FFT news digest January 21 2022

Spyware here. Spyware there.

This was a week that revealed the extraordinary extent of spyware usage around the world. If anyone thinks this isn't a problem, here's what emerged.

Israel: Police used the NSO Group's notorious Pegasus spyware to spy on mayors, leaders of protests against then Prime Minister Netanyahu, and former government officials. An activist's secret use of the Grindr dating app was also tracked using Pegasus. No warrants were obtained and there was no supervision over how the information gathered would be used. Calcalist

India: The country's top court has set up a committee to investigate claims that citizens were attacked with Pegasus. The committee has urged anyone affected to allow their phones to be inspected. The government has remained silent. Techdirt

Ireland: Pegasus is reported to have been used to attack human rights campaigners around the time they attended a conference in Dublin. Front Line Defenders said activists from Bahrain and Jordan were targeted and their phones were infected multiple times.

And just to provide some financial context: the Financial Times says ($) the British Gas pension fund was one of the biggest investors in the €1 billion private equity fund that bought the NSO Group in 2019.

Threats

Targeted: DHL has replaced Microsoft as the brand most frequently imitated by cybercriminals trying to steal credentials or infect devices with malicious software. Check Point

Twitter: A widespread campaign is trying to hijack accounts by sending users a copyright infringement notice. It arrives as a Twitter system message that leads to a form requiring the user's credentials. The examples we've seen are highly credible.

Edge: Criminals are using fake updates for Microsoft's browser as part of an ongoing campaign. You can ignore such messages. Closing and reopening a browser is all that's needed to update it. Malwarebytes

Crypto: As more and more people are sucked into the cryptocurrency game, criminals have rolled out yet another tool aimed at parting owners from their digital coins. It's believed this one is delivered via compromised software installers. BitDefender

China: Trend Micro says a group aligned with China is behind a sophisticated campaign directed at governments, NGOs and the media. Key techniques are carefully targeted emails with malicious links and booby-trapped websites, aka 'watering hole attacks'. Trend Micro

Ukraine

As Russia continues to move armed forces around Ukraine's border, the country is facing ongoing cyber attacks. Last week, websites were defaced. At the weekend, Microsoft reported that much more destructive attacks were taking place that aimed to prevent computers from starting up. It's the latest example to highlight the problem of what to call such attacks. There's a widely shared view that "warfare" is not appropriate because it's important to reserve that term for 'kinetic' war. We think there's a very blurred line, especially as cyber attacks can create as much destruction as, or more than, conventional, chemical or nuclear weapons. Mandiant has an excellent overview of the current situation in Ukraine.

Olympics

Security flaws in the app that must be installed by anyone attending the Winter Olympics have been fixed, according to a senior Chinese official. The assurance follows warnings by researchers at Citizen Lab that the MY2022 app contains a "simple but devastating" flaw that could allow data leaks. The app has to be installed 14 days before arriving in China and is used to collect a range of personal and health information. Earlier in the week, the International Olympic Committee dismissed Citizen Lab's research, saying tests had failed to reveal any vulnerabilities. So the app is either fixed, or there was never anything to fix. We're not reassured.

Wages of sin

Some progress towards making cyber crime a riskier endeavour, with the arrest in Russia of members of a notorious ransomware gang and a rash of other arrests around the world. Russia's internal intelligence agency said it detained 14 members of the REvil organisation following a request from the US. It may represent a significant change in approach, though it's worth noting that REvil had already ceased operations. Elsewhere, Interpol arrested 11 people suspected of involvement in 'Business Email Compromise' attacks. And in London, a romance fraudster has been jailed for 28 months for targeting 670 women. Osagie Aigbonohan, originally from Nigeria, used fake names, dating apps, and social media to find and connect with potential victims looking for a relationship.

Kill switch

One of the easiest ways to compromise a phone is to persuade it to connect to a 2G network. Last week Google released a feature allowing users to disable 2G on Android phones. Now Apple is facing calls to do likewise. 2G was created in 1991. It uses hopelessly weak encryption and makes it trivially easy for an attacker to impersonate a genuine cellphone tower. It's no longer available in the US and there's been a long-running campaign to get rid of it altogether. The problem is that, even in countries where it has been turned off, phones will still try to connect to a fake 2G mast if that's the strongest available signal. In general, cellphone technology is not secure - but the newer the protocol, the less insecure it is.

In brief

End users: The good news: IT professionals think users are more aware of security risks. The bad news: it's unclear what grounds they have for thinking this, especially as Dark Reading's 2021 Strategic Security Survey specifically points to a sharp rise in the number of users who say their security awareness training was ineffective.

Encryption: The UK government is spending £500,000 on a publicity campaign apparently designed to persuade the country that end-to-end encryption is inherently evil. As Big Brother Watch points out, this is ironic, as it's a technology the government uses - and depends on - every day.

Business communications: The UK's National Cyber Security Centre has released new guidance aimed at stopping 'smishing' (i.e. the use of text messages to deliver booby-trapped links and the like). The advice covers a range of business communications and is designed for organisations.

Snapchat: The social app is (very) widely used to deal drugs. Snapchat's parent company has decided to try to put an end to the practice by changing its friend recommendation feature. The change will make it more difficult for strangers to become friends with teenagers they don't know.

Misinformation: A computer model demonstrates how misinformation spreads in much the same way as a disease. It begins with a super spreader and expands through a network of interactions, aided by those inclined to reject factual information. PLOS ONE

Senate porn: Someone managed to access a virtual meeting at the Italian senate and subjected politicians, academics, and a Nobel Prize winner to video of 3D porn featuring Final Fantasy characters. Zoom bombing is still a thing. The waiting room is your friend. Motherboard

Updates

Microsoft: Emergency updates to address multiple issues caused by last Tuesday's Windows Updates, including problems with VPN connectivity and Windows Server Domain Controllers.

macOS: Is your Mac up to date? If not, be advised Microsoft researchers have found a serious vulnerability that could give an attacker free rein over your machine.

Chrome: Version 97.0.4692.99 for Windows, Mac, and Linux addresses 26 vulnerabilities, one rated 'critical'.

Firefox: Version 96.0.2 fixes some minor issues, including one that caused Facebook applications to crash the browser when the window was resized.

SonicWall: A temporary fix has been released which is designed to fix a problem with Gen7 firewalls, many of which appear to be stuck in a reboot loop.

Oracle: A typical deluge of updates - almost 500 of them this month.

Cisco: Security updates for multiple Cisco products, including Redundancy Configuration Manager.

Zoho: Updates for a critical security vulnerability in Desktop Central and Desktop Central MSP that could be exploited on affected servers.

OnionShare: Version 2.5 fixes security issues and adds features to circumvent censorship. OnionShare is a well-regarded open source tool for sharing information securely - and anonymously.
