Categories: Ransomware
Categories: Threat Intelligence
In the last 12 months France was one of the most attacked countries in the world, and a favourite target of LockBit, the world's most dangerous ransomware.



(Read more...)




The post Ransomware in France, April 2022–March 2023 appeared first on Malwarebytes Labs.

_This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their dark web sites. In this report, "known attacks" are attacks where the victim opted not to pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.  
_

Between April 2022 and March 2023, France was one of the most attacked countries by ransomware gangs. During that period:

*   France was the fifth most attacked country in the world.
*   The government sector was attacked more often than in similar countries.
*   LockBit dominated the last twelve months, being used in 57% of known attacks.
*   There were almost twice as many LockBit attacks in France than either the UK or Germany.

In July 2022, La Poste Mobile, a mobile carrier owned by French postal company La Poste, suffered a LockBit ransomware attack, severely impacting its administrative and management services. After successfully reducing the ransom demand from $1.4 million to $300,000 in a five day negotiation, La Poste Mobile's negotiator announced on July 11, "Management doesn’t want to pay anymore ... it has reconsidered its decision." LockBit published the data it had stolen on its leak site, describing it as "the private information of more than a million and a half people in France."

The La Poste Mobile page on the LockBit leak site

In August 2022, attackers demanded $10 million after a ruthless assault on the Center Hospitalier Sud Francilien (CHSF), a 1000-bed hospital near Paris. The disruption to CHSF's computer systems resulted in patients having to be sent elsewhere, and surgeries having to be postponed.

A few months later, in mid-November, French defense and technology group Thales confirmed a data breach affecting contracts and partnerships in Malaysia and Italy. As with so many attacks in France in the last twelve months, the perpetrators used LockBit ransomware.

**France is a prime target**

In the 12 months from April 2022 to March 2023, France was a globally significant target for ransomware, and the fifth most attacked country by known attacks.

Known attacks in the ten most attacked countries, April 2022 - March 2023

Given the disparity between the USA and the rest of the world in terms of number of attacks it would be easy to conclude that ransomware is, first-and-foremost, a USA problem. It is not. The size and nature of the US economy means that it has many more targets for ransomware gangs than the other countries in the top ten.

We can account for the difference in the size of countries' economies by dividing the number of known ransomware attacks by a country's nominal GDP, which gives us an approximate rate of attacks per $1T of economic output. On that basis, the difference between France and the USA is far smaller than the total number of known attacks would suggest. And while France and Germany suffered nearly identical numbers of known attacks, France appears to suffer a much higher rate of attacks per unit of economic activity than its neighbour.

The ten most attacked countries between April 2022 - March 2023, ordered by attacks per $1T GDP

The size of the countries in the top ten also vary enormously, and we can try to account for that by dividing known attacks by the size of each country's population. On that measure, again, the differences between countries are far smaller than a simple count of known attacks suggests.

In all the variations of our top ten, English-speaking countries occupy at least three of the top five positions, which suggests that ransomware gangs have a slightly bias for English-speaking targets. France sits just below the Anglosphere in a cluster of four advanced European economies suffering nearly identical rates of attacks per capita.

The ten most attacked countries between April 2022 - March 2023, ordered by attacks per capita

By any measure, France is one of the most attacked countries in the world, and its organisations are prime targets for ransomware gangs. Unusually, government targets accounted for a significant proportion of those organisations in the last twelve months. It was the country's third most attacked sector, accounting for 9% of known attacks. By comparison, over the same twelve month period, 4% of known attacks in the USA and 3% of known attacks in Germany affected their government sectors, while just 20 miles across the English channel, the UK experienced none at all.

Known ransomware attacks by industry sector in France, April 2022 - March 2023

As is often the case, the reasons for this are not obvious. It is possible that this simply reflects the larger footprint of government in France—government spending accounts for a larger proportion of the economy in France than in either the UK or Germany. However, the difference is only a few percentage points.

Ransomware gangs often operate from the safe havens of Russia and the Commonwealth of Independent states, which can make it tempting to ascribe nationalistic or geopolitical motivations to their activity. However, the truth is they are businesses that choose targets that are easy to infiltrate and likely to pay substantial ransoms.

Unfortunately, the most likely explanation for the high proportion of government sector targets among the known attacks in France is that government institutions were easier targets in France than elsewhere.

**LockBit's hunting ground**

The most dangerous ransomware in the world right now, is LockBit, and LockBit loves France.

In 2022, LockBit was used in 31% of known attacks globally, 3.5 times more than its nearest competitor, ALPHV. (You can read much more about why LockBit is the number one threat to your business in our 2023 State of Malware report.) As you'd expect, given its global preeminence, LockBit was also the most widely used ransomware in France, Germany, and the UK in the last twelve months.

However, LockBit dominates in France in a way that it doesn't in its European neighbours. Between April 2022 and March 2023, LockBit accounted for an absolutely enormous 57% of known attacks in France. Over the same period, it accounted for 20% of known attacks in the UK and about 30% in Germany.

LockBit recorded 62 known attacks in France in the last twelve months, but no other gang registered more than seven. In the same period LockBIt was responsible for 33 known attacks in the UK while six other gangs also got into double digits.

Ransomware with two or more known attacks in France, April 2022 - March 2023

LockBit's outsized contribution to France's misery is most clearly seen by highlighting its contribution on a month-by-month basis. The number of monthly attacks in France has been highly volatile, showing far larger variation than the UK, despite its proximity and the similarity of their economies and populations. That volatility is almost entirely down to how many or how few LockBit attacks occurred each month. In the last twelve months only one other gang has registered three known attacks in a single month (Royal in March 2023), while LockBit has matched or exceeded that figure eight times, and exceeded ten attacks in a month twice.

