CIA's Faulty Covert Communication System Exposed Iranian Informants to Arrest, Prison
Chinese threat actors are exploiting undisclosed Microsoft Exchange zero day bugs, Hacking group is installing back doors in VMware’s virtualization software, American to lead ITU, much more
In a feat of investigative journalism, Reuters discovered how a faulty CIA covert communications system made it easy for Iranian intelligence to identify and capture Iranian informants, at least six of whom suffered five to ten years in prison as a consequence of the U.S. spy agency’s incompetence.
The now-defunct tool may have exposed at least 21 Iranian spies and hundreds of other informants operating in different countries worldwide. Iranian authorities jailed the men as part of an aggressive counterintelligence purge by Iran that began in 2009, a campaign partly enabled by a series of CIA blunders, according to news reports and three former U.S. national security officials. Moreover, using aggressive measures, the CIA placed average Iranians in danger with little prospect of gaining critical intelligence.
The CIA declined to comment on Reuters’ findings or the intelligence agency’s operations in Iran. However, a spokeswoman said the CIA does its utmost to safeguard people who work with the agency. (Joel Schectman and Bozorgmehr Sharafedin / Reuters)
Researchers at Vietnamese cybersecurity firm GTSC claim that suspected Chinese threat actors are exploiting yet-to-be-disclosed Microsoft Exchange zero-day bugs allowing for remote code execution.
The attackers are chaining the pair of zero-days to deploy China Chopper web shells on compromised servers for persistence and data theft, as well as to move laterally to other systems on the victims' networks. The user agent used to install the web shells also belongs to AntSword, a China-based open-source website admin tool with web shell management support.
Microsoft hasn't disclosed any information regarding the two security flaws and is yet to assign a CVE ID to track them. Trend Micro released a security advisory confirming that they submitted the two new Microsoft Exchange zero-day vulnerabilities discovered by GTSC to Microsoft. (Sergiu Gatlan / Bleeping Computer)
Related: DoublePulsar - Medium, Bleeping Computer, Rapid7, Protocol, GTSC, Trend Micro, The Hacker News, The Stack, Reddit - cybersecurity, Security Affairs, The Register - Security, Microsoft Security Response Center, TechNet Blogs, Help Net Security
Mandiant and VMware jointly published warnings that a sophisticated hacker group has been installing backdoors in VMware’s virtualization software on multiple targets’ networks as part of an apparent espionage campaign.
By planting their own code in victims’ so-called hypervisors, VMware software that runs on a physical computer to manage all the virtual machines it hosts, the hackers could invisibly watch and run commands on the computers those hypervisors oversee. Because the malware targets the hypervisor on the physical device rather than the victim’s virtual machines, the hackers’ trick amplifies their access and evades nearly all traditional security measures designed to monitor those target machines for signs of foul play.
Mandiant discovered the hackers earlier this year and notified VMware. Researchers say they’ve seen the group carry out virtualization hacking, a technique historically dubbed hyperjacking in reference to “hypervisor hijacking,” in fewer than ten victims’ networks across North America and Asia. Mandiant warns that the hackers’ techniques to bypass traditional security controls by exploiting virtualization represent a serious concern and are likely to increase and evolve among hacker groups.
VMware said that “while there is no VMware vulnerability involved, we are highlighting the need for strong operational security practices that include secure credential management and network security.” The company also pointed to a guide to “hardening” VMware setups. (Andy Greenberg / Wired)
A top U.S. official, Doreen Bogdan-Martin, won a massive majority over a Russian rival to lead International Telecommunication Union (ITU), the United Nations agency that sets global standards for telecoms and tech infrastructure.
One hundred thirty-nine countries voted for Bogdan-Martin against 25 casting their ballots for Russia’s Rashid Ismailov. The election pitted Western democracies' vision of a more open version of the internet against authoritarian countries' government-controlled approach. (Clothilde Goujard / Politico EU)
The U.S. Justice Department announced that the FBI had arrested Jareh Sebastian Dalke, 30, who worked at the NSA as an Information Systems Security Designer for merely a month, accusing him of attempting to sell top secret documents to a foreign agent who was actually an undercover FBI agent.
Dalke allegedly used encrypted email to communicate with someone he believed was a foreign spy, offering to sell classified NSA documents in exchange for cryptocurrency. After Dalke sent excerpts of the documents to the FBI agent, he agreed to meet him to transfer more documents, according to the DOJ.
Dalke asked for $85,000 for the documents and told the FBI agent that he could get more information and documents. When all this happened, Dalke wasn’t working at the NSA anymore, but he reapplied to work at the agency a month later. (Lorenzo Franceschi-Bicchierai / Motherboard)
According to court records unsealed in Maryland, two physicians, including a U.S. Army major, were indicted on federal charges amid accusations that they passed confidential medical information to a person they thought was working for the Russian government.
