Commit 09_26_2023: U.S. surveillance relies on private allies


Hello, and welcome to Commit 09_26_2023! README senior editor Nathaniel Mott here with reports on the public-private partnerships that enable U.S. surveillance, a CVSS 10 severity vulnerability and more.

CyberScoop: How ICE uses SmartLINK to track migrants

A week after 404 Media revealed how Immigration and Customs Enforcement (ICE) relies on a private firm called ShadowDragon to monitor social media, CyberScoop published a report on how the agency uses an app called SmartLINK to collect “a trove of sensitive information, including personally identifying information, geolocation data, phone numbers of contacts, and vehicle and driver data” about migrants.

ICE’s use of SmartLINK is public knowledge, but CyberScoop said that recent documents “indicate that data collected by SmartLINK may be retained longer than ICE has stated publicly and that the agency has broad authority to use data collected by the app.” This—combined with ICE’s legacy, which includes reports of widespread sexual abuse as well as “'barbaric' and 'negligent' conditions” at its facilities—raises concerns about how the agency might abuse the information collected via this smartphone app.

404 Media: The NSA doesn’t share data quickly enough for DCSA’s liking

404 Media today reported that the Defense Counterintelligence and Security Agency (DCSA) “has spent millions of dollars over several years on technology from cyber threat intelligence company Team Cymru” because “it was easier and took less time than getting similar data from the NSA” and other agencies.

DCSA describes itself as “the largest security agency in the federal government dedicated to protecting America’s trusted workforce and trusted workspaces.” That, according to documents obtained by 404 Media, means it wants easy access to information about people “who are planning attacks, insider threats, laundering money, compromising systems, or discussing ways to exploit vulnerabilities.” Buying this data from Team Cymru is like signing up for Amazon Prime instead of buying from someone who ships via USPS. It’s more expensive, sure, but you’ll get what you want in a fraction of the time.

BleepingComputer: Oh, yeah, that libwebp vuln is as severe as it gets

A vulnerability that Google previously identified as a problem in its Chrome browser has been assigned a new identifier, CVE-2023-5129, which reflects that it actually affects the ubiquitous libwebp library. The severity of the vulnerability was also bumped from a respectable 8.8 to the maximum rating of 10. (This is the same vuln I covered a few weeks ago when it was used to deploy spyware to an iPhone.)

BleepingComputer noted that Google’s initial disclosure “caused confusion within the cybersecurity community, prompting questions regarding Google's choice to categorize it as a Google Chrome issue rather than identifying it as a flaw in libwebp.” Hopefully this new identifier—and the maximum severity rating accompanying it—will make it easier for other software makers that depend on libwebp to determine their exposure to the flaw and remediate it within their own offerings.

Group-IB: Illuminating ShadowSyndicate

Group-IB today published a report on a group it’s calling ShadowSyndicate. The company said it’s not certain whether ShadowSyndicate is an initial access broker or a new ransomware-as-a-service affiliate, but the evidence presented within the report suggests it’s the latter, and that it’s been active since last July.

“What is unusual about ShadowSyndicate [...]?” Group-IB said. “Well, it’s incredibly rare for one Secure Shell (SSH) fingerprint to have such a complex web of connections with a large number of malicious servers. In total, we found ShadowSyndicate’s SSH fingerprint on 85 servers since July 2022. Additionally, we can say with various degrees of confidence that the group has used seven different ransomware families over the course of the past year, making ShadowSyndicate notable for their versatility.”
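The pivot Group-IB describes, a single SSH host-key fingerprint turning up on many servers, is easy to reproduce on your own data. The following is an added example (not Group-IB's code) that computes OpenSSH-style SHA256 fingerprints from known_hosts-style lines and groups hosts that present the same key; the hosts and keys are constructed sample data.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def build_ed25519_blob(raw_pubkey: bytes) -> str:
    """Frame a CONSTRUCTED 32-byte value as an OpenSSH ssh-ed25519 key blob (base64)."""
    def ssh_string(b: bytes) -> bytes:  # RFC 4253 string: 4-byte big-endian length + bytes
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)).decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint (as shown by `ssh-keygen -lf`):
    SHA256 over the raw key blob, base64 with the trailing '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cluster_by_fingerprint(known_hosts_lines):
    """Group hosts by the host key they present; lines are '<host> <keytype> <base64 blob>'."""
    clusters = defaultdict(list)
    for line in known_hosts_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _keytype, blob = line.split()[:3]
        clusters[fingerprint(blob)].append(host)
    return dict(clusters)


def shared_keys(clusters, min_hosts=2):
    """Keep only fingerprints seen on at least `min_hosts` distinct hosts: the pivot an
    analyst uses to tie servers to one operator, as Group-IB did across 85 servers."""
    return {fp: hosts for fp, hosts in clusters.items() if len(set(hosts)) >= min_hosts}


# Constructed sample data (documentation-range IPs, fake keys): three hosts reuse key A.
KEY_A = build_ed25519_blob(bytes(range(32)))
KEY_B = build_ed25519_blob(bytes(range(32, 64)))
SAMPLE_KNOWN_HOSTS = [
    f"198.51.100.10 ssh-ed25519 {KEY_A}",
    f"198.51.100.11 ssh-ed25519 {KEY_A}",
    f"203.0.113.7 ssh-ed25519 {KEY_A}",
    f"203.0.113.8 ssh-ed25519 {KEY_B}",
]

if __name__ == "__main__":
    for fp, hosts in shared_keys(cluster_by_fingerprint(SAMPLE_KNOWN_HOSTS)).items():
        print(fp, "->", ", ".join(hosts))
```

Feed it the host-key column of a scan you are allowed to run against your own estate and any fingerprint that appears on more than one host is worth explaining; reuse across unrelated systems usually means cloned images or shared operators.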

Proofpoint: There’s a ZenRAT in my (fake) password manager!

Windows users looking to download the Bitwarden password manager beware: Proofpoint said today that fake versions of the product are infested with a remote access trojan it calls ZenRAT. The company said “it is unknown how the malware is being distributed, however historic activities that have masqueraded as fake software installers have been delivered via SEO Poisoning, adware bundles, or via email.”

Avoiding ZenRAT should be simple—just install Bitwarden from the official website. But many people are likely to search for “Bitwarden” rather than manually entering the URL for the company’s site, and those who do could mistakenly click on a malicious ad rather than the relevant result. Proofpoint said this “seems to be a major driver of infections of this nature, especially within the last year,” which once again raises questions about whether or not people should continue to trust search results. (Probably not.)