Google's Threat Analysis Group (TAG) on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day (aka 0-day) flaws, four in Chrome and one in Android, to target Android users.
"The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched

Google's Threat Analysis Group (TAG) on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day (aka 0-day) flaws, four in Chrome and one in Android, to target Android users.

"The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched but not flagged as security issues and when these patches were fully deployed across the Android ecosystem," TAG researchers Clement Lecigne and Christian Resell said.

Cytrox is alleged to have packaged the exploits and sold them to different government-backed actors located in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia, who, in turn, weaponized the bugs in at least three different campaigns.

The commercial surveillance company is the maker of Predator, an implant analogous to that of NSO Group's Pegasus, and is known to have developed tools that enables its clients to penetrate iOS and Android devices.

In December 2021, Meta Platforms (formerly Facebook) disclosed that it had acted to remove roughly 300 accounts on Facebook and Instagram that the company used as part of its compromise campaigns.

The list of the five exploited zero-day flaws in Chrome and Android is below -

*   **CVE-2021-37973** - Use-after-free in Portals API
*   **CVE-2021-37976** - Information leak in core
*   **CVE-2021-38000** - Insufficient validation of untrusted input in Intents (root cause analysis)
*   **CVE-2021-38003** - Inappropriate implementation in V8, and
*   **CVE-2021-1048** - Use-after-free in Android kernel (root cause analysis)

According to TAG, all the three campaigns in question commenced with a spear-phishing email that contained one-time links mimicking URL shortener services that, once clicked, redirected the targets to a rogue domain that dropped the exploits before taking the victim to a legitimate site.

"The campaigns were limited — in each case, we assess the number of targets was in the tens of users," Lecigne and Resell noted. "If the link was not active, the user was redirected directly to a legitimate website."

The ultimate goal of the operation, the researchers assessed, was to distribute a malware dubbed Alien, which acts as a precursor for loading Predator onto infected Android devices.

The "simple" malware, which receives commands from Predator over an inter process communication (IPC) mechanism, is engineered to record audio, add CA certificates, and hide apps to evade detection.

The first of the three campaigns took place in August 2021. It used Google Chrome as a jumping off point on a Samsung Galaxy S21 device to force the browser to load another URL in the Samsung Internet browser without requiring user interaction by exploiting CVE-2021-38000.

Another intrusion, which occurred a month later and was delivered to an up-to-date Samsung Galaxy S10, involved an exploit chain using CVE-2021-37973 and CVE-2021-37976 to escape the Chrome sandbox (not to be confused with Privacy Sandbox), leveraging it to drop a second exploit to escalate privileges and deploy the backdoor.

The third campaign — a full Android 0-day exploit — was detected in October 2021 on an up-to-date Samsung phone running the then latest version of Chrome. It strung together two flaws, CVE-2021-38003 and CVE-2021-1048, to escape the sandbox and compromise the system by injecting malicious code into privileged processes.

Google TAG pointed out that while CVE-2021-1048 was fixed in the Linux kernel in September 2020, it wasn't backported to Android until last year as the fix was not marked as a security issue.

"Attackers are actively looking for and profiting from such slowly-fixed vulnerabilities," the researchers said.

"Tackling the harmful practices of the commercial surveillance industry will require a robust, comprehensive approach that includes cooperation among threat intelligence teams, network defenders, academic researchers and technology platforms."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Cytrox's Predator Spyware Target Android Users with Zero-Day Exploits

New research from Google's Threat Analysis Group outlines the risks Android users face from the surveillance-for-hire industry.

NSO Group and its powerful Pegasus malware have dominated the debate over commercial spyware vendors who sell their hacking tools to governments, but researchers and tech companies are increasingly sounding the alarm about activity in the wider surveillance-for-hire industry. As part of this effort, Google's Threat Analysis Group is publishing details on Thursday of three campaigns that used the popular Predator spyware, developed by the North Macedonian firm Cytrox, to target Android users.

In line with findings on Cytrox published in December by researchers at University of Toronto’s Citizen Lab, TAG saw evidence that state-sponsored actors who bought the Android exploits were located in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia. And there may have been other customers. The hacking tools took advantage of five previously unknown Android vulnerabilities, as well as known flaws that had fixes available but that victims hadn’t patched.

