Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label spying. Show all posts
WhatsApp
Cyber Attacks espionage Iran Israel spying surveillance Telegram WhatsApp

Iran Spies on Senior Israeli Officials, Launches Over 200 Cyberattacks

Iran Spies on Senior Israeli Officials, Launches Over 200 Cyberattacks

Shin Bet, an Israeli Cybersecurity Service said recently it discovered over 200 Iranian phishing attempts targeting top Israeli diplomats to get personal information. Shin Bet believes the attacks were launched by Iranian actors through Telegram, WhatsApp, and email. 

The threat actors tried to bait targets into downloading infected apps that would give them access to victim devices and leak personal data like location history and residential addresses.

Iran Targeting Israeli Officials

The targeted senior officials include academicians, politicians, media professionals, and others

ShinBet said the stolen information would be used by Iran to launch attacks against Israeli nationals “through Israeli cells they have recruited within the country.” The targets were reached out with an “individually tailored cover story for each victim according to their area of work, so the approach doesn’t seem suspicious.”

In one case, the attacker disguised as a Cabinet Secretary lured the target saying he wanted to coordinate with PM Benjamin Netanyahu. Shin Bet has tracked the targets involved in the campaign and informed them about the phishing attempts. 

“This is another significant threat in the campaign Iran is waging against Israel, aimed at carrying out assassination attacks. We request heightened awareness, as cyberattacks of this type can be avoided before they happen through awareness, caution, suspicion, and proper preventative behavior online,” said a Shin Bet official.

Reasons for attack

Shin Bet “will continue to act to identify Iranian activity and thwart it in advance.” It believes the motive behind the attacks was to manage future attacks on Israeli nationals using information given by Israeli cells recruited by Iran. The campaign is a sign of an escalation between Iran and Israel, the end goal being assassination attempts.

The bigger picture

The recent discovery of phishing campaigns is part of larger targeted campaigns against Israel. In September 2024, 7 Jewish Israelis were arrested for allegedly spying on IDF and Israeli security figures for Iran. 

The Times of Israel reports, “Also in September, a man from the southern city of Ashkelon was arrested on allegations that he was smuggled into Iran twice, received payment to carry out missions on behalf of Tehran, and was recruited to assassinate either Israel’s prime minister, defense minister, or the head of the Shin Bet.”

Read more »
Vulnerabilities and Exploits
Data Flaws Intercm Security spying Vulnerabilities and Exploits

Unpatched Akuvox Smart Intercom Flaws Can Be Exploited for Spying

 

The E11, a popular smart intercom and videophone from Chinese company Akuvox, contains more than a dozen flaws, including a critical bug that allows unauthenticated remote code execution (RCE). Malicious actors could use these to gain access to an organization's network, steal photos or video captured by the device, control the camera and microphone, and even lock and unlock doors. 

The flaws were discovered and highlighted by Claroty's Team82, a security firm that became aware of the device's flaws when they moved into an office where the E11 was already installed. Team82 members' interest in the device grew into a full-fledged investigation as they discovered 13 vulnerabilities, which they classified into three categories based on the attack vector used.

The first two types can occur via RCE within a local area network or through remote activation of the E11's camera and microphone, allowing the attacker to collect and exfiltrate multimedia recordings. The third attack vector focuses on gaining access to an external, insecure file transfer protocol (FTP) server, which allows the actor to download stored images and data.

The Akuvox 311 contains a critical RCE bug

One critical threat — CVE-2023-0354, with a CVSS score of 9.1 — allows the E11 Web server to be accessed without any user authentication, potentially giving an attacker easy access to sensitive information.

"The Akuvox E11 Web server can be accessed without any user authentication, and this could allow an attacker to access sensitive information, as well as create and download packet captures with known default URLs," according to the Cybersecurity and Infrastructure Security Agency (CISA), which published an advisory about the bugs, including a vulnerability overview.

Another notable vulnerability (CVE-2023-0348, with a CVSS score of 7.5) affects the SmartPlus mobile app, which iOS and Android users can use to interact with the E11. The main problem is that the app uses the open-source Session Initiation Protocol (SIP) to allow communication between two or more participants over IP networks. The SIP server does not validate SmartPlus users' authorization to connect to a specific E11, which means that anyone with the app installed can connect to any E11 connected to the Internet, including those behind a firewall.

