Tech
Iran war a melting pot for other cyber threats | Computer Weekly
State-backed cyber threat actors from the likes of Belarus, China and Pakistan are all ramping up their activity in the wake of the joint Israeli-US attack on Iran, even though their government paymasters are not directly involved in the war.
This is according to intelligence published by Proofpoint, which claims to have observed several such campaigns unfolding in the wild. It believes this wave of malicious activity reflects a mixture of threat actors opportunistically using the conflict to create lures in their routine options, and intelligence collection directly related to Middle Eastern governments and their allies.
“These campaigns were conducted by both known groups and previously unobserved actors, with suspected attribution to China, Belarus, Pakistan and Hamas,” wrote Proofpoint’s research team.
“The campaigns heavily relied on aspects of the conflict as topical lure content to engage the targets and often used compromised accounts belonging to government organisations to send phishing emails,” they said.
In one such campaign, Belarussian threat actor TA473, or Winter Vivern, impersonated a European Council president spokesperson relaying a statement on the European Union’s (EU’s) position on human rights, regional security and Iran’s alleged weapons of mass destruction.
It was sent to government organisations in both Europe and the Middle East – the first time Winter Vivern has been seen targeting the Middle East – and contained an HTML file which, if opened, displayed a decoy image while conducting an HTTP request in the background. However, said Proofpoint, for now at least, this request is likely intended for target tracking purposes only, as it neither observed nor retrieved any next-stage payloads.
At the same time, the China-linked UNK_InnerAmbush actor ran a phishing exercise targeting diplomats and government officials in the region. Using a compromised email address, it used the death of Ayatollah Khamenei as a lure, purporting to share “secret on-site images” obtained via the US Department of Foreign Affairs – which should be a dead giveaway to anybody with knowledge of American politics, as US foreign affairs are handled by the State Department.
Images of strikes
Days later, UNK_InnerAmbush pivoted to images of Israel’s strikes on Iran’s fossil fuel infrastructure, which have induced a major ecological disaster – but in all instances, the images were actually disguised Microsoft Shortcut (LNK) files, hosted in a password-protected ZIP or RAR archive on Google Drive. If opened, they ran executables that decrypted Cobalt Strike command and control (C2) payloads and loaded them into memory.
Meanwhile, despite their government’s non-involvement, Pakistan-aligned threat actor UNK_RobotDreams has been targeting the offices of Middle Eastern government organisations in neighbouring India, impersonating India’s Ministry of External Affairs – which is at least the correct terminology – with phishing emails purporting to advise on the security impacts of the war.
These emails contained a blurred decoy PDF attachment and a fake Adobe Reader button which, if opened, redirected to a threat actor-controlled URL that used geofencing to serve a tainted executable to its intended targets. The executable functioned as a .NET loader that retrieved a Rust backdoor from the threat actor’s C2 host via PowerShell.
“While several of these groups incorporated the war-themed lure content in operations that are largely consistent with typical targeting remits, others demonstrated a shift toward intelligence collection against Middle Eastern government and diplomatic entities,” wrote Proofpoint’s research team.
“This likely reflects an effort to gather regional intelligence on the standing, trajectory and broader geopolitical implications of the conflict. This suggests the conflict is being used both as a topical social engineering pretext and a driver of collection priorities for a range of state-aligned threat actors.”
Iran’s state APTs stirring
In contrast to the opening days of the war, during which they appeared to be lying low, leaving the virtual battlefield largely to hacktivists, Iran’s own network of state-linked threat actors is now beginning to make itself known.
Proofpoint said it had now observed TA453, or Charming Kitten, conducting phishing exercises against a US-based think tank, with its lures themed around a roundtable on air defence capabilities – although strictly speaking, this activity began before the outbreak of war.
Other Iranian threat actors, notably the Ministry of Intelligence and Security (MoIS)-linked Seedworm (aka MuddyWater, Static Kitten), have been targeting US airports, banks, non-profits and tech companies, according to intelligence from Cisco Talos.
