Security

millions-of-low-cost-android-devices-turn-home-networks-into-crime-platforms

Millions of low-cost Android devices turn home networks into crime platforms

Android malware, Biz & IT, Security / /

Millions of low-cost devices for media streaming, in-vehicle entertainment, and video projection are infected with malware that turns consumer networks into platforms for distributing malware, concealing nefarious communications, and performing other illicit activities, the FBI has warned.

The malware infecting these devices, known as BadBox, is based on Triada, a malware strain discovered in 2016 by Kaspersky Lab, which called it “one of the most advanced mobile Trojans” the security firm’s analysts had ever encountered. It employed an impressive kit of tools, including rooting exploits that bypassed security protections built into Android and functions for modifying the Android OS’s all-powerful Zygote process. Google eventually updated Android to block the methods Triada used to infect devices.

The threat remains

A year later, Triada returned, only this time, devices came pre-infected before they reached consumers’ hands. In 2019, Google confirmed that the supply-chain attack affected thousands of devices and that the company had once again taken measures to thwart it.

In 2023, security firm Human Security reported on BigBox, a Triada-derived backdoor it found preinstalled on thousands of devices manufactured in China. The malware, which Human Security estimated was installed on 74,000 devices around the world, facilitated a range of illicit activities, including advertising fraud, residential proxy services, the creation of fake Gmail and WhatsApp accounts, and infecting other Internet-connected devices.

Millions of low-cost Android devices turn home networks into crime platforms Read More »

two-certificate-authorities-booted-from-the-good-graces-of-chrome

Two certificate authorities booted from the good graces of Chrome

Biz & IT, certificate authorities, chrome browser, Google, Security / /

Google says its Chrome browser will stop trusting certificates from two certificate authorities after “patterns of concerning behavior observed over the past year” diminished trust in their reliability.

The two organizations, Taiwan-based Chunghwa Telecom and Budapest-based Netlock, are among the dozens of certificate authorities trusted by Chrome and most other browsers to provide digital certificates that encrypt traffic and certify the authenticity of sites. With the ability to mint cryptographic credentials that cause address bars to display a padlock, assuring the trustworthiness of a site, these certificate authorities wield significant control over the security of the web.

Inherent risk

“Over the past several months and years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports,” members of the Chrome security team wrote Tuesday. “When these factors are considered in aggregate and considered against the inherent risk each publicly-trusted CA poses to the internet, continued public trust is no longer justified.”

Two certificate authorities booted from the good graces of Chrome Read More »

meta-and-yandex-are-de-anonymizing-android-users’-web-browsing-identifiers

Meta and Yandex are de-anonymizing Android users’ web browsing identifiers

Biz & IT, browsing histories, Features, Meta Pixel, Metrica, privacy, Security, yandex / /

Abuse allows Meta and Yandex to attach persistent identifiers to detailed browsing histories.

Credit: Aurich Lawson | Getty Images

Credit: Aurich Lawson | Getty Images

Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it’s investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.

The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they’re off-limits for every other site.

A blatant violation

“One of the fundamental security principles that exists in the web, as well as the mobile system, is called sandboxing,” Narseo Vallina-Rodriguez, one of the researchers behind the discovery, said in an interview. “You run everything in a sandbox, and there is no interaction within different elements running on it. What this attack vector allows is to break the sandbox that exists between the mobile context and the web context. The channel that exists allowed the Android system to communicate what happens in the browser with the identity running in the mobile app.”

The bypass—which Yandex began in 2017 and Meta started last September—allows the companies to pass cookies or other identifiers from Firefox and Chromium-based browsers to native Android apps for Facebook, Instagram, and various Yandex apps. The companies can then tie that vast browsing history to the account holder logged into the app.

This abuse has been observed only in Android, and evidence suggests that the Meta Pixel and Yandex Metrica target only Android users. The researchers say it may be technically feasible to target iOS because browsers on that platform allow developers to programmatically establish localhost connections that apps can monitor on local ports.

In contrast to iOS, however, Android imposes fewer controls on local host communications and background executions of mobile apps, the researchers said, while also implementing stricter controls in app store vetting processes to limit such abuses. This overly permissive design allows Meta Pixel and Yandex Metrica to send web requests with web tracking identifiers to specific local ports that are continuously monitored by the Facebook, Instagram, and Yandex apps. These apps can then link pseudonymous web identities with actual user identities, even in private browsing modes, effectively de-anonymizing users’ browsing habits on sites containing these trackers.

Meta Pixel and Yandex Metrica are analytics scripts designed to help advertisers measure the effectiveness of their campaigns. Meta Pixel and Yandex Metrica are estimated to be installed on 5.8 million and 3 million sites, respectively.

Meta and Yandex achieve the bypass by abusing basic functionality built into modern mobile browsers that allows browser-to-native app communications. The functionality lets browsers send web requests to local Android ports to establish various services, including media connections through the RTC protocol, file sharing, and developer debugging.

A conceptual diagram representing the exchange of identifiers between the web trackers running on the browser context and native Facebook, Instagram, and Yandex apps for Android.

A conceptual diagram representing the exchange of identifiers between the web trackers running on the browser context and native Facebook, Instagram, and Yandex apps for Android.

