Security

thousands-of-linux-systems-infected-by-stealthy-malware-since-2021

Thousands of Linux systems infected by stealthy malware since 2021

Biz & IT, exploits, Linux, malware, Security, vulnerabilities / /

The ability to remain installed and undetected makes Perfctl hard to fight.

Real Java Script code developing screen. Programing workflow abstract algorithm concept. Closeup of Java Script and HTML code.

Thousands of machines running Linux have been infected by a malware strain that’s notable for its stealth, the number of misconfigurations it can exploit, and the breadth of malicious activities it can perform, researchers reported Thursday.

The malware has been circulating since at least 2021. It gets installed by exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the Internet potential targets, researchers from Aqua Security said. It can also exploit CVE-2023-33246, a vulnerability with a severity rating of 10 out of 10 that was patched last year in Apache RocketMQ, a messaging and streaming platform that’s found on many Linux machines.

Perfctl storm

The researchers are calling the malware Perfctl, the name of a malicious component that surreptitiously mines cryptocurrency. The unknown developers of the malware gave the process a name that combines the perf Linux monitoring tool and ctl, an abbreviation commonly used with command line tools. A signature characteristic of Perfctl is its use of process and file names that are identical or similar to those commonly found in Linux environments. The naming convention is one of the many ways the malware attempts to escape notice of infected users.

Perfctl further cloaks itself using a host of other tricks. One is that it installs many of its components as rootkits, a special class of malware that hides its presence from the operating system and administrative tools. Other stealth mechanisms include:

  • Stopping activities that are easy to detect when a new user logs in
  • Using a Unix socket over TOR for external communications
  • Deleting its installation binary after execution and running as a background service thereafter
  • Manipulating the Linux process pcap_loop through a technique known as hooking to prevent admin tools from recording the malicious traffic
  • Suppressing mesg errors to avoid any visible warnings during execution.

The malware is designed to ensure persistence, meaning the ability to remain on the infected machine after reboots or attempts to delete core components. Two such techniques are (1) modifying the ~/.profile script, which sets up the environment during user login so the malware loads ahead of legitimate workloads expected to run on the server and (2) copying itself from memory to multiple disk locations. The hooking of pcap_loop can also provide persistence by allowing malicious activities to continue even after primary payloads are detected and removed.

Besides using the machine resources to mine cryptocurrency, Perfctl also turns the machine into a profit-making proxy that paying customers use to relay their Internet traffic. Aqua Security researchers have also observed the malware serving as a backdoor to install other families of malware.

Assaf Morag, Aqua Security’s threat intelligence director, wrote in an email:

Perfctl malware stands out as a significant threat due to its design, which enables it to evade detection while maintaining persistence on infected systems. This combination poses a challenge for defenders and indeed the malware has been linked to a growing number of reports and discussions across various forums, highlighting the distress and frustration of users who find themselves infected.

Perfctl uses a rootkit and changes some of the system utilities to hide the activity of the cryptominer and proxy-jacking software. It blends seamlessly into its environment with seemingly legitimate names. Additionally, Perfctl’s architecture enables it to perform a range of malicious activities, from data exfiltration to the deployment of additional payloads. Its versatility means that it can be leveraged for various malicious purposes, making it particularly dangerous for organizations and individuals alike.

“The malware always manages to restart”

While Perfctl and some of the malware it installs are detected by some antivirus software, Aqua Security researchers were unable to find any research reports on the malware. They were, however, able to find a wealth of threads on developer-related sites that discussed infections consistent with it.

This Reddit comment posted to the CentOS subreddit is typical. An admin noticed that two servers were infected with a cryptocurrency hijacker with the names perfcc and perfctl. The admin wanted help investigating the cause.

“I only became aware of the malware because my monitoring setup alerted me to 100% CPU utilization,” the admin wrote in the April 2023 post. “However, the process would stop immediately when I logged in via SSH or console. As soon as I logged out, the malware would resume running within a few seconds or minutes.” The admin continued:

I have attempted to remove the malware by following the steps outlined in other forums, but to no avail. The malware always manages to restart once I log out. I have also searched the entire system for the string “perfcc” and found the files listed below. However, removing them did not resolve the issue. as it keep respawn on each time rebooted.

Other discussions include: Reddit, Stack Overflow (Spanish), forobeta (Spanish),  brainycp (Russian), natnetwork (Indonesian), Proxmox (Deutsch), Camel2243 (Chinese), svrforum (Korean), exabytes, virtualmin, serverfault and many others.

After exploiting a vulnerability or misconfiguration, the exploit code downloads the main payload from a server, which, in most cases, has been hacked by the attacker and converted into a channel for distributing the malware anonymously. An attack that targeted the researchers’ honeypot named the payload httpd. Once executed, the file copies itself from memory to a new location in the /tmp directory, runs it, and then terminates the original process and deletes the downloaded binary.

Once moved to the /tmp directory, the file executes under a different name, which mimics the name of a known Linux process. The file hosted on the honeypot was named sh. From there, the file establishes a local command-and-control process and attempts to gain root system rights by exploiting CVE-2021-4043, a privilege-escalation vulnerability that was patched in 2021 in Gpac, a widely used open source multimedia framework.

The malware goes on to copy itself from memory to a handful of other disk locations, once again using names that appear as routine system files. The malware then drops a rootkit, a host of popular Linux utilities that have been modified to serve as rootkits, and the miner. In some cases, the malware also installs software for “proxy-jacking,” the term for surreptitiously routing traffic through the infected machine so the true origin of the data isn’t revealed.

