At a glance.
- Another iPhone spyware case.
- Ad-tracking on healthcare sites.
- Cookie banners and GDPR.
- Reactions to the News Corp data compromise.
- Puma suffers data loss through third-party service provider.
NSO rival QuaDream’s spyware allegedly used to hack iPhones.
Taking some of the attention away from NSO Group, a second surveillance software company has reportedly been exploiting an Apple bug to hack iPhones. Reuters reports that QuaDream, a smaller and lower-profile NSO competitor, was breaking into Apple devices without the user's knowledge using a zero-click exploit nearly identical to NSO's ForcedEntry, further undercutting the assumption, common in the industry, that iPhones are effectively airtight. Dave Aitel of cybersecurity firm Cordyceps Systems states, "People want to believe they're secure, and phone companies want you to believe they're secure. What we've learned is, they're not." Much like Pegasus, QuaDream's spyware, called REIGN, was sold to government clients. Richard Melick, director of product strategy at Zimperium, told the Hacker News, "The continuous revelations around the advanced spyware programs over the last year show the world just how much development is behind sophisticated mobile attacks. These attacks are not just one vulnerability and exploit; they encompass fully developed toolsets designed to deliver the most effective spyware for its customers coming from known and unknown organizations."
Ad tracking on health sites.
A recent study conducted by Duke University and the Light Collective, a patient privacy rights group, shows that health sites are tracking users’ activity without their knowledge, Wired reports. In the study, ten patient advocates active in Facebook groups for the cancer community downloaded and analyzed their data from the platform's “Off-Facebook Activity” tool and found that several genetic-testing and digital-medicine companies had shared customer information with the social media giant for ad targeting. For three of the five companies involved, the privacy policies did not disclose that this kind of cross-site tracking was taking place. Andrea Downing, a coauthor of the study and president of the Light Collective, adds, “And when we talked to some of these companies it really seemed like they just didn't fully understand the ad tech they were using. So this needs to be an awakening.” Downing and coauthor Eric Perakslis, chief science and digital officer at Duke University's Clinical Research Institute, explained that such ad ecosystems could produce broad, invasive profiles that detail users’ health status, interests, profession, device fingerprints, and location. The findings are especially concerning given that many of the health-related companies in the study aren’t covered by the Health Insurance Portability and Accountability Act (HIPAA) and therefore operate in a regulatory gray area.
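The study's point that site operators often did not know what their own ad tech was doing suggests the first check a practitioner would run: enumerate every third-party host a page pulls in, including loaders hidden in inline script rather than in a visible src attribute. The script below is an added example written for this digest, not code from the study or from Wired; it uses only the Python standard library, the page HTML is constructed for a hypothetical portal at example-health.com, and the list of ad-tech hosts is an illustrative starting set rather than a complete catalogue.

```python
"""Static audit of an HTML page for third-party resource loads.

Added example (not from the Duke/Light Collective study or the article).
Standard library only. SAMPLE_HTML is constructed for illustration, and
KNOWN_AD_TECH_HOSTS is an illustrative starting set, not a complete catalogue.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that commonly serve ad-tech pixels and tag loaders (illustrative, assumed list).
KNOWN_AD_TECH_HOSTS = {
    "connect.facebook.net",      # Meta Pixel script loader
    "www.facebook.com",          # Meta Pixel image beacon (/tr)
    "www.googletagmanager.com",  # tag-manager container, can pull in further trackers
    "www.google-analytics.com",
}

URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class ResourceCollector(HTMLParser):
    """Collect URLs the browser fetches on load, plus URLs buried in inline scripts."""

    FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []          # URLs from src/href attributes
        self.inline_urls = []   # absolute URLs found inside inline <script> text
        self.fbq_calls = 0      # Meta Pixel API calls (fbq(...)) in inline scripts
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        attr = self.FETCH_ATTRS.get(tag)
        if attr:
            value = dict(attrs).get(attr)
            if value:
                self.urls.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # A scan of src attributes alone misses loaders that create their script
        # element dynamically, so also pull absolute URLs out of inline script bodies.
        if self._in_script:
            self.inline_urls.extend(URL_RE.findall(data))
            self.fbq_calls += data.count("fbq(")


def is_first_party(host, site_host):
    """Relative URLs (host None) and the site's own subdomains count as first party."""
    return host is None or host == site_host or host.endswith("." + site_host)


def audit(html, site_host):
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    hosts = {urlparse(u).hostname for u in parser.urls + parser.inline_urls}
    third_party = {h for h in hosts if not is_first_party(h, site_host)}
    return {
        "third_party_hosts": sorted(third_party),
        "known_ad_tech": sorted(third_party & KNOWN_AD_TECH_HOSTS),
        "inline_pixel_calls": parser.fbq_calls,
    }


# Constructed page for a hypothetical patient portal at example-health.com.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-0000000"></script>
<script>
!function(f,b,e,v,n,t,s){/* loader body omitted in this constructed sample */}
 (window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
</head><body>
<img src="//cdn.example-health.com/logo.png">
<iframe src="https://scheduler.example-health.com/book"></iframe>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"></noscript>
</body></html>
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_HTML, "example-health.com").items():
        print(f"{key}: {value}")
```

Run against the constructed page, the audit reports three third-party hosts, all of them in the ad-tech set, and two inline pixel calls; the connect.facebook.net loader is found only because inline script bodies are scanned, which is the case a src-only scan would miss. A static scan is a starting point: resources added at runtime by a tag manager only show up in a browser's network log, so the practical follow-up is to load the page with developer tools open and compare.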
Belgium DPA rules against cookie banners.
A ruling issued this week by Belgium’s Data Protection Authority addresses a loophole in the EU’s General Data Protection Regulation (GDPR): cookie consent banners. Gizmodo explains that after the GDPR took effect, many sites began to rely on such banners to circumvent the new law. The ruling is the result of a years-long investigation into allegations that the practices of Interactive Advertising Bureau (IAB) Europe, whose consent framework underpins many of these banners, were in violation of the GDPR; having confirmed those claims, the DPA has hit IAB Europe with a $280,000 fine. IAB must also appoint a data protection officer, revamp its tech within two months, and delete any data collected by the illicit banners. The decision is bad news for IAB, which issued a statement last November expressing confidence that any issues found in the investigation would be fixable and that cookie banners were not in violation of data privacy laws.
Reactions to the News Corp compromise.
It's not the journalists they're coming for. The spies are generally interested in the journalists' sources, and that seems to have been the case in the News Corp incursion, which Mandiant attributes to actors with a China nexus. Infosecurity Magazine quotes News Corp's CTO on what Mandiant found when the firm was brought in to help with recovery and investigation: “Our preliminary analysis indicates that foreign government involvement may be associated with this activity, and that some data was taken. Mandiant assesses that those behind this activity have a China nexus and believes they are likely involved in espionage activities to collect intelligence to benefit China’s interests.”
Ric Longenecker, chief information security officer at Open Systems, thinks this incident ought to move the skeptical to pay attention to the periodic warnings CISA and other agencies issue about the threat of cyberespionage:
"China being suspected of the attack on News Corp serves as an example of what enterprises should be wary of with foreign tensions being high. Businesses and government agencies need to heed the recent warnings from the U.S. Department of Homeland Security and take proper precautions. It is of paramount importance that organizations execute mature, repeatable security missions to protect assets in real time, leveling up security posture for tomorrow. Even more important in a situation developing as quickly as this one is having a global team of security analysts who are monitoring for threats around the clock and ensuring a minimal attack surface."
Toby Lewis, Global Head of Threat Analysis at Darktrace, emphasizes that, in this sort of attack the target usually isn't the journalists, but rather their sources:
"Groups associated with the Chinese gov have long been accused of targeting journalists – often those that report on human rights. However, from my experience, when attacks against media corps are purely for espionage purposes, the real target is not the journalist but their in-country sources.
"News Corp have referred to this as a 'persistent' nation state attack – a term used in the industry to describe attacks where hackers have very specific objectives. Targets will be hit by low and slow attacks and if the attackers fail to gain access with one method, they will reattempt access until they are successful. The problem is the methods used by these groups are always changing. Traditional defenses that have been used by many media corporations, newspapers, online magazines and broadcasters for the last 20 years can only stop known attacks – attack techniques that have been seen before.
"The reality is that media corporations will be under constant attack from the most sophisticated attackers every minute of every day. Reliable and trustworthy sources of media and information are essential and that is why we have seen an uptick in media organizations partnering with artificial intelligence to defend journalists and critical systems. The urgent challenge to be tackled is how to spot, and stop novel attacks quickly before sensitive data gets into the wrong hands and before normal business operations are disrupted."
Attackers run away with Puma employee data.
Sportswear maker Puma has disclosed that the recent ransomware attack on Kronos, one of its North American workforce management service providers, resulted in a breach of Puma employee data, Bleeping Computer reports. The breach notification confirms that, before encrypting Kronos’ systems, the attackers exfiltrated Puma employee and dependent data from the Kronos Private Cloud (KPC) environment, which hosts Workforce Central, Workforce TeleStaff, Enterprise Archive, TeleTime IP, Extensions for Healthcare (EHC), and FMSI environments. Though the notification does not explicitly state how many employees were affected, according to the Office of the Maine Attorney General the data of 6,632 individuals was accessed. SecurityWeek quotes the disclosure Kronos issued: “Regrettably, this letter is to inform you that we were recently the victim of a ransomware attack that involved some of your personal information, which was provided to us in connection with the services we provide to PUMA.”
Troy Gill, Senior Manager of Threat Intelligence at Zix | AppRiver, wrote to caution that the risk of this sort of identity theft is particularly acute during tax season, and to offer some suggestions on how to mitigate that risk:
“Ransomware is a costly and destructive threat to organizations, and with the increasing rate of ransomware attacks organizations need to be prepared. This ransomware attack affected Puma, which uses Kronos, a workforce management provider that suffered a ransomware attack in December 2021 that resulted in over 6,000 of Puma’s employees and their dependents having their personal information stolen and possibly sold online. The Kronos attack also previously affected the payroll of several other companies, including FedEx and Whole Foods.
"With tax season upon us, this breach could present an added risk for those affected to fall victim to identity thieves filing fraudulent tax returns. Everyone should be cautious of falling victim to such activity, but especially those whose data has recently fallen into the wrong hands.
"This is also a great reminder for organizations to examine their security solutions and evaluate their current authentication practices to ensure they are building the safest habits to protect themselves and sensitive data that they store from bad actors. It is critical that authentication controls are not only in place, but that organizations take it a step further by deploying two-factor authentication (2FA). Implementing 2FA provides an extra layer of security by making users confirm their identity, most often via a unique code sent to the user's phone, email address or through an authenticator app, after entering their username and password. It’s getting easier for cybercriminals to breach even the most complex password, which is why implementing 2FA is critical.
"To avoid simple errors that could lead to attacks and data theft, organizations should also make it a habit to deploy regular security audits to identify vulnerabilities and other suspicious behavior. Additionally, organizations should routinely back up sensitive data in alternate locations to ensure the company can return to business quickly in the event of a cyberattack.”