A former U.S. NSA employee has been sentenced to nearly 22 years in prison for attempting to sell classified documents to Russia.

Jareh Sebastian Dalke (32), of Colorado Springs, is a former employee of the U.S. National Security Agency (NSA) who has been sentenced to nearly 22 years (262 months) in prison for attempting to transmit classified National Defense Information (NDI) to Russia.

Dalke pleaded guilty to six counts of attempting to transmit classified documents to a foreign agent while he was working at the NSA. The man served as an Information Systems Security Designer between June 6 to July 1, 2022, this job position gave him access to sensitive information.

He shared excerpts of three classified documents, classified as Top Secret//Sensitive Compartmented Information (SCI), with an individual he believed to be a Russian agent, who was actually an FBI online covert employee. These attempts occurred between August and September 2022, using an encrypted email account to demonstrate his willingness to share sensitive information.

Dalke demanded $85,000 in return for sharing all the classified information, he was aware of the importance of the documents for the Kremlin. He also told the undercover agent that he would share more files upon his return to Washington, D.C.

Dalke arranged to transfer additional classified information to a purported Russian agent at Union Station in downtown Denver. The former NSA employee used a laptop and followed the instructions provided by his contact. Four of the transferred files contained Top Secret National Defense Information (NDI). One file was a letter expressing Dalke’s eagerness to provide information and expressing anticipation of mutual benefit.

Dalke was arrested by the FBI on September 28, shortly after he transmitted the files. The former NSA employee revealed he leaked the classified documents to injure the United States and to benefit Russia.

“This defendant, who had sworn an oath to defend our country, believed he was selling classified national security information to a Russian agent, when in fact, he was outing himself to the FBI,” said Attorney General Merrick B. Garland. “This sentence demonstrates that that those who seek to betray our country will be held accountable for their crimes. I am grateful to the FBI Denver and Washington Field Offices for their extraordinary work on this case.”

“This sentence should serve as a stark warning to all those entrusted with protecting national defense information that there are consequences to betraying that trust,” said FBI Director Christopher Wray. “Dalke believed he was passing classified information to an agent of the Russian government. The hard work of our FBI employees prevented that from happening and any potential harm to the United States.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, NSA)

A new malware named Cuttlefish targets enterprise-grade and small office/home office (SOHO) routers to harvest public cloud authentication data.

Researchers at Lumen’s Black Lotus Labs discovered a new malware family, named Cuttlefish, which targets enterprise-grade and small office/home office (SOHO) routers to harvest public cloud authentication data from internet traffic.

The malware creates a proxy or VPN tunnel on the compromised router to exfiltrate data, and then uses stolen credentials to access targeted resources. 

Cuttlefish has a modular structure, it was designed to primarily steal authentication data from web requests passing through the router from the local area network (LAN). The malicious code can also perform DNS and HTTP hijacking within private IP spaces. Additionally, it can interact with other devices on the LAN and transfer data or deploy new agents. The researchers observed similarities in code and build paths with a previously reported malware called HiatusRat, linked to China. Although there’s code overlap, no shared victimology has been observed, suggesting that these malware families operate concurrently.

“The Cuttlefish malware offers a zero-click approach to capturing data from users and devices behind the targeted network’s edge. Any data sent across network equipment infiltrated by this malware, is potentially exposed.” reads the Lumen’s Black Lotus researchers. “What makes this malware family so insidious is the ability to perform HTTP and DNS hijacking for connections to private IP addresses. Cuttlefish lies in wait, passively sniffing packets, acting only when triggered by a predefined ruleset.”

The malware has been active since at least July 27, 2023, with indications of earlier versions. The recent campaign spanned from October 2023 to April 2024. The experts noticed that the infection chain was distinct, with 99% of infections originating in Turkey, primarily from two major telecommunications providers. These providers comprised around 93% of infections, totaling 600 unique IP addresses. Other non-Turkish victims included IP addresses likely belonging to clients of global satellite phone providers and a potential US-based data center.

The researchers have yet to determine the initial access vector, however, they believe threat actors could have exploited known vulnerabilities or carried out brute-forcing credentials. Upon gaining access to the routers, the attackers deploy a bash script that gathers certain host-based data to send to the C2. The bash script also downloads and executes Cuttlefish.