The researchers continued:

As part of its command-and-control operation, the malware opens a Unix socket, creates two directories under the /tmp directory, and stores data there that influences its operation. This data includes host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information. Additionally, the malware uses environment variables to store data that further affects its execution and behavior.

All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts. The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system.

The diagram below captures the attack flow:

Credit: Aqua Security

Credit: Aqua Security

The following image captures some of the names given to the malicious files that are installed:

Credit: Aqua Security

Credit: Aqua Security

By extrapolating data such as the number of Linux servers connected to the Internet across various services and applications, as tracked by services such as Shodan and Censys, the researchers estimate that the number of machines infected by Perfctl is measured in the thousands. They say that the pool of vulnerable machines—meaning those that have yet to install the patch for CVE-2023-33246 or contain a vulnerable misconfiguration—is in the millions. The researchers have yet to measure the amount of cryptocurrency the malicious miners have generated.

People who want to determine if their device has been targeted or infected by Perfctl should look for indicators of compromise included in Thursday’s post. They should also be on the lookout for unusual spikes in CPU usage or sudden system slowdowns, particularly if they occur during idle times. To prevent infections, it’s important that the patch for CVE-2023-33246 be installed and that the the misconfigurations identified by Aqua Security be fixed. Thursday’s report provides other steps for preventing infections.

Photo of Dan Goodin

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at @dangoodin on Mastodon. Contact him on Signal at DanArs.82.

Thousands of Linux systems infected by stealthy malware since 2021 Read More »

attackers-exploit-critical-zimbra-vulnerability-using-cc’d-email-addresses

Attackers exploit critical Zimbra vulnerability using cc’d email addresses

Biz & IT, email, Security, vulnerabilities, webshells, Zimbra / /

Attackers are actively exploiting a critical vulnerability in mail servers sold by Zimbra in an attempt to remotely execute malicious commands that install a backdoor, researchers warn.

The vulnerability, tracked as CVE-2024-45519, resides in the Zimbra email and collaboration server used by medium and large organizations. When an admin manually changes default settings to enable the postjournal service, attackers can execute commands by sending maliciously formed emails to an address hosted on the server. Zimbra recently patched the vulnerability. All Zimbra users should install it or, at a minimum, ensure that postjournal is disabled.

Easy, yes, but reliable?

On Tuesday, Security researcher Ivan Kwiatkowski first reported the in-the-wild attacks, which he described as “mass exploitation.” He said the malicious emails were sent by the IP address 79.124.49[.]86 and, when successful, attempted to run a file hosted there using the tool known as curl. Researchers from security firm Proofpoint took to social media later that day to confirm the report.

On Wednesday, security researchers provided additional details that suggested the damage from ongoing exploitation was likely to be contained. As already noted, they said, a default setting must be changed, likely lowering the number of servers that are vulnerable.

Security researcher Ron Bowes went on to report that the “payload doesn’t actually do anything—it downloads a file (to stdout) but doesn’t do anything with it.” He said that in the span of about an hour earlier Wednesday a honey pot server he operated to observe ongoing threats received roughly 500 requests. He also reported that the payload isn’t delivered through emails directly, but rather through a direct connection to the malicious server through SMTP, short for the Simple Mail Transfer Protocol.

“That’s all we’ve seen (so far), it doesn’t really seem like a serious attack,” Bowes wrote. “I’ll keep an eye on it, and see if they try anything else!”

In an email sent Wednesday afternoon, Proofpoint researcher Greg Lesnewich seemed to largely concur that the attacks weren’t likely to lead to mass infections that could install ransomware or espionage malware. The researcher provided the following details:

  • While the exploitation attempts we have observed were indiscriminate in targeting, we haven’t seen a large volume of exploitation attempts
  • Based on what we have researched and observed, exploitation of this vulnerability is very easy, but we do not have any information about how reliable the exploitation is
  • Exploitation has remained about the same since we first spotted it on Sept. 28th
  • There is a PoC available, and the exploit attempts appear opportunistic
  • Exploitation is geographically diverse and appears indiscriminate
  • The fact that the attacker is using the same server to send the exploit emails and host second-stage payloads indicates the actor does not have a distributed set of infrastructure to send exploit emails and handle infections after successful exploitation. We would expect the email server and payload servers to be different entities in a more mature operation.
  • Defenders protecting  Zimbra appliances should look out for odd CC or To addresses that look malformed or contain suspicious strings, as well as logs from the Zimbra server indicating outbound connections to remote IP addresses.

Proofpoint has explained that some of the malicious emails used multiple email addresses that, when pasted into the CC field, attempted to install a webshell-based backdoor on vulnerable Zimbra servers. The full cc list was wrapped as a single string and encoded using the base64 algorithm. When combined and converted back into plaintext, they created a webshell at the path: /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp.

Attackers exploit critical Zimbra vulnerability using cc’d email addresses Read More »

crook-made-millions-by-breaking-into-execs’-office365-inboxes,-feds-say

Crook made millions by breaking into execs’ Office365 inboxes, feds say

Biz & IT, insider trading, password resets, passwords, Security / /

WHAT IS THE NAME OF YOUR FIRST PET? —

Email accounts inside 5 US companies unlawfully breached through password resets.

Crook made millions by breaking into execs’ Office365 inboxes, feds say

Getty Images

Federal prosecutors have charged a man for an alleged “hack-to-trade” scheme that earned him millions of dollars by breaking into the Office365 accounts of executives at publicly traded companies and obtaining quarterly financial reports before they were released publicly.

