Telegram founder Pavel Durov arrested in France

Telegram founder Pavel Durov has been arrested in France over content moderation failures. French authorities have taken issue with the lack of moderation on the instant messaging service, which has allegedly become a hub for criminal activity including drug trafficking, money laundering, and fraud. It has been suggested that the lax approach to moderation has turned the platform into a popular spot for criminals to organize operations and distribute malware, among other illegal activities.

Telegram is based in Dubai and boasts over 950 million monthly active users as of July 2024. It recently launched an in-app browser and a Mini App Store, essentially turning it into a super app, similar to Tencent’s WeChat. Despite the arrest, Telegram has maintained that it “abides by E.U. laws, including the Digital Services Act” and its moderation is “within industry standards and constantly improving”, arguing that it’s “absurd to claim that a platform or its owner are responsible for abuse of that platform.”

The French President Emmanuel Macron has stated that Durov’s arrest was not a political decision and that the government had no involvement in the operation. Further, the arrest has been said to be part of a judicial investigation. It has been stated that the detention is connected with an investigation opened on July 8, 2024, looking into criminal activity on the platform, and Telegram’s lack of cooperation with law enforcement. An unnamed person is also being investigated for being complicit in distributing child pornography and narcotics via Telegram.

The arrest has ignited debate over free speech and censorship, and has also prompted a reevaluation of Telegram’s encryption practices. Matthew Green, a security researcher and associate professor of computer science at Johns Hopkins University, pointed out that Telegram does not end-to-end encrypt conversations by default, suggesting its servers might attract a lot of attention from intelligence services because of its large user base. He urged users to think about their confidentiality needs and make informed decisions about the platforms they use.

Notion exits Russia and will terminate accounts in September

Notion, a global productivity tool, has announced its exit from the Russian market due to US-imposed restrictions on software service providers. The company will terminate all workspaces and accounts associated with Russian users. As of September 9, 2024, Russian users will no longer have access to the platform. The decision came in the wake of US government restrictions that prohibit access to specific software products and services for anyone in Russia.

The company has specified that it will delete all accounts based in Russia and discontinue workspaces in the country. Users have until September 8 to copy their data; after this date, they will be unable to access or recover any data from Notion. Instructions for exporting content or entire workspaces have been provided. However, restrictions may apply in the case of Enterprise workspace members if admins have chosen to disable the export option to keep data internal.

Workspace owners who collaborate with Russian users but are not themselves based in the country will not have their workspaces deleted. However, their Russian collaborators will no longer be able to access the workspace beyond the set deadline. The software platform also announced the unilateral termination of subscription plans for affected users on September 9, 2024, with no further charges.

Notion has also sent out email notifications about the closure of accounts to affected users. It’s estimated that Notion is used by over 30 million people worldwide, combining note-taking, document creation, task management, databases, and various real-time collaboration tools under a single platform. Notion’s departure from Russia marks a significant shift in its global operations.


Stealthy ‘sedexp’ Linux malware evaded detection for two years

A stealthy Linux malware called ‘sedexp’ has managed to remain undetected since 2022 by using a persistence technique not covered by the MITRE ATT&CK framework. Discovered by risk management firm Stroz Friedberg, the insidious malware allows its operators to create reverse shells for remote access and further propagate the attack. The persistence technique relies on udev rules, which ATT&CK does not yet document, making sedexp an advanced threat that operates right under the nose of security systems.

Udev is a device management system for Linux, tasked with handling device nodes in the /dev directory. The nodes represent various hardware components like storage drives, network interfaces, and USB drives. Udev rules are configuration files that determine how the manager handles certain devices or events. Sedexp adds a specific udev rule on the compromised system, which triggers whenever a new device is added. It checks if the device’s numbers match ‘/dev/random,’ a system component used as a random number generator. The final rule component executes the malware’s script, ensuring the malware operates frequently and evades detection as /dev/random is not monitored by security solutions.
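The trigger described above can be checked for directly: a udev rule that keys a RUN action to the device numbers of /dev/random (character major 1, minor 8) or to the kernel name “random” is not something a benign rule normally does. The following Python scanner is an added example written for this article, not code from Stroz Friedberg’s report; the sample rules and the file paths in them are constructed placeholders.

```python
import re

# /dev/random is character device major 1, minor 8 on Linux.
DEV_RANDOM = ("1", "8")

# Constructed sample udev rules for this demonstration (not from the report).
SAMPLE_RULES = """\
# benign: give the plugdev group access to a USB serial adapter
SUBSYSTEM=="tty", ATTRS{idVendor}=="0403", GROUP="plugdev", MODE="0660"
# suspicious: runs a hidden binary whenever a device with /dev/random's numbers is added
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/tmp/.x/example_loader"
# suspicious: same trigger expressed via the kernel device name
KERNEL=="random", RUN+="/bin/sh -c '/var/tmp/.cache/example.sh'"
"""

# One udev token: KEY, optional {attr}, operator, quoted value.
TOKEN = re.compile(r'(\w+)(?:\{(\w+)\})?\s*(==|!=|\+=|=)\s*"([^"]*)"')

def parse_rule(line):
    """Map (key, attr) -> value for one rule line; RUN actions are collected in a list."""
    rule = {"RUN": []}
    for key, attr, op, value in TOKEN.findall(line):
        if key == "RUN" and op in ("+=", "="):
            rule["RUN"].append(value)
        else:
            rule[(key, attr or None)] = value  # findall yields "" for a missing {attr}
    return rule

def is_suspicious(line):
    """Flag a rule that keys a RUN action to /dev/random, the trigger described for sedexp."""
    rule = parse_rule(line)
    if not rule["RUN"]:
        return False
    by_numbers = (rule.get(("ENV", "MAJOR")), rule.get(("ENV", "MINOR"))) == DEV_RANDOM
    by_name = rule.get(("KERNEL", None)) == "random"
    return by_numbers or by_name

def scan_rules_text(text):
    """Return the non-comment rule lines of a rules file that match the trigger pattern."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#") and is_suspicious(l)]

if __name__ == "__main__":
    for hit in scan_rules_text(SAMPLE_RULES):
        print("suspicious udev rule:", hit)
```

On a live host, feed it the contents of each *.rules file under /etc/udev/rules.d, /lib/udev/rules.d and /usr/lib/udev/rules.d and review any hit together with the binary the RUN value points to.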

In addition to its evasion techniques, sedexp also names its process ‘kdevtmpfs’, a clever disguise that makes it blend in with legitimate system processes, making it more difficult to detect. Sedexp employs several operational capabilities like using either forkpty or pipes and a forked new process to establish a reverse shell, allowing the attacker to remotely access the compromised system. The malware cleverly manipulates memory to hide any file containing the string “sedexp” from standard commands, which further obscures its presence.

The malware has been active since 2022, as per the researchers, and has successfully remained invisible in many online sandboxes. Only two antivirus engines flag the three sedexp samples provided in the report as malicious. Stroz Friedberg has discovered that sedexp has been used to hide credit card scraping code on compromised web servers, suggesting that financial motivations might be driving these attacks. The discovery of such advanced threats emphasizes the need for constant evolution and adaptation in cybersecurity strategies.


American Radio Relay League confirms $1 million ransom payment

The American Radio Relay League (ARRL) admitted to paying a $1 million ransom to restore systems encrypted after a ransomware attack in May. After discovering the breach, the National Association for Amateur Radio took impacted systems offline immediately to contain it. ARRL later alerted individuals affected by a data breach that its systems were encrypted due to a sophisticated ransomware incident. ARRL attributes the hack to a “malicious international cyber group” but hasn’t officially linked it to a specific ransomware operation. However, unnamed sources suggested that the Embargo ransomware gang was behind the attack.

Centring on staff data, the breach affected only 150 employees according to a filing with the Office of Maine’s Attorney General. Further, the ARRL claimed to have taken “all reasonable steps” to prevent the leaked data from being further published or distributed, a statement at the time that hinted a ransom might be paid.

The ARRL later divulged that it had paid the ransom to secure a decryption tool to restore systems affected during the May 15 attack, rather than to prevent stolen data from being leaked online. The attackers had demanded the ransom in return for that decryption tool. The ARRL, a small 501(c)(3) organization, noted the hackers seemed to believe that the organization had extensive insurance coverage, presumably to cover a large ransom.

The Association expressed that it has extensively restored most of its systems and anticipates an additional two months to recuperate all the affected servers under new infrastructure rules and standards. The cost of this recovery, along with the ransom payment, was mostly covered by the organization’s insurance policy.


Interested in cyber security? Check out the other episodes of our weekly Bezpečnostní neděle.