An enterprise-grade surveillanceware dubbed Hermit has been put to use by entities operating from within Kazakhstan, Syria, and Italy over the years since 2019, new research has revealed.
Lookout attributed the spy software, which is equipped to target both Android and iOS, to an Italian company named RCS Lab S.p.A and Tykelab Srl, a telecom services provider which it suspects to be a front

An enterprise-grade surveillanceware dubbed **Hermit** has been put to use by entities operating from within Kazakhstan, Syria, and Italy over the years since 2019, new research has revealed.

Lookout attributed the spy software, which is equipped to target both Android and iOS, to an Italian company named RCS Lab S.p.A and Tykelab Srl, a telecom services provider which it suspects to be a front company. The San Francisco-based cybersecurity firm said it detected the campaign aimed at Kazakhstan in April 2022.

Hermit is modular and comes with myriad capabilities that allow it to "exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages," Lookout researchers Justin Albrecht and Paul Shunk said in a new write-up.

The spyware is believed to be distributed via SMS messages that trick users into installing what are seemingly innocuous apps from Samsung, Vivo, and Oppo, which, when opened, loads a website from the impersonated company while stealthily activating the kill chain in the background.

Like other Android malware threats, Hermit is engineered to abuse its access to accessibility services and other core components of the operating system (i.e., contacts, camera, calendar, clipboard, etc.) for most of its malicious activities.

Android devices have been at the receiving end of spyware in the past. In November 2021, the threat actor tracked as APT-C-23 (aka Arid Viper) was linked to a wave of attacks targeting Middle East users with new variants of FrozenCell.

Then last month, Google's Threat Analysis Group (TAG) disclosed that at least government-backed actors located in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia are buying Android zero-day exploits for covert surveillance campaigns.

"RCS Lab, a known developer that has been active for over three decades, operates in the same market as Pegasus developer NSO Group Technologies and Gamma Group, which created FinFisher," the researchers noted.

"Collectively branded as 'lawful intercept' companies, they claim to only sell to customers with legitimate use for surveillanceware, such as intelligence and law enforcement agencies. In reality, such tools have often been abused under the guise of national security to spy on business executives, human rights activists, journalists, academics and government officials."

The findings come as the Israel-based NSO Group is said to be reportedly in talks to sell off its Pegasus technology to U.S. defense contractor L3Harris, the company that manufactures StingRay cellular phone trackers, prompting concerns that it could open the door for law enforcement's use of the controversial hacking tool.

The German maker behind FinFisher has been courting troubles of its own in the wake of raids conducted by investigating authorities in connection with suspected violations of foreign trading laws by way of selling its spyware in Turkey without obtaining the required license.

Earlier this March, it shut down its operations and filed for insolvency, Netzpolitik and Bloomberg reported, adding, "the office has been dissolved, the employees have been laid off, and business operations have ceased."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover 'Hermit' Android Spyware Used in Kazakhstan, Syria, and Italy

The commercial-grade surveillance software initially was used by law enforcement authorities in Italy in 2019, according to a new report.

Researchers have discovered an enterprise-grade Android family of modular spyware dubbed Hermit conducting surveillance on citizens of Kazakhstan by their government.

Lookout Threat Lab researchers - who spotted the spyware - surmise that the secretive Italian spyware vendor RCS Lab developed it and say Hermit was previously deployed by Italian authorities in a 2019 anti-corruption operation in Italy. The spyware also was found in northeastern Syria, home to the country's Kurdish majority and a site of ongoing crises, including the Syrian civil war.

Android devices have been abused with spyware in the past; Sophos researchers uncovered new variants of Android spyware linked to a Middle Eastern APT group back in November 2021. More recent analysis from Google TAG indicates at least eight governments from across the globe are buying Android zero-day exploits for covert surveillance purposes.

Mike Parkin, senior technical engineer at Vulcan Cyber, says spyware is a tool used by many actors worldwide, including criminal organizations, state or state-sponsored threat actors, national security, and law-enforcement organizations following their own mandates.

"Regardless of who is using it or what agenda they are working toward, these commercial- grade spyware tools can seriously threaten people's personal privacy," he says.

The highest profile spyware case in recent memory was the discovery of Pegasus, a legal surveillance software developed by Israeli company NSO Group. The news caused an international furor after it was found covertly installed on iOS and Android mobile phones belonging to human rights activists, journalists, and high-ranking members of governments.

**How Hermit Works**

Hermit first gets installed on a targeted device as a framework with minimal surveillance capability. Then it can download modules from a command-and-control (C2) server as instructed and activate the spying functionality built into these modules.

This modular approach masks the malware from automated analysis of the app and makes manual malware analysis significantly harder. In addition, it allows the malicious actor to enable and disable different functionalities in their surveillance campaign or the capabilities of a target device. Hermit can also alter its behavior as needed to evade analysis tools and processes.

"The modular design might also be part of the business model of the software vendor, allowing them to sell individual spying features as value-add line items," explains Paul Shunk, security researcher at Lookout, which published a report on Hermit today.

Shunk says the overall design and code quality of the malware stands out compared with many other samples he has seen. 

