The company is adding new tools as bad actors use ChatGPT-themed lures and mask their infrastructure in an attempt to trick victims and elude defenders.

The social media giant Meta warned today that it sees many malware actors spreading their attack infrastructure across multiple platforms, to make it more difficult for individual tech companies to detect their malicious activity. The company added, though, that it views the shift in tactics as a sign that industry crackdowns are working, and it says it is launching additional resources and protections for business users with the goal of raising the barriers for attackers even more.

On Facebook, Meta has now added new controls for business accounts to manage, audit, and limit who can become an account administrator, who can add other administrators, and who can perform sensitive actions like accessing a line of credit. The goal is to make it more difficult for attackers to use some of their most common tactics. For example, bad actors may take over the account of an individual who is employed by or otherwise connected to a target company, so the attacker can then add the compromised account as an administrator on the business page.

Meta is also launching a step-by-step tool for businesses to help them flag and remove malware on their enterprise devices and will even suggest using third-party malware scanners. The company says it sees a pattern in which users' Facebook accounts are compromised, the owners regain control, and then the accounts are re-compromised because the targets' devices are still infected with malware or have been reinfected.

“This is an ecosystem challenge, and there’s a lot of adversary adaptation,” says Nathaniel Gleicher, Meta’s head of security policy. “What we’re seeing is adversaries working really hard, but defenders moving more systematically. We're not just disrupting individual bad actors; there are a number of different ways that we are countering them and making it harder.”

The move to distribute malicious infrastructure across multiple platforms has advantages for attackers. They may distribute ads on a social network like Facebook that aren't directly malicious, but that link to a fake creator page or other niche profile. On that site, attackers can post a special password and link to a file-sharing service like Dropbox or Mega. Then they can upload their malicious file to the hosting platform and encrypt it with the password from the previous page to make it harder for companies to scan and flag. In this way, victims follow the bread crumbs through a chain of legitimate-looking services, and no one site has a complete view of every step in the attack.

As public interest in generative AI chatbots like ChatGPT and Bard has ramped up in recent months, Meta also says it has seen attackers incorporating the topic into their malicious ads, claiming to offer access to these and other generative AI tools. Since March 2023, the company says, it has blocked more than 1,000 malicious links used in generative AI-themed lures so they can't be shared on Facebook or other Meta platforms, and it has shared the URLs with other tech companies. It has also reported multiple browser extensions and mobile apps related to these malicious campaigns.

Meta says the attackers who distribute a known malware strain called Ducktail have increasingly leaned on these techniques in an attempt to compromise a range of victims and take over Facebook business accounts to distribute more of their malicious ads. Meta attributes Ducktail's activity to actors in Vietnam, and the company recently issued a cease-and-desist letter to specific individuals in addition to reporting the activity to law enforcement.

In late January, Meta also identified a new malware strain, dubbed NodeStealer, that was targeting Windows browsers to record victims' usernames and passwords, steal cookies, and use the data to compromise Facebook accounts as well as Gmail and Outlook accounts. Meta also attributes this campaign to Vietnamese actors, and it quickly began submitting takedown requests to hosting providers, domain registrars, and other application services that the actor was using for its activity and malware distribution. The company says these steps appear to have been disruptive, and it hasn't detected new samples of NodeStealer since February 27.

“What they’re counting on is that we are going to keep working in silos amongst companies and we’re not going to be able to follow them jump to jump, platform to platform,” Meta's Gleicher says. 

He adds that in addition to adding new features for users, expanding Meta's automatic detections, and taking direct action against attackers, the company uses public disclosure and information-sharing with other companies and law enforcement as a way of making things more difficult for attackers.

“It’s easy to recognize that the more platforms need to coordinate, the more complex the defenses can be,” Gleicher says. “But the more distributed an adversary's operation is, the more they have to keep all these different platforms working together, and the number of victims who make it through that funnel is lower and lower. The more we force them to be distributed, the higher the cost on the adversary.”

Meta Moves to Counter New Malware and Repeat Account Takeovers

The tech industry’s transition to passkeys gets its first massive boost with the launch of the alternative login scheme for Google’s billions of users.

Google is announcing a major effort to let its account holders log in with the password replacement known as “passkeys.” The feature launches today for the company's billions of accounts, and users will be able to proactively seek it out and turn it on. Google says it plans to promote passkeys in the coming months and start nudging account holders to convert their traditional username and password login to a passkey.

Password-based authentication has been standard across the internet (and computing in general) for decades, but the system has serious security issues, namely that attackers can steal your password or trick you into giving it to them in phishing attacks. The passkey scheme is specifically designed to address phishing attacks by relying on a different model that uses cryptographic keys stored on your devices for account authentication. 

In the year since the industry association known as the FIDO Alliance began publicly promoting the rollout of passkeys, the makers of the world's biggest consumer operating systems—Microsoft, Google, and Apple—have launched the necessary infrastructure to support passkeys. But if you still have never used a passkey in your daily life, you're far from alone.

The next step toward passkey adoption is for services to actually offer passkeys as a login option for user accounts. So far, companies like PayPal, Shopify, CVS Health, Kayak, and Hyatt have taken the plunge. Today's launch of passkeys for Google’s users is noteworthy given the company's resources and sheer scale.

