DarkCyber for October 19, 2021: DDoS Takedown, More NSO Group PR, VPN Shift, and Autonomous Kills

October 19, 2021

DarkCyber reports about cyber security, online services, and smart software. You can view this program at this url.

This edition of the program includes four stories:

  1. The US Department of Justice terminated 15 Internet domains involved in denial of service functions. These offered crime as a service and allowed customers to launch DDoS attacks with minimal technical expertise.
  2. The NSO Group captured headlines again. The result of revelations in a British legal proceeding resulted in the Israeli specialized services firm firing one of its Middle Eastern clients.
  3. Roll ups are popular among some financial experts. Aggregation means less competition and greater market reach. Consolidation is underway in the virtual private network sector. Will Kape Technology’s acquisition of Private Internet Access and Express VPN produce benefits for customers?
  4. The final story explores the most innovative facet of Israel’s alleged autonomous termination of a nuclear scientist. The smart software is just part of the story.

DarkCyber is produced by Stephen E Arnold, publisher of Beyond Search.

Kenny Toth, October 19, 2021

The Darknet: a Dangerous Place

October 6, 2021

Criminal activity on the Darknet is growing and evolving. One person who has taken it on themselves to study the shadow realm shares some of their experiences and observations with reporter Vilius Petkauskas in, “Darknet Researcher: They Said They’ll Come and Kill Me—Interview” at CyberNews. The anonymous interviewee, who works with research firm DarkOwl, describes a threat to their life, one serious enough to prompt them to physically move their family to a new home. They state:

“There was one specific criminal actor I was going after, trying to figure out where they were operating, who they were involved with, what groups they were affiliated with. I became a target. They turned on me and said, we will find whoever wrote this and come kill them. We will destroy them.”

Yes, poking around the Darknet can be dangerous business. What sorts of insights has our brave explorer found? Recently, there has been a substantial uptick in ransomware, and for good reason. The researcher explains:

“Look at ransomware as a service (RaaS). First and second-generation ransomware lockers were developed by incredibly smart malware developers, cryptologists, and encryption specialists. Those who designed and employed such software were some of the most sophisticated malware developers or ‘elite’ hackers around if you want to label them that. But with the RaaS affiliate model, they’re giving others the chance to ‘rent’ ransomware for as little as a few hundred bucks a year, depending on which strain they’re using. Anyone interested in getting into the business of ransomware can enter the market without necessarily having any prior or expert knowledge of how to conduct an enterprise-level attack against a network. Some of the gangs, like Lockbit 2.0 are nearly entirely automated, and their affiliates don’t need to have the slightest clue what they’re doing. You just push, plug, and play. Identify the victim, drop it onto the network, and the rest is taken care of.”

How convenient. Getting into the target’s network, though, is another matter. For that criminals turn to

initial access brokers (IABs), also located on the Darknet, who help breach networks through vulnerabilities, leaked credentials, and other weaknesses. See the write-up for more of the researchers hard-won observations. They close with this warning—there is more going on here than opportunists looking to make a buck. Espionage and cyber terrorism are also likely involved, they say. We cannot say we are surprised.

Cynthia Murrell, October 6, 2021

DarkCyber for October 5, 2021, Now Available

October 5, 2021

DarkCyber Number 20 for October 5, 2021 is available at this link. The program focuses on artificial intelligence operations or AIOps. The 11 minute program reviews how AIOps work, applications for law enforcement and intelligence activities, upsides, and downsides. The methods discussed include those of a late 1990s innovator implementing a method which has rippled over a 20 year period to the Stanford University Artificial Intelligence Lab. Snorkel.ai — a start up with more than $132 million in funding — is an influential AIOps system used by a number of high profile companies. DarkCyber is produced by Stephen E Arnold, publisher of Beyond Search. The video is available on YouTube and via the splash page of Mr. Arnold’s blog, Beyond Search. The videos are not sponsored and contain no advertising.

Kenny Toth, October 5, 2021

DarkCyber for September 21, 2021 Now Available

September 21, 2021

DarkCyber for September 21, 2021, reports about the Dark Web, cyber crime, and lesser known Internet services. The program is produced every two weeks. This is the 19th show of 2021. There are no sponsored stories nor advertisements. The program provides basic information about subjects which may not have been given attention in other forums. The program is available at this link.

