The inner workings of a cybercriminal group known as the Wizard Spider have been exposed, shedding light on its organizational structure and motivations.
"Most of Wizard Spider's efforts go into hacking European and U.S. businesses, with a special cracking tool used by some of their attackers to breach high-value targets," Swiss cybersecurity company PRODAFT said in a new report shared with The

The inner workings of a cybercriminal group known as the Wizard Spider have been exposed, shedding light on its organizational structure and motivations.

"Most of Wizard Spider's efforts go into hacking European and U.S. businesses, with a special cracking tool used by some of their attackers to breach high-value targets," Swiss cybersecurity company PRODAFT said in a new report shared with The Hacker News. "Some of the money they get is put back into the project to develop new tools and talent."

Wizard Spider, also known as Gold Blackburn, is believed to operate out of Russia and refers to a financially motivated threat actor that's been linked to the TrickBot botnet, a modular malware that was officially discontinued earlier this year in favor of improved malware such as BazarBackdoor.

That's not all. The TrickBot operators have also extensively cooperated with Conti, another Russia-linked cybercrime group notorious for offering ransomware-as-a-service packages to its affiliates.

Gold Ulrick (aka Grim Spider), as the group responsible for the distribution of the Conti (previously Ryuk) ransomware is called, has historically leveraged initial access provided by TrickBot to deploy the ransomware against targeted networks.

"Gold Ulrick is comprised of some or all of the same operators as Gold Blackburn, the threat group responsible for the distribution of malware such as TrickBot, BazarLoader and Beur Loader," cybersecurity firm Secureworks notes in a profile of the cybercriminal syndicate.

Stating that the group is "capable of monetizing multiple aspects of its operations," PRODAFT emphasized the adversary's ability to expand its criminal enterprise, which it said is made possible by the gang's "extraordinary profitability."

Typical attack chains involving the group commence with spam campaigns that distribute malware such as Qakbot (aka QBot) and SystemBC, using them as launchpads to drop additional tools, including Cobalt Strike for lateral movement, before executing the locker software.

In addition to leveraging a wealth of utilities for credential theft and reconnaissance, Wizard Spider is known to use an exploitation toolkit that makes use of recently disclosed vulnerabilities such as Log4Shell to gain an initial foothold into victim networks.

Also, put to users a cracking station that hosts cracked hashes associated with domain credentials, Kerberos tickets, and KeePass files, among others.

What's more, the group has invested in a custom VoIP setup wherein hired telephone operators cold-call non-responsive victims in a bid to put additional pressure and compel them into paying up after a ransomware attack.

This is not the first time the group has resorted to such a tactic. Last year, Microsoft detailed a BazarLoader campaign dubbed BazaCall that employed phony call centers to lure unsuspecting victims into installing ransomware on their systems.

"The group has huge numbers of compromised devices at its command and employs a highly distributed professional workflow to maintain security and a high operational tempo," the researchers said.

"It is responsible for an enormous quantity of spam on hundreds of millions of millions of devices, as well as concentrated data breaches and ransomware attacks on high-value targets."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Expose Inner Working of Billion-Dollar Wizard Spider Cybercrime Gang

A critical VMware bug tracked as CVE-2022-22954 continues to draw cybercriminal moths to its remote code-execution flame, with recent attacks focused on botnets and Log4Shell.

Recently uncovered VMware vulnerabilities continue to anchor an ongoing wave of cyberattacks bent on dropping various payloads. In the latest spate of activity, nefarious types are going in with the ultimate goal of infecting targets with various botnets or establishing a backdoor via Log4Shell.

That's according to Barracuda researchers, who found that attackers are particularly probing for the critical vulnerability tracked as CVE-2022-22954 in droves, with swaths of actual exploitation attempts in the mix as well.

The security vulnerability carries a CVSS score of 9.8 and affects the VMware Workspace ONE Access and Identity Manager. Workspace ONE is VMware's platform for delivering corporate applications to any device (a sort of juiced-up mobile device management solution), and the identity manager handles authentication to the platform. The bug allows remote code execution (RCE) via server-side template injection for attackers that have network access.

