
FrodoPIR: New Privacy-Focused Database Querying System Explained

25 December 2022 at 10:45

FrodoPIR (Private Information Retrieval) is a privacy-focused database querying system that allows users to query a database without revealing which records they are interested in. This is accomplished using techniques from cryptography and information theory.

In traditional database querying systems, the client sends a query to the server that stores the database, specifying which records they are interested in. The server then responds by sending the requested data back to the client. However, this process reveals to the server which records the client is interested in, potentially exposing sensitive information about the client’s interests or activities.

FrodoPIR addresses this issue by allowing the client to send a query to the server without revealing which records they are interested in. To do this, the client constructs a special kind of query called a “private information retrieval” (PIR) query, which consists of multiple fake queries that the client mixes together. The client then sends the PIR query to the server, which responds with the requested data without knowing which records the client was actually interested in.

There are several different versions of FrodoPIR, including FrodoKEM, which is optimized for use with key encapsulation mechanisms, and FrodoSAM, which is optimized for use with secure multi-party computation protocols.

FrodoPIR has a number of potential applications in a variety of settings, including healthcare, finance, and online advertising. It can also be used to protect the privacy of users in collaborative data analysis tasks, such as those involving distributed machine learning.

One of the main advantages of FrodoPIR is that it allows users to query a database without revealing which records they are interested in, protecting their privacy. This is particularly useful in settings where sensitive or personal information is stored, as it can help prevent the accidental or malicious disclosure of this information.

The post FrodoPIR: New Privacy-Focused Database Querying System Explained appeared first on OFFICIAL HACKER.

Iranian Hackers are Using New Spying Malware to Abuse Telegram Messenger API

28 February 2022 at 06:49

In November 2021, a threat actor aligned with Iranian geopolitical interests was discovered to have deployed two new targeted malware families with “simple” backdoor functionality as part of an intrusion into an unnamed government body in the Middle East.

Cybersecurity firm Mandiant attributed the attack to an uncategorized cluster it tracks as UNC3313, which it assesses with “moderate certainty” to be associated with the state-sponsored group MuddyWater.

“UNC3313 monitors and collects strategic information to support Iranian interests and decision-making,” said researchers Ryan Tomcik, Emiel Haeghebaert and Tufail Ahmed. “Guidance schemes and their associated decoys show a strong focus on targets with a geopolitical connection.”

In mid-January 2022, MuddyWater (aka Static Kitten, Seedworm, TEMP.Zagros or Mercury) was characterized by U.S. intelligence agencies as a subordinate element of Iran’s Ministry of Intelligence and Security (MOIS) that has been active since at least 2018 and is known to use a wide range of tools and methods in its operations.

The attacks were reportedly orchestrated using spear-phishing messages to gain initial access, followed by the use of offensive security tools and publicly available remote access software to move laterally and maintain access to the environment.

The phishing emails were built around a job-promotion lure and tricked several victims into clicking a URL to download a RAR archive file hosted on OneHub, paving the way for the installation of ScreenConnect, a legitimate remote access tool, to gain a foothold.

“UNC3313 quickly established remote access using ScreenConnect to infiltrate systems within an hour of the initial compromise,” the researchers noted, adding that the security incident was quickly contained and resolved.

Subsequent stages of the attack included privilege escalation, performing internal reconnaissance on the target network, and executing obfuscated PowerShell commands to download additional tools and payloads to remote systems.

A previously undocumented backdoor called STARWHALE, a Windows script file (.WSF) that executes commands received from a hard-coded command and control (C2) server via HTTP, was also discovered.

The other implant delivered in the attack is GRAMDOOR, so named because it uses the Telegram API for network communication with an attacker-controlled server in an attempt to evade detection, further underscoring the abuse of legitimate communication tools to facilitate data theft.

The findings also align with a new joint advisory from UK and US cybersecurity agencies that accuses the MuddyWater group of espionage attacks targeting defense, local government, the oil and gas sector and telecommunications around the world.


Two Zero-Day Bugs Reported in Zoom Clients and MMR Servers Details Google

22 January 2022 at 07:04

An investigation of the zero-click attack surface of the popular Zoom video conferencing solution revealed two zero-day bugs (previously unknown security vulnerabilities) that could be exploited to crash the service, execute malicious code, and even leak arbitrary areas of its memory.

