At a glance.
- ForcedEntry penetrates Apple’s BlastDoor.
- Ransomware at Olympus?
- Fitness tracker data compromised.
NSO Group's Pegasus found on an iOS device.
Israeli tech firm NSO Group’s Pegasus spyware is making headlines again, this time because researchers at Citizen Lab, the University of Toronto’s digital-rights research group, have disclosed evidence that the spyware infected the iPhone of a Saudi activist by exploiting a zero-day vulnerability reachable through Apple’s iMessage. As the New York Times reports, the case is particularly significant because the exploit used to infect the phone, dubbed “ForcedEntry,” was a zero-click attack: it required no action from the victim and showed the victim nothing, and once Pegasus was installed the operator could activate the device’s camera and microphone and read texts, emails, and calls, end-to-end encryption notwithstanding, because the spyware runs on the endpoint where that traffic is decrypted. Citizen Lab senior researcher John Scott-Railton explains, “This spyware can do everything an iPhone user can do on their device and more.” Furthermore, TechCrunch notes that ForcedEntry got past BlastDoor, the sandbox Apple introduced in iOS 14 to isolate the parsing of incoming iMessage content, by exploiting a flaw in Apple’s image rendering code that was present in every device running Apple’s then-current software.
When notified, Apple’s security team quickly released an emergency patch (iOS 14.8 and corresponding macOS and watchOS updates). All users are being urged to update their devices as soon as possible, though Ivan Krstić, head of Apple Security Engineering and Architecture, explained that ForcedEntry is likely not a threat to most users. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.” SecurityWeek notes that two patches were released simultaneously: a CoreGraphics fix attributed to Citizen Lab, which closes the image-rendering flaw ForcedEntry used, and a WebKit patch credited to an anonymous researcher.
This is just the latest development in the continuing saga of NSO’s controversial software offering, which Citizen Lab revealed last March to be connected to alleged government surveillance of activists, journalists, dissidents, and even minors, despite NSO’s insistence their products are only intended to track criminals. When asked for comment, an NSO spokesperson told the Wall Street Journal, “NSO Group will continue to provide intelligence and law enforcement agencies around the world with lifesaving technologies to fight terror and crime.”
Nick Tausek, Security Solutions Architect at Swimlane, explains that the significance of the spyware is that it requires no user interaction:
"This zero-day, zero-click vulnerability is significant because it requires no user interaction and impacts all versions of Apple's iOS, OSX, and watchOS. While the first inclination is to focus the impact to consumers, the much larger danger lies within companies whose employees are using their personal apple devices for work.
"Amid the pandemic, the adoption of bring you own device (BYOD) policies has exploded across industries. Even organizations that previously shied away from this type of program have been pushed to adopt it to better accommodate remote work.
"To prevent vulnerabilities such as this one from compromising employees and the organization’s sensitive data, companies should look to centralize and automate their current security threat detection, response and investigation protocols into a single platform. Automated detection and response workflows can help enterprises stop the otherwise hidden cross-pollination between personal device communications and access to sensitive corporate resources and information. By embracing comprehensive security automation, security teams can also free up time to keep up with the evolution of threat tactics, ultimately enhancing security preparedness.”
We also exchanged emails with Jerry Ray, COO of SecureAge, and Lisa Plaggemier, Interim Executive Director of the National Cyber Security Alliance (NCSA), who answered some questions about the incident:
Apple has said it intends to block spyware with iOS 15. We asked, what can be done in the meantime to secure devices against FORCEDENTRY?
"It appears that Apple’s latest security release of 14.8 will apparently protect iOS devices from FORCEDENTRY," Ray wrote in reply. "Downloading and installing that update manually, or relying on the automatic update feature if turned on should take care of it. As for blocking spyware between now and then, that’s a chore far beyond the skill level of virtually everyone. The complexity of the operating system and massive number of apps that can run on it create an indecipherable combination of code and functions that could be exploited in one way or another. It’s not enough to only install trusted apps from known vendors, as can been seen by FORCEDENTRY finding its way onto to Apple mobile devices through iMessages, Apple’s own app. Instead, users worried about their data and communications being compromised will have to be vigilant of what they use their iPhone or iPads for until Apple can tackle the security of the most common functions, such as data stores, chat pathways, cameras, and microphones, that spyware might use."
