<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:dc="https://purl.org/dc/elements/1.1/"
     xmlns:dcterms="http://purl.org/dc/terms/"
     xmlns:media="http://search.yahoo.com/mrss/"
     xmlns:atom="http://www.w3.org/2005/Atom"
>
    <channel>
                    <atom:link rel="alternate" hreflang="en-GB"
                       href="https://www.itpro.com/uk/feeds/tag/spyware"
                       type="application/rss+xml"/>
                            <title><![CDATA[ Latest from ITPro UK in Spyware ]]></title>
                <link>https://www.itpro.com/uk/tag/spyware</link>
        <description><![CDATA[ All the latest spyware content from the ITPro  UK team ]]></description>
                                    <lastBuildDate>Wed, 11 Feb 2026 12:07:05 +0000</lastBuildDate>
                            <language>en</language>
                                <item>
                                                            <title><![CDATA[ iOS and Android users beware: This new spyware kit allows hackers to take full control of your device ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/technology/artificial-intelligence/this-new-mobile-compromise-toolkit-enables-spyware-surveillance-and-data-theft</link>
                                                                            <description>
                            <![CDATA[ The professional package allows even unsophisticated attackers to take full control of devices ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">8e2kXHdZCgHQWLHTozXZy3</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/6UMt7L8cwrivqQPjJWN3eX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 11 Feb 2026 12:07:05 +0000</pubDate>                                                                                                                                <updated>Fri, 13 Feb 2026 08:51:04 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/6UMt7L8cwrivqQPjJWN3eX-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Device code phishing concept image showing cartoon cell phone with a hook attached to a sign-in page. ]]></media:description>                                                            <media:text><![CDATA[Device code phishing concept image showing cartoon cell phone with a hook attached to a sign-in page. ]]></media:text>
                                <media:title type="plain"><![CDATA[Device code phishing concept image showing cartoon cell phone with a hook attached to a sign-in page. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/6UMt7L8cwrivqQPjJWN3eX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A new mobile spyware platform called ZeroDayRAT, claimed to provide full remote control over compromised Android and iOS devices, is being sold openly via Telegram.</p><p>According to analysis from iVerify, developers behind the tool run dedicated channels for sales and customer support and give regular updates. Buyers are given a single point of access to a fully operational spyware panel, with full remote control over a user’s Android or iOS device. </p><p>Support covers Android 5 through 16 and iOS up to 26, including the iPhone 17 Pro. No technical expertise is required, researchers warned. </p><p>"Taken together, this is a complete mobile compromise toolkit, the kind that used to require nation-state investment or bespoke exploit development, now sold on Telegram," the researchers said. </p><p>"A single buyer gets full access to a target’s location, messages, finances, camera, microphone, and keystrokes from a browser tab. Cross-platform support and active development make it a growing threat to both individuals and organizations."</p><h2 id="how-zerodayrat-attacks-work">How ZeroDayRAT attacks work</h2><p>Attacks generally start with <a href="https://www.itpro.com/security/phishing/361625/what-is-smishing">smishing</a>, researchers said. The victim gets a text with a link, downloads what looks like a legitimate app, and installs it. <a href="https://www.itpro.com/security/29093/what-is-phishing">Phishing emails</a>, fake app stores, and links shared over WhatsApp or Telegram are also being used.</p><p>Once a device is infected, the attacker can use an overview tab showing the device model, OS, battery, country, lock status, and SIM and carrier info. </p><p>Similarly, dual SIM phone numbers, app usage broken down by time, a live activity timeline, and a preview of recent SMS messages are all displayed on a single screen.</p><p>"This screen is enough to profile the infected user: who they talk to, what apps they use most, when they're active, and what network they're on," researchers said. "Scrolling down reveals intercepted messages from banking services, carriers, and personal contacts." </p><p>GPS coordinates are pulled and plotted on an embedded Google Maps view with location history, so an operator can track not just where the infected user is, but where they've been.</p><p>Notifications - app name, title, content, and timestamp. WhatsApp messages, Instagram notifications, missed calls, Telegram updates, YouTube alerts and system events - are also captured. </p><h2 id="follow-up-compromise-is-a-real-risk">Follow-up compromise is a real risk</h2><p>Notably, an accounts tab enumerates every account registered on the device, such as Google, WhatsApp, Instagram, Facebook, Telegram, Amazon, and Spotify accounts associated with usernames or emails. </p><p>This, researchers warned, is basically everything an attacker needs to attempt account takeover or launch targeted social engineering.</p><p>"ZeroDayRAT shows how easily an attacker can gain full, real‑time visibility into a mobile device, exposing far more than personal information," commented Matthew Stern, chief security Officer at Hypori.</p><p>"The only reliable protection is removing trust from the physical device entirely. By keeping confidential data off the endpoint, organizations ensure that even if <a href="https://www.itpro.com/spyware/30001/what-is-spyware">spyware </a>takes full control of a device, sensitive information is not accessible.”</p><h3 class="article-body__section" id="section-follow-us-on-social-media"><span>FOLLOW US ON SOCIAL MEDIA</span></h3>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Greek intelligence allegedly uses Predator spyware to wiretap Facebook security staffer ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/spyware/370302/greek-intelligence-predator-spyware-wiretap-facebook-staffer</link>
                                                                            <description>
                            <![CDATA[ The employee’s device was infected through a link pretending to confirm a vaccination appointment ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">uDpwtmcBNzTfo8xWMUz8mw</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/VrAAuac64nHTAtyAi3iz8a-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 21 Mar 2023 12:12:28 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Phishing]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Zach Marzouk ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/GFZtdGsYoXrkh3Jhj4ZKTc.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/VrAAuac64nHTAtyAi3iz8a-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[An eye overlaid with sharp-angled graphics and different colours like pink white and blue, all denoting a cyber element of surveillance such as spyware]]></media:description>                                                            <media:text><![CDATA[An eye overlaid with sharp-angled graphics and different colours like pink white and blue, all denoting a cyber element of surveillance such as spyware]]></media:text>
                                <media:title type="plain"><![CDATA[An eye overlaid with sharp-angled graphics and different colours like pink white and blue, all denoting a cyber element of surveillance such as spyware]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/VrAAuac64nHTAtyAi3iz8a-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A former Facebook employee in Greece, a US national, was allegedly placed under a wiretap by the country’s national intelligence service through Predator spyware.</p><p>Artemis Seaford worked for Facebook between 2020 and 2022 as a trust and safety manager in Greece. She became suspicious of a potential hack after spotting her name on a leaked list of spyware targets in the Greek news media, according to the <a href="https://www.nytimes.com/2023/03/20/world/europe/greece-spyware-hacking-meta.html?unlocked_article_code=kXFnyxiUIb4EJ-2gqY_rLUuW5XN3UaX4RoAaCMPzFxJpxugCoXIrjdjEFlrhIMzqCPRpfDuTN1FzVJoPXSm90o9zDW947YyISJZayyVhk8NAZKi5YFcweXnZpaOjXUjCgt12a_r5mNs311_AbpYQ3kuKfb5YWhEr6cDoILr2nno-aAQiSUQ-7WKgyVG6dkfD0dme4lhR9F8KnLq6IBSgQ6l8O6Jr8OQnyo8rnckEBeoM-fL4I4WClxet0TBx-CPpTEvn2UyJLsgdNfHNseonlXpCXduGQRBUzEq3x70K_1AZofeSjl7YnfanK8hZU21lEuDflKxCCrztTaGrNWzmniZjbJ7kicBQLGA&smid=url-share" target="_blank"><em>New York Times</em></a> which first reported the story.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/368665/european-company-unmasked-as-cyber-mercenary-group-with-ties-to-russia" data-original-url="/security/spyware/368665/european-company-unmasked-as-cyber-mercenary-group-with-ties-to-russia">European company unmasked as cyber mercenary group with ties to Russia</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/361639/apple-sues-nso-group-over-pegasus-attacks-on-its-customers" data-original-url="/security/spyware/361639/apple-sues-nso-group-over-pegasus-attacks-on-its-customers">Apple sues NSO Group over Pegasus attacks on its customers</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/361868/egyptian-exiles-targeted-with-predator-spyware" data-original-url="/security/spyware/361868/egyptian-exiles-targeted-with-predator-spyware">Egyptian exiles targeted with Predator spyware resembling NSO Group's Pegasus</a></p></div></div><p>She worked on cyber security policy and was in contact with Greek and European officials during her role.</p><p>After realising her details were leaked, Seaford submitted her mobile phone to the University of Toronto's Citizen Lab, which investigated the device.</p><p>Citizen Lab, known for spearheading research into international spyware such as Pegasus and Predator, found that the phone had been hacked with Predator spyware in September 2021 for at least two months.</p><p>However, the organisation said that the device could have also been infected at a different time, as well as longer than two months.</p><p>Seaford booked an appointment for a COVID-19 booster shot in September 2021 using the Greek government’s vaccination portal. The Facebook employee then received an SMS confirming the appointment, and then another SMS message asking her to confirm her details by clicking on a link.</p><p>The second text message with the link was reportedly the method used to install the Predator <a href="https://www.itpro.com/spyware/30001/what-is-spyware" target="_blank" data-original-url="https://www.itpro.com/spyware/30001/what-is-spyware">spyware</a> onto her phone.</p><p>The vaccination appointment details in the message were correct, and there is a suggestion that someone reviewed the earlier message before manually composing the second, infected message using that correct information.</p><p>“Anyone, anywhere can fall prey to spyware hacking. I should know - I was a Predator target,” Seaford said on Twitter. “This does not make it normal. We need our governments and international bodies to protect us.”</p><p>This hack would make Seaford the first known case of a US citizen being targeted by spyware in an EU country.</p><p>“This Predator case is further evidence that the mercenary spyware problem in the EU is out of control,” said John Scott-Railton, senior researcher at Citizen Lab, on Twitter. “And it's directly impacting US nationals working on sensitive topics.”</p><p>Seaford has filed a lawsuit in Greece, which forces prosecutors to open an investigation into the incident. She also filed a request with the independent constitutional watchdog to determine if the national intelligence service wiretapped her phone.</p><p>Two <em>NYT</em> sources stated that Seaford had been wiretapped since August 2021 by the intelligence service, and for several months in 2022.</p><p>The Citizen Lab investigation found that the information taken from the wiretap might have helped to provide intelligence to organise the attack to implant the spyware.</p><h2 id="what-is-predator-spyware-and-who-makes-it">What is Predator spyware and who makes it?</h2><p>Predator spyware is a surreptitious program that’s able to offer <a href="https://www.itpro.com/security/privacy/361191/is-australia-becoming-a-surveillance-state" target="_blank" data-original-url="https://www.itpro.com/security/privacy/361191/is-australia-becoming-a-surveillance-state">surveillance</a> capabilities. It's installed on devices through links sent via messages that when clicked, lead to the download of the spyware.</p><p>It’s similar to the NSO Group’s Pegasus which was used in the past to target Saudi critic Jamal Khashoggi.</p><p>Predator is built and sold by Cytrox, a company founded in North Macedonia with a corporate presence in Israel and Hungary, according to a <a href="https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware" target="_blank">report</a> from Citizen Lab.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="GB7YYAdRm3LRnVVscE6aUg" name="GB7YYAdRm3LRnVVscE6aUg.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/GB7YYAdRm3LRnVVscE6aUg.png" mos="https://cdn.mos.cms.futurecdn.net/GB7YYAdRm3LRnVVscE6aUg.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Achieving zero trust for corporate networks</strong></p><p class="fancy-box__body-text">Zero trust is a new way of thinking about information security</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/network-security/370182/achieving-zero-trust-for-corporate-networks" data-original-url="/security/network-security/370182/achieving-zero-trust-for-corporate-networks">FREE DOWNLOAD</a></p></div></div><p>The organisation found that customers for the spyware are likely to be based in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.</p><p>Cytrox has been reported to be part of Intellexa, a 'star alliance of spyware', which aims to compete with the NSO Group, said Citizen Lab. This is a group of surveillance vendors that appeared in 2019, consisting of companies like Nexa Technologies, Cytrox, and Senpai.</p><p>Citizen Lab’s report stated that Intellexa operates from Greece, with the alliance having a corporate presence there as well as in Ireland.</p><p>In December 2021, the spyware <a href="https://www.itpro.com/security/spyware/361868/egyptian-exiles-targeted-with-predator-spyware" target="_blank" data-original-url="https://www.itpro.com/security/spyware/361868/egyptian-exiles-targeted-with-predator-spyware">was reported</a> to have targeted the iPhones belonging to two exiled Egyptians, a politician and a journalist. Both individuals received links through WhatsApp which were believed to be used to launch the spyware's installation.</p><p>At the time, Citizen Lab said it had medium-to-high confidence that the spyware attacks were carried out by the Egyptian government.</p><h2 id="how-is-greece-connected-to-wiretapping">How is Greece connected to wiretapping?</h2><p>In January 2023, the Greek parliament’s chamber of deputies voted 156 to 143 to defeat a no-confidence vote in Kyriakos Mitsotakis, the Greek prime minister, according to <em><a href="https://www.theguardian.com/world/2023/jan/27/kyriakos-mitsotakis-greek-pm-survives-confidence-vote-but-phone-tapping-scandal-rumbles-on" target="_blank">the Guardian</a></em>.</p><p>The vote had been called due to an alleged phone-tapping scandal which saw politicians, military officials, and journalists targeted.</p><p>This includes Nikos Androulakis, the head of Greece’s third-largest political party, who claimed that he had been wiretapped by the national intelligence service, as well as being targeted by Predator spyware.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Spanish spyware outfit uncovered, develops exploits for Windows, Chrome, and Firefox ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/spyware/369624/spanish-spyware-outfit-exploit-windows-chrome-firefox</link>
                                                                            <description>
                            <![CDATA[ Google was only able to discover the company after an anonymous submission was made to its Chrome bug reporting programme ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">cNidAx1jx2TnNJ31ENNGeK</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/AwcyAPjBPanucM4Cu3SfX8-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 01 Dec 2022 15:20:16 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Workspace]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                    <category><![CDATA[Google]]></category>
                                                                                                                    <dc:creator><![CDATA[ Zach Marzouk ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ncLkbsDMZ6b76Lc5iS6mZh.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/AwcyAPjBPanucM4Cu3SfX8-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The beach front in Barcelona ]]></media:description>                                                            <media:text><![CDATA[The beach front in Barcelona ]]></media:text>
                                <media:title type="plain"><![CDATA[The beach front in Barcelona ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/AwcyAPjBPanucM4Cu3SfX8-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Google has tied a previously unknown spyware operation to a private company in Spain after receiving an anonymous tip-off regarding the malicious activity.</p><p>Its Threat Analysis Group (TAG) said the evidence suggests that Barcelona-based Variston IT has developed an exploit framework which leveraged zero days in Windows Defender, Firefox, and Chrome.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/359049/dangerous-android-spyware-disguising-itself-as-system-update-app" data-original-url="/security/malware/359049/dangerous-android-spyware-disguising-itself-as-system-update-app">Android spyware disguised as 'system update' app discovered</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/368629/mysterious-macos-spyware-using-public-cloud-storage-control-server" data-original-url="/security/malware/368629/mysterious-macos-spyware-using-public-cloud-storage-control-server">Mysterious MacOS spyware discovered using public cloud storage as its control server</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/361760/nso-group-reportedly-hacked-multiple-us-officials" data-original-url="/security/spyware/361760/nso-group-reportedly-hacked-multiple-us-officials">NSO Group reportedly hacked multiple US officials</a></p></div></div><p>Google said the operation tied to Variston IT had developed the Heliconia framework which itself was split into smaller frameworks that exploited different systems and applications, like Windows and Chrome. The product gives customers all the tools needed to deploy a payload to a target device.</p><p>The frameworks included mature source code that could deploy the exploits. The first was Heliconia Noise, a web framework used to deploy an exploit for a Chrome renderer bug, followed by a sandbox escape.</p><p>Heliconia Soft was a separate web framework that dropped a malicious PDF to exploit a vulnerability in Windows Defender. The third and final framework was called Files - it consisted of a set of exploits targeting Firefox versions on both Windows and Linux systems.</p><p>The three companies targeted in the exploit, Microsoft, Mozilla, and Google, fixed the vulnerabilities in 2021 and early 2022. Google said it hadn’t detected active exploitation of the now-patched vulnerabilities, but instead predicted that they were used as <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" target="_blank" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-days</a> in earlier attacks.</p><p>The tech giant only became aware of the Heliconia framework when it received an anonymous submission to its Chrome bug reporting programme.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="zxgJhZ9MYsxYh8heefErtH" name="zxgJhZ9MYsxYh8heefErtH.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/zxgJhZ9MYsxYh8heefErtH.png" mos="https://cdn.mos.cms.futurecdn.net/zxgJhZ9MYsxYh8heefErtH.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>The long road ahead to ransomware preparedness</strong></p><p class="fancy-box__body-text">Getting to the bigger truth</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/ransomware/369492/the-long-road-ahead-to-ransomware-preparedness" data-original-url="/security/ransomware/369492/the-long-road-ahead-to-ransomware-preparedness">FREE DOWNLOAD</a></p></div></div><p>“The submitter filed three bugs, each with instructions and an archive that contained source code,” said Google TAG researchers in a blog post. “They used unique names in the bug reports including, ‘Heliconia Noise,’ ‘Heliconia Soft’, and ‘Files'.</p><p>"TAG analysed the submissions and found they contained frameworks for deploying exploits in the wild and a script in the source code included clues pointing to the possible <a href="https://www.itpro.com/software/development/356827/how-to-become-a-developer-a-beginners-guide" target="_blank" data-original-url="https://www.itpro.com/software/development/356827/how-to-become-a-developer-a-beginners-guide">developer</a> of the exploitation frameworks, Variston IT.”</p><p>Heliconia Noise, for example, leaked the name of the company in a line of code that prevented the framework from generating binaries containing strings such as 'Variston'.</p><p>The same for loop in Heliconia Noise's code also leaked the aliases of the developers who worked on the project: majinbuu, janemba, and freezer - all references to characters in the Dragon Ball manga franchise.</p><p>Google said that commercial <a href="https://www.itpro.com/spyware/30001/what-is-spyware" target="_blank" data-original-url="https://www.itpro.com/spyware/30001/what-is-spyware">spyware</a> is used by governments to spy on journalists, human rights activists, and political opposition through its advanced surveillance abilities. The tech giant is aiming to disrupt the threat of these types of companies to protect users and raise awareness of the industry, it said.</p><p><em>IT Pro</em> has contacted Variston for comment. It appears to be registered at an address in Barcelona and was founded by Jayaraman Ramanan and Ralf Dieter Wegener in 2018, according to <a href="https://www.datoscif.es/empresa/variston-information-technology-sl" target="_blank"><em>Datos Cif</em></a>, a Spanish database containing information about companies. Deloitte is also named as its auditor.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ North Korean-linked Gmail spyware 'SHARPEXT' harvesting sensitive email content ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/368733/north-korean-sharpext-spyware-harvesting-gmail</link>
                                                                            <description>
                            <![CDATA[ The insidious software exfiltrates all mail and attachments, researchers warn, putting sensitive documents at risk ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">rJBHCXGmFtAYrjMowHWavF</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ZTzRdo4jU6XPEhmjdNUxN7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 04 Aug 2022 11:30:17 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rory Bathgate ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/DnNrFxEA7RRECVgFxXR4V7.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ZTzRdo4jU6XPEhmjdNUxN7-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A digital render of a red envelope hovering above a blocky grey surface]]></media:description>                                                            <media:text><![CDATA[A digital render of a red envelope hovering above a blocky grey surface]]></media:text>
                                <media:title type="plain"><![CDATA[A digital render of a red envelope hovering above a blocky grey surface]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ZTzRdo4jU6XPEhmjdNUxN7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A malicious browser extension linked to North Korea has been operating undetected to steal data from Gmail and AOL sessions.</p><p>The extension, dubbed ‘SHARPEXT’ by researchers, monitors webpages to automatically parse any and all emails and attachments from victims' mailboxes. </p><p>It poses a particularly serious threat to machines used by organisations for business operations, as all sensitive information sent via email has the potential to be stolen. Targets have so far been identified within the US, EU and <a href="https://www.itpro.com/infrastructure/network-internet/368637/uk-to-collaborate-with-south-korea-on-5g-6g-fund" data-original-url="https://www.itpro.com/infrastructure/network-internet/368637/uk-to-collaborate-with-south-korea-on-5g-6g-fund">South Korea</a>.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/data-breaches/358455/10-ways-to-protect-your-company-from-the-next-big-data-breach" data-original-url="/security/data-breaches/358455/10-ways-to-protect-your-company-from-the-next-big-data-breach">Ten ways to protect your company from the next big data breach</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/phishing/368705/every-leading-uk-university-is-compromising-on-email-security" data-original-url="/security/phishing/368705/every-leading-uk-university-is-compromising-on-email-security">Every leading UK university is compromising on email security, researchers say</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/368365/google-warns-of-isp-controlled-hermit-spyware" data-original-url="/security/malware/368365/google-warns-of-isp-controlled-hermit-spyware">Google warns of ‌ISP-controlled Hermit spyware</a></p></div></div><p>Cyber security firm Volexity revealed the spyware's existence in a <a href="https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext">blog post</a>, and linked it to a threat actor tracked by Volexity operating under the name SharpTongue, but known publicly as <a href="https://www.itpro.com/security/cyber-crime/368669/us-doubles-reward-for-information-on-north-korean-cybercrime-syndicates" data-original-url="https://www.itpro.com/security/cyber-crime/368669/us-doubles-reward-for-information-on-north-korean-cybercrime-syndicates">Kimsuky</a>. This entity is believed to be North Korean in origin, and the researchers have linked SharpTongue to attacks on targets linked to national security.</p><p><em>ArsTechnica</em> reports Volexity president Steven Adair as stating that SHARPEXT is installed through “spear <a href="https://www.itpro.com/security/29093/what-is-phishing" target="_blank" data-original-url="https://www.itpro.com/security/29093/what-is-phishing">phishing</a> and <a href="https://www.itpro.com/security/social-engineering/361911/month-in-the-life-of-social-engineer-week-one" target="_blank" data-original-url="https://www.itpro.com/security/social-engineering/361911/month-in-the-life-of-social-engineer-week-one">social engineering</a> where the victim is fooled into opening a malicious document”. Phishing is a common vector used to deliver malicious programmes, such as <a href="https://www.itpro.com/security/368363/lockbit-20-ransomware-disguised-as-pdfs-distributed-in-email-attacks" data-original-url="https://www.itpro.com/security/368363/lockbit-20-ransomware-disguised-as-pdfs-distributed-in-email-attacks">LockBit 2.0 which has been distributed by email disguised as PDFs</a>.</p><p>To lay the groundwork for the extension, the threat actor manually exfiltrates files such as the user’s preferences and secure preferences. These are changed to include exceptions for the malicious extension and then downloaded back onto the infected machine through the malware’s command and control (C2) infrastructure.</p><p>Once the original files have been switched for these copies, SHARPEXT is loaded directly from the victim’s appdata folder. Once active, the extension executes code directly from the C2 server, which has the benefit of preventing antivirus software from discovering malicious code within the extension itself.</p><p>Additionally, running code in this way allows the threat actor to regularly update the code without having to reinstall newer versions of the extension onto infected systems. Indeed, the extension is currently in its third iteration, with previous versions more limited in their browser and mail client compatibility. </p><p>At present, SHARPEXT supports Google Chrome and <a href="https://www.itpro.com/web-browsers/24526/what-is-microsoft-edge" data-original-url="https://www.itpro.com/web-browsers/24526/what-is-microsoft-edge">Microsoft Edge</a>, as well as a browser called Whale that's reasonably popular in South Korea but not in other countries.</p><p>The extension only activates when a <a href="https://www.itpro.com/chromium/32681/what-is-chromium" data-original-url="https://www.itpro.com/chromium/32681/what-is-chromium">Chromium</a> browser is running, and utilises listeners to monitor activity to ensure that only email data is stolen. Global variables track the emails, email addresses and attachments that have already been exfiltrated, so as to prevent unnecessary duplication of data.</p><p>In addition to its exfiltration functions, the extension deploys a <a href="https://www.itpro.com/microsoft-windows/34535/powershell-vs-cmd-unlocking-the-power-of-windows" data-original-url="https://www.itpro.com/microsoft-windows/34535/powershell-vs-cmd-unlocking-the-power-of-windows">Powershell</a> script that constantly checks for compatible browser processes, and if found runs a keystroke script that opens the DevTools panel. </p><p>Simultaneously, another script works to hide the DevTools window, and anything that could make the victim suspicious, such as Edge’s warning that an extension is running in developer mode.</p><p>Volexity has advised security teams within organisations to review extensions regularly, especially those installed on machines connected to highly-sensitive information.</p><p><em>IT Pro</em> has approached Volexity for comment</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Young hacker faces 20-year prison sentence for creating prolific Imminent Monitor RAT ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/spyware/368682/young-hacker-faces-20-year-prison-sentence-for-creating-prolific-imminent-monitor-rat</link>
                                                                            <description>
                            <![CDATA[ He created the RAT when he was aged just 15 and is estimated to have netted around $400,000 from the sale of it over six years ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">8RKmA9TD5NygBR7PEcCET3</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/QunLauaetsmuM23MuxM4x7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 01 Aug 2022 09:20:13 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/QunLauaetsmuM23MuxM4x7-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Graphic of a CCTV camera observing anonymous people in a crowd]]></media:description>                                                            <media:text><![CDATA[Graphic of a CCTV camera observing anonymous people in a crowd]]></media:text>
                                <media:title type="plain"><![CDATA[Graphic of a CCTV camera observing anonymous people in a crowd]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/QunLauaetsmuM23MuxM4x7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Australian police have arrested a 24-year-old hacker after a lengthy investigation tied him to the widely abused Imminent Monitor remote access trojan (RAT).</p><p>The spyware tool was downloaded by more than 14,500 people across 128 countries, the police said, and reportedly generated around $400,000 AUD for the cyber-criminal. </p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" data-original-url="/security/30081/what-is-a-trojan-virus">What is a Trojan?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/367670/lone-russian-rat-operator-rivals-large-gangs-with-cheap-passion-project" data-original-url="/security/malware/367670/lone-russian-rat-operator-rivals-large-gangs-with-cheap-passion-project">Lone Russian RAT operator rivals large gangs with £5 "passion project"</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/spyware/30001/what-is-spyware" data-original-url="/spyware/30001/what-is-spyware">What is spyware?</a></p></div></div><p>The Australian Federal Police (AFP) also said Imminent Monitor was allegedly first created by Jacob Wayne John Keen nine years ago when he was aged 15. </p><p>During its time on sale between 2013 and 2019, it has been used by numerous individuals including domestic and child abusers, among other criminals.</p><p>The <a href="https://www.itpro.com/spyware/30001/what-is-spyware" data-original-url="https://www.itpro.com/spyware/30001/what-is-spyware">spyware’s</a> capabilities allowed customers to steal information from victims and spy on them in various ways, including surreptitious enabling and monitoring of the webcam and microphone, logging keystrokes, and remotely controlling the device too.</p><p>Imminent Monitor could be installed through various means, including <a href="https://www.itpro.com/security/29093/what-is-phishing" data-original-url="https://www.itpro.com/security/29093/what-is-phishing">phishing</a>, the AFP said, and it believes there have been more than 10,000 victims worldwide.</p><p>“These types of <a href="https://www.itpro.com/malware/28076/what-is-malware" data-original-url="https://www.itpro.com/malware/28076/what-is-malware">malware</a> are so nefarious because it can provide an offender virtual access to a victim’s bedroom or home without their knowledge,’’ said Chris Goldsmid, AFP commander of cyber crime operations.</p><p>“Unfortunately there are criminals who not only use these tools to steal personal information for financial gain but also for very intrusive and despicable crimes.”</p><p>The RAT was sold for around $25 USD for a single-user lifetime licence but additional options were available for teams of users sold at higher prices.</p><p>The creation and sale of Imminent Monitor prompted a global investigation from law enforcement after the AFP was handed information about the campaign from the FBI and security company Palo Alto Networks in 2017.</p><p>More than a dozen law enforcement agencies were involved in the investigation across Europe, issuing a total of 85 search warrants, seizing 434 devices and arresting 13 individuals for using the RAT.</p><p>Simply owning the RAT is not an offence, the AFP said, but installing it on another individual’s device is a violation of <a href="https://www.itpro.com/it-legislation/28174/what-is-the-computer-misuse-act" data-original-url="https://www.itpro.com/it-legislation/28174/what-is-the-computer-misuse-act">computer legislation</a>. </p><p>AFP dedicated five officers to gathering information on, and ultimately shutting down the RAT. After Imminent Monitor was taken down in 2019, all copies across the globe ceased to work also.</p><p>In the same year, the accused individual’s home was searched by authorities and his computer was found with code files consistent with the development and use of the RAT. </p><p>The 24-year-old faces 6 criminal charges under computer misuse and data misuse legislation, including two counts of dealing with the proceeds of crime with a value exceeding $100,000.</p><p>He faces a maximum potential combined prison sentence of 20 years. A 42-year-old woman of the same address later revealed to be Keen’s mother, also faces one count of dealing with the proceeds of crime with a value exceeding $100,000 and also faces up to 20 years in prison, the <a href="https://www.afp.gov.au/news-media/media-releases/afp-charges-man-creating-global-spyware-tool">AFP notice</a> read.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ European company unmasked as cyber mercenary group with ties to Russia ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/spyware/368665/european-company-unmasked-as-cyber-mercenary-group-with-ties-to-russia</link>
                                                                            <description>
                            <![CDATA[ The company that's similar to NSO Group has been active since 2016 and has used different zero-days in Windows and Adobe products to infect victims with powerful, evasive spyware ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">eUGRRTT2SLKy15wWp1ymHC</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Ym6Mo77aKm58EHtNat5fEP-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 28 Jul 2022 10:23:58 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Ym6Mo77aKm58EHtNat5fEP-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Graphic of several CCTV cameras honing in on individuals]]></media:description>                                                            <media:text><![CDATA[Graphic of several CCTV cameras honing in on individuals]]></media:text>