"It was clear this was professionally developed by creators with an understanding of software engineering best practices," he says. "Beyond that, it is not very often we come across malware \[that\] assumes it will be able to successfully exploit a device and make use of elevated root permissions."

The discovery of Hermit adds another puzzle piece to the picture of the secretive market for "lawful intercept" surveillance tools, he says.

"As in the cases of NSO, Cytrox, and other vendors, discovery of their customers usually exposes their claim that their product is only used for legitimate purposes as at least partially untrue," Shunk says.

One of the Hermit samples Lookout analyzed used a Kazakh language website as its decoy.

And the main C2 server used by the app was just a proxy, with the real C2 being hosted on an IP from Kazakhstan. 

"The combination of the targeting of Kazakh-speaking users and the location of the back-end C2 server is a strong indication that the campaign is controlled by an entity in Kazakhstan," Shunk says.

Lookout says an Apple iOS version of the spyware exists as well, but the research team was unable to obtain a sample to analyze.

**'MaliBot' Targets Online Banking**

Meanwhile, another Android-based malware family reared its head this week in the form of Malibot, which is targeting online banking customers in Spain and Italy with the capability to steal credentials and crypto wallets. The malware was discovered by F5 Labs while the security company was tracking the mobile banking Trojan FluBot.

The malware consists of two campaigns: Mining X, which presents a QR code that leads to the malware Android Package Kit, and TheCryptoApp, which attempts to dupe users into downloading a fake version of the popular cryptocurrency tracker app available on the Google Play Store. 

It's also able to steal or bypass multifactor authentication codes and trick victims into downloading the malware either via a direct SMS phishing message or via fake websites they're lured to.

"This is certainly one to pay attention to and F5 expects to see a broader range of targets as time goes on, especially given the versatility of the malware could, in principle, be used for a wider range of attacks than stealing credentials and cryptocurrency," F5 warns in a blog post.

Android Spyware 'Hermit' Discovered in Targeted Attacks

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
I’m still decompressing from Cisco Live and the most human interaction I’ve had in a year and a half.  
But after spending a few days on the show floor and interacting with everyone, there are a...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

I’m still decompressing from Cisco Live and the most human interaction I’ve had in a year and a half.  

But after spending a few days on the show floor and interacting with everyone, there are a few things that stand out to me about the state of security and what people are interested in at Cisco Live. So, I wanted to take some time to highlight a few things that stood out to me at this year’s Cisco Live. _Editor's note: The Threat Source newsletter will be on a summer break next week, so no new edition!_ 

**Don’t think about the worst **

A lot of our lightning talks at the Cisco Secure Pub this week centered around some crazy days, many of which left us scrambling — the Colonial Pipeline ransomware attack, Log4J, Kaseya, you name it. The problem is no one wants to think about how awful these days are. 

During these talks, I saw a lot of heads in the audience nodding around how we need to be prepared for the worst, but no one wants to talk about that. Who wants to be the one to predict the next Log4J? Unfortunately, it’s going to happen, we just don’t know when. That’s why things like Incident Response plans and playbooks are so important. 

You may not want to talk about the toughest day of your professional career, but it’s going to come, so we may as well embrace it and be ready. 

**A wink and a nod **

Speaking of these major incidents, it seems like a ton of major security events have happened since the last Cisco Live in person. While they were happening, it was all anyone could talk about. But in person, words like “SolarWinds” and “Kaseya” were all spoken in hush tones or were just vaguely referenced to in-person like “back then” or “the dark times.”  

If we are going to truly learn from these events, I feel like we need to speak about them openly and honestly. I try to have a judgment-free security zone because eventually, a breach is going to happen to everyone. So the point is not to shame someone when it happens, we should be discussing the lessons learned openly so we can do better next time, rather than trying to brush it under the rug. 

During these stretches, we were all busy and stressed and it made for some late nights. That’s OK, and it should be OK to talk about that, even if you’re within earshot of someone who was involved.

**We can’t replicate everything over the internet **

The future is hybrid work, there’s no doubt about it. And I’d be the first person to tell you I prefer working from home versus commuting to the office today. But I must admit — it’s tough to replicate the connections at conferences and shows over Webex. 

Meetings and 1:1 check-ins work great for virtual meeting platforms, but there’s something about just making a personal connection in-person to a stranger. I was working at the Talos booth this week and struck up a conversation with someone who worked in network operations for an NFL team. Being a huge NFL fan, I had all sorts of questions to ask about the ins and outs of his job and the organization, especially given Cisco Talos Incident Response’s recent work at the Super Bowl and NFL draft. 

Unfortunately, this isn’t something we’ve been able to capture virtually. That operations person and I exchanged information on what we’re seeing in the field, what pain points exist and even got to talking about the NFL offseason. My wife, boss and parents would be shocked to hear me say this — but I actually missed talking to people in person.    

**The one big thing **

Microsoft’s Patch Tuesday for this month included 40 high-severity vulnerabilities, including one critical issue. The most serious issue is CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS) service, version NFSv4.1, with a severity score of near-maximum 9.8. An attacker can exploit the vulnerability over the network by making an unauthenticated, specially crafted call to an NFS service to execute remote code. To mitigate this vulnerability, users are advised to disable the vulnerable version NFSV4.1 and restart the NFS server or reboot the machine. 

