The Russia-linked threat actor known as APT28 has been linked to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America.
"The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated

APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme

There are a few reasons why we’re so ready to jump to the “it’s a cyber attack!”

Thursday, March 14, 2024 14:00

Some of my Webex rooms recently have been blowing up with memes about blaming Canada or wild speculation that a state-sponsored actor is carrying out some sort of major campaign.  

After a widespread outage of cellular service with AT&T and other carriers a few weeks ago, people were sure it was some sort of coordinated attack to disrupt Americans’ services that largely power our day-to-day lives. The outage lasted about 11 hours, and after the fact, the company announced they’d give customers a whopping $5 credit to make up for the issue. The Federal Communications Commission also announced last week that it was launching a formal investigation into the outage, requesting more information about the exact cause and how many users were affected.  

About two weeks later, the same kinds of messages and questions to our team came flooding in when Meta experienced an outage across many of its platforms, most notably Facebook, Instagram and Threads. Though this only lasted a few hours, any time Americans can’t access their Instagram feeds, it’s going to make headlines. 

In both cases, consumers immediately wanted to start pointing fingers — Which actor was behind these? Why is there so little information about this outage? Is this China getting revenge for talk of forcing a TikTok sale? What’s the broader conspiracy behind this? The outages also quickly opened the door for some of the world’s chief spreaders of misinformation and fake news to start spreading conspiracy theories. 

The problem is, not every technical issue can or needs to be explained away by a cyber attack. That’s not to undersell the danger that state-sponsored APTs pose currently, or the fact that they \*could\* one day cause a disruption like this. But jumping to that conclusion every time Down Detector pops off is only going to spread fear/FUD and help these outlets for disinformation reach a larger audience.  

It creates a “boy who cried wolf” situation for when a major cyber attack actually does happen, and the average consumer is forced to make an immediate update to some piece of software or hardware. 

There are a few reasons why we’re so ready to jump to the “it’s a cyber attack!” conclusion. One is that Hollywood has been “glamorizing” the idea of a major cyber attack or major disruption for years now. Movies and TV shows like Netflix’s “Leave the World Behind” have dramatized what a major cyber attack or internet outage may look like, and how quickly it could lead to the unraveling of civilization. Because of our current doomscrolling culture, the second something even looks like it could be a cyber event, we’re ready to declare the end of our economy and society. 

It’s also sexier when it’s a cyber attack. AT&T says its outage was caused by a technical error that occurred when it was trying to upgrade its network’s capacity, explicitly stating it was not caused by any sort of disruption campaign or cyber attack. Meta simply chalked their outage up to a “technical issue.”  

None of these things make for good headlines. But sometimes, the simplest explanation is the most obvious one — we’ve all pressed a wrong button here or there, and stuff breaks on the internet all the time for all sorts of reasons. But “Users logged out of Instagram after Meta employee hits ‘enter’ too soon” isn’t as eye-catching as “Are Instagram and Facebook down because of a cyber attack?” 

Could these multi-billion-dollar corporations be lying? Sure, but I also find it hard enough to believe that the truth would not have made it out to consumers by now if these outages weren’t simple technical issues, nor would AT&T feel compelled to reimburse customers for something that could be totally out of their control. 

And if you ever get logged out of Facebook or Instagram, maybe you’re just better off being offline for a few hours anyway than immediately assuming Mahershala Ali is going to be knocking on your vacation home’s door in any minute.   

**The one big thing **

We want to keep reminding users to update and upgrade their network infrastructure. Aging devices like switches and routers that are used across the globe are a consistently vulnerable surface for adversaries to gain an initial foothold onto targeted networks. Talos recently highlighted the three most common post-compromise attacks that adversaries carry out after compromising these types of vulnerable devices, including modifying the device’s firmware and downgrading the firmware to remove older patches and open the door to new exploitable vulnerabilities. Nick Biasini from Talos Outreach also spoke about this issue for an article in NetworkWorld.  

**Why do I care? **

As Hazel Burton puts it in the blog post linked above: “Adversaries, particularly APTs, are capitalizing on this scenario to conduct hidden post-compromise activities once they have gained initial access to the network. The goal here is to give themselves a greater foothold, conceal their activities, and hunt for data and intelligence that can assist them with their espionage and/or disruptive goals. Think of it like a burglar breaking into a house via the water pipes. They’re not using “traditional” methods such as breaking down doors or windows (the noisy smash-and-grab approach) — they’re using an unusual route, because no one ever thinks their house will be broken into via the water pipes. Their goal is to remain stealthy on the inside while they take their time to find the most valuable artefacts.” 

**So now what? **

If you are using network infrastructure that is end of life, out of support, and now has vulnerabilities that cannot be patched, now really is the time to replace those devices. Using networking equipment that has been built with secure-by-design principles such as running secure boot, alongside having a robust configuration and patch management approach, is key to combatting these types of threats. Ensure that these devices are being watched very carefully for any configuration changes and patch them promptly whenever new vulnerabilities are discovered.   