Monthly ransomware attacks in France with LockBit highlighted, April 2022 - March 2023

The reasons for this aren't clear, but it may simply be that as the 800lb gorilla in the ransomware ecosystem, LockBit is best placed to exploit opportunities outside of the Anglosphere. Like a lot of ransomware, LockBit is sold as a service and attacks are carried out by independent criminal gangs, referred to as "affiliates", which pay the LockBit gang 20% of the ransoms they extract. The French economy is large enough to provide a fertile hunting ground for cybercriminals. It is possible that some of LockBit's 100 or so affiliates have decided to specialise there.

**Conclusions**

In the last 12 months, France was a globally significant hunting ground for ransomware gangs, and the country with the fifth highest total of known attacks. Within France, the government sector was over represented, suffering a higher proportion of known attacks than the government sector in the USA, Germany, and the UK. Much like the education sector in the UK, the French government sector should be alarmed that with an entire world of targets to choose from, it has attracted a disproportionate amount of attention.

France attracted enormous attention from gangs using LockBit, the most dangerous ransomware in the world. There were almost twice as many known LockBit attacks in France than in either Germany or the UK. In all, LockBit was used in 57% of known attacks in France, while the next most used ransomware, Vice Society, accounted for just 6%.

France does not so much have a ransomware problem as a LockBit problem.

**How to avoid ransomware**

*   **Block common forms of entry**. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
*   **Detect intrusions**. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption**. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups**. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Ransomware in France, April 2022–March 2023

An emerging Python-based credential harvester and a hacking tool named Legion are being marketed via Telegram as a way for threat actors to break into various online services for further exploitation.
Legion, according to Cado Labs, includes modules to enumerate vulnerable SMTP servers, conduct remote code execution (RCE) attacks, exploit unpatched versions of Apache, and brute-force cPanel and

An emerging Python-based credential harvester and a hacking tool named **Legion** is being marketed via Telegram as a way for threat actors to break into various online services for further exploitation.

Legion, according to Cado Labs, includes modules to enumerate vulnerable SMTP servers, conduct remote code execution (RCE) attacks, exploit unpatched versions of Apache, and brute-force cPanel and WebHost Manager (WHM) accounts.

The malware is suspected to be linked to another malware family called AndroxGh0st that was first documented by cloud security services providerLacework in December 2022.

Cybersecurity firm SentinelOne, in an analysis published late last month, revealed that AndroxGh0st is part of a comprehensive toolset called AlienFox that's offered to threat actors to steal API keys and secrets from cloud services.

"Legion appears to be part of an emerging generation of cloud-focused credential harvester/spam utilities," security researcher Matt Muir told The Hacker News. "Developers of these tools often steal each other's code, making attribution to a particular group difficult."

Besides using Telegram as a data exfiltration point, Legion is designed to exploit web servers running content management systems (CMS), PHP, or PHP-based frameworks like Laravel.

"It can retrieve credentials for a wide range of web services, such as email providers, cloud service providers, server management systems, databases, and payment platforms like Stripe and PayPal," Cado Labs said.

Some of the other targeted services include SendGrid, Twilio, Nexmo, AWS, Mailgun, Plivo, ClickSend, Mandrill, Mailjet, MessageBird, Vonage, Exotel, OneSignal, Clickatell, and TokBox.

The primary goal of the malware is to enable threat actors to hijack the services and weaponize the infrastructure for follow-on attacks, including mounting opportunistic phishing campaigns.

The primary goal of the malware is to enable threat actors to hijack the services and weaponize the infrastructure for follow-on attacks, including mounting mass spam and opportunistic phishing campaigns.

The cybersecurity firm said it also discovered a YouTube channel containing tutorial videos on how to use Legion, suggesting that the "tool is widely distributed and is likely paid malware." The YouTube channel, which was created on June 15, 2021, remains active as of writing.

Furthermore, Legion retrieves AWS credentials from insecure or misconfigured web servers and deliver SMS spam messages to users of U.S. mobile networks such as AT&T, Sprint, T-Mobile, Verizon, and Virgin.

UPCOMING WEBINAR

Master the Art of Dark Web Intelligence Gathering

Learn the art of extracting threat intelligence from the dark web – Join this expert-led webinar!

Save My Seat!

"To do this, the malware retrieves the area code for a U.S. state of the user's choosing from the website www.randomphonenumbers.com," security researcher Matt Muir said. "A rudimentary number generator function is then used to build up a list of phone numbers to target."

Furthermore, Legion can retrieve AWS credentials from insecure or misconfigured web servers and deliver SMS spam messages to users of U.S. mobile networks such as AT&T, Sprint, T-Mobile, Verizon, and Virgin by leveraging the stolen SMTP credentials.

"To do this, the malware retrieves the area code for a U.S. state of the user's choosing from the website www.randomphonenumbers\[.\]com," Muir said. "A rudimentary number generator function is then used to build up a list of phone numbers to target."

Another notable aspect of Legion is its ability to exploit well-known PHP vulnerabilities to register a web shell for persistent remote access or execute malicious code.

The origins of the threat actor behind the tool, who goes by the alias "forzatools" on Telegram, remain unknown, although the presence of Indonesian-language comments in the source code indicates that the developer may be Indonesian or based in the country.

"Since this malware relies heavily on misconfigurations in web server technologies and frameworks such as Laravel, it's recommended that users of these technologies review their existing security processes and ensure that secrets are appropriately stored," Muir said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Python-Based "Legion" Hacking Tool Emerges on Telegram

Tools like ChatGPT aren't making social engineering attacks any more effective, but it does make it faster for actors to write up phishing emails.

