Cisco’s Talos group is tracking a threat actor running what Talos calls “DNSpionage” malware against Middle Eastern targets. Lebanon and the United Arab Emirates have attracted the most attention. At least two espionage campaigns are in progress. One phishes victims with bogus job listings that induce the users to open malicious Microsoft Office documents. The other redirects the DNS of legitimate domains. Talos, which regards the unknown threat actor as painstaking and focused, has been unable to draw connections with other known threats.
Citizen Lab (and Amnesty, which is “taking legal advice”) have recently drawn attention to apparent abuse of NSO Group’s Pegasus tool by various governments. Kaspersky has noticed that another company, government vendor Negg, seems to offer an iOS implant. This suggests to Kaspersky that iOS spyware may not be as rare as hitherto generally believed (Motherboard).
The Iranian threat group Cobalt Dickens is back, and actively prospecting targets in universities. Secureworks’ Counter Threat Unit says they’re after credentials, and using familiar social engineering tactics.
Facebook’s transatlantic grilling proceeds (WIRED). Company emails Westminster seized from a third party indicate that the social network knew about and investigated Russian data harvesting as early as 2014, two years before Facebook publicly acknowledged Moscow’s interest in election meddling (Telegraph).
The big sit-down in London provided the occasion for the immodestly-titled International Grand Committee on disinformation to release its “declaration on the Principles of Law Governing the Internet.” The Committee’s nine nations want tech companies “fully answerable” to “organs of representative democracy.”