Tools like ChatGPT aren't making social engineering attacks any more effective, but it does make it faster for actors to write up phishing emails.

Thursday, April 13, 2023 00:04

*   Phishing attacks are increasingly more targeted and customized than in the past.
*   The proliferation of additional communications channels such as mobile devices and social media provides attackers with new avenues to phish users.
*   The technology behind phishing attacks evolves as necessary for cybercriminals to bypass content filters and successfully transmit and display the phishing content to the victims.
*   Artificial Intelligence (AI) apps provide attackers with the means to generate highly customized content that makes phishing lures even more convincing.

Cybercriminals often find it easier to trick users into compromising their own security rather than utilizing exploits or highly technical attacks to break into networks. Deceiving users to convince them into divulging sensitive information or take inappropriate actions is known as “social engineering” and this tactic can be extremely effective, regardless of whatever technological defenses have been deployed. As a result, social engineering has become a mainstay in cybercriminals’ arsenals.

Social engineering can take many forms. However, by far the most popular type of contemporary social engineering is phishing. Phishing is the practice of sending victims fraudulent communications that appear to come from a reputable source. It is most often performed through email though other communications platforms such as phone calls and text messages on mobile devices, social media, or chat rooms can also play host to phishing attacks.

The goal of a phishing attack is to steal sensitive data like credit card and/or login information or to install malware on the victim's machine. Phishing has evolved considerably over the past dozen-or-so years. We now have many different subtypes of phishing, including spear phishing (targeting specific users in phishing attacks), whaling (phishing specific high-profile users who have considerable resources or access privileges), smishing (phishing users via SMS messages), quishing (phishing using QR codes) and vishing (telephone-based phishing).

**Phishing attacks have become more targeted**

The earliest phishing attacks, such as those conducted via instant messaging applications like AOHell, intentionally cast a broad net, aiming to snare as many victims as possible. However, phishing in this way has become less effective over time. In order for a phishing attack to succeed, an attacker must first deliver their phishing messages to the victims, and sending a large volume of similar-looking phishing messages to a large number of recipients attracts a considerable amount of attention from security devices and personnel.

On the other hand, only sending a handful of phishing emails is orders of magnitude more difficult for network defenders to prevent. This is the idea behind spear phishing: Attackers narrow the phishing target pool down to a smaller desired group of victims who can be sent a more customized phishing attack. The smaller volume of email increases the odds the message will be successfully delivered to the users and will not be filtered out or flagged by network security devices, and customization raises the likelihood the recipient will view the email as legitimate.

**More locations for phishing**

The proliferation of mobile devices and social media applications has provided phishers with multiple vehicles besides email in which to conduct their attacks. Phishers have been known to use applications such as LinkedIn, Instagram, Facebook, Telegram, Discord, Twitter and other social media apps to transmit phishing messages to victims. We also now regularly receive phishing messages transmitted over SMS and even using QR codes.  

A phishing link to “metamask.lc” is tweeted in reply to a tweet from the real @MetaMask Twitter account.‌ ‌

An example of an SMS phish using a link shortener to hide the true destination URL.

Not all phishing happens online. Some phishers now take a hybrid approach where phishing emails are transmitted, but rather than containing a link to a phishing website or malware, the email contains a phone number that the victim is meant to call where the victim can then be further socially engineered over the telephone.

**Evasion tactics help bypass security devices and fool users**

Security devices are constantly monitoring the network for signs of phishing content and then marking the content as fraudulent or even discarding phishing messages altogether. Today, a successful cybercriminal must find ways around the anti-phishing security technology in place. There are several ways today’s cybercriminals attempt this:

*   Placing text information or links inside images.
*   Using large attachments that cannot be scanned due to their size.
*   HTML smuggling.
*   Using various attachment file types (.doc, .one, .lnk, password-protected .zip).
*   Hiding phishing links behind link-shortening services.
*   Varying the phishing message content by including hidden garbage text pulled from books.
*   Using links to lookalike domain names, known as typosquatting, or domain names that have specially crafted subdomains, ex. www.office.com.login.evilbadguy.com.
*   Transmitting messages from compromised legitimate accounts.
*   Using the browser-in-the-browser technique.

**More convincing phishing lures**

Contemporary phishing lures tend to fall into two basic categories. Many phishing messages attempt to replicate transactional messages, for example, an invoice or receipt for a purchase. Other phishing messages tend to target victims who are eager for news about specific topics, such as current events, natural disasters or the latest celebrity gossip.

With readily accessible open-source information and publicly available breach data, there can be a substantial trove of sensitive information concerning individuals/groups that is freely available online to attackers who are motivated enough to search. This information can be used to customize phishing emails and make phishing content even more relevant to the victims.

To aid in customizing phishing content, attackers are increasingly turning to AI apps such as ChatGPT that can be used to generate phishing content that sounds quite convincing. Fortunately, the designers of ChatGPT have built some guardrails so that attackers cannot simply ask ChatGPT to generate a phishing lure.

However, by phrasing the question a little differently, ChatGPT will help generate convincing content for use in phishing attacks.

Over the past few years, we have seen how some attackers, such as those behind Emotet, have leveraged existing email threads to compel targets to open attachments or click links. Using AI applications similar to ChatGPT, those malicious emails could be customized based on the context of those prior threads.

Voice cloning is another piece of AI technology that is expected to play a role in future phishing attacks. Deepfake technology has already progressed to the point that users can be fooled by a familiar voice over the telephone and once deepfake tools become more widely available, we expect attackers to deploy this as an additional mechanism to phish users.

**Protecting users from today’s phishing attacks**

Of course, as phishing content becomes easier to generate and customize to a specific victim, it becomes increasingly harder to defend. Educating users about how to recognize a phishing attack can be helpful. Additionally, deploying multi-factor authentication such as Cisco Duo is a solid defense that can thwart phishing attacks. Understanding regular network traffic patterns using products like Cisco Secure Network Analytics can help your network security personnel recognize unusual activity that could be related to a successful phishing attack. It is also a good idea to have your email delivered through a secure gateway such as Cisco Secure Email that can scan the email contents for phishing, malware and other email-based attacks. DNS security products such as Cisco Umbrella can help prevent users from navigating to or downloading content from phishing domains.

