Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section.

CVE-2023-37067: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section.

CVE-2023-37065: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section.

CVE-2023-37064: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel.

CVE-2023-37066: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the careers & promotions management section.

CVE-2023-37063: Security issues - Chamilo LMS

Want to try out Meta’s new social media app? Here’s more context on what personal data is collected by Threads and similar social media apps.

Meta's long-awaited Twitter alternative is here, and it's called Threads. The new social media app launches at a time when alternatives, like Bluesky, Mastodon, and Spill, are vying for users who are dissatisfied with Elon Musk's handling of Twitter's user experience, with its newly introduced rate limits and an uptick in hate speech.

Meta owns Facebook, Instagram, and WhatsApp, so the company’s attempt to recreate an online experience similar to Twitter is likely to attract plenty of normies, lurkers, and nomadic shitposters. Threads uses the AT Protocol developed by Bluesky, and Meta is working to incorporate Threads as part of the online Fediverse, a group of shared servers where users can interact across multiple platforms.

If you’re hesitant to share your personal data with a company on the receiving end of a billion dollar fine, that’s understandable. For those who are curious, however, here’s what we know about the service’s privacy policy, what data you hand over when you sign up, and how it compares to the data collected by other options.

Threads

Threads (Android, Apple) potentially collects a wide assortment of personal data that remains connected to you, based on the information available in Apple’s App Store, from your purchase history and physical address to your browsing history and health information. “Sensitive information” is also listed as a type of data collected by the Threads app. Some information this could include is your race, sexual orientation, pregnancy status, and religion as well as your biometric data.

Threads falls under the larger privacy policy covering Meta’s other social media platforms. Want to see the whole thing? You can read it for yourself here. There’s one caveat, though. The app has a supplemental privacy policy that’s also worth reading. A noteworthy detail from this document is that while you’re able to deactivate your Threads account whenever, you must delete your Instagram if you fully want to delete your Threads account.

Below is all the data collected by Threads that’s mentioned in the App Store. Do you have the Facebook or Instagram app on your phone? Keep in mind that this data collection by Meta is comparable to the data those apps collect about you.

For Android users, the Google Play Store doesn’t require you to hand over the same amount of extensive data to try out Threads. You have more control than Apple users, since you can granularly toggle what personal data is shared with apps.

Data Linked to You

**Third-Party Advertising:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ (Photos or Videos, Gameplay Content, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Developer's Advertising or Marketing:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ ( Photos or Videos, Gameplay Content, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Analytics:**

*   _Health & Fitness_ (Health, Fitness)
*   _Purchases_ (Purchase History, Financial Info, Payment Info, Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   Contacts
*   _User Content_ (Photos or Videos, Audio Data, Gameplay Content, Customer Support, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Sensitive Info_
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Product Personalization:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   Contacts
*   _User Content_ (Photos or Videos, Gameplay Content, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Sensitive Info_
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**App Functionality:**

*   _Health & Fitness_ (Health, Fitness)
*   _Purchases_ (Purchase History)
*   _Financial Info_ (Payment Info, Credit Info, Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data, Gameplay Content, Customer Support, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Sensitive Info_
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Other Purposes:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ (Photos or Videos, Gameplay Content, Customer Support, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

Bluesky

Looking for an app that collects less personal data? Bluesky (Android, Apple) is a buzzy Twitter alternative started by Twitter founder Jack Dorsey and managed by CEO Jay Graber. Bluesky uses the AT Protocol that it created. Like Mastodon already does and Threads soon will, Bluesky incorporates the Fediverse servers as its backbone. The app is currently invite-only, but it does not currently collect anywhere near as much information as Threads or Twitter.

For Bluesky, the data that’s linked to you is focused on app functionality, like remembering your email and user ID, or access to photos and videos on your device so you can post memes. Here’s where you can find more info about Bluesky’s privacy policy. Keep in mind the service is still new and adding features, so there will likely be changes as it evolves.

