0x815


- Hackers working for the Chinese government gained access to more than 20,000 VPN appliances sold by Fortinet using a critical vulnerability that the company failed to disclose for two weeks after fixing it, Netherlands government officials said.

- The Netherlands officials first reported in February that Chinese state hackers had exploited CVE-2022-42475 to install an advanced and stealthy backdoor tracked as CoatHanger on Fortigate appliances inside the Dutch Ministry of Defense.

- Chinese state hackers have used the critical vulnerability to infect more than 20,000 FortiGate VPN appliances sold by Fortinet. Targets include dozens of Western government agencies, international organizations, and companies within the defense industry.

The vulnerability, tracked as CVE-2022-42475, is a heap-based buffer overflow that allows hackers to remotely execute malicious code. It carries a severity rating of 9.8 out of 10. A maker of network security software, Fortinet silently fixed the vulnerability on November 28, 2022, but failed to mention the threat until December 12 of that year, when the company said it became aware of an “instance where this vulnerability was exploited in the wild.” On January 11, 2023—more than six weeks after the vulnerability was fixed—Fortinet warned a threat actor was exploiting it to infect government and government-related organizations with advanced custom-made malware.

Enter CoatHanger

The Netherlands officials first reported in February that Chinese state hackers had exploited CVE-2022-42475 to install an advanced and stealthy backdoor tracked as CoatHanger on Fortigate appliances inside the Dutch Ministry of Defense. Once installed, the never-before-seen malware, specifically designed for the underlying FortiOS operating system, was able to permanently reside on devices even when rebooted or receiving a firmware update. CoatHanger could also escape traditional detection measures, the officials warned. The damage resulting from the breach was limited, however, because infections were contained inside a segment reserved for non-classified uses.

On Monday, officials with the Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service in the Netherlands said that to date, Chinese state hackers have used the critical vulnerability to infect more than 20,000 FortiGate VPN appliances sold by Fortinet. Targets include dozens of Western government agencies, international organizations, and companies within the defense industry.

“Since then, the MIVD has conducted further investigation and has shown that the Chinese cyber espionage campaign appears to be much more extensive than previously known,” Netherlands officials with the National Cyber Security Center wrote. “The NCSC therefore calls for extra attention to this campaign and the abuse of vulnerabilities in edge devices.”

Monday’s report said that exploitation of the vulnerability started two months before Fortinet first disclosed it and that 14,000 servers were backdoored during this zero-day period. The officials warned that the Chinese threat group likely still has access to many victims because CoatHanger is so hard to detect and remove.

Netherlands government officials wrote in Monday’s report:

Since the publication in February, the MIVD has continued to investigate the broader Chinese cyber espionage campaign. This revealed that the state actor gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023 through the vulnerability with the identifier CVE-2022-42475. Furthermore, research shows that the state actor behind this campaign was already aware of this vulnerability in FortiGate systems at least two months before Fortinet announced the vulnerability. During this so-called 'zero-day' period, the actor alone infected 14,000 devices. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry.

The state actor installed malware at relevant targets at a later date. This gave the state actor permanent access to the systems. Even if a victim installs security updates from FortiGate, the state actor continues to have this access.

It is not known how many victims actually have malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data.

Even with the technical report on the COATHANGER malware, infections from the actor are difficult to identify and remove. The NCSC and the Dutch intelligence services therefore state that it is likely that the state actor still has access to systems of a significant number of victims.

Fortinet’s failure to timely disclose is particularly acute given the severity of the vulnerability. Disclosures are crucial because they help users prioritize the installation of patches. When a new version fixes minor bugs, many organizations often wait to install it. When it fixes a vulnerability with a 9.8 severity rating, they’re much more likely to expedite the update process. Given the vulnerability was being exploited even before Fortinet fixed it, the disclosure likely wouldn't have prevented all of the infections, but it stands to reason it could have stopped some.

Fortinet officials have never explained why they didn’t disclose the critical vulnerability when it was fixed. They have also declined to disclose what the company policy is for the disclosure of security vulnerabilities. Company representatives didn’t immediately respond to an email seeking comment for this post.

 

Mozilla, the maker of the popular web browser Firefox, said it received government demands to block add-ons that circumvent censorship.

The Mozilla Foundation, the entity behind the web browser Firefox, is blocking various censorship circumvention add-ons for its browser, including ones specifically to help those in Russia bypass state censorship. The add-ons were blocked at the request of Russia’s federal censorship agency, Roskomnadzor — the Federal Service for Supervision of Communications, Information Technology, and Mass Media — according to a statement by Mozilla to The Intercept.