"A server-side template-injection issue may allow an unauthenticated user with access to the Web interface to execute any arbitrary shell command as the VMware user," Mike Goldgof, Barracuda's senior director of product marketing for data protection, network, and application security, tells Dark Reading. "In effect, a hacker can bring down the system, extract data, inject ransomware, etc."

"Cybercriminals are constantly scanning for these types of advisories and jump on them ASAP to attempt to exploit targets before they get a chance to download a patch," Goldgof noted. "\[And\] VMware infrastructure is widely deployed in both data center and cloud environments, providing a large population of attractive hacking targets." 

The activity sometimes involves a second bug (CVE-2022-22960, CVSS score of 7.8), which is a local privilege escalation (LPE) vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation (a platform for creating private clouds). The bug arises because of improper permissions in support scripts, according to VMware's advisory, and could allow attackers with local access to achieve root privileges. 

In this case, it's being chained with the previous flaw for a full exploitation vector, Barracuda noted.

VMware disclosed the bugs in April, and soon thereafter, a proof-of-concept (PoC) exploit was released on GitHub and tweeted out to the world. Unsurprisingly, researchers from multiple security firms started seeing probes and exploit attempts very soon thereafter — and the hits just keep coming. 

"Any serious vulnerability in a broadly used platform or application is cause for concern. Threat actors are always looking for an opportunity to hit multiple targets with minimal effort," Mike Parkin, senior technical engineer at Vulcan Cyber, tells Dark Reading. "VMware is one of the most popular virtualization platforms around, and often runs on powerful iron with multiple applications running on top of it. This gives an attacker multiple reasons to go after VMware servers."

**VMware Payloads du Jour**  
Barracuda researchers noticed that most of the probing in its telemetry now is for the VMware RCE vulnerability, using the PoC code from GitHub. Most of the actual exploit attempts meanwhile are now primarily from botnet operators, especially IPs hosting variants of the Mirai distributed denial-of-service (DDoS) botnet malware, along with a few EnemyBot samples (another DDoS baddie).

Otherwise, "some Log4Shell exploit attempts were also seen in the data," researchers noted.

As for who's behind the attacks, most originate in the US (76%), mostly emanating from data centers and cloud providers. However, the researchers also found "consistent background attempts" from Russian IP addresses that are well known to be affiliated with opportunistic cybercrime cartels.

"Some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes," the researchers explained.

In April, another set of attacks was flagged, with a very different aim. An Iranian cyber-espionage group known as Rocket Kitten was seen exploiting the CVE-2022-22954 RCE to deliver the Core Impact penetration testing tool on vulnerable systems. And in another batch of April activity, cryptominers reportedly made their way into the exploitation-palooza lineup.

After several initial spikes in April, the interest levels in triggering these vulnerabilities have been holding steady, according to Barracuda, and the firm expects the scanning and exploitation attempts to continue for some time.

The best defense against this spate of attacks (and most botnet and Log4Shell activity) is Security 101 — i.e., patching. Defenders can also build in an extra layer of protection with a Web application firewall (WAF), adding "defense in depth against zero-day attacks and other vulnerabilities," according to Barracuda's Tuesday writeup.

It's important for companies to hop on patches for popular platforms as soon as vendor disclosures come out, Goldgof notes.

"Cybercriminals are constantly scanning for these types of advisories and jump on them ASAP to attempt to exploit targets before they get a chance to download a patch," he says. "\[And\] VMware infrastructure is widely deployed in both data center and cloud environments, providing a large population of attractive hacking targets."

Critical VMware Bug Exploits Continue, as Botnet Operators Jump In

Law enforcement is warning about a wave of Web injection attacks on US online retailers that are successfully stealing credit-card information from online checkout pages.

Cyberattackers are targeting US online businesses by injecting malicious PHP code into e-commerce checkout pages and exfiltrating scraped data to a command-and-control (C2) server spoofed to look like a legitimate credit-card processor.

