At a glance.
- Zero-click iOS exploit used by Pegasus spyware.
- Malicious version of Cobalt Strike for Linux.
- A look at the ransomware industry.
- OT vulnerabilities on the rise.
Zero-click iOS exploit used by Pegasus spyware.
Researchers at the University of Toronto's Citizen Lab discovered a zero-day, zero-click exploit against iOS used by NSO Group's Pegasus spyware. The exploit, dubbed "FORCEDENTRY," uses a vulnerability (CVE-2021-30860) in Apple's image rendering library. The researchers disclosed the flaw to Apple, and the company issued a patch yesterday. The vulnerability's description states, "An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution."
Citizen Lab states, "In March 2021, we examined the phone of a Saudi activist who has chosen to remain anonymous, and determined that they had been hacked with NSO Group’s Pegasus spyware. During the course of the analysis we obtained an iTunes backup of the device. Recent re-analysis of the backup yielded several files with the '.gif' extension in Library/SMS/Attachments that we determined were sent to the phone immediately before it was hacked with NSO Group’s Pegasus spyware."
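The two details above (the patched bug is triggered by processing a PDF, and the suspicious attachments carried a ".gif" extension) suggest a simple triage check a responder can run over an extracted backup: compare each attachment's extension with the file type its leading bytes actually declare. The script below is an added illustration, not Citizen Lab's tooling or Apple's code; the magic-byte table, the directory layout, the sample files and the inference that a content/extension mismatch is the signal to look for are all assumptions made here for the example.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Constructed, deliberately short signature table (assumption: enough for the
# example, not an exhaustive file-type database).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}


def sniff_type(header: bytes) -> Optional[str]:
    """Return the type implied by the first bytes, or None if unrecognised."""
    for kind, signatures in MAGIC.items():
        if any(header.startswith(sig) for sig in signatures):
            return kind
    return None


def claimed_type(path: Path) -> Optional[str]:
    """Return the type the file extension claims (normalising jpeg -> jpg)."""
    ext = path.suffix.lower().lstrip(".")
    return {"jpeg": "jpg"}.get(ext, ext) or None


def scan_attachments(root: Path) -> List[Dict[str, str]]:
    """Walk an extracted backup and report files whose extension does not
    match the type declared by their magic bytes. Only extensions present in
    MAGIC are judged; anything else is skipped rather than guessed at."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            header = fh.read(16)
        claimed = claimed_type(path)
        actual = sniff_type(header)
        if claimed in MAGIC and actual != claimed:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "claimed": claimed,
                "actual": actual or "unknown",
            })
    return findings


def build_sample_backup() -> Path:
    """Construct a throwaway directory shaped like Library/SMS/Attachments
    (sample data made up for this example)."""
    root = Path(tempfile.mkdtemp(prefix="sms_attachments_"))
    att = root / "Library" / "SMS" / "Attachments" / "ab"
    att.mkdir(parents=True)
    (att / "cat.gif").write_bytes(b"GIF89a" + b"\x00" * 32)        # genuine GIF
    (att / "invoice.gif").write_bytes(b"%PDF-1.7\n%constructed")   # PDF named .gif
    (att / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # genuine JPEG
    (att / "blob.gif").write_bytes(b"\x00\x01\x02\x03")            # unknown bytes
    return root


if __name__ == "__main__":
    for finding in scan_attachments(build_sample_backup()):
        print(f"{finding['path']}: claims {finding['claimed']}, "
              f"content looks like {finding['actual']}")
```

On a real backup, point `scan_attachments` at the extracted root; the check is intentionally conservative (unknown extensions are not judged), so a hit means only that the extension and content disagree, which is a triage lead to examine further, not by itself proof of compromise.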
Malicious version of Cobalt Strike for Linux.
Intezer has discovered a malicious "re-implementation of Cobalt Strike Beacon written from scratch" for both Linux and Windows. It's not clear who's behind the tool, but the researchers note that the malware is sophisticated and is used to conduct espionage:
"Based on telemetry with collaboration from our partners at McAfee Enterprise ATR, this Linux threat has been active in the wild since August targeting telecom companies, government agencies, IT companies, financial institutions and advisory companies around the world. Targeting has been limited in scope, suggesting that this malware is used in specific attacks rather than mass spreading.
"After further analysis, we found Windows samples that use the same C2. The samples are re-implementations of Cobalt Strike Beacon. The Windows and ELF samples share the same functionalities.
"The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor."
A look at the ransomware industry.
Researchers at KELA have issued a report describing what ransomware operators are looking for in a potential victim:
- "In July 2021, KELA found 48 active threads where actors claimed they are looking to buy different kinds of accesses. 46% of them were created in that month, illustrating the demand for access listings.
- "40% of the actors who were looking to buy accesses were identified as active participants in the ransomware-as-a-service (RaaS) supply chain – operators, or affiliates, or middlemen.
- "Ransomware attackers appear to form 'industry standards' defining an ideal victim based on its revenue and geography and excluding certain sectors and countries from the targets list. On average, the actors active in July 2021 aimed to buy access to US companies with revenue of more than 100 million USD. Almost half of them refused to buy access to companies from the healthcare and education industries.
- "Ransomware attackers are ready to buy all kinds of network accesses, with RDP and VPN being the most basic requirement. The most common products (enabling network access) mentioned were Citrix, Palo Alto Networks, VMware, Fortinet, and Cisco.
- "Ransomware attackers are ready to pay for access up to 100,000 USD, with most actors setting the boundaries at half of that price – 56,250 USD."
OT vulnerabilities on the rise.
Skybox Security has released its "Mid-Year Vulnerability and Threat Trends Report," finding that "new vulnerabilities in operational technology (OT) devices were up 46% in the first half of 2021." The report also determined that ransomware attacks increased 20% compared to the first half of 2020, and cryptojacking attacks more than doubled.