At a glance.
- Poisoned Tor browser harvests user data.
- Mexican government responds to Pegasus allegations.
- Getting to know Conti.
- Telstra discloses data breach.
Poisoned Tor browser harvests user data.
Researchers at cybersecurity firm Kaspersky discovered that a malicious version of the Tor Browser has been collecting sensitive data on Chinese users since as early as January of this year, CyberScoop reports. The browser was promoted in a video posted on a Chinese-language YouTube channel that boasts more than 180,000 subscribers, and the video has been viewed over 64,000 times. The campaign, dubbed “OnionPoison,” uses a link that directs victims to a version of Tor Browser bundled with a spyware library that collects sensitive data and sends it to an attacker-controlled server; the browser can also give attackers the ability to execute shell commands on victims’ devices. The stolen data included users’ browsing histories, form data, computer names and locations, usernames, and MAC addresses of network adapters. As Infosecurity Magazine notes, the attackers don’t seem to be interested in collecting users’ passwords or cryptocurrency wallets, which suggests their end goal may be more real-life than digital, perhaps using personal details to blackmail victims.
Isabela Fernandes, executive director of the nonprofit Tor Project, says her organization deployed a fix on Tuesday. “Basically this ‘poisoned’ Tor Browser modifies the update URL so it cannot be updated normally,” she explains. “What we did was to add a redirect so we are responding to the modified URL, this way people will update. Now their URL is a working update URL.” Though it’s unclear who’s behind the campaign, it’s clearly targeting Chinese users: the command-and-control server checks the client’s IP address and serves the malware only to Chinese IPs, which also means analysts outside China won’t see the malicious payload unless they connect from a Chinese address. As SC Media explains, the Tor Project’s website is blocked in China, so users often resort to third-party sites to download the browser, and a download from an unofficial source can’t be trusted unless its signature is verified against the Tor Project’s own signing key. The irony, of course, is that most users turn to Tor to preserve their anonymity, and in this case the poisoned browser does the opposite.
Mexican government responds to Pegasus allegations.
As we noted yesterday, the Citizen Lab report confirmed that Pegasus spyware was used to track the devices of journalists and a human rights defender in Mexico, and there is evidence indicating the Mexican government purchased the controversial surveillance tool. Reuters reports that Mexican President Andres Manuel Lopez Obrador yesterday responded to the allegations, denying that his administration had spied on the victims. When asked what he knew about the purchase of Pegasus, Lopez Obrador stated, "It's not true that journalists or opponents are spied on." The President, who pledged during his 2018 campaign that he would put an end to government spying, said the military had carried out intelligence work that did not amount to “spying,” and accused his opponents of using the Pegasus allegations to discredit his government. Mexico's Defense Ministry backed the President’s position, stating, "This Ministry… does not carry out intelligence activities, much less espionage of any kind, against sectors of the population such as human rights defenders, social activists and journalists.” The Guardian recounts that, when the revelations of the Pegasus Project first came to light last year, Mexico was found to be the first country in the world to buy Pegasus, and the phone numbers of some 15,000 Mexican individuals – including priests, victims of state-sponsored crimes, and children – were found in the database of numbers connected to alleged Pegasus victims.
Getting to know Conti.
Flashpoint offers a closer look at the infamous Conti ransomware gang, one of the most prolific threat groups in history. Conti gained significant notoriety this year when leaked private chats between Conti members, and a subsequent fracturing of the group, revealed internal divisions that could threaten the gang’s future. First observed around February 2020, Conti is led by Russia-based threat actors. In August of that year it launched a data leak site to publish confidential documents stolen during its attacks, and by the end of the year it had leaked the data of over one hundred fifty companies. It’s considered a ransomware-as-a-service (RaaS) operation, but it’s unusual in that, rather than paying the affiliates who deploy the ransomware a percentage of each ransom, it pays them a set wage. Notable victims include Japanese electronics manufacturer JVCKenwood, Ireland’s Health Service Executive, and the Costa Rican government, whose officials were forced to declare a national emergency in the wake of the attack.
Telstra discloses data breach.
Just two weeks after Optus, Australia’s second-largest telecom company, suffered a massive cyberattack, Telstra, the country’s largest telecom company, has disclosed that it was the victim of a “small” data breach. Telstra says an intrusion at a third-party organization exposed data on approximately 30,000 employees dating back to 2017, Reuters reports. The compromised information is limited to names and email addresses. “We believe it's been made available now in an attempt to profit from the Optus breach," a spokesperson explained, without offering concrete victim numbers or details about when the third-party breach occurred. Optus has been slammed for its lack of answers in the wake of its breach; let’s hope Telstra is more forthcoming.