The war in Ukraine appears to have triggered a change in mission for the APT known as Bronze President (aka Mustang Panda).

China's tacit support for Russia's war in Ukraine apparently doesn't preclude likely China-backed cyber actors from mounting espionage campaigns on the Russian military.

Researchers from Secureworks' Counter Threat Unit this week said they recently discovered malware that suggests the advanced persistent threat (APT) known as Bronze President (aka Mustang Panda) is now targeting Russian military personnel and officials. The security vendor described the effort as an example of how political changes can push countries into new territory for surreptitious information-gathering efforts, even against friends and allies.

**Cyberespionage Campaign Delivers PlugX**  
According to the report, the heavily obfuscated malicious executable being used in the campaign is designed to appear as a Russian-language PDF document pertaining to Russia's 56th Blagoveshchenskiy Red Banner Border Guard Detachment (which is deployed near Russia's border with China). The file is designed so that default Windows settings do not display its .exe extension, Secureworks said.

Secureworks also explained that the executable file displays a decoy document written in English, though the filename itself is in Russian. The document appears to be legitimate and contains data pertaining to asylum applications and migratory pressure in the three countries that border Belarus — Poland, Lithuania, and Latvia. The content also includes commentary on European Union sanctions against Belarus for its role in the war in Ukraine.

When executed, the file downloads three additional files from a staging server. One of them is a legitimate signed file from Global Graphics Software, a UK-based firm. The file uses DLL search-order hijacking to import an updated version of PlugX, a remote-access Trojan (RAT) that has been previously associated with Bronze President.

"DLL search-order hijacking has been around for years," says Mike McLellan, director of intelligence at Secureworks. "It's a well-known technique by threat actors in which they maliciously use a legitimate executable file, often from a well-known vendor, together with a malicious library file (DLL), to load and execute an encrypted malware payload."

Threat actors use the technique because it ensures that the malicious payload file on a compromised system is never sitting around on disk in a manner that scanners and anti-malware can detect.

"This technique has been a staple of several China-nexus threat groups for many years," McLellan says.

As part of the attack chain, the threat actors have also included a ping command that adds a significant delay before executing the legitimate signed file, Secureworks said — a generic evasion technique to introduce a time lag while files are downloaded to the victim.

The staging server that Secureworks observed the threat actor using in the current campaign hosts a domain that Proofpoint earlier this year linked to a PlugX campaign against diplomatic entities in Europe. The security vendor determined that campaign to be motivated by matters related to the war in Ukraine as well. The same domain has also been linked to Bronze President attacks in 2020 that Secureworks observed against the Vatican.

**A New Set of Victims for Bronze Panda**  
Bronze President is a threat group that has been active since at least 2018, according to the researchers. Secureworks and others have assessed the group as being China-based and likely sponsored by — or operating with the knowledge of — the Chinese government. The group has been associated with numerous attacks on nongovernmental organizations and others, mostly in Asia but to some extent in other countries. Last year, for example, researchers from McAfee spotted the threat actor conducting a major cyber espionage operation targeting telecommunication companies in the US, Asia, and Europe.

The latest campaign represents a departure from the usual for the group, since it targets Russian entities, according to McLellan: "This is substantially different to what we have seen over the past two years where Bronze President has been about 90% focused on Myanmar and Vietnam. We believe they still have a mission in the Asia region, but this has been a bit of a departure for them."

Chinese APT Bronze President Mounts Spy Campaign on Russian Military

The Botnet appears to use a new delivery method for compromising Windows systems after Microsoft disables VBA macros by default.

The Botnet appears to use a new delivery method for compromising Windows systems after Microsoft disables VBA macros by default.

Emotet malware attacks are back after a 10-month “spring break” – with criminals behind the attack rested, tanned and ready to launch a new campaign strategy. That new approach includes more targeted phishing attacks, different from the previous spray-and-pray campaigns, according to new research.

Proofpoint analysts linked this activity to the threat actor known as TA542, which since 2014 has leveraged the Emotet malware with great success, according to a Tuesday report.

Emotet, once dubbed “the most dangerous malware in the world” is being leveraged in its most recent campaign to deliver ransomware. Those behind distributing the malware have been in law enforcement’s crosshairs for years.  In  January  2021, authorities in Canada, France, Germany, Lithuania, the Netherlands, Ukraine, the United Kingdom and the United States worked together to take down a network of hundreds of botnet servers supporting Emotet, as part of “Operation LadyBird.”