Below is all the data collected by Bluesky that’s mentioned in the App Store. (Remember that this is only for iPhone owners. If you use an Android smartphone, you have more control over what data is shared.)

Data Linked to You

**App Functionality:**

*   _Contact Info_ (Email Address)
*   _User Content_ (Photos or Videos, Customer Support, Other User Content)
*   _Identifiers_ (User ID)

Data Not Linked to You

**Analytics:**

*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

**App Functionality:**

*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

Mastodon

What if you want a social media app that doesn’t suck up all your personal data? **Mastodon** (Android, Apple) might be a good option for you. Originally launched in 2016 by Eugen Rochko, Mastodon uses a decentralized protocol that’s different from Threads and Bluesky, called ActivityPub. It’s part of the Fediverse of shared servers. Mastodon is not exactly a new pick; it has positioned itself for years as an alternative to Twitter. (Remember, 2023 isn’t the first time users have considered ditching Twitter for something new and exciting.)

Are you trying it out for the first time? Here’s a great guide to getting started on Mastodon. There’s a bit of a learning curve with this one.

Below is all the data collected by Mastodon that’s mentioned in the App Store.

_\*In the style of Taylor Swift.\*_

\[Blank Space\]

That's right, the Mastodon app for iOS won't collect any data from your device. For Android owners, the app may share your name and email address with other companies.

If you don't like the official Mastodon apps for any reason, you can always try alternative apps with unique interfaces and features. Just be on the lookout for the privacy policies and data collection for those apps, since they don't have to commit to zero-data collection the way the official ones do.

Spill

Are you part of (or a fan of) Black Twitter and on the search for a new posting platform, preferably one that’s inclusive and voicey? Spill (Apple) is a Black-owned social media app that’s made with diverse communities in mind, specifically people of color. It was founded by Alphonzo “Phonz” Terrell and Devaris Brown, who both used to work at Twitter, and it launched earlier this year. Spill is not part of the Fediverse of shared servers.

Spill is currently invite-only, but you can sign up for the waiting list. While Spill does gather sensitive info, the other aspects of its data collection are not as extensive as Threads. Here’s the full privacy policy you can read over.

Below is all the data collected by Spill that’s mentioned in the App Store. It’s worth noting that Spill’s dev team is working on an Android app, but it’s not yet available to use.

Data Linked to You

**Developer's Advertising or Marketing:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**Analytics:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**Product Personalization:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _Contacts_
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**App Functionality:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _Contacts_
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**Other Purposes:**

*   _Contact Info_ (Email Address, Phone Number)

Hive Social

It’s a bit smaller than other platforms, but Hive Social (Android, Apple) is another contender for your attention span that’s particularly popular with gamers. This app is not part of the Fediverse. Nostalgic for the days when curated music would automatically play when a person visited your profile? This feature is one way Hive differentiates itself from Twitter, along with a built-in Q&A feature that lets your followers ask you questions (sometimes anonymously) that you can answer in posts to your feed. Want to give Hive a try? Check out our guide with tips for getting started.

The app collects information about you for functionality and analytics, but it’s not connected specifically to you. Learn more about what data the app uses by taking a look at its privacy policy.

Below is all the data collected by Hive Social that’s mentioned in the App Store for iPhone owners. (Have a Google Pixel or other Android device in your pocket? You can go into your privacy settings for more control over what data Hive collects.)

Data Not Linked to You

**Analytics:**

*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Photos or Videos, Customer Support, Other User Content)
*   _Identifiers_ (User ID)
*   _Usage Data_ (Product Interaction, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

**App Functionality:**

*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Photos or Videos, Customer Support, Other User Content)
*   _Identifiers_ (User ID)
*   _Usage Data_ (Product Interaction, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

What About Twitter?

It may seem like Threads collects a ton of personal data. (Because it does!) For more context, let’s go over what Twitter asks for as well. Twitter (Android, Apple) keeps plenty of data that’s linked to users and used to track you, like your purchase history and browsing history. With that in mind, the app does not list “sensitive information” as one of the disclosed categories of data collection. Check out its full privacy policy for an in-depth breakdown.

