Talos revealed that rebooting an iOS or Android device may not remove the Predator spyware produced by Intellexa. Intellexa knows if their customers intend to perform surveillance operations on foreign soil.

Thursday, December 21, 2023 11:00

_By Mike Gentile,_ _Asheer Malhotra_ _and_ _Vitor Ventura__._

**Editor’s note:** This blog post is a public version of a talk presented at LabsCon 2023 on Sept. 22, 2023. You can watch a recording of the talk here. Some of the intelligence presented at LabsCon was later confirmed by an Amnesty International blog post released on Oct. 6, 2023.

*   Cisco Talos has a new, in-depth analysis of timelines, operating paradigms and procedures adopted by spyware vendor Intellexa (previously known as Cytrox). 
*   Talos’ analysis revealed that rebooting an iOS or Android device may **_not_** always remove the Predator spyware produced by Intellexa. Persistence is an add-on feature provided by Intellexa for their implants and primarily depends on the licensing options chosen by a customer.
*   Intellexa knows if their customers intend to perform surveillance operations on foreign soil.
*   Two years after its first public exposure, Intellexa’s Predator/Nova spyware solution continues to be undetected by anti-virus solutions. Public reporting on Intellexa’s operations has had little to no impact on their ability to conduct and grow their business across the world.
*   Almost all publications on malicious operations conducted using Intellexa’s spyware consist primarily of malicious domains as indicators of compromise (IOCs). Talos assesses that the disclosure of such domains, managed by the customers, has little to no effect on Intellexa’s operations and enables them to preserve their malware implants due to a lack of technical disclosures. 
*   After many users patched against the exploit chains used by Intellexa as of December 2021, the spyware vendor started shipping a new exploit chain to at least one new customer in early 2022 that covered the same and more recent versions of the Android operating system.

In May 2023, Cisco Talos published the first ever in-depth technical report on Intellexa’s spyware solution named Alien and Predator, showing its inner workings and demonstrating the highly complex software architecture decisions required to make such spyware work properly on the Android operating system. This research also sheds light on several other aspects of the commercial spyware space, like plausible deniability, the impacts of widespread media exposure and recruitment issues.

During the LabsCon 2023 cyber threat intelligence conference, Talos presented the operational risks inherent to the commercial spyware landscape, using Intellexa as a use case.

This research delves into the history of the Alien/Predator line of implants, illustrating how a run-down spyware seller, Cytrox, was bought and transformed into an intelligence agency-grade spyware vendor: Intellexa.

**Implants’ persistence is an add-on in Intellexa’s offering**

Leaked commercial proposals from the Intellexa Alliance have shown that prices per infection are increasing every year, along with the capabilities of the company's technological solution. Rebooting the device is no longer a means to remove the implants from an infected device. 

In 2021, Predator spyware couldn’t survive a reboot on the infected Android system (it had it on iOS). However, by April 2022, that capability was being offered to their customers. Since then, no reports have been published detailing such a mechanism, as there is no reason to believe it has become obsolete. It still doesn’t survive a factory reset, but it is fair to assume that this specific capability will become available, literally breaking all trust in the device beyond recovery.

**Intellexa’s product development journey**

Cytrox was first created in North Macedonia in 2017, and at the time, built Android-based malware. In 2018, Cytrox was acquired by WiSpear and then in 2019 Nexa Technologies, WiSpear (and Cytrox) and Senpai Technologies teamed up to create the Intellexa Alliance, a commercial spyware company that, according to public reports, sells commercial spyware to multiple customers without regard for their potential targets and the spyware’s misuse. 

Senpai Technologies is a company specializing in OSINT and persona creation based out of Israel, while WiSpear, also based in Israel, specializes in Wi-Fi interception. Nexa Technologies (now called RB 42) is a French-based company whose main focus is remote surveillance and security services.

Immediately after the consolidation of all these firms under Intellexa in May 2019, the revamping of Predator began, which at the time, was their flagship spyware for Android. This can be confirmed on the artifacts left on the malware binary due to the use of static library compilation at build time.

By April 2020, the revamp was finished and the malware was ready to be deployed on Android. In May 2020, the developers began working on an iOS “solution” which we assess with medium confidence was a port of Alien/Predator from Android to iOS. Our assessment is based on the fact that the engine that drives the high-level components of the Predator system is similar, if not identical, to the point where some Android artifacts, detailed in the following sections, can be found on the iOS sample.

Evolution timeline

**Pricing model**

Building commercial spyware is a sophisticated and research-driven process. It involves meticulously circumventing, bypassing and exploiting security controls put in place by mobile applications/packages and Operating Systems such as Android and iOS. Combining such potent software into a package with zero or one-click zero-day exploits makes it a highly reliable offensive “solution” – and that is exactly what makes it expensive. As early as 2016, The New York Times reported that the NSO Group charged $650,000 for every 10 infections, with an additional $500,000 for initial setup. Multi-year deals between the NSO Group and Mexico were estimated to be around $15 million – and this was back in 2013.

Fast forward five years to 2021, and another disclosure from The New York Times details the proposal brochure for Intellexa’s Predator framework offering their solution for a whopping 13.6 million Euros for:

*   20 concurrent infections.
*   One-click exploit for initial access.
*   Predator C2 and administrative hardware and software.
*   Project plans, documentation, etc.
*   12 months of warranty support.

