The CyberWire Daily Podcast 2.6.24
Ep 1998 | 2.6.24

Cracking down on spyware.


The global community confronts spyware. Canon patches critical vulnerabilities in printers. Barracuda recommends mitigations for Web Application Firewall issues. Group-IB warns of ResumeLooters. Millions are at risk after a data breach in France. Research from the UK reveals contradictory approaches to cybersecurity. Meta’s Oversight Board recommends updates to Facebook’s Manipulated Media policy. We’ve got a special segment from the Threat Vector podcast examining Ivanti's Connect Secure and Policy Secure products. And it’s time to brush up on IoT security.

Today is February 6th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The global community confronts spyware.

The U.S. has introduced a new visa restriction policy targeting individuals involved in misusing commercial spyware. Announced yesterday by Secretary of State Antony Blinken, this policy enables the State Department to impose visa restrictions on those who participate in, facilitate, or benefit from the abuse of commercial spyware. This move is part of a broader effort to curb malicious digital espionage by foreign governments and companies, which have historically enabled cyberattacks against human rights activists, journalists, and opposition figures in developing countries.

The policy also extends to investors and operators of misused spyware. It follows President Biden's executive order last year aimed at curbing the malevolent use of digital spy tools targeting U.S. personnel and civil society. This included barring U.S. agencies from conducting business with such companies and adding several surveillance firms to the economic trade blacklist, such as Hungary-based Cytrox, Greek firm Intellexa, and Israeli companies NSO Group and Candiru.

Organized under the Immigration and National Act, the policy applies to a wide range of individuals involved in digital operations that surveil, harass, suppress, or intimidate journalists, activists, dissidents, marginalized communities, vulnerable populations, and their family members. In March last year, the U.S. and partner countries advocated for strict domestic and international controls to counter the proliferation and misuse of commercial spyware.

The UK and France are hosting a conference at Lancaster House in London this week to launch the Pall Mall Process, a new international initiative addressing the proliferation of commercial spyware. Attended by 35 nations, big tech leaders, legal experts, human rights defenders, and vendors of cyber intrusion tools, the conference will see the signing of a declaration committing to joint action on this issue, including a follow-up meeting in Paris in 2025.

Israeli officials are not attending, and it’s notable that the attendee list lacks vendors providing the controversial services targeted by the conference. Dr. Joseph Devanny from King’s College London noted the importance of engaging beyond like-minded states for progress. The absence of countries like Israel, which hosts sanctioned companies for cyber tool trafficking, was significant. Of the attendees, only 24 of 35 signed a pledge for greater action, with countries like Hungary and Mexico, linked to spyware abuses, not signing. The US is a signatory. 

Staying with spyware, Google's Threat Analysis Group reported that government hackers exploited three undisclosed vulnerabilities in Apple's iPhone OS using spyware developed by the European startup Variston. This campaign, discovered in March 2023, targeted iPhones in Indonesia with a malicious SMS link, leading to spyware infection and redirection to a local news article. Apple has not commented on this finding.

Variston, a Barcelona-based company, is gaining attention for its spyware tools, previously analyzed by Google. The company, facing employee departures, collaborates with entities like Protected AE from the UAE to develop and sell spyware packages, incorporating Variston's Heliconia software.

Despite the focus on Israeli firms like NSO Group in recent years, Google's report highlights the growing reach of European spyware makers like Variston, Cy4Gate, RCS Lab, and Negg. 

Canon patches critical vulnerabilities in printers. 

Japanese electronics firm Canon has released software updates to fix seven critical vulnerabilities affecting various small office printer models. These buffer overflow bugs carry a high CVSS score of 9.8 and pose risks of remote code execution (RCE) and denial-of-service (DoS) attacks. 

Canon urges customers to install the latest firmware, available on their regional websites, to enhance security.

No exploits have been reported, but users are advised to increase printer security by using firewalls or routers and setting private IP addresses. These vulnerabilities were reported to Canon through Trend Micro’s Zero Day Initiative (ZDI).

Barracuda recommends mitigations for Web Application Firewall issues.

Barracuda has released a security advisory for its Web Application Firewall (WAF), detailing seven high to critical vulnerabilities. These issues, split into two categories, involve bypassing WAF protections:

Category 1 vulnerabilities allow bypassing file upload protections using HTTP methods other than POST, risking Remote Code Execution (RCE) or Local File Inclusion (LFI).

Category 2 vulnerabilities pertain to bypassing JSON security protections through unspecified HTTP methods in API specifications.

