Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Ever feel like you need a little distance from the Internet? Come up with a clever cybersecurity-related caption to describe the scene, above, and our favorite will win a $25 Amazon gift card.

Here are four convenient ways to, well, voice your ideas before the May 29, 2024, deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Aaron Foechterle, a data security analyst at The Exchange, is our latest recipient of a $25 Amazon gift card. His winning caption for last month's "Defying Gravity" contest is below. And a big thank you to everyone who submitted their ideas.

**About the Author(s)**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: Puppet Master

Here at Red Hat, we’ve spent over a decade building up the power of Red Hat Insights, making it one of the most valuable pieces of technology included in your Red Hat subscription.  We’ve integrated with industry-leading technologies like IBM X-Force, we’ve grown invaluable data sets from our own support cases, and we’ve extended our reach to deliver Insights wherever you work. See What the Insights portfolio can do for you.One thing that's been a blocker for US government customers and contractors has been FedRAMP. But that's a blocker no more! Through a long process of sponsorship, d

Here at Red Hat, we’ve spent over a decade building up the power of Red Hat Insights, making it one of the most valuable pieces of technology included in your Red Hat subscription.  We’ve integrated with industry-leading technologies like IBM X-Force, we’ve grown invaluable data sets from our own support cases, and we’ve extended our reach to deliver Insights wherever you work. See What the Insights portfolio can do for you.

One thing that's been a blocker for US government customers and contractors has been FedRAMP. But that's a blocker no more! Through a long process of sponsorship, development, and assessment, Red Hat Insights is an approved service, with or without Red Hat OpenShift Service on AWS (ROSA). Red Hat Insights has received the FedRAMP High Agency authority to operate (ATO), and Red Hat is listed as Ready for the JAB  authorization process. 

So what does this mean, what does it bring you, and how can US government agencies get onboard?

****What is FedRAMP?****

FedRAMP is the authorization program for a cloud service provider (CSP) like Red Hat that shows it's approved for use by US government agencies and the contractors that serve them. And Red Hat Insights has been determined to be an environment that meets all the guidelines required for FedRAMP authorization.

A FedRAMP authorization ensures that a CSP is abiding by the government's NIST framework, and other government regulations, for operating secure environments.   Its guidelines provide US government agencies safe and reliable options for using cloud-based products. Instead of forcing every agency to individually go through an RFI (request for information) process for each provider it wants to use, FedRAMP assesses companies and grants approval to those that qualify.

****Where do I start?****

For departments that are looking for more information, a great place to start is the FedRAMP Marketplace.  The Marketplace lists all FedRAMP approved companies along with information about their cloud service offerings (CSO). On Red Hat's agency ATO (Authority to Operate) listing, you can download a package request form to be vetted by the FedRAMP Program Management Office (PMO) to gain access to Red Hat’s FedRAMP security package.  This package contains documentation about our architecture and processes, as well as our assessment results, showing how we satisfied each FedRAMP requirement. It also contains our Continuous Monitoring documentation to show how we continue to meet those requirements.

Red Hat initially pursued FedRAMP authorization for Red Hat OpenShift on AWS (ROSA). During that process, we added Red Hat Insights into that authorization as a  significant change request (SCR). Both are offered together or separately under the same ATO. 

****What’s next?****

Once you feel confident that all internal approvals are met, contact your account team for more details, or simply fill out the application to apply for entry into the FedRAMP environment.  Customers must apply for entry so that we can limit access to US government departments and agencies or contractors that have an active US government contract.  No other customers are permitted to use this environment. 

As a part of this application, we verify a few things:

1.  You are a US government agency or department, or have an active contract
2.  Your primary user is living in the US and is a US citizen (or has been granted permanent US residency)
3.  You have an active Red Hat subscription

Once our stateside support team confirms these three pieces of information, we configure your account.