The action, taken by the office of the US Attorney for the district of New Jersey, accuses UK national Robert B. Westbrook of earning roughly $3.75 million in 2019 and 2020 from stock trades that capitalized on the illicitly obtained information. After accessing it, prosecutors said, he executed stock trades. The advance notice allowed him to act and profit on the information before the general public could. The US Securities and Exchange Commission filed a separate civil suit against Westbrook seeking an order that he pay civil penalties and return all ill-gotten gains.

Buy low, sell high

“The SEC is engaged in ongoing efforts to protect markets and investors from the consequences of cyber fraud,” Jorge G. Tenreiro, acting chief of the SEC’s Crypto Assets and Cyber Unit, said in a statement. “As this case demonstrates, even though Westbrook took multiple steps to conceal his identity—including using anonymous email accounts, VPN services, and utilizing bitcoin—the Commission’s advanced data analytics, crypto asset tracing, and technology can uncover fraud even in cases involving sophisticated international hacking.”

A federal indictment filed in US District Court for the District of New Jersey said that Westbrook broke into the email accounts of executives from five publicly traded companies in the US. He pulled off the breaches by abusing the password reset mechanism Microsoft offered for Office365 accounts. In some cases, Westbrook allegedly went on to create forwarding rules that automatically sent all incoming emails to an email address he controlled.

Prosecutors alleged in one such incident:

On or about January 26, 2019, WESTBROOK gained unauthorized access to the Office365 email account of Company-1 ‘s Director of Finance and Accounting (“Individual-!”) through an unauthorized password reset. During the intrusion, an auto-forwarding rule was implemented, which was designed to automatically forward content from lndividual-1 ‘s compromised email account to an email account controlled by WESTBROOK. At the time of the intrusion, the compromised email account of Individual-I contained non-public information about Company-1 ‘s quarterly earnings, which indicated that Company-1 ‘s sales were down.

Once a person gains unauthorized access to an email account, it’s possible to conceal the breach by disabling or deleting password reset alerts and burying password reset rules deep inside account settings.

Prosecutors didn’t say how the defendant managed to abuse the reset feature. Typically such mechanisms require control of a cell phone or registered email account belonging to the account holder. In 2019 and 2020 many online services would also allow users to reset passwords by answering security questions. The practice is still in use today but has been slowly falling out of favor as the risks have come to be more widely understood.

By obtaining material information, Westbrook was able to predict how a company’s stock would perform once it became public. When results were likely to drive down stock prices, he would place “put” options, which give the purchaser the right to sell shares at a specific price within a specified span of time. The practice allowed Westbrook to profit when shares fell after financial results became public. When positive results were likely to send stock prices higher, Westbrook allegedly bought shares while they were still low and later sold them for a higher price.

The prosecutors charged Westbrook with one count each of securities fraud and wire fraud and five counts of computer fraud. The securities fraud count carries a maximum penalty of up to 20 years’ prison time and $5 million in fines The wire fraud count carries a maximum penalty of up to 20 years in prison and a fine of either $250,000 or twice the gain or loss from the offense, whichever is greatest. Each computer fraud count carries a maximum five years in prison and a maximum fine of either $250,000 or twice the gain or loss from the offense, whichever is greatest.

The US Attorney’s office in the District of New Jersey didn’t say if Westbrook has made an initial appearance in court or if he has entered a plea.

Crook made millions by breaking into execs’ Office365 inboxes, feds say Read More »

systems-used-by-courts-and-governments-across-the-us-riddled-with-vulnerabilities

Systems used by courts and governments across the US riddled with vulnerabilities

Biz & IT, courts, governments, Security, vulnerabilities / /

SECURITY FAILURE —

With hundreds of courts and agencies affected, chances are one near you is, too.

Systems used by courts and governments across the US riddled with vulnerabilities

Getty Images

Public records systems that courts and governments rely on to manage voter registrations and legal filings have been riddled with vulnerabilities that made it possible for attackers to falsify registration databases and add, delete, or modify official documents.

Over the past year, software developer turned security researcher Jason Parker has found and reported dozens of critical vulnerabilities in no fewer than 19 commercial platforms used by hundreds of courts, government agencies, and police departments across the country. Most of the vulnerabilities were critical.

One flaw he uncovered in the voter registration cancellation portal for the state of Georgia, for instance, allowed anyone visiting it to cancel the registration of any voter in that state when the visitor knew the name, birthdate, and county of residence of the voter. In another case, document management systems used in local courthouses across the country contained multiple flaws that allowed unauthorized people to access sensitive filings such as psychiatric evaluations that were under seal. And in one case, unauthorized people could assign themselves privileges that are supposed to be available only to clerks of the court and, from there, create, delete, or modify filings.

Failing at the most fundamental level

It’s hard to overstate the critical role these systems play in the administration of justice, voting rights, and other integral government functions. The number of vulnerabilities—mostly stemming from weak permission controls, poor validation of user inputs, and faulty authentication processes—demonstrate a lack of due care in ensuring the trustworthiness of the systems millions of citizens rely on every day.

“These platforms are supposed to ensure transparency and fairness, but are failing at the most fundamental level of cybersecurity,” Parker wrote recently in a post he penned in an attempt to raise awareness. “If a voter’s registration can be canceled with little effort and confidential legal filings can be accessed by unauthorized users, what does it mean for the integrity of these systems?”

The vulnerability in the Georgia voter registration database, for instance, lacked any form of automated way to reject cancellation requests that omitted required voter information. Instead of flagging such requests, the system processed it without even flagging it. Similarly, the Granicus GovQA platform hundreds of government agencies use to manage public records could be hacked to reset passwords and gain access to usernames and email addresses simply by slightly modifying the Web address showing in a browser window.