That's according to a flash alert from the FBI issued this week, which detailed one attack in particular that began in September 2020. Along with scraping credit-card data, the cybercriminals were modifying the business checkout page code to gain backdoor access to the business' system. The FBI provided indicators of compromise and recommended mitigations for similar e-tailers, including patching and ongoing monitoring of e-commerce environments. 

**Businesses Should Take Alert 'Seriously'**  
Cyvatar CISO Dave Cundiff explained in an emailed reaction to the alert that basic cybersecurity hygiene and monitoring would be enough to fend off this sort of attack. 

"Continually verifying and monitoring an organization's fundamental cybersecurity is a requirement these days," Cundiff said. "If the fundamentals of an organization’s security are not strong, then the additional complexity of any additional security is useless." 

US businesses should take this alert seriously, according to Kunal Modasiya, senior director of product management at PerimeterX,.

"Given the risks of supply-chain attacks in general, it is important that businesses look beyond server-side security tools, such as static code analysis, external scanners, and the limitations of CSP to solutions," Modasiya says. 

Ron Bradley, vice president of Shared Assessments, meanwhile notes that organizations dealing with credit-card data, which he called "one of the crown jewels for fraudsters," should have technical controls like file integrity monitoring (FIM) in place.  

"If you're running a website, especially one which transacts funds, and if you don't have FIM implemented, I don't want to shop there," Bradley said. "Furthermore, you're going to get pummeled by bad actors because you don't have your house in order."

FBI: E-Tailers, Beware Web Injections for Scraping Credit-Card Data, Backdoors

New quantum encryption standards will stand up to spy-snooping, NSA cybersecurity director said.

As the National Institute of Standards and Technology (NIST) is busy developing — and gathering industry buy-in — for a new set of quantum encryption standards, the cybersecurity chief for the National Security Agency (NSA) has vowed it won't build in a backdoor for snooping.   

The NSA has a shabby track record when it comes to violating privacy and Fourth Amendment protections with its massive surveillance operations, but in an interview, NSA director of cybersecurity Rob Joyce said, "There are no backdoors" being designed for spies to bypass new quantum encryption standards. 

Although the reality of quantum computing is still years away, its potential to crack even the strongest encryption has the cybersecurity community on the hunt for protection against this future risk.  

The NSA is also helping NIST test its various quantum encryption algorithms, Joyce told Bloomberg News. 

“Those candidate algorithms that NIST is running the competitions on all appear strong, secure, and what we need for quantum resistance,” Joyce said. “We’ve worked against all of them to make sure they are solid.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NSA Cyber Chief Vows 'No Backdoors' in Quantum Encryption Standards

The 360° Assessment & Certification from MRG-Effitas can offer guidance to SMBs looking for a simple, effective cybersecurity product. 
The post Why MRG-Effitas matters to SMBs appeared first on Malwarebytes Labs.

When selecting the right cybersecurity vendor to protect their operations, small- and medium-sized businesses (SMBs) can lean on several third-party research organizations that analyze which cybersecurity products can best prevent, detect, and clean up various types of cyberattacks today.

But these tests can sometimes assume a level of end-user complexity—and funding and staffing—that the average SMB might lack. Without a full-time security team, or even a single full-time internal IT hire, an SMB could unwittingly purchase a cybersecurity product that, while effective, requires a level of expertise they simply do not have.

This is where one third-party research team, in particular, can help.

MRG-Effitas, which produces quarterly reports about cybersecurity products that publicly participate in evaluations, focuses its analyses on “real world” malware attacks and detection capabilities. Not only do the researchers test malware samples that are currently infecting endpoints across the world, but the researchers also stress the importance of simple, effective notifications that will help the average user respond to any detected cyberthreat.

“Simulating normal user behaviour means that we pay special attention to all alerts given by security applications,” wrote the researchers in their most recent quarterly report for their program, the “360° Assessment & Certification.”