****What should I expect from the FedRAMP environment?****

It’s important to note that the FedRAMP instance of Insights is a completely separate environment from our commercial product.  You have a handful of different experiences. Here are some of the major ones:

1.  _**Stateside support:**_ As a requirement of FedRAMP, you communicate and troubleshoot with Red Hat’s stateside support team when you receive support for Insights. This means you’ll be asked to set up ServiceNow credentials to correspond with the proper team. This team has also been vetted according to government requirements, and consists of US citizens (or those who have been granted permanent US residency)
2.  _**Boundary:**_ Insights leverages Amazon Web Services GovCloud infrastructure to run the FedRAMP environment, and all aspects of that infrastructure need to remain "in boundary".  This means you’ll use a different login URL, a different authentication tool, and have some limited services to maintain the proper security stance of data flows
3.  _**Connection:**_ You can connect your hosts to the FedRAMP Insights environment through your Satellite servers.  To allow data flow from your Satellite into the restricted FedRAMP boundary, you need to provide your IP ranges and register your Satellite to send data to the FedRAMP environment.  Stateside support walks you through both of these processes. Note that “direct connecting” a host without a satellite is not supported at this time
4.  _**Feature Delivery:**_ Due to extra change controls within the FedRAMP environment, changes to the Insights applications slightly lag behind those made in the commercial environment. This doesn't impact any of the monitoring capabilities of Insights, like our Vulnerability service

One major consistency between these two environments is their cost.  Insights is included in your Red Hat subscription, at no extra cost, no matter the environment you choose. 

****Get started****

Once the approvals and setup are complete, you’re ready to onboard like normal Insights users. I recommend setting up inventory groups, configuring your RBAC, and digging into the portfolio of features available for you. Not sure where to start?  Insights Vulnerability and Content are some of our most popular services. 

We’re thrilled to bring the power of Insights to US federal use cases, and we're honored to have been approved for the FedRAMP program.  If you want more information on this offer, please reach out to your account team, visit our website, or email me directly at mmeza@redhat.com.

Beyond the lingo:  What does Red Hat Insights and FedRAMP mean for your workload?

Lonial Con discovered that the netfilter subsystem in the Linux kernel contained a memory leak when handling certain element flush operations. A local attacker could use this to expose sensitive information (kernel memory). Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel did not properly handle inactive elements in its PIPAPO data structure, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Various other issues were also addressed.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS  
-   Ubuntu 18.04 LTS  
-   Ubuntu 22.04 LTS

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel  
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems  
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems  
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems  
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems  
-   linux-ibm - Linux kernel for IBM cloud systems

Details

Lonial Con discovered that the netfilter subsystem in the Linux kernel  
contained a memory leak when handling certain element flush operations.  
A local attacker could use this to expose sensitive information (kernel  
memory). (CVE-2023-4569)

Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel  
did not properly handle inactive elements in its PIPAPO data structure,  
leading to a use-after-free vulnerability. A local attacker could use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2023-6817)

It was discovered that a race condition existed in the AppleTalk  
networking subsystem of the Linux kernel, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code.  
(CVE-2023-51781)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel  
did not properly check deactivated elements in certain situations,  
leading to a use-after-free vulnerability. A local attacker could use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2024-0193)

Lonial Con discovered that the netfilter subsystem in the Linux kernel  
did not properly handle element deactivation in certain cases, leading  
to a use-after-free vulnerability. A local attacker could use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2024-1085)

Notselwyn discovered that the netfilter subsystem in the Linux kernel  
did not properly handle verdict parameters in certain cases, leading to  
a use- after-free vulnerability. A local attacker could use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2024-1086)

In the Linux kernel, the following vulnerability has been resolved:   
net: qualcomm: rmnet: fix global oob in rmnet_policy The variable   
rmnet_link_ops assign a bigger maxtype which leads to a global out-of-  
bounds read when parsing the netlink attributes. (CVE-2024-26597)

Update instructions

The problem can be corrected by updating your kernel livepatch to the  
following versions:

Ubuntu 20.04 LTS  
    aws - 103.1  
    aws - 103.2  
    aws - 103.3  
    azure - 103.3  
    gcp - 103.2  
    gcp - 103.3  
    generic - 103.1  
    generic - 103.2  
    generic - 103.3  
    gke - 103.3  
    ibm - 103.2  
    lowlatency - 103.1  
    lowlatency - 103.2  
    lowlatency - 103.3

Ubuntu 18.04 LTS  
    aws - 103.3  
    azure - 103.3  
    gcp - 103.3  
    generic - 103.3  
    lowlatency - 103.3

Ubuntu 22.04 LTS  
    aws - 103.1  
    aws - 103.2  
    aws - 103.3  
    azure - 103.1  
    azure - 103.2  
    azure - 103.3  
    gcp - 103.1  
    gcp - 103.2  
    generic - 103.1  
    generic - 103.2  
    generic - 103.3  
    gke - 103.1  
    gke - 103.2  
    gke - 103.3  
    ibm - 103.1  
    ibm - 103.2  
    ibm - 103.3

Support Information

Livepatches for supported LTS kernels will receive upgrades for a period  
of up to 13 months after the build date of the kernel.