How threat actors are using AI and other modern tools to enhance their phishing attempts

<drupal-media data-align="center" data-entity-type="media" data-entity-uuid="86dcee13-494e-41e0-a1ed-419306586e5d"></drupal-media>

<h3>What are Confidential Containers?</h3>

<p><strong><a href="https://github.com/confidential-containers">Confidential Containers</a></strong> (CoCo) is a new sandbox project of the <a href="https://www.cncf.io/">Cloud Native Comput

**What are Confidential Containers?**

**Confidential Containers** (CoCo) is a new sandbox project of the Cloud Native Computing Foundation (CNCF) that enables cloud-native confidential computing by taking advantage of a variety of hardware platforms and technologies. The project brings together software and hardware companies including Alibaba-cloud, AMD, ARM, IBM, Intel, Microsoft, Red Hat, Rivos and others.

The CoCo project builds on existing and emerging hardware security technologies such as Intel SGX, Intel TDX, AMD SEV and IBM Z Secure Execution, in combination with new software frameworks **to help better secure user data in use**. This will establish a new level of confidentiality, which does not rely on trust in the cloud providers and their employees, but on hardware-level cryptography. CoCo will support multiple environments including public clouds, on-premise and edge computing.

The goal of the CoCo project is to **standardize** confidential computing at the container level and **simplify** its consumption in Kubernetes. This is in order to enable Kubernetes users to deploy confidential container workloads using familiar workflows and tools without extensive knowledge of underlying confidential computing technologies.

Latest posts

**What is the Confidential Containers project?****October 7, 2022 - Pradipta Banerjee, Christophe de Dinechin, Ariel Adam, Jochen Schroder, Martin Tessun**

Confidential Containers (CoCo) is a new sandbox project of the Cloud Native Computing Foundation (CNCF) that enables cloud-native confidential computing by taking advantage of a variety of hardware platforms and technologies…read more

**Understanding the Confidential Containers Attestation Flow****December 2, 2022 - Pradipta Banerjee, Samuel Ortiz**

This article describes the hardware-based attestation flows and processes that the Confidential Containers project is built upon. With hardware-based attestation, a confidential computing processor generates cryptographic evidence for a workload-running environment. Provided that the workload owner trusts that piece of hardware, they can then remotely verify that evidence and decide if the workload’s execution environment is trustworthy or not…read more

**How to use Confidential Containers without confidential hardware****March 6, 2023 - Wainer dos Santos Moschetta, Steve Horsman**

The CoCo community recognizes that not every developer has access to TEE-capable machines and we don't want this to be a blocker for contributions. So version 0.1.0 and later come with a custom runtime that lets developers play with CoCo on either a simple virtual or bare-metal machine. In this tutorial you will learn: How to install CoCo and create a simple confidential pod on Kubernetes, and the main features that keep your pod confidential…read more

Learn about Confidential Containers

**LEXINGTON, Mass.--(****BUSINESS WIRE****)--**VulnCheck, the vulnerability intelligence company, today announced it has been authorized by the CVE Program as a CVE Numbering Authority (CNA). The company also announced the launch of VulnCheck Advisories, a program designed to simplify how security researchers share vulnerabilities with vendors.

The CVE Program is sponsored by the U.S. Department of Homeland Security and Cybersecurity and Infrastructure Security Agency with a mission to identify, define and catalog publicly disclosed cybersecurity vulnerabilities. As a CNA, VulnCheck joins an elite group of over 280 partners in 36 countries authorized to assign CVE identification numbers to vulnerabilities and publish additional details in the associated CVE record.

"Our company offers the most comprehensive, real-time vulnerability, threat and exploit intelligence available on the market today,” said Anthony Bettini, CEO and Founder of VulnCheck. "Our products often uncover publicly disclosed vulnerabilities and exploits that have no CVE. To better serve the community, VulnCheck has taken on the task of coordinating CVE assignments for these issues. Now as a full partner in the CVE Program, we can expedite the rate at which we can address these problems. This is just the latest step we’ve taken to use our data to help security teams fight back against the growing tide of vulnerabilities they face each day.”

In conjunction with the authorization, the company also launched VulnCheck Advisories, a program designed to remove friction between researchers who identify and report vulnerabilities and the organizations that acknowledge and fix the flaws. The program enables researchers to share newly discovered vulnerabilities directly with VulnCheck. The intelligence company then takes over the submission process to the vendor and guarantees the vulnerability is published within 120 days, whether fixed or not.

“A lot of the time, researchers are at a disadvantage,” said Bettini. “Programs that buy vulnerabilities can be cumbersome and rife with restrictions. And if researchers choose to work directly with a vendor, they can often spend months just trying to get the company to acknowledge their report. With our program, researchers can submit their findings to VulnCheck and let the process run its course without all the hassle.”

The news comes just months after the company raised a $3.2 million seed round to increase hiring, bolster product development and help large enterprises, government agencies and cybersecurity solutions providers outpace adversaries by solving the vulnerability prioritization challenge.

To learn more about VulnCheck and the Advisories program, visit https://vulncheck.com/advisories.

**About VulnCheck**

VulnCheck is the vulnerability intelligence company helping enterprises, government organizations, and cybersecurity vendors solve the vulnerability prioritization challenge. Trusted by some of the world's largest organizations responsible for protecting hundreds of millions of systems and people, VulnCheck helps organizations outpace adversaries by providing the most comprehensive, real-time vulnerability intelligence that is autonomously correlated with unique, proprietary exploit and threat intelligence. Follow the company on LinkedIn. To learn more about VulnCheck, visit https://vulncheck.com/.

VulnCheck Named CVE Numbering Authority for Common Vulnerabilities and Exposures

The bizarre release of sensitive US government materials soon after their creation signals a potential shift to near-real-time unauthorized disclosures.

the United States government has been scrambling this week, thanks to a leak of sensitive Pentagon documents that include an array of recent intelligence updates and Joint Chiefs of Staff briefings. Notably, the documents seem to be very recent, dating from as early as January to early March. The trove was first posted to Discord a few weeks ago, before some of the documents got pickup more recently on Russian Telegram channels and then Twitter.