“It's very, very significant,” says Andrew Shikiar, executive director of the FIDO Alliance. “It's an inflection point. A company like Google enabling this with so many people actually seeing passkey sign-ins, they’ll be more likely to use them elsewhere. And it will also accelerate other companies’ deployment plans and help them deploy better, because we will learn from this as a body."

You can log in with passkeys using biometric sensors like fingerprint or face scanners, your smartphone's device lock PIN, or physical authentication dongles like YubiKeys. To transition your Google account, you'll navigate to this link, log in with your username, password, and any additional authentication factors you have set up, and then click “+ Create a passkey” on the device you're using.

“We have an opportunity here to change the way users think about signing in,” says Christiaan Brand, an identity and security product manager at Google and co-chair of the FIDO2 technical working group. “If we can change the way that signing in works for your Google account, we hope that consumers will start to get more accustomed to the technology, and also signal to industry that we’re not just _talking_ about this stuff—it is ready for prime-time adoption.”

Passkeys can sync between your devices through end-to-end encrypted services like Google Password Manager and iCloud Keychain. Or you can set up passkeys on multiple devices by generating a QR code on a device that's logged in to your Google account that will anoint another device where you want to log in. 

All of your Google account passkeys will be listed on the “Passkey Management Page,” where you can review and revoke them. You can even store a passkey for your account on the device of someone you trust as a recovery option. If you issue a passkey to log into your Google account on a shared device, be sure to revoke it once you're done.

“What doesn’t help is when a vendor or developer only rolls out passkey for iOS or only rolls it out for Android. That’s not how passwords work; passwords are ubiquitous," Brand says. “So for us, it was important to cover as wide a range of devices as possible on launch day, no carve-outs.”

Google says that even once you make a passkey for your account (or five), your traditional username and password login isn't going anywhere, and you can still use it if you choose. But the company is betting that once people get used to passkeys, they'll like them better and find them easier to manage than passwords. And once you've set up a passkey on a device, Google will automatically detect it and prompt you to log in that way going forward.

Brand says that in early tests on a few thousand users, sign-in success rates with passkeys were immediately higher than for traditional username and password logins. That doesn't mean there won't be what Brand calls “rough edges” or use cases where there are passkey bugs. But Google says it hopes to discover and iron out as many of these issues as possible, so smaller organizations can feel more confident implementing passkeys.

Google's announcement comes on the eve of World Password Day on Thursday. But passkey proponents are ramping up their efforts to make the occasion obsolete.

“Eventually, it's going to be like World Horse and Buggy Day, I think,” Shikiar says. “For the time being, it’s a good reminder of the challenge we have to get rid of passwords.”

Google Is Rolling Out Passkeys, the Password-Killing Tech, to All Accounts

A Google Drive left public on the American College of Pediatricians’ website exposed detailed financial records, sensitive member details, and more.

While the material is not expressly religious, it is clearly aimed at painting same-sex marriage as aberrant and immoral behavior. Physicians lobbied by the group are also told to urge patients to purchase Christian-based parenting guides, including one designed to help parents broach the topic of sex with their 11- and 12-year-old kids. The College suggests telling parents to plan a “special overnight trip,” a pretext for instilling in their children sexual norms in line with evangelical practice. The group suggests telling parents to buy a tool called a “getaway kit,” a series of workbooks that run around $54 online. The workbooks methodically walk the parents through the process of springing the topic, but only after a day-long charade of impromptu gift-giving and play. 

These books are full of games and puzzles for the parent and child to cooperatively take on. Throughout the process, the child slowly digests a concept of “sexual purity,” lessons aided by oversimplified scripture and well-trodden Bible school parables. 

Another document the group shared with its members contains a script for appointments with pregnant minors. Its purpose is made evidently clear: The advice is engineered specifically to reduce the odds of minors coming into contact with medical professionals not strictly opposed to abortion. A practice script recommends the doctor inform the minor that they “strongly recommend against” abortion, adding “the procedure not only kills the infant you carry, but is also a danger to you.” (Medically, the term “fetus” and “infant” are not interchangeable, the latter referring to a newborn baby less than one year old.)

The doctors are urged to recommend that the minor visit a website that, like others shared with patients, is not expressly religious but will only direct visitors to Catholic-run “crisis pregnancy centers,” which strictly reject abortion. The same site is widely promoted by anti-abortion groups such as National Right to Life, which last year held that it should be illegal to terminate the pregnancy of a 10-year-old rape victim.

The Professionals

The effort to ban mifepristone, which the Supreme Court paused last month pending further review, faces significant legal hurdles but could ultimately benefit from the appellate court’s disproportionately conservative makeup. Most of the legal power in the fight was supplied by a much older and better funded group, the Alliance Defending Freedom, which has established ties with some of the country’s most elite political figures—former vice president Mike Pence and Supreme Court justice Amy Coney Barrett among them.

A contract in the leaked documents dated April 2021 shows the ADF agreeing to legally represent the College free of charge. It stipulates that ADF’s ability to subsidize expenses incurred during lawsuits would be limited by ethical guidelines; however, it could still forgive any lingering costs simply by declaring the College “indigent.”

In contrast to the College’s some 700 members, the American Academy of Pediatrics (AAP)–the organization from which the College’s founders split 20 years ago–has roughly 67,000. The rupture between the two groups was a direct result of a statement issued by the AAP in 2002. Modern research, the AAP said, had conclusively shown that the sexual orientation of parents had an imperceptible impact on the well-being of children, so long as they were raised in caring, supportive families.