> **Why do I care? **This month’s round of updates also includes a fix for the high-profile Follina vulnerability disclosed a few weeks ago. Attackers are actively exploiting this in the wild to deliver malware, so this is especially important to patch for immediately. Also, this release marks the official end of Internet Explorer, the Microsoft browser that’s been around for more than 25 years. As of Tuesday, Microsoft stopped officially supporting most versions of Explorer and disabled the IE desktop application. All Explorer users are encouraged to switch over to Microsoft Edge (or another web browser).   
> **So now what? **Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. And it goes without saying, but all Microsoft users should update their products as soon as possible. 

**Other news of note**

U.S. defense contractor L3Harris is in talks to acquire the controversial Israeli tech company NSO Group, the creators of the Pegasus spyware. Pegasus is known to be used by threat actors to track unwilling targets, including activists, journalists and government leaders. This has set off alarm bells for privacy experts and those following national security, and some are even calling on the White House to preemptively block any sort of deal. NSO Group is currently on a U.S. blacklist for working “contrary to the foreign policy and national security interests of the U.S.” (The Guardian, Haaretz) 

Apple unveiled the newest version of its iOS operating system for iPhones last week, including several new security features and improvements. Users will no longer have to download standalone versions of the operating system to implement security updates, and instead, the patches will be installed automatically. Another new feature is the ability to edit and unsend iMessages. However, security and privacy experts worry this ability could allow stalkers, harassers, and abusers to contact their victims and then hide any trace of their messages, leading some people to call on Apple to change the feature. (9To5Mac, Mac Rumors) 

A newly discovered Linux malware is extremely difficult to detect while spreading silently across a network. Security researchers call this campaign “Symbiote,” and it's already been spotted in the wild. Symbiote infects running Linux processes and steals user credentials, gains rootkit functionality and installs a backdoor for remote access. Once it infects the processes, it can become difficult to detect by the typical security software, and some researchers are wondering if it’s even possible to detect this attack. (ThreatPost, Ars Technica) 

**Can’t get enough Talos? **

*   Boosting Security Resilience and Defending the IT Ecosystem
*   Businesses need to be more aggressive with their cyber security, Cisco warns
*   Cisco unveils sweeping new cloud capabilities, SASE and WAN forecasting offerings
*   Deepfake attacks expected to be next major threat to businesses  
    

  

**Upcoming events where you can find Talos **

**BlackHat** **U.S.** (Aug. 6 - 11, 2022)  
Las Vegas, Nevada 

**DEF CON U.S.** (Aug. 11 - 14, 2022)  
Las Vegas, Nevada 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    **MD5:** 2c8ea737a232fd03ab80db672d50a17a    **Typical Filename:** LwssPlayer.scr      
**Claimed Product:** 梦想之巅幻灯播放器      
**Detection Name:** Auto.125E12.241442.in02    

**SHA 256:** b2ef49a10d07df6db483e86516d2dfaaaa2f30f4a93dd152fa85f09f891cd049   
**MD5:** 067f9a24d630670f543d95a98cc199df **Typical Filename:** RzxDivert32.sys **Claimed Product:** WinDivert 1.4 driver   
**Detection Name:** W32.B2EF49A10D-95.SBX.TG 

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 **MD5:** 8c69830a50fb85d8a794fa46643493b2   
**Typical Filename:** AAct.exe **Claimed Product:** N/A    
**Detection Name:** PUA.Win.Dropper.Generic::1201

Threat Source newsletter (June 16, 2022) — Three top takeaways from Cisco Live

New details connect police in India to a plot to plant evidence on victims' computers that led to their arrest.

police forces around the world have increasingly used hacking tools to identify and track protesters, expose political dissidents’ secrets, and turn activists’ computers and phones into inescapable eavesdropping bugs. Now, new clues in a case in India connect law enforcement to a hacking campaign that used those tools to go an appalling step further: planting false incriminating files on targets’ computers that the same police then used as grounds to arrest and jail them. 

More than a year ago, forensic analysts revealed that unidentified hackers fabricated evidence on the computers of at least two activists arrested in Pune, India, in 2018, both of whom have languished in jail and, along with 13 others, face terrorism charges. Researchers at security firm Sentinel One and nonprofits Citizen Lab and Amnesty International have since linked that evidence fabrication to a broader hacking operation that targeted hundreds of individuals over nearly a decade, using phishing emails to infect targeted computers with spyware, as well as smartphone hacking tools sold by the Israeli hacking contractor NSO Group. But only now have Sentinel One’s researchers revealed ties between the hackers and a government entity: none other than the very same Indian police agency in the city of Pune that arrested multiple activists based on the fabricated evidence.

“There’s a provable connection between the individuals who arrested these folks and the individuals who planted the evidence,” says Juan Andres Guerrero-Saade, a security researcher at Sentinel One who, along with fellow researcher Tom Hegel, will present findings at the Black Hat security conference in August. “This is beyond ethically compromised. It is beyond callous. So we’re trying to put as much data forward as we can in the hopes of helping these victims.”