“It's important to shine some light on the surveillance vendor ecosystem and how these exploits are being sold,” says Google TAG director Shane Huntley. “We want to reduce the ability of both the vendors and the governments and other actors who buy their products to throw around these dangerous zero-days without any cost. If there’s no regulation and no downside to using these capabilities, then you’ll see it more and more.”

The commercial spyware industry has given governments that don’t have the funds or expertise to develop their own hacking tools access to an expansive array of products and surveillance services. This allows repressive regimes and law enforcement more broadly to acquire tools that enable them to surveil dissidents, human rights activists, journalists, political opponents, and regular citizens. And while a lot of attention has been focused on spyware that targets Apple’s iOS, Android is the dominant operating system worldwide and has been facing similar exploitation attempts.

 “We just want to protect users and find this activity as quickly as possible,” Huntley says. “We don’t think we can find everything all the time, but we can slow these actors down.”

TAG says it currently tracks more than 30 surveillance-for-hire vendors that have ranging levels of public presence and offer an array of exploits and surveillance tools. In the three Predator campaigns TAG examined, attackers sent Android users one-time links over email that looked like they had been shortened with a standard URL shortener. The attacks were targeted, focusing on just a few dozen potential victims. If a target clicked on the malicious link, it took them to a malicious page that automatically began deploying the exploits before quickly redirecting them to a legitimate website. On that malicious page, attackers deployed “Alien,” Android malware designed to load Cytrox's full spyware tool, Predator.

As is the case with iOS, such attacks on Android require exploiting a series of operating system vulnerabilities in sequence. By deploying fixes, operating system makers can break these attack chains, sending spyware vendors back to the drawing board to develop new or modified exploits. But while this makes it more difficult for attackers, the commercial spyware industry has still been able to flourish.

“We can’t lose sight of the fact that NSO Group or any one of these vendors is just one piece of a broader ecosystem,” says John Scott-Railton, a senior researcher at Citizen Lab. “We need collaboration between platforms so that enforcement actions and mitigations cover the full scope of what these commercial players are doing and make it harder for them to continue.”

Spyware Vendors Target Android With Zero-Day Exploits

Researchers found a way to exploit the tech that enables Apple’s Find My feature, which could allow attackers to track location when a device is powered down.

When you turn off an iPhone, it doesn’t fully power down. Chips inside the device continue to run in a low-power mode that makes it possible to locate lost or stolen devices using the Find My feature or use credit cards and car keys after the battery dies. Now researchers have devised a way to abuse this always-on mechanism to run malware that remains active even when an iPhone appears to be powered down.

It turns out that the iPhone’s Bluetooth chip—which is key to making features like Find My work—has no mechanism for digitally signing or even encrypting the firmware it runs. Academics at Germany’s Technical University of Darmstadt figured out how to exploit this lack of hardening to run malicious firmware that allows the attacker to track the phone’s location or run new features when the device is turned off.

This video provides a high overview of some of the ways an attack can work.

The research is the first—or at least among the first—to study the risk posed by chips running in low-power mode. Not to be confused with iOS’s low-power mode for conserving battery life, the low-power mode (LPM) in this research allows chips responsible for near-field communication, ultra wideband, and Bluetooth to run in a special mode that can remain on for 24 hours after a device is turned off.

“The current LPM implementation on Apple iPhones is opaque and adds new threats,” the researchers wrote in a paper published last week. “Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates. Thus, it has a long-lasting effect on the overall iOS security model. To the best of our knowledge, we are the first who looked into undocumented LPM features introduced in iOS 15 and uncover various issues.”

They added: “Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation.”

The findings have limited real-world value, since infections required first jailbreaking an iPhone, which in itself is a difficult task, particularly in an adversarial setting. Still, targeting the always-on feature in iOS could prove handy in post-exploit scenarios by malware such as Pegasus, the sophisticated smartphone exploit tool from Israel-based NSO Group, which governments worldwide routinely employ to spy on adversaries.

It may also be possible to infect the chips in the event hackers discover security flaws that are susceptible to over-the-air exploits similar to this one that worked against Android devices.

Besides allowing malware to run while the iPhone is turned off, exploits targeting LPM could also allow malware to operate with much more stealth since LPM allows firmware to conserve battery power. And, of course, firmware infections are extremely difficult to detect since it requires significant expertise and expensive equipment.

The researchers said Apple engineers reviewed their paper before it was published, but company representatives never provided any feedback on its contents. Apple representatives didn’t respond to an email seeking comment for this story.