While the technical underpinnings differ, both Meta Pixel and Yandex Metrica are performing a “weird protocol misuse” to gain unvetted access that Android provides to localhost ports on the 127.0.0.1 IP address. Browsers access these ports without user notification. Facebook, Instagram, and Yandex native apps silently listen on those ports, copy identifiers in real time, and link them to the user logged into the app.

A representative for Google said the behavior violates the terms of service for its Play marketplace and the privacy expectations of Android users.

“The developers in this report are using capabilities present in many browsers across iOS and Android in unintended ways that blatantly violate our security and privacy principles,” the representative said, referring to the people who write the Meta Pixel and Yandex Metrica JavaScript. “We’ve already implemented changes to mitigate these invasive techniques and have opened our own investigation and are directly in touch with the parties.”

Meta didn’t answer emailed questions for this article, but provided the following statement: “We are in discussions with Google to address a potential miscommunication regarding the application of their policies. Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue.”

Yandex representatives didn’t answer an email seeking comment.

How Meta and Yandex de-anonymize Android users

Meta Pixel developers have abused various protocols to implement the covert listening since the practice began last September. They started by causing apps to send HTTP requests to port 12387. A month later, Meta Pixel stopped sending this data, even though Facebook and Instagram apps continued to monitor the port.

In November, Meta Pixel switched to a new method that invoked WebSocket, a protocol for two-way communications, over port 12387.

That same month, Meta Pixel also deployed a new method that used WebRTC, a real-time peer-to-peer communication protocol commonly used for making audio or video calls in the browser. This method used a complicated process known as SDP munging, a technique for JavaScript code to modify Session Description Protocol data before it’s sent. Still in use today, the SDP munging by Meta Pixel inserts key _fbp cookie content into fields meant for connection information. This causes the browser to send that data as part of a STUN request to the Android local host, where the Facebook or Instagram app can read it and link it to the user.

In May, a beta version of Chrome introduced a mitigation that blocked the type of SDP munging that Meta Pixel used. Within days, Meta Pixel circumvented the mitigation by adding a new method that swapped the STUN requests with the TURN requests.

In a post, the researchers provided a detailed description of the _fbp cookie from a website to the native app and, from there, to the Meta server:

1. The user opens the native Facebook or Instagram app, which eventually is sent to the background and creates a background service to listen for incoming traffic on a TCP port (12387 or 12388) and a UDP port (the first unoccupied port in 12580–12585). Users must be logged-in with their credentials on the apps.

2. The user opens their browser and visits a website integrating the Meta Pixel.

3. At this stage, some websites wait for users’ consent before embedding Meta Pixel. In our measurements of the top 100K website homepages, we found websites that require consent to be a minority (more than 75% of affected sites does not require user consent)…

4. The Meta Pixel script is loaded and the _fbp cookie is sent to the native Instagram or Facebook app via WebRTC (STUN) SDP Munging.

5. The Meta Pixel script also sends the _fbp value in a request to https://www.facebook.com/tr along with other parameters such as page URL (dl), website and browser metadata, and the event type (ev) (e.g., PageView, AddToCart, Donate, Purchase).

6. The Facebook or Instagram apps receive the _fbp cookie from the Meta JavaScripts running on the browser and transmits it to the GraphQL endpoint (https://graph[.]facebook[.]com/graphql) along with other persistent user identifiers, linking users’ fbp ID (web visit) with their Facebook or Instagram account.

Detailed flow of the way the Meta Pixel leaks the _fbp cookie from Android browsers to it’s Facebook and Instagram apps.

Detailed flow of the way the Meta Pixel leaks the _fbp cookie from Android browsers to it’s Facebook and Instagram apps.

The first known instance of Yandex Metrica linking websites visited in Android browsers to app identities was in May 2017, when the tracker started sending HTTP requests to local ports 29009 and 30102. In May 2018, Yandex Metrica also began sending the data through HTTPS to ports 29010 and 30103. Both methods remained in place as of publication time.

An overview of Yandex identifier sharing

An overview of Yandex identifier sharing

A timeline of web history tracking by Meta and Yandex

A timeline of web history tracking by Meta and Yandex

Some browsers for Android have blocked the abusive JavaScript in trackers. DuckDuckGo, for instance, was already blocking domains and IP addresses associated with the trackers, preventing the browser from sending any identifiers to Meta. The browser also blocked most of the domains associated with Yandex Metrica. After the researchers notified DuckDuckGo of the incomplete blacklist, developers added the missing addresses.

The Brave browser, meanwhile, also blocked the sharing of identifiers due to its extensive blocklists and existing mitigation to block requests to the localhost without explicit user consent. Vivaldi, another Chromium-based browser, forwards the identifiers to local Android ports when the default privacy setting is in place. Changing the setting to block trackers appears to thwart browsing history leakage, the researchers said.

Tracking blocker settings in Vivaldi for Android.

There’s got to be a better way

The various remedies DuckDuckGo, Brave, Vivaldi, and Chrome have put in place are working as intended, but the researchers caution they could become ineffective at any time.

“Any browser doing blocklisting will likely enter into a constant arms race, and it’s just a partial solution,” Vallina Rodriguez said of the current mitigations. “Creating effective blocklists is hard, and browser makers will need to constantly monitor the use of this type of capability to detect other hostnames potentially abusing localhost channels and then updating their blocklists accordingly.”

