Tag Archive for: Journalists

Experts Warn of RambleOn Android Malware Targeting South Korean Journalists


Feb 17, 2023 | Ravie Lakshmanan | Mobile Security / Cyber Threat


Suspected North Korean nation-state actors targeted a journalist in South Korea with a malware-laced Android app as part of a social engineering campaign.

The findings come from South Korea-based non-profit Interlab, which coined the new malware RambleOn.

The malicious functionalities include the “ability to read and leak target’s contact list, SMS, voice call content, location and others from the time of compromise on the target,” Interlab threat researcher Ovi Liber said in a report published this week.

The spyware is disguised as a secure chat app called Fizzle (package name ch.seme), but in reality acts as a conduit for a next-stage payload hosted on pCloud and Yandex cloud storage.

The chat app is said to have been sent as an Android Package (APK) file over WeChat to the targeted journalist on December 7, 2022, under the pretext of wanting to discuss a sensitive topic.

The primary purpose of RambleOn is to function as a loader for another APK file (com.data.WeCoin), while also requesting intrusive permissions that let it collect files, access call logs, intercept SMS messages, record audio, and read location data.


The secondary payload, for its part, is designed to provide an alternative channel for accessing the infected Android device using Firebase Cloud Messaging (FCM) as a command-and-control (C2) mechanism.

Interlab said it identified overlaps in the FCM functionality between RambleOn and FastFire, a piece of Android spyware that was attributed to Kimsuky by South Korean cybersecurity company S2W last year.

“The victimology of this event fits very closely with the modus operandi of groups such as APT37 and Kimsuky,” Liber said, pointing out the former’s use of pCloud and Yandex storage for payload delivery and command-and-control.




Iran: State-Backed Hacking of Activists, Journalists, Politicians


(Beirut) – Hackers backed by the Iranian government have targeted two Human Rights Watch staff members and at least 18 other high-profile activists, journalists, researchers, academics, diplomats, and politicians working on Middle East issues in an ongoing social engineering and credential phishing campaign, Human Rights Watch said today.

An investigation by Human Rights Watch attributed the phishing attack to an entity affiliated with the Iranian government known as APT42 and sometimes referred to as Charming Kitten. The technical analysis conducted jointly by Human Rights Watch and Amnesty International’s Security Lab identified 18 additional victims who have been targeted as part of the same campaign. The email and other sensitive data of at least three of them had been compromised: a correspondent for a major US newspaper, a women’s rights defender based in the Gulf region, and Nicholas Noe, an advocacy consultant for Refugees International based in Lebanon.

“Iran’s state-backed hackers are aggressively using sophisticated social engineering and credential harvesting tactics to access sensitive information and contacts held by Middle East-focused researchers and civil society groups,” said Abir Ghattas, information security director at Human Rights Watch. “This significantly increases the risks that journalists and human rights defenders face in Iran and elsewhere in the region.”

For the three people whose accounts were known to be compromised, the attackers gained access to their emails, cloud storage drives, calendars, and contacts, and also ran Google Takeout, a Google service that exports the data held in the core and additional services of a Google account.

Various security companies have reported on phishing campaigns by APT42 targeting Middle East-focused researchers, civil society groups, and dissidents. Most of them identify APT42 based on targeting patterns and technical evidence. Organizations such as Google and the cybersecurity companies Recorded Future, Proofpoint, and Mandiant have linked APT42 to Iranian authorities. Identifying and naming a threat actor helps researchers to identify, track, and link hostile cyber…


How the Internet of Things poses threats to journalists

“And far away, as Frodo put on the Ring […] The Dark Lord was suddenly aware of him, and his Eye piercing all shadows looked across the plain to the door that he had made […] and all the devices of his enemies were at last laid bare.” – J.R.R. Tolkien, “The Return of the King”

“You hereby grant Ring and its licensees an unlimited, irrevocable, fee free and royalty-free, perpetual, worldwide right to use, distribute, store, delete, translate, copy, modify, display, and create derivative works from such Content that you share through Services.” – Amazon Ring, Terms of Service (as of Oct. 5, 2022)

There is plenty of research showing that many journalists have insufficient support, inadequate training and incalculable numbers of adversaries looking to cause digital harm. Most journalist cybersecurity guidance focuses on legacy devices — laptops, tablets and phones. While these threats are by no means over (spyware, for example, is still very much a concern), it is important to acknowledge and address the invasion of newer networked technologies all around us, such as Amazon Alexa devices and smart light bulbs.

In a previous article for The Journalist’s Resource, I wrote about the multiplying numbers of consumer Internet of Things (IoT) devices in private and public spaces and the threat that they pose to journalists’ security. This article further categorizes threats to journalists from the IoT, pairing example threat-types in each category with descriptions of potential consequences. The information presented here is based on a forthcoming paper in Springer’s Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media. Rather than providing an exhaustive or overly-technical list of potential threats, this system represents an initial step toward illustrating new and upcoming threats. It is designed to appeal to a narrative-driven audience, such as the media, to help them navigate the uncertainty that shrouds IoT threats, such as surveillance

My goal is to give journalists ways to understand these threats, to easily communicate them to their…


Google Chrome Zero-Day Weaponized to Spy on Journalists


A zero-day vulnerability in Google Chrome was used by the established spyware group Candiru to compromise users in the Middle East — specifically journalists in Lebanon.

Avast researchers said the attackers compromised a website used by news agency employees in Lebanon and injected code into it. That code profiled visitors to identify specific, targeted users and routed only those users to an exploit server. There, the attackers collected a set of about 50 data points, including language, device type, time zone, and much more, to verify that they had reached the intended target before serving the exploit.

At the very end of the exploit chain, the attackers drop DevilsTongue spyware, the team noted.

“Based on the malware and TTPs used to carry out the attack, we can confidently attribute it to a secretive spyware vendor of many names, most commonly known as Candiru,” the Avast researchers explained.

The original vulnerability (CVE-2022-2294), discovered by the same Avast team, was a memory corruption flaw (a heap buffer overflow) in WebRTC. Google issued a patch on July 4.

“The vulnerabilities discovered here are definitely serious, particularly because of how far-reaching they are in terms of the number of products affected — most modern desktop browsers, mobile browsers, and any other products using the affected components of WebRTC,” James Sebree, senior staff research engineer with Tenable, said via email. “If successfully exploited, an attacker could potentially execute their own malicious code on a given victim’s computer and install malware, spy on the victim, steal information, or perform any other number of nefarious deeds.”

But, Sebree added, the original heap overflow flaw is complicated to exploit and won’t likely result in widespread, generalized attacks.

“It’s likely that any attacks utilizing this vulnerability are highly targeted,” Sebree explained. “While it’s unlikely that we will see generalized attacks exploiting this vulnerability, the chances are not zero, and organizations must patch accordingly.”

Candiru (aka Sourgum, Grindavik, Saito Tech, and Taveta) allegedly sells the DevilsTongue surveillance malware to governments around the world. The Israeli company was founded by engineers who left NSO Group, maker of the infamous Pegasus…