Below is all the data collected by Twitter that’s mentioned in the App Store. (Escaped from Apple’s walled garden? The Android app for Twitter still collects some personal data, like your precise location and web browsing history, unless you adjust your privacy settings.)

Data Used to Track You

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address)
*   _User Content_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)

Data Linked to You

**Third-Party Advertising:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address)
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)
*   _Diagnostics_ (Performance Data)

**Developer's Advertising or Marketing:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address)
*   _User Content_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)

**Analytics:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contacts_
*   _User Content_ (Photos or Videos, Audio Data, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)
*   _Diagnostics_ (Crash Data, Performance Data)

**Product Personalization:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address, Phone Number)
*   _Contacts_
*   _User Content_
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

**Other Purposes:**

*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _Contacts_
*   _User Content_ (Photos or Videos)
*   Search History
*   _Identifiers_ (User ID)

Data Not Linked to You

**Third-Party Advertising:**

*   _Other Data_

**Developer's Advertising or Marketing:**

*   _Other Data_

**Analytics:**

*   _User Content_ (Emails or Text Messages)
*   _Other Data_

**App Functionality:**

*   _Contact Info_ (Physical Address)
*   _User Content_ (Emails or Text Messages)
*   _Other Data_

How Threads' Privacy Policy Compares to Twitter's (and Its Rivals')

Meta’s Twitter alternative promises that it will work with decentralized platforms, giving you greater control of your data. You can hold the company to that—if you don't sign up.

As Meta’s Twitter competitor, Threads, started generating buzz ahead of yesterday’s launch, curious netizens spotted a placeholder listing for the app in Apple’s App Store. Like all iOS apps, the listing included details about the user data the app is designed to collect and track. And observers couldn’t help but notice that this brand-new app was already listing a whopping 14 categories of data that “may be collected and linked to your identity.” 

It might be a jarring reminder, but this is par for the course with Meta-owned apps, which the company monetizes by selling targeted ads and personalized marketing. Facebook and Instagram’s iOS apps list even more categories than Threads, the Messenger app lists about as many, and even the secure messaging app WhatsApp discloses nine categories of “Data Linked to You.” So for people fed up with Twitter’s rapidly deteriorating platform (and vibes), a Meta-owned alternative—with its predictability and relative stability—could even potentially appeal to those who are generally concerned about data privacy. 

Early data suggests as much: Threads, which is directly linked to users’ Instagram accounts, saw 10 million sign-ups in its first seven hours, according to CEO Mark Zuckerberg. Ultimately, Meta’s pitch for Threads is simply that it’s the devil you know.

But one thing is different this time: Meta is dangling an opportunity to essentially be on Threads without signing up for the platform at all. The company announced yesterday that it is planning to make Threads interoperable with other, non-Meta social networks that support a decentralized protocol already used by WordPress and 2022’s decentralization poster child, Mastodon. This means that if Meta follows through, you’ll be able to see and interact with Threads content from other platforms and services that support the standard, which is known as ActivityPub.

Meta says that Threads will start supporting ActivityPub “soon,” a descriptor that doesn’t necessarily inspire confidence. The company has already spent years, for example, working on its longtime promise of default end-to-end encryption on Messenger. But incorporating decentralization into Threads, and specifically supporting ActivityPub, has reportedly been a core aspect of Meta’s vision for the app from the beginning. Meta has also already sketched out details of the plan in its supplemental privacy policy for Threads.

All of this means that if you’re sick of Meta’s data-gobbling ways, or you don’t already have an Instagram account and don’t want to get one, you actually have some leverage: Don’t join Threads. Use Mastodon or another ActivityPub platform until Threads comes to you. Or hang out on Bluesky, which doesn’t support ActivityPub but is working on its own vision of a decentralized, portable social network.