                                <media:title type="plain"><![CDATA[Graphic of several CCTV cameras honing in on individuals]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Ym6Mo77aKm58EHtNat5fEP-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft has investigated a ‘suspicious’ Austrian private-sector company, concluding that it is operating illegal offensive security services on behalf of clients in a similar fashion to NSO Group and its Pegasus spyware.</p><p>Vienna-based DSR Decision Supporting Information Research Forensic (DSIRF) presents itself as a professional services company with clients across high-value industries, but investigations have revealed it is offering spyware and malware services to clients.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/361971/el-salvador-becomes-latest-country-targeted-by-pegasus" data-original-url="/security/spyware/361971/el-salvador-becomes-latest-country-targeted-by-pegasus">El Salvador becomes latest target of Pegasus spyware</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/361529/nso-group-ceo-quits-us-sanctions-pegasus-spyware" data-original-url="/security/spyware/361529/nso-group-ceo-quits-us-sanctions-pegasus-spyware">CEO of spyware firm NSO Group quits after US sanctions</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/361760/nso-group-reportedly-hacked-multiple-us-officials" data-original-url="/security/spyware/361760/nso-group-reportedly-hacked-multiple-us-officials">NSO Group reportedly hacked multiple US officials</a></p></div></div><p>So far, victims include businesses in the UK, Austria, and Panama, and span industries such as banking, law firms, and strategic consultancies, Microsoft said, having spoken to a number of them as part of its research.</p><p>The company has been observed chaining together <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day exploits</a> in Windows and Adobe products to deploy its Subzero <a href="https://www.itpro.com/malware/28076/what-is-malware" data-original-url="https://www.itpro.com/malware/28076/what-is-malware">malware</a> - a <a href="https://www.itpro.com/security/cyber-attacks/360526/what-is-a-rootkit" data-original-url="https://www.itpro.com/security/cyber-attacks/360526/what-is-a-rootkit">rootkit</a> capable of spying on targeted individuals.</p><p>Microsoft has concluded that the company is operating an unauthorised, mercenary offensive security operation similar to that of <a href="https://www.itpro.com/security/spyware/361760/nso-group-reportedly-hacked-multiple-us-officials" data-original-url="https://www.itpro.com/security/spyware/361760/nso-group-reportedly-hacked-multiple-us-officials">NSO Group</a>, and has given the threat actor the codename Knotweed.</p><p>The group is secretive in its operations and only reveals the full extent of its capabilities to clients in exclusive meetings. </p><p>There is no evidence that it operates a genuine professional services operation as it claims to and it is also believed to have ties to the Russian regime. </p><h2 id="unmasking-knotweed-russian-links-to-illegal-eu-surveillance">Unmasking Knotweed - Russian links to illegal EU surveillance</h2><p>DSIRF’s website says it is primarily based in Austria but also has an office in Lichtenstein. Its ‘about’ section is written in non-descript verbiage that alludes to offering services across information research, forensics, and data-driven intelligence.</p><p>It also claims to have multinational clients on its books across the technology, retail, energy, and financial sectors.</p><p>Reports linking DSIRF to malicious cyber activity date back to 2021 when several investigations that were conducted by German-speaking media linked the company to the sale of offensive security services.</p><p>First reported by <a href="https://www.focus.de/politik/vorab-aus-dem-focus-volle-kontrolle-ueber-zielcomputer-das-raetsel-um-die-spionage-app-fuehrt-ueber-wirecard-zu-putin_id_24442733.html"><em>Focus</em></a>, a DSIRF presentation given exclusively to clients was leaked to the publication and revealed the full suite of services the company offered.</p><p>The presentation - <a href="https://cdn.netzpolitik.org/wp-upload/2021/12/2018-08-28_DSIRF_Company-Profile-Gov.redacted.pdf">made public</a> by <em>Netzpolitik</em> - reportedly mentioned <a href="https://www.itpro.com/security/28170/what-is-cyber-warfare" data-original-url="https://www.itpro.com/security/28170/what-is-cyber-warfare">cyber warfare</a>, <a href="https://www.itpro.com/security/privacy/356882/the-pros-and-cons-of-facial-recognition-technology" data-original-url="https://www.itpro.com/security/privacy/356882/the-pros-and-cons-of-facial-recognition-technology">biometric facial recognition</a>, and the unmasking of foreign information warfare tactics. </p><p>The clients were eventually introduced to its Subzero malware product which the company claimed, in a six-minute video presentation, to be able to link up with surveillance cameras installed at the likes of train stations and airports.</p><p>Its program could supposedly connect to a DSIRF-controlled database and process footage against biometric, social network, criminal record, and payment data to deliver conclusions to the controller in real time.</p><p>According to the investigation conducted by <em>Focus</em>, the Austrian Ministry of Finance confirmed the company to be owned by Peter Dietenberger, a German national with residency in Austria and Switzerland. </p><p>Dietenberger is also believed to be a ’specialist’ in relations between the West and Russia with connections to the Russian nomenklatura, while also his visa identified him as a special guest of the presidential administration.</p><p>The leaked presentation itself was reportedly addressed to Jan Marsalek, a former board member and COO at the infamous German payment processor Wirecard. The internationally-wanted white-collar criminal is now believed to be a <a href="https://www.dw.com/en/wanted-wirecard-executive-jan-marsalak-reportedly-hiding-in-moscow/a-61440213">fugitive in Moscow under the protection of the FSB</a> following his alleged involvement in the <a href="https://www.ft.com/content/650d7108-dca8-4299-95ad-e68476bc3020">Wirecard scandal</a>. </p><h2 id="subzero-in-focus">Subzero in focus</h2><p>Microsoft’s <a href="https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits">investigation</a> focused more on the malware offered by the company named Subzero. It said it could be deployed in several different ways but in all cases, it used a remote code execution (RCE) vulnerability in Adobe Reader, coupled with a now-patched privilege escalation exploit in Windows (CVE-2022-22047).</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="wE3UT9aDVGm6fZh2yRZMu6" name="wE3UT9aDVGm6fZh2yRZMu6.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/wE3UT9aDVGm6fZh2yRZMu6.jpg" mos="https://cdn.mos.cms.futurecdn.net/wE3UT9aDVGm6fZh2yRZMu6.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>An EDR buyer's guide</strong></p><p class="fancy-box__body-text">How to pick the best endpoint detection and response solution for your business</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-security/368443/an-edr-buyers-guide" data-original-url="/security/cyber-security/368443/an-edr-buyers-guide">FREE DOWNLOAD</a></p></div></div><p>The malware seen by Microsoft was packaged in a PDF document sent to a victim via email but was not able to gain visibility into the entire exploit chain, it said. </p><p>The victim's version of Adobe Reader was released in January 2022 which suggests that the exploit was developed between January and May 2022, despite the company’s C2 infrastructure indication that it had been active since 2020.</p><p>“The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process,” Microsoft said. “The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL.</p><p>“Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.”</p><p>It revealed that other security vulnerabilities were used to deploy Subzero in victims dating back to 2021, indicating that deployment tactics changed over time and there were active efforts from DSIRF to find new ways of exploiting victims.</p><p>Other tactics involved delivering Subzero via malicious Microsoft Excel documents using Excel 4.0 VBA macros - which are now once again blocked by default after <a href="https://www.itpro.com/security/cyber-security/368513/microsoft-confirms-vba-macro-backtrack-is-only-temporary" data-original-url="https://www.itpro.com/security/cyber-security/368513/microsoft-confirms-vba-macro-backtrack-is-only-temporary">a temporary backtrack</a> - and obfuscated using large chunks of text taken from the Kama Sutra.</p><h3 class="article-body__section" id="section-main-capabilities"><span>Main capabilities</span></h3><p>Corelump is the main malicious payload delivered by the Subzero program. It resides in memory to escape detection and offers a range of functions including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from Knotweed’s C2 server, Microsoft said.</p><p>Post exploitation activities observed by Microsoft included <a href="https://www.itpro.com/security/phishing/360714/credential-theft-most-prevalent-threat-to-corporate-inboxes" data-original-url="https://www.itpro.com/security/phishing/360714/credential-theft-most-prevalent-threat-to-corporate-inboxes">credential dumping</a>, accessing emails using dumped credentials, and running PowerShell scripts from a DSIRF-linked GitHub gist.</p><h2 id="how-to-defend-against-knotweed-and-subzero">How to defend against Knotweed and Subzero</h2><p>Microsoft has advised businesses to patch against the latest security threats, including the recently patched CVE-2022-22047 to prevent exposure to the exploit chain.</p><p>Ensuring <a href="https://www.itpro.com/malware/28153/whats-the-difference-between-antimalware-and-antivirus" data-original-url="https://www.itpro.com/malware/28153/whats-the-difference-between-antimalware-and-antivirus">antivirus products</a> are up-to-date is also recommended, as is scanning for the confirmed indicators of compromise (IOCs) that can be found in Microsoft’s full report. </p><p>It’s advised that Excel macro settings are reviewed to make sure malicious VBA and XLM macros are blocked by turning on runtime macros scanning by antimalware scan interface (AMSI), which should be enabled by default.</p><p>Enabling <a href="https://www.itpro.com/security/361870/five-things-to-consider-before-choosing-an-mfa-solution" data-original-url="https://www.itpro.com/security/361870/five-things-to-consider-before-choosing-an-mfa-solution">multifactor authentication (MFA)</a> can help mitigate any compromised credentials being used by the threat actor and reviewing all authentication activity for remote access infrastructure, and scanning for anomalous activity, is also advised.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Mysterious MacOS spyware discovered using public cloud storage as its control server ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/malware/368629/mysterious-macos-spyware-using-public-cloud-storage-control-server</link>
                                                                            <description>
                            <![CDATA[ Researchers have warned that little is known about the 'CloudMensis' malware, including how it is distributed and who is behind it ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">uCVk5cUp7vDY5VYB6ZBE1W</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/5hmm29Bv4fDTxWEsBHRv66-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 22 Jul 2022 11:23:13 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rory Bathgate ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/DnNrFxEA7RRECVgFxXR4V7.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/5hmm29Bv4fDTxWEsBHRv66-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A close-up shot of a MacBook keyboard]]></media:description>                                                            <media:text><![CDATA[A close-up shot of a MacBook keyboard]]></media:text>
                                <media:title type="plain"><![CDATA[A close-up shot of a MacBook keyboard]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/5hmm29Bv4fDTxWEsBHRv66-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>MacOS users have been warned that a new spyware has been discovered using a previously undocumented backdoor to steal sensitive data from compromised Macs.</p><p>Lifting sensitive data such as keystrokes, screen captures, and email attachments, the spyware uses public cloud storage such as Yandex Disk, pCloud, and <a href="https://www.itpro.com/cloud-storage/30845/13-tricks-to-help-you-master-dropbox" data-original-url="https://www.itpro.com/cloud-storage/30845/13-tricks-to-help-you-master-dropbox">Dropbox</a> as its command and control (C2) channel. Although such use of cloud storage has been observed in Windows malware, researchers noted that this is an unusual tactic in the Mac ecosystem.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="rNAQoa9nwMcMG72HQokQfh" name="rNAQoa9nwMcMG72HQokQfh.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/rNAQoa9nwMcMG72HQokQfh.jpg" mos="https://cdn.mos.cms.futurecdn.net/rNAQoa9nwMcMG72HQokQfh.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Storage's role in addressing the challenges of ensuring cyber resilience</strong></p><p class="fancy-box__body-text">Understanding the role of data storage in cyber resiliency</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-attacks/368461/storages-role-in-addressing-the-challenges-of-ensuring-cyber" data-original-url="/security/cyber-attacks/368461/storages-role-in-addressing-the-challenges-of-ensuring-cyber">FREE DOWNLOAD</a></p></div></div><p>The <a href="https://www.itpro.com/malware/28076/what-is-malware" data-original-url="https://www.itpro.com/malware/28076/what-is-malware">malware</a>, coded in <a href="https://www.itpro.com/programming-languages/30204/what-is-object-oriented-programming" data-original-url="https://www.itpro.com/programming-languages/30204/what-is-object-oriented-programming">Objective-C</a>, was discovered by ESET researchers who named it 'CloudMensis' in a <a href="https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-discovers-new-threat-to-mac-users-cloudmensis-spies-on-them-in-targeted-operation">blog post</a>. The method by which the malware first compromises the Macs of its victims is still unknown.</p><p>Lack of clarity around this delivery mechanism, as well as the identity and goals of the threat actors, has prompted researchers to warn all MacOS users to be cautious and keep systems up-to-date. However, as it has currently been seen to affect only a limited number of systems, CloudMensis has not currently been labelled high risk.</p><p>Once present on a victim’s Mac, the first stage of CloudMensis downloads a second stage from public cloud storage, and both are written to disk. Once installed, CloudMensis receives commands from its operators through this cloud storage, and sends encrypted copies of files through it.</p><p>A total of 39 commands can be activated allowing the malware to, among other things, change its configuration values, run shell commands, and list files from removable storage.</p><p>To bypass macOS’ privacy protection system Transparency, Consent and Control (TCC), CloudMensis adds entries to grant itself permissions. If the victim is running a version of macOS predating Catalina 10.15.6, CloudMensis will exploit a known vulnerability (<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9934">CVE-2020-9943</a>) to load a TCC database that it can write to.</p><p>Metadata uncovered by ESET indicated that the threat actors behind the spyware are individually deploying CloudMensis to targets of interest, rather than spreading it as far as they can.</p><p>No clues to the intended targets have been found in the metadata, and the use of cloud storage as its C2 makes the threat actors behind it difficult to identify. ESET accessed metadata from the cloud storage services in use that indicates that the unknown threat actors began to send commands on February 4, 2022.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/28083/best-free-malware-removal-tools" data-original-url="/security/malware/28083/best-free-malware-removal-tools">6 of the best free malware removal tools in 2023</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/ransomware/368476/why-are-ransomware-gangs-pivoting-to-rust" data-original-url="/security/ransomware/368476/why-are-ransomware-gangs-pivoting-to-rust">Why are ransomware gangs pivoting to Rust?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/368621/hackers-hiding-malicious-links-in-top-google-search-results" data-original-url="/security/368621/hackers-hiding-malicious-links-in-top-google-search-results">Hackers hiding malicious links in top Google search results, researchers warn</a></p></div></div><p>“We still do not know how CloudMensis is initially distributed and who the targets are,” said ESET researcher Marc-Etienne Léveillé, a member of the team that is looking into CloudMensis.</p><p>“The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets.”</p><p>No <a href="https://www.itpro.com/security/367344/report-apple-neglects-to-patch-zero-days-for-older-macos-versions" data-original-url="https://www.itpro.com/security/367344/report-apple-neglects-to-patch-zero-days-for-older-macos-versions">zero-day vulnerabilities</a> have been identified as in use by the group, so Macs that are regularly updated are potentially at lower risk.</p><p>MacOS malware is typically rarer than Windows malware, for a multitude of reasons including the fact that the larger market share of Windows PCs gives cybercriminals a better target.</p><p>Apple has acknowledged the threat of spyware such as Pegasus, and is set to introduce a new ‘<a href="https://www.itpro.com/security/spyware/368468/apple-launching-lockdown-mode-ios16-pegasus-spyware" data-original-url="https://www.itpro.com/security/spyware/368468/apple-launching-lockdown-mode-ios16-pegasus-spyware">Lockdown Mode</a>’ on iOS, iPad OS and macOS in the autumn.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Apple launching Lockdown Mode with iOS 16 to guard against Pegasus-style spyware ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/spyware/368468/apple-launching-lockdown-mode-ios16-pegasus-spyware</link>
                                                                            <description>
                            <![CDATA[ Apple breaks its bug bounty record with $2 million top prize, alongside $10 million grant funding, as it launches industry-first protections for highly targeted individuals ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">5HPd3N7J9oWcNuczFQw3XK</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/mdS4Q7FapaaKdQJmDnbvjA-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 07 Jul 2022 09:51:29 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/mdS4Q7FapaaKdQJmDnbvjA-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A blue model of the iPhone 12 Pro]]></media:description>                                                            <media:text><![CDATA[A blue model of the iPhone 12 Pro]]></media:text>
                                <media:title type="plain"><![CDATA[A blue model of the iPhone 12 Pro]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/mdS4Q7FapaaKdQJmDnbvjA-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Apple has teased an upcoming security initiative for iPhone, iPad, and Mac users who believe they may be targeted of state-sponsored spyware campaigns in the mould of Pegasus, Predator, and Hermit.</p><p>Lockdown Mode, which is coming to iOS 16, iPad OS 16 and macOS Ventura in autumn, will implement stricter security measures on Apple devices to combat the exfiltration or monitoring of sensitive data flowing in and out of Apple hardware.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/361971/el-salvador-becomes-latest-country-targeted-by-pegasus" data-original-url="/security/spyware/361971/el-salvador-becomes-latest-country-targeted-by-pegasus">El Salvador becomes latest target of Pegasus spyware</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/361639/apple-sues-nso-group-over-pegasus-attacks-on-its-customers" data-original-url="/security/spyware/361639/apple-sues-nso-group-over-pegasus-attacks-on-its-customers">Apple sues NSO Group over Pegasus attacks on its customers</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/360682/bahrain-targets-activists-with-nsos-pegasus-spyware" data-original-url="/security/spyware/360682/bahrain-targets-activists-with-nsos-pegasus-spyware">Bahrain targets activists with NSO's Pegasus spyware</a></p></div></div><p>The feature will offer “extreme, optional protection for the very small number of users who face grave, targeted threats to their digital security”.</p><p>Embattled Israeli outfit <a href="https://www.itpro.com/security/spyware/361529/nso-group-ceo-quits-us-sanctions-pegasus-spyware" data-original-url="https://www.itpro.com/security/spyware/361529/nso-group-ceo-quits-us-sanctions-pegasus-spyware">NSO Group’s Pegasus spyware</a> is perhaps the most infamous programme of this kind, having been found on the devices of numerous high-profile individuals over the past several years, including murdered Saudi journalist Jamal Khashoggi.</p><p>Despite being discovered years ago, and with Apple releasing security patches to prevent it infecting devices, Pegasus continues to infect individuals’ devices today. </p><p>Reports from this year have indicated government officials in both the UK and <a href="https://www.itpro.com/security/spyware/361971/el-salvador-becomes-latest-country-targeted-by-pegasus" data-original-url="https://www.itpro.com/security/spyware/361971/el-salvador-becomes-latest-country-targeted-by-pegasus">El Salvador</a> have been targeted, years after the first known Pegasus case was reported.</p><p>“While the vast majority of users will never be the victims of highly targeted cyberattacks, Apple will work tirelessly to protect the small number of users who are,” <a href="https://twitter.com/radian/status/1544756898741727233">said</a> Ivan Krstić, head of security engineering and architecture at Apple on Twitter. “I’m deeply proud of our next steps, including a groundbreaking feature: Lockdown Mode.”</p><h2 id="technical-implementations">Technical implementations</h2><p>Apple calls Lockdown Mode a ‘first of its kind feature’ that'll offer a <a href="https://www.apple.com/uk/newsroom/2022/07/apple-expands-commitment-to-protect-users-from-mercenary-spyware">swathe of technical features</a> to keep the digital lives of targeted individuals safe from state-sponsored <a href="https://www.itpro.com/spyware/30001/what-is-spyware" target="_blank" data-original-url="https://www.itpro.com/spyware/30001/what-is-spyware">spyware</a>.</p><p>For messaging, Lockdown Mode will block most major attachment types, other than images, and block other features like link previews.</p><p>While Apple didn’t explicitly state the reason for this, the measure could have been implemented in relation to Pegasus previously being installed by <a href="https://www.itpro.com/security/exploits/360870/apple-patches-nso-forcedentry-zero-day-flaw" data-original-url="https://www.itpro.com/security/exploits/360870/apple-patches-nso-forcedentry-zero-day-flaw">exploiting a no-click vulnerability in Apple’s iMessage</a>.</p><p>A number of “complex web technologies” involved in on-device web browsing will also be blocked, Apple said. Things like just-in-time (JIT) <a href="https://www.itpro.com/development/30202/what-is-javascript-and-why-should-i-learn-it" target="_blank" data-original-url="https://www.itpro.com/development/30202/what-is-javascript-and-why-should-i-learn-it">JavaScript</a> compilation - a method of compiling code to make both execution and the overall experience faster - will be disabled unless a user whitelists a given website in Lockdown Mode’s settings, for example.</p><p>Incoming invitations and service requests such as FaceTime calls will be blocked for users who have never interacted with the initiator before, and wired connections to other computers or accessories will also be blocked when an iPhone is locked, Apple said.</p><p>Lastly, configuration profiles will not be able to be installed, nor can devices be enrolled into <a href="https://www.itpro.com/mobile/29775/best-mdm-solutions" target="_blank" data-original-url="https://www.itpro.com/mobile/29775/best-mdm-solutions">mobile device management (MDM)</a> programmes - combatting a method of spyware installation <a href="https://www.itpro.com/security/malware/368365/google-warns-of-isp-controlled-hermit-spyware" data-original-url="https://www.itpro.com/security/malware/368365/google-warns-of-isp-controlled-hermit-spyware">exploited by Hermit</a>. However, Krstić confirmed <a href="https://www.itpro.com/business-strategy/careers-training/367747/apple-completely-redesigns-it-certifications-mdm" data-original-url="https://www.itpro.com/business-strategy/careers-training/367747/apple-completely-redesigns-it-certifications-mdm">pre-existing MDM enrollment</a> is preserved after enabling Lockdown Mode.</p><p>Apple said it will continue to add additional features to Lockdown Mode over time and as user feedback is received. </p><p>It has also added a special category to its pre-existing bug bounty programme for Lockdown Mode bypasses, offering what it calls the largest potential payout for any bug bounty in the industry <em>–</em> $2 million (£1.67 million) <em>–</em> as a reward for the most severe submissions.</p><h2 id="10-million-fund">$10 million fund</h2><p>In addition to the launch of Lockdown Mode, Apple said it will be setting up a $10 million grant, plus any additional funds generated from the damages it receives in its <a href="https://www.itpro.com/security/spyware/361639/apple-sues-nso-group-over-pegasus-attacks-on-its-customers" data-original-url="https://www.itpro.com/security/spyware/361639/apple-sues-nso-group-over-pegasus-attacks-on-its-customers">ongoing lawsuit against Pegasus creators NSO Group</a>, to support organisations fighting highly targeted cyber attacks.</p><p>Such organisations could include those making efforts to quell state-sponsored spyware attacks, or those tasked with investigating and exposing the operators behind them - and other types of targeted attacks on digital security.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="d25pnmHteqMFEXehyV5g2n" name="d25pnmHteqMFEXehyV5g2n.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/d25pnmHteqMFEXehyV5g2n.png" mos="https://cdn.mos.cms.futurecdn.net/d25pnmHteqMFEXehyV5g2n.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Securing endpoints amid new threats</strong></p><p class="fancy-box__body-text">Ensuring employees have the flexibility and security to work remotely</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/technology/367650/securing-endpoints-amid-new-threats" data-original-url="/technology/367650/securing-endpoints-amid-new-threats">FREE DOWNLOAD</a></p></div></div><p>The grant will be made available to the Dignity and Justice Fund which expects to issue the first round of grants in late 2022 or early 2023.</p><p>“There is now undeniable evidence from the research of the Citizen Lab and other organisations that the mercenary surveillance industry is facilitating the spread of authoritarian practices and massive human rights abuses worldwide,” said Ron Deibert, director at Citizen Lab, a research group at the University of Toronto long-famed for its <a href="https://www.itpro.com/security/34715/us-allies-targeted-by-whatsapp-video-hack" data-original-url="https://www.itpro.com/security/34715/us-allies-targeted-by-whatsapp-video-hack">investigations into state-sponsored spyware</a>. </p><p>“I applaud Apple for establishing this important grant, which will send a strong message and help nurture independent researchers and advocacy organisations holding mercenary spyware vendors accountable for the harms they are inflicting on innocent people.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ El Salvador becomes latest target of Pegasus spyware ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/spyware/361971/el-salvador-becomes-latest-country-targeted-by-pegasus</link>
                                                                            <description>
                            <![CDATA[ The list of nations with access to Pegasus is growing, with evidence pointing to potential links between 35 confirmed Pegasus cases and the Salvadoran government ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">bVueqReuCZ3D7HqurxJVtC</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/WwNVrwL4LaXC6fzF24hrcL-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 13 Jan 2022 13:07:07 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/WwNVrwL4LaXC6fzF24hrcL-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The Apple logo displayed on a store building in Washington, DC]]></media:description>                                                            <media:text><![CDATA[The Apple logo displayed on a store building in Washington, DC]]></media:text>
                                <media:title type="plain"><![CDATA[The Apple logo displayed on a store building in Washington, DC]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/WwNVrwL4LaXC6fzF24hrcL-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Multiple cases of the covert Pegasus spyware have been found targeting journalists and activists in El Salvador, a report from Citizen Lab at the University of Toronto has revealed.</p><p>A total of 35 cases were confirmed after journalists and members of civil society <a href="https://citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware">contacted Citizen Lab</a> to analyse their devices after becoming suspicious of a Pegasus infection, which allows operators to surreptitiously install information-harvesting and remote monitoring tools on targeted iPhones.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/361760/nso-group-reportedly-hacked-multiple-us-officials" data-original-url="/security/spyware/361760/nso-group-reportedly-hacked-multiple-us-officials">NSO Group reportedly hacked multiple US officials</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/361639/apple-sues-nso-group-over-pegasus-attacks-on-its-customers" data-original-url="/security/spyware/361639/apple-sues-nso-group-over-pegasus-attacks-on-its-customers">Apple sues NSO Group over Pegasus attacks on its customers</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/360276/journalists-human-rights-activists-targeted-with-pegasus-spyware" data-original-url="/security/spyware/360276/journalists-human-rights-activists-targeted-with-pegasus-spyware">Pegasus: Report finds spyware used to target journalists, activists</a></p></div></div><p>Targets included journalists at Salvadoran news outlets <em>El Faro, GatoEncerrado, La Prensa Gráfica, Revista Digital Disruptiva, Diario El Mundo, El Diario de Hoy</em>, and two independent journalists.</p><p>Fundación DTJ - an NGO promoting transparency in the Salvadoran justice system, Cristosal - a school on human rights, and another unnamed NGO were also successfully targeted by Pegasus, Citizen Lab said.</p><p>Developed by Israeli outfit NSO Group, <a href="https://www.itpro.com/security/spyware/360276/journalists-human-rights-activists-targeted-with-pegasus-spyware" data-original-url="https://www.itpro.com/security/spyware/360276/journalists-human-rights-activists-targeted-with-pegasus-spyware">Pegasus has been used to target a number of high-profile journalists, activists</a>, and <a href="https://www.itpro.com/security/spyware/361760/nso-group-reportedly-hacked-multiple-us-officials" data-original-url="https://www.itpro.com/security/spyware/361760/nso-group-reportedly-hacked-multiple-us-officials">diplomatic figures</a> in recent years, including prominent journalist and Saudi critic Jamal Khashoggi who was murdered in 2018.</p><p>Many of the affected individuals received notifications from <a href="https://www.itpro.com/software/apple" data-original-url="https://www.itpro.com/search/apple">Apple</a> on their devices indicating they may have been a victim of a state-sponsored spyware campaign. Apple <a href="https://www.itpro.com/security/spyware/361639/apple-sues-nso-group-over-pegasus-attacks-on-its-customers" data-original-url="https://www.itpro.com/security/spyware/361639/apple-sues-nso-group-over-pegasus-attacks-on-its-customers">launched a lawsuit against NSO Group the same day</a>.</p><p>The confirmed cases were corroborated by Amnesty International’s Security Lab, an independent analysis group that drew the same conclusions as Citizen Lab.</p><h3 class="article-body__section" id="section-uncovering-pegasus"><span>Uncovering Pegasus</span></h3><p>The researchers said attribution is typically difficult in Pegasus cases due to the way the <a href="https://www.itpro.com/spyware/30001/what-is-spyware" data-original-url="https://www.itpro.com/spyware/30001/what-is-spyware">spyware</a> hides key data, but in this case, the analysis revealed one operator operating almost exclusively on El Salvador soil since at least November 2019.</p><p>Citizen Lab researchers refer to this individual as TOROGOZ and have connected the operator to an infection attempt against the <em>El Faro</em> news organisation.</p><p>"While there is no conclusive technical evidence that TOROGOZ represents the Salvadoran government, the strong country-specific focus of the infections suggests that this is very likely," <a href="https://citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware">the Citizen Lab report said</a>. "Additionally, in the single case of hacking in this investigation in which we recovered the domain names of the Pegasus servers used, the TOROGOZ operator was implicated."</p><iframe frameborder="0" height="200px" width="100%" data-lazy-priority="high" data-lazy-src="https://widget.spreaker.com/player?episode_id=44665057&theme=light&playlist=false&playlist-continuous=false&autoplay=false&live-autoplay=false&chapters-image=true&episode_image_position=right&hide-logo=false&hide-likes=true&hide-comments=true&hide-sharing=true&hide-download=true&color=ffe019"></iframe><p>The researchers were unable to attribute the attacks to NSO Group or the El Salvador administration, but found evidence that strongly suggested the operator had ties with the country's government.</p><p>The timing of the attacks coincided with moments at which the affected organisations were working on issues with great interest to President Nayib Bukele - perhaps best known in the technology community as the brainchild of El Salvador's <a href="https://www.itpro.com/technology/cryptocurrencies/361618/el-salvador-announces-plans-to-build-a-bitcoin-city" data-original-url="https://www.itpro.com/technology/cryptocurrencies/361618/el-salvador-announces-plans-to-build-a-bitcoin-city">volcano-powered Bitcoin city</a> and the decision-maker in <a href="https://www.itpro.com/technology/cryptocurrencies/360905/el-salvador-protests-bitcoin-adoption" data-original-url="https://www.itpro.com/technology/cryptocurrencies/360905/el-salvador-protests-bitcoin-adoption">adopting Bitcoin as an official national currency</a> in 2021.</p><p>TOROGOZ's "near-total focus of infections within El Salvador" was another clue linking the cases to the government, Citizen Lab said, as well as one individual from <em>El Faro</em> being targeted with Pegasus' telltale zero-click FORCEDENTRY exploit which is patched on more recent <a href="https://www.itpro.com/software/apple" data-original-url="https://www.itpro.com/search/ios">iOS</a> versions.</p><p>NSO Group has consistently denied any wrongdoing and claims Pegasus is a national security tool that is not used for malicious purposes, including state-sponsored espionage. A 2021 <a href="https://www.itpro.com/security/spyware/360276/journalists-human-rights-activists-targeted-with-pegasus-spyware" data-original-url="https://www.itpro.com/security/spyware/360276/journalists-human-rights-activists-targeted-with-pegasus-spyware">investigation</a> found at least ten countries had access to Pegasus and El Salvador was not previously included in that list.</p><h3 class="article-body__section" id="section-technical-analysis-of-the-attacks"><span>Technical analysis of the attacks</span></h3><p>Two zero-click exploit chains were used against the targeted journalists: KISMET and FORCEDENTRY. The latter of these two exploits affects older versions of iOS but was sent to an <em>El Faro </em>journalist's patched iPhone. Citizen Lab said it's unclear why a patched device was targeted with FORCEDENTRY but it may indicate that operators may not always be able to determine the device's iOS version before launching an attack.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="hqxjmaqbxyxnQ7e4kT2cXa" name="hqxjmaqbxyxnQ7e4kT2cXa.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/hqxjmaqbxyxnQ7e4kT2cXa.jpg" mos="https://cdn.mos.cms.futurecdn.net/hqxjmaqbxyxnQ7e4kT2cXa.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>The secure cloud configuration imperative</strong></p><p class="fancy-box__body-text">The central role of cloud security posture management</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/cloud/359672/the-secure-cloud-configuration-imperative" data-original-url="/cloud/359672/the-secure-cloud-configuration-imperative">FREE DOWNLOAD</a></p></div></div><p>KISMET is another exploit chain that requires no user interaction with a device in order to achieve infection. First disclosed in 2020, it too is now patched in more recent versions of iOS but was used in attacks launched between July and December 2020, on devices running iOS versions 13.5.1 to 13.7.</p><p>Researchers are only able to extract a forensic artefact from the KISMET exploit chain, rather than the full exploit, but it is thought to utilise .JPG attachments and an old iMessage flaw.</p><p>There are also variants of Pegasus available for <a href="https://www.itpro.com/android/28189/how-to-build-android-apps" data-original-url="https://www.itpro.com/android/28189/how-to-build-android-apps">Android</a> smartphones too, which is "capable of extracting data from popular messengers such as WhatsApp, Facebook, and Viber, as well as email clients and browsers," said Jakub Vavra, Mobile Threat Analyst at Avast, speaking to <em>IT Pro.</em> </p><p>"The spyware is capable of remote surveillance through microphone and camera as well as taking screenshots of the user’s screen and keylogging the user's inputs. These features make it a dangerous tool that can be misused to spy on unwitting individuals."</p><h3 class="article-body__section" id="section-el-salvador-media-and-political-landscape"><span>El Salvador media and political landscape</span></h3><p>El Salvador has a troubled history tainted with cases of authoritarianism and coups - in addition to organised crime, drug trafficking, and corruption. Civil war ravaged the country in the late 1900s which left a legacy of political and military corruption.</p><p>There are plenty of critical news organisations in the region, but journalists face challenges in the form of press freedoms and access to information. The country is often ranked poorly in terms of the level of freedom given to the press - it ranks 82nd for press freedom <a href="https://rsf.org/en/el-salvador">according to Reporters Without Borders</a> - and there are a number of cases where journalists have been <a href="https://apes.org.sv/alertas/delegados-de-la-presidencia-bloquean-a-periodistas-de-el-faro-y-factum-a-conferencia-de-prensa">blocked from attending events</a> such as government conferences.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Egyptian exiles targeted with Predator spyware resembling NSO Group's Pegasus ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/spyware/361868/egyptian-exiles-targeted-with-predator-spyware</link>
                                                                            <description>
                            <![CDATA[ A high-profile politician and journalist have been targeted with spyware likely spread using WhatsApp messages ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">siePtM439iVBub2P814ER3</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/bpMeWNKrAxSZDEqYcWcReV-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 17 Dec 2021 13:08:15 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/bpMeWNKrAxSZDEqYcWcReV-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A cheetah obscured by foliage while stalking prey]]></media:description>                                                            <media:text><![CDATA[A cheetah obscured by foliage while stalking prey]]></media:text>
