By the CyberWire staff
At a glance.
- Hacker breaches developer of Signal clone used by the US government.
- NSO Group ordered to pay $167 million after losing WhatsApp lawsuit.
- Extortionists target schools following last year's PowerSchool hack.
- LockBit ransomware operation hacked.
- South African Airways discloses disruptive cyberattack.
- CISA warns of unsophisticated threat actors targeting ICS environments.
Hacker breaches developer of Signal clone used by the US government.
404 Media reports that a hacker breached and stole customer data from TeleMessage, the developer of a Signal clone used by the US government to archive messages. TeleMessage recently made the news after former US national security adviser Mike Waltz was photographed using the app to communicate with top White House officials. 404 Media says the hacker doesn't appear to have stolen messages sent by these cabinet members, but obtained data related to US Customs and Border Protection, cryptocurrency exchange Coinbase, and other financial institutions.
TeleMessage is an Israeli company that sells modified versions of end-to-end encrypted messaging apps such as Signal and WhatsApp, allowing users to archive messages for legal and regulatory reasons. The company achieves this by storing copies of the messages on a remote server.
The hacker told 404 Media that they targeted TeleMessage because they were "just curious how secure it was." The company hasn't responded to a request for comment.
Customs and Border Protection (CBP) has confirmed it uses at least one app made by TeleMessage. A CBP spokesperson told WIRED, "Following the detection of a cyber incident, CBP immediately disabled TeleMessage as a precautionary measure. The investigation into the scope of the breach is ongoing."
NSO Group ordered to pay $167 million after losing WhatsApp lawsuit.
A California jury has ordered Israeli spyware company NSO Group to pay more than $167 million for its role in the hacking of 1,400 WhatsApp users' phones, concluding six years of litigation. According to the Washington Post, NSO must pay WhatsApp owner Meta $167,256,000 in punitive damages and $440,000 in compensatory damages.
NSO Group maintains that its Pegasus spyware is meant for use by law enforcement and government agencies to pursue criminals and terrorists, but the company has been widely criticized for selling the tool to authoritarian governments known for targeting members of civil society. The judge refused to allow NSO to introduce evidence related to governments using Pegasus to target bad actors, stating, "Defendants cannot claim, on the one hand, that its intent is to help its clients fight terrorism and child exploitation, and on the other hand say that it has nothing to do with what its client does with the technology, other than advice and support."
Meta said in a statement, "The jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve."
NSO said it will probably appeal the decision.
Extortionists target schools following last year's PowerSchool hack.
Education software provider PowerSchool has confirmed that a threat actor is attempting to extort individual schools using data stolen from the company during a December cyberattack. Following the attack, PowerSchool paid a ransom to prevent the threat actor from publishing the stolen data. It's unclear if the latest extortion attempts are being launched by the same threat actor or if another group obtained a copy of the data.
The company told the Register in a statement, "PowerSchool is aware that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident. We do not believe this is a new incident, as samples of data match the data previously stolen in December. We have reported this matter to law enforcement both in the United States and in Canada and are working closely with our customers to support them. We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors."
PowerSchool added, "As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us."
LockBit ransomware operation hacked.
The LockBit ransomware gang was hacked by an unknown actor who defaced the group's affiliate panels with a link to a MySQL database containing information dumped from the affiliates, BleepingComputer reports. The database includes just under 60,000 unique bitcoin addresses, configurations for builds created by affiliates for attacks, and several thousand negotiation messages between the group and its victims.
It's not clear who carried out the hack, but BleepingComputer notes that the defacement message, "Don't do crime CRIME IS BAD xoxo from Prague," matches the one used in the recent hack of the Everest ransomware's leak site.
South African Airways discloses disruptive cyberattack.
South African Airways (SAA) has disclosed that it sustained a "significant cyber incident" on May 3rd that "disrupted access to the airline’s website, mobile application, and several internal operational systems." The airline added, "Normal system functionality across all affected platforms was restored later the same day."
The nature of the incident is unclear; the Record says the airline didn't respond to questions about whether the attack involved ransomware. SAA said in its statement, "Regarding the potential impact on data, the preliminary investigation is currently assessing the full extent of the incident and actively working to determine if any data was accessed or exfiltrated. SAA is committed to notifying any affected parties directly, in accordance with regulatory requirements, should the investigation confirm a data breach."
CISA warns of unsophisticated threat actors targeting ICS environments.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a joint advisory with the FBI, the EPA, and the Department of Energy, warning of an increase in "unsophisticated cyber actors" targeting ICS/SCADA systems within US critical infrastructure. Specifically, the attacks are targeting energy and transportation systems in the oil and natural gas sector. The advisory notes, "Although these activities often include basic and elementary intrusion techniques, the presence of poor cyber hygiene and exposed assets can escalate these threats, leading to significant consequences such as defacement, configuration changes, operational disruptions and, in severe cases, physical damage."
The agencies have published guidance to help critical infrastructure entities secure their systems.