Livepatches for supported HWE kernels which are not based on an LTS  
kernel version will receive upgrades for a period of up to 9 months  
after the build date of the kernel, or until the end of support for that  
kernel’s non-LTS distro release version, whichever is sooner.

References

-   CVE-2023-4569  
-   CVE-2023-6817  
-   CVE-2023-51781  
-   CVE-2024-0193  
-   CVE-2024-1085  
-   CVE-2024-1086  
-   CVE-2024-26597

Kernel Live Patch Security Notice LSN-0103-1

There is yet another attack possible against Protected Media Path process beyond the one involving two global XOR keys. The new attack may also result in the extraction of a plaintext content key value.

    Hello All,There is yet another attack possible against Protected Media Pathprocess beyond the one involving two global XOR keys [1]. The newattack may also result in the extraction of a plaintext content keyvalue.The attack has its origin in a white-box crypto [2] implementation.More specifically, one can devise plaintext content key from white-boxcrypto data structures of which goal is to make such a reconstructiondifficult / not possible. This alone breaks one of the main securityobjective of white-box cryptography which is to protect the secret key(unbreakability) [3].Contrary to the initial (XOR key) attack, the white-box crypto attackis not limited to the given narrow time window (white-box datastructures need to be present for the time of a movie decryption /playback). Fixing it might require a completely new approach /implementation (current one is obviously flawed).In that context, white-box crypto attack seems to be more severe thanthe XOR key one.Additionally, a cryptographic check proving that extracted key valuescorrespond to real keys has been conducted for Canal+ Online, Netflix,HBO Max, Amazon Prime Video and Sky Showtime.The check relies on a digital cryptographic signature verification.Such a signature is appended at the end of each license issued byPlayReady license server.The crypto check works as following:- plaintext value of a digital signature key encrypted through ECC isextracted from a Protected Media Path process- the extracted signature key is used to calculate the AES-CMAC valueof a binary licence XMR blob- the calculated signature value is checked against the signatureappended at the end of the issued license- correct AES-CMAC value implicates correct signature key (and correctcontent key)The above mechanism is also used by Microsoft to verify thecorrectness of decrypted content keys received from a license server.It relies on the fact that signature key is part of the same encryptedlicense blob as content key. Thus, successful extraction of asignature key implicates successful extraction of a content key.In the context of no confirmation / denial [4] from the platformsindicated above as being affected, the crypto check should constitutesufficient proof to support that claim alone.Thank you.Best Regards,Adam Gowdiak----------------------------------Security Explorations -AG Security Research Labhttps://security-explorations.com----------------------------------References:[1] Microsoft Warbird and PMP security research    https://security-explorations.com/microsoft-warbird-pmp.html[2] White-box cryptography, Wikipedia    https://en.wikipedia.org/wiki/White-box_cryptography[3] White-Box Security Notions for Symmetric Encryption Schemes    https://eprint.iacr.org/2013/523.pdf[4] Microsoft DRM Hack Could Allow Movie Downloads From PopularStreaming Services    https://www.securityweek.com/microsoft-drm-hacking-could-allow-movie-downloads-from-popular-streaming-services/

Microsoft PlayReady Cryptography Weakness

Plus: Google holds off on killing cookies, Samourai Wallet founders get arrested, and GM stops driver surveillance program.

Controversial gunshot-detection company ShotSpotter has deployed more than 25,000 microphones across 170 cities worldwide. This week, WIRED and _South Side Weekly_ revealed the company may continue to provide gunshot data to police in cities even after contracts have ended. Internal emails seen by the publications suggest ShotSpotter sensors may have stayed online despite law enforcement deals having expired, raising questions about what will happen to 2,500 microphones in Chicago when its contract runs out at the end of the year.