Ultimately, Find My and other features enabled by LPM help provide added security, because they allow users to locate lost or stolen devices and lock or unlock car doors even when batteries are depleted. But the research exposes a double-edged sword that, until now, has gone largely unnoticed.

“Hardware and software attacks similar to the ones described have been proven practical in a real-world setting, so the topics covered in this paper are timely and practical,” said John Loucaides, senior vice president of strategy at firmware security firm Eclypsium. “This is typical for every device. Manufacturers are adding features all the time, and with every new feature comes a new attack surface.”

_This story originally appeared on_ _Ars Technica__._

Your iPhone Is Vulnerable to a Malware Attack Even When It’s Off

By Deeba Ahmed
The iOS Find My feature has a safety loophole that can lead to infecting the iPhone even if…
This is a post from HackRead.com Read the original post: Attackers can Install Malware on iPhone When it is Powered Off – Research

The iOS Find My feature has a safety loophole that can lead to infecting the iPhone even if the phone is off.

Academic researchers from the Secure Mobile Networking Lab (SEEMOO) at the Technical University of Darmstadt have identified a unique way of infecting an iPhone by loading malware while the phone is off.

Researchers will present their findings at the ACM Conference on Security and Privacy in Wireless Mobile Networks/ WiseSec 2022.

**How does the Attack work?**

The attack occurs after tampering with the iOS firmware and loading the malicious software onto a wireless Bluetooth chip with Near-field Communication and Ultra-Wideband. The attacker needs to execute the chip to infect the phone when it is off. The chip continues to operate when the system is off, and the Low Power Mode (LPM) is activated.

While the three wireless chips can facilitate Find My and Express Card transaction features, these can directly access the secure element. Basically, the ultra-wideband (UWB) (supported by iPhone 11, 12, and 13) and the Bluetooth chips are hardwired to the NFC chip’s Secure Element and can easily access confidential data.

“Since LPM support is implemented in hardware, it cannot be removed by changing software components. As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown,” researchers wrote in the paper titled “Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhones.”

Researchers regarded the LPM feature as Opaque and highlighted that it sometimes fails to initialize Find My ads when the phone is off. Moreover, the Bluetooth firmware is not encrypted or signed.

An attacker can exploit this flaw to execute the malware on an iPhone Bluetooth chip. However, the adversary must possess privileged access. Furthermore, the attacker must communicate to the firmware via the OS, modify its image or obtain code execution on an LPM-activated chip by exploiting another flaw such as BrakTooth to exploit the loophole successfully.

**What is LPM?**

This feature was introduced in 2021 with iOS 15. It helps the user track lost devices using the Find My network and stays available even when the phone is out of battery power or is off. Before the phone shuts down, a message states the device will remain findable despite being off, and the Find My feature will locate it in case it is lost or stolen. The phone will be accessible when powered off or is in power reserve mode.

**More iPhone Tech & Hack on Hackread.com**

1.  A bug lets you crash anyone’s iPhone with a text message
2.  SolarWinds hackers exploited iOS 0-day to compromise iPhones
3.  Apple’s neuralMatch tool will scan iPhones for child abuse content
4.  iPhones of 9 State Dept officials hijacked by NSO Pegasus spyware
5.  NSO zero-click iMessage exploit hacks iPhone without the need to click links

Attackers can Install Malware on iPhone When it is Powered Off – Research

Asus DSL-N14U-B1 1.1.2.3_805 allows remote attackers to cause a Denial of Service (DoS) via a TCP SYN scan using nmap.

layout

title

date

comments

categories

post

Persistent crash of services after TCP SYN scan

2021-01-22

true

vulnerability

**Affected products**

We have not yet tested Asus models other than those listed. However we suspect it may also work on other models with the same firmware version.

        DSL-N14U_B1 V.1.1.2.3_805
        
    

**Overview**

An issue was discovered on ASUS DSL-N14U-B1 1.1.2.3\_805 device. Remote attacker to cause a denial of service (crash) by performing a SYN scan using a tool such as nmap. Sending these packets causes a persistent outage of the jetdirect (9100/tcp), LPD (515/tcp) and sos (3838/udp) services.

**POC**

**This PoC can crash services.**

##Stage 1: Enumeration

##Stage 2: Upload test

We enter the router via ssh to understand through the proc file system what's going on.