**Top security headlines of the week **

**Security researchers have found a new vulnerability affecting chips made by nearly all major CPU makers dubbed “GhostRace.”** The vulnerability, identified as CVE-2024-2193, requires an adversary to win a race condition and to have physical or privileged access to the targeted machine. However, it could allow a malicious user to steal potentially sensitive information from memory like passwords and encryption keys. "The vulnerability affects many CPU architectures, including those made by Intel, AMD, Arm and IBM. It also affected some hypervisor vendors and the Linux operating system. AMD released an advisory this week that informed customers that they should follow previous defense guidance for other security flaws like Spectre that have affected CPUs in the past. “Our analysis shows all the other common write-side synchronization primitives in the Linux kernel are ultimately implemented through a conditional branch and are therefore vulnerable to speculative race conditions,” VU Amsterdam said in its blog post disclosing GhostRace. (SecurityWeek, Vrije Universiteit Amsterdam) 

**Health care providers are still reeling from a cyber attack on Change Healthcare**, a subsidiary of the United HealthGroup Inc. insurance provider. First Health Advisory, a digital health risk assurance firm, recently estimated that health care providers are losing an estimated $100 million daily as they still cannot process payments from insurance providers. Change first disclosed the suspected ransomware attack in late February, and on March 5, the U.S. government announced a plan to provide relief payments for providers who are facing financial shortfalls due to the outage. Many doctors' offices and care clinics are facing late rent payments and unpaid invoices. The attack has also limited some patients’ ability to obtain pre-authorization for certain services and surgeries, and others have not been able to refill their prescriptions at hospitals. U.S. Congress is also asking the CEO of United HealthGroup to appear before a committee to answer questions about the hack. (CBS News, Bloomberg) 

**The U.S. has placed formal sanctions against two individuals and five entities associated with the Intellexa Consortium,** responsible for developing and distributing the Predator spyware. Talos has previously reported on Intellexa’s tools, and how their spyware is silently loaded onto targeted devices. This is the first time the Treasury Department has sanctioned a spyware organization and announced it publicly. The sanctions include five vendors who work with Intellexa to sell the spyware, all of whom are spread across Europe. Intellexa itself is based in Greece. Predator and other spyware developed by private parties are often used to target high-risk individuals to track their communication and movement, including politicians, journalists, activists and political dissidents. Under the sanctions, anyone in the U.S. is forbidden from doing business with Intellexa or the associated companies and individuals. The Biden administration has long pushed for additional action against spyware makers, including Israel-based NSO Group, which distributes the Pegasus spyware. (Voice of America, Axios) 

**Can’t get enough Talos? **

*   Threat actors leverage document publishing sites for ongoing credential and session token theft 
*   Heather Couk is here to keep your spirits up during a cyber emergency, even if it takes the “Rocky” music 
*   Another Patch Tuesday with no zero-days, only two critical vulnerabilities disclosed by Microsoft 
*   Talos Takes Ep. #175: What's new about GhostSec's ransomware-as-a-service model 

**Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_   

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe   
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a   
**Typical Filename:** nYzVlQyRnQmDcXk   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd 

**SHA 256:** e38c53aedf49017c47725e4912fc7560e1c8ece2633c05057b22fd4a8ed28eb3   
**MD5:** c16df0bfc6fda86dbfa8948a566d32c1   
**Typical Filename:** CEPlus.docm   
**Claimed Product:** N/A    
**Detection Name:** Doc.Downloader.Pwshell::mash.sr.sbx.vioc 

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**Typical Filename:** VID001.exe    
**Claimed Product:** N/A    
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934   
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c   
**Typical Filename:** Wextract   
**Claimed Product:** Internet Explorer   
**Detection Name:** W32.File.MalParent

Not everything has to be a massive, global cyber attack

The US Treasury Department has sanctioned Predator spyware vendor Intellexa Consortium, and banned the company from doing business in the US.

The US Treasury Department has sanctioned Predator spyware vendor Intellexa Consortium, and banned the company from doing business in the US.

Predator can turn infected smartphones into surveillance devices. Intellexa is based in Greece but the Treasury Department imposed the sanctions because of the use of the spyware against Americans, including US government officials, journalists, and policy experts.

Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said:

> “Today’s actions represent a tangible step forward in discouraging the misuse of commercial surveillance tools, which increasingly present a security risk to the United States and our citizens.”

Since its founding in 2019, the Intellexa Consortium has marketed the Predator label as a suite of tools created by a variety of offensive cybercompanies that enable targeted and mass surveillance campaigns.

