DRC army warns all those transmitting un substantiated information and those promoting rebellious activities in FIZI,UVIRA and MWENGA in South kivu

The Armed Forces of the DRC (congolese) denounce and guard the armed groups of mainly ethnic origin which operate under the unacceptable pretext of self-defense and which broadcast, in social media, unsubstantiated information against the Armed Forces with the aim to
tarnish their image and reputation in national and international opinion.
In a statement signed by their spokesperson, General Major Leon Richard Kasonga, the FARDC explains that unlike the lies of these armed groups sponsored and manipulated by politicians in a bad position that the Armed Forces defend the cause of certain communities in To the detriment of others in the territories of Mwenga, Uvira and Fizi in South Kivu, it is " in fact these uncommitted, members of the same ethnicity, supported by some army deserters who formed a rebellion and attacking both other local communities as well as the Armed Forces ".
The congolese remind, in the same statement, that they are a Republican, non-political army and are at the service of the entire nation. To this end, they include members of all the communities in the DRC without exclusive.
The press release also reminds the army's mission of defending the integrity of the national territory and borders while participating in the protection of people and their property.
The congolese are working with the international community represented by the for the performance of their sovereign mission mentioned above in South Kivu as well as in other provinces such as Ituri also in the face of community conflicts.
To this end, the congolese have the mission to impose peace and track down all armed groups that sow destruction among the civil population, who attack state symbols and refuse to drop weapons, pounding the spokesperson of the State and refuse to drop weapons. congolese in the press release.
While reaffirming their warning not only against the authors of the criminal acts but also against those who broadcast information from Divisionists, separatist, ethnicistes and malicious, the congolese reserve the right to bring to justice the authors and co-sponsors of these information dangerously threatening national unity.

An isreali scientist discovered a reusable face mask that kills Covid19 virus.

A reusable face mask that can kill COVID-19 with heat by drawing power from a mobile phone charger has been invented in Israel, Reuters reported, citing local scientists.
The report says that the new mask has a "USB port that connects to a power source such as a standard cellphone charger that heats an inner layer of carbon fibres to up to 70 degrees Celsius (158 degrees Fahrenheit), high enough to kill viruses".
The sterilising process takes about 30 minutes, and "users should not wear the mask while it is plugged in", Professor Yair Ein-Eli, who led the research team at Technion University in Haifa, told Reuters.
According to the scientists, the mask will probably cost about $1 more than a typical disposable face mask.
The researchers reportedly submitted a patent for the mask in the United States in late March and have been discussing commercialising the product with the private sector.
The number of confirmed cases of COVID-19 worldwide has surpassed 8.1 million, with more than 441,000 deaths and over 3.9 million recoveries, Johns Hopkins University data shows.

Computer security: Boot guard validation.

EFI_STATUSBootGuardPei(EFI_PEI_SERVICES **PeiServices, VOID *Ppi)
{
    ...
Status = GetBootMode ();
    if ( EFI_ERROR( Status ) ) {
        return   Status;
    }
...
if ( (BootMode == BOOT_IN_RECOVERY_MODE) || (BootMode == BOOT_ON_FLASH_UPDATE) || BootMode == BOOT_ON_S3_RESUME) {
        return   Status;
    }
BootGuardVerifyTransitionPEItoDXEFlag = 0;
    ...
CalculateSha256(BootGuardHashKeySegment0);
    CalculateSha256(CurrentBootGuardHashKey0);
if ( !MemCmp(BootGuardHashKeySegment0, CurrentBootGuardHashKey0, 32) ) {
        BootGuardVerifyTransitionPEItoDXEFlag = 1;
    } else {
        BootGuardVerifyTransitionPEItoDXEFlag = 0;
        return   EFI_SUCCESS;
    }
    if ( !((BootGuardHashKeySegment1 == 0) {
        CalculateSha256 (BootGuardHashKeySegment1);
        CalculateSha256 (CurrentBootGuardHashKey1);
if ( !MemCmp(BootGuardHashKeySegment1, CurrentBootGuardHashKey1, 32) ) {
            BootGuardVerifyTransitionPEItoDXEFlag = 1;
        } else {
            BootGuardVerifyTransitionPEItoDXEFlag = 0;
            return EFI_SUCCESS;
        }
    }
return   Status;
}

EFI_STATUS BootGuardDxe(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable)
{
    ...
if ( BootGuardSupported() == FALSE ) {
        return   EFI_SUCCESS;
    }
...
BootMode  = GetBootMode();
    if ( (BootMode == BOOT_IN_RECOVERY_MODE) ||
(BootMode == BOOT_ON_FLASH_UPDATE) ) {
        return   EFI_SUCCESS;
    }
...
if ( BootGuardVerifyTransitionPEItoDXEFlag == 0 ) { BootGuardRegisterCallBack();
    }
return   EFI_SUCCESS;
}

SMM and your computer boot security;How to break into the CPU last security gate!!!!