Sentinel One’s new findings that link the Pune City Police to the long-running hacking campaign, which the company has called Modified Elephant, center on two particular targets of the campaign: Rona Wilson and Varvara Rao. Both men are activists and human rights defenders who were jailed in 2018 as part of a group called the Bhima Koregaon 16, named for the village where violence between Hindus and Dalits—the group once known as “untouchables”—broke out earlier that year. (One of those 16 defendants, 84-year-old Jesuit priest Stan Swamy, died in jail last year after contracting Covid-19. Rao, who is 81 years old and in poor health, has been released on medical bail, which expires next month. Of the other 14, only one has been granted bail.)

Early last year, Arsenal Consulting, a digital forensics firm working on behalf of the defendants, analyzed the contents of Wilson’s laptop, along with that of another defendant, human rights lawyer Surendra Gadling. Arsenal analysts found that evidence had clearly been fabricated on both machines. In Wilson’s case, a piece of malware known as NetWire had added 32 files to a folder of the computer’s hard drive, including a letter in which Wilson appeared to be conspiring with a banned Maoist group to assassinate Indian prime minister Narendra Modi. The letter was, in fact, created with a version of Microsoft Word that Wilson had never used, and that had never even been installed on his computer. Arsenal also found that Wilson’s computer had been hacked to install the NetWire malware after he opened an attachment sent from Varvara Rao’s email account, which had itself been compromised by the same hackers. “This is one of the most serious cases involving evidence-tampering that Arsenal has ever encountered,” Arsenal’s president, Mark Spencer, wrote in his report to the Indian court.

In February, Sentinel One published a detailed report on Modified Elephant, analyzing the malware and server infrastructure used in the hacking campaign to show that the two cases of evidence fabrication Arsenal had analyzed were part of a much larger pattern: The hackers had targeted hundreds of activists, journalists, academics, and lawyers with phishing emails and malware since as early as 2012. But in that report, Sentinel One stopped short of identifying any individual or organization behind the Modified Elephant hackers, writing only that the “activity aligns sharply with Indian state interests.”

Now the researchers have gone further in nailing down the group’s affiliations. Working with a security analyst at a certain email provider—who also spoke to WIRED but asked that neither they nor their employer be named—Sentinel One learned that three of the victim email accounts compromised by the hackers in 2018 and 2019 had a recovery email address and phone number added as a backup mechanism. For those accounts, which belonged to Wilson, Rao, and an activist and professor at Delhi University named Hany Babu, the addition of a new recovery email and phone number appears to have been intended to allow the hacker to easily regain control of the accounts if their passwords were changed. To the researchers’ surprise, that recovery email on all three accounts included the full name of a police official in Pune who was closely involved in the Bhima Koregaon 16 case.

The three hacked accounts have other fingerprints that link them—and thus the Pune police—to the larger Modified Elephant hacking campaign: The email provider found that the hacked accounts were accessed from IP addresses that Sentinel One and Amnesty International had previously identified as those of Modified Elephant. In the case of Rona Wilson, the email provider security analyst says that Wilson’s email account received a phishing email in April 2018 and then appeared to be compromised by the hackers using those IPs, and at the same time the email and phone number linked to the Pune City Police were added as recovery contacts to the account. The analyst says Wilson’s email account was then itself used to send out other phishing emails to targets in the Bhima Koregaon case for at least two months before Wilson was arrested in June of 2018.

“We generally don’t tell people who targeted them, but I’m kind of tired of watching shit burn,” the security analyst at the email provider told WIRED of their decision to reveal the identifying evidence from the hacked accounts. “These guys are not going after terrorists. They’re going after human rights defenders and journalists. And it’s not right.”

To further confirm the link between the recovery email and phone number on the hacked accounts and the Pune City Police, WIRED turned to Citizen Lab security researcher John Scott-Railton, who along with researchers at Amnesty International had earlier revealed the extent of the hacking campaign against the Bhima Koregaon 16 and shown that the NSO hacking tool Pegasus had been used to target some of their smartphones. To prove that the Pune City Police controlled the recovery contacts on the hacked accounts, Scott-Railton dug up entries in open source databases of Indian mobile phone numbers and emails for the recovery phone number that linked it to an email address ending in pune@ic.in, a suffix for other email addresses used by police in Pune. Scott-Railton found that the number is also linked in the database to the recovery email address connected to the hacked accounts for the same Pune police official.

Separately, security researcher Zeshan Aziz found the recovery email address and phone number tied to the Pune police official’s name in the leaked database of TrueCaller, a caller ID and call-blocking app, and found the phone number linked to his name in the leaked database of iimjobs.com, an Indian job recruitment website. Finally, Aziz found the recovery phone number listed with the official’s name on multiple archived web directories for Indian police, including on the website of the Pune City Police. (WIRED also verified that at the time the accounts were compromised, the email provider would have sent a confirmation link or text message to any recovery contact information added to an email account, which suggests that the police did, in fact, control that email address and phone number.)

