Legal documents released as part of an ongoing legal tussle between Meta's WhatsApp and NSO Group have revealed that the Israeli spyware vendor used multiple exploits targeting the messaging app to deliver Pegasus, including one even after it was sued by Meta for doing so.
They also show that NSO Group repeatedly found ways to install the invasive surveillance tool on the target's devices as

NSO Group Exploited WhatsApp to Install Pegasus Spyware Even After Meta's Lawsuit

Red Hat Security Advisory 2024-9601-03 - An update for tigervnc is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include buffer overflow and privilege escalation vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9601.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: tigervnc security updateAdvisory ID:        RHSA-2024:9601-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9601Issue date:         2024-11-13Revision:           03CVE Names:          CVE-2024-9632====================================================================Summary: An update for tigervnc is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Virtual Network Computing (VNC) is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients.Security Fix(es):* xorg-x11-server: tigervnc: heap-based buffer overflow privilege escalation vulnerability (CVE-2024-9632)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-9632References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2317233

Red Hat Security Advisory 2024-9601-03

Red Hat Security Advisory 2024-9566-03 - An update for libsoup is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a HTTP request smuggling vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9566.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: libsoup security updateAdvisory ID:        RHSA-2024:9566-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9566Issue date:         2024-11-13Revision:           03CVE Names:          CVE-2024-52530====================================================================Summary: An update for libsoup is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The libsoup packages provide an HTTP client and server library for GNOME.Security Fix(es):* libsoup: HTTP request smuggling via stripping null bytes from the ends of header names (CVE-2024-52530)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-52530References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2325284

Red Hat Security Advisory 2024-9566-03

The China-affiliated group is using the highly modular DeepData framework to target organizations in South Asia.

Source: u3d via Shutterstock

China's APT41 threat group is using a sophisticated Windows-based surveillance toolkit in a cyber-espionage campaign targeting organizations in South Asia.

The malware adds to the already broad portfolio of malicious tools that the threat actor has deployed in recent years and makes APT41 an even more pernicious threat to targeted enterprises.

**Optimized Plug-ins**

Researchers at BlackBerry, among the many who are tracking the threat actor, spotted the new malware toolkit earlier this year and have dubbed it "DeepData Framework." Their analysis showed it to be a highly modular toolkit that supports as many as 12 separate plug-ins, each one optimized for a specific malicious function.

Four of the plug-ins steal communications from WhatsApp, Signal, Telegram, and WeChat. Another three are rigged to steal and exfiltrate system information, Wi-Fi network data, and information on all installed applications on the compromised system — including names and installation paths. Three DeepData plug-ins steal information related to browsing history and cookies; they also grab passwords from Web browsers, Baidu storage services, FoxMail, and other cloud services, and other information like user emails and contact lists in Microsoft Outlook. The remaining two plug-ins enable theft of audio files from compromised systems.

Blackberry researchers chanced upon DeepData when conducting an investigation of "LightSpy," an iOS implant that they have tracked APT41 using in an ongoing and wide-ranging mobile espionage campaign against targets in India and South Asia. Their analysis showed DeepData to have a similar design to LightSpy in that both have a core module and support for multiple data theft plug-ins.

Significantly, DeepData appears to be a malware toolkit that the attackers are manually interacting with after compromising a target and gaining access. "The \[command and control\] address is also specified as a command line argument, as are the requested plugins to be run or data to extract," Blackberry's research and intelligence team said in a blog post this week. "The implication of this execution method is that it must be done manually, sans a script or some other bundling distribution."

**Surveillance Powers Continue to Grow**

DeepData adds to APT41's already formidable surveillance and cyber espionage capabilities. The malicious framework is an example of the constantly emerging threats that organizations have to deal with when trying to mitigate threats from advanced persistent threat groups and nation-state bad actors. "Our latest findings indicate that the threat actor behind DeepData has a clear focus on long-term intelligence gathering," BlackBerry said. Since first deploying LightSpy in 2022, the threat actor has methodically and strategically bulked up its capabilities to intercept communications and steal data in total stealth, BlackBerry said.