Proposal (snipped) defining price and items

Leaked documents from 2022 show that the Nova platform, which is Intellexa’s data-gathering module, was priced at 8 million Euros in 2022. Price tags of 13.6 million or even 8 million Euros is a hefty sum. However, this reinforces the fact that commercial spyware such as those from Intellexa is neither for the common man nor for petty crimeware operators. These solutions are meant for customers with deep pockets and such expenses can only be incurred by state-sponsored agencies.

The pricing model also shows the technological evolution of the product. Based on the leaked proposal dates in July 2022, Intellexa had already incorporated boot survivability into the Android solution. It also increased the support for Android to 18 months. At this point, it is unclear if this is the direct result of Intellexa’s development and research capabilities, or if these are based on exploits acquired that ultimately would result in having such capabilities.

The original persistence mechanism on iOS was the exploitation of the original vulnerability during the boot process by loading the malicious HTML page stored locally. As such, the newly introduced Android persistence mechanism can simply be based on a similar method.

**Plausible deniability**

Intellexa’s commercial proposals are designed to create plausible deniability. These clauses extend from the infrastructure responsibilities to the delivery methods. This is a key aspect of Intellexa’s business model, the goal is to avoid a bad reputation and to claim they are not responsible for what their customers do with their “product” — they claim that they don’t even know who the victims are.

Proposal (snipped) defining responsibilities

The leaked proposals show that the infrastructure and anonymization are the responsibility of the customer. From a deniability point of view, this enables the claim that Intellexa doesn’t know _how_ victims are being targeted. From the operational risk perspective, such clauses also shield Intellexa from any responsibility in the event of a public exposure connecting malicious operations back to the vendor.

Delivery method method

The delivery of Intellexa’s supporting hardware is done at a terminal or airport. This delivery method is known as Cost Insurance and Freight (CIF), which is part of the shipping industry’s jargon (“Incoterms”). This mechanism allows Intellexa to claim that they have no visibility of where the systems are deployed and eventually located. This exact scenario was seen being put into practice when, according to a LighthouseReports

investigation

, Intellexa sold their solution to the Sudanese government.

Source: https://www.lighthousereports.com/investigation/flight-of-the-predator/

Even if we take into consideration the proposal’s terms such as, “Installation and configuration at customer designated facility…” and the “Standard training course ……,” it still does not mean that Intellexa might know where the hardware is located since everything can be done remotely or even without their personnel knowing where the customer’s “solution” is physically located.

Intellexa does have first-hand knowledge of if their software is being used to conduct surveillance operations targeting phone number prefixes other than their customers' country of origin and possibly their jurisdiction. This knowledge is a consequence of the licensing model. Any sale is limited to a single phone country code prefix, but for an additional fee, the customer can license the usage of the solution in additional countries without geographic limitations.

**Business risks****Human resources**

Commercial spyware companies don’t seem to have any kind of problem recruiting highly specialized human resources to develop their solutions. This was evidenced by the LinkedIn profiles of several highly specialized engineers. In one example, the NSO Group in June had just recruited new, highly specialized engineers from an intelligence military unit.

During the development of the iOS implant, Intellexa hired an iOS expert vulnerability researcher who had previously worked for the NSO Group. The timing of the hire indicates that the firm needed to integrate the implant with the exploit chain to deploy it reliably on iOS devices.

Snippet of the iOS security expert Curriculum Vitae

Such “experts” can be found working for and actively hunting for jobs regularly at other commercial spyware vendors too.  For example, a quick search by Talos showed that just in September 2023, the NSO group had hired another security researcher with the same research background:  

Example of employment history

And there are several examples like that. The highly skilled researchers will move from one company to another in the same line of business supplying a constant flow of human resources as needed.

**Target operating system support**

New operating system releases don’t seem to make a considerable impact on the Predator solution. Intellexa now supports OS versions going back 18 months on Android and 12 months on iOS from their last supported version, which may not be the latest. Google releases approximately one new version per year just like Apple. But, the Android OS may consist of beta versions months before general availability. This gives plenty of lead time to Intellexa and their exploit suppliers to develop new exploit chains to use as initial attack vectors. 

It is important to understand that the Alien/Predator implants themselves don’t need to change much between operating system releases. They are written to be as generic and modular as possible, and the modules that need to be specific to an OS version and/or capability are written in Python, which can easily be updated and deployed on the fly via a customer’s infrastructure. 

The components that are more sensitive to operating system updates are the initial access vectors and the persistence mechanisms. These capabilities often rely on exploits that can be patched or new mitigation techniques may render them useless. 

**Vulnerability exploits chain patching**

This is the most sensitive and least controlled part of any commercial spyware solution. Still, one may think that there is a high impact on the operational capability of a commercial spyware vendor, but the reality seems to prove the impact is low, or medium at most. 

Exploit brokers and exploit research companies, sell full or partial exploit chains as a subscription model where the customers are entitled to workable replacements if the purchased chain is patched.

The timeline of events shows that it took Intellexa, at most, six months (probably less) to obtain and integrate a new fully operational exploit chain into their solution, after their Android previous one was patched in Nov 2021. This is confirmed by the fact that, in May 2022, their platform was being shipped to a new customer in Sudan, according to the Lighthouse report.

Overall, this demonstrates that exposing the vulnerabilities used by commercial spyware vendors, although extremely important, does not impose much of a risk on them. In fact, that risk is transferred onto the exploit brokers and vendors.

This has caught the attention of the Biden-Harris administration, to the point that the Intellexa Alliance was added to the Entity List for “_...determination that the companies engaged in trafficking in cyber exploits used to gain access to information systems…_”  In practical terms, U.S.-based companies that deal in exploits cannot do business with the Intellexa galaxy of companies. This means that Intellexa will have to procure its exploits from companies in other regions, which for the time being, doesn’t seem to be a problem. However, if the United Kingdom and the European Union take similar actions, the market will become smaller, making it much harder for these companies to acquire their initial attack vector.

