The United Nations' top internet governance body will allegedly host its next two annual meetings in countries known for repressive internet policies and human rights abuses.

The United Nations’ main internet governance body looks set to host its next international forum in Riyadh, Saudi Arabia. In 2025, the UN may take its discussions on the future of an open internet to Russia. Holding the Internet Governance Forum (IGF), back to back, in authoritarian countries notorious for their surveillance and censorship of the internet risks making “a joke of the whole system,” one advocate says.

While the UN has yet to formally announce the host countries for either meeting, Saudi Arabia's minister of communications and information technology, Abdullah Alswaha, seemed to let the news slip at this year’s forum in Tokyo, Japan, which began on Sunday and ends Thursday.

In a short speech before the plenary, Alswaha ran through some key issues facing the IGF, including generative artificial intelligence and the digital divide. He proposed to the attendees that “we continue this dialog at Riyadh IGF ‘24.” He repeated that idea again at the end of his speech, leaving attendees buzzing.

“It's extremely problematic,” Barbora Bukovská, senior director for law and policy at human rights organization Article 19, tells WIRED. She learned the news on Tuesday from colleagues in Tokyo. “Their human rights record and their record on digital freedoms should disqualify them from having it.”

In recent years, Riyadh has engaged in digital surveillance of dissidents, administering the death penalty against citizens who called out its human rights record online. The Saudi regime also ordered the 2018 extrajudicial killing of journalist Jamal Khashoggi. Freedom House, a pro-democracy nonprofit, assesses that Saudi Arabia maintains one of the world’s most restrictive and censored internet systems, only marginally better than Russia.

“The IGF is a community, it's a multi-stakeholder event,” Bukovská says. “You are supposed to have not just governments and companies, but also civil society, activists, and so on.” She says it will be difficult to invite democracy and open internet advocates to Riyadh. “How are they supposed to participate in Saudi Arabia, when you can be targeted by spyware, and with all kinds of restrictions? So I think it's extremely problematic.”

The IGF is a relatively new organization, having been set up in 2006. Its purpose is more advisory than regulatory, serving as a chance for countries, corporations, civil society organizations, and activists to discuss and debate various aspects of how the internet itself is run. “It's quite interesting and important for shaping the responses on certain issues,” Bukovská says.

While it may not be responsible for standards and regulations like the International Telecommunications Union—which has also been the subject of an international tug-of-war between censorship-minded countries and those who support an open internet—it is the main UN body devoted to internet governance. Where it is hosted matters, Bukovská says. Countries like Saudi Arabia can use the Forum “as a decoy to present themselves as a part of the international community, which respects human rights.”

Oppressive governments have worked hard to dismantle the shared system of governance model of the internet, argues Léa Fiddler, pushing instead for “sovereign digital ecosystems over which they can exert even more control, leading to what is often called the ‘splinternet.”

Fiddler is a visiting fellow for democracy and human rights at the Atlantic Council’s DFRLab. She wrote in advance of the 2023 Forum that the IGF will have an “outsized impact on how the internet looks and operates over the next several decades.” The IGF is also due to renew and rewrite its mandate in the coming years, she notes. “The conclusions that stakeholders come to at IGF will inform their stance on efforts at risk of being exploited for authoritarian purposes.”

There have been proposals put forth at the UN to substantially alter the balance of power in global internet governance. Fiddler points to the “Global Digital Compact,” which could substantially increase the UN’s role in regulating the internet. In a similar vein, Bukovská points to a cybersecurity treaty currently being proposed by Russia which, critics fear, is so vague that it could permit prosecution and targeting of journalists and democracy advocates.

Saudi Arabia will not be the first illiberal regime to host the IGF. Last year’s Forum was held in Addis Ababa, Ethiopia, amid an internet shutdown in the country’s Tigray region. Critics like digital rights group AccessNow decried the choice of venue at the time. “We cannot have a truly resilient internet or shared, sustainable, common future if we systematically silence or ignore those most at risk of rights violations,” the organization wrote in a statement.

It’s unclear if Saudi Arabia was the only country to actually submit a bid to host the 2024 Forum.

In 2021, Canadian cybersecurity firm eQualitie launched a petition to have the 2024 Forum in Montreal. Dozens of tech companies and civil society organizations from Canada and around the world signed on to the petition, but the Canadian government appears to have ignored the request. A spokesperson for Canadian foreign affairs minister Melanie Joly did not return a request for comment.