As shown in the figure, we can see some active services and their port in hexadecimal format. Those that interest us are basically jetdirect LPD (i.e. 238C and 0203 in hex)

##Stage 3: Showdown

We run nmap by inserting an additional script with a moderate degree of intrusion.

The script retrieves or sets the "ready message" on devices that support the Printer Job Language.

sudo nmap -sV --script pjl-ready-message

Once this is done, we immediately notice differences in the proc file system.

As a counter check, we show the status of services before and after running nmap via netstat -tulen (busybox doesn't support -p, which is why we work on the proc file system inside the router).

In the latest two figures we show proc file system effects in a comprehensive way 

If we had an eye previously, we have seen well, not just two ocurrencies related to printing services crashed... an additional service disappeared: sos service (3838 / tcp) - Scito Object Server

The situation will persist as long as the modem router is active. The services will be active again only with a physical intervention (reboot)

CVE-2021-3254: kaisersource.github.io/2021-01-22-dsl-n14u.md at main · kaisersource/kaisersource.github.io

CVE-2021-3254

Plus: Russia rerouted internet in occupied Ukraine, Grindr sold its users' location data to ad networks, and more.

If the war in Ukraine and Russia's still-unfolding atrocities there didn't offer enough fodder for doomscrolling, this week supplied a new dose of domestic crisis: A leaked Supreme Court draft decision that would overturn _Roe v. Wade_, demolishing a ruling that has served as a cornerstone of reproductive rights for nearly five decades. And this crisis, too, will play out in the digital realm as much as the physical and legal ones.

WIRED's Lily Hay Newman responded to the news with a guide to protecting your privacy if you're seeking an abortion in a near-future world in which _Roe_ has in fact been overturned. As right-wing pundits demand the Supreme Court leaker's prosecution, meanwhile, we analyzed the laws concerning leaks of unclassified government information like a draft court ruling and found that there's no clear statute criminalizing that sort of information sharing. And law professor Amy Gajda walked us through the history of Supreme Court information leaks, which stretches back hundreds of years.

As Russia's war in Ukraine grinds on, we looked at how small, consumer-grade drones are offering a defensive tool to Ukrainians that they're exploiting as in no other war in history. And further abroad in India, a battle is taking shape between VPN firms and the Indian government, which is demanding they hand over users' data. Meanwhile, the country's new “super app,” Tata Neu, has sparked user privacy concerns.

And there's more. As we do every week, we’ve rounded up all the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there.

If _Roe_'s precedent ceases to protect people seeking abortions across the United States, the question of who can digitally surveil those seeking abortions and abortion providers—and how to evade that surveillance—will become a civil liberties battle of the highest urgency. This week, Motherboard's Joseph Cox fired the opening salvos of that battle with a series of stories about data brokers who offer to sell location data that include individuals' visits to abortion clinics and Planned Parenthood offices, an egregious form of surveillance capitalism with immediate human consequences. Anti-abortion protest groups have already used abortion clinic data to target ads at women inside the clinics, and the same data could soon be used to identify women who seek out-of-state abortions in violation of local laws.

Cox pointed to two companies, SafeGraph and Placer.ai, both of which sold location data of those apparently visiting abortion clinics. Placer.ai has gone so far as to offer "heat maps" of where abortion clinic visitors live to anyone who creates a free account on its site. Cox's reporting had quick results: SafeGraph, which was banned from the Google Play store in June, responded to Motherboard's story by committing to stop selling the abortion-related location data. One of its investors, Are Traasdahl, says he's selling his stake in the company and donating the money to Planned Parenthood.

Your move, Placer.ai.

While we're shaming firms that leak or sell their users' location data, Grindr has long represented a uniquely dangerous combination: a company that courts at-risk users, and then egregiously fails to protect their privacy. This week, _The Wall Street Journal_ revealed that Grindr users' location data was sold for years—beginning in 2017 until at least two years ago—via ad networks, potentially exposing the movements, work locations, and home addresses of millions of gay men. The revelation follows years of Grindr data abuses and inattention to privacy and security, such as allowing anyone to pinpoint users with a triangulation technique, and even turning a blind eye as one man's life was ruined by spoofed Grindr accounts.