He continued:

While this solution works once you know the hostnames doing that, it’s not the right way of mitigating this issue, as trackers may find ways of accessing this capability (e.g., through more ephemeral hostnames). A long-term solution should go through the design and development of privacy and security controls for localhost channels, so that users can be aware of this type of communication and potentially enforce some control or limit this use (e.g., a permission or some similar user notifications).

Chrome and most other Chromium-based browsers executed the JavaScript as Meta and Yandex intended. Firefox did as well, although for reasons that aren’t clear, the browser was not able to successfully perform the SDP munging specified in later versions of the code. After blocking the STUN variant of SDP munging in the early May beta release, a production version of Chrome released two weeks ago began blocking both the STUN and TURN variants. Other Chromium-based browsers are likely to implement it in the coming weeks. A representative for Firefox-maker Mozilla said the organization prioritizes user privacy and is taking the report seriously

“We are actively investigating the reported behavior, and working to fully understand its technical details and implications,” Mozilla said in an email. “Based on what we’ve seen so far, we consider these to be severe violations of our anti-tracking policies, and are assessing solutions to protect against these new tracking techniques.”

The researchers warn that the current fixes are so specific to the code in the Meta and Yandex trackers that it would be easy to bypass them with a simple update.

“They know that if someone else comes in and tries a different port number, they may bypass this protection,” said Gunes Acar, the researcher behind the initial discovery, referring to the Chrome developer team at Google. “But our understanding is they want to send this message that they will not tolerate this form of abuse.”

Fellow researcher Vallina-Rodriguez said the more comprehensive way to prevent the abuse is for Android to overhaul the way it handles access to local ports.

“The fundamental issue is that the access to the local host sockets is completely uncontrolled on Android,” he explained. “There’s no way for users to prevent this kind of communication on their devices. Because of the dynamic nature of JavaScript code and the difficulty to keep blocklists up to date, the right way of blocking this persistently is by limiting this type of access at the mobile platform and browser level, including stricter platform policies to limit abuse.”

Got consent?

The researchers who made this discovery are:

  • Aniketh Girish, PhD student at IMDEA Networks
  • Gunes Acar, assistant professor in Radboud University’s Digital Security Group & iHub
  • Narseo Vallina-Rodriguez, associate professor at IMDEA Networks
  • Nipuna Weerasekara, PhD student at IMDEA Networks
  • Tim Vlummens, PhD student at COSIC, KU Leuven

Acar said he first noticed Meta Pixel accessing local ports while visiting his own university’s website.

There’s no indication that Meta or Yandex has disclosed the tracking to either websites hosting the trackers or end users who visit those sites. Developer forums show that many websites using Meta Pixel were caught off guard when the scripts began connecting to local ports.

“Since 5th September, our internal JS error tracking has been flagging failed fetch requests to localhost: 12387,” one developer wrote. “No changes have been made on our side, and the existing Facebook tracking pixel we use loads via Google Tag Manager.”

“Is there some way I can disable this?” another developer encountering the unexplained local port access asked.

It’s unclear whether browser-to-native-app tracking violates any privacy laws in various countries. Both Meta and companies hosting its Meta Pixel, however, have faced a raft of lawsuits in recent years alleging that the data collected violates privacy statutes. A research paper from 2023 found that Meta pixel, then called the Facebook Pixel, “tracks a wide range of user activities on websites with alarming detail, especially on websites classified as sensitive categories under GDPR,” the abbreviation for the European Union’s General Data Protection Regulation.

So far, Google has provided no indication that it plans to redesign the way Android handles local port access. For now, the most comprehensive protection against Meta Pixel and Yandex Metrica tracking is to refrain from installing the Facebook, Instagram, or Yandex apps on Android devices.

Photo of Dan Goodin

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.

Meta and Yandex are de-anonymizing Android users’ web browsing identifiers Read More »

ransomware-kingpin-“stern”-apparently-ided-by-german-law-enforcement

Ransomware kingpin “Stern” apparently IDed by German law enforcement

Biz & IT, conti, ransomware, Security, Stern, syndicated, TrickBot / /

unlikely to be extradited

BSA names Vi­ta­ly Ni­ko­lae­vich Kovalev is “Stern,” the leader of Trickbot.

Credit: Tim Robberts/Getty Images

For years, members of the Russian cybercrime cartel Trickbot unleashed a relentless hacking spree on the world. The group attacked thousands of victims, including businesses, schools, and hospitals. “Fuck clinics in the usa this week,” one member wrote in internal Trickbot messages in 2020 about a list of 428 hospitals to target. Orchestrated by an enigmatic leader using the online moniker “Stern,” the group of around 100 cybercriminals stole hundreds of millions of dollars over the course of roughly six years.

Despite a wave of law enforcement disruptions and a damaging leak of more than 60,000 internal chat messages from Trickbot and the closely associated counterpart group Conti, the identity of Stern has remained a mystery. Last week, though, Germany’s federal police agency, the Bundeskriminalamt or BKA, and local prosecutors alleged that Stern’s real-world name is Vi­ta­ly Ni­ko­lae­vich Kovalev, a 36-year-old, 5-foot-11-inch Russian man who cops believe is in his home country and thus shielded from potential extradition.