APT41 is a known threat actor that security vendors and researchers have been variously tracking as Winnti, WickedPanda, Barium, Wicked Spider, and other names. Some vendors consider APT41 to be a collection of smaller subgroups collectively working at the behest of, or on behalf of the Chinese government. The group's mandate appears to be very broad, based on its targets and the kind of campaigns it has conducted in recent years.

Most recently, researchers tied APT41 to attacks targeting global logistics and utilities companies, and to a campaign that targeted research entities in Taiwan. Over the years, the group has stolen data from a wide range of organizations, including intellectual property and trade secrets from healthcare organizations, media and entertainment companies, government agencies, automative firms, retailers, energy companies, pharmaceutical companies, and others. Its activities prompted a US government investigation and subsequent indictment of five alleged members of APT41 back in 2020. Its victims have spanned Europe, Asia, and North America.

The group's latest South Asian campaign appears aimed at politicians, journalists, and political activists in the region, according to BlackBerry. "Organizations of all sizes, particularly those in targeted regions, should treat this threat as a high priority and implement comprehensive defensive measures."

The company's recommended mitigation measures include blocking the group's known C2 infrastructure, monitoring networks and devices for unexpected audio recording activities, using secure communications for transmitting data, and deploying the detection rules that BlackBerry has released for DeepData components.  

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Toolkit Vastly Expands APT41's Surveillance Powers

Red Hat Security Advisory 2024-9525-03 - An update for libsoup is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a HTTP request smuggling vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9525.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: libsoup security updateAdvisory ID:        RHSA-2024:9525-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9525Issue date:         2024-11-13Revision:           03CVE Names:          CVE-2024-52530====================================================================Summary: An update for libsoup is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The libsoup packages provide an HTTP client and server library for GNOME.Security Fix(es):* libsoup: HTTP request smuggling via stripping null bytes from the ends of header names (CVE-2024-52530)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-52530References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2325284

Red Hat Security Advisory 2024-9525-03

Red Hat Security Advisory 2024-9500-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9500.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: kernel security updateAdvisory ID:        RHSA-2024:9500-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9500Issue date:         2024-11-13Revision:           03CVE Names:          CVE-2022-48695====================================================================Summary: An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel packages contain the Linux kernel, the core of any Linux operating system.Security Fix(es):* kernel: drm/amdgpu: use-after-free vulnerability (CVE-2024-26656)* kernel: scsi: mpt3sas: Fix use-after-free warning (CVE-2022-48695)* kernel: mptcp: pm: Fix uaf in __timer_delete_sync (CVE-2024-46858)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-48695References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2272692https://bugzilla.redhat.com/show_bug.cgi?id=2278999https://bugzilla.redhat.com/show_bug.cgi?id=2315210

Red Hat Security Advisory 2024-9500-03

US Immigration and Customs Enforcement put out a fresh call for contracts for surveillance technologies before an anticipated surge in the number of people it monitors ahead of deportation hearings.

On November 6, just hours after news outlets declared that Donald Trump had been elected the next president of the United States, Immigration and Customs Enforcement posted a notice asking companies to submit plans for how they would expand ICE’s system of ankle monitors, GPS trackers, biometric check-in technology, and human agents monitoring “non-citizens” awaiting immigration court hearings or deportation.

The notice signals the mechanisms through which ICE will expand its intensive surveillance of people awaiting deportation hearings—a list that could grow from under 200,000 to more than 5 million.

Throughout Trump’s presidential campaign, he has promised to execute “the largest deportation operation in American history.” Beyond promising workplace raids and giant detention “camps,” Trump hasn’t released specific plans for how his mass deportations would work. However, it’s likely that many granular aspects of a mass monitoring, detention, and deportation program would be planned by private companies contracting with ICE.