And a vulnerability in the Thomson Reuters’ C-Track eFiling system allowed attackers to elevate their user status to that of a court administrator. Exploitation required nothing more than manipulating certain fields during the registration process.

There is no indication that any of the vulnerabilities were actively exploited.

Word of the vulnerabilities comes four months after the discovery of a malicious backdoor surreptitiously planted in a component of the JAVS Suite 8, an application package that 10,000 courtrooms around the world use to record, play back, and manage audio and video from legal proceedings. A representative of the company said Monday that an investigation performed in cooperation with the Cybersecurity and Infrastructure Security Agency concluded that the malware was installed on only two computers and didn’t result in any information being compromised. The representative said the malware was available through a file a threat actor posted to the JAVS public marketing website.

Parker began examining the systems last year as a software developer purely on a voluntary basis. He has worked with the Electronic Frontier Foundation to contact the system vendors and other parties responsible for the platforms he has found vulnerable. To date, all the vulnerabilities he has reported have been fixed, in some cases only in the past month. More recently, Parker has taken a job as a security researcher focusing on such platforms.

“Fixing these issues requires more than just patching a few bugs,” Parker wrote. “It calls for a complete overhaul of how security is handled in court and public record systems. To prevent attackers from hijacking accounts or altering sensitive data, robust permission controls must be immediately implemented, and stricter validation of user inputs enforced. Regular security audits and penetration testing should be standard practice, not an afterthought, and following the principles of Secure by Design should be an integral part of any Software Development Lifecycle.”

The 19 affected platforms are:

Parker is urging vendors and customers alike to shore up the security of their systems by performing penetration testing and software audits and training employees, particularly those in IT departments. He also said that multifactor authentication should be universally available for all such systems.

“This series of disclosures is a wake-up call to all organizations that manage sensitive public data,” Parker wrote. “If they fail to act quickly, the consequences could be devastating—not just for the institutions themselves but for the individuals whose privacy they are sworn to protect. For now, the responsibility lies with the agencies and vendors behind these platforms to take immediate action, to shore up their defenses, and to restore trust in the systems that so many people depend on.”

Systems used by courts and governments across the US riddled with vulnerabilities Read More »

ai-bots-now-beat-100%-of-those-traffic-image-captchas

AI bots now beat 100% of those traffic-image CAPTCHAs

AI, CAPTCHA, Security / /

Are you a robot? —

I, for one, welcome our traffic light-identifying overlords.

Examples of the kind of CAPTCHAs that image-recognition bots can now get past 100 percent of the time.

Enlarge / Examples of the kind of CAPTCHAs that image-recognition bots can now get past 100 percent of the time.

Anyone who has been surfing the web for a while is probably used to clicking through a CAPTCHA grid of street images, identifying everyday objects to prove that they’re a human and not an automated bot. Now, though, new research claims that locally run bots using specially trained image-recognition models can match human-level performance in this style of CAPTCHA, achieving a 100 percent success rate despite being decidedly not human.

ETH Zurich PhD student Andreas Plesner and his colleagues’ new research, available as a pre-print paper, focuses on Google’s ReCAPTCHA v2, which challenges users to identify which street images in a grid contain items like bicycles, crosswalks, mountains, stairs, or traffic lights. Google began phasing that system out years ago in favor of an “invisible” reCAPTCHA v3 that analyzes user interactions rather than offering an explicit challenge.

Despite this, the older reCAPTCHA v2 is still used by millions of websites. And even sites that use the updated reCAPTCHA v3 will sometimes use reCAPTCHA v2 as a fallback when the updated system gives a user a low “human” confidence rating.

Saying YOLO to CAPTCHAs

To craft a bot that could beat reCAPTCHA v2, the researchers used a fine-tuned version of the open source YOLO (“You Only Look Once”) object-recognition model, which long-time readers may remember has also been used in video game cheat bots. The researchers say the YOLO model is “well known for its ability to detect objects in real-time” and “can be used on devices with limited computational power, allowing for large-scale attacks by malicious users.”

After training the model on 14,000 labeled traffic images, the researchers had a system that could identify the probability that any provided CAPTCHA grid image belonged to one of reCAPTCHA v2’s 13 candidate categories. The researchers also used a separate, pre-trained YOLO model for what they dubbed “type 2” challenges, where a CAPTCHA asks users to identify which portions of a single segmented image contain a certain type of object (this segmentation model only worked on nine of 13 object categories and simply asked for a new image when presented with the other four categories).

The YOLO model showed varying levels of confidence depending on the type of object being identified.

Enlarge / The YOLO model showed varying levels of confidence depending on the type of object being identified.

Beyond the image-recognition model, the researchers also had to take other steps to fool reCAPTCHA’s system. A VPN was used to avoid detection of repeated attempts from the same IP address, for instance, while a special mouse movement model was created to approximate human activity. Fake browser and cookie information from real web browsing sessions was also used to make the automated agent appear more human.

Depending on the type of object being identified, the YOLO model was able to accurately identify individual CAPTCHA images anywhere from 69 percent of the time (for motorcycles) to 100 percent of the time (for fire hydrants). That performance—combined with the other precautions—was strong enough to slip through the CAPTCHA net every time, sometimes after multiple individual challenges presented by the system. In fact, the bot was able to solve the average CAPTCHA in slightly fewer challenges than a human in similar trials (though the improvement over humans was not statistically significant).

The battle continues

While there have been previous academic studies attempting to use image-recognition models to solve reCAPTCHAs, they were only able to succeed between 68 to 71 percent of the time. The rise to a 100 percent success rate “shows that we are now officially in the age beyond captchas,” according to the new paper’s authors.