Initial reporting about the situation—including by _The New York Times_, which broke the story—has focused on roughly 100 documents, but some reports indicate that even more secret documents may have been shared on Discord over the past few months. The documents are photographs of printed-out presentation slides. Some of the papers had been folded and unfolded before being photographed, and some of the photos capture slivers of other objects that were on the desk with the papers.

Researchers say the leak ranks high among other prominent recent revelations about clandestine US government activity—a list that includes information from Edward Snowden about the NSA's bulk surveillance activity, details of the CIA's hacking capabilities in the Vault7 revelations published by WikiLeaks, and NSA hacking tools revealed in the Shadow Brokers leak. But this latest leak has some specific characteristics reflective of the current moment: It is relatively small and contains fresh information rather than a large trove of months- or years-old data. And while it is not yet clear who leaked the documents or what their motivation was, initial indications from Discord activity suggest that the leaker may have been trying to show off to their gaming friends, and might even be a teenager or young adult.

“I am intrigued by the idea of a small, pinpoint leak phenomenon,” says Dan Meyer, a partner at the law firm Tully Rinckey who works on federal employment and national security matters. Meyer was formerly a federal investigator and whistle-blowing expert within the US government. The use of “strategic leaks” has been a tactic of top officials “for a very long time,” Meyer says. “But now the technology issue is very real with phones and the ability to move these documents in ways the government didn’t anticipate.”

The latest leaked documents reveal details about the war in Ukraine, including information about the Ukrainian army's air defenses and plans for a future counteroffensive against Russia. Notably, the trove also reveals details about Russia's war effort and exposes the degree to which the United States intelligence community has penetrated Russia's military and intelligence services. 

As with any leak of state secrets, the most impactful revelations long-term generally relate to methods and access rather than specific information. That means Russian intelligence, for example, will likely make changes to its operations in response to the relvations to evade American operators. The leak also includes indications that the US has been spying on allies like South Korean and Israeli officials, a move that is not necessarily surprising but diplomatically embarrassing.

“We're still investigating how this happened, as well as the scope of the issue,” Chris Meagher, the US assistant to the secretary of defense for public affairs, told reporters on Tuesday. “There have been steps to take a closer look at how this type of information is distributed and to whom. We are also still trying to assess what might be out there.”

Analysts emphasize that the scale of the leak may be much larger than what has emerged publicly so far, and that the situation reflects concerning lapses in the Pentagon's systems for handling secrets.

“It seems like the Department of Defense thought they had sufficient controls in place to detect would-be leakers after incidents like Snowden,” says Jake Williams, a former NSA hacker and an analyst with IANS Research, a cybersecurity consultancy firm. “But obviously, whoever is doing this got around that or learned from past techniques and mistakes.”

As real-time accounts of everything from wars to natural disasters play out on social media and other digital communication platforms, it makes sense that leaking has increasingly become targeted and agile as well. So-called “hack and leak” operations have demonstrated this in recent years, with, for example, state-backed attackers leaking excerpts of government officials' digital communications or strategy documents from political campaigns. Hactivists have also increasingly used precision leaks around the world. Ukrainian advocates have, for example, repeatedly doxed Russian military officials and intelligence agents. And they've leaked data stolen from Russian government agencies and private companies since the Kremlin's full-scale invasion of Ukraine in February 2022. 

For now, as the US government aggressively investigates the latest Pentagon leaker and their motives, Meyer says his advice for US federal employees, contractors, or anyone with a US security clearance is to mind their business.

“Just because you have the ‘need to know,’ that doesn't mean you have the need to go look at it,” he says. “That person should not access these documents anywhere on the web. This stuff has now been identified as classified, and even if it's well intentioned, if you view classified information in a non-SCIF environment, you've committed a technical infraction. It’s a mess, don’t do it.”

Leaked Pentagon Documents May Herald a New Era of Revelations

**OSLO****, Norway** **,** **April 12, 2023** **/PRNewswire/ --** Opera (NASDAQ: OPRA) – the company behind the award-winning family of web browsers – is announcing the extension of its free browser VPN service to Opera Browser for iOS. Already available to some users for early access, the full rollout will be completed within the coming weeks. With this addition, Opera became the first web browser to offer a free built-in VPN across all major platforms, including Mac, Windows, Linux, Android, and iOS.

Staying private online is becoming increasingly challenging. When users browse the internet, they can be subject to data collection from websites and online services, many of which are not always transparent about how they store and use this data. Meanwhile, unsecure networks, such as some public Wi-Fi are vulnerable to attacks from bad actors, which can compromise sensitive personal data like web banking information or credit card details. VPNs, as a result, are an increasingly essential feature of life online – they help protect one's identity and activity so that users can peruse the internet privately, their personal information safe from prying eyes.

With the addition of its VPN service to iOS, Opera becomes the first browser company to offer a built-in, free VPN on every platform. Opera's VPN service requires no subscription, no logging into an account, and no additional extensions – users simply need to toggle a switch in the main menu to browse in peace, since the Opera Browser makes sure VPN traffic is encrypted and IP address is private.

"Opera has always been known for its unique feature set. We are proud to bring our free built-in VPN to all major platforms and to be the first browser company to do so. Our commitment to providing users with a secure browsing experience has led us to develop this feature over the years. We are excited to bring this vital tool to iOS users to ensure their online safety and privacy," said Jørgen Arnesen, EVP Mobile at Opera.

A no-log service, the VPN does not collect any personal data or information related to users' browsing history or originating network address, ensuring anonymity. Fast and secure, users have instant access to virtual locations around the world.

The Opera Browser for iOS is an award-winning browser that is enjoyed by millions of users worldwide. Featuring an interface that has garnered multiple design awards, the browser affords an unparalleled user experience. Designed to be used on the go, Opera's Fast Action Button gives users the full range of navigation tools within a thumb's reach. Users can additionally keep photos, articles, recipes, travel ideas, and links with them at all times with My Flow, which allows for seamless and secure file sharing between phones, tablets, and computers. The browser even integrates a native Crypto Wallet, enabling users to keep track of their digital assets at all times.

Apart from its convenience, the Opera Browser for iOS also offers unparalleled speed and security. It features, for example, a built-in ad blocker – speeding up the loading process as well as shielding users from unwanted advertisements – plus the Apple Intelligent Tracking Prevention, which blocks third party tracking cookies and cookie dialogue. The browser also boasts Opera's Cryptojacking Protection, which safeguards users from having their device's resources hijacked for crypto mining. The free VPN service will now complete the package, affording users protection as they browse the internet.