Data visualization: DataWrapper

The College would gain notoriety early on by assailing the positions of the AAP. In 2005, a _Boston Globe_ reporter noted how common it had become for the American College of Pediatricians “to be quoted as a counterpoint” to anything said by the AAP. The institution, he wrote, had a rather “august-sounding name” for being run by a “single employee.” 

Internal documents show that the group’s directors quickly encountered hurdles operating on the fringe of accepted science. Some claimed to be oppressed. Most of the College’s research had been “written by one person,” according to minutes from a 2006 meeting, which were included in the leak. The College was failing to make a splash. In the future, one director suggested, papers rejected by medical journals “should be published on the web.” The vote to do so was unanimous (though the board decided the term “not published” was nicer than “rejected”). 

A second director put forth a motion to create a separate “scientific section” on the group’s website, strictly for linking to articles published in medical journals. The motion was quashed after it dawned on the board that they didn’t “have enough articles” to make the page “look professional.” 

The College struggled to identify the root cause of its runtedness. “To get enough clout,” one director said, “it would take substantial numbers, maybe 10,000.” (The College’s recruitment efforts would yield fewer than 7 percent of this goal in the following 17 years.) Yet another said the marketing department advised that “the College needs to pick a fight with the AAP and get on _Larry King Live_.” Another board member, the notes say, felt the organization was too busy trying to “walk the fence” by neglecting to acknowledge that “we are conservative and religious.”

American College of Pediatricians Leak Exposes 10,000 Confidential Files

Operation SpecTor likely drew on leads from multiple dark web market busts, including the secret takedown of Monopoly Market in 2021.

A decade ago, US law enforcement was content to swat down a dark web black market for drugs and send its dealers and buyers scrambling to the next biggest anonymous online bazaar on their list. Now, one sprawling set of worldwide takedowns has revealed how those investigators are casting a much wider dragnet—one that doesn’t merely target dark web administrators, but also mines their databases for leads to relentlessly trace and arrest hundreds of dealers from those markets around the world.

Today, the US Department of Justice, Europol, and a list of law enforcement agencies in at least nine countries from Brazil to Poland revealed Operation SpecTor, a collection of dark web investigations that led to the arrest of 288 people worldwide—153 of whom were in the US. Officials also announced the seizure of nearly 1 ton of drugs, $53 million in cash and cryptocurrencies, and 117 firearms. Europol simultaneously revealed that German police had taken down the dark web site Monopoly Market, which had gone offline in late 2021 under mysterious circumstances, leaving many of its users to wonder if the market’s administrators had pulled an “exit scam” in which they absconded with users’ funds.

In Operation SpecTor, investigators appear to have leveraged information obtained through the seizure of Monopoly’s servers and data from other dark web market takedowns in recent years to find leads on hundreds of the dark web’s drug dealers—and even customers—on an unprecedented scale. “This represents the most funds seized and the highest number of arrests in any coordinated international action led by the Department of Justice against drug traffickers on the dark web,” US Attorney General Merrick Garland told reporters in a press conference. “The Justice Department is cracking down on criminal cryptocurrency transactions and the online criminal marketplaces that enable them.”

Along with Monopoly, Operation SpecTor appears to have exploited information obtained in previous dark web takedowns too. In his statement, Garland referred to both the takedown of Hydra, a Russia-based market that served as a massive hub of online drug sales and money laundering, and the smaller dark web black market Genesis, which focused on cybercrime products and services. But the Monopoly takedown, in particular, was kept under wraps for well over a year as law enforcement agencies worldwide followed leads from the case: A statement from Europol notes that “target packages” were “created by cross-matching and analyzing the collected data and evidence” from the seizure of Monopoly’s infrastructure.

All of that points to law enforcement’s increasing exploitation of the bonanza of evidence obtained in dark web takedowns. This has allowed them to carry out more far-reaching roundups of the dark web’s most prolific dealers, who are often active across multiple markets. Cryptocurrency tracing has also played a central role in expanding those operation’s targets. The databases of transactions obtained in dark web busts, if they can be decrypted, offer starting points for cryptocurrency tracers, who can then follow the money across blockchains to cryptocurrency exchanges where drug profits have been cashed out, and which can often be subpoenaed for users’ identifying information.

“It’s indeed likely that the arrests are related to data from all the different takedowns,” says one former law enforcement official involved in dark web busts, who asked not to be named. “Law enforcement combines all the information from the different seized data sets in order to identify the high-value targets. And if you identify cryptocurrency wallet addresses, you can often link activities on the different markets together, and the crypto exchanges might have the missing know-your-customer information you’re looking for.” In previous busts of dark web markets in recent years—including AlphaBay, Hansa, Wall Street Market, and Dark Market—agents obtained that sort of historical database in each case, cracking open a wealth of new leads.

Those databases can lead investigators not only to dealers on dark web markets, but also to buyers. While the DOJ and Europol didn’t reveal if any of the 288 arrests in Operation SpecTor targeted buyers, FBI deputy director Paul Abbate referred in today’s press conference to the FBI’s 56 field offices around the country carrying out “knock-and-talks” for the first time. In these operations, agents warn drug buyers that they have been identified without necessarily making arrests or pursuing charges against them.