What is SMM
While you probably know Ring 3 (user mode), Ring 0 (kernel mode) and Ring -1 (hypervisor mode) SMM is referred as ring -2. SMM is actually the most privileged execution on the main x86 CPU which means that the CPU might interrupt at any moment and switch to SMM execution mode.
SMM code loaded to special protected memory region– SMRAM so when the PC boots the SMM drivers, which are part of the UEFI image and stored on the SPI flash, are loaded to SMRAM. Once SMM drivers are loaded to SMRAM, this region is locked and the memory controller cannot access these addresses unless the CPU is in SMM mode. From this point SMM world is parallel to OS execution and there is no way to change SMM code after your PC finishes the ‘bios’ boot. SMM drivers have some different purposes but mainly responsible for propriety CPU and chipset configurations, mother board manufacturer code, secured operations such as setting secure boot hashes, TPM configurations and power management.
While the CPU switches to SMM it starts the execution inside SMRAM at SMBASE + 0x8000. SMBASE value is set at boot process and is saved internally in CPU MSR register which is accessible only from SMM mode. Each CPU core has its own SMBASE value because each core needs its own saved state data at constant offset from SMBASE. SMM execution starts in 16 bit real mode and very quickly changes to long mode 64 bit. Usually the main flow of SMM execution consists of Interrupt Dispatcher which calls the relevant SMI handler for this SMM interrupt, the most common SMM interrupt is software interrupt which can be triggered only from kernel code by writing the SMI number to APMC I/O port. It is important to note that when CPU switched to SMM the current state (registers and more) is saved to SMM State Save area which exists for each CPU core. SMM State Save area resides at SMBASE+0xFE00 and as said before each core has slightly different SMBASE.
When code executes in SMM the whole physical memory is accessible and nothing can stop you from overwriting critical data in kernel or hypervisor physical pages. SMM code acts as it is kind of mini OS -it has I/O services, memory allocation services, ability to allocate private interfaces, SMM interrupts management, events notifications and more.
To summarize- SMM code is the most privileged executed code on the CPU, the code is completely hidden from the running operating system, it cannot be modified by kernel and even by DMA devices and most important SMM code can access any physical memory.
Reversing the vulnerable SMM module
My research was done by static manual reversing so we will see the details of each step at my progress. The vulnerable module meets perfectly my first criteria for SMM bugs hunting — it implements SMI (SMM interrupt) handler which can be triggered from OS kernel code. To show the different SMM drivers from UEFI image it is best to use UEFITool, when you open the image you will see about 40 SMM drivers and each SMM driver has its dependencies. These dependencies are actually interfaces that must be already installed when SmmCore driver needs to decide who is the next SMM driver to be loaded to memory. One of such dependencies is EfiSmmSwDispatch2ProtocolGuid which is used to register SMI handler. So just by statically looking at the dependencies you can guess that this driver registers and handles SMM interrupt. To be sure if it indeed registers SMI handler you need to dump the whole SMRAM area and look for a linked list with header ‘DBRC’ or ‘SWSM’ or ‘SMIH’, each node in the list contains the SMI number and SMRAM address of the handler. The problem is that there is no way to dump SMRAM but only with a physical hardware debugger.
One of the modules that use EfiSmmSwDispatch2ProtocolGuid is SmiVariable driver. This driver’s general purpose is to update specific UEFI variables from SMM code. UEFI variables are several dozens of usually persistent variables that are stored directly on the SPI flash where the UEFI image is stored. These UEFI variables store different information such as OS configuration, TPM configuration, Secure Boot keys and hashes and some of these variables can be set directly from Windows OS or as in our case from SMM code.
The main driver entry point calls the Init_SMI_Handler function.