Predator is capable of infiltrating a range of electronic devices without any user interaction (known as ‘zero-click’). Once installed, Predator deploys its extensive data-stealing and surveillance capabilities, giving the attacker access to a variety of applications and personal information on the compromised device. The spyware is capable of turning on the user’s microphone and camera, downloading their files without their knowledge, tracking their location, and more.

Under the sanctions, Americans and people who do business with the US are forbidden from transacting with Intellexa, its founder and architect Tal Dilian, employee Sara Hamou and four of the companies affiliated with Intellexa.

Sanctions of this magnitude leveraged against commercial spyware vendors for enabling misuse of their tools are unprecedented, but the US has expressed concerns about commercial spyware vendors before.

> “A growing number of foreign governments around the world, moreover, have deployed this technology to facilitate repression and enable human rights abuses, including to intimidate political opponents and curb dissent, limit freedom of expression, and monitor and target activists and journalists.”

In July 2023, the US Commerce Department’s Bureau of Industry and Security (BIS) added Intellexa and Cytrox AD to the Entity List for trafficking in cyber exploits used to gain access to information systems. Cytrox AD is a North Macedonia-based company within the Intellexa Consortium and acts as a developer of the consortium’s Predator spyware.

The Entity List is a trade control list created and maintained by the US government. It identifies foreign individuals, organizations, companies, and government entities that are subject to specific export controls and restrictions due to their involvement in activities that threaten US national security or foreign policy interests.

Earlier this month, a California federal judge ordered spyware maker NSO Group to hand over the code for Pegasus and other spyware products used to spy on WhatsApp users.

While you’ll see Predator and Pegasus usually deployed in small-scale and targeted attacks, putting a stop to the development and deployment of spyware by these commercial entities is good news for everyone.

**How to remove spyware**

Because spyware apps install under a different name and hide themselves from the user, it can be hard to find and remove them. That is where Malwarebytes for Android can help you.

1.  Open Malwarebytes for Android and navigate to the dashboard
2.  Tap **Scan** **now**
3.  It may take a few minutes to scan your device, but it will tell you if it finds spyware or any other nasties.
4.  You can then uninstall the app.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Predator spyware vendor banned in US 

Meta has won a court case against spyware vendor NSO Group to reveal the Pegasus spyware code that allows spying on WhatsApp users.

A California federal judge has ordered spyware maker NSO Group to hand over the code for Pegasus and other spyware products that were used to spy on WhatsApp users.

Meta-owned WhatsApp has been fighting NSO in court since 2019, after Pegasus was allegedly used against 1,400 WhatsApp users over the period of two weeks. During this time, NSO Group gained access to the users’ sensitive data, including encrypted messages.

NSO Group justifies the use of Pegasus by saying it’s a beneficial tool for investigating and preventing terrorist attacks and maintaining the safety of the public. However, the company also says it recognizes that some customers might abuse the abilities of the software for other purposes.

Earlier in the court case, NSO Group argued it should be recognized as a foreign government agent and, therefore, be entitled to immunity under US law limiting lawsuits against foreign countries. NSO Group is closely regulated by the Israeli ministry of defense, which reviews and has to approve the sale of all licenses to foreign governments or entities. This is likely also the reason why NSO Group claimed to be excused of all its discovery obligations in the case, due to various US and Israeli restrictions.

NSO Group argued it should only be required to hand over information about Pegasus’ installation layer, but this was denied by the court. The judge ordered NSO Group to provide the plaintiffs with the knowledge needed to understand how the relevant spyware performs the functions of accessing and extracting data.

WhatsApp said that the decision is a major victory in its mission to defend its users against cyberattacks. This may be true if a better understanding of how the spyware works leads to improvements that can thwart future abuse.

However, this is no reason to assume that this will bring an end to NSO Group’s capabilities or willingness to spy on WhatsApp users. NSO Group doesn’t have to disclose the identity of its clients and it only has to produce information concerning the full functionality of the relevant spyware, specifically for a period of one year before the alleged attack to one year after the alleged attacks, which means from April 29, 2018 to May 10, 2020. Things have developed since then.

The US sanctioned NSO Group in 2021 for developing and supplying cyber weapons to foreign governments that used these tools to maliciously target government officials, journalists, business people, activists, academics, and embassy workers.

After that period we saw many zero-day vulnerabilities brought to light in browsers and other online applications very likely used by the NSO to compromise mobile devices.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Pegasus spyware creator ordered to reveal code used to spy on WhatsApp users 

Plus: Apple warns about sideloading apps, a court orders NSO group to turn over the code of its Pegasus spyware, and an investigation finds widely available security cams are wildly insecure.

To send those notifications that awaken a device and appear on its screen without a user’s interaction, apps and smartphone operating system makers must store tokens that identify the device of the intended recipient. That system has created what US senator Ron Wyden has called a “digital post office” that can be queried by law enforcement to identify users of an app or communications platform. And while it has served as a powerful tool for criminal surveillance, privacy advocates warn that it could just as easily be turned against others such as activists or those seeking an abortion in states where that’s now illegal.