The latest activity observed by researchers occurred while Emotet was on a “spring break.” Efforts were lowkey and likely an attempt to test new tactics without drawing attention. Now, researchers say TA542 has ramped up attacks to typical high-volume threat campaigns. “The threat actor has since resumed its typical activity,” Proofpoint said.

Cybersecurity researchers from AdvIntel, Crypolaemus confirmed Proofpoint’s observations, both observing the Emotet’s return after a 10-months gap. According to those researchers, attackers behind the malware have sent millions of phishing emails designed to infect the devices with malware and can be controlled by botnets.

> 2021-11-14: 🔥The "#Emotet partner ($) loader" program appears resorcing from existing #TrickBot infections.
> 
> 📌TrickBot launched what appears to be the newer Emotet loader.  
> 👇https://t.co/nVugStaAvE https://t.co/GHupFlENaQ
> 
> — Vitali Kremez (@VK\_Intel) November 15, 2021

****New Phase of Emotet****

In its report, Proofpoint researchers noted that this new testing of phishing emails could be the result of Microsoft’s actions to disable specific macros associated with Office apps in February 2022. At the time Microsoft said it was changing defaults for five Office apps that run macros.  This prevents attackers from targeting documents with automation services to execute the malware on victims’ systems.

According to cybersecurity researchers at Proofpoint, the new techniques observed in recent campaigns appeared to be tested on a smaller scale, as a test for potential be used for a larger campaign.

The new campaigns use compromised email accounts to send out spam-phishing emails with a one-word headline. Common terms in phishing attacks included “salary” are used to encourage users to click out of curiosity, found by the ProofPoint cybersecurity researchers.

The message body contains a OneDrive URL. This URL hosts Zip files containing Microsoft Excel Add-in (XLL) files with a similar name to the email subject line.

If these XLL files are opened and executed, Emotet will infect the machine with malware. Further, it can steal the information or create a backdoor for deploying other malwares to compromise the Windows system.

According to cybersecurity researchers at Proofpoint, the use of OneDrive URLs and XLL makes this campaign distinct from previous ones. Earlier Emotet attempted to spread itself via Microsoft Office attachments or phishing URLs. Those malicious payloads included Word and Excel documents containing Visual Basics for Applications (VBA) scripts or macros.

The attacks associated with this new campaign took place between April 4, 2022 and April 19, 2022, when other widespread Emotet campaigns were put on hold, researchers said.

“After months of consistent activity, Emotet is switching things up. It is likely the threat actor is testing new behaviors on a small scale before delivering them to victims more broadly, or to distribute via new TTPs (Tactics, Techniques, and Procedures) alongside its existing high-volume campaigns,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.

“Organizations should be aware of the new techniques and ensure they are implementing defenses accordingly,” she added.

“Train users to spot and report malicious email. Regular training and simulated attacks can stop many attacks and help identify people who are especially vulnerable” DeGrippo explained.

In another development malware, authors patched the issue, which prevented potential victims from getting compromised upon clicking on the malicious email attachments.  

Reported By: Sagar Tiwari, an independent security researcher and technical writer.

Emotet is Back From ‘Spring Break’ With New Nasty Tricks

Miele Benchmark Programming Tool versions 1.1.49 and 1.2.71 suffer from a privilege escalation vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20220427-0 >  
=======================================================================  
               title: Privilege Escalation  
             product: Miele Benchmark Programming Tool  
  vulnerable version: at least 1.1.49 and 1.2.71  
       fixed version: 1.2.72  
          CVE number: CVE-2022-22521  
              impact: Medium  
            homepage: https://www.miele.com/  
               found: 2022-01-24  
                  by: J. Kruchem (Office Vienna)  
                      W. Schober (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"There are many good reasons for choosing Miele. Since the company's founding in  
1899, Miele has remained true to its "Immer Besser" brand promise. This means  
that we will do all that we can to be "Immer Besser" (forever better) than our  
competitors and "Immer Besser" (forever better) than we already are. For our  
customers, this means the peace of mind of knowing that choosing Miele is a  
good decision – and probably the decision of a lifetime."

Source: https://www.mieleusa.com/c/about-us-9.htm

Business recommendation:  
------------------------  
The vendor provides a patched version which should be installed immediately.

