FFT news digest February 4 2022

The week in spyware

We have often warned that while the NSO Group has been the main focus of recent news coverage, it's far from the only spyware manufacturer. This week, Reuters reports on a competitor which it says exploited a flaw in Apple's software at exactly the same time as NSO. Reuters says that last year QuaDream and NSO secured the ability to break into iPhones by exploiting identical vulnerabilities in Apple's messaging module. These meant that attacks would work without the user doing anything.

Unsurprisingly, NSO Group and QuaDream have employed some of the same engineering talent and have overlapping customers, according to Reuters.
Sources said buyers for QuaDream's flagship product (called REIGN) have included Saudi Arabia and Mexico (they have yet to comment). Prices are unclear. "One QuaDream system, which included the ability to launch 50 smartphone break-ins per year, was being offered for $2.2 million excluding maintenance costs," Reuters said. That is believed to be lower than usual.

Elsewhere in spyware news, it emerged that the FBI had bought NSO's Pegasus product, but only for "testing". That confirmation (to The Washington Post) followed an extensive New York Times report that included details of NSO's relationship with the FBI. The Washington Post also reported claims from a whistleblower that senior NSO executives offered "bags of cash" to access the Signalling System 7 platform that underpins the international use of mobile phones and can be exploited to track them.

Threats

PowerPoint: Malicious Office documents accounted for 37% of all malware downloads detected by Netskope in 2021, but several security organisations have issued specific warnings about an increase in the use of PowerPoint files, which people seem particularly prone to open.

Excel: A wave of attacks has used Excel add-in files to spread malicious software. HP Wolf Security found a 588% rise in the use of .xll files compared to the previous quarter.

Facebook prizes: Facebook Messenger chats are being used to deliver messages which promise a potential lottery win. The real aim is to steal the target's Facebook credentials. Finland NCSC

Installers: Search engine optimisation is being used to promote links to booby-trapped versions of popular apps including Zoom and TeamViewer. A reminder to be careful about the source of downloads. Mandiant

Zoom: A phishing campaign takes advantage of people's natural inclination to start a meeting when they receive a Zoom link. Clicking on it leads to a fake Microsoft Outlook login screen. Armorblox

Fake jobs: The FBI is warning about a new rash of fake job adverts on recruitment platforms. Some can be very convincing.

Authenticator: A fake authenticator app was downloaded over 10,000 times from Google's Play Store before it was spotted. Google has proved itself congenitally incapable of keeping out bad apps, so it's vital to be cautious about what we install. Pradeo

Phishing that works

Phishing emails that masquerade as HR announcements or ask for help with invoicing attract the most clicks, according to research by F-Secure. The most successful lures appeared to come from HR and included news about holiday entitlement, but fake invoices, document shares and service notifications also attracted large numbers of clicks. F-Secure found that people working in IT-related roles were just as liable to fall for phishing emails as their colleagues in other departments. A useful takeaway from the study: if users have tools that make it easy to report phishing emails, they use them. Otherwise, few bother.

The Chinese threat

China doesn't do things by half, and that applies particularly to cyber warfare. The FBI says China is the source of more cyber-attacks against the US than all other nations combined. "The Chinese government steals staggering volumes of information and causes deep, job-destroying damage across a wide range of industries – so much so that...we're constantly opening new cases to counter their intelligence operations, about every 12 hours or so," FBI Director, Christopher Wray, said. You might object that this is hardly news, but Wray's speech sets out a number of case studies that underline the threat from Beijing and the risk it represents for the world as a whole.

Security tools

Nearly half of organisations are failing to use the full set of security features in Microsoft 365, according to research from Ensono. The study found 38% of them weren't using multi-factor authentication, 43% lacked conditional access controls, and nearly half hadn't enabled data loss prevention or data classification. This bears out what we see with our clients, so we would always suggest that Microsoft 365 users make sure they're maximising the value of their existing tools before buying anything else. Microsoft is constantly adding more functionality to its products; this week it is introducing stricter security to Exchange Online, while also extending the reach of Defender for Endpoint (see below).

WiFi sensing

WiFi is the latest example of the technology industry's unending quest to make its products more complicated before fixing existing flaws. Even the latest WiFi security protocol (WPA3) is vulnerable to attacks that could enable the theft of passwords, yet a working committee is examining how to add sensing capabilities to it. This would enable devices like phones, laptops and routers to detect what's happening around them, including movement in a room or a user's gestures. That sort of functionality has obvious benefits, but equally obvious dangers. The task group is due to complete its work in 2024.

In brief

Tracking: A bad week for the companies that aggregate and exploit Europeans' personal data. The IAB Europe data collection system is behind more than 80% of websites and apps, and the Belgian regulator has ruled that it's unlawful. "This decision could change the way the entire tracking ads industry operates," the European Consumer Organisation said.

MacBook batteries: A lot of unhappy users have been waking up to find their MacBooks out of battery. It seems macOS 12.2 has messed up something to do with Bluetooth, so the fix is to switch that off when not in use (which is good security practice anyway). 9TO5Mac

Surveillance: The new surveillance state is your neighbour, according to Frank Bruni in The New York Times. He points to several US states where officials have urged people to use emails or texts to report anything suspicious in schools or elections.

AirTags: Ingenious uses of Apple's tracking tags. A German activist is trying to locate a secret government intelligence agency by mailing the tags to see where they end up. In the US, a frustrated customer used one to track her family's belongings during a problematic move. Schneier on Security

Ear authentication: Apple is considering adding biometric authentication to AirPods, according to a patent application. It would work by analysing the shape of the user's ear canal.

North Korea: North Korea targeted security researchers to try to steal details of software vulnerabilities. Among them was a US researcher who decided to 'hack back' and, according to Wired, took down much of the country's internet connectivity.

Wordle: You'll have seen The New York Times has swooped in to buy Wordle, saying it will remain free to play "initially". You won't be surprised to learn thousands of fans are unconvinced by what that means, so they've been downloading the game in a form that will allow them to keep playing it for the next seven years, whatever the NYT does. Motherboard

Updates

Chrome: Yet another update for Google's browser. Chrome 98 includes 27 security fixes.

Cisco: There are multiple 'critical' vulnerabilities in its Small Business RV160, RV260, RV340, and RV345 series routers. Currently, there are only updates for the latter two.

QNAP: Network attached storage (NAS) devices have been forced to take updates in response to ransomware attacks that have already encrypted more than 3,600 of them.

ESET: Security fixes for a high-severity vulnerability affecting multiple products on systems running Windows 10 and later or Windows Server 2016 and above.

Zimbra: Volexity says users should consider upgrading to version 9.0.0 because the earlier 8.8.15 release has a serious vulnerability that is being actively exploited. Volexity says it's been used to attack European governments and media organisations.

iOS: Apple has a nifty feature that offers to automatically fill in verification codes sent over SMS, but attackers have got wise to it. So Apple is making it safer by only offering to fill in the code if it comes from the correct source.
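To show what "only if it comes from the correct source" means in practice, here is an added Python example (not Apple's code, and not part of the original digest). It assumes the domain-bound message format Apple documents for developers, in which the final line of the SMS carries "@<domain> #<code>", and compares the bound domain against the host requesting autofill. The sample messages, the subdomain-matching rule and the helper names are constructed for this illustration.

```python
"""Toy autofill policy for domain-bound SMS one-time codes (constructed example)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed binding line format, per Apple's developer guidance as I understand it:
# the last line of the SMS reads "@example.com #123456".
_BINDING_RE = re.compile(r"@(?P<domain>[A-Za-z0-9.-]+)\s+#(?P<code>[A-Za-z0-9-]+)")
# Legacy heuristic: any 4- to 8-digit number in the message looks like a code.
_LEGACY_CODE_RE = re.compile(r"\b\d{4,8}\b")

# Constructed sample messages.
SAMPLE_BOUND = "Your Example code is 123456.\n\n@example.com #123456"
SAMPLE_LEGACY = "Your code is 654321. Do not share it."


@dataclass
class AutofillDecision:
    offer: bool            # whether the device should offer to fill the code
    code: Optional[str]    # the code to fill, if offered
    reason: str            # human-readable explanation for logs


def parse_binding(sms_text: str) -> Optional[Tuple[str, str]]:
    """Return (bound_domain, code) from the last non-empty line, or None if unbound."""
    lines = [line.strip() for line in sms_text.splitlines() if line.strip()]
    if not lines:
        return None
    match = _BINDING_RE.search(lines[-1])
    if not match:
        return None
    return match.group("domain").lower(), match.group("code")


def host_matches(requesting_host: str, bound_domain: str) -> bool:
    """Exact host match, or the requesting host is a subdomain of the bound domain.

    Subdomain acceptance is an assumption of this example. Note the leading dot in
    the suffix check: it stops "example.com.evil.test" from matching "example.com".
    """
    host = requesting_host.lower().rstrip(".")
    return host == bound_domain or host.endswith("." + bound_domain)


def extract_unbound_code(sms_text: str) -> Optional[str]:
    """The old, origin-blind behaviour: grab the first code-looking number."""
    match = _LEGACY_CODE_RE.search(sms_text)
    return match.group(0) if match else None


def decide_autofill(sms_text: str, requesting_host: str) -> AutofillDecision:
    """Offer the code only when the message is bound to the requesting host."""
    binding = parse_binding(sms_text)
    if binding is None:
        return AutofillDecision(False, None, "message carries no domain binding")
    bound_domain, code = binding
    if not host_matches(requesting_host, bound_domain):
        return AutofillDecision(
            False, None, f"code is bound to {bound_domain}, not {requesting_host}"
        )
    return AutofillDecision(True, code, f"bound domain {bound_domain} matches")


if __name__ == "__main__":
    for host in ("example.com", "login.example.com", "example.com.evil.test"):
        print(host, "->", decide_autofill(SAMPLE_BOUND, host))
    print("legacy message ->", decide_autofill(SAMPLE_LEGACY, "example.com"))
    print("legacy heuristic would have offered:", extract_unbound_code(SAMPLE_LEGACY))
```

The contrast between `extract_unbound_code` and `decide_autofill` is the point: the legacy heuristic hands a code to whatever page happens to be in front of the user, while the bound version refuses when the domain in the message and the page requesting the fill disagree, which is the case a look-alike login page produces.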

Defender: Threat and vulnerability management for Android devices is being added to Microsoft's endpoint security platform for enterprises. It also supports vulnerability assessment for iPhones and iPads, though it won't yet analyse apps installed on them.

Gmail: A new design begins rolling out next week. It aims to integrate messaging services into the home screen and will be optional at first, but will become unavoidable by the middle of the year. 

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217