Natalie Silvanovich of Google Project Zero, who discovered and reported the two flaws last year, said the issues affect both Zoom clients and Multimedia Router (MMR) servers, which relay audio and video content between clients in on-premises deployments.

The flaws have since been fixed by Zoom as part of updates released on November 24, 2021.

The goal of a zero-click attack is to stealthily take control of the victim’s device without requiring any user interaction, such as clicking on a link.

While exploit capabilities vary depending on the nature of the vulnerability, a key feature of zero-click attacks is that they leave little or no trace of malicious activity, making them very difficult to detect.

The two defects identified by Project Zero:

  • CVE-2021-34423 (CVSS score: 9.8) is a buffer overflow vulnerability that can be used to crash a service or application or execute arbitrary code.
  • CVE-2021-34424 (CVSS score: 7.5) is a process memory disclosure error that can be used to potentially obtain information about arbitrary areas of product memory.

While analyzing real-time transport protocol (RTP) traffic used to deliver audio and video over IP networks, Silvanovich discovered that it was possible to manipulate the contents of a buffer that supports playback of various types of data by sending a malformed chat message that causes the MMR client and server to crash.

Additionally, the lack of a NULL check that is used to detect the end of a string allowed for a memory leak when joining a Zoom meeting through a web browser.

The researcher also noted that the Zoom MMR process did not have ASLR (address space layout randomization) enabled, a security mechanism designed to make the exploitation of buffer overflows significantly harder.

“The absence of ASLR in the Zoom MMR process greatly increases the risk that an attacker can compromise it,” Silvanovich said. “ASLR is perhaps the most important defense against memory corruption exploits, and the effectiveness of most other defenses at some level depends on the fact that it is disabled in the vast majority of programs.”

While most videoconferencing systems use open source libraries such as WebRTC or PJSIP to implement multimedia communications, Project Zero identified Zoom’s use of proprietary formats and protocols, as well as high license fees (nearly $1,500), as barriers to security research.

“Closed source software creates unique security challenges, and Zoom can do more to make its platform available to security researchers and others who want to evaluate it,” Silvanovich said. “While Zoom Security helped me access and set up the server software, it’s not clear if support is available for other researchers, and software licensing was still expensive.”


Ukrainian Government is Officially Accusing Russia of Recent Cyberattacks

18 January 2022 at 08:03

The Ukrainian government on Sunday formally accused Russia of orchestrating the attacks on the websites of state institutions and government agencies last week.

“All evidence points to Russia being behind the cyberattack,” the Digital Transformation Department said in a statement. “Moscow continues to wage a hybrid war and is actively building up its forces in the information and cyberspace.”

The purpose of the attack, the ministry said, was “not only to intimidate the public,” but also “to destabilize the situation in Ukraine by shutting down the public sector and undermining Ukrainians’ confidence in the authorities.”

However, Russia denied any involvement in the attacks. “We have nothing to do with this, and Russia has nothing to do with these cyberattacks,” Dmitry Peskov, a spokesman for President Vladimir Putin, told CNN, adding: “We are almost used to Ukrainians blaming Russia for everything, even the bad weather.”

The disclosure comes after dozens of Ukrainian government websites were defaced on Friday with a disturbing message telling citizens to “fear and expect the worst” and alleging that their personal information had been hacked.

According to the Security Service of Ukraine (SBU), the attack was carried out after the attackers gained access to the infrastructure of a private company that had the right to manage some of the affected sites.

Separately, Microsoft warned of the use of destructive data-deletion malware disguised as ransomware in attacks against several organizations in Ukraine. The company, which calls this new malware family WhisperGate, has listed it in its threat cluster as DEV-0586.


This New Apple Safari Browser Bug Allows Cross-Site User Tracking

17 January 2022 at 05:31

A bug introduced in the implementation of the IndexedDB API in Apple Safari 15 could be used by a malicious website to track a user’s online activity in the web browser and, worse, even reveal their identity.

The vulnerability, dubbed IndexedDB Leaks, was discovered by anti-fraud software company FingerprintJS, which reported the issue to the iPhone manufacturer on November 28, 2021.

IndexedDB is a low-level JavaScript application programming interface (API) provided by web browsers for managing a NoSQL database with structured data objects such as files and blobs.