"We tested this using the intercom at our lab and another one at the office entrance," according to the Claroty report. "Each intercom is associated with different accounts and different parties. We were, in fact, able to activate the camera and microphone by making a SIP call from the lab's account to the intercom at the door."

Unpatched Akuvox Security Vulnerabilities

Beginning in January 2022, Team82 detailed their efforts to bring the vulnerabilities to the attention of Akuvox, but after several outreach attempts, Claroty's account with the vendor was blocked. Following that, Team82 published a technical blog detailing the zero-day vulnerabilities and enlisted the help of the CERT Coordination Center (CERT/CC) and CISA.

Organizations that use the E11 should disconnect it from the Internet until the vulnerabilities are fixed, or ensure that the camera is not capable of recording sensitive information. According to the Claroty report, "organizations are advised to segment and isolate the Akuvox device from the rest of the enterprise network" within the local area network. 

"Not only should the device reside on its own network segment, but communication to this segment should be limited to a minimal list of endpoints."

A world of increasingly connected devices has provided sophisticated adversaries with a vast attack surface.As per Juniper Research, the number of industrial internet of things (IoT) connections alone — a measure of total IoT device deployment — is expected to more than double to 36.8 billion in 2025, up from 17.7 billion in 2020.

And, despite the fact that the National Institute of Standards and Technology (NIST) has agreed on a standard for encrypting IoT communications, many devices remain vulnerable and unpatched. Akuvox is the latest in a long line of these that have been found to be severely lacking in device security. Last year, for example, a critical RCE vulnerability in Hikvision IP video cameras was disclosed.
Read more »
Zimbra
CISA Cyber Attacks DPRK lazarus spying Zimbra

DPRK Uses Unfixed Zimbra Devices for Spying on Researchers


State-sponsored hackers exploit unpatched Zimbra devices

A recent series of compromises that exploited unpatched Zimbra devices was an operation sponsored by the North Korean government and aimed to steal intelligence from a collection of private and public medical and energy sector researchers. 

Analysts with W labs in a new report explained that due to an overlap in techniques, and thanks to a mess up by one of the threat actors, they attributed the recent series of cyber incidents against unpatched Zimbra devices to the Lazarus group, a well-known cybercriminal group sponsored by the North Korean government. 

A joint report by NSA and Central Security service said "DPRK cyber actors have been using cryptocurrency generated through illicit cybercrime activities to procure infrastructure such as IP addresses and domains. The actors intend to conceal their affiliation and then exploit common vulnerabilities and exposures (CVE) in order to gain access and escalate privileges on targeted networks to perform ransomware activities. Recently observed CVEs include remote code execution in the Apache Log4j software library (also known as "Log4Shell") and remote code execution in various SonicWall appliances."

Lazarus ran a campaign using unpatched Zimbra devices

Lazarus ran this campaign and other likewise intelligence-gathering operations till the end of 2022. The experts have named the campaign "No pineapple" after an error message created by the malware during their investigation. The threat actors quietly stole around 100GB of data, without running any destructive cyber campaign or disrupting information.

Security teams running unpatched, Internet-connected Zimbra Collaboration Suite (ZCS) can assume they are compromised and should take immediate detection and response action. 

A recent security alert by CISA flagged active Zimbra exploits for CVE-2022-24682, CVE-2022-27924, and CVE-2022-27925, which are being chained with CVE-2022-37042, and CVE-2022-30333. 

The cyber attacks lead to remote code execution (RCE) and access to the Zimbra platform. 

Unfixed Zimbra devices can affect sensitive info

The results can be quite dangerous when it comes to protecting sensitive info and shielding email-based follow-on threats. ZCS is a suite of business communication services that consists of an email server and a Web client for accessing messages via the cloud. 

CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC) strongly suggest administrators and users apply the guidelines in the recommendations of the cybersecurity advisory to defend their organization's systems against malicious cyber operations. 