In 2022 a Russian military occupation doesn't merely mean physical devastation from shelling, unspeakable war crimes, and mass deportations of Ukrainian civilians to Russian hinterlands. In the Russian-occupied region of Kherson in southern Ukraine, it now means that Ukrainians have been disconnected from the global internet and rerouted through Russia's tightly controlled, surveilled, and censored “Runet.” The move, confirmed Monday by the internet monitoring firm Netblocks, represents a grim advancement of the “splinternet” notion of repressive regimes increasingly walling off their own regional slice of the internet to exert greater control over their populations. Russia now appears to be experimenting with extending its internet repression to the victims of its unprovoked military conquests in a bid to better control and influence digital information there too.

Last month, _The New Yorker_ published an in-depth investigation of how the Israeli hacking firm NSO Group's highly sophisticated smartphone spyware known as Pegasus was used to target members of Spain's Catalan independence movement. Now, Spain's government may be getting a taste of its own medicine: Both the prime minister, Pedro Sánchez, and the country's defense minister, Margarita Robles, have said that their phones, too, were hacked with Pegasus in May and June of 2021. Spain's criminal court is investigating the hacking, which was revealed by security researchers at Citizen Lab. While the Spanish government has claimed that the hacking must have been carried out by a foreign culprit, the Catalan targets of Pegasus have long pointed the finger—for their own targeting at least—at Spain's National Intelligence Center.

The US Treasury announced Friday that it's issuing sanctions against Blender.io, a “mixing” service that's used to obscure the origins and destinations of cryptocurrency. Mixers, including Bitcoin Fog and Helix, have been criminally prosecuted by the US Department of Justice for helping to obscure the criminal origins of cryptocurrency. But the sanctions against Blender.io represent the first time that the Treasury has taken measures to financially ostracize a mixer, making it a crime for any American to transact with the service. In this case, Blender is accused of helping to launder $20.5 million of the $620 million worth of cryptocurrency that North Korea's Lazarus hackers allegedly stole from the cryptocurrency firm Ronin Networks in March. That hack alone suggests that North Korean thieves have already topped the estimated $400 million in crypto—largely in the Ethereum currency—that they stole last year.

Data Brokers Track Abortion Clinic Visits for Anyone to Buy

The country has ordered companies operating VPNs to collect user data and hand it over to officials—but they’re refusing to do so.

VPN companies are squaring up for a fight with the Indian government over new rules designed to change how they operate in the country. On April 28, officials announced that virtual private network companies will be required to collect swathes of customer data—and maintain it for five years or more—under a new national directive. VPN providers have two months to accede to the rules and start collecting data.

The justification from the country’s Computer Emergency Response Team (CERT-In) is that it needs to be able to investigate potential cybercrime. But that doesn’t wash with VPN providers, some of whom have said they may ignore the demands. “This latest move by the Indian government to require VPN companies to hand over user personal data represents a worrying attempt to infringe on the digital rights of its citizens,” says Harold Li, vice president of ExpressVPN. He adds that the company would never log user information or activity and that it will adjust its “operations and infrastructure to preserve this principle if and when necessary.”

Other VPN providers are also considering their options. Gytis Malinauskas, head of Surfshark’s legal department, says the VPN provider couldn’t currently comply with India’s logging requirements because it uses RAM-only servers, which automatically overwrite user-related data. “We are still investigating the new regulation and its implications for us, but the overall aim is to continue providing no-logs services to all of our users,” he says. ProtonVPN is similarly concerned, calling the move an erosion of civil liberties. “ProtonVPN is monitoring the situation, but ultimately we remain committed to our no-logs policy and preserving our users’ privacy,” says spokesperson Matt Fossen. “Our team is investigating the new directive and exploring the best course of action,” says Laura Tyrylyte, head of public relations at Nord Security, which develops Nord VPN. “We may remove our servers from India if no other options are left.”

The hardball response from VPN providers shows how much is at stake. India has rapidly shifted away from a free and open democracy and launched crackdowns on non-governmental organizations, journalists, and activists, many of whom use VPNs to communicate. Human Rights Watch recently warned that media freedom is under attack in the country, with a number of law and policy changes threatening the rights of minority citizens in the country. India dropped eight places in Reporters Without Borders’ Press Freedom Index in the past year and now sits 150th out of 180 countries worldwide. Authorities are alleged to have targeted journalists, stoking nationalist division and encouraging harassment of reporters who are critical of Indian prime minister Narendra Modi. By collecting and storing data on all VPN users in India, authorities may find it easier to see who VPN-using journalists are contacting and why.