As big as the scale of Operation SpecTor may be, it’s by no means the first DOJ operation to arrest hundreds of the dark web’s dealers. In 2020, for instance, the Justice Department announced the arrest of 179 individuals in Operation DisrupTor, and in 2021 another 150 in HunTor. (Each of those operation names refers to Tor, the anonymity software that serves as a key component of the dark web’s hidden marketplaces.)

While SpecTor nearly doubles the head count of those previous roundups of dark web dealers, it also illustrates, perhaps, that even these massive crackdowns haven’t previously prevented new generations of dealers from immediately taking their places. Even as Garland, the attorney general, touted law enforcement’s repeated successes following those dealers’ trails, he seemed to concede that the dark web’s trade in criminal contraband isn’t going away.

“There is a bit of a whack-a-mole problem here,” Garland told reporters. “We’re whacking as hard as we can.”

Cops Just Revealed a Record-Breaking Dark Web Dragnet

The attackers were in thousands of corporate and government networks. They might still be there now. Behind the scenes of the SolarWinds investigation.

SolarWinds: The Untold Story of the Boldest Supply-Chain Hack

AI tools? A porn filter, but for Top Secret documents? Just classifying less stuff? US lawmakers are full of ideas but lack a silver bullet.

In the wake of the most recent classified leak case—this time allegedly involving a 21-year-old Air National Guard IT specialist, not a president—lawmakers on Capitol Hill are redoubling efforts to classify less information. But as lawmakers await more details on how cyber transport systems specialist Jack Teixeira was allegedly able to disseminate highly sensitive military documents on the chat app Discord, the growing consensus among lawmakers is that America’s classification protocols need to be overhauled.  

“It seems to me like we're trying to protect so much that the job becomes impossible, and then inevitably, things that really, really matter slip through the cracks,” US representative Adam Smith, the top Democrat on the House Armed Services Committee, told reporters upon leaving a classified briefing on the leak late last month. “That's the lesson for me, is if you try to do absolutely everything, then you can't do the things that you really want to do.”

Over-classification is one bookend, as Senate Intelligence chair Mark Warner puts it, which was on display as classified documents were found in the possession of President Joe Biden, former president Donald Trump, and former vice president Mike Pence. But this latest case reveals problems on the other end of the spectrum: Too many people have security clearances.

“Now we, in a sense, have potentially the worst of both worlds, where we have an over-classification problem and, at the same time, in the public domain it’s been reported that we have more than 4 million people with clearances,” Warner says. “So how do you square those?”

Lawmakers in both parties are now looking to technology for help as they negotiate how to best protect American secrets, while—if proponents get their way—also increasing transparency.

“This Is a Serious Situation”

The FBI arrested Teixeira on April 13 after a series of US military documents, some labeled “Top Secret,” surfaced online. Teixeira allegedly shared the documents with members of a Discord server as early as last December. Members of the Discord group reportedly claim that hundreds of documents, many of which pertain to Russia’s war against Ukraine, were shared with the group.

On Wednesday, two of Teixeira’s commanders were suspended, “pending further investigation into the unauthorized disclosure of classified information,” according to the US Air Force. In its 42-page filing, released ahead of Teixeira facing Magistrate Judge David Hennessy of the US District Court in Massachusetts on Thursday, the Department of Justice accuses the IT specialist of trying to destroy evidence and looking up mass shootings on his federal government computer. The Justice Department also claims Teixeira’s former access to classified information “far exceeds what has been publicly disclosed.” 

On Thursday, DOJ lawyers also said Teixeira owns a large number of firearms and that they found social media posts where he says he wants to kill a “ton of people.” Defense lawyers argued that Teixeira never meant for the classified material to be widely—let alone internationally—disseminated. The magistrate was skeptical. 

Meanwhile, at the Capitol, when they’re not fuming, lawmakers are befuddled.

“This is a serious situation. You just can’t let someone like this have access to this kind of classified information, and, if you do, you ought to at least use technology to block that person from being able to share it,” says Senator John Kennedy, a Louisiana Republican. “I mean, most of us can put controls on the internet to stop our kids from looking at pornography, for God’s sake. How hard is that?”

Pentagon officials are promising members of Congress another briefing in early June. In the meantime, lawmakers fear current protocols amount to a high-stakes game of whack-a-mole—a game the intelligence community continues to lose despite a series of high-profile leaks that led to changes in the protocols governing classified material.

In 2010, Army Private First-Class Chelsea Manning was arrested for sharing US intelligence with WikiLeaks. Then in 2013, NSA contractor Edward Snowden shared thousands of classified documents with reporters from _The Guardian_ and _The Washington Post_. Lawmakers say they don’t think those leaks could happen today, but they’re still pressing the Pentagon for answers.

“I believe—and I believe this, I don’t have complete proof—that some of the places that in the past where mistakes were made, may have had stricter protocols than the whole balance of the \[Department of Defense\],” Warner says.

Starting in 2018, the federal government replaced its old clearance protocol—where clearances were updated every five to 10 years—with a continuous vetting system for employees and contractors with security clearances that’s supposed to be fully implemented by October 1, 2023.