But this is not an entirely new problem in the world of CAPTCHAs. As far back as 2008, researchers were showing how bots could be trained to break through audio CAPTCHAs intended for visually impaired users. And by 2017, neural networks were being used to beat text-based CAPTCHAs that asked users to type in letters seen in garbled fonts.

Older text-identification CAPTCHAs have long been solvable by AI models.

Older text-identification CAPTCHAs have long been solvable by AI models.

Stack Exchange

Now that locally run AIs can easily best image-based CAPTCHAs, too, the battle of human identification will continue to shift toward more subtle methods of device fingerprinting. “We have a very large focus on helping our customers protect their users without showing visual challenges, which is why we launched reCAPTCHA v3 in 2018,” a Google Cloud spokesperson told New Scientist. “Today, the majority of reCAPTCHA’s protections across 7 [million] sites globally are now completely invisible. We are continuously enhancing reCAPTCHA.”

Still, as artificial intelligence systems become better and better at mimicking more and more tasks that were previously considered exclusively human, it may continue to get harder and harder to ensure that the user on the other end of that web browser is actually a person.

“In some sense, a good captcha marks the exact boundary between the most intelligent machine and the least intelligent human,” the paper’s authors write. “As machine learning models close in on human capabilities, finding good captchas has become more difficult.”

AI bots now beat 100% of those traffic-image CAPTCHAs Read More »

indicted-nyc-mayor-to-fbi:-i,-uh,-forgot-my-phone’s-passcode

Indicted NYC mayor to FBI: I, uh, forgot my phone’s passcode

cell phone, Eric Adams, new york, NYC FBI, passcode, Security / /

Just trying to help! —

I think it starts with a 2?

NYC Mayor Eric Adams holding an AirTag.

Enlarge / NYC Mayor Eric Adams, in happier times, holding an AirTag.

New York City mayor Eric Adams was stopped on the street by the FBI after an event in November 2023. Agents had a warrant for his electronic devices, which they seized. At the time, Adams made clear that he had nothing to hide, saying in a statement, “As a former member of law enforcement, I expect all members of my staff to follow the law and fully cooperate with any sort of investigation—and I will continue to do exactly that.”

Thanks to this week’s federal indictment (PDF) of Adams—the first for a sitting NYC mayor, and one that alleges bribery from Turkish sources—we now have the same story from the government’s perspective. It sounds quite a bit different.

According to the feds, agents seized not one but two cell phones from Adams on November 6, 2023—but neither of these was Adams’ “personal” phone, which he was not carrying. It was the personal phone that Adams allegedly used “to communicate about the conduct described in this indictment.”

The next day, November 7, Adams turned in his personal cellphone “in response to a subpoena,” but the phone was locked with a passcode. Passcodes are not unusual—indeed, they are recommended for nearly all users—but in this case there was a hitch. Adams, who continued to pledge his full cooperation, told the FBI that he couldn’t remember the code.

This might sound suspicious, but Adams said that it was actually a result of his attempts to preserve the phone and its data for the FBI. Two days earlier, on November 5, Adams had gotten wind of the investigation into his finances after the FBI raided one of his associates. When he heard this, he changed his personal cell phone passcode, increasing its length from four digits to six.

According to Adams, this was done to “prevent members of his staff from inadvertently or intentionally deleting the contents of his phone” so that Adams could “preserve the contents of his phone due to the investigation.”

Unfortunately, Adams told the FBI, he couldn’t remember this new password he had set just two days before. And so the pristinely preserved personal phone was locked and without a key.

The government does not explicitly say what it thought of the truthfulness of this explanation, but the indictment against Adams includes the anecdote under the subheading, “ADAMS and His Co-Conspirators Attempt to Conceal Their Criminal Conduct.”

Deleting apps from the bathroom

It wasn’t just Adams who had some “issues” with digital devices. As part of its investigation, the FBI asked if one of his staffers would speak to them in a voluntary interview. The woman agreed, and she then “falsely denied the criminal conduct of herself and ADAMS,” says the indictment.

But the most interesting bit was her behavior. In the middle of the interview, the staffer left to use the bathroom “and, while there, deleted the encrypted messaging applications she had used to communicate with ADAMS, the Promoter, the Turkish Official, the Airline Manager, and others.”

Others in Adams’ orbit were a bit more careful. When an Adams employee met with the mayor to talk about Turkish issues, he and Adams “left their cellphones outside the room in which they met so that it would be ‘safe’ to talk.”

Another staffer who worked on booking subsidized Turkish travel once texted Adams, “To be o[n the] safe side Please Delete all messages you send me.” Adams replied, “Always do.”

This sort of care extended even to the creation of bogus PowerPoint presentations. At a 2023 fundraiser held in a Manhattan hotel, the FBI claims that a “promoter” putting together illegal foreign donations for Adams actually “provided a PowerPoint presentation billing the event as a dinner hosted by ‘International Sustainability Leaders’ with the subject ‘Sustainable Destinations’ and an attendance price of $5,000.” This was despite the fact that the event was listed on Adams’ private calendar as “Fundraiser for Eric Adams 2025.”

Indicted NYC mayor to FBI: I, uh, forgot my phone’s passcode Read More »

meta-pays-the-price-for-storing-hundreds-of-millions-of-passwords-in-plaintext

Meta pays the price for storing hundreds of millions of passwords in plaintext

authentication, Biz & IT, cryptography, hashing, passwords, privacy, Security / /

GOT HASHES? —

Company failed to follow one of the most sacrosanct rules for password storage.

Meta pays the price for storing hundreds of millions of passwords in plaintext

Getty Images

Officials in Ireland have fined Meta $101 million for storing hundreds of millions of user passwords in plaintext and making them broadly available to company employees.

