Risky Biz News: Intellexa pulls new Predator spyware infra after thorough undressing
In other news: US charges Tortoiseshell APT member; judge orders NSO to give Pegasus source code to Meta; new ASCII art attack bypasses LLM safety checks.
This newsletter is brought to you by Corelight. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:
Intellexa—the holding company that sells and operates the Predator spyware—has taken servers offline after two security firms exposed the company's brand-new infrastructure.
Reports from Sekoia and Recorded Future provided details on new domains and servers used as part of the Predatory attack and delivery platform.
The reports provided insights on how and from where Intellexa customers were launching operations against their targets. It included details on suspected phishing and social engineering domains and "delivery servers" that hosted and sent the Predator spyware to devices that needed to be infected.
"The complete Predator system comprises various elements, such as the spyware agent, exploits, and attack vectors. Exploits and payloads are distributed from an 'installation server,' and, upon infection, the device connects to a command-and-control C2 network. Both the 'installation server' and C2 server must be publicly accessible on the internet for connections from targeted devices. Operators can issue commands, such as to retrieve specific files or activate the device's microphone. An anonymization network obscures the operator's location and identity, making attribution of attacks more challenging."
Less than 24 hours after the second report went out, all of these servers went offline.
This marks the second time in less than six months that Intellexa has pulled the plug on its server infrastructure. The first was in October of last year when a consortium of news agencies published the Predator Files, an exposé of the Intellexa alliance and its Predator spyware platform.
The Predator Files revealed how a surveillance platform advertised as a law enforcement solution was often used in both democratic and oppressive regimes to spy on journalists, political opponents, NGOs, and human rights activities.
In a phone call, Félix Aimé, lead of Sekoia's APT threat intelligence team, told Risky Business that Intellexa's latest action is similar to what they saw last year when everything went offline in a similar manner.
It's unclear how much it will take the company to come back online with new servers and domains. Having server IPs and domain names listed in the public domain will lead cybersecurity firms to add detections and warnings.
Aimé believes the company's swift reaction is a combination of OpSec and contractual requirements.
Regardless of whether Intellexa's Predator platform is used against legitimate criminal organizations or an unsuspecting opposition party member, the company and its customers would like to avoid having their targets being alerted of ongoing ops—so a new rebuild is very likely.
There is also the matter of the practicality of exposing a surveillance vendor's infrastructure. There is, on the one hand, the argument that having spyware vendors re-tool every now and then keeps them busy and hampers their uptime and operations. On the other hand, there is the argument that keeping such information private allows security firms to track and report on their operations. Both ways have their merits and are used on a regular basis in the infosec field.
Breaches, hacks, and security incidents
Telecom incident in Taiwan: A threat actor has hacked and stolen sensitive information from the servers of Taiwan's largest telecom company. More than 1.7TB of files from Chunghwa Telecom have been put on sale on the dark web. According to Taiwan's Ministry of National Defence, some of the stolen data also includes military and government documents. [Additional coverage in France24]
Pepco phishing incident: European retail chain Pepco says it lost €15.5 million following what the company described as a phishing incident. Pepco says the funds were stolen from its Hungarian branch. The company says the incident did not appear to have involved any customer or supplier data.
Shido cyber-heist: A threat actor has stolen almost $35 million worth of assets from cryptocurrency platform Shido Network. The attacker is believed to have stolen almost half of the company's Shido tokens. The hack caused the Shido token price to fall by 94%. Experts believe the hacker exploited a vulnerability in the company's smart contracts to gain control and exfiltrate funds. [Additional coverage in InvestorsObserver]
General tech and privacy
Apple's DMA changes: Apple has published a 32-page document [PDF] going over all the changes it rolled out to its EU userbase in order to comply with the new EU Digital Markets Act (and why it thinks they're bad).
Google limits RCS access: Google has confirmed that the RCS app won't run on rooted Android devices. [Additional coverage in Android Authority]
GitHub push protection: GitHub is enabling a new feature by default for all its users designed to stop accidental leaks of API keys and secret tokens. Named Push Protection, the feature has been available as an opt-in for GitHub users since last year. It works by scanning GitHub code commits and blocking updates if it detects text that resembles API keys and secret tokens. According to GitHub, Push Protection can detect over 200 token formats from more than 180 companies.
Canada to investigate Google: Canada's Competition Bureau has obtained a court's clearance to start an investigation of Google's advertising business. The government will investigate if Google engaged in practices that hurt competitors in the online advertising business. The Bureau started investigating Google's abuse in 2016, only to be blocked in court by the company on several occasions.
EU to look at Meta's Pay-or-Okay: The EU is looking at Meta's Pay-or-Okay scheme, where it charges users money not to use or sell their private data. European privacy watchdog noyb filed a complaint against Meta for this practice last November, describing it as an extortion. This is not an official investigation yet but only an RFI (request for information).