Concurrent with the ongoing rollout of the free VPN service, Opera Browser for iOS is also receiving a pair of additional upgrades. A Bookmarks feature will allow users to better organize their lives online, and coupled with Speed Dial ensure immediate access to what's most important. And for football fans, a new Live Scores feature lands on the browser's homepage. A scoreboard that displays the day's matches – whether they are upcoming, in progress, or the final whistle has already gone – Live Scores will help users stay on top of the action worldwide.

To start using the free VPN, users just need to download the Opera Browser for iOS and turn the VPN on in the app. The full rollout will be completed within the coming weeks, so VPN will become available for all users shortly. More information is available on the official website.

**About Opera for iOS**

Fast, safe and private, Opera Browser is a beautifully designed web browser with a Red Dot Award for its stunning user interface. Enjoyed by millions of fans across the world, it's built for people on the go and features a lightning fast web search for instant results. With built-in security features such as Apple Intelligent Tracking Prevention and Cryptojacking Protection – plus a native Crypto Wallet – Opera Browser offers users the optimal iOS experience. Opera Browser has a 4.7 star rating in the App Store and has been reviewed by more than 600,000 people worldwide.

**About Opera**

Opera is a web innovator building on more than 25 years of innovation that started with the Opera web browser. While Opera is leveraging its brand and engaged user base in order to grow and develop new products and services for people who seek a better internet experience, Opera's PC and mobile web browsers, content discovery platform Opera News, and apps dedicated to gaming, and Web3 are already the trusted choices of hundreds of millions of active and engaged users. Opera is headquartered in Oslo, Norway, and listed on the NASDAQ Stock Exchange under the OPRA ticker symbol. Download and access Opera's products and services from www.opera.com.

SOURCE Opera Limited

Opera Adds Free VPN to Opera for iOS

Hackers can compromise public charging hubs to steal data, install malware on phones, and more, threatening individuals and businesses alike.

US government agencies are warning that malware planted in public charging stations for phones and other electronics can sneak onto your device when you least expect it.

On April 6, the FBI Denver office published a morsel of advice. "Avoid using free charging stations in airports, hotels, or shopping centers," its tweet stated. "Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead."

The sentiment was echoed in an FCC notice about the phenomenon — known as "juice jacking." The commission added that, "in some cases, criminals may have intentionally left cables plugged in at charging stations." Also, "there have even been reports of infected cables being given away as promotional gifts."

Experts say that charging stations can carry risk, not just for individuals but also enterprises. Still, the risk is low and there are simple solutions for avoiding it altogether.

**How Hackers Can Poison Charging Stations**

"There are two different ways this happens," says Pete Nicoletti, field CISO at Check Point Software. "There are the people that actually own those stations. If they're looking for additional revenue, they might install malware on their charging stations."

This isn't the kind of scenario you'd run into at your local airport, though, he adds: "\[That's\] going to be the bad actors that compromise a legitimate station."

Ordinary outlets are immune, but USB ports in modern charging stations are different.

"There is some sort of computer or smart device behind these stations, connected to those USB charging outlets," explains Dmitry Bestuzhev, most distinguished threat researcher at BlackBerry. And because there's a computer involved, the opportunity exists for back-and-forth data transfer.

"Imagine using a phone for charging," Bestuzhev continues. "You use the same USB cable for synchronizing data on your phone with a computer, such as photos, videos, and other information. Technically, a threat actor could poison the data transmission between the malicious station and your device to steal information or install malicious code."

Were this to occur, the FCC says, hackers could "maliciously access electronic devices while they are being charged. Malware installed through a corrupted USB port can lock a device or export personal data and passwords directly to the perpetrator. Criminals can then use that information to access online accounts or sell it to other bad actors."

And any risk to travelers can have a knock-on effect for their employers.

"Most people use their phones for a mix of work and personal time," Allan Liska, threat intelligence analyst at Recorded Future, points out. For a work-from-home employee accessing corporate data from a coffee shop or airport lounge, "a successful attack not only means a phone owner's personal data is compromised, it also means that any work data stored on that phone would be accessible by the attackers." In theory, hackers could also plant malware on a BYOD phone or laptop, or hijack an employee's access to enterprise networks for further attacks.

Whether any of this is likely is another matter. "One of the challenges with the FBI tweet is that they don't provide any real-world examples," Liska says. "So while the kind of attack the FBI laid out is certainly possible, the risk is relatively low."

**Simple Solutions for Charging Safely**

For anyone concerned with charging devices in public, there is one simple solution: don't use dedicated charging stations. Ordinary electrical outlets — of the kind you'd use at home — provide a perfectly safe alternative.

Even when you're searching around the airport terminal and can't find any outlets, there are other options. "Your readers can't see it, but this is what people should be carrying," Nicoletti says over a Zoom call, while holding up his wireless phone charger. "These are 15 bucks!"

And "if a socket isn't available and you're charging a device through a USB cable, use a data blocker," Bestuzhev recommends. Data blockers — colloquially referred to as "data condoms" — are inexpensive and widespread online.

"They're essentially designed on a hardware level to block any data transmission to or from your device," he explains. "So even when you connect to a malicious charging station, if you're using a data blocker, you'll still get the electric charge for your device but data won't flow. That's because, on a hardware level, the data blocker is designed to block the circuit of those parts of the cable to transfer data. So, your data can't be transferred in any direction — just electricity."

Jacked charging stations may be rare, but because the alternatives are so cheap and simple, it's easy enough to avoid the hassle altogether. "These tools," Bestuzhev concludes, "should really be part of any 'frequent flier' or 'frequent traveler' kit."

FBI & FCC Warn on 'Juice Jacking' at Public Chargers, but What's the Risk?

By Waqas
Do you have the skills to take part in OpenAI's ChatGPT Bug Bounty Program? If so, here is your chance to earn big bucks.
This is a post from HackRead.com Read the original post: OpenAI Launches ChatGPT Bug Bounty Program – Earn $200 to $20k

**OpenAI has partnered with Bugcrowd, a renowned crowdsourced cybersecurity platform, to launch the highly anticipated ChatGPT Bug Bounty Program.**

OpenAI, the renowned artificial intelligence (AI) research organization, has introduced a “Bug Bounty Program” for its ChatGPT system, calling on the public to help identify and report any security vulnerabilities or other issues.