Plaggemier substantially agreed: "In terms of FORCEDENTRY, there is confidence that the newest security update will remediate the security flaws that have been uncovered. However, as far as blocking spyware, that will be a huge ask and likely a very ambitious one. iOS – and really any operating system – is vast and interconnected, meaning that it can be very difficult to make sure that everything is watertight against exploitation. That said, there are several precautions and best practices that consumers can take, the first of which is making sure they download this newest patch."
To our question, will Apple's iOS 15 fully remediate the issue, or are there things consumers should be aware of even after they've updated their devices? Ray replied with an initial, obvious caution: "It’s unlikely that iOS can prevent everything that could possibly be done to exploit its mobile devices for data exfiltration, especially where user actions could open doorways that Apple might never consider." He added, "We can all be optimistic, though. Among all mobile device vendors, Apple controls the entire ecosystem the most tightly, limiting what third party developers could do to exploit iPhones and iPads to spy on users. Regardless, users with concerns about device content being found should consider any data encryption option that might exist, as well as being selective about what they say, write, or store on their devices. But that is a very difficult ask, and one unlikely to be followed by even the most security conscious and disciplined consumers."
Plaggemier wrote, "There is no doubt that Apple’s team will be hard at work to try and make iOS 15 as secure as it can possibly be. That said, it is very tough to predict where loopholes may open up, especially when it comes to how people engage with their own devices. Apple is known for having a very close grip on its ecosystem, which, while it provides a certain peace of mind, as this breach shows, no ecosystem is entirely safe." She draws a lesson in self-reliance for users from this. "That is why it is so imperative that consumers take their cybersecurity into their own hands – such as by checking privacy settings, reporting suspicious activity and other measures – instead of relying on external parties to handle it alone."
And, finally, observing that Citizen Lab said the spyware was found on a Saudi dissident's device, we asked whether, to their knowledge, this particular exploit had been detected elsewhere.
The FORCEDENTRY exploit seems new, but, Ray said, "the actual spyware developed by the NSO Group that FORCEDENTRY allowed to be loaded on to the Saudi dissident’s device, Pegasus, has potentially been around since 2012. It’s been found in a number of other attacks where the phones of journalists and activists had been compromised, particularly since 2018. (Amnesty International's Security Lab has a detailed report on previous Pegasus-related compromises.)"
Plaggemier also noted NSO Group's track record with its intercept products, and doesn't find it reassuring. "Unfortunately," she wrote, "while the NSO Group – who created this spyware – say that their spyware is only used by licensed law enforcement groups against criminals, reports by The Guardian and many others that this spyware is being used against journalists and activists have certainly called NSO’s claims into question."
Other industry experts also sent us comments on the incident. Ryan Polk, Senior Policy Advisor with the Internet Society, regards the discovery as a cautionary tale about the risks of encryption backdoors. "The tools built to break encrypted communications inherently run the risk of falling into the wrong hands – placing all who rely on encryption in greater danger. Imagine a world where tools like Pegasus come built in every app or device – however, unlike now, companies have no option to remove them and all users are targeted." He sees end-to-end encryption as something that provides safety for all users, and especially for members of vulnerable communities.