Init_SMI_Handler function gets a pointer to the EfiSmmSwDispatch2 interface and registers SMI handler 0xEF. SMI 0xEF handler implements a wrapper logic for setting/getting data to/from UEFI variable. As you can see in the next figure the handler gets a pointer to EFI_SMM_CPU_PROTOCOL and reads from the CPU ‘saved state’ the value of register RSI. This RSI value is totally attacker controlled and is set in kernel code just before SW SMI is triggered by writing to APMC I/O port 0xB2.
After this, the handler gets a pointer to EfiSmmVariable interface which is the main interface that stores/reads data to/from UEFI variables. There is some strange flow done by calling a function pointer with RSI value as argument but the function pointer is NULL so the flow skipped.
RSI value from previous step is used as a pointer to a buffer which holds at offset 0x1 “operation selection id” and at offset 0x4 a pointer to a struct of arguments for set/get a UEFI variable. If offset 0x1 equals to “1” then the flow will read data from UEFI variable.
In the next figure you can see how read data from UEFI variable is done -the previously obtained pointer to EfiSmmVariable_Interface is used to call SmmGetVariable() with arguments supplied as a struct pointed by the value in RSI+0x4.
SmmGetVariable function called
As you can see the values (pointers) from the ArgsStruct are used directly “as is” without any validation. SmmGetVariable function has a simple task it uses the ArgsStruct values to find the correct variable then read its data and then store the data in a buffer. All these values are attacker controlled because RSI register value is also attacker controlled, we will see full details in the pre-exploitation step.
From vulnerability to exploitation -HVCI bypass
So till now we got 3 important steps:
1. We control the value of RSI register because it is saved in CPU SMM ‘state save’ area and being read by SMI handler 0xEF when the SMI is triggered.
2. Because RSI points to a buffer which points to ArgsStruct we actually control all the arguments for the SmmGetVariable() function.
3. No validations are done on RSI value or on the inner pointers in the buffer that RSI is pointing to.
At this moment if an attacker is able to set its own value (shellcode) in a UEFI variable and control the destination buffer of SmmGetVariable() this is a game over situation because it will allow to write our shellcode to SMRAM.
Luckily steps 1+2+3 exactly suit for a perfect exploitation.
Pre Exploitation — building write primitive:
1. Prepare “config buffer” with offset 0x1==1 and offset 0x4==address of “Args Struct” which will be 0x810 at my exploitation. I will put the “config buffer” at physical memory 0x800 which is on most PCs an empty area.
2. Prepare “Args Struct” buffer starting from physical memory 0x810. At offset 0x0==variable GUID; offset 0x10==address of variable name (0x850); offset 0x14=0; offset 0x18==address of data size(0x830); offset 0x1c==address of destination buffer(0x840).
3. At location 0x850 put your variable name in Unicode, I will use “SmmRootkit”. At location 0x830 put your shellcode size. At location 0x840 put your destination address in SMRAM where the shellcode will reside.
4. From Userspace use Windows API SetFirmwareEnvironmentVariable() to create new UEFI variable named “SmmRootkit” and its value set to your favorite shellcode.
5. Trigger SMI handler 0xEF by writing to I/O port 0xB2. We will need to trigger the SMI with an RSI register value controlled by us. RSI must point to the “config buffer”-0x800 at this example.
Pay attention that RSI must be set just before writing to the I/O port.
If you follow these steps the result is a generic write what where primitive that allows you write any data to SMRAM. As you might remember there is no way to write to SMRAM once it is locked during boot. In my example the vulnerability exists in SMM code so it can definitely write to SMRAM.
HVCI bypass Exploitation
Once we have a write primitive to SMRAM we are close to game over. But first of all what is HVCI?
I will not dive here in to details because it is a whole huge topic to discuss, but generally what you need to know is:
1. In the last years Windows moved its security to VBS — virtualization based security.
2. VBS uses Windows hypervisor (Hyper-V) to create 2 worlds Normal(vtl0) + Secure(vtl1).
3. Hyper-V manages the two worlds and works closely with the main CPU(VM instructions) .
4. In such a design we get isolation between worlds of sensitive and critical functionality such as HVCI, CredentialGuard and more.
5. The kernel that manages VTL1 is Securekernel which runs in ring0 VTL1, SecureKernel has limited system calls and is about 90% less in size than regular Kernel.
