Digital Ad Data Firms Track the Movements of Military and Intel Workers Overseas
T-Mobile stopped a breach before customers were hit, Microsoft debuts effort to ward off CrowdStrike-like outages and unveils Zero Day Quest hacking event, Apple issues fixes for zero days exploited in the wild, CrowdStrike finds new Chinese spy operation, GitHub launches open source fund, much more
Sponsor Message
In today's digital landscape, protecting your software supply chain from rising threats is essential. This free whitepaper offers five key strategies for enhancing container security, one of the main attack surfaces in dynamic software development practices. Learn about using SBOMs for transparency, shifting vulnerability detection left, and automating policy enforcement, all for a superior developer experience and securing third-party code.
Interested in reaching the elite audience of cybersecurity decision-makers, public policy professionals, and journalists who read Metacurity? Send an email to info [at] Metacurity.com with the subject line "Sponsorship."
A joint investigation by WIRED, Bayerischer Rundfunk (BR), and Netzpolitik.org reveals that US companies legally collecting digital advertising data are also providing the world a cheap and reliable way to track the movements of American military and intelligence personnel overseas, from their homes and their children’s schools to hardened aircraft shelters within an airbase where US nuclear weapons are believed to be stored.
A collaborative analysis of billions of location coordinates obtained from Datastream Group, a Florida-based data broker, provides extraordinary insight into the daily routines of US service members. The findings also provide a vivid example of the significant risks the unregulated sale of mobile location data poses to the integrity of the US military and the safety of its service members and their families overseas.
The publications tracked hundreds of thousands of signals from devices inside sensitive US installations in Germany. That includes scores of devices within suspected NSA monitoring or signals-analysis facilities, more than a thousand devices at a sprawling US compound where Ukrainian troops were being trained in 2023, and nearly 2,000 others at an air force base that has crucially supported American drone operations.
A device likely tied to an NSA or intelligence employee broadcast coordinates from inside a windowless building with a metal exterior known as the “Tin Can,” which is reportedly used for NSA surveillance, according to agency documents leaked by Edward Snowden. Another device transmitted signals from within a restricted weapons testing facility, revealing its zig-zagging movements across a high-security zone used for tank maneuvers and live munitions drills.
Experts caution that foreign governments could use this data to identify individuals with access to sensitive areas; terrorists or criminals could decipher when US nuclear weapons are least guarded; or spies and other nefarious actors could leverage embarrassing information for blackmail.
“The unregulated data broker industry poses a clear threat to national security,” says Ron Wyden, an Oregon US senator with over 20 years overseeing intelligence work. “It is outrageous that American data brokers are selling location data collected from thousands of brave members of the armed forces who serve in harm’s way around the world.”
Wyden approached the US Defense Department in September after initial reporting by BR and netzpolitik.org raised concerns about the tracking of potential US service members. DoD failed to respond. Likewise, Wyden's office has yet to hear back from members of US President Joe Biden's National Security Council, despite repeated inquiries. (Dhruv Mehrotra and Dell Cameron / Wired)
Related: Netzpolitik, BR.de
Sources say T-Mobile was able to contain a recent network breach before it reached customers’ phones.
According to the sources, hackers accessed edge-routing infrastructure and gained unauthorized access to a limited number of devices, including a T-Mobile-owned-and-operated router. When T-Mobile detected the suspicious activity, it booted the hackers from its systems.
The company detected reconnaissance activity aimed at reaching deeper layers of the network, but customer data wasn’t accessed because T-Mobile caught the intrusion at such an early stage.
The attack shared some characteristics with intrusions by Salt Typhoon, a Chinese hacking group that has targeted US telecommunications networks in recent weeks. T-Mobile hasn’t identified the responsible party. The people couldn’t identify the hackers and didn’t say when the intrusion occurred.
US officials said last week that Chinese state-sponsored hackers perpetrated a “broad and significant cyber-espionage campaign” in which they breached multiple telecommunications companies to steal customer call records and compromise communications belonging to a “limited number” of people in government and politics. (Kelcee Griffis and Jamie Tarabay / Bloomberg)
Related: Android Police
At its annual Ignite conference, Microsoft launched a new Windows Resiliency Initiative designed to improve Windows security and reliability and ward off future catastrophes, such as the CrowdStrike outage that took down wide swaths of IT systems this past summer.
