‘Zero-click’ vulnerability in iOS Mail app
San Francisco-based company ZecOps have found vulnerabilities in the built-in iOS Mail app that they claim are being exploited by attackers to compromise senior executives and VIPs. The bugs are so-called ‘zero-click’, meaning that no user interaction is required: simply receiving an email would be sufficient to compromise the user’s device.
The vulnerabilities have existed since iOS 6 (released September 2012) though would need to be combined with others to take control of a device or leak information outside the Mail app.
Being for iPhone (typically more difficult to exploit) and zero-click make them attractive to nation-state actors looking to obtain intelligence. That would seem to fit with the extremely targeted use claimed by ZecOps.
The targets apparently span a broad range of geographies - from North America, Germany, the Middle East and Japan - as well as sectors. One did jump out though: managed security service providers (MSSPs).
Managed service providers have been targeted before by nation-state attackers seeking to abuse their privileged access to their customers’ networks (see: ‘Cloud Hopper’).
Apple is working on a fix and has rebutted the claims following a ‘thorough investigation’ saying they “found no evidence they were used against customers.” (ZDNet)
That statement is interesting in itself as such a categoric denial would point to Apple being able to query iOS devices for indicators of certain behaviours. Such analysis needn’t be done centrally - the data may not normally leave a user’s iPhone - and perhaps is a toolset in the underlying operating system more typically used for tracking device performance or other user experience metrics.
Ultimately, given the targeted group of Fortune 500 executives and VIPs, you probably don’t need to worry about this and Apple will likely fix the issue in the 13.5.4 software update. bbc.co.uk, vice.com, weird.com, zdnet.com
66% of people would hide an issue, 47% would lie about an issue, and 15% of people would steal proprietary company information for a big reward, such as promotion, according to a survey of 1,000 Americans by Zety zety.com
£500 ($623) price being asked for 267,000,000 Facebook IDs, names, email addresses and telephone numbers bleepingcomputer.com
18% of cyber security incidents in 2019 were ransomware, now the highest form of cyber-attack, according to Trustwave zdnet.com
Other newsy bits
Latest in WhatsApp/NSO Group trial claim US servers used for espionage
Facebook initiated legal proceedings against Israeli NSO Group, whose technology is sold to governments wishing to hack and monitor smartphones, after it came to light they were using the service to distribute their spyware (vol. 2, iss. 44). NSO Group has claimed the US court does not have jurisdiction; now Facebook says they have tied their operations back to servers rented from QuadraNet and Amazon in California. The claims run counter to NSO Group’s long-standing position that they do not ‘operate’ the software, just licence it to government customers. It may also come as a surprise to NSO Group customers - many of whom are not US allies - that it is being run from servers hosted in the US. It also suggests that NSO Group, who claim they don’t have visibility of customer operations, may have logs showing which devices were targets, and when. bloomberglaw.com, @jsrailton
Google threat intel on Coronavirus COVID-19
Google’s Threat Analysis Group has published an interesting and useful post on the state-sponsored phishing attacks they have been seeing - apparently over 18 million ‘malware and phishing’ emails, on top of 240 million broader ‘spam’ messages relating to COVID-19. The top billing went to campaigns against US government workers with the promise of free meals or fast food coupons that redirected victims to phishing sites. Healthcare organisations - both national and international - are increasingly being targeted as countries seek intelligence on cures: there are enormous economic incentives to get populations back to work. blog.google
UK Ministry of Defence reduces cyber security requirements for suppliers
The ‘temporary changes’ are to help suppliers whose existing assessor cannot deliver their services remotely. I suspect the vast majority of contracts will be renewals for existing suppliers that have previously been assessed. Though, still, it seems perverse that as organisations are changing infrastructures and adapting their working practices, the MoD is choosing to relax their security requirements. Shameless plug: If you need Cyber Essentials Plus - that can be done remotely from just £1,200 - then drop me a line at cydea.com for more info :-) theregister.co.uk
Zoom 5.0 release improves encryption, data sovereignty options
As users of their video conferencing services have soared to 200 million monthly users, Zoom has received a lot of attention for their security and privacy practices (vol. 3, iss. 14). The company, currently amidst a 90-day focus on improving those practices, will release version 5.0 of their software this week. It will include improved encryption of data between clients (not full end-to-end; few VC apps actually have this) and allow paid users to choose the data centre regions their conferences and calls are routed through. There are a few other UX improvements too, including grouping security features together under a ‘security icon’. cyberscoop.com, zoom.us
Global surveillance programmes monitoring Coronavirus
30 governments are using mass surveillance programmes to monitor quarantines and in 25 of those ‘potential privacy issues’ are occurring, according to research from OneZero. The article is being updated weekly and links out to further information. (H/T Bruce Schneier) medium.com
Vulns in IBM’s Data Risk Manager suite and lessons in bug bounty programmes
A series of vulnerabilities in security software from IBM allows authentication bypass and command injection. In total three critical and one high vulnerabilities were released publicly on GitHub this week after IBM rejected the findings via their bug bounty programme. Mitigation steps are to be included in a security advisory that is still ‘to be issued’. If you use Data Risk Manager - ironically to help manage your vulnerabilities - you may wish to keep a very close eye on it as Metasploit modules are now available, making the issues trivial to exploit.