Purandar Das, co-founder and chief security evangelist from Sotero, sees the incident as little more than a special case of criminal activity:
“It is rather ironic that operating system flaws and vulnerabilities are most often discovered by those with nefarious designs. In other ways it is to be expected in an increasingly digital world where lives and organizations are built around technology. In this particular instance, the hackers were likely well-funded by an organization that stood to make millions in profits. As we’ve come to discover, this pursuit of profits can often result in real-world harm to innocent people when greed overcomes good sense. What should be concerning is that these types of exploits and hacks are not limited to a small number of well-funded hackers. The money in the underground economy has reached levels where criminals are organizing at scale to capitalize on the unique opportunity. The days of just acknowledging that all software flaws and bugs are a way of life are done. Even the slightest vulnerability will be exploited.”
Ransomware at Olympus.
TechCrunch and others have reported that BlackMatter ransomware has hit tech company Olympus. Investigation of the attack, which Olympus says it detected on September 8th, remains in progress and the extent of any compromise remains unclear, but as with most current ransomware operations, which exfiltrate data before encrypting it in order to extort twice, data theft remains a possibility.
Danny Lopez, CEO of Glasswall, draws some familiar lessons about sound organizational policies and implementation of well-understood best practices:
"Reports of ransomware hitting technology companies is especially troubling, given the importance of the work being done by these types of organisations. While there is still speculation on the exact details of the attack, it is still worth underlining the importance of good security practice.
"Organisations need to adopt robust processes for onboarding and offboarding employees and affiliates that may receive access to key information systems. It's vital to control privileged access and to monitor those that enjoy that administrator privilege. Ensuring that multi-factor authentication is enforced wherever possible, is a vital defence where user credentials find their way into the public domain. This will help to limit the blast radius, and in most cases, defeat the data breach.
"Even if all procedures and policies are well executed, then there's no escaping the fact that adversaries are constantly looking to probe vulnerabilities and to insert malware into the environment, often using everyday business documents which we all use. It's vital that technology organisations invest in cyber protection services that stay ahead of attackers by eliminating the threats while still allowing employees to do their vital work.
"Attacks like these demonstrate that a traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers it is crucial to strengthen all processes relating to access verification. Without a zero trust approach organisations run the risk of attackers having a free reign across a network once they are inside.”
Alex Pezold, CEO of TokenEx, agrees, and stresses that one of those best practices should be a plan for recovery in the aftermath of an attack. "It is clear that ransomware attacks and other attempts to breach data stores are growing more frequent than ever, so every organization must have a plan for what data to protect, and how to build resilience into company systems so they can 'reboot,' if needed."
Olympus is by no means a technologically naive company. Indeed, it's a technological leader, and has been for years. Neil Jones, Cybersecurity Evangelist at Egnyte, points out that no organization should assume that it's immune from a successful ransomware attack:
"The recent cyberattack on technology giant Olympus represents a major wake-up call–no large global corporation should consider itself exempt from ransomware attacks. Senior executives and IT leaders should also be aware that no technological solution is 100% effective, but a large percentage of ransomware attacks can be prevented with diligent preparation.
"Unfortunately, even in technologically sophisticated organizations like Olympus, the methods and tools being employed don't meet the security and control needs to combat today’s threats. Security must be viewed as much more than a checklist. The best solutions fit in a broader sense of governance but still make it easy to share files with anyone, without compromising users' security and control.
"The reality is that all content and communications are vulnerable without proper data governance, and it’s imperative that organizations protect the data itself. This type of security incident occurs regularly, particularly to multinational companies that have a natural target on them because of their size and the mission-critical systems they use to communicate with thousands of global employees on a daily basis. If secure file collaboration tools with suspicious log-in capabilities are implemented correctly, they can render cybercriminal attacks ineffective. Used in a case like this where adversaries were able to infiltrate the network and impact business activities, the systems themselves would have been inaccessible to outsiders, and the company's valuable data would have remained protected."
Ralph Pisani, president of Exabeam, advises organizations to pay attention to signs of abnormal behavior in their networks, and to see where those signs fit into the common sequence of an attack:
"Ransomware remains a security Achilles heel. Understanding ‘normal’ versus ‘abnormal’ behavior sheds light on the presence of ransomware and its precursor problems, yet far too few organizations are able to see the canary in the coal mine.