A recently issued Interpol red notice says that Kovalev is wanted by Germany for allegedly being the “ringleader” of a “criminal organisation.”

“Stern’s naming is a significant event that bridges gaps in our understanding of Trickbot—one of the most notorious transnational cybercriminal groups to ever exist,” says Alexander Leslie, a threat intelligence analyst at the security firm Recorded Future. “As Trickbot’s ‘big boss’ and one of the most noteworthy figures in the Russian cybercriminal underground, Stern remained an elusive character, and his real name was taboo for years.”

Stern has notably seemed to be absent from multiple rounds of Western sanctions and indictments in recent years calling out alleged Trickbot and Conti members. Leslie and other researchers have long speculated to WIRED that global law enforcement may have strategically withheld Stern’s alleged identity as part of ongoing investigations. Kovalev is suspected of being the “founder” of Trickbot and allegedly used the Stern moniker, the BKA said in an online announcement.

“It has long been assumed, based on numerous indications, that ‘Stern’ is in fact Kovalev,” a BKA spokesperson says in written responses to questions from WIRED. They add that “the investigating authorities involved in Operation Endgame were only able to identify the actor Stern as Kovalev during their investigation this year,” referring to a multi-year international effort to identify and disrupt cybercriminal infrastructure, known as Operation Endgame.

The BKA spokesperson also notes in written statements to WIRED that information obtained through a 2023 investigation into the Qakbot malware as well as analysis of the leaked Trickbot and Conti chats from 2022 were “helpful” in making the attribution. They added, too, that the “assessment is also shared by international partners.”

The German announcement is the first time that officials from any government have publicly alleged an identity for a suspect behind the Stern moniker. As part of Operation Endgame, BKA’s Stern attribution inherently comes in the context of a multinational law enforcement collaboration. But unlike in other Trickbot- and Conti-related attributions, other countries have not publicly concurred with BKA’s Stern identification thus far. Europol, the US Department of Justice, the US Treasury, and the UK’s Foreign, Commonwealth & Development Office did not immediately respond to WIRED’s requests for comment.

Several cybersecurity researchers who have tracked Trickbot extensively tell WIRED they were unaware of the announcement. An anonymous account on the social media platform X recently claimed that Kovalev used the Stern handle and published alleged details about him. WIRED messaged multiple accounts that supposedly belong to Kovalev, according to the X account and a database of hacked and leaked records compiled by District 4 Labs but received no response.

Meanwhile, Kovalev’s name and face may already be surprisingly familiar to those who have been following recent Trickbot revelations. This is because Kovalev was jointly sanctioned by the United States and United Kingdom in early 2023 for his alleged involvement as a senior member in Trickbot. He was also charged in the US at the time with hacking linked to bank fraud allegedly committed in 2010. The US added him to its most-wanted list. In all of this activity, though, the US and UK linked Kovalev to the online handles “ben” and “Bentley.” The 2023 sanctions did not mention a connection to the Stern handle. And, in fact, Kovalev’s 2023 indictment was mainly noteworthy because his use of “Bentley” as a handle was determined to be “historic” and distinct from that of another key Trickbot member who also went by “Bentley.”

The Trickbot ransomware group first emerged around 2016, after its members moved from the Dyre malware that was disrupted by Russian authorities. Over the course of its lifespan, the Trickbot group—which used its namesake malware, alongside other ransomware variants such as Ryuk, IcedID, and Diavol—increasingly overlapped in operations and personnel with the Conti gang. In early 2022, Conti published a statement backing Russia’s full-scale invasion of Ukraine, and a cybersecurity researcher who had infiltrated the groups leaked more than 60,000 messages from Trickbot and Conti members, revealing a huge trove of information about their day-to-day operations and structure.

Stern acted like a “CEO” of the Trickbot and Conti groups and ran them like a legitimate company, leaked chat messages analyzed by WIRED and security researchers show.

“Trickbot set the mold for the modern ‘as-a-service’ cybercriminal business model that was adopted by countless groups that followed,” Recorded Future’s Leslie says. “While there were certainly organized groups that preceded Trickbot, Stern oversaw a period of Russian cybercrime that was characterized by a high level of professionalization. This trend continues today, is reproduced worldwide, and is visible in most active groups on the dark web.”

Stern’s eminence within Russian cybercrime has been widely documented. The cryptocurrency-tracing firm Chainalysis does not publicly name cybercriminal actors and declined to comment on BKA’s identification, but the company emphasized that the Stern persona alone is one of the all-time most profitable ransomware actors it tracks.

“The investigation revealed that Stern generated significant revenues from illegal activities, in particular in connection with ransomware,” the BKA spokesperson tells WIRED.

Stern “surrounds himself with very technical people, many of which he claims to have sometimes decades of experience, and he’s willing to delegate substantial tasks to these experienced people whom he trusts,” says Keith Jarvis, a senior security researcher at cybersecurity firm Sophos’ Counter Threat Unit. “I think he’s always probably lived in that organizational role.”

Increasing evidence in recent years has indicated that Stern has at least some loose connections to Russia’s intelligence apparatus, including its main security agency, the Federal Security Service (FSB). The Stern handle mentioned setting up an office for “government topics” in July 2020, while researchers have seen other members of the Trickbot group say that Stern is likely the “link between us and the ranks/head of department type at FSB.”