In many cases, tech firms don’t even demand a court order for the data: Apple, in fact, only demanded a subpoena for the data until December. That allowed federal agents and police to obtain the identifying information without the involvement of a judge until it changed its policy to demand a judicial order.

Europe's sweeping Digital Markets Act comes into force next week and is forcing major "gatekeeper" tech companies to open up their services. Meta-owned WhatsApp is opening its encryption to interoperate with other messaging apps; Google is giving European users more control over their data; and Apple will allow third-party app stores and the sideloading of apps for the first time.

Apple's proposed changes have proved controversial, but ahead of the March 7 implementation date the company has reiterated its belief that sideloading apps creates more security and privacy risks. It may be easier for apps on third-party apps stores, the company says in a white paper, to contain malware or try to access people's iPhone data. Apple says it is bringing in new checks to try to make sure apps are safe.

"These safeguards will help keep EU users' iPhone experience as secure, privacy-protecting, and safe as possible—although not to the same degree as in the rest of the world," the company claims. Apple also says it has heard from EU organizations, such as those in banking and defense, which say they are concerned about employees installing third-party apps on work devices.

WhatsApp scored a landmark legal win this week against the notorious mercenary hacking firm NSO Group in its long-running lawsuit against that spyware seller for allegedly breaching its app and the devices of its users. The judge in the case, Phyllis Hamilton, sided with WhatsApp in its demand that NSO Group hand over the code of its Pegasus spyware, which has long been considered one of the most sophisticated pieces of spyware to target mobile devices, sometimes through vulnerabilities in WhatsApp. The code handover—which includes versions of Pegagus from 2018 to 2020 as well as NSO’s documentation around its spyware—could help WhatsApp prove its allegations that NSO hacked 1,400 of its users, including at least 100 members of “civil society” such as journalists and human rights defenders. “Spyware companies and other malicious actors need to understand they can be caught and will not be able to ignore the law,” a WhatsApp spokesperson told the _Guardian_.

Here’s a solid rule of thumb: Don’t put any device in or around your home that has a camera, an internet connection, and is made by a Chinese manufacturer you’ve never heard of. In the latest reminder of that maxim, Consumer Reports this week revealed that countless brands of video-enabled doorbells have absolutely shambolic security, to the degree that for many of the devices, anyone can walk up to them outside your door, hold a button to pair their own smartphone with it, and then spy through your camera. In some cases, they can even obtain just a serial number from the device that lets them hijack it via the internet from anywhere in the world, according to the investigation. Consumer Reports found that these devices were sold under the brand names Eken and Tuck but that they appeared to share a manufacturer with no fewer than 10 other devices that all had similar designs. And while those devices might sound obscure, they’re reportedly sold through major retail platforms like Amazon, Walmart, Sears, Shein, and Temu. In some cases, Amazon had even marked the devices with their “Amazon’s Choice: Overall Pick” badge—even after Consumer Reports alerted Amazon to the security flaws.

The Privacy Danger Lurking in Push Notifications

A U.S. judge has ordered NSO Group to hand over its source code for Pegasus and other products to Meta as part of the social media giant's ongoing litigation against the Israeli spyware vendor.
The decision, which marks a major legal victory for Meta, which filed the lawsuit in October 2019 for using its infrastructure to distribute the spyware to approximately

U.S. Court Orders NSO Group to Hand Over Pegasus Spyware Code to WhatsApp

Fake news, disinformation, misinformation – whatever label you want to put on it – will not just go away if one election in the U.S. goes one way or the other.

Thursday, February 22, 2024 14:00

When we talk about the term “fake news,” most people likely picture a certain person who made the term infamous. 

And when we talk about misinformation and disinformation, many will remember the “Russian troll farms” that popped up during the 2016 U.S. presidential election and were unmasked and shut down during former president Barack Obama’s final days in office. 

But a few recent actions from TikTok, the most popular online social media platform, show that the problem of spreading misinformation and disinformation goes far beyond the borders of the U.S. 

TikTok announced last week it was launching in-app “election centres” to help combat misinformation and inform users of facts when they view videos about elections in European Union nations. This includes 27 unique apps that all use the country’s native language.  

In a statement on their site, the social media company said this effort is to “ensure people can easily separate fact from fiction.” 

Part of me can’t help but wonder if this wasn’t a problem of the company’s own creation after they allowed misinformation about the COVID-19 global pandemic to spread rapidly and use an algorithm that enhances “controversial” videos about different international brands. But I can certainly hope that these election centres provide more context than the little info box Twitter launched a while ago.  