                                <media:title type="plain"><![CDATA[A cheetah obscured by foliage while stalking prey]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/bpMeWNKrAxSZDEqYcWcReV-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A new strain of spyware targeting high-profile exiled politicians and journalists has been discovered by the same organisation that investigated and alerted the world to NSO Group's Pegasus tool.</p><p>Two Egyptian exiles, a politician and a journalist, were found to have had their <a href="https://www.itpro.com/hardware/mobile-phones/iphone" data-original-url="https://www.itpro.com/search/iphone">Apple iPhones</a> infected with Predator spyware in June 2021, following an <a href="http://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware">inspection by Citizen Lab</a>.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/361760/nso-group-reportedly-hacked-multiple-us-officials" data-original-url="/security/spyware/361760/nso-group-reportedly-hacked-multiple-us-officials">NSO Group reportedly hacked multiple US officials</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">What's behind the explosion in zero-day exploits?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/spyware/30001/what-is-spyware" data-original-url="/spyware/30001/what-is-spyware">What is spyware?</a></p></div></div><p>Predator is regarded as being a program with similar capabilities to <a href="https://www.itpro.com/security/spyware/361760/nso-group-reportedly-hacked-multiple-us-officials" data-original-url="https://www.itpro.com/security/spyware/361760/nso-group-reportedly-hacked-multiple-us-officials">NSO Group's Pegasus</a>, which was used to target figures such as journalist and Saudi critic Jamal Khashoggi.</p><p>Predator is built and sold by North Macedonian startup Cytrox, which Citizen Lab researchers believe has a number of government clients across Africa, Eastern Europe, and the Middle East. It's also thought to have private customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.</p><p>The Predator <a href="https://www.itpro.com/spyware/30001/what-is-spyware" data-original-url="https://www.itpro.com/spyware/30001/what-is-spyware">spyware</a> offers similar surveillance capabilities to Pegasus but is less technical in its exploitation approach. Instead of utilising an undisclosed <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day</a> vulnerability in iOS, it instead operates using a <a href="https://www.itpro.com/security/29093/what-is-phishing" data-original-url="https://www.itpro.com/security/29093/what-is-phishing">phishing</a>-like attack framework using links sent via <a href="https://www.itpro.com/tag/whatsapp" data-original-url="https://www.itpro.com/search/whatsapp">WhatsApp</a> messages that lead to one-click infections.</p><p>An iPhone belonging to Ayman Nour, former Egyptian presidential candidate and president of the Egyptian political opposition group Union of the Egyptian National Forces, was found in June 2021 to be infected with both Predator and Pegasus spyware at the same time, with the hacks conducted by two separate government clients.</p><p>Citizen Lab believes with medium-to-high confidence the Predator attacks on both Egyptian exiles were ordered by the Egyptian government as a Cytrox customer.</p><p>Nour's iPhone is said to have been repeatedly attacked with Pegasus Spyware since March 2021 using the NSO Group's iOS zero-day FORCEDEXPLOIT. Phone logs also showed a number of processes related to Predator spyware running on the device, with researchers concluding that clicking on links sent to Nour via WhatsApp from an Egyptian number purporting to be a Dr Rania Shhab led to the phone being infected with Predator.</p><p>Nour was first alerted to the possibility of a hack when he noticed his phone running unusually hot - an indicator which later revealed two separate surveillance tools running at the same time.</p><p>The second target, an exiled Egyptian journalist who wished to remain anonymous, received similar texts from a number purporting to be an assistant editor at the <em>Al Masry Al Youm</em> newspaper.</p><iframe frameborder="0" height="200px" width="100%" data-lazy-priority="low" data-lazy-src="https://widget.spreaker.com/player?episode_id=44665057&theme=light&playlist=false&playlist-continuous=false&autoplay=false&live-autoplay=false&chapters-image=true&episode_image_position=right&hide-logo=false&hide-likes=true&hide-comments=true&hide-sharing=true&hide-download=true&color=ffe019"></iframe><p>Citizen Lab was only able to obtain samples of Predator's loader, not the entire exploit, which it believes remains active in the wild. The organisation's analysis showed Predator persists on <a href="https://www.itpro.com/mobile/30409/android-vs-ios-which-mobile-os-is-right-for-you" data-original-url="https://www.itpro.com/mobile/30409/android-vs-ios-which-mobile-os-is-right-for-you">iOS</a> even after rebooting, using Apple's automation feature.</p><p>From its initial inspection in June 2021, Citizen Lab said the spyware was able to infect the then-latest iOS version (version 14.6) but it's unclear if the current version of Apple's mobile operating system is vulnerable too. <em>IT Pro</em> contacted Apple for clarity but it did not reply in time for publication, though it told Citizen Lab it was investigating the issue.</p><p>Cytrox is believed to be part of Intellexa, a collective of spyware groups formed to compete with the now-financially struggling NSO Group. Intellexa describes itself as EU-based and regulated with six sites and R&D labs throughout Europe, Citizen Lab said.</p><p>Knowledge of the 'spyware alliance' is "murky at best", Citizen Lab said, but it's thought the group was formed in 2019 and now operates out of Greece after first basing itself in Cyprus.</p><p><a href="https://www.itpro.com/tag/facebook" data-original-url="https://www.itpro.com/search/meta">Meta</a> released a report following Citizen Lab's findings announcing it was taking action against surveillance-for-hire groups. Cytrox, along with others unrelated to Intellexa, were specifically named in the <a href="https://about.fb.com/wp-content/uploads/2021/12/Threat-Report-on-the-Surveillance-for-Hire-Industry.pdf">report</a>. Meta already banned and sued NSO Group in 2019 for its surveillance programme.</p><p>Pages belonging to a total of seven companies known for surveilling others using a mercenary business model have been banned by Meta, and it has also alerted around 50,000 individuals it believes may have been targeted by the companies.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ NSO Group reportedly hacked multiple US officials  ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/spyware/361760/nso-group-reportedly-hacked-multiple-us-officials</link>
                                                                            <description>
                            <![CDATA[ Apple informed the US State Department that it found a number of cases of staff iPhones being hacked with Pegasus spyware ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">3BWFnwTJ92d22JxrQ2B6XC</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/MKjCcurycVHfKp299eFZiP-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 06 Dec 2021 11:40:34 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/MKjCcurycVHfKp299eFZiP-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The NSO Group logo on a smartphone that&amp;#039;s been placed on a keyboard]]></media:description>                                                            <media:text><![CDATA[The NSO Group logo on a smartphone that&amp;#039;s been placed on a keyboard]]></media:text>
                                <media:title type="plain"><![CDATA[The NSO Group logo on a smartphone that&amp;#039;s been placed on a keyboard]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/MKjCcurycVHfKp299eFZiP-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A number of US officials have been reportedly been contacted by Apple informing them that their iPhones have been hacked by NSO Group. </p><p>Early efforts have led investigators to believe that the hack was carried out using the Pegasus tool developed by Israel-based NSO Group. The company was only recently added to the US’ entity list.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/361639/apple-sues-nso-group-over-pegasus-attacks-on-its-customers" data-original-url="/security/spyware/361639/apple-sues-nso-group-over-pegasus-attacks-on-its-customers">Apple sues NSO Group over Pegasus attacks on its customers</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/361529/nso-group-ceo-quits-us-sanctions-pegasus-spyware" data-original-url="/security/spyware/361529/nso-group-ceo-quits-us-sanctions-pegasus-spyware">CEO of spyware firm NSO Group quits after US sanctions</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/privacy/355231/facebook-tried-to-buy-spyware-firm-its-now-suing-to-monitor-ios-users" data-original-url="/security/privacy/355231/facebook-tried-to-buy-spyware-firm-its-now-suing-to-monitor-ios-users">Facebook tried to buy NSO Group's Pegasus spyware to monitor iOS users</a></p></div></div><p>The attacks targeted US State Department staff either working in Uganda or focusing their work on matters related to the African country, according to <a href="https://www.reuters.com/technology/exclusive-us-state-department-phones-hacked-with-israeli-company-spyware-sources-2021-12-03"><em>Reuters</em></a> which first reported the story. </p><p>The attacks are believed to have taken place over the past few months and initial reporting revealed at least nine staff were successfully targeted, with <a href="https://www.wsj.com/articles/apple-notified-state-department-employees-of-phone-hacking-linked-to-nso-group-software-11638568687">other reports</a> suggesting the number might be slightly higher at 11.</p><p>NSO Group published a statement on Friday saying it plans to investigate the situation and terminate the contract it has with whatever country is found to have misused the Pegasus tool.</p><p>“Last night, following an inquiry we received alleging Ugandan phone numbers used by US government officials were hacked, we immediately shut down all the customers potentially relevant to this case, due to the severity of the allegations, and even before we began the investigation,” said NSO Group.</p><p>“This termination took place despite the fact that there is no indication the phones were targeted by NSO’s technology. The claims of all involved parties specifically mentioned there is no indication, let alone proof, that it was NSO’s tools that were used by these customers.”</p><p><em>IT Pro</em> contacted the US State Department and Apple for comment but neither replied at the time of the publication. Both have declined to comment to other media. </p><p>NSO Group has faced numerous challenges in the previous few months. Most recently, Apple <a href="https://www.itpro.com/security/spyware/361639/apple-sues-nso-group-over-pegasus-attacks-on-its-customers" data-original-url="https://www.itpro.com/security/spyware/361639/apple-sues-nso-group-over-pegasus-attacks-on-its-customers">filed a lawsuit</a> against the company for allegedly hacking Apple users and violating US laws.</p><p>Since the group was linked to Pegasus, the highly invasive spying tool made by NSO Group and licensed to other countries with approval from the Israeli government, many western countries have turned their backs on the company.</p><p>The US government <a href="https://www.itpro.com/security/cyber-security/361467/us-bars-israeli-nso-group-for-selling-spyware" data-original-url="https://www.itpro.com/security/cyber-security/361467/us-bars-israeli-nso-group-for-selling-spyware">added NSO Group to its entity list</a> which heavily restricts the business opportunities of those on the list with the US.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="7Yjb3YDJvnvaBQf788mwLW" name="7Yjb3YDJvnvaBQf788mwLW.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/7Yjb3YDJvnvaBQf788mwLW.jpg" mos="https://cdn.mos.cms.futurecdn.net/7Yjb3YDJvnvaBQf788mwLW.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Network virtualisation for dummies</strong></p><p class="fancy-box__body-text">Why you need to virtualise your network</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/cloud/virtualisation/361746/network-virtualisation" data-original-url="/cloud/virtualisation/361746/network-virtualisation">FREE DOWNLOAD</a></p></div></div><p>It was this development that led newly appointed CEO Isaac Benbenisti to <a href="https://www.itpro.com/security/spyware/361529/nso-group-ceo-quits-us-sanctions-pegasus-spyware" data-original-url="https://www.itpro.com/security/spyware/361529/nso-group-ceo-quits-us-sanctions-pegasus-spyware">quit the post</a> before he even started at the company.</p><p>As well as reportedly being <a href="https://www.bloomberg.com/news/articles/2021-11-12/spyware-firm-nso-group-drops-deeper-into-distress-after-ceo-exit">faced with significant financial difficulty</a>, NSO Group has continually battled the allegations fielded to it, that it helps rogue nations attack activists, journalists, and other individuals deemed to be threats. </p><p>Notable victims of the Pegasus spyware include Jamal Khashoggi, a prominent critic of the Saudi Arabian government, whose phone was found to have Pegasus installed on it after he was murdered in Istanbul in 2018.</p><p>NSO Group remains firm on its stance that Pegasus is not a tool to be used for malicious purposes and instead Pegasus is bought and used by governments for good, like combatting terrorism.</p><p>The company has said it installed security controls in Pegasus which prevent <a href="https://www.itpro.com/spyware/30001/what-is-spyware" data-original-url="https://www.itpro.com/spyware/30001/what-is-spyware">spying</a> on innocent targets. For example, Pegasus cannot be used on US phone numbers, those beginning with a +1 country code.</p><p>The US officials found to have Pegasus on their iPhones were using Ugandan-registered phones, reports indicate, which means the country code would have been different and perhaps not included in the security controls for innocents.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Chinotto spyware spies on North Korean defectors and activists ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/spyware/361684/new-chinotto-spyware-spies-on-north-korean-defectors-and-activists</link>
                                                                            <description>
                            <![CDATA[ Long term operation by ScarCruft hackers has been linked to the North Korean government ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">fqVXzUjc8oyAP8CTGMXoRA</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/odk8ZSinsL42PxYiMaFHy7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 30 Nov 2021 08:56:30 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/odk8ZSinsL42PxYiMaFHy7-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Computer code on a screen with a skull representing a computer virus / malware attack.]]></media:description>                                                            <media:text><![CDATA[Computer code on a screen with a skull representing a computer virus / malware attack.]]></media:text>
                                <media:title type="plain"><![CDATA[Computer code on a screen with a skull representing a computer virus / malware attack.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/odk8ZSinsL42PxYiMaFHy7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>New <a href="https://www.itpro.com/tag/spyware" data-original-url="https://www.itpro.com/spyware">spyware</a> has been discovered by security researchers that snoops on North Korean defectors and journalists that cover news on the Korean peninsula.</p><p>Dubbed Chinotto, the spyware is linked to a gang of hackers called ScarCruft, a group is linked to the North Korean government. The hackers are also known as APT37 or Temp.Reaper.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/361529/nso-group-ceo-quits-us-sanctions-pegasus-spyware" data-original-url="/security/spyware/361529/nso-group-ceo-quits-us-sanctions-pegasus-spyware">CEO of spyware firm NSO Group quits after US sanctions</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/hacking/360851/dual-citizen-sentenced-to-11-years-for-laundering-money" data-original-url="/security/hacking/360851/dual-citizen-sentenced-to-11-years-for-laundering-money">Dual citizen sentenced to 11 years for role in North Korean crypto hacking scheme</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-security/361467/us-bars-israeli-nso-group-for-selling-spyware" data-original-url="/security/cyber-security/361467/us-bars-israeli-nso-group-for-selling-spyware">US sanctions Israeli NSO Group for selling spyware</a></p></div></div><p>"The actor utilized three types of malware with similar functionalities: versions implemented in PowerShell, Windows executables, and Android applications," said researchers at Kaspersky. </p><p>"Although intended for different platforms, they share a similar command and control scheme based on HTTP communication. Therefore, the malware operators can control the whole malware family through one set of command-and-control scripts."</p><p>According to a <a href="https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074">blog post</a> by Kaspersky, hackers contact an acquaintance of the victim using the victim’s stolen Facebook account and already knew that the potential target ran a business related to North Korea and asked about its current status. </p><p>Following conversations on Facebook, a spear-phishing email is sent to the potential victim using a stolen email account. This email contains a password protected RAR archive with the password shown in the email body. The RAR file contains a malicious Word document that acts as a lure related to North Korea.</p><p>This word document when opened executes a macro and decrypts another payload embedded in the document. This Visual Basic Application (VBA) payload contains shellcode as a hex string. This script is responsible for injecting the shellcode into the process notepad.exe. The shellcode contains the URL to fetch the next stage payload. After fetching the payload, the shellcode decrypts it with trivial single-byte XOR decryption.</p><p>Researchers couldn’t gather the final payload when they investigated this sample. However, they did work out that one of the malware’s victims was breached on March 22, 2021, based on a file timestamp.</p><p>The Chinotto malware collected screenshots and exfiltrated them between August 6, 2021, and September 8, 2021. </p><p>In addition to a Windows version, Chinotto also has an Android version that carries out similar tasks. Researchers said the Android malware requests excessive permissions according to the AndroidManifest.xml file</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="QDksvAYJFwkcCugTbPvwS9" name="QDksvAYJFwkcCugTbPvwS9.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/QDksvAYJFwkcCugTbPvwS9.png" mos="https://cdn.mos.cms.futurecdn.net/QDksvAYJFwkcCugTbPvwS9.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Protecting every edge to make hackers’ jobs harder, not yours</strong></p><p class="fancy-box__body-text">How to support and secure hybrid architectures</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/firewalls/361592/protecting-every-edge-to-make-hackers-jobs-harder-not-yours" data-original-url="/security/firewalls/361592/protecting-every-edge-to-make-hackers-jobs-harder-not-yours">FREE DOWNLOAD</a></p></div></div><p>“To achieve its purpose of spying on the user, these apps ask users to enable various sorts of permissions. Granting these permissions allows the apps to collect sensitive information, including contacts, messages, call logs, device information, and audio recordings,” said researchers.</p><p>"Many journalists, defectors, and human rights activists are targets of sophisticated cyberattacks," they added. "Unlike corporations, these targets typically don't have sufficient tools to protect against and respond to highly skilled surveillance attacks."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Apple sues NSO Group over Pegasus attacks on its customers ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/spyware/361639/apple-sues-nso-group-over-pegasus-attacks-on-its-customers</link>
                                                                            <description>
                            <![CDATA[ The lawsuit claims 'flagrant' violations of US federal and state law from the Israeli firm behind the infamous spyware ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">nXUYiX8SLJb7RXWpkZCHcn</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/kdWQYRnebCeRMuWc86udma-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 24 Nov 2021 10:35:53 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Apple]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/kdWQYRnebCeRMuWc86udma-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Apple logo on the side of a building]]></media:description>                                                            <media:text><![CDATA[Apple logo on the side of a building]]></media:text>
                                <media:title type="plain"><![CDATA[Apple logo on the side of a building]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/kdWQYRnebCeRMuWc86udma-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Apple has filed a lawsuit against Israel-based NSO Group for allegedly hacking Apple users and violating US federal and state laws.</p><p>In addition to the lawsuit against NSO Group and its parent company OSY Technologies, Apple will also seek a permanent injunction to ban NSO Group from using any product made by Apple, including software, hardware, and services.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-security/361467/us-bars-israeli-nso-group-for-selling-spyware" data-original-url="/security/cyber-security/361467/us-bars-israeli-nso-group-for-selling-spyware">US sanctions Israeli NSO Group for selling spyware</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/360276/journalists-human-rights-activists-targeted-with-pegasus-spyware" data-original-url="/security/spyware/360276/journalists-human-rights-activists-targeted-with-pegasus-spyware">Pegasus: Report finds spyware used to target journalists, activists</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/exploits/360870/apple-patches-nso-forcedentry-zero-day-flaw" data-original-url="/security/exploits/360870/apple-patches-nso-forcedentry-zero-day-flaw">Apple patches zero-day flaw abused by infamous NSO exploit</a></p></div></div><p>Apple said NSO Group has created "sophisticated, state-sponsored surveillance technology" to allow whoever purchases a licence to use it to surveil a highly targeted, small selection of individuals.</p><p>NSO Group is most famous for creating the Pegasus spyware capable of monitoring and stealing information from specific targets' devices and allegedly selling it to nation-states.</p><p>"State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, senior vice president of software engineering at Apple.</p><p>“Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous," he added. "While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.”</p><p>Apple plans to reveal new information about the FORCEDENTRY exploit Pegasus used to gain access to the microphone, camera, and sensitive data on iOS and Android devices as part of the lawsuit.</p><h3 class="article-body__section" id="section-nso-group-39-s-hacking-history"><span>NSO Group's hacking history</span></h3><p>The exploit was first discovered by Citizen Lab researchers based at the University of Toronto. Apple <a href="https://www.itpro.com/security/exploits/360870/apple-patches-nso-forcedentry-zero-day-flaw" data-original-url="https://www.itpro.com/security/exploits/360870/apple-patches-nso-forcedentry-zero-day-flaw">patched</a> this no-click <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day</a> vulnerability in September this year which saw bad actors able to send malicious iMessages and infect a victim's iPhone, iPad, Apple Watch, and Mac without any user intervention.</p><p>"Part of [NSO Group's] pitch is you don’t need much sophistication; just sit at this console, enter a phone number, and presto, you can start pulling data from that phone," said John Scott-Railton, senior researcher at Citizen Lab to the <a href="http://darknetdiaries.com"><em>Darknet Diaries</em></a> podcast. "Their business model is kind of somewhere between hacking as a service and the provision of software.</p><p>"Basically what they’re offering to their customers is the ability to target an arbitrary cell phone and gain access and persistence," he added.</p><p>Earlier this year, a joint investigation by 17 global media organisations <a href="https://www.itpro.com/security/spyware/360276/journalists-human-rights-activists-targeted-with-pegasus-spyware" data-original-url="https://www.itpro.com/security/spyware/360276/journalists-human-rights-activists-targeted-with-pegasus-spyware">revealed</a> that Pegasus spyware was sold to authoritarian governments and then targeted at least 50,000 journalists, government officials, human rights activists, and other high-profile figures.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="TDWPShop8idtg5y5PK4Eu4" name="TDWPShop8idtg5y5PK4Eu4.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/TDWPShop8idtg5y5PK4Eu4.png" mos="https://cdn.mos.cms.futurecdn.net/TDWPShop8idtg5y5PK4Eu4.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Hybrid cloud for video surveillance</strong></p><p class="fancy-box__body-text">What it is and why you'll want one</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/cloud/360218/hybrid-cloud-for-video-surveillance" data-original-url="/cloud/360218/hybrid-cloud-for-video-surveillance">FREE DOWNLOAD</a></p></div></div><p>In perhaps the most high-profile Pegasus case to date, forensic investigations following the high-profile killing of journalist Jamal Khashoggi in 2018, ordered by the Saudi Arabian government - an NSO Group client, revealed <a href="https://www.pbs.org/wgbh/frontline/article/how-nso-group-pegasus-spyware-found-jamal-khashoggi-fiancee-phone">Pegasus spyware was found on his mobile phone</a>.</p><p>Asked directly about whether it knows that Pegasus was being used to surveil journalists and violate human rights, Shalev Hulio, co-founder of and the 'S' in NSO Group, said to <em>Darknet Diaries</em>: "I only say that we are selling Pegasus in order to prevent crime and terror".</p><p>That's the typical line given to media from NSO Group which believes Pegasus has saved the lives of tens of thousands of people.</p><h3 class="article-body__section" id="section-us-sanctions-and-financial-instability"><span>US sanctions and financial instability</span></h3><p>The US <a href="https://www.itpro.com/security/cyber-security/361467/us-bars-israeli-nso-group-for-selling-spyware" data-original-url="https://www.itpro.com/security/cyber-security/361467/us-bars-israeli-nso-group-for-selling-spyware">imposed sanctions</a> on NSO Group in November 2021, along with three other companies, stipulating that no US companies may have any dealings with NSO Group without a license from the US government. </p><p>The move prompted NSO Group's CEO Isaac Benbenisti to <a href="https://www.itpro.com/security/spyware/361529/nso-group-ceo-quits-us-sanctions-pegasus-spyware" data-original-url="https://www.itpro.com/security/spyware/361529/nso-group-ceo-quits-us-sanctions-pegasus-spyware">quit the role he accepted less than a week prior</a>. Benbenisti hadn't even started his job at NSO Group before his resignation was announced a week after US sanctions were announced.</p><p>The sanctions had additional ripple effects on the company as <a href="https://www.bloomberg.com/news/articles/2021-11-12/spyware-firm-nso-group-drops-deeper-into-distress-after-ceo-exit"><em>Bloomberg</em></a> reported that Wall Street is now treating it as a distressed asset, which could lead to further revenue contraction, and that it is currently struggling to repay a $500 million (£374 million) debt.</p><p>NSO Group is reportedly facing cash flow issues and recent alleged attempts to generate further sales with nations such as France - <a href="https://www.technologyreview.com/2021/11/23/1040509/france-macron-nso-in-crisis-sanctions">an allegation France denies</a> - have failed.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ CEO of spyware firm NSO Group quits after US sanctions ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/spyware/361529/nso-group-ceo-quits-us-sanctions-pegasus-spyware</link>
                                                                            <description>
                            <![CDATA[ Company that supplied Pegasus spyware to authoritarian governments faces further investigation from US State Department ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">rBpdjSedXjzxvBmbDszJbu</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/aCEu6dRhRpjiiN2hYB4aWC-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 12 Nov 2021 13:06:51 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Careers and Training]]></category>
                                                    <category><![CDATA[Business]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sabina Weston ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/aCEu6dRhRpjiiN2hYB4aWC-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Person holding mobile phone with logo of technology company NSO Group Technologies Ltd. on screen in front of web page]]></media:description>                                                            <media:text><![CDATA[Person holding mobile phone with logo of technology company NSO Group Technologies Ltd. on screen in front of web page]]></media:text>
                                <media:title type="plain"><![CDATA[Person holding mobile phone with logo of technology company NSO Group Technologies Ltd. on screen in front of web page]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/aCEu6dRhRpjiiN2hYB4aWC-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The newly-appointed <a href="https://www.itpro.com/strategy/28224/ceo-job-description-what-does-a-ceo-do" data-original-url="https://www.itpro.com/strategy/28224/ceo-job-description-what-does-a-ceo-do">CEO</a> of Pegasus <a href="https://www.itpro.com/spyware/30001/what-is-spyware" data-original-url="https://www.itpro.com/spyware/30001/what-is-spyware">spyware</a>-maker NSO Group has handed in his resignation only two weeks after taking the helm.</p><p>Isaac ‘Itzik’ Benbenisti, who was named CEO of the Israel-based company on 31 October, had not yet started his job when he decided against replacing co-founder and acting CEO Shalev Hulio.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/privacy/355231/facebook-tried-to-buy-spyware-firm-its-now-suing-to-monitor-ios-users" data-original-url="/security/privacy/355231/facebook-tried-to-buy-spyware-firm-its-now-suing-to-monitor-ios-users">Facebook tried to buy NSO Group's Pegasus spyware to monitor iOS users</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/361088/malware-pretending-to-be-amnesty-international-antivirus-for-pegasus" data-original-url="/security/malware/361088/malware-pretending-to-be-amnesty-international-antivirus-for-pegasus">Malware pretending to be Amnesty International antivirus for Pegasus discovered</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/360682/bahrain-targets-activists-with-nsos-pegasus-spyware" data-original-url="/security/spyware/360682/bahrain-targets-activists-with-nsos-pegasus-spyware">Bahrain targets activists with NSO's Pegasus spyware</a></p></div></div><p>A spokesperson for NSO Group told <em>IT Pro</em> that Hulio "will remain in his position as CEO for the near future, due to the need for stability and continuity during this period".</p><p>Benbenisti’s departure is said to have been motivated by the <a href="https://www.itpro.com/security/cyber-security/361467/us-bars-israeli-nso-group-for-selling-spyware" data-original-url="https://www.itpro.com/security/cyber-security/361467/us-bars-israeli-nso-group-for-selling-spyware">trade ban imposed on NSO Group by the US Commerce Department</a> last week, according to reports from <a href="https://www.haaretz.com/israel-news/tech-news/.premium-nso-head-quits-after-two-weeks-on-the-job-amid-blacklisting-scandal-1.10375384"><em>Haaretz</em></a>.</p><p>The sanctions mean that NSO Group can no longer sell its products to US customers and is also barred from accessing US technologies, on grounds of national security.</p><p>Sources told the publication that Benbenisti had grown wary of the “ongoing challenges” faced by the company, including potential legal and financial repercussions, since it was <a href="https://www.itpro.com/security/spyware/360276/journalists-human-rights-activists-targeted-with-pegasus-spyware" data-original-url="https://www.itpro.com/security/spyware/360276/journalists-human-rights-activists-targeted-with-pegasus-spyware">outed as a spyware supplier to authoritarian governments</a>.</p><p>In July, an investigation conducted by 17 media organisations found that NSO Group’s Pegasus tool was used to target at least 50,000 journalists, government and union officials, human rights activists, business executives, religious figures, academics, NGO employees, and lawyers.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="zXqLgU99ufE8JGYcRWws9N" name="zXqLgU99ufE8JGYcRWws9N.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/zXqLgU99ufE8JGYcRWws9N.jpg" mos="https://cdn.mos.cms.futurecdn.net/zXqLgU99ufE8JGYcRWws9N.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>The Okta digital trust index</strong></p><p class="fancy-box__body-text">Exploring the human edge of trust</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/policy-legislation/data-protection/361514/the-okta-digital-trust-index" data-original-url="/policy-legislation/data-protection/361514/the-okta-digital-trust-index">FREE DOWNLOAD</a></p></div></div><p>Although at the time the greatest repercussion of the investigation was <a href="https://www.itpro.com/cloud/amazon-web-services-aws/360298/aws-shuts-down-nso-group-infrastructure" data-original-url="https://www.itpro.com/cloud/amazon-web-services-aws/360298/aws-shuts-down-nso-group-infrastructure">AWS’ decision to shut down NSO Group’s infrastructure and accounts</a>, the sanctions imposed by the US on 3 November have shown that the company is yet to face the full consequences of trading with authoritarian regimes.</p><p>This could also include an investigation by <a href="https://malinowski.house.gov/sites/malinowski.house.gov/files/Sec%20Blinken%20post%20NSO%20-%20final.pdf">the US State Department</a>, which last week was proposed by four members of Congress.</p><p>“We have closely tracked the parallel and reinforcing proliferation of commercially distributed surveillance and cyber-intrusion tools. These are extremely sensitive and powerful technologies used by foreign governments against Americans, as well as against journalists and civic activists," the joint statement on the proposed investigation read.</p><p>"While recent reporting confirmed that NSO Group's Pegasus software was used against journalists, human rights activists, and opposition politicians, many others are profiting from this new arms market."</p><p>This is the second resignation this year for Benbenisti, who in April stepped down as CEO of mobile network operator <a href="http://orange.co.il">Partner Communications</a> after six years in the role.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ US sanctions Israeli NSO Group for selling spyware ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-security/361467/us-bars-israeli-nso-group-for-selling-spyware</link>
                                                                            <description>
                            <![CDATA[ COSEINC and Positive Technologies were also blocked by the government ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">4cG1dTgU6XP3f3hJZS5uZz</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/MKjCcurycVHfKp299eFZiP-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 05 Nov 2021 15:58:33 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/MKjCcurycVHfKp299eFZiP-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The NSO Group logo on a smartphone that&amp;#039;s been placed on a keyboard]]></media:description>                                                            <media:text><![CDATA[The NSO Group logo on a smartphone that&amp;#039;s been placed on a keyboard]]></media:text>
                                <media:title type="plain"><![CDATA[The NSO Group logo on a smartphone that&amp;#039;s been placed on a keyboard]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/MKjCcurycVHfKp299eFZiP-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The US has banned Israeli company NSO Group, which sells the Pegasus <a href="https://www.itpro.com/tag/spyware" data-original-url="https://www.itpro.com/spyware">spyware</a>, and three other companies. </p><p>The prohibition means US companies wishing to import or export products or services related to NSO Group must now obtain a license from the government.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/business/business-strategy/360336/it-pro-news-in-review-aws-cuts-ties-with-nso-group-ibms-strong" data-original-url="/business/business-strategy/360336/it-pro-news-in-review-aws-cuts-ties-with-nso-group-ibms-strong">IT Pro News in Review: AWS cuts ties with NSO Group, IBM's strong growth, and HP patches hidden bug</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/cloud/amazon-web-services-aws/360298/aws-shuts-down-nso-group-infrastructure" data-original-url="/cloud/amazon-web-services-aws/360298/aws-shuts-down-nso-group-infrastructure">AWS shuts down NSO Group infrastructure</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/privacy/355231/facebook-tried-to-buy-spyware-firm-its-now-suing-to-monitor-ios-users" data-original-url="/security/privacy/355231/facebook-tried-to-buy-spyware-firm-its-now-suing-to-monitor-ios-users">Facebook tried to buy NSO Group's Pegasus spyware to monitor iOS users</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/354214/nso-group-workers-sue-facebook-for-blocking-private-accounts" data-original-url="/security/spyware/354214/nso-group-workers-sue-facebook-for-blocking-private-accounts">NSO Group workers sue Facebook for blocking private accounts</a></p></div></div><p>The US ban could represent a severe blow for NSO Group, not only in terms of its ability to sell products to customers in the US but also by restricting its access to US technologies for the development of future ones. </p><p>US companies can no longer have any kind of relationship with NSO since "there is a risk of becoming involved in activities that are dangerous to national security," thus leading to heavy <a href="https://www.itpro.com/tag/government" data-original-url="https://www.itpro.com/tags/government">government</a> penalties.</p><p>The Entity List update also included Candiru, another Israeli company active in developing and selling spyware. NSO Group and Candiru were added to the Entity List based on a determination that they developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, business people, activists, academics, and embassy workers, <a href="https://www.state.gov/the-united-states-adds-foreign-companies-to-entity-list-for-malicious-cyber-activities">according to the State Department</a>.</p><p>In a ruling by the US Commerce Department’s Bureau of Industry and Security (BIS), the government said these tools have “enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent. Such practices threaten the rules-based international order.”</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="TDWPShop8idtg5y5PK4Eu4" name="TDWPShop8idtg5y5PK4Eu4.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/TDWPShop8idtg5y5PK4Eu4.png" mos="https://cdn.mos.cms.futurecdn.net/TDWPShop8idtg5y5PK4Eu4.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Hybrid cloud for video surveillance</strong></p><p class="fancy-box__body-text">What it is and why you'll want one</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/cloud/360218/hybrid-cloud-for-video-surveillance" data-original-url="/cloud/360218/hybrid-cloud-for-video-surveillance">FREE DOWNLOAD</a></p></div></div><p>In addition, Positive Technologies and COSEINC were added to the Entity List based on a determination they “misuse and traffic cyber tools that are used to gain unauthorized access to information systems in ways that are contrary to the national security or foreign policy of the United States, threatening the privacy and security of individuals and organizations worldwide.”</p><p>“The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad,” said commerce secretary Gina Raimondo.</p><p>The announcement comes as part of the Biden-Harris Administration’s efforts to put human rights at the center of US foreign policy, including by working to stem the proliferation of digital tools used for repression.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Malware pretending to be Amnesty International antivirus for Pegasus discovered ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/malware/361088/malware-pretending-to-be-amnesty-international-antivirus-for-pegasus</link>