Thursday, April 13, 2023 00:04

*   Phishing attacks are increasingly more targeted and customized than in the past.
*   The proliferation of additional communications channels such as mobile devices and social media provides attackers with new avenues to phish users.
*   The technology behind phishing attacks evolves as necessary for cybercriminals to bypass content filters and successfully transmit and display the phishing content to the victims.
*   Artificial Intelligence (AI) apps provide attackers with the means to generate highly customized content that makes phishing lures even more convincing.

Cybercriminals often find it easier to trick users into compromising their own security rather than utilizing exploits or highly technical attacks to break into networks. Deceiving users to convince them into divulging sensitive information or take inappropriate actions is known as “social engineering” and this tactic can be extremely effective, regardless of whatever technological defenses have been deployed. As a result, social engineering has become a mainstay in cybercriminals’ arsenals.

Social engineering can take many forms. However, by far the most popular type of contemporary social engineering is phishing. Phishing is the practice of sending victims fraudulent communications that appear to come from a reputable source. It is most often performed through email though other communications platforms such as phone calls and text messages on mobile devices, social media, or chat rooms can also play host to phishing attacks.

The goal of a phishing attack is to steal sensitive data like credit card and/or login information or to install malware on the victim's machine. Phishing has evolved considerably over the past dozen-or-so years. We now have many different subtypes of phishing, including spear phishing (targeting specific users in phishing attacks), whaling (phishing specific high-profile users who have considerable resources or access privileges), smishing (phishing users via SMS messages), quishing (phishing using QR codes) and vishing (telephone-based phishing).

**Phishing attacks have become more targeted**

The earliest phishing attacks, such as those conducted via instant messaging applications like AOHell, intentionally cast a broad net, aiming to snare as many victims as possible. However, phishing in this way has become less effective over time. In order for a phishing attack to succeed, an attacker must first deliver their phishing messages to the victims, and sending a large volume of similar-looking phishing messages to a large number of recipients attracts a considerable amount of attention from security devices and personnel.

On the other hand, only sending a handful of phishing emails is orders of magnitude more difficult for network defenders to prevent. This is the idea behind spear phishing: Attackers narrow the phishing target pool down to a smaller desired group of victims who can be sent a more customized phishing attack. The smaller volume of email increases the odds the message will be successfully delivered to the users and will not be filtered out or flagged by network security devices, and customization raises the likelihood the recipient will view the email as legitimate.

**More locations for phishing**

The proliferation of mobile devices and social media applications has provided phishers with multiple vehicles besides email in which to conduct their attacks. Phishers have been known to use applications such as LinkedIn, Instagram, Facebook, Telegram, Discord, Twitter and other social media apps to transmit phishing messages to victims. We also now regularly receive phishing messages transmitted over SMS and even using QR codes.  

A phishing link to “metamask.lc” is tweeted in reply to a tweet from the real @MetaMask Twitter account.‌ ‌

An example of an SMS phish using a link shortener to hide the true destination URL.

Not all phishing happens online. Some phishers now take a hybrid approach where phishing emails are transmitted, but rather than containing a link to a phishing website or malware, the email contains a phone number that the victim is meant to call where the victim can then be further socially engineered over the telephone.

**Evasion tactics help bypass security devices and fool users**

Security devices are constantly monitoring the network for signs of phishing content and then marking the content as fraudulent or even discarding phishing messages altogether. Today, a successful cybercriminal must find ways around the anti-phishing security technology in place. There are several ways today’s cybercriminals attempt this:

*   Placing text information or links inside images.
*   Using large attachments that cannot be scanned due to their size.
*   HTML smuggling.
*   Using various attachment file types (.doc, .one, .lnk, password-protected .zip).
*   Hiding phishing links behind link-shortening services.
*   Varying the phishing message content by including hidden garbage text pulled from books.
*   Using links to lookalike domain names, known as typosquatting, or domain names that have specially crafted subdomains, ex. www.office.com.login.evilbadguy.com.
*   Transmitting messages from compromised legitimate accounts.
*   Using the browser-in-the-browser technique.

**More convincing phishing lures**

Contemporary phishing lures tend to fall into two basic categories. Many phishing messages attempt to replicate transactional messages, for example, an invoice or receipt for a purchase. Other phishing messages tend to target victims who are eager for news about specific topics, such as current events, natural disasters or the latest celebrity gossip.

With readily accessible open-source information and publicly available breach data, there can be a substantial trove of sensitive information concerning individuals/groups that is freely available online to attackers who are motivated enough to search. This information can be used to customize phishing emails and make phishing content even more relevant to the victims.

To aid in customizing phishing content, attackers are increasingly turning to AI apps such as ChatGPT that can be used to generate phishing content that sounds quite convincing. Fortunately, the designers of ChatGPT have built some guardrails so that attackers cannot simply ask ChatGPT to generate a phishing lure.

However, by phrasing the question a little differently, ChatGPT will help generate convincing content for use in phishing attacks.

Over the past few years, we have seen how some attackers, such as those behind Emotet, have leveraged existing email threads to compel targets to open attachments or click links. Using AI applications similar to ChatGPT, those malicious emails could be customized based on the context of those prior threads.

Voice cloning is another piece of AI technology that is expected to play a role in future phishing attacks. Deepfake technology has already progressed to the point that users can be fooled by a familiar voice over the telephone and once deepfake tools become more widely available, we expect attackers to deploy this as an additional mechanism to phish users.

