Windows CE — an operating system that, despite being out for 27 years, never had an official explanation for why it was called “CE” — finally reached its official end-of-life period this week. 

This was Microsoft’s first operating system for embedded and pocket devices, making an appearance on personal pocket assistants, some of the first BlackBerry-likes, laptops and more during its lifetime.  

In 2020, Microsoft announced a clear migration path for devices using Windows CE and warned of its impending end-of-life (meaning there’d be no more support, security patches, etc.) by telling users to run a container on top of Windows 10 IoT. 

However, Microsoft says it will continue license sales for Windows Embedded Compact 2013 (the last time Windows CE received a full version update until 2028). I’ve written before about the dangers of people thinking it’s cool to still run Windows 7, which was already a surprise to me, but then by reading more about Windows CE this week, I found that some of the most important hardware the U.S. relies on still use Windows CE: voting machines. 

A Windows CE phone was at the center of the “Hillary Clinton emails” drama during the 2016 presidential election, and since then, security researchers have found that some voting machines using Windows CE are vulnerable to various exploits.   

I found one DEF CON 25 attendee in 2017 who went to the conference’s first-ever “Voting Village” where researchers poked and prodded various voting systems, including the ExpressPoll 5000 voter registration system that used Windows CE 5.0. Needless to say, the ExpressPoll 5000 didn’t stand a chance. 

I couldn’t find any information on if there are still any ExpressPoll 5000s in the wild, but the Maryland State Board of Elections was still accepting the devices into their pool of devices that could be certified to be used in elections with an “acceptance test” as of 2016. 

Other Diebold voting machines used in the 2016 presidential election also ran outdated versions of Windows CE. (Vice News had a video segment on this topic that’s since been scrubbed from the internet, but there’s a great written recap of the segment here.)  

Again, there is no real proof that these systems are still being used in the wild. After the security concerns stemming from the 2016 election, the U.S. took a much tougher look at election security and continues to invest heavily in more secure voting machines, so there’s a possibility these devices are all now out of service, patched, or hopefully just buried in a ditch somewhere.  

But it does get to a larger point, that a lot of the technology our government relies on is *old*. Many voting systems used in the 2020 presidential election relied on Windows 7, which also is now at its end-of-life and isn’t receiving any security updates. Support for Windows 8.1 ended at the beginning of this year, and who knows what devices are floating out there still using versions of that OS, and Windows 10 will reach its end-of-life period in October 2025, so by the time we get to the 2028 election (I can’t even fathom that as a real year still), I suspect we’ll be seeing lots of stories of all the voting devices relying on that.  

The one big thing 

The Arid Viper threat actor is actively trying to install spyware on targeted devices in the Middle East, using fake dating apps as lures. Although Arid Viper is believed to be based out of Gaza, Talos has no evidence indicating or refuting that this campaign is related in any way to the Israel-Hamas war. The malicious apps Arid Viper uses are very similar to other legitimate apps, so it’s fairly easy for an unsuspecting user to get hit.  

Why do I care? 

Spyware is very dangerous no matter how you twist it, but in this particular case, Arid Viper’s spyware collects the target’s sensitive personal information off their devices and disables security notifications so the actor can install more malware. The use of spyware across the globe continues to be a major issue that governments have had a hard time reigning in (and sometimes the governments themselves are the ones using it). 

So now what? 

Our blog post has more details on the malicious apps being used in this campaign, so potential targets know what to be on the lookout for. We also have several new IOCs available for defenders to add to their blocklists. Potentially sensitive targets like politicians, journalists or activists may want to enable “safe” modes on their mobile devices, which can help protect against all types of spyware.  