The 360° Assessment & Certification combines several tests that are then grouped into four separate certifications. Based on how a cybersecurity product performed in certain tests, that product will either earn a certificate or not. This almost-binary representation of a product’s performance is simple and effective, and it can help to quickly inform an SMB about whether a certain product is right for their company.

At the core of the MRG-Effitas certification process—which tests how products respond to known exploits, ransomware, botnets, adware, and more—is the user.

“A pass is given only when alerts are straightforward, and clearly suggest that the malicious action should be blocked,” the report said. “With this in mind, it is very important to note that the best choice for an average user is to keep things as simple as possible and not to overwhelm them with cryptic pop-ups, alerts or questions.”

****Testing and certification****

The 360° Assessment & Certification by MRG-Effitas involves the following nine rounds of testing:

*   In the Wild/Full Spectrum Test
*   PUA/Adware Test
*   Exploit/Fileless Test
*   Real Botnet Test
*   Banking Simulator Test
*   Ransomware Simulator Test
*   False Positive Ransomware Test
*   False Positive Test
*   Performance Test

Each test has a specific purpose, from testing how cybersecurity products respond to an end-user visiting a malicious URL that delivers malware, to the detection of non-malicious but meddlesome applications such as adware, to even testing how a product responds to live ransomware samples observed in real world applications, and to simulated ransomware samples developed by MRG-Effitas. Importantly, MRG-Effitas also tests the performance load of each cybersecurity product, analyzing how much time it takes to perform certain tasks on devices that have the cybersecurity product installed.

While MRG-Effitas performs testing in the above nine categories, it only awards certificates in four categories: The 360° Assessment, the 360° Exploit Degree, the 360° Online Banking Degree, and the 360° Ransomware Degree.

For the 360° Assessment, MRG-Effitas assigns two levels of certification—Level 1 and Level 2—depending on how successfully a cybersecurity product detected the cyberthreats that were launched at it during testing. A vendor only receives Level 1 certification if it detected all threats on “first exposure or via behaviour protection,” the report said, and it passed the Real Botnet Test.

The malware load used during the 360° Assessment is significant. In the most recent round, it involved 360 “In The Wild” samples that included: “20 trojans, 54 backdoors, 50 financial malware samples, 53 ransomware, 49 spyware, 84 malicious documents, \[and\] 50 malicious script files.”

Just four products publicly received a Level 1 certification in the recent 360° Assessment: Malwarebytes Endpoint Protection, Bitdefender Endpoint Security, Microsoft Windows Defender, and Symantec Endpoint Protection.

A similar test deploys 50 financial malware samples against the detection and protection capabilities of the cybersecurity products, along with simulated banking malware. Five products publicly received the 360° Online Banking Certification: Malwarebytes Endpoint Protection, Avira Antivirus Pro, Bitdefender Endpoint Security, ESET Endpoint Security, and Symantec Endpoint Protection.

****Ransomware simulations****

In just the past decade, ransomware has evolved tremendously. Developers of the infamous family of malware have gone from asking for measly sums of money from individuals to creating entire business models in which they license out their ransomware tool to other threat actors. When those threat actors successfully hit a business—which they could have purchased access to from other threat actors—the original ransomware developers take a cut of whatever eventual payment is made. To make matters worse, threat actors have also begun deploying ransomware that not only encrypts a company’s files, but it also first exfiltrates any sensitive data, which the threat actors then use as a second point of leverage: Pay up or your data will be published for everyone to see.

The researchers at MRG-Effitas, recognizing this rapid pace of ransomware evolution, have, for years, tested cybersecurity products against ransomware samples developed in-house that could represent where ransomware development is headed in just months or years.

In the most recent 360° Assessment & Certification, MRG-Effitas deployed 53 ransomware samples against the cybersecurity products, and an additional four simulated ransomware samples. To achieve the 360° Ransomware Certification, a product must have protected a device from the 53 ransomware samples and 4 simulated ransomware simulated samples, and it must have passed the false positive ransomware test.

In the most recent round of testing, all nine publicly-evaluated cybersecurity products achieved ransomware certification.