Elsewhere, Change Healthcare finally admitted to paying a ransom to the AlphV hackers, also known as BlackCat, that extorted the medical company. Weeks ago, WIRED revealed the attackers were paid $22 million, one of the largest ransomware payments ever. However, in a statement this week the company admitted for the first time that it paid the ransom as part of its effort “to do all it could to protect patient data from disclosure.” Some of that data still found its way onto the dark web.

In another successful grift, researchers have found animators in North Korea creating artwork for major Hollywood studios. A misconfigured North Korea cloud server, discovered at the end of last year, contained thousands of animation files, notes, and working documents for productions of shows that stream on Amazon Prime Video and Max. The companies likely didn’t know workers from the Hermit Kingdom were creating the artwork, but it’s another example of how North Korea is using skilled workers to circumvent sanctions and make the regime money.

Meanwhile, Cisco revealed this week that some of its devices, called Adaptive Security Appliances, have been targeted by state-sponsored hackers who exploited two zero-day vulnerabilities in the systems. The attack, dubbed ArcaneDoor, is believed to have had an espionage focus and sources suspect China’s state-backed hackers may be the culprits.

The November presidential elections may still be months away, but the next US president will have increased surveillance capabilities. This week Joe Biden signed a controversial bill extending and enhancing Section 702 of the Foreign Intelligence Surveillance Act. FISA allows spy agencies to collect Americans’ calls, emails, and more when pursuing foreign intelligence. Critics say the changes are “a gift to any president who may wish to spy on political enemies.”

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**School Principal Framed Using AI Voice Deepfake**

In January, an Instagram account in Baltimore, Maryland, posted an alleged audio recording of local school principal Eric Eiswert making racist and antisemitic comments. Baltimore County Public Schools quickly opened an investigation into the incident. However, this week, a former athletic director at Pikesville High School was arrested after police said he used artificial intelligence software to create the fake audio clip of Eiswert. The audio included comments about “ungrateful Black kids” and disparaging remarks about the Jewish community.

Dazhon Darien, the former staff member, was arrested after being stopped in possession of a gun at an airport when officials saw there was an outstanding arrest warrant, the _Baltimore Banner_ reported. The media organization reports that Darien was charged with disrupting school activities and stalking. The fake clip was allegedly made in retaliation for the principal investigating Darien over irregular payments to his roommate.

Police reports, the _Banner_ says, indicate that the audio clip had a “profound” impact on the school principal. “It not only led to Eiswert’s temporary removal from the school but also triggered a wave of hate-filled messages on social media and numerous calls to the school,” police reports said.

Voice-cloning technology, which can fall under the broader banner of deepfake technology, has rapidly improved within the last year. Cloning tools can recreate someone’s voice to a relatively realistic level using just a few seconds of real audio. The systems have increasingly been used to impersonate politicians and scam people over the phone.

**General Motors Stops Driving Surveillance, Following Privacy Complaints**

Your car knows a lot about you—from where and how you drive, to your weight and how you sit. This week, following a series of revelations from _New York Times_ reporter Kashmir Hill, General Motors announced it will end its “Smart Driver” program and unenroll all customers. Until the reports from the _Times_, GM was sharing data with data brokers LexisNexis and Verisk, which shared it with insurers and led to high payments for some people. The OnStar Smart Driver program had been designed to promote safer driving, GM said. However, many people were not aware they had been enrolled in the system. Ten lawsuits have been filed so far about the Smart Driver program and how it shared data.

**Google Delays Killing Cookies—Again**

In January 2020, Google said it would remove third-party cookies from Chrome within two years—following Safari, Brave, Firefox, and other browsers in eradicating the tracking technology. It’s now April 2024 and the company has delayed the change for a third time, saying it’ll happen in 2025. Google’s proposed cookie replacement has faced scrutiny from competition and privacy regulators in the UK, with critics saying cookies are just being replaced by another form of tracking and suggesting the changes could further benefit Google’s ad business.

**Samourai Wallet Founders Arrested Over $2 Billion Unlawful Transactions**

Keonne Rodriguez and William Lonergan Hill, the founders of crypto-mixing service Samourai Wallet, were charged by US prosecutors this week for running an unlicensed money transfer business and conspiracy to commit money laundering. The company processed $2 billion in “unlawful transactions” and “facilitated more than $100 million in money laundering,” according to Damian Williams, the United States Attorney for the Southern District of New York, and other investigators. The charges can carry a maximum of 20 years each. The move comes as US prosecutors try to clampdown on crypto mixing services that may be used to hide funds or allow illicit behavior. Mixers Bitcoin Fog, Helix, and Tornado Cash have all faced action in recent years.