This week’s program includes five stories.

First, we provide information about two online services which offer content related to nuclear weapons. Neither source has been updated for a number of months. If you have an interest in this subject, you may want to examine the information in the event it is disappeared.

Second, you will learn about Spyfone. DarkCyber’s approach is to raise the question, “What happens when specialized software once considered “secret” by some nation states becomes available to consumers.

Third, China has demonstrated its control of certain online companies; for example, Apple. The country can cause certain applications to be removed from online stores. The argument is that large US companies, like a French bulldog, must be trained in order stay in the Middle Kingdom.

Fourth, we offer two short items about malware delivered in interesting ways. The first technique is put malicious code in a video card’s graphics processing unit. The second summarizes how “free” games have become a vector for compromising network security.

The final story reports that a Russian manufacturer of drones is taking advantage of a relaxed policy toward weapons export. The Russian firm will produce Predator-like drones in countries which purchase the unmanned aerial vehicles. The technology includes 3D printing, specialized software, and other advanced manufacturing techniques. The program includes information about they type of kinetic weapons these drones can launch.

DarkCyber is produced by Stephen E Arnold and his DarkCyber research team. You can download the program from the Beyond Search blog or from YouTube.

Kenny Toth, September 21, 2021

DarkCyber for September 7, 2021 Now Available

September 7, 2021

DarkCyber is a twice-a-month video news program about the Dark Web, cyber crime, and lesser known Internet services. Program 18 includes stories about China’s information war fighting. The program explains three services which allow anyone to find the individual to which a US license plate has been registered. Crypto currency for criminal activities is playing a larger and larger role in illegal activities. How can you determine the level of risk associated with a particular digital currency transaction. DarkCyber points to a service which provides extremely useful information. The US government has released yet another report about facial recognition. Learn the three systems which are relied upon by several US government entities. There’s a great deal of chatter about nation stations which are sponsoring cyber attacks on the US. These stories often overlook the ease with which an insider can be instrumental in providing access to an allegedly secure network. And, finally, we explain how the Hellfire missile equipped with fragmenting blades has sliced and diced its way into Afghani history. DarkCyber is a production of Stephen E Arnold. The program appears every two weeks. This week’s program is available on the Beyond Search blog and on YouTube.

Kenny Toth, September 7, 2021

DarkCyber for August 24, 2021, Now Available

August 24, 2021

The program for August 24, 2021, is now available at this link. This program, number 17 in the 2021 series, contains five stories. These are:

The NSO Group matter has produced some interesting knock on effects.

The consequence of NSO Group’s activities include criticism from the United Nations and Edward Snowden, a whistle blower and resident of Moscow. The Taliban’s takeover of Afghanistan was remarkable.

The core technology for the antagonists is discussed. You will learn about the musician Tankz and his method for making illegal credit card fraud accessible to young people in the UK and elsewhere. In addition to alleged financial crime, Tankz sings about Pyrex whipping. Ask your children what this is and then decide if you need to take action.

The program includes another reminder than one can find anti-security actors on the Regular Web and the Dark Web. The challenge is to make sure you do not become the victim of a scam.

The US government created an interesting report about nuclear war. It is not clear how lo9ng this document will remain available from a public Web server. You can check the link in the DarkCyber video for yourself. Tip: The document explains how the US may select a target for a nuclear strike.

The final story reports that the drone called Avenger has a new capability: Autonomous decision capability enabled by track and follow electronics. No human operator needed when a target is identified.

DarkCyber is produced by Stephen E Arnold and the DarkCyber research team. New programs appear every two weeks unless one of the video distribution services decides to remove the content derived from open sources of information. Tankz and a fellow traveler named DankDex, purveyor of the Fraud Bible, appear to post without pushback.