The Windows Resiliency Initiative includes core changes to Windows that will make it easier for Microsoft’s customers to recover Windows-based machines if there’s another CrowdStrike-like incident. There are also new Windows platform improvements that provide more robust controls over which apps and drivers are allowed to run and that allow antivirus processing to happen outside of kernel mode.
Microsoft has developed a new Quick Machine Recovery feature in light of the CrowdStrike incident. This feature will enable IT admins to target fixes at machines remotely, even when they’re unable to boot properly. Quick Machine Recovery leverages improvements to the Windows Recovery Environment (Windows RE).
“In a future event, hopefully that never happens, we could push out [an update] from Windows Update to this Recovery Environment that says delete this file for everyone,” explains David Weston, vice president of enterprise and OS security at Microsoft.
Microsoft has also been working with its MVI partners to enable antivirus processing outside the kernel. CrowdStrike’s software runs at the kernel level of Windows — the core part of an operating system with unrestricted access to system memory and hardware. This deep kernel access allowed a faulty update to generate a Blue Screen of Death as soon as affected systems started up.
Alongside the resiliency improvements, Windows 11 will also soon get administrator protection. This new feature lets users have the security of a standard user but with the ability to make system changes and even install apps when needed.
Microsoft also announced a series of other security initiatives at Ignite. The updates focus on expanding the capabilities of Windows security and enhancing defense through the general availability of Microsoft’s Security Exposure Management Platform, among other new efforts. (Tom Warren / The Verge, Duncan Riley / Silicon Angle)
Related: Windows Experience, CRN, BleepingComputer, The Stack, Thurrott, Help Net Security, PCMag, XDA Developers, Neowin, Windows Central, TechCrunch, Microsoft, Tech Republic, CRN, Tom's Guide, CSO Online, TechCrunch, Neowin
At its Ignite conference, Microsoft announced it is creating an in-person hacking event, Zero Day Quest, that will build upon Microsoft’s existing bug bounty program and incentivize research into high-impact security flaws that can affect the software powering cloud and AI workloads.
“This new hacking event will be the largest of its kind, with an additional $4 million in potential awards for research into high-impact areas, specifically cloud and AI,” Tom Gallagher, VP of engineering at Microsoft’s security response center, said. “Zero Day Quest will provide new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers — bringing together the best minds in security to share, learn, and build community as we work to keep everyone safe.”
The Zero Day Quest started yesterday, with Microsoft accepting research submissions eligible for bounty awards. These submissions will qualify security researchers for a spot at the in-person hacking event at Microsoft’s headquarters in Redmond, Washington, in 2025.
Microsoft is doubling the awards that it pays out for AI bounties, and it’s also offering security researchers direct access to Microsoft AI engineers and the company’s AI Red Team, a group of experts that probe Microsoft’s AI systems for failures. (Tom Warren / The Verge)
Related: Microsoft, ZDNET, CyberScoop, BleepingComputer, GeekWire, TechTarget, Help Net Security
Apple released security updates that it says are “recommended for all users” after fixing a pair of security bugs used in active cyberattacks targeting Mac users.
In a security advisory on its website, Apple said it was aware of two vulnerabilities that “may have been actively exploited on Intel-based Mac systems.” The bugs are considered “zero day” vulnerabilities because they were unknown to Apple when they were exploited.
To fix the bugs, Apple released a software update for macOS and fixes for iPhones and iPads, including users running the older iOS 17 software.
It’s unknown who is behind the attacks targeting Mac users, how many Macs have been targeted, or if any were successfully compromised. Security researchers at Google’s Threat Analysis Group, which investigates government-backed hacking and cyberattacks, reported the vulnerabilities to Apple. This suggests that a government actor may be involved in the attacks. Government-backed cyberattacks sometimes involve the use of commercial phone spyware. (Zack Whittaker / TechCrunch)
Related: Apple, Security Week, 9to5Mac, Bleeping Computer, O'Grady's Power Page, Cult of Mac, Independent, Business Standard, Appleosophy, MacObserver, MacRumors, ghacks, Lifehacker, Tom's Guide, Apple Insider
CrowdStrike has identified a brand-new China-linked cyber-espionage operation called Liminal Panda that is infiltrating telecommunications networks.