**Protecting users from today’s phishing attacks**

Of course, as phishing content becomes easier to generate and customize to a specific victim, it becomes increasingly harder to defend. Educating users about how to recognize a phishing attack can be helpful. Additionally, deploying multi-factor authentication such as Cisco Duo is a solid defense that can thwart phishing attacks. Understanding regular network traffic patterns using products like Cisco Secure Network Analytics can help your network security personnel recognize unusual activity that could be related to a successful phishing attack. It is also a good idea to have your email delivered through a secure gateway such as Cisco Secure Email that can scan the email contents for phishing, malware and other email-based attacks. DNS security products such as Cisco Umbrella can help prevent users from navigating to or downloading content from phishing domains.

How threat actors are using AI and other modern tools to enhance their phishing attempts

<drupal-media data-align="center" data-entity-type="media" data-entity-uuid="86dcee13-494e-41e0-a1ed-419306586e5d"></drupal-media>

<h3>What are Confidential Containers?</h3>

<p><strong><a href="https://github.com/confidential-containers">Confidential Containers</a></strong> (CoCo) is a new sandbox project of the <a href="https://www.cncf.io/">Cloud Native Comput

**What are Confidential Containers?**

**Confidential Containers** (CoCo) is a new sandbox project of the Cloud Native Computing Foundation (CNCF) that enables cloud-native confidential computing by taking advantage of a variety of hardware platforms and technologies. The project brings together software and hardware companies including Alibaba-cloud, AMD, ARM, IBM, Intel, Microsoft, Red Hat, Rivos and others.

The CoCo project builds on existing and emerging hardware security technologies such as Intel SGX, Intel TDX, AMD SEV and IBM Z Secure Execution, in combination with new software frameworks **to help better secure user data in use**. This will establish a new level of confidentiality, which does not rely on trust in the cloud providers and their employees, but on hardware-level cryptography. CoCo will support multiple environments including public clouds, on-premise and edge computing.

The goal of the CoCo project is to **standardize** confidential computing at the container level and **simplify** its consumption in Kubernetes. This is in order to enable Kubernetes users to deploy confidential container workloads using familiar workflows and tools without extensive knowledge of underlying confidential computing technologies.

Latest posts

**What is the Confidential Containers project?****October 7, 2022 - Pradipta Banerjee, Christophe de Dinechin, Ariel Adam, Jochen Schroder, Martin Tessun**

Confidential Containers (CoCo) is a new sandbox project of the Cloud Native Computing Foundation (CNCF) that enables cloud-native confidential computing by taking advantage of a variety of hardware platforms and technologies…read more

**Understanding the Confidential Containers Attestation Flow****December 2, 2022 - Pradipta Banerjee, Samuel Ortiz**

This article describes the hardware-based attestation flows and processes that the Confidential Containers project is built upon. With hardware-based attestation, a confidential computing processor generates cryptographic evidence for a workload-running environment. Provided that the workload owner trusts that piece of hardware, they can then remotely verify that evidence and decide if the workload’s execution environment is trustworthy or not…read more

**How to use Confidential Containers without confidential hardware****March 6, 2023 - Wainer dos Santos Moschetta, Steve Horsman**

The CoCo community recognizes that not every developer has access to TEE-capable machines and we don't want this to be a blocker for contributions. So version 0.1.0 and later come with a custom runtime that lets developers play with CoCo on either a simple virtual or bare-metal machine. In this tutorial you will learn: How to install CoCo and create a simple confidential pod on Kubernetes, and the main features that keep your pod confidential…read more

Learn about Confidential Containers

**LEXINGTON, Mass.--(****BUSINESS WIRE****)--**VulnCheck, the vulnerability intelligence company, today announced it has been authorized by the CVE Program as a CVE Numbering Authority (CNA). The company also announced the launch of VulnCheck Advisories, a program designed to simplify how security researchers share vulnerabilities with vendors.

The CVE Program is sponsored by the U.S. Department of Homeland Security and Cybersecurity and Infrastructure Security Agency with a mission to identify, define and catalog publicly disclosed cybersecurity vulnerabilities. As a CNA, VulnCheck joins an elite group of over 280 partners in 36 countries authorized to assign CVE identification numbers to vulnerabilities and publish additional details in the associated CVE record.

"Our company offers the most comprehensive, real-time vulnerability, threat and exploit intelligence available on the market today,” said Anthony Bettini, CEO and Founder of VulnCheck. "Our products often uncover publicly disclosed vulnerabilities and exploits that have no CVE. To better serve the community, VulnCheck has taken on the task of coordinating CVE assignments for these issues. Now as a full partner in the CVE Program, we can expedite the rate at which we can address these problems. This is just the latest step we’ve taken to use our data to help security teams fight back against the growing tide of vulnerabilities they face each day.”

In conjunction with the authorization, the company also launched VulnCheck Advisories, a program designed to remove friction between researchers who identify and report vulnerabilities and the organizations that acknowledge and fix the flaws. The program enables researchers to share newly discovered vulnerabilities directly with VulnCheck. The intelligence company then takes over the submission process to the vendor and guarantees the vulnerability is published within 120 days, whether fixed or not.

“A lot of the time, researchers are at a disadvantage,” said Bettini. “Programs that buy vulnerabilities can be cumbersome and rife with restrictions. And if researchers choose to work directly with a vendor, they can often spend months just trying to get the company to acknowledge their report. With our program, researchers can submit their findings to VulnCheck and let the process run its course without all the hassle.”

The news comes just months after the company raised a $3.2 million seed round to increase hiring, bolster product development and help large enterprises, government agencies and cybersecurity solutions providers outpace adversaries by solving the vulnerability prioritization challenge.