HP printer business goes SaaS: HP's printer division has announced its new All-In business plan that will provide customers with a free printer and refills from $6.99/month. ArsTechnica has a better take on this with a headline of "HP wants you to pay up to $36/month to rent a printer that it monitors."
Twilio pricing change: Twilio is preparing to annoy its customers by adding a $0.025 fee on the delivery of international messages. The company describes the fee as an anti-fraud protection.
Government, politics, and policy
The Netherlands rips out national alarm system: The Dutch government has decided to rip out its physical national alarm system and replace it with a fully digital version known as NL-Alert. The replacement will take place at the end of 2025. [Additional coverage in NOS]
VPNs in Russia: Russia's VPN ban entered into effect on Friday, March 1, last week. [Additional coverage in BFM]
Sponsor section
In this Risky Business News sponsored interview, Tom Uren talks to Vijit Nair, Corelight’s VP of Product, about how cloud security was once an afterthought but is now on the improve.
Cybercrime and threat intel
Court orders NSO to hand over Pegasus code: A California judge has ordered spyware maker NSO Group to hand over the Pegasus source code to Meta. The decision is part of a lawsuit Meta's WhatsApp service filed against NSO in late 2019. The judge ruled that WhatsApp was entitled to the Pegasus source code as part of the lawsuit's discovery process. The lawsuit is still in its early phase after NSO tried to have it dismissed on several occasions. [Additional coverage in The Record]
Crimemarket takedown: German police have seized Crimemarket, the country's largest cybercrime marketplace. Authorities have seized servers, searched 36 locations, and arrested three individuals, including the site's main administrator. Crimemarket ran on both the clear and dark web and had more than 180,000 registered users. It primarily sold drugs, weapons, and cybercrime services.
Phishing gang detained: Dutch police have arrested four suspects for their alleged involvement in a phishing and bank helpdesk fraud scheme. Officials say they identified the four men using data seized from the Genesis underground cybercrime portal. Europol and the FBI took down the Genesis marketplace in April 2023. The site sold access to authentication cookies and login credentials that were stolen using malware from victims around the world.
Scam call center survivors repatriated: The Chinese government is repatriating more than 1,000 individuals who were previously trapped in Myanmar scam call centers. The victims were lured to Myanmar, trapped, and forced to work in call centers specialized in internet fraud, also known as pig butchering farms. They are part of a larger group of 1,200 individuals who were freed at the end of last year. It is unclear what will happen to the remaining 200 victims. Many of them are from African countries. [Additional coverage in DW]
New npm malware: Eight malicious npm packages were discovered last week. Check out GitHub's security advisory portal for more details.
KEV update: CISA has updated its KEV database with a new vulnerability that is currently exploited in the wild. The vulnerability is CVE-2023-29360, an elevation of privilege in the Windows Streaming Service. Microsoft patched the bug in June 2023.
AriBnB scam campaign: Malwarebytes researchers have discovered 220 domains pushing AirBnB scams via malicious search ads.
Mystery box scam ads: Bitdefender looks at a series of "mystery box" scam ads that have been flooding social media users for the past months.
The world of Traffers: Security researcher g0njxa has published an introduction into the world of "traffers," a term used to describe threat actors that help (re)distribute web traffic to malware operations.
Infostealer ecosystem: Security firm LogPoint has published a 58-page report on the infostealer ecosystem.
Surge in PDF delivery: McAfee has seen a spike in the distribution of prominent malware through PDF files.
TA577 phishing infrastructure: Intel-Ops has published an analysis of the TA577 infrastructure used in recent phishing campaigns. This campaign used Impacket to capture NTLMv2 hashes and steal credentials.
Contiinued phishing kit: The folks at BadOosb have published some tips on how to hunt for instances of the Contiinued phishing kit.
CryptoChameleon: Lookout has published a technical report on CryptoChameleon, a phishing kit that was used in recent campaigns targeting cryptocurrency users and even FCC employees.
"Following the tactics of groups like Scattered Spider, this kit enables attackers to build carbon copies of single sign-on (SSO) pages, then use a combination of email, SMS, and voice phishing to trick the target into sharing usernames, passwords, password reset URLs and even photo IDs from hundreds of victims, mostly in the United States."
Threat/trend reports: Some infosec reports covering industry threats and trends came out at the end of last week from Fortinet, Kaspersky, and Chainalysis.
Malware technical reports
NoName057(16)'s DDoSia: Sekoia researchers have published an analysis on Project DDoSia, the self-install DDoS client advertised by pro-Kremlin hacktivist group NoName057(16). According to Sekoia, the DDoSia client is now installed on more than 20,000 systems, which are then used for DDoS attacks—usually against various Western government sites.
SocGolish updates: GoDaddy's Sucuri has spotted some changes to the way SocGolish operates. This is a botnet that infects websites and hijacks their traffic to redirect users to malicious sites. While it previously disguised its malicious code as jQuery or Google-related scripts, Sucuri says SocGolish now tries to hide its code as scripts related to various popular WordPress plugins.
DarkGate: An ISC SANS guest post looks at the persistence tricks of the DarkGate loader.