****Performance****

Understanding whether a cybersecurity product works well is, obviously, important. But of similar importance to SMBs is understanding what impact a cybersecurity product will have on a suite of endpoints. Without large budgets that could allow for constantly refreshed, new devices to be purchased, SMBs should consider how much a cybersecurity product could slow down their organizations’ devices.

Thankfully, MRG-Effitas analyzes cybersecurity products based on their impact on performing simple operations, like downloading a file, opening a Microsoft Office program, or opening a website. The analysis also measures the time spent performing a security software update and the CPU usage during the update process.

Unlike the certificates offered by MRG-Effitas for other categories, there is no certificate or “pass/fail” result when testing performance. Instead, SMBs can look at the performance measurements for each product in the latest 360° Assessment & Certification.

****Less “interpretation,” quicker answers****

The simplicity of MRG-Effitas’ 360° Assessment & Certification gives SMBs a quick guide into what cybersecurity products could be the right fit for them. Without having to dive into countless interpretive reports from each cybersecurity vendor, SMBs can instead look at the most recent 360° Assessment & Certification and ask themselves: Which of these products received certification and which did not?

Knowing that MRG-Effitas hews its testing ideology to the user—only offering certifications for products that clearly notify and warn users about how to respond to a threat—SMBs can be sure that whatever tool they choose will, at the very least, be easy to use on their end.

Why MRG-Effitas matters to SMBs

By Deeba Ahmed
Cobalt Mirage is an Irani threat group believed to be linked to the Iranian Cobalt Illusion threat group,…
This is a post from HackRead.com Read the original post: Iran’s COBALT MIRAGE Threat Group Behind Ransomware Attacks in US

Cobalt Mirage is an Irani threat group believed to be linked to the Iranian Cobalt Illusion threat group, whereas Cobalt Mirage’s activities have been reported as TunnelVision and Phosphorus.

SecureWorks® Counter Threat Unit™ (CTU) researchers are investigating an Irani threat group known as the Cobalt Mirage group. This group first surfaced in June 2020 and is linked to another Irani threat group Cobalt Illusion, also known as Charming Kitten, Phosphorus, APT35, and Newscaster.

The group primarily uses phishing campaigns to gain access to networks. Researchers suspect that the two groups are interconnected and might share access and tradecraft.

It is worth noting that previously, Charming Kitten was also accused of its involvement in some highly sophisticated social engineering attacks including bypassing Gmail and Yahoo’s 2FA (Two-Factor Authentication (2FA) in December 2018.

Furthermore, Charming Kitten was the talk of the town in March 2019 when Microsoft seized 99 websites used by Iranian hackers for large-scale phishing attacks. In July 2020, the same group exposed 40GB of videos exposing its entire modus operandi.

**Cobalt Mirage Attack Tactics**

Based on information obtained via incident response activities and public reporting, the researchers identified two clusters of Cobalt Mirage attacks, labeled Cluster A and Cluster B. 

According to researchers, threat actors used DiskCryptor and BitLocker in Cluster A for conducting ransomware attacks that are mainly profit-driven. On the other hand, Cluster B entails targeted intrusions to invade a network and collect intelligence. But sometimes, Cluster B attacks may also involve ransomware in selected cases.

COBALT MIRAGE’s attack vector (Image: SecureWorks)

**Primary Targets of Cobalt Mirage**

According to SecureWorks’s blog post published on May 12th, Cobalt Mirage’s victims are primarily organizations in the USA, Australia, Europe, and Israel. The group mainly uses file-encrypting ransomware to target its victims.

Some of its previous campaigns include the scan-and-exploit attack against Microsoft Exchange Servers and exploiting the ProxyShell vulnerabilities in March 2022 to access a US local government network.

The group also targeted a philanthropic organization in the USA in January 2022. Research reveals that the group has limited ability to capitalize on the access they gain to a network and use it for financial gains or intelligence data collection.

**How does Cobalt Mirage Attack its Victims?**

Research revealed that Cobalt Mirage scans internet-exposed servers to detect vulnerable servers and identify initial access routes. They often look for flaws in Microsoft Exchange servers and Fortinet appliances.