To learn more about VulnCheck and the Advisories program, visit https://vulncheck.com/advisories.

**About VulnCheck**

VulnCheck is the vulnerability intelligence company helping enterprises, government organizations, and cybersecurity vendors solve the vulnerability prioritization challenge. Trusted by some of the world's largest organizations responsible for protecting hundreds of millions of systems and people, VulnCheck helps organizations outpace adversaries by providing the most comprehensive, real-time vulnerability intelligence that is autonomously correlated with unique, proprietary exploit and threat intelligence. Follow the company on LinkedIn. To learn more about VulnCheck, visit https://vulncheck.com/.

VulnCheck Named CVE Numbering Authority for Common Vulnerabilities and Exposures

The bizarre release of sensitive US government materials soon after their creation signals a potential shift to near-real-time unauthorized disclosures.

the United States government has been scrambling this week, thanks to a leak of sensitive Pentagon documents that include an array of recent intelligence updates and Joint Chiefs of Staff briefings. Notably, the documents seem to be very recent, dating from as early as January to early March. The trove was first posted to Discord a few weeks ago, before some of the documents got pickup more recently on Russian Telegram channels and then Twitter.

Initial reporting about the situation—including by _The New York Times_, which broke the story—has focused on roughly 100 documents, but some reports indicate that even more secret documents may have been shared on Discord over the past few months. The documents are photographs of printed-out presentation slides. Some of the papers had been folded and unfolded before being photographed, and some of the photos capture slivers of other objects that were on the desk with the papers.

Researchers say the leak ranks high among other prominent recent revelations about clandestine US government activity—a list that includes information from Edward Snowden about the NSA's bulk surveillance activity, details of the CIA's hacking capabilities in the Vault7 revelations published by WikiLeaks, and NSA hacking tools revealed in the Shadow Brokers leak. But this latest leak has some specific characteristics reflective of the current moment: It is relatively small and contains fresh information rather than a large trove of months- or years-old data. And while it is not yet clear who leaked the documents or what their motivation was, initial indications from Discord activity suggest that the leaker may have been trying to show off to their gaming friends, and might even be a teenager or young adult.

“I am intrigued by the idea of a small, pinpoint leak phenomenon,” says Dan Meyer, a partner at the law firm Tully Rinckey who works on federal employment and national security matters. Meyer was formerly a federal investigator and whistle-blowing expert within the US government. The use of “strategic leaks” has been a tactic of top officials “for a very long time,” Meyer says. “But now the technology issue is very real with phones and the ability to move these documents in ways the government didn’t anticipate.”

The latest leaked documents reveal details about the war in Ukraine, including information about the Ukrainian army's air defenses and plans for a future counteroffensive against Russia. Notably, the trove also reveals details about Russia's war effort and exposes the degree to which the United States intelligence community has penetrated Russia's military and intelligence services. 

As with any leak of state secrets, the most impactful revelations long-term generally relate to methods and access rather than specific information. That means Russian intelligence, for example, will likely make changes to its operations in response to the relvations to evade American operators. The leak also includes indications that the US has been spying on allies like South Korean and Israeli officials, a move that is not necessarily surprising but diplomatically embarrassing.

“We're still investigating how this happened, as well as the scope of the issue,” Chris Meagher, the US assistant to the secretary of defense for public affairs, told reporters on Tuesday. “There have been steps to take a closer look at how this type of information is distributed and to whom. We are also still trying to assess what might be out there.”

Analysts emphasize that the scale of the leak may be much larger than what has emerged publicly so far, and that the situation reflects concerning lapses in the Pentagon's systems for handling secrets.

“It seems like the Department of Defense thought they had sufficient controls in place to detect would-be leakers after incidents like Snowden,” says Jake Williams, a former NSA hacker and an analyst with IANS Research, a cybersecurity consultancy firm. “But obviously, whoever is doing this got around that or learned from past techniques and mistakes.”

As real-time accounts of everything from wars to natural disasters play out on social media and other digital communication platforms, it makes sense that leaking has increasingly become targeted and agile as well. So-called “hack and leak” operations have demonstrated this in recent years, with, for example, state-backed attackers leaking excerpts of government officials' digital communications or strategy documents from political campaigns. Hactivists have also increasingly used precision leaks around the world. Ukrainian advocates have, for example, repeatedly doxed Russian military officials and intelligence agents. And they've leaked data stolen from Russian government agencies and private companies since the Kremlin's full-scale invasion of Ukraine in February 2022. 

For now, as the US government aggressively investigates the latest Pentagon leaker and their motives, Meyer says his advice for US federal employees, contractors, or anyone with a US security clearance is to mind their business.

“Just because you have the ‘need to know,’ that doesn't mean you have the need to go look at it,” he says. “That person should not access these documents anywhere on the web. This stuff has now been identified as classified, and even if it's well intentioned, if you view classified information in a non-SCIF environment, you've committed a technical infraction. It’s a mess, don’t do it.”

Leaked Pentagon Documents May Herald a New Era of Revelations

**OSLO****, Norway** **,** **April 12, 2023** **/PRNewswire/ --** Opera (NASDAQ: OPRA) – the company behind the award-winning family of web browsers – is announcing the extension of its free browser VPN service to Opera Browser for iOS. Already available to some users for early access, the full rollout will be completed within the coming weeks. With this addition, Opera became the first web browser to offer a free built-in VPN across all major platforms, including Mac, Windows, Linux, Android, and iOS.

