In brief A Russian national has been hit with a five-count indictment alleging he smuggled hardware and software used for counterintelligence operations out of the US to the Russian Federal Security Service (FSB) and North Korea.
Ilya Balakaev’s indictment [PDF] was unsealed Friday in Brooklyn, New York. He’s being charged with conspiracy to defraud the US, conspiracy to violate the International Emergency Economic Powers Act, two counts of conspiracy to violate the Export Control Reform Act and smuggling.
Per the indictment, Balakaev began smuggling spectrum analyzers and signal generators for the FSB as early as 2017, and as of now is believed to have taken approximately 43 devices out of the country in 14 trips to the US. Co-conspirators are alleged to have shipped several devices to Russia for Balakaev as well.
Spectrum analyzers of the kind Balakaev is accused of smuggling are often used to detect radio signals to identify hidden surveillance devices, while the signal generators are often used to securely transmit information as a part of covert operations.
According to the charges, the hardware Balakaev smuggled to Russia was used to repair similar units owned by the FSB that were manufactured in the US, but for which the Russian government couldn’t get parts due to sanctions.
Balakaev is also accused of smuggling an Altair 4X gas detector, used to detect combustible and toxic gasses as well as oxygen-deficient atmospheres, and related software to North Korea.
According to the indictment, neither Balakaev nor his company, Radiotester LLC, had applied for or been granted licenses to export such restricted technology.
The Justice Department’s statement points to Balakaev’s activity continuing up to the present. “To prevent the continuance of violations identified in the indictment, the defendant is now subject to a Commerce temporary denial order, which restricts his ability to access US technologies,” said Jonathan Carson, special agent-in-charge of the Department of Commerce’s New York Field office for Export Enforcement.
If convicted of the charges, Balakaev would face up to 75 years in prison, the DoJ said. Whether the Moscow resident will ever arrive in the US to face those charges is unknown.
Critical vulnerabilities you should know about
You may notice that this week’s list of critical vulnerabilities contains a CVE from way back in 2021, and one from 2022 as well. While these aren’t new vulnerabilities, recent reports indicate they may be in active exploit, which is why they were included in this week’s list.
The three-year-old vulnerability comes courtesy of open source analytics and data visualization tool Grafana. Its CVE-2021-43798 directory transversal flaw only caught a CVSS score of 7.5, and has been patched, but VulnCheck said thousands of internet-facing Grafana instances are unpatched and still vulnerable.
A 2022 vulnerability in 24 different Zoho ManageEngine products has been found under active exploitation, and it’s a serious bug with a 9.8 CVSS score. Apparently, Zoho ManageEngine uses an Apache XML Java security package that passes certain security responsibilities off to its host application that simply aren’t included in the affected Zoho ManageEngine programs.
VMware has patched two vulnerabilities this week:
- CVSS 9.1 – CVE-2023-20858: VMware Carbon Black App Control contains an injection vulnerability that, while rated critical, apparently needs a malicious actor who already has privileged access to exploit.
- CVSS 8.8 – CVE-2023-20855: VMware vRealize Orchestrator and Automation, and VMware Cloud Foundation all contain an XXE vulnerability that could allow a non-admin user to bypass XML parsing restriction and escalate privileges.
CISA has two new industrial control system warnings to share, both of which have patches available:
- CVSS 9.8 – 2 CVEs: A pair of vulnerabilities in Mitsubishi Electric’s MELSOFT iQ App Portal, HTTP request smuggling and insufficient verification of data authenticity, could allow a remote attacker to do quite a bit, including denial of service, IP address authentication bypass, or information disclosure.
- CVSS 9.8 – several CVEs: Phillips’ Vue PACS imaging management software contains a LOT of vulnerabilities. If exploited, an unauthorized user could eavesdrop, modify data, gain system access, remotely execute code, and generally “impact the confidentiality, integrity, or availability of the system,” CISA said.
CISA also shared news of a CVSS 9.8 vulnerability reported last year in IBM’s Aspera Faspex file transfer platform that is believed to be under active exploitation. By sending a specially crafted call to an obsolete API in Faspex version 4.4.2 PL1, a remote attacker could gain the ability to execute arbitrary code on the system. A patch is available, so update now.
ChatGPT client for Windows actually a Trojan, says Kaspersky
Everyone seems to want to test out ChatGPT, the chatbot from Open AI that is allegedly growing faster than any web application in the history of the internet, and that can be scarily human-like in its responses.
But a keyword in that description of ChatGPT is why Kaspersky is warning this week of a new malware trend: ChatGPT is a web app, there is not legitimate desktop application for it, and anything you download that purports to be such could be a recently discovered strain of data-stealing Trojan.
Kaspersky said it discovered the threat on social media groups set up to look like legitimate OpenAI accounts or ChatGPT enthusiast groups, where the bad actors behind the malware share fake posts about the platform that include links to download a supposed Windows client for the chatbot.
Downloading and installing the program, of course, installs malware that Kaspersky said steals credentials stored in web browsers including Chrome, Edge, Firefox, Brave and others. The malware has been detected around the world, Kaspersky said, and appears to be primarily targeting Facebook, TikTok and Google accounts tied to businesses.
As part of the scam, Kaspersky said that users are told the Windows client comes with test accounts that have been upgraded to premium, ensuring the user’s queries make it through the growing crowd of free users who have been reportedly seeing “ChatGPT is at capacity” messages recently.
Along with the existence of an official ChatGPT desktop app still being a myth, Kaspersky said there’s also no need for a precreated account, as access to ChatGPT is completely free.
As Kaspersky notes, ChatGPT desktop clients are sure to emerge eventually, and some projects have already appeared online claiming to be such. When in doubt, stick to the web app, and be sure the link you click on points to the official site. ®