“Like most web storage solutions, IndexedDB follows a same-origin policy,” Mozilla notes in its API documentation. “So while you can access data stored within the same domain, you can’t access data across different domains.”

The same-origin policy is a fundamental security mechanism that ensures that resources retrieved from different origins, i.e. different combinations of URL scheme (protocol), host (domain), and port number, are isolated from each other. This means that “http[:]//example[.]com/” and “https[:]//example[.]com/” do not have the same origin, because they use different schemes.

By limiting how a script loaded from one origin can interact with a resource from another origin, the idea is to isolate potentially malicious scripts and reduce the attack surface, preventing a malicious website from running arbitrary JavaScript code that reads data from another domain, such as an email service.

But this does not apply to how Safari handles the IndexedDB API in Safari on iOS, iPadOS, and macOS.

“In Safari 15 on macOS and all browsers on iOS and iPadOS 15, the IndexedDB API violates the same-origin policy,” said Martin Bajanik in his post. “Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.”

This privacy breach means that websites can learn what other websites a user is visiting in different tabs or windows, and can even precisely identify users of Google services such as YouTube and Google Calendar, because these sites create IndexedDB databases whose names include the authenticated Google User ID, an internal identifier that uniquely identifies a single Google account.

“Not only does this mean that untrusted or malicious websites can learn the identity of a user, but it also allows multiple separate accounts used by the same user to be linked,” Bajanik said.

To make matters worse, the leak also affects Safari 15’s private browsing mode if the user visits multiple different websites from the same tab in the browser window. We’ve reached out to Apple for additional comments and will update the story if we hear.

“This is a huge mistake,” Google Chrome advocate Jake Archibald tweeted. “On OSX, Safari users can (temporarily) switch to a different browser to prevent their data from being leaked from one source to another. iOS users don’t have that choice because Apple is banning other browser engines.”


Google Faces Fine of $100 Million in Russia Over Failure To Delete Content

28 December 2021 at 02:44

A Russian court fined Google nearly $100 million over the company’s alleged “systematic refusal to remove prohibited content” after finding it guilty of repeated violations of Russian law.

The Tagansky District Court ordered Google to pay an administrative fine of about 7.2 billion rubles (roughly $98.4 million), or about 8% of the search giant’s annual revenue in Russia.

“In the case of an administrative offense under Part 5 of Article 13.41 of the Administrative Offenses Code, <…> Google LLC was found guilty … A punishment was imposed in the form of an administrative fine in the amount of 7,221,916,235 rubles,” the Tagansky District Court said through its press service.

Google has 10 days to appeal the sanction. The company told The Verge that it “will examine the court documents when they become available and then decide on the next course of action.”

In addition to Google, on Friday the court also fined Facebook (now Meta) nearly 2 billion rubles ($27.2 million) for repeatedly failing to remove content deemed illegal. The court said Google and Meta could face additional revenue-based penalties if they did not remove the material.

Over the past year, Russia has intensified its efforts to control the content available on the Internet. Earlier, Russian courts imposed lower fines on Google, Facebook and Twitter.

“This is the first time a Russian court has imposed fines that are part of the annual revenues of these companies in Russia,” said Roskomnadzor, Russia’s state communications watchdog, in a statement.

The regulator said Google and Meta “ignored several requests” to remove content that incites religious hatred, promotes the views of “extremist and terrorist organizations,” and encourages dangerous behaviour by minors. It also accused them of failing to remove content related to drugs, weapons and explosives.

The agency said Facebook did not remove all of the content that Moscow wanted removed: 1,043 items are still on Facebook and 973 items on Instagram, while Google had not removed 2,600 such items. It warned that they could face additional revenue-based penalties if they do not remove prohibited content.


Hackers Exploiting Log4j Vulnerability to Infect Computers with Khonsari Ransomware

15 December 2021 at 03:13

Romanian cybersecurity technology company Bitdefender said Monday that attempts are being made to attack Windows computers with a new ransomware family called Khonsari Ransomware, as well as the Orcus remote access Trojan, using the recently discovered critical Log4j vulnerability.

The attack exploits the remote code execution vulnerability to download an additional payload, a .NET binary, from a remote server; the binary encrypts files, giving them the .khonsari extension, and displays a ransom note that prompts victims to pay in bitcoin to regain access to their files.


