At a glance.
- Pegasus Project and alleged abuse of intercept tools.
- Insurance software provider exposes medical data.
- WooCommerce patches vulnerability undergoing active exploitation.
- Mespinoza's enhanced double-extortion play.
Pegasus Project discoveries call smartphone privacy into question.
The Washington Post reports that the Pegasus Project, a months-long investigation released yesterday and conducted by an international consortium of over seventeen media outlets, has revealed that Israeli firm NSO Group’s Pegasus surveillance software was used to hack into the smartphones of at least one thousand people -- including journalists from leading media outlets like CNN, Al Jazeera, the New York Times, and Radio Free Europe, and over six hundred politicians, numerous heads of state among them. As France 24 reports, the leak suggests widespread abuse of NSO’s spyware, which the company claims is only licensed to thoroughly vetted intelligence and law enforcement agencies and is intended to target criminals and terrorists. As the Guardian notes, the incident calls into question the highly unregulated market of surveillance software and the potential for abuse, especially for authoritarian governments seeking to repress dissenters.
Though the investigation indicates the victims were concentrated in countries known to be NSO clients, NSO insists the data are not connected to them and has vowed to investigate the scandal. NSO’s chief executive Shalev Hulio told the Washington Post, “We understand that in some circumstances our customers might misuse the system and, in some cases like we reported in [NSO’s] Transparency and Responsibility Report, we have shut down systems for customers who have misused the system.” It’s also worth noting that at least twenty-three iPhones were among the hacked devices. As the Washington Post explains, the incident demonstrates that sophisticated spyware like Pegasus can evade Apple’s well-regarded security protections, and once inside it can spy on nearly everything from phone calls to GPS data to social media, and can even activate cameras or microphones.
Ilia Kolochenko, founder of ImmuniWeb and a member of Europol Data Protection Experts Network, notes that attributing the deployment of NSO Group tools may not be as straightforward as it appears. He also notes that in some respects NSO Group at this point might think there's no such thing as bad publicity:
“Attack attribution in the reported cases is highly complex and unreliable. First, some legitimate end-customers could have shared the cyber warfare with their foreign partners in exchange for valuable data, 0day exploits or sophisticated spyware – this is a widespread practice. Security teams in charge of such data and intelligence sharing are not necessarily experts in human rights protection and may negligently or unknowingly share the software with some grey or even black-listed jurisdictions. Moreover, individual security analysts, employed by the trusted countries, may occasionally break internal rules and unlawfully share the cyber-warfare with unauthorized third parties, as anti-insider security controls have low technical efficiency in such environments. Finally, the legitimate end-customers could have been hacked and compromised, eventually exposing access to the software to unauthorized threat actors. In any case, legal action against NSO is likely futile, and the media hype around the alleged incident rather brings publicity to the NSO.”
Insurance software provider exposes medical data.
BackNine, a California-based provider of back-office insurance processing software, inadvertently exposed over 700,000 files stored in a misconfigured cloud server, TechCrunch reports. The compromised data, discovered by security researcher Bob Diachenko, includes insurance applications for big-name BackNine clients like AIG, TransAmerica, and Prudential containing highly sensitive personal medical information like lab results and diagnoses.
Roger Grimes, data driven defense evangelist at KnowBe4, thinks BackNine lucked out:
"BackNine was lucky it was a well-meaning researcher who found and reported the error. Of course, they can't be assured that someone else, less helpful, didn't also find and copy the data, and so they should report it as a data breach. Overly permissive Amazon AWS data buckets are among the most commonly found vulnerabilities for the last 5 years. It's as if even though it has been long-time computer security dogma to use least permissive permissions, that somehow that security vigilance hasn't translated to the cloud world so well yet. It's also not uncommon for vulnerable organizations to be non-responsive to people who point out vulnerabilities and not fix the problem until the media gets involved. BackNine needs to notify at-risk customers and give them free credit monitoring services, at the very least. These poor permission settings and being non-responsive are also very common. No company wants to do that. So, why are so many companies doing it? That's the better question. Why are so many companies setting overly permissive storage buckets? Perhaps Amazon needs to set defaults to no-permissions for every newly set up storage bucket and warn owners when they try to set what looks like overly permissive permissions. It could be that simply changing defaults or implementing a simple warning might decrease the instances of overly permissive storage buckets. And why did BackNine, along with hundreds of other previous companies, ignore vulnerability reports from independent third parties? It's easy to point fingers and point out problems. The better computer security defenders ask "Why" and see if they can see the "real problem" upstream. Kudos to the researcher that figures it out, because figuring it out once saves everyone else so we don't have to continue to see these same incidents year after year after year."
Eric Kron, security awareness advocate, also at KnowBe4, sees an object lesson in the risk of human error when securing data in the cloud:
“Unfortunately, this is another example of what is likely a human error when securing data on a cloud platform, resulting in the exposure of sensitive information for a considerable number of people. The organization's lack of response to a notification about the issue from a security researcher nearly a month ago, and the current lack of response to media inquiries is surprising. Organizations that handle hundreds of thousands of documents containing sensitive information, including this health-related data provided as part of the insurance application process, would be wise to take reports of this type of data exposure seriously and have a process by which to quickly respond and secure the data.
"In addition, regulations around the handling of data such as this typically require it to be encrypted; however, it appears that also was not the case. Had the data been encrypted, this would not have been a significant incident, as the sensitive information could not have been read, making the data useless to cybercriminals.
"While the data was discovered as being exposed on the internet, it does not mean cybercriminals have accessed the data; however, because it will likely be impossible to prove otherwise, it must be assumed to have been stolen. It is likely that the organization will face stiff penalties from regulators and likely lawsuits related to the mishandling of the data. Silence about the issue may further erode trust. Best practices would be to acknowledge the issue and be as transparent about what has happened as possible, even if they do not have all of the answers at this time.”
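The "overly permissive storage bucket" both commentators describe is usually visible in two places an owner can check before a researcher does: the bucket policy (an Allow statement whose Principal is everyone) and the S3 Block Public Access settings (the account- or bucket-level switch that refuses such policies in the first place). The following Python is an added example written for this briefing, not code from BackNine, TechCrunch or the researcher; the two bucket policies, the bucket name, the account id and the role name are all constructed, and the audit operates on policy documents already in hand (for example, the output of an S3 get_bucket_policy call) so it runs offline.

```python
import json

# Constructed sample bucket policy showing the defect described above: an Allow
# statement whose Principal is "*" with no Condition, so anyone on the internet
# can read every object. (Constructed; not any real organization's policy.)
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-insurance-files/*"
    }
  ]
}
""")

# Constructed hardened policy: read access is granted only to one IAM role
# (hypothetical account id and role name), and any request that is not sent
# over TLS is denied. The Deny to "*" is intentional and is not a finding.
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AppRoleRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/InsuranceAppRole"},
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-insurance-files/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-insurance-files",
                   "arn:aws:s3:::example-insurance-files/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")

# The four S3 Block Public Access settings (real setting names, as returned by
# get_public_access_block); a bucket holding medical records wants all four True.
PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")
WEAK_PUBLIC_ACCESS_BLOCK = {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS}      # constructed
HARDENED_PUBLIC_ACCESS_BLOCK = {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}   # constructed


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True for both spellings of 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def find_public_allow_statements(policy):
    """Return the Sids of Allow statements granting access to everyone with no
    Condition. Conditioned public grants still merit review but are not flagged
    here; Deny statements aimed at "*" are how TLS requirements are written."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def find_disabled_public_access_blocks(config):
    """Return the Block Public Access settings that are off or missing."""
    return [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not config.get(k, False)]


def audit_bucket(policy, public_access_block):
    """Combine both checks into one findings record for a bucket."""
    return {
        "public_allow_statements": find_public_allow_statements(policy),
        "disabled_public_access_blocks": find_disabled_public_access_blocks(public_access_block),
    }


if __name__ == "__main__":
    for name, pol, pab in (("weak", WEAK_POLICY, WEAK_PUBLIC_ACCESS_BLOCK),
                           ("hardened", HARDENED_POLICY, HARDENED_PUBLIC_ACCESS_BLOCK)):
        print(name, json.dumps(audit_bucket(pol, pab)))
```

Run against the weak pair, the audit names the public statement and all four disabled Block Public Access settings; against the hardened pair it returns empty lists. The Block Public Access settings are the feature that answers Grimes's question about defaults: with them on, a policy like WEAK_POLICY is rejected when it is applied rather than discovered months later by a third party.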
WooCommerce bug targeted on the heels of patch rollout.
A critical vulnerability detected in WordPress eCommerce plug-in WooCommerce has been targeted by threat actors just as a patch was released. ThreatPost explains that as soon as WooCommerce became aware of the SQL-injection bug, reported by researchers at Development Operations Security and HackerOne on July 13, it immediately created and released an emergency patch to users, and the attacks began on July 15. Pravin Madhani, CEO and Co-Founder, K2 Cyber Security, told SecurityWeek that the incident is a good reminder to users to frequently update WordPress programs, and noted that “SQLi vulnerabilities are part of the OWASP Top 10 Web Application Risks, and well known, so it’s a surprise these vulnerabilities aren’t discovered during application development.”
Pravin Madhani, CEO and Co-Founder of K2 Cyber Security:
“The discovery of a new SQL injection (SQLi) vulnerability in WooCommerce is a good reminder to check on the security and to update programs used with WordPress (in addition to checking on and updating WordPress itself). SQLi vulnerabilities are part of the OWASP Top 10 Web Application Risks, and well known, so it’s a surprise these vulnerabilities aren’t discovered during application development. This means it’s more important than ever to have runtime application security for WordPress and software that works with WordPress.
"Runtime application security provides protection for well-known problems like zero day attacks and the OWASP Top 10. Additional support indicating the importance of runtime application security came in late 2020, when NIST SP 800-53 was published. The revised security and privacy framework included two major updates that offer insights into how security pros can improve their application security. The new framework includes requirements for both runtime application self-protection (RASP) and interactive application security testing (IAST).”
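Madhani's point that SQL injection is well understood yet keeps slipping through development is easiest to see with the defect and its fix side by side. The following Python is an added example written for this briefing, not WooCommerce's code and not a description of the patched bug (whose details the briefing does not give): a lookup written by splicing a request value into the SQL text, beside the same lookup with a bound parameter, run over a constructed in-memory SQLite table with constructed request values.

```python
import sqlite3


def make_db():
    """In-memory table standing in for an order lookup; the rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders (customer, total) VALUES (?, ?)",
                     [("alice", 19.99), ("bob", 250.00), ("carol", 7.50)])
    return conn


def lookup_orders_vulnerable(conn, customer):
    """Defect: the request value becomes part of the SQL text, so any quote or
    keyword it contains changes the structure of the query."""
    sql = f"SELECT customer, total FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_orders_safe(conn, customer):
    """Fix: a bound parameter is passed to the driver separately and is only
    ever treated as a string value, never as SQL."""
    sql = "SELECT customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Constructed request values: an ordinary name, a legitimate name containing an
# apostrophe, and the tautology that the OWASP SQL injection page uses to explain
# the problem.
NORMAL = "bob"
APOSTROPHE = "O'Brien"
TAUTOLOGY = "x' OR '1'='1"


def demo():
    """Run both lookups over each value and collect what comes back."""
    conn = make_db()
    results = {
        "safe_normal": lookup_orders_safe(conn, NORMAL),
        "vuln_normal": lookup_orders_vulnerable(conn, NORMAL),
        # The safe lookup searches for a customer literally named "x' OR '1'='1"
        # and finds nothing; the vulnerable one returns every row in the table.
        "safe_tautology": lookup_orders_safe(conn, TAUTOLOGY),
        "vuln_tautology": lookup_orders_vulnerable(conn, TAUTOLOGY),
        # An apostrophe in real data is the benign symptom of the same defect:
        # the parameterized query handles it, the spliced query cannot even parse.
        "safe_apostrophe": lookup_orders_safe(conn, APOSTROPHE),
    }
    try:
        lookup_orders_vulnerable(conn, APOSTROPHE)
        results["vuln_apostrophe"] = "ok"
    except sqlite3.OperationalError as exc:
        results["vuln_apostrophe"] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The apostrophe case is the one that usually surfaces in development: a customer named O'Brien produces a syntax error in the spliced version, and that failure is the same flaw that the tautology turns into disclosure of every row. In WordPress plugin code the bound-parameter form is $wpdb->prepare(), and a review that flags every query built with string concatenation or interpolation catches this class of bug before a runtime protection layer has to.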
Ransomware group threatens to reveal targets’ criminal activities.
The Mespinoza cybergang is taking double-extortion ransomware to another level, ZDNet reports, by seeking out evidence of targets’ criminal activities to use as leverage. Mespinoza, a threat group so dangerous it motivated the US Federal Bureau of Investigation to issue warnings about its activities, compromises remote desktop protocol networks and then uses a backdoor to maintain persistent access, allowing them to scour the target’s system for incriminating data. "They search using sensitive terms such as illegal, fraud, and criminal. In other words, the actors are also interested in illegal activities known to the organisation that could provide extreme leverage should a negotiation start," stated Alex Hinchliffe of Unit 42 at Palo Alto Networks.