I think this is important to note, though, that this problem just goes beyond American culture. Fake news, disinformation, misinformation – whatever label you want to put on it – will not just go away if one election in the U.S. goes one way or the other. It is an issue that is spreading on all platforms in all countries. 

I’ve been at fault in the past for just wanting to put the blame on Twitter. While they have been one of the worst offenders of allowing misinformation on their site, they are far from the only offenders or the only platform where users can spread this time of misinformation, even if they are doing it by accident. 

Just like any other platform, it’s easy for someone on TikTok to simply “share” or “like” someone else’s video if they find it compelling without giving it a second thought. Your friends and family are likely spreading misinformation on their feeds without even knowing it or doing it with any malicious intent. Regardless of where you live in the world, this is likely true. 

It’s amplified in the U.S. because our political theater is such that when something happens, everyone else on the world stage notices it. I can’t say that folks in the U.S. are necessarily invested in the national elections in Greece.  

But if misinformation is allowed to spread during the Greek elections, it’s going to spread to U.S. presidential elections. Once the infrastructure is in place for disinformation to flourish on a platform, it’s nearly impossible to get rid of, no matter the topic.  

**The one big thing **

Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe. The volume of emails associated with these campaigns has significantly increased since September 2023 and we continue to regularly observe new email distribution campaigns. We have observed all three malware families being delivered during the same timeframe from the same storage bucket within Google Cloud. 

**Why do I care? **

Some of the highest volume campaigns recently observed were being used to deliver the Astaroth, Mekotio, and Ousaban banking trojans to victims largely located in Latin American countries. We have also observed lower volume campaign victims located throughout Europe and North America, which may indicate less geographically focused targeting by threat actors moving forward. For example, the current variant of Astaroth targets more than 300 institutions across 15 Latin American countries. 

**So now what? **

Talos has released new ClamAV signatures and Snort rules to protect against these various banking trojans. Our researchers have also alerted Google of this activity so that they may address it internally on Cloud Run. 

**Top security headlines of the week **

**Poland is launching a formal investigation into whether its former government leaders misused the Pegasus spyware.** Parliament created a coalition to see if the Law and Justice (PiS) government, previously the ruling party of Poland, used the controversial spyware to track and target its political opponents. Current ruling leaders used a promise of an investigation as one of their top campaign platforms. Meanwhile, NSO Group, the creators of Pegasus, have reportedly created a new one-click exploit called “MMS Fingerprint” that it offers as an infection tool for the spyware. MMS Fingerprint allows Pegasus users to learn a great deal about a target Blackberry, iPhone or Android device by sending a specially crafted Multimedia Messaging Service (MMS) message. A contract between an NSO Group reseller and a customer in Ghana exposed the information, including a promise that MMS Fingerprint required “No user interaction, engagement, or message opening ... to receive the device fingerprint.” (Politico, DarkReading) 

**The spyware startup Variston is reportedly shrinking and is preparing to completely close.** Variston is known for launching spyware that can target iPhones, Android devices and some PCs. A disgruntled employee reportedly leaked information about the company and the zero-day exploits they used to Google’s Threat Analysis Group, which allowed Google to unmask the operation. This eventually led to several employees and developers leaving Variston. Variston, founded in 2018, previously used three zero-day vulnerabilities to target Apple devices, including a campaign in March 2023 to target iPhones in Indonesia. Reporters and researchers have yet to find who, exactly, Variston sold their services and technology to, though former employees have said some of the spyware was sent to the United Arab Emirates. (Tech Crunch, Google) 

**Volt Typhoon, a large APT based in China, is reportedly still exfiltrating sensitive information on operational technology (OT) networks.** Volt Typhoon has been known to target organizations in the communications, manufacturing, utility, IT and education sectors across the globe, though it’s recently become more noteworthy for its targeting of critical networks in the U.S. A new report from cybersecurity firm Dragos says that it spotted Volt Typhoon conducting scanning activities against electric companies between November and December 2023. Volt Typhoon is traditionally known for espionage and data theft on behalf of the Chinese government. But Dragos also says that the actor has also recently infiltrated a large U.S. city's emergency services network, as well as critical infrastructure networks in Africa. The report states that the OT data stolen may cause “unintended disruption to critical industrial processes or provide the adversary with crucial intelligence to aid in follow-up offensive tool development or attacks against ICS networks.” (SecurityWeek, The Register) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #172: Case study: How Talos IR helped a healthcare tech company avoid a ransomware attack 
*   How CVSS 4.0 changes (or doesn’t) the way we see vulnerability severity 
*   Network infrastructure was a prime target for cyber threats in 2023 
*   Russian APT Turla Wields Novel Backdoor Malware Against Polish NGOs 
*   Turla hackers backdoor NGOs with new TinyTurla-NG malware 