In 2021, SecureWorks’ blog post revealed that the threat group scanned ports 4443, 8443, and 10443 to find flaws in devices vulnerable to FortiOS vulnerabilities (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591).

In September 2021, they targeted the MS Exchange servers and deployed the Fast Reverse Proxy Client by exploiting the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to enable access to vulnerable devices.

Once they identify a loophole, they drop web shells and use them as a conduit for lateral movement across the network and launch the ransomware. They complete their attack with a rather unusual way of sending ransom notes, which they send to a local printer.

This note contains the email address and Telegram account details for victims to contact the attacker. However, researchers couldn’t identify how the encryption feature is triggered. The group uses publicly available encryption tools for launching ransomware attacks.

COBALT MIRAGE’s ransom note (Image: SecureWorks)

> “CTU researchers recommend that organizations use available controls to review and restrict access using the indicators listed in Table 1. Note that IP addresses can be reallocated. The domains and IP addresses may contain malicious content, so consider the risks before opening them in a browser.”

**More Iranian Security News on Hackread.com**

1.  Iran-linked hackers hit Israeli, US and EU defense tech firm
2.  Irani and Chinese State Hackers Exploiting Log4j Vulnerability
3.  Watch as hackers disrupt Iran’s prison computers; leak live footage
4.  Exposed: 6 year old Iranian espionage campaign using Android backdoor
5.  Iranian APT group hits schools, universities in global spear phishing attacks

Iran’s COBALT MIRAGE Threat Group Behind Ransomware Attacks in US

Calibre-Web before 0.6.18 allows user table SQL Injection.

**Security Policy****Reporting a Vulnerability**

Please report security issues to ozzie.fernandez.isaacs@googlemail.com

**Supported Versions**

To receive fixes for security vulnerabilities it is required to always upgrade to the latest version of Calibre-Web. See https://github.com/janeczku/calibre-web/releases/latest for the latest release.

**History**

Fixed in

Description

CVE number

3rd July 2018

Guest access acts as a backdoor

V 0.6.7

Hardcoded secret key for sessions

CVE-2020-12627

V 0.6.13

Calibre-Web Metadata cross site scripting

CVE-2021-25964

V 0.6.13

Name of Shelves are only visible to users who can access the corresponding shelf Thanks to @ibarrionuevo

V 0.6.13

JavaScript could get executed in the description field. Thanks to @ranjit-git and Hagai Wechsler (WhiteSource)

V 0.6.13

JavaScript could get executed in a custom column of type "comment" field

V 0.6.13

JavaScript could get executed after converting a book to another format with a title containing javascript code

V 0.6.13

JavaScript could get executed after converting a book to another format with a username containing javascript code

V 0.6.13

JavaScript could get executed in the description series, categories or publishers title

V 0.6.13

JavaScript could get executed in the shelf title

V 0.6.13

Login with the old session cookie after logout. Thanks to @ibarrionuevo

V 0.6.14

CSRF was possible. Thanks to @mik317 and Hagai Wechsler (WhiteSource)

CVE-2021-25965

V 0.6.14

Migrated some routes to POST-requests (CSRF protection). Thanks to @scara31

CVE-2021-4164

V 0.6.15

Fix for "javascript:" script links in identifier. Thanks to @scara31

CVE-2021-4170

V 0.6.15

Cross-Site Scripting vulnerability on uploaded cover file names. Thanks to @ibarrionuevo

V 0.6.15

Creating public shelfs is now denied if user is missing the edit public shelf right. Thanks to @ibarrionuevo

V 0.6.15

Changed error message in case of trying to delete a shelf unauthorized. Thanks to @ibarrionuevo

V 0.6.16

JavaScript could get executed on authors page. Thanks to @alicaz

CVE-2022-0352

V 0.6.16

Localhost can no longer be used to upload covers. Thanks to @scara31

CVE-2022-0339

V 0.6.16

Another case where public shelfs could be created without permission is prevented. Thanks to @nhiephon