Stern’s consistent presence was a significant contributor to Trickbot and Conti’s effectiveness—as was the entity’s ability to maintain strong operational security and remain hidden.

As Sophos’ Jarvis put it, “I have no thoughts on the attribution, as I’ve never heard a compelling story about Stern’s identity from anyone prior to this announcement.”

This story originally appeared on wired.com.

Photo of WIRED

Wired.com is your essential daily guide to what’s next, delivering the most original and complete take you’ll find anywhere on innovation’s impact on technology, science, business and culture.

Ransomware kingpin “Stern” apparently IDed by German law enforcement Read More »

spy-catcher-saw-“stupid”-tech-errors-others-made-fbi-says-he-then-made-his-own.

Spy-catcher saw “stupid” tech errors others made. FBI says he then made his own.

DIA, Security, SOCKS, spying / /

2) EMAIL ADDRESS FAIL: The FBI quickly gained access to the “anonymous” email account used to send the message. They found that, on the day that this account was set up, it received a message from a second email account—possibly as a test—which turned out to be one of Laatsch’s and contained his name as part of the email address.

3) EMAIL ACCOUNT FAIL: This second email account, when the FBI examined it, had been set up using Laatsch’s full name, date of birth, and phone number.

4) IP ADDRESS FAIL: Both the first and second email account had been logged into from the same IP address, suggesting they were controlled by the same person. And the IP address that was used for them both resolved to… Laatsch’s residence.

The leaker did suggest moving the conversation to an encrypted messaging platform, but the damage was already done.

The FBI immediately began a sting operation, posing as the “friendly country,” asking Laatsch to copy some juicy data and provide it in a “dead drop” at a park in northern Virginia. Laatsch allegedly then went in to work at DIA, using his deep knowledge of DIA computerized tracking systems to avoid detection by… copying secret documents into notebooks by hand, then ripping out the sheets of paper and stuffing them in his socks.

This appears to have worked well enough—except for the fact that internal DIA “video monitoring” was watching him do it, with FBI agents noting even the ways Laatsch tried to “hide his notebook” when co-workers walked by. Whether Laatsch was aware of this video monitoring system is unclear.

On May 1, 2025, Laatsch allegedly wrote up his notes, stored them on a thumb drive, and dropped them as requested at an Alexandria park. The drive was later retrieved by the FBI. On May 8, Laatsch told his contact that he wasn’t seeking money but “citizenship for your country” because he didn’t “expect things here to improve in the long term, even in the event there is a change in the future.”

Laatsch was arrested yesterday, May 29.

Spy-catcher saw “stupid” tech errors others made. FBI says he then made his own. Read More »

thousands-of-asus-routers-are-being-hit-with-stealthy,-persistent-backdoors

Thousands of Asus routers are being hit with stealthy, persistent backdoors

asus routers, backdoors, Biz & IT, hacking, Security / /

GreyNoise said it detected the campaign in mid-March and held off reporting on it until after the company notified unnamed government agencies. That detail further suggests that the threat actor may have some connection to a nation-state.

The company researchers went on to say that the activity they observed was part of a larger campaign reported last week by fellow security company Sekoia. Researchers at Sekoia said that Internet scanning by network intelligence firm Censys suggested as many as 9,500 Asus routers may have been compromised by ViciousTrap, the name used to track the unknown threat actor.

The attackers are backdooring the devices by exploiting multiple vulnerabilities. One is CVE-2023-39780, a command-injection flaw that allows for the execution of system commands, which Asus patched in a recent firmware update, GreyNoise said. The remaining vulnerabilities have also been patched but, for unknown reasons, have not received CVE tracking designations.

The only way for router users to determine whether their devices are infected is by checking the SSH settings in the configuration panel. Infected routers will show that the device can be logged in to by SSH over port 53282 using a digital certificate with a truncated key of: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ…

To remove the backdoor, infected users should remove the key and the port setting.

People can also determine if they’ve been targeted if system logs indicate that they have been accessed through the IP addresses 101.99.91[.]151, 101.99.94[.]173, 79.141.163[.]179, or 111.90.146[.]237. Users of any router brand should always ensure their devices receive security updates in a timely manner.

Thousands of Asus routers are being hit with stealthy, persistent backdoors Read More »

feds-charge-16-russians-allegedly-tied-to-botnets-used-in-cyberattacks-and-spying

Feds charge 16 Russians allegedly tied to botnets used in cyberattacks and spying

Biz & IT, botnet, russian hacking, Security, syndication / /

The hacker ecosystem in Russia, more than perhaps anywhere else in the world, has long blurred the lines between cybercrime, state-sponsored cyberwarfare, and espionage. Now an indictment of a group of Russian nationals and the takedown of their sprawling botnet offers the clearest example in years of how a single malware operation allegedly enabled hacking operations as varied as ransomware, wartime cyberattacks in Ukraine, and spying against foreign governments.