"NSA and the other authoring agencies urge all critical infrastructure entities and organizations, including the Healthcare and Public Health (HPH) Sector, and the Department of Defense and Defense Industrial Base, to apply the mitigations listed in this advisory," said NSA


Read more »
spying
Cyber Security Data Safety data security Email Safety Email scam email security Email Tracking Pixels Online Privacy Spy Pixels spying

How these Invisible Images Enable Companies Eavesdrop on your Email — Here’s all you need to know

 

The emails are eavesdropping on you. Most of the billions of emails that arrive in our inboxes every day contain hidden trackers that can tell the recipient when you open them, where you open them, how many times you've read them, and much more — a privacy nightmare that many call "endemic." Fortunately, you can take measures to safeguard yourself and your inbox. 

Advertisers and marketing firms, in particular, embed tracking pixels in their promotional emails to keep track of their mass campaigns. Senders can learn which subject lines are the most "clickable," and which of their targets are potential customers, based on how people interact with them.

Though this is beneficial from an analytics standpoint, it is frequently done covertly and without consent.  There is a simple way to disable email tracking. Continue reading to learn more about these troublesome little pixels and how to get rid of them.
 
Email tracking pixels:

The email tracking pixel is a surprisingly simple concept that allows anyone to secretly collect a plethora of information about you as soon as you interact with their messages.

When someone wants to know if you read their email, they insert a tiny 1 pixel by 1 pixel image into it. When you open the email, it sends a ping to the server where the image is stored and records your interaction. The sender can tell your location by checking where that network ping was launched and what type of device was used, in addition to whether or not you clicked their email and how many times you clicked it.

There are two possible explanations for why you never notice that tracking graphic. For starters, it's insignificant. Second, it's in GIF or PNG format, enabling the company to keep it transparent and invisible to the naked eye. A sender will frequently conceal this in their signature. As a result, that fancy font or flashing company logo at the bottom of a commercial email may be more than just a cosmetic presence.

More importantly, studies have revealed that by pairing your location and device specifications, advertisers and other malicious actors can link your email activities with your browser cookies. This opens a can of worms because it allows them to identify you wherever you go online and connect your email address.

Most email clients, including Gmail and Outlook, do not have this feature built-in, but you can use third-party tools. It's recommended to use the Chrome and Firefox extensions Ugly Email for Gmail. It places an "eyeball" icon next to emails containing tracking pixels and prevents them from spying on you. If you use Yahoo or Outlook, you can also use Trocker, which marks emails with trackers on their websites.

These extensions, however, are only available on your computers. You'll need to subscribe to a premium email client like HEY to detect email trackers on your phone.

How to block email tracking pixels?

Email trackers are easy to detect because they rely on hidden media attachments. The simplest method is to simply disable image loading in your email apps by default and only do it manually for emails you trust or when there is an attachment to download.

1. Adjust your existing inbox: On Gmail, the option to block external images is available under Settings > Images > Ask Before Displaying External Images on the web and mobile apps. On Outlook apps, it’s found under Options > Block External Images on mobile and Options > Trust Center > Automatic Download on desktop.

Though Apple Mail also lets you accomplish this from Preferences > Viewing > Load remote content in messages, you can directly block trackers on it as long as you’re on macOS Monterey. Head over to Mail > Preferences > Privacy and check the “Protect Mail Activity” box. 

2. Get yourself a private relay email address: The issue with the methods discussed previously is that they only block tracking pixels after the email has already arrived in your inbox — they don't remove them entirely. To ensure that you never open an email containing trackers by accident, you'll need a proxy address that scans your messages and eliminates any malware before they show up in your inbox.

Another advantage is that you can keep your personal email address private and only provide a relay ID to websites, newsletters, and other services. There are numerous free services that provide a proxy email address. 

Email Protection from DuckDuckGo is recommended. It allows you to create a new custom relay address, which secures your mail before forwarding it to your personal inbox by booting the trackers and encrypting any unsecured links in the body. DuckDuckGo adds a small section at the top of forwarded emails that tells you whether it found any trackers in it and, if so, which companies were responsible for it.