The initiative aims to leverage the collective expertise of researchers and technology enthusiasts to enhance the security and reliability of ChatGPT.

The launch of the ChatGPT bug bounty program should not be surprising, as cybercriminals have been eager to exploit the platform to conduct cyberattacks, including developing malware, ransomware, and phishing kits.

Under the program, anyone, including both professional researchers and general users, can participate in the ChatGPT bug bounty program and potentially earn cash rewards for their findings. The bounty rewards start at $200 for “low-severity findings” and can go up to an impressive $20,000 for “exceptional discoveries.”

To manage the program, OpenAI has partnered with Bugcrowd, a leading bug bounty platform that specializes in handling submissions and payouts. Here’s what OpenAI wants the good guys to delve into:

Screenshot: Bugcrowd

Notably, OpenAI is not the first tech giant to implement a bug bounty program. Currently, Sony, Google, Apple and several other firms have been offering big bucks as part of bug bounty programs.

**More Context**

1.  6 of the Best Crypto Bug Bounty Programs
2.  Sony Announces PlayStation Bug Bounty Program
3.  Hack the Pentagon 3.0 Bug Bounty Program Is Back
4.  Apple Bug bounty: Earn big backs for hacking iPhone
5.  Google Bug Bounty Program for Open-Source Software

ChatGPT has encountered its share of bugs in the past. In a recent incident, the entire system went offline after users reported seeing names of conversations they were not part of. Furthermore, the company acknowledged a security breach in which payment details of ChatGPT Plus subscribers were exposed to random users.

OpenAI’s ChatGPT bug bounty program does have some limitations. Not all issues reported will warrant cash rewards, and activities such as jailbreaking or attempting to make the model say or do anything negative will not be eligible for rewards. OpenAI acknowledges that while it works diligently to mitigate risks, it cannot predict all possible uses or misuse of its technology in the real world.

With the launch of the Bug Bounty Program, OpenAI aims to demonstrate its commitment to privacy and security while proactively addressing potential vulnerabilities in ChatGPT. As the AI landscape continues to evolve, this initiative may serve as a valuable step towards ensuring the robustness and reliability of AI systems in real-world applications.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

OpenAI Launches ChatGPT Bug Bounty Program – Earn $200 to $20k

Researchers at Microsoft have discovered links between a threat group tracked as DEV-0196 and an Israeli private-sector company, QuaDream, that sells a platform for exfiltrating data from mobile devices.

Microsoft has identified another Israel-based threat organization, similar to NSO Group, that is selling mobile spyware and other cyber espionage tools and services to international governments to monitor and spy on private individuals.

Microsoft Threat Intelligence researchers have discovered links between a threat group they've been tracking as DEV-0196, which offers iOS malware, and a private-sector company called QuaDream that sells a platform for exfiltrating data from mobile devices, researchers said in a blog post published April 11. Without explicitly stating so, the researchers suggested that DEV-0196 and QuaDream are actually one and the same.

"Microsoft Threat Intelligence analysts assess with high confidence that the malware, which we call KingsPawn, is developed by DEV-0196 and therefore strongly linked to QuaDream," the researchers wrote. "We assess with medium confidence that the mobile malware we associate with DEV-0196 is part of the \[company's 'Reign' offering\]."

The parallels between the activity of the separately linked entities is eerily similar to that of Israel-based NSO Group, which has been widely condemned, blacklisted, and even sued for its role in selling the iOS-based spyware known as Pegasus to hostile governments to target journalists, activists, politicians, businesspeople, and other private citizens with unethical cyber espionage activity. The spyware notably targets zero-day flaws with exploits, making it difficult to mitigate or detect its nefarious activity.

**Suspicious QuaDream Activity**

Similarly, QuaDream's REIGN is a suite of exploits, malware, and infrastructure designed to extract data from mobile devices for allegedly legal purposes, however, the company suspiciously doesn't have a website, and a 2022 Reuters report suggested that QuaDream used a zero-click iOS exploit that leveraged the same vulnerability seen in NSO Group's ForcedEntry exploit.

According to the Israeli Corporations Authority, QuaDream, under the Israeli name קוודרים בע”מ, was incorporated in August 2016. A report by news outlet Haaretz, citing a QuaDream brochure, claimed that the government of Saudi Arabia — known for targeting journalists and others who speak out against its policies — was among QuaDream's clients, as was the government of Ghana.

A separate December 2022 report from Meta, which reportedly took down 250 accounts associated with QuaDream, also shed light on the activity of the company. That report claimed that QuaDream was testing its ability to exploit iOS and Android mobile devices with the intent "to exfiltrate various types of data including messages, images, video and audio files, and geolocation," the researchers said.

Meanwhile, Microsoft Threat Intelligence believes that DEV-0196 is selling both exploitation services and its KingsPawn iOS malware to governments to spy on and track members of civil society — including journalists, political opposition figures, and a non-government organization (NGO) worker — in locations across Europe, North America, the Middle East, and Southeast Asia.

Microsoft worked with several partners on the investigation of the links between QuaDream and DEV-0196, including Citizen Lab of the University of Toronto's Munk School, which identified at least five targets of DEV-0196 across the aforementioned geographies. It also identified operator locations for QuaDream systems in Bulgaria, Czechia, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates, and Uzbekistan. Citizen Lab has released its own separate report about the findings.

The behavior of DEV-0196 is consistent with that of "private sector offensive actors (PSOAs)" or "cyber mercenaries," according to Microsoft Threat Intelligence, which sell hacking tools or services through a variety of business models — including access as a service — to the highest bidder. They don't directly target individuals or run cyber espionage operations themselves.

**KingsPawn: A Custom Spyware**

Microsoft and its partners analyzed samples of the multi-component KingsPawn, which specifically targets iOS 14. However, it's possible that some of the code also could be used on Android devices, the researchers said. It's also likely that the threat group has already updated the malware to target versions of iOS newer than 14, as the latest version of Apple's operating system software is already up to iOS 16, the researchers said.