The binary analyzed by the researchers is compiled for all major architectures used by SOHO operating systems. 

The malware passively monitors network packets for “credential markers,” including usernames, passwords, and authentication tokens. Cuttlefish primarily targets public cloud-based services such as Alicloud, AWS, Digital Ocean, CloudFlare, and BitBucket.

The Black Lotus Labs report highlights that targeted services are used for storing sensitive data. This approach enables threat actors to potentially copy data from cloud resources lacking the logging or controls commonly present in traditional network perimeters.

The malware store the stolen data in the log, then when the log file of filtered traffic reaches a specified size, Cuttlefish compresses it using gzip and uploads it to the C2 server using a computed uuid and a predefined value of “tid”.

Cuttlefish redirects DNS requests for private IP addresses to a specified DNS server and manipulates HTTP requests to reroute traffic to an infrastructure under the control of its operators using HTTP 302 error codes. This capability suggests that Cuttlefish can hijack internal or site-to-site traffic, enabling access to secured resources not exposed on the Internet.

“Cuttlefish represents the latest evolution in passive eavesdropping malware for edge networking equipment, allowing an actor to adapt and overcome the TLS configurations adopted by more modern enterprises.” concludes the report. “We also believe these innovations are the next generation in malware capabilities; the ability to eavesdrop and perform DNS and HTTP hijacking has seldom been observed – the few publicly identified campaigns include ZuoRat, VPNFilter, Attor, and Plead. However, this is the first instance where we have seen rules specifically designed to seek out private IP connections to hijack.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, malware)

A flaw in the R programming language enables the execution of arbitrary code when parsing specially crafted RDS and RDX files.

A vulnerability, tracked as CVE-2024-27322 (CVSS v3: 8.8), in the R programming language could allow arbitrary code execution upon deserializing specially crafted R Data Serialization (RDS) or R package files (RDX).

R is an open-source programming language widely used for statistical computing and graphics. It was initially developed by Ross Ihaka and Robert Gentleman at the University of Auckland, New Zealand, in the early 1990s. Since then, it has gained popularity among statisticians and data miners for its powerful features and extensive libraries for data manipulation, visualization, and statistical analysis.

The R programming language has also become increasingly popular in the AI/ML field because it allows to manage large datasets.

The vulnerability was reported by researchers at HiddenLayer, the experts pointed out that the attack vector is very effective because RDS files or R packages are often shared between developers and data scientists.

“Our team discovered that it is possible to craft a malicious RDS file that will execute arbitrary code when loaded and referenced. This vulnerability, assigned CVE-2024-27322, involves the use of promise objects and lazy evaluation in R.” reads the analysis published by HiddenLayer.

The R programming language has its serialization format, used for serializing objects with ‘saveRDS’ and deserializing them with ‘readRDS’. This format is also utilized when saving and loading R packages.

The vulnerability ties how R handles serialization (‘saveRDS’) and deserialization (‘readRDS’) and involves the use of promise objects and lazy evaluation in R.

“Lazy evaluation is a strategy that allows for symbols to be evaluated only when needed, i.e., when they are accessed.” continues the analysis. “The above is achieved by creating a promise object that has both a symbol and an expression attached to it. Once the symbol ‘y’ is accessed, the expression assigning the value of ‘x’ to ‘y’ is run. The key here is that ‘y’ is not assigned the value 1 because ‘y’ is not assigned to ‘x’ until it is accessed. While we were not successful in gaining code execution within the deserialization code itself, we thought that since we could create all of the needed objects, it might be possible to create a promise that would be evaluated once someone tried to use whatever had been deserialized.”

Attackers can put promise objects containing arbitrary code in the metadata of an RDS file in the form of expressions that will be evaluated during deserialization leading to the execution of the embedded code.

Possible attack scenarios see threat actors tricking victims into executing malicious files or distributing a malware-laced package through widely used repositories and waiting victims download them.