The US Department of Justice today announced criminal charges today against 16 individuals law enforcement authorities have linked to a malware operation known as DanaBot, which according to a complaint infected at least 300,000 machines around the world. The DOJ’s announcement of the charges describes the group as “Russia-based,” and names two of the suspects, Aleksandr Stepanov and Artem Aleksandrovich Kalinkin, as living in Novosibirsk, Russia. Five other suspects are named in the indictment, while another nine are identified only by their pseudonyms. In addition to those charges, the Justice Department says the Defense Criminal Investigative Service (DCIS)—a criminal investigation arm of the Department of Defense—carried out seizures of DanaBot infrastructure around the world, including in the US.

Aside from alleging how DanaBot was used in for-profit criminal hacking, the indictment also makes a rarer claim—it describes how a second variant of the malware it says was used in espionage against military, government, and NGO targets. “Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses,” US attorney Bill Essayli wrote in a statement.

Since 2018, DanaBot—described in the criminal complaint as “incredibly invasive malware”—has infected millions of computers around the world, initially as a banking trojan designed to steal directly from those PCs’ owners with modular features designed for credit card and cryptocurrency theft. Because its creators allegedly sold it in an “affiliate” model that made it available to other hacker groups for $3,000 to $4,000 a month, however, it was soon used as a tool to install different forms of malware in a broad array of operations, including ransomware. Its targets, too, quickly spread from initial victims in Ukraine, Poland, Italy, Germany, Austria, and Australia to US and Canadian financial institutions, according to an analysis of the operation by cybersecurity firm Crowdstrike.

Feds charge 16 Russians allegedly tied to botnets used in cyberattacks and spying Read More »

researchers-cause-gitlab-ai-developer-assistant-to-turn-safe-code-malicious

Researchers cause GitLab AI developer assistant to turn safe code malicious

AI, Artificial Intelligence, Biz & IT, chatbots, large language models, Security / /

Marketers promote AI-assisted developer tools as workhorses that are essential for today’s software engineer. Developer platform GitLab, for instance, claims its Duo chatbot can “instantly generate a to-do list” that eliminates the burden of “wading through weeks of commits.” What these companies don’t say is that these tools are, by temperament if not default, easily tricked by malicious actors into performing hostile actions against their users.

Researchers from security firm Legit on Thursday demonstrated an attack that induced Duo into inserting malicious code into a script it had been instructed to write. The attack could also leak private code and confidential issue data, such as zero-day vulnerability details. All that’s required is for the user to instruct the chatbot to interact with a merge request or similar content from an outside source.

AI assistants’ double-edged blade

The mechanism for triggering the attacks is, of course, prompt injections. Among the most common forms of chatbot exploits, prompt injections are embedded into content a chatbot is asked to work with, such as an email to be answered, a calendar to consult, or a webpage to summarize. Large language model-based assistants are so eager to follow instructions that they’ll take orders from just about anywhere, including sources that can be controlled by malicious actors.

The attacks targeting Duo came from various resources that are commonly used by developers. Examples include merge requests, commits, bug descriptions and comments, and source code. The researchers demonstrated how instructions embedded inside these sources can lead Duo astray.

“This vulnerability highlights the double-edged nature of AI assistants like GitLab Duo: when deeply integrated into development workflows, they inherit not just context—but risk,” Legit researcher Omer Mayraz wrote. “By embedding hidden instructions in seemingly harmless project content, we were able to manipulate Duo’s behavior, exfiltrate private source code, and demonstrate how AI responses can be leveraged for unintended and harmful outcomes.”

Researchers cause GitLab AI developer assistant to turn safe code malicious Read More »

authorities-carry-out-global-takedown-of-infostealer-used-by-cybercriminals

Authorities carry out global takedown of infostealer used by cybercriminals

Biz & IT, CISA, infostealer, infostealers, Security, syndication / /

Authorities, along with tech companies including Microsoft and Cloudflare, say they’ve disrupted Lumma.

A consortium of global law enforcement agencies and tech companies announced on Wednesday that they have disrupted the infostealer malware known as Lumma. One of the most popular infostealers worldwide, Lumma has been used by hundreds of what Microsoft calls “cyber threat actors” to steal passwords, credit card and banking information, and cryptocurrency wallet details. The tool, which officials say is developed in Russia, has provided cybercriminals with the information and credentials they needed to drain bank accounts, disrupt services, and carry out data extortion attacks against schools, among other things.

Microsoft’s Digital Crimes Unit (DCU) obtained an order from a United States district court last week to seize and take down about 2,300 domains underpinning Lumma’s infrastructure. At the same time, the US Department of Justice seized Lumma’s command and control infrastructure and disrupted cybercriminal marketplaces that sold the Lumma malware. All of this was coordinated, too, with the disruption of regional Lumma infrastructure by Europol’s European Cybercrime Center and Japan’s Cybercrime Control Center.

Microsoft lawyers wrote on Wednesday that Lumma, which is also known as LummaC2, has spread so broadly because it is “easy to distribute, difficult to detect, and can be programmed to bypass certain security defenses.” Steven Masada, assistant general counsel at Microsoft’s DCU, says in a blog post that Lumma is a “go-to tool,” including for the notorious Scattered Spider cybercriminal gang. Attackers distribute the malware using targeted phishing attacks that typically impersonate established companies and services, like Microsoft itself, to trick victims.

“In 2025, probably following Redline’s disruption and Lumma’s own development, it has ranked as the most active module, indicating its growing popularity and widespread adoption among cybercriminals,” says Victoria Kivilevich, director of threat research at security firm Kela.