KingsPawn is comprised of two agents — a monitor agent in the form of a native Mach-O file written in Objective-C, and the main malware agent, a native Mach-O file written in GoLang, a language favored by threat actors for its portability, among other features, the researchers said.

The monitor agent is responsible for reducing the forensic footprint of the malware to prevent detection and hinder investigations, as well as manage the various processes and threads spawned on behalf of the malware to avoid artifacts created from unexpected process crashes.

Within the main agent of KingsPawn is the real gravy of the spyware where all of the capabilities to track victims and steal data lies, the researchers said.

Capabilities of the main agent include: obtaining device, Wi-Fi, cellular info, searching for and retrieving files, using the camera in the background, locating where the device is, monitoring phone calls, accessing the iOS keychain for passwords, and generating an iCloud one-time password that's time sensitive to retrieve stored data.

"The agent also creates a secure channel for XPC messaging by creating a nested app extension called _fud.appex_," the researchers wrote. "XPC messaging allows the agent to query various system binaries for sensitive device information, such as location details."

**Detection & Protection From Mobile Spyware**

Microsoft has developed unique network detections that could be used to fingerprint DEV-019's infrastructure on the Internet based on the group's heavy use of domain registrars and inexpensive cloud hosting providers that accept cryptocurrency as payment, the researchers said.

"They tended to only use a single domain per IP address and domains were very rarely reused across multiple IP addresses," they wrote in the post. "Many of the observed domains were deployed using free Let's Encrypt SSL certificates, while others used self-signed certificates designed to blend in with normal Kubernetes deployments."

The blog post includes network-based indicators that the researchers gleaned from their investigation to help potential victims identify if they've been compromised, including domains strongly associated with some countries that Citizen Lab has identified as locations of victims, countries where QuaDream platforms were operating, or both.

While acknowledging that preventing exploitation of mobile devices by threat actors who are exploiting zero-click vulnerabilities is difficult, there are ways to minimize the risk of mobile devices being compromised, the researchers said.

Following basic cyber hygiene and best practices to keep device software updated through automatic updates, the use of anti-malware software, and maintaining vigilance not to click on malicious links or suspicious messages can also help potential victims avoid compromise.

Researchers also suggested that if someone using an iOS device believes they may be a target of spyware, they can enable Lockdown Mode to enact advanced iOS security, thus reducing the attack surface for threat actors.

Microsoft: NSO Group-Like 'QuaDream' Actor Selling Mobile Spyware to Governments

Ubuntu Security Notice 6013-1 - Xuewei Feng, Chuanpu Fu, Qi Li, Kun Sun, and Ke Xu discovered that the TCP implementation in the Linux kernel did not properly handle IPID assignment. A remote attacker could use this to cause a denial of service or inject forged data. Ke Sun, Alyssa Milburn, Henrique Kawakami, Emma Benoit, Igor Chervatyuk, Lisa Aichele, and Thais Moreira Hamasaki discovered that the Spectre Variant 2 mitigations for AMD processors on Linux were insufficient in some situations. A local attacker could possibly use this to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6013-1  
April 12, 2023

linux-aws vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems

Details:

Xuewei Feng, Chuanpu Fu, Qi Li, Kun Sun, and Ke Xu discovered that the TCP  
implementation in the Linux kernel did not properly handle IPID assignment.  
A remote attacker could use this to cause a denial of service (connection  
termination) or inject forged data. (CVE-2020-36516)

Ke Sun, Alyssa Milburn, Henrique Kawakami, Emma Benoit, Igor Chervatyuk,  
Lisa Aichele, and Thais Moreira Hamasaki discovered that the Spectre  
Variant 2 mitigations for AMD processors on Linux were insufficient in some  
situations. A local attacker could possibly use this to expose sensitive  
information. (CVE-2021-26401)

Jürgen Groß discovered that the Xen subsystem within the Linux kernel did  
not adequately limit the number of events driver domains (unprivileged PV  
backends) could send to other guest VMs. An attacker in a driver domain  
could use this to cause a denial of service in other guest VMs.  
(CVE-2021-28712, CVE-2021-28713)

Wolfgang Frisch discovered that the ext4 file system implementation in the  
Linux kernel contained an integer overflow when handling metadata inode  
extents. An attacker could use this to construct a malicious ext4 file  
system image that, when mounted, could cause a denial of service (system  
crash). (CVE-2021-3428)

It was discovered that the IEEE 802.15.4 wireless network subsystem in the  
Linux kernel did not properly handle certain error conditions, leading to a  
null pointer dereference vulnerability. A local attacker could possibly use  
this to cause a denial of service (system crash). (CVE-2021-3659)

It was discovered that the System V IPC implementation in the Linux kernel  
did not properly handle large shared memory counts. A local attacker could  
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)

Alois Wohlschlager discovered that the overlay file system in the Linux  
kernel did not restrict private clones in some situations. An attacker  
could use this to expose sensitive information. (CVE-2021-3732)

It was discovered that the SCTP protocol implementation in the Linux kernel  
did not properly verify VTAGs in some situations. A remote attacker could  
possibly use this to cause a denial of service (connection disassociation).  
(CVE-2021-3772)

It was discovered that the btrfs file system implementation in the Linux  
kernel did not properly handle locking in certain error conditions. A local  
attacker could use this to cause a denial of service (kernel deadlock).  
(CVE-2021-4149)

Jann Horn discovered that the socket subsystem in the Linux kernel  
contained a race condition when handling listen() and connect() operations,  
leading to a read-after-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2021-4203)

It was discovered that the file system quotas implementation in the Linux  
kernel did not properly validate the quota block number. An attacker could  
use this to construct a malicious file system image that, when mounted and  
operated on, could cause a denial of service (system crash).  
(CVE-2021-45868)

Zhihua Yao discovered that the MOXART SD/MMC driver in the Linux kernel did  
not properly handle device removal, leading to a use-after-free  
vulnerability. A physically proximate attacker could possibly use this to  
cause a denial of service (system crash). (CVE-2022-0487)

It was discovered that the block layer subsystem in the Linux kernel did  
not properly initialize memory in some situations. A privileged local  
attacker could use this to expose sensitive information (kernel memory).  
(CVE-2022-0494)