**The lack of impact from public exposure**

The public exposure of commercial spyware companies creates awareness and has gained the attention of governments and regulating bodies. Such disclosures have also been successful at attributing malicious operations conducted by regimes against human rights activists, journalists and civilian dissidents, indicating the lack of a moral compass of many of Intellexa’s “customers.” 

However, exposing regimes conducting these operations seems to have little effect on these companies’ abilities to make money. It may increase the costs by making them buy or create new exploit chains but these vendors appear to have seamlessly acquired new exploit chains, enabling them to remain in business by jumping from one set of exploits to another as a means of initial access. A majority of public disclosures in the commercial spyware space focus on the political aspects of the operations along with listing malicious domains and infrastructure but fail to tear open the inner workings of the malware themselves. The domains and infrastructure exposed in a disclosure are owned and operated by spyware customers themselves, often in silos, meaning that exposing one operation typically may have no impact on all the other customers. However, the risk of exposure will always be primarily based on the efforts put by the customer into their anonymization chain.

Such disclosures may have a substantial impact on the regimes (“customer”), but they fail to impose costs on the spyware vendor themselves. What is needed is the public disclosure of technical analyses of the mobile spyware and tangible samples enabling public scrutiny of the malware. Such public disclosures will not only enable greater analyses and drive detection efforts but also impose development costs on vendors to constantly evolve their implants.

Intellexa and Cytrox: From fixer-upper to Intel Agency-grade spyware

The Chinese-speaking threat actors behind Smishing Triad have been observed masquerading as the United Arab Emirates Federal Authority for Identity and Citizenship to send malicious SMS messages with the ultimate goal of gathering sensitive information from residents and foreigners in the country.
"These criminals send malicious links to their victims' mobile devices through SMS or

Identity Theft / SMS Phishing

The Chinese-speaking threat actors behind **Smishing Triad** have been observed masquerading as the United Arab Emirates Federal Authority for Identity and Citizenship to send malicious SMS messages with the ultimate goal of gathering sensitive information from residents and foreigners in the country.

"These criminals send malicious links to their victims' mobile devices through SMS or iMessage and use URL-shortening services like Bit.ly to randomize the links they send," Resecurity said in a report published this week. "This helps them protect the fake website's domain and hosting location."

Smishing Triad was first documented by the cybersecurity company in September 2023, highlighting the group's use of compromised Apple iCloud accounts to send smishing messages for carrying out identity theft and financial fraud.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

The threat actor is also known to offer ready-to-use smishing kits for sale to other cybercriminals for $200 a month, alongside engaging in Magecart-style attacks on e-commerce platforms to inject malicious code and pilfer customer data.

"This fraud-as-a-service (FaaS) model enables 'Smishing Triad' to scale their operations by empowering other cybercriminals to leverage their tooling and launch independent attacks," Resecurity noted.

The latest attack wave is designed to target individuals who have recently updated their residence visas with harmful messages. The smishing campaign applies to both Android and iOS devices, with the operators likely using SMS spoofing or spam services to perpetrate the scheme.

Recipients who click on the embedded link the message are taken to a bogus, lookalike website ("rpjpapc\[.\]top") impersonating the UAE Federal Authority for Identity, Citizenship, Customs and Port Security (ICP), which prompts them to enter their personal information such as names, passport numbers, mobile numbers, addresses, and card information.

What makes the campaign noteworthy is the use of a geofencing mechanism to load the phishing form only when visited from UAE-based IP addresses and mobile devices.

"The perpetrators of this act may have access to a private channel where they obtained information about UAE residents and foreigners living in or visiting the country," Resecurity said.

"This could be achieved through third-party data breaches, business email compromises, databases purchased on the dark web, or other sources."

Smishing Triad's latest campaign coincides with the launch of a new underground market known as OLVX Marketplace ("olvx\[.\]cc") that operates on the clear web and claims to sell tools to carry out online fraud, such as phish kits, web shells, and compromised credentials.

"While the OLVX marketplace offers thousands of individual products across numerous categories, its site administrators maintain relationships with various cybercriminals who create custom toolkits and can obtain specialized files, thereby furthering OLVX's ability to maintain and attract customers to the platform," ZeroFox said.

**Cyber Criminals Misuse Predator Bot Detection Tool for Phishing Attacks**

The disclosure comes as Trellix revealed how threat actors are leveraging Predator, an open-tool designed to combat fraud and identify requests originating from automated systems, bots, or web crawlers, as part of various phishing campaigns.

The starting point of the attack is a phishing email sent from a previously compromised account and containing a malicious link, which, when clicked, checks if the incoming request is coming from a bot or a crawler, before redirecting to the phishing page.

The cybersecurity firm said it identified various artifacts where the threat actors repurposed the original tool by providing a list of hard-coded links as opposed to generating random links dynamically upon detecting a visitor is a bot.

"Cyber criminals are always looking for new ways to evade detection from organizations' security products," security researcher Vihar Shah and Rohan Shah said. "Open-source tools such as these make their task easier, as they can readily use these tools to avoid detection and more easily achieve their malicious goals."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Alert: Chinese-Speaking Hackers Pose as UAE Authority in Latest Smishing Wave

By Owais Sultan
Online gaming is a luxury, especially if you are interested in strategic war games. So, here are the…
This is a post from HackRead.com Read the original post: 4 Best War Games You Should Play

Online gaming is a luxury, especially if you are interested in strategic war games. So, here are the 5 best war games that you can play!