Microsoft says that more than 394,000 Windows computers were infected with the Lumma malware between March 16 and May 16 this year. And Lumma was mentioned in more than 21,000 listings on cybercrime forums in the spring of 2024, according to figures cited in a notice published today by the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA). The malware has been spotted bundled in fake AI video generators, fake “deepfake” generation websites, and distributed by fake CAPTCHA pages.

Law enforcement’s collaboration with Microsoft’s DCU and other tech companies like Cloudflare focused on disrupting Lumma’s infrastructure in multiple ways, so its developers could not simply hire new providers or create parallel systems to rebuild.

“Cloudflare’s role in the disruption included blocking the command and control server domains, Lumma’s Marketplace domains, and banning the accounts that were used to configure the domains,” the company wrote in a blog post on Wednesday. “Microsoft coordinated the takedown of Lumma’s domains with multiple relevant registries in order to ensure that the criminals could not simply change the name servers and recover their control.”

While infostealing malware has been around for years, its use by cybercriminals and nation-state hackers has surged since 2020. Typically, infostealers find their way onto people’s computers through downloads of pirated software or through targeted phishing attacks that impersonate established companies and services, like Microsoft itself, to trick victims. Once on a computer it is able to grab sensitive information—such as usernames and passwords, financial information, browser extensions, multifactor authentication details and more—and send it back to the malware’s operators.

Some infostealer operators bundle and sell this stolen data. But increasingly the compromised details have acted as a gateway for hackers to launch further attacks, providing them with the details needed to access online accounts and the networks of multi-billion dollar corporations.

“It’s clear that infostealers have become more than just grab-and-go malware,” says Patrick Wardle, CEO of the Apple device-focused security firm DoubleYou. “In many campaigns they really act as the first stage, collecting credentials, access tokens, and other foothold-enabling data, which is then used to launch more traditional, high-impact attacks such as lateral movement, espionage, or ransomware.”

The Lumma infostealer first emerged on Russian-language cybercrime forums in 2022, according to the FBI and CISA. Since then its developers have upgraded its capabilities and released multiple different versions of the software.

Since 2023, for example, they have been working to integrate AI into the malware platform, according to findings from the security firm Trellix. Attackers want to add these capabilities to automate some of the work involved in cleaning up the massive amounts of raw data collected by infostealers, including identifying and separating “bot” accounts that are less valuable for most attackers.

One administrator of Lumma told 404Media and WIRED last year that they encouraged both seasoned hackers and new cybercriminals to use their software. “This brings us good income,” the administrator said, referring to the resale of stolen login data.

Microsoft says that the main developer behind Lumma goes by the online handle “Shamel” and is based in Russia.

“Shamel markets different tiers of service for Lumma via Telegram and other Russian-language chat forums,” Microsoft’s Masada wrote on Wednesday. “Depending on what service a cybercriminal purchases, they can create their own versions of the malware, add tools to conceal and distribute it, and track stolen information through an online portal.”

Kela’s Kivilevich says that in the days leading up to the takedown, some cybercriminals started to complain on forums that there had been problems with Lumma. They even speculated that the malware platform had been targeted in a law enforcement operation.

“Based on what we see, there is a wide range of cybercriminals admitting they are using Lumma, such as actors involved in credit card fraud, initial access sales, cryptocurrency theft, and more,” Kivilevich says.

Among other tools, the Scattered Spider hacking group—which has attacked Caesars Entertainment, MGM Resorts International, and other victims—has been spotted using the Lumma stealer. Meanwhile, according to a report from TechCrunch, the Lumma malware was allegedly used in the build-up to the December 2024 hack of education tech firm PowerSchool, in which more than 70 million records were stolen.

“We’re now seeing infostealers not just evolve technically, but also play a more central role operationally,” says DoubleYou’s Wardle. “Even nation-state actors are developing and deploying them.”

Ian Gray, director of analysis and research at the security firm Flashpoint, says that while infostealers are only one tool that cybercriminals will use, their prevalence may make it easier for cybercriminals to hide their tracks. “Even advanced threat actor groups are leveraging infostealer logs, or they risk burning sophisticated tactics, techniques, and procedures (TTPs),” Gray says.

Lumma isn’t the first infostealer to be targeted by law enforcement. In October last year, the Dutch National Police, along with international partners, took down the infrastructure linked to the RedLine and MetaStealer malware, and the US Department of Justice unsealed charges against Maxim Rudometov, one of the alleged developers and administrators of the RedLine infostealer.

Despite the international crackdown, infostealers have proven too useful and effective for attackers to abandon. As Flashpoint’s Gray puts it, “Even if the landscape ultimately shifts due to the evolution of defenses, the growing prominence of infostealers over the past few years suggests they are likely here to stay for the foreseeable future. Usage of them has exploded.”

This story originally appeared at wired.com.

Photo of WIRED

Wired.com is your essential daily guide to what’s next, delivering the most original and complete take you’ll find anywhere on innovation’s impact on technology, science, business and culture.