"However, organizations that work to understand the cycle of compromise, taking the time to understand normal behavior, will uncover the ransomware as abnormal before it strikes. If organizations are serious about ransomware, they must up level their capability to manage intrusions; a leading method of adoption is user and entity behavior analytics (UEBA) to detect behavioral deviation and spot malicious activity at far earlier stages of an attack.
"Since ransomware is the product of earlier undetected intrusions, the window of opportunity for disruption and removal it out is small. Commodity security tools require too many static rules, generate far too many false positives, and do more harm than good. Organizations without advanced analytics will struggle getting ahead and are extremely vulnerable to the negative outcomes of ransomware.”
The US Department of Health and Human Services earlier this month released a useful overview of what's been learned about BlackMatter since the operation surfaced in July of this year. It covers connections between BlackMatter itself and its probable progenitor DarkSide. It also alludes to the gang's implausible (and cynical) claim to avoid targeting organizations (like hospitals) that serve the common good.
Unsecured GetHealth database found.
Researchers at Website Planet report finding an unsecured database containing more than 61 million records associated with the GetHealth fitness-data platform. The data, exposed by a misconfiguration that left the database reachable without authentication, included full names, dates of birth, gender, and height and weight, all in plain text, and the location data shows affected users from all over the world. Because GetHealth syncs data from many sources, records originating with leading health trackers and apps were included, among them Fitbit, Google Fit, MapMyFitness, Apple HealthKit, and Android Sensor. Erich Kron, Security Awareness Advocate at KnowBe4, told Solutions Review that the GPS data in particular could be attractive to threat actors seeking to track users’ travel patterns; his fuller comments appear below.
Troy Gill, Senior Manager of Threat Intelligence at Zix | AppRiver, would like organizations to understand that cybercriminals pick their targets on Willie-Suttonesque grounds: they go where the money is, and nowadays there's money in data. He wrote us to comment:
“Data has become the gold of the digital age, and we owe it to our customers and employees to ensure that it’s always protected. GetHealth’s exposure of potentially sensitive data left millions vulnerable, and although they responded quickly after the exposure was detected, it’s hard to tell who may have accessed the information while it was available.
"It was found that the database hadn’t been password-protected, which may not have been enough to stop a hacker itself in the first place. In addition to guarding information with passwords, organizations must follow a few best practices to keep information secured, such as regularly updating passwords, ensuring that passwords are not recycled among services, and adding an extra layer of security by adopting two-factor authentication.
"To avoid simple errors that could lead to attacks and data theft, organizations should also make it a habit to deploy regular security audits to identify vulnerabilities and other suspicious behavior, allowing them to ensure sensitive data is routinely being backed up."
Tim Erlin, VP of strategy at Tripwire, urges organizations to check for misconfiguration, which not only increases the consequence of a cyberattack, but also poses a compliance risk:
“Misconfigurations, such as a database without a password, allow attackers easy access to your systems or data. It’s the equivalent of leaving your door unlocked or window open. All organizations should regularly audit their systems for misconfigurations, especially those systems that are accessible to the Internet. Even if you’ve deployed systems with a secure configuration to start, a simple change can give attackers access.
"Misconfigured systems aren’t just at risk from attackers, but they often pose a compliance risk as well. Compliance audits can result in fines and other consequences that have a material impact on your business. It may be complex, but understanding which regulations apply to which parts of your environment is a foundational requirement for doing business in today’s data-driven, connected world.”
This particular breach didn't include all of the personally identifiable information that goes into the fullz so coveted by cybercriminals. There were, for example, no paycard numbers or Social Security numbers. But Erich Kron, the aforementioned security awareness advocate at KnowBe4, pointed out in emailed comments that even more innocent-looking data can be attractive to criminals, who can put the information they steal to malign use:
“This data breach, while seeming to be somewhat benign due to the lack of social security numbers or credit card info, actually contains a significant amount of information that could be useful for criminals. The fact that this information, which includes GPS logs of individuals, is the kind of information that will cause a collective groan of pain from executive protection teams and physical security practitioners alike. This information makes it much easier for bad actors to locate where people are living or staying, and can expose patterns of travel.