War and hostilities are terrible events and the worst outcome in the development of state policies. A format for human interaction in which there are no winners and all parties are losers, losing the best people who join the army.

Nevertheless, the theme of wars attracts players and movie lovers, because in such difficult and critical situations, the best and worst qualities in a person are revealed at the same time, and therefore it is interesting to watch the actions of the heroes and at least approximately understand what the soldiers participating in big wars went through.

Let this format be better expressed within the framework of games and films and people will perceive it at the multimedia level, and not take part in real combat operations. Let’s look at five of the most interesting and vibrant projects that you should play.

**Call of Duty Modern Warfare**

A project from the Infinity Ward studio invites players to fully transport themselves and see the world through the eyes of different soldiers who will take part in a fictional modern conflict, first against terrorists, and then in a full-fledged war.

According to the game plot, in the Far East, separatists from Russia helped carry out a coup and put the terrorist Al Assad in power, who carried out a coup, killed the current ruler and took possession of nuclear weapons, to counteract him, special operations forces and the regular army of US Rangers enter the battle.

You will play as individual characters, some of whom will continue their journey in the next parts of the series.

You will be able to fully experience the spirit of the offensive and storming of cities, carrying out secret and silent operations, tank offensives and major landings. You will destroy entire armies in units and destroy important targets.

Among the interesting mechanics, you will find a nuclear explosion with all the consequences and the outcome of an entire war in the series of Modern Warfare with the reflection of the attack on Washington, New York, Paris and Berlin.

For players who want to play against other gamers, there is the Warzone format, in which players face each other on a small game map in a survival mode where there can only be one winner.

Victories and high results in the match will lead to an increase in rating and entry into new matches with stronger players.

If you are unable to increase your rank on your own, then you can always order Call of Duty services – professionals who will increase your level, and you will only come across strong gamers.

****Battlefield 5****

A project in which you will be immersed in the format of the battles of the Second World War and, at the same time, you will choose one of the proposed stories, with all the moral dilemmas and important turning points of gaming companies.

Battlefield relies relatively on realism but creates an atmosphere in which the player will be interested in immersing himself in his gameplay and gives an additional chills effect due to the soundtrack, which has not changed for many years, but is constantly changing the arrangement.

You will be able to go through a company of Norwegian saboteurs, the first British SAS Forces, military pilots and even a tank commander of the Third Reich at the very end of the Second World War.

You will see many aspects, including moral ones, associated with the loss of morale and the general cruelty of any of the fronts, however, you will be able to play for different participants in the Second World War.

****Medal of Honor****

Medal of Honor, one of the earliest shooters in the gaming industry, allows players to delve into future conflicts and the missions of special forces units in its latest versions. Beyond diverse tasks, the game immerses players in the everyday challenges faced by soldiers, including conflicts with wives grappling with the absence of their husbands and the risks they endure.

There is, of course, a theme of the Second World War. Still, it belongs to already quite outdated games unless you choose the format of the Pacific front, in which a group of friends together will go through a campaign against Japanese forces on key islands throughout the Second World War and survive Pearl Harbor as well.

There is a project in the series based on cinematography and vivid scenes played by real actors for realism.

This is the Airborne Medal of Valor, in which the player will have to take part in several operations as part of the airborne forces, where each task will be accompanied by a mandatory parachute into a danger zone and the completion of tasks in Operation Husky, during the assault on German bunkers, the Normandy landings and attacks in cities.

Each time there will be different landing circumstances, from ordinary to extremely difficult. The tasks will constantly become more complicated, and one of the interesting features is the constant improvement of the selected weapon when using it.

This means that by hitting enemies with a Thompson assault rifle, you will regularly upgrade it. First, get manual stabilization and front sight for better and more accurate aiming, and then get a larger ammo clip.

The system works similarly with all game weapons, including enemy ones. Any third-level weapon will be very different from its initial appearance but will bring significant benefits to its owner.

****Wolfenstein****

Wolfenstein is a series of games with a rather interesting setting and a unique format, which differs depending on the game you choose for yourself.

The old format is a setting of the Second World War, in which the fascists experiment on people and turn to mysticism to create unique and invincible soldiers, and you have to stop their entire plan.

The new format and updated version, called New Order, offers to try out unique mechanics and a plot that suggests trying out a dystopia in which it is demonstrated what would have happened to the world if the Nazis had won the Second World War.

You will again find the format of super soldiers, experiments and attempts to destroy humanity, in which again one person must stop everyone.

**Bonus:** For those into old-school gaming, revisiting Delta Force is a pure delight as all of its versions offer a fun playing experience.

****_RELATED ARTICLES_****

1.  **5 Classic Games to Play in 2023**
2.  **GAM3S.GG Raises $2M to Grow Web3 Gaming Superapp**
3.  **The Rise of Blockchain Gaming and Secure Marketplaces**
4.  **The Best FPS Games on Android In 2023: Popular by Demand**
5.  **Is it Getting Harder to Pigeonhole Games into Specific Genres?**
6.  **NEOBRED Integrates with Avalanche for Elite Gaming Experience**

4 Best War Games You Should Play

By Owais Sultan
eSIM technology is a promising innovation that offers a number of benefits over traditional SIM cards.
This is a post from HackRead.com Read the original post: Navigating eSIM Policies and Regulations

As eSIM technology becomes more widely adopted, we can expect to see even more devices and carriers offering support for this new generation of SIM cards.

eSIM, which stands for embedded SIM, is a new generation of SIM card technology that’s soldered directly onto the motherboard of your device, like a smartphone or smartwatch. Unlike traditional SIM cards, which are removable plastic cards with a gold chip, eSIMs are permanent fixtures within your device.