**Upcoming events where you can find Talos **

**S4x24** **(March 4 - 27)** 

Miami Beach, Florida 

_To protect themselves during Russian aggression, the Ukrainian military utilizes electronic warfare to blanket critical infrastructure to defeat radar and GPS-guided smart munitions. This has the unintended consequence of disrupting GPS synchrophasor clock measurements and creating service outages on an already beleaguered and damaged transmission electric grid. Joe Marshall from Talos’ Strategic Communications team will tell an incredible story of how a group of engineers and security professionals from a diverse coalition of organizations came together to solve this electronic warfare GPS problem in an unconventional technical way, and helped stabilize parts of the transmission grid of Ukraine._ 

**RSA** **(May 6 - 9)** 

_San Francisco, California_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**Typical Filename:** VID001.exe    
**Claimed Product:** N/A    
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 6d167aee7013d61b0832937773cd71d77493a05d6ffb1849bdfb1477622e54c2   
**MD5:** 36503fd339663027f5909793ea49ccbc   
**Typical Filename:** telivy\_agent\_2.3.1.exe   
**Claimed Product:** N/A    
**Detection Name:** W32.File.MalParent

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1      
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515      
**Typical Filename:** IMG001.exe      
**Claimed Product:** N/A      
**Detection Name:** Win.Dropper.Coinminer::1201 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa     
**MD5:** df11b3105df8d7c70e7b501e210e3cc3     
**Typical Filename:** DOC001.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201

TikTok’s latest actions to combat misinformation shows it’s not just a U.S. problem

A single, vendorwide, hardcoded AES key in the Yealink Configuration Encrypt Tool used to encrypt provisioning documents was leaked leading to a compromise of confidentiality of provisioning documents.

    CloudAware Security AdvisoryCVE-2024-24681: Insecure AES key in Yealink Configuration Encrypt Tool========================================================================Summary========================================================================A single, vendorwide, hardcoded AES key in the configuration tool used toencrypt provisioning documents was leaked leading to a compromise ofconfidentiality of provisioning documents.========================================================================Product========================================================================* Yealink Configuration Encrypt Tool (AES version)* Yealink Configuration Encrypt Tool (RSA version <v1.2)========================================================================Detailed description========================================================================The Yealink Configuration Encrypt Tool facilites provisioning and configuration mangementof Yealink products, such as VoIP phones. The tool created AES encrypted provisioningdocuments, containing configuration directives such asusername=user1passwword=passw0rd!serverhost=sip.host.comcallerid=+19051231212The files created by this tool are then transferred to the Yealink equipment. The equipmentdecrypts the files and uses them to configure itself.This process needs to be secure. So these files are encrypted.The decryption is done by a static, hardcoded, key that is identical across all installs andcustomers. After decryption of this file by the hardcoded AES key confidential information,such as user passwords are visible in plain text.This implies that knowledge of this hardcoded key allows for the disclosure of sensitiveinformation from the configuration files, or that files with different information can beintroduced and are axiomatically trusted by the phone.As this key is static - this includes historic files from any customer that used this tool.The vendor has fixed this in version 1.2 of the Configuration Encrypt Tool.========================================================================Solution========================================================================1) Upgrade Yealink Configuration Encrypt Tool to version 1.22) Evaluate the impact of the disclosure of any configurations rolled out withprior versions of this tool (including, specifically, the leaking of passwords)========================================================================Mitigation========================================================================1) If an upgrade is not an option - as `anyone' can create valid configurationfiles; ensure that affected equipment is unable to reach provisioning servers.2) Evaluate the impact of the disclosure of any configurations rolled out priorto these mitigation steps========================================================================Weblinks========================================================================https://github.com/gitaware/CVE/tree/main/CVE-2024-24681========================================================================History========================================================================early 2020, release of Configuration Encrypt Tool v1 containing RSA encryption methodjuli 2022, Yealink informed “old” AES key still present and working in tool2023, new version of Configuration Encrypt Tool v1.2 without a hardcoded AESencryptionkey

Yealink Configuration Encrypt Tool Static AES Key

By Waqas
The latest report from Swedish telecom security firm Enea sheds light on security vulnerabilities within the widely used messaging platform, WhatsApp.
This is a post from HackRead.com Read the original post: Israeli NSO Group Suspected of “MMS Fingerprint” Attack on WhatsApp

NSO Group, an Israeli spyware firm, is suspected of exploiting a novel “MMS Fingerprint” attack to target unsuspected users on WhatsApp, exposing their device information without needing user interaction.

Swedish telecom security firm Enea reports that the Israeli NSO Group, targeted journalists, human rights activists, lawyers, and government officials with a novel MMS Fingerprint attack by exploiting a **vulnerability in WhatsApp**.

The report that the company shared with Hackread.com on Thursday 15, 2023, WhatsApp discovered a vulnerability in its system in May 2019, allowing attackers to install Pegasus spyware on users’ devices. The flaw was then exploited to target government officials and activists globally. WhatsApp sued **NSO Group** for this exploitation, but appeals failed in the US appeal court and Supreme Court.