Staying private online is becoming increasingly challenging. When users browse the internet, they can be subject to data collection from websites and online services, many of which are not always transparent about how they store and use this data. Meanwhile, unsecure networks, such as some public Wi-Fi are vulnerable to attacks from bad actors, which can compromise sensitive personal data like web banking information or credit card details. VPNs, as a result, are an increasingly essential feature of life online – they help protect one's identity and activity so that users can peruse the internet privately, their personal information safe from prying eyes.

With the addition of its VPN service to iOS, Opera becomes the first browser company to offer a built-in, free VPN on every platform. Opera's VPN service requires no subscription, no logging into an account, and no additional extensions – users simply need to toggle a switch in the main menu to browse in peace, since the Opera Browser makes sure VPN traffic is encrypted and IP address is private.

"Opera has always been known for its unique feature set. We are proud to bring our free built-in VPN to all major platforms and to be the first browser company to do so. Our commitment to providing users with a secure browsing experience has led us to develop this feature over the years. We are excited to bring this vital tool to iOS users to ensure their online safety and privacy," said Jørgen Arnesen, EVP Mobile at Opera.

A no-log service, the VPN does not collect any personal data or information related to users' browsing history or originating network address, ensuring anonymity. Fast and secure, users have instant access to virtual locations around the world.

The Opera Browser for iOS is an award-winning browser that is enjoyed by millions of users worldwide. Featuring an interface that has garnered multiple design awards, the browser affords an unparalleled user experience. Designed to be used on the go, Opera's Fast Action Button gives users the full range of navigation tools within a thumb's reach. Users can additionally keep photos, articles, recipes, travel ideas, and links with them at all times with My Flow, which allows for seamless and secure file sharing between phones, tablets, and computers. The browser even integrates a native Crypto Wallet, enabling users to keep track of their digital assets at all times.

Apart from its convenience, the Opera Browser for iOS also offers unparalleled speed and security. It features, for example, a built-in ad blocker – speeding up the loading process as well as shielding users from unwanted advertisements – plus the Apple Intelligent Tracking Prevention, which blocks third party tracking cookies and cookie dialogue. The browser also boasts Opera's Cryptojacking Protection, which safeguards users from having their device's resources hijacked for crypto mining. The free VPN service will now complete the package, affording users protection as they browse the internet.

Concurrent with the ongoing rollout of the free VPN service, Opera Browser for iOS is also receiving a pair of additional upgrades. A Bookmarks feature will allow users to better organize their lives online, and coupled with Speed Dial ensure immediate access to what's most important. And for football fans, a new Live Scores feature lands on the browser's homepage. A scoreboard that displays the day's matches – whether they are upcoming, in progress, or the final whistle has already gone – Live Scores will help users stay on top of the action worldwide.

To start using the free VPN, users just need to download the Opera Browser for iOS and turn the VPN on in the app. The full rollout will be completed within the coming weeks, so VPN will become available for all users shortly. More information is available on the official website.

**About Opera for iOS**

Fast, safe and private, Opera Browser is a beautifully designed web browser with a Red Dot Award for its stunning user interface. Enjoyed by millions of fans across the world, it's built for people on the go and features a lightning fast web search for instant results. With built-in security features such as Apple Intelligent Tracking Prevention and Cryptojacking Protection – plus a native Crypto Wallet – Opera Browser offers users the optimal iOS experience. Opera Browser has a 4.7 star rating in the App Store and has been reviewed by more than 600,000 people worldwide.

**About Opera**

Opera is a web innovator building on more than 25 years of innovation that started with the Opera web browser. While Opera is leveraging its brand and engaged user base in order to grow and develop new products and services for people who seek a better internet experience, Opera's PC and mobile web browsers, content discovery platform Opera News, and apps dedicated to gaming, and Web3 are already the trusted choices of hundreds of millions of active and engaged users. Opera is headquartered in Oslo, Norway, and listed on the NASDAQ Stock Exchange under the OPRA ticker symbol. Download and access Opera's products and services from www.opera.com.

SOURCE Opera Limited

Opera Adds Free VPN to Opera for iOS

Hackers can compromise public charging hubs to steal data, install malware on phones, and more, threatening individuals and businesses alike.

US government agencies are warning that malware planted in public charging stations for phones and other electronics can sneak onto your device when you least expect it.

On April 6, the FBI Denver office published a morsel of advice. "Avoid using free charging stations in airports, hotels, or shopping centers," its tweet stated. "Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead."

The sentiment was echoed in an FCC notice about the phenomenon — known as "juice jacking." The commission added that, "in some cases, criminals may have intentionally left cables plugged in at charging stations." Also, "there have even been reports of infected cables being given away as promotional gifts."

Experts say that charging stations can carry risk, not just for individuals but also enterprises. Still, the risk is low and there are simple solutions for avoiding it altogether.

**How Hackers Can Poison Charging Stations**

"There are two different ways this happens," says Pete Nicoletti, field CISO at Check Point Software. "There are the people that actually own those stations. If they're looking for additional revenue, they might install malware on their charging stations."

This isn't the kind of scenario you'd run into at your local airport, though, he adds: "\[That's\] going to be the bad actors that compromise a legitimate station."

Ordinary outlets are immune, but USB ports in modern charging stations are different.

"There is some sort of computer or smart device behind these stations, connected to those USB charging outlets," explains Dmitry Bestuzhev, most distinguished threat researcher at BlackBerry. And because there's a computer involved, the opportunity exists for back-and-forth data transfer.

"Imagine using a phone for charging," Bestuzhev continues. "You use the same USB cable for synchronizing data on your phone with a computer, such as photos, videos, and other information. Technically, a threat actor could poison the data transmission between the malicious station and your device to steal information or install malicious code."