In a press release, eQualitie called Riyadh’s selection a "missed opportunity" and that Saudi Arabia's successful bid "raises concerns about the Forum's ability to maintain its principles of open dialogue and collaboration with civil society."

In a LinkedIn post, Bukovská sarcastically wrote of the trend being set by the UN body hosting an internet governance conference in Riyadh. “I guess I will also be looking forward to visiting Pyongyang, Teheran, or Moscow in the years to come.” But there are good odds that the IGF’s next meeting will, in fact, be held in Russia.

In 2020, the Russian Internet Governance Forum issued a press release indicating that Russia had been chosen as the 2025 host, citing official confirmation sent by the UN. It was repeated again in December 2021 by Russia’s deputy prime minister, Dmitry Chernyshenko. “Choosing Russia as the venue to host the 20th forum is a great honor for us and evidence that our country’s strong positions in the field of the development of the information society and digital technologies are recognized,” he said in a speech.

WIRED has previously reported on how a concerted American campaign for the presidency of the International Telecommunications Union thwarted Russian efforts to take over the body.

“This actually makes a joke of the whole system,” Bukovská says. She points to similar efforts at the UN Human Rights Council. “If you want to protect the integrity of these UN systems, as something where states should be held accountable for their human rights violations, it should not go to these countries.”

This spring, the Norwegian government announced its bid for the 2025 forum. The IGF has not officially indicated where the forum will be held, and the Norwegian government did not respond to a request for comment.

It is increasingly clear that the world’s most repressive countries are vying, either in conjunction or independently, to gain more control of how the very mechanics of the internet operate.

The UN Risks Normalizing Internet Censorship

NB Defense, ModelScan, and Rebuff, which detect vulnerabilities in machine learning systems, are available on GitHub.

Protect AI, maker of Huntr, a bug-bounty program for open source software (OSS), is venturing further into the OSS world by licensing three of its artificial intelligence/machine learning (AI/ML) security tools under the permissive Apache 2.0 terms.

The company developed the first tool, NB Defense, to protect ML projects being developed in Jupyter Notebooks, a common application favored by data scientists. As it became widely used, hackers began targeting Jupyter because of the power inherent in a tool meant to test code and packages. In response, Protech AI developed NB Defense, a pair of tools for scanning Notebooks for vulnerabilities, such as secrets, personally identifiable information (PII), CVE exposures, and code subject to restrictive third-party licenses. The JupityrLab extension finds and fixes security issues within a Notebook, whereas the CLI tool enables scanning of multiple Notebooks simultaneously and automatic scanning of those being uploaded to a central repository.

The second tool, ModelScan, originated from the need for teams to share ML models across the Internet, as more companies are developing AI/ML tools for internal use. ModelScan scans Pytorch, Tensorflow, Keras, and other formats for model serialization attacks,such as credential theft, data poisoning, model poisoning, and privilege escalation (wherein the model is weaponized to attack other company assets).

The third tool, Rebuff, was an existing open source project that Protect AI acquired in July and has continued developing. Rebuff addresses prompt injection (PI) attacks, in which an attacker sends malicious inputs to large language models (LLMs) in order to manipulate outputs, expose sensitive data, and allow unauthorized actions. The self-hardening prompt injection detection framework employs four layers of defense: heuristics, which filters out potentially malicious input before it reaches the model; a dedicated LLM, which analyzes incoming prompts to identify potential attacks; a database of known attacks, which helps it recognize and fend off similar attacks later on; and canary tokens, which modify prompts to detect leaks.

The spread of AI and LLMs across organizations of various sizes has led to a similar rise in tools to secure — or attack — such models. For example, HiddenLayer, this year's winner of the RSA Conference Innovation Sandbox, made securing those models against tampering its mission. In 2021, Microsoft released a security framework and its own open source tools for protecting AI systems against adversarial attacks. And the flaws just announced in TorchServe underscore the real-world stakes for even the biggest players, such as Walmart and the three major cloud service providers.

All three of Protect AI's tools — NB Defense, ModelScan, and Rebuff — are available on GitHub.

Protect AI Releases 3 AI/ML Security Tools as Open Source

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection.

Xiaomi welcomes security experts and research teams to join our Vulnerability Disclosure Program (VDP). Xiaomi is commited to taking the responsibility to the security of our users around the world can enjoy a secure and reliable intelligent life.