An in-depth security analysis performed by security professionals is highly advised,  
as the software may be affected from further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Privilege Escalation (CVE-2022-22521)  
The path where the Miele Benchmark Programming Tool is installed is writable  
for any user on the Windows operation system. This allows replacing the Uninstall  
binary and thus an attacker gaining local admin privileges if uninstalled.

Proof of concept:  
-----------------  
1) Privilege Escalation (CVE-2022-22521)  
The Uninstall string can be found in the following registry entry:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{<UUID of Miele Benchmark Programming>}

The UninstallString field has the following value:

UninstallString  
"C:\MIELE_SERVICE\Miele Benchmark Programming Tool\Uninstall Miele Benchmark Programming Tool.exe" /allusers

For exploitation, replace the "Uninstall Miele Benchmark Programming Tool.exe"  
with a malicious binary and uninstall via Software Center or call the admin  
and let them uninstall the Miele Benchmark Programming Tool.

Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested, which were the latest versions available  
during the time of the test:

* 1.1.49  
* 1.2.71

Other (lower) software versions may be affected as well.

Vendor contact timeline:  
------------------------  
2022-03-21: Contacting vendor through psirt@miele.com  
2022-03-22: Vendor answered that they will check the provided information  
2022-04-07: Vendor confirmed the vulnerability and answered with aim to fix it asap  
2022-04-11: Vendor sent their advisory (including CVE) and fixed version  
2022-04-27: Coordinated release of advisory.

Solution:  
---------  
The vendor provides a patched version v1.2.72 which can be downloaded here:

https://www.miele.com/en/com/downloads-6770.htm

Workaround:  
-----------  
Adapt permissions of the C:\MIELE_SERVICE directory according to the least privilege  
principle.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF J. Kruchem / @2022

Miele Benchmark Programming Tool 1.1.49 / 1.2.71 Privilege Escalation

Trojan-Downloader.Win32.Agent malware suffers from an insecure permissions vulnerability.

    Discovery / credits: Malvuln - malvuln.com (c) 2022Original source: https://malvuln.com/advisory/fb3ac3c9d808de7f4b5ede68715f658f.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Trojan-Downloader.Win32.AgentVulnerability: Insecure PermissionsDescription: The malware writes a PE file to the "Windows\System" directory granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges.Family: AgentType: PE32MD5: fb3ac3c9d808de7f4b5ede68715f658fVuln ID: MVID-2022-0570Dropped files: alg.exeDisclosure: 04/26/2022 Exploit/PoC:C:\>cacls \Windows\System\alg.exeC:\Windows\System\alg.exe BUILTIN\Administrators:(ID)F                          NT AUTHORITY\SYSTEM:(ID)F                          BUILTIN\Users:(ID)R                          NT AUTHORITY\Authenticated Users:(ID)CC:\>dir \Windows\System\alg.exe Volume in drive C has no label. Directory of C:\Windows\System04/10/2022  01:18 AM           882,688 alg.exe               1 File(s)        882,688 bytesDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Trojan-Downloader.Win32.Agent Insecure Permissions

IBM Security Identity Manager (IBM Security Verify Password Synchronization Plug-in for Windows AD 10.x) is vulnerable to a denial of service, caused by a heap-based buffer overflow in the Password Synch Plug-in. An authenticated attacker could exploit this vulnerability to cause a denial of service. IBM X-Force ID: 218379.

CVE-2022-22323: IBM Security Identity Manager buffer overflow CVE-2022-22323 Vulnerability Report

IBM Security Identity Manager (IBM Security Verify Password Synchronization Plug-in for Windows AD 10.x) is vulnerable to a denial of service, caused by a heap-based buffer overflow in the Password Synch Plug-in. An authenticated attacker could exploit this vulnerability to cause a denial of service. IBM X-Force ID: 217369.

  

**Summary**

IBM Security Verify Password Synchronization Plug-in for Windows AD released a fix in response to a denial of service vulnerability caused by a heap-based buffer overflow in the Password Synch Plug-in.

**Vulnerability Details**

**CVEID:**   CVE-2022-22323  
**DESCRIPTION:**   IBM Security Identity Manager is vulnerable to a denial of service, caused by a heap-based buffer overflow in the Password Synch Plug-in. An authenticated attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 5.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/218379 for the current score.  
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-22312  
**DESCRIPTION:**   IBM Security Identity Manager is vulnerable to a denial of service, caused by a heap-based buffer overflow in the Password Synch Plug-in. An authenticated attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 5.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217369 for the current score.  
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Security Verify Password Synchronization Plug-in for Windows AD

10.x

Password Sync Plug-in for WinAD 64-bit

6.x

Password Sync Plug-in for WinAD 64-bit

7.x

**Remediation/Fixes**

IBM encourages customers to update their systems promptly.