The attack, reportedly used by NSO Group, was discovered in a contract between the Israeli agency’s reseller and the telecom regulator of Ghana, which can be viewed in lawsuit documents **here** (PDF).

Enea launched an investigation to find out how an MMS fingerprint attack occurs. They discovered that it could reveal the target device and OS version without user interaction by sending an MMS.

The MMS UserAgent, a string that identifies the OS and device (such as a Samsung phone running Android), can be used by malicious actors to exploit vulnerabilities, tailor malicious payloads, or craft phishing campaigns.

**Surveillance companies** often request device information, but UserAgent may be more useful than IMEI. It’s important to note that MMS UserAgent is different from browser UserAgent, which has privacy concerns and changes.

The problem, according to Enea’s **report**, was not in the Android, Blackberry, or iOS devices but in the complex, multi-stage MMS flow process. The MMS flow examination suggested this was launched possibly through another method involving binary SMS.

For your information, MMS standards designers worked on a way to notify recipient devices of an MMS waiting for them without requiring them to be connected to the data channel. MM1\_notification.REQ uses SMS, a binary SMS (WSP Push), to notify the recipient MMS device’s user agent that an MMS message is waiting for retrieval.

The subsequent MM1\_retrieve.REQ is an HTTP GET to the URL address, including user device information, suspected to be leaked and potentially lifted the MMS fingerprint.

Researchers obtained sample SIM cards from a randomly selected Western European operator and successfully sent MM1\_notification.REQs (binary SMSs), setting the content location to a URL controlled by their web server.

The target device automatically accessed the URL, exposing its UserAgent and x-wap-profile fields. A Wireshark decode of the MMS notification and GET revealed how an attacker would execute an “MMS Fingerprint” attack, demonstrating it was possible in real life.

Enea’s report outlines the stages in an MMS flow and provides insight into the initial attack notification sent to the target. (Screenshot: ENEA)

The attack highlights the **ongoing threat to the mobile ecosystem**. Binary SMS attacks have been steadily reported over the last 20 years, highlighting the need for mobile operators to evaluate their protection against such threats.

For detailed insights into the report, we reached out to **Javvad Malik**, lead security awareness advocate at **KnowBe4** who warned that, Unlike previous methods, this attack doesn’t require user interaction, posing a significant concern for users’ security. The targeting of journalists, activists, and officials highlights the misuse of technology for surveillance and oppression. Platforms like WhatsApp must prioritize security as the foundation of their services.

> _“The saga of the NSO Group and its controversial exploits offers another chapter with the revelation of the “MMS Fingerprint” attack. At the heart of this revelation is a stark reminder of the ever-evolving cybersecurity threats, demonstrating not just the sophistication of threat actors, but their relentless pursuit to leverage vulnerabilities._
> 
> _The tactical evolution from requiring user interaction to achieve compromise—such as the unfortunate click on a malicious link—to now being able to extract valuable information through seemingly benign MMSs, underlines a significant shift. It’s concerning, to say the least, that users can be targeted without any user interaction._
> 
> _The targeting of journalists, activists, and officials is particularly egregious, highlighting a dark side of technological advancements where tools designed to connect and empower can also be twisted into instruments of surveillance and oppression. For organisations like WhatsApp and entities involved in digital communication, the imperative is clear: Security cannot merely be a feature; it must be the very foundation upon which platforms are built and maintained._
> 
> _In the broader context, incidents like the “MMS Fingerprint” attack are reminders that security cannot remain static and needs to continually evolve and build more resilient and secure systems.”_
> 
> Javvad Malik – KnowBe4

To prevent the attack, disabling MMS auto-retrieval on mobile devices can help, but some devices may not allow modification. On the network side, filtering Binary SMS/MM1\_notification messages can be effective. If a malicious binary SMS message is received, it is essential to prevent messages from connecting to attacker-controlled IP addresses.

1.  **Israeli spyware hacked phones of journalists globally**
2.  **iShutdown Tool Detects Pegasus Spyware on iOS Devices**
3.  **Fake WhatsApp clone aim at crypto on Android and Windows**
4.  **WhatsApp OTP Scam Allows Scammers to Hijack Your Account**
5.  **iPhones of State Dept officials hacked by NSO Pegasus spyware**

Israeli NSO Group Suspected of “MMS Fingerprint” Attack on WhatsApp

By Deeba Ahmed
This is the first instance of an iOS trojan that has been found stealing facial data from victims.
This is a post from HackRead.com Read the original post: New iOS Trojan “GoldPickaxe” Steals Facial Recognition Data

Beware, as a new iOS trojan dubbed GoldPickaxe has emerged, capable of stealing banking data, ID documents, and even facial data from infected devices.