**Chinese Keyboard Vulnerabilities Could Reveal Typing**

New research from the University of Toronto’s Citizen Lab this week revealed vulnerabilities in eight Chinese keyboard apps that, if exploited, could allow everything typed to be intercepted. Up to a billion people may be impacted, the researchers say. They tested apps from major technology companies and phone makers, including Baidu, Honor, Huawei, Samsung and Tencent. “Most of the vulnerable apps can be exploited by an entirely passive network eavesdropper,” they researchers write, adding that most of the impacted companies fixed the vulnerabilities when they were reported.

School Employee Allegedly Framed a Principal With Racist Deepfake Rant

The refunds will be made to individual affected customers through thousands of PayPal payments, available to be redeemed for a limited time.

Source: Len Holsborg via Alamy Stock Photo

The Federal Trade Commission (FTC) is refunding over $5.6 million to Ring customers after a 2023 privacy settlement.

Last year the FTC filed complaints against Ring, the home security company owned by Amazon, after accusations arose that employees were spying on female customers in bedrooms and bathrooms. Not only this, but the company failed to notify and obtain consent from customers regarding use of security video footage for training purposes until 2018.

The FTC asserted that Ring had failed to restrict access to its videos, failed to gain user consent, and failed to implement security safeguards leading to "egregious violations of users' privacy."

The FTC will be making the refunds through 117,044 PayPal payments to customers, depending on the type of Ring device used during the period when unauthorized users could have accessed Ring video footage.

**About the Author(s)**

FTC Issues $5.6M in Refunds to Customers After Ring Privacy Settlement

The FTC is paying Ring customers in the US a totoal of $5.6 million over charges that the company allowed employees to access private videos.

Amazon’s Ring has settled with the Federal Trade Commission (FTC) over charges that the company allowed employees and contractors to access customers’ private videos, and failed to implement security protections which enabled hackers to take control of customers’ accounts, cameras, and videos.

The FTC is now sending refunds totaling more than $5.6 million to US consumers as a result of the settlement.

Ring LLC, which was purchased by Amazon in February 2018, sells internet-connected, home security cameras and video doorbells.

However, in a shocking lapse of security protection, it turned out that every single person working for Amazon Ring, whether they were an employee or a contractor, was able to access every single customer video, even when it wasn’t necessary for their jobs.

But that wasn’t the only issue. In May 2023, the FTC stated that:

> “Ring deceived its customers by failing to restrict employees’ and contractors’ access to its customers’ videos, using its customer videos to train algorithms without consent, and failing to implement security safeguards. These practices led to egregious violations of users’ privacy.”

The FTC gave the example of one employee who, over several months, viewed thousands of video recordings belonging to female users of Ring cameras that were pointed at intimate spaces in their homes such as their bathrooms or bedrooms. This didn’t stop until another employee discovered the misconduct.

The FTC is now sending 117,044 PayPal payments to US customers who had certain types of Ring devices, such as indoor cameras, during periods when the FTC alleges unauthorized users may have had access to customer videos. Customers should redeem their PayPal payment within 30 days.

“The FTC identified eligible Ring customers based on data provided by the company,” the agency told BleepingComputer, clarifying that Ring users “were eligible for a payment if their account was vulnerable because of privacy and security problems alleged in the complaint.”

Consumers who have questions about their payment should contact the refund administrator, Rust Consulting, Inc., at 1-833-637-4884, or visit the FTC website to view frequently asked questions about the refund process.

**Beware of scammers**

As always, you can expect scammers to take advantage of this news. So, it’s important to know that the FTC never asks people to pay money or provide account information to get a refund.

A payment or claim form sent as part of an FTC settlement will include an explanation of, and details about, the case. The case will be listed at ftc.gov/refunds, along with the name of the company issuing payments and a phone number for questions.

The FTC only works with four private companies to handle the refund process:

*   Analytics Consulting, LLC
*   Epiq Systems
*   JND Legal Administration
*   Rust Consulting, Inc.

