July 2023, the U.S. also placed Intellexa and Cytrox on a trade blocklist.

According to an intelligence assessment released by the U.K. Government Communications Headquarters (GCHQ) in April 2023, at least 80 countries have purchased commercial cyber intrusion software over the past decade.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Imposes Visa Restrictions on those Involved in Illegal Spyware Surveillance

The threat actor known as Patchwork likely used romance scam lures to trap victims in Pakistan and India, and infect their Android devices with a remote access trojan called VajraSpy.
Slovak cybersecurity firm ESET said it uncovered 12 espionage apps, six of which were available for download from the official Google Play Store and were collectively downloaded more than 1,400 times between

The threat actor known as Patchwork likely used romance scam lures to trap victims in Pakistan and India, and infect their Android devices with a remote access trojan called **VajraSpy**.

Slovak cybersecurity firm ESET said it uncovered 12 espionage apps, six of which were available for download from the official Google Play Store and were collectively downloaded more than 1,400 times between April 2021 and March 2023.

"VajraSpy has a range of espionage functionalities that can be expanded based on the permissions granted to the app bundled with its code," security researcher Lukáš Štefanko said. "It steals contacts, files, call logs, and SMS messages, but some of its implementations can even extract WhatsApp and Signal messages, record phone calls, and take pictures with the camera."

As many as 148 devices in Pakistan and India are estimated to have been compromised in the wild. The malicious apps distributed via Google Play and elsewhere primarily masqueraded as messaging applications, with the most recent ones propagated as recently as September 2023.

*   Privee Talk (com.priv.talk)
*   MeetMe (com.meeete.org)
*   Let's Chat (com.letsm.chat)
*   Quick Chat (com.qqc.chat)
*   Rafaqat رفاق (com.rafaqat.news)
*   Chit Chat (com.chit.chat)
*   YohooTalk (com.yoho.talk)
*   TikTalk (com.tik.talk)
*   Hello Chat (com.hello.chat)
*   Nidus (com.nidus.no or com.nionio.org)
*   GlowChat (com.glow.glow)
*   Wave Chat (com.wave.chat)

Rafaqat رفاق is notable for the fact that it's the only non-messaging app and was advertised as a way to access the latest news. It was uploaded to Google Play on October 26, 2022, by a developer named Mohammad Rizwan and amassed a total of 1,000 downloads before it was taken down by Google.

The exact distribution vector for the malware is currently not clear, although the nature of the apps suggests that the targets were tricked into downloading them as part of a honey-trap romance scam, where the perpetrators convince them to install these bogus apps under the pretext of having a more secure conversation.

This is not the first time Patchwork – a threat actor with suspected ties to India – has leveraged this technique. In March 2023, Meta revealed that the hacking crew created fictitious personas on Facebook and Instagram to share links to rogue apps to target victims in Pakistan, India, Bangladesh, Sri Lanka, Tibet, and China.

It's also not the first time that the attackers have been observed deploying VajraRAT, which was previously documented by Chinese cybersecurity company QiAnXin in early 2022 as having been used in a campaign aimed at Pakistani government and military entities. Vajra gets its name from the Sanskrit word for thunderbolt.

Qihoo 360, in its own analysis of the malware in November 2023, tied it to a threat actor it tracks under the moniker Fire Demon Snake (aka APT-C-52).

Outside of Pakistan and India, Nepalese government entities have also been likely targeted via a phishing campaign that delivers a Nim-based backdoor. It has been attributed to the SideWinder group, another group that has been flagged as operating with Indian interests in mind.

The development comes as financially motivated threat actors from Pakistan and India have been found targeting Indian Android users with a fake loan app (Moneyfine or "com.moneyfine.fine") as part of an extortion scam that manipulates the selfie uploaded as part of a know your customer (KYC) process to create a nude image and threatens victims to make a payment or risk getting the doctored photos distributed to their contacts.

"These unknown, financially motivated threat actors make enticing promises of quick loans with minimal formalities, deliver malware to compromise their devices, and employ threats to extort money," Cyfirma said in an analysis late last month.

It also comes amid a broader trend of people falling prey to predatory loan apps, which are known to harvest sensitive information from infected devices, and employ blackmail and harassment tactics to pressure victims into making the payments.

According to a recent report published by the Network Contagion Research Institute (NCRI), teenagers from Australia, Canada, and the U.S. are increasingly targeted by financial sextortion attacks conducted by Nigeria-based cybercriminal group known as Yahoo Boys.

"Nearly all of this activity is linked to West African cybercriminals known as the Yahoo Boys, who are primarily targeting English-speaking minors and young adults on Instagram, Snapchat, and Wizz," NCRI said.

Wizz, which has since had its Android and iOS apps taken down from the Apple App Store and the Google Play Store, countered the NCRI report, stating it's "not aware of any successful extortion attempts that occurred while communicating on the Wizz app."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#sap