As the adoption of eSIM technology, such as the Global YO eSIM App, continues to grow, it’s essential to understand the policies and regulations that govern its use. Navigating the legal landscape ensures that businesses and consumers can fully leverage the benefits of eSIM while staying compliant.

****The Evolution of eSIM Policies****

eSIM technology has evolved rapidly in recent years, and so have the regulations surrounding its deployment and usage. Governments and regulatory bodies are keen on ensuring that eSIM adoption (PDF) aligns with legal and security standards.

****Benefits of eSIM technology:****

*   **Convenience:** eSIMs eliminate the need to physically swap SIM cards when switching carriers or plans. You can simply download a new carrier profile onto your device through software updates.
*   **Security:** eSIMs are more secure than traditional SIM cards as they’re soldered onto the device and cannot be easily removed. This makes them less vulnerable to loss or theft.
*   **Flexibility:** eSIMs allow you to have multiple carrier profiles stored on your device at the same time. This is useful for travellers who want to use a local SIM card when abroad, or for businesses that want to manage multiple lines on one device.
*   **Environmental impact:** eSIMs eliminate the need for plastic SIM cards, which reduces e-waste.

****Key Aspects of eSIM Regulations********1\. SIM Card Registration****

Some countries require mandatory registration of eSIMs to track ownership and prevent fraudulent activities. Compliance with these regulations is essential to avoid legal complications.

****2\. Data Privacy****

eSIMs often store sensitive data, including user credentials. Regulations like GDPR in Europe emphasize data protection and privacy, making it crucial for eSIM providers to comply with these standards.

****3\. Mobile Network Regulations****

Regulations governing mobile network operators also impact eSIM usage. Ensuring that eSIM technology complies with these regulations is vital for seamless connectivity.

****Staying Compliant with eSIM Regulations****

To navigate eSIM policies and regulations effectively, consider the following:

****1\. Choose a Reputable eSIM Provider****

Opt for eSIM providers like Global Yo, which prioritize compliance with regional regulations, ensuring a smooth and lawful user experience.

****2\. Understand Local Laws****

Before deploying eSIM technology in a specific region, thoroughly research and understand the local eSIM regulations to ensure compliance.

****3\. Data Protection Measures****

Implement robust data protection measures to safeguard user information, aligning with privacy regulations.

****4\. Regular Updates****

Stay informed about changes in eSIM policies and regulations, as they can evolve. Keep your eSIM technology up to date to remain compliant.

****Conclusion****

Navigating eSIM policies and regulations is crucial for the successful adoption and use of this technology. As governments and regulatory bodies continue to address the challenges posed by eSIM, businesses and consumers need to stay informed and compliant.

With a reliable eSIM provider like Global Yo and a commitment to understanding and adhering to local regulations, you can harness the benefits of eSIM technology while ensuring that your usage remains lawful and secure.

For more information and to explore eSIM solutions that align with regulations, visit the Global Yo eSIM App (iOS) and Global Yo eSIM App (Android).

If you have any questions or concerns about eSIM policies and regulations, feel free to reach out. Compliance is key to enjoying the advantages of eSIM while staying on the right side of the law.

****_RELATED ARTICLES_****

1.  **How to Obtain a Virtual Phone Number and Why You Need One**
2.  **The Top Mobile Security Considerations for Business Travelers**
3.  **Use Internet anonymously through Tor-enabled SIM card Onion3G**

Navigating eSIM Policies and Regulations

Relive Talos' top stories from the past year as we recap the top malware and other threats that came our way.

Tuesday, December 19, 2023 08:00

If there is anything the cybersecurity world learned in 2023, it’s that you can never count any bad guy out. 

Botnets kept coming back from the dead, ransomware actors found new ways to make money through data theft extortion and threat actors and malware who have been around for more than a decade find ways to stay relevant. 

Since it seems like there's a new security threat every day making headlines, we like to take a step back at the end of every year to look back at the top stories in cybersecurity that Talos covered this year, including new research from Talos and the stories that were most interesting to readers. 

*   After Microsoft blocked macros by default in Office documents, attackers needed to find a new file format for their lure documents that could execute malware or malicious code without users noticing. To start off 2023, adversaries shifted toward Shell Link (LNK) files, which provide security researchers the opportunity to capitalize on information that can be provided by LNK metadata. We used this data to uncover new information about the Qakbot botnet and Gamaredon threat actor, and previously unknown connections between multiple threat actors. 
    

*   Attackers deployed the “MortalKombat” ransomware and Laplas Clipper malware together in a campaign primarily looking to generate revenue by forcing users into paying the requested ransom. The encryption screen and ransom note associated with this campaign used images from the “Mortal Kombat” video game series — hence the name. Our research found these adversaries targeting everyone from individual users to massive organizations. 
    

*   The operators behind the Prometei botnet continued to level up their operations, adding new functions and anti-detection methods. Talos reported on what we identified as “version 3” of the botnet in March, including an alternative C2 domain generating algorithm (DGA), a self-updating mechanism, and a bundled version of the Apache Webserver with a web shell that’s deployed onto victim hosts. At the time of writing, the botnet had over 10,000 compromised machines. 
    
*   In other botnet news, the infamous Emotet malware came back online after a relatively quiet period, this time deploying malicious Microsoft Word documents as lures. Emotet is famous for going through brief periods of inactivity, often spanning months, and then re-appearing. Its newest efforts involved infection chains that Talos had not observed the operators using before. 
    