Before sending any PayPal payment, the FTC will send an email from the subscribe@subscribe.ftc.gov address to issue a payment recipient. Once payments have been issued, PayPal will send an email telling recipients about their refund.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

 Ring agrees to pay $5.6 million after cameras were used to spy on customers 

Thousands of exposed files on a misconfigured North Korean server hint at one way the reclusive country may evade international sanctions.

For almost a decade, Nick Roy has been scanning North Korea’s tiny internet presence, spotting new websites coming online and providing a glimpse of the Hermit Kingdoms’ digital life. However, at the end of last year, the cybersecurity researcher and DPRK blogger stumbled across something new: signs North Koreans are working on major international TV shows.

In December, Roy discovered a misconfigured cloud server on a North Korean IP address containing thousands of animation files. Included in the cache were animation cells, videos, and notes discussing the work, plus changes that needed to be made to ongoing projects. Some images appeared to be from an Amazon Prime Video superhero show and an upcoming Max (aka HBO Max) children’s anime.

The findings and security lapse—detailed in a report by the Stimson Center think tank's North Korea–focused 38 North Project, which helped analyze the findings along with Google-owned security firm Mandiant—provide a glimpse at how North Korea can use skilled IT and tech workers to raise funds for its heavily sanctioned regime. It also comes as US officials increasingly warn about North Korean IT workers infiltrating companies and their outsourcing.

North Korea’s internet is a small—and fragile—space. The repressive nation only has 1,024 IP addresses and around 30 websites that connect to the global internet. While there is a limited internal intranet, only a few thousand of the country’s 26 million people can get on the internet. When they do, it’s highly controlled: These select few North Koreans can use the internet for an hour at a time and have a person sitting next to them approving their use every five minutes.

When Roy discovered the exposed cloud server, it was being updated on a daily basis. Martyn Williams, a senior fellow on the 38 North Project who helped analyze the contents of the server, says the server likely allowed work to be sent to and from North Korean animators. The server itself is still live, but it mysteriously stopped being used at the end of February. While there is a login page, its contents can be accessed without a username and password. “I found the login page after I found all the exposed files,” Roy says.

Inside, the files contained editing comments and instructions in Chinese which were translated to Korean, the researchers write in their report. “For a lot of the animation files, we would find things like spreadsheets with details of the workflow,” Williams says. A sample of the files shared with WIRED show detailed anime images and video clips, with notes for the authors and date stamps on various files. In one instance, the report says, an animator was “asked to improve the shape of the character’s head.”

Based on the documents and drawings, the researchers were able to identify some of the shows and projects the North Koreans were working on. Some of the projects included work from season 3 of the Amazon show _Invincible_, which is produced by California-based Skybound Entertainment. There were also documents linked to Max and Cartoon Network show _Iyanu: Child of Wonder_, produced by YouNeek Studios, as well as files from a Japanese anime series and an animation studio in Japan.

Some file names gave away clues about the series and episode numbers. There were also files and projects the researchers could not identify—including a “bunch of files” with videos of horses and a Russian book on horses, Williams says.

Sanctions placed upon the North Korean regime, for its ongoing human rights abuses and nuclear warfare programs, prohibit US companies from working with DPRK companies or individuals. However, the researchers say it is highly unlikely that any companies involved would have a clue about North Korean animators working on the shows, and there is nothing suggesting the companies violated any sanctions or other laws. “It is likely that the contracting arrangement was several steps downstream from the major producers,” the report says.

Spokespeople for Amazon and Max spokesperson declined to comment for this story. YouNeek Studios did not respond to a request for comment.

“We do not work with North Korean companies, or Chinese companies on _Invincible_, or any affiliated entities, and have no knowledge of any North Korean or Chinese companies working on _Invincible_,” a spokesperson for Skybound Entertainment says. “We take any claims very seriously and have commenced an investigation into this.” In a post on X, the company characterized the findings as “unconfirmed” and said it is working with authorities to investigate.

Williams says it is possible that a front company in China is used to help disguise the activity and involvement of North Koreans. The researchers were able to analyze connections to the exposed server and, despite most having their location masked by a VPN, spotted access from Spain and three Chinese cities. “All three cities are known to have many North Korean–operated businesses and are main centers for North Korea’s IT workers who live overseas,” the report says.

