cybersecurity

Archived version

Across the world, phone networks carry billions of passwords and login codes on a daily basis. Tech companies need to keep their subscribers logged in to their apps and accounts with maximum efficiency, wherever they might be. So these security codes need to get from Silicon Valley to everywhere, as quickly (and as cheaply) as possible. For most people they are a necessary annoyance, until they are breached with damaging consequences.

Companies, including banks and Big Tech, don’t send login codes to their customers directly. This would be costly and inefficient. Instead they rely on a sprawling and opaque network of contractors and subcontractors, each of which promises to shave off a part of the sending cost in return for market share. This is what the industry calls “lowest cost routing”. The catch is that any of these middleman companies can see everything transmitted. The codes that come saying “Do not share with anyone” might in fact already have been shared with more or less anyone.

...

Lighthouse obtained a cache of almost 100 million data packets from a phone industry source. The data gave a unique insight into telecom traffic passing through the network of a controversial Swiss outfit. Millions of these packets contained “A2P” (application-to-person) SMS messages. We analysed these to identify senders, recipients and type of message content.

We found millions of sensitive security codes and logins getting sent via Fink Telecom Services. The logins related to services from some of the world’s largest tech companies – including Google, Meta and Amazon; banks and crypto exchanges; dating sites and online marketplaces; and messaging apps including WhatsApp, Viber and Signal. Overall we identified over 1000 companies sending logins to their customers via the network run by maverick telecom entrepreneur Andreas Fink. The text messages we were looking at often told us the account names as well as the login codes and phone numbers.

...

cross-posted from: https://lemmy.sdf.org/post/36828953

Archived

The Apple and Google app stores continue to offer private browsing apps that are surreptitiously owned by Chinese companies, more than six weeks after they were identified in a Tech Transparency Project report. Apple and Google may also be profiting from these apps, which put Americans’ privacy and U.S. national security at risk, TTP found.

[...]

After the Financial Times asked Apple for comment on these findings, two of the apps linked to Qihoo 360—Thunder VPN and Snap VPN—were pulled from its app store. When TTP checked again in early May, another Qihoo 360-connected app called Signal Secure VPN had been quietly removed. But two other apps linked to Qihoo 360—Turbo VPN and VPN Proxy Master—remained available in the U.S. Apple App Store, along with 11 other Chinese-owned apps identified in TTP’s report.

The Google Play Store, meanwhile, offered four Qihoo 360-connected apps—Turbo VPN, VPN Proxy Master, Snap VPN, and Signal Secure VPN—as well as seven other Chinese-owned VPNs identified in TTP’s initial report.

The linked article lists several China-owned VPN apps identified by the Tech Transparency Project (TTP).

[...]

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Interesting article where ~35k devices from 45 manufacturers have vulnerabilities

Advice is probably not as easy to implement as this in real life:

Forescout recommends that you immediately stop the direct connection of devices to the Internet, to use VPNs or segmented networks, and to ensure prompt firmware updates. Otherwise, tens of thousands of systems around the world will remain a potential entry point for attackers.

We’re excited to announce the release of Vulnerability-Lookup 2.11.0 — and it comes with a major milestone for decentralized vulnerability publication!

What's New

GCVE-BCP-03 - Decentralized Publication Standard

The GCVE BCP-03 Decentralized Publication Standard has now been implemented for the first time.

This standard enables GCVE Numbering Authority (GNA) organizations to publish their vulnerability information directly—without relying on a centralized system.

As a first step, version 2.10.0 of Vulnerability-Lookup introduced support for maintaining a local copy of the GCVE registry. With the latest release, it's now possible to synchronize the list of local organizations in a Vulnerability-Lookup instance with this local GCVE registry.

This new capability provides a simple way to maintain an up-to-date list of GNA organizations in any Vulnerability-Lookup deployment.

Administrators can then choose which advisories, published by these GNA organizations, they want to import into their instance. This is possible thanks to a new feeder. (151)

Security Advisories from the Local Vulnerability-Lookup Instance (gna-65535.private.circl.lu)

This view displays advisories published on the current local instance.

Security Advisories from GNA-1 Retrieved in the Local Vulnerability-Lookup Instance (gna-65535.private.circl.lu)

This view shows advisories retrieved from a remote GNA instance (GNA-1) using the new feeder system.

Security Advisories from GNA-1 Retrieved in the Local Vulnerability-Lookup Instance (vulnerability.circl.lu)

This screenshot displays the same advisory as in the previous example, but as seen on its originating instance.

Dashboard

The dashboard where administrators manage the local GCVE registry.

Organization Management

This section allows the management of both GNA and non-GNA organizations.

Editing an Organization

Editing details for a specific organization.

The distributed GCVE network

Changes

• Added pagination in the API to the endpoint which list EMB3D objects. (a669461)
• Vendor and Product management in vulnerability-lookup (#105)
• Improvements to the view of recent vulnerabilities. The navigation menu is now automatically updated based on the list of GNAs the local instance is subscribed to.
• Various improvements to the admin dashboard.
• Various improvements to the documentation.