Officials in India have claimed that the new rules for VPN providers aren't part of a data grab aimed at further stymying press freedoms, but rather an attempt to better police cybercrime. India has been hit by a number of significant data breaches in recent years and was the third-most affected country worldwide in 2021. “Data breaches have become so common in India that they no longer make front page news as they used to,” says Mishi Choudhary, a technology lawyer and founder of the Software Freedom Law Center, a technology legal support services provider in India. In May 2021, the names, email addresses, locations, and phone numbers of more than 1 million customers of Domino’s Pizza were stolen and posted online; in the same year, the personal information of 110 million users of digital payment platform MobiKwik ended up on the dark web. Now, as the major incidents pile up, Indian officials are going after VPNs in an apparent attempt to reign in the cybercrime surge.

“CERT-In is duty-bound to respond to any cybersecurity incidents,” says Srinivas Kodali, a researcher focusing on digitalization in India from the Free Software Movement of India—though he disputes its efficacy in doing so. Having this information on hand should, in theory, allow CERT-In to investigate any incidents more speedily after the fact. But many don’t believe that’s the full story. “CERT-In doesn’t really have a clean past, and they’ve never really protected citizens’ privacy,” Kodali claims. “According to the rules, they are going to only demand these logs when they actually need them for part of an investigation. But in India, you never know how they will be abused.”

Such concerns of overreach are not unfounded. According to data published in April 2022 by Access Now, an advocacy group lobbying for internet freedoms, India was responsible for 106 of the 182 documented internet shutdowns in 2021. It was the fourth successive year the country held the unenviable title of the internet shutdown capital of the world. At the same time, India’s government has allegedly misled parliament about its use and deployment of the Israeli-produced spyware Pegasus against 160 politicians, lawyers, and activists within the country.

That ‘collect data first, ask questions later’ approach to law enforcement has others worried, too. “This is a blunderbuss way of remembering all data and keeping tabs on your users,” says Anupam Chander, professor of law at Georgetown University in Washington, DC. “That way, if \[India\] needs it for law enforcement, intelligence purposes, or other purposes, they can grab it later.” And the VPN data grab could, potentially, collect information on millions of Indians who rely on the technology. One in five Indians used a VPN in 2021, according to data gathered by service provider Atlas VPN—up from just 3 percent in 2020. The increased usage echoes a broader rise in the use of VPNs in countries such as Venezuela, Costa Rica, and Cambodia, which saw similar increases. It also shows how people in India are seeking out VPNs for information security purposes, as well as to avoid geoblocking of popular websites.

There’s another reason everyday Indians are pursuing VPNs: the rollout of a controversial nationwide identification database. The ID system known as Aadhaar—which first launched in 2009 and has evolved since then—assigns citizens a 12-digit identity code based on their biometric and demographic information. Its proponents say that Aadhaar is part of a plan to digitize the Indian economy and make it easier to access government services. Its opponents say Aadhaar’s ubiquity and required use—you can’t open a bank account, get an ambulance, or pay your taxes without one—is an attempt to shoehorn a surveillance state into existence under the auspices of making things easier for citizens. Choudhary worries that the new rules for VPN providers are part of a broader “mission creep” to control what is said and by whom across India. “This is not just bureaucracy,” Choudhary says. “It seems that the government of India is using every opportunity to make access to the internet much more controlled, as well as monitored.” CERT-In did not respond to a request for comment.

And India is not alone. “South Asian governments are basically competing with each other in this operational Olympics around violating the digital rights of their citizens,” says Pakistani lawyer and internet activist Nighat Dad. Pakistan’s government attempted to introduce a law in October 2021 that gave it the right to monitor and censor any content posted on social media in the country. Pakistan has previously blocked access to Facebook, Twitter, YouTube, WhatsApp, and Telegram “to maintain public order.” Dad is scared. “Not only in Pakistan but in India, there are marginalized communities who are at risk. This is a scary situation.” Similar concerns have been raised in Indonesia, where digital platforms have to register with the communications ministry and agree to provide access to their systems and data on request. So too in Bangladesh, where internet freedom has reached an “all-time low,” according to Freedom House, as the governing party uses laws to crack down on political dissent through social media.