Barracuda recommends updating firmware and adjusting HTTP method restrictions to address these security concerns.

Group-IB warns of ResumeLooters.

Group-IB discovered a large-scale malicious campaign by a group they call ResumeLooters, targeting job search and retail websites across the Asia-Pacific region, particularly in India, Taiwan, Thailand, Vietnam, China, and Australia. Between November and December 2023, ResumeLooters infected at least 65 websites using SQL injection and XSS attacks, stealing databases containing over 2 million unique emails, names, phone numbers, and job-related information. This stolen data was subsequently sold on Telegram channels.

ResumeLooters primarily used penetration testing frameworks and tools like sqlmap, Acunetix, and Metasploit to inject malicious SQL queries and retrieve substantial user data. Over 70% of their victims are in the Asia-Pacific, but compromised websites were also found in countries like Brazil, the USA, and Russia.

The group's XSS attacks aimed to steal HTML code and potentially admin credentials by implanting malicious scripts on legitimate job sites. To counter such attacks, companies are advised to use parameterized statements, perform input validation, and conduct regular security assessments.

Millions are at risk after a data breach in France. 

Millions of people in France are at risk of fraud due to a data breach at Viamedis, a company that handles third-party payments for 84 insurance providers. Viamedis manages payments for over 20 million people. The breach, announced on February 2, exposed sensitive data. This data includes names, civil status, dates of birth, social security numbers, and insurance provider details. However, bank information, postal addresses, phone numbers, and emails were not compromised.

Viamedis has disconnected the compromised program. This disconnection might affect third-party payments with opticians and hearing aid specialists. 

Viamedis has filed a police complaint and informed the French data protection authority. 

Research from the UK reveals contradictory approaches to cybersecurity. 

New research from UK security firm SenseOn reveals that the UK's largest organisations have a contradictory approach to cybersecurity. The survey of 250 IT and Security decision makers from UK and Irish companies (with over 250 employees) found a prevalent belief that purchasing more cybersecurity tools enhances protection. However, adopting these tools takes an average of two and a half months, detracting from critical activities like threat hunting and security awareness training.

Two-thirds of respondents from the largest companies with between 5,000 and 10,000 employees see third-party risk as a primary challenge, contradicting the notion that more tools equal better security. This creates a cycle where organizations keep buying tools, only to worry about the risks and time consumed in integrating these new systems.

The constant introduction of new tools, often difficult to manage due to staffing shortages, adds stress and workload to already overwhelmed security teams. This stress impacts staff retention, with 95% of respondents acknowledging it as a factor. To reduce stress, 83% suggested tools using AI for automation, and 81% recommended security awareness training.

Meta’s Oversight Board recommends updates to Facebook’s Manipulated Media policy. 

A fake video depicting US President Joe Biden inappropriately touching his granddaughter circulated on Facebook and other platforms, leading to calls for Meta to revise its policy on deepfakes and manipulated content. The video, edited from footage of Biden voting in the 2022 US Midterm elections, was not removed by Meta as it didn't meet their current Manipulated Media policy criteria. This policy currently applies only to content created using AI or showing people saying things they didn't say.

Meta's Oversight Board criticized the policy as too narrow and ineffective against misinformation, especially with the upcoming elections in 2024. The Board suggested expanding the policy to include all forms of altered content, whether AI-generated or not, and to cover actions people did not do. They also recommended labeling manipulated content instead of removing it, providing clear definitions of the harms intended to be prevented, and unifying the policy's presentation for clarity. This move aims to address misinformation more effectively, considering the prevalence of non-AI-altered misleading content.


Coming up next, we’ve got a special segment from Palo Alto Networks’ Threat Vector podcast. David Moulton and guests Sam Rubin and Ingrid Parker take a deep dive into the critical vulnerabilities found in Ivanti's Connect Secure and Policy Secure products.


Time to brush up on IoT security.

And finally, a report out of Switzerland claims that cybercriminals have hijacked approximately 3 million smart toothbrushes, using them to create a botnet for a distributed denial of service (DDoS). These internet-connected toothbrushes, typically used for monitoring dental hygiene habits, were compromised via vulnerabilities in the Java programming language. The malware-infected devices were then used to target and overload a Swiss company's website server.

Toothbrushes. Internet-connected toothbrushes.

Here’s a little personal tidbit. I have been fortunate throughout my life to have an unusually high resistance to tooth decay. Through a combination of good luck and good dental hygiene, I have never had a cavity. It is my superpower.

I am still trying to figure out a way to use my abilities for the greater good. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.