“Following recent regulatory changes in Russia, we received persistent requests from Roskomnadzor demanding that five add-ons be removed from the Mozilla add-on store,” a Mozilla spokesperson told The Intercept in response to a request for comment. “After careful consideration, we’ve temporarily restricted their availability within Russia. Recognizing the implications of these actions, we are closely evaluating our next steps while keeping in mind our local community.”

Stanislav Shakirov, the chief technical officer of Roskomsvoboda, a Russian open internet group, said he hoped it was a rash decision by Mozilla that will be more carefully examined.

“It’s a kind of unpleasant surprise because we thought the values of this corporation were very clear in terms of access to information, and its policy was somewhat different,” Shakirov said. “And due to these values, it should not be so simple to comply with state censors and fulfill the requirements of laws that have little to do with common sense.”

Developers of digital tools designed to get around censorship began noticing recently that their Firefox add-ons were no longer available in Russia.

On June 8, the developer of Censor Tracker, an add-on for bypassing internet censorship restrictions in Russia and other former Soviet countries, made a post on the Mozilla Foundation’s discussion forums saying that their extension was unavailable to users in Russia.

The developer of another add-on, Runet Censorship Bypass, which is specifically designed to bypass Roskomnadzor censorship, posted in the thread that their extension was also blocked. The developer said they did not receive any notification from Mozilla regarding the block.

Two VPN add-ons, Planet VPN and FastProxy — the latter explicitly designed for Russian users to bypass Russian censorship — are also blocked. VPNs, or virtual private networks, are designed to obscure internet users’ locations by routing users’ traffic through servers in other countries.

The Intercept verified that all four add-ons are blocked in Russia. If the webpage for the add-on is accessed from a Russian IP address, the Mozilla add-on page displays a message: “The page you tried to access is not available in your region.” If the add-on is accessed with an IP address outside of Russia, the add-on page loads successfully.

Supervision of Communications

Roskomnadzor is responsible for “control and supervision in telecommunications, information technology, and mass communications,” according to the Russian federal censorship agency’s English-language page.

In March, the New York Times reported that Roskomnadzor was increasing its operations to restrict access to censorship circumvention technologies such as VPNs. In 2018, there were multiple user reports that Roskomnadzor had blocked access to the entire Firefox Add-on Store.

According to Mozilla’s Pledge for a Healthy Internet, the Mozilla Foundation is “committed to an internet that includes all the peoples of the earth — where a person’s demographic characteristics do not determine their online access, opportunities, or quality of experience.” Mozilla’s second principle in their manifesto says, “The internet is a global public resource that must remain open and accessible.”

The Mozilla Foundation, which in tandem with its for-profit arm Mozilla Corporation releases Firefox, also operates its own VPN service, Mozilla VPN. However, it is only available in 33 countries, a list that doesn’t include Russia.

The same four censorship circumvention add-ons also appear to be available for other web browsers without being blocked by the browsers’ web stores. Censor Tracker, for instance, remains available for the Google Chrome web browser, and the Chrome Web Store page for the add-on works from Russian IP addresses. The same holds for Runet Censorship Bypass, VPN Planet, and FastProxy.

“In general, it’s hard to recall anyone else who has done something similar lately,” said Shakirov, the Russian open internet advocate. “For the last few months, Roskomnadzor (after the adoption of the law in Russia that prohibits the promotion of tools for bypassing blockings) has been sending such complaints about content to everyone.”

 


Russia’s Supreme Court has banned the vaguely defined “Anti-Russian Separatist Movement” as an “extremist” organization, the independent news website Mediazona reported Friday.

Rights groups say they have not been able to find a formal organization called the “Anti-Russian Separatist Movement,” leading to speculation that the authorities could use the designation as a pretext for wider criminal prosecutions of anti-war, anti-colonial or Indigenous rights activists.

Russia’s Justice Ministry, which initiated the “extremism” claim in April, defined the “anti-Russian separatist” group as an “international public movement to destroy the multinational unity and territorial integrity of Russia.”

Mediazona said its correspondent asked a ministry official ahead of the hearing to rule on the designation whether they “have any guesses” about what constitutes an “anti-Russian separatist movement.”

“We don’t just guess, we know,” the Justice Ministry official was quoted as saying without commenting further.

Russia’s Supreme Court designated both the “Anti-Russian Separatist Movement” and its “structural divisions” after convening a closed-door hearing Friday, Mediazona said. The designation means anyone convicted of association with the vaguely defined organization could be imprisoned for up to six years.

The court previously banned the similarly nonexistent “Ya/My Furgal movement” in support of a jailed ex-governor, as well as the “international LGBT public movement,” which has prompted a sweeping crackdown on public displays of LGBTQ+ identities and lifestyles.

 

The timing of the announcement on the Rwanda scheme, which is estimated to cost more than £500m over five years, has prompted scorn from Labour.