**Product(s)**

**Version(s)**

**Remediation/First Fix**

IBM Security Verify Password Synchronization Plug-in for Windows AD

10.x

IBM Security Verify Password Synchronization Plug-in for Windows AD  v10.0.4 or higher

Password Sync Plug-in for WinAD 64-bit

7.x

IBM Security Verify Password Synchronization Plug-in for Windows AD  v10.0.4 or higher

Password Sync Plug-in for WinAD 64-bit

6.x

IBM Security Verify Password Synchronization Plug-in for Windows AD  v10.0.4 or higher

To download IBM Security Verify Password Synchronization Plug-in for Windows AD v10.0.4 or higher, sign into IBM Passport Advantage Online (PAO) website. Note, you must be an authorized user from your company to sign in.  
Enter "IBM Security Verify Password Synchronization Plug-in for Windows AD" text string for search by Product name.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

The vulnerability was reported to IBM by Krzysztof Andrusiak (STM Cyber).

**Change History**

22 Apr 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

**Document Location**

Worldwide

\[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSBM27","label":"IBM Security Verify Governance"},"ARM Category":\[{"code":"a8m0z0000001hhBAAQ","label":"Identity Manager-\\u003EAdapters \\/ Services"}\],"Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"All Versions"}\]

CVE-2022-22312: Security Bulletin: IBM Security Verify Password Synchronization Plug-in for Windows AD is vulnerable to a denial of service vulnerability (CVE-2022-22323, CVE-2022-22312)

Due to build misconfiguration in openssl dependency, LINE for Windows before 7.8 is vulnerable to DLL injection that could lead to privilege escalation.

CVE-2022-29505

In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges.

CVE-2022-27239: Linux CIFS Utils and Samba - Free Knowledge Base

A new report suggests that a small but vibrant group of smartphones hackers may be challenging the world's most digitally restrictive regime.

For most of the world, the common practice of "rooting" or "jailbreaking" a phone allows the device's owner to install apps and software tweaks that break the restrictions of Apple’s or Google's operating systems. For a growing number of North Koreans, on the other hand, the same form of hacking allows them to break out of a far more expansive system of control—one that seeks to extend to every aspect of their lives and minds.

On Wednesday, the North Korea-focused human rights organization Lumen and Martyn Williams, a researcher at the Stimson Center think tank's North Korea–focused 38 North project, together released a report on the state of smartphones and telecommunications in the Democratic People's Republic of Korea, a country that restricts its citizens' access to information and the internet more tightly than any other in the world. The report details how millions of government-approved, Android-based smartphones now permeate North Korean society, though with digital restrictions that prevent their users from downloading any app or even any file not officially sanctioned by the state. But within that regime of digital repression, the report also offers a glimpse of an unlikely new group: North Korean jailbreakers capable of hacking those smartphones to secretly regain control of them and unlock a world of forbidden foreign content.

"There has been a sort of constant battle between the North Korean government and its citizens over use of technology: Each time a new technology has been introduced, people have usually found a way to use it for some illicit purpose. But that hasn't really been done through this kind of hacking—until now," says Williams. "In terms of the future of free information in North Korea, it shows that people are still willing to try to break the government's controls."

Learning anything about the details of subversive activity in North Korea—digital or otherwise—is notoriously difficult, given the Hermit Kingdom's nearly airtight information controls. Lumen's findings on North Korean jailbreaking are based on interviews with just two defectors from the country. But Williams says the two escapees both independently described hacking their phones and those of other North Koreans, roughly corroborating each others' telling. Other North Korea–focused researchers who have interviewed defectors say they've heard similar stories.

Both jailbreakers interviewed by Lumen and Williams said they hacked their phones—government-approved, Chinese-made, midrange Android phones known as the Pyongyang 2423 and 2413—primarily so that they could use the devices to watch foreign media and install apps that weren't approved by the government. Their hacking was designed to circumvent a government-created version of Android on those phones, which has for years included a certificate system that requires any file downloaded to the device to be "signed" with a cryptographic signature from government authorities, or else it's immediately and automatically deleted. Both jailbreakers say they were able to remove that certificate authentication scheme from phones, allowing them to install forbidden apps, such as games, as well as foreign media like South Korean films, TV shows, and ebooks that North Koreans have sought to access for decades despite draconian government bans.