CVE-2022-0273

V 0.6.16

It's prevented to get the name of a private shelfs. Thanks to @nhiephon

CVE-2022-0405

V 0.6.17

The SSRF Protection can no longer be bypassed via an HTTP redirect. Thanks to @416e6e61

CVE-2022-0767

V 0.6.17

The SSRF Protection can no longer be bypassed via 0.0.0.0 and it's ipv6 equivalent. Thanks to @r0hanSH

CVE-2022-0766

V 0.6.18

Possible SQL Injection is prevented in user table Thanks to Iman Sharafaldin (Forward Security)

CVE-2022-30765

V 0.6.18

The SSRF protection no longer can be bypassed by IPV6/IPV4 embedding. Thanks to @416e6e61

CVE-2022-0939

V 0.6.18

The SSRF protection no longer can be bypassed to connect to other servers in the local network. Thanks to @michaellrowley

CVE-2022-0990

**Statement regarding Log4j (CVE-2021-44228 and related)**

Calibre-web is not affected by bugs related to Log4j. Calibre-Web is a python program, therefore not using Java, and not using the Java logging feature log4j.

CVE-2022-30765: calibre-web/SECURITY.md at master · janeczku/calibre-web

Plus: New details of ICE’s dragnet surveillance in the US, Clearview AI agrees to limit sales of its faceprint database, and more.

A group of human rights lawyers and investigators called on the Hague this week to bring what would be the first ever “cyber war crimes” charges. The group is urging the International Criminal Court to bring charges against the dangerous and destructive Russian hacking group known as Sandworm, which is run by Russia’s military intelligence agency GRU. Meanwhile, activists are working to block Russia from using satellites controlled by the French company Eutelsat to broadcast its state-run propaganda programming.

Researchers released findings this week that thousands of popular websites record data that users type into forms on the site before they hit the Submit button—even if the user closes the page without submitting anything. Google released a report on an in-depth security analysis it conducted with the chipmaker AMD to catch and fix flaws in specialty security processors used in Google Cloud infrastructure. The company also announced a slew of privacy and security features for its new Android 13 mobile operating system along with a vision for making them easier for people to understand and use.

The European Union is considering child protective legislation that would require scanning private chats, potentially undermining end-to-end encryption at a massive scale. Plus, defenders from the cybersecurity nonprofit BIO-ISAC are racing to protect the bioeconomy from digital threats, announcing a partnership this week with Johns Hopkins University Applied Physics Lab that will help fund pay-what-you-can incident response resources.

But wait, there’s more. Each week we round up the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there.

The United States is completing development of a new generation of high-security encryption standards that will be robust in the current technical climate and are designed to be resistant to circumvention in the age of quantum computing. And while the National Security Agency contributed to the new standards' creation, the agency says it has no special means of undermining the protections. Rob Joyce, the NSA’s director of cybersecurity, told Bloomberg this week, “There are no backdoors." The NSA has been implicated in schemes to backdoor encryption before, including in a situation in the early 2010s in which the US removed an NSA-developed algorithm as a federal standard over backdoor concerns.

An extensive investigation by Georgetown Law’s Center on Privacy & Technology reveals a more detailed picture than ever of US Immigration and Customs Enforcement agency surveillance capabilities and practices. According to the report, published this week, ICE began developing its surveillance infrastructure at the end of the George W. Bush administration, years before it was previously thought to have begun these efforts. And researchers found that ICE spent $2.8 billion on surveillance technology, including face recognition, between 2008 and 2021. ICE was already known for its aggressive and invasive surveillance tactics during the Donald Trump administration’s anti-immigration crackdowns, but the report also argues that ICE has “played a key role in the federal government’s larger push to amass as much information as possible” about people in the United States.

“Our two-year investigation, including hundreds of Freedom of Information Act requests and a comprehensive review of ICE’s contracting and procurement records, reveals that ICE now operates as a domestic surveillance agency,” the report says. “By reaching into the digital records of state and local governments and buying databases with billions of data points from private companies, ICE has created a surveillance infrastructure that enables it to pull detailed dossiers on nearly anyone, seemingly at any time.”