VPNs that are developed within—or operate in—India will have to choose whether to accede to CERT-In’s request or withdraw their support from the country. Kodali says providers may adopt a halfway-house solution, barring new users from paying for VPNs with an Indian bank account, which would theoretically make it impossible for Indians to sign up while in practice quietly permitting them to find a workaround. But what starts in India likely won’t end there. “This does have global implications,” says Chander, who believes India is learning a lesson from China, with its stringent internet crackdowns. There’s a worry other, more liberal governments will follow the Indian-Chinese model, too. Attacks on end-to-end encryption are commonplace in the UK, while the US joined India, the UK, Japan, Australia, and New Zealand in signing an international statement asking for backdoor access that would subvert encryption standards. “I think it’s important that governments justify these actions,” says Chander, “and explain how they don’t threaten civil liberties.”

VPN Providers Threaten to Quit India Over New Data Law

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter that’s going to be a little different, but bear with me. 
In honor of the NFL Draft starting this evening — an event that Cisco is helping to secure — I thought it’d be appropriate to look at building a...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter that’s going to be a little different, but bear with me. 

In honor of the NFL Draft starting this evening — an event that Cisco is helping to secure — I thought it’d be appropriate to look at building a cybersecurity team from the ground up. As an avid NFL fan (go Browns!) I’m always thinking about what I would do if I was a general manager in a draft room. This year, if I was building a football team, I’d be steering clear of Aidan Hutchinson and Travon Walker early on and trying to trade back and take receivers like Chris Olave or Garrett Wilson. 

But cybersecurity is also a team sport. You need a layered model to ensure your organization stays safe from everyday vulnerabilities, state-sponsored actors and everything in between. To build that team, we need to go through seven rounds of selections to build out the ultimate roster of security tools and skills that everyone needs to keep their organization secure (obviously, some of these are a bit tongue-in-cheek, if you want honest to goodness security advice, reach out to Cisco Talos Incident Response today). Email me at threatsource@cisco.com with what — or who — you would select in the first round of your Cybersecurity Draft. 

**Round 1: Multi-factor authentication **

MFA is a guy you want in the trenches with you every day on the security playing field. They’re going to protect your most important players from attacking bad guys looking to take advantage of holes in your protection. If we’re building a team from the ground up, we need to make sure we have the basics covered, and if your team doesn’t have MFA at this point, you’re going to be searching for an authentication method in the offseason free agency, and who wants to sign passwords to a three-year contract? 

**Round 2: An Incident Response plan **

Incident Response Plans weren’t recruited highly in security high school, but they rose up through the ranks over the past few years to become a Wi-Feisman Trophy winner in 2021. An Incident Response plan is there for you when you fall behind on the scoreboard and need to make ground up quickly against attackers. A strong IR plan will give this team a base from which they can react to any attack quickly and try and minimize the damage, hopefully setting us up for a comeback in the fourth quarter. If you’re also looking to draft an IR plan of your own, might I suggest reaching out to Talos Incident Response, who can work to build one from the ground up? 

**Round 3: User training **

A lot of people are concerned that when he was in college, User Training went relatively unnoticed for being “boring.” But there are ways to spice things up on the field, and I think as a manager, I can truly unlock Training’s potential. If our users are properly informed about the risks out there in an entertaining and educational way, we can hopefully lean on MFA in the trenches to work as it's supposed to. 

**Round 4: Endpoint detection **

Endpoint detection is projected to go earlier than this in the 2022 Cybersecurity Draft, but I personally think people have kind of forgotten about EDR recently and it could slide into the later rounds, which is where I’ll grab them up. EDR will set up in secondary on defense and monitor for any attacker movements on the offensive side of the field, letting the rest of the team know about any unusual activities, users or connections.  

**Round 5: Vulnerability management program **

A vulnerability, asset and patching management program like Kenna Security will round out our starting defense. Here’s a guy who can muck up the middle of the field and make it harder for attackers to break through the line and further toward your network’s endzone. By deploying software like this, this team will make sure major holes are patched up right away before the opposing team’s leader can even see them on the field, and best of all, we can automate the process so we don’t need to focus as much as hands-on coaching with this position group. 

**Round 6: Penetration testing **

Round 6 seems late, but with this front office, we can find greatness anywhere. Penetration testing is going to be this team’s Tom Brady coming from Round 6. We’ll grab a few pentesters to place on the perimeter and look in at the team to find any vulnerabilities in our team before our opponents can. That way when we head into a week of practice, we know what needs to be fixed right away before we are out against our opponents, and they can take advantage. (Plus, this pretty much guarantees we can use red in our uniforms and get something close to the awesome throwback Falcons gear.) 