“The fact that large platforms are adopting ActivityPub is not only validation of the movement towards decentralized social media, but a path forward for people locked into these platforms to switch to better providers. Which in turn, puts pressure on such platforms to provide better, less exploitative services," Mastodon CEO Eugen Rochko wrote in a blog post ahead of yesterday’s Threads launch.

Easy examples of decentralized services you already intuitively understand are phones and email. You can call anyone on any number, even if you and the person you’re calling buy phone service from different companies. Same with email. Even if pretty much everyone you know uses Gmail, there’s nothing materially different about emailing with the Yahoo and Hotmail holdouts in your life. And maybe your friend Jane runs her own email server and her address is jane@janerox.com. Love that for you, Jane—doesn’t change anything for anyone else.

That’s it. That’s how “the fediverse,” or federated services, work too. You join a server, and you’re trusting that server with your data. But then you can communicate with all the other servers running the same protocol, and the only data everyone on all those other servers can see from you is the content you choose to put out there. So Gmail has all of your emails and usage history, and Jane has all of her own emails and usage history, but the only data she has about you on her server is the emails you’ve sent her. And the only data Gmail has about Jane comes from her interactions with you and any other Gmail users.

Decentralization doesn’t change the basic functions of a social network, and that’s fine. The whole point of these services is to be a platform for publicly posting and consuming information. They aren’t designed around implementing end-to-end encryption. The servers still have access to user data and can be subpoenaed by governments or hacked. But decentralization creates a model through which users can elect to entrust their information to servers based on which ones have less-predatory data practices.

Ross Schulman, senior fellow for decentralization at digital rights nonprofit the Electronic Frontier Foundation, notes that if Threads emerges as a massive player in the fediverse, there could be concerns about what he calls “social graph slurping." Meta will know who all of their users interact with and follow within Threads, and it will also be able to see who their users follow in the broader fediverse. And if Threads builds up anywhere near the reach of other Meta platforms, just this little slice of life would give the company a fairly expansive view of interactions beyond its borders.

“I am perhaps equal parts excited and apprehensive to see how things play out with Threads, but it is really underlining the beauty of the fediverse that you have every option and the opportunity to choose,” Schulman says. “If you like Meta and you want to be in there, great. Go join Threads, you’ll be happy there, and you’ll also have access to everything else. If you don’t want to be a part of Meta, but you’ve got friends or family that do or public figures or whatever, then fine. You can get an account on any number of other fediverse servers and then follow the people that you want. Or if you want nothing to do at all with Meta, then there are plenty of servers out there \[that\] have already announced that they're preemptively blocking Threads. So you can live that life, too.”

No matter who you throw your lot in with, an important concept is that the server you choose is still going to have access to your data, even though all the other servers don’t. If Threads implements ActivityPub and you use it to interact with the fediverse, you’re choosing Meta as your server and everything that comes with that. If you run your own server, like Jane, you can retain full control. But if you’re somewhere in the middle and use a server run by someone else, you need to keep an eye out for future changes. Mastodon is currently a crowdfunded platform, but it’s largely unclear what the business model will be for decentralized services like Bluesky. And future pivots could mean that your server eventually implements more user-monitoring or data-tracking practices. Then it might be time to move on—a process made easier by the portability that's built into the fediverse, allowing you to switch servers while maintaining your connections.

If you’re a Twitter user, or used to be, you have already dealt with a service that makes dramatic changes and completely upends your expectations and trust. But the Twitter case study illustrates a crucial idea. From a data privacy perspective, the worst-case scenario is no worse in the world of decentralization, the best-case scenario is much better, and, for once, you get a say in where you end up.

Don't Join Threads—Make Instagram's 'Twitter Killer' Join You

Commercial spyware has become so notorious that international governments are taking notice and action against it, as evidenced by the Biden administration’s recent Executive Order on commercial spyware.