6. HVCI main security boundaries:
Any code that is loaded to Kernel must be signed otherwise it will not execute.
There is no possibility to allocate RWX pages in Kernel.
There is no possibility to add W attribute to RX (code) page.
7. HVCI uses EPT (extended page table) which maps all OS “physical addresses” to real system physical addresses. This means that page permissions (R/W/X) are stored not only in the OS page table but also in EPT. EPT is maintained by hypervisor and there is actually no way to change EPT from user or kernel mode.
8. As a result, every violation in kernel page permissions will be caught immediately because OS page permission will differ from the permissions of the same page in EPT.
Now let’s say that VTL0 kernel asked for some security checks from VTL1 before it will start executing kernel code. One possibility to attack the design is to run malicious code in VTL0 kernel space (not a trivial task at all) and change the security results that came from VTL1. In such scenario HVCI will stop the attack because the page permission in EPT will remain Write or eXecute — you cannot allocate RWX page at all and if you allocate RX page and add Write afterwards, still in EPT it will remain RX. As a result HVCI will not allow code execution on this kernel page.
The only way to run kernel malicious code is to find the attacked page (PTE) in EPT and change the permission to RWX but as you already know you cannot access EPT from user/kernel mode.
In my example, HVCI will be running and I will write and execute shellcode to an existing read only page inside ACPI.sys driver module.
How is it possible?
Here comes the power of SMM-from SMM code you can access any physical page and thus you can change EPT, but one problem still exists you don’t know where is EPT located. Here SMM also helps us because each time CPU switches to SMM it saves in “state save area” (SMBASE+0xFE00) a pointer to VMCB Physical Address and inside VMCB we have the physical address of EPT. SMBASE address is the same at each boot and across same PCs so simple SMM shellcode can find the physical address of EPT, on AMD architecture –
1. VMCB address = SMBASE+0xFE00+OffsetTo(VMCB Address)
2. EPT address = VMCB address+0xB0
Exploitation Steps SMM shellcode
1. The shellcode will get EPT physical address from VMCB+0xB0.
2. Use OS physical address of the attacked page (see bullet 3 next section) to parse the EPT and find the corresponding page permissions in EPT. This is very similar to the standard page table walk CR3->PML4->PDPT->PD->PT. Pay attention i had 2MB pages so the walk is slightly different.
3. Change the permission from R to RWX.
Exploitation Steps Windows OS
Make sure HVCI is enabled and running. At this exploit I will use private read/write primitives to kernel but this is out of scope because we are dealing with ring 0 to ring -2 privilege escalation.
1. I will get kernel virtual address of .rdata page from the ACPI driver at offset 0x7E100 (build 19H2 November 2019). This page is with (R)ead only permissions and has some empty space for a short “hello SMM rootkit” shellcode.
2. I will get this page PTE and change page permissions to RWX using a write primitive to kernel. Windows has an array of all PTEs at a specific address which is called PTE_BASE. This value is randomized but you will see how to get this value in the POC. Once you have PTE_BASE your PTE will be at offset Page VirtAddrss / 2⁹, this because each page table (2¹² size) maps 2MB of virtual memory(2²¹ size).
3. Change permissions in PTE from R to RWX. Also from the PTE get the physical address of the page and use it in the SMM shellcode when parsing the EPT.
4. I will use a kernel write primitive to write simple “hello SMM rootkit” assembly to the kernel page from step 1.
5. Use the SMRAM write primitive, as described in the pre-exploitation section, and write the SMM shellcode so you overwrite any SMI handler of your choice, let’s say SMI 0x30.
6. Trigger SMI 0x30 by writing the value 0x30 to APMC I/O port 0xB2.
7. From now the kernel page from step 1 is marked RWX also in EPT.
8. Call yours “hello SMM rootkit” shellcode from step 4 and it will execute. Use DbgView from SysInternals to see the print from kernel.
9. HVCI bypass succeeded — we wrote and executed our shellcode to Read only page.
In case you wondered, if you just changed to page permissions from R to RWX without using the SMM shellcode to update EPT, the result when execution happens would be BSOD with unrecoverable Exception.