                                                                            <description>
                            <![CDATA[ Victims fearing Pegasus spyware targeted in a new malware campaign ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">k7yQapYNb8rYvHJyqfwhTq</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/VWH2QhmuexM29FjKLZXRzF-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 01 Oct 2021 14:02:57 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/VWH2QhmuexM29FjKLZXRzF-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Amnesty International website]]></media:description>                                                            <media:text><![CDATA[Amnesty International website]]></media:text>
                                <media:title type="plain"><![CDATA[Amnesty International website]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/VWH2QhmuexM29FjKLZXRzF-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Hackers are pretending to be human rights organization Amnesty International to target users with a fake anti-<a href="https://www.itpro.com/spyware/30001/what-is-spyware" data-original-url="https://www.itpro.com/spyware/30001/what-is-spyware">spyware</a> product in a new malware campaign.</p><p>Victims were duped into downloading malware they thought was protection against NSO Group’s Pegasus spyware, <a href="https://blog.talosintelligence.com/2021/09/fakeantipegasusamnesty.html">according to security researchers at Cisco Talos</a>.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/technology/30818/twitter-a-toxic-place-for-women-says-amnesty-international-uk" data-original-url="/technology/30818/twitter-a-toxic-place-for-women-says-amnesty-international-uk">Twitter a “toxic place for women”, says Amnesty International UK</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/spyware/31616/amnesty-international-blames-hostile-government-after-israeli-made-spyware-targets" data-original-url="/spyware/31616/amnesty-international-blames-hostile-government-after-israeli-made-spyware-targets">Amnesty International blames ‘hostile government’ after Israeli-made spyware targets staff</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/supply-chain-management/25888/amnesty-international-slaps-tech-giants-with-child-labour-accusations" data-original-url="/supply-chain-management/25888/amnesty-international-slaps-tech-giants-with-child-labour-accusations">Amnesty International slaps tech giants with child labour accusations</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/640582/websense-warns-of-amnesty-international-website-hack" data-original-url="/640582/websense-warns-of-amnesty-international-website-hack">Websense warns of Amnesty International website hack</a></p></div></div><p>Amnesty International recently published a <a href="https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/&sa=D&source=editors&ust=1632925718022000&usg=AOvVaw3_c2W9MX_Y16D21xYJOSPb">report</a> on the widespread use of Pegasus to target international journalists and activists. Hackers capitalized on this by setting up a fake website that looked like Amnesty International's and linked to an <a href="https://www.itpro.com/security/antivirus" data-original-url="https://www.itpro.com/antivirus-0">antivirus</a> tool to protect against Pegasus. However, the download installs the little-known Sarwent malware.</p><p>Cisco Talos researchers Vitor Ventura and Arnaud Zobec said that Salwent, a <a href="https://www.itpro.com/tag/remote-access" data-original-url="https://www.itpro.com/remote-access">remote access tool</a> (RAT), opens a backdoor on the victim machine. It can also activate the remote desktop protocol on the victim machine, potentially allowing the adversary to access the desktop directly.</p><p>“We believe this campaign has the potential to infect many users given the recent spotlight on the Pegasus spyware. In addition to Amnesty International's report, Apple recently released a security update for iOS that patched a vulnerability attackers were exploiting to install Pegasus. Many users may be searching for protection against this threat at this time,” the researchers said.</p><p>Researchers were highly confident the hackers behind the campaign are Russian and have been running Sarwent-based attacks on a variety of victims since January 2021. They also said they were uncertain about the actor’s intentions.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="LxVHRZezHxTmqTdbierxdm" name="LxVHRZezHxTmqTdbierxdm.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/LxVHRZezHxTmqTdbierxdm.png" mos="https://cdn.mos.cms.futurecdn.net/LxVHRZezHxTmqTdbierxdm.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Eight steps to fight ransomware</strong></p><p class="fancy-box__body-text">Insights into how you can protect yourself from this ever increasing threat</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/ransomware/361046/eight-steps-to-fight-ransomware" data-original-url="/security/ransomware/361046/eight-steps-to-fight-ransomware">FREE DOWNLOAD</a></p></div></div><p>“The use of Amnesty International's name, an organization whose work often puts it at odds with governments around the world, as well as the Pegasus brand, a malware that has been used to target dissidents and journalists on behalf of governments, certainly raises concerns about who exactly is being targeted and why,” said researchers.</p><p>Investigations failed to find supporting data to make clear whether this is a financially motivated actor using headlines to gain new access, or a state-supported actor going after targets who are rightfully concerned about the threat Pegasus presents to them.</p><p>Researchers concluded that while it may seem like an actor trying to gather some easy-to-monetize information, some aspects, such as the level of customization with the RAT, intentionally misleading information, and the low volume of targets, indicate this may be a more advanced actor without financial motivation.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Apple patches zero-day flaw abused by infamous NSO exploit ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/exploits/360870/apple-patches-nso-forcedentry-zero-day-flaw</link>
                                                                            <description>
                            <![CDATA[ The ForcedEntry flaw affects all Apple devices and allows hackers to compromise systems without any user interaction ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">pXSqH7DdvVTAYZ9DsFLjie</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/SRjrPUMNThDNgeFU7uLfwH-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 14 Sep 2021 09:02:44 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/SRjrPUMNThDNgeFU7uLfwH-1280-80.jpg">
                                                            <media:credit><![CDATA[IT Pro]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A close-up of the Apple iPhone 12 mini&amp;#039;s notch]]></media:description>                                                            <media:text><![CDATA[A close-up of the Apple iPhone 12 mini&amp;#039;s notch]]></media:text>
                                <media:title type="plain"><![CDATA[A close-up of the Apple iPhone 12 mini&amp;#039;s notch]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/SRjrPUMNThDNgeFU7uLfwH-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Apple has issued a fix for a vulnerability in iOS, iPadOS, watchOS and macOS that paved the way for the spyware company NSO Group to develop and market a zero-click exploit to national government clients.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/cloud/amazon-web-services-aws/360298/aws-shuts-down-nso-group-infrastructure" data-original-url="/cloud/amazon-web-services-aws/360298/aws-shuts-down-nso-group-infrastructure">AWS shuts down NSO Group infrastructure</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/spyware/33632/whatsapp-call-hack-installs-spyware-on-users-phones" data-original-url="/spyware/33632/whatsapp-call-hack-installs-spyware-on-users-phones">WhatsApp call hack installs spyware on users’ phones</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">What's behind the explosion in zero-day exploits?</a></p></div></div><p>The <a href="https://www.itpro.com/security/spyware/360682/bahrain-targets-activists-with-nsos-pegasus-spyware" target="_blank" data-original-url="https://www.itpro.com/security/spyware/360682/bahrain-targets-activists-with-nsos-pegasus-spyware">ForcedEntry exploit</a>, which targets the vulnerability tracked as CVE-2021-30860, centres on Apple’s image rendering library and effectively <a href="https://www.itpro.com/operating-systems/ios/358468/researcher-discovers-hidden-ios-14-blastdoor-security-mechanism" target="_blank" data-original-url="https://www.itpro.com/operating-systems/ios/358468/researcher-discovers-hidden-ios-14-blastdoor-security-mechanism">bypasses the in-built Apple security feature known as BlastDoor</a>. </p><p>NSO Group had deployed the zero-click exploit to the Bahraini government, only for the client to target Bahraini activists between February and July 2021, according to <a href="https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits" target="_blank">Citizen Lab</a>, which discovered the vulnerability.</p><p>Hackers had been able to exploit CVE-2021-30860 by sending a malicious iMessage that required no user interaction in order to compromise its victim.</p><p>This exploit is really similar in nature to another flaw the NSO Group had weaponised, known as Kismet, which was also used to target Bahraini activists.</p><p>Apple, however, has <a href="https://support.apple.com/en-ca/HT212807">now issued patches</a> for both this flaw and a WebKit vulnerability tracked as CVE-2021-30858 that’s also been exploited in the wild. This latter is a use after free issue that was addressed with improved memory management.</p><p>“Despite promising their customers the utmost secrecy and confidentiality, NSO Group’s business model contains the seeds of their ongoing unmasking,” a team of Citizen Lab researchers said.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="4BCvbZowg9SJqNeQxYKsxk" name="4BCvbZowg9SJqNeQxYKsxk.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/4BCvbZowg9SJqNeQxYKsxk.jpg" mos="https://cdn.mos.cms.futurecdn.net/4BCvbZowg9SJqNeQxYKsxk.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>2021 IBM Security X-Force Insider Threat Report</strong></p><p class="fancy-box__body-text">Top discovery methods and recommendations for insider attacks</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-security/360176/2021-ibm-security-x-force-insider-threat-report" data-original-url="/security/cyber-security/360176/2021-ibm-security-x-force-insider-threat-report">FREE DOWNLOAD</a></p></div></div><p>“Selling technology to governments that will use the technology recklessly in violation of international human rights law ultimately facilitates discovery of the spyware by investigatory watchdog organizations, as we and others have shown on multiple prior occasions, and as was the case again here.”</p><p>Kismet was actually never acknowledged as a vulnerability in Apple’s systems, with Citizen Lab suggesting the underlying flaw, if it still exists, was rendered obsolete by the BlastDoor mitigation introduced with iOS 14. This tool sandboxes incoming iMessages to protect users from malicious texts.</p><p>It’s likely for this reason that NSO Group developed the ForcedEntry exploit, to circumvent Apple’s additional layer of protection.</p><p>The organisation has gained notoriety for its <a href="https://www.itpro.com/spyware/30001/what-is-spyware" target="_blank" data-original-url="https://www.itpro.com/spyware/30001/what-is-spyware">spyware</a> tools, having previously developed the Pegasus spyware that was eventually used to <a href="https://www.itpro.com/security/spyware/360276/journalists-human-rights-activists-targeted-with-pegasus-spyware" data-original-url="https://www.itpro.com/security/spyware/360276/journalists-human-rights-activists-targeted-with-pegasus-spyware">target journalists and activists through a WhatsApp vulnerability</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Bahrain targets activists with NSO's Pegasus spyware  ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/spyware/360682/bahrain-targets-activists-with-nsos-pegasus-spyware</link>
                                                                            <description>
                            <![CDATA[ The spyware reportedly employed two exploits targeting Apple's iMessage system ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">nHTUiQrh9QkuVumWrdX4ZM</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/odk8ZSinsL42PxYiMaFHy7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 24 Aug 2021 18:55:19 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Danny Bradbury ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/odk8ZSinsL42PxYiMaFHy7-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Computer code on a screen with a skull representing a computer virus / malware attack.]]></media:description>                                                            <media:text><![CDATA[Computer code on a screen with a skull representing a computer virus / malware attack.]]></media:text>
                                <media:title type="plain"><![CDATA[Computer code on a screen with a skull representing a computer virus / malware attack.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/odk8ZSinsL42PxYiMaFHy7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The government of Bahrain has once again used <a href="https://www.itpro.com/spyware/30001/what-is-spyware" data-original-url="https://www.itpro.com/spyware/30001/what-is-spyware">spyware</a> from Israeli surveillance company NSO to target activists' <a href="https://www.itpro.com/mobile/20522/best-android-smartphones" data-original-url="https://www.itpro.com/mobile/20522/best-android-smartphones">smartphones</a>, according to <a href="https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits">a Citizen Lab report</a>,</p><p>The spyware employed two exploits targeting Apple's iMessage system, including a new one first spotted in June. </p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/privacy/355231/facebook-tried-to-buy-spyware-firm-its-now-suing-to-monitor-ios-users" data-original-url="/security/privacy/355231/facebook-tried-to-buy-spyware-firm-its-now-suing-to-monitor-ios-users">Facebook tried to buy NSO Group's Pegasus spyware to monitor iOS users</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/hacking/360265/microsoft-attacks-traced-to-secretive-israeli-spyware-candiru" data-original-url="/security/hacking/360265/microsoft-attacks-traced-to-secretive-israeli-spyware-candiru">Recent Microsoft attacks traced to secretive Israeli spyware firm</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/359049/dangerous-android-spyware-disguising-itself-as-system-update-app" data-original-url="/security/malware/359049/dangerous-android-spyware-disguising-itself-as-system-update-app">Android spyware disguised as 'system update' app discovered</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/356887/new-android-spyware-strain-masquerades-as-covid-19-tracking-app" data-original-url="/security/malware/356887/new-android-spyware-strain-masquerades-as-covid-19-tracking-app">New Android spyware strain masquerades as COVID-19 tracking app</a></p></div></div><p>The report tracked the targeting of nine Bahraini activists using the NSO <a href="https://www.itpro.com/software" data-original-url="https://www.itpro.com/software">software</a>. The investigation ties the infection servers to NSO's <a href="https://www.itpro.com/security/spyware/360276/journalists-human-rights-activists-targeted-with-pegasus-spyware" data-original-url="https://www.itpro.com/security/spyware/360276/journalists-human-rights-activists-targeted-with-pegasus-spyware">Pegasus</a> spyware, and tracked the spyware's use of multiple vulnerabilities in iMessage. </p><p>Citizen Lab researchers noted that a Bahrain government operator codenamed LULU compromised iPhones using Pegasus via a zero-click iMessage exploit known as KISMET between July and September 2020. This simply required the phone to receive a message, enabling the spyware to compromise the operating system and monitor its internet traffic. </p><p>KISMET compromised iOS versions until at least version 13.7, according to the Citizen Lab. At that point, Apple updated iOS with the BlastDoor security feature that defended against zero-click iMessage attacks. NSO's Pegasus spyware then resorted to a single-click attack, requiring victims to follow a link in an iMessage. </p><p>Pegasus returned to zero-click attacks from February 2021 with a more recent exploit Citizen Lab called FORCEDENTRY. </p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="jhaHY3RvAk8nfb9KJaMSFL" name="jhaHY3RvAk8nfb9KJaMSFL.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/jhaHY3RvAk8nfb9KJaMSFL.png" mos="https://cdn.mos.cms.futurecdn.net/jhaHY3RvAk8nfb9KJaMSFL.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Challenging the rules of security</strong></p><p class="fancy-box__body-text">Protecting data and simplifying IT management with Chrome OS</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/360664/challenging-the-rules-of-security" data-original-url="/security/360664/challenging-the-rules-of-security">FREE DOWNLOAD</a></p></div></div><p>FORCEDENTRY appears to be the same as Megalodon, an attack Amnesty International <a href="https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus">identified in June</a>. It is a zero-click attack that could compromise phones without any user interaction. Amnesty confirmed it had compromised iPhones running iOS 14.6 in June, and Apple told the organization it was investigating the issue. At the time of writing, the latest version of iOS is 14.7. </p><p>Freedom House, a non-profit that promotes democracy worldwide, <a href="https://freedomhouse.org/country/bahrain/freedom-net/2020">classified</a> Bahrain as “Not Free,” and gives it a freedom score of 29% due to heavy restrictions on internet use and strong censorship practices. The country arrests internet users for discussing forbidden topics online and engages in online surveillance practices, including spyware. </p><p>Citizen Lab first documented Bahrain Pegasus use in 2018 via a government operator that it called PEARL. It posited that LULU may be the same state surveillance team. </p><p>NSO continues to face challenges as it sells spyware to countries with oppressive histories, including Bahrain. <a href="https://www.itpro.com/cloud/amazon-web-services-aws/360298/aws-shuts-down-nso-group-infrastructure" data-original-url="https://www.itpro.com/cloud/amazon-web-services-aws/360298/aws-shuts-down-nso-group-infrastructure">Amazon Web Services shut down NSO infrastructure</a> running on its servers last month, and United Nations human rights experts renewed calls for an international moratorium on the sale of spyware. </p><p>The Citizen Lab cited tools from other companies the Bahrain government used for online surveillance, including Cellebrite, FinFisher, Netsweeper, Trovicor, and Verint. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ AWS shuts down NSO Group infrastructure ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/amazon-web-services-aws/360298/aws-shuts-down-nso-group-infrastructure</link>
                                                                            <description>
                            <![CDATA[ The Israeli company’s Pegasus spyware was used to target at least 50,000 mobile phones ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">5mSzr2b7qw5Fd4wLdyqYfC</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/d4evU75j3CBZf2cfhQHdn8-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 20 Jul 2021 14:26:56 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Privacy]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sabina Weston ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/d4evU75j3CBZf2cfhQHdn8-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A yellow and white AWS sign hanging in front of a building]]></media:description>                                                            <media:text><![CDATA[A yellow and white AWS sign hanging in front of a building]]></media:text>
                                <media:title type="plain"><![CDATA[A yellow and white AWS sign hanging in front of a building]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/d4evU75j3CBZf2cfhQHdn8-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Amazon Web Services (AWS) has shut down infrastructure and accounts linked to Israeli firm NSO Group.</p><p>The news comes after <a href="https://www.itpro.com/security/spyware/360276/journalists-human-rights-activists-targeted-with-pegasus-spyware" data-original-url="https://www.itpro.com/security/spyware/360276/journalists-human-rights-activists-targeted-with-pegasus-spyware">an investigation</a> found that the company’s Pegasus <a href="https://www.itpro.com/spyware/30001/what-is-spyware" data-original-url="https://www.itpro.com/spyware/30001/what-is-spyware">spyware</a> was used to target at least 50,000 journalists, government and union officials, human rights activists, business executives, religious figures, academics, NGO employees, and lawyers.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/privacy/355231/facebook-tried-to-buy-spyware-firm-its-now-suing-to-monitor-ios-users" data-original-url="/security/privacy/355231/facebook-tried-to-buy-spyware-firm-its-now-suing-to-monitor-ios-users">Facebook tried to buy NSO Group's Pegasus spyware to monitor iOS users</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/spyware/31616/amnesty-international-blames-hostile-government-after-israeli-made-spyware-targets" data-original-url="/spyware/31616/amnesty-international-blames-hostile-government-after-israeli-made-spyware-targets">Amnesty International blames ‘hostile government’ after Israeli-made spyware targets staff</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/cloud/cloud-computing/360135/pentagon-cancels-10bln-jedi-project" data-original-url="/cloud/cloud-computing/360135/pentagon-cancels-10bln-jedi-project">Pentagon scraps Microsoft's $10bn JEDI contract after AWS dispute</a></p></div></div><p>Pegasus was used to extract messages, photos, and emails, as well as to record calls and activate microphones on iOS and Android devices.</p><p>NSO Group denied the accusations, stating that its tools are used “for the sole purpose of saving lives through preventing crime and terror acts”.</p><p>“Our technologies are being used every day to break up pedophilia rings, sex and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones,” the company announced.</p><p>However, AWS has branded NSO Group’s actions as “hacking activity”.</p><p>A spokesperson for the cloud computing provider told I<em>T Pro</em> that it had shut down NSO Group’s infrastructure as it “was confirmed to be supporting the reported hacking activity”.</p><p>This was “in accordance with [AWS’] terms of use”, they added.</p><p>Amnesty International, a partner of the Pegasus Project, a collective of 17 media organisations investigating the spyware, found evidence to suggest that NSO Group had only been an AWS customer for a few months.</p><p>One Pegasus-infected phone that was dissected by the organisation sent data "to a service fronted by Amazon CloudFront, suggesting NSO Group has switched to using AWS services in recent months”.</p><p><a href="https://www.itpro.com/cloud/cloud-computing/359498/aws-makes-cloudfront-functions-generally-available" data-original-url="https://www.itpro.com/cloud/cloud-computing/359498/aws-makes-cloudfront-functions-generally-available">Amazon CloudFront</a> is a content delivery network (CDN) that provides customers with the ability to deliver content, including data, videos, and <a href="https://www.itpro.com/application-programming-interface-api/33557/the-api-economy-what-your-business-needs-to-know" data-original-url="https://www.itpro.com/application-programming-interface-api/33557/the-api-economy-what-your-business-needs-to-know">APIs</a>, securely with low latency and at a high speed.</p><p>“Amnesty International suspects the shutting down of the V4 infrastructure coincided with NSO Group’s shift to using cloud services such as Amazon CloudFront to deliver the earlier stages of their attacks,” <a href="https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus">said</a> the human rights NGO, adding that “the use of cloud services protects NSO Group from some Internet scanning techniques”.</p><p>AWS didn’t elaborate on whether the decision to ban NSO Group from its services could be reconsidered in the future.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Pegasus: Report finds spyware used to target journalists, activists ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/spyware/360276/journalists-human-rights-activists-targeted-with-pegasus-spyware</link>
                                                                            <description>
                            <![CDATA[ NSO Group sold the surveillance tool to authoritarian governments, investigation finds ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">bAQGAnjayHQEmrsbGFJEiY</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/QunLauaetsmuM23MuxM4x7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 19 Jul 2021 10:08:56 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Privacy]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sabina Weston ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/QunLauaetsmuM23MuxM4x7-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Graphic of a CCTV camera observing anonymous people in a crowd]]></media:description>                                                            <media:text><![CDATA[Graphic of a CCTV camera observing anonymous people in a crowd]]></media:text>
                                <media:title type="plain"><![CDATA[Graphic of a CCTV camera observing anonymous people in a crowd]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/QunLauaetsmuM23MuxM4x7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/spyware/30001/what-is-spyware" data-original-url="https://www.itpro.com/spyware/30001/what-is-spyware">Spyware</a> manufactured by Israeli firm NSO Group was sold to authoritarian governments to target at least 50,000 journalists, government and union officials, human rights activists, business executives, religious figures, academics, NGO employees, and lawyers, an investigation has found. </p><p>This investigation was conducted by 17 media organisations, including <a href="https://www.washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/?itid=lk_inline_manual_14"><em>the Washington Post</em></a> and <a href="https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus"><em>the Guardian</em></a>, which published a list of more than 50,000 affected phone numbers over the weekend.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/hacking/360265/microsoft-attacks-traced-to-secretive-israeli-spyware-candiru" data-original-url="/security/hacking/360265/microsoft-attacks-traced-to-secretive-israeli-spyware-candiru">Recent Microsoft attacks traced to secretive Israeli spyware firm</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/privacy/360116/audacity-privacy-update-sparks-outrage" data-original-url="/security/privacy/360116/audacity-privacy-update-sparks-outrage">Audacity privacy update sparks 'spyware' criticism</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/359049/dangerous-android-spyware-disguising-itself-as-system-update-app" data-original-url="/security/malware/359049/dangerous-android-spyware-disguising-itself-as-system-update-app">Android spyware disguised as 'system update' app discovered</a></p></div></div><p>The media outlets, known collectively as the Pegasus Project, found that the NSO Group had been selling its Pegasus spyware to the governments of Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates.</p><p>Pegasus was used to extract messages, photos, and emails, as well as to record calls and activate microphones on iOS and Android devices. These included mobile phones belonging to close associates of the murdered journalists Jamal Khashoggi, from the <em>Washington Post</em>, and Cecilio Pineda Birto, a Mexican freelance reporter. Mexico was found to be the NSO Group’s largest client, with over 15,000 affected phone numbers being linked to the country.</p><p>The NSO Group denied the allegations, adding that they were considering legal action against the media publications.</p><p>“We would like to emphasise that NSO sells it[s] technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts. NSO does not operate the system and has no visibility to the data,” the company <a href="https://www.nsogroup.com/Newses/following-the-publication-of-the-recent-article-by-forbidden-stories-we-wanted-to-directly-address-the-false-accusations-and-misleading-allegations-presented-there">stated</a> on its website. </p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="TDWPShop8idtg5y5PK4Eu4" name="TDWPShop8idtg5y5PK4Eu4.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/TDWPShop8idtg5y5PK4Eu4.png" mos="https://cdn.mos.cms.futurecdn.net/TDWPShop8idtg5y5PK4Eu4.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Hybrid cloud for video surveillance</strong></p><p class="fancy-box__body-text">What it is and why you'll want one</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/cloud/360218/hybrid-cloud-for-video-surveillance" data-original-url="/cloud/360218/hybrid-cloud-for-video-surveillance">FREE DOWNLOAD</a></p></div></div><p>“Our technologies are being used every day to break up pedophilia rings, sex and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones. Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds,” it added.</p><p>Pegasus Project partner, Amnesty International’s secretary general Agnès Callamard, described the Pegasus spyware as “a weapon of choice for repressive governments seeking to silence journalists, attack activists and crush dissent, placing countless lives in peril”.</p><p>“These revelations blow apart any claims by NSO that such attacks are rare and down to rogue use of their technology. While the company claims its spyware is only used for legitimate criminal and terror investigations, it’s clear its technology facilitates systemic abuse. They paint a picture of legitimacy, while profiting from widespread human rights violations,” she added.</p><p>Callamard also called for “an immediate moratorium on the export, sale, transfer and use of surveillance technology” until sufficient regulations are set in place.</p><p>Last year, it was revealed that Facebook had <a href="https://www.itpro.com/security/privacy/355231/facebook-tried-to-buy-spyware-firm-its-now-suing-to-monitor-ios-users" data-original-url="https://www.itpro.com/security/privacy/355231/facebook-tried-to-buy-spyware-firm-its-now-suing-to-monitor-ios-users">attempted to purchase NSO Group's Pegasus spyware</a> to monitor iOS users.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Recent Microsoft attacks traced to secretive Israeli spyware firm ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/hacking/360265/microsoft-attacks-traced-to-secretive-israeli-spyware-candiru</link>
                                                                            <description>
                            <![CDATA[ Candiru, which trades exclusively with governments, distributed zero-day exploits for vulnerabilities patched this week ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">9DJt2oYb97jNCRdPcDqmLm</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/D5SqEJvUh8pV83LKehBQSU-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 16 Jul 2021 11:40:03 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/D5SqEJvUh8pV83LKehBQSU-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Darkened image of a hacker wearing a hoodie using computing equipment]]></media:description>                                                            <media:text><![CDATA[Darkened image of a hacker wearing a hoodie using computing equipment]]></media:text>
                                <media:title type="plain"><![CDATA[Darkened image of a hacker wearing a hoodie using computing equipment]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/D5SqEJvUh8pV83LKehBQSU-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft and CitizenLab have revealed that attacks launched against two recently-patched Windows zero-days were supported by a secretive Israeli-based company that specialises in selling <a href="https://www.itpro.com/spyware/30001/what-is-spyware" target="_blank" data-original-url="https://www.itpro.com/spyware/30001/what-is-spyware">spyware</a> and exploits.</p><p>Microsoft believes the vendor named Candiru, <a href="https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware" target="_blank">codenamed Sourgum</a>, developed spyware dubbed DevilsTongue that unknown clients used to exploit a pair of vulnerabilities the company fixed as part of its latest wave of Patch Tuesday updates.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/privacy/355231/facebook-tried-to-buy-spyware-firm-its-now-suing-to-monitor-ios-users" data-original-url="/security/privacy/355231/facebook-tried-to-buy-spyware-firm-its-now-suing-to-monitor-ios-users">Facebook tried to buy NSO Group's Pegasus spyware to monitor iOS users</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/34715/us-allies-targeted-by-whatsapp-video-hack" data-original-url="/security/34715/us-allies-targeted-by-whatsapp-video-hack">US allies targeted by WhatsApp video hack</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/vulnerability/360219/microsoft-patch-tuesday-printnightmare-fix" data-original-url="/security/vulnerability/360219/microsoft-patch-tuesday-printnightmare-fix">Microsoft makes second attempt to fix PrintNightmare flaw</a></p></div></div><p>These are CVE-2021-31979 and CVE-2021-33771, both privilege escalation vulnerabilities that allow attackers to escape browser sandboxes and gain kernel code execution privileges. They were <a href="https://www.itpro.com/security/vulnerability/360219/microsoft-patch-tuesday-printnightmare-fix" target="_blank" data-original-url="https://www.itpro.com/security/vulnerability/360219/microsoft-patch-tuesday-printnightmare-fix">patched on 13 July</a> alongside another exploited zero-day and the <a href="https://www.itpro.com/security/exploits/360091/hackers-are-abusing-the-leaked-printnightmare-windows-exploit" target="_blank" data-original-url="https://www.itpro.com/security/exploits/360091/hackers-are-abusing-the-leaked-printnightmare-windows-exploit">PrintNightmare</a> vulnerability.</p><p>As part of its investigation, Microsoft identified at least 100 victims based across the Middle East and in the UK and Singapore, including human rights activists, journalists, political dissidents, and politicians.</p><p>“Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices,” said Microsoft’s Threat Intelligence Centre (MSTIC). “MSTIC believes Sourgum is an Israel-based private-sector offensive actor.</p><p>“Citizen Lab asserts with high confidence that Sourgum is an Israeli company commonly known as Candiru. Third-party reports indicate Candiru produces “hacking tools [that] are used to break into computers and servers”.</p><p><a href="https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus">Citizen Lab’s report</a> reveals that Candiru is a mercenary spyware firm that markets ‘untraceable’ spyware exclusively to government customers, with products including systems that spy on devices and cloud accounts. Its previous customers include Saudi Arabia and the United Arab Emirates.</p><p>Candiru appears to license its spyware by the ‘number of concurrent infections’ which would reflect the high number of targets that can be under active surveillance at any one time. The fine print on a product proposal Citizen Lab analysed also suggested there’s a list of restricted countries clients cannot attack, which are the US, Russia, China, Israel, and Iran.</p><p>The company is similar in nature to NSO Group, another infamous Israeli company that developed the Pegasus spyware that <a href="https://www.itpro.com/security/34715/us-allies-targeted-by-whatsapp-video-hack" target="_blank" data-original-url="https://www.itpro.com/security/34715/us-allies-targeted-by-whatsapp-video-hack">its clients used to target high-profile WhatsApp accounts in 2019</a>.</p><p>Microsoft identified DevilsTonge, the tool used to exploit the two Microsoft zero-days, as a complex, modular, multi-threaded malware written in C and C++ with novel capabilities.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="TgYwXSHV6efgCB2UrGXGXc" name="TgYwXSHV6efgCB2UrGXGXc.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/TgYwXSHV6efgCB2UrGXGXc.png" mos="https://cdn.mos.cms.futurecdn.net/TgYwXSHV6efgCB2UrGXGXc.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Prevent fraud and phishing attacks with DMARC</strong></p><p class="fancy-box__body-text">How to use domain-based message authentication, reporting, and conformance for email security</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-security/359475/prevent-fraud-and-phishing-attacks-with-dmarc" data-original-url="/security/cyber-security/359475/prevent-fraud-and-phishing-attacks-with-dmarc">FREE DOWNLOAD</a></p></div></div><p>Its main function resides in Dynamic Link Library files that are encrypted on disk, and only decrypted in memory, for example, meaning it’s difficult to detect. Configuration and tasking data is separate from the malware, meaning analysis is hard, while the malware has both user mode and kernel mode capabilities. The malware is also embedded with further evasion mechanisms, although Microsoft is yet to fully analyse the nature of these.</p><p>Citizen Lab also identified at least 764 domain names likely in use by Candiru and its clientele to lure victims, with many of these disguised as progressive and charitable organisations like Black Lives Matter and Amnesty International. Other domains were masquerading as media companies and civil-society themed entities.</p><p>“Candiru’s apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,” said <a href="https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus" target="_blank">Citizen Lab researchers Bill Marczak, Kristin Berdan, Bahr Abdul Razzak, and Ron Deibert</a>.</p><p>“This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services. Many governments that are eager to acquire sophisticated surveillance technologies lack robust safeguards over their domestic and foreign security agencies. Many are characterised by poor human rights track records.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Android spyware disguised as 'system update' app discovered ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/malware/359049/dangerous-android-spyware-disguising-itself-as-system-update-app</link>
