A new report from news outlet NOTUS shows that at least two Texas counties along the U.S.-Mexico border have purchased a product that would allow law enforcement to track devices that emit Bluetooth signals, including cell phones, smartwatches, wireless earbuds, and car entertainment systems. This incredibly personal model of tracking is the latest layer of surveillance infrastructure along the U.S.-Mexico border, where communities are not only exposed to a tremendous amount of constant monitoring but also serve as a laboratory in which law enforcement agencies at all levels of government test new technologies.
The product now being deployed in Texas, called TraffiCatch, can detect Wi-Fi and Bluetooth signals in moving cars to track them. Webb County, which includes Laredo, has had TraffiCatch technology since at least 2019, according to GovSpend procurement data. Val Verde County, which includes Del Rio, approved the technology in 2022.
This data collection is possible because all Bluetooth devices regularly broadcast a Bluetooth Device Address. This address can be either a public address or a random address. Public addresses don’t change for the lifetime of the device, making them the easiest to track. Random addresses are more common and have multiple levels of privacy, but for the most part change regularly (this is the case with most modern smartphones and products like AirTags). Bluetooth products with random addresses would be hard to track for a device that hasn’t paired with them. But if the tracked person is also carrying a Bluetooth device that has a public address, or if tracking devices are placed close enough to each other that a device is seen multiple times before it changes its address, random addresses could be correlated with that person over long periods of time.
It is unclear whether TraffiCatch is doing this sort of advanced analysis and correlation, and how effective it would be at tracking most modern Bluetooth devices.
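To make the address types above concrete, here is an added example (not code from the article or from TraffiCatch's vendor) that decodes the advertiser address in a BLE legacy advertising packet and reports whether it is a long-lived identifier, which is the check you would run when auditing what your own devices broadcast. The packets are constructed; the bit layout follows the Bluetooth Core Specification.

```python
# Added example (not from the article or from TraffiCatch's vendor): decode the
# advertiser address in a BLE legacy advertising PDU and report whether it is a
# stable identifier. Useful for auditing what your own devices broadcast.
# Layout per the Bluetooth Core Specification (LE legacy advertising PDU):
#   byte 0    : bits 0-3 PDU type, bit 6 TxAdd (0 = public, 1 = random)
#   byte 1    : payload length
#   bytes 2-7 : AdvA, 48-bit address, least-significant byte first
from typing import NamedTuple

PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND", 6: "ADV_SCAN_IND"}


class AdvAddress(NamedTuple):
    pdu_type: str
    address: str   # colon-separated, most-significant byte first
    kind: str      # "public", "static", "resolvable" or "non-resolvable"
    stable: bool   # True when the address does not rotate on its own


def classify_adv_pdu(pdu: bytes) -> AdvAddress:
    """Classify the AdvA field of one advertising PDU (raw bytes, no preamble)."""
    if len(pdu) < 8:
        raise ValueError("PDU too short to carry a header and AdvA")
    header, length = pdu[0], pdu[1]
    if length != len(pdu) - 2:
        raise ValueError("length field does not match payload size")
    pdu_type = PDU_TYPES.get(header & 0x0F)
    if pdu_type is None:
        raise ValueError("not an advertising PDU type that carries AdvA")
    tx_add = (header >> 6) & 1
    adva = pdu[2:8][::-1]                      # reverse to display order
    address = ":".join(f"{b:02X}" for b in adva)
    if tx_add == 0:
        # Public address: IEEE-assigned, fixed for the life of the device.
        return AdvAddress(pdu_type, address, "public", True)
    # Random address: the two most-significant bits give the sub-type.
    top_bits = adva[0] >> 6
    if top_bits == 0b11:
        return AdvAddress(pdu_type, address, "static", True)
    if top_bits == 0b10:
        # Resolvable private address: rotates (the spec's default is every
        # 15 minutes) and only a peer holding the device's IRK can link values.
        return AdvAddress(pdu_type, address, "resolvable", False)
    if top_bits == 0b00:
        return AdvAddress(pdu_type, address, "non-resolvable", False)
    raise ValueError("reserved random address sub-type")


if __name__ == "__main__":
    # Constructed packets: a public-address ADV_IND and a resolvable one.
    for pkt in (bytes([0x00, 0x06, 0xFF, 0xEE, 0xDD, 0xCC, 0xBB, 0xAA]),
                bytes([0x40, 0x06, 0xCD, 0xAB, 0x00, 0x1F, 0x3D, 0x9C])):
        print(classify_adv_pdu(pkt))
```

A device that only ever shows up as "resolvable" or "non-resolvable" gives a passive observer no stable handle; a "public" or "static" result is the case the article warns about.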
According to TraffiCatch’s manufacturer, Jenoptik, this data derived from Bluetooth is also combined with data collected from automated license plate readers, another form of vehicle tracking technology placed along roads and highways by federal, state, and local law enforcement throughout the Texas border. ALPRs are well understood technology for vehicle tracking, but the addition of Bluetooth tracking may allow law enforcement to track individuals even if they are using different vehicles.
This mirrors what we already know about how Immigration and Customs Enforcement (ICE) has been using cell-site simulators (CSSs). Also known as Stingrays or IMSI catchers, CSSs are devices that masquerade as legitimate cell-phone towers, tricking phones within a certain radius into connecting to the device rather than a tower. In 2023, the Department of Homeland Security’s Inspector General released a troubling report detailing how federal agencies like ICE, its subcomponent Homeland Security Investigations (HSI), and the Secret Service have conducted surveillance using CSSs without proper authorization and in violation of the law. Specifically, the Inspector General found that these agencies did not adhere to federal privacy policy governing the use of CSSs and failed to obtain the special orders required before using these types of surveillance devices.
Law enforcement agencies along the border can pour money into overlapping systems of surveillance that monitor entire communities living along the border thanks in part to Operation Stonegarden (OPSG), a Department of Homeland Security (DHS) grant program, which rewards state and local police for collaborating in border security initiatives. DHS doled out $90 million in OPSG funding in 2023, $37 million of which went to Texas agencies. These programs are especially alarming to human rights advocates due to recent legislation passed in Texas to allow local and state law enforcement to take immigration enforcement into their own hands.
As a ubiquitous wireless interface to many of our personal devices and even our vehicles, Bluetooth is a large and notoriously insecure attack surface for hacks and exploits. And as TraffiCatch demonstrates, even when your device’s Bluetooth tech isn’t being actively hacked, it can broadcast uniquely identifiable information that makes you a target for tracking. This is one of the many ways surveillance, and the distrust it breeds in the public over technology and tech companies, hinders progress. Hands-free communication in cars is a fantastic modern innovation. But the fact that it comes at the cost of opening a whole society up to surveillance is a detriment to all.
Google is adding a new feature to Google Chrome that allows publishers to add video chapters to videos embedded on websites, similar to how chapters work on YouTube. [...]
While the title is technically correct, this is just Chrome adding support for a W3C standard. The title makes it sound like Google are implementing their own proprietary technology, which would be terrible for the open web.
ATT&CK v15 Brings the Action: Upgraded Detections, New Analytic Format, & Cross-Domain Adversary Insights
v15 is all about actionability and bringing defenders’ reality into focus — we prioritized what you need to detect, and how you can do it more effectively with detection engineering upgrades, and deeper intelligence insights across platforms. This release also reflects the new expansion rhythm, balancing both well-known and emerging behaviors to reflect how trends and activity are experienced in the field.
With v15 we were aiming for the perfect balance of familiar behaviors you’ve probably seen countless times (e.g., T1027.013: Obfuscated Files or Information: Encrypted/Encoded File, T1665: Hide Infrastructure), as well as newer, emerging trends. The shadowy domain of Resource Development was expanded to illuminate how adversaries are using generative artificial intelligence tools, like large language models (LLMs), to support various malicious activities (T1588.007: Obtain Capabilities: Artificial Intelligence). And it’s not just about gaining initial access anymore — we added T1584.008: Compromise Infrastructure: Network Devices to capture how threat groups are hacking into third-party network devices, including small office/home office routers, to use these devices to facilitate further targeting.
Cloud | More Actionability
As outlined in the ATT&CK 2024 Roadmap, we’re striving to make the Cloud matrix more approachable for defenders of all skill levels. With this release, we focused on providing a broader set of defensive measures, resources, and insights for CI/CD pipelines, Infrastructure as Code (IaC), and Identity. v15 features new mitigations and data sources on token protection, along with more specific references to Okta logs. T1072: Software Deployment Tools was expanded to include broad execution of T1651: Cloud Administration Command, reflecting how threat actors are turning cloud native tools like AWS Systems Manager into remote access trojans.
What’s Next: v16 will feature robust identity and detection updates, as well as the platform rebalancing operations, where we’re focusing on covering a wider range of cloud environments and threats, while making it more intuitive to prioritize techniques relevant to a specific platform.
You’ll find expanded detections in v15 to assist your detection engineering. Previously, we structured our analytics in a pseudo-format that was consistent with the Cyber Analytic Repository (CAR). In some cases this was hard to understand.
In v15, we transformed that format into a real-world query language style (like Splunk) that is compatible with various security tools. These upgrades are featured in detections across the framework including some techniques within the Execution tactic.
Our aim with these upgrades is to make clear that the data source itself is the data you should be collecting, and to provide an understandable format that pairs well with everyday defender tools (i.e., SIEMs and sensors).
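The Cloud section's note about AWS Systems Manager being turned into a remote access tool (T1651) and the query-style analytics described here meet in the following added example, which is not an ATT&CK analytic or MITRE code: a T1651 detection written in Python over constructed CloudTrail records, with the approved automation role, account id, ARNs, IPs and instance ids all assumed for the illustration.

```python
# Added example, not an ATT&CK analytic: a T1651 (Cloud Administration Command)
# detection over constructed CloudTrail records, flagging AWS Systems Manager
# remote-execution calls outside an approved automation role. Field names follow
# CloudTrail's JSON schema; the account id, ARNs, IPs and instance ids are made up.
import json

# Assumption: the org's change-management data names its automation principals.
APPROVED_PRINCIPALS = {"arn:aws:iam::111122223333:role/PatchAutomation"}
# SSM calls and documents that give the caller arbitrary command execution.
EXEC_EVENTS = {"SendCommand", "StartSession"}
SHELL_DOCUMENTS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}

# Constructed sample log lines, trimmed to the fields the analytic reads.
SAMPLE_EVENTS = [
    '{"eventSource":"ssm.amazonaws.com","eventName":"SendCommand",'
    '"userIdentity":{"arn":"arn:aws:iam::111122223333:role/PatchAutomation"},'
    '"sourceIPAddress":"10.0.1.5","requestParameters":{"documentName":'
    '"AWS-RunPatchBaseline","instanceIds":["i-0a1"]}}',
    '{"eventSource":"ssm.amazonaws.com","eventName":"SendCommand",'
    '"userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-intern"},'
    '"sourceIPAddress":"203.0.113.7","requestParameters":{"documentName":'
    '"AWS-RunShellScript","instanceIds":["i-0a1","i-0a2","i-0a3"]}}',
    '{"eventSource":"ssm.amazonaws.com","eventName":"StartSession",'
    '"userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-intern"},'
    '"sourceIPAddress":"203.0.113.7","requestParameters":{"target":"i-0a1"}}',
    '{"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances",'
    '"userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-intern"},'
    '"sourceIPAddress":"203.0.113.7"}',
]


def find_suspicious_ssm(raw_events):
    """One alert per SSM execution call made by an unapproved principal or
    using an arbitrary-shell document / interactive session. Rough SPL shape:
    eventSource=ssm.amazonaws.com eventName IN (SendCommand, StartSession)"""
    alerts = []
    for line in raw_events:
        ev = json.loads(line)
        if ev.get("eventSource") != "ssm.amazonaws.com":
            continue                      # data source filter: SSM API calls
        if ev.get("eventName") not in EXEC_EVENTS:
            continue
        arn = ev["userIdentity"]["arn"]
        params = ev.get("requestParameters") or {}
        doc = params.get("documentName")
        unapproved = arn not in APPROVED_PRINCIPALS
        arbitrary = doc in SHELL_DOCUMENTS or ev["eventName"] == "StartSession"
        if not (unapproved or arbitrary):
            continue                      # routine, approved automation
        targets = params.get("instanceIds") or [params.get("target")]
        alerts.append({"principal": arn, "event": ev["eventName"], "document": doc,
                       "source_ip": ev.get("sourceIPAddress"),
                       "targets": sorted(t for t in targets if t)})
    return alerts
```

The first sample record (the patch role running AWS-RunPatchBaseline) is the baseline the analytic must stay quiet on; the two dev-intern records are what a SIEM rule in this shape would raise.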
We have also synced up some mitigations within the parent-to-sub-technique relationship. Our team analyzed a list of sub-techniques that had mitigations the parent technique did not have. In v15, you will find that some parent techniques now reflect the mitigations seen in their sub-techniques.
What’s Next: As we gear up for October, we’ll be completing the Execution detections, refining Credential Access detections, diving into Cloud analytics, and restructuring our data sources for better accessibility.
ICS | Cross-Domain Campaigns
We’ve been working to retrofit major incidents in the ICS space to improve understanding and showcase how ICS and enterprise techniques intersect in each event. v15 illuminates some of the ICS-Enterprise integration efforts, with the release of four cross-mapped campaigns:
· Starting with Triton, the Safety Instrumented System attack of 2017 that shook the petrochemical industry to its core.
· Then there’s C0032, a campaign spanning various utilities from 2014 to 2017, often grouped with the petrochemical incident but distinctly different in nature.
· Next up, Unitronics, a spree that zeroed in on specific devices and impacted utilities and organizations worldwide. This campaign saw adversaries disrupting device interfaces to make them unusable for end users.
· Fast forward to 2022 Ukraine Electric Power, where we witnessed a glimpse into the future of ICS attacks, with hypervisor features and shared domain access exploited to infiltrate ICS systems and unleash havoc. The campaign highlights key considerations regarding hypervisor usage across multiple domains, and the abuse of native features in vendor software.
What’s Next: v16 will launch ICS sub-techniques, along with a structured cross-walk to enable mapping between deprecated and new techniques. We’ll also be releasing new asset coverage and updates on our exploration into incorporating more sectors into the ICS matrix.
Mobile | New Techniques, Software, Groups & Mitigations
We added Mobile techniques to existing Groups and Software to illuminate the shift to include mobile exploitation. This includes building out the APT-C-23 (G1028) profile, mirroring this South American threat group’s targeting of Android and iOS devices, and recording how BITTER (G1002) has distributed malicious apps via SMS, WhatsApp, and various social media platforms.
What’s Next: In the coming months, we’ll be rolling out more structured detections, and boosting proactivity across Mobile by evaluating incorporation of pre-intrusion techniques, like active and passive reconnaissance, and acquiring or developing resources for targeting.
Cyber Threat Intelligence | More Cybercriminal, Underrepresented Groups
We’re working towards better reflecting the threat landscape by infusing the framework with more cybercriminal and underreported adversary activity. This release showcases new cybercriminal operations and highlights Malteiro, a criminal group believed to be based in Brazil. They are known for operating and distributing the Mispadu/URSA banking trojan through a malware-as-a-service model. Banking trojans, a notorious threat in Latin America, are increasingly spreading their chaos across borders, courtesy of malware developers selling tools to overseas operators. Malteiro’s operations exemplify this targeting shift, evident in a recent campaign affecting European entities across various sectors.
What’s Next: We’ll continue conducting thorough assessments of Groups, Software, and Campaigns to up the framework realism quotient and provide clearer insights into adversary activities. We’re also teaming up with ATT&CK domain leads to expand coverage of cross-domain intrusions.
Software Dev | TAXII 2.1, FTW
We’ve been working towards our goals of enhancing Navigator’s usability and streamlining processes for ATT&CK Workbench. Most importantly, we’re taking our TAXII server to new heights, and by December 18, we’ll be retiring the TAXII 2.0 server and transitioning to the upgraded TAXII 2.1 version. You can locate the documentation for the TAXII 2.1 server in our GitHub repository.
What’s Next: We’ll be continuing to enhance usability on ATT&CK Workbench and Navigator, and building towards swifter Groups and Software releases. Mark your calendars to update the URLs for TAXII 2.1 clients to connect to https://attack-taxii.mitre.org instead of https://cti-taxii.mitre.org!
In Conclusion | Field Reports, Benefactors
We’re always on the lookout for field reports and insights from those of you on the ground. Your observations play a crucial role in improving ATT&CK’s tactical utility — so remember, if you see something, contrib something. Curious about how a contribution becomes a technique? Check out our video that walks you through the process.
If you’re interested in contributing to ATT&CK’s overall autonomy, flexibility, and free services, you can find more details on our Benefactor page. We are deeply grateful to our initial cohort of benefactors, SOC Prime, Tidal Cyber, and Zimperium, for their generous support.
ATT&CK v15 Brings the Action was originally published in MITRE ATT&CK® on Medium, where people are continuing the conversation by highlighting and responding to this story.
In high-income countries, Nestlé brand baby foods have no added sugars in them, in line with recommendations from major health organizations around the world and consumer pressure. But in low- and middle-income countries, Nestlé adds sugar to those same baby products, sometimes at high levels, which could lead children to prefer sugary diets and unhealthy eating habits, according to an investigation released recently by nonprofit groups.
The investigation, conducted by Public Eye and the International Baby Food Action Network (IBFAN), says the addition of sugars to baby foods in poorer countries, against expert recommendations, creates an "unjustifiable double standard." The groups quote Rodrigo Vianna, an epidemiologist and professor at the Department of Nutrition of the Federal University of Paraíba in Brazil, who calls added sugars in baby foods "unnecessary and highly addictive."
"Children get used to the sweet taste and start looking for more sugary foods, starting a negative cycle that increases the risk of nutrition-based disorders in adult life," Vianna told the organizations for their investigation. "These include obesity and other chronic non-communicable diseases, such as diabetes or high blood-pressure."
Mycelial fermentation leader MycoTechnology announces significant progress in scaling production and ensuring the safety of the first-ever honey truffle sweetener.
The new product, made from a sweet protein found in honey truffles discovered only a year ago, is described as a game-changing alternative to sugar and artificial sweeteners. It has a clean taste profile and is 1000 to 2500 times sweeter than sucrose.
Leveraging precision fermentation, MycoTechnology claims to have successfully scaled production from a lab bench to 3000 L tanks. Moreover, according to the announcement, the company’s team is improving production and developing efficient strains to make the honey truffle sweetener economically competitive with similar products.
Ranjan Patnaik, MycoTechnology’s CTO, comments, “Our team has achieved remarkable results, exceeding initial expectations for speed of scale-up, mechanistic understanding of the protein, sensory characterization, and applications development with industry partners.
“This progress is a reflection of Myco’s unique ability to integrate discovery with commercial development to quickly create innovative, impactful solutions from nature.”
Safe sweetness without sugar
Recent safety evaluations have confirmed the product’s safety and digestibility, demonstrating that the protein is non-allergenic, non-toxic, and fully digestible by the human GI tract.
Moreover, in silico analysis has indicated that the molecule has minimal potential for adverse effects beyond sweetness, as it breaks down into amino acids commonly found in other protein sources like chicken.
MycoTechnology says it is working on regulatory submissions in key global jurisdictions. With a worldwide patent portfolio and interest from major industry partners, the company says it is poised to impact the future of sweeteners and sugar reduction with its game-changing product.
Fungi and fermentation
MycoTechnology, founded in 2013 in Aurora, Colorado, utilizes advanced fermentation technology to produce innovative mushroom-based ingredients. With $220 million in funding from various investors, the company has launched an 86,000 sq ft facility and offers products like FermentIQ plant proteins and the mycelium-derived flavor modulator ClearIQ — the star ingredient of the sugar-free sweet dark chocolate bar Macalat.
Sue Potter, Senior Director of Regulatory Affairs at the company, shares: “Following global best practices in partnership with world-class industry experts, our findings suggest that honey truffle sweetener is likely to be an ideal general-purpose sweetener for foods and beverages. We’re confident in the results we’ve received so far, and we’re on track for regulatory submissions in key global jurisdictions.”