It was discovered that the UDF file system implementation in the Linux  
kernel could attempt to dereference a null pointer in some situations. An  
attacker could use this to construct a malicious UDF image that, when  
mounted and operated on, could cause a denial of service (system crash).  
(CVE-2022-0617)

David Bouman discovered that the netfilter subsystem in the Linux kernel  
did not initialize memory in some situations. A local attacker could use  
this to expose sensitive information (kernel memory). (CVE-2022-1016)

It was discovered that the implementation of the 6pack and mkiss protocols  
in the Linux kernel did not handle detach events properly in some  
situations, leading to a use-after-free vulnerability. A local attacker  
could possibly use this to cause a denial of service (system crash).  
(CVE-2022-1195)

Duoming Zhou discovered race conditions in the AX.25 amateur radio protocol  
implementation in the Linux kernel, leading to use-after-free  
vulnerabilities. A local attacker could possibly use this to cause a denial  
of service (system crash). (CVE-2022-1205)

It was discovered that the tty subsystem in the Linux kernel contained a  
race condition in certain situations, leading to an out-of-bounds read  
vulnerability. A local attacker could possibly use this to cause a denial  
of service (system crash) or expose sensitive information. (CVE-2022-1462)

It was discovered that the implementation of X.25 network protocols in the  
Linux kernel did not terminate link layer sessions properly. A local  
attacker could possibly use this to cause a denial of service (system  
crash). (CVE-2022-1516)

Duoming Zhou discovered a race condition in the NFC subsystem in the Linux  
kernel, leading to a use-after-free vulnerability. A privileged local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-1974)

Duoming Zhou discovered that the NFC subsystem in the Linux kernel did not  
properly prevent context switches from occurring during certain atomic  
context operations. A privileged local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-1975)

It was discovered that the HID subsystem in the Linux kernel did not  
properly validate inputs in certain conditions. A local attacker with  
physical access could plug in a specially crafted USB device to expose  
sensitive information. (CVE-2022-20132)

It was discovered that the device-mapper verity (dm-verity) driver in the  
Linux kernel did not properly verify targets being loaded into the device-  
mapper table. A privileged attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code. (CVE-2022-20572,  
CVE-2022-2503)

Duoming Zhou discovered that race conditions existed in the timer handling  
implementation of the Linux kernel's Rose X.25 protocol layer, resulting in  
use-after-free vulnerabilities. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-2318)

Zheyu Ma discovered that the Silicon Motion SM712 framebuffer driver in the  
Linux kernel did not properly handle very small reads. A local attacker  
could use this to cause a denial of service (system crash). (CVE-2022-2380)

David Leadbeater discovered that the netfilter IRC protocol tracking  
implementation in the Linux Kernel incorrectly handled certain message  
payloads in some situations. A remote attacker could possibly use this to  
cause a denial of service or bypass firewall filtering. (CVE-2022-2663)

Lucas Leong discovered that the LightNVM subsystem in the Linux kernel did  
not properly handle data lengths in certain situations. A privileged  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-2991)

It was discovered that the Intel 740 frame buffer driver in the Linux  
kernel contained a divide by zero vulnerability. A local attacker could use  
this to cause a denial of service (system crash). (CVE-2022-3061)

Jiasheng Jiang discovered that the wm8350 charger driver in the Linux  
kernel did not properly deallocate memory, leading to a null pointer  
dereference vulnerability. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-3111)

It was discovered that the sound subsystem in the Linux kernel contained a  
race condition in some situations. A local attacker could use this to cause  
a denial of service (system crash). (CVE-2022-3303)

It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux  
kernel did not properly perform bounds checking in some situations. A  
physically proximate attacker could use this to craft a malicious USB  
device that when inserted, could cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-3628)

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux  
kernel contained an out-of-bounds write vulnerability. A local attacker  
could use this to cause a denial of service (system crash).  
(CVE-2022-36280)

It was discovered that the NILFS2 file system implementation in the Linux  
kernel did not properly deallocate memory in certain error conditions. An  
attacker could use this to cause a denial of service (memory exhaustion).  
(CVE-2022-3646)

It was discovered that the Netlink Transformation (XFRM) subsystem in the  
Linux kernel contained a reference counting error. A local attacker could  
use this to cause a denial of service (system crash). (CVE-2022-36879)

It was discovered that the infrared transceiver USB driver did not properly  
handle USB control messages. A local attacker with physical access could  
plug in a specially crafted USB device to cause a denial of service (memory  
exhaustion). (CVE-2022-3903)

Jann Horn discovered a race condition existed in the Linux kernel when  
unmapping VMAs in certain situations, resulting in possible use-after-free  
vulnerabilities. A local attacker could possibly use this to cause a denial  
of service (system crash) or execute arbitrary code. (CVE-2022-39188)

Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not  
properly perform reference counting in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41218)

It was discovered that a race condition existed in the SMSC UFX USB driver  
implementation in the Linux kernel, leading to a use-after-free  
vulnerability. A physically proximate attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41849)

It was discovered that a race condition existed in the Roccat HID driver in  
the Linux kernel, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-41850)

It was discovered that the USB core subsystem in the Linux kernel did not  
properly handle nested reset events. A local attacker with physical access  
could plug in a specially crafted USB device to cause a denial of service  
(kernel deadlock). (CVE-2022-4662)

It was discovered that the network queuing discipline implementation in the  
Linux kernel contained a null pointer dereference in some situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2022-47929)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel  
contained a NULL pointer dereference vulnerability in certain situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-0394)

It was discovered that a memory leak existed in the SCTP protocol  
implementation in the Linux kernel. A local attacker could use this to  
cause a denial of service (memory exhaustion). (CVE-2023-1074)

Mingi Cho discovered that the netfilter subsystem in the Linux kernel did  
not properly initialize a data structure, leading to a null pointer  
dereference vulnerability. An attacker could use this to cause a denial of  
service (system crash). (CVE-2023-1095)

Kyle Zeng discovered that the ATM VC queuing discipline implementation in  
the Linux kernel contained a type confusion vulnerability in some  
situations. An attacker could use this to cause a denial of service (system  
crash). (CVE-2023-23455)