While, as with Charming Kitten, much of this activity began in February, Cisco Talos noted the use of a previously unknown custom backdoor, dubbed Dindoor, which uses Deno – an open source JavaScript runtime – to execute.
Dindoor was first highlighted by Symantec and Carbon Black last week, and was linked to Seedworm by the use of certificates issued to aliases linked to other Seedworm malwares.
Brigid O’Gorman, senior intelligence analyst at the Symantec and Carbon Black Threat Hunter team, told our sister title, Cybersecurity Dive, that while this particular Seedworm campaign began before the current conflict, it puts the gang in a “potentially dangerous” position to be able to launch further attacks.
By law, autonomous vehicles aren’t legally allowed to carry unaccompanied minors in California. Waymo, Alphabet’s self-driving car company, doesn’t allow kids under 18 to ride alone anywhere outside of metro Phoenix, Arizona. But that hasn’t stopped some time-strapped parents from using their own accounts to transport their kids to school, extracurricular activities, and even social outings. Some have reported that the lack of drivers makes them feel safer.
Waymo is working to crack down on the practice, the company confirmed Friday, after reports of new mid-ride age-verification checks began to float around on social media. The company has “policies in place” to help it identify violations of its terms of service, Waymo spokesperson Chris Bonelli wrote in a statement to WIRED. “We are continuing to refine our system and processes for accuracy over time.” Violating its terms of service can lead to temporary or permanent suspension of an account, Waymo says.
The company uses cameras inside its cars to check that riders aren’t violating its rules. Its privacy policy notes that the company records video inside the vehicle during trips. Waymo says its support workers “may review video under certain circumstances,” and, “in more urgent circumstances,” access live video during a trip. The company says it does not use facial recognition or “other biometric identification technologies” to identify individuals.
The news comes a month after several California labor groups, including the California Gig Workers Union, filed a formal complaint with a state regulatory agency, accusing Waymo of violating the terms of its permit to operate in the state by knowingly transporting unaccompanied minors. The matter was assigned to a judge this week. The state is evaluating new rules that could allow solo riders under 18 in driverless cars, perhaps patterned after a program that permits ride-hail companies with human drivers to transport minors in California.
So far, several fresh-faced adults have been caught in the crossfire. On Tuesday, San Francisco machine learning engineer Nicholas Fleischhauer was about five minutes into his Waymo ride when the car connected him to support. A voice came over the line asking Fleischhauer to verify his age. He told the worker the truth: He’s 35. “I had messy and wet hair, and a backpack on me,” he says, by way of explaining why he might have been flagged by Waymo’s system. Plus, “people have told me that I look young for my age.” Fleischhauer says he takes Waymo weekly, but this marked the first time he had been asked about his age.
Since last summer, Waymo has allowed parents in the Phoenix area to set up teen accounts for riders ages 14 to 17. The accounts allow the teen riders’ adults to track their real-time locations during their trips. Waymo says a specially trained team of support agents deals with any issues its teen riders might have. Waymo says that “hundreds” of Phoenix families use the service each week.
In Waymo’s other markets across the US, adults are allowed to ride with guests under 18, though children under 8 must be in a secured car or booster seat.
Ethan S. Klein is 23, but his 26th LA Waymo ride on Thursday—plus the music he was listening to—was interrupted by an in-car call from a support agent who asked him, for the first time, to verify his birth date. Klein is an adult, but his first impulse was almost teen-like. “I was a little startled,” he says. “I thought I was in trouble!”
Publicly released exploit code for an effectively unpatched vulnerability that gives root access to virtually all releases of Linux is setting off alarm bells as defenders scramble to ward off severe compromises inside data centers and on personal devices.
The vulnerability and exploit code that exploits it were released Wednesday evening by researchers from security firm Theori, five weeks after privately disclosing it to the Linux kernel security team. The team patched the vulnerability in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254) but few of the Linux distributions had incorporated those fixes at the time the exploit was released.