                                                                            <description>
                            <![CDATA[ This malware strain steals private messaging and location data while also recording phone calls ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">cp8zU5BwMwTRBYLDSZeiao</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Yh6B2ubLBcq6BnAyHzMsxU-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 29 Mar 2021 10:17:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Yh6B2ubLBcq6BnAyHzMsxU-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The update notification on an Android device]]></media:description>                                                            <media:text><![CDATA[The update notification on an Android device]]></media:text>
                                <media:title type="plain"><![CDATA[The update notification on an Android device]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Yh6B2ubLBcq6BnAyHzMsxU-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A sophisticated strain of <a href="https://www.itpro.com/security/malware/358286/android-malware-vendor-teams-with-marketer-to-promote-new-malware" target="_blank" data-original-url="https://www.itpro.com/security/malware/358286/android-malware-vendor-teams-with-marketer-to-promote-new-malware">malware</a> capable of stealing user data from infected Android devices is masquerading as the System Update application.</p><p>The malicious mobile app, which functions as a <a href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" data-original-url="https://www.itpro.com/security/30081/what-is-a-trojan-virus">Remote Access Trojan (RAT)</a>, is part of a sophisticated spyware campaign that has the ability to record audio from devices, take photos, and access WhatsApp messages, according to <a href="https://blog.zimperium.com/new-advanced-android-malware-posing-as-system-update" target="_blank">Zimperium researchers</a>.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/trojans/355479/four-steps-to-exterminating-rats-controlling-your-computer" data-original-url="/security/trojans/355479/four-steps-to-exterminating-rats-controlling-your-computer">Four steps to exterminating RATs controlling your computer</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/357379/microsoft-warns-of-continuously-evolving-android-ransomware" data-original-url="/security/357379/microsoft-warns-of-continuously-evolving-android-ransomware">Microsoft warns of ‘continuously evolving’ Android ransomware</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/mobile/google-android/356986/joker-malware-is-thriving-on-google-play-researchers-say" data-original-url="/mobile/google-android/356986/joker-malware-is-thriving-on-google-play-researchers-say">Joker fleeceware "thriving" on Google Play Store, researchers claim</a></p></div></div><p>Once installed, it registers with its own Firebase command and control (C&C) server, normally used by legitimate <a href="https://www.itpro.com/android/28189/how-to-build-android-apps" target="_blank" data-original-url="https://www.itpro.com/android/28189/how-to-build-android-apps">Android developers</a>, as well as a second independent C&C server, to send across an initial cache of information. This includes information about whether WhatsApp is installed or not, battery percentage, storage stats, and other information. It can only be installed from a third party store and not the Google Play store.</p><p>The malware then receives commands to initiate various actions such as the recording of audio from the microphone or <a href="https://www.itpro.com/security/malware/356490/how-malware-and-bots-steal-your-data" target="_blank" data-original-url="https://www.itpro.com/security/malware/356490/how-malware-and-bots-steal-your-data">data exfiltration</a>. Researchers have also discovered the malware is capable of inspecting web browsing data, stealing images and videos, monitoring GPS locations, stealing phone contacts and call logs, and exfiltrating device information.</p><p>The device also asks permission to enable accessibility services, and abuses this to collect conversations and message details from WhatsApp by scraping the content on the screen after detecting whether the user is accessing the messaging service.</p><p>It hides by concealing the icon from the device’s main menu or app drawer, while also posing as the legitimate System Update app to avoid suspicion. When the device’s screen is turned off, the spyware creates a ‘searching for updates’ notification using the Firebase messaging service which allows it to generate push notifications.</p><p>The spyware’s functionality is triggered under various conditions, including when a new contact is added, a new text message is received or a new application installed. It does so by exploiting Android’s receivers including ‘contentObserver’ and ‘Broadcast’, which allows communication between the device and the server.</p><p>The Firebase messaging service is only used to initiate malicious functions, such as audio recording or data exfiltration, by sending commands to infected devices. The data itself is then collected by the second dedicated C&C server.</p><p>The spyware also only collects up-to-date information, with a refresh rate of roughly five minutes for location and networking data. The same applies to photos taken using the device’s camera, but the value is instead set to 40 minutes.</p><p>Researchers have so far been unable to determine who is behind the campaign, or whether the hackers are trying to target specific users. Given this spyware can only be downloaded outside of the Google Play store, users are strongly advised not to download applications to their phones from unsafe third-party sources.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Android and iOS users blackmailed by 'Goontact' spyware ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/spyware/358142/android-and-ios-users-blackmailed-by-sextortion-spyware</link>
                                                                            <description>
                            <![CDATA[ The malware targets users of illicit sites and steals personal information stored on their mobile devices ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">uQb6g8pYCQC6WtHzuSo1hg</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/odk8ZSinsL42PxYiMaFHy7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 16 Dec 2020 09:44:20 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/odk8ZSinsL42PxYiMaFHy7-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Computer code on a screen with a skull representing a computer virus / malware attack.]]></media:description>                                                            <media:text><![CDATA[Computer code on a screen with a skull representing a computer virus / malware attack.]]></media:text>
                                <media:title type="plain"><![CDATA[Computer code on a screen with a skull representing a computer virus / malware attack.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/odk8ZSinsL42PxYiMaFHy7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Security researchers have discovered a new variant of <a href="https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwiIybWjm9LtAhU3QEEAHbTaD60QFjAAegQIBBAC&url=https%3A%2F%2Fwww.itpro.com%2Fspyware%2F30001%2Fwhat-is-spyware&usg=AOvVaw00zkclz3BLIpMhWaV3c3D5">spyware</a> that's targeting iOS and Android users as part of an international sextortion scam.</p><p>According to a <a href="https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail">blog post</a> by researchers at cyber security firm Lookout, the spyware, called Goontact, has been found in multiple Asian countries and targets users of illicit sites and steals personal information stored on their <a href="https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjD27Krm9LtAhXVQkEAHZkTDWsQFjAAegQIBRAC&url=https%3A%2F%2Fwww.itpro.com%2Fmobile&usg=AOvVaw14VNP_2jencgSzhtLXgEPF">mobile</a> devices.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/355664/hundreds-of-thousands-of-android-users-hit-by-google-play-spyware" data-original-url="/security/spyware/355664/hundreds-of-thousands-of-android-users-hit-by-google-play-spyware">Hundreds of thousands of Android users hit by Google Play spyware</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/spyware/30001/what-is-spyware" data-original-url="/spyware/30001/what-is-spyware">What is spyware?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/business/business-operations/357988/google-accused-of-spying-on-workers" data-original-url="/business/business-operations/357988/google-accused-of-spying-on-workers">Google accused of illegally spying on employees</a></p></div></div><p>Researchers said the types of sites used to distribute these malicious apps and the information exfiltrated suggests that the ultimate goal is extortion or blackmail.</p><p>The spyware often disguises itself as secure messaging applications and can exfiltrate a wide range of data, such as device identifiers and phone number, contacts, <a href="https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwju57Szm9LtAhUHCsAKHdM0CJ8QFjAAegQIBxAC&url=https%3A%2F%2Fwww.itpro.com%2F95530%2Fphishing-moves-to-sms&usg=AOvVaw0lV7HRiMwl_WYNQ0haPD67">SMS</a> messages, photos on external storage, and location information.</p><p>While it is not presently known who is behind Goontact, it is the newest addition to a crime affiliate’s arsenal, rather than nation-state actors, said researchers.</p><p>This fraud begins when potential targets are lured into initiating a conversation on websites offering escort services. Account IDs for secure messaging apps such as KakaoTalk or Telegram are advertised on these sites as the best forms of communication and the individual initiates a conversation.</p><p>“In reality, the targets are communicating with Goontact operators. Targets are convinced to install (or sideload) a mobile application on some pretext, such as audio or video problems. The mobile applications in question appears to have no real user functionality, except to steal the victim’s address book, which is then used by the attacker ultimately to extort the target for monetary gain,” said researchers.</p><p>Based on investigations carried out by researchers, the campaign has been active since at least 2013. However, the Goontact <a href="https://www.itpro.com/malware/28076/what-is-malware" target="_blank" data-original-url="https://www.itpro.com/malware/28076/what-is-malware">malware</a> family is novel and is still actively being developed.</p><p>“The earliest sample of Goontact observed by Lookout was in November 2018, with matching APK packaging and signing dates, leading us to believe malware development likely started in this time frame,” researchers said.</p><p>While the Goontact surveillance apps described in this campaign are not available on Google Play or the Apple App Store, the duration, tactics, and breadth exhibited highlight the lengths to which malicious actors will go to deceive victims and bypass built-in protections.</p><p>“It’s no secret that mobile devices are a treasure trove for cyber criminals,” said Phil Hochmuth, programme vice president of Enterprise Mobility at IDC.</p><p>“As the use of mobile devices continues to increase, so does the maturity of iOS and Android cybercrime. Now more than ever, consumers must be proactive in avoiding compromise with iOS and Android threat actors whose main objective is to fleece them financially.” </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ EU puts human rights at the heart of tougher tech export rules ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/technology/357726/eu-puts-human-rights-at-the-heart-of-tougher-tech-export-rules</link>
                                                                            <description>
                            <![CDATA[ Lawmakers tighten up export controls, meaning technologies such as facial recognition and spyware face a higher bar when being sold ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">CiuABocQ8g975iB9KwLcP</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/M84pE9DztSUda5zGTiVHXa-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 11 Nov 2020 11:37:45 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/M84pE9DztSUda5zGTiVHXa-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Several EU flags being flown outside a glass building and against a backdrop of blue sky]]></media:description>                                                            <media:text><![CDATA[Several EU flags being flown outside a glass building and against a backdrop of blue sky]]></media:text>
                                <media:title type="plain"><![CDATA[Several EU flags being flown outside a glass building and against a backdrop of blue sky]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/M84pE9DztSUda5zGTiVHXa-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>European-based technology vendors must apply for government licenses to export certain ‘dual-use’ products, and consider whether the use of their products in any deal poses a risk to human rights.</p><p>New rules established by EU lawmakers and the European Council beef up the export criteria of so-called ‘dual-use’ technologies, meaning vendors will have to clear a much higher bar when striking licensing deals. </p><p>These technologies include high-performance computing (HPC), drones, and software such as <a href="https://www.itpro.com/security/privacy/354627/how-can-facial-recognition-be-made-safer" target="_blank" data-original-url="https://www.itpro.com/security/privacy/354627/how-can-facial-recognition-be-made-safer">facial recognition</a> and <a href="https://www.itpro.com/spyware/30001/what-is-spyware" target="_blank" data-original-url="https://www.itpro.com/spyware/30001/what-is-spyware">spyware</a>, spanning systems with civilian applications that can be repurposed for nefarious reasons. They also include certain chemicals.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/privacy/354172/facebook-and-google-data-harvesting-violates-human-rights" data-original-url="/security/privacy/354172/facebook-and-google-data-harvesting-violates-human-rights">Facebook and Google data harvesting ‘violates human rights’</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/biometrics/34233/manchester-city-urged-to-drop-facial-recognition-idea" data-original-url="/biometrics/34233/manchester-city-urged-to-drop-facial-recognition-idea">Manchester City urged to drop facial recognition idea</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/privacy/354627/how-can-facial-recognition-be-made-safer" data-original-url="/security/privacy/354627/how-can-facial-recognition-be-made-safer">How can facial recognition be made safer?</a></p></div></div><p>The beefier update to existing controls includes new criteria to grant or reject export licenses for certain terms, including whether or not the technologies will be used in potential human rights abuses. </p><p>The regulation includes guidance for EU nations to “consider the risk of use in connection with internal repression or the commission of serious violations of international human rights and international humanitarian law”. Member states must also be more transparent by publicly disclosing details about the export licenses they grant.</p><p>The rules can be swiftly changed to cover emerging technologies, and an EU-wide agreement has also been reached on controlling cyber surveillance products not listed as ‘dual-use’, in order to better safeguard human rights. </p><p>“Parliament’s perseverance and assertiveness against a blockade by some member states has paid off: respect for human rights will become an export standard,” said German MEP Bernd Lange. “The revised regulation updates European export controls and adapts to technological progress, new security risks and information on human rights violations. </p><p>“This new regulation, in addition to the one on conflict minerals and a future supply chain law, shows that we can shape globalisation according to a clear set of values and binding rules to protect human and labour rights and the environment. This must be the blueprint for future rule-based trade policy.”</p><p>Technologies such as <a href="https://www.itpro.com/security/privacy/356882/the-pros-and-cons-of-facial-recognition-technology" target="_blank" data-original-url="https://www.itpro.com/security/privacy/356882/the-pros-and-cons-of-facial-recognition-technology">facial recognition</a> have attracted major opposition due to the way they’re being used by law enforcement agencies. In light of the Black Lives Matter movement, for instance, a swathe of technology vendors announced they’d be <a href="https://www.itpro.com/security/biometrics/356023/amazon-halts-police-use-of-its-facial-recognition-tech" target="_blank" data-original-url="https://www.itpro.com/security/biometrics/356023/amazon-halts-police-use-of-its-facial-recognition-tech">curbing their own facial recognition projects</a> due to the public backlash.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Google bans ‘stalkerware’ from Play store ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/spyware/357137/google-bans-spouseware-from-play-store</link>
                                                                            <description>
                            <![CDATA[ The ban excludes enterprise management tools and those used by parents to track the whereabouts of their children ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">gxpUgbhK3DBuNzQQd8UADV</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/BnqwXXZ9gXVjMNpeXJyAJR-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 17 Sep 2020 10:22:42 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sabina Weston ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/BnqwXXZ9gXVjMNpeXJyAJR-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/BnqwXXZ9gXVjMNpeXJyAJR-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Google has issued a ban on any software that allows an individual to track the whereabouts of other users without their consent, apps often referred to as '<a href="https://www.itpro.com/security/privacy/356759/how-tech-traps-domestic-abuse-victims" data-original-url="https://www.itpro.com/security/privacy/356759/how-tech-traps-domestic-abuse-victims">stalkerware</a>'.</p><p>As a part of new changes to its Developer Program Policy, Google said that <a href="https://www.itpro.com/android/28189/how-to-build-android-apps" data-original-url="https://www.itpro.com/android/28189/how-to-build-android-apps">Android apps</a> intending to monitor other users’ behaviour will be obliged to present the tracked user with a persistent notification and unique icon that clearly identifies the app.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/mobile/google-android/356986/joker-malware-is-thriving-on-google-play-researchers-say" data-original-url="/mobile/google-android/356986/joker-malware-is-thriving-on-google-play-researchers-say">Joker fleeceware "thriving" on Google Play Store, researchers claim</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/mobile/google-android/357074/google-launches-android-11-go" data-original-url="/mobile/google-android/357074/google-launches-android-11-go">Android 11's budget version 'Go' is now available</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/mobile/google-android/357054/android-11-comes-with-tighter-privacy-controls-for-apps" data-original-url="/mobile/google-android/357054/android-11-comes-with-tighter-privacy-controls-for-apps">Android 11 introduces tighter privacy controls for apps</a></p></div></div><p>They will also be banned from advertising themselves as a "spying or secret surveillance solution” and will be unable to “hide or cloak tracking behavior or attempt to mislead users about such functionality”.</p><p>However, the ban, which comes into effect on 1 October, does not apply to apps used by parents to track the whereabouts of their children. Any software that allows companies to track employee devices, such as enterprise management apps, will also be excluded from the ban.</p><p>According to David Emms, principal security researcher at Kaspersky, apps which help monitor adults without their permission or knowledge “masquerade as parental control software and call themselves legal that way”.</p><p>“The whole category is tricky because we can’t label it as malware and report it as we would a backdoor trojan or similar, because in some jurisdictions it’s legal so it straddles a grey area,” <a href="https://www.itpro.com/security/privacy/356759/how-tech-traps-domestic-abuse-victims" data-original-url="https://www.itpro.com/security/privacy/356759/how-tech-traps-domestic-abuse-victims">Emms told <em>IT Pro</em> last month</a>.</p><p>According to Kaspersky research, the period between January and August 2019 saw over 518,223 cases globally where the company’s protection technologies either registered presence of stalkerware on user devices or detected an attempt to install it – a 373% increase in the same period in 2018.</p><p>Apart from the formal ban of stalkerware apps, Google also announced that it would be making changes to its policy in order to tackle the issues of misrepresentation and gambling.</p><p>Effective from 21 October, developer accounts will not be allowed to mislead users by impersonating any person or organisation, as well as misrepresenting or concealing their ownership or primary purpose of the app.</p><p>Google will also restrict online gambling to the UK, Ireland, France, and Brazil.</p><p><em>For confidential advice, call the National Abuse Helpline on 0808 200 0247</em> <em>or visit <a href="https://www.nationaldahelpline.org.uk">nationaldahelpline.org.uk</a></em></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ New Android spyware strain masquerades as COVID-19 tracking app ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/malware/356887/new-android-spyware-strain-masquerades-as-covid-19-tracking-app</link>
                                                                            <description>
                            <![CDATA[ Hacking group also using pornographic clips to expand footprint on mobile devices, warns Kaspersky ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">aQYvoGntgz3kV9nCjGtPnV</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/WvTJA9V2363eJ9haGffeLV-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 26 Aug 2020 12:27:12 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Bobby Hellard ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/bsR2tHSyVKUoyXZF5pNsDA.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/WvTJA9V2363eJ9haGffeLV-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Malware on a phone]]></media:description>                                                            <media:text><![CDATA[Malware on a phone]]></media:text>
                                <media:title type="plain"><![CDATA[Malware on a phone]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/WvTJA9V2363eJ9haGffeLV-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A new form of Android spyware has been discovered that uses explicit content and the <a href="https://www.itpro.com/security/phishing/356379/microsoft-secretly-taking-control-of-covid-19-phishing-domains" target="_blank" data-original-url="https://www.itpro.com/security/phishing/356379/microsoft-secretly-taking-control-of-covid-19-phishing-domains">COVID-19 pandemic</a> to instal remote access malware on mobile devices.</p><p>The malicious application is being distributed by a prolific hacking group based in India, dubbed "Transparent Tribe", according to Kaspersky researchers.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/malware/32769/lojax-rootkit-used-by-russian-linked-fancy-bear-has-been-silently-active-since-2016" data-original-url="/malware/32769/lojax-rootkit-used-by-russian-linked-fancy-bear-has-been-silently-active-since-2016">LoJax rootkit used by Russian-linked Fancy Bear has been silently active since 2016</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/malware/22627/android-rat-malware-invades-mobile-banking-apps" data-original-url="/malware/22627/android-rat-malware-invades-mobile-banking-apps">Android RAT malware invades mobile banking apps</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/627280/eugene-kaspersky-the-man-the-myth-the-maverick" data-original-url="/627280/eugene-kaspersky-the-man-the-myth-the-maverick">Eugene Kaspersky: The man, the myth, the maverick</a></p></div></div><p>The cyber security vendor has been tracking the group for over four years and recent research suggested it had been working to improve its toolset and expand its operation – which now includes mobile threats.</p><p>Previous investigations into Transparent Tribe uncovered an Android implant it had distributed in India as either a pornographic clip or as part of a fake national <a href="https://www.itpro.com/security/privacy/355182/government-to-launch-coronavirus-contact-tracking-app" target="_blank" data-original-url="https://www.itpro.com/security/privacy/355182/government-to-launch-coronavirus-contact-tracking-app">COVID-19 tracking app</a>.</p><p>The first application is a modified version of a simple open-source video player you can find on Android, according to Kaspersky. As it's installed, it uses an adult video to distract the user. The second application, known as "Aarogya Setu", is similar to the coronavirus tracking app developed by the government of India's National Informatics Centre – a department under the country's Ministry of Electronics and Information Technology.</p><p>Once downloaded, both applications will attempt to install a modified version of an Android-based <a href="https://www.itpro.com/security/trojans/354242/national-crime-agency-brings-down-prolific-trojan-marketplace" target="_blank" data-original-url="https://www.itpro.com/security/trojans/354242/national-crime-agency-brings-down-prolific-trojan-marketplace">Remote Access Tool</a> (RAT). This is malware that has been customised by the attackers to extract data.</p><p>The researchers spotted the connection between the group and the two applications thanks to the related domains the hackers used to host malicious files for its different campaigns.</p><p>"The new findings underline the efforts of the Transparent Tribe members to add new tools that expand their operations even further and reach their victims via different attack vectors, which now include mobile devices," said Giampaolo Dedola, a senior security researcher at Kaspersky's Global Research and Analysis Team.</p><p>"We also see that the actor is steadily working on improving and modifying the tools they use. To stay protected from such threats, users need to be more careful than ever in assessing the sources they download content from and make sure that their devices are secure. This is especially relevant to those who know that they might become a target of an APT attack."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Hundreds of thousands of Android users hit by Google Play spyware ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/spyware/355664/hundreds-of-thousands-of-android-users-hit-by-google-play-spyware</link>
                                                                            <description>
                            <![CDATA[ Mandrake spyware masqueraded as legitimate apps with highly convincing social media accounts ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">uzmtMjVNTHv3rggi1Zk42P</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/rxEQ7xFd5yzpLiCGTM4fGZ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 15 May 2020 11:15:58 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sabina Weston ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/rxEQ7xFd5yzpLiCGTM4fGZ-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/rxEQ7xFd5yzpLiCGTM4fGZ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A prolific form of Android spying malware was left undetected in the <a href="https://www.itpro.com/software/google" target="_blank" data-original-url="https://www.itpro.com/search/google%20play">Google Play</a> store for four years and is likely to have affected hundreds of thousands of users, according to the team of researchers who discovered it.</p><p>The team from cyber security firm <a href="https://www.itpro.com/android/28184/the-best-antivirus-for-android-phones" target="_blank" data-original-url="https://www.itpro.com/android/28184/the-best-antivirus-for-android-phones">Bitdefender</a> discovered the "highly sophisticated Android espionage platform" earlier this year, although they believe it had been active since 2016, first targeting Android users in Australia and then users in the Americas and Europe, including the UK.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/355493/new-android-trojan-targets-mobile-banking-apps" data-original-url="/security/malware/355493/new-android-trojan-targets-mobile-banking-apps">New Android banking trojan is able to bypass two-factor authentication</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/spyware/34082/russian-linked-spyware-among-most-sophisticated-ever-discovered" data-original-url="/spyware/34082/russian-linked-spyware-among-most-sophisticated-ever-discovered">Russian-linked spyware 'among most sophisticated ever discovered'</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/28083/best-free-malware-removal-tools" data-original-url="/security/malware/28083/best-free-malware-removal-tools">6 of the best free malware removal tools in 2023</a></p></div></div><p>The <a href="https://www.itpro.com/malware/28076/what-is-malware" target="_blank" data-original-url="https://www.itpro.com/malware/28076/what-is-malware">malware</a> has been further defined as a strain of <a href="https://www.itpro.com/spyware/30001/what-is-spyware" target="_blank" data-original-url="https://www.itpro.com/spyware/30001/what-is-spyware">spyware</a>, which allowed its authors to snoop on any user that downloaded infected apps and access personal data, such as device preferences, the contents of their address books and messages, as well as device usage data and inactivity times.</p><p>Researchers have named the spyware 'Mandrake', as the criminals behind it were found to be using names of toxic plants for their development branches.</p><p>The team also found that Mandrake conducted phishing attacks on applications including <a href="https://www.itpro.com/tag/amazon" target="_blank" data-original-url="https://www.itpro.com/search/amazon">Amazon</a>, Gmail, <a href="https://www.itpro.com/tag/paypal" target="_blank" data-original-url="https://www.itpro.com/search/paypal">PayPal</a>, <a href="https://www.itpro.com/tag/google-chrome" target="_blank" data-original-url="https://www.itpro.com/search/google%20chrome">Google Chrome</a>, as well as popular cryptocurrency wallet apps such as Lunoor, Coinbase and numerous banking apps from around the world. UK banks were not listed by Bitdefender among the victims.</p><p>The creators of the malware attempted to gain a strong presence on the app market and circumvent Google Play security by publishing their own malicious apps, such as OfficeScanner and CoinCast, and generated fake comments and downloads in order to ensure that their application made it to the trending section of Google Play.</p><p>The malware developers went to great lengths to ensure their apps came across as legitimate software, including by engaging with negative reviews and comments, and delivering fixes to the apps.</p><p>The marketing behind the malicious apps was so extensive that CoinCast not only had an official website, but also a strong social media presence on Facebook, Twitter, Reddit, and YouTube.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="JC7UErrFcDUrdsGSDEYjo4" name="JC7UErrFcDUrdsGSDEYjo4.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/JC7UErrFcDUrdsGSDEYjo4.jpg" mos="https://cdn.mos.cms.futurecdn.net/JC7UErrFcDUrdsGSDEYjo4.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>IT faces new security challenges in the wake of COVID-19</strong></p><p class="fancy-box__body-text">Beat the crisis by learning how to secure your network</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-security/355556/it-faces-new-security-challenges-in-the-wake-of-covid-19" data-original-url="/security/cyber-security/355556/it-faces-new-security-challenges-in-the-wake-of-covid-19">FREE DOWNLOAD</a></p></div></div><p>Hackers even tried to evoke trust among its potential victims by listing an address for its OfficeScanner app on its Facebook page, namely the Engineering and Mathematical Sciences Building in Milwaukee, Wisconsin.</p><p>Alongside CoinCast and OfficeScanner, Bitdefender also listed Abfix, SnapTune Vid, Currency XE Converter, Horoskope, and Car News as other malicious applications developed by Mandrake operators.</p><p>The Bitdefender team estimates "the number of victims in the tens of thousands for the current wave, and probably hundreds of thousands throughout the full 4-year period".</p><p>"We can also extrapolate that every victim of Mandrake has most probably been exposed to some form of data theft," they said.</p><p>The discovery made by Bitdefender comes weeks after a group of cyber security experts from Cybereason Nocturnus found that a mobile-based trojan was <a href="https://www.itpro.com/security/malware/355493/new-android-trojan-targets-mobile-banking-apps" target="_blank" data-original-url="https://www.itpro.com/security/malware/355493/new-android-trojan-targets-mobile-banking-apps">capable of compromising Android's accessibility features</a> in order to steal user data from banking applications and read user's SMS messages, allowing the malware to bypass two-factor authentication.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ NSO Group workers sue Facebook for blocking private accounts ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/spyware/354214/nso-group-workers-sue-facebook-for-blocking-private-accounts</link>
                                                                            <description>
                            <![CDATA[ The action comes after WhatsApp sued the firm for its alleged role in the Pegasus video hack ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">5snxkYBP2gXMxE5YF5zQSM</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/atjMc7vaDfcGe7ohyTKwp9-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 27 Nov 2019 12:50:19 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Privacy]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/atjMc7vaDfcGe7ohyTKwp9-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The Facebook app as seen on a smartphone in somebody&amp;#039;s pocket ]]></media:description>                                                            <media:text><![CDATA[The Facebook app as seen on a smartphone in somebody&amp;#039;s pocket ]]></media:text>
                                <media:title type="plain"><![CDATA[The Facebook app as seen on a smartphone in somebody&amp;#039;s pocket ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/atjMc7vaDfcGe7ohyTKwp9-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Workers from Israeli spyware firm NSO Group have filed a lawsuit against Facebook, accusing the social media giant of blocking their private accounts after WhatsApp decided to sue their employer.</p><p>Employees with the firm have accused the tech giant of blocking their private accounts on Facebook and Instagram, as well as those of their friends and family members, according to <em>Reuters</em>. The workers have petitioned a court in Tel Aviv for Facebook to unblock the accounts, which was allegedly done without any notice.</p><p><a href="https://www.itpro.com/security/34715/us-allies-targeted-by-whatsapp-video-hack" target="_blank" data-original-url="https://www.itpro.com/security/34715/us-allies-targeted-by-whatsapp-video-hack">WhatsApp, which is owned by Facebook, launched legal action against the developer last month</a> after finding evidence that pointed to its role in providing the tools for government agencies to target individuals through the video calling function. </p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/innovation-at-work/24460/what-is-data-encryption" data-original-url="/security/innovation-at-work/24460/what-is-data-encryption">A complete guide to data encryption</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/spyware/33632/whatsapp-call-hack-installs-spyware-on-users-phones" data-original-url="/spyware/33632/whatsapp-call-hack-installs-spyware-on-users-phones">WhatsApp call hack installs spyware on users’ phones</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/general-data-protection-regulation-gdpr/33111/facebook-is-subject-to-10-major-gdpr-investigations" data-original-url="/general-data-protection-regulation-gdpr/33111/facebook-is-subject-to-10-major-gdpr-investigations">Facebook is subject to 10 major GDPR investigations</a></p></div></div><p>NSO Group was pinpointed in an attack earlier this year that targeted a litany of users, including journalists and human rights activists as well as senior government and military officials in US-allied nations.</p><p><em>IT Pro</em> approached Facebook for comment, but had not received a response at the time of publication. In a statement to <a href="https://www.reuters.com/article/us-facebook-nso-lawsuit/workers-at-israeli-surveillance-firm-nso-sue-facebook-for-blocking-private-accounts-idUSKBN1Y01RS" target="_blank"><em>Reuters</em></a>, however, a company spokesperson said it had disabled "relevant accounts" after attributing a sophisticated cyber attack to the company and its employees. These blocks "continue to be necessary for security reasons, including preventing additional attacks," the spokesperson added.</p><p>"Blocking our private accounts is a hurtful and unjust move by Facebook," the statement from NSO Group workers said. "The idea that personal data was searched for and used is very disturbing to us".</p><p>Facebook added that it had re-enabled some accounts through an appeals process, but the workers are adamant the initial blanket ban, subject to the lawsuit, was unfair.</p><p>The tool over which WhatsApp launched legal action, known as Pegasus, was <a href="https://www.itpro.com/spyware/33632/whatsapp-call-hack-installs-spyware-on-users-phones" target="_blank" data-original-url="https://www.itpro.com/spyware/33632/whatsapp-call-hack-installs-spyware-on-users-phones">used by hackers between April and May to manipulate a WhatsApp flaw</a> to track users' communications and location data.</p><p>NSO Group is known for developing surveillance technology for national governments and public sector agencies. WhatsApp, when it initially pointed the finger, claimed that companies like NSO Group do not have strict enough restrictions to ensure their products aren't complicit in cyber attacks.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ What is spyware? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/spyware/30001/what-is-spyware</link>
                                                                            <description>