Scott-Railton further found that the WhatsApp profile photo for the recovery phone number added to the hacked accounts displays a selfie photo of the police official—a man who appears to be the same officer at police press conferences and even in one news photograph taken at the arrest of Varvara Rao.

WIRED reached out in multiple emails and phone calls to the Pune City Police and the Pune police official whose personal details were linked to the hacked accounts and received no reply.

One Mumbai-based defense attorney representing several of the Bhima Koregaon 16, Mihir Desai, says he would need to independently corroborate the new evidence of the Pune police’s links to the hacking campaign. But taken at face value, he says, it appears “very damning.” He adds that he is hopeful it could help his clients, including Anand Teltumbde, who has been accused of terrorist connections based in part on an apparently fabricated document found on Rona Wilson’s computer. “We’ve known things have been planted, but the police could have always said, ‘we are not involved in all this,’” says Desai. “By showing the police did this, it would mean there was a conspiracy to arrest these people. It would show the police have acted in a vicious and deliberate manner knowing fully well this was false evidence.”

The conclusion that Pune police are tied to a hacking campaign that appears to have framed and jailed human rights activists presents a disturbing new example of the dangers of hacking tools in the hands of law enforcement—even in an ostensible democracy like India. Sentinel One’s Guerrero-Saade argues that it also raises questions about the validity of any evidence pulled from a computer that’s been hacked by a law enforcement surveillance operation. “This should invite a conversation about whether we can trust law enforcement with these sorts of malware operations at all,” says Guerrero-Saade. “What does it mean to have evidentiary integrity when you have a compromised device? What does it mean for somebody to hack a device for fact-finding in a law enforcement operation when they can also alter the contents of the device in question?”

Beyond any larger questions, Guerrero-Saade and his fellow Sentinel One researcher Tom Hegel say they’re focused on the fate of the victims in the Bhima Koregaon case, almost all of whom have remained in jail even as the evidence against them proves to be more corrupt with every year. Ultimately, the researchers hope their findings can not only demonstrate police wrongdoing in the case, but win those activists and human rights defenders their freedom. “The real concern here is the folks languishing in prison,” says Guerrero-Saade. “We’re hoping this leads to some form of justice.”

Police Linked to Hacking Campaign to Frame Indian Activists

In response to a comment about the Prophet Mohammed, a hacktivist group in Malaysia has unleashed a wave of cyber attacks in India.

In response to a comment about the Prophet Mohammed, a hacktivist group in Malaysia has unleashed a wave of cyber attacks in India.

According to a new advisory from Radware, a hacktivist group called DragonForce Malaysia, “with the assistance of several other threat groups, has begun indiscriminately scanning, defacing and launching denial-of-service attacks against numerous websites in India.” In addition to DDoS, their targeted campaign – dubbed “OpsPatuk” – involves advanced threat actors “leveraging current exploits, breaching networks and leaking data.”

DragonForce Malaysia – best known for their hacktivism in support of the Palestinian cause – have turned their attention on India this time, in response to a controversial comment made by a Hindu political spokesperson about the Prophet Mohammed.

According to the advisory, OpsPatuk remains ongoing today.

**The Casus Belli**

In a televised debate last month, Nupur Sharma – a spokesperson for the Hindu nationalist Bharatiya Janata Party (BJP) – made controversial remarks regarding the age of the Prophet Mohammed’s third wife, Aisha. Widespread outrage followed, involving statements from leaders in the Muslim world, widespread protests, and the outsting of Sharma herself from BJP.

Then, beginning on June 10, DragonForce Malaysia entered the fray. Their new offensive against the government of India was first enshrined in a tweet:

_Greetings The Government of India._ _We Are DragonForce Malaysia._ _This is a special operation on the insult of our Prophet Muhammad S.A.W._ _India Government website hacked by DragonForce Malaysia. We will never remain silent._ _Come Join This Operation !_ _#OpsPatuk Engaged_

(image from @DragonForceIO on Twitter)

The new advisory confirms that the group has used DDoS to perform “numerous defacements across India,” pasting their logo and messaging to targeted websites.

The group also “claimed to have breached and leaked data from various government agencies, financial institutions, universities, service providers, and several other Indian databases.”

The researchers also observed other hacktivists – ‘Localhost’, ‘M4NGTX’, ‘1887’, and ‘RzkyO’ – joining the party, “defacing multiple websites across India in the name of their religion.”

**Who are DragonForce Malaysia?**

DragonForce Malaysia is a hacktivist group in the vein of Anonymous. They’re connected by political goals, with a penchant for sensationalism. Their social media channels and website forums – used for everything “ranging from running an eSports team to launching cyberattacks” – are visited by tens of thousands of users.

In the past, DragonForce have launched attacks against organizations and government entities across the Middle East and Asia. Their favorite target has been Israel, having launched multiple operations – #OpsBedil, #OpsBedilReloaded and #OpsRWM – against the nation and its citizens.