“Given the widespread usage of R and the readRDS function, the implications of this are far-reaching. Having followed our responsible disclosure process, we have worked closely with the team at R who have worked quickly to patch this vulnerability within the most recent release – R v4.4.0. In addition, HiddenLayer’s AISec Platform will provide additional protection from this vulnerability in its Q2 product release.” concludes the report.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, R programming language)

The China-linked threat actors Muddling Meerkat are manipulating DNS to probe networks globally since 2019.

Infoblox researchers observed China-linked threat actors Muddling Meerkat using sophisticated DNS activities since 2019 to bypass traditional security measures and probe networks worldwide.

The experts noticed a spike in activity observed in September 2023.

The threat actors appear to have the capability to control China’s Great Firewall and were observed utilizing a novel technique involving fake DNS MX records.

Attackers used “super-aged” domains, usually registered before the year 2000, to avoid DNS blocklists and blending in with old malware at the same time

The attackers manipulate MX (Mail Exchange) records by injecting fake responses through China’s Great Firewall. However, the Infoblox researchers have yet to discover the motivation behind the attacks.

“The GFW can be described as an “operator on the side,” meaning that it does not alter DNS responses directly but injects its own answers, entering into a race condition with any response from the original intended destination. When the GFW response is received by the requester first, it can poison their DNS cache.” reads the analysis published by Infoblox. “The GFW creates a lot of noise and misleading data that can hinder investigations into anomalous behavior in DNS. I have personally gone hunting down numerous trails only to conclude: oh, it’s just the GFW.”

The experts noticed that a cluster of activities linked to a threat actor tracked as “ExploderBot” included most demonstrably damaging DNS DDoS attacks, ceased in May 2018. However, low-volume attacks resembling Slow Drip DDoS attacks have persisted since then. These attacks involve queries for random subdomains of target domains, propagated through open resolvers. Despite their lower volumes, these attacks share similar behavioral patterns to DNS DDoS attacks.

Muddling Meerkat’s operations also used MX record queries for random subdomains of target domains, rather than the base domain itself. This scenario is unusual as it typically occurs when a user intends to send email to a subdomain, which is not common in normal DNS activity. The researchers noticed that many of the target domains lack functional mail servers, making these queries even more mysterious.

“The data we have suggests that the operations are performed in independent “stages;” some include MX queries for target domains, and others include a broader set of queries for random subdomains. The DNS event data containing MX records from the GFW often occurs on separate dates from those where we see MX queries at open resolvers.” concludes the report. “Because the domain names are the same across the stages and the queries are consistent across domain names, both over a multi-year period, these stages surely must be related, but we did not draw a conclusion about how they are related or why the actor would use such staged approaches.”

The report also includes indicators of compromise (IoCs) recommendations to neutralize these activities..

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, DNS)

Finnish hacker was sentenced to more than six years in prison for hacking into an online psychotherapy clinic and attempted extortion.

A popular 26-year-old Finnish hacker Aleksanteri Kivimäki was sentenced to more than six years in prison for hacking into the online psychotherapy clinic Vastaamo Psychotherapy Center, exposing tens of thousands of patient therapy records, and trying to extort the clinic and its clients.

The man was arrested near Paris on February 2023, where he was living under a false identity. Kivimäki was deported to Finland and his trial concluded in March 2024.

In October 2020, the Vastaamo Psychotherapy Center was the victim of an extortion attempt. Threat actors hacked the clinic and stole a database containing information of some 33,000 clients. A threat actor that goes online with moniker “ransom_man” demanded 40 bitcoin (approximately 450,000 euros at the time) to avoid leaking sensitive therapy information stolen for the clinic, which refused to pay.

“Ransom_man announced on the dark web that he would start publishing 100 patient profiles every 24 hours. When Vastaamo declined to pay, ransom_man shifted to extorting individual patients. According to Finnish police, some 22,000 victims reported extortion attempts targeting them personally, targeted emails that threatened to publish their therapy notes online unless paid a 500 euro ransom.” reads the post published by Brian Krebs. “Finnish prosecutors quickly zeroed in on a suspect: Julius “Zeekill” Kivimäki, a notorious criminal hacker convicted of committing tens of thousands of cybercrimes before he became an adult. After being charged with the attack in October 2022, Kivimäki fled the country. He was arrested four months later in France, hiding out under an assumed name and passport.”