**Round 7: Physical backups **

Physical backup drives are the kickers of cybersecurity — you hate it when you have to rely on them in the final seconds, but when they work out, they can still be a lifesaver. By keeping physical backups of our team’s data and gameplans, we’re protected in a worst-case scenario and can recover quickly in crunch time rather than hoping we can pay the opponents to give us the ball back. Cloud backups would work just as well in this case, but we like that physical drives have put in years of work to get to this point.  

**Other newsy nuggets **

New research indicates the use of the NSO Group’s Pegasus spyware continues to spread, even to democratic nations. The Spanish government recently deployed the tool against individuals in Catalan, an area looking to separate from Spain. Spyware continues to be a growing concern across the globe, with evidence indicating that Pegasus is being used in at least 45 countries, according to new reporting in the New Yorker, and similar tools are in use by law enforcement agencies in the U.S. and Europe, areas where governments have pledged to crack down on spyware. (The New Yorker, CNET) 

Western governments doubled down on warnings that Russian state-sponsored actors could target critical infrastructure with cyber attacks in the coming weeks, as the country’s invasion of Ukraine drags on. A new alert from cybersecurity agencies in the U.S., Canada, Australia and other countries warns the attacks could come as a Russian response to international sanctions, adding that “other cybercrime groups have recently conducted disruptive attacks against Ukrainian websites, likely in support of the Russian military offensive.” (CISA, Reuters) 

The Emotet botnet could be testing new techniques in preparation for a large-scale campaign in the coming months. Security researchers recently spotted the threat actor emailing targets OneDrive URLs that hosted ZIP files containing malicious Microsoft Excel files that installed Emotet onto the targeted machine. This would represent the biggest comeback from Emotet since a law enforcement effort in January 2021 disrupted the botnet. Talos has previously seen signs that the botnet and the actor behind it was not likely to go away even after the takedown efforts. (Cybersecurity Dive, ZDNet, Talos) 

**Can’t get enough Talos? **

*   Talos Researcher Spotlight: Liz Waddell, CTIR practice lead
*   Threat Roundup (April 15 – 22)
*   Talos Takes Ep. #93: Kenna 101 — Best patching and mitigation strategies
*   Quarterly Report: Incident Response trends in Q1 2022

**Upcoming events where you can find Talos ****BSides Charm (April 30 - May 1, 2022)  
Towson, Maryland ****RSA 2022 (June 6 – 9, 2022)  
San Francisco, California ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada ****DEF CON 2022 (Aug. 11 - 14, 2022)  
Las Vegas, Nevada ****Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645   **MD5:** 2c8ea737a232fd03ab80db672d50a17a   **Typical Filename:** LwssPlayer.scr     
**Claimed Product:** 梦想之巅幻灯播放器     
**Detection Name:** Auto.125E12.241442.in02   

**SHA 256:** 792bc2254ce371be35fcba29b88a228d0c6e892f9a525c330bcbc4862b9765d0  **MD5:** b46b60327c12290e13b86e75d53114ae  **Typical Filename:** NAPA\_HQ\_SetW10config.exe  **Claimed Product:** N/A  **Detection Name:** W32.File.MalParent 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa **MD5:** df11b3105df8d7c70e7b501e210e3cc3 **Typical Filename:** DOC001.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0     
**MD5:** 10f1561457242973e0fed724eec92f8c   **Typical Filename:** ntuser.vbe   
**Claimed Product:** N/A     
**Detection Name:** Auto.1A234656F8.211848.in07.Talos

Threat Source newsletter (April 28, 2022) — The 2022 Cybersecurity Mock Draft

In ControlUp Real-Time Agent before 8.6, an unquoted path can result in privilege escalation. An attacker would require write permissions to the root level of the OS drive (C:\) to exploit this.

**Vulnerability ID:** CVE-2022-27905  
**Severity:** Medium  
**Update Release Date:** February 17, 2022  
**Fix version:** Version >= 8.6 for both Hybrid Cloud and COP (On-Premises)

**What was the problem?**

A local privilege escalation may be possible due to an insecure call to the CreateProcessAsUserA (Unquoted path) WinAPI function while the ControlUp Real-Time Agent is running.  
The prerequisites for exploiting this vulnerability are very uncommon and include write access to C:\\ by a low-privilege user and the ability to restart the cuAgent service.

We use cookies to ensure that we give you the best experience on our website. by continuing to use this site you agree to our Cookie policy. Got it

Tag

#asus