Conclusion and possible mitigation
The root cause of this SMM vulnerability is in lack of checks on the destination buffer address when calling SmmGetVariable() in SMI handler 0xEF. As a result attacker achieves generic write primitive to the most protected memory, SMRAM, and from now code execution in SMM is a trivial task as already explained. Code execution in SMM is a game over for all security boundaries such as SecureBoot, Hypervisor, VBS, Kernel and more.
This vulnerability was fixed by adding several checks to destination buffer and other pointers such that they do not point to SMRAM regions.
During last year Windows introduced its Secured-Core PC which tries to enforce UEFI code to implement SMM monitor and audit but it will take long time to adopt these changes if at all. In the upcoming Blackhat USA 2020, Saar Amar and Daniel King will drop 2 critical vulnerabilities in the Securekernel which bypass VBS boundaries.
One of the attack vectors with code execution in SMM is writing persistent malware to the SPI flash where UEFI image exists. Such attack would be eliminated if Intel BootGuard is correctly working but it will not help in the case presented in this research because all modifications are done at runtime when boot is already finished.

Kamerhe and Jammal have been sentenced each to 20 years + 10 years of forced labor

Vital Kamerhe and Jammal Samih are each sentenced to 20 years of forced labor for the abuse of US $ 48 million for SAMIBO SARL; and 10 years of forced labor, each for hijacking at least 2 million US dollars granted to HUSMAL SARL.
Vital Kamerhe and Jean Muhima each 2 years of forced labor for hijacked $ 1,1 million for prefabricated house clearance. However his lawyer said"We are going to appeal. This judge has not done justice. He was sentenced on the basis of the elements not discussed at the hearing. He did not prove how did vital Kamerhe hijacked the money ", announces, on TOP Congo FM, Me Kabengela, lawyer of vital Kamerhe sentenced to " 20 years of forced labor and 10 years of ineligibility for " more than USD 48 m
For him, "we condemn vital Kamerhe on simple statements by Sammih Jammal and Jeannot Muhima".
Mr. Kabengela even believes that "The Court has sentenced people who have never been a member of the trial by ordering the confiscation of the funds contained in the bank accounts of Hamida Chature and Soraya Mpiana when it should have opened the debates".
The Republic covers its rights
" I do not comment on the decision of justice. She has been returned. I have no feeling. The Republic has recovered its right ", believes, for its part, Coco Kayudi.
For the lawyer of the Republic, "going on appeal is the most legitimate right" of vital Kamerhe.
UNC party is calling for calm and not too turn violent
" The party will hold a meeting to give an official position. We ask all our members and supporters to remain calm while waiting for the party's directions ", urges Totshumany Kisombe.
The speaker of the UNC / Kinshasa did not stop revealing that " we are doing very badly, but we were prepared. Justice did not elaborate the law. It's a theatre. This is a montage. We are against this condemnation. We think she was oriented ".
Reason why "we will go to all bodies at both national and international levels to demonstrate the innocence of vital Kamerhe".
In addition,vital Kamerhe,he is banned on access to public and public service, whatever the level and denial of the right to condemnation or Conditional release and rehabilitation whose purpose is to benefit the guilty of the benefits.and collection of funds into family accounts
The court also required the seizure of the funds contained in the accounts of Hamida Shakur and Soraya Mpiana as well as those of Daniel Masaro, daughter-in-law and cousin of the convicted man.
For the head of the company Samibo Jammal, in addition to his condemnation, the court decides his expulsion from Congolese territory after his sentence.
For his part, the third accused, Jeannot Muhima, is sentenced to 2 years of forced labor and the court has decided that he should be arrested immediately.
According to the procedure, convicts have 10 days to appeal.

India ready to purchase 33 MiG-29 and Su-30MKI military aircrafts under emergency order amidst border tensions with China

India and Russia have been negotiating the purchase of MiG-29 and Su-30MKI aircraft since last year. In 2019, a top-level Indian Air Force (IAF) team visited a Russian facility to check the MiG-29 fighter jets; later, it submitted a favourable report to the IAF headquarters.
The Indian Air Force (IAF) has decided to purchase 33 fighter jets from Russia under an emergency clause amid an ongoing border stand-off with China. Government sources have confirmed that the IAF has moved a proposal to the Defence Ministry for approval in which it has suggested the acquisition of 21 MiG-29s and 12 Su-30MKIs from Russia.
"The Air Force has been working on this plan for some time but they have now fast-tracked the process and the proposals expected to be worth over $800 million (INR 6,000 crore) would be placed before the Defence Ministry for its final approval next week at a high-level meeting", government sources told ANI.