*   Talos discovers a new threat actor we called “YoroTrooper” targeting government and energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States (CIS). YoroTrooper’s activities seem largely centered around trying to steal sensitive information from these groups. We’d continued to follow this group for the remainder of the year, writing about their malware and TTPs multiple times in 2023.  
    

*   Although it was released earlier in the year, Talos disclosed a newly discovered “V2” version of the Typhon Reborn information-stealing malware. The updated version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult. At the time, we predicted that Typhon Reborn would appear in future cyber attacks. 
    
*   A large-scale attack on global network infrastructure known as “Jaguar Tooth” goes public, including extensive reporting from Talos and Cisco. In this campaign, state-sponsored actors targeted older networking devices like wireless routers, including Cisco devices. The UK’s National Cyber Security Centre (NCSC) also released a report on a sustained campaign by a Russian intelligence agency targeting a vulnerability in routers that Cisco had published a patch for in 2017. These ongoing discussions about defending network infrastructure and ensuring organizations use up-to-date devices eventually led to Cisco and other partners co-founding the new Network Resilience Coalition in July. 
    

*   A new phishing-as-a-service tool called “Greatness” appears in the wild, offering attackers the ability to pay a subscription fee for their infrastructure. Greatness allows users to send spam emails, pointing targets to convincing Microsoft 365 login pages. The “as-a-service" model for threat actors had long been around, but the trend received increased attention in 2022 as several large ransomware groups shifted to new affiliate models, which offered their services and code to anyone who wanted to use it for a fee. 
    
*   With the help of our partners at The Citizen Lab, Talos revealed new details about the “ALIEN” and “PREDATOR” mobile spyware suites. Many groups that we called “mercenary spyware” groups use these tools to create spyware, software that is considered illegal in many countries and is often used to target at-risk individuals like politicians and activists. 
    
*   Talos revealed a new threat actor we called “RA Group” targeting users globally, including companies in manufacturing, wealth management, insurance providers and pharmaceuticals. RA Group uses a modified version of the Babuk ransomware, which was leaked online in September 2021. 
    

*   Talos discloses the details of a botnet that’s been active for nearly three full years, “Horabot.” The actor delivers a known banking trojan and spam tool onto victim machines, specifically targeting Spanish-speaking users in North and South America. At the time, Talos believed the actor behind this botnet was located in Brazil. 
    
*   A month after the .zip top-level domain was released for the public to register, our researchers noticed attackers using it in scams designed to get users to leak sensitive information. As a result of user applications increasingly registering “.zip” files as URLs, these filenames may trigger unintended DNS queries or web requests, thereby revealing possibly sensitive or internal company data in a file’s name to any actor monitoring the associated DNS server. 
    

*   We discovered multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. Our research indicates that RedDriver has been active since at least 2021. This attack primarily targets Chinese-speaking users, and we suspected the creators of RedDriver are also native Chinese speakers. 
    
*   An unnamed actor started targeting government agencies in Ukraine and Poland, looking to steal sensitive information and setting up a backdoor for potential future attacks. Ukraine’s Computer Emergency Response Team (CERT-UA) attributed attacks, first spotted in July, to the threat actor group UNC1151, as a part of the GhostWriter operational activities allegedly linked to the Belarusian government. 
    

*   Talos’ Vulnerability Research team disclosed dozens of vulnerabilities that affect several small and home office (SOHO) routers. That team spent years on this research in the wake of the massive VPNFilter attack. Adversaries could chain together many of these vulnerabilities to directly access or those an adversary could chain together to gain elevated access to the devices. 
    
*   A new attacker appeared to use a variant of the Yashma ransomware likely to target multiple geographic areas by mimicking WannaCry characteristics. The actor, apparently of Vietnamese origins, was targeting users in targets Bulgaria, China, Vietnam and other countries since at least June. The new wrinkle to this ransomware attack is that the adversary asks the target to download the ransom note via their publicly available GitHub, rather than including some strings in the binary. 
    
*   The U.S. Department of Health and Human Services (HHS) released a warning to the healthcare industry about Rhysida ransomware activity. Rhysida appears to have first popped up back in May, with several high-profile compromises posted on their leak site since then, causing the U.S. government to release a specific warning alerting hospital systems and doctor’s offices about the activity. Talos released several new Snort rules to detect the Rhysida ransomware and details on the actor’s TTPs, including a new ransom note in which they pose as a legitimate cybersecurity company.  
    
*   Talos discloses new information about the infamous Lazarus Group APT, including several new RATs they’re using in the wild. The North Korean state-sponsored actor targeted internet infrastructure and healthcare entities in Europe and the United States with what we called “QuietRAT.” Additional research into the group found that Lazarus Group is increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.  
    
*   SapphireStealer, an open-source information stealer, is disclosed after Talos observed the malware across public malware repositories with increasing frequency since its initial public release in December 2022. We assessed with moderate confidence that multiple entities are using SapphireStealer, who have improved and modified the original code base separately, extending it to support additional data exfiltration mechanisms leading to the creation of several variants. 
    

*   Talos discovered a new malware family we called “HTTPSnoop” being deployed against telecommunications providers in the Middle East. HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint. We also discovered a sister implant called “PipeSnoop,” which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. Both tools are believed to be created and owned by the ShroudedSnooper threat actor, which built the intrusion set.  
    
*   Our researchers spot threat actors abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines. These attacks specifically target graphic designers or other artists who use computers with exceptionally large graphics cards — thus making them more valuable for cryptocurrency mining.  
    