Since 2020, the group has been targeting telecommunications networks to spy on customers' text messages and phone call metadata. It has also built custom hacking tools that abuse the industry's interoperability features, using connections to other carriers' networks to breach additional telecommunications entities.
CrowdStrike has mostly seen evidence of Liminal Panda spying on Southeast Asian and African networks. CrowdStrike said the group has likely targeted unidentified networks to spy on officials living in these regions. However, the group may also be targeting individuals traveling through the region.
Liminal Panda is separate from the recently uncovered Salt Typhoon campaign targeting US telecommunications providers. (Sam Sabin / Axios)
Related: CrowdStrike
According to documents obtained by 404 Media, the Graykey, a phone unlocking and forensics tool used by law enforcement around the world, can only retrieve partial data from all modern iPhones that run iOS 18 or iOS 18.0.1, two recently released versions of Apple’s mobile operating system.
The leak is unprecedented for Grayshift, the highly secretive company that made the Graykey before being acquired by Magnet Forensics, another digital forensics company. Although one of its main competitors, Cellebrite, has faced similar leaks before, this is the first time anyone has published which phones the Graykey can or cannot access.
The documents, which also break down the Graykey’s capabilities against Android devices, provide never-before-seen insight into the current cat-and-mouse game between forensics and exploit development companies like Magnet and phone manufacturers Apple and Google.
404 Media uploaded the docs it received to Google Docs. (Joseph Cox / 404 Media)
Related: 9to5Mac, BGR, MacRumors, Neowin, AppleInsider, The Verge, r/appler, r/privacy, MacRumors Forums
To spur investments in open source projects, GitHub launched the GitHub Secure Open Source Fund with an initial commitment of $1.25 million in capital from contributors, including American Express, 1Password, Shopify, Stripe, and GitHub’s parent company, Microsoft. Other donors include the Alfred P. Sloan Foundation, Chainguard, HeroDevs, Kraken, Mayfield Fund, Superbloom, Vercel, and Zerodha.
GitHub formally opened the program for applicants, which will be reviewed “on a rolling basis” through the closing date of January 7, 2025, with programming and funding starting shortly after. (Paul Sawers / TechCrunch)
Related: GitHub, Silicon Republic, Security Week
Researchers at Sekoia report that the new 'Helldown' ransomware operation is believed to target vulnerabilities in Zyxel firewalls to breach corporate networks, allowing its operators to steal data and encrypt devices.
Although not among the major players in the ransomware space, Helldown has quickly grown since its launch over the summer, listing numerous victims on its data extortion portal.
Sekoia reports that Helldown for Windows is based on the leaked LockBit 3 builder and features operational similarities to Darkrace and Donex. However, no definitive connection can be made based on the available evidence.
As of November 7, 2024, the threat group listed 31 victims on its recently renewed extortion portal, primarily small and medium-sized firms based in the United States and Europe. Today, the number has decreased to 28, potentially indicating some had paid a ransom.
Sekoia says Helldown isn't as selective in the data it steals as other groups following more efficient tactics and publishes large data packs on its website, reaching up to 431GB in one instance.
One of the victims listed is Zyxel Europe, a networking and cybersecurity solutions provider. (Bill Toulas / Bleeping Computer)
Related: Sekoia, SC Media, Infosecurity Magazine, Dark Reading
According to a source, an unknown hacker gained access to a computer file shared via a secure link among lawyers whose clients have given damaging testimony related to Matt Gaetz, the former Florida congressman who is Donald Trump’s choice to be attorney general.
The file of 24 exhibits is said to include sworn testimony by a woman who said that she had sex with Mr. Gaetz in 2017 when she was 17, as well as corroborating testimony by a second woman who said that she witnessed the encounter.
The source said the information was downloaded by a person named Altam Beezley at 1:23 p.m. on Monday. A lawyer connected to the case emailed the address associated with Altam Beezley, only to be informed in an automated reply that the recipient does not exist.
The documents include information under seal with the Justice Department, which investigated Mr. Gaetz but did not file charges, and the House Committee on Ethics, which has completed its own inquiry into the former congressman. The Ethics panel’s members are scheduled to meet on Wednesday to decide on whether to vote to release material it has gathered.