Top security headlines of the week 

U.S. President Joe Biden signed a sweeping Executive Order this week attempting to regulate the use of AI and put several privacy safeguards in place. The order also calls on Congress to pass national AI privacy legislation. Under the new rules, leading AI developers will need to share safety test results and other information about their software with the government. The National Institute of Standards and Technology will also create new standards to ensure AI tools are safe and secure before they’re publicly released. Federal agencies will now also need to change the way they use AI, with the hopes that the private sector will follow suit. Federal benefits programs and contractors will need to ensure that any AI tools they rely on do not deepen any racial biases in their activities. However, privacy experts only view the Executive Order as a small first step that needs to be augmented by national legislation and enforcement. (AP News, ABC News) 

The U.S. government is preparing for an influx of Iranian-backed cyber attacks in retaliation for the U.S.’ support of Israel in its war against Hamas. FBI Director Christopher Wray told a Congressional committee this week that, “The cyber targeting of American interests and critical infrastructure that we already see conducted by Iran and non-state actors alike we can expect to get worse if the conflict expands.” New research also indicates that Iranian threat actors have carried out a range of cyber espionage activities across the Middle East, looking to collect sensitive intelligence and disrupt important services. There may be up 15 different hacking groups affiliated directly with, or serving as a proxy for, the Iranian Revolutionary Guard Corps or the Iranian Ministry of Intelligence. (Politico, The New York Times) 

Cloud computing company Citrix is warning of the mass exploitation of a critical vulnerability in its NetScaler ADC/Gateway devices. Known as “Citrix Bleed,” CVE-2023-4966 is an information disclosure vulnerability that could allow attackers to steal valid session tokens from internet-facing Netscaler devices running vulnerable software. Citrix disclosed the vulnerability on Oct. 10, warning users to update affected devices immediately. However, security researchers soon found that attackers had been exploiting the vulnerability since August. Researcher Kevin Beaumont reported on his personal social media channels that he found an estimated 20,000 instances of exploited Citrix devices where session tokens were stolen. (HelpNet Security, Ars Technica) 

Can’t get enough Talos? 

• Beers with Talos Ep. #140: Chicken Soup and Contact Centers 
• Talos Takes Ep. #160: Patching 101 
• Cisco Talos Incident Response On Air for Q3 2023 
• Arid Viper Campaign Targets Arabic-Speaking Users 
• Kazakhstan-based hackers targeting gov’t websites in Central Asia, Cisco says 

Upcoming events where you can find Talos 

Black Hat Middle East and Africa (Nov. 16) 

Riyadh, Saudi Arabia 

Rami Atalhi from Talos Incident Response will discuss how generative AI affects red and blue teams in cybersecurity. Discover how generative AI creates a bridge between these teams, fostering teamwork and innovative strategies. Real-world cases will demonstrate how generative AI drives success, providing insights for building resilient cybersecurity plans. 

misecCON (Nov. 17) 

Lansing, Michigan 

Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines. 

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 21d709b0593c19ad2798903ae02de7ecdbf8033b3e791b70d7595bca64b99721 
MD5: af8a072f20c8e647f53eb735528f070d 
Typical Filename: Head Office.exe 
Claimed Product: Head Office 
Detection Name: Win.Dropper.Pykspa::100.sbx.vioc 

SHA 256: 032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe 
MD5: a5cc0738a563489458f6541c3d3dc722 
Typical Filename: wuauclt.exe 
Claimed Product: Microsoft® Windows® Operating System 
Detection Name: Win.Dropper.Vools::100.sbx.tg 

SHA 256: 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7  
MD5: 0e4c49327e3be816022a233f844a5731  
Typical Filename: aact.exe  
Claimed Product: AAct x86  
Detection Name: PUA.Win.Tool.Kmsauto::in03.talos 

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c    
MD5: a087b2e6ec57b08c0d0750c60f96a74c    
Typical Filename: AAct.exe    
Claimed Product: N/A      
Detection Name: PUA.Win.Tool.Kmsauto::1201 

SHA 256: b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59 
MD5: 3b100bdcd61bb1da816cd7eaf9ef13ba 
Typical Filename: vt-upload-C6In1 
Claimed Product: N/A  
Detection Name: Backdoor:KillAV-tpd