“One of the things that we have moved into in this internet-driven age is a process called continuous vetting, so even once you get a top-secret security clearance, you’re supposed to be vetted on an ongoing basis,” Warner says. “That raises a whole host of questions about posting in public or otherwise on the internet that, frankly, still need to be sorted out.” While the Discord leaks investigation continues, Warner says a top priority for lawmakers is making sure “continuous vetting in an internet-driven age actually can spot anomalies.”  

Too Many Secrets

Whether an updated system will involve artificial intelligence tools remains unknown, but some senators are pushing the intelligence community to embrace new technologies to help streamline and safeguard government secrets.

“They're going to need to come up with things like artificial intelligence and other things to be able to identify sensitive digital content so we can keep the truly important stuff secret but then make everything else available to the public,” says Senator John Cornyn, a Texas Republican.

Since classified documents from past administrations were found at Trump’s Mar-a-Lago in Florida, a Biden office and home in Delaware, and Pence’s Indiana home, lawmakers have been focusing on overclassification. Cornyn says he’s been a part of talks with Republican senator Jerry Moran of Kansas, Democratic senator Ron Wyden of Oregon, and Warner on how to streamline classification protocols. 

“I think there's just a lot of work that needs to be done and can be done, to provide more political accountability and, at the same time, raise standards for protecting truly sensitive national security information,” Cornyn says. “We need to have a better process for declassified information for historical purposes and lessons learned, so we're going to hopefully roll out a bill here pretty soon.”

Lawmakers remain perplexed over how all these classified documents keep getting out, in part because, at the Capitol, sensitive documents are kept under lock, armed guard, and key. Beyond that, many fear the culture around classified documents is too lax throughout the executive branch.

From 2009 to 2013, Don Beyer served as ambassador to Switzerland and Liechtenstein, where he took extraordinary measures to protect classified documents. “I made a rule that, mostly, I would actually go to our base office and have them talk to me about it. Or if they came to my office with it, you stand right there while I read it. I never want it on my desk,” Beyer says of classified material. “There's never a phone in that office. Every phone was left outside. In every office in our building, you had to leave your cell phone outside.”  

Now that he’s a Democratic representative from Virginia, Beyer is also wondering what role overclassification is playing in all these high-stakes blunders. “When you classify so much stuff, more people have the clearances in order to be able to do their job,” Beyer says. “So if you could rationalize it, maybe you can shrink the number of people who need a clearance.” 

The ‘Need-to-Share’ Era

Even as US officials and lawmakers are focused on keeping American secrets, well, secret, others are warning against overreacting. Information flies these days.

“It's a problem. We’ve got to figure out a better system, obviously, going forward. But you’ve got to balance that against the need for people to have access to information as well,” says Representative Mike Gallagher, the Wisconsin Republican who chairs the new House select committee on China. “I think it's just an increasing trend in the 21st century, which is, we're going to have to move from this kind of need-to-know culture to a need-to-share in the government and with our allies.”

Disinformation, as this most recent leak of classified documents showcases, flies too. Versions of the sensitive files Teixeira allegedly shared with his buddies on Discord were later posted on pro-Russian Telegram channels, but they’d been crudely altered to make Russia look better and Ukraine look worse.

“Some of them have been doctored. Some adjusted, I’m sure, by the defendant himself, so assessing what the potential damage is and how to prevent that from occurring will be an ongoing process,” says Senator Mitt Romney, a Utah Republican.

Technological fixes can only go so far. Plus, for the time being, there’s always a human at the other end—and there’s no AI fix for human nature, at least not yet.

“I think the fundamental dilemma remains, which is that, ultimately, when you give someone a top-secret clearance, you’re placing an enormous amount of trust in that person. It’s hard to design software—or a policy—to fix the problem of human beings doing bad things," Gallagher says. “So there's some level of risk just built into the system that I think it's impossible to be reduced to zero. It’s not obvious to me right yet what the right fix is. We're trying to figure that out.”

The High-Stakes Scramble to Stop Classified Leaks

Firefox gets a needed tune-up, SolarWinds squashes two high-severity bugs, Oracle patches 433 vulnerabilities, and more updates you should make now.

Given the number and seriousness of the issues, Chrome users should prioritize checking that their current version is up to date.

Mozilla Firefox

Chrome rival Firefox has fixed issues in Firefox 112, Firefox for Android 112, and Focus for Android 112. Among the flaws is CVE-2023-29531, an out-of-bound memory access in WebGL on macOS rated as having a high impact. Meanwhile, CVE-2023-29532 is a bypass flaw affecting Windows, which requires local system access.

CVE-2023-1999 is a double-free in libwebp that could result in memory corruption and a potentially exploitable crash, Firefox owner Mozilla wrote in an advisory.

Mozilla also fixed two memory safety bugs, CVE-2023-29550 and CVE-2023-29551. “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code,” the browser maker said.

SolarWinds

IT giant SolarWinds has patched two high-severity issues in its platform that could lead to command execution and privilege escalation. Tracked as CVE-2022-36963, the first issue is a command-injection flaw in SolarWinds’ infrastructure monitoring and management product, the firm wrote in a security advisory. If exploited, the bug could allow a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands.

Another high-severity issue is CVE-2022-47505, a local privilege escalation vulnerability that a local adversary with a valid system user account could use to escalate privileges.

The latest SolarWinds patch fixes several more issues rated as having a medium impact. None have been used in attacks, but if you are impacted by the flaws, it makes sense to update as soon as possible.