Were this to occur, the FCC says, hackers could "maliciously access electronic devices while they are being charged. Malware installed through a corrupted USB port can lock a device or export personal data and passwords directly to the perpetrator. Criminals can then use that information to access online accounts or sell it to other bad actors."

And any risk to travelers can have a knock-on effect for their employers.

"Most people use their phones for a mix of work and personal time," Allan Liska, threat intelligence analyst at Recorded Future, points out. For a work-from-home employee accessing corporate data from a coffee shop or airport lounge, "a successful attack not only means a phone owner's personal data is compromised, it also means that any work data stored on that phone would be accessible by the attackers." In theory, hackers could also plant malware on a BYOD phone or laptop, or hijack an employee's access to enterprise networks for further attacks.

Whether any of this is likely is another matter. "One of the challenges with the FBI tweet is that they don't provide any real-world examples," Liska says. "So while the kind of attack the FBI laid out is certainly possible, the risk is relatively low."

**Simple Solutions for Charging Safely**

For anyone concerned with charging devices in public, there is one simple solution: don't use dedicated charging stations. Ordinary electrical outlets — of the kind you'd use at home — provide a perfectly safe alternative.

Even when you're searching around the airport terminal and can't find any outlets, there are other options. "Your readers can't see it, but this is what people should be carrying," Nicoletti says over a Zoom call, while holding up his wireless phone charger. "These are 15 bucks!"

And "if a socket isn't available and you're charging a device through a USB cable, use a data blocker," Bestuzhev recommends. Data blockers — colloquially referred to as "data condoms" — are inexpensive and widespread online.

"They're essentially designed on a hardware level to block any data transmission to or from your device," he explains. "So even when you connect to a malicious charging station, if you're using a data blocker, you'll still get the electric charge for your device but data won't flow. That's because, on a hardware level, the data blocker is designed to block the circuit of those parts of the cable to transfer data. So, your data can't be transferred in any direction — just electricity."

Jacked charging stations may be rare, but because the alternatives are so cheap and simple, it's easy enough to avoid the hassle altogether. "These tools," Bestuzhev concludes, "should really be part of any 'frequent flier' or 'frequent traveler' kit."

FBI & FCC Warn on 'Juice Jacking' at Public Chargers, but What's the Risk?

By Waqas
Do you have the skills to take part in OpenAI's ChatGPT Bug Bounty Program? If so, here is your chance to earn big bucks.
This is a post from HackRead.com Read the original post: OpenAI Launches ChatGPT Bug Bounty Program – Earn $200 to $20k

**OpenAI has partnered with Bugcrowd, a renowned crowdsourced cybersecurity platform, to launch the highly anticipated ChatGPT Bug Bounty Program.**

OpenAI, the renowned artificial intelligence (AI) research organization, has introduced a “Bug Bounty Program” for its ChatGPT system, calling on the public to help identify and report any security vulnerabilities or other issues.

The initiative aims to leverage the collective expertise of researchers and technology enthusiasts to enhance the security and reliability of ChatGPT.

The launch of the ChatGPT bug bounty program should not be surprising, as cybercriminals have been eager to exploit the platform to conduct cyberattacks, including developing malware, ransomware, and phishing kits.

Under the program, anyone, including both professional researchers and general users, can participate in the ChatGPT bug bounty program and potentially earn cash rewards for their findings. The bounty rewards start at $200 for “low-severity findings” and can go up to an impressive $20,000 for “exceptional discoveries.”

To manage the program, OpenAI has partnered with Bugcrowd, a leading bug bounty platform that specializes in handling submissions and payouts. Here’s what OpenAI wants the good guys to delve into:

Screenshot: Bugcrowd

Notably, OpenAI is not the first tech giant to implement a bug bounty program. Currently, Sony, Google, Apple and several other firms have been offering big bucks as part of bug bounty programs.

**More Context**

1.  6 of the Best Crypto Bug Bounty Programs
2.  Sony Announces PlayStation Bug Bounty Program
3.  Hack the Pentagon 3.0 Bug Bounty Program Is Back
4.  Apple Bug bounty: Earn big backs for hacking iPhone
5.  Google Bug Bounty Program for Open-Source Software

ChatGPT has encountered its share of bugs in the past. In a recent incident, the entire system went offline after users reported seeing names of conversations they were not part of. Furthermore, the company acknowledged a security breach in which payment details of ChatGPT Plus subscribers were exposed to random users.

OpenAI’s ChatGPT bug bounty program does have some limitations. Not all issues reported will warrant cash rewards, and activities such as jailbreaking or attempting to make the model say or do anything negative will not be eligible for rewards. OpenAI acknowledges that while it works diligently to mitigate risks, it cannot predict all possible uses or misuse of its technology in the real world.

With the launch of the Bug Bounty Program, OpenAI aims to demonstrate its commitment to privacy and security while proactively addressing potential vulnerabilities in ChatGPT. As the AI landscape continues to evolve, this initiative may serve as a valuable step towards ensuring the robustness and reliability of AI systems in real-world applications.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

OpenAI Launches ChatGPT Bug Bounty Program – Earn $200 to $20k

Researchers at Microsoft have discovered links between a threat group tracked as DEV-0196 and an Israeli private-sector company, QuaDream, that sells a platform for exfiltrating data from mobile devices.

Microsoft has identified another Israel-based threat organization, similar to NSO Group, that is selling mobile spyware and other cyber espionage tools and services to international governments to monitor and spy on private individuals.