To sign up for the DuckDuckGo app on an Android or iPhone, go to Settings > Email Protection. You can get started on a desktop with the DuckDuckGo browser extension or its Mac browser.


Read more »
spying
attackers Chinese Cyber Attacks domains Hackers RedAlpha Security spying

'RedAlpha': This Chinese Cyberspy Group is Targeting Governments & Humanitarian Entities

 

RedAlpha, a Chinese state-sponsored cyberespionage group, has been observed targeting numerous government organisations, humanitarian organisations, and think tanks over the last three years. 

The advanced persistent threat (APT) actor, also known as Deepcliff and Red Dev 3, has been active since at least 2015, focusing on intelligence collection and surveillance of ethnic and religious minorities such as the Tibetan and Uyghur communities. 

According to cybersecurity firm Recorded Future, RedAlpha has registered hundreds of domains impersonating global government, think tank, and humanitarian organisations such as Amnesty International, the American Institute in Taiwan (AIT), the International Federation for Human Rights (FIDH), the Mercator Institute for China Studies (MERICS), and Radio Free Asia (RFA).

According to Recorded Future, the attacks are consistent with previous RedAlpha targeting of entities of interest to the Chinese Communist Party (CCP). Taiwanese organisations were also targeted, most likely for intelligence gathering. The campaign's goal has been to collect credentials from targeted individuals and organisations in order to gain access to their email and other communication accounts.

“RedAlpha’s humanitarian and human rights-linked targeting and spoofing of organizations such as Amnesty International and FIDH is particularly concerning given the CCP’s reported human rights abuses in relation to Uyghurs, Tibetans, and other ethnic and religious minority groups in China,” Recorded Future notes.

The cyberespionage group is known for using weaponized websites - which mimics well-known email service providers or specific organisations - as part of its credential-theft campaigns, but the APT registered more than 350 domains last year.

This activity was distinguished by the use of resellerclub[.]com nameservers, as well as the use of virtual private server (VPS) hosting provider Virtual Machine Solutions LLC (VirMach), overlapping WHOIS registrant information (including names, email addresses, and phone numbers), consistent domain naming conventions, and the use of specific server-side components.

About RedAlpha:

The group has recorded hundreds of domains typosquatting major email and storage service providers, including Yahoo (135 domains), Google (91 domains), and Microsoft (70), as well as domains typosquatting multiple countries' ministries of foreign affairs (MOFAs), Purdue University, Taiwan's Democratic Progressive Party, and the aforementioned and other global government, think tank, and humanitarian organisations.

The cyberespionage group registered at least 16 domains impersonating the Berlin-based non-profit organisation MERICS during the first half of 2021, which coincided with the Chinese MOFA sanctioning the think tank.

“In many cases, observed phishing pages mirrored legitimate email login portals for the specific organizations named above. We suspect that this means they were intended to target individuals directly affiliated with these organizations rather than simply imitating these organizations to target other third parties,” Recorded Future says.

RedAlpha has also shown a consistent focus on targeting Taiwanese entities over the last three years, including through multiple domains mimicking the American Institute in Taiwan (AIT), the de facto embassy of the United States of America. The hacking group was also noticed spreading its campaigns to target Brazilian, Portuguese, Taiwanese, and Vietnamese ministries of foreign affairs, as well as India's National Informatics Centre (NIC).

“We identified multiple overlaps with previous publicly reported RedAlpha campaigns that allowed us to assess this is very likely a continuation of the group’s activity. Of note, in at least 5 instances the group appeared to re-register previously owned domains after expiry,” Recorded Future notes.

The cybersecurity firm has discovered a connection between RedAlpha and a Chinese information security firm - email addresses used to register spoofing domains appear in job listings and other web pages associated with the organisation - and believes the threat actor is based in China.

“The group’s targeting closely aligns with the strategic interests of the Chinese government, such as the observed emphasis on China-focused think tanks, civil society organizations, and Taiwanese government and political entities. This targeting, coupled with the identification of likely China-based operators, indicates a likely Chinese state-nexus to RedAlpha activity,” Recorded Future concludes.
Read more »
Vidar
data security Hackers Illegal Sites malware Private Loader Ransomware RedLine Smokeloader spying Spyware Vidar

Pay to Play PrivateLoader Disseminates Smokeloader, Redline &Vidar malware

 

An investigation at a pay-per-install loader has revealed its role in the distribution of famous malware variants including Smokeloader and Vidar. 