Meta disclosed the lapse in early 2019. The company said that apps for connecting to various Meta-owned social networks had logged user passwords in plaintext and stored them in a database that had been searched by roughly 2,000 company engineers, who collectively queried the stash more than 9 million times.

Meta investigated for five years

Meta officials said at the time that the error was found during a routine security review of the company’s internal network data storage practices. They went on to say that they uncovered no evidence that anyone internally improperly accessed the passcodes or that the passcodes were ever accessible to people outside the company.

Despite those assurances, the disclosure exposed a major security failure on the part of Meta. For more than three decades, best practices across just about every industry have been to cryptographically hash passwords. Hashing is a term that applies to the practice of passing passwords through a one-way cryptographic algorithm that assigns a long string of characters that’s unique for each unique input of plaintext.

Because the conversion works in only one direction—from plaintext to hash—there is no cryptographic means for converting the hashes back into plaintext. More recently, these best practices have been mandated by laws and regulations in countries worldwide.

Because hashing algorithms works in one direction, the only way to obtain the corresponding plaintext is to guess, a process that can require large amounts of time and computational resources. The idea behind hashing passwords is similar to the idea of fire insurance for a home. In the event of an emergency—the hacking of a password database in one case, or a house fire in the other—the protection insulates the stakeholder from harm that otherwise would have been more dire.

For hashing schemes to work as intended, they must follow a host of requirements. One is that hashing algorithms must be designed in a way that they require large amounts of computing resources. That makes algorithms such as SHA1 and MD5 unsuitable, because they’re designed to quickly hash messages with minimal computing required. By contrast, algorithms specifically designed for hashing passwords—such as Bcrypt, PBKDF2, or SHA512crypt—are slow and consume large amounts of memory and processing.

Another requirement is that the algorithms must include cryptographic “salting,” in which a small amount of extra characters are added to the plaintext password before it’s hashed. Salting further increases the workload required to crack the hash. Cracking is the process of passing large numbers of guesses, often measured in the hundreds of millions, through the algorithm and comparing each hash against the hash found in the breached database.

The ultimate aim of hashing is to store passwords only in hashed format and never as plaintext. That prevents hackers and malicious insiders alike from being able to use the data without first having to expend large amounts of resources.

When Meta disclosed the lapse in 2019, it was clear the company had failed to adequately protect hundreds of millions of passwords.

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Graham Doyle, deputy commissioner at Ireland’s Data Protection Commission, said. “It must be borne in mind, that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”

The commission has been investigating the incident since Meta disclosed it more than five years ago. The government body, the lead European Union regulator for most US Internet services, imposed a fine of $101 million (91 million euros) this week. To date, the EU has fined Meta more than $2.23 billion (2 billion euros) for violations of the General Data Protection Regulation (GDPR), which went into effect in 2018. That amount includes last year’s record $1.34 billion (1.2 billion euro) fine, which Meta is appealing.

Meta pays the price for storing hundreds of millions of passwords in plaintext Read More »

tails-os-joins-forces-with-tor-project-in-merger

Tails OS joins forces with Tor Project in merger

anonymity, Biz & IT, privacy, Security, tails, Tor network, Tor Project / /

COME TOGETHER —

The organizations have worked closely together over the years.

Tails OS joins forces with Tor Project in merger

The Tor Project

The Tor Project, the nonprofit that maintains software for the Tor anonymity network, is joining forces with Tails, the maker of a portable operating system that uses Tor. Both organizations seek to pool resources, lower overhead, and collaborate more closely on their mission of online anonymity.

Tails and the Tor Project began discussing the possibility of merging late last year, the two organizations said. At the time, Tails was maxing out its current resources. The two groups ultimately decided it would be mutually beneficial for them to come together.

Amnesic onion routing

“Rather than expanding Tails’s operational capacity on their own and putting more stress on Tails workers, merging with the Tor Project, with its larger and established operational framework, offered a solution,” Thursday’s joint statement said. “By joining forces, the Tails team can now focus on their core mission of maintaining and improving Tails OS, exploring more and complementary use cases while benefiting from the larger organizational structure of The Tor Project.”

The Tor Project, for its part, could stand to benefit from better integration of Tails into its privacy network, which allows web users and websites to operate anonymously by connecting from IP addresses that can’t be linked to a specific service or user.

The “Tor” in the Tor Project is short for The Onion Router. It’s a global project best known for developing the Tor Browser, which connects to the Tor network. The Tor network routes all incoming and outgoing traffic through a series of three IP addresses. The structure ensures that no one can determine the IP address of either originating or destination party. The Tor Project was formed in 2006 by a team that included computer scientists Roger Dingledine and Nick Mathewson. The Tor protocol on which the Tor network runs was developed by the Naval Research Laboratory in the early 2000s.

Tails (The Amnesic Incognito Live System) is a portable Linux-based operating system that runs from thumb drives and external hard drives and uses the Tor browser to route all web traffic between the device it runs on and the Internet. Tails routes outgoing traffic through the Tor Network

One of the key advantages of Tails OS is its ability to run entirely from a USB stick. The design makes it possible to use the secure operating system while traveling or using untrusted devices. It also ensures that no trace is left on a device’s hard drive. Tails has the additional benefit of routing traffic from non-browser clients such as Thunderbird through the Tor network.

“Incorporating Tails into the Tor Project’s structure allows for easier collaboration, better sustainability, reduced overhead, and expanded training and outreach programs to counter a larger number of digital threats,” the organizations said. “In short, coming together will strengthen both organizations’ ability to protect people worldwide from surveillance and censorship.”