The move comes after the IAF team found the price offered by Russia to be competitive. In 2008, India and Russia signed a $964 million contract for the modernisation of 62 MiG-29 twin-engine single-seat air superiority fighters (54 fighters and 8 trainers).
The IAF has also decided to expedite the purchase of additional Su-30s from Russia, which will serve as substitutes for jets which have been lost in accidents. IAF head Air Chief Marshal R.K.S. Bhadauria, in a media interaction in October 2019, confirmed that the additional Sukhoi-30MKI fighters would be built by HAL in Nasik.
“We are moving towards ordering 12 more Sukhoi-30s. Whether we need some more in lieu of aircraft that are going to get phased out from 2025 onwards… we will have to take a look later. But at the moment, 12 is what is being followed up straightaway”, Bhadauria said.
Last year, India's state-funded Hindustan Aeronautics Limited offered to produce 40 more Sukhoi-30MKI fighters at a cost of around $64 million per unit, which is lower than that of the multi-role fighter Rafale.
The IAF is facing a shortage of over 200 fighter jets in order to meet the contingencies of a two-front war with China and Pakistan. Earlier, on Tuesday, the Indian government gave additional powers to the armed forces to stock up war reserves.
Border ties between India and China have been strained for over a month and a series of high-level meetings have been conducted to resolve the border issue in the Galvan Valley, where at least 20 Indian soldiers were killed in a brutal clash with the People's Liberation Army. However, no conclusion has been reached so far.

USA's new killer ninja bomb raise fear of apparent normalisation of extrajudicial killings.

Since the US’s first drone strikes in Afghanistan in 2001, the Pentagon and CIA have gone on to use the weapons in Pakistan, Iraq, Libya, Yemen and Somalia. Last year, the Trump administration revoked the policy of disclosing the number of civilians killed in such attacks in undeclared battlefields as total strikes soared.
The deployment of precision missiles like the Hellfire R9X , the so-called ‘ninja bomb’ which features no explosives, but is packed with half-a-dozen razor-sharp blades designed to chop the enemy to pieces, is likely to cause a further increase in drone strikes, says Air Marshal (ret.) Greg Bagwell, a former Royal Air Force deputy commander.
“The less lethal the weapon the smaller the area that is exposed to danger, even if the weapon fails to guide properly,” he said, speaking to The Telegraph. “As you shrink that envelope there is the temptation to take shots in a situation you would not have been able to with a more lethal weapon.”
Bagwell’s comments came in the wake of last week’s reports on the killing of two commanders of Horas al-Din, an al-Qaeda linked group operating in a militant-occupied area of northwest Syria.
Chris Cole, director of Drone Wars UK, a UK-based NGO seeking to ban the use of armed drones, echoed Bagwell’s concerns, suggesting new weapons like the R9X increase the propensity of politicians and commanders to use them.
“This is often just a short term fix as politicians aren’t around for very long and any long term solutions, like other political or diplomatic solutions, often take many years, so they tend to opt for short term solutions,” Cole noted, adding that through drone strikes, leaders are “transferring the risk of combat from our boys to the civilians in the areas where conflict is taking place, and I think that does lower the threshold.”
Furthermore, the observer warned, militaries using so-called ‘precision’ drone strikes have been known to play up successful attacks while playing down unsuccessful ones. “We never see the images of near misses or complete misses. That feeds the Hollywood idea of air warfare where every missile hits its target 100 percent of the time.” This, Cole says, is just plain wrong. “There have been plenty of times individuals have been reported as struck, but they turn up alive, and there have been several reports of people walking away from these strikes because they haven’t been as accurate as they can be.”
According to Cole, the notion of ‘precision’ drone strikes actually only opens up areas, such as cities or towns, to potential attack.
“There’s a real possibility that these new munitions would see the further expansion of drone targeted killing, perhaps completely letting it off the leash,” the observer warned. “It’s a further normalization of the idea of extra judicial, or targeted, killing.”
Cole added that drone strikes erode traditionally defined geographic boundaries of armed conflict and national sovereignty.
It is believed, for example, that the US used a modified R9X missile in the January 4 attack which killed Iranian Revolutionary Guards commander Qasem Soleimani in Baghdad.
Soleimani’s killing “was a big step change,” according to Cole. “And if this further enables the expansion of targeted killing it is extremely worrying. We’ve seen over the last couple of years other states begin to copy the US,” he noted, pointing to a UAE drone strike against a Houthi leader in Yemen, and Turkey’s use of drones in Syria and Iraq. “This idea that you take out individuals without judicial oversight in far off battlefields is expanding rapidly,” he said.

Over the past two decades, the United States military has carried out thousands of drone strikes on targets across the Middle East, West Asia and Africa, hitting suspected terrorist targets in Afghanistan, Pakistan, Iraq, Syria, Somalia and Yemen. The numbers on civilian casualties from such attacks are hard to come by. However, according to the New America Foundation, in strikes carried out between 2004 and 2011, as many as 20 percent of the estimated 2,551 people killed were civilians or unknown persons.