ICE’s recent notice asks interested companies to send specific details about how they would store location data and personal information, where their office locations would be, how they would staff agents, and what technology they have for remote surveillance, among other details. Currently, ICE uses a combination of ankle monitors and GPS-enabled smartwatches and smartphone apps to remotely monitor people. It also uses apps with facial recognition for “biometric” check-ins.

The notice says companies must have facilities with “suitably large intake rooms” for people being enrolled in ICE surveillance. They also must have the “ability to perform mass-scale intakes as required by unforeseeable events.”

Contractors would be facilitating ICE’s Intensive Supervision Appearance Program, which is a way for ICE to monitor these undocumented or unnaturalized people without placing them in a detention facility. ISAP is meant especially for people who have been in the United States for some period of time and already have a house, apartment, or other residence. ISAP has flourished under President Biden, who has more than doubled the number of participants since December 2020, putting the current total at almost 200,000 people.

For ICE, according to the November notice, the program offers “considerable cost savings” compared to detention. So even if Trump follows through on his promise of mass detention, it’s likely that ISAP would be a significant aspect of any mass deportation program.

Compared to its recent November notice, ICE was more detailed about its 2025 plans in a different notice released last year. This earlier notice shows that ICE was preparing for a more intense immigration policy on the horizon regardless of who eventually won the election.

In the 2023 notice, ICE says that ISAP’s parent program, Alternatives to Detention, would be rebranded as Release and Reporting Management. This new program would involve monitoring every single non-detained person who’s awaiting a court hearing or deportation, as opposed to just some. At the time the notice was published, ICE said 5.7 million people were eligible to be monitored under the new program—meaning that if implemented, the scale of ICE’s remote surveillance would increase by approximately 3,000 percent.

According to a government contract database, B.I. Incorporated has been ICE’s ISAP contractor since at least 2005. The company is a subsidiary of GEO Group, which is one of the largest private prison companies in the US.

Though the stock market as a whole went up the day after Trump’s victory, GEO Group’s stock boost made it “the single biggest winner in the US stock market—among companies of any size,” according to Robinhood-owned investment news site Sherwood News. Its five-year contract to run ISAP, worth $2.2 billion, is scheduled to expire next year.

On a post-election earnings call for GEO Group, CEO Brian Evans said that the company could increase its ISAP capacity by “several hundreds of thousands of participants, and up to several million if necessary,” as reported by HuffPo. The company’s COO, Wayne Calabrese, added that they have already informed ICE that it’s ready to do this.

“We expect the incoming Trump administration to take a much more expansive approach to monitoring the several millions of individuals who are currently on the non-detained immigrant docket,” Calabrese said on the call.

According to HuffPo, GEO Group competitor CoreCivic (previously called Corrections Corporation of America) had its own post-election earnings call, during which CEO Damon Hininger said that the timing of the November 6 ICE notice was “probably not a coincidence.”

“We took that as a very encouraging sign,” Hininger said.

ICE Started Ramping Up Its Surveillance Arsenal Immediately After Donald Trump Won

## Description

When the `register_argc_argv php` directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request.

## Resolution

The framework now ignores argv values for environment detection on non-cli SAPIs.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-gv7v-rgg6-548h: Laravel environment manipulation via query string

Red Hat Security Advisory 2024-9331-03 - An update for krb5 is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory leak vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9331.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: krb5 security updateAdvisory ID:        RHSA-2024:9331-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9331Issue date:         2024-11-12Revision:           03CVE Names:          CVE-2024-26458====================================================================Summary: An update for krb5 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).Security Fix(es):* krb5: Memory leak at /krb5/src/lib/rpc/pmap_rmt.c (CVE-2024-26458)* krb5: Memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c (CVE-2024-26461)* krb5: Memory leak at /krb5/src/kdc/ndr.c (CVE-2024-26462)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.5 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-26458References:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/9.5_release_notes/indexhttps://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2266731https://bugzilla.redhat.com/show_bug.cgi?id=2266740https://bugzilla.redhat.com/show_bug.cgi?id=2266742

Red Hat Security Advisory 2024-9331-03

Atlas Biomed, a DNA testing company that promised clients insights into their genetic disposition has suddenly disappeared.