Negative press and increased security risk for customers are two of the consequences of poorly implemented bug bounty programmes, or ‘process errors’ as IBM like to call them, especially for security vendors. It’s worth properly considering how you will integrate such programmes into your development and release lifecycles, as well as managing communications with security researcher, press, customer and investor stakeholders. theregister.co.uk, github.com (PoC)
Attacks, incidents & breaches
- Whisky auction, including £1M bottle of Macallan 1926 Fine and Rare 60 Year Old, postponed following DDOS attack. Presumably someone somewhere didn’t think they’d be able to afford their favourite bottle… theguardian.com
- Robert Dyas online store infected with magecart-style card skimmer between 7th March 2020 and 30th March 2020, got full card number, expiry dates and CVVs (H/T Doc) theregister.co.uk, robertdyas.co.uk
- 112,000 patient records stolen from Detroit-based Beaumont Health following phishing attack cyberscoop.com
- Nintendo investigate compromise of 160,000 Nintendo Network ID accounts (used on 3DS and Wii U consoles), some used to buy digital currency and in-game items arstechnica.com
- Sophos XG Firewall devices being targeted by attacks using SQL injection vulnerability; patch issued zdnet.com
- Attacker masquerading as Egyptian-owned oil company Enppi targeted OPEC members with Agent Tesla spyware ahead of meeting earlier this month arstechnica.com, cyberscoop.com
- Ragnarok Online game dev Gravity targeted, potentially by off-duty APT41 operatives for personal gain, rather than espionage zdnet.com
- APT32, linked to Vietnam, attacking Chinese agencies related to COVID-19, according to FireEye reuters.com
- Tag Barnacle group compromised 60 ad servers running old version of Revive to spread malware zdnet.com
- This is cool: Microsoft machine learning project correctly identifies critical, high priority security bugs, 97 per cent of the time just from the bug report title microsoft.com
- Joint NSA/ASD advice on preventing and detecting web shells defense.gov (PDF)
- Static code analysis feature to be included in GCC 10 has already detected high severity issue with OpenSSL theregister.co.uk
- Australian students clash with university over proposed use of eye-tracking and background noise monitoring ‘spyware’ on home computers zdnet.com
- Pensions Regulator one of latest UK government agencies requesting access to phone, email data gathered by intelligence agencies under ‘Snoopers Charter’ theguardian.com, theregister.co.uk
- Stripe using mouse-tracking to tackle fraud - example in being upfront on techniques used to identify individuals theregister.co.uk
- US Computer Fraud and Abuse Act (CFAA) to be reviewed by Supreme Court in session starting this October cyberscoop.com
Lessons from the UK National Security Risk Assessment
Hat-tip to Chris Gunner for spotting that the UK’s National Security Risk Assessment uses a 5x5 red-amber-green methodology. There’s a growing movement (Cydea included) taking alternative and quantified approaches to risk analysis and management. The Guardian is reporting that a Coronavirus (COVID-19) style pandemic was scored ‘Very High’ last year and that it was challenging to turn “plans on the page to real life.” That will sound familiar to many security professionals who may have faced similar rebuttal from the board-room for ‘red risks’. I’ve seen more than a few cases where a lack of common language has been a contributing factor to those (ultimately uninformed) decisions. If you are in that situation, spend the time to develop a common understanding and use provable methods to help you quantify the risk. theguardian.com