A zero-click exploit in iOS.
During its investigation of a Pegasus spyware infection of a Saudi activist’s iPhone, the University of Toronto’s Citizen Lab has found a “zero-day zero-click exploit against iMessage.” They call the exploit “FORCEDENTRY,” say it targets Apple’s image rendering library, and claim that it’s effective against Apple iOS, MacOS and WatchOS devices.
FORCEDENTRY is a zero-click attack requiring no user interaction; victims may be entirely unaware that their devices have been compromised. Malicious files masquerading as GIFs were the infection mechanism, and they exploited a previously unknown bug in Apple’s image rendering. As Apple put it in their description of the vulnerability, “processing a maliciously crafted PDF may lead to arbitrary code execution.” In this case the arbitrary code is the Pegasus intercept product.
The Wall Street Journal reports that NSO Group, maker of Pegasus, has apparently been exploiting the vulnerability since February. The company, asked for comment, simply told the Journal, “NSO Group will continue to provide intelligence and law enforcement agencies around the world with lifesaving technologies to fight terror and crime,” which is one way of looking at it.
Apple made fairly short work of patching once it was notified. Citizen Lab forwarded the suspicious artifacts to Apple on September 7th; Apple confirmed on the 13th that they contained a zero-day exploit and, late that same day, addressed the vulnerability with an update to iOS 14.8 (with corresponding updates for macOS and watchOS). Users are advised to upgrade their devices as soon as practicable. Subsequent releases of iOS will, Cupertino says, carry additional defenses against this kind of exploit.
The Meris botnet has proved troublesome this month.
The Meris botnet-driven distributed denial-of-service attacks organizations sustained over a week ago have proven surprisingly difficult to remediate. After a week of fitful, apparent recovery, banks in New Zealand continued to experience service disruptions through the weekend, the New Zealand Herald reports.
KrebsOnSecurity, which was also affected for four days by the botnet, has an account of how Meris exploited vulnerable MikroTik devices to jam networks in several countries. The bad news is that inexpensive gear continues to ship with default insecure states. The good news, Krebs argues, is that, for all the inconvenience this botnet has just caused, in general this form of DDoS has grown less dangerous as security firms have learned to cope with it.
REvil really does seem to be back, and other news from the ransomware underworld.
According to BleepingComputer and Threatpost, the REvil ransomware gang is back in operation, emerging from its brief occultation without even a gesture in the direction of rebranding. The gang’s Tor payment and negotiation site and its data leak sites came back online and became accessible last week on September 7th. A day later it was again possible to negotiate your ransom with them in the old familiar way, and on Saturday the gang had posted a fresh set of stolen data on the dump site, in its now familiar double extortion move. An apparent spokesman for the gang said they were "on a break."
The September 6th ransomware incident in South Africa has spread through the networks of the country's Department of Justice and Constitutional Development, according to BleepingComputer. No group has claimed responsibility, and no stolen data have appeared on the usual dump sites. The Department says it has no evidence that any data were compromised, and that it's working to restore its networks.
RagnarLocker earlier this month threatened to dump stolen data should victims work with law enforcement or seek the assistance of third parties. A second ransomware gang, Grief, has adopted a similarly aggressive stance. BleepingComputer reports that Grief has said it would delete decryption keys if a victim brought in a third party to negotiate its ransom. "We'll burn your data if you get a negotiator," is how the Register describes the threat. Whether they would actually do that, or whether this is more of the usual gangland gasconade, isn't entirely clear.
If you were moved to consider paying the ransom Grief wants, the Register points out that Grief, already under US sanctions, can't be legally paid in any case.
And some good news from Bitdefender, which has released a free decryptor for REvil/Sodinokibi ransomware.
No signs of a Russian crackdown on ransomware gangs.
CSO thinks that recent events have revealed that the Russian government is fully capable of shutting down cyber gangs, if it wants to, and that some disruptions of criminal activity may indicate that US sanctions are having some limited effect.
But hope that Russian authorities were cracking down on ransomware gangs quickly proved to be a false dawn: FBI deputy director Paul Abbate yesterday told the Intelligence and National Security Summit how things actually stand. The Bureau sees no evidence of Russian cooperation or unilateral action against the cybergangs. The Washington Post quotes Abbate as saying the criminal groups are still “operating in the permissive environment that they've created there.”
Mustang Panda's cyberespionage campaign against Indonesia.
Recorded Future reports that the Chinese cyberespionage unit Mustang Panda has compromised "the internal networks of at least ten Indonesian government ministries and agencies, including computers from Indonesia’s primary intelligence service, the Badan Intelijen Negara (BIN)."
PlugX implants hosted inside Indonesian government networks were still communicating with their command-and-control servers at least as recently as July. Recorded Future notified Indonesian authorities of the discovery in June, but the authorities have been, perhaps understandably, tight-lipped in their response. The campaign is believed to have been in progress since March of this year.
Social media used in DPRK cyberespionage effort.
North Korean cyber operators associated with Kumsong 121 threat group are using a social media campaign as preparation for spearphishing and smishing attacks against South Korean targets, the Daily NK reports. Social media are used to establish rapport with the targets, who eventually are asked to review a column on DPRK affairs the attackers claim to have written. That document carries the malicious payload.
The campaign seems noteworthy in the amount of effort being expended in cultivating a degree of trust in the prospective victims. In this respect, at least, Kumsong 121 seems to be taking a page from the kind of careful cultivation of agents long practiced by espionage services--gain their trust, habituate them to doing you small good offices (and accepting small good offices in return). In this case, however, the good offices remain small--no one’s asking you for the secret war plans. They’re just wondering if you’d be so kind as to look over an op-ed they wrote and tell them what you think. Once they’ve opened the document or followed the link, they’re pwned.
Unauthorized re-implementation of Cobalt Strike found in the wild.
Intezer has discovered an unauthorized re-implementation of Cobalt Strike's Beacon ("Vermilion Strike," they're calling it) used by unknown threat actors against both Windows and Linux systems. Vermilion Strike may be the work of a criminal gang, but its sophistication and evident interest in espionage could also suggest that it was developed and deployed by a nation-state's intelligence service. Both provenance and attribution remain unclear.
How maximizing engagement unintentionally (but maybe foreseeably) aided and abetted Russian troll farms.
MIT Technology Review reported this week that Facebook's engagement maximization algorithms automatically pushed usually inflammatory, often false, troll-farmed content into American users' news feeds during the 2020 election season, reaching as many as a hundred-forty-million individuals per month. An internal Facebook study concluded, “Instead of users choosing to receive content from these actors, it is our platform that is choosing to give [these troll farms] an enormous reach.” The social network did seek to put "guardrails" in place to keep content from veering too far from some approximation of truth and normality, and it continued its work against coordinated inauthenticity, but its own algorithms were stacked against its better intentions.
Louisiana courts hit with a cyberattack.
A cyberattack on Jefferson Parish, Louisiana, courts took advantage of the distraction of Hurricane Ida to install unspecified malware in the courts’ networks, Nola.com reports. The courts are expected to recover soon.
Operation Harvest.
McAfee this week published a study of Operation Harvest, a cyberespionage campaign the researchers believe to be operated by a Chinese threat group, either APT27 (also known as Emissary Panda) or APT41 (Wicked Panda, or Winnti), perhaps both. It's a complex and long-running effort marked by "multiple privilege escalation and persistence techniques ... and presence in the network."
Social engineering: greed meets romance.
INKY reports finding a new phishing campaign prompted by the recent US infrastructure bill. The hoods send a bogus email purporting to be from the US Department of Transportation. The phishbait says, essentially, that since a trillion bucks and change is about to flow from the Government to those savvy enough to position themselves for it, you too, recipient, should ring the bell on that gravy train.
The US Federal Bureau of Investigation has also issued a warning to the love-lorn: alt-coin has found its way into romance scams. It all starts in the familiar way: an online contact progresses to an online friendship and then to an online romance. Once the mark is sufficiently starry-eyed, the scammer offers them an exclusive investment opportunity in cryptocurrency. The victim tries a small investment, makes a small profit, and is even able to make a withdrawal. And then, of course, the victim is primed to trust their online honey with even more virtual money. What follows can be easily predicted, and it doesn't end well.
Vaccine mandates drive a criminal market for forged vaccine certificates.
As vaccine mandates are planned and brought into effect, the criminal market for bogus vaccine passports has surged with the new, policy-driven demand, according to Check Point.
DDoS attack against Germany's election authority.
Germany's Federal Returning Officer, the agency responsible for running next week's elections, was subjected to a distributed denial-of-service attack, AFP reports. The incident occurred as Federal prosecutors continued their investigation into a cyberespionage campaign against the Bundestag and other targets.
Cryptojacking botnet adds Windows systems to its target list. And BOLO for mining rigs where they shouldn't be.
Security firm Akamai, which has been tracking the Kinsing cryptojacking botnet, reports that the threat has evolved from Linux-only malware into one that also targets Windows. Kinsing has remote access Trojan capabilities as well as its primary coin-mining functionality. There are several things an organization can do to help protect itself against Kinsing and similar cryptojacking attacks. Akamai recommends, among other sound protective measures, “monitoring processes on your systems for abnormally high resource consumption and suspicious network activity. Abnormal high CPU usage for a given process may be an indicator of cryptomining activity.”
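One way to turn Akamai's advice into a check is to correlate the two signals it names: a process that is CPU-hot and that process holding a connection to a port associated with mining pools. The following is an added example, not Akamai's tooling or anything from the Kinsing reporting. It parses `ps -eo pid,pcpu,comm --no-headers` and `ss -tnp` output (the sample lines below are constructed, and the process name in them is made up), and the list of pool ports is an assumption to be tuned to your own network baseline.

```python
import re
from dataclasses import dataclass, field

# Ports commonly used by stratum mining pools. This list is an assumption for the
# example; tune it to what your own network baseline considers abnormal.
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}

# Matches one line of `ss -tnp` output, e.g.
#   ESTAB 0 0 10.0.0.5:51234 203.0.113.5:4444 users:(("sysupdate",pid=4242,fd=3))
SS_LINE = re.compile(
    r'^ESTAB\s+\d+\s+\d+\s+\S+\s+(?P<rip>\S+):(?P<rport>\d+)\s+'
    r'users:\(\("(?P<comm>[^"]*)",pid=(?P<pid>\d+)'
)


@dataclass
class Finding:
    pid: int
    comm: str
    cpu: float
    pool_conns: list = field(default_factory=list)  # (remote_ip, remote_port)


def parse_ps(lines):
    """Parse `ps -eo pid,pcpu,comm --no-headers` lines into {pid: (cpu, comm)}."""
    procs = {}
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than abort the scan
        pid, cpu, comm = parts
        procs[int(pid)] = (float(cpu), comm.strip())
    return procs


def parse_ss(lines):
    """Parse `ss -tnp` lines into {pid: [(remote_ip, remote_port), ...]}."""
    conns = {}
    for line in lines:
        m = SS_LINE.match(line.strip())
        if not m:
            continue  # header line, non-ESTAB state, or a socket with no owning pid
        conns.setdefault(int(m["pid"]), []).append((m["rip"], int(m["rport"])))
    return conns


def find_cryptomining_candidates(ps_lines, ss_lines, cpu_threshold=80.0):
    """Flag processes that are both CPU-hot and talking to a pool-like port.

    Requiring both signals cuts the false positives a CPU threshold alone
    produces (compilers, browsers, backup jobs).
    """
    procs = parse_ps(ps_lines)
    conns = parse_ss(ss_lines)
    findings = []
    for pid, (cpu, comm) in procs.items():
        pool_conns = [c for c in conns.get(pid, []) if c[1] in MINING_POOL_PORTS]
        if cpu >= cpu_threshold and pool_conns:
            findings.append(Finding(pid, comm, cpu, pool_conns))
    return sorted(findings, key=lambda f: f.pid)


# Constructed sample output (not real telemetry): one miner-like process, one
# busy browser talking to 443, one idle kernel thread.
SAMPLE_PS = [
    "4242 97.3 sysupdate",
    "1311 85.0 chrome",
    "  17  2.0 kworker/0:1",
]
SAMPLE_SS = [
    'ESTAB 0 0 10.0.0.5:51234 203.0.113.5:4444 users:(("sysupdate",pid=4242,fd=3))',
    'ESTAB 0 0 10.0.0.5:51300 198.51.100.7:443 users:(("chrome",pid=1311,fd=44))',
]

if __name__ == "__main__":
    for f in find_cryptomining_candidates(SAMPLE_PS, SAMPLE_SS):
        print(f"pid={f.pid} comm={f.comm} cpu={f.cpu}% pool_conns={f.pool_conns}")
```

Run it against live output by feeding `subprocess.check_output(["ps", "-eo", "pid,pcpu,comm", "--no-headers"]).decode().splitlines()` and the equivalent for `ss -tnp` to the function; a single snapshot is noisy, so in practice sample several times and alert only on processes that stay hot across samples.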
Not just cryptojacking, but even setting up your own mining rig, can be illegal. Bloomberg writes that Chinese police are increasing their enforcement of laws against illicit alt-coin mining, which is producing a noticeable drain on the country's electrical power. Many cryptocurrency miners evaded the law by representing themselves as data researchers or storage facilities. Chinese coin-miners have recently held 46% of the global hash rate.
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued, with the FBI and the Coast Guard, a Joint Advisory warning that CVE-2021-40539, a vulnerability in Zoho's self-service password management and single sign-on product ManageEngine ADSelfService Plus, is being actively exploited in the wild. Zoho fixed the bug on September 6th, and CISA urges users to apply the patch as soon as practicable. The software is of concern to CISA because it's used by "critical infrastructure companies, US-cleared defense contractors, [and] academic institutions."
WIRED offers some sound, general but timely advice: with this week's patches from Apple, Microsoft, and Google's Chrome, today would be a good day to update all your devices.
Crime and punishment.
The US Department of Justice has reached a "deferred prosecution agreement" with three former US intelligence and military personnel whose work on behalf of the United Arab Emirates violated export control and computer abuse laws. From the Department's announcement: “On Sept. 7, U.S. citizens, Marc Baier, 49, and Ryan Adams, 34, and a former U.S. citizen, Daniel Gericke, 40, all former employees of the U.S. Intelligence Community (USIC) or the U.S. military, entered into a deferred prosecution agreement (DPA) that restricts their future activities and employment and requires the payment of $1,685,000 in penalties to resolve a Department of Justice investigation regarding violations of U.S. export control, computer fraud and access device fraud laws. The Department filed the DPA today, along with a criminal information alleging that the defendants conspired to violate such laws.” The Department's point is that "[p]roviding unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States,” is not legitimate foreign trade. The Emirati company that hired them was identified by the New York Times as DarkMatter. Under the agreement the three must pay the $1,685,000 in penalties, forgo the opportunity to ever receive a security clearance, and cooperate with investigators for the next three years, during which they'll also have to keep their noses clean.
Special counsel John Durham, tasked with investigating potential FBI misconduct during the 2016 election, has secured the indictment of Michael Sussmann, a former Federal prosecutor then working at the Democratic Party-connected law firm Perkins Coie, who presented the FBI with information alleging connections between then-candidate Trump and the Russian Alfa Bank. The charge is lying to the FBI: he “stated falsely that he was not acting on behalf of any client,” which led the Bureau to understand that he “was conveying the allegations as a good citizen and not as an advocate for any client.” The indictment alleges that Mr. Sussmann was billing the time he spent researching the matter to the Clinton campaign. He now faces one Federal count of making a false statement.
Courts and torts.
Savannah, Georgia-based St. Joseph’s/Candler Health System is facing a lawsuit over its recent ransomware attack and data breach, GovInfoSecurity reports. Plaintiffs allege that the healthcare system was "reckless" and "negligent" in its defenses.
Policies, procurements, and agency equities.
The United Nations High Commissioner for Human Rights has called for an immediate moratorium on the development and deployment of artificially intelligent technologies that "pose a serious risk to human rights until adequate safeguards are put in place." Details of the proposed moratorium may be found in the Human Rights Council's report, but the concerns center around the potential for automation of bias.
CISA announced in an email Monday morning that Kiersten E. Todt, most recently Managing Director of the Cyber Readiness Institute, has been named the new Chief of Staff for the Cybersecurity and Infrastructure Security Agency. Todt's previous government experience includes service as the Executive Director of President Obama's independent, bipartisan Commission on Enhancing National Cybersecurity and as a Professional Staff Member at the US Senate Committee on Homeland Security and Governmental Affairs.
Fortunes of commerce.
Marsh's annual report has found that ransomware accounts for a fourth of European cyberinsurance claims.