Authorities carry out global takedown of infostealer used by cybercriminals Read More »

“microsoft-has-simply-given-us-no-other-option,”-signal-says-as-it-blocks-windows-recall

“Microsoft has simply given us no other option,” Signal says as it blocks Windows Recall

Biz & IT, microsoft, privacy, recall, Security, signal messenger, Windows / /

But the changes go only so far in limiting the risks Recall poses. As I pointed out, when Recall is turned on, it indexes Zoom meetings, emails, photos, medical conditions, and—yes—Signal conversations, not just with the user, but anyone interacting with that user, without their knowledge or consent.

Researcher Kevin Beaumont performed his own deep-dive analysis that also found that some of the new controls were lacking. For instance, Recall continued to screenshot his payment card details. It also decrypted the database with a simple fingerprint scan or PIN. And it’s unclear whether the type of sophisticated malware that routinely infects consumer and enterprise Windows users will be able to decrypt encrypted database contents.

And as Cunningham also noted, Beaumont found that Microsoft still provided no means for developers to prevent content displayed in their apps from being indexed. That left Signal developers at a disadvantage, so they had to get creative.

With no API for blocking Recall in the Windows Desktop version, Signal is instead invoking an API Microsoft provides for protecting copyrighted material. App developers can turn on the DRM setting to prevent Windows from taking screenshots of copyrighted content displayed in the app. Signal is now repurposing the API to add an extra layer of privacy.

“We hope that the AI teams building systems like Recall will think through these implications more carefully in the future,” Signal wrote Wednesday. “Apps like Signal shouldn’t have to implement ‘one weird trick’ in order to maintain the privacy and integrity of their services without proper developer tools. People who care about privacy shouldn’t be forced to sacrifice accessibility upon the altar of AI aspirations either.”

Signal’s move will lessen the chances of Recall permanently indexing private messages, but it also has its limits. The measure only provides protection when all parties to a chat—at least those using the Windows Desktop version—haven’t changed the default settings.

Microsoft officials didn’t immediately respond to an email asking why Windows provides developers with no granular control over Recall and whether the company has plans to add any.

“Microsoft has simply given us no other option,” Signal says as it blocks Windows Recall Read More »

fbi-warns-of-ongoing-scam-that-uses-deepfake-audio-to-impersonate-government-officials

FBI warns of ongoing scam that uses deepfake audio to impersonate government officials

AI, deepfake, fbi, Federal Bureau of Investigation, Security / /

The FBI is warning people to be vigilant of an ongoing malicious messaging campaign that uses AI-generated voice audio to impersonate government officials in an attempt to trick recipients into clicking on links that can infect their computers.

“Since April 2025, malicious actors have impersonated senior US officials to target individuals, many of whom are current or former senior US federal or state government officials and their contacts,” Thursday’s advisory from the bureau’s Internet Crime Complaint Center said. “If you receive a message claiming to be from a senior US official, do not assume it is authentic.”

Think you can’t be fooled? Think again.

The campaign’s creators are sending AI-generated voice messages—better known as deepfakes—along with text messages “in an effort to establish rapport before gaining access to personal accounts,” FBI officials said. Deepfakes use AI to mimic the voice and speaking characteristics of a specific individual. The differences between the authentic and simulated speakers are often indistinguishable without trained analysis. Deepfake videos work similarly.

One way to gain access to targets’ devices is for the attacker to ask if the conversation can be continued on a separate messaging platform and then successfully convince the target to click on a malicious link under the guise that it will enable the alternate platform. The advisory provided no additional details about the campaign.

The advisory comes amid a rise in reports of deepfaked audio and sometimes video used in fraud and espionage campaigns. Last year, password manager LastPass warned that it had been targeted in a sophisticated phishing campaign that used a combination of email, text messages, and voice calls to trick targets into divulging their master passwords. One part of the campaign included targeting a LastPass employee with a deepfake audio call that impersonated company CEO Karim Toubba.

In a separate incident last year, a robocall campaign that encouraged New Hampshire Democrats to sit out the coming election used a deepfake of then-President Joe Biden’s voice. A Democratic consultant was later indicted in connection with the calls. The telco that transmitted the spoofed robocalls also agreed to pay a $1 million civil penalty for not authenticating the caller as required by FCC rules.

FBI warns of ongoing scam that uses deepfake audio to impersonate government officials Read More »

after-latest-kidnap-attempt,-crypto-types-tell-crime-bosses:-transfers-are-traceable

After latest kidnap attempt, crypto types tell crime bosses: Transfers are traceable

abduction, crime, crypto, france, Paris, Security / /

The sudden spike in copycat attacks in France, Belgium, and Spain over the last few months suggests that crypto robbery as a tactic has caught the attention of organized crime. (This week’s abduction attempt is already being investigated by the organized crime unit of the Parisian police.)

Crypto industry insiders seem convinced that organized crime likes these attacks because of a (mistaken) belief that crypto transfers are untraceable. So people like Chainalysis CEO Jonathan Levin are trying to clue in the crime bosses.

“For whatever reason, there is a perception that’s out there that crypto is an asset that is untraceable, and that really lends itself to criminals acting in a certain way,” Levin said at a recent conference covered by the trade publication Cointelegraph.

“Apparently, the [knowledge] that crypto is not untraceable hasn’t been received by some of the organized crime groups that are actually perpetrating these attacks, and some of them are concentrated in, you know, France, but not exclusively.”

After latest kidnap attempt, crypto types tell crime bosses: Transfers are traceable Read More »