For the security vulnerabilities disclosed in this page, Xiaomi does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose or non-infringement. You understand the vulnerabilities disclosure information is just to provide reference for you to assess security risk and make appropriate decision. Your use of the document, by whatsoever means, will be totally at your own risk. In no event shall Xiaomi or be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

CVE-2023-26319: Xiaomi Security Center

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Xiaomi Xiaomi Router allows Overflow Buffers.

CVE-2023-26318: Xiaomi Security Center

CVE-2023-26320: Xiaomi Security Center

Microsoft has linked the exploitation of a recently disclosed critical flaw in Atlassian Confluence Data Center and Server to a nation-state actor it tracks as Storm-0062 (aka DarkShadow or Oro0lxy).
The tech giant's threat intelligence team said it observed in-the-wild abuse of the vulnerability since September 14, 2023.
"CVE-2023-22515 is a critical privilege escalation vulnerability in

Cyber Attack / Vulnerability

Microsoft has linked the exploitation of a recently disclosed critical flaw in Atlassian Confluence Data Center and Server to a nation-state actor it tracks as **Storm-0062** (aka DarkShadow or Oro0lxy).

The tech giant's threat intelligence team said it observed in-the-wild abuse of the vulnerability since September 14, 2023.

"CVE-2023-22515 is a critical privilege escalation vulnerability in Atlassian Confluence Data Center and Server," the company noted in a series of posts on X (formerly Twitter).

"Any device with a network connection to a vulnerable application can exploit CVE-2023-22515 to create a Confluence administrator account within the application."

CVE-2023-22515, rated 10.0 on the CVSS severity rating system, allows remote attackers to create unauthorized Confluence administrator accounts and access Confluence servers. The flaw has been addressed in the following versions -

*   8.3.3 or later
*   8.4.3 or later, and
*   8.5.2 (Long Term Support release) or later

While the exact scale of the attacks is not clear, Atlassian said that it was made aware of the problem by "a handful of customers," meaning it had been exploited as a zero-day by the threat actor.

It's worth noting that Oro0lxy refers to a digital alias created by Li Xiaoyu, a Chinese hacker who was accused by the U.S. Department of Justice (DoJ) in July 2020 of infiltrating "hundreds of companies" in the U.S., Hong Kong, and China, including coronavirus vaccine research developer Moderna.

Xiaoyu is said to have been assigned to the Guangdong regional division of the Ministry of State Security (MSS).

"The defendants in some instances acted for their own personal financial gain, and in others for the benefit of the MSS or other Chinese government agencies," the DoJ said. "The hackers stole terabytes of data which comprised a sophisticated and prolific threat to U.S. networks."

Organizations relying on Confluence applications are highly recommended to upgrade to the latest versions to mitigate any potential threats, and also isolate them from the public internet until the fixes are in place.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of Nation-State Hackers Exploiting Critical Atlassian Confluence Vulnerability

Researchers believe that more than 70,000 Android devices may have been affected with preloaded Peachpit malware that was installed on the electronics before being sold at market.

After a researcher discovered that an Android-based TV streaming box, known as T95, was infected with preloaded malware, researchers at Human Security released information regarding the extent of infected devices and how malicious schemes are connected to these corrupted products. 

Daniel Milisic, a systems security consultant, created a script alongside instructions to help other users mitigate the threat after first coming across the issue. Now, Human Security's threat intelligence and research team has dubbed the operation "Badbox," which it characterizes as a complex, interconnected series of ad fraud schemes on a massive scale.

Human Security describes the operation as "a global network of consumer products with firmware backdoors installed and sold through a normal hardware supply chain." Once activated, the malware on the devices connect to a command-and-control (C2) server for further instructions. In tandem, a botnet known as Peachpit is integrated with Badbox, and engages in ad fraud, residential proxy services, fake email/messaging accounts, and unauthorized remote code installation.

According to the researchers at Human Security, 200 different models of Android devices are potentially affected, and at least 74,000 Android devices globally are potentially impacted by the Badbox infection. Eight different types of devices have backdoors installed: seven Android-based TV boxes — T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G — and an Android tablet, J5-W. The devices are made in China and somewhere along their supply chain, a firmware backdoor gets implemented on the devices.

The infected devices are from the Android Open Source Project (AOSP), meaning that anyone can modify the code, according to a Google spokesperson; they are not built on the official Android TV operating system for smart TVs and streaming devices, which is proprietary and open only to Google and its licensed partners for code modification. "The off-brand devices discovered to be BADBOX-infected were not Play Protect certified Android devices. If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results." 