Intel 471 issued a report on PrivateLoader on Tuesday, analyzing cyberattacks that have used the loader since May 2021. The pay-per-install (PPI) malware service has been around for a time, but it's unclear who is responsible for its creation. Additional payloads are deployed on a target machine using loaders. 

PrivateLoader is a variation that is supplied to criminal customers on an installation basis, with payment based on the number of victims captured. PrivateLoader is managed by a collection of command-and-control (C2) servers and an AdminLTE 3-based administrator panel. 

Adding new users, configuring the loader to install a payload, picking target regions and nations, setting up payload download links, encryption, and selecting browser extensions for infecting target devices are all available through the front-end panel. 

The loader is mainly distributed through websites that sell pirated software. Cracked copies of popular software, which are occasionally included with key generators, are illegal versions of software that have been modified to avoid licencing or payment. On websites, download buttons for cracked software are included with JavaScript, which releases the payload in a.ZIP archive. 

The package contained a malicious executable, according to the cybersecurity firm's findings. A false GCleaner load reseller, PrivateLoader, and Redline are among the malware that is triggered by .exe file. 

Since at least May 2021, the PrivateLoader module has been used to run Smokeloader, Redline, and Vidar. Smokeloader is the most well-known of these malware families. Smokeloader is a distinct loader that can also be utilized for data theft and reconnaissance; Redline specializes in credential theft, whereas Vidar is spyware that can steal data from a variety of data types, including passwords, documents, and digital wallet details. 

A distribution link for Smokeloader also signals a possible connection to the Qbot banking Trojan. The Kronos banking Trojan and the Dridex botnet have both been disseminated using PrivateLoader bots. 

Although PrivateLoader isn't particularly linked to the distribution of ransomware, a loader associated with it, known as Discoloader, has been used in assaults aimed at spreading the malware. 

The researchers stated, "PPI services have been a pillar of cybercrime for decades. Just like the wider population, criminals are going to flock to software that provides them with a wide array of options to easily achieve their goals. By highlighting the versatility of this malware, we hope to give defenders the chance to develop unique strategies in thwarting malware attacks empowered by PrivateLoader."
Read more »
Spyware
Apple Cytrox Facebook iPhone Iphone Spying Meta Mobile Security Mobile Spyware Pegasus spying Spyware

Citizen Lab Exposes Cytrox as Vendor Behind 'Predator' iPhone Spyware

 

The University of Toronto's Citizen Lab has found yet another player in the private sector mobile spyware market, citing a small North Macedonian firm called Cytrox as the maker of high-end iPhone implants. 

Citizen Lab worked with Facebook parent company Meta's threat-intelligence team to expose Cytrox and a handful of other PSOAs (private sector offensive actors) in the murky surveillance-for-hire industry. Citizen Lab stated that Cytrox is behind a piece of iPhone spying malware that was put on the phones of two prominent Egyptians, according to a detailed technical analysis published. 

Predator, the malware, was able to infect the most recent iOS version (14.6) utilising single URLs provided via WhatsApp. Exiled Egyptian politician Ayman Nour was spooked by his iPhone overheating, and later discovered evidence of two different spyware applications running on the device, administered by two different government APT actors. 

The Egyptian government, a known Cytrox customer, has been attributed with the attack, according to Citizen Lab. Nour's phone was infected with both Cytrox's Predator and Israeli vendor NSO Group's more well-known Pegasus spyware, according to Citizen Lab. Citizen Lab's exposé detailed Cytrox's background as a startup launched in 2017 by Ivo Malinkovksi, a North Macedonian who later integrated the company with Intellexa and publicly hawked digital forensics tools. The firm claims to be established in the European Union, with R&D labs and sites all over Europe. 

In a separate advisory published by Meta’s security team, Cytrox is listed alongside Cobwebs Technologies, Cognate, Black Cupe, Bluehawk CI, BellTroX and two unknown Chinese entities among a growing roster of private companies in the surveillance-for-hire business. 