The vulnerability is tracked as CVE-2021-44228 and is also known as Log4Shell or LogJam. Simply put, the bug can force an affected system to download malware, giving attackers a foothold on servers inside corporate networks.

Log4j is an open-source Java library maintained by the non-profit Apache Software Foundation. With approximately 475,000 downloads from its GitHub project, it is widely used for logging application events and is also a component of other frameworks such as Elasticsearch, Kafka, and Flink, which underpin many websites and popular services.

The information was disclosed as the United States Cybersecurity and Infrastructure Security Agency (CISA) raised the alarm over active and widespread exploitation of the vulnerability, which, if left unchecked, could provide unhindered access and unleash a new round of cyberattacks. The flaw has sent companies scrambling to find and fix vulnerable machines.

“An attacker could exploit this vulnerability by submitting a specially crafted request to an affected system, causing that system to execute arbitrary code,” said a guide released by the agency on Monday. “The request allows an attacker to take full control of the system. An attacker could then steal information, launch khonsari ransomware, or perform other malicious actions. ”

In addition, CISA also added the Log4j vulnerability to its catalogue of known exploitable vulnerabilities, giving federal agencies a December 24 deadline for patching the vulnerability. Similar guidelines have already been issued by government agencies in Austria, Canada, New Zealand and the United Kingdom.

So far, active exploitation attempts recorded in the wild have included abusing the vulnerability to enlist devices into a botnet and to drop additional payloads such as Cobalt Strike and cryptocurrency miners. Cybersecurity firm Sophos said it has also observed attempts to steal keys and other sensitive data from Amazon Web Services.

As a sign that the threat is rapidly evolving, Check Point researchers warned that 60 new variants of the original Log4j exploit were deployed in less than 24 hours, adding that the company had blocked more than 845,000 intrusion attempts, with 46% of attacks originating from known malicious groups.

The vast majority of attempts to use Log4Shell originated in Russia (4275), based on Kaspersky telemetry data, followed by Brazil (2493), USA (1746), Germany (1336), Mexico (1177), Italy (1094), France (1008) and Iran (976). In comparison, only 351 attempts were made in China.

Given the exploit’s mutating nature, its widespread reach across multiple industries has also put industrial control systems and operational technology environments that power critical infrastructure on high alert.

“Log4j is widely used in external/internet-facing and internal applications that control and monitor manufacturing processes, leaving many industrial operations, such as electricity, water, food and beverage, manufacturing and others, exposed to potential remote exploitation and access,” said Sergio Caltagirone, vice president of Threat Intelligence at Dragos. “It is important to prioritize external and Internet applications over internal applications because of their access to the Internet, although both are vulnerable.”

The development further highlights how key security vulnerabilities identified in open source software can pose a significant threat to organizations that include such standard dependencies in their IT systems. Beyond its broad reach, Log4Shell is even more worrisome because of its relative ease of use, laying the foundation for future ransomware attacks.

“To be clear, this vulnerability poses a serious risk,” said CISA director Jen Easterly. “This vulnerability, which is widely exploited by a growing circle of attackers, is an urgent problem for network defenders given its widespread occurrence. Vendors must also communicate with their customers to ensure that end users are aware that their product contains this vulnerability and must prioritize software updates. ”


U.S. State Department and Diplomat’s iPhones were Reportedly Hacked by Pegasus Spyware

6 December 2021 at 05:29

According to reports from Reuters and the Washington Post, Apple has told several U.S. Embassy and State Department officials that their iPhones may have been targeted by an unknown attacker using Pegasus, the state-sponsored spyware created by the controversial Israeli company NSO Group.

At least 11 U.S. Embassy officials stationed in Uganda or working on issues related to the country were reportedly targeted via iPhones registered to overseas phone numbers, although the identity of the threat actor behind the intrusions and the nature of the information sought remain unknown.

The attacks in recent months are the first time sophisticated surveillance software has been used against US government officials.

NSO Group is the creator of Pegasus, military-grade spyware that allows government clients to stealthily loot files and photos, eavesdrop on conversations, and track the whereabouts of their victims.

Pegasus uses zero-click exploits delivered through messaging apps to infect iPhones and Android devices without requiring targets to click links or take any other action; by default, it is blocked from targeting US phone numbers.

Responding to reports, NSO Group said it was investigating the case and, if necessary, suing clients for illegal use of its tools, adding that it had suspended “affected accounts” citing “the seriousness of the charges”.