Oracle

April has been a big month for enterprise software maker Oracle, which has issued fixes for 433 vulnerabilities, 70 of which are rated as having a critical severity. These include issues in the Oracle GoldenGate Risk Matrix, including CVE-2022-23457, which has a CVSS base score of 9.8. The issue may be remotely exploitable without authentication, Oracle said in its advisory.

The April fixes also contain six new patches for Oracle Commerce. “All of these vulnerabilities may be remotely exploitable without authentication,” Oracle warned.

Due to the threat posed by a successful attack, Oracle “strongly recommends” that customers apply Critical Patch Update security fixes as soon as possible.

Cisco

Software firm Cisco has released fixes for vulnerabilities that could allow an authenticated, local attacker to escape the restricted shell and gain root privileges on the underlying operating system.

CVE-2023-20121, which affects Cisco EPNM, Cisco ISE, and Cisco Prime Infrastructure, is a  command-injection vulnerability. An attacker could exploit the flaw by logging in to the device and issuing a crafted CLI command. “A successful exploit could allow the attacker to escape the restricted shell and gain root privileges on the underlying operating system of the affected device,” Cisco said, adding that the attacker must be an authenticated shell user to exploit the flaw.

Meanwhile, CVE-2023-20122 is a command-injection vulnerability in the restricted shell of Cisco ISE that could allow an authenticated, local attacker to escape the restricted shell and gain root privileges on the underlying operating system.

SAP

It’s been another busy Patch Day for SAP, which saw the release of 19 new Security Notes. Among the fixes are CVE-2023-27497, comprising multiple vulnerabilities in SAP Diagnostics Agent. Another notable patch is CVE-2023-28765, an information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform. A missing password protection enforcement allows an attacker to access the lcmbiar file, according to security firm Onapsis. “After successful decryption of its content, the attacker could gain access to a user’s passwords,” the firm explained. “Depending on the authorizations of the impersonated user, an attacker could completely compromise the system’s confidentiality, integrity, and availability.”

Apple, Google, and Microsoft Just Fixed Zero-Day Security Flaws

Plus: Cyber Command’s disruption of Iranian election hacking, an exposé on child sex trafficking on Meta’s platforms, and more.

Ransomware gangs have long sought pain points where their extortion demands have the greatest leverage. Now an investigation from NBC News has made clear what that merciless business model looks like when it targets kids: One ransomware group's giant leak of sensitive files from the Minneapolis school system exposes thousands of children at their most vulnerable, complete with behavioral and psychological reports on individual students and highly sensitive documentation of cases where they've allegedly been abused by teachers and staff.

We'll get to that. But first, WIRED contributor Kim Zetter broke the news this week that the Russian hackers who carried out the notorious SolarWinds espionage operation were detected in the US Department of Justice's network six months earlier than previously reported—but the DOJ didn't realize the full scale of the hacking campaign that would later be revealed. 

Meanwhile, WIRED reporter Lily Hay Newman was at the RSA cybersecurity conference in San Francisco, where she brought us stories of how security researchers disrupted the operators of the Gootloader malware who sold access to victims' networks to ransomware groups and other cybercriminals, and how Google Cloud partnered with Intel to hunt for and fix serious security vulnerabilities that underlie critical cloud servers. She also captured a warning in a talk from NSA cybersecurity director Rob Joyce, who told the cybersecurity industry to "buckle up" and prepare for big changes to come from AI tools like ChatGPT, which will no doubt be wielded by both attackers and defenders alike.

On that same looming AI issue, we looked at how the deepfakes enabled by tools like ChatGPT, Midjourney, DALL-E, and StableDiffusion will have far-reaching political consequences. We examined a newly introduced US bill that would ban kids under the age of 13 from joining social media. We tried out the new feature in Google's Authenticator App that allows you to back up your two-factor codes to a Google account in case you lose your 2FA device. And we opined—well, ranted—on the ever-growing sprawl of silly names that the cybersecurity industry gives to hacker groups.

But that’s not all. Each week, we round up the news we didn’t report in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

What happens when a school system is targeted by a ransomware group, refuses to pay, and thus gets their stolen data dumped wholesale onto the dark web? Well, it's even worse than it sounds, as NBC's Kevin Collier found this week when he dug through portions of a trove of 200,000 files leaked online after the Minneapolis public school system was hit by hackers earlier this year. 

The leaked files include detailed dossiers linking children by name, birth date, and address to a laundry list of highly private information: their special needs, their psychological profiles and behavioral analyses, their medications, the results of intelligence tests, and which kids' parents have divorced, among many other sensitive secrets. In some cases, the files even note which children have been victims of alleged abuse by school teachers or staff. The hackers also took special pains to publicly promote their toxic dump of children's information, with links posted to social media sites and a video showing off the files and instructing viewers how to download them.

The Minneapolis school system is offering free credit monitoring to parents and children affected by the data dump. But given the radioactive nature of the personal information released by the hackers, identity fraud may be the least of their victims' worries.

In a rare declassified disclosure at a panel at this week's RSA Conference, General William Hartman revealed that US Cyber Command had disrupted an Iranian hacking operation that targeted a local elections website ahead of the 2020 election. According to Hartman, who leads Cyber Command's National Mission Force, the intrusion couldn't have affected actual vote counts or voting machines, but—had Cyber Command's own hackers not kiboshed the operation—might have potentially been used to post false results as part of a disinformation effort. 