These firms handle the reconnaissance, engagement, and exploitation phases of advanced malware campaigns for governments and law enforcement agencies all across the world, including those that target journalists, politicians, and other members of civil society. 

Cytrox was recognised as a company that "develops exploits and sells surveillance tools and viruses that enable its clients to compromise iOS and Android devices," as per Facebook's team. 

Facebook’s security team stated, “[We were] able to find a vast domain infrastructure that we believe Cytrox used to spoof legitimate news entities in the countries of their interest and mimic legitimate URL-shortening and social media service.” 

“They used these domains as part of their phishing and compromise campaigns. Cytrox and its customers took steps to tailor their attacks for particular targets by only infecting people with malware when they passed certain technical checks, including IP address and device type. If the checks failed, people could be redirected to legitimate news or other websites.” 

“Targets of Cytrox and its customers included politicians and journalists around the world, including in Egypt and Armenia.”
Read more »
Vulnerabilities and Exploits
Amazon DNS DNSaaS Google Microsoft spying Vulnerabilities and Exploits

New DNS Flaw Enables 'Nation-State Level Spying' on Companies

 

Researchers discovered a new category of DNS vulnerabilities hitting major DNS-as-a-Service (DNSaaS) providers, which may enable attackers to get access to sensitive data of company networks. 

DNSaaS providers (also referred to as managed DNS providers) rent DNS to other businesses who don't want to maintain and protect yet additional network resources on their own. 

These DNS vulnerabilities, as disclosed by cloud security firm Wiz researchers Shir Tamari and Ami Luttwak at the Black Hat security conference, grant threat actors nation-state intelligence harvesting powers with simple domain registration. 

As per the description, they simply created a domain and utilized it to hijack a DNSaaS provider's nameserver (in this instance, Amazon Route 53), permitting them to eavesdrop on dynamic DNS traffic streaming from Route 53 users' networks. 

The Wiz researchers stated, "We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google," 

"The dynamic DNS traffic we 'wiretapped' came from over 15,000 organizations, including Fortune 500 companies, 45 U.S. government agencies, and 85 international government agencies." 

Employee/computer identities and locations and extremely sensitive data about organizations' infrastructure, such as Internet-exposed network equipment, were among the data they acquired this way. 

In one instance, the researchers used network data from 40,000 corporate endpoints to trace the office locations of one of the world's major services companies. The information gathered in this manner would make it much simpler for threat actors to compromise an organization's network since it would offer them a bird's eye perspective of what's going on within corporations and governments and provide them with "nation-state level surveillance capacity." 

The researchers haven't found any indication that the DNS flaw they identified has ever been exploited in the open, but they do warn that anybody with the expertise of the vulnerabilities and the abilities to exploit it might have gathered data undiscovered for over a decade. 

"The impact is huge. Out of six major DNSaaS providers we examined, three were vulnerable to nameserver registration. Any cloud provider, domain registrar, and website host who provides DNSaaS could be vulnerable," they added at Black Hat. 

Patched by some, likely to affect others: 

Although two significant DNS providers (Google and Amazon) have already patched these DNS vulnerabilities, others are still likely prone, potentially exposing millions of devices to attacks. 

Moreover, it is unclear who is responsible for fixing this serious DNS flaw. Microsoft has previously informed Wiz that this is not a vulnerability since it could alter the dynamic DNS mechanism that permits Windows endpoints to leak internal network traffic to rogue DNS servers. 

Microsoft explained, this flaw as "a known misconfiguration that occurs when an organization works with external DNS resolvers." 

To minimize DNS conflicts and network difficulties, Redmond recommends utilizing distinct DNS names and zones for internal and external hosts and provides extensive guidance on how to correctly handle DNS dynamic updates in Windows. 