It should be noted that the company has long argued that it sells its products to government law enforcement and intelligence agencies only to help track security threats and control terrorists and criminals. But evidence gathered over the years has highlighted the systematic abuse of this technology to spy on human rights defenders, journalists and politicians in Saudi Arabia, Bahrain, Morocco, Mexico and other countries.

NSO Group’s actions have taken their toll, putting it on the radar of the US Department of Commerce, which placed the company on a trade blocklist last month, a move that may have been prompted by the targeting of the aforementioned American diplomats.

In addition, tech giants Apple and Meta have since taken legal action against the company for illegally hacking their users by exploiting previously unknown security holes in iOS and WhatsApp’s end-to-end encrypted messaging service. Apple also said that on November 23 it began sending threat notifications to alert users it believes have been targeted by state-sponsored attackers.

To that end, affected users are sent email and iMessage notifications to the addresses and phone numbers associated with their Apple IDs, and a prominent Threat Notification banner is displayed at the top of the page when they sign in to their accounts at appleid.apple[.]com.

“Government-funded players like the NSO Group are spending millions of dollars on sophisticated surveillance technologies without effective accountability,” said Craig Federighi, Apple’s head of software development. “This has to change.”

The disclosure also coincides with a Wall Street Journal report detailing the US government’s plan to work with more than 100 countries to restrict the export of surveillance software to authoritarian governments that use the technology to suppress human rights. China and Russia are not expected to take part in the new initiative.


Pegasus Spyware Explained: Biggest Questions Answered

27 July 2021 at 03:01

Computer technology has long been touted as a valuable asset in the modern world, so much so that it is said the next world war may be fought in cyberspace. Lending weight to this prediction, there have been reports that several governments around the world are illegally surveilling prominent politicians and journalists using Pegasus, malware from the Israeli NSO Group.

What is Pegasus Spyware?

Named after the mythical creature, Pegasus spyware – a program used to remotely monitor a target – was created by NSO Group Technologies, based near Tel Aviv. Historically, Pegasus has played an important role in several international incidents, from the capture of a Mexican drug lord to the leaked texts of Amazon founder Jeff Bezos on WhatsApp.

It recently came under criticism again after a report said thousands of prominent people around the world may have been victims of the spyware.

How does Pegasus Spyware work?

Over the years, Pegasus has used various methods to infect a device. Previously, it used a technique called spear phishing, which involves sending a malicious link to the target. As soon as the link was clicked, Pegasus gained access to the device, and within a few hours the phone’s data was transferred to the attacker.

However, smartphone security has since become more robust, and the spyware now relies on an improved form of “zero-click attack”. In this case, an attacker can infect the target device without waiting for any response from the potential victim.

Thus, Pegasus no longer has to wait for a link to be clicked; the spyware can infect a phone through something as simple as a WhatsApp call.

Who is spying?

The creator of Pegasus, NSO Group, works closely with the Israeli government, which obviously makes the most of Pegasus’ surveillance capabilities.

However, other potential clients have not been left out as the company shares technology with a select group of governments around the world. These foreign clients include India, Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.

Who is the target?

While it is impossible to accurately gauge the extent to which a government chooses to use Pegasus, this spyware tends to target journalists — primarily those who pose a problem to the government.

One such incident, in which Pegasus was allegedly used by the government, occurred when Saudi journalist and dissident Jamal Khashoggi was killed in 2018.

Who is working to stop Pegasus Spyware?

The nonprofit Forbidden Stories, human rights organization Amnesty International and a global network of 80 journalists from 17 media groups have come together to investigate how governments are using Pegasus to illegally spy on interested people.

The investigation is called Project Pegasus. In its latest report, it revealed that it has access to a database of 50,000 phone numbers belonging to people whose phones may have been infected with the spyware.

What is the position of the Indian government?

The reports claim the Indian government is one of NSO Group’s foreign clients for Pegasus. A list of potential targets, including the phone numbers of over 40 Indian journalists from various media outlets, was leaked, and forensic experts have already confirmed Pegasus attacks on at least 10 of the listed phone numbers.

The above allegations have been refuted by the Indian government and the NSO group. While the Indian government has assured that “a commitment to free speech as a fundamental right is the cornerstone of India’s democratic system,” the Israeli technology company simply denied that the report had anything to do with it.