In another Orwellian measure, Pyongyang phones' government-created operating system takes screenshots of the device at random intervals, the two defectors say—a surveillance feature designed to instill a sense that the user is always being monitored. The images from those screenshots are then kept in an inaccessible portion of the phone's storage, where they can't be viewed or deleted. Jailbreaking the phones also allowed the two defectors to access and wipe those surveillance screenshots, they say.

The two hackers told Lumen they used their jailbreaking skills to remove restrictions from friends' phones, as well. They said they also knew of people who would jailbreak phones as a commercial service, though often for purposes that had less to do with information freedom than more mundane motives. Some users wanted to install a certain screensaver on their phone, for instance, or wipe the phone's surveillance screenshots merely to free up storage before selling the phone secondhand.

One of the two jailbreakers, by contrast, said he was motivated in part by the same kind of mentality that drives some hackers in the West, according to Sokeel Park, the country director for Liberty in North Korea, who also spoke with the same defector who was interviewed by Lumen. "There isn't necessarily a super rational reason for this kind of hacking," says Park. "It's just like, doing stuff because you _can_, playing this cat-and-mouse game to test your own abilities."

Exactly what technical methods the two hackers used to defy their devices' restrictions is far from clear, given their limited, secondhand accounts. But both described attaching phones to a Windows PC via a USB cable to install a jailbreaking tool. One mentioned that the Pyongyang 2423’s software included a vulnerability that allowed programs to be installed in a hidden directory. The hacker says they exploited that quirk to install a jailbreaking program they'd downloaded while working abroad in China and then smuggled back into North Korea. The other hacker didn't make clear the source of his jailbreaking tool, but said he had been a student in a computer science group at Pyongyang's elite Kim Il Sung University.

The hackers Lumen describes are broadly representative of the two emerging classes of people jailbreaking phones in North Korea, says Nat Kretchun, the vice president for programs at the Open Technology Fund and a longtime researcher of North Korean media and technology. "There are the folks who come out of Kim Il Sung University or Kim Chaek University or part of the North Korean state who are essentially building these tools and doing kind of cheeky things on the side to allow themselves a little bit of room to undo the things that they implemented themselves," says Kretchun, who has independently interviewed several North Korean jailbreakers. "Then there's this other class of folks who have some amount of computer science literacy and are spending so much time with the phones that they're basically mapping out exactly how the thing works in practice and finding pretty clever work-arounds."

Kretchun and other researchers say that the number of jailbreakers remains fairly small, given the rarity of computer literacy in the country and the difficulty of sharing the tools. Changes to North Korean phones to disable their USB connections may have made jailbreaking even more of a challenge, says 38 North's Williams. But he points to a new law implemented in late 2020 that forbids "illegally installing a phone manipulation program" and includes a fine for possessing a smartphone without safeguards designed to block "impure publications," as the law puts it.

"While it is difficult to estimate the number of North Koreans modifying their phones, and interviewees did not seem to think the practice was widespread," reads Lumen's report, "the existence of this specific wording would imply it is happening at a scale where authorities are aware and potentially concerned."

Despite the relatively small scale of jailbreaking in the DPRK, Liberty in North Korea’s Sokeel Park argues that even a small community of phone hackers represents a sign that North Koreans have the will to fight against government controls. He adds that jailbreakers elsewhere in the world should perhaps focus their efforts on building and distributing hacking tools designed to help them.

"I think it's a very obvious call to action for the international community of technologists," Park says. "There is a dynamism there. This kind of hacking shows North Koreans are not passive subjects of oppression and surveillance and censorship. North Korean people are creating solutions and work-arounds so that they can learn things that the North Korean government doesn't want them to learn, sharing things the government considers subversive, and ultimately so they can create a challenge to the regime."

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   Sober influencers and the end of alcohol
*   For mRNA, Covid vaccines are just the beginning
*   The future of the web is AI-generated marketing copy
*   Keep your home connected with the best wi-fi routers
*   How to limit who can contact you on Instagram
*   👁️ Explore AI like never before with our new database
*   🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones

Tag

#windows