Maintained DNS providers can mitigate nameserver hijacking by adhering to the RFC's "reserved names" specification and checking and confirming domain ownership and validity before enabling their customers to register them. Companies renting DNS servers can also modify the default Start-of-Authority (SOA) record to stop internal network traffic from leaking via dynamic DNS updates.
Read more »
spying
Apple China Cyber Security iPhone Pwn2Own spying

An Award-Winning iPhone Hack Used by China to Spy on Uyghur Muslims

 

According to a recent article, the Chinese government used an award-winning iPhone hack first uncovered three years ago at a Beijing hacking competition to spy on the phones of Uyghur Muslims. The government was able to successfully tap into the phones of Uyghur Muslims in 2018 using a sophisticated tool, according to a study published Thursday by MIT Technology Review. 

For years, the US government and other major technology firms have recognized that China has been waging a violent campaign against ethnic minorities using social media, phones, and other technologies. The movement also attacked journalists and imitated Uyghur news organizations. 

According to MIT Technology Review report the hacking vulnerability was discovered during the Beijing competition. The Tianfu Cup hacking competition began in November 2018 in China as a way for Chinese hackers to discover vulnerabilities in popular tech software. According to the paper, the competition was modeled after an international festival called Pwn2Own, which attracts hackers from all over the world to show technical bugs so that marketers can discover and patch defects throughout their goods. 

However, China's Tianfu Cup was designed to enable Chinese hackers to show those vulnerabilities without exposing them to the rest of the world. According to the paper, this will enable the Chinese government to use those hacking methods found at the event for their own purposes. 

The very first event took place in November of 2018; Qixun Zhao, a researcher at Qihoo 360, won the top prize of $200,000 for demonstrating a remarkable chain of exploits that helped him to easily and reliably take control of even the newest and most up-to-date iPhones. He discovered a flaw in the kernel of the iPhone's operating system, originating from inside the Safari web browser. 

What's the end result? Any iPhone that accessed a web page containing Qixun's malicious code might be taken over by a remote intruder. It's the type of hack that could be traded on the black market for millions of dollars, allowing hackers or governments to spy on huge groups of people. It was given the name "Chaos" by Qixun. 

Apple patched it two months later, but an analysis revealed that it had been used by the Chinese government to hack Uyghur Muslims' iPhones in the interim. After US surveillance found it and confirmed it to Apple, the company released a low-key press release acknowledging it, but the full scale of it wasn't understood until now.
Read more »
USA
Cyber Security Russia spying USA

US Intelligence Task Force Accuses Russia Of Cyber Attack

 

Previously, US President Donald Trump had accused China of malicious security incidents; security experts and officials have suspected China to be involved in the recent cyberattacks on the US government and several other organizations in the nation but now other members of his administration are pointing out the finger at Moscow. 

In a joint statement on 5 January, the intelligence bodies said, "the attack believed to be an 'intelligence gathering' attempt, rather than cyber warfare, as touted by multiple lawmakers including President Donald Trump. Currently, it is also being observed that cyber-attack which attempted to sabotage online privacy and information has affected fewer than ten US government agencies along with several other organizations outside government”. 

 A collective report of government organizations, the UGC, also called Cyber Unified Coordination Group which has been set up to deal with the recent attack, stated that the Advance Persistence Threat (APT) actor which is responsible for the cyberattack was “likely Russian in origin”. It also said other government organizations that are collaborating for the collective report, are the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Office of the Director of National Intelligence (ODNI), and the National Security. 

The intelligence stated that the research regarding this is still going on to understand the scope of the data compromised during cyber attacks. According to the committee, the hacking attempts were initially made in March 2019 when the updated version of the IT network management tool called Orion was compromised. 
The report says those thousands of people who had installed this hacked tool across American territory, many of whom worked in important US federal agencies. Besides non-government organizations, a major part of the US government was compromised during the recent cyber attacks such as the Treasury and Department of Commerce, and the National Telecommunications and Information Administration.

"This is a serious compromise that will require a sustained and dedicated effort to remediate. Many organizations have to scour their systems for signs that they may have been compromised. The incident sent shockwaves across the US partly because the breach was undiscovered for many months and was potentially far-reaching in terms of who it might have affected. It also suggested a degree of sophistication and stealth which was widely seen as a trademark of hackers from the SVR", Russia's foreign intelligence agency, the Intelligence committee said in a statement.
Read more »
Subscribe to: Posts (Atom)