*   Cloudflare and other internet hosting providers reported what was considered the largest distributed denial-of-service attack ever. Though the actual attack occurred earlier in the year, the official disclosure came in October, including details of a vulnerability in the HTTP/2 protocol that the attackers exploited. Talos released an advisory about these attacks, urging users to patch immediately and releasing new Snort rules to detect the exploitation of CVE-2023-44487. 
    
*   YoroTrooper, which Talos initially reported on earlier in the year, started using new TTPs, including new obfuscation techniques and the use of commodity malware. The actor is likely operating out of Kazakhstan, but these new tactics were made to look as if their lure documents came from the government of Azerbaijan.  
    
*   Arid Viper, a threat actor believed to be based out of Gaza, is disclosed. The APT used malicious apps designed as software for the Android operating system to collect sensitive information from targets and deploy additional malware onto infected devices. Although Arid Viper is believed to be based out of Gaza, Cisco Talos has no evidence indicating or refuting that this campaign is related in any way to the Israel-Hamas war, which also began in October. 
    

*   Talos identified the most prolific Phobos variants, common affiliate tactics, techniques and procedures (TTPs), and characteristics of the Phobos affiliate structure. Our researchers looked at observed Phobos activity and analyzed more than 1,000 Phobos samples from VirusTotal dating back to 2019. We found that the 8Base group was increasingly deploying variants of Phobos via the SmokeLoader backdoor. We also found indications that Phobos could be available as a pay-for ransomware-as-a-service model. 
    
*   Talos discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” We found evidence suggesting the threat actor is targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea. SugarGh0st is believed to be a variant of the infamous Gh0st RAT, a years-old malware of Chinese origin. SugarGh0st is believed to be targeting users in Uzbekistan and South Korea. 
    

*   Talos releases the details of Project PowerUp, an effort from multiple teams across Cisco to create a new, bespoke hardware device used to protect Ukraine’s power grid. The modified IoT switches allow the country’s power grid to be protected against GPS-jamming attacks, which traditionally tried to disrupt the way timing on the network worked. CNN first wrote about these efforts, and Joe Marshall, Talos’ researcher who spearheaded the project, wrote a firsthand account for the Talos blog.  
    

For further analysis of the threat landscape trends in 2023, download your copy of the Talos Year in Review.

Year in Malware 2023: Recapping the major cybersecurity stories of the past year

Google will soon roll out its Tracking Protection feature to some randomly chosen users in order to prepare for a full deployment.

Google has announced that it will start rolling its Chrome web browser’s new Tracking Protection feature from January of 2024. Tracking Protection is part of Google’s Privacy Sandbox initiative to phase out third-party cookies. The Tracking Protection feature aims to disable third-party cookies completely in the second half of 2024.

Third-party cookies, often referred to as non-essential cookies, can be used to track visitors as they move from one website to another, with the purpose of creating profiles for personalized ads. But other website features, like authentication and fraud prevention can also depend on them.  

Starting January 4, Google says it will select one percent of Chrome users on desktop and Android at random, and that group will get the option to use the Tracking Protection feature. The chosen users will receive a notification about it when they open Chrome.

The selected Chrome users can do some testing to establish the impact of blocking third-party cookies on their browsing experience. For example, when Tracking Protection is enabled, some websites may not load correctly, so users will also have the option to temporarily re-enable third-party cookies for that specific website.

One significant difference with the existing (largely useless) “Do Not Track” feature is that websites do not have a choice about whether to cooperate with Tracking Protection. Do Not Track is a signal sent by the browser that asks websites to play nicely and not track it. It isn’t effective and there is no way to determine if it’s having the desired effect or not.

Other initiatives by Google in this direction include hiding your IP address. An IP address is the next best thing for tracking users across the internet. Although the IP address is often not limited to one system, they are very often bound to one household. Google’s IP Protection proposal wants to use proxies to hide users’ IP addresses.

It remains to be seen how fruitful these initiatives will be. A few years ago (March 2021), Google ran some tests with a program called Federated Learning of Cohorts (FLoC) which was also intended to replace third-party cookies. But the technology was criticized on privacy grounds and on January 25, 2022, Google officially announced it had ended development of FLoC technologies.

FLoC was replaced by the Topics API, another Privacy Sandbox mechanism designed to preserve privacy while allowing a browser to share information with third parties about a user’s interests.

Meanwhile, regulators are monitoring the tech giant’s initiatives to ensure they don’t give the company an unfair advantage in selling its own ads.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Chrome starts the countdown to the end of tracking cookies 

Google on Thursday announced that it will start testing a new feature called "Tracking Protection" starting January 4, 2024, to 1% of Chrome users as part of its efforts to deprecate third-party cookies in the web browser.
The setting is designed to limit "cross-site tracking by restricting website access to third-party cookies by default," Anthony Chavez, vice president of Privacy

Google on Thursday announced that it will start testing a new feature called "Tracking Protection" starting January 4, 2024, to 1% of Chrome users as part of its efforts to deprecate third-party cookies in the web browser.

The setting is designed to limit "cross-site tracking by restricting website access to third-party cookies by default," Anthony Chavez, vice president of Privacy Sandbox at Google, said.

The tech giant noted that participants for Tracking Protection will be selected at random and that chosen users will be notified upon opening Chrome on either a desktop or an Android device.

The goal is to restrict third-party cookies (also called "non-essential cookies") by default, preventing them from being used to track users as they move from one website to the other for serving personalized ads.