A DNA testing company that promised clients insights into their genetic disposition has suddenly disappeared. The BBC reports it tried several methods to reach the company but failed in this effort.

London offices are closed, nobody answers the phone, and clients are no longer capable of accessing their online records. All the company’s social media accounts haven’t been updated since 2023 at the latest.

The atlasbiomed.com domain appears to be inactive. Customers were only able to look at their test results online, these were not downloadable, so now they are not only unable to see them, but they also have no idea what has happened to that data.

Although there is no evidence that any of the data has been misused, it is worrying to not know who now has access to the data, especially now that the investigation shows that there might be ties to Russia.

While four out of eight company officers have resigned, two of those that remain are listed at the same address in Moscow. That happens to be the same address as that of a Russian billionaire, who is described as a now resigned director.

DNA testing has become so commonplace that many people have blindly participated without truly understanding the implications. It has always been a problem to figure out who you could trust with your genetic data. For some people it’s their cheapest chance of finding out whether they are affected by some genetic disorder.

Since those early days, we’ve had several warnings about how submitting your genetic data can go sideways.

In 2018, MyHeritage suffered a security incident which exposed the email addresses and hashed passwords of 92 million users.

In 2020, Ancestry was acquired by investment firm Blackstone for $4.7 billion, which raised questions about the potential commercialization of genetic data and its transfer to new owners.

And the ongoing saga of what happened at 23andMe is the clearest example of why people would be hesitant to submit genetic data. In 2023, cybercriminals put up information belonging to as many as seven million 23andMe customers for sale on criminal forums following a credential stuffing attack against the genomics company.

Since then all board members have resigned, except for CEO Anne Wojcicki who has stood by her plans to take the company private, raising again the subject of what happens to customer genetic data when a company is sold.

Data breaches happen to the best companies. So, even if a company has good intentions, there is still a risk of your genetic data being linked to your personally identifiable information (PII). This makes the information a treasure trove for advertisers, insurance companies, and Big Pharma.

All of this makes it very understandable that customers of Atlas Biomed are worried about where their data might end up.

**Words of warning**

The UK regulator, the Information Commissioner’s Office (ICO) has confirmed it has received a complaint about Atlas Biomed, saying in a statement:

> “People have the right to expect that organizations will handle their personal information securely and responsibly.”

Unfortunately, we know that not all organizations will meet that expectation, so there are a few things you should keep in mind.

If you submit genetic material, research the company you want to trust with it thoroughly.

Only share the personal information you absolutely have to provide with the genetic testing company. Lie if you must and create a separate free email account so the information can’t be tied to your main account.

Make sure to familiarize yourself with the company’s privacy policy and opt out of sharing information where possible. Make sure to stay informed about any policy updates or changes from the company.

As a wise lady and one of my former editors once wrote:

> “Many a friend and family member have scoffed at my warnings to stay away from consumer DNA testing kits, remarking that they have nothing to hide or that there’s no harm in releasing their DNA into the hands of researchers. I honestly hope they’re right.
> 
> I hope they never have to fear having their health insurance ripped away because of pre-existing conditions or an increased risk of developing certain diseases. I hope they aren’t inundated with marketing emails about cancer-preventative nutrition or the best new medicines to prolong the onset of Alzheimer’s. I sincerely hope they’re never targeted by racial-profiling police officers, denied a job by a prejudiced employer or buried in paperwork after having their identity stolen by a hacker. And I fervently hope they’ll never have to hide their genetic profile from a government hell-bent on ridding its country of a certain ethnicity or race.”

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#sap