Group-IB has discovered a new iOS Trojan, dubbed GoldPickaxe.iOS designed to steal facial recognition data, identity documents, and intercept SMS. The company’s Threat Intelligence Unit has attributed the entire threat cluster to a threat actor dubbed GoldFactory.

The GoldPickaxe family has been active since mid-2023, targeting the Asia-Pacific region, specifically Thailand and Vietnam and the attack method involves impersonating local banks and government organizations.

As per Group-IB, the threat actor exploits stolen biometric data using AI-driven face-swapping services to create deepfakes, allowing unauthorized access to a victim’s banking account, which is a new monetary theft technique.

In this campaign, GoldFactory has successfully used Mobile Device Management (MDM) to manipulate Apple devices, distributing its iOS Trojan by abusing TestFlight. Victims receive seemingly innocent URLs (e.g. testflight.apple.com/join/) leading to the installation of malicious software.

Another sophisticated method is tricking victims into interacting with fraudulent websites to install an MDM profile, allowing cybercriminals complete control over the victim’s device.

Thailand Banking Sector CERT (TB-CERT) has also reported that cybercriminals are distributing malicious links via messengers to lure victims into a fraudulent app posing as a ‘Digital Pension’ app. The app’s credibility is doubtful as Group-IB’s investigation confirmed multiple versions of GoldPickaxe impersonating official Thai government services, including the Digital Pension app for Thailand.

Researchers believe that the group may be engaging operators proficient in Thai and Vietnamese or possibly running a call center since an SMS written in Thai was found in the phishing campaign. In Thailand, cybercriminals impersonate government authorities and convince victims to use LINE, a popular messaging application.

According to Group-IB’s blog post, the gang reportedly employs a combination of smishing and phishing techniques to carry out their malicious activities in Vietnam and Thailand. Despite evidence that it is a Chinese-speaking group, the involvement/role of local cybercriminals cannot be ruled out when calls made to victims are examined.

It is worth noting that Group-IB previously discovered an Android Trojan, codenamed GoldDigger, stealing facial data, targeting over 50 Vietnamese banking applications, electronic wallets, and cryptocurrency wallets since June 2023.

GoldDigger stealing facial data from Android devices (Group-IB)

The newly discovered GoldPickaxe family is based on the GoldDigger Android Trojan. However, researchers claim the infection chain for GoldPickaxe iOS variants is not significantly different for other Trojans within the GoldFactory family.

GoldPickaxe malware was developed using the same communication mechanism and cloud bucket URL as GoldDigger but has fewer functionalities compared to its Android sibling due to iOS’s closed nature and stricter permissions.

Both versions use fake login pages to access fake Digital pension applications, potentially avoiding detection. Another variant, GoldDiggerPlus, was also identified with extended GoldDigger’s functionality, allowing real-time call calls through a specially designed APK called GoldKefu. All Trojans identified are currently in the active stage of evolution.

“_Overall, we identified four Trojan families that were used by cybercriminals. We maintained the naming convention by using the prefix Gold for the newly discovered malware as a symbolic representation that they have been developed by the same threat actor_,” Group-IB researchers noted.

Researchers couldn’t identify the toolset GoldFactory uses, indicating that this is a highly organized and technically advanced group.

For your information, in March 2023, the Bank of Thailand mandated facial biometric verification for transactions exceeding 50,000 baht, and 200,000 baht per day, and raised credit transfer limits on mobile devices. As per Group-IB’s research, GoldPickaxe likely reached Vietnam in February 2024 when a Vietnamese citizen performed a facial recognition scan, withdrawing over 40,000 USD.

The State Bank of Vietnam plans to mandate facial authentication as a security measure for all money transfers from April 2024, indicating the potential exploitation of GoldPickaxe in the country. The use of GoldPickaxe in Vietnam is expected to increase assessed Group—IB.

_“GoldFactory is a resourceful team, having many tricks up their sleeve: impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity and facial recognition data collection. Equipped with diverse tools, they have the flexibility to select and execute the most suitable one that fits the scenario,”_ researchers noted.

The report highlights the growing cybersecurity threat and the sophisticated techniques used by cybercriminals. They have refined GoldDigger malware, introduced new categories for facial recognition data harvesting, and developed a tool for communication between victims and cybercriminals. Group-IB researchers emphasize the need for proactive, multi-faceted cybersecurity measures, including user education.

1.  **Kaspersky’s iShutdown Tool Detects iOS Pegasus Spyware**
2.  **Fake Lockdown Mode Exposes iOS Users to Malware Attacks**
3.  **Fake LastPass Password Manager App Lurks on iOS App Store**
4.  **Bitdefender Introduces GravityZone Security for Android and iOS**
5.  **Zero-Day iOS Exploit Chain Infects Devices with Predator Spyware**

Tag

#asus