While several major browsers like Apple Safari and Mozilla Firefox have either already placed restrictions on third-party cookies via features like Intelligent Tracking Prevention (ITP) and Enhanced Tracking Protection in Firefox, Google is taking more of a middle-ground approach that involves devising alternatives where users can access free online content and services without compromising on their privacy.

In mid-October 2023, Google confirmed its plans to "disable third-party cookies for 1% of users from Q1 2024 to facilitate testing, and then ramp up to 100% of users from Q3 2024."

Privacy Sandbox, instead of providing a cross-site or cross-app user identifier, "aggregates, limits, or noises data" through APIs like Protected Audience (formerly FLEDGE), Topics, and Attribution Reporting to help prevent user re-identification.

In doing so, the goal is to block third-parties from tracking user browsing behavior across sites, while still allowing sites and apps to serve relevant ads and enabling advertisers to measure the performance of their online ads without using individual identifiers.

"With Tracking Protection, Privacy Sandbox and all of the features we launch in Chrome, we'll continue to work to create a web that's more private than ever, and universally accessible to everyone," Chavez said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google's New Tracking Protection in Chrome Blocks Third-Party Cookies

Apple has changed its legal process guidelines to reflect it now requires a judge's order to hand over information about its customers' push notifications.

Last week, we reported on how US government agencies have been asking Apple and Google for metadata related to push notifications, but the companies aren’t allowed to tell users about it happening.

The content of the notifications is diverse. It ranges from a weather app warning you about rain to an alert that you have new mail, which often included the subject line and the sender. Other notifications include alerts from your bank about major changes in your balance, breaking news from your news app, or DM notifications on a social media platform.

Not all of them are equally important or sensitive, but Apple and Google acknowledged receiving such requests. Now Apple is making a stand.

Apple’s now changed its legal process guidelines so that it now requires a judge’s order to hand over information about its customers’ push notifications to law enforcement.

> “When users allow an application they have installed to receive push notifications, an Apple Push Notification Service (APNs) token is generated and registered to that developer and device. Some apps may have multiple APNs tokens for one account on one device to differentiate between messages and multi-media.
> 
> The Apple ID associated with a registered APNs token and associated records may be obtained with an order under 18 U.S.C. §2703(d) (Required disclosure of customer communications or records) or a search warrant.”

Senator Wyden, who last week urged the Department of Justice (DOJ) to “permit Apple and Google to inform their customers and the general public about demands for smartphone app notification records,” said on the latest developments:

> “Apple is doing the right thing by matching Google and requiring a court order to hand over push notification related data.”

**Disabling notifications**

If you want to trim the number of notifications, here is what you can do.

On Android devices open your **Settings** app and click on **Notifications**. In the dropdown menu, tap **All apps**. Here you can turn the app’s notifications on or off. There could be slight variations due to Android version and phone vendors. (The path may be slightly dfferent depending on the make and model of your Android device).

On iPhones and iPads open the **Settings** app and click on **Notifications**. You’ll see a list of apps that are allowed to show push notifications. To disable them, you need to click on the individual app in that list and disable notifications (turn the slider from green to grey).

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Apple now requires a judges order to hand over your push notification data 

Improper authentication in some Zoom clients before version 5.16.5 may allow an authenticated user to conduct a denial of service via network access.

**Zoom Clients - Improper Authentication**

*   Bulletin: ZSB-23062
*   CVEID: CVE-2023-49646
*   CVSS Severity: Medium
*   CVSS Score: 5.4
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Description:

 Improper authentication in some Zoom clients before version 5.16.5 may allow an authenticated user to conduct a denial of service via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

*   Zoom Desktop Client for Windows before version 5.16.5
*   Zoom Desktop Client for macOS before version 5.16.5
*   Zoom Mobile App for iOS before version 5.16.5
*   Zoom Mobile App for Android before version 5.16.5
*   Zoom Desktop Client for Linux before version 5.16.5
*   Zoom VDI Client before version 5.16.5 (excluding 5.14.14 and 5.15.12)
*   Zoom SDKs before version 5.16.5

Source:

Reported by Zoom Offensive Security Team.

**Subscribe for updates**

Please provide your individual email address to receive notification of future Zoom Security Bulletins. (Note: Email aliases will not receive these notifications.)

CVE-2023-49646: ZSB 23062

Cryptographic issues Zoom Mobile App for Android, Zoom Mobile App for iOS, and Zoom SDKs for Android and iOS before version 5.16.0 may allow a privileged user to conduct a disclosure of information via network access.

**Zoom Mobile App for Android, Zoom Mobile App for iOS and Zoom SDKs - Cryptographic Issues**

*   Bulletin: ZSB-23056
*   CVEID: CVE-2023-43583
*   CVSS Severity: Medium
*   CVSS Score: 4.9
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Description:

Cryptographic issues Zoom Mobile App for Android, Zoom Mobile App for iOS, and Zoom SDKs for Android and iOS before version 5.16.0 may allow a privileged user to conduct a disclosure of information via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

*   Zoom Mobile App for Android before version 5.16.0
*   Zoom Mobile App for iOS before version 5.16.0
*   Zoom Video SDK for Android before version 5.16.0
*   Zoom Video SDK for iOS before version 5.16.0
*   Zoom Meeting SDK for Android before version 5.16.0
*   Zoom Meeting SDK for iOS before version 5.16.0

Source:

Reported by Zoom Offensive Security Team.

**Subscribe for updates**

Please provide your individual email address to receive notification of future Zoom Security Bulletins. (Note: Email aliases will not receive these notifications.)

Tag

#android