                            <![CDATA[ Is spyware spying on you? What can you do about it? ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">djm7hBv6sCeQyzKpXtpiRp</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/uriHaE6SWcLb3DLSzjFFMR-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 29 Oct 2019 15:30:00 +0000</pubDate>                                                                                                                                <updated>Fri, 18 Oct 2024 16:18:00 +0000</updated>
                                                                                                                                            <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ keumars.afifi-sabet@futurenet.com (Keumars Afifi-Sabet) ]]></author>                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                        <dc:contributor><![CDATA[ Nicholas Fearn ]]></dc:contributor>
                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/uriHaE6SWcLb3DLSzjFFMR-1280-80.jpg">
                                                            <media:credit><![CDATA[Bigstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Spyware]]></media:description>                                                            <media:text><![CDATA[Spyware]]></media:text>
                                <media:title type="plain"><![CDATA[Spyware]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/uriHaE6SWcLb3DLSzjFFMR-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Spyware refers to any software that can be used to track or spy on your activity on a computer, mobile, tablet, or any other digital device.</p><p>Often, the term applies to <a href="https://www.itpro.com/malware/28076/what-is-malware">malware</a> that is installed on a computer with a malicious intent to watch a user&apos;s actions and replicate them in order to steal data or other information referring to a user. Whether it&apos;s the original hacker&apos;s intent or not, once a criminal has gained access via spyware, they are able to track anyone&apos;s actions on the computer - not just the owner&apos;s.</p><p>It&apos;s normally installed on a device without the user knowing and once it&apos;s running, it&apos;s often unlikely they&apos;ll be able to see anything different happening to their machine or mobile.</p><p>Using spyware, hackers can track keystrokes, the websites someone has visited, as well as usernames and passwords for those websites. Other sensitive information a user enters into fields, such as payment details, might also be tracked, with malicious actors aiming to breach accounts and carry out other fraudulent activities.</p><p>One of the reasons spyware can be such a problem is not only can it give criminals a way into your computer and the opportunity to steal data, but it can also significantly slow down a user&apos;s computer as it tracks everything you do.</p><p>Spyware can also be used to redirect web searches to questionable websites (used for phishing, for example), and change the settings of your computer, throttling bandwidth, memory and other processor tasks in the meantime.</p><p>There are times when software that acts like spyware is installed for reasons that are not just criminal. Organisations may install tracking software on corporate-owned hardware to track an employee&apos;s browsing habits. Parents may also use similar software to spy on their kids&apos; online activity.</p><h2 id="spyware-types">Spyware types</h2><p>Spyware comes in many forms, from adware to keyloggers. Here are some of the most common types and how they work.</p><p><strong>Adware</strong></p><p>Cyber criminals use adware to spam users with unwanted adverts on their computers, smartphones, and tablets, allowing for the monitoring of users’ browsing activity and the selling of this data to advertisers. Adware is often embedded inside free apps, landing on a user’s device potentially without their knowledge, although software vulnerabilities can also be exploited to achieve the same result.</p><p><strong>Keyloggers</strong></p><p>With keylogging software, hackers can monitor every keystroke a user makes on their device. Collecting this information allows them to access usernames, passwords, text messages, emails, and other private information that is typed by the victim. Typically, keyloggers will appear in the form of software that hides on a user’s machine and swipes information as it is entered with a keyboard, although they can appear as hardware-based devices inserted into the USB port. Information collected is usually stored in a file and later transmitted to a malicious actor.</p><p><strong>Rootkits</strong></p><p>Rootkits are software programs that allow cyber criminals to gain control over a victim&apos;s computer without their knowledge. As the name suggests, rootkits are collections of tools (kits) that allow hackers to take over the admin (or root) account on a system. This means they can prove incredibly dangerous - the admin access allows hackers to disable programs, delete files, execute malicious software, record user activity, and exfiltrate data. The elevated privileges also allow for persistence, making it difficult to completely remove the infection.</p><p><strong>Infostealer</strong></p><p>As you can probably guess by its name, infostealers are used to log confidential information such as usernames, passwords, and web cookies before sending it back to the hacker. When cyber criminals get hold of this information, they may list it for sale on the dark web in order to make a profit.</p><p><strong>System monitors</strong></p><p>These are software programs that allow cyber criminals to monitor all user activity on a compromised device, including the websites and apps people access, emails sent and received, and lots more. They typically capture this information by logging keystrokes and taking screenshots in real time.</p><h2 id="examples-of-spyware">Examples of spyware</h2><p>New spyware campaigns are constantly emerging, with one of the most recent being dubbed CapraRAT by security researchers at SentinelOne. This spyware mainly comes in the form of curated video browsing applications for Android devices. Researchers <a href="https://www.itpro.com/software/android/security-experts-issue-warning-over-new-spyware-variant-targeting-android-users"><u>warned</u></a> in July that the group had started targeting mobile gamers, weapons enthusiasts, and social media users with four new malicious apps.</p><p>In 2023, a spyware campaign dubbed Operation Triangulation was <a href="https://www.itpro.com/security/malware/kaspersky-traces-spyware-attack-on-staff-ios-devices-back-to-2019"><u>found</u></a> on the iPhones of a number of people working for cyber security giant Kaspersky. The spyware is believed to have been spread through iMessage, in hope of stealing sensitive information stored on victims’ iPhones. Apple has since <a href="https://www.itpro.com/security/cyber-attacks/apple-patches-zero-day-linked-to-spyware-campaign"><u>issued</u></a> a security update for this zero-day flaw.</p><p>Mayur Upadhyaya — CEO of API security firm APIContext —  warns that spyware campaigns like CapraRAT and Operation Triangulation present a “persistent threat” to users.</p><p>“From annoying adware to dangerous keyloggers, rootkits, and info-stealers, spyware&apos;s diverse forms pose significant risks,” he says. “The rise of spyware, particularly targeting APIs, highlights the need for vigilance.”</p><h2 id="how-to-protect-a-business-against-spyware">How to protect a business against spyware</h2><p>When it comes to preventing spyware, an effective method is to improve security protections on each endpoint. The installation of antivirus and antimalware tools will help prevent initial infections, while constant monitoring in the form of endpoint detection and response (EDR) will allow admins to spot and shutdown malicious activity.</p><p>Because spyware is often present in free apps and software, the enforcement of application policies that block certain third-party apps stores, and the creation of approved app lists, will help eliminate possible routes for malicious apps.</p><p>Software vulnerabilities also provide a means for cyber criminals to install spyware on compromised devices, so you should regularly perform software and security updates. A robust password policy, installing firewalls and virtual private networks, checking app permissions, and security awareness training that covers the dangers of clicking links or attachments in emails are just a few examples of additional measures you can take to limit the spread of spyware.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED WHITEPAPER</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="mX3rcby7TCvxta7upcjSgW" name="Put AI to work for customer service in banking.jpg" caption="" alt="Put AI to work for customer service in banking" src="https://cdn.mos.cms.futurecdn.net/mX3rcby7TCvxta7upcjSgW.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: IBM)</span></figcaption></figure><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/technology/artificial-intelligence/put-ai-to-work-for-customer-service-in-banking"><em>Deploy generative AI within your institution</em></a></p></div></div><p>While many spyware variants can be prevented through good cyber hygiene, some are more difficult to mitigate. David Ruiz, senior privacy advocate at cyber security firm Malwarebytes, uses Pegasus — the spyware software created by Israeli cyber intelligence company NSO Group — as an example of a spyware that currently lacks a “known defense”.</p><p>He tells ITPro: “Deployed wantonly by dictatorships and abusive governments, Pegasus is difficult to detect even when it is on a device, and past victims who have worked with Amnesty International and Citizen Lab were forced to simply start over anew when learning that their devices were compromised.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Huawei employees allegedly aid cyber espionage in Africa ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/34215/huawei-employees-allegedly-aid-cyber-espionage-in-africa</link>
                                                                            <description>
                            <![CDATA[ Encrypted messages were intercepted and cracked enabling the scuppering political protests ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dvegew52Jsq6aVQ65DKHBN</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/BXBja9MCNYNihMYharC34E-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 15 Aug 2019 10:06:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/BXBja9MCNYNihMYharC34E-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Huawei outdoor logo sign]]></media:description>                                                            <media:text><![CDATA[Huawei outdoor logo sign]]></media:text>
                                <media:title type="plain"><![CDATA[Huawei outdoor logo sign]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/BXBja9MCNYNihMYharC34E-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Huawei employees have allegedly been helping African governments spy on their opposition using its own technology and other <a href="https://www.itpro.com/spyware/30001/what-is-spyware" target="_blank" data-original-url="https://www.itpro.com/spyware/30001/what-is-spyware">spyware</a> to break into encrypted messages and scupper political protests.</p><p>Security officials working in direct contact with the Huawei employees have spoken out against those from the embattled Chinese tech giant inserted into the Ugandan and Zambian cyber security forces for helping governments hack, track and halter their opposition, according to a <a href="https://www.wsj.com/articles/huawei-technicians-helped-african-governments-spy-on-political-opponents-11565793017?shareToken=st55df0fb43689404faf8e0ae5c7ddfae6" target="_blank"><em>Wall Street Journal</em> investigation</a>.</p><p>In one instance, Huawei technicians were allegedly drafted in to help Ugandan cyber surveillance teams intercept encrypted communications sent and received by Bobi Wine, a musician-cum-political activist and highly outspoken opponent of the Ugandan government.</p><p>The report revealed that Ugandan security officials unsuccessfully tried for days to hack into Wine's Skype and <a href="https://www.itpro.com/policy-legislation/33741/tech-industry-bands-together-to-oppose-gchq-snooping" target="_blank" data-original-url="https://www.itpro.com/policy-legislation/33741/tech-industry-bands-together-to-oppose-gchq-snooping">WhatsApp groups</a> - in which he organised political rallies in coded slang - before turning to Huawei employees for assistance.</p><p>"The Huawei technicians worked for two days and helped us puncture through," said one senior officer at the surveillance unit to the <em>WSJ</em>.</p><p>The employees who helped hack Wine have since been arrested and their names included in police reports which have been withheld from the wider media.</p><p>In hacking the encrypted messages, authorities were able to deploy forces to stop secretly organised street rallies and, in one case, Wine from drafting in 11 lawmakers to speak at one of his concerts.</p><p>"It was very clear he was organising a political event, not a music show. We had to act quickly," one of the officials said.</p><p>Wine has said the surveillance has spread to his family and has now resorted to alternative tactics in order to stay under the government's radar such as swapping phones and even using devices belonging to members of the public while on the move to evade surveillance.</p><p>"The deal with Huawei is a survivor strategy to consolidate power," said Wine. "It's an all-out assault."</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/policy-legislation/33882/us-huawei-ban-impacts-global-supply-chains" data-original-url="/policy-legislation/33882/us-huawei-ban-impacts-global-supply-chains">US' Huawei ban impacts global supply chains</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/policy-legislation/34013/us-may-reopen-trade-with-huawei-within-weeks" data-original-url="/policy-legislation/34013/us-may-reopen-trade-with-huawei-within-weeks">US may reopen trade with Huawei 'within weeks'</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/mobile/34095/huawei-p30-review-too-good-to-ban" data-original-url="/mobile/34095/huawei-p30-review-too-good-to-ban">Huawei P30 review: Too good to ban</a></p></div></div><p>It was much the same in Zambia, Huawei technicians, who have now also been arrested but not publicly named, were accused of helping the government break into the phones and Facebook pages of a blogging group which ran a news site publishing criticism of President Edgar Lungu.</p><p>According to the <em>WSJ</em>, the operation was conducted out of a surveillance unit in Zambia's telecoms regulator which tracked bloggers locations, ultimately leading to their arrest. It followed an April crackdown, under President Lungu's command, to neuter news sites that published pro-opposition stories after a long period of stable democracy in the country.</p><p>The agency responsible for tackling the spread of these damaging stories was Zicta, Zambia's Information and Communications Technology Authority, around half of the staff of which are Huawei employees.</p><p>"Whenever we want to track down perpetrators of fake news, we ask Zicta, which is the lead agency," said Antonio Mwanza, Zambia's ruling party spokesperson. "They work with Huawei to ensure that people don't use our telecommunications space to spread fake news."</p><p>Huawei first arrived in Africa in 2000, securing the contract for the Ugandan government's sole IT provider eight years later. The report states that after President Museveni expanded digital snooping in 2017, police officers were sent for training in Beijing and then visited Huawei's Shenzhen headquarters to hear about the company's surveillance systems.</p><p>Huawei executives allegedly told Uganda to look at Algeria's mass monitoring surveillance systems, supplied by Huawei. Ugandan officers spent time in Algeria doing just that, before co-producing a classified report between Uganda and Algeria titled 'Huawei's intelligent video surveillance system'.</p><p>"We completely reject the W<em>all Street Journal</em>'s unfounded and inaccurate allegations against Huawei's business operations in Algeria, Uganda, and Zambia," said Huawei in a statement to <em>IT Pro</em>. "Huawei's code of business conduct prohibits any employees from undertaking any activities that would compromise the data or privacy of our customers or end users, or that would breach any laws.</p><p>"Huawei prides itself on its compliance with local laws and regulations in all markets where it operates and we will defend our reputation robustly against such baseless allegations."</p><p>However, the revelations come after a period of calm as regards Huawei's reputation as an alleged international cyber espionage outfit, operating on behalf of the Chinese government.</p><p>The US has currently placed Huawei on a trade blacklist but in the last few weeks, <a href="https://www.itpro.com/policy-legislation/34013/us-may-reopen-trade-with-huawei-within-weeks" target="_blank" data-original-url="https://www.itpro.com/policy-legislation/34013/us-may-reopen-trade-with-huawei-within-weeks">reports suggested</a> that US companies would be able to apply for licences to once again trade with the tech giant, indicating the White House would loosen its sanctions that have had <a href="https://www.itpro.com/policy-legislation/33882/us-huawei-ban-impacts-global-supply-chains" target="_blank" data-original-url="https://www.itpro.com/policy-legislation/33882/us-huawei-ban-impacts-global-supply-chains">ramifications on the global supply chain</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Russian-linked spyware 'among most sophisticated ever discovered' ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/spyware/34082/russian-linked-spyware-among-most-sophisticated-ever-discovered</link>
                                                                            <description>
                            <![CDATA[ Monokle spyware boasts extensive list of potential hacking tools ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dzqy7XeVdUYWX9jmepxKqz</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/odk8ZSinsL42PxYiMaFHy7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 25 Jul 2019 11:37:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/odk8ZSinsL42PxYiMaFHy7-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Computer code on a screen with a skull representing a computer virus / malware attack.]]></media:description>                                                            <media:text><![CDATA[Computer code on a screen with a skull representing a computer virus / malware attack.]]></media:text>
                                <media:title type="plain"><![CDATA[Computer code on a screen with a skull representing a computer virus / malware attack.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/odk8ZSinsL42PxYiMaFHy7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A highly sophisticated strain of Android spyware has been discovered which is thought to be linked to a Russian defence contractor previously implicated in the interference of the US 2016 presidential elections.</p><p>Researchers from Lookout say the dangerous spyware, known as Monokle, can perform a range of hacking tasks, such as exfiltrating sensitive data, issuing remote access commands on devices, and launching man-in-the-middle attacks (MITM).</p><p>The spyware, which has been traced back to the Special Technology Centre (STC), a St. Petersberg-based company with a previously unknown history of developing apps, has been actively infecting users since 2016. Activity has been low in volume but consistent throughout the years, peaking in 2018.</p><p>Monokle has so far operated as a trojan, embedding itself into popular apps such as Evernote, Wickr and Skype and then launching a varied list of attack types from a user's machine. It tricks users into downloading it by disguising itself as popular legitimate apps such as encrypted messaging services, productivity boosters and Android update services. It spoofs these apps logos and offers seemingly legitimate functionality.</p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="d3o5PBYt2kRVF4LkaxKohQ" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/d3o5PBYt2kRVF4LkaxKohQ.png" mos="https://cdn.mos.cms.futurecdn.net/d3o5PBYt2kRVF4LkaxKohQ.png" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><p>It's believed that Monokle operates entirely on the Android operating system. While there is evidence of an iOS version in development, researchers said there have been no observed active infections on Apple's operating system to date.</p><p>If a user does find themselves infected with this intensely effective and capable strain of spyware, they will be prey to the array of malicious features. The spyware is said to be invisible to an infected device's Process Manager and, because of its <a href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" target="_blank" data-original-url="https://www.itpro.com/security/30081/what-is-a-trojan-virus">remote access trojan</a> (RAT) functionality, it's likely it would record most of your calls and background audio, and keep logs of texts, calls, passwords and pin codes.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/network-internet/34051/kazakh-government-will-intercept-the-nation-s-https-traffic" data-original-url="/network-internet/34051/kazakh-government-will-intercept-the-nation-s-https-traffic">Kazakh government will intercept the nation’s HTTPS traffic</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/spyware/30001/what-is-spyware" data-original-url="/spyware/30001/what-is-spyware">What is spyware?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/web-browser/33349/slew-of-vulnerabilities-detected-in-https" data-original-url="/web-browser/33349/slew-of-vulnerabilities-detected-in-https">Slew of vulnerabilities detected in HTTPS</a></p></div></div><p>Data exfiltration is also a big part of Monokle's functionality. It's said to have the ability to retrieve calendar information, including the date and time of an event, and the description of it. It can also collect account information from some of the most popular social media apps around, including Instagram, WhatsApp and Skype.</p><p>In addition, Monokle can retrieve contacts, emails, call and browsing histories, accounts with corresponding passwords and track device location. It can also install attacker-specified certificates to the Android trusted-certificate store, which would allow it to conduct <a href="https://www.itpro.com/network-internet/34051/kazakh-government-will-intercept-the-nation-s-https-traffic" target="_blank" data-original-url="https://www.itpro.com/network-internet/34051/kazakh-government-will-intercept-the-nation-s-https-traffic">man-in-the-middle (MITM) attacks</a> against <a href="https://www.itpro.com/web-browser/33349/slew-of-vulnerabilities-detected-in-https" target="_blank" data-original-url="https://www.itpro.com/web-browser/33349/slew-of-vulnerabilities-detected-in-https">TLS traffic</a>.</p><p>Researchers were unable to access any of Monokle's exfiltrated data and can only speculate on the potential targets of the <a href="https://www.itpro.com/spyware/30001/what-is-spyware" target="_blank" data-original-url="https://www.itpro.com/spyware/30001/what-is-spyware">spyware</a>, but possibilities listed include those interested in Isalm, interested in or associated with the Ahrar al-Sham militant group in Syria and those living in or associated the Caucasus regions of Eastern Europe - among others.</p><p>These guesses were made through inferred information such as the namings of Monokle-infected apps such as 'Ahrar Maps' and 'caucus'. Most apps were written in English but some were also in Russian and Arabic.</p><p>The researchers "found strong links that tie STC's Android software development operations to Monokle's indicators of compromise (IOCs) [and] shared command and control infrastructure used by both legitimate and malicious Android applications produced by STC," the report read.</p><p>"The Defender application and related software has been referred to by an STC developer as developed 'for a government customer,'" it added.</p><p>The report's findings have forced experts to once again raise awareness of the necessity of only downloading verified apps from legitimate sources.</p><p>"The Monokle malware mainly infects devices through corrupted versions of legitimate apps," said Paul Bischoff, privacy advocate, Comparitech.com. "For this reason, it's important for all Android users to get apps from a trusted source."</p><p>"Avoid downloading apps from third-party app stores and APK downloads," he added. "App developers don't publish their apps on these sites, so they're put there by unknown third parties. The apps from unreputable sources often look identical, but in fact, contain malware."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ WhatsApp call hack installs spyware on users’ phones ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/spyware/33632/whatsapp-call-hack-installs-spyware-on-users-phones</link>
                                                                            <description>
                            <![CDATA[ iPhones and Android devices are vulnerable to security flaw – WhatsApp recommends immediate app update ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">46PekCqGAArXVwBKaoUmiS</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/pvzwgHBZPMGDTDgZxgf6Ba-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 14 May 2019 09:17:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jane McCallion ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/pvzwgHBZPMGDTDgZxgf6Ba-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[grafitti of a spy on a wall]]></media:description>                                                            <media:text><![CDATA[grafitti of a spy on a wall]]></media:text>
                                <media:title type="plain"><![CDATA[grafitti of a spy on a wall]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/pvzwgHBZPMGDTDgZxgf6Ba-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A vulnerability has been discovered in WhatsApp that allows hackers to covertly install spyware on users' phones and track their communications and even location.</p><p>The exploit, which was first reported by <em><a href="https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab" target="_blank">The Financial Times</a></em>, affects both iOS and Android devices and was discovered by WhatsApp earlier this month.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/25828/whatsapp-users-lured-in-by-malware" data-original-url="/security/25828/whatsapp-users-lured-in-by-malware">WhatsApp users lured in by malware</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/26305/whatsapp-announces-end-to-end-encryption" data-original-url="/security/26305/whatsapp-announces-end-to-end-encryption">WhatsApp announces end-to-end encryption</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/general-data-protection-regulation-gdpr/30767/whatsapp-stops-sharing-data-with-facebook" data-original-url="/general-data-protection-regulation-gdpr/30767/whatsapp-stops-sharing-data-with-facebook">WhatsApp stops sharing data with Facebook</a></p></div></div><p>The malware is delivered through a voice call on the app that doesn't even require the user to answer in order for it to be installed, According to a "spyware dealer" who spoke to the <em>FT</em> and WhatsApp. The spyware dealer also claimed that the attacker was then able to delete call logs, so the user may have no idea they were targeted.</p><p>It's alleged that the malicious code was developed by NSO Group, a secretive firm based in Israel that's known primarily for developing spyware under the codename Pegasus, which was <a href="https://blog.lookout.com/trident-pegasus" target="_blank">discovered by the University of Toronto's Citizen Lab and cyber security firm Lookout in 2016</a>.</p><p>Pegasus, which is sold to third parties such as government agencies, can turn on a phone's microphone and camera, and collect information from emails and messages as well as picking up location data.</p><p>As in 2016, this latest attack seems to have been used primarily to target those working in the field of human rights, with <em>the FT</em> reporting that a UK-based human rights lawyer was targeted on Sunday 12 May.</p><p><em>IT Pro</em> contacted NSO Group for comment, but hadn't received a response at the time of publication. However, the organisation told the <em>FT</em>: "Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.</p><p>"NSO would not, or could not, use its technology in its own right to target any person or organisation."</p><p>Independent security researcher Graham Cluley told <em>IT Pro</em> it's not surprising that a vulnerability like this had been found and exploited in WhatsApp.</p><p>"Any complicated piece of software is going to have bugs. Such a widely-used piece of software like WhatsApp is going to have many more determined parties looking closely at it for vulnerabilities and exploits than something that few people use," he said</p><p>He also said it's unsurprising that a specific victim profile had been targeted by whoever has deployed the malware, rather than used to capture data on all or most users.</p><p>"Attacks like this aren't typically used against a large number of individuals, but a small, targeted group of victims that are of high value to intelligence agencies and governments," he said.</p><p>It's currently not known how long the vulnerability has been in place, however, the company issued a patch for its mobile apps yesterday and is urging all users to upgrade to the latest version as soon as possible. It has also taken steps to deny attackers the ability to use this exploit at an infrastructure level.</p><p>In a statement issued to <em>IT Pro</em>, a WhatsApp spokesman said: "WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices. We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Amnesty International blames ‘hostile government’ after Israeli-made spyware targets staff ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/spyware/31616/amnesty-international-blames-hostile-government-after-israeli-made-spyware-targets</link>
                                                                            <description>
                            <![CDATA[ The organisation was targeted by a ‘sophisticated campaign’ that has seen 175 attacks around the world since 2016 ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">v6qFcXWzaKKQDHy9BFCrFu</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/FaReWHXkRoUmCghWxHFfMF-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 02 Aug 2018 11:23:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/FaReWHXkRoUmCghWxHFfMF-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A sign bearing the Amnesty International logo is held up in front of a skyscraper]]></media:description>                                                            <media:text><![CDATA[A sign bearing the Amnesty International logo is held up in front of a skyscraper]]></media:text>
                                <media:title type="plain"><![CDATA[A sign bearing the Amnesty International logo is held up in front of a skyscraper]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/FaReWHXkRoUmCghWxHFfMF-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Amnesty International has disclosed how its staff were targeted in a spyware attack launched by what it believes to be "a government hostile to its work".</p><p>Alarms sounded in June after an Amnesty researcher received a suspicious WhatsApp message with details of an alleged protest outside the Saudi embassy in Washington DC, along with a link to a website.</p><p>An investigation by the charity's technology team revealed clicking this would have installed a surveillance tool called "Pegasus", developed by Israeli-based company NSO Group. The software enables an "extraordinarily invasive form of surveillance" and allows a malicious actor to intercept phone calls, and messages received on the handset, <a href="https://www.amnesty.org/en/latest/news/2018/08/staff-targeted-with-malicious-spyware" target="_blank">the charity claims</a>.</p><p>"NSO Group is known to only sell its spyware to governments. We therefore believe that this was a deliberate attempt to infiltrate Amnesty International by a government hostile to our human rights work," said Amnesty International's head of technology and human rights Joshua Franco.</p><p>"This chilling attack on Amnesty International highlights the grave risk posed to activists around the world by this kind of surveillance technology."</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/spyware/30001/what-is-spyware" data-original-url="/spyware/30001/what-is-spyware">What is spyware?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/25828/whatsapp-users-lured-in-by-malware" data-original-url="/security/25828/whatsapp-users-lured-in-by-malware">WhatsApp users lured in by malware</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/strategy/26842/facebook-defends-itself-against-israels-terror-support-claims" data-original-url="/strategy/26842/facebook-defends-itself-against-israels-terror-support-claims">Facebook defends itself against Israel's terror support claims</a></p></div></div><p>Researchers from the University of Toronto's Citizen Lab, which investigates digital espionage among other subjects, <a href="https://citizenlab.ca/2018/07/nso-spyware-targeting-amnesty-international" target="_blank">corroborated Amnesty's assessment</a>, suggesting the SMS messages Amnesty received contain domain names pointing to websites that appear to be part of NSO Group's Pegasus infrastructure.</p><p>Citizen Lab's researchers found the domains social-life.info and akhbar-arabia.com, which appeared on the WhatsApp messages, were consistent with the Pegasus infrastructure they had been tracking since 2016.</p><p>The organisation suggest the contents of the WhatsApp message were connected with the organisation's campaigning that week for the release of six women's rights activists being detained in Saudi Arabia. The organisation learned a Saudi Arabian rights activist received a similar message shortly afterwards.</p><p>"Can you please cover [the protest] for your brothers detained in Saudi Arabia in front of the Saudi embassy in Washington," the message read. "My brother was detained in Ramadan and I am on a scholarship here so please do not link me to this. [LINK]. Cover the protest now it will start in less than an hour. We need your support please."</p><p>Citizen Lab has identified 175 reported such instances of surveillance with ties to NSO in its experience, with up to 150 incidents in Panama alone, as well as reports from the United Arab Emirates, Mexico and Saudi Arabia.</p><p>The institution's researchers identified the links as matching websites appearing as part of NSO's new infrastructure that retains a Saudi-focus. They concluded the messages appear to represent attempts to infect the Amnesty researcher and the Saudi activist based abroad with NSO Group's Pegasus spyware.</p><p>"NSO Group develops cyber technology to allow government agencies to identify and disrupt terrorist and criminal plots," the Israeli-based company said.</p><p>"Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism. Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company.</p><p>"If an allegation arises concerning a violation of our contract or inappropriate use of our technology, as Amnesty has offered, we investigate the issue and take appropriate action based on those findings. We welcome any specific information that can assist us in further investigating of the matter."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ US indicts 12 Russian agents over DNC hack ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/31516/us-indicts-12-russian-agents-over-dnc-hack</link>
                                                                            <description>
                            <![CDATA[ 12 Russian intelligence operatives have been formally accused by the DoJ ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">mQ3iuekCNs7wFscZ3iMEoW</guid>
                                                                                                                            <pubDate>Mon, 16 Jul 2018 10:50:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Adam Shepherd ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/3n2BoLAtRj8Z5eRfxtwyK8.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                                        <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Twelve Russian intelligence operatives have been officially charged by the US Department of Justice (DoJ) with hacking the Democratic National Committee (DNC) for the explicit purpose of interfering with the 2016 presidential election.</p><p>The <a href="https://www.justice.gov/file/1080281/download" target="_blank">indictment</a> marks the first time that the Russian government has been formally accused of playing a role in the hack on the DNC in 2016, and comes just before a major summit between US President Donald Trump and Russian dictator Vladimir Putin.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/hacking/26988/us-officially-accuses-russia-of-leaking-dnc-emails" data-original-url="/hacking/26988/us-officially-accuses-russia-of-leaking-dnc-emails">US officially accuses Russia of leaking DNC emails</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/28774/should-we-worry-about-election-hacking" data-original-url="/security/28774/should-we-worry-about-election-hacking">Should we worry about election hacking?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/hacking/27766/donald-trump-russia-was-likely-behind-dnc-hack" data-original-url="/hacking/27766/donald-trump-russia-was-likely-behind-dnc-hack">Donald Trump: Russia was likely behind DNC hack</a></p></div></div><p>The indicted individuals are all Russian military officers of various ranks, and work for cyber divisions within GRU, the Russian Ferderation's main foreign intelligence agency. The Russian government has denied all involvement, stating that there is no evidence to link the men to the hacks or to GRU itself.</p><p>Trump himself has similarly shrugged off the news, stating that the hacks took place under Obama's leadership, and asking why Obama hadn't "done anything about it".</p><div class="see-more see-more--clipped"><blockquote class="twitter-tweet hawk-ignore" data-lang="en"><p lang="en" dir="ltr"><a href="https://twitter.com/cantworkitout/status/1018074723140427776"></a></p></blockquote><div class="see-more__filter"></div></div><p>Obama ejected 35 Russian diplomats from the US and closed two Russian embassies in December 2016.</p><p>A number of interesting findings have come to light as a result of the indictment, including that 'Guccifer 2.0' - a hacker pseudonym that fed huge amounts of stolen emails and documents to WikiLeaks - was allegedly a persona used by multiple Russian intelligence officers to try and throw investigators off the scent. The Guccifer persona was also approached by a US congressional candidate looking to obtain dirt on their opponent, and was also confirmed to have corresponded with "a person who was in regular contact with senior members of the presidential campaign of Donald J. Trump".</p><p>What practical impact this will have on the accused hackers is unknown. Because the US has no extradition treaty with Russia, Putin is under no obligation to hand them over to US authorities, although law enforcement in other countries will be on the lookout for them.</p><p>The news is the latest action linking Russia to US election tampering, part of a wide-ranging series of efforts including a concerted push to spread disinformation via social media - something being investigated in both the UK and US. Twitter recently revealed that Russian bots <a href="https://www.itpro.com/social-media/30339/russian-bots-shared-trumps-election-tweets-500k-times" target="_blank" data-original-url="https://www.itpro.com/social-media/30339/russian-bots-shared-trumps-election-tweets-500k-times%20">shared Trump's tweets 500,000 times in the run up to the election</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Attackers targeting World Cup fans with 'Golden Cup' Android app loaded with spyware ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/spyware/31458/attackers-targeting-world-cup-fans-with-golden-cup-android-app-loaded-with-spyware</link>