But the hacked trove of documents stems from an altogether different source: a civil suit being pursued by a friend of Mr. Gaetz’s, Christopher Dorworth, a Florida businessman. Mr. Dorworth filed the suit against both the woman who says she had sex with Mr. Gaetz when she was a minor and Joel Greenberg, an erstwhile ally of Mr. Gaetz who is serving an 11-year prison sentence after pleading guilty to federal sex trafficking charges involving the woman.
The hacker did not appear to make the file public. (Robert Draper / New York Times)
Related: Mediaite, Daily Mail, Reuters, Newser, Newsweek, NBC News, Daily Beast, The Hill, Daily Mail, Mediaite, Gizmodo, Independent, ABC News, Raw Story, Data Breach Today, AlterNet, New York Daily News, Reuters, Forbes
The Transportation Security Administration's (TSA) efforts to address cybersecurity issues faced significant criticism this week from government watchdogs, members of Congress, and regulated companies.
A US Government Accountability Office (GAO) report said four of the six cybersecurity recommendations made to TSA since 2018 have still not been addressed, including one centered around the agency’s efforts to protect companies from ransomware.
The GAO report came on the same day that Tina Won Sherman, director of Homeland Security and Justice at the GAO, two TSA executives, and industry leaders appeared before the House Homeland Security Subcommittee on Transportation and Maritime Security to discuss cybersecurity issues.
TSA leaders Steve Lorincz and Chad Gorman defended the agency’s work, acknowledging that the mistakes made in the first cybersecurity directives issued after the Colonial Pipeline attack were rectified with deeper industry collaboration.
The two added that they hope to incorporate industry feedback into the proposed cybersecurity rule and focus more on outcome-based guidelines for the transportation sector.
But two industry leaders, the Association of American Railroads’ Ian Jefferies and American Gas Association’s Kimberly Denbow, did not hold back in their criticism of the TSA, blaming the agency for the confusion caused by the initial security directives and for replicating requirements many companies already have to follow for other regulators. (Jonathan Greig / The Record)
Related: GAO, GAO, CyberScoop, Committee on Homeland Security, Nextgov/FCW
The Australian Signals Directorate's (ASD) annual Cyber Threat Report warns that hackers are increasingly targeting wealthy private schools that hold valuable personal data.
In its annual Cyber Threat Report, ASD warns the average cost of cybercrime to small businesses was almost $50,000 in the past financial year, but the number of overall incidents is roughly the same as 12 months ago.
The ASD received 87,000 reports of cybercrime over the past financial year and responded to 121 ransomware incidents, up 3 percent from the previous 12 months.
According to the ASD report, one case in the past year involved the Association of Independent Schools in New South Wales, which was alerted to malware lurking on its system.
The malware, named "Gootloader," infected the system when an employee searched online for the education sector's enterprise agreement. (Andrew Greene and Jake Evans / ABC.net.au)
Related: Australian Signals Directorate, The Sydney Morning Herald, 9News, News.com
Automaker Ford is investigating allegations that it suffered a data breach after a threat actor claimed to leak 44,000 customer records on a hacking forum.
Threat actor EnergyWeaponUser announced the leak on Sunday. It also implicates hacker IntelBroker, who supposedly participated in the November 2024 breach.
The threat actors leaked on BreachForums 44,000 Ford customer records containing customer information, including full names, physical locations, purchase details, dealer information, and record timestamps.
The exposed records aren't extremely sensitive but still contain personally identifiable information that could empower phishing and social engineering attacks targeting the exposed individuals.
The threat actors did not attempt to sell the dataset but instead offered it to registered members of the hacker forum for eight credits, equal to a little over $2. (Bill Toulas / Bleeping Computer)
Related: Cyber Daily, autoevolution, The Register
The US Cybersecurity & Infrastructure Security Agency (CISA) has added three new flaws to its Known Exploited Vulnerabilities (KEV) catalog, including a critical OS command injection that impacts Progress Kemp LoadMaster.
LoadMaster is an application delivery controller (ADC) and load-balancing solution used by large organizations to optimize app performance, manage network traffic, and ensure high service availability.
The flaw, discovered by Rhino Security Labs and tracked as CVE-2024-1212, was addressed via an update released on February 21, 2024. However, this is the first report of it being actively exploited in the wild.
“Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution,” reads the flaw’s description. (Bill Toulas / Bleeping Computer)
Related: CISA, Security Affairs
Oracle has fixed an unauthenticated file disclosure flaw in Oracle Agile Product Lifecycle Management (PLM), tracked as CVE-2024-21287, that was actively exploited as a zero-day to download files, and has urged Agile PLM customers to install the latest version to fix the flaw.
"This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in file disclosure," warned Oracle.
"Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible." (Lawrence Abrams / Bleeping Computer)
Related: Oracle, Security Week, Help Net Security
Researchers at Lumen’s Black Lotus Labs report that the Ngioweb botnet, which supplies most of the 35,000 bots in the cybercriminal NSOCKS proxy service, is being disrupted as security companies block traffic to and from the two networks.
Lumen researchers tracked both active and historical C2 nodes and the architecture they form. They note that NSOCKS[.]net “users route their traffic through over 180 ‘backconnect’ C2 nodes that serve as entry/exit points” to hide their identity.
The Ngioweb botnet provides at least 80% of the 35,000 proxies offered by NSOCKS, which are scattered across 180 countries.
The botnet's loader network redirects infected devices to a C2 server, which fetches and executes the Ngioweb malware.
Although it is unclear how initial access occurs, Black Lotus Labs believes the threat actor relies on around 15 exploits for various n-day vulnerabilities.
In the second stage, the compromised device contacts C2 domains created using a domain generation algorithm (DGA) to determine whether the bot is usable for the proxy network.
These management C2s monitor and check the bots' traffic capacity and also connect them to a “back connect” server that makes them available for the NSOCKS proxy service.
At the moment, both the Ngioweb and the NSOCKS[.net] services are being severely disrupted as Lumen has identified the botnet’s architecture and traffic. Along with industry partners like The ShadowServer Foundation, the company is blocking traffic to and from the known C2 nodes associated with the two networks. (Ionut Ilascu / Bleeping Computer)
Related: Lumen, Cyberscoop
Colorado Rockies third baseman Kris Bryant has been reunited with his 2023 Lamborghini Huracan after thieves hacked the email system of a carrier company and rerouted it away from Bryant’s offseason Las Vegas home.
Cherry Hills Village police used license-plate-detecting cameras to track the truck that took the car from Colorado to Nevada, where Las Vegas police arrested a man suspected of being behind a string of thefts.
Members of the Las Vegas Metropolitan Police Department’s auto theft team, US Department of Homeland Security agents, and Cherry Hills Village police worked together to find the Lamborghini. The car was spotted on Oct. 7, and the driver told police that he owned a maintenance shop and was asked by a Texas man to fix the car’s computer system.
The man was later identified as Dat Viet Tieu and was confronted by police when he arrived at Harry Reid International Airport to pick up the Lamborghini. When police asked how Tieu planned to travel from the airport to the maintenance shop, Tieu directed police to a stolen Jeep that Smith said contained tools used to perpetrate motor vehicle thefts. (Max Levy / The Denver Post)
Cybersecurity company Cyera announced it had raised $300 million in a Series D venture financing round.
Accel and Sapphire Ventures led the round, with additional participation from Sequoia, Redpoint, Coatue, and Georgian. (Meytal Vaizberg / Globes)
Related: Accel, GovInfoSecurity.com, SiliconANGLE, Security Week
Cybersecurity startup Prompt Security, which develops a platform to protect enterprises from GenAI threats, announced it had raised $18 million in a Series A venture funding round.
Jump Capital led the round, which included participation from existing investor Hetz Ventures, new investors such as Ridge Ventures, and major technology companies Okta and F5. (Meir Orbach / CTech)
Related: Business Insider, Accesswire
Best Thing of the Day: It Took Nine Months, But They Got There
Change Healthcare announced that its clearinghouse services have been fully restored after its ransomware attack 9 months ago.
Worst Thing of the Day: Sanctuary Cities Should Be Safe Havens
A new report from researchers at the Surveillance Technology Oversight Project (STOP) shows that fusion centers give US Immigration and Customs Enforcement a way to gain access to data that’s meant to be protected under sanctuary city laws limiting local police cooperation with ICE.