According to the authors of the advisory, DragonForce are “not considered an advanced or a persistent threat group, nor are they currently considered to be sophisticated. But where they lack sophistication, they make up for it with their organizational skills and ability to quickly disseminate information to other members.” Like Anonymous and the Low Orbit Ion Cannon, DragonForce weaponizes their own open source DoS tools –  Slowloris, DDoSTool, DDoS-Ripper, Hammer, and more – in choreographed, flashy website defacements.

Some members, “over the last year, have demonstrated the ability and desire to evolve into a highly sophisticated threat group.” Among other things, that’s included leveraing publicly disclosed vulnerabilities. In OpsPatuk, for example, they’ve been working with the recently discovered CVE-2022-26134.

“DragonForce Malaysia and its associates have proven their ability to adapt and evolve with the threat landscape in the last year,” concluded the authors. With no signs of slowing down, “Radware expects DragonForce Malaysia to continue launching new reactionary campaigns based on their social, political, and religious affiliations in the foreseeable future.”

DragonForce Gang Unleash Hacks Against Govt. of India

Health plan provider plays down ID theft fears after breach at Washington state division

Health plan provider plays down ID theft fears after breach at Washington state division

The healthcare and personal information of up to 70,000 Kaiser Permanente patients in Washington state may have been exposed following unauthorized access to the US healthcare giant’s email system.

The data breach incident, which took place in early April, potentially exposed patients’ first and last name, medical record number, dates of service, and laboratory test result information of the health plan provider.

Catch up with the latest healthcare breaches and security news

Financially sensitive information (Social Security number and credit card numbers) were not exposed by the breach, according to the healthcare provider.

In a breach notice (PDF) issued earlier this month, Kaiser sought to reassure potentially affected members by stating that the security incident was promptly contained.

The organization said:

On April 5, 2022, Kaiser Permanente discovered that an unauthorized party gained access to an employee’s emails. We terminated the unauthorized access within hours after it began and promptly commenced an investigation to determine the scope of the incident.

We have determined that protected health information was contained in the emails and, while we have no indication that the information was accessed by the unauthorized party, we are unable to completely rule out the possibility.

Although there’s no evidence of identity theft or misuse of protected health information as a result of the security breach, Kaiser Permanente has nonetheless advised affected parties to be on the lookout for potential fraud.

Although not specified in Kaiser’s breach notice, regulators from the US Department of Health and Human Services Office for Civil Rights reports that 69,589 records were potentially exposed as a result of the email security slip-up at Kaiser’s Washington unit.

DON’T MISS Unpatched bug chain poses ‘mass account takeover’ threat to Yunmai weight monitoring app

In response to the incident, Kaiser said it promptly reset the employee’s password for the email account where unauthorized activity was detected.

“The employee received additional training on safe email practices, and we are exploring other steps we can take to ensure incidents like this do not happen in the future,” Kaiser Permanente concluded.

The Daily Swig asked Kaiser to confirm that only one of its email accounts was affected by the breach and invited it to explain the root cause of the incident.

We also asked the healthcare provider to shed light on why it had decided against offering a year’s credit monitoring services at no charge to those impacted by the incident – a standard but by no means universal courtesy to victims of data breach incidents.

RELATED Turkish flight operator Pegasus Airlines suffers data breach

Kaiser Permanente data breach exposed healthcare records of 70,000 patients

Data protection regulator confirms sensitive information was leaked

Data protection regulator confirms sensitive information was leaked

  

Turkish flight operator Pegasus Airlines has suffered a data breach after an AWS cloud storage bucket was reportedly left unprotected.

The Electronic Flight Bag (EFB) information belonging to an unknown number of customers was reportedly stored in the open bucket, allowing access to sensitive information.

Turkey’s data protection agency has since confirmed that a leak has happened after it received a data breach notification from the company.

**Unauthorized access**

The statement from Kişisel Verileri Koruma Kurumu (Turkey’s Personal Data Protection Authority) confirmed that there was unauthorized access to certain information held by Pegasus.

A vulnerability that allowed the access was discovered on March 21, according to regulators, and was resolved on March 24.

According to the regulator, leaked information includes the names, surnames, phone numbers, e-mail addresses, titles, flight information of past journeys, flight locations, and photographs and signature images of some employees.

**Leaky bucket**

According to Safety Detectives, which disclosed the breach, almost 23 million files were found on the bucket, totaling around 6.5 TB of data.

A blog post reads: “The bucket’s information was linked to an EFB software developed by PegasusEFB that pilots use for aircraft navigation, takeoff/landing, refueling, safety procedures, and various other in-flight processes.

“PegasusEFB’s open bucket left data including flight charts, navigation materials, and crew PII accessible to anyone.

“The bucket also exposed the EFB software’s source code, which contained plain-text passwords and secret keys that someone could use to tamper with extra-sensitive files.”

Read more of the latest news about data breaches

“This exposure could impact the safety of every Pegasus passenger and crew member around the world,” according to researchers. “Affiliated airlines that are using PegasusEFB could also be affected.”

According to regulator, an investigation into the incident is ongoing. The Daily Swig has reached out to Pegasus Airlines for more information and will update this article accordingly.

