How to Identify and Remove VPN Apps That Contain 911 S5 Backdoors

The FBI, the Defense Criminal Investigative Service, and the Department of Commerce’s Office of Export Enforcement have published a public service announcement (the “PSA”) for individuals and businesses to better understand and guard against the 911 S5 residential proxy service and botnet. The PSA is available at ic3.gov/Media/Y2024/PSA240529.

As explained in the PSA, 911 S5 began operating in May 2014 and was taken offline by the administrator in July 2022 before reconstituting as Cloudrouter in October 2023. 911 S5 was likely the largest residential proxy service and botnet with over 19 million compromised IP addresses in over 190 countries and confirmed victim losses in the billions of dollars. 

Free, illegitimate VPN applications that were created to connect to the 911 S5 service are: MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN. 

Unaware of the proxy backdoor, once users downloaded these VPN applications, they unknowingly became a victim of the 911 S5 botnet. The proxy backdoor enabled 911 S5 users to re-route their devices through victims’ devices, allowing criminals to carry out crimes such as bomb threats, financial fraud, identity theft, child exploitation, and initial access brokering. By using a proxy backdoor, criminals made nefarious activity appear as though it was coming from the victims’ devices.

The information below is intended to help identify and remove 911 S5’s VPN applications from devices or machines.

Before electing to use this information, users may want to consult with legal counsel and cybersecurity professionals, potentially including an incident response firm if they deem necessary, to explore all options and assist with any remediation efforts to avoid further harm by malicious software applications or botnets. The FBI makes no warranties or representations regarding the efficacy of this information.  

Check for Running Services

1. Press Control+Alt+Delete on the keyboard and select the “Task Manager” option or right-click on the Start menu (Windows icon) and select the “Task Manager” option.

2. Task Manager should now be running. Under the “Process” tab, look for the following:

  • MaskVPN (mask_svc.exe)
  • DewVPN (dew_svc.exe)
  • PaladinVPN (pldsvc.exe)
  • ProxyGate (proxygate.exe, cloud.exe)
  • ShieldVPN (shieldsvc.exe)
  • ShineVPN (shsvc.exe)

Example image (not reproduced here): running processes for ShieldVPN and ShieldVPN Svc.

If Task Manager doesn’t detect any of these services, verify that by searching the Start menu for any traces of software labeled as “MaskVPN,” “DewVPN,” “ShieldVPN,” “PaladinVPN,” “ProxyGate,” or “ShineVPN.”

3. Click on the “Start” (Windows Icon) button typically found in the lower lefthand corner of the screen. Then, search for the following terms, which are the identified names of the malicious software applications:

  • MaskVPN
  • DewVPN
  • ShieldVPN
  • PaladinVPN
  • ShineVPN
  • ProxyGate

4. If one of the VPN applications is found, an uninstaller is sometimes located under the Start menu option of the VPN application. The example image below shows an instance where the uninstall option isn’t available.

5. If the application doesn’t contain an uninstall option, then follow the steps below to attempt to uninstall the application:

  1. Click on the Start menu (Windows button) and type “Add or remove programs” to bring up the “Add and Remove Programs” menu.
  2. Search for the malicious software application names.

    An example image below shows the ShieldVPN application found within the “Add or remove programs” application list. Once you find the application in the list, click on the application name and select the “Uninstall” option.
  3. After the application is uninstalled, you can try to verify that the application has been removed by clicking on “Start” (Windows Icon) and typing “File Explorer.”
  4. Click on the drive letter “C:”—sometimes labeled as “Windows (C:)”—and navigate to “Program Files(x86).” Then, look for the malicious software application names in the list of files and folders.
  5. For ProxyGate, navigate to “C:\users\[Userprofile]\AppData\Roaming\ProxyGate.”
  6. If you don’t see any folder labeled “MaskVPN,” “DewVPN,” “ShineVPN,” “ShieldVPN,” “PaladinVPN,” or “ProxyGate,” then this particular malicious software application may not be installed.
  7. If a service was found running, but not found under the Start menu or “Add and Remove Programs,” then:
    1. Navigate to the directories described in directions 5d and 5e.
    2. Open “Task Manager.”
    3. Select the service related to one of the identified malicious software applications running in the process tab.
    4. Select the option “End task” to attempt to stop the process from running.
  8. Once the processes have been stopped or verified as not running:
    1. Right-click on the folder named “MaskVPN,” “DewVPN,” “ShineVPN,” “ShieldVPN,” “PaladinVPN,” or “ProxyGate.”
    2. Select the “Delete” option.
    3. You can also select all files found within the folder and then select the “Delete” option.
    4. If you try to delete the folder—or to delete all files located inside the folder—and receive an error message, be sure that you’ve ended all processes related to the malicious software within Windows Task Manager, as described in step 5g.

6. Based on the instructions found above, were you able to locate any of the listed files on your computer? Please click this link to select “Yes” or “No.” No other information is needed. 
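The following PowerShell script automates the checks in steps 2 and 5a–5e above and, optionally, the “End task” action of step 5g. It is an added example, not part of the FBI PSA; the process, application and folder names are the ones the PSA lists, and the registry uninstall keys are the standard Windows locations that back “Add or remove programs.”

```powershell
# Added example, not part of the FBI PSA: inventory a Windows host for the six
# 911 S5 VPN applications named above (steps 2 and 5a-5e). Read-only unless
# -StopProcesses is given, which performs the "End task" action of step 5g.
param([switch]$StopProcesses)

# Names taken from the PSA. Get-Process reports image names without ".exe".
$ProcessNames = @('mask_svc', 'dew_svc', 'pldsvc', 'proxygate', 'cloud', 'shieldsvc', 'shsvc')
$AppNames     = @('MaskVPN', 'DewVPN', 'PaladinVPN', 'ProxyGate', 'ShieldVPN', 'ShineVPN')
$findings     = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Name, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
}

# Step 2: running processes. "cloud" is a generic image name, so the full path
# is reported for the operator to confirm it really belongs to ProxyGate.
$hits = Get-Process -ErrorAction SilentlyContinue | Where-Object { $ProcessNames -contains $_.ProcessName }
foreach ($p in $hits) { Add-Finding 'Process' $p.ProcessName "PID $($p.Id) $($p.Path)" }

# Steps 5a-5b: "Add or remove programs" entries are read from these uninstall keys.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
foreach ($entry in Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue) {
    foreach ($app in $AppNames) {
        if ($entry.DisplayName -like "*$app*") { Add-Finding 'Uninstall entry' $app $entry.UninstallString }
    }
}

# Steps 5d-5e: install folders under Program Files (x86), Program Files, and
# every profile's AppData\Roaming (the PSA names the latter for ProxyGate).
$roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles)
$roots += Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming' }
foreach ($root in ($roots | Where-Object { $_ })) {
    foreach ($app in $AppNames) {
        $path = Join-Path $root $app
        if (Test-Path -LiteralPath $path) { Add-Finding 'Folder' $app $path }
    }
}

# Step 5g (optional): end the matching processes so the folders can be deleted by hand.
if ($StopProcesses -and $hits) { $hits | Stop-Process -Force -ErrorAction Continue }

if ($findings.Count -eq 0) { Write-Output 'No 911 S5 VPN artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt so that HKLM and other users’ profile folders are readable; a non-empty table is a prompt to follow steps 4 and 5 above for the named application.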

Musk lumps OpenAI and Apple together

Elon Musk is threatening to ban iPhones from all his companies over the OpenAI integrations Apple announced at WWDC 2024 on Monday. In a series of posts on X, the Tesla, SpaceX and xAI exec wrote that “if Apple integrates OpenAI at the OS level,” Apple devices would be banned from his businesses and visitors would have to check their Apple devices at the door, where they’ll be “stored in a Faraday cage.”

His posts seem to misunderstand the relationship Apple announced with OpenAI, or at least attempt to leave room for doubt about user privacy. While Apple and OpenAI both said that users are asked before “any questions are sent to ChatGPT,” along with any documents or photos, Musk’s responses indicate he believes OpenAI is deeply integrated into Apple’s operating system itself and therefore able to hoover up any personal and private data.

In iOS 18, Apple said people will be able to ask Siri questions, and if the assistant thinks ChatGPT can help, it will ask permission to share the question and present the answer directly. This allows users to get an answer from ChatGPT without having to open the ChatGPT iOS app. Photos, PDFs or other documents you want to send to ChatGPT get the same treatment.

Musk, however, would prefer that OpenAI’s capabilities remain bound to a dedicated app — not a Siri integration.

Responding to Sam Pullara, VC and CTO at Sutter Hill Ventures, who wrote that the user is approving a specific request on a per-request basis — OpenAI does not have access to the device — Musk wrote, “Then leave it as an app. This is bullshit.”

Pullara had said that the way ChatGPT was integrated was essentially the same way the ChatGPT app works today. The on-device AI models are either Apple’s own or those using Apple’s Private Cloud.

Meanwhile, replying to a post on X from YouTuber Marques Brownlee that further explained Apple Intelligence, Musk responded, “Apple using the words ‘protect your privacy’ while handing your data over to a third-party AI that they don’t understand and can’t themselves create is *not* protecting privacy at all!”

He even replied to a post by Apple CEO Tim Cook, wherein he threatened to ban Apple devices from the premises of his companies if he didn’t “stop this creepy spyware.”

“It’s patently absurd that Apple isn’t smart enough to make their own AI, yet is somehow capable of ensuring that OpenAI will protect your security & privacy!” Musk exclaimed in one of many posts about the new integrations. “Apple has no clue what’s actually going on once they hand your data over to OpenAI. They’re selling you down the river,” he said. While it’s true that Apple may not know the inner workings of OpenAI, it’s not technically Apple handing over the data — the user is making that choice, from the sound of things.

Apple also announced another integration that would allow users to have access to ChatGPT system-wide within Writing Tools via a “compose” feature. For instance, you could ask ChatGPT to write a bedtime story for your child in a document, Apple suggested. You could also ask ChatGPT to generate images in a number of styles to complement your writing. Through these features, users will essentially be accessing ChatGPT for free without the friction of having to create an account. That’s great news for OpenAI, which will soon have a massive influx of requests from Apple users.

Apple users may not understand the nuances of the privacy issues here, of course — which is what Musk is counting on by making these complaints. If users could set their own preferred AI bot as the go-to for Siri requests or writing help, like Anthropic’s Claude or — say, xAI’s Grok — it’s doubtful that Musk would be yelling this loudly about the dangers of such an integration. (In fact, Apple just hinted that Google Gemini could be integrated in the future, in a post-keynote session.)

In its announcement, Apple says that users’ requests and information are not logged, but ChatGPT subscribers can connect their account and then access their paid features directly within Apple’s AI experiences.

“Of course, you’re in control over when ChatGPT is used and will be asked before any of your information is shared. ChatGPT integration will be coming to iOS 18, iPadOS 18 and macOS Sequoia later this year,” said Apple SVP of Software Engineering Craig Federighi. The features will only be available on iPhone 15 Pro models and devices that use M1 or newer chips.

OpenAI reiterated something similar in its blog post, noting that “requests are not stored by OpenAI, and users’ IP addresses are obscured. Users can also choose to connect their ChatGPT account, which means their data preferences will apply under ChatGPT’s policies.” The latter refers to the optional (as in opt-in) ability to connect the feature with their paid subscription.

In the future Apple will work with Google’s Gemini

Following a keynote presentation at WWDC 2024 that both introduced Apple Intelligence and confirmed a partnership that brings ChatGPT access to Siri through a deal with OpenAI, SVP Craig Federighi confirmed plans to work with additional third-party models. The first example given by the executive was one of the companies with which Apple was exploring a partnership.

“We’re looking forward to doing integrations with other models, including Google Gemini, for instance, in the future,” Federighi said during a post-keynote conversation. He quickly added that the company had “nothing to announce right now, but that’s our general direction.”

OpenAI’s ChatGPT will be the first third-party model to receive integration at some point later this year. Apple says users will be able to access the system without having to sign up for an account or pay for premium services. As for that platform’s integration with the revamped iOS 18 version of Siri, Federighi confirmed that the voice assistant will alert a user before sending them off to its own in-house models.

“Now you can do it right through Siri, without going through another tool,” the Apple executive said. “Siri, it’s significant to understand, will ask you before you go to ChatGPT. Then you can have that conversation with ChatGPT. Then, if there’s any helpful data referenced in your question that you might want to supply to ChatGPT, we’re going to ask, ‘Do you want to send this photo?’ From a privacy point of view, you’re always in control and have total transparency.”

Hugging Face detects unauthorized access

Late Friday afternoon, a time window companies usually reserve for unflattering disclosures, AI startup Hugging Face said that its security team earlier this week detected “unauthorized access” to Spaces, Hugging Face’s platform for creating, sharing and hosting AI models and resources.

In a blog post, Hugging Face said that the intrusion related to Spaces secrets, or the private pieces of information that act as keys to unlock protected resources like accounts, tools and dev environments, and that it has “suspicions” some secrets could’ve been accessed by a third party without authorization.

As a precaution, Hugging Face has revoked a number of tokens in those secrets. (Tokens are used to verify identities.) Hugging Face says that users whose tokens have been revoked have already received an email notice and is recommending that all users “refresh any key or token” and consider switching to fine-grained access tokens, which Hugging Face claims are more secure.

It wasn’t immediately clear how many users or apps were impacted by the potential breach.

“We are working with outside cyber security forensic specialists, to investigate the issue as well as review our security policies and procedures. We have also reported this incident to law enforcement agencies and Data [sic] protection authorities,” Hugging Face wrote in the post. “We deeply regret the disruption this incident may have caused and understand the inconvenience it may have posed to you. We pledge to use this as an opportunity to strengthen the security of our entire infrastructure.”

“We’ve been seeing the number of cyberattacks increase significantly in the past few months, probably because our usage has been growing significantly and AI is becoming more mainstream. It’s technically difficult to know how many spaces secrets have been compromised.”

The possible hack of Spaces comes as Hugging Face, which is among the largest platforms for collaborative AI and data science projects with over one million models, data sets and AI-powered apps, faces increasing scrutiny over its security practices.

In April, researchers at cloud security firm Wiz found a vulnerability — since fixed — that would allow attackers to execute arbitrary code during a Hugging Face-hosted app’s build time that’d let them examine network connections from their machines. Earlier in the year, security firm JFrog uncovered evidence that code uploaded to Hugging Face covertly installed backdoors and other types of malware on end-user machines. And security startup HiddenLayer identified ways Hugging Face’s ostensibly safer serialization format, Safetensors, could be abused to create sabotaged AI models.

Hugging Face recently said that it would partner with Wiz to use the company’s vulnerability scanning and cloud environment configuration tools “with the goal of improving security across our platform and the AI/ML ecosystem at large.”