At a glance.
- Update on Israeli police use of NSO Group's Pegasus intercept tool.
- Lessons learned from the Pegasus scandals.
- Developments in the breach at the International Red Cross.
- Site impersonation used in US Department of Labor phishing campaign.
- Limitations of two-factor authentication.
Update on Israeli police use of Pegasus spyware.
As we noted earlier this week, an Israeli news outlet has alleged that Israeli police used Pegasus surveillance software to spy on citizens, many of whom were not connected to any criminal activity. CTECH reports that targets included a former mayor, opponents of former Prime Minister Benjamin Netanyahu, and former government employees. In one case, the Times of Israel recounts, the police’s clandestine Sigint unit hacked the phone of a protest activist and used details found in his Grindr dating app account as leverage in interrogation. The Washington Post notes that State Comptroller Matanyahu Engelman is conducting an investigation into the allegations. “Technology provides evidence in criminal proceedings and raises questions around the balance between their usefulness and the violation of the right to privacy and other freedoms,” Engelman stated.
NPR adds that the Association for Civil Rights in Israel has penned a letter to Attorney General Avichai Mandelblit asking that use of Pegasus be stopped immediately and that any cases involving evidence obtained through the software be reopened. The police have neither explicitly confirmed nor denied the use of Pegasus, but stated that all law enforcement investigations have been conducted in accordance with Israeli law. Al Jazeera reports that Israel Police Commissioner Kobi Shabtai has pledged to investigate, and the Jerusalem Post says he implied that if any misdeeds had been committed, they must have preceded his term. “If we discover individual cases when regulations were violated, the police under my command will work to fix the situation with transparency and in cooperation with all relevant authorities,” Shabtai stated.
Lessons learned from the Pegasus scandals.
As we’ve seen, the abuse of NSO Group’s Pegasus spyware has rocked the world of data privacy, and Brookings offers a breakdown of what human rights policymakers, researchers, and activists can learn from the scandal. The US Department of Commerce’s decision to add NSO to its sanctions blacklist (which caused the CEO to step down and, some say, will bring about the downfall of the company) demonstrates that the most effective measures to penalize illicit cyber activity can often come from a non-cyber agency. The saga also shows how important public attribution can be. In the past, the very nature of surveillance software made attribution difficult, but in recent years the malware analysis industry has developed tools that are increasingly capable of tracing malware back to its source. Furthermore, the incident makes it clear that mandated reporting can be a powerful tool in sussing out malfeasance and ensuring that a coordinated response can be executed.
New developments in Red Cross data breach.
As we noted yesterday, the International Committee of the Red Cross (ICRC) suffered a third-party data breach that resulted in the theft of the data of over 515,000 “highly vulnerable” individuals. Although ICRC declined to release the name of the third party that was hacked, ICRC’s media and editorial manager Crystal Wells told GovInfoSecurity, "The external supplier is hosting our servers. We manage the data and applications on these servers. This was a targeted attack on our servers, which are being hosted by our partner." She also gave details about the timeline of the attack, stating that the first breach occurred in early November. The login credentials of about 2,000 Red Cross and Red Crescent staff and volunteers were compromised, in addition to the data of the victims originally noted, which include the families of missing people, unaccompanied or separated children, and detainees.
The Stack notes the attack has forced the organization to shut down its data-hosting systems, resulting in the temporary closure of a Red Cross program dedicated to reuniting family members separated by conflict, disaster, or migration. There’s no sign yet that the hackers have published the data, and the Red Cross is pleading with them not to do so. Robert Mardini, ICRC’s director-general stated, “While we don’t know who is responsible for this attack, or why they carried it out, we do have this appeal to make to them: your actions could potentially cause yet more harm and pain to those who have already endured untold suffering.”
It’s an unusually cruel attack, even by the low, heedless, and grasping standards of the cyber underworld. Trevor Morgan, product manager with comforte AG, agrees, writing in an email:
“From time to time, a cyber-attack demonstrates the utter lack of compassion that hackers possess. Reports of a sophisticated attack targeting the International Committee of the Red Cross (ICRC)—a global humanitarian organization providing much-needed assistance to the victims of conflict and violence—make a compassionate person recoil at a flagrant instance of kicking people when they’re already down and out.
"Of course, the third-party business which stores the ICRC’s data bears responsibility for adequately storing and protecting sensitive information, so we can only hope that the personal data of those who are already suffering cannot or will not be leveraged by the guilty threat actors.
"Data-centric security in the form of strong encryption, tokenization, and format-preserving encryption can ensure that even in situations like this one, threat actors can’t profit from the information they steal, even if they are able to get their hands directly on it, by obfuscating the true meaning of sensitive data elements. It’s unclear at this point whether this level of data protection guards the information of the over 500K victim data subjects involved in this attack (though we should be skeptical given the appeal not to share any sensitive information), but our best wishes go with them and the ICRC nonetheless.”
Demi Ben-Ari, CTO and Co-Founder of Panorays, says that innocence and vulnerability won't get you anywhere with the criminals:
“Unfortunately, the recent data breach to the International Committee of the Red Cross shows that nobody is immune to third-party cyberattacks—not even humanitarian groups that assist the world’s most fragile populations. The sad reality is that malicious actors will stop at nothing to steal people’s private information, and often the easiest way to access that data is through less secure third parties. To help prevent such cyber incidents, every organization must make it a priority to implement a comprehensive third-party security risk process. This should include, at a minimum, a combination of automated security questionnaires, external attack surface assessments, and continuous monitoring to check and remediate third-party cyber gaps.”
Tim Erlin, VP of strategy at Tripwire, hopes the attackers will belatedly grow a conscience.
“I sincerely hope that the ICRC was a target of opportunity and the attacker makes the compassionate choice to simply delete the personal data for these vulnerable people that they’ve taken. If you think you’re not a target because you’re a non-profit or because of your beneficial mission, think again. Cybersecurity is a completely horizontal problem that impacts all organizations.”
Randy Watkins, Chief Technology Officer at CRITICALSTART, points out that for whatever reason, strikes against humanitarian organizations like the Red Cross have been relatively unusual:
“Historically, humanitarian organizations aren’t targets of these types of attacks, which makes this scenario unique. It again proves that attackers have no boundaries and all organizations, regardless of cause, need to adopt enterprise security controls and create a security posture that is resilient to attack if they hope to continue their mission.
"The typical motives of attacks related to stolen data include sale of information and identities. This particular attack is more severe because of the international impact it has, broadening the scope of the attacker, their motive and the potential use of the data. Due to the nature of stolen data in this attack, it could be used to target potentially vulnerable individuals fleeing geopolitical conditions and therefore nation state sponsored attackers should not be ruled out. The compromised data could also be used to capture families of political dissidents, extort families attempting to find a loved one or just prevent aid to a particular country or group of people being aided by the International Committee of the Red Cross.”
US Department of Labor impersonation.
A phishing campaign is impersonating the US Department of Labor (DOL) with phony requests for proposal (RFPs), according to researchers at INKY. The phishing emails contain a PDF with instructions for how to bid on DOL contracts, along with a link to a site that looks official but is in fact a malicious, credential-harvesting site. The attackers used at least twelve different phishing sites, all of which resemble the DOL’s real website. A visitor to one of the bogus sites is asked to log in using their Microsoft Office 365 account or “any other business email related domain.” After a victim enters their credentials, they’ll be told that their password is incorrect. If they reenter their password, they’ll be redirected to DOL’s legitimate website. “In a classic ‘blow-off,’ when our engineer made a second attempt at entering fake credentials, they were redirected to the real DoL site,” INKY says. “This nuanced touch, borrowed from con artistry that well predates the digital era, is designed to confuse the victim and delay the moment when they realize that they were taken.”
Geoff Bibby, Senior Vice President at Zix | AppRiver, points out that attacks like these are instances of living-off-the-land phishing.
"[This] occurs when cybercriminals abuse otherwise legitimate services to “blend in with the crowd” and mask the true nature of their message. The level of detail used in this case made the email and site very believable because of their use of legitimate mail servers to send their phishing lures. The breach left behind very little evidence and even redirected to the actual DoL website after stealing credentials, making it even less noticeable to the user.
"The Zix threat research team has seen a huge uptick in this type of phishing attack over the past few years. We saw something similar to this in December 2021 when threat actors customized phishing campaigns and masked their bad intentions as urgent Pfizer vaccine-related information. Many threat actors are experts in social engineering and have been known to launch these types of LotL phishing attacks from compromised accounts so that the sender is an actual contact of the recipient.
"Organizations should implement multi-factor authentication, which provides an extra layer of security for authenticating users. Organizations should also limit authorized use of third-party services when possible, as this will help reduce the attack surface that criminals constantly work to exploit. Organizations should use end-to-end email encryption for any message containing confidential or personally identifiable information and ensure their email security solution is capable of dynamically analyzing email attachments and URLs. If there is any suspicion about a message or transaction, it never hurts to call the sender. Most will be glad of your security protocols in place to help prevent fraud. In addition to utilizing outside security services, organizations need to educate employees on security best practices to help maintain the integrity of the organization including encouraging employees to flag suspicious messages and attachments received via email.”
But two-factor authentication isn't, of course, a panacea.
Yesterday Crypto.com acknowledged losing $34.65 million, which it held variously in cash, Bitcoin and Ethereum, to attackers who were able to move funds past two-factor authentication. Threatpost says the platform revoked its old two-factor authentication tokens and moved to a new two-factor authentication system, which is itself a way station en route to a future system Crypto.com characterizes as "true multi-factor authentication." One noteworthy enhancement, in effect immediately, is a waiting period. Henceforth there will be a twenty-four-hour delay between the registration of a whitelisted withdrawal address and the first transfer to that address.
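The cooling-off control described above, written out as an added illustration that is not Crypto.com's own code: a per-account withdrawal allowlist that records when each address was registered and refuses transfers until twenty-four hours have passed, so that an attacker who gets past the second factor and adds a fresh address cannot drain the account in the same session. The address strings, timestamps and the `WithdrawalAllowlist` API are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Waiting period between registering a withdrawal address and the first transfer to it.
COOLING_OFF = timedelta(hours=24)

# Constructed reference time for the walk-through below.
T0 = datetime(2022, 1, 17, 12, 0, tzinfo=timezone.utc)


@dataclass
class WithdrawalAllowlist:
    """Per-account allowlist: address -> UTC time it was registered."""
    registered: dict[str, datetime] = field(default_factory=dict)

    def register(self, address: str, now: datetime) -> None:
        # Re-registering an existing address must not restart or shorten its wait.
        self.registered.setdefault(address, now)

    def remove(self, address: str) -> None:
        # The account owner, alerted to an unexpected new address, can revoke it during the wait.
        self.registered.pop(address, None)

    def can_withdraw(self, address: str, now: datetime) -> tuple[bool, str]:
        """Return (allowed, reason). Unknown addresses and addresses still cooling off are refused."""
        registered_at = self.registered.get(address)
        if registered_at is None:
            return False, "address not on allowlist"
        remaining = registered_at + COOLING_OFF - now
        if remaining > timedelta(0):
            return False, f"cooling-off period: {remaining} remaining"
        return True, "ok"


def scenario() -> list[tuple[bool, str]]:
    """Constructed walk-through: a hijacked session adds an attacker address and tries to withdraw."""
    attacker_addr = "bc1q-attacker-controlled-address-constructed"
    allow = WithdrawalAllowlist()
    allow.register(attacker_addr, T0)
    results = [
        allow.can_withdraw(attacker_addr, T0 + timedelta(minutes=5)),   # refused: still cooling off
        allow.can_withdraw(attacker_addr, T0 + timedelta(hours=24)),    # would be allowed if left in place
    ]
    # The owner, notified of the pending address during the wait, removes it before it goes live.
    allow.remove(attacker_addr)
    results.append(allow.can_withdraw(attacker_addr, T0 + timedelta(hours=24)))  # refused again
    return results
```

The delay only helps if the account owner is told about the pending address through a channel the attacker does not control; the `remove` step in the walk-through stands in for that notification-and-revoke path.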
Neil Jones, Cybersecurity Evangelist at Egnyte, wrote to offer a familiar but nonetheless worth-repeating insight into criminal practice:
"Infamous bank robber Willie Sutton is frequently quoted as saying, 'I rob banks, because that's where the money is.' In 2022, the technical environment has evolved to, 'I rob cryptocurrency exchanges, because that's where the money is.' I'm actually more surprised by the number of users who had their money pilfered, nearly 500 according to published reports, rather than the $30 million+ that was stolen. Major lessons from this security breach include the following:
- "The importance of an effective Two-Factor authentication solution that prompts end-users for additional verification when large transactions occur unexpectedly.
- "The need for a current and road-tested incident response plan.
- "The requirement for end-users to be notified promptly and accurately when cyberattacks take place, to help protect brand reputation. Companies should keep posted for developments in this space, as this likely isn't the last breach you'll see in the cryptocurrency markets."