Thursday, July 6, 2023 08:07

Attackers have long used commercial products developed by legitimate companies to compromise targeted devices. These products are known as commercial spyware. Commercial spyware operations mainly target mobile platforms with zero- or one-click zero-day exploits to deliver spyware. This threat initially came to light with the leaks of HackingTeam back in 2015, but gained new notoriety with public reporting on the NSO Group, and, in the years that have followed, the landscape has exploded.

There are now numerous companies with similar offerings, like Intellexa, DSIRF, Variston IT, and the newly disclosed Quadream representing just a small subset — there are likely more that are operating covertly today.

Commercial spyware has become so notorious that international governments are taking notice and action against it, as evidenced by the Biden administration’s recent Executive Order on commercial spyware. A recent report from the United Kingdom’s National CyberSecurity Center (NCSC) highlights the accessibility of these tools “lowers the barrier to entry to state and non-state actors in obtaining capability and intelligence.” As recently as June 2023, the European Parliament’s plenary session voted on an ongoing investigation concerning the illicit usage of NSO’s Pegasus and equivalent surveillance spyware by EU member states (PEGA report). In this session, European Parliament members argued that the illicit usage of spyware has put “democracy itself at stake” and called for legislative changes and stricter regulation of the use of commercial spyware. The full press release and report can be found here.

**Commercial spyware companies don't care who is targeted by their products**

Commercial spyware companies advertise their products simply as a means of obtaining access and deny having any knowledge of who their customers’ targets are. This tactic is possibly a means of plausible deniability in the event that illegal targeting of individuals is traced back to their spyware. To avoid legal repercussions, these companies have headquarters in countries that do not have laws governing the export of their products or which classify the entities as IT service providers, effectively removing them from any product liability. These companies can therefore ultimately sell to whomever can pay without regard for who the intended targets are or what the impacts on the victims might be.

Although advertised as “tools” for law enforcement and government agencies strictly intended for legal use, report after report has shown commercial spyware has consistently been used against ethically questionable targets that don't fit the profile of criminals or terrorists. Such targets have repeatedly been journalists, politicians and activists who the host government perceives as competitors or existential threats. While these technologies may exist to fight terrorism and organized crime, their sale and usage must be regulated and subject to scrutiny by judicial authorities at an international level to prevent their misuse and abuse.  

One such example of limited repercussions within a host state is the case where a journalist in Greece was targeted with Predator Spyware, eventually leading to the resignation of Greece’s National Intelligence Service’s director in 2022 and the subsequent ban on the use of commercial spyware in Greece. Earlier in 2022, we also saw the departure of the NSO group’s CEO from the company amid widespread public outrage over the use of their spyware by Israeli Police forces.

**The untethered future of commercial spyware**

Mobile platform developers such as Google and Apple have repeatedly introduced and implemented protections and mitigations in their operating systems. However, commercial spyware providers often use zero-day, zero-click exploits to compromise victims’ mobile devices and are so confident in their ability to repeatedly compromise phones _without getting caught_ that, in some cases, they don't even deploy persistence mechanisms — a simple device reboot is enough to remove the implant from the device. However, a device reboot simply results in the commercial spyware outfit reinfecting the device using the zero-day, zero-click combination they had used during the initial compromise indicating the aggressive nature of these campaigns.

We see no indications that these commercial spyware offerings are slowing down. If anything, they are growing along with the constant availability of exploitable, unpatched/unknown vulnerabilities. Until the international community acts to regulate the technology, very little is going to change. When exposed by researchers, some of these companies just cease to exist. But in reality, they do not shut down, they just rebrand under a different name or merge with others sharing the technology they have produced. A typical example of such a case is the commercial spyware firm Cytrox, which was on the verge of disappearing, but was subsequently “rescued” and is now part of the Intellexa conglomerate.

