Robin’s Newsletter #259

4 June 2023. Volume 6, Issue 23
Kaspersky says it was compromised using zero-click iMessage exploit. Russia blames the NSA. Amazon settles Ring2 'lax privacy' case.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Kaspersky says it was compromised using iMessage zero-click exploit; Russia accuses NSA of compromising ‘thousands’ of devices

  • Kaspersky says that it was compromised by attackers using a zero-click exploit of Apple’s iMessage protocol. The company does not believe it was the sole target and has published some analysis, as well as giving it the name ‘Operation Triangulation’, a logo and talking about how they eventually detected the unusual behaviour using their own security products.
  • In a statement, Kaspersky said that the infection was not persistent (meaning reinfection using invisible iMessages was required each time the victim rebooted their phone) but that the campaign was, with infections dating from 2019 to present day.
  • Also this week Russia has accused Apple of colluding with NSA to infect thousands of iPhones used by Russian users and “with diplomatic missions and embassies in Russia”. Apple denied “[working] with any government to insert a backdoor into any Apple product”.
  • The indicators of compromise are believed to be similar; however, it’s unclear if the Kaspersky incident and Russian announcement are linked. An NSA spokesperson told Vice Motherboard, “We have nothing for you on this.”
  • The Record reports that the Russian government is in talks to acquire 2 million mobile phones running the domestic Aurora OS for use by state officials. I think this kind of ‘Digital Balkanisation’ makes the equities process — by which intelligence agencies weigh the value of keeping a vulnerability secret for espionage or cyber warfare purposes against the greater good — much simpler for Western agencies. Much like the encrypted phone services used almost exclusively by criminals, the target selection criteria, and potential fallout, becomes much easier to manage.

Amazon’s Ring division settles ‘dangerous access’ and ‘lax privacy’ case

  • Amazon’s Ring home security division has settled a case brought by the Federal Trade Commission (FTC) for $5.8 million. The FTC brought the case over the “dangerously overbroad access and lax attitude toward privacy and security”
  • Ring employees and contractors had widespread and unrestricted access to watch and download customers’ videos, even if they didn’t need access for their job. Sometimes the snooping continued for months without the firm detecting or stopping the behaviour.
  • Ring will establish a security programme and conduct regular assessments for the next 20 years in addition to the financial settlement.

On the government spyware industry

Interesting stats

$5.4 million in investigation and restoration costs, and  $12 million for new hardware and software at Suffolk County, New York, where a state of emergency has been in place for eight months following a ransomware attack in September 2022.

Other newsy bits / in brief

Thames Valley Police shared witness data with suspected criminals

  • The Information Commissioner has reprimanded the Thames Valley Police for releasing witness details to suspected criminals. In one case the witness had to move house though “the impact and risk to them remains high.” 
  • Police officers at the UK’s largest non-metropolitan force did not receive training around disclosing and redacting sensitive information. The force took no proactive steps to ensure officers were aware of their policies, instead pointing officers are a broader policy library as part of induction.

Patch. All. The. Things.

  • Firmware hundreds of Gigabyte motherboards can be subverted to act like a backdoor, according to research from Eclypsium. Whenever an affected computer restarts, the firmware function downloads and runs code without user interaction. The function is part of a system to download and update firmware, but the researchers found it had been implemented insecurely, could be abused like a hidden backdoor, and potentially be used to install malicious rootkits.

  • Barracuda Networks says that a vulnerability in its email security software was exploited by attackers since October 2022 who used it to install malware and steal sensitive data from customer’s IT environments. CVE-2023-2868, which was patched last month, and affects Barracuda Email Security Gateway 5.1.3.001 through 9.2.0.006. 

  • Zyxel firewall users should “assume compromise” following a widespread campaign to exploit a vulnerability that the company patched in April. CVE-2023-28771 scored 9.8/10 and is being mass exploited automatically by the Mirai botnet to ensnare further devices into the botnet.

  • Continuing the trend of targeting file transfer appliances, Progress Software’s MOVEit Transfer is suffering from “mass exploitation” via an SQL-injection bug. Progress said customers should take “immediate action” and disable HTTP and HTTPS.

Plus…

  • Security researchers have found an advertising software development kit called SpinOK contained malicious functions to steal private data. Over 100 Android apps used the SpinOK SDK, and had collectedly been downloaded 421 million times. Google has removed all the offending apps from the Google Play Store, including popular video editor Noizz and file-sharing app Zapya. It’s not believed that the app developers knew that the SDK was malicious.

  • The Void Rabisu cybercrime group, with links to Cuba ransomware, have shifted operations of the RomCom malware from financial motivation to more state-aligned attacks against Ukraine and its allies, according to Trend Micro.

  • A ‘hack and leak’ operation against Iran appears to be authentic. While much of the information was not public — apparently including “diplomatic correspondence, floor plans for the offices and sleeping quarters of the Iranian president and other top government offices, detailed network topologies for sensitive Iranian government network” — many of the details are widely known and isn’t considered ‘critical’.

  • Lazarus, the North Korean state-backed group, are targeting Microsoft Internet Information Services (IIS) web servers according to South Korean researchers at the AhnLab Security Emergency Response Center (ASEC).

  • Toyota has discovered two further misconfigured cloud services leaking customer’s personal information. The first contained the names, addresses, email addresses, telephone numbers and vehicle identification data of Toyota customers in Asia and Oceania. The data was only intended for use by dealers and service providers. The second contained navigation system update information for 260,000 customers in Japan. The offending sites have been leaking data for seven years and were discovered during an audit following another cloud misconfiguration (vol. 6, iss. 20) that went undetected for ten years.

  • Dental care and insurance provider Managed Care of North America suffered a data breach in March this year. During ten days, attackers made off with the personal information of almost 9 million people. The ransomware group LockBit claimed responsibility and leaked the stolen data, which included data on treatments given to children. Sticking in the North East US, Massachusetts-based Harvard Pilgrim Health Care has confirmed that the personal and medical data of 2.5 million people was exfiltrated by attackers during an April ransomware attack.

  • Microsoft discovered a macOS vulnerability that it calls ‘migraine’. CVE-2023-32369 allows an attacker who already had root access to bypass System Integrity Protection (SIP) controls in macOS. Attackers might use this to install a rootkit during an operating system migration. The issue was patched by Apple last month following a coordinated disclosure.

  • Security orchestration platform Blink has released Blink Copilot, a ‘no code’ interface to generate security operations workflows from user prompts.

  • Crowdstrike has revised its full-year growth estimates down from 42% to 37%. Shares in the company have dipped slightly following the earnings call, during which Microsoft’s rise in the cyber security market was mentioned nine times.

And finally

  • The owner of a new cybercrime forum has leaked the user database of RaidForums. RaidForums was seized by law enforcement in April 2022 (vol. 5, iss. 16). The leaked data includes usernames, email addresses, hashed passwords and other forum metadata for the cybercrime site’s 478,870 users.
Robin

  Robin's Newsletter - Volume 6

  Kaspersky Russia Apple National Security Agency (NSA) Digital Balkanisation Amazon Ring Privacy NSO Group Spyware Thames Valley Police