Kenny Toth, August 24, 2021

DarkCyber for August 10, 2021 Now Available

August 10, 2021

The DarkCyber video for August 10, 2021 is now available at this link. The program includes a snapshot of NSO Group’s content marketing campaign, information about inherently insecure software, fine dining at the Central Intelligence Agency, and a sure fire way to phish with quite tasty bait. The drone story explains an autonomous drone. Just give it a goal and the drone figures out what to do. No human input required. Best of all, a swarm of drones can interact with other drones in the swarm to reach a decision about how to achieve an objective. DarkCyber is produced by Stephen E Arnold, publisher of Beyond Search. The DarkCyber videos are issued every two weeks and are available at www.arnoldit.com/wordpress as well as Youtube.

Kenny Toth, August 10, 2021

New Malware MosaicLoader Takes Unusual Attack Vector

August 5, 2021

ZDNet warns us about some micro targeting from bad actors in, “This Password-Stealing Windows Malware is Distributed Via Ads in Search Results.” The malware was first identified by Bitdefender, which named it MosaicLoader. The security experts believe a new group is behind these attacks, one not tied to any known entities. Writer Danny Palmer tells us:

“MosaicLoader can be used to download a variety of threats onto compromised machines, including Glupteba, a type of malware that creates a backdoor onto infected systems, which can then be used to steal sensitive information, including usernames and passwords, as well as financial information. Unlike many forms of malware, which get distributed via phishing attacks or unpatched software vulnerabilities, MosaicLoader is delivered to victims via advertising. Links to the malware appear at the top of search results when people search for cracked versions of popular software. Automated systems used to buy and serve advertising space likely means that nobody in the chain – aside from the attackers – know the adverts are malicious at all. The security company said that employees working from home are at higher risk of downloading cracked software. ‘Most likely, attackers are purchasing adverts with downstream ad networks – small ad networks that funnel ad traffic to larger and larger providers. They usually do this over the weekend when manual ad vetting is impacted by the limited staff on call,’ Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet.”

Antivirus software might catch MosaicLoader—if users have not disabled it because they are downloading illegally cracked software. Oops. Once downloaded, the malware can steal usernames and passwords, farm out crypto currency mining, and install Trojan software through which malefactors can access the machine. Users should be safe if they do not attempt to download pirated software. Sometimes, though, such software does a good job of posing as legitimate. Palmer advises readers to avoid being duped by navigating away if instructed to disable antivirus software before downloading any program. That is always good advice.

Cynthia Murrell, August 5, 2021

NSO Group: Talking and Not Talking Is Quite a Trick

July 30, 2021

I read “A Tech Firm Has Blocked Some Governments from Using Its Spyware over Misuse Claims.” First, let’s consider the headline. If the headline is factual, the message I get is that NSO Group operates one or more servers through which Pegasus traffic flows. Thus, the Pegasus system includes one or more servers which have log files, uptime monitoring, and administrative tools which permit operations like filtering, updating, and the like. Thus, a systems administrator with authorized access to one or a fleet of NSO Group servers supporting Pegasus can do what some system administrators do: Check out what’s shakin’ with the distributed system. Is the headline accurate? I sure don’t know, but the implication of the headline (assuming it is not a Google SEO ploy to snag traffic) is that NSO Group is in a position to know — perhaps in real time via a nifty AWS-type dashboard — who is doing what, when, where, for how long, and other helpful details about which a curious observer finds interesting, noteworthy, or suitable for assessing an upcharge. Money is important in zippy modern online systems in my experience.

My goodness. That headline was inspirational.

What about the write up itself from the real news outfit National Public Radio or NPR, once home to Bob Edwards, who was from Louisville, not far from the shack next to a mine run off pond outside my door. Ah, Louisville, mine drainage, and a person who finds this passage suggestive:

“There is an investigation into some clients. Some of those clients have been temporarily suspended,” said the source in the company, who spoke to NPR on condition of anonymity because company policy states that NSO “will no longer be responding to media inquiries on this matter and it will not play along with the vicious and slanderous campaign.”

So the company won’t talk to the media, but does talk to the media, specifically NPR. What do I think about that? Gee, I just don’t know. Perhaps I don’t understand the logic of NSO Group. But I don’t grasp what “unlimited” means when a US wireless provider assures customers that they have unlimited bandwidth. I am just stupid.