Private and government organizations have taken steps to legally curb the use of commercial spyware, including attempts to hold them responsible for their actions in the past. Meta, formerly Facebook, is one of the first to move against commercial spyware companies by opening a lawsuit against the NSO Group for leveraging Meta-owned WhatsApp in their infection chain. The Biden administration has also taken an important step in fighting these companies with the Executive Order putting limitations on the U.S. government's ability to use commercial spyware to “discourage the improper use of commercial spyware; and encourage the development and implementation of responsible norms regarding the use of commercial spyware that are consistent with respect for the rule of law, human rights, and democratic norms and values.”

However, limited legal and legislative actions are yet to have an _immediate_ positive effect on curbing the use of commercial spyware. Despite these steps toward limiting the operations of these spyware companies, they are likely to keep operating in any region as long as it's financially and legally feasible. Increasing scrutiny with export regulations, criminal liability and fines may be a way forward towards ensuring that their activity does not go beyond the legitimate purposes they advertise.

**Risk profile**

For almost everyone on the planet, your Apple or Android phone’s built-in security features are more than sufficient to keep you protected. However, the commercial spyware industry has proven that it is easy to compromise targets if you have access to these products and the means to use them. We've seen numerous deeply concerning reports of people being compromised and are commonly met with the news that it was a journalist or dissident. The ability of these companies to repeatedly compromise devices, regardless of patch level, makes protection difficult.

For those that believe they are being or could be targeted by commercial spyware, rebooting the device before contacting a source or switching to lockdown mode might be the only options for the foreseeable future.

If you feel that you have been targeted by commercial spyware, there are also more generic habits that should be part of your daily routine:

*   Reboot your device regularly.
*   Use lockdown mode if your device is an iPhone.
*   Don’t click on links from dubious sources.
*   Don’t accept private messages from unknown persons.
*   If you have to keep a public contact, use an empty device to receive such contacts and reset it frequently.
*   Keep your devices up-to-date.

_If readers suspect their system(s) may have been compromised by commercial spyware or hack-for-hire groups, please consider notifying Talos’ research team at talos-mercenary-spyware-help@external.cisco.com to assist in furthering the community’s knowledge of these threats._

The growth of commercial spyware based intelligence providers without legal or ethical supervision

Cybersecurity researchers have unearthed an attack infrastructure that's being used as part of a "potentially massive campaign" against cloud-native environments.
"This infrastructure is in early stages of testing and deployment, and is mainly consistent of an aggressive cloud worm, designed to deploy on exposed JupyterLab and Docker APIs in order to deploy Tsunami malware, cloud credentials

Cloud Security / Server Hacking

Cybersecurity researchers have unearthed an attack infrastructure that's being used as part of a "potentially massive campaign" against cloud-native environments.

"This infrastructure is in early stages of testing and deployment, and is mainly consistent of an aggressive cloud worm, designed to deploy on exposed JupyterLab and Docker APIs in order to deploy Tsunami malware, cloud credentials hijack, resource hijack, and further infestation of the worm," cloud security firm Aqua said.

The activity, dubbed **Silentbob** in reference to an AnonDNS domain set up by the attacker, is said to be linked to the infamous cryptojacking group tracked as TeamTNT, citing overlaps in tactics, techniques, and procedures (TTPs). Alternatively, it could be the work of an "advanced copycat."

Aqua's investigation was prompted in the aftermath of an attack targeting its honeypot in early June 2023, leading to the discovery of four malicious container images that are designed to detect exposed Docker and Jupyter Lab instances and deploy a cryptocurrency miner as well as the Tsunami backdoor.

This feat is achieved by means of a shell script that's programmed to launch when the container starts and is used to deploy the Go-based ZGrab scanner to locate misconfigured servers. Docker has since taken down the images from the public registry. The list of images are below -

*   shanidmk/jltest2 (44 pulls)
*   shanidmk/jltest (8 pulls)
*   shanidmk/sysapp (11 pulls)
*   shanidmk/blob (29 pulls)

shanidmk/sysapp, besides executing a cryptocurrency miner on the infected host, is configured to download and run additional binaries, which Aqua said could either be backup cryptominers or the Tsunami malware.