In a legal settlement this week, the face recognition and surveillance startup Clearview AI agreed to a set of restrictions on its business in the US, including that it won’t sell its faceprint database to businesses or individuals in the country. The company says it has more than 10 billion faceprints in its arsenal belonging to people around the world and collected through photos found online. The settlement comes after the American Civil Liberties Union accused Clearview of violating the Illinois Biometric Information Privacy Act. The agreement also stipulates that the company won’t be allowed to sell access to its database in Illinois for five years. “This settlement demonstrates that strong privacy laws can provide real protections against abuse,” Nathan Freed Wessler, a deputy director of the ACLU Speech, Privacy, and Technology Project said in a statement. Despite the privacy win, Clearview may continue to sell its services to federal law enforcement, including ICE, and police departments outside of Illinois.

Costa Rican president Rodrigo Chaves said on Sunday that the country was declaring a national emergency after the notorious Conti ransomware gang infected multiple government agencies with malware last week. Sunday was the first day of Chaves' presidency. Conti leaked some of a 672 GB trove of stolen data from multiple Costa Rican agencies. In April, the Costa Rican social security administration had announced that it was the victim of a Conti attack. “At this time, a perimeter security review is being carried out on the Conti Ransomware, to verify and prevent possible attacks," the agency tweeted at the time.

The NSA Swears It Has ‘No Backdoors’ in Next-Gen Encryption

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 6 and May 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for May 6 to May 13

A spear-phishing campaign targeting Jordan's foreign ministry has been observed dropping a new stealthy backdoor dubbed Saitama.
Researchers from Malwarebytes and Fortinet FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat actor tracked under the moniker APT34, citing resemblances to past campaigns staged by the group.
"Like many of these attacks, the email contained a

A spear-phishing campaign targeting Jordan's foreign ministry has been observed dropping a new stealthy backdoor dubbed Saitama.

Researchers from Malwarebytes and Fortinet FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat actor tracked under the moniker APT34, citing resemblances to past campaigns staged by the group.

"Like many of these attacks, the email contained a malicious attachment," Fortinet researcher Fred Gutierrez said. "However, the attached threat was not a garden-variety malware. Instead, it had the capabilities and techniques usually associated with advanced persistent threats (APTs)."

APT34, also known as OilRig, Helix Kitten, and Cobalt Gypsy, is known to be active since at least 2014 and has a track record of striking telecom, government, defense, oil, and financial sectors in the Middle East and North Africa (MENA) via targeted phishing attacks.

Earlier this February, ESET tied the group to a long-running intelligence gather operation aimed at diplomatic organizations, technology companies, and medical organizations in Israel, Tunisia, and the United Arab Emirates.

The newly observed phishing message contains a weaponized Microsoft Excel document, opening which prompts a potential victim to enable macros, leading to the execution of a malicious Visual Basic Application (VBA) macro that drops the malware payload ("update.exe").

Furthermore, the macro takes care of establishing persistence for the implant by adding a scheduled task that repeats every four hours.

A .NET-based binary, Saitama leverages the DNS protocol for its command-and-control (C2) communications as part of an effort to disguise its traffic, while employing a "finite-state machine" approach to executing commands received from a C2 server.

"In the end, this basically means that this malware is receiving tasks inside a DNS response," Gutierrez explained. DNS tunneling, as it's called, makes it possible to encode the data of other programs or protocols in DNS queries and responses.

In the final stage, the results of the command execution are subsequently sent back to the C2 server, with the exfiltrated data built into a DNS request.

"With the amount of work put into developing this malware, it does not appear to be the type to execute once and then delete itself, like other stealthy infostealers," Gutierrez said.

"Perhaps to avoid triggering any behavioral detections, this malware also does not create any persistence methods. Instead, it relies on the Excel macro to create persistence by way of a scheduled task."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#backdoor