At a glance.
- Further developments in the Pegasus case.
- Safari bug threatens user privacy.
- Data breach reported at Goodwill.
- Europol takes down VPNLab.
Further evidence of Pegasus spyware hacks.
More instances of the abuse of NSO Group’s Pegasus surveillance software continue to roll in. ICIJ reports that nearly two dozen staffers of El Salvadoran news outlet El Faro were targeted with the spyware over two hundred times between July 2020 and November 2021. Unsurprisingly, the journalists’ devices were hacked around the same times they were investigating government actions. An editorial printed in El Faro pinned the bugging on El Salvadoran President Nayib Bukele’s administration: “We understand that our journalism has put us on a collision course with a president who has managed to gain control — in some cases, illegally — of all of the state institutions, who has destroyed every avenue for citizens to demand public information, and who dismisses any truth other than his own and any reality that differs from that which proclaims him the sole interpreter of national history.” A Bukele spokesperson denied the claims, stating that the government is not a client of NSO Group and is currently investigating the hacks.
The Record by Recorded Future reports that Pegasus was also used to spy on women human rights defenders in the Middle East. Front Line Defenders’s Digital Protection program found the spyware on the devices of Jordanian human rights lawyer Hala Ahed Deeb and Ebtisam al-Saegh of SALAM for Democracy and Human Rights in Bahrain. Deeb, whose device had been compromised since March 2021, expressed her worries about how the hackers might use the data they’d obtained. “Will it be a way to threaten others through what has been collected from my phone? Will it be used to blackmail me? Will my information be shared with other parties? Will legal cases be framed against me or leak my information or photos?”
In Poland, a Senate commission has begun its investigation into the December discovery that devices belonging to government critics had been hacked, the Independent reports. Senior researchers from Citizen Lab, comparing the actions to tactics used by the Kremlin against Russian government critics, testified that they had found Pegasus was used to hack into the phone of Polish senator Krzysztof Brejza while he was running the opposition's parliamentary election campaign. The Jerusalem Post adds that the researchers found evidence of additional hacking victims, including Ewa Wrzosek, a prosecutor who criticized the government's judicial reforms, and Roman Giertych, a lawyer who has represented government opponents.
IndexedDB API bug could allow spying on web activity.
Browser fingerprinting firm FingerprintJS has detected a vulnerability in Apple's implementation of the IndexedDB API in Safari 15 that could allow a hacker to track the user's web activity. SecurityWeek explains that IndexedDB is a low-level browser API that follows the same-origin policy, which restricts interaction between resources of different origins, so that a script running on one origin should not be able to interact with databases belonging to another. However, the bug causes the IndexedDB API in Safari 15 on macOS, and in the browsers running on iOS and iPadOS 15 devices, to violate the same-origin policy, creating "cross-origin-duplicated databases" that allow arbitrary websites to detect what other sites the user is accessing in other tabs or windows. FingerprintJS explains, "Not only does this imply that untrusted or malicious websites can learn a user's identity, but it also allows the linking together of multiple separate accounts used by the same user." NDTV Gadgets 360 says that to protect themselves, Safari, iOS, and iPadOS users could block JavaScript on all untrusted sites, but given that this is a very drastic measure, FingerprintJS suggests the best option would be for users to update their browser or OS once Apple releases a fix.
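As an added example (not code from the original article, FingerprintJS, or Apple), the following JavaScript gives a site operator two defensive checks around the leak described above. The first compares the database names a browser reports for the current origin against the names the site itself creates: anything else must have come from another origin, which indicates the browser is affected. The second flags database names that embed something that looks like an account identifier, since a leaked name then also leaks the identity behind it; the patterns used for that, and the sample database names, are this example's own constructed assumptions. `indexedDB.databases()` is the real (Safari 14+, Chrome 71+) enumeration API; when run under Node.js, where it does not exist, the browser check reports the API as unavailable.

```javascript
// Added example, not from the original article, FingerprintJS or Apple.
// Defensive checks around the Safari 15 IndexedDB same-origin leak:
//  1. foreignDatabaseNames(): names reported for this origin that this
//     origin never created, i.e. a leak indicator.
//  2. identifyingDatabaseNames(): names that embed what looks like an
//     account identifier (assumption: long digit runs, email-like strings
//     or long hex tokens; the patterns are this example's own).
// runBrowserCheck() wires both to the real indexedDB.databases() API when
// run in a browser; under Node.js it reports the API as unavailable.

// Constructed sample: the databases this site legitimately creates.
const OWN_DATABASES = new Set(["app-cache", "session-store"]);

// Any reported name outside the site's own set came from another origin.
function foreignDatabaseNames(reportedNames, ownNames = OWN_DATABASES) {
  return reportedNames.filter((name) => !ownNames.has(name));
}

// Heuristics for names that would reveal an identity if leaked (assumed).
const IDENTIFIER_PATTERNS = [
  /\d{8,}/,                    // long numeric id, e.g. an account number
  /[^\s@]+@[^\s@]+\.[^\s@]+/,  // email-like
  /[0-9a-f]{32,}/i,            // long hex token, e.g. a stable hashed user id
];

// Mitigation aid for site owners: database names should carry no per-user
// identifier, so that even a leaked name cannot be linked to an account.
function identifyingDatabaseNames(names) {
  return names.filter((name) => IDENTIFIER_PATTERNS.some((re) => re.test(name)));
}

// Browser entry point: enumerate the current origin's databases and run
// both checks. Returns { supported: false, ... } where the API is missing.
async function runBrowserCheck(ownNames = OWN_DATABASES) {
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    return { supported: false, foreign: [], identifying: [] };
  }
  const reported = (await indexedDB.databases())
    .map((db) => db.name)
    .filter((name) => typeof name === "string" && name.length > 0);
  return {
    supported: true,
    foreign: foreignDatabaseNames(reported, ownNames),
    identifying: identifyingDatabaseNames(reported),
  };
}

// Constructed sample of what an affected browser might report for this
// origin: two of our own databases plus two that leaked from elsewhere.
const SAMPLE_REPORT = [
  "app-cache",
  "session-store",
  "other-site-store",
  "user-123456789012",
];

// Stand-alone demonstration on the constructed sample.
console.log("foreign:", foreignDatabaseNames(SAMPLE_REPORT));
console.log("identifying:", identifyingDatabaseNames(SAMPLE_REPORT));
```

Pasting the block into a page's script and calling `runBrowserCheck()` on a browser known to be clean should return an empty `foreign` list; a non-empty list on an unpatched Safari 15 is the signal the page above describes. The `identifying` check is the site-side mitigation: it is independent of the browser bug and worth keeping even after Apple's fix, because database names are not secret by design.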
No good deed goes unpunished.
American nonprofit Goodwill has disclosed that its ShopGoodwill.com e-commerce platform experienced a cybersecurity breach that potentially compromised user data. SecurityWeek reports that the company is notifying users that an “unauthorized third party” exploited a site vulnerability in order to access buyer contact information. Fortunately no payment card information was compromised, as that data is not stored on the site. The vulnerability has been addressed, and the site is currently down “for maintenance,” though it’s unclear if the breach is to blame.
Europol takes down VPNLab.net.
Yesterday, Europol reports, an international law enforcement effort took down fifteen servers belonging to VPNLab, a provider that offered "shielded communications" to cybercriminals, who used those services to commit data theft and ransomware attacks. No arrests were reported, but infrastructure was disabled in Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States, and the United Kingdom. It's an interesting and encouraging international cooperative enforcement action. Europol lists the following partners as having participated; it's an impressive list:
- Germany: Hanover Police Department (Polizeidirektion Hannover) - Central Criminal Office and Verden Public Prosecutor's Office
- Netherlands: The Dutch National Hi-Tech Crime Unit
- Canada: Royal Canadian Mounted Police, Federal Policing
- Czech Republic: Cyber Crime Section – NOCA (National Organized Crime Agency)
- France: Sous-Direction de la Lutte Contre la Cybercriminalité à la Direction Centrale de la Police Judiciaire (SDLC-DCPJ)
- Hungary: RSSPS National Bureau of Investigation Cybercrime Department
- Latvia: State Police of Latvia (Valsts Policija) - Central Criminal Police Department
- Ukraine: National Police of Ukraine (Національна поліція України) - Cyberpolice Department
- United Kingdom: The National Crime Agency
- United States: Federal Bureau of Investigation
- Eurojust
- Europol: European Cybercrime Centre (EC3)
We received several comments on the takedown. Neil Jones, Cybersecurity Evangelist at Egnyte, applauded the action:
“It is a breath of fresh air to see that international law enforcement is focusing their efforts on technology providers that offer cyber-attack-friendly environments and make it easy for Ransomware as a Service (RaaS) providers to perpetrate potential attacks. It is also a positive sign to see that the VPNLab operation spanned multiple European and North American countries, because it is extremely easy for a cyber-crime enterprise to wind down its operations in one country, only to reemerge in another country. In this particular case, dozens of companies may have thwarted cyber-attacks. However, all organizations need to take the following steps to prevent potential ransomware attacks:
“1) Provide security awareness training to end-users, especially about the danger of phishing messages.
“2) Always utilize Multi-Factor Authentication (MFA).
“3) Restrict users' file access, based on their ‘Business Need to Know.’
“4) Evaluate ransomware detection technology.
“Most importantly, if a technology solution has a price that's too good to be true, evaluate it carefully before putting it into production at your organization.”
Steve Moore, Exabeam's chief security strategist, was also gratified to see the success of complex and difficult-to-coordinate enforcement action:
“Twelve international organizations were involved in this specific action, and it took 60 meetings to pull off.
“While we don’t know, it’s possible this VPN platform was used in recent attacks beyond ransomware. In parallel, the FSB claims they have arrested several members of the REvil ransomware gang: 25 homes owned by 14 members in several Russian cities.
“What does this mean for the corporate defender? You might have felt alone for many years, and you probably still do — however, relationships matter more than ever. Major attacks require the engagement of law enforcement by defenders. Security teams need to educate their leadership on what this means, specifically as it affects the response timeline. Waiting for a more extensive and timed global action can mean a greater good — in short, patience.”
And Adir Gruss, Field CTO at Laminar, sees "valiant" police work, but laments signs of a poor sense of "data accountability" on the part of the organizations who've seen the data they hold plucked by VPNLab's criminal customers:
“The data breach culture we have seen emerge over the past few years is going to continue to permeate and plague IT organizations if we do not take a moment to reflect on what is causing these cyberattacks. Europol shutting down VPNLab to prevent cybercriminals from masking their access to important data is a valiant effort, but enterprises also have to have a sense of data accountability. Do you know where your sensitive data is in the cloud? After all, how can you protect what you can’t see?
“The biggest challenge impeding data security teams today is that, as more and more organizations move toward the cloud, they have lost track of where sensitive data resides. You simply cannot protect what you don’t know about. In order to protect against a majority of today’s cyberattacks, IT teams must prioritize visibility into cloud data, including supply chain access. With that knowledge, data protection teams can move from gatekeepers to enablers.”