While Williams says the researchers did not find any identifiable names of North Korean organizations buried in the files, the country has a well-established animation company called April 26 Animation Studio, which is also known as SEK Studio. Originally set up in the 1950s, the studio has worked on hundreds of international TV shows and movies.

However, in recent years, the US Treasury Department has sanctioned SEK Studios, individuals linked to it, and various “front companies” that it says are used to “work for foreign customers.” Many of these have links to China, according to the sanctions. “SEK Studio has utilized an assortment of front companies to evade sanctions targeting the government of the DPRK and to deceive international financial institutions,” a statement issued as part of the sanctions in 2021 says.

The main aim of these efforts, says Michael Barnhart, a North Korea researcher at Mandiant, is to raise money for the North Korean regime. The country’s hackers and scammers have stolen and extorted billions of dollars to help fund its military ambitions in recent years, including from huge cryptocurrency heists. In early 2022, the FBI issued a 16-page alert warning companies that remote North Korean freelance IT workers were infiltrating businesses to earn money they could funnel back home.

“The volume is much higher than we were expecting,” Barnhart says of North Korea’s IT workers. They are constantly changing their tactics to avoid being caught, he says. “We had one not too long ago, where during the interview, the person’s mouth was just off-frame. You could tell that someone in the background was speaking on their behalf.” Technically, Barnhart says, companies should verify their remote workers’ devices and make sure that there is no remote software connecting to a company laptop or network. Businesses should also put extra efforts at the hiring stage by training HR staff to detect possible IT workers.

However, he says, increasingly there is a greater crossover between North Korean IT workers and individuals who are members of known hacking groups or classified as advanced persistent threats (APTs). “The more we focus on IT workers, the more we’re starting to see APT operators and efforts blending in with those,” he says. “This might be the most quick learning-on-your-feet, nimble nation-state that I've ever seen.”

North Koreans Secretly Animated Amazon and Max Shows, Researchers Say

A major international law enforcement effort has disrupted the notorious LabHost phishing-as-a-service platform.

A major international law enforcement effort involving agencies from 19 countries has disrupted the notorious LabHost phishing-as-a-service platform.

Europol reports that the organization’s infrastructure has been compromised, its website shut down, and 37 suspects arrested, including four people in the UK linked to the running of the site, which also allegedly included the original developer of the service.

Europol’s announcement also hints that this isn’t the end of the story, and users of the platform should ready themselves for some uncomfortable encounters with law enforcement in the future. As Europol said in its release:

> A vast amount of data gathered throughout the investigation is now in the possession of law enforcement. This data will be used to support ongoing international operational activities focused on targeting the malicious users of this phishing platform.

The UK’s Metropolitan Police (“The Met”), which spearheaded the operation, says it has already contacted the criminals who used the site:

> Shortly after the platform was disrupted, 800 users received a message telling them we know who they are and what they’ve been doing. We’ve shown them we know how much they’ve paid to LabHost, how many different sites they’ve accessed and how many lines of data they’ve received. Many of these individuals will remain the focus of investigation over the coming weeks and months.

In a phishing attack, criminals use emails to trick users into entering details like passwords or credit card numbers into fake websites. The emails and websites typically mimic popular brands like UPS, Amazon, or Microsoft, and copy the format of emails sent by those companies, luring victims with things like fake security alerts.

Phishing-as-a-Service (PaaS) provides the tools and infrastructure criminals need to carry out phishing attacks on a subscription basis, so they don’t have to create and run it themselves. This lowers the barrier to entry for these kinds of crimes and puts sophisticated tools in the hands of people who wouldn’t otherwise have access to them.

LabHost was set up in 2021 and grew to become one of the largest PaaS vendors. Europol says that “with a monthly fee averaging $249, LabHost would offer a range of illicit services which were customizable and could be deployed with a few clicks.” Those services reportedly included a menu of over 170 fake websites for users to choose from, and a campaign management tool called “LabRat” that could capture two-factor (2FA) authentication codes.

The phishing platform is reported to have had 2,000 registered users and was used to create “more than 40,000 fraudulent sites.” The Met says that around 70,000 individual UK victims have been phished using the service, and that globally, it swallowed up 480,000 card numbers, 64,000 PIN numbers, and more than one million passwords.