Next, I noted:

NSO says it has 60 customers in 40 countries, all of them intelligence agencies, law enforcement bodies and militaries. It says in recent years, before the media reports, it blocked its software from five governmental agencies, including two in the past year, after finding evidence of misuse. The Washington Post reported the clients suspended include Saudi Arabia, Dubai in the United Arab Emirates and some public agencies in Mexico. The company says it only sells its spyware to countries for the purpose of fighting terrorism and crime, but the recent reports claim NSO dealt with countries known to engage in surveillance of their citizens and that dozens of smartphones were found to be infected with its spyware.

Okay, if the headline is on the beam, then NSO Group, maybe some unnamed Israeli government agencies like the unit issuing export licenses for NSO Group-type software, and possibly some “trusted” third parties are going to prowl through the data about the usage of Pegasus by entities. Some of these agencies may be quite secretive. Imagine the meetings going on in which those in these secret agencies. What will the top dogs in these secret outfits about the risks of having NSO Group’s data sifted, filtered, and processed by Fancy Dan analytics’ systems tell their bosses? Yeah, that will test the efficacy of advanced degrees, political acumen, and possible fear.

And what’s NSO Group’s position. The information does not come from an NSO Group professional who does not talk to the media but sort of does. Here’s the word from the NSO Group’s lawyer:

Shmuel Sunray, who serves as general counsel to NSO Group, said the intense scrutiny facing the company was unfair considering its own vetting efforts.

“What we are doing is, what I think today is, the best standard that can be done,” Sunray told NPR. “We’re on the one hand, I think, the world leaders in our human rights compliance, and the other hand we’re the poster child of human rights abuse.”

I like this. We have the notion of NSO Group doing what it can do to the “best standard.” How many times has this situation faced an outfit in the intelware game, based in Herliya, and under the scrutiny of an Israeli agency which says yes or no to an export license for a Pegasus type system. Is this a new situation? Might be. If true, what NSO Group does will define the trajectory of intelware going forward, won’t it?

Next, I like the “world leaders” and “Human rights compliance.” This line creates opportunities for some what I would call Comedy Central comments. I will refrain and just ask you to consider the phrase in the context of the core functions and instrumentality of intelware. (If you want to talk in detail, write benkent2020 at yahoo dot com and one of my team will get back to you with terms and fees. If not, I am retired, so I don’t care.)

Exciting stuff and the NSO Group ice cream melt is getting stickier by the day. And in Herzliya, the temperature is 29 C. “C” is the grade I would assign to this  allegedly accurate statement from the article that NSO Group does not talk to the media. Get that story straight is my advice.

And, gentle NPR news professional, why not ask the lawyer about log file retention and access to data in Pegasus by an NSO system administrator?

Stephen E Arnold, July 30, 2021

Exploit Checklist for Bad Actors

July 28, 2021

I found this post my MIT Research (oops, sorry, I meant MITRE Research. The information in “2021 CWE Top 25 Most Dangerous Software Weaknesses” is fascinating. It provides hot links to details in a public facing encyclopedia called Common Weakness Enumeration. The link is to additional information about the Out-of-Bounds Write” weak point. The Top 25 is a helpful reference for good actors as well as bad actors. The MITRE team provides this preface to the list:

The 2021 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years. These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses. To create the 2021 list, the CWE Team leveraged Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record. A formula was applied to the data to score each weakness based on prevalence and severity.

Popular weaknesses, the equivalent of a 1960s AM radio station’s “Fast Mover Tunes” are:

  • CWE-276 (Incorrect Default Permissions): from #41 to #19
  • CWE-306 (Missing Authentication for Critical Function): from #24 to #11
  • CWE-502 (Deserialization of Untrusted Data): from #21 to #13
  • CWE-862 (Missing Authorization): from #25 to #18
  • CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)): from #31 to #25

New entries are:

  • CWE-276 (Incorrect Default Permissions): from #41 to #19
  • CWE-918 (Server-Side Request Forgery (SSRF)): from #27 to #24
  • CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)): from #31 to #25

A few minutes spent with this list can be instructive. The write up includes a list of weaknesses which one might want to know about.

Net net: Who will find this list more inspirational: Marketing oriented cyber threat vendors or bad actors working under the protection of nation states hostile to US interests?

Stephen E Arnold, July 28, 2021

Next Page »

  • Archives

  • Recent Posts

  • Meta