The merger comes amid growing threats to personal privacy and calls by lawmakers to mandate backdoors or trapdoors in popular apps and operating systems to allow law enforcement to decrypt data in investigations.

Tails OS joins forces with Tor Project in merger Read More »

hacker-plants-false-memories-in-chatgpt-to-steal-user-data-in-perpetuity

Hacker plants false memories in ChatGPT to steal user data in perpetuity

AI, Biz & IT, chatgpt, openai, privacy, prompt injection, Security / /

MEMORY PROBLEMS —

Emails, documents, and other untrusted content can plant malicious memories.

Hacker plants false memories in ChatGPT to steal user data in perpetuity

Getty Images

When security researcher Johann Rehberger recently reported a vulnerability in ChatGPT that allowed attackers to store false information and malicious instructions in a user’s long-term memory settings, OpenAI summarily closed the inquiry, labeling the flaw a safety issue, not, technically speaking, a security concern.

So Rehberger did what all good researchers do: He created a proof-of-concept exploit that used the vulnerability to exfiltrate all user input in perpetuity. OpenAI engineers took notice and issued a partial fix earlier this month.

Strolling down memory lane

The vulnerability abused long-term conversation memory, a feature OpenAI began testing in February and made more broadly available in September. Memory with ChatGPT stores information from previous conversations and uses it as context in all future conversations. That way, the LLM can be aware of details such as a user’s age, gender, philosophical beliefs, and pretty much anything else, so those details don’t have to be inputted during each conversation.

Within three months of the rollout, Rehberger found that memories could be created and permanently stored through indirect prompt injection, an AI exploit that causes an LLM to follow instructions from untrusted content such as emails, blog posts, or documents. The researcher demonstrated how he could trick ChatGPT into believing a targeted user was 102 years old, lived in the Matrix, and insisted Earth was flat and the LLM would incorporate that information to steer all future conversations. These false memories could be planted by storing files in Google Drive or Microsoft OneDrive, uploading images, or browsing a site like Bing—all of which could be created by a malicious attacker.

Rehberger privately reported the finding to OpenAI in May. That same month, the company closed the report ticket. A month later, the researcher submitted a new disclosure statement. This time, he included a PoC that caused the ChatGPT app for macOS to send a verbatim copy of all user input and ChatGPT output to a server of his choice. All a target needed to do was instruct the LLM to view a web link that hosted a malicious image. From then on, all input and output to and from ChatGPT was sent to the attacker’s website.

ChatGPT: Hacking Memories with Prompt Injection – POC

“What is really interesting is this is memory-persistent now,” Rehberger said in the above video demo. “The prompt injection inserted a memory into ChatGPT’s long-term storage. When you start a new conversation, it actually is still exfiltrating the data.”

The attack isn’t possible through the ChatGPT web interface, thanks to an API OpenAI rolled out last year.

While OpenAI has introduced a fix that prevents memories from being abused as an exfiltration vector, the researcher said, untrusted content can still perform prompt injections that cause the memory tool to store long-term information planted by a malicious attacker.

LLM users who want to prevent this form of attack should pay close attention during sessions for output that indicates a new memory has been added. They should also regularly review stored memories for anything that may have been planted by untrusted sources. OpenAI provides guidance here for managing the memory tool and specific memories stored in it. Company representatives didn’t respond to an email asking about its efforts to prevent other hacks that plant false memories.

Hacker plants false memories in ChatGPT to steal user data in perpetuity Read More »

11-million-devices-infected-with-botnet-malware-hosted-in-google-play

11 million devices infected with botnet malware hosted in Google Play

android, Biz & IT, botnet, google play, malware, Security / /

NECRO —

Necro infiltrated Google Play in 2019. It recently returned.

A computer screen filled with ones and zeros also contains a Google logo and the word hacked.

Five years ago, researchers made a grim discovery—a legitimate Android app in the Google Play market that was surreptitiously made malicious by a library the developers used to earn advertising revenue. With that, the app was infected with code that caused 100 million infected devices to connect to attacker-controlled servers and download secret payloads.

Now, history is repeating itself. Researchers from the same Moscow, Russia-based security firm reported Monday that they found two new apps, downloaded from Play 11 million times, that were infected with the same malware family. The researchers, from Kaspersky, believe a malicious software developer kit for integrating advertising capabilities is once again responsible.

Clever tradecraft

Software developer kits, better known as SDKs, are apps that provide developers with frameworks that can greatly speed up the app-creation process by streamlining repetitive tasks. An unverified SDK module incorporated into the apps ostensibly supported the display of ads. Behind the scenes, it provided a host of advanced methods for stealthy communication with malicious servers, where the apps would upload user data and download malicious code that could be executed and updated at any time.

The stealthy malware family in both campaigns is known as Necro. This time, some variants use techniques such as steganography, an obfuscation method rarely seen in mobile malware. Some variants also deploy clever tradecraft to deliver malicious code that can run with heightened system rights. Once devices are infected with this variant, they contact an attacker-controlled command-and-control server and send web requests containing encrypted JSON data that reports information about each compromised device and application hosting the module.

The server, in turn, returns a JSON response that contains a link to a PNG image and associated metadata that includes the image hash. If the malicious module installed on the infected device confirms the hash is correct, it downloads the image.

The SDK module “uses a very simple steganographic algorithm,” Kaspersky researchers explained in a separate post. “If the MD5 check is successful, it extracts the contents of the PNG file—the pixel values in the ARGB channels—using standard Android tools. Then the getPixel method returns a value whose least significant byte contains the blue channel of the image, and processing begins in the code.”