Anna Gabrielian, 36, a civilian anesthesiologist in Baltimore, and her spouse, Jamie Lee Henry, 39, an internal medicine physician assigned to Fort Bragg in North Carolina, were charged with conspiracy and improper disclosures related to what federal prosecutors termed “efforts to assist Russia in connection with the conflict in Ukraine.”
According to federal court records, the pair allegedly passed along information related to at least five people who had been patients at Fort Bragg, including a retired Army officer, a current Defense Department employee, and three military spouses. They also allegedly provided medical information related to the spouse of someone employed by the Office of Naval Intelligence that reflected a medical issue that “Russia could exploit,” authorities asserted. (Dan Morse and Alex Horton / Washington Post)
As part of its ongoing bug bounty program, the Department of Defense recently paid out $75,000 in bounties to ethical hackers who discovered nearly 350 bugs inside its networks.
The most recent campaign, dubbed Hack the U.S., kicked off on July 4 in partnership with the Pentagon’s Chief Digital and Artificial Intelligence Office (CDAO), DOD Cyber Crime Center (DC3), and HackerOne. It involved 267 hackers, 139 new to the DOD’s vulnerability disclosure program. The department paid $75,000 in bounties and $35,000 in bonuses with 648 reports submitted, 349 of which were actionable. (Mark Pomerleau / DefenseScoop)
In an interview with Motherboard, the hacker who breached the news website Fast Company and used that access to push an offensive Apple News alert to many users says they performed the hack to “embarrass” Fast Company.
The hacker, who goes by the handle thrax, said the hack itself was opportunistic, and they didn’t specifically target Fast Company, at least initially. On a data trading website where they have an account, thrax released an alleged set of more than 6,700 records that they say in an accompanying post is taken from Fast Company’s WordPress database, including password hashes for some users.
Regarding the push notification, thrax said, “It could have been a hoax threat-to-life event, a hoax nuclear fallout, the hoax death of President Biden, a crypto scam or anything else which could have had the potential to shift markets. Instead, I chose to embarrass Fast Company.” (Joseph Cox / Motherboard)
Microsoft said that a threat group tied to the North Korean government called Zinc, also known as Lazarus, is weaponizing well-known open-source software in an ongoing campaign that has already succeeded in compromising "numerous" organizations in the media, defense and aerospace, and IT services industries.
The group has been lacing PuTTY and other legitimate, open source applications with highly encrypted code that ultimately installs espionage malware. The hackers pose as job recruiters and connect with individuals of targeted organizations over LinkedIn. After developing a level of trust over a series of conversations and eventually moving them to WhatsApp messenger, the hackers instruct the individuals to install the apps, which infect the employees' work environments.
The Trojanized PuTTY and KiTTY apps Microsoft observed use a clever mechanism to ensure that only intended targets get infected and that the malware doesn't inadvertently infect others. The app installers don't execute any malicious code. Instead, the ZetaNile malware gets installed only when the apps connect to a specific IP address and use the login credentials the fake recruiters give targets. (Dan Goodin / Ars Technica)
House Republicans asked U.S. Attorney General Merrick Garland to brief a congressional committee by October 5 on what they say are “politically-motivated cyberattacks intended to silence supporters of conservative causes.”
In a letter to Garland, the GOP’ers pointed to a string of hacks dating back to September 2021, when hackers claiming to be carrying out an Anonymous operation attacked the Texas Republican Party website after the state passed an anti-abortion law. They also cite pro-choice hacktivists leaking around 74 gigabytes of data from a Florida hosting company that serviced several conservative and religious organizations.
Researchers at CloudSEK report that a threat actor named LeakBase has shared a database containing personal information allegedly affecting 16 million users of Swachh City. This platform is part of the Indian government's Swachh Bharat Mission (translated as Clean India Mission) nationwide initiative to "achieve universal sanitation coverage."
Leaked details include usernames, email addresses, password hashes, mobile numbers, one-time passwords, last logged-in times, and IP addresses. According to Cyble, the database comprises 101,718 unique email addresses and 15,835,111 unique mobile numbers, putting users at risk of phishing, smishing, social engineering, and identity theft. (Ravie Lakshmanan / The Hacker News)
As the nationwide fight over reproductive health rights turns violent, members of the reproductive justice community are turning to companies that specialize in getting customers delisted from data broker sites to protect their home addresses and other sensitive information.
Efforts by authorities to police the trafficking in location data have yet to include data brokers trading in public records. The oversight, experts say, puts vulnerable groups like reproductive rights workers at risk. The National Abortion Federation offers members digital security training and encourages members to remove their information from data brokers or procure removal services. (Tonya Riley / Cyberscoop)