The CyberWire Daily Podcast 12.23.24
Ep 2215 | 12.23.24

Court puts the ‘spy’ in spyware.

Transcript

A federal judge finds NSO Group liable for hacking WhatsApp. China accuses the U.S. government of cyberattacks. The UK’s Operation Destabilise uncovers a vast criminal network. An alleged LockBit developer says he did it for the money. Apache releases a security update for their Tomcat web server. Siemens issues a security advisory for their User Management Component. Italy’s data protection authority fines OpenAI $15.6 million. Researchers demonstrate a method to bypass the latest Wi-Fi security protocol. Apple sends potential spyware victims to a nonprofit for help. Our guest is Sven Krasser, CrowdStrike's Senior Vice President Data Science and Chief Scientist, talking about balancing AI and human intervention. Hackers supersize their McDonald’s delivery orders.

Today is Monday December 23rd 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A federal judge finds NSO Group liable for hacking WhatsApp. 

A federal judge in California has ruled that NSO Group, the developer of Pegasus spyware, is liable for hacking 1,400 WhatsApp users, including activists, journalists, and diplomats. This marks the first time the company has been held accountable for its role in spyware abuses. Meta-owned WhatsApp filed the lawsuit in 2019, alleging NSO exploited a bug in its platform to install spyware on users’ devices. NSO repeatedly bypassed WhatsApp’s security defenses over two years, targeting victims globally.

The court found NSO violated the federal Computer Fraud and Abuse Act (CFAA), California’s Comprehensive Computer Data Access and Fraud Act (CDAFA), and WhatsApp’s terms of service. Judge Phyllis Hamilton criticized NSO for failing to produce complete Pegasus source code, a factor in her decision to impose sanctions.

NSO executives admitted in depositions that the company controlled data extraction from hacked devices and designed Pegasus to circumvent WhatsApp’s security measures. Court evidence showed NSO developed new malware even after WhatsApp sued them.

This ruling is seen as a victory for spyware victims, signaling increased accountability for spyware companies. Natalia Krapiva of Access Now hailed the decision, emphasizing its importance for digital security and human rights. Damages will be determined in March.

NSO did not comment on the ruling. WhatsApp and advocates for victims expressed hope that this decision would deter similar abuses by spyware developers in the future.

China accuses the U.S. government of cyberattacks. 

China’s National Cyber Incident Response Center (CNCERT) has accused the U.S. government of cyberattacks targeting two Chinese tech firms to steal trade secrets. In a public notice, CNCERT claimed a U.S. intelligence agency was responsible, citing incidents in May 2022 and August 2023.

One attack targeted a high-tech company in China’s smart energy sector, exploiting Microsoft Exchange vulnerabilities to implant backdoors and gain control over company systems. The second attack infiltrated an advanced material research unit by exploiting a document management system vulnerability, infecting over 270 hosts with Trojans.

The allegations come amid heightened tensions, with the U.S. accusing China of cyber espionage and breaches of telecom networks. CNCERT, which is tied to China’s Ministry of Industry and Information Technology, has escalated claims of U.S. cyberattacks in recent years.

The UK’s Operation Destabilise uncovers a vast criminal network. 

The UK’s National Crime Agency (NCA) recently unveiled Operation Destabilise, a four-year investigation uncovering an unprecedented financial chain connecting street-level drug dealing to global money-laundering networks. This effort exposed links between ransomware groups like Ryuk and Conti, Russian businesses, and entities funding espionage and sanctions evasion.

The investigation began in 2021 with blockchain analysis of ransomware payments. It soon expanded to reveal billions laundered through Russian entities Smart and TGR Group, led by high-profile figures Ekaterina Zhdanova and George Rossi. A key breakthrough came in November 2021 with the arrest of cash courier Fawad Saiedi, who had laundered over £15.6 million in a cash-for-crypto scheme tied to Zhdanova.

The operation uncovered vast networks laundering money for drug cartels, organized crime, and Russian elites, utilizing cryptocurrency to evade detection. Despite challenges, the NCA tackled both street-level crime and high-level conspiracies, marking a significant step in combating global financial crime.

An alleged LockBit developer says he did it for the money. 

Israeli authorities arrested alleged LockBit ransomware developer Rostislav Panev, a dual Russian-Israeli national, in August 2023 at the request of the United States. Panev faces 41 charges, including computer-related extortion and conspiracy. U.S. officials allege Panev developed malware for LockBit, including tools to bypass antivirus protections and deploy ransomware, receiving $10,000 monthly payments from LockBit leader Dmitry Khoroshev.

LockBit, active since 2020, extorted over $500 million and infected 2,500 victims globally before its disruption in 2024. Panev’s arrest follows international efforts to dismantle the gang. Panev admitted to coding for LockBit from 2019, initially claiming ignorance of its criminal use but later acknowledging he continued “for the money.” Investigators found LockBit source code and credentials on his computer, linking him to the operation. Panev awaits extradition to the U.S. to face charges.

Apache releases a security update for their Tomcat web server. 

Apache has released a security update addressing CVE-2024-56337, a remote code execution (RCE) vulnerability in the Tomcat web server. The issue, a time-of-check time-of-use (TOCTOU) race condition, affects Tomcat versions 11.0.0-M1 to 11.0.1, 10.1.0-M1 to 10.1.33, and 9.0.0.M1 to 9.0.97 when they run on case-insensitive file systems with write access enabled on the default servlet. Users should upgrade to Tomcat 11.0.2, 10.1.34, or 9.0.98 and, when running on Java 8 or 11, also set the Java system property sun.io.useCanonCaches to false. Future updates will enforce safer defaults.
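As an added example (not code from Apache or from the podcast), here is a small Python audit helper that checks the preconditions named above for a given Tomcat install. It assumes the version string is what `catalina.sh version` prints, that "default servlet write enabled" means the `readonly` init-param of Tomcat's DefaultServlet in conf/web.xml being set to false, and that the caller already knows whether the file system is case-insensitive; the web.xml fragment is constructed, and the version parser handles both milestone spellings (`9.0.0.M1`, `11.0.0-M1`) that the advisory uses.

```python
import re
import xml.etree.ElementTree as ET

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
_FINAL = 10**9  # milestone slot of a final release; sorts after any M<n>
# First and last vulnerable release per branch, as listed in the advisory.
_AFFECTED = {
    (11, 0): ((11, 0, 0, 1), (11, 0, 1, _FINAL)),
    (10, 1): ((10, 1, 0, 1), (10, 1, 33, _FINAL)),
    (9, 0): ((9, 0, 0, 1), (9, 0, 97, _FINAL)),
}

def version_key(version):
    """'9.0.0.M1', '11.0.0-M1' or '10.1.34' -> sortable tuple; milestones sort first."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), int(ms) if ms else _FINAL)

def is_affected_version(version):
    """True inside a vulnerable range; False for fixed releases and unlisted branches."""
    key = version_key(version)
    rng = _AFFECTED.get(key[:2])
    return rng is not None and rng[0] <= key <= rng[1]

def default_servlet_writable(web_xml_text):
    """True if conf/web.xml sets readonly=false on the DefaultServlet (assumed
    meaning of 'write enabled'); an absent init-param keeps the read-only default."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iterfind(".//{*}servlet"):  # {*}: any XML namespace
        if "DefaultServlet" not in (servlet.findtext("{*}servlet-class") or ""):
            continue
        for ip in servlet.iterfind("{*}init-param"):
            if (ip.findtext("{*}param-name") or "").strip() == "readonly":
                return (ip.findtext("{*}param-value") or "").strip().lower() == "false"
    return False

def exposed(version, web_xml_text, case_insensitive_fs):
    """All three advisory preconditions must hold; on Java 8/11 the advisory
    additionally wants -Dsun.io.useCanonCaches=false in the JVM options."""
    return (is_affected_version(version) and case_insensitive_fs
            and default_servlet_writable(web_xml_text))

# Constructed sample: a conf/web.xml fragment carrying the risky setting.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"><servlet>
 <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
 <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
```

Run `exposed(version, open("conf/web.xml").read(), True)` on a Windows or macOS host; a False from `is_affected_version` alone does not mean a branch is safe if it is one the advisory does not list.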

Siemens issues a security advisory for their User Management Component. 

Siemens has issued a security advisory for CVE-2024-49775, a critical heap-based buffer overflow vulnerability in its User Management Component (UMC) affecting industrial control systems used in manufacturing and energy sectors. Exploitation could allow attackers to execute arbitrary code, disrupt operations, exfiltrate data, or manipulate critical systems. Affected products include Opcenter Execution Foundation, SIMATIC PCS neo, and SINEC NMS. Siemens has released patches for some products and advises restricting access to ports 4002 and 4004. 

Italy’s data protection authority fines OpenAI $15.6 million. 

Italy’s data protection authority, Garante, fined OpenAI €15 million ($15.6 million) for unlawfully processing personal data to train ChatGPT and lacking transparency with users. The investigation also found inadequate age verification, exposing minors to inappropriate content. OpenAI called the fine “disproportionate” and plans to appeal, noting it exceeds their revenue in Italy during the period. The company agreed to run a public awareness campaign and remains committed to privacy compliance. The case highlights growing global regulatory scrutiny of AI systems like ChatGPT.

Researchers demonstrate a method to bypass the latest Wi-Fi security protocol. 

Researchers from the University of the West Indies demonstrated a method to bypass WPA3, the latest Wi-Fi security protocol, to obtain network passwords. WPA3 was designed to improve on WPA2 by introducing features like Simultaneous Authentication of Equals (SAE) to prevent offline attacks. However, the researchers exploited weaknesses in WPA3’s transition mode, which allows compatibility with WPA2 devices.

Using a downgrade attack, they captured the WPA3 handshake, deauthenticated users, and created a rogue “evil twin” access point with a captive portal to steal passwords. The attack, requiring specific conditions and user interaction, highlights vulnerabilities in networks without Protected Management Frames enabled. The findings stress the need for user education, proper configuration, and further investigation to strengthen WPA3 against technical exploits and social engineering.

Apple sends potential spyware victims to a nonprofit for help. 

Imagine this: You receive a notification from Apple on your iPhone, warning that spyware hackers are targeting you. The alert sounds serious, even alarming, but instead of offering help, Apple points you to a non-profit organization for support. That’s how Apple’s spyware notification system works—and it’s been quietly operating since 2021.

Designed to warn individuals of highly targeted attacks, the system has notified users in over 150 countries. These attacks, often linked to mercenary spyware like Pegasus, target specific individuals based on who they are or what they do. While the notifications highlight the risk, Apple doesn’t provide direct technical assistance, leaving victims to seek help from organizations like Access Now or Amnesty Tech for forensic analysis.

For those who suspect spyware, tools like the “Am I Secure?” app can scan devices for threats, offering capabilities comparable to those used by governments. Yet, critics wonder why Apple, a tech giant with vast resources, redirects users to non-profits rather than deploying its own expertise.

Apple assures users that these attacks are rare and advises keeping devices updated and rebooting regularly to disrupt potential spyware. Still, the company’s hands-off approach raises questions about responsibility. Why point users elsewhere when the stakes are so high? For now, Apple remains tight-lipped. 

Next up, CrowdStrike's Senior Vice President Data Science and Chief Scientist Sven Krasser joins me to talk about balancing AI and human intervention. And, <kicker intro>. We’ll be right back.

Welcome back.

Hackers supersize their McDonald’s delivery orders. 

Imagine you could get your Big Mac for just $0.01—sounds like a dream, right? Well, a researcher discovered that McDonald’s McDelivery app in India had a “supersized” security flaw allowing exactly that! With clever tinkering, users could manipulate cart prices, hijack orders, and even track delivery drivers in real-time.

This wasn’t just about cheap burgers. Sensitive data, like driver names and license plates, was publicly exposed, and hackers could redirect someone else’s fries straight to their doorstep. It all boiled down to poorly secured APIs, with vulnerabilities like Broken Object Level Authorization (BOLA) allowing for these exploits.

To McDonald’s credit, they fixed everything within 90 days after receiving the hacker’s detailed report. While this ethical hacker enjoyed a bounty instead of fries, the case underscores the need for stronger cybersecurity in consumer apps. Let’s hope McSecurity gets beefed up worldwide! 🍟
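To make the two flaws concrete, here is an added Python illustration (not code from McDonald's, the researcher, or the podcast): a toy order service with the Broken Object Level Authorization lookup and the client-trusted cart price beside their fixed forms. Order ids, user names, the menu and the driver field are all constructed.

```python
from dataclasses import dataclass

# Constructed server-side price list in cents; clients never send prices.
MENU = {"big_mac": 199, "fries": 99}

class Forbidden(Exception):
    pass

@dataclass
class Order:
    order_id: int
    owner: str
    items: dict               # item -> quantity
    total_cents: int
    driver: str = "driver-42"  # constructed; PII that must not leak to other users

ORDERS = {1: Order(1, "alice", {"big_mac": 1}, 199), 2: Order(2, "bob", {"fries": 2}, 198)}

def get_order_vulnerable(order_id):
    """BOLA: any authenticated caller can fetch any order by guessing its id."""
    return ORDERS[order_id]

def get_order(caller, order_id):
    """Fixed: look the object up, then check the caller owns it, before returning
    anything. Missing and foreign orders get the same answer, so ids don't enumerate."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != caller:
        raise Forbidden("order not found")
    return order

def checkout_vulnerable(caller, cart):
    """Trusts client-supplied prices: cart = {'big_mac': {'qty': 1, 'price': 1}}."""
    total = sum(v["qty"] * v["price"] for v in cart.values())
    return _create(caller, {k: v["qty"] for k, v in cart.items()}, total)

def checkout(caller, cart):
    """Fixed: only quantities come from the client; prices are looked up in MENU."""
    items = {k: int(q) for k, q in cart.items()}
    if any(k not in MENU or q <= 0 for k, q in items.items()):
        raise ValueError("invalid cart")
    return _create(caller, items, sum(MENU[k] * q for k, q in items.items()))

def _create(owner, items, total):
    oid = max(ORDERS) + 1
    ORDERS[oid] = Order(oid, owner, items, total)
    return ORDERS[oid]
```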

And that’s the CyberWire.

Well folks, it’s that time of year. The N2K CyberWire team is getting ready to settle into our long winter’s nap. We will be taking a publishing break starting on Tuesday, December 24th through Wednesday, January 1st. Fret not, while we are out, we’ve got some fun surprises planned for you in your podcast feeds. If you’ve got some downtime or want to pop those AirPods in and not engage in any more family togetherness, head over to your favorite podcast app and check out our goodies. We will emerge from our nap on January 2nd! See you then. 

As we wrap up another incredible year at The CyberWire, I want to take a moment to shine a spotlight on the amazing people who bring our stories to life every single day. This podcast is more than just a production—it’s a labor of love, talent, and unwavering dedication, and none of it would be possible without our phenomenal team.

To Liz Stokes, who produced today’s episode and so many others with precision and care: thank you for your relentless commitment to delivering content that informs and inspires. To Tré Hester, our mixer, your technical expertise and creative touch make every episode shine. Elliott Peltzman, your original music and sound design give The CyberWire its unmistakable rhythm and soul—we are endlessly grateful for your artistry.

Jennifer Eiben, our executive producer, and Brandon Karpf, our executive editor: your leadership and vision guide everything we do, keeping us focused on our mission. Simone Petrella, our president, and Peter Kilpe, our publisher: your support and belief in this team enable us to grow and excel.

To all of you, thank you for the hard work, late nights, and countless moments of collaboration this year. Here’s to the stories we’ve told, the challenges we’ve tackled, and the milestones we’ve achieved—together. I am proud to be part of our team and can’t wait for all that lies ahead in the new year. Happy holidays, and thank you for making The CyberWire extraordinary!

On behalf of all of us, Merry Christmas and Happy Holidays! I’m Dave Bittner - we’ll see you back here next year.