Hartman named the Iranian hackers as a group known as Pioneer Kitten, also sometimes referred to as UNC757 or Parisite, but didn't name the specific elections website that they targeted. Hartman added that the hacking operation was found thanks to Cyber Command's Hunt Forward operations, in which it hacks foreign networks to preemptively discover and disrupt adversaries who target the US.

Following a two-year investigation, _The Guardian_ this week published a harrowing exposé on Facebook and Instagram's use as hunting grounds for child predators, many of whom traffic in children as sexual abuse victims for money on the two social media services. Despite the claims of the services' parent company Meta that it's closely monitoring its services for child sexual abuse materials or sexual trafficking, _The_ _Guardian_ found horrific cases of children whose accounts were hijacked by traffickers and used to advertise them for sexual victimization. 

One prosecutor who spoke to _The Guardian_ said that he'd seen child trafficking crimes on social media sites increase by about 30 percent each year from 2019 to 2022. Many of the victims were as young as 11 or 12 years old, and most were Black, Latinx, or LGBTQ+.

A group of hackers has been taking over AT&T email accounts—the telecom provider runs email domains including att.net, sbcglobal.net, bellsouth.net—to hack their cryptocurrency wallets, TechCrunch reports. 

A tipster tells TechCrunch that the hackers have access to a part of AT&T's internal network that allows them to generate "mail keys" that are used to offer access to an email inbox via email applications like Thunderbird or Outlook. The hackers then use that access to reset the victims' passwords on cryptocurrency wallet services like Gemini and Coinbase, and, according to TechCrunch's source, have already amassed between $10 million and $15 million in stolen crypto, though TechCrunch couldn't verify those numbers.

The Tragic Fallout From a School District’s Ransomware Breach

Maybe you don't want your phone number, email, home address, and other details out there for all the web to see. Here's how to make them vanish.

Last year, Google expanded the ways you can submit removal requests for search results containing personal info. Before this change, people had to meet a very high bar to get results with sensitive data wiped. Finding personal details in a Google search, like a home address or phone number, can be quite frightening, but you can take action to protect your privacy.

In addition to the removal of personal information, Google is considering removal requests for images of minors, as well as deepfake pornography and other explicit content. Although getting results scrubbed from Google Search won’t remove web pages from the internet, it will divert one of the biggest drivers of traffic.

There’s no guarantee that unwanted search results will disappear completely, however. As a result of your request, the web page could be removed from all searches on Google, only searches involving your name, or none of the above. For more information about disappearing digitally and services like DeleteMe, check out WIRED’s tips on deleting yourself from the internet.

At the time of the announcement, Michelle Chang, Google’s global policy lead for search, wrote “Open access to information is a key goal of Search, but so is empowering people with the tools they need to protect themselves and keep their sensitive, personally identifiable information private.” The new procedures can protect against malicious doxxing, as well as information leaks that are only implicit threats.

To begin the removal process, visit the topic’s support page, scroll halfway down, and click the blue **Start Removal request** button. You will initially be asked whether you have reached out to the owners of the website. It is not necessary to do this, so you can just tap **No, I prefer not to**. When Google asks what you would like removed, select: **Personal info, like ID numbers and private documents**.

Then you can specify what type of personal information is showing up in Google Search, such as your contact details or driver’s license. These steps are only for removing results from live websites; there’s a separate form to fill out for cached pages. Check the box indicating that the content is live. The next question asks whether the request pertains to doxxing, which Google defines as “contact information being shared with malicious, threatening, or harassing intent.”

After that, Google requests your full name, country of residence, and email. You are only permitted to submit takedown requests for results pertaining to yourself or someone you officially represent.

You can submit up to 1,000 links at once. Google asks for the URL of the offending content or image, and the company wants you to share the search results where it shows up. For more directions on gathering these links, check out Google’s guide to finding content URLs, image URLs, and search results page URLs.

Attach a screenshot to your request showing where on the web page your personal info is appearing. Near the end of the form, you will be asked to share a list of relevant search terms, such as your full name, nickname, and maiden name. You are given the opportunity to share supplemental details before signing and submitting the removal request.

You should get a confirmation email from Google indicating that the removal request was received. It’s not clear how long it will take to review your case, but Google will let you know when it has decided to take action—or do nothing at all. The company promises to include brief explanations with any rejections and allows repeat submissions.

How to Remove Your Personal Info From Google's Search Results

In May 2020, the US Department of Justice noticed Russian hackers in its network but did not realize the significance of what it had found for six months.

The US Department of Justice, Mandiant, and Microsoft stumbled upon the SolarWinds breach six months earlier than previously reported, WIRED has learned, but were unaware of the significance of what they had found.

The breach, publicly announced in December 2020, involved Russian hackers compromising the software maker SolarWinds and inserting a backdoor into software served to about 18,000 of its customers. That tainted software went on to infect at least nine US federal agencies, among them the Department of Justice (DOJ), the Department of Defense, Department of Homeland Security, and the Treasury Department, as well as top tech and security firms including Microsoft, Mandiant, Intel, Cisco, and Palo Alto Networks. The hackers had been in these various networks for between four and nine months before the campaign was exposed by Mandiant. 