YOU MAY LIKE India to introduce six-hour data breach notification rule

Turkish flight operator Pegasus Airlines suffers data breach

The innovative ransomware targets NAS devices, has a multitiered payment and extortion scheme as well as a flexible configuration, and takes a heavily automated approach.

The DeadBolt ransomware family is targeting QNAP and Asustor network-attached storage (NAS) devices by deploying a multitiered scheme aimed at both the vendors and their victims, and offering multiple cryptocurrency payment options.  

These factors make DeadBolt different from other NAS ransomware families and could be more problematic for its victims, according to an analysis from Trend Micro this week.

The ransomware uses a configuration file that will dynamically choose specific settings based on the vendor that it targets, making it scalable and easily adaptable to new campaigns and vendors, according to the researchers.

The payment schemes allow either the victim to pay for a decryption key, or for the vendor to pay for a decryption master key. This master key would theoretically work to decrypt data for all victims; however, the report notes less than 10% of DeadBolt victims actually paid the ransom.

"Even though the vendor master decryption key did not work in DeadBolt's campaigns, the concept of holding both the victim and the vendors ransom is an interesting approach," according to the report. "It's possible that this approach will be used in future attacks, especially since this tactic requires a low amount of effort on the part of a ransomware group."

Fernando Mercês, senior threat researcher at Trend Micro, points out that the actors also created a functional, nicely designed Web app to deal with ransom payments.

"They also know about the internals of QNAP and Asustor," he says. "Overall, it's an impressive job from a technical standpoint."

Mercês adds that ransomware actors in general are targeting NAS devices due to a combination of factors: low security, high availability, the high value of data, modern hardware, and common OS (Linux).

"It's like targeting Internet-facing Linux servers with all kinds of applications installed and no professional security in place," he says. “Additionally, these servers contain high-value data for the user. It sounds like the perfect target for ransomware."

For organizations to protect against attacks targeting internet-facing NAS devices, he says, they could use a VPN service, although the configuration may require a few technical skills.

"Suppose there's no other way other than exposing the NAS on the Internet," he says. "In that case, I'd recommend using strong passwords, 2FA, disabling/uninstalling all unused services and apps, and configuring a firewall in front of it to only allow the ports you want to access. This can be done in a router, for example."

Mercês notes that while it doesn't seem effective, it's interesting to see criminals trying to put some pressure on vendors to "fix the problem" for their customers.

"I think criminals thought the vendors would be worried about their image in front of their customers and maybe pay to get free decryptors for all of them," he says. "It could be interesting if customers started pushing vendors to pay on their behalf, but that didn't happen."

In May, QNAP warned its NAS devices are under active attack by DeadBolt ransomware, and in January, a report from attack surface solutions provider Censys.io noted that out of 130,000 QNAP NAS devices that were potential targets, 4,988 services showed signs of a DeadBolt infection.

Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, points out that the DeadBolt ransomware operation is interesting for several reasons, including the fact that victims do not need to contact the threat actors at any time.

"With most ransomware groups, victims need to negotiate with the threat actors, who are often in different time zones," she says. “These interactions can add a significant amount of time to the recovery process and a level of uncertainty because the outcome could rely on the success of the interaction."

However, she notes that from a technical perspective, DeadBolt ransomware attacks are different from ransomware attacks that target many enterprise devices, as initial access is gained by exploiting vulnerabilities in unpatched Internet-facing NAS devices.

"There are no social engineering or lateral movement techniques required to carry out their objectives," Hoffman says. "The threat actors do not need a lot of time, tools, or money to carry out these opportunistic attacks."

Multilevel Extortion: DeadBolt Ransomware Targets Internet-Facing NAS Devices

Government has sought to allay misgivings of cybersecurity industry

Government has sought to allay misgivings of cybersecurity industry

As concern mounts about the security risks posed by overseas hackers, the US Commerce Department’s Bureau of Industry and Security (BIS) has published revisions to its ban on certain cybersecurity exports.

The prohibition – first announced last October – effectively bans the export of hacking software and equipment to China, Russia, and a number of other countries without a license from the BIS.

**Disrupt, deny, degrade**

“These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it,” reads the new and final rule, published in the Federal Register and effective from May 26.

The export ban would therefore likely cover spyware such as Pegasus, developed by Israeli firm NSO Group and controversially used by authoritarian governments to surveil journalists, activists, politicians, and business executives.

RELATED Pegasus mobile spyware used zero-click exploits to snoop on Catalan politicians

The move brings the US into line with 42 other nations that are members of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.

An earlier version of the rule, published last year, introduced a new license exception for Authorized Cybersecurity Exports (ACE). This, included in response to cybersecurity industry concern, allowed the export, re-export, and in-country transfer of ‘cybersecurity items’ to most destinations.

As a result, under last year’s draft, it was agreed that a license would only be required for exports to countries where there are concerns about national security or weapons of mass destruction, as well as countries subject to a US arms embargo.

This final version, produced following a public consultation, includes some changes to this section. These include clarifying the definition of ‘government end user’, rewriting some of the text to make it clearer, and correcting wording that, says BIS, “inadvertently” widened the scope of exceptions.

