Latest news with #BadPilot
WIRED
15-02-2025
- Politics
- WIRED
The Official DOGE Website Launch Was a Security Mess
Matt Burgess Andrew Couts Feb 15, 2025 6:30 AM Plus: Researchers find RedNote lacks basic security measures, surveillance ramps up around the US-Mexico border, and the UK ordering Apple to create an encryption backdoor comes under fire. Photograph: Kamran Jebreili/AP As the United States reels from the upheaval caused by Elon Musk's so-called Department of Government Efficiency (DOGE), hackers from countries the US considers hostile continue to wreak havoc from afar. New research shows that China's Salt Typhoon hacking group has expanded its targets list to include universities around the world and at least two more telecoms operating in the US. That brings the total number of US telecommunications networks breached by Salt Typhoon to at least 11. Russia's notorious Sandworm hacking unit may be best known for its attacks on Ukraine, including multiple blackouts caused by its cyberattacks and its release of the destructive NotPetya malware. However, a hacking group within Sandworm is now taking aim at targets in Western nations, including Australia, Canada, the UK, and the US, according to research released this week by Microsoft. The group, which Microsoft calls BadPilot, is known as an 'initial access operation,' breaching targets for the purpose of handing over access to those systems to other Sandworm hackers. Meanwhile, we dug into the slimy world of romance scammers who are making ill-gotten fortunes by capitalizing on the loneliness epidemic, and we dipped into the opaqueness of online advertising data that could pose a threat to US national security. Finally, we found that US funding cuts under the new Trump administration are hurting the organizations protecting children from exploitation, abuse, and human trafficking. And there's more. Each week, we round up the security and privacy news we didn't cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there. Elon Musk's DOGE finally started publishing some information about its activities on its threadbare website this week. But it wasn't the only entity publishing on the site. Two web developers, working independently, found that it is possible to push updates to the domain, which claims to be an official US government website. The website uses a database that can be edited by anyone online, the experts told 404Media. To demonstrate the insecurity, they left a couple of messages on the DOGE site: 'This is a joke of a .gov site,' one read, while the other says: 'THESE 'EXPERTS' LEFT THEIR DATABASE OPEN.' The messages stayed on the website for at least 12 hours and remained visible for some time on Friday. The DOGE website was launched in January and until this week was a single landing page containing very little information. The web experts who discovered the vulnerabilities told 404Media that the website appeared to have been 'slapped together.' The website only started being populated this week—with some figures purporting to show the size of the US government—after Musk promised his organization would be 'maximally transparent.' That transparency may have gone a step too far, however, with HuffPost reporting on Friday that the site included classified material. As well as being insecure, the DOGE website heavily leans on X, the social media platform owned by Musk. DOGE's homepage is a feed of its own X posts, but it also uses code that directs search engines to instead of a WIRED review of the site found. 'This isn't usually how things are handled, and it indicates that the X account is taking priority over the actual website itself,' one developer told WIRED. RedNote Security Flaws Come Into Focus Chinese TikTok alternative RedNote gained around 700,000 US users and courted American influencers when the ban on TikTok loomed in January. While many of those people may have only used RedNote for a few days, a new analysis from the University of Toronto's Citizen Lab has highlighted how a lack of encryption could have opened up US users to 'surveillance by any government or ISP [Internet Service Provider], and not just the Chinese government.' The analysis of RedNote found a host of network security issues in both its Android and iOS apps. RedNote fetched images and videos using HTTP connections, not the industry standard and encrypted HTTPS; some versions of the app contained a vulnerability that allows an attacker to have 'read' permissions on a phone; and it 'transmitted insufficiently encrypted device metadata.' The flaws were contained in RedNote's app and several third-party software libraries that it uses. Citizen Lab reported the issues to the companies starting in November 2024 but has not heard back from any of them. The security researchers say that the vulnerabilities could risk surveillance for all users, including those in China. 'As the Chinese government might already have mechanisms to lawfully obtain detailed data from RedNote about their users, the issues that we found also make Chinese users especially vulnerable to surveillance by non-Chinese governments,' the research says. It underscores that within China even widely used apps may not meet the same security standards as those developed outside the country. 'Applications that are popular in China often use no encryption, proprietary encryption protocols, or use TLS without certificate validation to encrypt sensitive data,' the analysis says. Military Spy Planes Increase Surveillance Flights at US-Mexico Border Over the last two weeks, US spy planes have flown at least 18 missions around the Mexico border, analysis from CNN has shown. The flights mark a 'dramatic escalation in activity,' the publication reports, and come as the Trump administration has designated drug cartels as terrorist organizations and has turned the nation's security apparatus toward deporting millions of migrants. According to CNN, various military planes, including Navy P-8s and a U-2 spy plane, were used in the operations and are capable of collecting both imagery and signals intelligence. Also this week, US Immigration and Customs Enforcement has advertised new contracts that would allow it to monitor 'negative' social media posts that people make about it. Backlash Mounts Against UK's Secret Apple Encryption Order Last month, the UK government hit Apple with a secret order demanding the company create a way to access data stored in encrypted iCloud backups. The order, called a Technical Capability Notice and issued under the UK's controversial 2016 surveillance law, was first reported by The Washington Post last week. Since then, there's been a growing backlash against the demands from the UK government, with many highlighting how a change would impact the security of millions around the world. US senator Ron Wyden and representative Andy Biggs have sent a letter to Tulsi Gabbard, the new director of national intelligence, saying the order undermines trust between the US and UK. 'If the UK does not immediately reverse this dangerous effort, we urge you to reevaluate US-UK cybersecurity arrangements and programs as well as US intelligence sharing with the UK,' the pair said, drawing comparisons to the Chinese-linked Salt Typhoon hacks of US telecom firms that utilized a surveillance 'backdoor.' Since details of the order emerged, Human Rights Watch has called it an 'alarming overreach,' while 109 civil society organizations, companies, and other groups signed an open letter saying the 'demand jeopardizes the security and privacy of millions.'