Google's spokesperson adds, "Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified."

Human Security recommends that users avoid off-brand devices and be wary of clone apps that could potentially infect their device. In addition, users should consider restoring factory settings if a device is behaving oddly.

"While the disruption of Bandbox is a victory for the cybersecurity community, research must continue into the supply chain that allowed the threat to develop in the first place," Human Security said in its report, and added that other threat actors are poised to fill the vacuum.

Badbox Operation Targets Android Devices in Fraud Schemes

DDoS for hire and live attacks hit both sides as cyber campaigns continue.

Hacktivists are trading cyberattacks on both sides of the Israel-Hamas conflict.

According to detections by ReliaQuest, several pro-Russian hacktivist groups have identified Israeli targets, and Anonymous Sudan's official Telegram channel is discussing how to undermine Israel's Iron Dome defense, a mobile air defense system that intercepts and destroys short-range rockets and artillery shells.

Anonymous Sudan also named the Israeli government in online discussions as a main target and said it had obtained unspecified "zero-day vulnerabilities from Romania" to use in anti-Israel attacks.

The AnonGhost hacktivist group said it had managed to breach the "Red Alert" app to send messages like "The Nuclear Bomb is coming" and "Death to Israel."

Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, says the discussion on Telegram channels should be taken seriously even though their users' intentions and activities are often not verified, or reflect the true nature of a group.

**DDoS for Hire**

The Krypton network has also offered to sell its distributed denial-of-service (DDoS) capabilities to hacktivists wishing to target Israeli organizations. Morgan says Krypton is a known DDoS-for-hire botnet that allegedly includes several features to bypass DDoS mitigation services.

"It is realistically possible that the group saw an opportunity amidst the rush to target Israel, viewing it as a chance to make additional sales," Morgan says.

However, the attacks are not all one way, as ThreatSec reportedly compromised the Palestinian Internet services provider AlfaNet, with "literally every server owned by Alfanet" shut down. The group claimed its original goal was just to get a hold of some infrastructure, but it gained full control of more than 5,000 servers in the Gaza region. Statistics show a decline in Internet connectivity in Gaza over the past few days.

Since the attacks by Hamas began, cybercrime groups have shifted their activities toward the Middle East. More than a dozen threat groups declared their intention to launch disruptive attacks against Israel, Palestine, and their supporters. The Jerusalem Post was taken down by a cyberattack this week.

Morgan says Israel is regularly targeted by cyber threats — such as when the Russia-aligned Ragnar Locker group hit the Mayanei Hayeshua Medical Center in Bnei Brak this summer — often by Iranian APTs. Additionally, hacktivist groups frequently target Israel in response to the ongoing conflict with Hamas.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Hackers for Hire Hit Both Sides in Israel-Hamas Conflict

Keyloggers have been used for espionage since the days of the typewriter, but today's threats are easier to get and use than ever.

Keyloggers, the often-unseen sentinels of the digital space, silently and meticulously document a user's every tap and keystroke with the objective of harvesting valuable information. While many consider them tools of the cyber elite, it's startling how readily available and easy to use they are today.

Let's explore their lineage, the different kinds that exist, their multiple (good and bad) purposes, and the pressing need for protective measures.

**Historical Keyloggers**

The concept of spying on communication isn't new. But the 1970s, characterized by the ideological tussle between the East and West, offered a unique twist. Soviet engineers developed the Selectric bug to spy on electric typewriters. This ingenious device both underscored the era's espionage intensity and foreshadowed future digital surveillance.

Fast forward to the 1990s, as the tech revolution was reshaping the world. Computers transitioned from huge rooms to desktops. With this, the keylogger evolved too, from tangible devices to sophisticated software programs. In a twist of irony and to acknowledge digital espionage threats, in 2013 the Russian embassies dusted off their old typewriters.

Today's world paints a complex canvas. While keyloggers have become tools to help agencies like the FBI capture criminals, they've also become the weapon of choice for digital pirates and hackers globally.

**Types of Keyloggers**

There are a host of hardware and software devices that can spy on computer keyboard input today.