WIRED can now confirm that the operation was actually discovered by the DOJ six months earlier, in late May 2020—but the scale and significance of the breach wasn’t immediately apparent. Suspicions were triggered when the department detected unusual traffic emanating from one of its servers that was running a trial version of the Orion software suite made by SolarWinds, according to sources familiar with the incident. The software, used by system administrators to manage and configure networks, was communicating externally with an unfamiliar system on the internet. The DOJ asked the security firm Mandiant to help determine whether the server had been hacked. It also engaged Microsoft, though it’s not clear why the software maker was also brought onto the investigation.

It’s not known what division of the DOJ experienced the breach, but representatives from the Justice Management Division and the US Trustee Program participated in discussions about the incident. The Trustee Program oversees the administration of bankruptcy cases and private trustees. The Management Division advises DOJ managers on budget and personnel management, ethics, procurement, and security.

Investigators suspected the hackers had breached the DOJ server directly, possibly by exploiting a vulnerability in the Orion software. They reached out to SolarWinds to assist with the inquiry, but the company’s engineers were unable to find a vulnerability in their code. In July 2020, with the mystery still unresolved, communication between investigators and SolarWinds stopped. A month later, the DOJ purchased the Orion system, suggesting that the department was satisfied that there was no further threat posed by the Orion suite, the sources say.

A DOJ spokesperson confirmed that the incident and investigation occurred but wouldn’t provide any details about what investigators concluded. “While the incident response and mitigation effort was completed, the FBI’s criminal investigation remained open throughout,” the spokesperson wrote in an email. WIRED confirmed with sources that Mandiant, Microsoft, and SolarWinds were involved in discussions about the incident and investigation. All three companies declined to discuss the matter.

The DOJ told WIRED that it notified the US Cybersecurity and Infrastructure Agency (CISA) about the breach at the time it occurred—though a US National Security Agency spokesperson expressed frustration that the agency was not also notified. But in December 2020, when the public learned that a number of  federal agencies were compromised in the SolarWinds campaign—the DOJ among them—neither the DOJ nor CISA revealed to the public that the operation had unknowingly been found months earlier. The DOJ initially said its chief information officer had discovered the breach on December 24.

In November 2020, months after the DOJ completed the mitigation of its breach, Mandiant discovered that it had been hacked, and traced its breach to the Orion software on one of its servers the following month. An investigation of the software revealed that it contained a backdoor that the hackers had embedded in the Orion software while it was being compiled by SolarWinds in February 2020. The tainted software went out to about 18,000 SolarWinds customers, who downloaded it between March and June, right around the time the DOJ discovered the anomalous traffic exiting its Orion server. The hackers chose only a small subset of these to target for their espionage operation, however. They burrowed further into the infected federal agencies and about 100 other organizations, including technology firms, government agencies, defense contractors, and think tanks.

Mandiant itself got infected with the Orion software on July 28, 2020, the company told WIRED, which would have coincided with the period that the company was helping the DOJ investigate its breach.

When asked why, when the company announced the supply-chain hack in December, it didn’t publicly disclose that it had been tracking an incident related to the SolarWinds campaign in a government network months earlier, a spokesperson noted only that “when we went public, we had identified other compromised customers.”

The incident underscores the importance of information-sharing among agencies and industry, something the Biden administration has emphasized. Although the DOJ had notified CISA, a spokesperson for the National Security Agency told WIRED that it didn’t learn of the early DOJ breach until January 2021, when the information was shared in a call among employees of several federal agencies.

That was the same month the DOJ—whose 100,000-plus employees span multiple agencies including the FBI, Drug Enforcement Agency, and US Marshals Service—publicly revealed that the hackers behind the SolarWinds campaign had possibly accessed about 3 percent of its Office 365 mailboxes. There are conflicting reports about whether this attack was part of the SolarWinds campaign or carried out by the same actors. Six months later, the department expanded on this and announced that the hackers had managed to breach email accounts of employees at 27 US Attorneys' offices, including ones in California, New York, and Washington, DC. 

In its latter statement, the DOJ said that to “encourage transparency and strengthen homeland resilience,” it wanted to provide new details, including that the hackers were believed to have had access to compromised accounts from about May 7 to December 27, 2020. And the compromised data included “all sent, received, and stored emails and attachments found within those accounts during that time.”

The investigators of the DOJ incident weren’t the only ones to stumble upon early evidence of the breach. Around the same time of the department’s investigation, security firm Volexity, as the company previously reported, was also investigating a breach at a US think tank and traced it to the organization’s Orion server. Later in September, the security firm Palo Alto Networks also discovered anomalous activity in connection with its Orion server. Volexity suspected there might be a backdoor on its customer’s server but ended the investigation without finding one. Palo Alto Networks contacted SolarWinds, as the DOJ had, but in that case as well, they failed to pinpoint the problem.

Senator Ron Wyden, an Oregon Democrat who has been critical of the government’s failure to prevent and detect the campaign in its early stages, says the revelation illustrates the need for an investigation into how the US government responded to the attacks and missed opportunities to halt it.

“Russia’s SolarWinds hacking campaign was only successful because of a series of cascading failures by the US government and its industry partners,” he wrote in an email. “I haven’t seen any evidence that the executive branch has thoroughly investigated and addressed these failures. The federal government urgently needs to get to the bottom of what went wrong so that in the future, backdoors in other software used by the government are promptly discovered and neutralized.“

Source

Wired