A Single Script to Hack Them All
The critical flaw, tracked as CVE-2026-31431 and the name CopyFail, is a local privilege escalation, a vulnerability class that allows unprivileged users to elevate themselves to administrators. CopyFail is particularly severe because it can be exploited with a single piece of exploit code—released in Wednesday’s disclosure—that works across all vulnerable distributions with no modification. With that, an attacker can, among other things, hack multi-tenant systems, break out of containers based on Kubernetes or other frameworks, and create malicious pull requests that pipe the exploit code through CI/CD work flows.
“‘Local privilege escalation’ sounds dry, so let me unpack it,” researcher Jorijn Schrijvershof wrote Thursday. “It means: An attacker who already has some way to run code on the machine, even as the most boring unprivileged user, can promote themselves to root. From there they can read every file, install backdoors, watch every process, and pivot to other systems.”
Schrijvershof added that the same Python script Theori released works reliably for Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6, and Debian 12. The researcher continued:
Why does that matter on shared infrastructure? Because “local” covers a lot of ground in 2026: every container on a shared Kubernetes node, every tenant on a shared hosting box, every CI/CD job that runs untrusted pull-request code, every WSL2 instance on a Windows laptop, every containerised AI agent given shell access. They all share one Linux kernel with their neighbors. A kernel LPE collapses that boundary.
The realistic threat chain looks like this. An attacker exploits a known WordPress plugin vulnerability and gets shell access as www-data. They run the copy.fail PoC. They are now root on the host. Every other tenant is suddenly reachable, in the way I walked through in this hack post-mortem. The vulnerability does not get the attacker onto the box; it changes what happens in the next ten seconds after they land there.
The vulnerability stems from a “straight-line” logic flaw in the kernel’s crypto API. Many exploits exploiting race conditions and memory corruption flaws don’t consistently succeed across kernel versions or distributions, and sometimes even on the same machine. Because the code released for CopyFail exploits a logic flaw, “reliability isn’t probabilistic, and the same script works across distributions, researchers from Bugcrowd wrote. “No race window, no kernel offset.”
CopyFail gets its name because the authencesn AEAD template process (used for IPsec extended sequence numbers) doesn’t actually copy data when it should. Instead, it “uses the caller’s destination buffer as a scratch pad, scribbles 4 bytes past the legitimate output region, and never restores them,” Theori said. “The ‘copy’ of the AAD ESN bytes ‘fails’ to stay inside the destination buffer.”
The Worst Linux Vulnerability in Years
Other security experts echoed the perspective that CopyFail poses a serious threat, with one saying it’s the “worst make-me-root vulnerabilities in the kernel in recent times.”
The most recent such Linux vulnerability was Dirty Pipe from 2022 and Dirty Cow in 2016. Both of those vulnerabilities were actively exploited in the wild.
Two new projects, including one from a Pulitzer-winning reporter, claim they’ve solved the mystery of Bitcoin’s creator. So why does the hunt continue?
Source link
Sydney Sweeney hard launches her romance with beau Scooter Braun
AAFA pushes for swift US House passage of key anti-counterfeiting law
Greta Gerwig finally reveals her wild new ‘Narnia’ movie title
-
Business1 week agoFrance Ends Airport Transit Visa Requirement for Indian Travellers | Business – The Times of India
-
Fashion1 week agoCanada forms new advisory committee to strengthen US trade relations
-
Tech1 week agoThey Wanted to Join Raya. They’ve Been on the Waiting List for Years
-
Tech5 days agoA Brain Implant for Depression Is About to Be Tested in Humans
-
Tech1 week agoWhy Do I Like Dyson’s PencilVac So Much?
-
Entertainment1 week agoAnne Hathaway makes shocking confession about Taylor Swift’s music
-
Tech5 days agoAlmost 90% of women leave tech industry within 10 years | Computer Weekly
-
Fashion1 week agoNorth India cotton yarn steady despite continued push by spinners