UPCOMING WEBINAR

🔐 Privileged Access Management: Learn How to Conquer Key Challenges

Discover different approaches to conquer Privileged Account Management (PAM) challenges and level up your privileged access security strategy.

Reserve Your Spot

Also downloaded by the container is a file named "aws.sh.txt," a script that's likely designed to systematically scan the environment for AWS keys for subsequent exfiltration.

Aqua said it found 51 servers with exposed JupyterLab instances in the wild, all of which have been actively exploited or exhibited signs of exploitation by threat actors. This includes a "live manual attack on one of the servers that employed masscan to scan for exposed Docker APIs."

"Initially, the attacker identifies a misconfigured server (either Docker API or JupyterLab) and deploys a container or engages with the Command Line Interface (CLI) to scan for and identify additional victims," security researchers Ofek Itach and Assaf Morag said.

"This process is designed to spread the malware to an increasing number of servers. The secondary payload of this attack includes a crypto miner and a backdoor, the latter employing the Tsunami malware as its weapon of choice."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Silentbob Campaign: Cloud-Native Environments Under Attack

70% think criminals will move from WhatsApp etc to non-regulated apps, post OSB.

**London - 4th July 2023 -** This week, the House of Lords continues to debate the Online Safety Bill (OSB), demanding every private online message sent in the UK is scanned for the potential of illegal content. A new study shows the UK public believe the new legislation will not achieve this aim.

The independent survey, conducted by Opinium for Element, polled 2,000 politically and nationally representative UK citizens. It revealed that, despite Government assurances, 70% of the UK public believes scanning our online messages will not stop criminal activity, and 44% think it will damage national security, by creating a centralised 'honeypot' for nation state hackers. 

**UK Public at Odds With Government**

Unlike the Government, some 83% of UK citizens believe personal conversations on messaging apps such as Element, WhatsApp, or Signal should have the highest level of security and privacy. However, under the Online Safety Bill, communications providers are expected to break the trust of their consumers and scan every single one of their conversations, on the off chance they are committing an egregious crime. Key findings from the research study are:

*   70% of respondents said the if the OSB insists on scanning all online messages, criminals will move to other platforms to continue illegal activities
*   44% believe it will make the UK more vulnerable to cyber attacks from nation states like Russia and China
*   43% believe UK citizens will be even more vulnerable to cyber attacks from criminals

Matthew Hodgson, CEO of Element, comments: "Technology is not responsible for criminal behaviour and it should never be touted as a catch-all solution as the OSB currently does. If the UK won't listen to security experts, perhaps it will now listen to its citizens who know very well that surveilling our online conversations will only push criminals to other platforms, while reducing security for good actors."

He notes: "This research shows UK citizens are well aware that their privacy, and that of our businesses and even our Government, will suffer if this poorly thought-out legislation comes to pass. Criminals and rogue nations will rejoice. We need to stop this Bill."

**Private Conversations for All**

No matter how you cut it, UK consumers care about retaining the privacy and security of online conversations. 44% of the British public believe citizens should have access to the best private and secure communications available, not just the government (27%). This drops down to only 7% for businesses.

**OSB Drops UK Privacy to North Korea, Russia, and China Levels**

The Online Safety Bill proposes that Ofcom can mandate an unspecified 3rd party tool to connect to private messaging systems such as Element, WhatsApp, and Signal to covertly scan messages. Brits said China, North Korea and Russia are the countries most likely to routinely scan private messages in this way today — just 12% expected Britain to adopt such widespread routine surveillance, although this is the stated intention of the Bill.

Hodgson continues: "If the Online Safety Bill goes through, every online conversation could end up being surveilled, placing us on the same stage as other governments we know monitor their citizens' conversations - China, Russia and North Korea. Meanwhile Brits will lose their strongest cyber defence, giving criminals the upper hand; criminals who will not be using regulated apps known to comply with Ofcom’s requirements."

Tag

#sap