                                                                            <description>
                            <![CDATA[ "Cyber terrorists" behind a campaign targeting Israeli soldiers have shifted their focus to civilians by exploiting the 2018 World Cup ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">9Einh872dN7zsEBUuxRVzS</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/BmUJqsMod2aemX4sGUFpw4-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 06 Jul 2018 09:44:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/BmUJqsMod2aemX4sGUFpw4-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The football from the 2018 FIFA World Cup hosted in Russia]]></media:description>                                                            <media:text><![CDATA[The football from the 2018 FIFA World Cup hosted in Russia]]></media:text>
                                <media:title type="plain"><![CDATA[The football from the 2018 FIFA World Cup hosted in Russia]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/BmUJqsMod2aemX4sGUFpw4-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Researchers have uncovered an emerging cyber threat targeting Android device-owning football supporters just as the 2018 FIFA World Cup reaches its climax.</p><p>Believed to be part wider spyware campaign targeting members of the Israeli Defence Force (IDF) dating back to the start of 2018, <a href="https://www.clearskysec.com/glancelove" target="_blank">ClearSky security researchers</a> have discovered a variant aimed at targeting football supporters manifesting as an application named 'Golden Cup'.</p><p>Days after the <a href="https://www.idf.il/en/minisites/hamas/hamas-online-terrorism" target="_blank">IDF publshed a report</a> blaming "Hamas cyber terrorists" for orchestrating a spyware campaign that lured Israeli soldiers into downloading malicious applications, security researchers have found further samples, manifesting principally as 'Golden Cup', now targeting civilians.</p><p>The original spyware campaign initially involved fake Facebook profiles asking IDF soldiers, as part of a seduction process, to download the malicious apps named 'GlanceLove' and 'WinkChat' to continue socialising.</p><p>Researchers at Symantec noted that given the original approach was "not a great success", the hacker's latest attempt involved a hurriedly created malicious World Cup app to offer users live scores and fixtures and distribute it to Israeli citizens as well as military personnel.</p><p>"We assume it was rushed because, unlike GlanceLove, it lacked any real obfuscation," <a href="https://www.symantec.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" target="_blank">its researchers Roy Iarchy and Eyal Rynkowski wrote on the cyber security company's official blog</a>.</p><p>"Even the C&C [command-and-control] server side was mostly exposed with the file listing available for everyone to traverse through it. It contained approximately 8GB of stolen data."</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/phishing/31207/kaspersky-spots-spike-in-world-cup-phishing-scams" data-original-url="/phishing/31207/kaspersky-spots-spike-in-world-cup-phishing-scams">Kaspersky spots spike in World Cup phishing scams</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/31220/gchq-helps-england-team-avoid-russian-hackers-at-world-cup" data-original-url="/security/31220/gchq-helps-england-team-avoid-russian-hackers-at-world-cup">GCHQ helps England team avoid Russian hackers at World Cup</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/spyware/30001/what-is-spyware" data-original-url="/spyware/30001/what-is-spyware">What is spyware?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/spyware/30305/kaspersky-uncovers-worlds-most-powerful-android-spyware-tool-skygofree" data-original-url="/spyware/30305/kaspersky-uncovers-worlds-most-powerful-android-spyware-tool-skygofree">Kaspersky uncovers 'world's most powerful' Android spyware tool, Skygofree</a></p></div></div><p>GoldenCup is a fairly innocent-looking app in that its code is aimed at executing the app's touted functionality as a scores hub, while also being geared towards collecting identifiers and some data from the host device.</p><p>Thorugh the use of a phased approach GoldenCup exploits its fairly innocuous design to get past Google's security processes and get listed on the Google Play Store. </p><p>After receiving a command from the C&C - communicating using a Message Queuing Telemetry Transport (MQTT) protocol - the app downloads a malicious .dex file that adds additional malicious capabilities. Using this delivery method, its developers can submit a seemingly-legitimate application to the Play Store, adding any malicious elements thereafter.</p><p>The first phase involves collecting device information, as well as a list of apps already installed on the device, before the app processes an "install app" command that downloads an encrypted zip file containing a second .dex file.</p><p>From this point, the spyware's functions span from collecting more information about the devices to recording phone calls. The attackers can track location, upload images and video files, upload contacts information, upload SMS message history, record audio using the microphone, and use the camera to capture bursts of snapshots.</p><p>These can either be run periodically or upon receiving a command from the C&C server.</p><p>"We were unable to find technical similarities or infrastructure overlap with a known threat actor," Clear Sky's research team said.</p><p>"However, we assess with medium certainty that the threat actor behind this campaign is Arid Viper based on the targeting of Israeli soldiers, type and character of fake personas on Facebook, and previous Arid Viper activity."</p><p>The emergence of a World Cup-related cyber threat is in keeping with malicious actors' tendencies to exploit contemporary or widely-talked about events in the public domain.</p><p>Researchers at Kaspersky, for instance, <a href="https://www.itpro.com/phishing/31207/kaspersky-spots-spike-in-world-cup-phishing-scams" target="_blank" data-original-url="https://www.itpro.com/phishing/31207/kaspersky-spots-spike-in-world-cup-phishing-scams">detected a rise in phishing attacks tied to the World Cup in the weeks leading up to the event</a>, alongside a general rise in the number of football-related spam - detailing a series of observations including fake lottery win notifications, and emails from attackers impersonating tournament sponsors.</p><p>Norton Antivirus, meanwhile, Symantec's parent company, highlighted one example of a fake win phishing email, informing users they have won $1.8 million "In Russia 2018 World Cup Draw", that reached 26,000 users in its first seven days.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Scale of cyber risk to UK businesses is "bigger than ever" ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cyber-crime/30911/scale-of-cyber-risk-to-uk-businesses-is-bigger-than-ever</link>
                                                                            <description>
                            <![CDATA[ Reports chart rise of ransomware and crypto-mining attacks ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">rDXqX9nfDdPNZ9wpXhXv3n</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/CqULgbJTEkSR6HXKv8N3Cg-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 10 Apr 2018 11:01:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/CqULgbJTEkSR6HXKv8N3Cg-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cyber crime]]></media:description>                                                            <media:text><![CDATA[Cyber crime]]></media:text>
                                <media:title type="plain"><![CDATA[Cyber crime]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/CqULgbJTEkSR6HXKv8N3Cg-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Reports out today have revealed the scale and severity of cybercrime threats facing UK businesses - with spyware the number one threat but ransomware and cryptomining detections rising sharply.</p><p>The National Cyber Security Centre (NCSC) and National Crime Agency (NCA) counted 34 significant attacks that required a cross-government response between October 2016 and the end of 2017, in addition to 762 less severe attacks across this period, in <a href="https://www.ncsc.gov.uk/cyberthreat" target="_blank">a joint report</a> released today.</p><p>Their report, titled 'The cyber threat to UK businesses 2017-2018', said 2018 would bring further attacks; warning vulnerabilities in Internet of Things (IoT) devices will grow, as well as highlighting the increased threat of crypto-jacking - where hackers force victims' computers <a href="https://www.itpro.com/web-browser/30780/is-your-browser-secretly-mining-cryptocurrencies" target="_blank" data-original-url="https://www.itpro.com/web-browser/30780/is-your-browser-secretly-mining-cryptocurrencies">to unwittingly mine cryptocurrencies</a> - and the growing temptation for attackers to target sensitive information stored on cloud services.</p><p>Major incidents in 2017 included ransomware and distributed denial of service (DDoS) attacks, massive data breaches, supply chain compromises, as well as fake news and information operations.</p><p>The NCSC said the risk to UK companies is "bigger than ever", and Ciaran Martin, NCSC chief executive, emphasised the need for public organisations to share knowledge to fend off attacks.</p><p>"We are fortunate to be able to draw on the cyber crime fighting expertise of our law enforcement colleagues in the National Crime Agency," he said. "This joint report brings together the combined expertise of the NCA and the NCSC. The key to better cyber security is understanding the problem and taking practical steps to reduce risk."</p><p>Raj Samani, chief scientist and fellow at cybersecurity firm McAfee, said sharing knowledge should extend to the private sector too. He said: "The NCSC rightly highlights the importance of collaboration in underpinning the UK's response to cyberattacks. One way to do this in in adopting threat intelligence sharing. In learning about the attacks that other similar organisations are facing, IT and security professionals can ensure that they are prepared to defend against the popular attacks of the day."</p><p><strong>Ransomware</strong></p><p>Verizon also released its 11th annual Data Breach Investigations Report today, the findings of which may prove somewhat unsurprising for those who have been keeping an eye on the security landscape over the last few years.</p><p>Predictably, ransomware was one of the biggest threats, becoming the most commonly-seen form of malware over the course of 2017, up from fourth place the previous year. One notable change, however, is that ransomware infections are increasingly affecting business-critical systems rather than just desktops.</p><p>Ali Neal, director of international security solutions at Verizon, told <em>IT Pro </em>that although these results may not be surprising, they are still significant. "We have to call out things whether they're obvious or slightly better-hidden; the ransomware piece is obviously something that's probably pretty obvious to everyone, but it has been notable in the number of incidents that it created."</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/security/29614/ncsc-uk-hit-by-590-significant-cyber-attacks-last-year" data-original-url="/security/security/29614/ncsc-uk-hit-by-590-significant-cyber-attacks-last-year">NCSC: UK hit by 590 "significant" cyber attacks last year</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/malware/28076/what-is-malware" data-original-url="/malware/28076/what-is-malware">What is malware?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/cyber-crime/30831/crypto-jacking-cyber-attacks-up-by-8500-says-symantec" data-original-url="/cyber-crime/30831/crypto-jacking-cyber-attacks-up-by-8500-says-symantec">'Crypto jacking' cyber attacks up by 8,500%, says Symantec</a></p></div></div><p>Also out today was Malwarebytes' <a href="https://blog.malwarebytes.com/malwarebytes-news/2018/04/labs-ctnt-report-shows-shift-in-threat-landscape-to-cryptomining" target="_blank">quarterly cybercrime report</a>, which outlined that while ransomware detections were up 28% between January and March 2018, it was only the sixth-highest detected threat with the overall volume remaining low - in contrast with the prominence placed on ransomware by the Verizon and NCSC reports, the latter of which highlighted <a href="https://www.itpro.com/security/28648/nhs-ransomware-attack" target="_blank" data-original-url="https://www.itpro.com/security/28648/nhs-ransomware-attack">the WannaCry attack</a> as a high-profile example. Among consumers, ransomware detections actually declined 35%, according to Malwarebytes.</p><p>Malwarebytes' report said: "If you look at business detections after January, it looks like all malware activity has dropped off the side of a cliff. Spyware and riskware tools plummeted, though spyware retained the top spot by the hair of its chin."</p><p><strong>Cryptomining</strong></p><p>Among consumers, adware remains the key threat, while cryptomining saw a dramatic increase among business users - with incidents rising a staggering 4,000%, according to Malwarebytes.</p><p>The NCSC also identified the growing threat, writing: "We assume the majority of cryptojacking is carried out by cyber criminals, but website owners have also targeted visitors to their website and used the processing power of visitors' CPUs, without their knowledge or consent, to mine cryptocurrency for their own financial gain."</p><p>Bitcoin-mining hackers <a href="https://www.itpro.com/digital-currency/30511/bitcoin-mining-hackers-hit-government-websites" target="_blank" data-original-url="https://www.itpro.com/digital-currency/30511/bitcoin-mining-hackers-hit-government-websites">hit thousands of government websites</a>, including the Student Loans Company and other UK government bodies, it was revealed in March.</p><p><strong>Phishing</strong></p><p>Verizon found that phishing attacks remain a huge attack vector, and combined with financial pretexting, phishing tactics played a part in more than 90% of all breaches investigated last year. In fact, Verizon's report found that businesses are three times more likely to be compromised by a social engineering attack like phishing than by a technical vulnerability in their security.</p><p>Neal stated that businesses should be doing more to protect themselves, given that the same attack patterns and trends keep recurring, but noted that the area is a complex one.</p><p>"I don't think there's one answer," he said. "Better training has probably got to be point number one, because ultimately it's humans, and that goes to executives who are going to be particularly targeted. I think there is an opportunity to look at better email scanning, better policy enforcement, and there's also a number of technologies out there that can be implemented."</p><p>The NCSC highlighted business email compromise (BEC) as a form of phishing attack targeting senior business executives, where hackers <a href="https://www.itpro.com/security/29875/art-galleries-defrauded-by-simple-email-scam" target="_blank" data-original-url="https://www.itpro.com/security/29875/art-galleries-defrauded-by-simple-email-scam">impersonate business leaders</a> in an attempt to trick customers, vendors or staff to transfer funds and sensitive information.</p><p>"BEC scams are a serious threat to organisations of all sizes and across all sectors, including non-profit organisations and government. It represents one of the fastest growing, lowest cost, highest return cyber crime operations," the report said.</p><p><em>Image: Bigstock</em></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kaspersky: North Korea framed for Winter Olympics malware ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/hacking/30510/kaspersky-north-korea-framed-for-winter-olympics-malware</link>
                                                                            <description>
                            <![CDATA[ Source code analysis reveals similar tactics used by Russian-speaking Sofacy group ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">wsBshQzjhEBydLi4vwjcb1</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/8aWAGrk5RAQ26ox47tW7QN-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 09 Mar 2018 10:30:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Dale Walker ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/YhUVp3rWtcZPM5XznPeTmX.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/8aWAGrk5RAQ26ox47tW7QN-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/8aWAGrk5RAQ26ox47tW7QN-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Research into the hack attack against the computer network at the 2018 Winter Olympics has revealed the malware source code was deliberately forged to make it appear as if North Korea was behind the attack.</p><p>Olympic officials confirmed at the end of February that days before the opening ceremony in Pyeongchang, South Korea, a devastating malware attack had paralysed the event's IT infrastructure.</p><p>The cyber attack, which knocked display monitors, WiFi networks, and the Winter Olympics official website offline, was almost immediately attributed to groups in North Korea, Russia, and China given a number of similarities between the malware and other attacks.</p><p>However, an <a href="https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295" target="_blank">investigation by Kaspersky</a> found evidence of source code that looked identical to the style deployed by the Lazarus Group, a notorious hacking collective with ties to North Korea and named responsible for the hack on Sony Pictures in 2014.</p><p>According to the report, the analysed code resulted in a "100% match with previously known Lazarus malware components and zero overlap with any other clean or malicious file known to date to Kaspersky Lab". A number of inconsistencies with the attack, including motivations and tactics normally associated with Lazarus, prompted further investigations into the code, revealing that it had in fact been forged to look like the North Korean group was responsible.</p><p>"To our knowledge, the evidence we were able to find was not previously used for attribution. Yet the attackers decided to use it, predicting that someone would find it," said Vitaly Kamluk, head of APAC research team at Kaspersky. "They counted on the fact that forgery of this artefact is very hard to prove."</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/28648/nhs-ransomware-attack" data-original-url="/security/28648/nhs-ransomware-attack">NHS ransomware: UK government says it's North Korea's fault WannaCry happened</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/cyber-warfare/30456/will-trump-go-nuclear-over-cyber-warfare" data-original-url="/cyber-warfare/30456/will-trump-go-nuclear-over-cyber-warfare">Will Trump go nuclear over cyber warfare?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/digital-currency/30217/is-north-korea-hacking-computers-to-mine-cryptocurrency" data-original-url="/digital-currency/30217/is-north-korea-hacking-computers-to-mine-cryptocurrency">Is North Korea hacking computers to mine cryptocurrency?</a></p></div></div><p>"It's as if a criminal had stolen someone else' DNA and left it at a crime scene instead of their own. We discovered and proved that the DNA found on the crime scene was dropped there on purpose. We've always said that attribution in cyberspace is very hard as lots of things can be faked, and Olympic Destroyer is a pretty precise illustration of this."</p><p>While Kaspersky is unable to say exactly who was behind the Olympic Destroyer malware, it did find that the attackers used NordVPN and a hosting provider called MonoVM to mask their activities, both of which have been previously used by the Russian-speaking Sofacy hacking group.</p><p>That would seem to corroborate claims by two anonymous US intelligence sources that claimed the attack originated from Russia, and was made in retaliation against a decision by the Olympic Committee to ban Russian athletes for doping violations.</p><p>Yet Kaspersky also suggests the motivations of the hackers are unclear, as it's believed they had admin access to the IT systems and could have devastated Olympic infrastructure as a result, but chose only to do "light" damage by wiping backups and rebooting systems.</p><p>The most likely purpose of the attack was to test the malware's ability to fool security researchers in a real-life setting, the results from which will be used to create the perfect "false flags" for future attacks, according to Kaspersky.</p><p><strong>26/02/2018: Russian spies 'hacked systems at the 2018 Winter Olympics'</strong></p><p>Russian spies hacked into the systems used by authorities at the 2018 Winter Olympics in South Korea, US intelligence sources have claimed.</p><p>The military spies reportedly attempted to breach several hundred computers during the global event, and tried to make it look like North Korea did the hacking, something that is known in the security industry as a "false-flag" operation.</p><p>While officials in PyeongChang, where the Olympics was held, acknowledged that the Games were hit by a cyber attack during the opening ceremony on 9 February, they refused to confirm who was responsible. The disruption, which saw broadcast systems and the Olympics website hit, made it difficult for many attendees to print their tickets for the ceremony, and thus resulted in many empty seats during the event.</p><p>Now two anonymous US intelligence sources have told <em><a href="https://www.washingtonpost.com/world/national-security/russian-spies-hacked-the-olympics-and-tried-to-make-it-look-like-north-korea-did-it-us-officials-say/2018/02/24/44b5468e-18f2-11e8-92c9-376b4fe57ff7_story.html?utm_term=.4fa9fe493d3b" target="_blank">The Washington Post</a> </em>that the attack came from Russia, believing it was in retaliation against the International Olympic Committee's banning of the Russian team due to doping violations.</p><p>This also meant that no Russian Olympic federation officials were allowed to attend the event, and while some athletes were permitted to compete under the designation "Olympic Athletes from Russia", they were unable to display the Russian flag on their uniforms and, if they won medals, their country's anthem would not be played.</p><p>Before the end of the event on Sunday, some US officials claimed they were concerned the Russians may try and disrupt the closing ceremonies, they told the <em>Post</em>.</p><p>"We're watching it pretty closely," one said. "It's essentially a Korean problem," the official added. "We will help the Koreans as requested."</p><p><strong>12/02/2018: Hackers hit 2018 Winter Olympics opening ceremony</strong></p><p>A cyber attack disrupted the opening ceremony of the 2018 Winter Olympics on Friday, organisers have revealed.</p><p>TV and web broadcasting services were affected in the attack on the Games - hosted in Pyeongchang, South Korea - but officials said that no vital infrastructure had been damaged.</p><p>A spokesman for the committee behind the Pyeongchang Games told press on Sunday that "all issues were resolved and recovered yesterday morning".</p><p>The International Olympic Committee re-affirmed the integrity of the Games' electronic systems but said little beyond that, declining to reveal the source of the attack.</p><p>"We are not going to comment on the issue. It is one we are dealing with. We are making sure our systems are secure and they are secure," IOC spokesman Mark Adams told <a href="https://www.reuters.com/article/us-olympics-2018-cyber/games-organizers-confirm-cyber-attack-wont-reveal-source-idUSKBN1FV036" target="_blank"><em>Reuters</em></a>, adding that "maintaining secure operations is our purpose".</p><p>In the wake of Winter Olympics hack, some have pointed to North Korea's long-standing conflict with its South Korean neighbours, as well as the list of cyber attacks the country is suspected of orchestrating, such as <a href="https://www.itpro.com/security/28648/nhs-ransomware-attack" target="_blank" data-original-url="https://www.itpro.com/security/28648/nhs-ransomware-attack">the WannaCry ransomware attack last May</a>.</p><p>Others, however, have disputed this interpretation, citing the fact that North Korea is represented at the games, and the two nations marched together at the opening ceremony for the first time in over a decade.</p><p>Instead, Russia has been fingered as a potential culprit by some experts, citing the fact that the country has been banned from competing in the Games over doping scandals as a potential motive.</p><p>Russia's foreign ministry stated prior to the opening ceremony that any media allegations suggesting Russia would be behind any attacks on the Games would be false. The IOC has also advised Pyeongchang organisers not to reveal the source of the hack, with spokesman Mark Adams stating that "best international practice says that you don't talk about an attack".</p><p>Regardless of who is behind the attacks, security experts do not expect them to stop while the Games are underway.</p><p>"It is clear attacks are ongoing and are likely to continue throughout the duration of the games," said McAfee senior analyst Ryan Sherstobitoff. "What is yet to be determined is if actors are working simply to gain disruption or if their motives are greater."</p><p><em>Picture: Shutterstock</em></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 'Dark Caracal' operation blamed for the hacking of thousands of victims in 21 countries ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/spyware/30340/dark-caracal-operation-blamed-for-the-hacking-of-thousands-of-victims-in-21-countries</link>
                                                                            <description>
                            <![CDATA[ The operation stole data from military personnel, government officials and medical practitioners among others ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">5Uequ9VTYTqsZ8SmZzaW2R</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Hnbx3GZEFMNqcZpjdrvT8P-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 22 Jan 2018 10:37:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Edward Munn ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Hnbx3GZEFMNqcZpjdrvT8P-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Hnbx3GZEFMNqcZpjdrvT8P-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A hacking operation that has been dubbed 'Dark Caracal' is responsible for stealing private data from thousands of individuals and businesses from more than 21 different countries starting in 2012, according to research by Lookout and Electronic Frontier Foundation (EFF) released last week.</p><p>A joint report from the organisations revealed that the spying operation has targeted a range of different platforms but focused on mobile devices, using Android malware called Pallas to steal hundreds of gigabytes of data.</p><p>In order to gain access to victims devices, the hackers used phishing techniques to install 'trojanised' versions of messaging apps such as WhatsApp and Signal. Once installed, the Android malware can be used to collect a range of sensitive information including call logs, photos, messages, audio recordings, location data and more.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/malware/30294/google-play-store-malware-targets-porn-ads-at-millions-of-kids" data-original-url="/malware/30294/google-play-store-malware-targets-porn-ads-at-millions-of-kids">Google Play Store malware targets porn ads at millions of kids</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/spyware/30001/what-is-spyware" data-original-url="/spyware/30001/what-is-spyware">What is spyware?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/27568/how-to-beat-ransomware-1" data-original-url="/security/27568/how-to-beat-ransomware-1">How to beat ransomware</a></p></div></div><p>The professions of victims duped by the operation are incredibly wide-ranging.</p><p>"Thus far, we have identified members of the military, government officials, medical practitioners, education professionals, academics, civilians from numerous other fields, and commercial enterprises as targets," the report explained.</p><h3 class="article-body__section" id="section-what-is-dark-caracal"><span>What is Dark Caracal?</span></h3><p>Dark Caracal is described in the report as having "nation-state level advanced persistent threat (APT) capabilities", but the researchers stop short of explicitly saying it's a state-sponsored operation. However, they do reveal they believe the operation to be run from a Lebanese government building in Beirut, more specifically the headquarters of the General Directorate of General Security.</p><p>It's this revelation, along with the the fact many of the operation's different spying campaigns were deemed "seemingly unrelated" by researchers, that suggests Dark Caracal might be a type of government spyware 'for hire', carrying out spying jobs on behalf of a variety of clients.</p><p>"We believe the actors would use Pallas against any target a nation state would otherwise attack, including governments, militaries, utilities, financial institutions, manufacturing companies, and defense contractors," a <a href="https://blog.lookout.com/dark-caracal-mobile-apt" target="_blank">blog post</a> on Lookout's website explains.</p><p>EFF and Lookout began investigating Dark Caracal after EFF released its <a href="https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf" target="_blank">Operation Manul report</a>, which shed light on another spying operation aimed at "journalists, activists, lawyers, and dissidents" who had spoken out against President Nursultan Nazarbayev's regime in Kazakhstan. The researchers spotted that Dark Caracal uses the same "infrastructure" and software as Manul, despite not sharing any of the same targets, bolstering the case that the operation might now have extended to a kind of cybercrime service.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kaspersky uncovers 'world's most powerful' Android spyware tool, Skygofree ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/spyware/30305/kaspersky-uncovers-worlds-most-powerful-android-spyware-tool-skygofree</link>
                                                                            <description>
                            <![CDATA[ The spyware steals WhatsApp messages and your passwords ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">kEjS19gaZtFPKiYC8UaA3</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/4x8LJKuPeaTUDqefPN5aAD-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 17 Jan 2018 12:11:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Mobile Phones]]></category>
                                                    <category><![CDATA[Hardware]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lee Bell ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/4x8LJKuPeaTUDqefPN5aAD-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Toy horse on a digital screen to symbolise the attack of the Trojan virus]]></media:description>                                                            <media:text><![CDATA[Toy horse on a digital screen to symbolise the attack of the Trojan virus]]></media:text>
                                <media:title type="plain"><![CDATA[Toy horse on a digital screen to symbolise the attack of the Trojan virus]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/4x8LJKuPeaTUDqefPN5aAD-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/technology/blockchain" target="_blank" data-original-url="https://www.itpro.com/antivirus/28647/USKasperskyBan">Kaspersky</a><a href="https://www.itpro.com/technology/blockchain" target="_blank" data-original-url="https://www.itpro.com/antivirus/28647/USKasperskyBan">Lab</a><a href="https://www.itpro.com/technology/blockchain" target="_blank" data-original-url="https://www.itpro.com/antivirus/28647/USKasperskyBan"> has uncovered a new security vulnerability affecting Android devices, claiming it's one of the world's most powerful Android spyware tools.</a></p><p>Named 'Skygofree', the threat apparently enables attackers to hack into Android smartphones and tablets and extract WhatsApp messages from victims' devices.</p><p>"The malware can also monitor popular apps such as Facebook Messenger, Skype, Viber, and WhatsApp," Kaspersky'sAnna Markovskaya revealed in a <a href="https://www.kaspersky.com/blog/skygofree-smart-trojan/20717" target="_blank">blog post</a>. "In the latter case, the developers again showed savvy; the Trojan reads WhatsApp messages through Accessibility Services."</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/spyware/30001/what-is-spyware" data-original-url="/spyware/30001/what-is-spyware">What is spyware?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/malware/30294/google-play-store-malware-targets-porn-ads-at-millions-of-kids" data-original-url="/malware/30294/google-play-store-malware-targets-porn-ads-at-millions-of-kids">Google Play Store malware targets porn ads at millions of kids</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/android/28189/how-to-build-android-apps" data-original-url="/android/28189/how-to-build-android-apps">How to build Android apps</a></p></div></div><p>The tool is not a new one, either. While it was only recently discovered, the Russian security giant says it dates back as far as 2014.</p><p>Warning of the dangers of the spyware tool,Markovskaya explained that Skygofree can not only take audio from a smartphone's microphone when it's in a certain location, but also force infected devices to surreptitiously connect to a Wi-Fi network and gather even more personal data. This, the firm said, lets it collect and analyse a victim's web traffic, meaning someone somewhere will know exactly what sites they looked at and what logins, passwords, and card numbers they entered.</p><p>"The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for the targeted application to be launched and then parses all nodes to find text messages,"Markovskaya said.</p><p>"Essentially, Accessibility Services provide[s] a nice route into other applications as they have permission to do so, via an application programming interface (API)."</p><p>In a seperate <a href="https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603" target="_blank">SecureList blog, Kaspersky security experts</a> concluded thatSkygofree is "one of the most powerful spyware tools that we have ever seen for this platform". Nevertheless, the teamsaid it has only logged a few infections of the tool, and those have all been in Italy. While that doesn't sound very scary unless you live in Italy, the firm said that this doesn't mean that users in other countries can let their guard down, as malware distributors can change their target audience at any moment.</p><p>Kaspersky'sMarkovskaya issued three ways users can protect themselves against this advanced Trojan, just like any other infection.</p><p>The first is by only installing apps only from official stores and disabling installation of apps from third-party sources, which you can do in your smartphone settings.</p><p>The second is by not downloading an app if you're in any doubt whatsoever.</p><p>"Pay attention to misspelled app names, small numbers of downloads, or dubious requests for permissions any of these things should raise flags,"Markovskaya also warned.</p><p>Finally, she advised that users should install a reliable security solution in order to protect your device from most malicious apps and files, suspicious websites, and dangerous links.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Lenovo banned from installing bloatware on its laptops after Superfish ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/desktop-hardware/29396/lenovo-settles-superfish-spyware-lawsuit-for-35m</link>
                                                                            <description>
                            <![CDATA[ Lenovo also agrees to FTC security audits, on top of a $3.5 million fine ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">hWK7Lam8k1VfwJSFwehjUj</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/766X3iM4DppaitSkdCPd9C-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 03 Jan 2018 09:54:00 +0000</pubDate>                                                                                                                                <updated>Wed, 19 Apr 2023 10:14:01 +0000</updated>