"Whenever an organization collects data on individuals, it is critically important that the processes are in place to ensure that information is not left unsecured. The data should also be encrypted to protect it from prying eyes in the event there is an issue.”
Josh Rickard, Security Solutions Architect at Swimlane, also cautions that the effects of this sort of exposure aren't necessarily easily or quickly remediated by simply fixing the misconfiguration:
"Platform misconfigurations, like those in the GetHealth database, can have long-standing and upsetting repercussions, even after exposed records have been restricted from public access. In this case, 61 million records containing personally identifiable information (PII)--such as names, birthdates, gender and personal health information--have been exposed to the public and violated victims’ privacy.
"Although data exposures such as the GetHealth exposure are becoming increasingly frequent, organizations can prevent similar situations and protect valuable human data by centralizing and automating their current security threat detection, response and investigation processes into a single platform. The implementation of a SOAR solution allows for real-time security automation to respond to incidents and execute the appropriate security-related tasks. With comprehensive security automation, the chance for human error is eliminated and customers remain protected."
Trevor Morgan, product manager with comforte AG, wrote to discuss the risks to organizations that collect, handle, and store data of this kind:
“People enjoy tracking their own progress, especially in fitness activities as they pursue and achieve their own fitness goals. Over the past 10 years, personal wearable devices have gone from collecting very basic metrics such as steps walked or heart rate to a highly sophisticated array of personal health data. The ‘quantified self’ movement not only gained traction but went from zero to 100 mph very quickly. Of course, this data ultimately winds up in repositories allowing us to analyze that information from many different angles and then perform historical comparisons as time goes on. That’s a lot of personal data about a highly sensitive topic—you—that most of us are hoping is kept wholly secure.
"The incident involving GetHealth reveals the dangers faced by organizations that harvest and store such data. Something as simple as a misconfiguration or, in this case, a missing password for an online database, can trigger data exposure affecting millions of people. Pure human error is behind a majority of data incidents, but how do you prevent humans from making errors like this? One way is to cultivate a better culture within the organization of data security and data privacy. Data security is not a check-box issue, something to tick off and move onto the next item of focus. Every person in an organization, from the CEO to the most junior intern, needs to have total commitment to keeping the organization’s most valuable asset—its data—safe, secure, and private, not only for the sake of the organization but for the data subjects whose information makes up all that information in the first place.
"Another way is to stop depending solely on traditional protection methods such as passwords, border security, and simple data access management. Data-centric security, which focuses on protecting the data itself, can go a long way toward eliminating the risk inherent in incidents such as this one. By tokenizing sensitive data elements, data is made incomprehensible and cannot be leveraged by the wrong person, and yet tokenization and format-preserving encryption can still retain data format so corporate workflows can still work with that data without modification to enterprise applications.
"At the end of the day, utilizing as many protection methods as possible is the right way to go. The alternative is an exercise in incident management and the accompanying negative fallout, and that’s the most punishing workout of all for any enterprise.”
And while we may not tend to think of fitness trackers as a kind of healthcare IT, as Stephan Chenette, Co-Founder & CTO of AttackIQ, writes, they're usefully framed that way:
“Cyberattacks are increasing against the healthcare sector, with breaches up over 150 percent in 2020 according to the U.S. Department of Health and Human Services. Organizations need to take a proactive approach to protecting their data. This should include mapping their security controls to specific attack scenarios, aligned to the MITRE ATT&CK framework, to measure an organization's cybersecurity readiness for the attacks that are sure to come. Organizations simply don't exercise their defenses enough. As the pandemic continues to impact our societies, healthcare organizations should evaluate their existing security controls to uncover gaps before an attacker finds them."