The researchers continued:

If we consider the blue channel of the image as a byte array of dimension 1, then the first four bytes of the image are the size of the encoded payload in Little Endian format (from the least significant byte to the most significant). Next, the payload of the specified size is recorded: this is a JAR file encoded with Base64, which is loaded after decoding via DexClassLoader. Coral SDK loads the sdk.fkgh.mvp.SdkEntry class in a JAR file using the native library libcoral.so. This library has been obfuscated using the OLLVM tool. The starting point, or entry point, for execution within the loaded class is the run method.

Necro code implementing steganography.

Enlarge / Necro code implementing steganography.

Kaspersky

Follow-on payloads that get installed download malicious plugins that can be mixed and matched for each infected device to perform a variety of different actions. One of the plugins allows code to run with elevated system rights. By default, Android bars privileged processes from using WebView, an extension in the OS for displaying webpages in apps. To bypass this safety restriction, Necro uses a hacking technique known as a reflection attack to create a separate instance of the WebView factory.

This plugin can also download and run other executable files that will replace links rendered through WebView. When running with the elevated system rights, these executables have the ability to modify URLs to add confirmation codes for paid subscriptions and download and execute code loaded at links controlled by the attacker. The researchers listed five separate payloads they encountered in their analysis of Necro.

The modular design of Necro opens myriad ways for the malware to behave. Kaspersky provided the following image that provides an overview.

Necro Trojan infection diagram.

Enlarge / Necro Trojan infection diagram.

Kaspersy

The researchers found Necro in two Google Play apps. One was Wuta Camera, an app with 10 million downloads to date. Wuta Camera versions 6.3.2.148 through 6.3.6.148 contained the malicious SDK that infects apps. The app has since been updated to remove the malicious component. A separate app with roughly 1 million downloads—known as Max Browser—was also infected. That app is no longer available in Google Play.

The researchers also found Necro infecting a variety of Android apps available in alternative marketplaces. Those apps typically billed themselves as modified versions of legitimate apps such as Spotify, Minecraft, WhatsApp, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox.

People who are concerned they may be infected by Necro should check their devices for the presence of indicators of compromise listed at the end of this writeup.

11 million devices infected with botnet malware hosted in Google Play Read More »

google-calls-for-halting-use-of-whois-for-tls-domain-verifications

Google calls for halting use of WHOIS for TLS domain verifications

Biz & IT, Security, tls, transport layer security, WHOIS / /

WHOWAS —

WHOIS data is unreliable. So why is it used in TLS certificate applications?

Google calls for halting use of WHOIS for TLS domain verifications

Getty Images

Certificate authorities and browser makers are planning to end the use of WHOIS data verifying domain ownership following a report that demonstrated how threat actors could abuse the process to obtain fraudulently issued TLS certificates.

TLS certificates are the cryptographic credentials that underpin HTTPS connections, a critical component of online communications verifying that a server belongs to a trusted entity and encrypts all traffic passing between it and an end user. These credentials are issued by any one of hundreds of CAs (certificate authorities) to domain owners. The rules for how certificates are issued and the process for verifying the rightful owner of a domain are left to the CA/Browser Forum. One “base requirement rule” allows CAs to send an email to an address listed in the WHOIS record for the domain being applied for. When the receiver clicks an enclosed link, the certificate is automatically approved.

Non-trivial dependencies

Researchers from security firm watchTowr recently demonstrated how threat actors could abuse the rule to obtain fraudulently issued certificates for domains they didn’t own. The security failure resulted from a lack of uniform rules for determining the validity of sites claiming to provide official WHOIS records.

Specifically, watchTowr researchers were able to receive a verification link for any domain ending in .mobi, including ones they didn’t own. The researchers did this by deploying a fake WHOIS server and populating it with fake records. Creation of the fake server was possible because dotmobiregistry.net—the previous domain hosting the WHOIS server for .mobi domains—was allowed to expire after the server was relocated to a new domain. watchTowr researchers registered the domain, set up the imposter WHOIS server, and found that CAs continued to rely on it to verify ownership of .mobi domains.

The research didn’t escape the notice of the CA/Browser Forum (CAB Forum). On Monday, a member representing Google proposed ending the reliance on WHOIS data for domain ownership verification “in light of recent events where research from watchTowr Labs demonstrated how threat actors could exploit WHOIS to obtain fraudulently issued TLS certificates.”

The formal proposal calls for reliance on WHOIS data to “sunset” in early November. It establishes specifically that “CAs MUST NOT rely on WHOIS to identify Domain Contacts” and that “Effective November 1, 2024, validations using this [email verification] method MUST NOT rely on WHOIS to identify Domain Contact information.”

Since Monday’s submission, more than 50 follow-up comments have been posted. Many of the responses expressed support for the proposed change. Others have questioned the need for a change as proposed, given that the security failure watchTowr uncovered is known to affect only a single top-level domain.

An Amazon representative, meanwhile, noted that the company previously implemented a unilateral change in which the AWS Certificate Manager will fully transition away from reliance on WHOIS records. The representative told CAB Forum members that Google’s proposed deadline of November 1 may be too stringent.

“We got feedback from customers that for some this is a non-trivial dependency to remove,” the Amazon representative wrote. “It’s not uncommon for companies to have built automation on top of email validation. Based on the information we got I recommend a date of April 30, 2025.”

CA Digicert endorsed Amazon’s proposal to extend the deadline. Digicert went on to propose that instead of using WHOIS records, CAs instead use the WHOIS successor known as the Registration Data Access Protocol.

The proposed changes are formally in the discussion phase of deliberations. It’s unclear when formal voting on the change will begin.

Google calls for halting use of WHOIS for TLS domain verifications Read More »