Apple's clickless exploit.
A zero-click exploit affects iPhones belonging to Kaspersky employees. A GRU cyber campaign incorporates novel malware. The Indian government targets Apple over hacking attempts. Microsoft disables App Installer. Australian courts’ AV is compromised. A BlackBasta decryptor is released. Cyber Toufan claims attacks against Israeli targets. Patients in Oklahoma face online extortion. LoanCare customers’ data is at risk. Google settles a private browsing lawsuit. Barracuda patches a zero-day. That Chinese spy balloon was making a local call. And then Caleb Barlow, a friend of our show, shares password security tips you should know.
Happy New Year! It’s Tuesday, January 2nd, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Zero-click exploit affects iPhones belonging to Kaspersky employees.
The big story breaking over the holidays involves compromised iPhones in Russia.
Ars Technica reports that iPhones belonging to Kaspersky employees were targeted by an advanced exploit over the course of four years. Dubbed "Triangulation," this campaign targeted a wide range of individuals, including those working in diplomatic missions and embassies in Russia. The attack was executed through iMessage texts, installing malware without any action from the recipient. This spyware was capable of transmitting a variety of sensitive data, including microphone recordings and geolocation, to attacker-controlled servers. Interestingly, the malware did not survive a device reboot, but the attackers circumvented this by sending new malicious texts after a reboot.
The Triangulation campaign exploited four critical zero-day vulnerabilities, which were unknown to Apple at the time of discovery. These vulnerabilities, now patched by Apple, affected not only iPhones but also other Apple devices like Macs, iPads, Apple TVs, and Apple Watches.
One of the most striking aspects of this attack was its exploitation of a hidden hardware feature in Apple devices. This feature allowed the attackers to bypass robust hardware-based memory protections that are typically difficult to defeat. These protections prevent attackers from executing post-exploitation techniques even after compromising the system’s kernel.
Kaspersky's discovery of this hidden hardware function came after extensive reverse engineering of infected devices. Their research led them to hardware registers and memory-mapped input/outputs (MMIOs), which the attackers used to bypass memory protections. The MMIO addresses used by the attackers were not listed in any device tree or found in source codes, kernel images, and firmware, underscoring the obscurity and sophistication of the attack.
Russia’s FSB has for some time accused Apple of colluding with the US NSA. In this case, however, Kaspersky explicitly declined to make any attribution, telling Ars Technica, “Currently, we cannot conclusively attribute this cyberattack to any known threat actor. The unique characteristics observed in Operation Triangulation don't align with patterns of known campaigns, making attribution challenging at this stage.”
GRU cyber campaign incorporates novel malware.
Staying in Russia for a moment…
Between December 15th and 25th, a phishing campaign targeting Polish and Ukrainian entities was linked to Russia's GRU, specifically the APT28 unit, also known as Fancy Bear. CERT-UA released details from their investigation, revealing that the attack involved redirecting victims to a website that utilized JavaScript and the 'ms-search' application protocol. This process resulted in the download of a shortcut file which, when opened, triggered a PowerShell command. This command facilitated the download and execution of a decoy document, the Python interpreter, and a file identified as MASEPIE. The Record highlighted that the campaign seems designed to spread through networks, not just infect individual devices. GovInfo Security indicated that Russia's historical patterns suggest such attacks could be precursors to larger cyber or physical assaults.
Indian government targets Apple over hacking attempt.
Shortly after Apple warned independent Indian journalists and opposition politicians about potential government hacking attempts, India’s Modi administration took action - against Apple, the Washington Post reports. Officials from the Bharatiya Janata Party (BJP) questioned Apple's threat algorithms and initiated an investigation into the security of Apple devices. In private meetings, senior Modi administration officials demanded that Apple help mitigate the political impact of the warnings. They even summoned an Apple security expert to New Delhi to propose alternative explanations for the warnings.
The campaign targeted individuals critical of Prime Minister Modi or his ally, Gautam Adani. Notably, journalists Anand Mangnale and Ravi Nair of the Organized Crime and Corruption Reporting Project (OCCRP) were among those warned. A forensic analysis revealed that within 24 hours of contacting Adani for a story, Mangnale's phone was infiltrated with Pegasus spyware, developed by Israeli company NSO Group and allegedly sold only to governments.
Despite denials from Adani and the Indian government's refusal to confirm or deny using spyware, evidence suggests the government's use of these powerful surveillance tools. Fresh cases of infections among journalists and targeting of opposition politicians add to this evidence.
Microsoft disables App Installer.
Microsoft has deactivated its ms-appinstaller-protocol handler due to its exploitation by threat actors, including Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674. These groups have been leveraging the ms-appinstaller URI scheme to distribute malicious software, including ransomware since mid-November 2023. To combat this, Microsoft has disabled the App Installer by default, following observations of the handler's misuse as an entry point for malware through malevolent advertisements on popular search engines and Microsoft Teams. The reported misuse involves spoofing legitimate applications and evading initial detection, with cybercriminals also selling malware kits exploiting the MSIX file format and ms-appinstaller protocol.
Microsoft is an N2K partner.
Australian courts’ AV compromised.