Victims in the UK have been contacted by the Met to inform them that some of their data has been compromised. Ironically, thousands of victims being contacted in this way creates an opportunity for copycat phishing emails with Met branding. For that reason, the Met has been careful not to include any links in its communications and warns potential victims that:

> …if you receive any contact from the Met with links in, this will be fraudulent so please do not engage with this.

If you’ve been contacted by the Metropolitan Police about the LabHost breach you can find some useful guidance and support on its LabHost Disruption page.

 Law enforcement reels in phishing-as-a-service whopper 

Permiso Security announced Cloud Console Cartographer during Black Hat Asia to help defenders look inside Amazon Web Services events logs for signs of cyberattacks.

Source: Pop Tika via Shutterstock

When investigating a potential attack on cloud services, Daniel Bohannon frequently has to contend with the verbose logging of Amazon Web Services (AWS), a problem that can allow an attacker to hide in an avalanche of data.

While AWS typically produces only a single event for every programmatic API call, accessing the management console through the Web leads to an exponential increase in events, says Bohannon, a principal threat researcher with cloud identity service provider Permiso Security. In one session, for example, 81 clicks on users, workloads, and roles resulted in 5,370 events recorded in the AWS log file.

The sheer volume of events results in so much noise that it becomes hard to determine what a user is actually doing in the AWS console, the threat researcher says. For that reason, Bohannon and fellow threat researcher Andi Ahmeti plan to release an open source tool at the Black Hat Asia conference in Singapore to help security managers and incident responder consolidate cloud log events into a record of user actions.

"The idea is that you input your raw logs — and we \[show\] 100% of those raw logs — but then we enrich the data on top of that, which ... contains all the information about the events that led to those events," he says. "We all have that full signal information, which ... contains the summary, the labels, all that kind of stuff."

Historically, the volume of data in log files have made it difficult to determine the events that led up to a compromise. Sometimes the problem is that the cloud service does not log enough events to determine what happens, such as last year's criticism that Google Cloud Platform (GCP) fails to log adequate data when a user accesses a storage instance.

In other cases, the specific ways that cloud services communicate information to their customers can result in a lack of visibility, especially with the differences that companies face with multicloud use. More than half of companies have open ports undermining their security and take some two months to close the vulnerabilities. 

**AWS Produces Avalanche of Events**

For businesses using AWS, the number of events produced in a log while using the Web console can be significant. Just clicking on a list of users produces 18 events for only three identities, and that's a mild case of AWS's verbosity, says Bohannon. A user who clicks in the AWS console to view the users in the identity and access management (IAM) console will see more than 300 events produced in the logs for CloudTrail, Amazon's auditing capability.

"That number can actually get as high as 100, 300, or even 700 events, depending on the settings you have in your Web browser — all just for one click," he says. "So at a core level, every single action you take produces at least one event, but often it's dozens or sometimes even hundreds of additional events associated with it."

The researchers' open source tool, Cloud Console Cartographer, aims to turn the list of events captured by CloudTrail into a succinct timeline of actions taken by the user. The program adds comments to the cloud log that categorizes a series of captured events into signals — actual user actions.

"We want to show all of our mapping to remove as much noise as we can but still keep all the raw events," Bohannon says. "So anything that's unmapped is great, it's still evidence, and defenders can make the most sense of it."

**No Plans for Other Clouds**

Cloud Console Cartographer, which will be available on GitHub, produces an enriched log of events and has a Web interface that lists the signals in a table. Currently, 240-plus rules for classifying collections of events into user actions — that is, signals — have been created that will be used to enrich log files.

The two threat researchers intend to keep working on expanding the number of classifiers and hope that others will do the same.

Bohannon and Ahmeti may move on to developing the tool for other cloud platforms, but because different cloud providers have different ways of logging, what works for AWS will not work for Microsoft Azure or Google Cloud Platform, they say. AWS is verbose, but Azure is the opposite — its logs are so terse as to be unhelpful, Bohannon says.

"I feel like every platform, every cloud platform has unique challenges that will have to be addressed in different ways," he says. "So we might find in the future that we can integrate other cloud platforms into this, but \[for now\] we at least have plans for additional GUIs related to AWS that we are going to be working on after the initial release."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tag

#amazon