Fixes

• Multiple comments share same UUID (#158)
• GCVE data/feed is missing (#155)
• Dockerfile change by P-T-I (#153)
• Fixes to installation instructions by jeroenh (#154)
• doc fix by jeroenh (#156)
• Small fixes on containers by claudex (#157)
• Fixed a test in the disculosure.html template. The description of approved diclosures was never displayed. (1ec3e55)

Changelog

📂 To see the full rundown of the changes, users can visit the changelog on GitHub: https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.11.0

Feedback and Support

If you encounter issues or have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Follow us on Fediverse/Mastodon

You can follow us on Mastodon and get real time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/

• Check Point Research uncovered an active malware campaign exploiting expired and released Discord invite links. > - Attackers hijacked the links through vanity link registration, allowing them to silently redirect users from trusted sources to malicious servers.
• The attackers combined the ClickFix phishing technique, multi-stage loaders, and time-based evasions to stealthily deliver AsyncRAT, and a customized Skuld Stealer targeting crypto wallets.
• Payload delivery and data exfiltration occur exclusively via trusted cloud services such as GitHub, Bitbucket, Pastebin, and Discord, helping the operation blend into normal traffic and avoid raising alarms. The operation continues to evolve, and threat actors can now bypass Chrome’s App Bound Encryption (ABE) by using adapted tools like ChromeKatz to steal cookies from new Chromium browser versions.

On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalists that consented for their cases described publicly. The key findings from our forensic analysis of their devices are summarized below:

• Our analysis finds forensic evidence confirming with high confidence that both a prominent European journalist (who requests anonymity), and Italian journalist Ciro Pellegrino, were targeted with Paragon’s Graphite mercenary spyware.
• We identify an indicator linking both cases to the same Paragon operator.
• Apple confirms to us that the zero-click attack deployed in these cases was mitigated as of iOS 18.3.1 and has assigned the vulnerability CVE-2025-43200. Our analysis is ongoing.

cross-posted from: https://scribe.disroot.org/post/3093548

Archived version

...

Russia’s subsequent efforts to destabilize and subjugate ... Ukraine have involved a combination of conventional military aggression, sabotage, cyberattacks, disinformation campaigns, and support for pro-Russian actors in Ukraine. Thanks to this prolonged exposure to Russian hybrid warfare, Ukraine has been able to develop countermeasures that have helped build resilience and reduce the impact of Russia’s hybrid operations.

Ukraine’s response has been a collaborative effort involving the Ukrainian government, civil society, and the private sector. In the cyber sphere, efforts to improve Ukraine’s digital security have played a key role, with the launch of the country’s popular Diia platform and the establishment of the Ministry of Digital Transformation helping to drive important digital governance reforms.

...

Ukraine has also benefited from a decentralized approach involving digital volunteers, civil society, and public-private partnerships. A wide range of civic tech groups and open-source investigators are active in Ukraine detecting and countering Russian disinformation. These measures have made it possible to expose Russian narratives efficiently, coordinate messaging across government and civil society, and maintain coherence during military operations.

...

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

• Check Point Research (CPR) discovered a new campaign conducted by the APT group Stealth Falcon. The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server. CVE-2025-33053 allows remote code execution through manipulation of the working directory. Following CPR’s responsible disclosure, Microsoft today, June 10, 2025, released a patch as part of their June Patch Tuesday updates.
• Stealth Falcon’s activities are largely focused on the Middle East and Africa, with high-profile targets in the government and defense sectors observed in Turkey, Qatar, Egypt, and Yemen.
• Stealth Falcon continues to use spear-phishing emails as an infection method, often including links or attachments that utilize WebDAV and LOLBins to deploy malware.
• Stealth Falcon deploys custom implants based on open-source red team framework Mythic, which are either derived from existing agents or a private variant we dubbed Horus Agent. The customization not only introduce anti-analysis and anti-detection measures but also validate target systems before ultimately delivering more advanced payloads.
• In addition, the threat group employs multiple previously undisclosed custom payloads and modules, including keyloggers, passive backdoors, and a DC Credential Dumper.

cross-posted from: https://lemmy.sdf.org/post/36375283

Archived

Here is the technical report by SentinelOne.

An IT services company, a European media group, and a South Asian government entity are among the more than 75 companies where China-linked groups have planted malware to access strategic networks should a conflict break out.

SentinelLABS, the threat intel and research arm of security shop SentinelOne, uncovered these new clusters of malicious activity when the suspected Chinese spies tried to break into SentinelOne's own servers in October.

"We tend to prioritize China, and seeing them start to poke at our own products, our own infrastructure, that immediately raises the red flag for us," SentinelOne threat researcher Tom Hegel told The Register in a phone interview. While the attempted SentinelOne intrusion was unsuccessful, being the target of a Chinese reconnaissance campaign led the threat hunters into a deeper analysis of the broader campaign and malware used.

"We started to hunt for it globally, look at their infrastructure and identify those other victims," Hegel said.

[...]

SentinelLABS found more than 70 victims globally across manufacturing, government, finance, telecommunications, and research. One of these was an IT services and logistics company that manages hardware logistics for SentinelOne employees.

Additionally, the security outfit's research uncovered a September 2024 intrusion into a "leading European media organization."

It's a broad range of victims, but they all share one thing in common: they represent strategic targets as China prepares for war of the cyber or kinetic variety.

[...]

SentinelOne, as a security vendor for government and critical infrastructure organizations, makes an attractive starting point for a supply-chain attack along the lines of what Russian spies did to Mandiant during the SolarWinds fiasco.

[...]