The hacker demanded a ransom of 200 euros or 500 euros to each patient, and about 20 clients paid it.

The man was found guilty of several offenses, which included aggravated data breach, 21,000 counts of aggravated blackmail attempts, and 9,200 counts of aggravated dissemination.

Kivimäki denied all charges and may appeal, according to his lawyer. Prosecutors aimed for the maximum sentence of seven years, given the nature of the crimes.

Kivimäki was involved in multiple criminal cases in the past, he was a member of the hacker group Hack the Planet (HTP).

Kivimäki is also known as a member of the notorious hacker group Lizard Squad.

In 2013, investigators discovered malicious code on devices seized from Kivimäki, which was used by HTP to compromise over 60,000 servers exploiting an Adobe ColdFusion zero-day. This exploit was reported by Brian Krebs in September 2013, after the hackers breached the servers of LexisNexis, Kroll, and Dun & Bradstreet.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Finnish Hacker)

The US government’s cybersecurity agency CISA published a series of guidelines to protect critical infrastructure against AI-based attacks.

CISA collaborated with Sector Risk Management Agencies (SRMAs) and regulatory agencies to conduct sector-specific assessments of AI risks to U.S. critical infrastructure, as mandated by Executive Order 14110 Section 4.3(a)(i). The analysis categorized AI risks into three categories:

• Attacks Using AI;
• Attacks Targeting AI Systems;
• Failures in AI Design and Implementation.

AI risk management for critical infrastructure is an ongoing process throughout the AI lifecycle.

These guidelines integrate the AI Risk Management Framework into enterprise risk management programs for critical infrastructure. The AI RMF Core consists of the Govern, Map, Measure, and Manage functions.

The Govern function within the AI RMF establishes an organizational approach to AI Risk Management within existing Enterprise Risk Management (ERM). Recommended actions for addressing risks throughout the AI lifecycle are integrated into the Map, Measure, and Manage functions. These guidelines improve AI safety and security risk management practices proposed by the NIST AI RMF.

CISA highlights that the risks are context-dependent, this implies that critical infrastructure operators should consider sector-specific and context-specific factors when assessing and mitigating AI risks. Specific sectors may need to define their own tailored guidelines for managing AI risk. Stakeholders may focus on different aspects of the AI lifecycle depending on their sector or role, whether they are involved in the design, development, procurement, deployment, operation, management, maintenance, or retirement of AI systems.

“Critical infrastructure owners and operators can foster a culture of risk management by aligning AI safety and security priorities with their own organizational principles and strategic priorities. This organizational approach follows a “secure by design” philosophy where leaders prioritize and take ownership of safety and security outcomes and build organizational structures that make security a top priority.” read the guidelines.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, CISA)

The UK National Cyber Security Centre (NCSC) orders smart device manufacturers to ban default passwords starting from April 29, 2024.

The U.K. National Cyber Security Centre (NCSC) is urging manufacturers of smart devices to comply with new legislation that bans default passwords.

The law, known as the Product Security and Telecommunications Infrastructure act (or PSTI act), will be effective on April 29, 2024.

“From 29 April 2024, manufacturers of consumer ‘smart’ devices must comply with new UK law.” reads the announcement published by NCSC. “The law, known as the Product Security and Telecommunications Infrastructure act (or PSTI act), will help consumers to choose smart devices that have been designed to provide ongoing protection against cyber attacks.”

The U.K. is the first country in the world to ban default credentia from IoT devices.

The law prohibits manufacturers from supplying devices with default passwords, which are easily accessible online and can be shared.

The law applies to the following products:

• Smart speakers, smart TVs, and streaming devices
• Smart doorbells, baby monitors, and security cameras
• Cellular tablets, smartphones, and game consoles
• Wearable fitness trackers (including smart watches)
• Smart domestic appliances (such as light bulbs, plugs, kettles, thermostats, ovens, fridges, cleaners, and washing machines)

Threat actors could use them to access a local network or launch cyber attacks.