In Australia, Victoria's court system was compromised by a ransomware attack, suspected to be orchestrated by Russian hackers using commercial ransomware known as Qilin. Hackers accessed the court’s AV archive, ‘AV’ in this case referring to the datatypes compromised in their audio-visual system, and not to anti-virus software that could have prevented the attack. They potentially obtained recordings of sensitive court hearings between November 1 and December 21. Court Services Victoria (CSV) is contacting affected individuals and has set up a contact center. The attack led to staff being locked out with a message indicating a breach. CSV has isolated and disabled the affected network, ensuring that court operations remain unaffected.
BlackBasta decryptor released.
Researchers from SRLabs have released a decryptor for the BlackBasta ransomware, allowing victims of the ransomware since November 2022 to recover their files. BleepingComputer reports that BlackBasta’s developers last week patched the flaw exploited by the decryptor, so it won’t work for newer attacks.
Cyber Toufan claims attacks against Israeli targets.
Pro-Palestinian hackers Cyber Toufan claimed a series of cyber attacks against numerous Israeli entities amid the Gaza war, extending the conflict into cyberspace. They promised daily leaks throughout December and reportedly released data from 60 sites, including both Israeli and international firms like SpaceX, Toyota, and IKEA. Cybersecurity expert Kevin Beaumont described the group as "incredibly well organized and disruptive," targeting a wide range of entities and causing lasting damage with many victims still struggling to recover weeks later. The group, which denies being a mere tool of any state, has shown a sophisticated level of operation, with some attributing its actions to potential Iranian backing. Their tactics have varied with battlefield events, pausing leaks during ceasefires, indicating a strategic approach to cyber warfare. As the conflict continues, so does Cyber Toufan's promise of persistent cyber targeting against Israeli interests.
Patients in Oklahoma face online extortion.
Patients of Integris Health in Oklahoma are being blackmailed with threats to sell their stolen data, including Social Security Numbers and medical information, if an extortion demand isn't met. The not-for-profit health network, which suffered a cyberattack in November, confirmed the theft but has not provided details about the incident. The extortion emails, sent on December 24, directed patients to a dark web site listing personal data for sale. Integris Health has advised against responding to these emails and is aware of the situation. The mode of extortion resembles that used by the Hunters International ransomware gang in a previous attack, suggesting a possible link. However, paying the ransom does not guarantee data safety and might invite further extortion.
Meanwhile, A cybersecurity breach at Corewell Health and its vendor, HealthEC, LLC, has affected over 1 million Michigan residents, compromising personal and medical data including Social Security and insurance information. Corewell Health proactively informed the Attorney General's Office, which isn't required by Michigan law. This incident is one of several recent breaches in the region, including another at Corewell Health and attacks on McLaren Health Care and the University of Michigan.
LoanCare customers’ data at risk.
LoanCare, a subsidiary of Fidelity National Financial (FNF), is notifying over 1.3 million individuals about a data breach stemming from a cyberattack on FNF's internal systems. Discovered on November 19 and contained a week later, the incident led to the exfiltration of personal details like names, addresses, Social Security numbers, and loan numbers. While there's no evidence of fraudulent use of the stolen data yet, LoanCare is offering free identity monitoring services. The BlackCat/Alphv ransomware group has claimed responsibility for the attack. Despite recent law enforcement actions against their operations, the group remains active.
Google settles private browsing lawsuit.
Google has tentatively settled a lawsuit alleging it secretly tracked millions of users' internet activities even while they were in "Incognito" or private browsing modes. Initially seeking at least $5 billion, the terms of the settlement, reached through mediation, are not yet public but are expected to be formally presented by February 24, 2024. The lawsuit, filed in 2020, claimed Google collected data on users' personal interests and activities through analytics and cookies, despite privacy settings, since June 1, 2016. The plaintiffs argued this violated federal wiretapping and California privacy laws.
Barracuda patches zero-day.
On December 21, Barracuda began issuing updates to address a zero-day vulnerability in its Email Security Gateway appliances, actively exploited by the Chinese hacker group UNC4841. This flaw stems from a third-party library, Spreadsheet::ParseExcel, used in the Amavis virus scanner of the ESG appliances. Attackers could execute arbitrary code via a crafted Excel email attachment. Barracuda observed the deployment of new SEASPY and SALTWATER malware variants following the exploitation. A patch was released on December 22 to fix compromised appliances.
We’re starting the year off with some fun password advice from our friend, Caleb Barlow, CEO of Cyberbit.
Chinese spy balloon communicated via a US ISP.
Remember the Chinese intelligence collection balloon that floated across North America until the US Air Force shot it down off Myrtle Beach on February 4th of last year? NBC News reports that it was communicating with its controllers via a US ISP, and that the communications were mostly for "navigation" (probably position-reporting, since the balloon would have been drifting wither the wind listeth, and not really under controlled flight). Which ISP was being used hasn't been reported. The Chinese embassy reiterated its earlier claim that the craft was nothing more than a weather balloon, "affected by the Westerlies and with limited self-steering capability, the airship deviated far from its planned course," wither the wind listeth.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.
N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Irvin. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.