WIRED
12-02-2025
- WIRED
A Hacker Group Within Russia's Notorious Sandworm Unit Is Breaching Western Networks
Feb 12, 2025 12:00 PM A team Microsoft calls BadPilot is acting as Sandworm's 'initial access operation,' the company says. And over the last year it's trained its sights on the US, the UK, Canada, and Australia. Photograph:Over the last decade, the Kremlin's most aggressive cyberwar unit, known as Sandworm, has focused its hacking campaigns on tormenting Ukraine, even more so since Russian president Vladimir Putin's full-scale invasion of Russia's neighbor. Now Microsoft is warning that a team within that notorious hacking group has shifted its targeting, indiscriminately working to breach networks worldwide—and, in the last year, has seemed to show a particular interest in networks in English-speaking Western countries. On Wednesday, Microsoft's threat intelligence team published new research into a group within Sandworm that the company's analysts are calling BadPilot. Microsoft describes the team as an 'initial access operation' focused on breaching and gaining a foothold in victim networks before handing off that access to other hackers within Sandworm's larger organization, which security researchers have for years identified as a unit of Russia's GRU military intelligence agency. After BadPilot's initial breaches, other Sandworm hackers have used its intrusions to move within victim networks and carry out effects such as stealing information or launching cyberattacks, Microsoft says. Microsoft describes BadPilot as initiating a high volume of intrusion attempts, casting a wide net and then sorting through the results to focus on particular victims. Over the last three years, the company says, the geography of the group's targeting has evolved: In 2022, it set its sights almost entirely on Ukraine, then broadened its hacking in 2023 to networks worldwide, and then shifted again in 2024 to home in on victims in the US, the UK, Canada and Australia. 'We see them spraying out their attempts at initial access, seeing what comes back, and then focusing on the targets they like,' says Sherrod DeGrippo, Microsoft's director of threat intelligence strategy. 'They're picking and choosing what makes sense to focus on. And they are focusing on those Western countries.' Microsoft didn't name any specific victims of BadPilot's intrusions, but broadly stated that the hacker group's targets have included 'energy, oil and gas, telecommunications, shipping, arms manufacturing,' and 'international governments.' On at least three occasions, Microsoft says, its operations have led to data-destroying cyberattacks carried out by Sandworm against Ukrainian targets. As for the more recent focus on Western networks, Microsoft's DeGrippo hints that the group's interests have likely been more related to politics. 'Global elections are probably a reason for that,' DeGrippo says. 'That changing political landscape, I think, is a motivator to change tactics and to change targets.' Over the more than three years that Microsoft has tracked BadPilot, the group has sought to gain access to victim networks using known but unpatched vulnerabilities in internet-facing software, exploiting hackable flaws in Microsoft Exchange and Outlook, as well as applications from OpenFire, JetBrains, and Zimbra. In its targeting of Western networks over the last year in particular, Microsoft warns that BadPilot has specifically exploited a vulnerability in the remote access tool Connectwise ScreenConnect and Fortinet FortiClient EMS, another application for centrally managing Fortinet's security software on PCs. After exploiting those vulnerabilities, Microsoft found that BadPilot typically installs software that gives it persistent access to a victim machine, often with legitimate remote access tools like Atera Agent or Splashtop Remote Services. In some cases, in a more unique twist, it also sets up a victim's computer to run as so-called onion service on the Tor anonymity network, essentially turning it into a server that communicates via Tor's collection of proxy machines to hide its communications. Another, separate report Tuesday from the cybersecurity firm EclecticIQ pointed to an entirely distinct hacking campaign that firm also ties to Sandworm. Since late 2023, EclecticIQ found the hacker group has used a malware-infected Windows piracy tool, distributed via Bittorrent, to breach Ukrainian government networks. In those cases, EclecticIQ found, the hackers have installed a remote access tool called Dark Crystal RAT to carry out cyberespionage. Any sign of Sandworm, which Microsoft refers to by the name Seashell Blizzard, raises alarms in part because the group has a history of hacking operations that go far beyond mere spying. Over the last decade, the group has caused at least three blackouts by targeting electric utilities in Ukraine—still the only such hacker-induced blackouts in history. The group also released the NotPetya malware that spread worldwide and did at least $10 billion in damage, and it used wiper malware to destroy countless networks in more targeted attacks across Ukraine both before and after the 2022 invasion. Microsoft has so far found no evidence that, in BadPilot's targeting of Western networks specifically, Sandworm has shown any intention to carry out anything other than espionage. 'This seems very early in terms of initial resource gathering, trying to get this much persistent access,' says Microsoft's DeGrippo. 'Then we would have to wait to see what they do with it.' But she notes that BadPilot is nonetheless tied to a larger group that has a history of highly disruptive cyberattacks. 'Therefore," says DeGrippo, "the potential actions that they could take next is of deep concern.'