**Strong opposition**

There had previously been strong opposition from the cybersecurity industry, worried that the controls covered too broad a range of tools and technologies, that the red tape involved would hamper the work of good-faith hackers and bug bounty hunters, and that the restrictions on the development of intrusion software would hold back international cybersecurity research.

“This rule is meant to be a framework to understand and deter the export of cyber capability – mostly exploits, but also potentially TTPs, IOCs, et cetera – to governments in Country Group D,” Casey Ellis, founder and CTO of Bugcrowd, tells The Daily Swig.

Read more of the latest hacking tools news and analysis

“Export control is difficult enough with physical weapons – cryptographic export controls have already illustrated the idea that regulating export in the cyber domain is difficult, and the implementation of the Wassenaar Agreement to include cyber in the USA has been no exception.”

**Compliance difficulties**

There are still some concerns about the rule, with a number of commenters on the draft suggesting that it presents compliance difficulties and isn't necessarily always clear – for example, on the question as to whether it would control cybersecurity incident detection and monitoring software.

BIS is attempting to deal with this through the regular publication of FAQs, and says it plans to provide more guidance over time.

“The good and clear thing here is that the BIS has listened to and actively worked to consider feedback from the security, research, and bounty hunter communities,” says Ellis.

“An important section to keep an eye on will be the scope of license requirements, which they’ve committed to outlining and maintaining through FAQs. These FAQs will ultimately dictate who is required to pursue licensing under the ruling, and who is carved out.”

RECOMMENDED US revises policy regarding Computer Fraud and Abuse Act, will not prosecute good faith research

US export ban on hacking tools tweaked after public consultation

By Waqas
Pegasus Airlines is a Turkey-based low-cost airline that exposed Electronic Flight Bag (EFB) data to the public including…
This is a post from HackRead.com Read the original post: Pegasus Airlines Leaked 6.5TB of Data in AWS S3 Bucket Mess Up

**Pegasus Airlines is a Turkey-based low-cost airline that exposed Electronic Flight Bag (EFB) data to the public including sensitive information such as source code, crew and staff data, and flight details.**

A team of security researchers at SafetyDetectives have shared details of an unprotected cloud data storage discovered on February 28th, 2022. The details of the incident have only been shared this week.

According to researchers, the data belonged to a low-cost domestic and international flight operator known as Pegasus Airlines. Part of the data leak is the personal information of the airline’s flight crew, source code, and flight data. The database was left open in an AWS S3 bucket.

**Details of Leaked Data**

In a blog post published by SafetyDetectives, around 23 million documents were stored in the unprotected AWS S3 bucket, which equated to about 6.5TB of data. The exposed data included more than 3 million sensitive flight data files, including flight charts/revisions, pre-flight checks-related issues’ details, insurance documents, and crew shift information.

Furthermore, more than 1.6 million files contained the airline crew’s PII (personally identifiable information). This included their photos and signatures.

**Pegasus Airlines’ EFB Software Leaked the Data**

Reportedly, parts of the leaked data were tracked to the EFB (Electronic Flight Bag) software. This software, PegasusEFB, is developed by Pegasus Airlines and acts as an information management tool for the airline. EFBs help optimize the crew’s productivity by offering vital reference materials for the flight.

According to the SafetyDetectives research team, the source code of the EFB software was also included in the exposed database, including secret keys and plain text passwords. Pilots use PegasusEFB for various functions like take-off/landing, aircraft navigation, refueling, safety procedures, and other in-flight operations.

Image 1: PegasusEFB’s admin panel – Image 2: .CSV files with flight and crew data – Image 3: Flight charts featuring navigation data – Image 4: Photo of one of the Pegasus Airline’s crew members (Images Provided by SafetyDetectives)

**Possible Dangers**

The data leak has jeopardized the safety and privacy of the Pegasus Airline’s crew members. Researchers noted that the leak would allow threat actors to access sensitive flight details. Organized crime groups can coerce crew members, and bad actors may identify security loopholes in the airline and airport security.

Cybercriminals can tamper with “sensitive flight data and extra-sensitive files using passwords and secret keys found on PegasusEFB bucket.” Though researchers further claimed that there’s no certainty that pilots would use this bucket’s files for future flights, their contents may block vital EFB data from reaching the airline staff and risk the passengers and crew members.

> “With millions of files containing recent and possibly relevant flight data, unfortunately, an attacker could have numerous options to cause harm if they found PegasusEFB’s bucket.”
> 
> SafetyDetectives Cybersecurity Team

SafetyDetectives researchers stated that at the moment, there’s no evidence threat actors detected the trove before they did. The team notified Pegasus Airlines on 1 March 2022, and three weeks later, the leak was remediated.

**More AWS S3 Bucket Mess Up**

*   Misconfigured AWS bucket exposed 421GB of Artwork Archive data
*   Unprotected S3 Cloud Bucket Exposed 100GB of Classified NSA Data
*   350 million email addresses exposed on misconfigured AWS S3 bucket
*   Amazon S3 Buckets Exposed US Military’s Social Media Spying Campaign
*   S3 bucket mess up exposed 182GB of senior US, and Canada citizens’ data

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Tag

#asus