A party source said: “Is there any more blatant sign that [former immigration minister Robert] Jenrick was right about this all being symbolic before an election than this mad flurry of stories?

“The core substance though hasn’t changed. This is a tiny scheme at an extortionate cost and the criminal gangs will see through this con.”

Downing Street categorically denied this. The prime minister’s press secretary said: “From our part there isn’t really a day to lose when people are dying in the Channel having been induced into boats by gangs.

 

Cross-posted from: https://feddit.de/post/11646748

Belgium reportedly denied Ahmed Alhashimi asylum by arguing that Basra, his hometown in Iraq, was classified as a safe area. He said his children spent the last seven years staying with a relative in Sweden, but that he was recently informed that they would be deported, with him, to Iraq.

"If I knew there was a 1% chance that I could keep the kids in Belgium or France or Sweden or Finland I would keep them there. All I wanted was for my kids to go to school. I didn't want any assistance. My wife and I can work. I just wanted to protect them and their childhoods and their dignity," he continued.

Eva Jonsson, Sara's teacher in Uddevalla, Sweden, described the seven-year-old as "kind and nice".

"She had a lot of friends in the school. They played together all the time… In February we heard she would be deported and that it would happen quickly. We had two days' notice," she said.

After learning of her death, the class gathered in a circle and held a minute's silence.

"It's very unfortunate that it happens to such a nice family. I have taught [other] children in that family, and I was really shocked about the deportation," said the teacher.

"We have Sara's picture in front of us still, and we will keep it there as long as the children want."

 

Inese Briede says her sister, Inga Rublite, 39, might not have died ‘if someone was just checking up on her’

 

Evidence suggests dozens of suppliers are advertising openly on the internet and sending nitazenes in the post from China, where they are manufactured in laboratories. The majority of suppliers claimed to work for companies that otherwise appeared legitimate, with professional websites and business addresses in Chinese cities.

Nitazenes, which are illegal in the UK, are synthetic drugs produced in laboratories. They are similar to heroin and morphine, but can be several hundred times more potent.

It's thought users often take them unknowingly - because they are hidden within other illegal substances by dealers looking to cut production costs.

Nitazenes have been found by a publicly funded testing lab in a range of drugs, including street heroin and black market pills which dealers had wrongly claimed contained anti-anxiety drugs, such as Xanax and Valium.

After the BBC alerted SoundCloud, it removed the posts. X, formerly Twitter, took down hundreds but many listings remain.

 

Harborough District Council uses cameras made by Chinese firm Hikvision in Market Harborough and Lutterworth, but a councillor has called for the cameras to be replaced over "security" concerns.

District councillor Simon Whelband told the Local Democracy Reporting Service (LDRS) the company had previously been accused of "aiding the oppression of Tibetans and Uyghur Muslims".

Mr Whelband is urging the council to follow the lead of other authorities which have agreed to phase out Hikvision cameras.

He cited a 2021 House of Commons Foreign Affairs Select Committee report which said "equipment manufactured by companies such as Hikvision should not be permitted to operate within the UK".

 

Cross-posted from: https://feddit.de/post/10480714

"It is abundantly clear that ISIS (Islamic State) was solely responsible for the horrific attack in Moscow last week," White House national security spokesman John Kirby said.

"In fact, the United States tried to help prevent this terrorist attack and the Kremlin knows this."

 

When Luigi Boitani, Italy’s leading wolf expert, captured a hybrid in 1975, he says he “was met with everything from gentle opposition to [people who] said, ‘this is bullshit’.”

Time has proven Boitani right. Today, a growing number of studies point to the presence of hybrids in nearly every European country with wolves, and in some areas their numbers are growing steadily. In Boitani’s native Tuscany, and other regions, they have become endemic, accounting for as much as 70% of the wolf population. The rise has been driven by the increasing destruction of wolf habitats and the expansion of human settlements, which bring people, their pets, and packs of stray dogs into more frequent contact with wolf packs.

In some regions “they are basically all hybrids,” Boitani says. “In this case, there is nothing you can do. You cannot send the army and kill everything.”

Hybrids trouble conservationists partly for their unpredictability. They may increase conflict with humans, crowd pure-blood wolves out of their habitat, or reduce the viability of future offspring, hampering efforts to revive Europe’s wolf population.

 

Cross-posted from: https://feddit.de/post/10466441

Ukraine has destroyed an ultra-rare Soviet-era armoured vehicle that was first field-tested by the Russians at Chernobyl.

Battlefield footage shared on social media appeared to show the Ladoga nuclear command vehicle being targeted by a Ukrainian drone.

The vehicle was designed in the seventies to move senior Kremlin staff around in the event of a nuclear attack.