Microsoft Threat Intelligence researchers have discovered links between a threat group they've been tracking as DEV-0196, which offers iOS malware, and a private-sector company called QuaDream that sells a platform for exfiltrating data from mobile devices, researchers said in a blog post published April 11. Without explicitly stating so, the researchers suggested that DEV-0196 and QuaDream are actually one and the same.

"Microsoft Threat Intelligence analysts assess with high confidence that the malware, which we call KingsPawn, is developed by DEV-0196 and therefore strongly linked to QuaDream," the researchers wrote. "We assess with medium confidence that the mobile malware we associate with DEV-0196 is part of the \[company's 'Reign' offering\]."

The parallels between the activity of the separately linked entities is eerily similar to that of Israel-based NSO Group, which has been widely condemned, blacklisted, and even sued for its role in selling the iOS-based spyware known as Pegasus to hostile governments to target journalists, activists, politicians, businesspeople, and other private citizens with unethical cyber espionage activity. The spyware notably targets zero-day flaws with exploits, making it difficult to mitigate or detect its nefarious activity.

**Suspicious QuaDream Activity**

Similarly, QuaDream's REIGN is a suite of exploits, malware, and infrastructure designed to extract data from mobile devices for allegedly legal purposes, however, the company suspiciously doesn't have a website, and a 2022 Reuters report suggested that QuaDream used a zero-click iOS exploit that leveraged the same vulnerability seen in NSO Group's ForcedEntry exploit.

According to the Israeli Corporations Authority, QuaDream, under the Israeli name קוודרים בע”מ, was incorporated in August 2016. A report by news outlet Haaretz, citing a QuaDream brochure, claimed that the government of Saudi Arabia — known for targeting journalists and others who speak out against its policies — was among QuaDream's clients, as was the government of Ghana.

A separate December 2022 report from Meta, which reportedly took down 250 accounts associated with QuaDream, also shed light on the activity of the company. That report claimed that QuaDream was testing its ability to exploit iOS and Android mobile devices with the intent "to exfiltrate various types of data including messages, images, video and audio files, and geolocation," the researchers said.

Meanwhile, Microsoft Threat Intelligence believes that DEV-0196 is selling both exploitation services and its KingsPawn iOS malware to governments to spy on and track members of civil society — including journalists, political opposition figures, and a non-government organization (NGO) worker — in locations across Europe, North America, the Middle East, and Southeast Asia.

Microsoft worked with several partners on the investigation of the links between QuaDream and DEV-0196, including Citizen Lab of the University of Toronto's Munk School, which identified at least five targets of DEV-0196 across the aforementioned geographies. It also identified operator locations for QuaDream systems in Bulgaria, Czechia, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates, and Uzbekistan. Citizen Lab has released its own separate report about the findings.

The behavior of DEV-0196 is consistent with that of "private sector offensive actors (PSOAs)" or "cyber mercenaries," according to Microsoft Threat Intelligence, which sell hacking tools or services through a variety of business models — including access as a service — to the highest bidder. They don't directly target individuals or run cyber espionage operations themselves.

**KingsPawn: A Custom Spyware**

Microsoft and its partners analyzed samples of the multi-component KingsPawn, which specifically targets iOS 14. However, it's possible that some of the code also could be used on Android devices, the researchers said. It's also likely that the threat group has already updated the malware to target versions of iOS newer than 14, as the latest version of Apple's operating system software is already up to iOS 16, the researchers said.

KingsPawn is comprised of two agents — a monitor agent in the form of a native Mach-O file written in Objective-C, and the main malware agent, a native Mach-O file written in GoLang, a language favored by threat actors for its portability, among other features, the researchers said.

The monitor agent is responsible for reducing the forensic footprint of the malware to prevent detection and hinder investigations, as well as manage the various processes and threads spawned on behalf of the malware to avoid artifacts created from unexpected process crashes.

Within the main agent of KingsPawn is the real gravy of the spyware where all of the capabilities to track victims and steal data lies, the researchers said.

Capabilities of the main agent include: obtaining device, Wi-Fi, cellular info, searching for and retrieving files, using the camera in the background, locating where the device is, monitoring phone calls, accessing the iOS keychain for passwords, and generating an iCloud one-time password that's time sensitive to retrieve stored data.

"The agent also creates a secure channel for XPC messaging by creating a nested app extension called _fud.appex_," the researchers wrote. "XPC messaging allows the agent to query various system binaries for sensitive device information, such as location details."

**Detection & Protection From Mobile Spyware**

Microsoft has developed unique network detections that could be used to fingerprint DEV-019's infrastructure on the Internet based on the group's heavy use of domain registrars and inexpensive cloud hosting providers that accept cryptocurrency as payment, the researchers said.

"They tended to only use a single domain per IP address and domains were very rarely reused across multiple IP addresses," they wrote in the post. "Many of the observed domains were deployed using free Let's Encrypt SSL certificates, while others used self-signed certificates designed to blend in with normal Kubernetes deployments."

The blog post includes network-based indicators that the researchers gleaned from their investigation to help potential victims identify if they've been compromised, including domains strongly associated with some countries that Citizen Lab has identified as locations of victims, countries where QuaDream platforms were operating, or both.

While acknowledging that preventing exploitation of mobile devices by threat actors who are exploiting zero-click vulnerabilities is difficult, there are ways to minimize the risk of mobile devices being compromised, the researchers said.

Following basic cyber hygiene and best practices to keep device software updated through automatic updates, the use of anti-malware software, and maintaining vigilance not to click on malicious links or suspicious messages can also help potential victims avoid compromise.

Researchers also suggested that if someone using an iOS device believes they may be a target of spyware, they can enable Lockdown Mode to enact advanced iOS security, thus reducing the attack surface for threat actors.

Tag

#intel