*   **USB keyloggers:** It's a stark testimony that anyone can purchase a keylogger as easily as they can buy a book. Retailers such as Amazon list these devices camouflaged as innocuous USB drives. While they might seem harmless, they're digital Trojan horses. For example, in 2017 a university student was expelled for using such a hardware keylogger to change academic scores.
*   **Acoustic keyloggers:** Sound, an elemental form of communication, has been weaponized by acoustic keyloggers. Every key on a computer keyboard has a unique sound. By recording and analyzing these sounds, these keyloggers can recreate entire documents. Research labs at University of California, Berkeley, have demonstrated how over 96% of a document's content can be reconstructed from keystroke sounds.
*   **Electromagnetic keyloggers:** Advancing from sound to the electromagnetic spectrum, keyloggers can eavesdrop on keyboards' faint electromagnetic discharges. Finely calibrated receivers can intercept and decode these emissions, even through physical barriers.
*   **Smartphone-based keyloggers:** In this mobile-first era, the array of sensors on mobile phones offer a fertile ground for innovative keylogging methods. By manipulating sensors designed for motion detection, software can decipher typing habits. Reports have unveiled accuracy levels approaching 97% from using smartphone data alone.
*   **Software-based keyloggers:** The 1980s saw the rise of software-based keyloggers. Some were crafted with malicious objectives, while others, such as those embedded in Windows 10, aimed to amplify the user experience through enhanced predictive text abilities. However, the rise of artificial intelligence and voice-activated devices like Amazon's Alexa becoming household staples creates new concerns. Their "always listening" feature has become a contentious topic.

**Ethical Keyloggers**

While the term "keylogger" often conjures negative imagery, many are used for valid, ethical purposes. Examples include enhancing software user experiences, helping parents monitor their children's digital footprints, aiding IT professionals in diagnosing tech issues, and safeguarding communal tech platforms from inappropriate use.

YouTube's vast informational landscape caters to curious minds, offering guidance on myriad subjects, including creating software. These include keylogger tutorials touted for educational enrichment. While they empower and educate genuine learners, they simultaneously risk aiding malicious intent. This duality underscores the need for discerning content consumption and ethical application of knowledge.

**Counteracting the Keylogger Threat**

Knowledge and proactive defense are the watchwords for decreasing your risk of being a keylogger victim. Regularly updating software, using robust two-factor authentication, leveraging virtual keyboards, employing state-of-the-art anti-keylogger tools, and physical examinations can help ward off these digital spies.

From their humble beginnings as tools of geopolitical subterfuge to their current omnipresence in the digital era, keyloggers have charted a dramatic trajectory. As we hurtle into an increasingly digital future, the history of keyloggers serves as a stark reminder of the delicate balance between technology's boons and banes.

How Keyloggers Have Evolved From the Cold War to Today

An update for kernel is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2020-36558: A NULL pointer dereference flaw was found in the Linux kernel’s Virtual Terminal subsystem was found in how a user calls the VT_RESIZEX ioctl. This flaw allows a local user to crash the system.
* CVE-2022-2503: A flaw was found in the Linux kernel. Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module and firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification until reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates.
* CVE-2022-2873: An out-of-bounds memory access flaw was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system.
* CVE-2022-36879: A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). An error while resolving policies in xfrm_bundle_lookup causes the refcount to drop twice, leading to a possible crash and a denial of service.
* CVE-2023-0590: A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 ("net: sched: fix race condition in qdisc_graft()") not applied yet, then kernel could be affected.
* CVE-2023-1095: A NULL pointer dereference flaw was found in the Linux kernel’s netfilter subsystem. The issue could occur due to an error in nf_tables_updtable while freeing a transaction object not placed on the list head. This flaw allows a local, unprivileged user to crash the system, resulting in a denial of service.
* CVE-2023-1206: A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.
* CVE-2023-2235: The Linux kernel's Performance Events subsystem has a use-after-free flaw that occurs when a user triggers the perf_group_detach and remove_on_exec functions simultaneously. This flaw allows a local user to crash or potentially escalate their privileges on the system.
* CVE-2023-3090: A flaw was found in the IPVLAN network driver in the Linux kernel. This issue is caused by missing skb->cb initialization in `__ip_options_echo` and can lead to an out-of-bounds write stack overflow. This may allow a local user to cause a denial of service or potentially achieve local privilege escalation.
* CVE-2023-4004: A use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system.
* CVE-2023-4128: A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue.
* CVE-2023-35001: An out-of-bounds (OOB) memory access flaw was found in the Netfilter module in the Linux kernel's nft_byteorder_eval in net/netfilter/nft_byteorder.c. A bound check failure allows a local attacker with CAP_NET_ADMIN access to cause a local privilege escalation issue due to incorrect data alignment.


Tag

#intel