<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/137/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>EXCLUSIVE iPhone flaw exploited by second Israeli spy firm-sources</title><link>https://nsaneforums.com/news/security-privacy-news/exclusive-iphone-flaw-exploited-by-second-israeli-spy-firm-sources-r4136/</link><description><![CDATA[<p>
	WASHINGTON, Feb 3 (Reuters) - A flaw in Apple's software exploited by Israeli surveillance firm NSO Group to break into iPhones in 2021 was simultaneously abused by a competing company, according to five people familiar with the matter.
</p>

<p>
	QuaDream, the sources said, is a smaller and lower-profile Israeli firm that also develops smartphone hacking tools intended for government clients.
</p>

<p>
	The two rival businesses gained the same ability last year to remotely break into iPhones, according to the five sources, meaning that both firms could compromise Apple phones without an owner needing to open a malicious link. That two firms employed the same sophisticated hacking technique – known as a “zero-click” – shows that phones are more vulnerable to powerful digital spying tools than the industry will admit, one expert said.
</p>

<p>
	"People want to believe they're secure, and phone companies want you to believe they're secure. What we've learned is, they're not," said Dave Aitel, a partner at Cordyceps Systems, a cybersecurity firm.
</p>

<p>
	Experts analyzing intrusions engineered by NSO Group and QuaDream since last year believe the two companies used very similar software exploits, known as ForcedEntry, to hijack iPhones.
</p>

<p>
	An exploit is computer code designed to leverage a set of specific software vulnerabilities, giving a hacker unauthorized access to data.
</p>

<p>
	The analysts believed NSO and QuaDream's exploits were similar because they leveraged many of the same vulnerabilities hidden deep inside Apple's instant messaging platform and used a comparable approach to plant malicious software on targeted devices, according to three of the sources.
</p>

<p>
	Bill Marczak, a security researcher with digital watchdog Citizen Lab who has been studying both companies' hacking tools, told Reuters that QuaDream's zero-click capability seemed "on par" with NSO's.
</p>

<p>
	Reuters made repeated attempts to reach QuaDream for comment, sending messages to executives and business partners. A Reuters journalist last week visited QuaDream’s office, in the Tel Aviv suburb of Ramat Gan, but no one answered the door. Israeli lawyer Vibeke Dank, whose email was listed on QuaDream's corporate registration form, also did not return repeated messages.
</p>

<p>
	An Apple spokesman declined to comment on QuaDream or to say what action, if any, the company planned to take with regard to the firm.
</p>

<p>
	ForcedEntry is viewed as "one of the most technically sophisticated exploits" ever captured by security researchers.
</p>

<p>
	So similar were the two versions of ForcedEntry that when Apple fixed the underlying flaws in September 2021 it rendered both NSO and QuaDream’s spy software ineffective, according to two people familiar with the matter.
</p>

<p>
	In a written statement, an NSO spokeswoman said the company "did not cooperate" with QuaDream but that "the cyber intelligence industry continues to grow rapidly globally."
</p>

<p>
	Apple sued NSO Group over ForcedEntry in November, claiming that NSO had violated Apple's user terms and services agreement. The case is still in its early stages.
</p>

<p>
	In its lawsuit, Apple said that it "continuously and successfully fends off a variety of hacking attempts." NSO has denied any wrongdoing.
</p>

<p>
	Spyware companies have long argued they sell high-powered technology to help governments thwart national security threats. But human rights groups and journalists have repeatedly documented the use of spyware to attack civil society, undermine political opposition, and interfere with elections.
</p>

<p>
	Apple notified thousands of ForcedEntry targets in November, making elected officials, journalists, and human rights workers around the world realize they had been placed under surveillance.
</p>

<p>
	In Uganda, for example, NSO's ForcedEntry was used to spy on U.S. diplomats, Reuters reported.
</p>

<p>
	In addition to the Apple lawsuit, Meta's WhatsApp is also litigating over the alleged abuse of its platform. In November, NSO was put on a trade blacklist by the U.S. Commerce Department over human rights concerns.
</p>

<p>
	Unlike NSO, QuaDream has kept a lower profile despite serving some of the same government clients. The company has no website touting its business and employees have been told to keep any reference to their employer off social media, according to a person familiar with the company.
</p>

<p>
	REIGN
</p>

<p>
	QuaDream was founded in 2016 by Ilan Dabelstein, a former Israeli military official, and by two former NSO employees, Guy Geva and Nimrod Reznik, according to Israeli corporate records and two people familiar with the business. Reuters could not reach the three executives for comment.
</p>

<p>
	Like NSO's Pegasus spyware, QuaDream's flagship product - called REIGN - could take control of a smartphone, scooping up instant messages from services such as WhatsApp, Telegram, and Signal, as well as emails, photos, texts and contacts, according to two product brochures from 2019 and 2020 which were reviewed by Reuters.
</p>

<p>
	REIGN's “Premium Collection” capabilities included the "real time call recordings", "camera activation - front and back" and "microphone activation", one brochure said.
</p>

<p>
	Prices appeared to vary. One QuaDream system, which would have given customers the ability to launch 50 smartphone break-ins per year, was being offered for $2.2 million exclusive of maintenance costs, according to the 2019 brochure. Two people familiar with the software's sales said the price for REIGN was typically higher.
</p>

<p>
	Over the years, QuaDream and NSO Group employed some of the same engineering talent, according to three people familiar with the matter. Two of those sources said the companies did not collaborate on their iPhone hacks, coming up with their own ways to take advantage of vulnerabilities.
</p>

<p>
	Several of QuaDream's buyers have also overlapped with NSO's, four of the sources said, including Saudi Arabia and Mexico - both of whom have been accused of misusing spy software to target political opponents.
</p>

<p>
	One of QuaDream's first clients was the Singaporean government, two of the sources said, and documentation reviewed by Reuters shows the company's surveillance technology was pitched to the Indonesian government as well. Reuters couldn't determine if Indonesia became a client.
</p>

<p>
	Mexican, Singaporean, Indonesian and Saudi officials did not return messages seeking comment about QuaDream.
</p>

<p>
	Reporting by Christopher Bing and Raphael Satter in Washington. Joseph Menn in San Francisco, Nir Elias in Ramat Gan, Israel, Dan Williams in Jerusalem, and Michele Kambas in Nicosia, Cyprus contributed reporting. Editing by Chris Sanders and Edward Tobin
</p>

<p>
	<strong><a href="https://www.reuters.com/technology/exclusive-iphone-flaw-exploited-by-second-israeli-spy-firm-sources-2022-02-03/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">4136</guid><pubDate>Thu, 03 Feb 2022 17:02:39 +0000</pubDate></item><item><title>North Korea Hacked Him. So He Took Down Its Internet</title><link>https://nsaneforums.com/news/security-privacy-news/north-korea-hacked-him-so-he-took-down-its-internet-r4128/</link><description><![CDATA[<p>
	<strong>Disappointed with the lack of US response to the Hermit Kingdom's attacks against US security researchers, one hacker took matters into his own hands.</strong>
</p>

<div data-attribute-verso-pattern="article-body">
	<div data-event-boundary="click" data-event-click='{"pattern":"ChunkedArticleContent"}' data-in-view='{"pattern":"ChunkedArticleContent"}' data-include-experiments="true">
		<div data-testid="ArticlePageChunks">
			<div>
				<div>
					<div data-journey-hook="client-content" data-testid="BodyWrapper">
						<div>
							<p>
								For the past two weeks, observers of North Korea's strange and tightly restricted corner of the internet began to <a href="https://www.nknews.org/pro/ddos-attack-cuts-off-north-koreas-internet-after-fifth-missile-test/" rel="external nofollow" target="_blank">notice that the country seemed to be dealing with some serious connectivity problems</a>. On several different days, practically all of its websites—the notoriously isolated nation only has a few dozen—intermittently dropped offline en masse, from the booking site for its Air Koryo airline to Naenara, a page that serves as the official portal for dictator Kim Jong-un's government. At least one of the central routers that allow access to the country's networks appeared at one point to be paralyzed, crippling the Hermit Kingdom's digital connections to the outside world.
							</p>

							<p>
								Some North Korea watchers pointed out that the country had just <a href="https://www.nytimes.com/2022/01/26/world/asia/north-korea-missile-test.html" rel="external nofollow" target="_blank">carried out a series of missile tests</a>, implying that a foreign government's hackers might have launched a cyberattack against the rogue state to tell it to stop saber-rattling.
							</p>

							<p>
								But responsibility for North Korea's ongoing internet outages doesn't lie with US Cyber Command or any other state-sponsored hacking agency. In fact, it was the work of one American man in a T-shirt, pajama pants, and slippers, sitting in his living room night after night, watching Alien movies and eating spicy corn snacks—and periodically walking over to his home office to check on the progress of the programs he was running to disrupt the internet of an entire country.
							</p>

							<p>
								Just over a year ago, an independent hacker who goes by the handle P4x was himself hacked by North Korean spies. P4x was just one victim of <a href="https://www.wired.com/story/north-korea-hackers-target-cybersecurity-researchers/" rel="external nofollow">a hacking campaign that targeted Western security researchers</a> with the apparent aim of stealing their hacking tools and details about software vulnerabilities. He says he managed to prevent those hackers from swiping anything of value from him. But he nonetheless felt deeply unnerved by state-sponsored hackers targeting him personally—and by the lack of any visible response from the US government.
							</p>

							<p>
								So after a year of letting his resentment simmer, P4x has taken matters into his own hands. “It felt like the right thing to do here. If they don’t see we have teeth, it’s just going to keep coming,” says the hacker. (P4x spoke to WIRED and shared screen recordings to verify his responsibility for the attacks but declined to use his real name for fear of prosecution or retaliation.) “I want them to understand that if you come at us, it means some of your infrastructure is going down for a while.”
							</p>

							<p>
								P4x says he's found numerous known but unpatched vulnerabilities in North Korean systems that have allowed him to singlehandedly launch “denial-of-service” attacks on the servers and routers the country's few internet-connected networks depend on. For the most part, he declined to publicly reveal those vulnerabilities, which he argues would help the North Korean government defend against his attacks. But he named, as an example, a known bug in the web server software Nginx that mishandles certain HTTP headers, allowing the servers that run the software to be overwhelmed and knocked offline. He also alluded to finding “ancient” versions of the web server software Apache, and says he's started to examine North Korea's own national homebrew operating system, known as Red Star OS, which he described as an old and likely vulnerable version of Linux.
							</p>
						</div>
					</div>
				</div>
			</div>

			<div>
				<div>
					<div data-journey-hook="client-content" data-testid="BodyWrapper">
						<div>
							<p>
								P4x says he has largely automated his attacks on the North Korean systems, periodically running scripts that enumerate which systems remain online and then launching exploits to take them down. “For me, this is like the size of a small-to-medium pentest,” P4x says, using the abbreviation for a “penetration test,” the sort of whitehat hacking he's carried out in the past to reveal vulnerabilities in a client's network. “It's pretty interesting how easy it was to actually have some effect in there.”
							</p>

							<p>
								Those relatively simple hacking methods have had immediate effects. Records from the uptime-measuring service Pingdom show that at several points during P4x's hacking, almost every North Korean website was down. (Some of those that stayed up, like the news site Uriminzokkiri.com, are based outside the country.) Junade Ali, a cybersecurity researcher who monitors the North Korean internet, says he began to observe what appeared to be mysterious, mass-scale attacks on the country's internet starting two weeks ago and has since closely tracked the attacks without having any idea who was carrying them out.
							</p>

							<p>
								Ali says he saw key routers for the country go down at times, taking with them not only access to the country's websites but also to its email and any other internet-based services. “As their routers fail, it would literally then be impossible for data to be routed into North Korea,” Ali says, describing the result as “effectively a total internet outage affecting the country.” (P4x notes that while his attacks at times disrupted all websites hosted in the country and access from abroad to any other internet services hosted there, they didn’t cut off North Koreans’ outbound access to the rest of the internet.)
							</p>

							<p>
								As rare as it may be for a single pseudonymous hacker to cause an internet blackout on that scale, it's far from clear what real effects the attacks have had on the North Korean government. Only a tiny fraction of North Koreans have access to internet-connected systems to begin with, says Martyn Williams, a researcher for the Stimson Center think tank's North Korea-focused 38 North Project. The vast majority of residents are confined to the country's disconnected intranet. Williams says the dozens of sites P4x has repeatedly taken down are largely used for propaganda and other functions aimed at an international audience.
							</p>

							<p>
								While knocking out those sites no doubt presents a nuisance to some regime officials, Williams points out that the hackers who targeted P4x last year—like almost all the country's hackers—are almost certainly based in other countries, such as China. “I would say, if he's going after those people, he's probably directing his attentions to the wrong place,” says Williams. “But if he just wants to annoy North Korea, then he is probably being annoying.”
							</p>

							<p>
								For his part, P4x says he would count annoying the regime as a success, and that the vast majority of the country's population that lacks internet access was never his target. “I definitely wanted to affect the people as little as possible and the government as much as possible,” P4x says.
							</p>

							<p>
								He acknowledges that his attacks amount to no more than “tearing down government banners or defacing buildings,” as he puts it. But he also says that his hacking has so far focused on testing and probing to find vulnerabilities. He now intends to try actually hacking into North Korean systems, he says, to steal information and share it with experts. At the same time, he's hoping to recruit more hacktivists to his cause with a dark website he launched Monday called the FUNK Project—i.e. “FU North Korea”—in the hopes of generating more collective firepower. 
							</p>
						</div>
					</div>
				</div>

			</div>

			<div>
				<div>
					<div data-journey-hook="client-content" data-testid="BodyWrapper">
						<div>
							<p>
								“This is a project to keep North Korea honest,” the FUNK Project site reads. “You can make a difference as one person. The goal is to perform proportional attacks and information-gathering in order to keep NK from hacking the western world completely unchecked.”
							</p>

							<p>
								P4x says his hacktivist efforts are meant to send a message not only to the North Korean government, but also to his own. His cyberattacks on North Korean networks are, he says, in part an attempt to draw attention to what he sees as a lack of government response to North Korean targeting of US individuals. “If no one’s going to help me, I’m going to help myself,” he says.
							</p>

							<p>
								P4x knows the exact moment last year when he was hit by North Korea's spies. In late January of 2021, he opened a file sent to him by a fellow hacker, who had described it as an exploitation tool. Just 24 hours later, he spotted a <a href="https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/" rel="external nofollow" target="_blank">blog post from Google Threat Analysis Group</a> warning that <a href="https://www.wired.com/story/north-korea-hackers-target-cybersecurity-researchers/" rel="external nofollow">North Korean hackers were targeting security researchers</a>. Sure enough, when P4x scrutinized the hacking tool he'd received from a stranger, he saw that it contained a backdoor designed to provide a remote foothold on his computer. P4x had opened the file in a virtual machine, digitally quarantining it from the rest of his system. But he was nonetheless shocked and appalled by the realization that he'd been personally targeted by North Korea.
							</p>

							<p>
								P4x says he was later contacted by the FBI but was never offered any real help to assess the damage from North Korea's hacking or to protect himself in the future. Nor did he ever hear of any consequences for the hackers who targeted him, an open investigation into them, or even a formal recognition from a US agency that North Korea was responsible. It began to feel, as he put it, like “there’s really nobody on our side.” 
							</p>

							<p>
								When WIRED asked the FBI about its response to the North Korean targeting of US security researchers, it responded in a statement: “As the lead agency responsible for threat response we rely on the public and private sector to report suspicious activity and intrusions, and work together to ensure we understand what’s happening, prevent it from happening to others, and hold those responsible accountable,” the FBI statement reads. “The FBI is committed to pursuing the malicious actors and countries behind cyberattacks, and will not tolerate intellectual property theft or intimidation.”
							</p>

							<p>
								After his experience as a target of state-sponsored cyberespionage, P4x spent much of the next year on other projects. But after a year had passed, still without public or private statements from the federal government about the targeting of security researchers and no offer of support from any US agency, P4x says he decided it was time to make his own statement to both the North Korean and American governments. 
							</p>

							<p>
								Other hackers targeted by North Korea don't all agree that P4x's hacking spree is the right way to make that statement. Dave Aitel, a former NSA hacker and the founder of security firm Immunity, was similarly targeted in the same espionage campaign. But he questions whether P4x has taken a productive approach to getting even, given that he may actually be getting in the way of stealthier intelligence efforts targeting the same North Korean computers. 
							</p>
						</div>
					</div>
				</div>

			</div>

			<div>
				<div>
					<div data-journey-hook="client-content" data-testid="BodyWrapper">
						<div>
							<p>
								“I would not want to disrupt real Western intelligence efforts that are already in place on those machines, assuming there is anything of value there,” Aitel says. 
							</p>

							<p>
								Aitel agrees, though, that the government response to North Korea's campaign has been lacking. He says he never received any contact from a government agency and lays the blame for that silence specifically at the feet of the Cybersecurity and Infrastructure Security Agency. “This is one of the biggest balls CISA, in particular, has dropped,” Aitel says. “The United States is good at protecting the government, OK at protecting corporations, but does not protect individuals.” He points out that many of the targeted security researchers likely had significant access to software vulnerabilities, enterprise networks, and the code of widely used tools. That could result, he says, in “the next SolarWinds.” 
							</p>

							<p>
								When WIRED reached out to CISA, a spokesperson responded in a statement that the agency “is committed to supporting the cybersecurity community in detecting and protecting against malicious cyber actors,” adding that "as part of this work, we encourage any researcher that is being targeted by cyber threats to contact the US government so we can provide all possible assistance.”
							</p>

							<p>
								US government criticisms aside, P4x is clear that his hacking aims primarily to send a message to the Kim regime, which he describes as carrying out “insane human rights abuses and complete control over their population.” While he acknowledges that his attacks likely violate US computer fraud and hacking laws, he argues he hasn't done anything ethically wrong. “My conscience is clear,” he says.
							</p>

							<p>
								And what's the final goal of his cyberattacks on that totalitarian government's internet infrastructure? When will he end them? 
							</p>

							<p>
								“Regime change. No, I'm just kidding,” P4x says with a laugh. “I just want to prove a point. I want that point to be very squarely proven before I stop.”
							</p>
						</div>
					</div>
				</div>
			</div>
		</div>
	</div>
</div>

<p>
	<a href="https://www.wired.com/story/north-korea-hacker-internet-outage/" rel="external nofollow">North Korea Hacked Him. So He Took Down Its Internet</a>
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">4128</guid><pubDate>Wed, 02 Feb 2022 21:17:39 +0000</pubDate></item><item><title>Firefox&#x2019;s anti-tracking feature adds per-account VPN for more privacy</title><link>https://nsaneforums.com/news/security-privacy-news/firefox%E2%80%99s-anti-tracking-feature-adds-per-account-vpn-for-more-privacy-r4127/</link><description><![CDATA[<div>
	<div>
		<p>
			<strong>It’s also bringing its multi-hop feature to Mozilla VPN on iOS and Android </strong>
		</p>
	</div>
</div>

<div>
	<div>
		<div>
			<p id="1paWKh">
				<a href="https://blog.mozilla.org/en/products/mozilla-vpn/multi-account-containers-add-on-on-mozilla-vpn/" rel="external nofollow">Mozilla is combining its Multi-Account Containers</a> add-on with its VPN service, which lets you keep your online personas — such as your work and personal browsing histories — separate.
			</p>

			<p id="cKNj2t">
				<a href="https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/" rel="external nofollow">Multi-Account Containers</a> has been available as a Firefox add-on since 2017. It works to “contain” your different online lives in separate tabs that you can label with colors, icons, or names. The containers don’t just hold your browsing histories — they also store cookies and tracking information, which means you can sign into different accounts on the same site just by clicking over to another container.
			</p>

			<p id="1SdUYi">
				But using the add-on with Mozilla VPN comes with a distinct advantage (well, at least in my opinion): the ability to hide your location across containers. As <a href="https://blog.mozilla.org/en/products/mozilla-vpn/multi-account-containers-add-on-on-mozilla-vpn/" rel="external nofollow">Mozilla’s blog post explains</a>, you can connect each of your online personas with a different server — for example, if you’re traveling abroad but want to check your online bank account back home, you can use the add-on to browse for local shops in one tab and then manage your personal finances from a server near your hometown in another.
			</p>

			<p id="PtUmm2">
				When combined with the Multi-Account Containers add-on, using Mozilla’s VPN can help mask your web activity even more, as it makes it harder for servers to track you based on where you’re accessing a site from. That makes it a cool way to see what’s trending on YouTube in two different countries at once and a crucial privacy tool for avoiding prying eyes trying to find a connection between your different online personas.
			</p>

			<p id="IVk1B9">
				While <a href="https://www.theverge.com/2020/7/15/21325316/mozilla-vpn-android-windows-launch-firefox-private-network-price" rel="external nofollow">Mozilla VPN only came out in 2020</a>, it would’ve been nice if the add-on was supported directly from the very start, considering just how useful it is, but now it’s here.
			</p>

			<p id="jKO9uJ">
				As for Mozilla’s multi-hop feature — which was first <a href="https://blog.mozilla.org/en/mozilla/mozilla-vpn-adds-advanced-privacy-features-custom-dns-servers-and-multi-hop/" rel="external nofollow">released for the desktop VPN back in September</a> — it lets you route your online activity through two different servers, further covering up your tracks online. Today, the organization announced it’s adding support for the multi-hop feature on the Mozilla VPN Android and iOS app.
			</p>

			<p id="CeZNYg">
				Mozilla offers instructions on <a href="https://support.mozilla.org/en-US/kb/use-multi-account-containers-mozilla-vpn" rel="external nofollow">how to add Multi-Account Containers to Mozilla VPN</a>, as well as <a href="https://support.mozilla.org/en-US/kb/multi-hop-encrypt-your-data-twice-enhanced-security" rel="external nofollow">how to turn on the multi-hop feature</a> on mobile. Although Mozilla VPN is still a fairly new service, unique features like its Multi-Account Containers support might make the service attractive to users with more serious privacy concerns.
			</p>
		</div>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2022/2/2/22914078/mozilla-vpn-multi-account-containers-add-on" rel="external nofollow">Firefox’s anti-tracking feature adds per-account VPN for more privacy</a>
</p>
]]></description><guid isPermaLink="false">4127</guid><pubDate>Wed, 02 Feb 2022 21:13:45 +0000</pubDate></item><item><title>ESET releases crucial product updates that fix security vulnerabilities for Windows AMSI</title><link>https://nsaneforums.com/news/security-privacy-news/eset-releases-crucial-product-updates-that-fix-security-vulnerabilities-for-windows-amsi-r4126/</link><description><![CDATA[<p>
	ESET has released a batch of product updates across its stack which fix a local privilege escalation (LPE) vulnerability that affected its products. The problem stemmed from the Windows Antimalware Scan Interface (<a href="https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" rel="external nofollow">AMSI</a>) scanning feature, and its exploitation by threat actors could lead to LPE.
</p>

<p>
	The firm says:
</p>

<p style="margin-left: 40px;">
	[...] an attacker who is able to get SeImpersonatePrivilege can misuse the AMSI scanning feature to elevate to NT AUTHORITY\SYSTEM in some cases.
</p>

<p>
	ESET was made aware of the flaw by Trend Micro's <a href="https://twitter.com/thezdi" rel="external nofollow">Zero Day Initiative</a> (ZDI) and the vulnerability has been assigned the ID CVE-2021-37852.
</p>

<p>
	The following builds of the respective ESET products have the problem patched and ESET has encouraged users to update to these product versions:
</p>

<ul>
	<li>
		<p>
			ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security and ESET Smart Security 15.0.19.0 (released on December 8, 2021)
		</p>
	</li>
	<li>
		<p>
			ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows 9.0.2032.6 and 9.0.2032.7 (released on December 16, 2021)
		</p>
	</li>
	<li>
		<p>
			ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows 8.0.2028.3, 8.0.2028.4, 8.0.2039.3, 8.0.2039.4, 8.0.2044.3, 8.0.2044.4, 8.1.2031.3, 8.1.2031.4, 8.1.2037.9 and 8.1.2037.10 (released on January 25, 2022)
		</p>
	</li>
	<li>
		<p>
			ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows 7.3.2055.0 and 7.3.2055.1 (released on January 31, 2022)
		</p>
	</li>
	<li>
		<p>
			ESET Server Security for Microsoft Windows Server 8.0.12010.0 (released on December 16, 2021)
		</p>
	</li>
	<li>
		<p>
			ESET File Security for Microsoft Windows Server 7.3.12008.0 (released on January 12, 2022)
		</p>
	</li>
	<li>
		<p>
			ESET Security for Microsoft SharePoint Server 8.0.15006.0 (released on December 16, 2021)
		</p>
	</li>
	<li>
		<p>
			ESET Security for Microsoft SharePoint Server 7.3.15002.0 (released on January 12, 2022)
		</p>
	</li>
	<li>
		<p>
			ESET Mail Security for IBM Domino 8.0.14006.0 (released on December 16, 2021)
		</p>
	</li>
	<li>
		<p>
			ESET Mail Security for IBM Domino 7.3.14003.0 (released on January 26, 2022)
		</p>
	</li>
	<li>
		<p>
			ESET Mail Security for Microsoft Exchange Server 8.0.10018.0 (released on December 16, 2021)
		</p>
	</li>
	<li>
		<p>
			ESET Mail Security for Microsoft Exchange Server 7.3.10014.0 (released on January 26, 2022)
		</p>
	</li>
</ul>

<p>
	 
</p>

<p>
	Users of ESET File Security for Microsoft Azure are advised to <a href="https://support.eset.com/en/kb3748-upgrade-eset-file-security-for-microsoft-azure-to-the-latest-version-of-eset-server-security-for-microsoft-windows-server" rel="external nofollow">upgrade to the latest version of ESET Server Security for Microsoft Windows Server</a>.
</p>

<p>
	 
</p>

<p>
	You can find more information on ESET's <a href="https://support.eset.com/en/ca8223-local-privilege-escalation-vulnerability-fixed-in-eset-products-for-windows" rel="external nofollow">support page here</a>.
</p>
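<p>
	The list above is only useful if it is checked against what is actually installed, and the branch-per-branch hotfix numbering (8.0.2028.x, 8.0.2039.x, 8.1.2037.x and so on) makes a plain string comparison wrong. As an added example, not code from the article or from ESET, the C program below decides whether a reported build is at or above the fixed build for its branch. The product-family labels, the rule that an unlisted branch newer than every fixed branch of the same line counts as fixed, and the inventory in main() are this example's assumptions; the thresholds are the builds listed above.
</p>

```c
/* Added example, not code from the article or from ESET: decides whether an
 * installed ESET for Windows build is at or above the CVE-2021-37852 fixed
 * builds the article lists. The "family" labels and the inventory strings in
 * main() are this example's own assumptions; feed it the product version your
 * deployment tooling reports. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

typedef struct { int a, b, c, d; } Ver;            /* major.minor.build.hotfix */
typedef struct { const char *family; Ver fixed; } FixedBuild;

enum EsetStatus { ESET_PATCHED, ESET_UNPATCHED, ESET_UNKNOWN };

/* Lowest fixed hotfix level per branch, taken from the article. Where it lists
 * two hotfix levels (e.g. 8.0.2028.3 and .4) the lower one is the threshold. */
static const FixedBuild FIXED[] = {
    { "home",       {15, 0, 19,    0} },  /* NOD32 / Internet Security / Smart Security (Premium) */
    { "endpoint",   { 9, 0, 2032,  6} },  /* Endpoint Antivirus / Endpoint Security */
    { "endpoint",   { 8, 0, 2028,  3} },
    { "endpoint",   { 8, 0, 2039,  3} },
    { "endpoint",   { 8, 0, 2044,  3} },
    { "endpoint",   { 8, 1, 2031,  3} },
    { "endpoint",   { 8, 1, 2037,  9} },
    { "endpoint",   { 7, 3, 2055,  0} },
    { "server",     { 8, 0, 12010, 0} },  /* Server Security / File Security for Windows Server */
    { "server",     { 7, 3, 12008, 0} },
    { "sharepoint", { 8, 0, 15006, 0} },
    { "sharepoint", { 7, 3, 15002, 0} },
    { "domino",     { 8, 0, 14006, 0} },
    { "domino",     { 7, 3, 14003, 0} },
    { "exchange",   { 8, 0, 10018, 0} },
    { "exchange",   { 7, 3, 10014, 0} },
};

/* Accepts exactly four dot-separated integers and nothing else. */
static bool parse_ver(const char *s, Ver *v) {
    char extra;
    return sscanf(s, "%d.%d.%d.%d%c", &v->a, &v->b, &v->c, &v->d, &extra) == 4;
}

enum EsetStatus eset_patch_status(const char *family, const char *version) {
    Ver v;
    if (!parse_ver(version, &v)) return ESET_UNKNOWN;

    bool seen = false;
    int newest_branch = -1;            /* highest fixed build no. in same major.minor */
    int max_a = -1, max_b = -1;        /* newest major.minor that has a fixed build */
    for (size_t i = 0; i < sizeof FIXED / sizeof FIXED[0]; i++) {
        const Ver *f = &FIXED[i].fixed;
        if (strcmp(FIXED[i].family, family) != 0) continue;
        seen = true;
        if (f->a > max_a || (f->a == max_a && f->b > max_b)) { max_a = f->a; max_b = f->b; }
        if (f->a != v.a || f->b != v.b) continue;
        if (f->c == v.c)               /* same branch: the hotfix level decides */
            return v.d >= f->d ? ESET_PATCHED : ESET_UNPATCHED;
        if (f->c > newest_branch) newest_branch = f->c;
    }
    if (!seen) return ESET_UNKNOWN;    /* product family not covered by the list */

    /* Same major.minor but a branch the list does not name: a branch newer than
     * every fixed one was released after the fix, an older one predates it. */
    if (newest_branch >= 0)
        return v.c > newest_branch ? ESET_PATCHED : ESET_UNPATCHED;

    /* A major.minor newer than every fixed line shipped after the fix (assumed);
     * an older, unlisted line may be end-of-life, so report unknown, not safe. */
    if (v.a > max_a || (v.a == max_a && v.b > max_b)) return ESET_PATCHED;
    return ESET_UNKNOWN;
}

int main(void) {
    /* Constructed inventory, not real hosts. */
    static const struct { const char *host, *family, *ver; } inv[] = {
        { "ws01", "endpoint", "8.0.2028.1" },
        { "ws02", "endpoint", "8.1.2037.10" },
        { "fs01", "server",   "8.0.12009.0" },
        { "mx01", "exchange", "7.3.10014.0" },
    };
    static const char *label[] = { "patched", "UNPATCHED", "unknown" };
    for (size_t i = 0; i < sizeof inv / sizeof inv[0]; i++)
        printf("%-5s %-9s %-12s %s\n", inv[i].host, inv[i].family, inv[i].ver,
               label[eset_patch_status(inv[i].family, inv[i].ver)]);
    return 0;
}
```

<p>
	Anything that comes back as unknown (an unparseable version string, a product family not in the list, or a line older than any fixed one) should be looked at by hand rather than treated as safe.
</p>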

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/eset-releases-crucial-product-updates-that-fix-security-vulnerabilities-for-windows-amsi/" rel="external nofollow">ESET releases crucial product updates that fix security vulnerabilities for Windows AMSI</a>
</p>
]]></description><guid isPermaLink="false">4126</guid><pubDate>Wed, 02 Feb 2022 21:11:28 +0000</pubDate></item><item><title>UEFI firmware vulnerabilities affect at least 25 computer vendors</title><link>https://nsaneforums.com/news/security-privacy-news/uefi-firmware-vulnerabilities-affect-at-least-25-computer-vendors-r4125/</link><description><![CDATA[<p>
	Researchers from firmware security company Binarly have discovered critical vulnerabilities in Insyde Software's InsydeH2O UEFI firmware, which is used by multiple computer vendors including Fujitsu, Intel, AMD, Lenovo, Dell, ASUS, HP, Siemens, Microsoft, and Acer.
</p>

<p>
	 
</p>

<p>
	UEFI (Unified Extensible Firmware Interface) is the specification for the firmware that sits between a device's hardware and its operating system; it handles the boot process and usually also provides system diagnostics and recovery functions.
</p>

<p>
	 
</p>

<p>
	In total, <a href="https://binarly.io/" rel="external nofollow" target="_blank">Binarly</a> found 23 flaws in the InsydeH2O UEFI firmware, most of them in its System Management Mode (SMM) code, which provides system-wide functions such as power management and hardware control.
</p>

<p>
	 
</p>

<p>
	Code running in SMM is more privileged than the OS kernel and executes from a region of memory (SMRAM) that the OS cannot read or inspect, so any security issue in this space can have severe consequences for the vulnerable system.
</p>

<p>
	 
</p>

<p>
	More specifically, an attacker who already has administrative privileges on the machine, whether local or remote, could exploit the SMM flaws to:
</p>

<p>
	 
</p>

<ul>
	<li>
		Bypass hardware-backed security features such as Secure Boot and Intel Boot Guard
	</li>
	<li>
		Install persistent firmware-level software that cannot easily be removed
	</li>
	<li>
		Create backdoors and back communications channels to steal sensitive data
	</li>
</ul>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="impact.png" class="ipsImage" data-ratio="75.10" height="540" width="642" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/impact.png">
		</p>

		<figcaption>
			Diagram of potential impact of post-exploitation<br>
			Source: <a href="https://binarly.io/" rel="external nofollow" target="_blank">Binarly</a>
		</figcaption>
	</figure>
</div>

<p>
	The 23 flaws are tracked as: CVE-2020-27339, CVE-2020-5953, CVE-2021-33625, CVE-2021-33626, CVE-2021-33627, CVE-2021-41837, CVE-2021-41838, CVE-2021-41839, CVE-2021-41840, CVE-2021-41841, CVE-2021-42059, CVE-2021-42060, CVE-2021-42113, CVE-2021-42554, CVE-2021-43323, CVE-2021-43522, CVE-2021-43615, CVE-2021-45969, CVE-2021-45970, CVE-2021-45971, CVE-2022-24030, CVE-2022-24031, CVE-2022-24069.
</p>

<p>
	 
</p>

<p>
	Of the above, <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45969" rel="external nofollow" target="_blank">CVE-2021-45969</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45970" rel="external nofollow" target="_blank">CVE-2021-45970</a>, and <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45971" rel="external nofollow" target="_blank">CVE-2021-45971</a>, all in SMM, are rated critical with a CVSS score of 9.8 out of 10.
</p>

<p>
	 
</p>

<p>
	Of the 23, ten can be exploited for privilege escalation, twelve are memory corruption flaws in SMM, and one is a memory corruption flaw in InsydeH2O's Driver eXecution Environment (DXE).
</p>
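<p>
	A common way SMM handlers end up with memory corruption is trusting a pointer or length handed to them from outside SMRAM: an attacker with ring-0 access points the pointer into SMRAM and the handler, running with SMM privileges, does the corrupting write for them. As an added illustration, not Insyde, Binarly or EDK2 code and not a reproduction of any of the CVEs above, the toy model below shows the validation such a handler has to perform. SMRAM_BASE, SMRAM_SIZE, the CommBuf layout and both handlers are invented for the example; EDK2's SmmMemLib exposes the equivalent range test as SmmIsBufferOutsideSmmValid().
</p>

```c
/* Added illustration, not Insyde, Binarly or EDK2 code: the check an SMI
 * handler must make before dereferencing a pointer it received from outside
 * SMRAM. SMRAM_BASE/SMRAM_SIZE, the CommBuf layout and both handlers are
 * invented for this example; none of it reproduces a specific CVE. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Toy SMRAM window. Real platforms describe one or more such ranges; EDK2
 * wraps the same test as SmmIsBufferOutsideSmmValid() in SmmMemLib. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL          /* 8 MiB */

/* A "communicate" buffer the OS (ring 0) hands to the handler. The SMM core
 * checks that this struct itself lies outside SMRAM; the pointer *inside* it
 * is the handler's own responsibility. */
typedef struct {
    uint64_t status_ptr;                  /* caller-chosen address to write to */
    uint32_t request;
} CommBuf;

typedef enum { SMI_OK, SMI_REJECTED } SmiResult;

/* True iff [buf, buf+len) is non-empty, does not wrap the address space and
 * does not overlap SMRAM. */
bool buffer_outside_smram(uint64_t buf, uint64_t len) {
    if (len == 0) return false;
    uint64_t end = buf + len;             /* exclusive end; wraps on overflow */
    if (end < buf) return false;          /* wrapped: could reach into SMRAM */
    return end <= SMRAM_BASE || buf >= SMRAM_BASE + SMRAM_SIZE;
}

/* Vulnerable pattern: the handler believes status_ptr and writes through it.
 * Modelled by returning the address it would write, not by writing. An
 * attacker who points status_ptr into SMRAM gets a write into SMM memory. */
uint64_t vulnerable_handler_target(const CommBuf *cb) {
    return cb->status_ptr;
}

/* Hardened pattern: snapshot the buffer into SMRAM first (so the caller cannot
 * swap the pointer between check and use), then refuse anything that touches
 * SMRAM before any write is made. */
SmiResult hardened_handler(const CommBuf *cb_in, uint64_t *target) {
    CommBuf cb;
    memcpy(&cb, cb_in, sizeof cb);
    if (!buffer_outside_smram(cb.status_ptr, sizeof(uint32_t)))
        return SMI_REJECTED;
    *target = cb.status_ptr;              /* a real handler writes its status here */
    return SMI_OK;
}

int main(void) {
    CommBuf from_os   = { 0x20000000ULL, 1 };        /* constructed: ordinary RAM */
    CommBuf from_evil = { SMRAM_BASE + 0x100, 1 };   /* constructed: aimed at SMRAM */
    uint64_t t = 0;
    printf("benign  : %s\n", hardened_handler(&from_os,   &t) == SMI_OK ? "ok" : "rejected");
    printf("hostile : %s\n", hardened_handler(&from_evil, &t) == SMI_OK ? "ok" : "rejected");
    printf("unchecked handler would write to %#llx\n",
           (unsigned long long)vulnerable_handler_target(&from_evil));
    return 0;
}
```

<p>
	The two details worth keeping from this even when the real handler is far more complex are the copy-before-check (the caller still owns the original buffer while the handler runs) and the overflow test on buf + len, which is what stops a large length from making a buffer that starts below SMRAM "end" before it.
</p>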

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="table.jpg" class="ipsImage" data-ratio="64.72" height="399" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/table.jpg">
		</p>

		<figcaption>
			UEFI flaws affecting over 25 vendors<br>
			Source: <a href="https://binarly.io/" rel="external nofollow" target="_blank">Binarly</a>
		</figcaption>
	</figure>
</div>

<p>
	“The root cause of the problem was found in the reference code associated with InsydeH2O firmware framework code,” explains <a href="https://www.binarly.io/posts/An_In_Depth_Look_at_the_23_High_Impact_Vulnerabilities/index.html" rel="external nofollow" target="_blank">Binarly’s disclosure report</a>.
</p>

<p>
	 
</p>

<p>
	“All of the aforementioned vendors (over 25) were using Insyde-based firmware SDK to develop their pieces of (UEFI) firmware,” the company notes. So far, the U.S. CERT Coordination Center has <a href="https://kb.cert.org/vuls/id/796611" rel="external nofollow" target="_blank">confirmed</a> three vendors with products affected by the security issues found in the InsydeH2O firmware: Fujitsu, Insyde Software Corporation, and Intel (only CVE-2020-5953).
</p>

<h2>
	Addressing the problems
</h2>

<p>
	Insyde Software has <a href="https://www.insyde.com/press_news/press-releases/insyde%C2%AE-software-credits-binarly%E2%80%99s-ai-powered-firmware-threat-detection" rel="external nofollow" target="_blank">released firmware updates</a> to fix all identified security vulnerabilities and published <a href="https://www.insyde.com/security-pledge" rel="external nofollow" target="_blank">detailed bulletins</a> to assign severity and description for every flaw.
</p>

<p>
	 
</p>

<p>
	However, these security updates need to be adopted by original equipment manufacturers (OEMs) and pushed to affected products.
</p>

<p>
	 
</p>

<p>
	It will take considerable time for the security updates to reach end users. It is also unlikely that all issues will be addressed in all impacted products, because some devices have reached end-of-life and are no longer supported, while others may become obsolete before a patch is ready for them.
</p>

<p>
	 
</p>

<p>
	At the time of writing, only Insyde, Fujitsu, and Intel have confirmed themselves as affected by the flaws, while Rockwell, Supermicro, and Toshiba were confirmed as not impacted. The rest are investigating.
</p>

<p>
	 
</p>

<p>
	Binarly credits Fujitsu’s incident response team for its quick reaction when receiving the vulnerability reports, and its hands-on approach in helping to scope them correctly.
</p>

<p>
	 
</p>

<p>
	If you want to check your own systems for the above flaws, Binarly has published FwHunt detection rules <a href="https://github.com/binarly-io/FwHunt/tree/main/rules" rel="external nofollow" target="_blank">on GitHub</a>. The rules are matched against a UEFI firmware image rather than a running OS, so you need a dump of the platform's firmware (or the vendor's update capsule) to scan.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/uefi-firmware-vulnerabilities-affect-at-least-25-computer-vendors/" rel="external nofollow">UEFI firmware vulnerabilities affect at least 25 computer vendors</a>
</p>
]]></description><guid isPermaLink="false">4125</guid><pubDate>Wed, 02 Feb 2022 21:06:09 +0000</pubDate></item><item><title>The Battle for the World&#x2019;s Most Powerful Cyberweapon</title><link>https://nsaneforums.com/news/security-privacy-news/the-battle-for-the-world%E2%80%99s-most-powerful-cyberweapon-r4116/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>A Times investigation reveals how Israel reaped diplomatic gains around the world from NSO’s Pegasus spyware — a tool America itself purchased but is now trying to ban.</strong></span>
</p>

<p>
	 
</p>

<p>
	In June 2019, three Israeli computer engineers arrived at a New Jersey building used by the F.B.I. They unpacked dozens of computer servers, arranging them on tall racks in an isolated room. As they set up the equipment, the engineers made a series of calls to their bosses in Herzliya, a Tel Aviv suburb, at the headquarters for NSO Group, the world’s most notorious maker of spyware. Then, with their equipment in place, they began testing.
</p>

<p>
	 
</p>

<p>
	The F.B.I. had bought a version of Pegasus, NSO’s premier spying tool. For nearly a decade, the Israeli firm had been selling its surveillance software on a subscription basis to law-enforcement and intelligence agencies around the world, promising that it could do what no one else — not a private company, not even a state intelligence service — could do: consistently and reliably crack the encrypted communications of any iPhone or Android smartphone.
</p>

<p>
	 
</p>

<p>
	Since NSO had introduced Pegasus to the global market in 2011, it had helped Mexican authorities capture Joaquín Guzmán Loera, the drug lord known as El Chapo. European investigators have quietly used Pegasus to thwart terrorist plots, fight organized crime and, in one case, take down a global child-abuse ring, identifying dozens of suspects in more than 40 countries. In a broader sense, NSO’s products seemed to solve one of the biggest problems facing law-enforcement and intelligence agencies in the 21st century: that criminals and terrorists had better technology for encrypting their communications than investigators had to decrypt them. The criminal world had gone dark even as it was increasingly going global.
</p>

<p>
	 
</p>

<p>
	But by the time the company’s engineers walked through the door of the New Jersey facility in 2019, the many abuses of Pegasus had also been well documented. Mexico deployed the software not just against gangsters but also against journalists and political dissidents. The United Arab Emirates used the software to hack the phone of a civil rights activist whom the government threw in jail. Saudi Arabia used it against women’s rights activists and, according to a lawsuit filed by a Saudi dissident, to spy on communications with Jamal Khashoggi, a columnist for The Washington Post, whom Saudi operatives killed and dismembered in Istanbul in 2018.
</p>

<p>
	 
</p>

<p>
	None of this prevented new customers from approaching NSO, including the United States. The details of the F.B.I.’s purchase and testing of Pegasus have never before been made public. Additionally, the same year that Khashoggi was killed, the Central Intelligence Agency arranged and paid for the government of Djibouti to acquire Pegasus to assist the American ally in combating terrorism, despite longstanding concerns about human rights abuses there, including the persecution of journalists and the torture of government opponents. The D.E.A., the Secret Service and the U.S. military’s Africa Command had all held discussions with NSO. The F.B.I. was now taking the next step.
</p>

<p>
	 
</p>

<p>
	As part of their training, F.B.I. employees bought new smartphones at local stores and set them up with dummy accounts, using SIM cards from other countries — Pegasus was designed to be unable to hack into American numbers. Then the Pegasus engineers, as they had in previous demonstrations around the world, opened their interface, entered the number of the phone and began an attack.
</p>

<p>
	 
</p>

<p>
	This version of Pegasus was “zero click” — unlike more common hacking software, it did not require users to click on a malicious attachment or link — so the Americans monitoring the phones could see no evidence of an ongoing breach. They couldn’t see the Pegasus computers connecting to a network of servers around the world, hacking the phone, then connecting back to the equipment at the New Jersey facility. What they could see, minutes later, was every piece of data stored on the phone as it unspooled onto the large monitors of the Pegasus computers: every email, every photo, every text thread, every personal contact. They could also see the phone’s location and even take control of its camera and microphone. F.B.I. agents using Pegasus could, in theory, almost instantly transform phones around the world into powerful surveillance tools — everywhere except in the United States.
</p>

<p>
	 
</p>

<p>
	Ever since the 2013 revelations by Edward Snowden, a former National Security Agency contractor, about U.S. government surveillance of American citizens, few debates in this country have been more fraught than those over the proper scope of domestic spying. Questions about the balance between privacy and security took on new urgency with the parallel development of smartphones and spyware that could be used to scoop up the terabytes of information those phones generate every day. Israel, wary of angering Americans by abetting the efforts of other countries to spy on the United States, had required NSO to program Pegasus so it was incapable of targeting U.S. numbers. This prevented its foreign clients from spying on Americans. But it also prevented Americans from spying on Americans.
</p>

<p>
	 
</p>

<p>
	NSO had recently offered the F.B.I. a workaround. During a presentation to officials in Washington, the company demonstrated a new system, called Phantom, that could hack any number in the United States that the F.B.I. decided to target. Israel had granted a special license to NSO, one that permitted its Phantom system to attack U.S. numbers. The license allowed for only one type of client: U.S. government agencies. A slick brochure put together for potential customers by NSO’s U.S. subsidiary, first published by Vice, says that Phantom allows American law enforcement and spy agencies to get intelligence “by extracting and monitoring crucial data from mobile devices.” It is an “independent solution” that requires no cooperation from AT&amp;T, Verizon, Apple or Google. The system, it says, will “turn your target’s smartphone into an intelligence gold mine.”
</p>

<p>
	 
</p>

<p>
	<strong>The Phantom </strong>presentation triggered a discussion among government lawyers at the Justice Department and the F.B.I. that lasted two years, across two presidential administrations, centering on a basic question: Could deploying Phantom inside the United States run afoul of long-established wiretapping laws? As the lawyers debated, the F.B.I. renewed the contract for the Pegasus system and ran up fees to NSO of approximately $5 million. During this time, NSO engineers were in frequent contact with F.B.I. employees, asking about the various technological details that could change the legal implications of an attack.
</p>

<p>
	 
</p>

<p>
	The discussions at the Justice Department and the F.B.I. continued until last summer, when the F.B.I. finally decided not to deploy the NSO weapons. It was around this time that a consortium of news organizations called Forbidden Stories brought forward new revelations about NSO cyberweapons and their use against journalists and political dissidents. The Pegasus system currently lies dormant at the facility in New Jersey.
</p>

<p>
	 
</p>

<p>
	An F.B.I. spokeswoman said that the bureau examines new technologies “not just to explore a potential legal use but also to combat crime and to protect both the American people and our civil liberties. That means we routinely identify, evaluate and test technical solutions and services for a variety of reasons, including possible operational and security concerns they might pose in the wrong hands.” The C.I.A., the D.E.A., the Secret Service and Africa Command declined to comment. A spokesman for the government of Djibouti said the country had never acquired or used Pegasus.
</p>

<p>
	 
</p>

<p>
	In November, the United States announced what appeared — at least to those who knew about its previous dealings — to be a complete about-face on NSO. The Commerce Department was adding the Israeli firm to its “entity list” for activities “contrary to the national security or foreign policy interests of the United States.” The list, originally designed to prevent U.S. companies from selling to nations or other entities that might be in the business of manufacturing weapons of mass destruction, had in recent years come to include several cyberweapons companies. NSO could no longer buy critical supplies from American firms.
</p>

<p>
	 
</p>

<p>
	It was a very public rebuke of a company that had in many ways become the crown jewel of the Israeli defense industry. Now, without access to the American technology it needed to run its operations — including Dell computers and Amazon cloud servers — it risked being unable to function.
</p>

<p>
	 
</p>

<p>
	The United States delivered the news to Israel’s Ministry of Defense less than an hour before it was made public. Israeli officials were furious. Many of the headlines focused on the specter of an out-of-control private company, one based in Israel but largely funded offshore. But authorities in Israel reacted as if the ban were an attack on the state itself. “The people aiming their arrows against NSO,” said Yigal Unna, director general of the Israel National Cyber Directorate until Jan. 5, “are actually aiming at the blue and white flag hanging behind it.”
</p>

<p>
	 
</p>

<p>
	The Israelis’ anger was, in part, about U.S. hypocrisy: The American ban came after years of secretly testing NSO’s products at home and putting them in the hands of at least one country, Djibouti, with a record of human rights abuses. But Israel also had its own interests to protect. To an extent not previously understood, Israel, through its internal export-licensing process, has ultimate say over who NSO can sell its spyware to. This has allowed Israel to make NSO a central component of its national-security strategy for years, using it and similar firms to advance the country’s interests around the world.
</p>

<p>
	 
</p>

<p>
	A yearlong Times investigation, including dozens of interviews with government officials, leaders of intelligence and law-enforcement agencies, cyberweapons experts, business executives and privacy activists in a dozen countries, shows how Israel’s ability to approve or deny access to NSO’s cyberweapons has become entangled with its diplomacy. Countries like Mexico and Panama have shifted their positions toward Israel in key votes at the United Nations after winning access to Pegasus. Times reporting also reveals how sales of Pegasus played an unseen but critical role in securing the support of Arab nations in Israel’s campaign against Iran and even in negotiating the Abraham Accords, the 2020 diplomatic agreements that normalized relations between Israel and some of its longtime Arab adversaries.
</p>

<p>
	 
</p>

<p>
	The combination of Israel’s search for influence and NSO’s drive for profits has also led to the powerful spying tool’s ending up in the hands of a new generation of nationalist leaders worldwide. Though the Israeli government’s oversight was meant to prevent the powerful spyware from being used in repressive ways, Pegasus has been sold to Poland, Hungary and India, despite those countries’ questionable records on human rights.
</p>

<p>
	 
</p>

<p>
	The United States has made a series of calculations in response to these developments — secretly acquiring, testing and deploying the company’s technology, even as it has denounced the company in public and sought to limit its access to vital American suppliers. The current showdown between the United States and Israel over NSO demonstrates how governments increasingly view powerful cyberweapons the same way they have long viewed military hardware like fighter jets and centrifuges: not only as pivotal to national defense but also as a currency with which to buy influence around the world.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="06mag-NSO-2-jumbo.jpg?quality=75&amp;auto=we" class="ipsImage" data-ratio="75.10" height="540" width="444" src="https://static01.nyt.com/images/2022/02/06/magazine/06mag-NSO-2/06mag-NSO-2-jumbo.jpg?quality=75&amp;auto=webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Photo illustration by Cristiana Couceiro</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<strong>Selling weapons for</strong> diplomatic ends has long been a tool of statecraft. Foreign-service officers posted in American Embassies abroad have served for years as pitchmen for defense firms hoping to sell arms to their client states, as the thousands of diplomatic cables released by WikiLeaks in 2010 showed; when American defense secretaries meet with their counterparts in allied capitals, the end result is often the announcement of an arms deal that pads the profits of Lockheed Martin or Raytheon.
</p>

<p>
	 
</p>

<p>
	Cyberweapons have changed international relations more profoundly than any advance since the advent of the atomic bomb. In some ways, they are even more profoundly destabilizing — they are comparatively cheap, easily distributed and can be deployed without consequences to the attacker. Dealing with their proliferation is radically changing the nature of state relations, as Israel long ago discovered and the rest of the world is now also beginning to understand.
</p>

<p>
	 
</p>

<p>
	For Israel, the weapons trade has always been central to the country’s sense of national survival. It was a major driver of economic growth, which in turn funded further military research and development. But it also played an important role in forging new alliances in a dangerous world. In the 1950s, when the nation was still young and essentially powerless, its first prime minister, David Ben-Gurion, established covert links with countries and organizations that lay just outside the ring of hostile Arab states that surround Israel. He called this approach “the periphery doctrine,” and his foreign intelligence agency, the Mossad, began weaving a network of secret contacts inside countries throughout the Middle East, Asia and Africa, including many that publicly sided with Arabs. Offering advanced weapons was a key to making those connections.
</p>

<p>
	 
</p>

<p>
	By the mid-1980s, Israel had firmly established itself as one of the world’s top arms exporters, with an estimated one in 10 of the nation’s workers employed by the industry in some way. All of this bought good will for Israel from select foreign leaders, who saw the military aid as essential to preserving their own power. In turn, those countries often voted in Israel’s favor at the United Nations General Assembly, the Security Council and other international forums. They also allowed the Mossad and the Israel Defense Forces to use their countries as bases to launch operations against Arab nations.
</p>

<p>
	 
</p>

<p>
	As cyberweapons began to eclipse fighter jets in the schemes of military planners, a different kind of weapons industry emerged in Israel. Veterans of Unit 8200 — Israel’s equivalent of the National Security Agency — poured into secretive start-ups in the private sector, giving rise to a multibillion-dollar cybersecurity industry. As with purveyors of conventional weapons, cyberweapons makers are required to obtain export licenses from Israel’s Ministry of Defense to sell their tools abroad, providing a crucial lever for the government to influence the firms and, in some cases, the countries that buy from them.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<span style="font-size:20px;"><strong>‘This issue is not about Israel’s security. It’s about something that got out of control.’</strong></span>
</p>

<p style="margin-left:40px;">
	 
</p>

<p>
	None of these firms have been as wildly successful, or as strategically useful to the Israeli government, as NSO. The firm has its roots in a former chicken coop in Bnai Zion, an agricultural cooperative just outside Tel Aviv. In the mid 2000s, the building’s owner, realizing that coders might deliver a better profit than chickens, gave the space a light makeover and began renting it to technology start-ups looking for cheap office space. Among the start-up founders there, Shalev Hulio stood out from the veteran programmers around him: He was charismatic and easy to spend time with, but he also gave the impression — at least initially — of being somewhat naïve. He and his partner, Omri Lavie, an old friend from school, had each done their mandatory military service in combat units, rather than intelligence or technology, and for years they struggled to find a product that would connect. They developed a video marketing product, which briefly took off but then crashed with the 2008 global recession. They then started another company, called CommuniTake, that offered cellphone tech-support workers the ability to take control of their customers’ devices — with permission.
</p>

<p>
	 
</p>

<p>
	That idea met with little enthusiasm, so the two friends pivoted to a very different kind of customer. “A European intelligence agency found out about our innovation and contacted me,” Hulio recalled in an interview. What quickly emerged was that their product could solve a much bigger problem than customer service.
</p>

<p>
	 
</p>

<p>
	For years, law-enforcement and intelligence agencies had been able to intercept and understand communications in transit, but as powerful encryption became widely available, that was no longer the case. They could intercept a communication, but they could no longer understand what it said. If they could control the device itself, though, they could collect the data before it was encrypted. CommuniTake had already figured out how to control the devices. All the partners needed was a way to do so without permission.
</p>

<p>
	 
</p>

<p>
	And so NSO was born. Hulio and Lavie, lacking the contacts they would need to scale their product, brought in a third partner, Niv Karmi, who had served both in military intelligence and in the Mossad. They took the company name from their first initials (Niv, Shalev and Omri) — that it sounded a little like “N.S.A.” was a happy coincidence — and began hiring. Recruitment was the essential ingredient of their business plan. The company would eventually employ more than 700 people in offices around the world and a sprawling headquarters in Herzliya, where individual labs for Apple and Android operating systems are filled with racks of smartphones undergoing constant testing by the firm’s hackers as they seek and exploit new vulnerabilities.
</p>

<p>
	 
</p>

<p>
	Nearly every member of NSO’s research team is a veteran of the intelligence services; most of them served with AMAN, the Israeli Military Intelligence Directorate, the largest agency in the Israeli espionage community — and many of them in AMAN’s Unit 8200. The company’s most valuable employees are all graduates of elite training courses, including a secretive and prestigious Unit 8200 program called ARAM that accepts only a handful of the most brilliant recruits and trains them in the most advanced methods of cyberweapons programming. There are very few people with this kind of training anywhere in the world, and soon enough, few places would have a higher concentration of them than NSO’s headquarters in Herzliya — where there were not just a few top specialists but hundreds. This would provide NSO with an incredible competitive advantage: All of those engineers would work daily to find “zero days,” i.e., new vulnerabilities in phone software that could be exploited to install Pegasus. Unlike rival firms, which generally struggled to find even a single zero day and therefore could be shut down if it were made public, NSO would be able to discover and bank multitudes of them. If someone locked one back door, the company could quickly open another.
</p>

<p>
	 
</p>

<p>
	<strong>In 2011</strong>, NSO engineers finished coding the first iteration of Pegasus. With its powerful new tool, NSO hoped to quickly build a stable of clients in the West. But many countries, especially those in Europe, were initially wary of buying foreign intelligence products. There was a particular concern about Israeli companies that were staffed by former top intelligence officials; potential customers feared that their spyware might be contaminated with even deeper spyware, allowing the Mossad access to their internal systems.
</p>

<p>
	 
</p>

<p>
	Reputation mattered, both for sales and for holding onto the well-trained coders who had made Pegasus a reality. Hulio appointed Maj. Gen. Avigdor Ben-Gal, a Holocaust survivor and a highly respected combat officer, as NSO’s chairman, and established what he said would be the company’s four main pillars: NSO would not operate the system itself. It would sell only to governments, not to individuals or companies. It would be selective about which governments it allowed to use the software. And it would cooperate with Israel’s Defense Export Controls Agency, or DECA, to license every sale.
</p>

<p>
	 
</p>

<p>
	The decisions NSO made early on about its relationship with regulators ensured that it would function as a close ally, if not an arm, of Israeli foreign policy. Ben-Gal saw that this oversight was crucial to NSO’s growth — it might restrict which countries the company could sell to, but it would also protect the company from public blowback about what its clients did. When he informed the Defense Ministry that NSO would voluntarily be subject to oversight, the authorities also seemed happy with this plan. One former military aide to Benjamin Netanyahu, at the time Israel’s prime minister, explained the advantages quite clearly. “With our Defense Ministry sitting at the controls of how these systems move around,” he said, “we will be able to exploit them and reap diplomatic profits.”
</p>

<p>
	 
</p>

<p>
	The company quickly got its first major break. Mexico, in its ongoing battle against drug cartels, was looking for ways to hack the encrypted BlackBerry messaging service favored by cartel operatives. The N.S.A. had found a way in, but the American agency offered Mexico only sporadic access. Hulio and Ben-Gal arranged a meeting with Mexico’s president, Felipe Calderón, and arrived with an aggressive sales pitch. Pegasus could do what the N.S.A. could do, and it could do so entirely at the command of Mexican authorities. Calderón was interested.
</p>

<p>
	 
</p>

<p>
	Israel’s Ministry of Defense informed NSO that there was no issue with selling Pegasus to Mexico, and a deal was finalized. Soon after, investigators at an office of the Center for Investigation and National Security, or CISEN — now called the National Intelligence Center — went to work with one of the Pegasus machines. They fed the mobile phone number of a person connected to Joaquín Guzmán’s Sinaloa cartel into the system, and the BlackBerry was successfully attacked. Investigators could see the content of the messages, as well as the locations of different BlackBerry devices. “Suddenly we started to see and hear anew,” says a former CISEN leader. “It was like magic.” In his view, the new system had revitalized their entire operation — “Everyone felt like maybe for the first time we could win.”
</p>

<p>
	 
</p>

<p>
	It was also a win for Israel. Mexico is a dominant power in Latin America, a region where Israel for years has waged a kind of diplomatic trench warfare against anti-Israeli groups supported by the country’s adversaries in the Middle East. There is no direct evidence that Mexico’s contracts with NSO brought about a change in the country’s foreign policy toward Israel, but there is at least a recognizable pattern of correlation. After a long tradition of voting against Israel at United Nations conferences, Mexico slowly began to shift “no” votes to abstentions. Then, in 2016, Enrique Peña Nieto, who succeeded Calderón in 2012, went to Israel, which had not seen an official visit from a Mexican president since 2000. Netanyahu visited Mexico City the following year, the first visit ever by an Israeli prime minister. Shortly after, Mexico announced that it would abstain from voting on several pro-Palestinian resolutions that were being considered by the United Nations.
</p>

<p>
	 
</p>

<p>
	In a statement, Netanyahu’s spokesman said that the former prime minister never sought a quid pro quo when other countries wanted to buy Pegasus. “The claim that Prime Minister Netanyahu spoke to foreign leaders and offered them such systems in exchange for political or other measures is a complete and utter lie. All sales of this system or similar products of Israeli companies to foreign countries are conducted with the approval and supervision of the Ministry of Defense, as outlined in Israeli law.”
</p>

<p>
	 
</p>

<p>
	The Mexico example revealed both the promise and the perils of working with NSO. In 2017, researchers at Citizen Lab, a watchdog group based at the University of Toronto, reported that authorities in Mexico had used Pegasus to hack the accounts of advocates for a soda tax, as part of a broader campaign aimed at human rights activists, political opposition movements and journalists. More disturbing, it appeared that someone in the government had used Pegasus to spy on lawyers working to untangle the massacre of 43 students in Iguala in 2014. Tomás Zerón de Lucio, the chief of the Mexican equivalent to the F.B.I., was a main author of the federal government’s version of the event, which concluded that the students were killed by a local gang. But in 2016 he became the subject of an investigation himself, on suspicion that he had covered up federal involvement in the events there. Now it appeared that he might have used Pegasus in that effort — one of his official duties was to sign off on the procurement of cyberweapons and other equipment. In March 2019, soon after Andrés Manuel López Obrador replaced Peña Nieto after a landslide election, investigators charged that Zerón had engaged in torture, abduction and tampering with evidence in relation to the Iguala massacre. Zerón fled to Canada and then to Israel, where he entered the country as a tourist, and where — despite an extradition request from Mexico, which is now seeking him on additional charges of embezzlement — he remains today.
</p>

<p>
	 
</p>

<p>
	<strong>The American reluctance</strong> to share intelligence was creating other opportunities for NSO, and for Israel. In August 2009, Panama’s new president, Ricardo Martinelli, fresh off a presidential campaign grounded on promises of “eliminating political corruption,” tried to persuade U.S. diplomats in the country to give him surveillance equipment to spy on “security threats as well as political opponents,” according to a State Department cable published by WikiLeaks. The United States “will not be party to any effort to expand wiretaps to domestic political targets,” the deputy chief of mission replied.
</p>

<p>
	 
</p>

<p>
	Martinelli tried a different approach. In early 2010, Panama was one of only six countries at the U.N. General Assembly to back Israel against a resolution to keep the Goldstone Commission report on war crimes committed during the 2008-9 Israeli assault on Gaza on the international agenda. A week after the vote, Martinelli landed in Tel Aviv on one of his first trips outside Latin America. Panama will always stand with Israel, he told the Israeli president, Shimon Peres, in appreciation of “its guardianship of the capital of the world — Jerusalem.” He said he and his entourage of ministers, businesspeople and Jewish community leaders had come to Israel to learn. “We came a great distance, but we are very close because of the Jewish heart of Panama,” he said.
</p>

<p>
	 
</p>

<p>
	Behind closed doors, Martinelli used his trip to go on a surveillance shopping spree. In a private meeting with Netanyahu, the two men discussed the military and intelligence equipment that Martinelli wanted to buy from Israeli vendors. According to one person who attended the meeting, Martinelli was particularly interested in the ability to hack into BlackBerry’s BBM text service, which was very popular in Panama at that time.
</p>

<p>
	 
</p>

<p>
	Within two years, Israel was able to offer him one of the most sophisticated tools yet made. After the installation of NSO systems in Panama City in 2012, Martinelli’s government voted in Israel’s favor on numerous occasions, including to oppose the United Nations decision to upgrade the status of the Palestinian delegation — 138 countries voted in favor of the resolution, with just Israel, Panama and seven other countries opposing it.
</p>

<p>
	 
</p>

<p>
	According to a later legal affidavit from Ismael Pitti, an analyst for Panama’s National Security Council, the equipment was used in a widespread campaign to “violate the privacy of Panamanians and non-Panamanians” — political opponents, magistrates, union leaders, business competitors — all “without following the legal procedure.” Prosecutors later said Martinelli even ordered the team operating Pegasus to hack the phone of his mistress. It all came to an end in 2014, when Martinelli was replaced by his vice president, Juan Carlos Varela, who himself claims to have been a target of Martinelli’s spying. Martinelli’s subordinates dismantled the espionage system, and the former president fled the country. (In November, he was acquitted by Panamanian courts of wiretapping charges.)
</p>

<p>
	 
</p>

<p>
	NSO was doubling its sales every year — $15 million, $30 million, $60 million. That growth attracted the attention of investors. In 2014, Francisco Partners, a U.S.-based global investment firm, paid $130 million for 70 percent of NSO’s shares, then merged another Israeli cyberweapons firm, called Circles, into their new acquisition. Founded by a former senior AMAN officer, Circles offered clients access to a vulnerability that allowed them to detect the location of any mobile phone in the world — a vulnerability discovered by Israeli intelligence 10 years earlier. (Later public research showed that Circles worked by abusing SS7, the signaling system that carriers use to route calls and text messages between networks, which lets anyone with network access query where a subscriber’s phone is registered.) The combined company could offer more services to more clients than ever.
</p>

<p>
	 
</p>

<p>
	Through a series of new deals, Pegasus was helping to knit together a rising generation of right-wing leaders worldwide. On Nov. 21, 2016, Sara and Benjamin Netanyahu welcomed Prime Minister Beata Szydlo of Poland and her foreign minister, Witold Waszczykowski, for dinner at their home.
</p>

<p>
	 
</p>

<p>
	Shortly after, Poland signed an agreement with NSO to purchase a Pegasus system for its Central Anti-Corruption Bureau. Citizen Lab reported in December 2021 that the phones of at least three members of the Polish opposition were attacked by this spy machine. Netanyahu did not order the Pegasus system to be cut off — even when the Polish government enacted laws that many in the Jewish world and in Israel saw as Holocaust denial, and even when Prime Minister Mateusz Morawiecki, at a conference attended by Netanyahu himself, listed “Jewish perpetrators” among those responsible for the Holocaust.
</p>

<p>
	 
</p>

<p>
	In July 2017, Narendra Modi, who won office on a platform of Hindu nationalism, became the first Indian prime minister to visit Israel. For decades, India had maintained a policy of what it called “commitment to the Palestinian cause,” and relations with Israel were frosty. The Modi visit, however, was notably cordial, complete with a carefully staged moment of him and Prime Minister Netanyahu walking together barefoot on a local beach.
</p>

<p>
	 
</p>

<p>
	They had reason for the warm feelings. Their countries had agreed on the sale of a package of sophisticated weapons and intelligence gear worth roughly $2 billion — with Pegasus and a missile system as the centerpieces. Months later, Netanyahu made a rare state visit to India. And in June 2019, India voted in support of Israel at the U.N.’s Economic and Social Council to deny observer status to a Palestinian human rights organization, a first for the nation.
</p>

<p>
	 
</p>

<p>
	The Israeli Defense Ministry also licensed the sale of Pegasus to Hungary, despite Prime Minister Viktor Orban’s campaign of persecution against his political opponents. Orban deployed the hacking tools on opposition figures, social activists, journalists who conducted investigations against him and families of former business partners who had become bitter enemies. But Orban has been Israel’s devoted supporter in the European Union. In 2020, Hungary was one of the few countries that did not publicly speak out against Israel’s plan at the time to unilaterally annex swaths of the West Bank. In May 2021, European Union foreign ministers tried to reach unanimity when calling for a cease-fire between Israel and the Palestinian Islamic group Hamas, as well as for increased humanitarian aid for Gaza. Hungary declined to join the other 26 countries.
</p>

<p>
	 
</p>

<p>
	<strong>Arguably the most</strong> fruitful alliances made with Pegasus’s help have been those between Israel and its Arab neighbors. Israel first authorized the sale of the system to the U.A.E. as something of an olive branch, after Mossad agents poisoned a senior Hamas operative in a Dubai hotel room in 2010. It was not the assassination itself that infuriated Crown Prince Mohammed bin Zayed, the de facto Emirati leader, so much as it was that the Israelis had carried it out on Emirati soil. The prince, widely known as M.B.Z., ordered that security ties between Israel and the U.A.E. be severed. In 2013, by way of a truce, M.B.Z. was offered the opportunity to buy Pegasus. He readily agreed.
</p>

<p>
	 
</p>

<p>
	The Emirates did not hesitate to deploy Pegasus against its domestic enemies. Ahmed Mansoor, an outspoken critic of the government, went public in 2016 after Citizen Lab determined that Pegasus had been used to hack his phone; the attack arrived as links in text messages, and the exploit chain behind it relied on three previously unknown iOS vulnerabilities that researchers named Trident. When the vulnerabilities were made public, Apple pushed out an update, iOS 9.3.5, within days of being notified to block all three. But for Mansoor, the damage had already been done. His car was stolen, his email account was hacked, his location was monitored, his passport was taken from him, $140,000 was stolen from his bank account, he was fired from his job and strangers beat him on the street several times. “You start to believe your every move is watched,” he said at the time. “Your family starts to panic. I have to live with that.” (In 2018, Mansoor was sentenced to 10 years in prison for posts he made on Facebook and Twitter.)
</p>

<p>
	 
</p>

<p>
	The messy outcome of the Dubai assassination aside, Israel and the U.A.E. had, in fact, been growing closer together for years. The calcified animosities between Israel and the Arab world that for years drove Middle East politics had given way to a new uneasy alliance in the region: Israel and the Sunni states in the Persian Gulf lining up against their archenemy, Iran, a Shia nation. Such an alliance would have been unheard-of decades ago, when Arab kings proclaimed themselves to be the protectors of the Palestinians and their struggle for independence from Israel. The Palestinian cause has less of a hold on some of the next generation of Arab leaders, who have shaped much of their foreign policy to address the sectarian battle between Sunni and Shia, and they have found common cause with Israel as an important ally against Iran.
</p>

<p>
	 
</p>

<p>
	No leader represents this dynamic more than Saudi Arabia’s Crown Prince Mohammed bin Salman, the son of the ailing king and the kingdom’s de facto ruler. In 2017, Israeli authorities decided to approve the sale of Pegasus to the kingdom, and in particular to a Saudi security agency under the supervision of Prince Mohammed. From this point on, a small group of senior members of the Israeli defense establishment, reporting directly to Netanyahu, took a lead role in the exchanges with the Saudis, all “while taking extreme measures of secrecy,” according to one of the Israelis involved in the affair. One Israeli official said that the hope was to gain Prince Mohammed’s commitment and gratitude. The contract, for an initial installation fee of $55 million, was signed in 2017.
</p>

<p>
	 
</p>

<p>
	Years prior, NSO had formed an ethics committee, made up of a bipartisan cast of former U.S. foreign-policy officials who would advise on potential customers. After the Khashoggi killing in 2018, its members requested an urgent meeting to address the stories circulating about NSO involvement. Hulio flatly denied that Pegasus had been used to spy on the Washington Post columnist. Pegasus systems log every attack in case there is a complaint, and — with the client’s permission — NSO can perform an after-the-fact forensic analysis. Hulio said his staff had done just that with the Saudi logs and found no use of any NSO product or technology against Khashoggi. The committee nonetheless urged NSO to shut off the Pegasus system in Saudi Arabia, and it did. The committee also advised NSO to reject a subsequent request by the Israeli government to reconnect the hacking system in Saudi Arabia, and it stayed off.
</p>

<p>
	 
</p>

<p>
	Then, the following year, the company reversed course. Novalpina, a British private-equity firm, acting in cooperation with Hulio, purchased Francisco Partners’ shares of NSO, with a valuation of $1 billion — more than five times more than it was when the American fund acquired it in 2014. In early 2019, NSO agreed to turn the Pegasus system in Saudi Arabia back on.
</p>

<p>
	 
</p>

<p>
	Keeping the Saudis happy was important for Netanyahu, who was in the middle of a secret diplomatic initiative he believed would cement his legacy as a statesman — an official rapprochement between Israel and several Arab states. In September 2020, Netanyahu, Donald Trump and the foreign ministers of the United Arab Emirates and Bahrain signed the Abraham Accords, and all the signatories heralded it as a new era of peace for the region.
</p>

<p>
	 
</p>

<p>
	But behind the scenes of the peace deal was a Middle East weapons bazaar. The Trump administration had quietly agreed to overturn past American policy and sell F-35 joint strike fighters and armed Reaper drones to the U.A.E., and had spent weeks assuaging Israel’s concerns that it would no longer be the only country in the region with the sophisticated F-35. Mike Pompeo, the secretary of state at the time, would later describe the aircraft deals in an interview as “critical” to obtaining M.B.Z.’s consent to the historic move. And by the time the Abraham Accords were announced, Israel had provided licenses to sell Pegasus to nearly all the signatories.
</p>

<p>
	 
</p>

<p>
	Things hit a snag a month later, when the Saudi export license expired. Now it was up to the Israeli Defense Ministry to decide whether or not to renew it. Citing Saudi Arabia’s abuse of Pegasus, it declined to do so. Without the license, NSO could not provide routine maintenance on the software, and the systems were crashing. Numerous calls among Prince Mohammed’s aides, NSO executives, the Mossad and the Israeli Defense Ministry had failed to resolve the issue. So the crown prince placed an urgent telephone call to Netanyahu, according to people familiar with the call. He wanted the Saudi license for Pegasus renewed.
</p>

<p>
	 
</p>

<p>
	Prince Mohammed had a significant amount of leverage. His ailing father, King Salman, had not officially signed on to the Abraham Accords, but he offered the other signatories his tacit blessing. He also allowed for a crucial part of the agreement to move forward: the use of Saudi air space, for the first time ever, by Israeli planes flying eastward on their way to the Persian Gulf. If the Saudis were to change their mind about the use of their airspace, an important public component of the accords might collapse.
</p>

<p>
	 
</p>

<p>
	Netanyahu apparently had not been updated on the brewing crisis, but after the conversation with Prince Mohammed his office immediately ordered the Defense Ministry to have the problem fixed. That night, a ministry official called NSO’s operations room to have the Saudi systems switched back on, but the NSO compliance officer on duty rebuffed the request without a signed license. Told that the orders came directly from Netanyahu, the NSO employee agreed to accept an email from the Defense Ministry. Shortly afterward, Pegasus in Saudi Arabia was once again up and running.
</p>

<p>
	 
</p>

<p>
	The next morning, a courier from the Defense Ministry arrived at NSO headquarters delivering a stamped and sealed permit.
</p>

<p>
	 
</p>

<p>
	<strong>In December 2021,</strong> just weeks after NSO landed on the American blacklist, the White House national security adviser, Jake Sullivan, arrived in Israel for meetings with Israeli officials about one of the Biden administration’s top foreign-policy priorities: getting a new nuclear pact with Iran three years after President Trump scuttled the original deal.
</p>

<p>
	 
</p>

<p>
	The visit carried historical weight. In 2012, Sullivan was one of the first American officials to talk with Iranian officials about a possible nuclear deal — meetings that President Obama chose to keep secret from the Israelis out of fear they might try to blow up the negotiations — and Israeli officials were furious when they found out. Now, years later, Sullivan arrived in Jerusalem to make his case for a united front in the next round of Iran diplomacy.
</p>

<p>
	 
</p>

<p>
	But there was another matter that Israeli officials — including the prime minister, the minister of defense and the foreign minister — wanted to discuss: the future of NSO. The Israelis pressed Sullivan about the reasons behind the blacklist decision. They also warned that if NSO went bankrupt, Russia and China might fill the vacuum and expand their own influence, by selling their own hacking tools to nations that could no longer buy from Israel.
</p>

<p>
	 
</p>

<p>
	Yigal Unna, the former head of the Israel National Cyber Directorate, says he believes the move against the Israeli firms, which was followed by Facebook’s blacklisting of more Israeli cyberweapons and intelligence companies, is part of something bigger, a plan to neuter Israel’s advantage in cyberweapons. “We have to prepare for a battle to defend the good name that we earned honestly,” he says.
</p>

<p>
	 
</p>

<p>
	Biden administration officials dismiss this talk of a deep conspiracy, saying the decision about NSO has everything to do with reining in a dangerous company and nothing to do with America’s relationship with Israel. There is far more at stake in the decades-old alliance, they say, than the fate of a hacking firm. Martin Indyk, a former American ambassador to Israel, agrees. “NSO was providing the means for states to spy on their own people,” he says. “From my point of view it’s straightforward. This issue is not about Israel’s security. It’s about something that got out of control.”
</p>

<p>
	 
</p>

<p>
	Under the ban, NSO’s future is in doubt, not just because of its reliance on American technology but also because its presence on an American blacklist will probably scare away prospective clients — and employees. One Israeli industry veteran says that the “sharks in the water smell blood,” and Israeli officials and industry executives say there are currently a handful of American companies, some with close ties to intelligence and law-enforcement agencies, interested in buying the company. Were that to happen, the new owner could potentially bring the company in line with U.S. regulations and start selling its products to the C.I.A., the F.B.I. and other American agencies eager to pay for the power its weapons offer.
</p>

<p>
	 
</p>

<p>
	Israeli officials now fear a strategic takeover of NSO, in which some other company — or country — would take command over how and where the weapon is used. “The State of Israel cannot allow itself to lose control of these types of companies,” a senior Israeli official said, explaining why such a deal was unlikely. “Their manpower, the knowledge they’ve gathered.” Foreign ownership was fine, but Israel had to maintain control; a sale was possible “only under conditions that preserve Israel’s interests and freedom of action.”
</p>

<p>
	 
</p>

<p>
	But the days of Israel’s near monopoly are over — or soon will be. The intense desire inside the United States government for offensive hacking tools has not gone unnoticed by the company’s potential American competitors. In January 2021, a cyberweapons firm called Boldend made a pitch to Raytheon, the defense-industry giant. According to a presentation obtained by The Times, the company had developed for various American government agencies its own arsenal of weapons for attacking cellphones and other devices.
</p>

<p>
	 
</p>

<p>
	One slide in particular underscored the convoluted nature of the cyberweapons business. The slide claimed that Boldend had found a way to hack WhatsApp, the popular messaging service owned by Facebook, but then lost the capability after a WhatsApp update. This claim is especially remarkable because, according to one of the slides, a major Boldend investor is Founders Fund — a company run by Peter Thiel, the billionaire who was one of Facebook’s first investors and remains on its board. The capability to hack WhatsApp, according to the presentation, “doesn’t currently exist” in the United States government, and the intelligence community was interested in acquiring that capability.
</p>

<p>
	 
</p>

<p>
	In October 2019, WhatsApp sued NSO, arguing that NSO tools had exploited a vulnerability in its service to attack approximately 1,400 phones around the world. (The flaw, tracked as CVE-2019-3568 and patched in May 2019, was a buffer overflow in WhatsApp’s voice-calling code that could be triggered by placing a call the target did not need to answer.) Beyond the question of who controls the weapons, at stake in that lawsuit is who is responsible for the damage they do. NSO’s defense has always been that the company only sells the technology to foreign governments; it has no role in — or responsibility for — targeting specific individuals. This has long been the standard P.R. line of weapons manufacturers, whether Raytheon or Remington.
</p>

<p>
	 
</p>

<p>
	Facebook is out to prove that this defense, at least in NSO’s case, is a lie. In its lawsuit, the tech giant argues that NSO was an active participant in some of the hacks, pointing to evidence that it leased some of the computer servers used to attack WhatsApp accounts. Facebook’s argument is essentially that without NSO’s constant involvement, many of its clients would not be able to aim the gun.
</p>

<p>
	 
</p>

<p>
	When they first presented their case against NSO, Facebook’s lawyers thought they had evidence to disprove one of the Israeli company’s longtime claims — that the Israeli government strictly prohibits the firm from hacking any phone numbers in the United States. In court documents, Facebook asserted it had evidence that at least one number with a Washington area code had been attacked. Clearly someone was using NSO spyware to monitor an American phone number.
</p>

<p>
	 
</p>

<p>
	But the tech giant didn’t have the entire picture. What Facebook didn’t appear to know was that the attack on a U.S. phone number, far from being an assault by a foreign power, was part of the NSO demonstrations to the F.B.I. of Phantom — the system NSO designed for American law-enforcement agencies to turn the nation’s smartphones into an “intelligence gold mine.”
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Source photographs: Dennis Cooper/Getty Images; Library of Congress, Geography and Map Division; Jorg Greuel/Getty Images; Dave Pattison/Alamy; Nicholas Kamm/Agence France-Presse, via Getty Images.</em></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong><a href="https://www.nytimes.com/2022/01/28/magazine/nso-group-israel-spyware.html" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">4116</guid><pubDate>Wed, 02 Feb 2022 13:43:35 +0000</pubDate></item><item><title>Inside Trickbot, Russia&#x2019;s Notorious Ransomware Gang</title><link>https://nsaneforums.com/news/security-privacy-news/inside-trickbot-russia%E2%80%99s-notorious-ransomware-gang-r4105/</link><description><![CDATA[<div>
	<p>
		<strong>Internal messages WIRED has viewed shed new light on the operators of one of the world's biggest botnets.</strong>
	</p>
</div>


<div data-attribute-verso-pattern="article-body">
	<div data-event-boundary="click" data-event-click='{"pattern":"ChunkedArticleContent"}' data-in-view='{"pattern":"ChunkedArticleContent"}' data-include-experiments="true">
		<div data-testid="ArticlePageChunks">
			<div>
				<div>
					<div data-journey-hook="client-content" data-testid="BodyWrapper">
						<div>
							<p>
								When the phones and computer networks went down at Ridgeview Medical Center’s three hospitals on October 24, 2020, the medical group resorted to a Facebook <a href="https://www.facebook.com/ridgeviewhospitalsandclinics/posts/3602349299816921" rel="external nofollow" target="_blank">post</a> to warn its patients about the disruption. One local volunteer-run fire department <a href="https://www.facebook.com/permalink.php?story_fbid=3672210586176490&amp;id=286134231450826" rel="external nofollow" target="_blank">said</a> ambulances were being diverted to other hospitals; officials <a href="https://www.swnewsmedia.com/chanhassen_villager/news/local/unusual-network-activity-at-ridgeview-medical-center/article_5fc12f6e-c320-59d4-9ad4-24f5cb985a36.html" rel="external nofollow" target="_blank">reported</a> patients and staff were safe. The downtime at the Minnesota medical facilities was no technical glitch; <a href="https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/comment-page-1/" rel="external nofollow" target="_blank">reports</a> quickly linked the activity to one of Russia’s most notorious ransomware gangs.
							</p>

							<p>
								 
							</p>

							<p>
								Thousands of miles away, just two days later members of the Trickbot cybercrime group privately gloated over what easy targets hospitals and health care providers make. “You see, how fast, hospitals and centers reply,” Target, a key member of the Russia-linked malware gang, boasted in messages to one of their colleagues. The exchange is included in previously unreported documents, seen by WIRED, that consist of hundreds of messages sent between Trickbot members and detail the inner workings of the notorious hacking group. “Answers from the rest, [take] days. And from the ridge immediately the answer flew in,” Target wrote.
							</p>

							<p>
								 
							</p>

							<p>
								As Target typed, members of Trickbot were in the middle of launching a huge <a href="https://www.wired.com/story/ransomware-hospitals-ryuk-trickbot/" rel="external nofollow">wave of ransomware attacks</a> against hospitals across the United States. Their aim: to force hospitals busy responding to the surging Covid-19 pandemic to quickly pay ransoms. The series of attacks prompted <a href="https://www.cisa.gov/uscert/ncas/alerts/aa20-302a" rel="external nofollow" target="_blank">urgent warnings from federal agencies</a>, including the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation. “Fuck clinics in the usa this week,” Target said as they gave the instruction to start targeting a list of 428 hospitals. “There’s gonna be a panic.”
							</p>


							<p>
								The documents seen by WIRED include messages between senior members of Trickbot, dated from the summer and autumn of 2020, and expose how the group planned to expand its hacking operations. They lay bare key members’ aliases and show the ruthless attitude of members of the criminal gang.
							</p>

							<p>
								 
							</p>

							<p>
								The messages were sent in the months before and shortly after <a href="https://www.wired.com/story/cyber-command-hackers-trickbot-botnet-precedent/" rel="external nofollow">US Cyber Command disrupted</a> much of Trickbot’s infrastructure and temporarily stopped the group’s work. Since then the group has scaled up its operations and <a href="https://www.zdnet.com/article/trickbot-will-now-try-to-crash-researcher-pcs-to-stop-reverse-engineering-attempts/" rel="external nofollow" target="_blank">evolved its malware</a>, and it continues to target businesses around the world. While Russia’s Federal Security Service has recently <a href="https://www.wired.com/story/russia-revil-ransomware-arrests-ukraine/" rel="external nofollow">arrested members of the REvil</a> ransomware gang—following <a href="https://theconversation.com/how-the-biden-administration-is-making-gains-in-an-uphill-battle-against-russian-hackers-174199" rel="external nofollow" target="_blank">diplomatic efforts</a> between presidents Joe Biden and Vladimir Putin—Trickbot’s inner circle has so far been left relatively unscathed.
							</p>

							<p>
								 
							</p>

							<p>
								The Trickbot group evolved from the banking trojan Dyre around the end of 2015, when Dyre’s members <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.forbes.com/sites/thomasbrewster/2016/02/08/russia-arrests-dyre-malware-masterminds/?sh=63e2f942227f"}' data-offer-url="https://www.forbes.com/sites/thomasbrewster/2016/02/08/russia-arrests-dyre-malware-masterminds/?sh=63e2f942227f" href="https://www.forbes.com/sites/thomasbrewster/2016/02/08/russia-arrests-dyre-malware-masterminds/?sh=63e2f942227f" rel="external nofollow" target="_blank">were arrested</a>. The gang has grown its original banking trojan to become an all-purpose hacking toolkit; individual modules, which operate like plugins, allow its operators to deploy Ryuk and Conti ransomware, while other functions enable keylogging and data collection. “I don't know any other malware families that have so many modules or extended functionalities,” says Vlad Pasca, a senior malware analyst at security company Lifars who has decompiled Trickbot’s code. That sophistication has helped the gang, also known as Wizard Spider, collect millions of dollars from victims.
							</p>


							<p>
								A core team of around half a dozen criminals sits at the heart of Trickbot’s operations, according to the documents reviewed by WIRED and security experts who track the group. Each member has their own specialities, such as managing teams of coders or heading up ransomware deployments. At the head of the organization is Stern. (Like all the monikers used in this story, the real-world name, or names, behind the handles are unknown. They are, however, the identities the group uses when talking to each other.)
							</p>

							<p>
								 
							</p>

							<p>
								“He is the boss of Trickbot,” says Alex Holden, who is CEO of cybersecurity firm Hold Security and has knowledge of the workings of the gang. Stern acts like a CEO of the Trickbot group and communicates with other members who are at a similar level. They may also report to others who are unknown, Holden says. “Stern does not get into the technical side as much,” he says. “He wants reports. He wants more communication. He wants to make high-level decisions.”
							</p>
						</div>
					</div>
				</div>
			</div>

			<div>
				<div>
					<div data-journey-hook="client-content" data-testid="BodyWrapper">
						<div>
							<p>
								 
							</p>

							<p>
								On August 20, 2020, the chat logs—provided by a cybersecurity source with knowledge of the group—show Target briefing Stern on how the group would expand in the coming weeks. “There will be 6 offices for sure and 50-80 people by the end of September,” Target said in one of a flurry of 19 messages. These offices are believed to be based in Russia’s second-largest city, Saint Petersburg. Kimberly Goody, director of cybercrime analysis at security firm Mandiant, says the group “most likely” has a significant presence there. Current estimates say Trickbot has anywhere from 100 to 400 members, making it one of the largest cybercrime groups in existence.
							</p>


							<p>
								Messages between Target and Stern show that in mid-2020 the group was spending money on three main areas. Two offices—“one main and one new for training”—were being used for the current operators’ expenses and expansion. “Hacker offices,” where 20-plus people worked, would be used for interviews, equipment, servers, and hiring, Target said. And finally, there would be an office for “programmers” and their equipment. “A good team leader has already been hired, and he will help gather the team,” Target continued. “I’m sure that everything will pay off, so I’m not nervous.”
							</p>

							<p>
								 
							</p>

							<p>
								Throughout the conversations viewed by WIRED, the group makes various references to “senior managers” working as part of Trickbot and its businesslike structure. “There is generally a core team of developers,” Goody explains. “There's a manager who oversees development work, and they have coders that work under them on specific projects.” Members of the group are encouraged to propose ideas, such as new scripts or malware, that developers could work on, Goody says, and generally the lower-level workers don’t talk to their senior colleagues. Most of the group’s internal conversations, according to various sources—including US court documents—happen through instant messages on Jabber servers.
							</p>

							<p>
								 
							</p>

							<p>
								A gang member going by the moniker Professor oversees much of the ransomware deployment work, Goody says. “Professor, who we believe also goes by the name Alter, seems to be a relatively significant player in terms of managing these specific ransomware deployment operations,” Goody says, “as well as requesting development of specific tools that would help enable those.” She adds that Professor has been linked to Conti ransomware operations in the last year and “appears to lead multiple sub-teams or has multiple team leaders” that report to them.
							</p>

							<p>
								 
							</p>

							<p>
								That wouldn’t be the only working relationship Trickbot’s team has with outside parties. In the conversations seen by WIRED, Target says the group will “learn to collaborate” with those behind the Ryuk ransomware, indicating that the two organizations are largely separate. And while the Trickbot group hasn’t been linked to hacking operations run by the Russian state—such as the activities of <a href="https://www.wired.com/story/sandworm-kremlin-most-dangerous-hackers/" rel="external nofollow">Sandworm</a>—the core members of the gang make reference to Kremlin-backed activities. Stern mentioned setting up an office “for government topics” in July 2020. In response, Professor said the hacking group <a href="https://www.wired.com/story/cozy-bear-dukes-russian-hackers-new-tricks/" rel="external nofollow">Cozy Bear</a> is “working their way down the list” of potential Covid-19 targets.
							</p>

							<p>
								 
							</p>

							<p>
								In one set of internal conversations, Target answers questions from a group member who is concerned about being caught. The person is worried that colleagues could expose their locations, through leaking their IP addresses, when they don’t use a VPN to mask their whereabouts. Target says IP address exposure shouldn’t be a problem: “Here it is guaranteed that no one will touch you and you are probably not going to fly somewhere anyway.”
							</p>
						</div>
					</div>
				</div>

			</div>

			<div>
				<div>
					<div data-journey-hook="client-content" data-testid="BodyWrapper">
						<div>
							<p>
								Prior to the REvil arrests, the Kremlin and Russian authorities spent years allowing ransomware groups believed to be based in the country to operate with relative impunity. “There seems to be very deliberate separation and non-attacks of any Russian interests by Trickbot, Ryuk, Emotet, and Conti because they don’t want confrontation with the government,” Holden says. However, not all of Trickbot’s members are in Russia. The conversations among the group viewed by WIRED reveal at least two members appear to be based in Belarus—during the summer of 2020 <a href="https://www.wired.co.uk/article/belarus-protests-telegram" rel="external nofollow">when Belarus shut down the internet</a> Stern said that one member, a coder called Hof, would not be online until “the internet problem in Belarus is solved.”
							</p>


							<p>
								These exchanges likely comprise only a small element of the group’s interactions. Some details of TrickBot’s inner workings were also revealed in June and October 2021, when the US Department of Justice unsealed and unredacted charges against <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.justice.gov/opa/pr/russian-national-extradited-united-states-face-charges-alleged-role-cybercriminal"}' data-offer-url="https://www.justice.gov/opa/pr/russian-national-extradited-united-states-face-charges-alleged-role-cybercriminal" href="https://www.justice.gov/opa/pr/russian-national-extradited-united-states-face-charges-alleged-role-cybercriminal" rel="external nofollow" target="_blank">two alleged Trickbot members, Alla Witte and Vladimir Dunaev</a>. The indictment, which also covers other unnamed members of the Trickbot group, focuses on the group’s hacking and money laundering but also provides snippets of conversations. Goody says some private communication channels can contain dozens of members of the group.
							</p>

							<p>
								 
							</p>

							<p>
								Coders and developers recruited by Trickbot are drawn in through job postings on dark web forums and also on open-web Russian-language freelancer websites, the DOJ indictment says. While many of the job ads are hiding in plain sight, they don’t explicitly say successful applicants will be working for one of the world’s most ruthless cybercriminal groups. One job ad the indictment points to calls for an experienced reverse engineer who knows the programming language C++. The ad, which has long since expired, says the job focused on web browsers on Windows, involved working remotely, and had a budget of $7,000. A long-term position would potentially be possible if the work was completed successfully, the ad says.
							</p>

							<p>
								 
							</p>

							<p>
								Holden says Trickbot uses multiple layers in its hiring process to weed out both applicants who lack the necessary technical skills and cybersecurity companies trying to gather intelligence. Anyone applying for work has to pass an initial screening before moving on to tough skills tests, he says. “The questions are very complex technologically,” he explains. Goody adds that penetration testers working for the group can be paid $1,500 per month, plus a cut of ransoms that are paid.
							</p>

							<p>
								 
							</p>

							<p>
								During the recruitment process, Holden says, it is “acknowledged” that these aren’t everyday roles. Holden says he has seen ads that tell potential recruits they will be working for a startup involved in bug bounties, and that most of its funding comes from abroad. “The majority understand that this is blackhat and asking for the commercial target,” Trickbot conversations within the DOJ indictment say, referring to criminal hacking activities. “We need to stop communicating with idiots.”
							</p>

							<p>
								 
							</p>

							<p>
								The two alleged members of Trickbot named by the DOJ—Witte and Dunaev—were arrested by law enforcement outside of Russia. Witte, a 55-year-old Latvian national who lived in Suriname, was arrested in June 2021 while traveling to Miami and is charged with 19 counts that range from identity theft to bank fraud. She’s <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization"}' data-offer-url="https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization" href="https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization" rel="external nofollow" target="_blank">accused</a> of being one of Trickbot’s malware developers and allegedly exposed herself after hosting Trickbot’s malware on her personal domain name. Dunaev, 38, was extradited from the Republic of Korea to Ohio in October 2021 and is also <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.justice.gov/opa/pr/russian-national-extradited-united-states-face-charges-alleged-role-cybercriminal"}' data-offer-url="https://www.justice.gov/opa/pr/russian-national-extradited-united-states-face-charges-alleged-role-cybercriminal" href="https://www.justice.gov/opa/pr/russian-national-extradited-united-states-face-charges-alleged-role-cybercriminal" rel="external nofollow" target="_blank">accused</a> of developing Trickbot’s malware.
							</p>
						</div>
					</div>
				</div>

			</div>

			<div>
				<div>
					<div data-journey-hook="client-content" data-testid="BodyWrapper">
						<div>
							<p>
								Despite the arrests and wider ransomware crackdowns in Russia, the Trickbot group has not exactly gone into hiding. Toward the end of last year, the group <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/"}' data-offer-url="https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/" href="https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/" rel="external nofollow" target="_blank">boosted its operations</a>, says Limor Kessem, an executive security advisor at IBM Security. “They're trying to infect as many people as possible by contracting out the infection,” she says. Since the start of 2022, the IBM security team has seen Trickbot increase its efforts to evade security protections and <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/"}' data-offer-url="https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/" href="https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/" rel="external nofollow" target="_blank">conceal its activity</a>. The FBI also formally linked the use of the Diavol ransomware to Trickbot at the beginning of the year. “Trickbot doesn't seem to be targeting very specifically; I think what they have is numerous affiliates working with them, and whoever brings the most money is welcome to stay,” Limor says.
							</p>

							<p>
								 
							</p>

							<p>
								Holden too says he has seen evidence that Trickbot is ramping up its operations. “Last year they invested more than $20 million into their infrastructure and growth of their organization,” he explains, citing internal messages he has seen. This money, he says, is being spent on everything Trickbot does. “Staffing, technology, communications, development, extortion” are all getting extra investment, he says. The move points to a future where—after the takedown of REvil—the Trickbot group may become the primary Russia-linked cybercrime gang. “You expand in the hope of getting that money back in spades,” Holden says. “It’s not like they are planning to close the shop. It’s not like they are planning to downsize or run and hide.”
							</p>
						</div>
					</div>
				</div>
			</div>
		</div>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/trickbot-malware-group-internal-messages/" rel="external nofollow">Inside Trickbot, Russia’s Notorious Ransomware Gang</a>
</p>
]]></description><guid isPermaLink="false">4105</guid><pubDate>Tue, 01 Feb 2022 19:01:43 +0000</pubDate></item><item><title>Nvidia releases emergency security driver update for Kepler GTX 700 and 600 series GPUs</title><link>https://nsaneforums.com/news/security-privacy-news/nvidia-releases-emergency-security-driver-update-for-kepler-gtx-700-and-600-series-gpus-r4088/</link><description><![CDATA[<p>
	For the folks out there that are still running Nvidia GeForce Kepler desktop GPUs, like those belonging to GeForce GTX 600 and GTX 700 series, as well as GTX TITAN, TITAN Z, and TITAN Black, the company has announced a new WHQL-certified display driver update today.
</p>

<p>
	 
</p>

<p>
	You may be a bit surprised by this announcement as Nvidia had <a href="https://www.neowin.net/news/nvidia-gtx-600-and-700-kepler-series-driver-support-is-also-ending-in-october/" rel="external nofollow">already ended driver support for Kepler</a>. However, this is not the general Game Ready driver which brings support for new graphics cards or optimizations for new game titles. Instead, this is a security update driver meant to patch some of the security issues that have come up. Nvidia had earlier stated that it would provide security updates for Kepler through September 2024, and it looks like the company is true to its word.
</p>

<p>
	 
</p>

<p>
	As such, the driver changelog does not list any fixed bugs or known issues. The release note only says:
</p>

<p>
	 
</p>

<p>
	NVIDIA has released a software security update display driver for desktop Kepler-series GeForce GPUs which are no longer supported by Game Ready Drivers. This update addresses issues that may lead to multiple security impacts.
</p>

<p>
	 
</p>

<p>
	Nvidia also says that more information will be posted on its <a href="https://www.nvidia.com/en-us/security/" rel="external nofollow">security bulletin page</a> in February.
</p>

<p>
	 
</p>

<p>
	The links to download the new security drivers are provided below:
</p>

<p>
	 
</p>

<p>
	Download: <a href="https://www.nvidia.com/download/driverResults.aspx/186161/en-us" rel="external nofollow">Windows 7, 8, 8.1</a> (473.04) | Windows 10: <a href="https://www.nvidia.com/download/driverResults.aspx/186164/en-us" rel="external nofollow">Standard</a> / <a href="https://www.nvidia.com/download/driverResults.aspx/186165/en-us" rel="external nofollow">DCH</a> (472.98)
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/nvidia-releases-emergency-security-driver-update-for-kepler-gtx-700-and-600-series-gpus/" rel="external nofollow">Nvidia releases emergency security driver update for Kepler GTX 700 and 600 series GPUs</a>
</p>
]]></description><guid isPermaLink="false">4088</guid><pubDate>Mon, 31 Jan 2022 20:45:15 +0000</pubDate></item><item><title>Microsoft Defender beats out several heavyweight rivals in the latest AV-TEST ranking</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-defender-beats-out-several-heavyweight-rivals-in-the-latest-av-test-ranking-r4087/</link><description><![CDATA[<p>
	AV-TEST, the IT Security research institute based in Germany, released its December 2021 best anti-virus programs assessment report for Windows 10 home users. In this report, the organization took a look at 20 different anti-malware programs from various companies and the test also included Microsoft's Windows Defender.
</p>

<p>
	 
</p>

<p>
	Just like in the <a href="https://www.neowin.net/news/av-test-confirms-windows-defender-is-amongst-the-very-finest-antiviruses-you-get-in-2021/" rel="external nofollow">October 2021 report</a>, Windows Defender has scored very highly in this assessment. In fact, it is one of the very best available today, scoring the full 18 points available. Hence it has received the "AV-TEST TOP PRODUCT" certification, as it has scored above the 17.5-point threshold. Aside from Defender, ESET, Kaspersky, Avira, Norton, among others, have also scored full marks.
</p>

<p>
	 
</p>

<p>
	Relatively speaking, Microsoft Defender has actually done better this time around as some of its heavyweight rival programs like those from Avast, AVG, and Malwarebytes have each scored lower in one of the three categories. The categories are:
</p>

<p>
	 
</p>

<ul>
	<li>
		<p>
			Protection
		</p>
	</li>
	<li>
		<p>
			Performance
		</p>
	</li>
	<li>
		<p>
			Usability
		</p>
	</li>
</ul>

<p>
	 
</p>

<p>
	However, these are still rated AV-TEST TOP PRODUCT as each of them has managed to score 17.5 points.
</p>

<p>
	 
</p>

<p>
	The images below show how each of the 20 tested anti-virus programs has scored in the three categories differentiated by shades of blue (top) and also the certification they have received (bottom):
</p>

<p>
	 
</p>

<p>
	<img alt="1643640875_av_test_anti_virus_test_dec_2" class="ipsImage" data-ratio="75.10" height="540" width="703" src="https://cdn.neow.in/news/images/uploaded/2022/01/1643640875_av_test_anti_virus_test_dec_2021_scores_(source-_avtest).jpg">
</p>

<p>
	 
</p>

<p>
	<img alt="1643640884_av_test_anti_virus_test_dec_2" class="ipsImage" data-ratio="75.10" height="540" width="627" src="https://cdn.neow.in/news/images/uploaded/2022/01/1643640884_av_test_anti_virus_test_dec_2021_certificates_(source-_avtest).jpg">
</p>

<p>
	 
</p>

<p>
	You can find the full test report for <a href="https://www.av-test.org/en/antivirus/home-windows/" rel="external nofollow">December 2021 here</a>.
</p>

<p>
	 
</p>

<p>
	Images: AV-TEST GmbH (Twitter) (<a href="https://twitter.com/avtestorg/status/1488140681063600130" rel="external nofollow">1</a>), (<a href="https://twitter.com/avtestorg/status/1486657748838326274" rel="external nofollow">2</a>)
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-defender-beats-out-several-heavyweight-rivals-in-the-latest-av-test-ranking/" rel="external nofollow">Microsoft Defender beats out several heavyweight rivals in the latest AV-TEST ranking</a>
</p>
]]></description><guid isPermaLink="false">4087</guid><pubDate>Mon, 31 Jan 2022 20:42:19 +0000</pubDate></item><item><title>Researchers use GPU fingerprinting to track users online</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-use-gpu-fingerprinting-to-track-users-online-r4082/</link><description><![CDATA[<p>
	A team of researchers from French, Israeli, and Australian universities has explored the possibility of using people's GPUs to create unique fingerprints and use them for persistent web tracking.
</p>

<p>
	 
</p>

<p>
	The results of their large-scale experiment involving 2,550 devices with 1,605 distinct CPU configurations show that their technique, named 'DrawnApart,' can boost the median tracking duration by 67% compared to current state-of-the-art methods.
</p>

<p>
	 
</p>

<p>
	This is a severe problem for user privacy, which is currently protected by laws that focus on acquiring consent to activate website cookies.
</p>

<p>
	 
</p>

<p>
	These laws have led unscrupulous websites to collect other potential fingerprinting elements such as the hardware configuration, OS, timezones, screen resolution, language, fonts, etc.
</p>

<p>
	 
</p>

<p>
	This unethical approach is still limited because these elements change frequently, and even when they're stable, they can only put users into a rough categorization rather than create a unique fingerprint.
</p>

<h2>
	Fingerprinting identical GPUs
</h2>

<p>
	The researchers considered the possibility of creating distinctive fingerprints based on the GPU (graphics processing unit) of the tracked systems with the help of WebGL (Web Graphics Library).
</p>

<p>
	 
</p>

<p>
	WebGL is a cross-platform API for rendering 3D graphics in the browser, and it's present on all modern web browsers.
</p>

<p>
	 
</p>

<p>
	Using this library, the DrawnApart tracking system can count the number and speed of the execution units in the GPU, measure the time needed to complete vertex renders, handle stall functions, and more.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="fingerprinting.jpg" class="ipsImage" data-ratio="95.61" height="392" width="410" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/fingerprinting.jpg">
		</p>

		<figcaption>
			Fingerprinting the GPU for persistent tracking<br>
			Source: Arxiv.org
		</figcaption>
	</figure>
</div>

<p>
	DrawnApart uses short GLSL programs executed by the target GPU as part of the vertex shader to overcome the challenge of having random execution units handling the computations. Hence, the workload allocation is predictable and standardized.
</p>

<p>
	 
</p>

<p>
	The team developed both an on-screen measurement method that executes a small number of computationally intensive operations and an offscreen method that puts the GPU through a lengthier and less intensive test.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="render-loop.jpg" class="ipsImage" data-ratio="64.64" height="329" width="509" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/render-loop.jpg">
		</p>

		<figcaption>
			Render loop used for the on-screen test<br>
			Source: Arxiv.org
		</figcaption>
	</figure>
</div>

<p>
	This process generates traces consisting of 176 measurements taken from 16 points that are used to create a fingerprint. Even when evaluating the individual raw traces visually, one can notice differences and distinct timing variations between devices.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="raw-traces.jpg" class="ipsImage" data-ratio="22.08" height="143" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/raw-traces.jpg">
		</p>

		<figcaption>
			The resulting raw traces from two identical GPUs<br>
			Source: Arxiv.org
		</figcaption>
	</figure>
</div>

<p>
	The researchers also tried swapping other hardware parts on the machines to see if the traces would remain distinguishable and found that the fingerprints solely depended on the GPU.
</p>

<p>
	 
</p>

<p>
	Even if a set of integrated circuits is created through an identical manufacturing process, has the same nominal computational power, the same number of processing units, and the exact same cores and architecture, each circuit is slightly different due to normal manufacturing variability.
</p>

<p>
	 
</p>

<p>
	These differences are indistinguishable in normal day-to-day operations, but they can become useful in the context of a sophisticated tracking system like DrawnApart, which is specifically designed to trigger functional aspects that highlight them.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="table(3).jpg" class="ipsImage" data-ratio="64.72" height="323" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Tables/table(3).jpg">
		</p>

		<figcaption>
			Tested devices and classification accuracy<br>
			Source: Arxiv.org
		</figcaption>
	</figure>
</div>

<h2>
	Implications and considerations
</h2>

<p>
	When DrawnApart is used in conjunction with state-of-the-art tracking algorithms, the median tracking duration of a targeted user increases by 67%.
</p>

<p>
	 
</p>

<p>
	As illustrated in the following diagram, the standalone tracking algorithm can achieve an average tracking time of 17.5 days, but with the help of GPU fingerprinting, this is extended to 28 days.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="tracking-time.jpg" class="ipsImage" data-ratio="82.87" height="474" width="572" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/tracking-time.jpg">
		</p>

		<figcaption>
			Tracking duration diagram<br>
			Source: Arxiv.org
		</figcaption>
	</figure>
</div>

<p>
	This evaluation assumed test conditions in which the GPU's operating temperature stayed between 26.4 °C and 37 °C, with no voltage variations.
</p>

<p>
	 
</p>

<p>
	Apart from these conditions, workload variations, GPU payloads from other web browser tabs, system restarts, and other runtime changes don't affect DrawnApart.
</p>

<p>
	 
</p>

<p>
	The next-gen GPU APIs currently in development, most notably WebGPU, feature compute shaders in addition to the existing graphics pipeline.
</p>

<p>
	 
</p>

<p>
	As such, the upcoming API may introduce even more ways to fingerprint internet users, and quite likely faster and far more accurate too.
</p>

<p>
	 
</p>

<p>
	When the researchers tested compute shaders in the now-abandoned WebGL 2.0, they found that DrawnApart delivered 98% classification accuracy in just 150 milliseconds, much faster than the 8 seconds used to collect fingerprinting data through the WebGL API.
</p>

<p>
	 
</p>

<p>
	"We believe that a similar method can also be found for the WebGPU API once it becomes generally available. The effects of accelerated compute APIs on user privacy should be considered before they are enabled globally," concludes <a href="https://arxiv.org/pdf/2201.09956.pdf" rel="external nofollow" target="_blank">the research paper</a>.
</p>

<p>
	 
</p>

<p>
	Potential countermeasures to this fingerprinting method include attribute value changes, parallel execution prevention, script blocking, API blocking, and time measurement prevention.
</p>

<p>
	 
</p>

<p>
	The developer of the WebGL API, the Khronos Group, has received the researchers' disclosure on the above and formed a technical study group to discuss potential solutions with browser vendors and other stakeholders.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/researchers-use-gpu-fingerprinting-to-track-users-online/" rel="external nofollow">Researchers use GPU fingerprinting to track users online</a>
</p>
]]></description><guid isPermaLink="false">4082</guid><pubDate>Mon, 31 Jan 2022 07:56:02 +0000</pubDate></item><item><title>Internet Blackout in Andorra during   Minecraft Twitch competition</title><link>https://nsaneforums.com/news/security-privacy-news/internet-blackout-in-andorra-during-minecraft-twitch-competition-r4081/</link><description><![CDATA[<p>
	Confirmed: Internet disruption registered on #Andorra Telecom (AS6752) on Saturday evening; the incident is attributed by the state telco to a DDoS attack targeting the high-stakes #SquidCraftGames Minecraft Twitch competition, resulting in the elimination of Team Andorra
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://twitter.com/netblocks/status/1485050927165939713" rel="external nofollow">twitter.com/netblocks/status/1485050927165939713</a>
</p>

<p>
	 
</p>
]]></description><guid isPermaLink="false">4081</guid><pubDate>Sun, 30 Jan 2022 21:52:06 +0000</pubDate></item><item><title>End-to-end encryption of Messenger chats is now available for everyone</title><link>https://nsaneforums.com/news/security-privacy-news/end-to-end-encryption-of-messenger-chats-is-now-available-for-everyone-r4065/</link><description><![CDATA[<div itemprop="articleBody">
	<p>
		Facebook is a social media platform that is actively used by billions of people around the globe. It is not only a way to stay updated with the latest happenings near and far from you, but also a way to stay in touch with those close to you. To that end, <a href="https://about.fb.com/news/2022/01/updates-to-end-to-end-encrypted-chats-messenger/" rel="external nofollow">Meta has now announced a bunch of updates</a> for end-to-end encrypted (E2EE) chats on its Messenger platform to facilitate such use-cases.
	</p>

	<p>
		 
	</p>

	<p>
		Following its announcement from last year that testing had begun for <a href="https://www.neowin.net/news/messenger-will-now-encrypt-your-voice-and-video-calls/" rel="external nofollow">E2EE group chats and voice calls</a>, Meta has announced that the feature is now available for everyone on an opt-in basis. In addition, the company will now inform you if it detects that someone has taken a screenshot of your disappearing message.
	</p>

	<p>
		 
	</p>

	<p>
		Some other capabilities coming over to E2EE chats are GIFs, Stickers, Reactions, and Verified Badges. Additionally, you will now be able to reply to specific messages, get indicators when someone is typing, and forward messages too. Media in E2EE chats can now be saved, and before you send any media content, you also have the option to edit and personalize it with Stickers, scribbles, cropping, and audio edits.
	</p>

	<p>
		 
	</p>

	<p>
		E2EE conversations are opt-in for now, but the idea is to make them the default experience for users in the coming months and years. The latest string of enhancements is just another step in bridging the gap between the traditional Messenger experience and E2EE conversations.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/end-to-end-encryption-of-messenger-chats-is-now-available-for-everyone/" rel="external nofollow">End-to-end encryption of Messenger chats is now available for everyone</a>
</p>
]]></description><guid isPermaLink="false">4065</guid><pubDate>Fri, 28 Jan 2022 21:17:57 +0000</pubDate></item><item><title>Lazarus hackers use Windows Update to deploy malware</title><link>https://nsaneforums.com/news/security-privacy-news/lazarus-hackers-use-windows-update-to-deploy-malware-r4056/</link><description><![CDATA[<p>
	North Korean-backed hacking group Lazarus has added the Windows Update client to its list of living-off-the-land binaries (LoLBins) and is now actively using it to execute malicious code on Windows systems.
</p>

<p>
	 
</p>

<p>
	The new malware deployment method was discovered by the Malwarebytes Threat Intelligence team while analyzing a January spearphishing campaign impersonating the American security and aerospace company Lockheed Martin.
</p>

<p>
	 
</p>

<p>
	After the victims open the malicious attachments and enable macro execution, an embedded macro drops a WindowsUpdateConf.lnk file in the startup folder and a DLL file (wuaueng.dll) in a hidden Windows/System32 folder.
</p>

<p>
	 
</p>

<p>
	In the next stage, the LNK file is used to launch the WSUS / Windows Update client (wuauclt.exe) to execute a command that loads the attackers' malicious DLL.
</p>

<p>
	 
</p>

<p>
	"This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms," <a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" rel="external nofollow" target="_blank">Malwarebytes said</a>.
</p>

<p>
	 
</p>

<p>
	The researchers linked these attacks to Lazarus based on several pieces of evidence, including infrastructure overlaps, document metadata, and targeting similar to previous campaigns.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="Attack%20flow.jpg" class="ipsImage" data-ratio="75.10" height="459" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2022/Attack%20flow.jpg">
		</p>

		<figcaption>
			Attack flow (Malwarebytes)
		</figcaption>
	</figure>
</div>

<h2>
	Defense evasion method revived in new attacks
</h2>

<p>
	As <a href="https://www.bleepingcomputer.com/news/security/windows-update-can-be-abused-to-execute-malicious-programs/" target="_blank" rel="external nofollow">BleepingComputer reported in October 2020</a>, this tactic was discovered by MDSec researcher David Middlehurst, who found that attackers could use the Windows Update client to execute malicious code on Windows 10 systems (he also <a href="https://www.joesandbox.com/analysis/215088/0/html" rel="external nofollow" target="_blank">spotted a sample</a> using it in the wild).
</p>

<p>
	 
</p>

<p>
	This can be done by loading an arbitrary specially crafted DLL using the following command-line options (the command Lazarus used to load their malicious payload):
</p>

<pre>wuauclt.exe /UpdateDeploymentProvider [path_to_dll] /RunHandlerComServer</pre>

<p>
	MITRE ATT&amp;CK classifies this type of defense evasion strategy as <a href="http://attack.mitre.org/techniques/T1218/011/" rel="external nofollow" target="_blank">Signed Binary Proxy Execution</a>, and it allows attackers to bypass security software, application control, and digital certificate validation protection.
</p>

<p>
	 
</p>

<p>
	In this case, threat actors do it by executing malicious code from a previously dropped malicious DLL, loaded using the Windows Update client's Microsoft-signed binary.
</p>
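<p>
	The chain described above (a macro drops an .lnk in the Startup folder plus a DLL, then wuauclt.exe is started with /UpdateDeploymentProvider and /RunHandlerComServer) leaves a distinctive process-creation record. The following detection logic is an added example and is not code from the article or from Malwarebytes; it runs over constructed Sysmon-style process-creation events serialised as JSON lines, and the "expected" DLL directories, the hostnames and the sample paths are assumptions for illustration.
</p>

```python
"""Flag wuauclt.exe signed-binary proxy execution (ATT&CK T1218.011) in process-creation logs.

Added example; not code from the article or Malwarebytes. Input lines are constructed
Sysmon-style process-creation events serialised as JSON, one per line.
"""
import json
import ntpath
import re
from typing import Iterable, Optional

# DLL argument following /UpdateDeploymentProvider, quoted or bare (case-insensitive, as Windows is).
_PROVIDER_RE = re.compile(r'/UpdateDeploymentProvider\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
_RUN_HANDLER_RE = re.compile(r"/RunHandlerComServer\b", re.IGNORECASE)
# Directories where a deployment-provider DLL would plausibly live (assumption for this example).
_EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def dll_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the DLL path passed to /UpdateDeploymentProvider, or None if absent."""
    m = _PROVIDER_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def classify(event: dict) -> Optional[dict]:
    """Return an alert dict for a Lazarus-style wuauclt.exe invocation, else None."""
    if ntpath.basename(event.get("Image", "")).lower() != "wuauclt.exe":
        return None
    cmd = event.get("CommandLine", "")
    dll = dll_from_cmdline(cmd)
    if dll is None or not _RUN_HANDLER_RE.search(cmd):
        return None  # e.g. "wuauclt /detectnow" is routine administration, not proxy execution
    reasons = ["wuauclt.exe with /UpdateDeploymentProvider and /RunHandlerComServer (T1218.011)"]
    if ntpath.dirname(dll).lower() not in _EXPECTED_DIRS:
        # The campaign placed its DLL in a hidden folder rather than in System32 itself.
        reasons.append(f"provider DLL outside System32/SysWOW64: {dll}")
    if ntpath.basename(event.get("ParentImage", "")).lower() == "explorer.exe":
        reasons.append("parent is explorer.exe, consistent with a Startup-folder .lnk launch")
    return {"host": event.get("Computer"), "dll": dll, "reasons": reasons}


def scan(lines: Iterable[str]) -> list:
    """Run classify() over JSON event lines and collect the alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            hit = classify(json.loads(line))
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events (not real telemetry); hostnames and paths are invented.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Image": r"C:\Windows\System32\wuauclt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\System32\wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\hidden\wuaueng.dll /RunHandlerComServer"},
    {"Computer": "ws01", "Image": r"C:\Windows\System32\wuauclt.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wuauclt.exe /detectnow"},
    {"Computer": "ws02", "Image": r"C:\Windows\System32\wuauclt.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider "C:\Users\Public\evil.dll" /RunHandlerComServer'},
    {"Computer": "ws02", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s wuauserv"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert["host"], alert["dll"], "|", "; ".join(alert["reasons"]))
```

<p>
	The flag pair alone is the alert condition: the Windows Update client is never started that way by the update service in normal operation, so the DLL location and the explorer.exe parent only add context for triage. Because the technique executes under a Microsoft-signed binary, application-control policies that trust wuauclt.exe will not stop it; the process command line is the place to catch it.
</p>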

<h2>
	Notorious North Korean hacking group
</h2>

<p>
	The Lazarus Group (also tracked as HIDDEN COBRA by US intel agencies) is a North Korean military hacking group active for more than a decade, since at least 2009.
</p>

<p>
	 
</p>

<p>
	Its operators coordinated the 2017 global <a href="https://www.bleepingcomputer.com/news/security/wannacry-wana-decryptor-wanacrypt0r-info-and-technical-nose-dive/" target="_blank" rel="external nofollow">WannaCry</a> ransomware campaign and have been behind attacks against high-profile companies such as <a href="http://operationblockbuster.com/" rel="external nofollow" target="_blank">Sony Pictures</a> and multiple <a href="https://www.bleepingcomputer.com/news/security/north-korean-hackers-used-hermes-ransomware-to-hide-recent-bank-heist/" target="_blank" rel="external nofollow">banks worldwide</a>.
</p>

<p>
	 
</p>

<p>
	Last year, Google spotted Lazarus <a href="https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-targeting-security-researchers-with-malware-0-days/" target="_blank" rel="external nofollow">targeting security researchers</a> in January as part of complex social engineering attacks and <a href="https://www.bleepingcomputer.com/news/security/google-north-korean-hackers-target-security-researchers-again/" target="_blank" rel="external nofollow">a similar campaign</a> during March.
</p>

<p>
	 
</p>

<p>
	They were also observed using the previously undocumented ThreatNeedle backdoor in a large-scale cyber-espionage campaign against the <a href="https://www.bleepingcomputer.com/news/security/north-korean-hackers-target-defense-industry-with-custom-malware/" target="_blank" rel="external nofollow">defense industry</a> of more than a dozen countries.
</p>

<p>
	 
</p>

<p>
	US Treasury <a href="https://www.bleepingcomputer.com/news/security/north-korean-hackers-behind-wannacry-and-sony-hack-sanctioned-by-usa/" target="_blank" rel="external nofollow">sanctioned three DPRK-sponsored hacking groups</a> (Lazarus, Bluenoroff, and Andariel) in September 2019, and the US government <a href="https://www.bleepingcomputer.com/news/security/us-issues-guidance-on-north-korean-hackers-offers-5m-reward/" target="_blank" rel="external nofollow">offers a reward of up to $5 million</a> for info on Lazarus activity.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/lazarus-hackers-use-windows-update-to-deploy-malware/" rel="external nofollow">Lazarus hackers use Windows Update to deploy malware</a>
</p>
]]></description><guid isPermaLink="false">4056</guid><pubDate>Fri, 28 Jan 2022 02:44:10 +0000</pubDate></item><item><title>Microsoft mitigated a record 3.47 Tbps DDoS attack on Azure users</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-mitigated-a-record-347-tbps-ddos-attack-on-azure-users-r4048/</link><description><![CDATA[<p>
	Microsoft says its Azure DDoS protection platform mitigated a massive 3.47 terabits per second (Tbps) distributed denial of service (DDoS) attack targeting an Azure customer from Asia in November.
</p>

<p>
	 
</p>

<p>
	Two more large size attacks followed this in December, also targeting Asian Azure customers, a 3.25 Tbps UDP attack on ports 80 and 443 and a 2.55 Tbps UDP flood on port 443.
</p>

<p>
	 
</p>

<p>
	"In November, Microsoft mitigated a DDoS attack with a throughput of 3.47 Tbps and a packet rate of 340 million packets per second (pps), targeting an Azure customer in Asia. We believe this to be the largest attack ever reported in history," said Alethea Toh, an Azure Networking Product Manager.
</p>

<p>
	 
</p>

<p>
	"This was a distributed attack originating from approximately 10,000 sources and from multiple countries across the globe, including the United States, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan."
</p>

<p>
	 
</p>

<p>
	The 15-minute attack used multiple UDP reflection vectors aimed at port 80, including:
</p>

<p>
	 
</p>

<ul>
	<li>
		Simple Service Discovery Protocol (SSDP),
	</li>
	<li>
		Connection-less Lightweight Directory Access Protocol (CLDAP),
	</li>
	<li>
		Domain Name System (DNS),
	</li>
	<li>
		and Network Time Protocol (NTP)
	</li>
</ul>
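<p>
	What makes these four vectors recognisable on the wire is that a reflected reply always carries the reflector's service port (1900, 389, 53 or 123) as its UDP source port, while a web server listening on 80 or 443 never sends such queries, so the traffic is unsolicited by construction. The classifier below is an added example, not Microsoft's code; it runs over constructed NetFlow-style CSV records with fictional addresses, and the packet-rate threshold is an assumption.
</p>

```python
"""Classify UDP reflection vectors in flow records and summarise the attack mix.

Added example, not Microsoft's code. Flow records are constructed NetFlow-style CSV lines.
"""
import csv
import io
from collections import defaultdict

# Reflector service ports for the four vectors Microsoft listed; a reply from one of these
# services always carries the service port as its UDP source port.
REFLECTOR_PORTS = {1900: "SSDP", 389: "CLDAP", 53: "DNS", 123: "NTP"}
WEB_PORTS = {80, 443}


def classify_flow(row: dict):
    """Name the reflection vector for a flow, or None if it does not fit the pattern.

    A web server never sends SSDP/CLDAP/DNS/NTP queries from port 80 or 443, so a UDP
    flow from a reflector service port to a web port is unsolicited by construction.
    """
    if row["proto"].upper() != "UDP" or int(row["dst_port"]) not in WEB_PORTS:
        return None
    return REFLECTOR_PORTS.get(int(row["src_port"]))


def summarize(flow_csv: str, window_seconds: float) -> dict:
    """Aggregate packets, bytes and distinct reflector IPs per vector over the window."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        vec = classify_flow(row)
        if vec is None:
            continue
        agg[vec]["packets"] += int(row["packets"])
        agg[vec]["bytes"] += int(row["bytes"])
        agg[vec]["sources"].add(row["src_ip"])
    return {
        vec: {
            "packets": a["packets"],
            "sources": len(a["sources"]),            # reflectors seen, not the spoofing host
            "pps": a["packets"] / window_seconds,
            "gbps": a["bytes"] * 8 / window_seconds / 1e9,
        }
        for vec, a in agg.items()
    }


def is_volumetric(summary: dict, pps_threshold: float = 1_000_000) -> bool:
    """True when the combined reflection packet rate crosses the threshold (an assumed value)."""
    return sum(v["pps"] for v in summary.values()) >= pps_threshold


# Constructed sample: one second of flows toward a single hosted VIP (documentation addresses).
SAMPLE_FLOWS = """proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
UDP,203.0.113.10,1900,198.51.100.5,80,400000,120000000
UDP,203.0.113.11,1900,198.51.100.5,80,350000,105000000
UDP,203.0.113.20,389,198.51.100.5,80,300000,900000000
UDP,203.0.113.30,53,198.51.100.5,80,250000,750000000
UDP,203.0.113.40,123,198.51.100.5,80,200000,96000000
UDP,203.0.113.50,53,198.51.100.5,33434,10,1200
TCP,192.0.2.7,51234,198.51.100.5,443,120,9600
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_FLOWS, window_seconds=1)
    for vec, v in sorted(s.items()):
        print(f"{vec:6} {v['sources']} sources  {v['pps']:>10,.0f} pps  {v['gbps']:.2f} Gbps")
    print("volumetric:", is_volumetric(s))
```

<p>
	The "sources" counted here are the reflectors, not the attacker: the originating host spoofs the victim's address in its queries, so the reflectors' replies are what arrive. The same (source port, destination port) pattern that the classifier keys on is what an upstream filter can drop before it reaches the customer, which is why the mix of vectors matters for mitigation.
</p>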

<p>
	 
</p>

<p>
	Previous record-breaking publicly reported DDoS attacks were a <a href="https://www.bleepingcomputer.com/news/security/http-ddos-attacks-reach-unprecedented-17-million-requests-per-second/" target="_blank" rel="external nofollow">21.8 million requests per second (rps) application layer assault</a> that hit the Russian internet giant Yandex in August and a <a href="https://aws-shield-tlr.s3.amazonaws.com/2020-Q1_AWS_Shield_TLR.pdf" rel="external nofollow">2.3 Tbps volumetric strike detected by Amazon Web Services Shield</a> during Q1 2020.
</p>

<p>
	 
</p>

<p>
	Google Security Reliability Engineer Damian Menscher also revealed two years ago that Google mitigated <a href="http://cloud.google.com/blog/products/identity-security/identifying-and-protecting-against-the-largest-ddos-attacks" rel="external nofollow" target="_blank">a 2.54 Tbps DDoS</a> in 2017.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="3_47%20Tbps%20attack.png" class="ipsImage" data-ratio="50.31" height="322" width="640" src="https://www.bleepstatic.com/images/news/u/1109292/2022/3_47%20Tbps%20attack.png">
		</p>

		<figcaption>
			3.47 Tbps Azure DDoS attack (Microsoft)
		</figcaption>
	</figure>
</div>

<h2>
	"Largest attack ever reported in history"
</h2>

<p>
	The November 3.47 Tbps attack was the largest one the company had to face to date (and likely ever recorded), after previously reporting that it <a href="https://www.bleepingcomputer.com/news/security/microsoft-azure-customer-hit-by-record-ddos-attack-in-august/" target="_blank" rel="external nofollow">mitigated another record 2.4 Tbps attack</a> targeting a European Azure customer during late August.
</p>

<p>
	 
</p>

<p>
	Microsoft saw a rise in attacks that lasted longer than an hour in the second half of 2021, while multi-vector attacks such as the record one mitigated in November were prevalent.
</p>

<p>
	 
</p>

<p>
	These more prolonged DDoS attacks usually come as a sequence of short-lived, repeated burst attacks quickly ramping up (in seconds) to terabit volumes.
</p>

<p>
	 
</p>

<p>
	"Gaming continues to be the hardest hit industry. The gaming industry has always been rife with DDoS attacks because players often go to great lengths to win," Toh added.
</p>

<p>
	 
</p>

<p>
	"The concentration of attacks in Asia can be largely explained by the huge gaming footprint, especially in China, Japan, South Korea, Hong Kong, and India, which will continue to grow as the increasing smartphone penetration drives the popularity of mobile gaming in Asia."
</p>

<p>
	 
</p>

<p>
	Microsoft also defended customers against new TCP PUSH-ACK flood attacks (dominant in the East Asia region) during the 2021 holiday season.
</p>

<p>
	 
</p>

<p>
	"We observed a new TCP option manipulation technique used by attackers to dump large payloads, whereby in this attack variation, the TCP option length is longer than the option header itself," Toh <a href="https://azure.microsoft.com/en-us/blog/azure-ddos-protection-2021-q3-and-q4-ddos-attack-trends/" rel="external nofollow" target="_blank">said</a>.
</p>
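<p>
	The option-length manipulation Toh describes is easy to check for: each TCP option other than EOL and NOP carries a length byte, and a segment whose declared option length runs past the header that holds it is malformed and should be dropped. The parser below is an added example, not Microsoft's code; the two segments it inspects are constructed in the block itself.
</p>

```python
"""Parse TCP options and flag the malformed-length manipulation described in the article.

Added example, not Microsoft's code; the two segments below are constructed.
"""
import struct

OPTION_NAMES = {2: "MSS", 3: "WScale", 4: "SACK-Permitted", 5: "SACK", 8: "Timestamps"}


def parse_tcp_options(segment: bytes):
    """Return (options, problems) for a TCP segment starting at the TCP header.

    options  - list of (kind, payload bytes) in header order
    problems - human-readable reasons the segment should be dropped
    """
    options, problems = [], []
    if len(segment) < 20:
        return options, ["segment shorter than the 20-byte fixed header"]
    data_offset = (segment[12] >> 4) * 4           # header length in bytes
    if data_offset < 20:
        return options, [f"data offset {data_offset} below minimum header length"]
    if data_offset > len(segment):
        return options, [f"data offset {data_offset} exceeds segment length {len(segment)}"]
    i, end = 20, data_offset
    while i < end:
        kind = segment[i]
        if kind == 0:                               # End of Option List
            break
        if kind == 1:                               # NOP padding, single byte
            options.append((kind, b""))
            i += 1
            continue
        if i + 1 >= end:
            problems.append(f"option kind {kind} at offset {i} has no length byte")
            break
        length = segment[i + 1]
        if length < 2:
            problems.append(f"option kind {kind} declares impossible length {length}")
            break
        if i + length > end:
            # The case in the article: declared length runs past the header that holds it.
            problems.append(
                f"option kind {kind} ({OPTION_NAMES.get(kind, '?')}) declares length {length} "
                f"but only {end - i} bytes remain in the header")
            break
        options.append((kind, segment[i + 2:i + length]))
        i += length
    return options, problems


def build_segment(options: bytes, flags: int = 0x18) -> bytes:
    """Build a minimal TCP header (no payload) carrying the given raw option bytes."""
    padded = options + b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(padded)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, data_offset << 4, flags, 65535, 0, 0)
    return fixed + padded


# Constructed segments: a normal option set, and one whose WScale option claims 32 bytes.
GOOD_SEGMENT = build_segment(b"\x02\x04\x05\xb4" b"\x01\x01" b"\x04\x02")  # MSS 1460, NOP, NOP, SACK-Permitted
BAD_SEGMENT = build_segment(b"\x02\x04\x05\xb4" b"\x03\x20\x07\x00")      # MSS 1460, then WScale len 0x20

if __name__ == "__main__":
    for name, seg in (("good", GOOD_SEGMENT), ("bad", BAD_SEGMENT)):
        opts, probs = parse_tcp_options(seg)
        print(name, [(OPTION_NAMES.get(k, k), v.hex()) for k, v in opts], probs)
```

<p>
	A conforming stack discards such a segment during header validation; the point of inspecting it in a scrubbing path is that a flood of these can be dropped on the length check alone, without holding any per-flow state.
</p>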

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-mitigated-a-record-347-tbps-ddos-attack-on-azure-users/" rel="external nofollow">Microsoft mitigated a record 3.47 Tbps DDoS attack on Azure users</a>
</p>
]]></description><guid isPermaLink="false">4048</guid><pubDate>Thu, 27 Jan 2022 18:40:30 +0000</pubDate></item><item><title>Ensuring privacy while still showing personalized ads is a tricky proposition [Editorial]</title><link>https://nsaneforums.com/news/security-privacy-news/ensuring-privacy-while-still-showing-personalized-ads-is-a-tricky-proposition-editorial-r4040/</link><description><![CDATA[<p>
	Yesterday, we learned that <a href="https://www.neowin.net/news/google-has-killed-off-floc-introduces-topics-for-ad-tracking-instead/" rel="external nofollow">Google has killed off one of its Privacy Sandbox initiatives, Federated Learning of Cohorts (FLoC)</a>, and is instead replacing it with "Topics". I read the research paper behind FLoC last year and <a href="https://www.neowin.net/news/heres-what-you-need-to-know-about-floc-googles-alternative-to-individual-tracking/" rel="external nofollow">published my thoughts on how clustering users could preserve individual privacy</a>. At the same time, I emphasized that in order for the endeavor to be successful, "Google will need to have strong governance and security procedures in place which ensure that users cannot be de-identified by combining their data with other signals". It's clear that <a href="https://www.neowin.net/news/vivaldi-and-brave-web-browsers-come-out-against-googles-floc/" rel="external nofollow">Google was not able to satisfactorily resolve these concerns</a> around monopolizing individual data, hence the latest pivot to Topics.
</p>

<p>
	 
</p>

<p>
	I plan to publish an explainer on Google's Topics API in layman terms later in the week too, but for this piece, I just want to explore the idea of ensuring individual privacy while still showing personalized ads. Google's Privacy Sandbox plans to tackle this problem using privacy-preserving mechanisms, with its latest endeavors in the area being FLoC and Topics, and while they may appear to be a technically better implementation than what we have right now, I believe the actual uphill battle is shaping public perception, not the technology.
</p>

<p>
	 
</p>

<p>
	Google could announce one technology or API after the next, but the fact of the matter is that it has to regain public trust and win support from competitors for its efforts to be successful.
</p>

<p>
	 
</p>

<p>
	<img alt="1615025405_google-logo-magnifying_story." class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neow.in/news/images/uploaded/2021/03/1615025405_google-logo-magnifying_story.jpg">
</p>

<p>
	 
</p>

<p>
	Let's take Topics as an example. Throughout its <a href="https://www.neowin.net/news/vivaldi-and-brave-web-browsers-come-out-against-googles-floc/" rel="external nofollow">blog post</a>, Google continues to emphasize that it will collect your interests (or topics) from a rolling time window of three weeks and then show only one interest per week to a website and its advertising partners. All your topics will be stored and processed locally by your browser and will not be sent to external servers, including those owned by Google. Topics older than three weeks will be deleted and users will also have control over manual deletion and complete blocking of the feature.
</p>

<p>
	 
</p>

<p>
	While that sounds better on paper than what we have right now, I do think Google will have to do a lot better to gain public trust. This is evident from the <a href="https://www.neowin.net/news/google-has-killed-off-floc-introduces-topics-for-ad-tracking-instead/#comment-598706765" rel="external nofollow">comments section in our article covering the announcement</a>.
</p>

<p>
	 
</p>

<p>
	Suppose that I visit YouTube and the Topics API shows three of my top interests to an ad provider "X". Then I continue visiting YouTube every week, with my topics being different each time. As a Chrome user, how do I know that a website and its ad partner aren't simply racking up topics about me every three weeks and then selling my data to other vendors? Yes, Google says that Chrome will host and process all data locally and then remove it after three weeks, but how do I know that ad provider X isn't just collecting all those topics, never deleting them, and building a profile on me, which is essentially what we have with cookies right now?
</p>

<p>
	 
</p>

<p>
	This begs the question: how can a company like Google still show me personalized adverts while managing my personal data and ensuring that my privacy is not breached? This is a difficult question even for me to answer as a consumer and I'm sure that the head honchos at Google's Privacy Sandbox team are facing a similar predicament, maybe not in terms of the technical implementation but in terms of shaping the public perception around it.
</p>

<p>
	 
</p>

<p>
	<img alt="business-strategy-1940x1740_story.jpg" class="ipsImage" data-ratio="75.10" height="540" width="602" src="https://cdn.neow.in/news/images/uploaded/2016/01/business-strategy-1940x1740_story.jpg">
</p>

<p>
	 
</p>

<p>
	Of course, as a consumer, one of the answers would be to disable Topics, cookies, and any other tracker altogether. But that would also mean that I don't get personalized experiences. While that sounds like a minor tradeoff, I think many people including myself have become so used to personalized experiences at online outlets, social media platforms, and other similar websites, that we do feel the need for a streamlined, personalized experience.
</p>

<p>
	 
</p>

<p>
	As such, this has also become a question for consumers who want some level of personalization: what degree of tracking are we okay with? How does Google, or any other company for that matter, convince us that our data is only being used for its intended purpose and not being sold to the next highest bidder?
</p>

<p>
	 
</p>

<p>
	I'll reiterate that none of these questions concern people who don't want personalized experiences at all. These are only thoughts to ponder for people who want personalized experiences without sacrificing their privacy completely.
</p>

<p>
	 
</p>

<p>
	<img alt="1567072046_collective-data_story.jpg" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neow.in/news/images/uploaded/2019/08/1567072046_collective-data_story.jpg">
</p>

<p>
	 
</p>

<p>
	Since <a href="https://www.neowin.net/news/vivaldi-and-brave-web-browsers-come-out-against-googles-floc/" rel="external nofollow">Vivaldi and Brave were so vehemently opposed to FLoC</a>, I was curious about what their workaround to this problem is.
</p>

<p>
	 
</p>

<p>
	Admirably, <a href="https://vivaldi.com/zerotracking/" rel="external nofollow">Vivaldi says that it collects absolutely no data about you</a> and that it does not build a profile about you at all. It offers granular controls to delete cookies and also features a built-in tracker blocker to automatically do the same. <a href="https://vivaldi.com/blog/privacy-is-not-just-a-personal-matter/" rel="external nofollow">In a 2019 blog post</a>, CEO Jon von Tetzchner emphasized that "I am not suggesting that data cannot be used to provide a service. It is a question of whether that data can be used for other purposes. Your traffic data is useful there and then, and you would experience a benefit in sharing that data to get a better driving experience. [...] Companies should be custodians of our data. They should not own it or monetize it."
</p>

<p>
	 
</p>

<p>
	Similarly, Brave touts its privacy-preserving capabilities and blocks trackers and third-party cookies out of the box. You do have fine-grained controls over what you want to enable, and in a more intelligent way, Brave actually enables you to directly offer monetary compensation to your favorite websites in place of the ads and trackers it blocks.
</p>

<p>
	 
</p>

<p>
	If you don't want personalized experiences, I think both of these are great options. And this is what I want you to ponder as I close off this piece: if you don't want personalized experiences, you have a nice selection of other browsers that you can use, but if you want personalized experiences (ads for product categories I'm interested in have actually been useful for me multiple times in the past), you're caught between a rock and a hard place. It's extremely difficult, if not impossible to define a fine line between tracking your browsing for personalization versus invading your privacy, and that is something that Google needs to work on as it also endeavors to build trust and shape public perception around the topic.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/ensuring-privacy-while-still-showing-personalized-ads-is-a-tricky-proposition/" rel="external nofollow">Ensuring privacy while still showing personalized ads is a tricky proposition</a>
</p>
]]></description><guid isPermaLink="false">4040</guid><pubDate>Wed, 26 Jan 2022 21:21:52 +0000</pubDate></item><item><title>Apple fixes new zero-day exploited to hack macOS, iOS devices</title><link>https://nsaneforums.com/news/security-privacy-news/apple-fixes-new-zero-day-exploited-to-hack-macos-ios-devices-r4039/</link><description><![CDATA[<p>
	Apple has released security updates to fix two zero-day vulnerabilities, with one publicly disclosed and the other exploited in the wild by attackers to hack into iPhones and Macs.
</p>

<p>
	 
</p>

<p>
	The first zero-day patched today (tracked as CVE-2022-22587) [<a href="https://support.apple.com/en-us/HT213053" rel="external nofollow" target="_blank">1</a>, <a href="https://support.apple.com/en-us/HT213054" rel="external nofollow" target="_blank">2</a>] is a memory corruption bug in the IOMobileFrameBuffer that affects iOS, iPadOS, and macOS Monterey.
</p>

<p>
	 
</p>

<p>
	Successful exploitation of this bug leads to arbitrary code execution with kernel privileges on compromised devices.
</p>

<p>
	 
</p>

<p>
	"Apple is aware of a report that this issue may have been actively exploited," Apple said when describing the zero-day bug.
</p>

<p>
	 
</p>

<p>
	The complete list of impacted devices includes:
</p>

<p>
	 
</p>

<ul>
	<li>
		iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
	</li>
	<li>
		and macOS Monterey
	</li>
</ul>

<p>
	 
</p>

<p>
	The bug was found by an anonymous researcher, Meysam Firouzi (@R00tkitSMM) of MBition - Mercedes-Benz Innovation Lab, and Siddharth Aeri (@b1n4r1b01).
</p>

<p>
	 
</p>

<p>
	Firouzi and Aeri told BleepingComputer that they both found the bug independently and were unaware that threat actors exploited it in the wild.
</p>

<p>
	 
</p>

<p>
	The second zero-day is a Safari WebKit bug in iOS and iPadOS, a cross-origin issue in the IndexedDB API, that <a href="https://www.bleepingcomputer.com/news/security/safari-bug-leaks-your-google-account-info-browsing-history/" target="_blank" rel="external nofollow">allowed websites to track your browsing activity</a> and users' identities in real time.
</p>

<p>
	 
</p>

<p>
	The bug was first disclosed to Apple by Martin Bajanik of FingerprintJS on November 28th, 2021, and publicly disclosed on January 14th, 2022. After the researcher disclosed the bug, it was assigned CVE-2022-22594 and fixed in today's <a href="https://support.apple.com/en-us/HT213053" rel="external nofollow" target="_blank">iOS 15.3 and iPadOS 15.3 security update</a>.
</p>

<p>
	 
</p>

<p>
	These bugs are the first zero-day vulnerabilities fixed by Apple in 2022.
</p>

<p>
	 
</p>

<p>
	However, Apple fixed what felt like a never-ending stream of zero-day bugs in 2021 that were used in attacks against iOS and macOS devices.
</p>

<p>
	 
</p>

<p>
	These bugs included numerous <a href="https://www.bleepingcomputer.com/news/apple/apple-fixes-ios-zero-day-used-to-deploy-nso-iphone-spyware/" target="_blank" rel="external nofollow">zero-day vulnerabilities</a> <a href="https://www.bleepingcomputer.com/news/apple/new-zero-click-iphone-exploit-used-to-deploy-nso-spyware/" target="_blank" rel="external nofollow">used to install the Pegasus spyware</a> on the iPhones of journalists, activists, and politicians.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/apple/apple-fixes-new-zero-day-exploited-to-hack-macos-ios-devices/" rel="external nofollow">Apple fixes new zero-day exploited to hack macOS, iOS devices</a>
</p>
]]></description><guid isPermaLink="false">4039</guid><pubDate>Wed, 26 Jan 2022 21:17:46 +0000</pubDate></item><item><title>Google drops FLoC and announces Topics as the future cookie-less advertising system</title><link>https://nsaneforums.com/news/security-privacy-news/google-drops-floc-and-announces-topics-as-the-future-cookie-less-advertising-system-r4032/</link><description><![CDATA[<p>
	Google announced the new Topics API for its Privacy Sandbox project on January 25, 2022, which replaces the controversial FLoC project.
</p>

<p>
	 
</p>

<p>
	When Google announced FLoC, Federated Learning of Cohorts, back in 2021, it revealed a plan to shift online advertising from user tracking to group tracking. Users would no longer be tracked individually through the use of cookies, but would join cohorts based on their interests. Sites would gain access to these interests and advertisements could be displayed based on them.
</p>

<p>
	 
</p>

<p>
	A FLoC-supporting program such as Google Chrome would analyze the browsing history of the user, join a cohort based on the data and store the information locally.
</p>

<p>
	 
</p>

<p>
	Companies like DuckDuckGo, Brave or Vivaldi rejected FLoC for a number of reasons, including that cohort information could become a strong fingerprinting identifier, as cohorts consisted of a few thousand users. Other objections included letting Google determine what it considered sensitive information, which the company wanted to exclude from being used for advertising purposes, and informing any site about interests, even if sites were never visited in the past.
</p>

<p>
	 
</p>

<p>
	<strong>Update:</strong> Brave published a statement on its site stating that Topics does not address all of the company's points of criticism. In particular, it is still Google that is deciding what is sensitive and as such excluded from being used for advertising purposes. Topics limits the exposure of a user's interests to sites visited in the past, and the advertisers that were loaded on those sites. The limitation benefits large advertisers, including Google, and puts smaller advertisers at a disadvantage.
</p>

<p>
	 
</p>

<p>
	FLoC, Privacy Sandbox, and the Topics API do not improve privacy; rather, they’re proposals to make the least private browser slightly less bad. They’re an incomplete and insufficient effort by Google to catch up with other browsers that offer real privacy protections (and that have done so for years).
</p>

<p>
	 
</p>

<p>
	<strong>End of Update</strong>
</p>

<p>
	 
</p>

<p>
	The announcement by Vinay Goel, Product Director Privacy Sandbox and Chrome at Google, confirms that Google dropped FLoC from its Privacy Sandbox program. The company plans to replace it with the Topics API, which Goel introduces in the blog post on The Keyword blog.
</p>

<p>
	 
</p>

<p>
	Topics is based around the idea of associating topics with a user's browsing behavior. Programs like Chrome will still analyze the browsing history to determine these topics, but users won't be assigned to cohorts anymore.
</p>

<p>
	 
</p>

<p>
	A "handful" of topics that represent a user's top interests are determined and kept for three weeks. Old topics are deleted after that time while new topics are added, based on the user's browsing. The entire process happens locally according to Google.
</p>

<p>
	 
</p>

<p>
	When a user visits a site, the site is informed about three of the available topics, one from each week of browsing. The site and its advertising partners may use the information to display advertisement to the user.
</p>
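<p>
	The mechanism described here and in the editorial above (topics derived locally from each week's browsing, kept for three weeks, one topic per past week handed to a site and its ad partners, and, per Brave's reading, only topics those partners could have observed on sites they were embedded in) is small enough to model end to end. The following is an added example, not Google's design or code: the site-to-topic taxonomy, the sites, the ad-tech callers "adtech-x", "adtech-y" and "adtech-z", and TOP_N = 5 standing in for the "handful" of weekly topics are all constructed, and the pick among eligible topics is made deterministically where the real API is described as choosing at random.
</p>

```python
"""Toy model of the Topics API as the articles describe it: topics derived locally from
each week's browsing, kept for three weeks, and one topic per week shown to a caller,
limited to topics that caller could have observed on sites it was embedded in.

Added example, not Google's design or code; taxonomy, sites and callers are constructed.
"""
from collections import Counter, defaultdict

SITE_TOPICS = {                      # site -> topic (constructed mini taxonomy)
    "running-shoes.example": "Fitness",
    "marathon-news.example": "Fitness",
    "carsite.example": "Autos & Vehicles",
    "garage-tips.example": "Autos & Vehicles",
    "recipes.example": "Cooking",
    "travel-deals.example": "Travel",
}
TOP_N = 5                            # stands in for the "handful" of weekly topics (assumption)
RETENTION_WEEKS = 3


class TopicsBrowser:
    def __init__(self):
        self.visits = defaultdict(Counter)                      # week -> topic -> visit count
        self.observed = defaultdict(lambda: defaultdict(set))   # week -> caller -> topics seen

    def visit(self, week: int, site: str, callers=()):
        """Record a page view; `callers` are the ad-tech parties embedded on that page."""
        topic = SITE_TOPICS.get(site)
        if topic is None:
            return
        self.visits[week][topic] += 1
        for c in callers:
            self.observed[week][c].add(topic)
        self._expire(week)

    def _expire(self, now: int):
        """Forget everything older than the three-week window; nothing leaves the browser."""
        for w in [w for w in self.visits if w < now - RETENTION_WEEKS]:
            self.visits.pop(w)
            self.observed.pop(w, None)

    def weekly_top(self, week: int):
        return [t for t, _ in self.visits.get(week, Counter()).most_common(TOP_N)]

    def topics_for(self, caller: str, now: int):
        """What the caller receives when it asks in week `now`: at most one topic per past week,
        and only a topic the caller itself saw the user on a site about during that week."""
        out = []
        for w in range(now - RETENTION_WEEKS, now):
            seen = self.observed.get(w, {}).get(caller, set())
            eligible = [t for t in self.weekly_top(w) if t in seen]
            if eligible:
                out.append(eligible[0])   # real API picks at random; most-visited here for determinism
        return out


def simulate():
    """Three weeks of constructed browsing, then each caller asks in week 4."""
    b = TopicsBrowser()
    b.visit(1, "running-shoes.example", ["adtech-x"])
    b.visit(1, "marathon-news.example", ["adtech-x"])
    b.visit(1, "carsite.example", ["adtech-x"])
    b.visit(2, "carsite.example", ["adtech-x"])
    b.visit(2, "garage-tips.example", ["adtech-y"])
    b.visit(2, "recipes.example", ["adtech-x"])
    b.visit(3, "travel-deals.example", ["adtech-y"])
    b.visit(3, "recipes.example", ["adtech-x"])
    b.visit(3, "running-shoes.example", ["adtech-x"])
    return {c: b.topics_for(c, now=4) for c in ("adtech-x", "adtech-y", "adtech-z")}


if __name__ == "__main__":
    for caller, topics in simulate().items():
        print(f"{caller}: {topics}")
```

<p>
	Two things the model makes visible: a caller that was never loaded on a site about a topic ("adtech-z") receives nothing, which is the limit Brave's statement refers to, and a widely embedded caller ("adtech-x") gets a fresh answer every week, so nothing in the mechanism stops it from storing those answers and assembling the multi-week profile the editorial worries about.
</p>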

<p>
	 
</p>

<p>
	Google plans to introduce controls that make the entire process transparent for the user; this includes options to see topics, remove them, or even disable the feature entirely. Topics won't include sensitive topics such as gender or race according to Google.
</p>

<p>
	 
</p>

<p>
	Additional information about Topics is available on the Privacy Sandbox website and on GitHub.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Closing Words</strong></span>
</p>

<p>
	 
</p>

<p>
	With more and more companies dropping support for FLoC, it was clear that Google had to do something. Topics replaces FLoC, and it addresses some of the major concerns levelled against FLoC. Whether Google is more successful in convincing other browser makers and companies to include Topics in their products, or in the case of Chromium-based browsers, not disable it, remains to be seen.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong><a href="https://www.ghacks.net/2022/01/26/google-drops-floc-and-announces-topics-as-the-future-cookie-less-advertising-system/" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">4032</guid><pubDate>Wed, 26 Jan 2022 15:27:10 +0000</pubDate></item><item><title>Google introduces a new system for tracking Chrome browser users.</title><link>https://nsaneforums.com/news/security-privacy-news/google-introduces-a-new-system-for-tracking-chrome-browser-users-r4031/</link><description><![CDATA[<p>
	<span style="font-size:16px;">The company is scrapping another plan that would have blocked so-called cookies after privacy groups and regulators complained that Google needed to do more to ensure privacy.</span>
</p>

<p>
	 
</p>

<p>
	When Google announced a plan to block digital tracking cookies from its Chrome web browser two years ago, the advertising industry and regulators worried that the proposal would further entrench the search giant’s dominance over online ads.
</p>

<p>
	 
</p>

<p>
	The outcry eventually forced Google to delay its rollout by nearly two years to late 2023.
</p>

<p>
	 
</p>

<p>
	On Tuesday, Google said it was scrapping its old plan and offered a new way to block third-party trackers in Chrome with an online advertising system called Topics. The new system would still eliminate cookies, but it would inform advertisers of a user’s areas of interest — such as “fitness” or “autos and vehicles” — based on the last three weeks of the user’s web browsing history. The Topics will be kept for three weeks before they are deleted.
</p>

<p>
	 
</p>

<p>
	Google’s plan to eliminate cookies by the end of next year is a potentially huge shift for the digital advertising industry, though it is not clear if the new method, which the company will start testing in the first quarter this year, will be any less alarming to advertisers and regulators. Google Chrome, the world’s most widely used web browser, is used by two of every three people surfing the internet, according to StatCounter.
</p>

<p>
	 
</p>

<p>
	Google said in 2019 that it would do away with third-party trackers in Chrome through an initiative called the Privacy Sandbox. The trackers allow ad services to follow users around the web to learn about their browsing habits. The company later unveiled a plan known as federated learning of cohorts, or FLoC. It was intended to allow advertisers to target groups of users, based on common browsing history, instead of individuals.
</p>

<p>
	 
</p>

<p>
	Apple has also cracked down on advertisers, limiting their ability to track users as they browse the web. Last year, the company introduced App Tracking Transparency, which allows users to block apps from tracking them, a decision that caused concern at Facebook and other major advertisers.
</p>

<p>
	 
</p>

<p>
	Since marketers rely heavily on cookies to target ads and measure their efficacy, Google’s privacy proposal led to worries that it would strengthen the company’s hold on the industry because Google already knows so much about the interests and habits of its users. Privacy experts feared that the cohorts could expose users to new forms of tracking.
</p>

<p>
	 
</p>

<p>
	Google’s proposal also caught the eye of regulators. The European Union said it was investigating the plan as part of an inquiry into Google’s role in the digital advertising market. Last year, Britain’s Competition and Markets Authority reached an agreement with Google to allow the regulator to review changes to trackers in Chrome as part of a settlement of another investigation.
</p>

<p>
	 
</p>

<p>
	Topics will address some of the concerns raised by privacy advocates about FLoC, preventing more covert tracking techniques, Google said. It aims to preserve user privacy by segmenting its audience into larger groups.
</p>

<p>
	 
</p>

<p>
	Google said there had been tens of thousands of potential cohorts under the previous plan, but that it would reduce the number of Topics to fewer than a few thousand. The company said users would be able to see what topics were associated with them, and remove them if they chose.
</p>

<p>
	 
</p>

<p>
	“It’s slightly more privacy-protective than FLoC,” said Sara Collins, a senior policy counsel at the public interest nonprofit Public Knowledge. The larger topic groups would grant users more anonymity, but Google’s plan could still be circumvented by fingerprinting techniques meant to track individual users, she said.
</p>

<p>
	 
</p>

<p>
	Google said Topics would use human curators rather than allow machine learning technology to generate user groups, as the FLoC plan did. This will eliminate the possibility that groups might be based on sensitive characteristics like sexual orientation or race, Google said.
</p>

<p>
	 
</p>

<p>
	“There were a couple of research studies that showed concern over this happening,” Vinay Goel, who oversees the Privacy Sandbox initiative at Google, said in an interview. “We didn’t find evidence that it was happening.”
</p>

<p>
	 
</p>

<p>
	Peter Snyder, director of privacy at Brave, a privacy-minded search engine, said the changes with Topics did not address the core issues with Google’s previous proposal.
</p>

<p>
	 
</p>

<p>
	“At root is Google’s insistence on sharing information about people’s interests and behaviors with advertisers, trackers and others on the web that are hostile to privacy,” Mr. Snyder said in a statement. “These groups have no business — and no right — to learn such sensitive information about you.”
</p>

<p>
	 
</p>

<p>
	Google’s Topics plan echoes a revision made to its search product several years ago. In 2019, the company gave users the ability to set up their search history to automatically purge every three or 18 months. That made it harder for advertisers to target individuals with highly personalized ads based on their web traffic. Google also gave users the ability to disable it from recording search histories altogether.
</p>

<p>
	 
</p>

<p>
	Critics noted that the privacy controls were ineffective because they were difficult for the average person to find, and by default, Google continues to keep a permanent record of people’s search histories.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong><a href="https://www.nytimes.com/2022/01/25/business/google-topics-chrome-tracking.html" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">4031</guid><pubDate>Wed, 26 Jan 2022 15:15:56 +0000</pubDate></item><item><title>Let's Encrypt is revoking lots of SSL certificates in two days</title><link>https://nsaneforums.com/news/security-privacy-news/lets-encrypt-is-revoking-lots-of-ssl-certificates-in-two-days-r4030/</link><description><![CDATA[<p>
	Let's Encrypt will begin revoking certain SSL/TLS certificates issued within the last 90 days starting January 28, 2022. The move could impact millions of active Let's Encrypt certificates.
</p>

<p>
	 
</p>

<p>
	As a non-profit certificate authority run by Internet Security Research Group (ISRG), Let's Encrypt provides X.509 certificates for Transport Layer Security encryption at no cost.
</p>

<h2>
	'Mis-issued' certificates to be revoked 
</h2>

<p>
	Yesterday, ISRG was informed by a third party who examined Let's Encrypt's <a href="https://github.com/letsencrypt/boulder" rel="external nofollow" target="_blank">Boulder code repo</a> that there were "two irregularities" in the certificate authority's implementation of "TLS using ALPN" validation method [<a href="https://datatracker.ietf.org/doc/html/rfc8737" rel="external nofollow" target="_blank">1</a>, <a href="https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.4_redline.pdf" rel="external nofollow" target="_blank">2</a>].
</p>

<p>
	 
</p>

<p>
	Consequently, the certificate authority had to make <a href="https://community.letsencrypt.org/t/changes-to-tls-alpn-01-challenge-validation/170427" rel="external nofollow" target="_blank">two changes</a> to how its TLS-ALPN-01 challenge validation works.
</p>

<p>
	 
</p>

<p>
	"All active certificates that were issued and validated with the TLS-ALPN-01 challenge before 00:48 UTC on 26 January 2022 when our fix was deployed are considered mis-issued," <a href="https://community.letsencrypt.org/t/2022-01-25-issue-with-tls-alpn-01-validation-method/170450" rel="external nofollow" target="_blank">explains</a> Let's Encrypt Site Reliability Engineer (SRE), Jillian.
</p>

<p>
	 
</p>

<p>
	To comply with Let's Encrypt's Certificate Policy, which requires the certificate authority to invalidate a certificate within 5 days under certain conditions, the non-profit will begin revoking certificates at 16:00 UTC on January 28th, 2022.
</p>

<p>
	 
</p>

<p>
	Note, however, that not all certificates are affected by the improper implementation of the "TLS using ALPN" validation method. This planned revocation will only apply to certificates issued with the flawed TLS-ALPN-01 validation method.
</p>

<p>
	 
</p>

<p>
	"We estimate [less than] 1% of active certificates are affected. Subscribers affected by revocations will receive e-mail notifications if their ACME account contains a valid e-mail address. If you are affected by this revocation and need help renewing your certificate please ask questions in this <a href="https://community.letsencrypt.org/t/questions-about-renewing-before-tls-alpn-01-revocations/170449" rel="external nofollow">thread</a>," further explains the engineer.
</p>

<p>
	 
</p>

<p>
	"We will be providing more details about this incident in the next few days."
</p>

<p>
	 
</p>

<p>
	As of November 2021, the number of all active Let's Encrypt certificates surpassed 221 million, as seen by BleepingComputer.
</p>

<p>
	 
</p>

<p>
	Therefore, the number of affected active certificates (1% or less) could possibly touch millions—if these were issued with the flawed TLS-ALPN-01 challenge validation.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<figure class="image" style="display:inline-block">
		<img alt="Let's Encrypt growth stats" data-ratio="75.10" height="278" width="600" src="https://www.bleepstatic.com/images/news/u/1164866/2022/January-2022/letsencrypt-revoke/letsencrypt-stats.jpg">
		<figcaption>
			<strong>Let's Encrypt growth statistics and active certificates </strong>(Let's Encrypt)
		</figcaption>
	</figure>
</div>

<h2>
	Users receiving e-mail notifications
</h2>

<p>
	Site owners with the affected Let's Encrypt certificates are reporting receiving email notifications, instructing them to renew their certificates as the revocation is about to kick in.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<figure class="image" style="display:inline-block">
		<img alt="Let's Encrypt email notification" data-ratio="75.10" height="541" width="550" src="https://www.bleepstatic.com/images/news/u/1164866/2022/January-2022/letsencrypt-revoke/email-notification.jpg">
		<figcaption>
			<strong>Let's Encrypt sending out email notifications</strong> (<a href="https://twitter.com/stereotype32/status/1486245346678231040" rel="external nofollow" target="_blank">Twitter</a>)
		</figcaption>
	</figure>
</div>

<p>
	"If you received the e-mail, then your account has successfully obtained at least one certificate in the last 90 days that was validated using the TLS-ALPN-01 challenge," explains Let's Encrypt in the aforementioned thread.
</p>

<p>
	 
</p>

<p>
	"All certificates issued in the last 90 days and validated with TLS-ALPN-01 challenge are affected. You need to (force) renew the certificate according to your ACME client's directions. If your client requires you to make a configuration change, please remember to revert after your certificate is renewed!"
</p>

<p>
	 
</p>

<p>
	Given the short notice, <a href="https://twitter.com/0x663030623472/status/1486244517036675072" rel="external nofollow" target="_blank">not all users may be pleased</a> with Let's Encrypt's sudden but necessary move.
</p>

<p>
	 
</p>

<p>
	On the bright side, though, those using automated certificate management solutions like Caddy Web Server can rest easy.
</p>

<p>
	 
</p>

<p>
	"Sites using Caddy v2.4.2 or newer should not have to take any action when automated certificates are revoked. Enjoy your sleep," <a href="https://twitter.com/caddyserver/status/1486226944597233664" rel="external nofollow" target="_blank">touts</a> the team behind Caddy Web Server.
</p>

<p>
	 
</p>

<p>
	"Caddy automatically staples OCSP for all relevant certificates. It will refresh the staple about halfway through its validity period. If the next status is <em>Revoked</em>, Caddy will replace the certificate right away."
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://www.bleepingcomputer.com/news/security/lets-encrypt-is-revoking-lots-of-ssl-certificates-in-two-days/" ipsnoembed="true" rel="external nofollow">https://www.bleepingcomputer.com/news/security/lets-encrypt-is-revoking-lots-of-ssl-certificates-in-two-days/</a>
</p>
]]></description><guid isPermaLink="false">4030</guid><pubDate>Wed, 26 Jan 2022 14:01:47 +0000</pubDate></item><item><title>Booby-trapped sites delivered potent new backdoor trojan to macOS users</title><link>https://nsaneforums.com/news/security-privacy-news/booby-trapped-sites-delivered-potent-new-backdoor-trojan-to-macos-users-r4026/</link><description><![CDATA[<div data-page="1">
	<div>
		<header>
			<h2 itemprop="description">
				Written from scratch, DazzleSpy is the latest advanced piece of Mac malware.
			</h2>
		</header>

		<section>
			<div itemprop="articleBody">
				<p>
					Researchers have uncovered advanced, never-before-seen macOS malware that was installed using exploits that were almost impossible for most users to detect or stop once the users landed on a malicious website.
				</p>

				<p>
					 
				</p>

				<p>
					The malware was a full-featured backdoor that was written from scratch, an indication that the developers behind it have significant resources and expertise. DazzleSpy, as researchers from security firm Eset have named it, provides an array of advanced capabilities that give the attackers the ability to fully monitor and control infected Macs. Features include:
				</p>

				<p>
					 
				</p>

				<ul>
					<li>
						victim device fingerprinting
					</li>
					<li>
						screen capture
					</li>
					<li>
						file download/upload
					</li>
					<li>
						execute terminal commands
					</li>
					<li>
						audio recording
					</li>
					<li>
						keylogging
					</li>
				</ul>

				<h2>
					Deep pockets, top-notch talent
				</h2>

				<p>
					Mac malware has become more common over the years, but the universe of advanced macOS backdoors remains considerably smaller than that of advanced backdoors for Windows. The sophistication of DazzleSpy—as well as the exploit chain used to install it—is impressive. It also doesn’t appear to have any corresponding counterpart for Windows. This has led Eset to say that the people who developed DazzleSpy are unusual.
				</p>

				<p>
					 
				</p>

				<p>
					“First, they seem to be targeting Macs only,” Eset researcher Marc-Etienne M.Léveillé wrote in an email. “We haven’t seen payloads for Windows nor clues that it would exist. Secondly, they have the resources to develop complex exploits and their own spying malware, which is quite significant.”
				</p>

				<p>
					Indeed, researchers from Google’s threat analysis group who <a href="https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/" rel="external nofollow">first uncovered the exploits</a> said that, based on their analysis of the malware, they “believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code.”
				</p>

				<p>
					 
				</p>

				<p>
					As the Google researchers first noted, the malware was spread in watering-hole attacks that used both fake and hacked sites appealing to pro-democracy activists in Hong Kong. The attacks exploited vulnerabilities that, when combined, gave the attackers the ability to remotely execute code of their choice within seconds of a victim visiting the booby-trapped webpage. All that was required for the exploit to work was for someone to visit the malicious site. No other user action was required, making this a one-click attack.
				</p>

				<p>
					 
				</p>

				<p>
					“That’s kind of the scary part: on an unpatched system the malware would start to run with administrative privileges without the victim noticing,” M.Léveillé said. “Traffic to the C&amp;C server is also encrypted using TLS.”
				</p>

				<p>
					 
				</p>

				<p>
					Apple has since patched the vulnerabilities exploited in this attack.
				</p>

				<p>
					 
				</p>

				<p>
					The exploit chain consisted of a code-execution vulnerability in WebKit, the browser engine for Apple Safari. Eset researchers analyzed one of the watering-hole sites, which was taken down but <a href="https://web.archive.org/web/20211113144158/http://www.fightforhk.com/" rel="external nofollow">remains cached</a> in the Internet Archive. The site contained a simple iframe tag that connected to a page at amnestyhk[.]org.
				</p>
			</div>
		</section>
	</div>

	<div>
		 
	</div>
</div>

<div>
	 
</div>

<div>
	<img alt="dazzle-spy-exploit-1-640x592.png" class="ipsImage" data-ratio="84.38" height="540" width="583" src="https://cdn.arstechnica.net/wp-content/uploads/2022/01/dazzle-spy-exploit-1-640x592.png">
</div>

<div data-page="2">
	<div>
		<section>
			<div itemprop="articleBody">
				<figure>
					<figcaption>
						<div>
							Eset
						</div>
					</figcaption>
				</figure>

				<h2>
					Macho Mach-O
				</h2>

				<p>
					The script on the malicious amnestyhk[.]org domain checks for the installed macOS version and redirects visitors to the next stage if their browsers are running on macOS 10.15.2 or newer. This next stage runs a series of JavaScript files that contain more than 1,000 lines of code. The extremely complex exploit gains the ability to read and write to Mac memory by first leaking the memory address of an object and then creating a fake JavaScript object from a specific memory object.
				</p>

				<p>
					 
				</p>

				<p>
					The result: the malware creates two arrays that overlap in memory, allowing it to set a pointer that references a memory location where a malicious <a href="https://en.wikipedia.org/wiki/Mach-O" rel="external nofollow">Mach-O executable</a> can be executed. Researcher Samuel Groß has more details <a href="http://www.phrack.org/issues/70/3.html#article" rel="external nofollow">here</a> and <a href="https://googleprojectzero.blogspot.com/2020/09/jitsploitation-one.html" rel="external nofollow">here</a>.
				</p>

				<p>
					 
				</p>

				<p>
					The Mach-O then exploits a second macOS vulnerability to run the remaining stage of the attack as root. This local privilege-escalation vulnerability, tracked as <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30869" rel="external nofollow">CVE-2021-30869</a>, is further described by researchers Xinru Chi and Tielei Wang <a href="https://github.com/wangtielei/Slides/blob/main/zer0con21.pdf" rel="external nofollow">here</a> and <a href="https://github.com/wangtielei/Slides/blob/main/mosec21.pdf" rel="external nofollow">here</a>.
				</p>

				<p>
					 
				</p>

				<p>
					The Eset researchers aren’t sure what the CVE designation is for the privilege-escalation vulnerability, but based on Google researchers’ findings, they believe it’s <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1789" rel="external nofollow">CVE-2021-1789</a>. In any event, Eset said the vulnerability no longer exists in current versions of macOS.
				</p>

				<p>
					 
				</p>

				<p>
					To recap, the Mach-O does the following:
				</p>

				<p>
					 
				</p>

				<ol>
					<li>
						Downloads a file from the URL supplied as an argument
					</li>
					<li>
						Decrypts this file using AES-128-ECB and TEA with a custom delta
					</li>
					<li>
						Writes the resulting file to $TMPDIR/airportpaird and makes it executable
					</li>
					<li>
						Uses the privilege escalation exploit to remove the com.apple.quarantine attribute from the file, to avoid asking the user to confirm the launch of the unsigned executable
					</li>
					<li>
						Uses the same privilege escalation to launch the next stage with root privileges
					</li>
				</ol>

				<p>
					 
				</p>

				<p>
					With DazzleSpy installed, Macs are now fully backdoored. The malware encrypts its communications with a control server and accepts at least 21 different commands, as documented in the following table:
				</p>

				<p>
					 
				</p>

				<p>
					Table 1. DazzleSpy C&amp;C commands
				</p>

				<p>
					 
				</p>

				<table border="1px solid black;" id="tablepress-1071">
					<thead>
						<tr>
							<th>
								Command name
							</th>
							<th>
								Purpose
							</th>
						</tr>
					</thead>
					<tbody>
						<tr>
							<td>
								heartbeat
							</td>
							<td>
								Sends heartbeat response.
							</td>
						</tr>
						<tr>
							<td>
								info
							</td>
							<td>
								Collects information about compromised computer, including:<br>
								• Hardware UUID and Mac serial number<br>
								• Username<br>
								• Information about disks and their sizes<br>
								• macOS version<br>
								• Current date and time<br>
								• Wi-Fi SSID<br>
								• IP addresses<br>
								• Malware binary path and MD5 hash of the main executable<br>
								• Malware version<br>
								• System Integrity Protection status<br>
								• Current privileges<br>
								• Whether it’s possible to use <a href="https://support.apple.com/en-us/HT209600" rel="external nofollow" target="_blank">CVE-2019-8526</a> to dump the keychain
							</td>
						</tr>
						<tr>
							<td>
								searchFile
							</td>
							<td>
								Searches for the specified file on the compromised computer.
							</td>
						</tr>
						<tr>
							<td>
								scanFiles
							</td>
							<td>
								Enumerates files in Desktop, Downloads, and Documents folders.
							</td>
						</tr>
						<tr>
							<td>
								cmd
							</td>
							<td>
								Executes the supplied shell command.
							</td>
						</tr>
						<tr>
							<td>
								restartCMD
							</td>
							<td>
								Restarts shell session.
							</td>
						</tr>
						<tr>
							<td>
								restart
							</td>
							<td>
								Depending on the supplied parameter: restarts C&amp;C command session, shell session or RDP session, or cleans possible malware traces (fsck_hfs.log file and application logs).
							</td>
						</tr>
						<tr>
							<td>
								processInfo
							</td>
							<td>
								Enumerates running processes.
							</td>
						</tr>
						<tr>
							<td>
								keychain
							</td>
							<td>
								Dumps the keychain using a CVE-2019-8526 exploit if the macOS version is lower than 10.14.4. The public <a href="https://github.com/LinusHenze/Keysteal" rel="external nofollow" target="_blank">KeySteal </a>implementation is used.
							</td>
						</tr>
						<tr>
							<td>
								downloadFileInfo
							</td>
							<td>
								Enumerates the supplied folder, or provides creation and modification timestamps and SHA-1 hash for a supplied filename.
							</td>
						</tr>
						<tr>
							<td>
								downloadFile
							</td>
							<td>
								Exfiltrates a file from the supplied path.
							</td>
						</tr>
						<tr>
							<td>
								file
							</td>
							<td>
								File operations: provides information, renames, removes, moves, or runs a file at the supplied path.
							</td>
						</tr>
						<tr>
							<td>
								uninstall
							</td>
							<td>
								Deletes itself from the compromised computer.
							</td>
						</tr>
						<tr>
							<td>
								RDPInfo
							</td>
							<td>
								Provides information about a remote screen session.
							</td>
						</tr>
						<tr>
							<td>
								RDP
							</td>
							<td>
								Starts or ends a remote screen session.
							</td>
						</tr>
						<tr>
							<td>
								mouseEvent
							</td>
							<td>
								Provides mouse events for a remote screen session.
							</td>
						</tr>
						<tr>
							<td>
								acceptFileInfo
							</td>
							<td>
								Prepares for file transfer (creates the folder at the supplied path, changes file attributes if it exists).
							</td>
						</tr>
						<tr>
							<td>
								acceptFile
							</td>
							<td>
								Writes the supplied file to disk. With additional parameters, updates itself or writes files required for exploiting the CVE-2019-8526 vulnerability.
							</td>
						</tr>
						<tr>
							<td>
								socks5
							</td>
							<td>
								Starts or ends SOCKS5 session (not implemented).
							</td>
						</tr>
						<tr>
							<td>
								recoveryInfo
							</td>
							<td rowspan="2">
								These seem like file recovery functions that involve scanning a partition. These functions do not seem to work and are probably still in development; they contain lots of hardcoded values.
							</td>
						</tr>
						<tr>
							<td>
								recovery
							</td>
						</tr>
					</tbody>
				</table>

				<p>
					 
				</p>

				<p>
					While advanced and potentially dangerous, there’s no evidence DazzleSpy is targeting anyone other than those visiting sites advocating for democracy in Hong Kong. That means readers should remember the chances of being infected are extremely low for everyone else.
				</p>

				<p>
					 
				</p>

				<p>
					Those with reason to think they’ve been infected with DazzleSpy can check a list of indicators in a <a href="https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/" rel="external nofollow">post Eset published on Tuesday</a> to see if they’ve been compromised.
				</p>
			</div>
		</section>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/information-technology/2022/01/booby-trapped-sites-delivered-potent-new-backdoor-trojan-to-macos-users/" rel="external nofollow">Booby-trapped sites delivered potent new backdoor trojan to macOS users</a>
</p>
]]></description><guid isPermaLink="false">4026</guid><pubDate>Wed, 26 Jan 2022 02:41:56 +0000</pubDate></item><item><title>Linux system service bug gives you root on every major distro</title><link>https://nsaneforums.com/news/security-privacy-news/linux-system-service-bug-gives-you-root-on-every-major-distro-r4022/</link><description><![CDATA[<p>
	A vulnerability in Polkit's pkexec component that is present in the default configuration of all major Linux distributions can be exploited to gain full root privileges on the system, researchers warn today.
</p>

<p>
	 
</p>

<p>
	Identified as CVE-2021-4034 and named PwnKit, the security issue has been tracked to the initial commit of pkexec, more than 12 years ago, meaning that all Polkit versions are affected.
</p>

<p>
	 
</p>

<p>
	Part of the Polkit open-source application framework that negotiates the interaction between privileged and unprivileged processes, pkexec allows an authorized user to execute commands as another user, doubling as an alternative to sudo.
</p>

<h3>
	Easy to exploit, PoC expected soon
</h3>

<p>
	Researchers at Qualys information security company found that the pkexec program could be used by local attackers to increase privileges to root on default installations of Ubuntu, Debian, Fedora, and CentOS.
</p>

<p>
	 
</p>

<p>
	They warn that PwnKit is likely exploitable on other Linux operating systems as well.
</p>

<p>
	 
</p>

<p>
	Bharat Jogi, Director of Vulnerability and Threat Research at Qualys, <a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034" rel="external nofollow">explains</a> that PwnKit is “a memory corruption vulnerability in Polkit’s, which allows any unprivileged user to gain full root privileges on a vulnerable system using default polkit configuration.”
</p>

<p>
	 
</p>

<p>
	The researcher notes that the issue has been hiding in plain sight since the first version of pkexec in May 2009. The video below demonstrates the exploitability of the bug:
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="autoplay; fullscreen; picture-in-picture" allowfullscreen="" frameborder="0" height="360" src="https://player.vimeo.com/video/669715589?h=3bf67eea45&amp;app_id=122963" title="PwnKit Vulnerability" width="640"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	Exploiting the flaw is so easy, the researchers say, that proof-of-concept (PoC) exploit code is expected to become public in just a few days. The Qualys Research Team will not release a PoC for PwnKit.
</p>

<p>
	 
</p>

<p>
	Qualys reported the security issue responsibly on November 18, 2021, and waited for a patch to become available before publishing the <a href="https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt" rel="external nofollow">technical details</a><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034" rel="external nofollow"> behind PwnKit</a>.
</p>

<p>
	 
</p>

<p>
	The company strongly recommends administrators prioritize applying the patches that Polkit’s authors <a href="https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683" rel="external nofollow">released on their GitLab</a> a couple of hours ago.
</p>

<p>
	 
</p>

<p>
	Linux distros had access to the patch a couple of weeks before today’s coordinated disclosure from Qualys and are expected to release updated pkexec packages starting today.
</p>

<p>
	 
</p>

<p>
	A temporary mitigation for operating systems that have yet to push a patch is to strip pkexec of the read/write rights with the following command:
</p>

<pre>chmod 0755 /usr/bin/pkexec</pre>

<p>
	Users that want to look for signs of PwnKit exploitation can do it by checking the logs for either “The value for the SHELL variable was not found the /etc/shells file” or “The value for environment variable […] contains suspicious content.” entries.
</p>

<p>
	 
</p>

<p>
	However, Qualys notes that exploiting PwnKit is possible without leaving a trace.
</p>
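<p>
	As an added example (not code from the article or from Qualys), the POSIX shell script below performs the two defender-side checks the paragraphs above describe: whether a pkexec binary still carries the setuid bit, which is what the chmod 0755 mitigation clears (pkexec ships as mode 4755), and whether a log file contains either of the two pkexec messages quoted above. The pkexec path, log path and log lines it uses are constructed for the example.
</p>

```shell
#!/bin/sh
# Added example (not code from the article or from Qualys): defender-side checks for
# the PwnKit mitigation and the log indicators described above. The paths and log
# lines used in the demo at the bottom are constructed for this example.

# Check 1: has the setuid bit been cleared on a pkexec binary?
# pkexec is normally installed mode 4755 (setuid root); "chmod 0755" drops the
# setuid bit, which is what the temporary mitigation relies on. The POSIX test
# -u is true when the setuid bit is set. Returns 0 if cleared, 1 if still set.
pkexec_setuid_cleared() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "ERROR: $path does not exist" >&2
        return 2
    fi
    if [ -u "$path" ]; then
        echo "WARN: $path still has the setuid bit set (mitigation not applied)"
        return 1
    fi
    echo "OK: $path has no setuid bit"
    return 0
}

# Check 2: count log lines carrying either pkexec message the article lists.
# Matching lines are echoed to stderr for the analyst; the count goes to stdout.
# Keep the article's caveat in mind: a clean log does not prove the host was not exploited.
pwnkit_log_hits() {
    logfile="$1"
    pattern='SHELL variable was not found|contains suspicious content'
    grep -E "$pattern" "$logfile" >&2 || true
    grep -cE "$pattern" "$logfile" || true   # grep -c exits 1 on zero matches
}

# Writes a small constructed log (not real data) to the given path: two pkexec
# indicator lines and one unrelated line, so both checks can be exercised.
# "[EXAMPLE_VAR]" stands in for the variable name pkexec would print.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 25 21:00:01 host pkexec[4242]: The value for the SHELL variable was not found the /etc/shells file
Jan 25 21:00:02 host pkexec[4243]: The value for environment variable [EXAMPLE_VAR] contains suspicious content
Jan 25 21:00:03 host sshd[100]: Accepted publickey for alice from 192.0.2.10
EOF
}

# Stand-alone demo in a temporary directory (does not touch the real /usr/bin/pkexec).
demo_dir=$(mktemp -d)
: > "$demo_dir/pkexec"
chmod 4755 "$demo_dir/pkexec"           # mimic the stock setuid install
pkexec_setuid_cleared "$demo_dir/pkexec" || true
chmod 0755 "$demo_dir/pkexec"           # the mitigation from the article
pkexec_setuid_cleared "$demo_dir/pkexec"
write_sample_log "$demo_dir/auth.log"
echo "indicator lines found: $(pwnkit_log_hits "$demo_dir/auth.log")"
rm -rf "$demo_dir"
```

On a real host the first check would be pointed at /usr/bin/pkexec and the second at the distribution's auth log (for example /var/log/auth.log or /var/log/secure).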

<p>
	 
</p>

<p>
	Last year, GitHub Security Lab researcher Kevin Backhouse discovered another <a href="https://www.bleepingcomputer.com/news/security/linux-system-service-bug-lets-you-get-root-on-most-modern-distros/" rel="external nofollow" target="_blank">old privilege escalation vulnerability affecting Polkit</a>.
</p>

<p>
	 
</p>

<p>
	The bug had been present for seven years, since version 0.113 of the component, and affected popular Linux distros including RHEL 8, Fedora 21 (or later), Ubuntu 20.04, and unstable versions of Debian ('bullseye') and its derivatives.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	 <a href="https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-you-root-on-every-major-distro/" rel="external nofollow">Linux system service bug gives you root on every major distro</a>
</p>
]]></description><guid isPermaLink="false">4022</guid><pubDate>Tue, 25 Jan 2022 21:22:37 +0000</pubDate></item><item><title>Google has killed off FLoC, introduces Topics for ad tracking instead</title><link>https://nsaneforums.com/news/security-privacy-news/google-has-killed-off-floc-introduces-topics-for-ad-tracking-instead-r4021/</link><description><![CDATA[<div itemprop="articleBody">
	<p>
		Back in 2021, <a href="https://www.neowin.net/news/heres-what-you-need-to-know-about-floc-googles-alternative-to-individual-tracking/" rel="external nofollow">Google announced Federated Learning of Cohorts (FLoC)</a>, an initiative under its Privacy Sandbox proposal, where <a href="https://www.neowin.net/news/google-says-it-will-stop-tracking-you-on-the-web-via-ads-next-year/" rel="external nofollow">your data could be sent to advertisers</a> for personalized experiences in a privacy-preserving manner. The proposal faced backlash from <a href="https://www.neowin.net/news/vivaldi-and-brave-web-browsers-come-out-against-googles-floc/" rel="external nofollow">Vivaldi, Brave</a>, <a href="https://www.neowin.net/news/wordpress-becomes-the-latest-company-to-oppose-googles-floc/" rel="external nofollow">WordPress</a>, and <a href="https://www.neowin.net/news/github-adds-http-header-to-block-googles-floc/" rel="external nofollow">Microsoft's GitHub</a>, among many others, leading <a href="https://www.neowin.net/news/google-delays-its-floc-efforts-to-move-at-a-responsible-pace/" rel="external nofollow">Google to delay its rollout in the same year</a>. Today, the company has announced that <a href="https://blog.google/products/chrome/get-know-new-topics-api-privacy-sandbox/" rel="external nofollow">it has officially killed off FLoC</a>, and will instead be shifting focus to "Topics".
	</p>

	<p>
		 
	</p>

	<p>
		Through Topics, your web browser will determine your top interests for the week based on your browsing activity. These interests will be stored locally on your device for a period of three weeks - after which they will be deleted - and will not be sent to any external server, even those belonging to Google. When you visit a website, only three topics belonging to you will be shared with the website and its ad partners. This will comprise one topic from each week and no more.
	</p>

	<p>
		 
	</p>

	<p>
		Google has emphasized that it is building controls in Chrome for users to remove certain topics or disable the capability completely. The company also noted that:
	</p>

	<p>
		 
	</p>

	<p style="margin-left: 40px;">
		More importantly, topics are thoughtfully curated to exclude sensitive categories, such as gender or race. Because Topics is powered by the browser, it provides you with a more recognizable way to see and control how your data is shared, compared to tracking mechanisms like third-party cookies. And, by providing websites with your topics of interest, online businesses have an option that doesn’t involve covert tracking techniques, like browser fingerprinting, in order to continue serving relevant ads.
	</p>

	<p>
		 
	</p>

	<p>
		You can <a href="https://privacysandbox.com/proposals/topics" rel="external nofollow">get an overview of the Topics API on Google's dedicated website here</a> and <a href="https://github.com/jkarlin/topics" rel="external nofollow">view the in-progress technical implementation on GitHub here</a>. A developer trial for Topics will be available in Chrome soon and future development on the API and its associated user controls will be based on that and upcoming feedback.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-has-killed-off-floc-introduces-topics-for-ad-tracking-instead/" rel="external nofollow">Google has killed off FLoC, introduces Topics for ad tracking instead</a>
</p>
]]></description><guid isPermaLink="false">4021</guid><pubDate>Tue, 25 Jan 2022 21:19:36 +0000</pubDate></item><item><title>Overbearing Google Drive flagging innocent files as copyright infringement</title><link>https://nsaneforums.com/news/security-privacy-news/overbearing-google-drive-flagging-innocent-files-as-copyright-infringement-r4019/</link><description><![CDATA[<p>
	If you’ve ever run into a problem with a Google product and then tried to get help from Google, you’ll know it’s next to impossible to speak to a real person, because so much of what the company does is automated, including its support. It now appears that the automation Google loves so much is flagging Google Drive files as copyright infringement for containing nothing more than a 1 or a 0.
</p>

<p>
	 
</p>

<p>
	The issue was first flagged by Dr. Emily Dolson, an Assistant Professor at Michigan State University, who reported that a file containing nothing but the number 1 had been flagged and restricted by Google for breaking Google Drive’s Copyright Infringement policy. Others who tried to reproduce the issue over on Ycombinator News also had their files flagged after about an hour.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" class="ipsEmbed_finishedLoading" data-controller="core.front.core.autosizeiframe" data-embedid="embed6413949901" scrolling="no" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/emilyldolson/status/1485434187968614411?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1485434187968614411%257Ctwgr%255E%257Ctwcon%255Es1_%26ref_url=https://www.neowin.net/news/overbearing-google-drive-flagging-innocent-files-as-copyright-infringement/" style="overflow: hidden; height: 628px;"></iframe>
</div>

<p>
	 
</p>

<p>
	Perhaps the most frustrating part of the flag raised by Google is that there’s a little note at the bottom of the warning stating that a ‘review cannot be requested for this restriction.’ While Dolson's issue got a response directly from Google Drive following much publicity, for everyone else, Google is essentially saying "suck it up", because it’s not going to address your issue.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" class="ipsEmbed_finishedLoading" data-controller="core.front.core.autosizeiframe" data-embedid="embed949026966" scrolling="no" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/googledrive/status/1485842524564606976?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1485842524564606976%257Ctwgr%255E%257Ctwcon%255Es1_%26ref_url=https://www.neowin.net/news/overbearing-google-drive-flagging-innocent-files-as-copyright-infringement/" style="overflow: hidden; height: 406px;"></iframe>
</div>

<p>
	 
</p>

<p>
	Google Drive eventually responded to the Tweet explaining that it’s now working on a fix. If you’ve had files restricted due to this issue, they should be unflagged soon. Hopefully, Google can also fix the fact that it’s basically impossible to talk to a real person at the company.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://news.ycombinator.com/item?id=30060405" rel="external nofollow">Ycombinator News</a> via <a href="https://torrentfreak.com/google-drive-flags-text-files-with-1-or-0-as-copyright-infringements-220125/" rel="external nofollow">TorrentFreak</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/overbearing-google-drive-flagging-innocent-files-as-copyright-infringement/" rel="external nofollow">Overbearing Google Drive flagging innocent files as copyright infringement</a>
</p>
]]></description><guid isPermaLink="false">4019</guid><pubDate>Tue, 25 Jan 2022 21:14:22 +0000</pubDate></item><item><title>Cracking a $2 million crypto wallet</title><link>https://nsaneforums.com/news/security-privacy-news/cracking-a-2-million-crypto-wallet-r4010/</link><description><![CDATA[<div>
	<div>
		<p>
			<strong>First, he forgot his PIN — then he started looking for hackers</strong>
		</p>
	</div>
</div>

<div>
	<main id="content" tabindex="-1">
		<div>
			<p>
				 
			</p>

			<p id="cDWu6J">
				In early 2018, Dan Reich and a friend decided to spend $50,000 in Bitcoin on a batch of Theta tokens, a new cryptocurrency then worth just 21 cents apiece. At first, they held the tokens with an exchange based in China, but within weeks, a broad crackdown on cryptocurrency by the Chinese government meant they would soon lose access to the exchange, so they had to transfer everything to a hardware wallet. Reich and his friend chose a Trezor One hardware wallet, set up a PIN, and then got busy with life and forgot about it.
			</p>

			<p>
				 
			</p>

			<p id="u4pzzb">
				By the end of that year, the token had sunk to less than a quarter of its value, come back up, and then crashed again. Reich decided he wanted to cash out, but his friend had lost the paper where he’d written the PIN and couldn’t remember the digits. They tried guessing what they thought was a four-digit PIN (it was actually five), but after each failed attempt, the wallet doubled the wait time before they could guess again. After 16 guesses, the <a href="https://wiki.trezor.io/Security:Threats" rel="external nofollow">data on the wallet would automatically erase</a>. When they reached a dozen tries, they stopped, afraid to go further.
			</p>

			<p>
				 
			</p>

			<p id="LRIj4H">
				Reich gave up and wrote off the money in his mind. He was willing to take the loss — until the price started to rise again.
			</p>

			<p>
				 
			</p>

			<p id="wK6TUX">
				From a low of around $12,000, the value of their tokens started to skyrocket. By the end of 2020, it would be worth more than $400,000, rising briefly to over $3 million. It would be hard to get into the wallet without the PIN — but it wasn’t impossible. And with potentially millions on the line, Reich and his friend vowed to find a way inside.
			</p>

			<p>
				 
			</p>

			<hr id="K045NU">
			<p>
				 
			</p>

			<p id="yPQ8rA">
				The only way to own cryptocurrency on the blockchain is to have sole possession of the private key that controls the funds, and managing those keys has been a challenge, sometimes a high-stakes one, from the beginning. You can’t sell or spend your currency without the key (or the string of words used to derive the key, also called the seed), but if anyone else gets hold of it, they can grab your coins in a single anonymous transaction from anywhere in the world. You can store your key in a software wallet on an exchange service’s server or in a software wallet on your own computer or mobile phone, but those are vulnerable to remote attack if anyone on the internet is able to get your key.
			</p>

			<p>
				 
			</p>

			<p id="SHhRie">
				Hardware wallets, the size of a USB stick, are meant to solve that problem, storing the key locally, off the internet, and signing transactions inside the secure wallet when you insert the device into a computer and enter the PIN. But if you forget the PIN and don’t have the key written down, you’re generally out of luck and can no longer access your currency on the blockchain.
			</p>

			<p>
				 
			</p>

			<p id="OmN6ug">
				This happens more often than you might think. The cryptocurrency data firm Chainalysis estimates that more than 3.7 million Bitcoins worth $66.5 billion are likely lost to owners. Currency can be lost for many reasons: the computer or phone storing a software wallet is stolen or crashes and the wallet is unrecoverable; the owner inadvertently throws their hardware wallet away; or the owner forgets their PIN or dies without passing it to family members.
			</p>

			<p>
				 
			</p>

			<p id="6ukQmt">
				As the value of their inaccessible tokens rapidly rose in 2020, Reich and his friend were desperate to crack their wallet. They searched online until they found a 2018 conference talk from three hardware experts who discovered a way to access the key in a Trezor wallet without knowing the PIN. The engineers declined to help them, but it gave Reich hope.
			</p>

			<p>
				 
			</p>

			<p id="5SgWaB">
				“We at least knew that it was possible and had some directional idea of how it could be done,” Reich says.
			</p>

			<p>
				 
			</p>

			<p id="jCvykw">
				Then they found a financier in Switzerland who claimed he had associates in France who could crack the wallet in a lab. But there was a catch: Reich couldn’t know their names or go to the lab. He’d have to hand off his wallet to the financier in Switzerland, who would take it to his French associates. It was a crazy idea with a lot of risks, but Reich and his friend were desperate.
			</p>

			<p>
				 
			</p>

			<p id="u2J5Hs">
				COVID and lockdowns slowed their plans in 2020, but in February 2021, with the value of their tokens now $2.5 million, Reich was making plans to fly to Europe, when suddenly they found a better option: a hardware hacker in the US named Joe Grand.
			</p>

			<p>
				 
			</p>

			<p id="Yyjomb">
				Grand is an <a href="http://www.grandideastudio.com/" rel="external nofollow">electrical engineer and inventor</a> who has been hacking hardware since he was 10. Known by the hacker handle “Kingpin,” he was part of the famed L0pht hacker collective that, in 1998, <a href="https://www.youtube.com/watch?v=VVJldn_MmMY" rel="external nofollow">testified to the US Senate</a> about a vulnerability that could be used to take down the internet or allow an intelligence agency to <a href="https://www.wired.com/2008/08/revealed-the-in/" rel="external nofollow">spy on traffic</a>. In 2008, he co-hosted the Discovery Channel’s “Prototype This” show and currently teaches hardware hacking to organizations and companies that design complex systems and want to understand how hackers can attack their products.
			</p>

			<p>
				 
			</p>

			<p id="7U6wEq">
				Reich, an electrical engineer himself who owns a software company, had a better ability than most to assess if Grand had the skills to pull off the hack. After a single conversation, he knew they’d found the right person. “I remember thinking, ‘Wow, this is perhaps one of the brightest electrical engineers I’ve ever met,’” he recalls.
			</p>

			<p>
				 
			</p>

			<p id="aqxAKV">
				Grand, who has a custom lab in his family’s Portland backyard, purchased several wallets identical to the one Reich and his friend owned and installed the same version of firmware on them. Then he spent three months doing research and attacking his practice wallets with various techniques. They agreed that Reich, who lives in New Jersey, wouldn’t fly out to Portland with his wallet until Grand had succeeded in cracking three practice wallets using the same technique.
			</p>

			<p>
				 
			</p>

			<p id="ReWpvG">
				“If he screwed something up, there was a good shot that it would never be able to be recovered,” says Reich.
			</p>

			<p>
				 
			</p>

			<p id="kJHX5y">
				Luckily for Grand, there was previous research to guide him. In 2017, a 15-year-old hardware hacker in the UK named Saleem Rashid had developed a method to successfully unlock a Trezor wallet belonging to tech journalist Mark Frauenfelder and helped him <a href="https://www.wired.com/story/i-forgot-my-pin-an-epic-tale-of-losing-dollar30000-in-bitcoin/" rel="external nofollow">free $30,000 in Bitcoin</a>.
			</p>

			<p>
				 
			</p>

			<p id="FgOvA7">
				Rashid found that when the Trezor wallet was turned on, it made a copy of the PIN and key that was stored in the wallet’s secured flash memory and placed the copy in RAM. A vulnerability in the wallet allowed him to put the wallet into firmware update mode and install his own unauthorized code on the device, which let him read the PIN and key where it was in RAM. But the installation of his code caused the PIN and key stored in long-term flash memory to erase, leaving only the copy in RAM. This made it a risky technique for Grand to use; if he inadvertently erased the RAM before he could read the data, the key would be unrecoverable.
			</p>

			<p>
				 
			</p>

			<p id="bWR3nZ">
				In any case, Trezor had altered its wallets since then so that the PIN and key that got copied to RAM during boot-up got erased from RAM when the device was put into firmware update mode.
			</p>

			<p>
				 
			</p>

			<p id="jA172U">
				So Grand looked instead to the method used in the <a href="https://www.youtube.com/watch?v=Y1OBIGslgGM" rel="external nofollow">2018 conference talk</a> that Reich had also examined previously. The researchers in this case found that despite Trezor removing the PIN and key that got copied to RAM during boot-up, the PIN and key were showing up in RAM during another stage. They found that at some point during the firmware update mode, the PIN and key were being temporarily moved to RAM, to prevent the new firmware from writing over them, then moved back to flash once the firmware was installed. So they devised a technique dubbed “wallet.fail.” This attack used a fault-injection method, also known as glitching, to undermine the security protecting the RAM and allow them to read the PIN and key while they were briefly in RAM.
			</p>

			<p>
				 
			</p>

			<p>
				<img alt="Screen_Shot_2022_01_24_at_2.53.21_PM.png" class="ipsImage" data-ratio="75.10" height="349" width="720" src="https://cdn.vox-cdn.com/thumbor/vQqFr3C363AsxquC-9oLwOdpNDU=/0x0:3360x1632/1920x0/filters:focal(0x0:3360x1632):format(webp):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/23191888/Screen_Shot_2022_01_24_at_2.53.21_PM.png">
			</p>

			<p>
				Grand’s setup for defeating the Trezor wallet <a href="https://www.youtube.com/watch?app=desktop&amp;v=dT9y-KQbqi4" target="_blank" rel="external nofollow">as seen in his video</a>, including a <a href="https://www.newae.com/chipwhisperer" target="_blank" rel="external nofollow">ChipWhisperer CW 1200</a>, <a href="https://www.crowdsupply.com/newae/phywhisperer-usb" target="_blank" rel="external nofollow">PhyWhisperer-USB</a>, and <a href="https://www.segger.com/products/debug-probes/j-link/" target="_blank" rel="external nofollow">J-Link debug probe</a>.
			</p>

			<p>
				 
			</p>

			<p id="kaH7AO">
				The microcontroller used in Trezor wallets offers three read-out protection (RDP) levels: RDP2, the most secure, which shuts off the debug port so the RAM cannot be read, and RDP1 and RDP0, which allow it. Trezor wallets are configured to use RDP2 to prevent someone from reading the RAM, among other things.
			</p>

			<p>
				 
			</p>

			<p id="17F3O8">
				But by doing a fault injection attack against the chip, briefly disturbing the voltage supplied to the microcontroller, the wallet.fail team found they could downgrade the security from RDP2 to RDP1. They could then force the wallet into firmware update mode, sending the PIN and key into RAM, and read them. It was similar to Rashid’s attack, except the fault injection got them access to RAM without needing a software exploit.
			</p>

			<p>
				 
			</p>

			<p>
				The technique was great for a research project but risky for Reich’s wallet. Because the PIN and key were moved to RAM during the firmware update and not just copied, there was only one version on the wallet during this period. Do something wrong, and Grand could inadvertently wipe the RAM, along with the key and PIN. As it was, each time he glitched his practice wallets, they froze.
			</p>

			<p>
				 
			</p>

			<p id="EqjgdY">
				But while trying to troubleshoot the problem, Grand stumbled on a better solution. He found that in the version of firmware installed on Reich’s wallet, the key and PIN still got copied to RAM when the device was powered on. If Grand glitched the device at the right moment, he could downgrade the security to RDP1 and read RAM. And because the key and PIN were merely copied to RAM at this point and not moved, unlike the wallet.fail scenario, this meant they still existed in flash if Grand inadvertently wiped the RAM. It was a much safer solution that elegantly borrowed from both prior attacks.
			</p>
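			<p>
				The search loop described above, as an added example for this page. It is not Joe Grand's script, and it drives a constructed software stand-in for the wallet rather than a ChipWhisperer: the stand-in has a hidden (offset, width) window in which a glitch sometimes drops the chip from RDP2 to RDP1, copies its secrets from "flash" into RAM on every power cycle, and stores them in a made-up record format marked with the bytes TRZR, which is not Trezor's real storage layout. The campaign logic (pick parameters, power-cycle, glitch, try to attach the debug probe, dump RAM on success) is the part that carries over to real hardware.
			</p>

```python
"""Model of the glitch parameter search described above.
Added example for this page: not Joe Grand's script, and the wallet is a constructed stand-in."""
import random
from dataclasses import dataclass, field

# Read-out protection levels of the STM32 as the article describes them: RDP2 blocks the
# debug port entirely, RDP1 lets a debugger read RAM but not flash, RDP0 protects nothing.
RDP0, RDP1, RDP2 = 0, 1, 2

MAGIC = b"TRZR"  # constructed marker for the secret record in RAM; not Trezor's real layout


class DebugLocked(Exception):
    """The debug probe cannot attach while RDP2 is in force."""


@dataclass
class SimulatedWallet:
    """Constructed target: a hidden glitch window and a boot-time copy of the secrets into RAM."""
    pin: str
    seed: bytes
    good_offsets: range             # reset-relative offsets (cycles) where a glitch can land
    good_widths: range              # pulse widths (ns) that corrupt the protection check
    hit_rate: float = 0.6           # even inside the window, fault injection is a coin toss
    rng: random.Random = field(default_factory=random.Random)
    rdp: int = RDP2
    ram: bytearray = field(default_factory=lambda: bytearray(1024))

    def power_cycle(self) -> None:
        """Reboot: RDP2 is back and the firmware copies PIN and seed from flash into RAM.
        Flash keeps its own copy, so a glitch that freezes the chip loses nothing."""
        self.rdp = RDP2
        self.ram[:] = bytes(len(self.ram))
        record = (MAGIC + bytes([len(self.pin)]) + self.pin.encode()
                  + len(self.seed).to_bytes(2, "big") + self.seed)
        self.ram[0x200:0x200 + len(record)] = record

    def glitch(self, offset: int, width: int) -> None:
        """One voltage glitch; inside the window it sometimes downgrades RDP2 to RDP1."""
        in_window = offset in self.good_offsets and width in self.good_widths
        if in_window and self.hit_rate > self.rng.random():
            self.rdp = RDP1

    def read_ram(self) -> bytes:
        """Attach the debug probe and dump RAM; only possible below RDP2."""
        if self.rdp == RDP2:
            raise DebugLocked
        return bytes(self.ram)


def ram_readable(target) -> bool:
    """Probe check used after every glitch: did the protection drop?"""
    try:
        target.read_ram()
        return True
    except DebugLocked:
        return False


def glitch_campaign(target, offsets, widths, max_tries, rng):
    """Sweep (offset, width) pairs, one power cycle per attempt, until RAM can be read."""
    for attempt in range(1, max_tries + 1):
        offset, width = rng.choice(offsets), rng.choice(widths)
        target.power_cycle()
        target.glitch(offset, width)
        if ram_readable(target):
            return {"attempt": attempt, "offset": offset, "width": width, "ram": target.read_ram()}
    return None


def extract_secrets(ram: bytes):
    """Locate the constructed record in the dump and pull out PIN and seed."""
    i = ram.find(MAGIC)
    if i == -1:
        return None
    i += len(MAGIC)
    pin_len = ram[i]
    pin = ram[i + 1:i + 1 + pin_len].decode()
    i += 1 + pin_len
    seed_len = int.from_bytes(ram[i:i + 2], "big")
    seed = ram[i + 2:i + 2 + seed_len]
    return pin, seed


def recover(rng_seed=7, max_tries=20000):
    """Run the campaign against a constructed wallet; returns (attempts, (pin, seed)) or None."""
    rng = random.Random(rng_seed)
    wallet = SimulatedWallet(pin="12345", seed=b"constructed-seed-words",
                             good_offsets=range(900, 980), good_widths=range(120, 150), rng=rng)
    hit = glitch_campaign(wallet, list(range(0, 2000, 20)), list(range(10, 200, 10)), max_tries, rng)
    if hit is None:
        return None
    print("Hack the planet!")  # the article's success cue
    return hit["attempt"], extract_secrets(hit["ram"])
```

Because every attempt starts with a power cycle, a glitch that freezes the device costs only time: the flash copy is untouched and the secrets are copied into RAM again at the next boot. That is the property that made the boot-time attack safer than glitching during a firmware update, where the single moved copy sits in RAM with nothing behind it. On real hardware the window is far narrower than in this stand-in, which is why the real run needed thousands of attempts and several hours.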

			<p>
				 
			</p>

			<p id="RzuEpq">
				The only problem was the glitching required thousands of tries — powering up the wallet repeatedly and using different parameters to affect the voltage to the microcontroller each time, in an attempt to hit the exact moment that would let him downgrade the microcontroller’s security. It took three to four hours using an automated script, and there was no guarantee it would work on Reich’s wallet, even if it worked on the practice wallets. Reich likened the excruciating wait to sitting through a stakeout.
			</p>

			<p>
				 
			</p>

			<p id="6OScQV">
				Grand designed his program so that if and when the glitch worked, his computer would call out: “Hack the planet!” — a nod to the 1995 film Hackers. When the time came to do the hack for real last May, Reich flew to Portland for two days. They spent the first day getting everything set up — they <a href="https://m.youtube.com/watch?v=dT9y-KQbqi4" rel="external nofollow">filmed the hack with a professional crew</a> — and the next day, Grand launched his script.
			</p>

			<p>
				 
			</p>

			<p id="VxK4G3">
				Then they waited. And waited some more. Then they ate pizza and waited some more.
			</p>

			<p>
				 
			</p>

			<p id="hFAg1P">
				After nearly three and a half hours, the computer finally called out: “Hack the planet!” On Grand’s screen, he could see the key and five-digit PIN. Reich and his friend were now $2 million richer.
			</p>

			<p>
				 
			</p>

			<p id="t4PxUG">
				He immediately moved the Theta tokens out of their account and sent a percentage of the booty to Grand for his services.
			</p>

			<p>
				 
			</p>

			<p id="n2rJLn">
				It was a thrilling moment for Grand — and not just because of the money that was at stake. “It kind of reinvigorated me… and helped me decide what I should be doing with my skills,” he says.
			</p>

			<p>
				 
			</p>

			<p id="1lUmUo">
				Since last May, he’s been speaking with others who lost access to their funds, with the hope of helping more people crack their wallets. This includes James Howells in Wales, who <a href="https://www.newyorker.com/magazine/2021/12/13/half-a-billion-in-bitcoin-lost-in-the-dump" rel="external nofollow">inadvertently threw his hardware wallet in the trash</a> in 2013 and lost access to Bitcoin now worth half a billion dollars. He’s been trying for years to convince his local council to let him dig through the dump. The city tracks where residential trash is buried and told him there’s a good chance they could locate the area where his wallet might be but have so far refused his request.
			</p>

			<p>
				 
			</p>

			<p id="le7RMx">
				Grand has also been speaking with someone whose wallet is on a broken phone, which would require forensic repair techniques, and with a couple who lost the password to a software wallet stored on their computer.
			</p>

			<p>
				 
			</p>

			<p id="MyzO1U">
				But Grand doesn’t want to just crack wallets — he also wants to help make them more secure. He plans to report vulnerabilities he finds to the vendor when they’re patchable, so they can’t be exploited by criminals or others who might seize an owner’s wallet. Does this mean he’ll run out of vulnerabilities to hack at some point?
			</p>

			<p>
				 
			</p>

			<p id="YYqeHl">
				Grand doesn’t think so. There will always be people with older unpatched versions of firmware on their wallets — like Reich — and he’s confident newer devices will still be vulnerable in different ways even if they’re patched.
			</p>

			<p>
				 
			</p>

			<p id="3PjPT9">
				“It depends on the design, but with enough time and effort and resources, anything is hackable,” he notes.
			</p>

			<p>
				 
			</p>

			<p id="4Etj76">
				Trezor already fixed part of the problem Grand exploited in later versions of its firmware. The wallets no longer copy or move the key and PIN into RAM at all. Pavol Rusnak, co-founder and CTO of SatoshiLabs, which makes Trezor wallets, said it now stores them in a protected part of flash that isn’t affected during firmware upgrades.
			</p>

			<p>
				 
			</p>

			<p id="hs4tKL">
				But a core issue with the chip that allows fault injection still exists and can only be fixed by the chip maker — which the maker has declined to do — or by using a more secure chip. Rusnak says his team explored the latter, but more secure chips generally require vendors to sign an NDA, something his team opposes. Trezor uses open-source software for transparency, and when Rusnak’s team discovered a flaw in one secure chip they considered using, the chip maker invoked the NDA to prevent them from talking about it.
			</p>

			<p>
				 
			</p>

			<p id="OukR3d">
				This means Trezor wallets may continue to be vulnerable to other hacking techniques. Grand is already working on one new method for hacking the STM32 microcontroller used in the wallets. It will work even on wallets with the newest, more protected firmware. He says he won’t release the details publicly, however, because the ramifications go beyond wallets.
			</p>

			<p>
				 
			</p>

			<p id="raKkW9">
				“The STM32 is used in billions of devices around the world,” he says, and the issue he found can’t be patched. “Which is both awesome and scary.”
			</p>
		</div>
	</main>
</div>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/2022/1/24/22898712/crypto-hardware-wallet-hacking-lost-bitcoin-ethereum-nft" rel="external nofollow">Cracking a $2 million crypto wallet</a>
</p>
]]></description><guid isPermaLink="false">4010</guid><pubDate>Mon, 24 Jan 2022 22:45:41 +0000</pubDate></item><item><title>Over 90 WordPress themes, plugins backdoored in supply chain attack</title><link>https://nsaneforums.com/news/security-privacy-news/over-90-wordpress-themes-plugins-backdoored-in-supply-chain-attack-r3989/</link><description><![CDATA[<p>
	A massive supply chain attack compromised 93 WordPress themes and plugins to contain a backdoor, giving threat-actors full access to websites.
</p>

<p>
	 
</p>

<p>
	In total, threat actors compromised 40 themes and 53 plugins belonging to AccessPress, a developer of WordPress add-ons used in over 360,000 active websites.
</p>

<p>
	 
</p>

<p>
	The attack was discovered by researchers at Jetpack, the creators of a security and optimization tool for WordPress sites, who found that a PHP backdoor had been added to the themes and plugins.
</p>

<p>
	 
</p>

<p>
	Jetpack believes an external threat actor breached the AccessPress website to compromise the software and infect further WordPress sites.
</p>

<h2>
	A backdoor to give complete control
</h2>

<p>
	The compromised AccessPress products shipped with an extra “initial.php” file in the main theme directory, pulled in by the theme’s main “functions.php” file, so the backdoor ran as soon as an admin installed the product on their site.
</p>

<p>
	 
</p>

<p>
	This file contained a base64 encoded payload that writes a webshell into the “./wp-includes/vars.php” file.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="backdoor.png" class="ipsImage" data-ratio="75.10" height="540" width="608" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/backdoor.png">
		</p>

		<figcaption>
			Encoded payload writing the webshell<br>
			Source: Sucuri
		</figcaption>
	</figure>
</div>

<p>
	The malicious code completed the backdoor installation by decoding the payload and injecting it into the “vars.php” file, essentially giving the threat actors remote control over the infected site.
</p>

<p>
	 
</p>

<p>
	Because the dropper deletes its own “initial.php” file after running, the most reliable way to detect the infection is core file integrity monitoring, which will show the unexpected change to “vars.php”.
</p>

<p>
	 
</p>

<p>
	According to <a href="https://blog.sucuri.net/2022/01/accesspress-themes-hit-with-targeted-supply-chain-attack.html" rel="external nofollow" target="_blank">Sucuri</a> researchers, who investigated the case to figure out the actors’ goal, the threat actors used the backdoor to redirect visitors to malware-dropping and scam sites, so the campaign wasn’t very sophisticated.
</p>

<p>
	 
</p>

<p>
	It’s also possible that the actor used this malware to sell access to backdoored websites on the dark web, which would be an effective way to monetize such a large-scale infection.
</p>

<h2>
	Am I affected?
</h2>

<p>
	If you have installed one of the compromised plugins or themes on your site, removing/replacing/updating them won’t uproot any webshells that may have been planted through it.
</p>

<p>
	 
</p>

<p>
	As such, website administrators are advised to scan their sites for signs of compromise by doing the following:
</p>

<p>
	 
</p>

<ul>
	<li>
		Check your wp-includes/vars.php file around lines 146-158. If you see a “wp_is_mobile_fix” function there with some obfuscated code, you’ve been compromised.
	</li>
	<li>
		Query your file system for “wp_is_mobile_fix” or “wp-theme-connect” to see if there are any affected files
	</li>
	<li>
		Replace your core WordPress files with fresh copies.
	</li>
	<li>
		Upgrade the affected plugins and switch to a different theme.
	</li>
	<li>
		Change the wp-admin and database passwords.
	</li>
</ul>

<p>
	 
</p>

<p>
	Jetpack has provided the following YARA rule that can be used to check if a site has been infected and detect both the dropper and the installed webshell.
</p>

<pre style="margin-left: 40px;">rule accesspress_backdoor_infection
{
strings:
 
   // IoC's for the dropper
   $inject0 = "$fc = str_replace('function wp_is_mobile()',"
   $inject1 = "$b64($b) . 'function wp_is_mobile()',"
   $inject2 = "$fc);"
   $inject3 = "@file_put_contents($f, $fc);"
 
   // IoC's for the dumped payload
   $payload0 = "function wp_is_mobile_fix()"
   $payload1 = "$is_wp_mobile = ($_SERVER['HTTP_USER_AGENT'] == 'wp_is_mobile');"
   $payload2 = "$g = $_COOKIE;"
   $payload3 = "(count($g) == 8 &amp;&amp; $is_wp_mobile) ?"
 
   $url0 = /https?:\/\/(www\.)?wp\-theme\-connect\.com(\/images\/wp\-theme\.jpg)?/
 
condition:
 
   all of ( $inject* )
   or all of ( $payload* )
   or $url0
}</pre>
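<p>
	An offline scanner that applies the checklist above and the same indicator strings as the YARA rule, as an added example for this page; it is not Jetpack's or Sucuri's tooling. It looks at wp-includes/vars.php for “wp_is_mobile_fix” (checklist step 1), walks every PHP file for the dropper strings, the webshell strings and the wp-theme-connect URL (step 2), and builds a tiny constructed WordPress-like tree in a temp directory so it can be run without a real site. The sample infected files are assembled only from the indicator strings and contain no working backdoor.
</p>

```python
"""Offline scan for the AccessPress backdoor indicators listed above.
Added example for this page, not Jetpack's or Sucuri's tooling; markers come from the YARA rule."""
import re
import tempfile
from pathlib import Path

# Dropper strings (the initial.php stage that patches wp-includes/vars.php).
DROPPER_MARKERS = (
    "$fc = str_replace('function wp_is_mobile()',",
    "$b64($b) . 'function wp_is_mobile()',",
    "$fc);",
    "@file_put_contents($f, $fc);",
)
# Webshell strings (what the dropper leaves in front of wp_is_mobile()).
PAYLOAD_MARKERS = (
    "function wp_is_mobile_fix()",
    "$is_wp_mobile = ($_SERVER['HTTP_USER_AGENT'] == 'wp_is_mobile');",
    "$g = $_COOKIE;",
    "(count($g) == 8 && $is_wp_mobile) ?",
)
C2_URL = re.compile(r"https?://(www\.)?wp-theme-connect\.com(/images/wp-theme\.jpg)?")


def classify(text):
    """Same logic as the YARA condition: all dropper strings, or all payload strings, or the URL."""
    hits = []
    if all(m in text for m in DROPPER_MARKERS):
        hits.append("dropper")
    if all(m in text for m in PAYLOAD_MARKERS):
        hits.append("webshell")
    if C2_URL.search(text):
        hits.append("c2-url")
    return hits


def vars_php_patched(root):
    """Checklist step 1: is wp_is_mobile_fix present in wp-includes/vars.php?"""
    path = Path(root) / "wp-includes" / "vars.php"
    return path.is_file() and "wp_is_mobile_fix" in path.read_text(errors="replace")


def scan_site(root):
    """Checklist step 2 over every PHP file: map relative path to the indicator classes found."""
    root = Path(root)
    found = {}
    for path in root.rglob("*.php"):
        hits = classify(path.read_text(errors="replace"))
        if hits:
            found[path.relative_to(root).as_posix()] = hits
    return found


# Constructed sample files (PHP open tag omitted; these are indicator fragments, not real code).
CLEAN_VARS = "function wp_is_mobile() {\n    return false;\n}\n"
INFECTED_VARS = CLEAN_VARS.replace(
    "function wp_is_mobile()",
    "function wp_is_mobile_fix() {\n"
    "    $is_wp_mobile = ($_SERVER['HTTP_USER_AGENT'] == 'wp_is_mobile');\n"
    "    $g = $_COOKIE;\n"
    "    return (count($g) == 8 && $is_wp_mobile) ? 'x' : 'y';\n"
    "}\nfunction wp_is_mobile()",
)
DROPPER = (
    "$f = ABSPATH . 'wp-includes/vars.php';\n$fc = file_get_contents($f);\n"
    "$fc = str_replace('function wp_is_mobile()',\n"
    "    $b64($b) . 'function wp_is_mobile()',\n    $fc);\n"
    "@file_put_contents($f, $fc);\n"
    "// https://wp-theme-connect.com/images/wp-theme.jpg\n"
)


def build_sample_site(infected):
    """Write a tiny WordPress-like tree to a temp dir and return its root."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-includes").mkdir()
    theme = root / "wp-content" / "themes" / "accesspress-demo"
    theme.mkdir(parents=True)
    (root / "wp-includes" / "vars.php").write_text(INFECTED_VARS if infected else CLEAN_VARS)
    (theme / "functions.php").write_text("// theme code\n")
    if infected:
        (theme / "initial.php").write_text(DROPPER)
    return root
```

On a real site the dropper file will usually already be gone, so expect the webshell hit in vars.php without a matching dropper hit; run the scan before replacing core files, since a fresh copy of vars.php removes the evidence along with the shell.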

<h2>
	Backdoors detected in September
</h2>

<p>
	Jetpack first detected the backdoor in September 2021, and soon after, the researchers discovered that threat actors had compromised all free plugins and themes belonging to the vendor.
</p>

<p>
	 
</p>

<p>
	Jetpack believes that the paid AccessPress add-ons were likely compromised but didn’t test those, so this cannot be confirmed.
</p>

<p>
	 
</p>

<p>
	Judging from file timestamps, most of the products were compromised in early September.
</p>

<p>
	 
</p>

<p>
	On October 15, 2021, the vendor removed the extensions from the official download portal until the point of the compromise was located and fixed.
</p>

<p>
	 
</p>

<p>
	On January 17, 2022, AccessPress released new, “cleaned” versions for all the affected plugins.
</p>

<p>
	 
</p>

<p>
	However, the affected themes haven’t been cleaned yet, so migrating to a different theme is the only way to mitigate the security risks.
</p>

<p>
	 
</p>

<p>
	Users of AccessPress plugins and themes can read <a href="https://jetpack.com/2022/01/18/backdoor-found-in-themes-and-plugins-from-accesspress-themes/" rel="external nofollow" target="_blank">Jetpack’s post</a> for a complete list of the fixed products.
</p>

<p>
	 
</p>

<p>
	BleepingComputer attempted to contact AccessPress about the compromise, but the contact form is not working.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/over-90-wordpress-themes-plugins-backdoored-in-supply-chain-attack/" rel="external nofollow">Over 90 WordPress themes, plugins backdoored in supply chain attack</a>
</p>
]]></description><guid isPermaLink="false">3989</guid><pubDate>Fri, 21 Jan 2022 21:20:59 +0000</pubDate></item></channel></rss>