Lianhui Tang discovered that the MPLS implementation in the Linux kernel  
did not properly handle certain sysctl allocation failure conditions,  
leading to a double-free vulnerability. An attacker could use this to cause  
a denial of service or possibly execute arbitrary code. (CVE-2023-26545)

It was discovered that the NTFS file system implementation in the Linux  
kernel did not properly validate attributes in certain situations, leading  
to an out-of-bounds read vulnerability. A local attacker could possibly use  
this to expose sensitive information (kernel memory). (CVE-2023-26607)

Duoming Zhou discovered that a race condition existed in the infrared  
receiver/transceiver driver in the Linux kernel, leading to a use-after-  
free vulnerability. A privileged attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-1118)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 14.04 ESM:  
   linux-image-4.4.0-1117-aws      4.4.0-1117.123  
   linux-image-aws                 4.4.0.1117.114

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6013-1  
   CVE-2020-36516, CVE-2021-26401, CVE-2021-28712, CVE-2021-28713,  
   CVE-2021-3428, CVE-2021-3659, CVE-2021-3669, CVE-2021-3732,  
   CVE-2021-3772, CVE-2021-4149, CVE-2021-4203, CVE-2021-45868,  
   CVE-2022-0487, CVE-2022-0494, CVE-2022-0617, CVE-2022-1016,  
   CVE-2022-1195, CVE-2022-1205, CVE-2022-1462, CVE-2022-1516,  
   CVE-2022-1974, CVE-2022-1975, CVE-2022-20132, CVE-2022-20572,  
   CVE-2022-2318, CVE-2022-2380, CVE-2022-2503, CVE-2022-2663,  
   CVE-2022-2991, CVE-2022-3061, CVE-2022-3111, CVE-2022-3303,  
   CVE-2022-3628, CVE-2022-36280, CVE-2022-3646, CVE-2022-36879,  
   CVE-2022-3903, CVE-2022-39188, CVE-2022-41218, CVE-2022-41849,  
   CVE-2022-41850, CVE-2022-4662, CVE-2022-47929, CVE-2023-0394,  
   CVE-2023-1074, CVE-2023-1095, CVE-2023-1118, CVE-2023-23455,  
   CVE-2023-26545, CVE-2023-26607

Ubuntu Security Notice USN-6013-1

Threat actors using hacking tools from an Israeli surveillanceware vendor named QuaDream targeted at least five members of civil society in North America, Central Asia, Southeast Asia, Europe, and the Middle East.
According to findings from a group of researchers from the Citizen Lab, the spyware campaign was directed against journalists, political opposition figures, and an NGO worker in 2021.

Threat actors using hacking tools from an Israeli surveillanceware vendor named QuaDream targeted at least five members of civil society in North America, Central Asia, Southeast Asia, Europe, and the Middle East.

According to findings from a group of researchers from the Citizen Lab, the spyware campaign was directed against journalists, political opposition figures, and an NGO worker in 2021. The names of the victims were not disclosed.

It's also suspected that the company abused a zero-click exploit dubbed **ENDOFDAYS** in iOS 14 to deploy spyware as a zero-day in version 14.4 and 14.4.2. There is no evidence that the exploit has been used after March 2021.

ENDOFDAYS "appears to make use of invisible iCloud calendar invitations sent from the spyware's operator to victims," the researchers said.

The Microsoft Threat Intelligence team is tracking QuaDream as **DEV-0196**, describing the cyber mercenary company as a private sector offensive actor (PSOA). While QuaDream is not directly involved in targeting, it is known to sell its "exploitation services and malware" to government customers, the tech giant assessed with high confidence.

The malware, named **KingsPawn**, contains a monitor agent and the primary malware agent, both of which are Mach-O files written in Objective-C and Go, respectively.

While the monitor agent is responsible for reducing the forensic footprint of the malware to evade detection, the main agent comes with capabilities to gather device information, cellular and Wi-Fi data, harvest files, access camera in the background, access location, call logs, and iOS Keychain, and even generate an iCloud time-based one-time password (TOTP).

Other samples support recording audio from phone calls and the microphone, running queries in SQL databases, and cleaning up forensic trails, such as deleting all calendar events from two years prior to the current time. The data is exfiltrated via HTTPS POST requests.

Internet scans carried out by the Citizen Lab reveal that QuaDream's customers operated 600 servers from several countries around the world between late 2021 and early 2023, including Bulgaria, Czech Republic, Hungary, Romania, Ghana, Israel, Mexico, Singapore, the U.A.E., and Uzbekistan.

Despite attempts made by the spyware to cover its tracks, the interdisciplinary laboratory said it was able to uncover unspecified traces of what it calls the "Ectoplasm Factor" that could be used to track QuaDream's toolset in the future.

This is not the first time QuaDream has attracted attention. In February 2022, Reuters reported that the company weaponized the FORCEDENTRY zero-click exploit in iMessage to deploy a spyware solution named REIGN.

Then in December 2022, Meta disclosed that it took down a network of 250 fake accounts on Facebook and Instagram controlled by QuaDream to infect Android and iOS devices and exfiltrate personal data.

UPCOMING WEBINAR

Learn to Secure the Identity Perimeter - Proven Strategies

Improve your business security with our upcoming expert-led cybersecurity webinar: Explore Identity Perimeter strategies!

Don't Miss Out – Save Your Seat!

If anything, the development is yet another indication that despite the notoriety attracted by NSO Group, commercial spyware firms continue to fly under the radar and develop sophisticated spyware products for use by government clients.

"Until the out-of-control proliferation of commercial spyware is successfully curtailed through systemic government regulations, the number of abuse cases is likely to continue to grow, fueled both by companies with recognizable names, as well as others still operating in the shadows," the Citizen Lab said.

Calling the growth of mercenary spyware companies as a threat to democracy and human rights, Microsoft said combating such offensive actors requires a "collective effort" and a "multistakeholder collaboration."

"Moreover, it is only a matter of time before the use of the tools and technologies they sell spread even further," Amy Hogan-Burney, the company's associate general counsel for cybersecurity policy and protection, said.

"This poses real risk to human rights online, but also to the security and stability of the broader online environment. The services they offer require cyber mercenaries to stockpile vulnerabilities and search for new ways to access networks without authorization."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel