Fast16 Sabotage Malware: The Pre-Stuxnet Cyber Weapon Targeting Iran’s Nuclear Program


Security researchers have uncovered a sample of Fast16 malware dating back to 2005, revealing a cyber-sabotage campaign aimed at disrupting Iran’s nuclear program years before the Stuxnet worm. The discovery sheds new light on early state-backed cyber operations and on how sabotage tooling evolved.

What Is Fast16 Malware and How Was It Discovered?

Researchers from SentinelOne, Vitaly Kamluk and Juan Andrés Guerrero-Saade, recently published a detailed analysis of this early threat. Their investigation began with a simple question: did any malware featuring an embedded Lua virtual machine predate known state-sponsored campaigns like Flame or Project Sauron?

This line of inquiry led them to a service binary named svcmgmt.exe, which embeds a Lua 5.0 VM and references a kernel driver called fast16.sys. According to the researchers, the driver is a boot-start filesystem component that intercepts executable code as it is read from disk and patches it according to a set of rules. It cannot load on Windows 7 or later, but for its time fast16.sys was far more capable than typical rootkits, thanks to its position in the storage stack and its rule-based code patching.

How Fast16 Malware Differs From Stuxnet

One of the most striking aspects of this find is its timeline. Fast16 predates Stuxnet by at least five years, making it one of the earliest known cyber-sabotage tools built for a specific mission. Stuxnet, discovered in 2010, was a worm designed to sabotage Iran’s uranium-enrichment centrifuges; Fast16 stands out instead for its architecture.

Unlike typical worms of that era, Fast16 is the first recorded Lua-based network worm. Its carrier was designed as “cluster munition in software form”: it could carry multiple wormable payloads, which the researchers call “wormlets.” The worm spread across Windows 2000 and XP systems by logging into administrative file shares with default or weak admin passwords, and it activated only after confirming that the target was not running specific security products, an environmental check that was unusually advanced for its time.

Targets and End Goal of Fast16 Sabotage

The Fast16 malware was specifically crafted to interfere with three high-precision engineering and simulation suites popular in the mid-2000s: LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform. These tools are used for crash testing, structural analysis, and environmental modeling; LS-DYNA in particular is believed to have been in use in Iran.

The malware’s purpose was to corrupt the calculations produced by these tools, introducing small but systematic errors into physical-world simulations. By doing so, it could undermine or slow scientific research programs, degrade engineered systems over time, or even contribute to catastrophic damage. As the researchers note, this framework serves as a reference point for understanding how advanced actors think about long-term implants, sabotage, and a state’s ability to reshape the physical world through software.

Interestingly, the malware was also referenced in the infamous Shadow Brokers leak of NSA hacking tools, tying it back to US offensive cyber operations. This connection reinforces the notion that state-sponsored cyber sabotage has a longer history than many realize.


Why Fast16 Matters for Cybersecurity Today

This discovery highlights the importance of historical analysis in cybersecurity. By studying early threats like Fast16 malware, researchers can better understand the tactics, techniques, and procedures of state-sponsored groups. It also serves as a reminder that cyber sabotage is not a recent phenomenon—it has been evolving for decades.

As SentinelOne’s researchers conclude, Fast16 is a testament to the ingenuity of early cyber operators and a warning about the persistent threat of targeted malware. Organizations should remain vigilant, as similar techniques could still be used in modern attacks.

Security Sweep on Air Force One: Gifts, Burner Phones, and Pins from China Trip Discarded


Upon departing Beijing after a two-day summit with President Xi Jinping, U.S. officials and journalists traveling on Air Force One were ordered to dispose of various items received during the visit. This unexpected directive, reported by a White House pool journalist, included staff burner phones, credential badges, and lapel pins issued by the Chinese government. The objects were placed in a bin at the foot of the aircraft’s stairs, with a clear instruction: nothing from China was allowed on the plane.

Why Were Items from the China Trip Banned?

While the official reason for the disposal has not been disclosed, security experts point to standard counter-espionage protocol. China, despite the cordial tone of the summit, is regarded as a key intelligence adversary by the United States, and Washington and its allies have long accused Beijing of conducting cyberattacks and espionage operations. It is therefore not far-fetched to assume that gifted items, such as the lapel pins worn by President Trump, Apple CEO Tim Cook, and Nvidia’s Jensen Huang, could have been bugged. Such precautions are not unprecedented in diplomatic history.

Burner Phones: A Necessary Precaution

Burner phones, designed for temporary use and easy disposal, are often employed in high-risk environments. In this context, the decision to discard them after the Air Force One China trip aligns with standard security practices. These devices may have been targeted for surveillance during the summit, making their removal a logical step. The White House has not commented on the specific threats that prompted this action, but the move underscores the heightened vigilance required in diplomatic engagements with rival nations.

Reactions and Implications for Future Summits

On social media, Emily Goodin, the White House correspondent for the New York Post, confirmed the order, stating, “Nothing from China allowed on the plane.” This incident raises questions about the balance between diplomatic courtesy and national security. As diplomatic travel security evolves, such measures may become more common. For reporters and officials, it serves as a reminder that even seemingly innocuous souvenirs can pose risks. The Air Force One China trip highlights the ongoing tension between cooperation and caution in U.S.-China relations.

In addition, the disposal of credential badges and pins suggests a comprehensive security sweep. While the summit appeared successful, the underlying cybersecurity and counterintelligence concerns remain. This event will likely inform future protocols for White House travel security, ensuring that all items from sensitive trips are vetted or discarded.

Ultimately, the decision to discard gifts and burner phones reflects a prudent approach to safeguarding national security. As geopolitical tensions persist, such practices may become standard, reinforcing the need for vigilance in every diplomatic exchange.

A Hotel Check-In System Left Over a Million Passports and Driver’s Licenses Exposed Online


Imagine checking into a hotel, handing over your passport and driver’s license for verification, only to discover that those sensitive documents were left exposed on the open web for anyone to see. That’s exactly what happened with a hotel check-in system data breach that compromised more than one million identity documents from travelers around the globe.

The system in question, called Tabiq, is operated by the Japanese startup Reqrea. According to the company’s website, Tabiq is deployed in several hotels across Japan, using facial recognition and document scanning to streamline guest check-ins. However, a critical security lapse left the data of countless guests vulnerable to unauthorized access.

How Did the Hotel Check-In System Data Breach Happen?

Independent security researcher Anurag Sen discovered the exposure earlier this week. He found that Reqrea had configured one of its Amazon cloud-hosted storage buckets to be publicly accessible. This meant that anyone with a web browser and knowledge of the bucket name, simply “tabiq”, could list and view the stored data without needing a password.

The exposed bucket contained a staggering array of sensitive documents: passports, driver’s licenses, and even selfie verification photos from hotel guests worldwide. Sen promptly contacted TechCrunch to help alert the company. After TechCrunch reached out to Reqrea and Japan’s cybersecurity coordination team, JPCERT, the startup locked down the storage bucket.

This incident highlights a recurring issue in cybersecurity: data exposures often stem not from sophisticated hacking but from basic misconfigurations. As companies rush to adopt cloud services, they sometimes overlook fundamental security settings. Amazon S3 buckets are private by default, newly created buckets have Block Public Access switched on, and the console warns repeatedly before allowing public access, so an exposure like this requires those safeguards to be disabled or absent. Yet errors still occur.

What Data Was Exposed in the Passport Data Leak?

The passport data leak involved identity documents from visitors to Japan and other countries, with files dating back to early 2020 up to the present month. The bucket was also indexed by GrayHatWarfare, a searchable database of publicly visible cloud storage, meaning the data could have been accessed by malicious actors before the fix was applied.

Reqrea director Masataka Hashimoto acknowledged the exposure in an email, stating: “We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure.” He added that the company does not yet know how the bucket became public and plans to notify affected individuals once the investigation is complete.

It remains unclear whether anyone else accessed the data before it was secured. Hashimoto said the company is reviewing its logs to check for any unauthorized access prior to the lockdown.

Broader Implications of the Driver’s License Exposure

This driver’s license exposure is not an isolated event. Earlier this year, TechCrunch reported on a similar incident involving the money transfer service Duc App, where driver’s licenses, passports, and other identity documents were exposed. Moreover, a data breach at car rental service Hertz last year resulted in hackers stealing driver’s license information from at least 100,000 customers.

These incidents come at a time when governments worldwide are implementing age-verification laws, and businesses are increasingly relying on “know your customer” (KYC) checks. Both practices require adults to upload sensitive documents to third-party companies for verification. However, cybersecurity experts have long warned about the risks of such centralized data storage.

When a cloud misconfiguration security flaw like this occurs, the consequences can be severe. Victims of identity document breaches face an elevated risk of identity fraud, financial theft, and even misuse of their likeness for fraudulent verification purposes. As age-verification requirements become more common, the stakes only grow higher.

Lessons Learned: How to Prevent Future Data Breaches

Building on this incident, companies handling sensitive customer data must adopt stricter security protocols. First, enable S3 Block Public Access at the account level and run automated scans for buckets whose ACLs or policies grant access to everyone. Second, enforce multi-factor authentication and least-privilege access controls for every cloud identity. Third, regular security audits and penetration testing can surface misconfigurations before they are exploited. Finally, retain identity documents only for as long as verification actually requires.
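The check behind “automated scanning for misconfigured buckets” is simple to state: an S3 bucket is effectively public if its policy or its ACL grants access to everyone and nothing in Block Public Access neutralizes that grant. The following Python is an added example, not code from the article, Reqrea or TechCrunch. It takes the three structures boto3 returns from `get_bucket_policy` (the `Policy` string), `get_bucket_acl` (the `Grants` list) and `get_public_access_block` (the `PublicAccessBlockConfiguration` dict) and reports what is exposed; the bucket name, policy and grants below are constructed and hypothetical.

```python
import json

# Grantee URIs AWS uses for the two "everyone" groups in a bucket ACL.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_anyone(principal):
    """True when a policy statement's Principal is the anonymous wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_public_statements(policy_json):
    """Allow statements open to anyone and not narrowed by a Condition.
    policy_json is the 'Policy' string from get_bucket_policy, or None."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow"
            and _principal_is_anyone(s.get("Principal"))
            and not s.get("Condition")]


def acl_public_grants(grants):
    """ACL grants to AllUsers / AuthenticatedUsers ('Grants' from get_bucket_acl)."""
    return [g for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]


def audit_bucket(name, policy_json, grants, pab):
    """Combine the three signals. pab is the PublicAccessBlockConfiguration dict,
    or an empty dict when the bucket has none configured."""
    pab = pab or {}
    findings = []
    # IgnorePublicAcls neutralises public ACL grants; RestrictPublicBuckets
    # neutralises a public bucket policy. Report grants either way, but count
    # them as exposure only when nothing blocks them.
    for g in acl_public_grants(grants):
        who = g["Grantee"]["URI"].rsplit("/", 1)[-1]
        findings.append((f"ACL grants {g['Permission']} to {who}",
                         pab.get("IgnorePublicAcls") is True))
    for s in policy_public_statements(policy_json):
        findings.append((f"policy allows {s.get('Action')} to anyone (Sid={s.get('Sid')})",
                         pab.get("RestrictPublicBuckets") is True))
    exposed = [text for text, blocked in findings if not blocked]
    return {
        "bucket": name,
        "public": bool(exposed),
        "exposed": exposed,
        "latent": [text for text, blocked in findings if blocked],
        "block_public_access_missing": [k for k in PAB_KEYS if pab.get(k) is not True],
    }


# Constructed sample inputs for a hypothetical bucket (not the one in the article).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-checkin-scans/*",
    }],
})
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]
FULL_PAB = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    for pab in ({}, FULL_PAB):
        print(json.dumps(audit_bucket("example-checkin-scans",
                                      SAMPLE_POLICY, SAMPLE_GRANTS, pab), indent=2))
```

Run against every bucket returned by `list_buckets`, the first case (no Block Public Access) is the one that produces a world-readable bucket; the second shows the same grants reported as latent, because Block Public Access overrides them until someone switches it off.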

For travelers, the takeaway is clear: be cautious about where you upload your identity documents. Where possible, prefer services that state how long they retain documents and how they protect them, and never upload more than a check actually requires.

Additionally, consider using digital identity protection services that monitor for unauthorized use of your documents. If you suspect your data has been exposed, report it to the relevant authorities immediately and monitor your financial accounts for suspicious activity.

This hotel check-in system data breach serves as a stark reminder that even seemingly minor misconfigurations can lead to massive data exposures. As more companies digitize their operations, the responsibility to safeguard customer information has never been greater.

Widely Used Browser Extensions Selling User Data: What You Need to Know


Your browser extensions might be quietly making money off your personal information. A recent study by LayerX Security reveals that dozens of popular browser extensions are openly selling user data, with explicit permission buried in their privacy policies.

The research uncovered more than 80 extensions that reserve the right to sell user data. These tools span categories like streaming, ad blocking, and productivity, boasting millions of combined installations. This isn’t about malicious software hiding in the shadows—it’s about legitimate-looking extensions that tell you exactly what they’re doing, assuming you bother to read the fine print.

“Unlike malicious extensions that disguise themselves as legitimate extensions and do their bidding in the dark, these extensions explicitly tell users that they’re going to collect and sell their data. It’s right there in the Privacy Policy; except that nobody reads it,” LayerX Security stated.

The Scale of Browser Extension Data Selling

The problem is massive. According to the report, 71% of Chrome Web Store extensions do not publish a privacy policy at all. This leaves over 73% of users with at least one installed extension that offers no visibility into how their data is handled. The implications for browser extensions selling user data are staggering.

From an initial dataset of roughly 9,000 extensions, researchers analyzed 6,666 privacy policies and confirmed 82 extensions engaged in commercial data sharing after manual review. These numbers highlight a systemic issue in the browser extension ecosystem.

How Extensions Monetize User Data

Rather than hiding their behavior, many extensions rely on broad legal language to permit data sales. Statements such as “may sell or share your personal information” let publishers commercialize user data at their discretion, and because almost nobody reads the policy, the sale happens without meaningful user consent.

One network of 24 media extensions, including tools for Netflix, Hulu, Disney+, Amazon Prime Video, and HBO Max, reached about 800,000 users. These extensions collect viewing behavior, preferences, and demographic data across major streaming platforms, then package those insights for third parties. They operate as a distributed data collection system, capturing and monetizing user activity in several ways:

  • Tracking viewing history and engagement across streaming platforms
  • Building user profiles using preferences and inferred demographics
  • Packaging and selling aggregated insights to advertisers and analytics firms

Ad Blockers and Enterprise Exposure

Ad blockers are not exempt. At least 12 ad blockers with a combined user base exceeding 5.5 million were found to sell or share browsing data. Some collect detailed behavioral information, including inferred sensitive attributes based on user activity. This means that tools designed to protect your privacy might actually be compromising it.

Corporate environments are also affected. The report identified 29 business-focused extensions that gather browsing data from enterprise systems, potentially exposing internal activity through commercial datasets. This creates a serious risk for organizations that rely on browser extensions for productivity.


How to Protect Yourself from Data-Selling Extensions

The findings suggest that traditional extension security checks may miss privacy risks. Even when disclosed, data-selling practices can operate at scale with limited oversight, posing challenges for both users and organizations. So, what can you do?

For Individual Users

Start by auditing your installed extensions (chrome://extensions in Chrome, about:addons in Firefox) and remove any you don’t use regularly. When installing new extensions, read the privacy policy—yes, actually read it—and look for phrases like “may sell” or “share your personal information.” Review the permissions each extension requests, especially access to all websites, and use the browser’s per-site access controls to limit where an extension can run.

For Organizations

“Most browsers already support centralized extension management through enterprise policies – Chrome’s ExtensionSettings, Edge’s group policies, Firefox’s enterprise configurations,” LayerX wrote. “If you don’t have an extension governance policy, that’s the first step. If you do, add privacy policy review to the evaluation criteria.”

Implementing a browser extension governance policy can help mitigate risks. Regularly review the extensions allowed in your organization and ensure privacy policies are part of the approval process.
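The individual audit above and the organizational allowlist both start from the same inventory: which extensions are installed and what they can see. As an added example (not code from LayerX or the article), the following Python walks a Chrome profile’s `Extensions/<id>/<version>/manifest.json` tree, flags extensions that are not on an allowlist and hold broad permissions such as `<all_urls>` or `tabs`, and emits the matching `ExtensionSettings` enterprise policy. The two extension IDs and their manifests are constructed here for the demonstration and are hypothetical; the profile directory layout is the standard Chrome one.

```python
import json
import os
import tempfile

# Permissions and host patterns that let an extension observe browsing broadly.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
         "tabs", "webRequest", "webNavigation", "history", "cookies"}


def inventory_extensions(extensions_dir):
    """List extensions from a Chrome profile's Extensions/<id>/<version>/manifest.json tree
    (the profile is e.g. ~/.config/google-chrome/Default on Linux)."""
    found = []
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_root = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_root):
            continue
        for version in sorted(os.listdir(ext_root)):
            manifest = os.path.join(ext_root, version, "manifest.json")
            if not os.path.isfile(manifest):
                continue
            with open(manifest, encoding="utf-8") as f:
                m = json.load(f)
            # MV2 lists host patterns under "permissions"; MV3 under "host_permissions".
            perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
            found.append({"id": ext_id, "version": version,
                          "name": m.get("name", "?"),   # may be a __MSG_...__ locale key
                          "permissions": perms})
    return found


def flag_extensions(inventory, allowlist):
    """Extensions not on the allowlist that hold broad permissions."""
    flagged = []
    for ext in inventory:
        broad = ext["permissions"] & BROAD
        if ext["id"] not in allowlist and broad:
            flagged.append({**ext, "broad": sorted(broad)})
    return flagged


def extension_settings_policy(allowlist):
    """Chrome ExtensionSettings policy: block everything except the allowlist."""
    settings = {"*": {"installation_mode": "blocked"}}
    for ext_id in sorted(allowlist):
        settings[ext_id] = {"installation_mode": "allowed"}
    return {"ExtensionSettings": settings}


# Constructed sample profile with two hypothetical extension IDs.
ALLOWED_ID = "abcdefghijklmnopabcdefghijklmnop"
STREAMING_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"
SAMPLE_MANIFESTS = {
    ALLOWED_ID: {"manifest_version": 3, "name": "Corporate SSO Helper", "version": "1.2.0",
                 "permissions": ["storage"], "host_permissions": ["https://sso.example.com/*"]},
    STREAMING_ID: {"manifest_version": 2, "name": "Streaming Enhancer", "version": "4.0.1",
                   "permissions": ["tabs", "storage", "<all_urls>"]},
}


def build_sample_profile():
    """Write the constructed manifests into a temporary Extensions directory."""
    root = tempfile.mkdtemp(prefix="chrome-ext-")
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        d = os.path.join(root, ext_id, manifest["version"] + "_0")  # Chrome appends _0
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as f:
            json.dump(manifest, f)
    return root


if __name__ == "__main__":
    inv = inventory_extensions(build_sample_profile())
    for e in flag_extensions(inv, {ALLOWED_ID}):
        print(f"{e['id']} {e['name']} {e['version']}: {', '.join(e['broad'])}")
    print(json.dumps(extension_settings_policy({ALLOWED_ID}), indent=2))
```

On a managed Linux machine the printed policy object goes into a JSON file under /etc/opt/chrome/policies/managed/; Chrome shows the applied result at chrome://policy. Treat the broad-permission flag as a trigger for the privacy-policy review LayerX recommends, not as proof of data selling: an ad blocker legitimately needs wide host access, which is exactly why its privacy policy has to be read.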

The Bottom Line on Browser Extension Privacy

Browser extensions are powerful tools, but they come with hidden costs. The practice of browser extensions selling user data is more common than most people realize. By staying informed and taking proactive steps, you can protect your privacy without sacrificing functionality.

Remember: if an extension is free, you might be the product. Always verify what data an extension collects and how it’s used before you install it.