SupermanMiner: Qihoo 360 researchers have published a report on a new version of SupermanMiner, a crypto-miner deployed on hacked web servers.
Sponsor Section
James Pope, Corelight's Director of Technical Marketing Engineering, demonstrates the company's Open NDR Platform and how it combines network detections with a whole host of other data sources.
APTs, cyber-espionage, and info-ops
Bitter: StrikeReady has published IOCs from some recent Bitter APT activity.
APT37's ROKRAT: Security researcher Ovi Liber has published a technical analysis of the APT37 ROKRAT's HWP infection method.
i-SOON leak: Harfang and Margin Research have published their own analyses of the file leak from Chinese cyber/APT contractor i-SOON. Key findings below:
- The Chinese government specifically contracts out hack-for-hire work.
- Antivirus firm Qihoo360 invests in cyber mercenaries and may be selling them user PII.
- The Tianfu Cup has been confirmed to be exploit feeder system for Chinese government.
- Some Chinese companies have used Western naming and shaming for marketing.
- Chinese firms have a well-established Capture-the-Flag to hiring pipeline for offensive talent.
- China has a well-funded, prime/sub-contracting ecosystem.
US charges Iranian cyber contractor: The US government has charged an Iranian national with allegedly hacking and stealing information from US defense contractors. Officials say Alireza Shafie Nasab was an employee of Mahak Rayan Afraz, a cyber contractor for the Iranian government. Nasab was allegedly responsible for procuring infrastructure used in the company's hacking operations. In 2021, Meta's security team linked the Nasab's employer to an APT known as Tortoiseshell. Officials say Nasab worked on campaigns that targeted the US State and Treasury Departments, defense contractors, and other private companies. The State Department is offering a reward of up to $10 million for information that may lead to Nasab's arrest.
Vulnerabilities, security research, and bug bounty
OpenNMS Horizon vulnerability: SonarSource researchers have published an analysis of CVE-2023-0846, a pre-auth code execution bug in the OpenNMS Horizon network monitoring platform. This was fixed more than a year ago, but researchers held onto the details to prevent abuse.
Progress OpenEdge: Progress Software has released a security patch for an authentication bypass vulnerability in its OpenEdge servers.
Google Bard bug bounty: Three security researchers provide details on a Google Bard (now Gemini) vulnerability that netted them $20,000 at a hacking contest last year.
DUALITY: Aon's security team has published research introducing DUALITY, a new red-team persistence concept that uses multiple backdoored DLL files that will re-infect each other in order to maintain access to a compromised host.
ArtPrompt attack: A team of academics has discovered a novel attack that can bypass safety checks on five of today's most popular LLMs. The new attack is named ArtPrompt and uses text rendered as ASCII art. Researchers say LLMs will extract the text from the ASCII art but won't pass it through their regular safety checks. This method allows threat actors to make LLMs perform undesirable or malicious operations. The ArtPrompt attack has been tested on LLMs like OpenAI's GPT, Google Gemini, and Meta's Llama2.
Morris II AI worm: Three researchers have created a computer worm that abuses generative AI tools to poison AI-based email assistants for spam campaigns and data theft. The team says it successfully tested the worm (named Morris II) in a test environment against three different GenAI models—Gemini Pro, ChatGPT 4.0, and LLaVA.
Infosec industry
Phrack CFP: The infamous Phrack e-zine has put out a call for papers. The next issue is expected this summer. It will come three years after the previous edition.
New tool—FortiGate scanner: Security firm BishopFox has released a scanner (GitHub) that can detect if FortiGate SSL VPNs are vulnerable to CVE-2024-21762, a Fortinet vulnerability that was disclosed in early February and later came under attack.
New tool—PaXtest: Grsecurity has open-sourced a tool named PaXtest. It can be used to test if memory protections and randomizations are properly applied to Linux kernels.
New tool—Sebel: Security researcher Dwi Siswanto has open-sourced Sebel, a tool that checks SSL/TLS certificates for potential malicious connections by detecting and blocking certificates used by botnet command and control (C&C) servers.
New tool—AIOCRIOC: Security researcher James Brine has open-sourced AIOCRIOC, an LLM and OCR-based tool that can be used to extract IOCs from various types of documents.
New tool—gitdoorcheck: The same Brine has also open-sourced gitdoorcheck, an OpenAI LLM-based tool to analyze Git repos for backdoors and malicious code.
New tool—LogSnare: Software engineer Erkin Djindjiev has open-sourced LogSnare, a web application playground for testing IDOR, broken access controls, and logging in Go.
New tool—Mail in the Middle: SensePost has open-sourced a tool named Mail in the Middle that can execute MitM attacks on email communications.
Risky Business Podcasts
In this edition of Between Two Nerds, Tom Uren and The Grugq apologize for repeating a quote that is purported to be Russian cyber doctrine but is not. They also wonder why this phenomenon has happened before with the so-called Gerasimov doctrine.