                                                                                                                                            <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Dale Walker ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/YhUVp3rWtcZPM5XznPeTmX.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/766X3iM4DppaitSkdCPd9C-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/766X3iM4DppaitSkdCPd9C-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Lenovo cannot install any bloatware on its laptops without customers' express agreement, under the terms of its settlement with the Federal Trade Commission (FTC) over the Superfish scandal.</p><p>On top of a $3.5 million fine that the company agreed to pay in September, Lenovo will now be required to obtain express consent from consumers before any preinstalled software is able to run on a laptop, as well as provide an easy means of uninstalling any Lenovo tools.</p><p>The <a href="https://www.ftc.gov/news-events/press-releases/2018/01/ftc-gives-final-approval-lenovo-settlement" target="_blank">decision, announced yesterday</a>, concludes the FTC's long-running complaint against the company, which stated that Lenovo compromised security in order to deliver targeted advertising to its customers.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/28656/ftc-cracks-down-on-tech-support-scams" data-original-url="/security/28656/ftc-cracks-down-on-tech-support-scams">FTC cracks down on tech support scams</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/malware/24107/lenovo-cto-to-create-concrete-superfish-attack-plan" data-original-url="/malware/24107/lenovo-cto-to-create-concrete-superfish-attack-plan">Lenovo CTO to create “concrete" Superfish attack plan</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/malware/24138/lenovo-vows-to-cut-bloatware-after-superfish" data-original-url="/malware/24138/lenovo-vows-to-cut-bloatware-after-superfish">Lenovo vows to cut bloatware after Superfish</a></p></div></div><p>The company has also agreed to open itself up to regular third party auditing over the next 20 years, part of which will involve the creation of a "comprehensive software security program" that will identify risks to applications, and protect information collected on customers.</p><p>In the original complaint against Lenovo, the FTC charged that "beginning in August 2014 Lenovo began selling consumer laptops in the United States that came with a pre-installed advertising software program called VisualDiscovery that interfered with how a user's browser interacted with websites and created serious security vulnerabilities".</p><p>It was found that the VisualDiscovery was a modified version of the Superfish adware, a tool that allowed web pages to deliver targeted advertising to users when their mouse hovered over links. The tool was installed on hundreds of thousands of Lenovo machines and advertised as a search assistant to help users find similar products to those shown on screen.</p><p>However, VisualDiscovery was found to not only collect vast quantities of user data, such as logins, payment information and social security numbers, but also contained a major security risk that allowed hackers to access the encrypted data sent over the internet.</p><p>Following FTC intervention in 2014, 32 US states issued lawsuits against the company that alleged the software violated the regulator's provisions that block misleading practices, prompting Lenovo to pull VisualDiscovery from future machines.</p><p>A Lenovo spokesman told <em>IT Pro</em>: "Lenovo has been informed that the FTC has given final approval to the settlement announced in September which now brings this matter to a close."</p><p><strong>06/09/2017: Lenovo settles Superfish spyware lawsuit for $3.5m</strong></p><p>Lenovo has agreed to settle the Superfish spyware case with the Federal Trade Commission (FTC) and 32 states for $3.5 million.</p><p>Lenovo preloaded the bloatware on some of its consumer notebooks which delivered ads to users and risked compromising their security, according to the <a href="https://www.ftc.gov/news-events/press-releases/2017/09/lenovo-settles-ftc-charges-it-harmed-consumers-preinstalled" target="_blank">FTC</a>'s charges. The Superfish adware was installed on hundreds of thousands of laptops and potentially allowed hackers to access users' encrypted data when it loaded visual search results into users' browsers, security experts warned <a href="https://www.itpro.com/malware/24138/lenovo-vows-to-cut-bloatware-after-superfish" target="_blank" data-original-url="https://www.itpro.com/malware/24138/lenovo-vows-to-cut-bloatware-after-superfish">back in 2015</a>.</p><p>As part of the settlement, Lenovo must not misrepresent preloaded software on its laptops which transmit sensitive data to third-parties, or force users to look at advertising. Instead, it will need user consent before installing this type of software and must also implement a software security program for consumer software on its laptops for the next 20 years.</p><p>Lenovo began selling its laptops in August 2014 preloaded with software called VisualDiscovery, which interfered with user's browsers and "created serious security vulnerabilities", the FTC said.</p><p>Acting FTC chairman Maureen Ohlhausen said: "Lenovo compromised consumers' privacy when it preloaded software that could access consumers' sensitive information without adequate notice or consent to its use. This conduct is even more serious because the software compromised online security protections that consumers rely on."</p><p>Lenovo said it stopped preloading VisualDiscovery into its laptops once it learnt of the issues, and tried to remove the software from existing PCs.</p><p>It added: "To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user's communications. Subsequent to this incident, Lenovo introduced both a policy to limit the amount of pre-installed software it loads on its PCs, and comprehensive security and privacy review processes, actions which are largely consistent with the actions we agreed to take in the settlements announced today."</p><p>Superfish inadvertently enabled a "man-in-the-middle" technique, where VisualDiscovery was able to access all of a user's personal information sent over the internet, such as their login details, social security numbers, and even payment information.</p><p>VisualDiscovery replaced a website's digital certificate with its own to impersonate SSL-enabled websites, which meant consumers were not warned before they visited potentially malicious websites with invalid digital certificates. This was because the spyware did not verify if a certificate was valid before it replaced it. This would allow hackers to monitor users' every action online, including bank and email activity.</p><p>The FTC has previously <a href="https://www.itpro.com/security/28656/ftc-cracks-down-on-tech-support-scams" target="_blank" data-original-url="https://www.itpro.com/security/28656/ftc-cracks-down-on-tech-support-scams">cracked down on tech support scams that fool users into thinking their computers are infected</a> and charge them money for "fixing" them. It took action against four more companies and their subsidiaries in May, and worked with tech companies such as Apple and Microsoft to prevent the scams and take action against criminals.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Keylogger discovered in hundreds of HP laptops ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/spyware/30129/keylogger-discovered-in-hundreds-of-hp-laptops</link>
                                                                            <description>
                            <![CDATA[ HP patches touchpad driver, but hackers could exploit flaw to spy on users ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">mbgFmhkM5mEWpcvg4Ff5PT</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Wg5AScyfVfbDYaiL9foTQL-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 11 Dec 2017 15:14:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Breaches]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Joe Curtis ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Wg5AScyfVfbDYaiL9foTQL-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Wg5AScyfVfbDYaiL9foTQL-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>More than 450 HP laptop models have a keylogger hidden away in a driver, forcing HP to issue patches for the affected devices.</p><p>The keylogger, found in Synaptics' touchpad software, is disabled by default, but hackers could potentially enable it if they had access to a computer by elevating user privileges, <a href="https://zwclose.github.io/HP-keylogger" target="_blank">said Michael Myng</a>, the researcher who discovered the flaw.</p><p>Commericial workstations, consumer laptops and other HP products contain the flaw, including <a href="https://www.itpro.com/laptops/28986/hp-spectre-x360-review-redesigned-redefined-and-powerful" target="_blank" data-original-url="https://www.itpro.com/laptops/28986/hp-spectre-x360-review-redesigned-redefined-and-powerful">Spectre devices</a>, Pavilion devices, <a href="https://www.itpro.com/desktop-replacements/26665/hp-zbook-15u-g3-review" target="_blank" data-original-url="https://www.itpro.com/desktop-replacements/26665/hp-zbook-15u-g3-review">ZBooks</a> and others.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/laptops/28986/hp-spectre-x360-review-redesigned-redefined-and-powerful" data-original-url="/laptops/28986/hp-spectre-x360-review-redesigned-redefined-and-powerful">HP Spectre x360 review: Redesigned, redefined and powerful</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/laptops/23742/best-laptops" data-original-url="/laptops/23742/best-laptops">Best business laptops 2023: Top business notebooks from Acer, Asus, Dell, Apple and more</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/chief-executive-officer-ceo/30008/meg-whitman-calls-it-a-day-as-hpe-ceo" data-original-url="/chief-executive-officer-ceo/30008/meg-whitman-calls-it-a-day-as-hpe-ceo">Meg Whitman calls it a day as HPE CEO</a></p></div></div><p>"A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impacts all Synaptics OEM partners," an HP statement on its <a href="https://support.hp.com/us-en/document/c05827409" target="_blank">security bulletin</a> read.</p><p>"A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue."</p><p>Myng discovered the issue when trying to control the backlighting of an HP keyboard, noticing a format string for a keylogger when looking through the keyboard driver. Unable to find an HP laptop to test his findings, he contacted HP directly.</p><p>"They replied terrificly [sic] fast, confirmed the presence of the keylogger (which actually was a debug trace) and released an update that removes the trace," he said.</p><p>HP claims the keylogger in Synaptics' touchpad was created to debug errors. If activated however, a hacker could track every letter a laptop user typed.</p><p>Worth updating with a quick line - they say sorry and working on updating drivers with a patch, don't give people admin access in the meantime</p><p>A Synaptics spokesperson apologised for the error and advised users to change their admin settings to prevent anyone taking advantage of the flaw before it's fixed.</p><p>"Synaptics is working closely with our PC customers to update drivers and to deploy them to address security concerns," they said. "Synaptics also recommends using best practices by restricting admin access to any system as anyone with this level of access can potentially install malware or other anti-privacy software irrespective of whether the debug tool is on or off."</p><p>They added: "In our new normal of heightened concern for security and privacy, Synaptics would like to apologise for any concerns that our debug tool may have raised. We have a path to immediately address this issue and other security concerns should they arise."</p><p>A keylogger was also discovered in Synaptics subsidiary Conexant's audio drivers, also installed in HP laptops, <a href="https://community.spiceworks.com/topic/1993834-keylogger-in-hp-audio-driver" target="_blank">back in May</a>.</p><p>An HP spokesperson said: "HP was advised of an issue that exists with Synaptics' touchpad drivers that impacts all Synaptics OEM partners. HP uses Synaptics' touchpads in some of its mobile PCs and has worked with Synaptics to provide fixes to their error for impacted HP systems, available in the <a href="https://support.hp.com/us-en/document/c05827409" target="_blank">security bulletin</a> on HP.com. HP has no access to customer data as a result of this issue."</p><p><em>Picture: HP Spectre x360/Credit: IT Pro</em></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ UK cops to lose access to Europol's cyber crime resources after Brexit ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cyber-crime/30078/uk-cops-to-lose-access-to-europols-cyber-crime-resources-after-brexit</link>
                                                                            <description>
                            <![CDATA[ Cyber cops will be on their own once Britain leaves the EU ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">koPexyyK1ckxmVxdmNo1fh</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/eGyhQiwwKhMn5Tkp7HvcT5-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 01 Dec 2017 10:01:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Breaches]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Adam Shepherd ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/3n2BoLAtRj8Z5eRfxtwyK8.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/eGyhQiwwKhMn5Tkp7HvcT5-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Police lamp]]></media:description>                                                            <media:text><![CDATA[Police lamp]]></media:text>
                                <media:title type="plain"><![CDATA[Police lamp]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/eGyhQiwwKhMn5Tkp7HvcT5-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The UK is set to lose access to the European Cybercrime Centre, after it was revealed the country will no longer be a member of Europol following its departure from the European Union in 2019.</p><p>The European Cybercrime Centre - also known as EC3 - was set up by the cross-border law enforcement group to provide support for EU police forces in tackling cyber crime. EC3 assists national police with intelligence, digital forensics and strategy support, collaborating on cases involving technological elements.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/policy-legislation/30075/uk-police-to-lose-data-snooping-powers" data-original-url="/policy-legislation/30075/uk-police-to-lose-data-snooping-powers">UK police to lose data snooping powers</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/27563/how-to-get-ready-for-gdpr-2018-data-protection-changes" data-original-url="/security/27563/how-to-get-ready-for-gdpr-2018-data-protection-changes">GDPR preparation: 2018 data protection changes</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/endpoint-security/30038/three-key-pillars-of-threat-visibility" data-original-url="/endpoint-security/30038/three-key-pillars-of-threat-visibility">Three key pillars of threat visibility</a></p></div></div><p>Cyber security experts have expressed dismay at the news. "This is hugely disappointing," McAfee's chief scientist Raj Samani told <em>IT Pro</em>. "Europol have a proven record of success and one would hope a degree of compromise can be reached since the safety of all citizens across the globe is our joint mission."</p><p>The government had stated earlier this year that it wished to continue its relationship with Europol following Brexit, but the EU's top negotiator Michel Barnier said that access to Europol would not be possible once the UK leaves the EU, stating that it was a "logical consequence".</p><p>Losing access to EC3 will mean that UK police units fighting cyber crime will no longer benefit from intelligence-sharing between EU member states, as well as from the extensive support network offered by Europol's cyber specialists.</p><p>"Since before the referendum, the NCA and its partners in policing and wider law enforcement have clearly stated our need to work closely and at speed with European countries to keep people in the UK safe from threats including organised crime, child sexual abuse, cyber attack, and terrorism," a spokesman for the UK's National Crime Agency told <em>IT Pro</em>.</p><p>"We are confident that these requirements are being taken into account, and that there is broad consensus on the need to retain our ability to share intelligence, biometrics and other data at speed. It is also vital to ensure we can continue to provide a quick, efficient and dynamic response to crime and criminals impacting the UK and its citizens, be it from serious and organised transnational crime or local level volume crime at the heart of UK communities."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Intel security flaws put laptops, servers and storage at risk of hacking ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/29999/intel-security-flaws-put-laptops-servers-and-storage-at-risk-of-hacking</link>
                                                                            <description>
                            <![CDATA[ Bugs in Intel's firmware allow remote code execution, data exfiltration and more ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">kRwk6KY5BgaMKyNCqG5QYm</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/5gqY8SrxuaYmFASk2m2AWV-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 21 Nov 2017 11:55:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Adam Shepherd ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/3n2BoLAtRj8Z5eRfxtwyK8.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/5gqY8SrxuaYmFASk2m2AWV-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Bug bounty]]></media:description>                                                            <media:text><![CDATA[Bug bounty]]></media:text>
                                <media:title type="plain"><![CDATA[Bug bounty]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/5gqY8SrxuaYmFASk2m2AWV-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Bugs in the underlying firmware of multiple Intel chip families have left laptops, servers and storage appliances vulnerable to a number of security vulnerabilities, the company has admitted.</p><p>The silicon giant has confirmed reports from third-party security researchers that flaws in its chips' management and administration functions could potentially allow hackers to execute code, exfiltrate confidential data and more.</p><p>Intel launched a full internal review of its source code after it was alerted to the issues, finding that bugs in affected systems could allow attackers to "load and execute arbitrary code outside the visibility of the user and operating system [and] cause a system crash or system instability".</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/data-breaches/29418/equifax-data-breach-cost-14-billion-so-far" data-original-url="/data-breaches/29418/equifax-data-breach-cost-14-billion-so-far">Equifax data breach: Ex-CIO to serve four months in prison for insider trading</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/29898/ex-estonian-president-other-countries-staying-silent-over-digital-id-flaws" data-original-url="/security/29898/ex-estonian-president-other-countries-staying-silent-over-digital-id-flaws">Ex-Estonian president: Other countries staying silent over digital ID flaws</a></p></div></div><p>The flaws affect a wide variety of chip families, including 6th, 7th and 8th Generation Intel Core processors, Intel Xeon E3-1200 v5 and v6 processors, Intel Xeon Scalable processors, Intel Xeon W processors, Intel Atom C3000 processors, Apollo Lake Intel Atom E3900 series, Apollo Lake Intel Pentiums, and Celeron N and J series processors.</p><p>This covers everything from laptops and 2-in-1s, all the way up to high-end servers and storage appliances. The company has released a free detection tool, which users and sysadmins can run to identify vulnerable machines. <em>IT Pro</em> has contacted Intel to try and determine the number of affected systems.</p><p>Three elements of Intel's firmware are vulnerable: the company's Management Engine (ME) Server Platform Services (SPS) and Trusted Execution Engine (TXE). The Management Engine runs underneath the OS, and is used by admins to remotely access a system for maintenance and management tasks. The Server Platform Services feature is based on the ME and offers similar features for server products, while the TXE deals with hardware authentication.</p><p>The ME allows anyone with the appropriate credentials to control desktops, make changes to the system's settings and configurations, and even reinstall the OS. This makes it a very useful tool for IT staff at large companies with multiple offices, but it also means it holds a huge amount of power that hackers could take control of.</p><p>Because it runs underneath the OS, the ME is invisible to any antivirus systems or hypervisors installed on the machine. Coupled with its highly-privileged status, this means that a compromised ME could be used to install malware, among other troubling things.</p><p>A <a href="https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr" target="_blank">security advisory</a> issued by Intel stated that 80% of the ten CVEs relating to the flaws are designated as high-severity, with buffer overflows and privilege escalations seen throughout.</p><p>"Based on the items identified through the comprehensive security review," the advisory read, "an attacker could gain unauthorized access to platform, Intel ME feature, and 3rd party secrets protected by the Intel Management Engine (ME), Intel Server Platform Service (SPS), or Intel Trusted Execution Engine (TXE)."</p><p>Intel has confirmed to IT Pro that patches are now available for affected systems, and the company advised that they should be installed as a matter of urgency.</p><p>"We worked with equipment manufacturers on firmware and software updates addressing these vulnerabilities," Intel said, "and these updates are available now. Businesses, systems administrators, and system owners using computers or devices that incorporate these Intel products should check with their equipment manufacturers or vendors for updates for their systems, and apply any applicable updates as soon as possible."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Firefox developer accuses Gamma International of passing off ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/19756/firefox-developer-accuses-gamma-international-passing</link>
                                                                            <description>
                            <![CDATA[ Mozilla issues cease and desist notice over passing off claims. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">n84n2NRhupxESiqMB7Vixd</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/DvtN5ktCSy6t33oebYPeW-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 03 May 2013 14:23:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Web Browsers]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Michael Toso ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/DvtN5ktCSy6t33oebYPeW-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Firefox]]></media:description>                                                            <media:text><![CDATA[Firefox]]></media:text>
                                <media:title type="plain"><![CDATA[Firefox]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/DvtN5ktCSy6t33oebYPeW-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Open source software vendor Mozilla has issued a cease and desist notice to Gamma International for producing spyware that allegedly passes itself off as its flagship web browser Firefox.</p><p>In a recent blog post, Alex Fowler, global privacy and public policy leader at Mozilla, stated: "We cannot abide a software company using our name to disguise online surveillance tools that can be and in several cases actually have been used by Gamma's customers to violate citizens' human rights and online privacy.</p><p>"As an open source project trusted by hundreds of millions of people around the world, defending Mozilla's trademarks from this type of abuse is vital to our brand, our users and the continued success of our mission," he added.</p><p>Spyware is a type of software that tracks and gathers information about users, generally without their consent or knowledge. </p><p>Beyond data collection, spyware can also make computers vulnerable to attacks by malware and other infections.</p><p>According to Mozilla, Gamma international's software tricks users into thinking they are using the legitimate Firefox program by misrepresenting itself as "Firefox.exe".</p><p>"Not only are these activities illegal, but we take them seriously because they are deceptive, harm users, cause consumer confusion, and jeopardise Mozilla's reputation," said Fowler.</p><p>However, Mozilla has also stressed that Gamma's Spyware is entirely separate from Firefox, and does not affect the browser itself.</p><p>Gamma International had not responded to IT Pro's request for comment at the time of writing.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ American state agencies accused of hacking French government PCs ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/644266/american-state-agencies-accused-of-hacking-french-government-pcs</link>
                                                                            <description>
                            <![CDATA[ Sources claim spyware attack in last days of Sarkozy presidency could only have come from the USA. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dN2QomopKEpPwd4Mtg8H3P</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/q5UuBahhAcxxNCFYDGKw8N-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 21 Nov 2012 16:41:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jane McCallion ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/q5UuBahhAcxxNCFYDGKw8N-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Secret]]></media:description>                                                            <media:text><![CDATA[Secret]]></media:text>
                                <media:title type="plain"><![CDATA[Secret]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/q5UuBahhAcxxNCFYDGKw8N-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The USA has been accused of hacking into the French government's computer network, in what has been called an "unprecedented cyber attack between allies."</p><p>The alleged attack took place on 6 May 2012, during the second round of the French presidential election, nine days before Nicolas Sarkozy lost out to Franois Hollande.</p><p>A second attack is also claimed to have been carried out on 15 May, the day Hollande took power.</p><p>French magazine <a href="http://lexpansion.lexpress.fr/high-tech/cyberguerre-comment-les-americains-ont-pirate-l-elysee_361225.html" target="blank"><em>L'Express</em> claims</a> the initial security breach occurred after one or more workers at the Elyse Palace clicked on a fake intranet link delivered to them via Facebook's messaging service.</p><p>Sources told the publication the hackers passed themselves off as friends of people working for the presidential palace, then invited them to connect to the Palace's intranet via a false link.</p><p>The attackers were then able to retrieve the user's log-in details and enter the governmental network "in complete confidence".</p><p>Using the stolen details, the hackers allegedly deployed a spyware Trojan similar to the Flame malware, which affected computers of the Iranian Oil Ministry.</p><p>Flame was jointly developed by the NSA, CIA and Israeli military, <a href="http://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html" target="blank">according to the <em>Washington Post</em></a>, and experts speaking to <em>L'Express</em> claim the attack on the Elyse could only have come from the US government.</p><p>The worm infected a handful of machines, however <em>L'Expresse</em> claims some of the people highest up in the Sarkozy government were among those affected, including secretary general Zavier Musca.</p><p>The president himself only escaped infection as he did not use a PC.</p><p>Mitchell Moss, spokesman for the American embassy in Paris, said in a statement: "We categorically refute the allegations ... [that] the government of the United States of America participated in a cyberattack against the French government. France is one of our closest allies."</p><p>The French government declined to comment.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Google engineer finds FinFisher spyware tracking political dissidents ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/642631/google-engineer-finds-finfisher-spyware-tracking-political-dissidents</link>
                                                                            <description>
                            <![CDATA[ Engineer and student discover spyware from UK company targeting political activists. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">93uCoNu3yVWf8zG5t9Qw6F</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/iwMkbEu3ihT5GY4JgMkAPA-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 03 Sep 2012 19:50:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/iwMkbEu3ihT5GY4JgMkAPA-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Spyware]]></media:description>                                                            <media:text><![CDATA[Spyware]]></media:text>
                                <media:title type="plain"><![CDATA[Spyware]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/iwMkbEu3ihT5GY4JgMkAPA-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Spyware developed and sold by a UK-based company has been used to snoop on dissidents in autocratic regimes, according to two security researchers.</p><p>The software, legitimately produced and sold by British firm Gamma International, has somehow managed to find its way into the hands of some of the most repressive governments in the world.</p><p>According to Google security researcher Morgan Marquis-Boire and Berkeley student Bill Marczak, the spyware was found in email attachments sent to several activists in Bahrain.</p><p>Their investigation found the spyware infected not just PCs but a range of devices running popular mobile operating systems, such as iOS, Android, RIM, Symbian, and Windows Phone 7.</p><p>The spyware boasts capabilities such as live surveillance via "silent calls" and location tracking. It also has the ability to track all forms of communication, including emails and voice calls as well as cameras and microphones.</p><p>A study carried out by University of Toronto Munk School of Global Affairs' Citizen Lab found an application that purports to be FinSpy, a piece of commercial spyware sold to countries for criminal investigations.</p><p>Gamma Group, the German parent of UK-based Gamma International, developed FinSpy. Gamma's managing director Martin Muench told <em>Bloomberg</em> that the company had no involvement whatsoever in selling the software to despotic regimes.</p><p>"We don't normally discuss our clients but given this unique situation it's only fair to say that Gamma has never sold their products to Bahrain," said Muench.</p><p>"It is unlikely that it was an installed system used by one of our clients but rather that a copy of an old FinSpy demo version was made during a presentation and that this copy was modified and then used elsewhere."</p><p>Muench said his company could not confirm that software analysed by Citizen Lab was Gamma's product. He added that a modification would have been made to the software as "no message sent to our server when the demo product was used against a real target."</p><p>Marquis-Boire and Marczak told the <em>New York Times</em> that they found a connection to Gamma in these code samples. The spyware running on Symbian phones uses a certificate issued to Cyan Engineering, a website registered in the name of Johnny Geds.</p><p>Muench confirmed that Gamma employs someone of that name in sales but declined to make further comment.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Firefox add-on spies on Google search results ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/614566/firefox-add-on-spies-on-google-search-results</link>
                                                                            <description>
                            <![CDATA[ Using a browser other than Internet Explorer and think you’re safe? Not any more it seems. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">sUj9PHNiwoqA2cUfvnh4KX</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/PQWnobWm2WKuy42V7KbeeF-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 01 Sep 2009 12:26:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Web Browsers]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Asavin Wattanajantra ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/PQWnobWm2WKuy42V7KbeeF-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/PQWnobWm2WKuy42V7KbeeF-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Security researchers have warned about the existence of new spyware that creates a <a href="https://www.itpro.com/614275/hackers-prefer-to-use-firefox-and-opera" target="_blank" data-original-url="https://www.itpro.com/614275/hackers-prefer-to-use-firefox-and-opera">Firefox</a> add-on, which can monitor users' search activities.</p><p>The spyware initially pretends to be an <a href="https://www.itpro.com/613459/multiple-adobe-security-holes-closed" target="_blank" data-original-url="https://www.itpro.com/613459/multiple-adobe-security-holes-closed">Adobe</a> Flash Player update and, when executed on a user's computer, creates a Firefox add-on called Adobe Flash Player 0.2'. It was said to appear through forum posts.</p><p>Trend Micro's Jonathan Leopando said in a <a href="http://blog.trendmicro.com/firefox-addo-spies-on-google-search-results" target="_blank">blog post</a> that it had a disturbing "capability to monitor the user's browsing activities, particularly his/her Google search queries using the Firefox browser. It then sends the information it gathers to http://{BLOCKED}jupdate.com."</p><p>The add-on could also inject advertisements into a Google search results page.</p><p>Leopando said malware had historically generally targeted <a href="https://www.itpro.com/610250/internet-explorer-8-review" target="_blank" data-original-url="https://www.itpro.com/610250/internet-explorer-8-review">Internet Explorer</a>, which is why many users opt forother browsers like Firefox, <a href="https://www.itpro.com/613846/chrome-os--lost-in-the-cloud" target="_blank" data-original-url="https://www.itpro.com/613846/chrome-os--lost-in-the-cloud">Chrome</a> and <a href="https://www.itpro.com/613879/apple-fixes-mac-os-x-and-safari-browser-flaws" target="_blank" data-original-url="https://www.itpro.com/613879/apple-fixes-mac-os-x-and-safari-browser-flaws">Safari</a>.</p><p>He said: "Though this used to be considered a safe computing practice before, it seems it no longer is with the proliferation of malware targeting the most popular alternative internet browser- Firefox."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Barclays gives customers free security software ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/604188/barclays-gives-customers-free-security-software</link>
                                                                            <description>
                            <![CDATA[ Deal with Kaspersky will see two million online banking users get access to free anti-virus and anti-spyware tools. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">aNNn1MnBwpjF6axvbRi8H2</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Y9joEAJjqqqqaiMoyCrgzm-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 01 Jul 2008 17:25:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Antivirus]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Asavin Wattanajantra ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Y9joEAJjqqqqaiMoyCrgzm-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Y9joEAJjqqqqaiMoyCrgzm-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="http://www.barclays.com" target="_blank">Barclays Bank</a> will offer free security software to all of its two million online customers.</p><p>It is the latest move by a high street bank to improve customer security that has seen banks issuing savers with security tokens and introducing multi-stage logins to online banking sites.</p><p>Barclays will be offering <a href="http://www.kaspersky.com" target="_blank">Kaspersky's</a> Internet Security Suite, which normally costs 51 for an annual subscription, as a free download from its online banking website. The suite features anti-virus software as well as spyware, adware, a firewall, parental controls and spam filters.</p><p>Barclays has signed a two year deal with Kaspersky. Customers will be able to install the software on three separate computers with each licence.</p><p>Barclays deployed a two-factor authentication system called PINsentry in 2007 which was aimed at protecting against phishing and fraudsters. One million PINsentry readers have already been sent out to customers according to the bank.</p><p>"For the last two years we have offered customers free anti-virus software, but as internet fraudsters become more sophisticated it is important that customers protect their computers from all threats and not just viruses," said Sean Glichrist, director of digital banking at Barclays.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ File sharing infects 500,000 computers ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/195672/file-sharing-infects-500000-computers</link>
                                                                            <description>
                            <![CDATA[ McAfee reveal details on what it calls the most significant malware outbreak since 2005, as peer-to-peer networks look under threat. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">69QZrksB8khssDk64ErfGC</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/2H5jntiXwxW3JruFTR5hjZ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 09 May 2008 12:18:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Asavin Wattanajantra ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/2H5jntiXwxW3JruFTR5hjZ-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/2H5jntiXwxW3JruFTR5hjZ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="http://www.mcafee.com" target="_blank">McAfee</a> has reported what it claims is the most significant malware outbreak in three years, with more than 500,000 detections of a Trojan horse which <a href="http://www.avertlabs.com/research/blog/index.php/2008/05/06/fake-mp3s-running-rampant" target="_blank">masquerades as a media file</a>.</p><p>A number of fake video and music files have been deliberately spread over peer-to-peer file sharing services like <a href="http://www.limewire.com" target="_blank">Limewire</a> and <a href="http://www.zeropaid.com/edonkey" target="_blank">eDonkey</a>. These were malicious MP3 and MPEG files triggering the download of an application which served ads to the infected computer.</p><p>"People were downloading these files hoping it was music, but it was a media file format that allowed you to link to another site where you downloaded additional files," said Toralv Dirro, security strategist at McAfee Avert Labs.</p><p>"Those files downloaded turned out to adware that in some cases even asked the user to accept an end user licence agreement prior to installing."</p><p>McAfee saw this as 'medium' risk, with no other malware receiving that risk rating since 2005 as all others were rated less severe.</p><p>The security vendor claimed that it was the most prevalent piece of malware in the last three years, and that it had never seen a threat this significant come as a media file.</p><p>The huge figure came from retail users that had the option to submit data on what viruses and adware was detected on their computer to McAfee and made publicly available.</p><p>Dirro said: "We are currently seeing that the distribution is still going on. It is now at about 580,000 where files have been detected, so people are continuing to download and share these files."</p><p>The strategist said that these only reported the incidents that were actually detected, and the real number of users and computers affected would be much higher.</p><p>He said that although the damage in this case was not too serious as it was only adware, it could have been much worse and what McAfee were now afraid of in the future was attackers with a more sinister agenda.</p><p>"They could try and copycat this attempt as they have seen it is a very successful way to distribute malware," Dirro said. "In the future we are pretty much expecting this distribution method a lot more."</p><p>Dirro said that instead of pointing to adware, it could lead users to spyware which would instead try to steal people's data. Instead of being a multimedia file it could take the form of a directly executable one.</p><p>"It has happened in the past, but not anywhere close to this scale," Dirro said of the peer-to-peer nature of the attack.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
            </channel>
</rss>