Google Maps adds four new features aimed at national park explorers


Google is trying to make it easier for Maps users who love to visit national parks to find and reach their favorite landscapes. To that end, Google has announced four new features arriving in Maps in April, all meant to help users find the information they need when they are heading to a national park.

One of the most important new features coming to Google Maps this month lets users identify the most popular places in a park, including attractions, campgrounds, visitor centers, and trailheads. To get this information, search for the park you’re interested in, then tap any of the photos in the results for more details. These details often include videos and reviews from people who have already visited the location.

Another major upcoming feature lets Maps users see popular trails from start to finish. The app will now highlight a trail’s entire route on the map instead of showing just a pin. Maps will also provide more community-sourced details about a trail, such as what type of trail it is, its difficulty, and whether it’s suitable for running, walking, or cycling.

The next new feature coming later this month is meant to provide more detailed directions in US national parks. Park entrances will be highlighted on the map, so you can request walking or cycling directions to a trail and Maps should point you in the right direction.

Last but not least, another useful feature coming to Maps in April allows users to bring Maps offline and still be able to check the app. A new way to download an offline map for a park will become available once the app gets updated. Simply tap the “download” button on the park’s Google Maps listing to download it for offline use.

According to Google, the four new features will be coming to all US national parks in April, and they will be rolled out to parks around the world in the coming months. Naturally, the features will be available on iOS and Android devices.



Ukrainian Hackers Breach Email of APT28 Leader, Who’s Wanted by FBI


The email hack allowed hacktivists to extract highly sensitive documents, along with the personal details of the APT28 leader and Russian GRU officer, Lieutenant Colonel Sergey Alexandrovich Morgachev.

Ukrainian hacktivist group Cyber Resistance, also known as Ukrainian Cyber Alliance, has claimed to have hacked the email, social media, and personal accounts of Russian GRU officer Lieutenant Colonel Sergey Alexandrovich Morgachev (Sergey Aleksandrovich Morgachev). The information was shared with a volunteer intelligence community called InformNapalm.

Notably, Cyber Resistance, the same group mentioned in a previous report by Hackread.com, was involved in a recent hack of Russian Colonel Sergey Valeriyevich Artoshchenko’s email accounts. The hack was carried out by convincing his wife and several other military wives to participate in a patriotic photoshoot while wearing their husbands’ uniforms.

Morgachev, a Kyiv native, is the leader of APT28, Russia’s most notorious hacking group, and simultaneously worked for Russia’s Main Intelligence Directorate of the General Staff of the Russian Army (GRU).

This unit comprises officers of the GRU’s 85th Main Special Service Center military units #26165 and #74455. Morgachev is wanted by the Federal Bureau of Investigation (FBI) for his involvement in devastating cybercrimes globally.

Sergey Aleksandrovich Morgachev in the FBI’s list of wanted hackers (Screenshot: FBI)

APT28, also known as Pawn Storm and Fancy Bear, directly reports to the Russian military intelligence agency and has carried out cyberattacks against high-profile entities in various countries including the USA, Italy, Germany, Estonia, The Netherlands, Czech Republic, Norway, Poland, and Ukraine. APT28 made headlines during the 2016 US elections after hacking the servers of the US Democratic Party.

In 2016, APT28 was also involved in phishing attacks against authorities investigating the MH17 crash and was accused of posing as ISIS to send death threats to US army wives in 2018.

The hacking of Morgachev’s accounts was carried out by gaining access to his personal account on the government services portal, where the hackers verified the data they had previously obtained from document scans and his current residence and place of service addresses.

According to InformNapalm, the hackers also accessed Morgachev’s AliExpress account and ordered goods for him, including souvenirs featuring the FBI’s logo and adult toys, using his card for payment. The hacktivists confirmed that one parcel is on its way to the recipient. They also hacked Morgachev’s social media accounts.

The hacktivists shared Morgachev’s private correspondence with InformNapalm volunteers, who then released the data into the public domain. The compromised documents included three scanned copies of Morgachev’s personal documents, including Form 4 and passport, as well as his fresh medical certificate dated 13 December 2022, which is required for security clearance to access classified documents.

The hack allowed the extraction of location, passport, personal photos, AliExpress purchases, and more. (Screenshot: InformNapalm)

This incident highlights the increasing threat posed by Cyber Resistance and other Ukrainian hacktivist groups to Russia’s critical infrastructure, government, and non-government entities.


Israeli Cyber Mercenary Behind iPhone Hacks


Government hackers equipped with QuaDream’s exploit used malicious calendar invites with dates in the past to deliver spyware.

A little-known cyber mercenary company, QuaDream, has been identified by researchers at Microsoft and digital rights group Citizen Lab as the creator of malware that was used to hack into the iPhones of journalists, political opposition figures, and an NGO worker.

QuaDream, an Israeli spyware maker, reportedly develops zero-click exploits, which are hacking tools that do not require the target to click on malicious links, for iPhones. The final payload of QuaDream’s malware includes recording phone calls, surreptitiously capturing audio using the phone’s microphone, taking pictures, stealing files, tracking the person’s granular location, and deleting forensic traces of its existence.

Image credit: Citizen Lab

Citizen Lab’s report states that its researchers were able to trace QuaDream’s spyware by identifying particular marks left by the malware, which they have referred to as the “Ectoplasm Factor.” However, the researchers have decided not to disclose these marks to ensure their ability to track the malware in the future.

The researchers have identified more than five victims, including an NGO worker, politicians, and journalists, whose iPhones were hacked in Europe, North America, the Middle East, and Southeast Asia. However, the researchers have decided not to disclose the victims’ names, as they do not want to jeopardize their safety.

The fact that the victims are in different countries also makes it harder for them to come forward, according to a senior researcher at Citizen Lab.

Although QuaDream has managed to stay under the radar, Israeli newspaper Haaretz reported in 2021 that it sold its wares to Saudi Arabia. A year later, Reuters reported that QuaDream sold an exploit to hack iPhones, which is comparable to the one provided by NSO Group.

It’s important to note that QuaDream does not run the spyware itself, but rather its government customers operate it, which is a common practice in the surveillance technology sector.

According to internet scans conducted by Citizen Lab, QuaDream’s customers operated servers in several countries worldwide, including the following:

  • Israel
  • Ghana
  • Mexico
  • Bulgaria
  • Romania
  • Hungary
  • Singapore
  • Uzbekistan
  • Czech Republic
  • United Arab Emirates (UAE)

In a blog post, Microsoft labelled QuaDream an Israel-based private sector offensive actor (PSOA) that sells REIGN, a suite of exploits, to governments. The suite includes malware and infrastructure developed to exfiltrate data from targeted smartphones.

The exploit utilized by QuaDream targeted iOS 14 and was a zero-day, meaning the vulnerability was neither known to nor fixed by Apple at the time. Government hackers equipped with QuaDream’s exploit used malicious calendar invites with dates in the past to deliver the malware; such invites do not trigger a notification on the phone, making the attack invisible to the target.

QuaDream uses a Cyprus-based company called InReach to sell its products, according to Citizen Lab researchers, and this has been confirmed by a person who has worked in the spyware industry.

The discovery of QuaDream’s malware highlights once again that the spyware industry is not only made up of NSO Group but there are several other companies, most of which are still flying under the radar.


Google Cross-Device service allows for streaming apps to ChromeOS


If you are deeply invested in the Google ecosystem, you will find the new Cross-Device service app useful. The feature, which is now rolling out, enables cross-collaboration between Android devices and Chromebooks. Google previewed it during CES 2023 in January, and it is now available.

With this feature, Chromebook users can easily access the apps on their Android device directly from the laptop screen. So there will be no need to reach out to your smartphone while working or studying whenever you need to make use of an app. You simply pull up the app from your Chromebook and perform whatever actions without touching your smartphone.

This feature joins the long list of other cross-collaboration features that exist between Chromebooks and Android devices. If you make use of a Chromebook and an Android device, you will find this feature intriguing. It might also interest you to know that you can easily activate the Google Cross-Device service app for usage between your devices (Android and ChromeOS).

A quick glimpse of what to expect from app streaming as shown by the Google Cross-Device service app

Google is yet to widely roll out this app streaming to Chromebook feature to most Android devices. But some ChromeOS users that have Pixel devices are getting a glimpse of what this feature brings to the table. This is possible through the Cross-Device service app that comes with Google Pixel devices.

Users like Mishaal Rahman have already begun experimenting with this app streaming feature. The Android expert took to his Twitter account to share more information on this feature from his experience so far. Although the Google Cross-Device service app comes bundled with Pixel devices, it isn’t limited to them.

Other devices running Android 13 can access this feature via the Google Play Store. Once you have confirmed that you have this app on your Android device, head over to your Chromebook and open the Phone Hub. This is the little phone icon that sits on the right-hand side of the taskbar.

Ensure that your smartphone with the Cross-Device service app is connected to your Chromebook via the settings icon. If it is, you need to head over to your Android device and enable app streaming. To do this, open settings on your Android device and head over to ‘connected devices.’

Next, open connection preferences, select Chromebook, and finally enable the apps option in the list that pops up. Once these steps are done, you will be able to stream your apps to your Chromebook: any app you open on your Android smartphone will pop up on your Chromebook, where you can open and use it.

All functions and permissions the app comes with will also be available on your Chromebook. This means you will be able to use your Chromebook’s camera, microphone, speakers, and so on while streaming your Android device’s apps. At the moment, this feature is still rolling out to Chromebooks via a system update, so if you can’t stream your apps right after setting it up, don’t panic; an upcoming update to your Chromebook will bring the feature.

 



Apple releases second beta of iOS 16.5 & iPadOS 16.5


Apple has started to seed the second beta of iOS 16.5 and iPadOS 16.5 to developers. This comes roughly two weeks after the first beta launched, which is quite common for Apple, with subsequent betas typically arriving at shorter intervals.

If you’re a registered developer, you can download iOS 16.5 and iPadOS 16.5 onto your eligible devices today. Head over to Settings > General > Software Update, tap the “Beta Updates” option, and toggle on the iOS 16/iPadOS 16 Developer Beta option.

Keep in mind that starting with iOS 16.4, which launched last month, only registered developers can access the developer betas. If you are not a registered developer, you will need to sign up, which costs $99 per year.

What’s new in iOS 16.5?

iOS 16.5 is going to be a rather small update, especially with iOS 17 due to be announced in June at WWDC. Still, there are a few new things coming in iOS 16.5. One is a new Sports tab within the Apple News app, which makes it easier for users to access sports-focused content and lets you follow your favorite teams so you get regular updates on them.

The update also adds a new Siri option for starting a screen recording with a voice command. And that’s about it for what’s new in iOS 16.5.

Apple could include some other changes in this second beta, but don’t expect a very large update; it will likely be mostly a bug-fixing release, much like iOS 17 is expected to be. So when could Apple launch iOS 16.5? Likely in May, possibly around the second or third week of the month, as long as no major bugs turn up in these betas.



OnePlus beefs up and rebrands its Zen Mode app without telling anybody

The amount of time we spend on our phones has continued to increase every year, which has not gone unnoticed by the manufacturers making them. That is why most phones now ship with some kind of feature or app that helps users keep track of the hours they spend on their daily drivers and regulate it.

OnePlus added its own solution to this issue by launching the Zen Mode app with the OnePlus 7 Pro back in 2019 (one of the best Android phones of its time). Since then, the application has been used by many of the company’s fans, and it has now received a significant upgrade alongside a slight rebranding, as noticed by a member of the OnePlus forum nicknamed Some_Random_Username (via AndroidAuthority).

The app has been renamed from Zen Mode to Zen Space, and its icon has been refreshed. The changes are not only visual, though: OnePlus has added new features and expanded old ones, making the app a more useful tool for those who rely on it.

OnePlus Zen Mode/Zen Space app improvements


The app now gives users two options when choosing to go “Zen”. Deep Zen mode is used when you want to completely detach yourself from using your OnePlus phone, blocking all functionality besides taking photos and making/taking emergency calls.

Light Zen mode, on the other hand, is less strict with its restrictions. It allows you to pick apps that would not be affected while you are taking a break. Additionally, unlike Deep Zen mode, Light Zen mode gives you the option to exit it completely, and use the phone as you would usually.

There are two presets that come with Light Zen mode — Work and Study. Both make use of the Work Life Balance feature and pick the apps that would make sense to be included. Of course, you can edit that list of apps if you want to add or remove any.

The Zen Space app comes with a redesigned look in the form of new themes, and you can now also track your Zen session via the Always-On Display, where the app will give you reminders and some at-a-glance information about your progress.

On top of everything else, OnePlus has added more time durations, new achievement medals, and a dashboard to check your weekly statistics.


Accused of Supplying Hacking Tools to Russia


If found guilty, the accused, Andrey Shevlyakov, could be sentenced to up to 20 years in prison.

Andrey Shevlyakov, an Estonian citizen, was taken into custody on March 28th, 2023, in Estonia, accused of conspiracy and other offences related to his efforts to obtain U.S.-made electronics for the Russian government and military.

Shevlyakov had been on the Department of Commerce’s Entity List since 2012, which designates individuals and companies barred from exporting items from the United States without a license.

Despite being on the list, Shevlyakov was able to run an intricate logistics operation involving frequent smuggling trips across the Russian border using front companies and false names to evade restrictions.

Shevlyakov obtained sensitive electronic equipment from American manufacturers for Russian end-users, such as defence contractors and other government agencies. Had these items been ordered directly for delivery to Russia, they would have been unavailable to those end-users.

The items that Shevlyakov purchased included low-noise pre-scalers and synthesizers used to conduct high-frequency communications and analogue-to-digital converters found in most defence systems that must respond to environmental conditions, including software-defined radio, avionics, missiles, and electronic warfare systems.

During his communications with customers based in Russia, he discussed whether certain orders contained “military” goods. In addition, he tried to obtain computer hacking tools, such as a licensed version of Metasploit Pro, which is an American-made software tool used to penetrate computer networks. Although Metasploit is primarily designed to assess network vulnerabilities, it is also commonly used by hackers.

According to the Department of Justice’s (DOJ) press release, the indictment and other court documents allege that Shevlyakov’s intricate and deceptive methods enabled him to obtain highly sensitive American-made electronics for the Russian military, and that his unlawful acquisition of advanced U.S. technology endangered the lives of both U.S. and Ukrainian citizens.

FBI Houston Special Agent in Charge James Smith said, “FBI Houston will continue to work with our valued international partners, especially the Estonian Internal Security Service (KAPO), to investigate and disrupt actors who illicitly support the unprovoked invasion of Ukraine by Russian armed forces.”

If found guilty, the accused could be sentenced to up to 20 years in prison. The National Security and Cybercrime Section of the Office is overseeing the government’s case against the defendant.


Sophos Web Appliance Flaw Let Attacker Execute Arbitrary Code


Sophos has released a security advisory covering fixes for three significant vulnerabilities in Sophos Web Appliance (SWA), the most severe of which allow threat actors to inject and execute arbitrary code on the appliance.

CVE(s):

CVE-2023-1671 – Pre-Auth Command Injection in Sophos Web Appliance

CVSS Score: 9.8 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

This vulnerability exists on the warn-proceed handler, allowing threat actors to execute arbitrary code. An external security researcher reported it through the Sophos Bug Bounty Program.

Vulnerable Products:

Sophos Web Appliance 4.3.10.4 and older versions

CVE-2022-4934 – Post-Auth Command Injection in Sophos Web Appliance

CVSS Score: 7.2 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

This vulnerability exists on the exception wizard handler, allowing administrators to execute arbitrary code. An external security researcher reported it through the Sophos Bug Bounty Program.

Vulnerable Products:

Sophos Web Appliance 4.3.10.4 and older versions

CVE-2020-36692 – Reflected XSS via POST method in Sophos Web Appliance

CVSS Score: 5.4 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

This vulnerability exists in the report scheduler and allows a threat actor to execute JavaScript in the victim’s browser. To exploit it, the attacker must trick a victim who is logged on to Sophos Web Appliance into submitting a malicious form hosted on a compromised website. An external security researcher reported it through the Sophos Bug Bounty Program.

Vulnerable Products:

Sophos Web Appliance 4.3.10.4 and older versions

Recommendations:

  • Sophos has released patches for these vulnerabilities; no customer action is required, because Sophos Web Appliance installs updates automatically.
  • Sophos also recommends that Sophos Web Appliance not be exposed to the internet.

Release Notes:

Work Order   Description
NSWA-1689    Resolved an XSS vulnerability in the report scheduler (CVE-2020-36692).
NSWA-1756    Resolved a vulnerability in the exception wizard (CVE-2022-4934).
NSWA-1763    Resolved a vulnerability in the warning page handler (CVE-2023-1671).


YouTube opens presales of NFL Sunday Ticket with massive discount


It was announced a few months ago that NFL Sunday Ticket would have a new home this fall, but we didn’t know the pricing or when sign-ups would open. Today we know how much it will cost.

For those on the YouTube TV base package, it’ll cost you $249 for the season. You can also get it bundled with NFL RedZone for $289 for the season during the presale.

The presale period is ongoing from now until June 6. Once the presale period is over, the NFL Sunday Ticket will jump in price by $100, to $349 for the season.

How does that compare with DIRECTV? When DIRECTV offered NFL Sunday Ticket, it was $293.94 for the season, or $395.94 for the season with the Max package that offers extra content. So the price is going up, but not by as much as many had thought, as long as you have YouTube TV.

Remember that YouTube touted that you don’t need to subscribe to YouTube TV to get NFL Sunday Ticket. So how much is it without YouTube TV? Well, during the presale period, it’ll be $349 for the season. Afterwards, it’ll jump to $449 for the season.

Why is NFL Sunday Ticket so pricey?

Many may be wondering why the NFL Sunday Ticket package is so expensive. To put it simply, it has to be. The NFL already has deals with CBS and FOX for airing local games, and since NFL Sunday Ticket carries both in-market and out-of-market games, it has to cost more to carry those in-market games. So it has always been rather expensive.

YouTube is also likely looking to recoup some of the money that it paid the NFL for the package. It’s reported that Google is paying the NFL around $2 billion per year for the NFL Sunday Ticket.

The company has also debuted a new multiview feature that lets users watch multiple games at the same time. It debuted during March Madness and should be part of the NFL Sunday Ticket package.


CISA Urges to Fix Backup Exec Bug


A new ALPHV (aka BlackCat) ransomware affiliate, tracked as UNC4466, has been identified. The affiliate targets Veritas Backup Exec installations vulnerable to CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878; these CVEs are used for initial access only.

A commercial internet scanning tool found roughly 8,500 internet-exposed Veritas Backup Exec installations. The number still running unpatched versions is likely to be significant.

In the past, ALPHV intrusions typically began with stolen credentials; this one began by exploiting known vulnerabilities, which marks a shift in the affiliate’s tradecraft.

ALPHV, released in November 2021 as ransomware-as-a-service, is the successor of the BLACKMATTER and DARKSIDE ransomware families. Some ransomware is designed to avoid critical infrastructure, but ALPHV is still in the wild targeting sensitive industries.

CVE(s)

CVE: CVE-2021-27876
Vendor/Project: Veritas
Product: Backup Exec Agent
Vulnerability Name: Veritas Backup Exec Agent File Access Vulnerability
Date Added to Catalog: 2023-04-07
Short Description: Veritas Backup Exec (BE) Agent contains a file access vulnerability that could allow an attacker to specially craft input parameters on a data management protocol command to access files on the BE Agent machine.
Action: Apply updates per vendor instructions.
Due Date: 2023-04-28

CVE: CVE-2021-27877
Vendor/Project: Veritas
Product: Backup Exec Agent
Vulnerability Name: Veritas Backup Exec Agent Improper Authentication Vulnerability
Date Added to Catalog: 2023-04-07
Short Description: Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme.
Action: Apply updates per vendor instructions.
Due Date: 2023-04-28

CVE: CVE-2021-27878
Vendor/Project: Veritas
Product: Backup Exec Agent
Vulnerability Name: Veritas Backup Exec Agent Command Execution Vulnerability
Date Added to Catalog: 2023-04-07
Short Description: Veritas Backup Exec (BE) Agent contains a command execution vulnerability that could allow an attacker to use a data management protocol command to execute a command on the BE Agent machine.
Action: Apply updates per vendor instructions.
Due Date: 2023-04-28

Source: CISA

Timeline

  • March 2021 – Veritas publishes advisories for Veritas Backup Exec 16.x, 20.x and 21.x.
  • September 23, 2022 – Metasploit releases a module exploiting the affected Veritas Backup Exec versions.
  • October 22, 2022 – Mandiant observes the Veritas vulnerabilities being exploited in the wild.

Attack Phases of ALPHV

Initial Compromise and Establish Foothold

UNC4466 used the Metasploit module exploit/multi/veritas/beagent_sha_auth_rce against internet-facing Windows servers running Veritas Backup Exec. The Metasploit persistence module was then used to maintain access to the systems for the remainder of the intrusion.

Internal Reconnaissance

Once UNC4466 had access to the Veritas Backup Exec server, they used Internet Explorer to download Famatech’s Advanced IP Scanner from its website. This tool can scan individual IP addresses or ranges and enumerate ports, hostnames, and system hardware information.

UNC4466 also performed Active Directory reconnaissance with ADRecon to gather network, host, and account information from the victim’s environment.

With a privileged domain account, ADRecon will generate several reports about the AD environment, Trusts, sites, subnets, password policies, and computer and user account listings.

Another advantage is that these reports can be downloaded in the required formats like CSV, XML, JSON, and HTML.

Ingress Tool Transfer

Once they gained privileged access, they transferred additional tools like LAZAGNE, LIGOLO, WINSW, RCLONE, and the ALPHV ransomware encryptor.

C&C (Command and Control)

For communication with these systems, UNC4466 used SOCKS5 tunneling into the victim network. Tools such as LIGOLO and REVSOCKS were deployed to evade network defenses and intrusion prevention systems.

They used BITS transfers to download several resources to the staging directory “C:\ProgramData”, over the SOCKS5 tunnels provided by REVSOCKS and LIGOLO.

Escalate Privileges

For dumping the credentials, the threat actor used tools like Mimikatz, LaZagne, and Nanodump to gather the credentials in clear text.

As per reports, in November 2022 UNC4466 used the MIMIKATZ Security Support Provider injection module (MISC::MemSSP), which manipulates the Local Security Authority Subsystem Service (LSASS) to collect credentials in clear text and stores them in a file named “C:\Windows\System32\mimilsa.log”.

Source: Mandiant

Complete Mission

ALPHV, the ransomware UNC4466 deploys, is written in Rust. The group also modified the default domain policy so that it disables security software, downloads the ALPHV encryptor, and executes it.

Exposure

As stated, a commercial internet scanning tool found nearly 8500 IP addresses running Veritas Backup Exec service (Symantec/Veritas Backup Exec ndmp) on ports 10000, 9000, and 10001.

The scan did not determine which of these systems run vulnerable versions, so any that remain unpatched are exposed to exploitation.

Detection

For systems running Veritas Backup Exec versions before 21.2, every internet-facing instance should be prioritized for patching.

On exploited systems, the following entries appear in the Backup Exec log file. For detection and alerting, forward the file to the SIEM and create an alert for these events.

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr]      + ndmpd.cpp (nnn):
[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr]      | Session 1 started
[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr]      - sslOpen() : Opening SSL for: 0x00000
[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr]      - sslOpen(): certinfo = 0x00000; sslConn = 0x00000
[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpcomm]      - ndmpRun: Control connection accepted : connection established between end-points [Server IP]:10000 and [Remote IP]:[remote port]
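The log format above is enough to build the SIEM rule the article recommends. The following detection logic is an added example, not code from Mandiant, Veritas or this report: it parses the “Control connection accepted” line of the ndmp log, extracts the remote end-point, and raises an alert when the peer is outside the organisation’s internal ranges or matches one of the network indicators listed further down this page. The sample log lines, the internal address ranges and the server addresses (10.0.0.7, 10.0.0.25, 203.0.113.5) are constructed for the example.

```python
import ipaddress
import re

# Pattern for the "Control connection accepted" entry of the Backup Exec ndmp log
# in the format quoted above (component name "ndmp\ndmpcomm" as in the article).
CONTROL_CONN_RE = re.compile(
    r"^\[(?P<pid>\d+)\]\s+(?P<ts>\S+)\s+\[ndmp\\ndmpcomm\]\s+-\s+ndmpRun: Control connection accepted"
    r".*?between end-points\s+(?P<server_ip>[\d.]+):(?P<server_port>\d+)"
    r"\s+and\s+(?P<remote_ip>[\d.]+):(?P<remote_port>\d+)"
)

# Ports on which the internet scan described in the article found the Backup Exec ndmp service.
BACKUP_EXEC_PORTS = {9000, 10000, 10001}

# Ranges treated as "inside" for this example (assumption: RFC 1918 plus loopback;
# a real deployment substitutes its own backup-network ranges).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Network indicators published with the report, refanged from the page's "45[.]61[.]138[.]109" form.
IOC_IPS = {"45.61.138.109", "185.141.62.123", "5.199.169.209", "185.99.135.115"}

# Constructed sample log: 10.0.0.7 is the Backup Exec server, 10.0.0.25 a legitimate internal
# peer, 203.0.113.5 an arbitrary outside address (documentation range), and the last line
# uses one of the report's indicator addresses.
SAMPLE_LOG = """\
[1234] 2023-04-07T10:15:01.001 [ndmp\\ndmpsrvr]      + ndmpd.cpp (512):
[1234] 2023-04-07T10:15:01.002 [ndmp\\ndmpsrvr]      | Session 1 started
[1234] 2023-04-07T10:15:01.003 [ndmp\\ndmpsrvr]      - sslOpen() : Opening SSL for: 0x00000
[1234] 2023-04-07T10:15:01.004 [ndmp\\ndmpsrvr]      - sslOpen(): certinfo = 0x00000; sslConn = 0x00000
[1234] 2023-04-07T10:15:01.005 [ndmp\\ndmpcomm]      - ndmpRun: Control connection accepted : connection established between end-points 10.0.0.7:10000 and 10.0.0.25:51022
[1234] 2023-04-07T10:20:44.120 [ndmp\\ndmpcomm]      - ndmpRun: Control connection accepted : connection established between end-points 10.0.0.7:10000 and 203.0.113.5:45815
[1234] 2023-04-07T10:21:09.330 [ndmp\\ndmpcomm]      - ndmpRun: Control connection accepted : connection established between end-points 10.0.0.7:9000 and 45.61.138.109:41703
"""


def parse_control_connections(log_text):
    """Extract every accepted ndmp control connection as a dict of its end-points."""
    events = []
    for line in log_text.splitlines():
        m = CONTROL_CONN_RE.match(line)
        if m is None:
            continue  # session-start and sslOpen lines carry no peer address
        events.append({
            "ts": m["ts"],
            "server_ip": m["server_ip"],
            "server_port": int(m["server_port"]),
            "remote_ip": m["remote_ip"],
            "remote_port": int(m["remote_port"]),
        })
    return events


def classify(event):
    """Return the reasons an accepted connection deserves an alert (empty list means benign)."""
    reasons = []
    if event["server_port"] not in BACKUP_EXEC_PORTS:
        return reasons
    remote = ipaddress.ip_address(event["remote_ip"])
    if event["remote_ip"] in IOC_IPS:
        reasons.append("known-ioc")
    if not any(remote in net for net in INTERNAL_NETS):
        reasons.append("external-source")
    return reasons


def find_suspicious_connections(log_text):
    """Alert tuples (timestamp, remote ip, remote port, reasons) for a SIEM rule to emit."""
    alerts = []
    for ev in parse_control_connections(log_text):
        reasons = classify(ev)
        if reasons:
            alerts.append((ev["ts"], ev["remote_ip"], ev["remote_port"], tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for ts, ip, port, reasons in find_suspicious_connections(SAMPLE_LOG):
        print(f"{ts} control connection from {ip}:{port} -> {', '.join(reasons)}")
```

Run against the constructed log, the internal peer is ignored and the two outside connections are flagged, the second on both grounds. In practice the “external-source” rule is the durable one: indicator addresses rotate, whereas a Backup Exec agent accepting control connections from outside the backup network is anomalous regardless of who is behind it.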

For further information on this report, Mandiant has provided a complete analysis of the MITRE Framework and other technical details.

Indicators of Compromise

Hash                              Tool
da202cc4b3679fdb47003d603a93c90d  MIMIKATZ
5fe66b2835511f9d4d3703b6c639b866  NANODUMP
1f437347917f0a4ced71fb7df53b1a05  LIGOLO
b41dc7bef82ef384bc884973f3d0e8ca  REVSOCKS
c590a84b8c72cf18f35ae166f815c9df  Sysinternals PSEXEC
24b0f58f014bd259b57f346fb5aed2ea  WINSW
e31270e4a6f215f45abad65916da9db4  REVSOCKS
4fdabe571b66ceec3448939bfb3ffcd1  Advanced Port Scanner
68d3bf2c363144ec6874ab360fdda00a  LAZAGNE
ee6e0cb1b3b7601696e9a05ce66e7f37  ALPHV
f66e1d717b54b95cf32154b770e10ba4  METASPLOIT
17424a22f01b7b996810ba1274f7b8e9  METASPLOIT

Network indicators:
45[.]61[.]138[.]109
185[.]141[.]62[.]123
5[.]199[.]169[.]209
45[.]61[.]138[.]109:45815
45[.]61[.]138[.]109:43937
45[.]61[.]138[.]109:36931
5[.]199[.]169[.]209:31600
45[.]61[.]138[.]109:41703
185[.]99[.]135[.]115:39839
185[.]99[.]135[.]115:41773
45[.]61[.]138[.]109:33971
185[.]141[.]62[.]123:50810
185[.]99[.]135[.]115:49196
hxxp://185[.]141[.]62[.]123:10228/update[.]exe