Manufacturers are obliged to designate a contact point for reporting security issues and must specify the minimum duration for which the device will receive crucial security updates.

The NCSC clarified that the PSTI act also applies to organizations importing or retailing products for the UK market, including most smart devices manufactured outside the UK. Manufacturers that don’t comply with the act will be punished with fines of up to £10 million or 4% of qualifying worldwide revenue.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, smart device manufacturers)

The Federal Communications Commission (FCC) fined the largest U.S. wireless carriers $200 million for sharing customers’ real-time location data without consent.

The FCC has fined four major U.S. wireless carriers nearly $200 million for unlawfully selling access to real-time location data of their customers without consent. The fines come as a result of the Notices of Apparent Liability (NAL) issued by the FCC against AT&T, Sprint, T-Mobile, and Verizon in February 2020.

T-Mobile is facing a proposed fine exceeding $91 million, while AT&T is looking at one over $57 million. Verizon, on the other hand, faces a proposed fine exceeding $48 million, and Sprint faces a proposed fine of more than $12 million due to the actions taken by the FCC.

“The Federal Communications Commission today proposed fines against the nation’s four largest wireless carriers for apparently selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information.” reads the announcement published by FCC. “As a result, T-Mobile faces a proposed fine of more than $91 million; AT&T faces a proposed fine of more than $57 million; Verizon faces a proposed fine of more than $48 million; and Sprint faces a proposed fine of more than $12 million. The FCC also admonished these carriers for apparently disclosing their customers’ location information, without their authorization, to a third party.”

The FCC’s Enforcement Bureau launched an investigation after Missouri Sheriff Cory Hutcheson misused a “location-finding service” provided by Securus, a communications service provider for correctional facilities, to access the location data of wireless carrier customers without their consent from 2014 to 2017. Hutcheson allegedly provided irrelevant documents, such as health insurance and auto insurance policies, along with pages from sheriff training manuals, as evidence of authorization to access the data.

FCC added that the carriers continued to sell access to the customers’ location information and did not sufficiently guard it from further unauthorized access even after discovering irregular procedures.

All four carriers condemned the FCC’s decision and announced they would appeal it.

The Communications Act mandates that telecommunications carriers safeguard the confidentiality of specific customer data, including location information, about telecommunications services. Carriers must adopt reasonable measures to prevent unauthorized access to customer data. Furthermore, carriers or their representatives must typically secure explicit consent from customers before utilizing, disclosing, or permitting access to such data. Carriers bear responsibility for the actions of their representatives in this regard.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Federal Communications Commission)

Google announced they have prevented 2.28 million policy-violating apps from being published in the official Google Play.

Google announced that in 2023, they have prevented 2.28 million policy-violating apps from being published on Google Play. This amazing result was possible thanks to the introduction of enhanced security features, policy updates, and advanced machine learning and app review processes.

Additionally, Google Play strengthened its developer onboarding and review procedures, requesting a more accurate identification during account setup. These efforts resulted in the ban of 333,000 accounts for confirmed malware and repeated severe policy breaches.

Google also rejected or remediated approximately 200K app submissions to ensure proper use of sensitive permissions such as background location or SMS access. Google has closely worked with SDK providers to protect users’ privacy and prevent sensitive data access and sharing. Over 31 SDKs have enhanced their posture impacting 790K+ apps.

“We also significantly expanded the Google Play SDK Index, which now covers the SDKs used in almost 6 million apps across the Android ecosystem.” states Google. “This valuable resource helps developers make better SDK choices, boosts app quality and minimizes integration risks.”

Google continues to work on improving the Android environment. In November, 2023, it moved the App Defense Alliance (ADA) under the umbrella of the Linux Foundation, with Meta, Microsoft, and Google as founding steering members. The Alliance encourages widespread adoption of best practices and guidelines for app security across the industry, while also developing countermeasures to address emerging security threats.

Google enhanced Google Play Protect’s security capabilities to provide stronger protection for users installing apps from outside the Play Store. The company implemented real-time scanning at the code-level to detect new malicious apps. The company revealed that this measure has already identified over 5 million new malicious apps outside of the Play Store, enhancing Android users’ global security.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Google Play)