Meta takes aim at hacking-for-hire firms
Meta ousts seven spyware companies off Facebook and Instagram
While NSO Group has largely gained attention in recent months for its Pegasus spyware, an entire class of spyware companies operated largely unnoticed by using Facebook, Instagram, and WhatsApp as springboards to target people in more than 100 countries.
Facebook owner Meta recently said it removed about 1,500 fake accounts on the namesake social media platform and Instagram created by seven surveillance-for-hire outfits to spy on journalists, dissidents, and human rights activists by stealthily breaking into their phones and stealing sensitive information.
The social technology giant said the companies followed a similar playbook whereby the fictitious accounts were used for reconnaissance, social engineering, and sending malicious links to thousands of victims in dozens of countries. It also said it notified around 50,000 people it believes were targeted by the seven groups.
The development is the latest addition to a recent surge of pushback against purveyors of digital espionage services and the sprawling spyware industry at large, which Meta warned is becoming “democratized” and increasingly available to government and non-government actors.
Apple is seeking a permanent injunction to prevent NSO Group from using any of its products or services, and “prevent further abuse and harm to its users.” It’s worth noting that Facebook previously sued the company in 2019 for allegedly using its messaging app WhatsApp to deploy malware used for spying on 1,400 mobile devices.
But it doesn’t end there. Bloomberg, earlier this month, disclosed how a Swiss company, Mitto, which offers text message services to companies in over 100 countries and counts Google, LinkedIn, Telegram, TikTok, Twitter, and WhatsApp among its customers, allegedly helped governments by “selling access to Mitto's networks to secretly locate people via their mobile phones.”
The surveillance venture worked by exploiting weaknesses in a telecom protocol known as SS7, or Signaling System No. 7 that made it “possible for an adversary to determine the physical location of mobile devices and intercept or redirect text messages and voice conversations.” The company is now conducting an internal review “to determine if our technology and business has been compromised.”
To add to the creep-pile, a Chinese company named Tiandy has been uncovered as selling its surveillance technology to Iran’s Revolutionary Guard, in what the MIT Technology Review described as an attempt to “build a system of digital control over its citizens, following China’s model and using Chinese tools.”
Paul Starobin, writing for WIRED in July, noted the booming private espionage industry, exploring the idea of a spy registry, maintained by governments, in which operatives for hire would have to disclose the names of their clients and assignments.
“No matter the intention, spyware is quickly becoming a more significant issue for mobile phone users as our always-connected lives are so reliant on these devices. Whether for corporate espionage or government surveillance, these highly-funded organizations are finding vulnerabilities to exploit faster than the OEMs can patch, leaving millions of users susceptible,” said Richard Melick, director of product strategy at Zimperium.
What’s trending in security?
🇨🇳 Last month, Alibaba Cloud researcher Chen Zhaojun found a critical flaw in the open-source Log4j logging software, which has since drawn widespread attention for its severity as well as the ease with which it can be exploited, prompting governments and companies worldwide to issue patches to contain potential real-world attacks that aim to gain access to corporate and government systems. Now the company has found itself in hot water in China for failing to report the vulnerability to the government in time.
Log4j, distributed by the nonprofit Apache Software Foundation, is among the most deeply rooted tools to log activity across corporate computer networks, websites and applications. Called Log4Shell, the vulnerability allows hackers to remotely execute code on a target computer to potentially take over devices, install ransomware, or create back doors for future attacks. So far, exploits for Log4Shell have extended beyond crypto coin mining and into more serious territory such as credential and data theft. [The Hacker News]
🇷🇺 Russia blocked access to Tor’s website in the country, continuing its systematic attack on technologies that could be used by the country’s users to bypass censorship. [The Hacker News]
⚠️ The SolarWinds hackers show no signs of slowing down or easing up their spying efforts, continuing to devise new ways to compromise large numbers of targets in an efficient manner. The far-reaching supply chain attack of December 2020 not only made the intrusions more scalable and efficient, it also enabled the threat actor to mount mass compromises in a manner that was hard to detect for extended periods of time.
The new tactics incorporated by the group demonstrate its ability to “innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts.” The new wave of attacks compromised multiple cloud solution companies with the goal of stealing data relevant to Russian interests and finding routes to additional victims.
This also included a clever trick to bypass two-factor authentication in order to access some of its targets’ accounts. Mandiant researchers said they’d investigated several incidents where Nobelium members gained access to a user’s valid login credentials, and they repeatedly attempted to log into the account, triggering several 2FA push notifications on the victim’s device until the target eventually accepted the request. [The Hacker News / AP]
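One way to flag the repeated-push pattern described above from the defender's side, as an added example that is not from the newsletter or from Mandiant. The log format, user names and thresholds are constructed assumptions:

```python
"""Flag MFA push fatigue ("prompt bombing"): many push prompts to one user in a
short window, followed by an approval. Added example; log format is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format: timestamp, user, event, result)
SAMPLE_LOG = """\
2021-12-10T08:00:01Z user=alice event=mfa_push_sent result=pending
2021-12-10T08:00:45Z user=alice event=mfa_push_sent result=pending
2021-12-10T08:01:30Z user=alice event=mfa_push_sent result=pending
2021-12-10T08:02:10Z user=alice event=mfa_push_sent result=pending
2021-12-10T08:03:05Z user=alice event=mfa_push_approved result=success
2021-12-10T09:15:00Z user=bob event=mfa_push_sent result=pending
2021-12-10T09:15:20Z user=bob event=mfa_push_approved result=success
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+) result=(\S+)$")


def parse_lines(text):
    """Parse the constructed log format into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_push_fatigue(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: push_count} for users that received at least `threshold`
    push prompts within `window` and then approved one. A single prompt that
    is approved (bob) is normal; a burst of prompts ending in approval (alice)
    matches the behaviour described in the text."""
    recent = defaultdict(deque)  # per-user timestamps of pushes in the window
    alerts = {}
    for ts, user, event in sorted(events):
        q = recent[user]
        while q and ts - q[0] > window:  # drop pushes older than the window
            q.popleft()
        if event == "mfa_push_sent":
            q.append(ts)
        elif event == "mfa_push_approved":
            if len(q) >= threshold:
                alerts[user] = len(q)
            q.clear()  # approval ends the sequence
    return alerts
```

Raising `threshold` or shrinking `window` tunes how noisy the rule is against legitimate retries.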
❌ Google said it took steps to temporarily disrupt the infrastructure used by a sophisticated botnet called Glupteba, which targets Windows devices and defends itself using blockchain for command-and-control. The botnet is said to have infected an estimated one million Windows computers worldwide. The internet giant is also pursuing litigation against the “criminal enterprise” due to its advanced architecture and the steps its organizers have taken to maintain the botnet and scale its operations.
Glupteba is known for stealing credentials and data, mining cryptocurrency on infected devices, and setting up proxies to funnel the internet traffic of other criminal actors through the swarm of compromised machines. The key money-making avenue is the sale of access to Google accounts to other customers as part of a slate of underground cybercrime-as-a-service offerings. [The Hacker News]
🤖 The resurgence of the Emotet botnet after a law enforcement takedown earlier this year is getting a boost from its fellow partner in crime TrickBot, new research has revealed. While Emotet was put out of commission by an international law-enforcement collaborative takedown of the botnet network in January 2021, TrickBot was dealt a serious blow by law enforcement in October 2020, only to resurface in December 2020. The fact that both botnets have not only re-emerged but are also now being weaponized together is a strong indicator that ransomware attacks will follow.
The development is also the latest example of the resilience that some malicious cyber attackers have shown against even the most concerted takedown efforts and a testament to the success of the collaboration its operators have with the actors behind TrickBot — a highly modular malware family that started off in 2016 as a banking Trojan but is now widely used to distribute malware. [The Hacker News]
⚔️ Researchers have discovered cybercrime forums that act as an informal court system on the Dark Web, where criminals can file grievances and settle disputes with peers. “Due to the layer of anonymity between the underground community users, the cybercrime ecosystem implemented this virtual court feature that serves as an insurance element in case ‘something will go wrong,’” the researchers said. [Analyst1]
💲 The U.S. Department of Homeland Security launched “Hack DHS,” a bug bounty program that pays hackers between $500 and $5,000 per flaw found in its systems. [The Record]
⚙️ A Germany-based building automation engineering firm lost contact with hundreds of its building automation system (BAS) devices — light switches, motion detectors, shutter controllers, and others — after a rare cyberattack locked out the office building client and its manufacturer. [Dark Reading]
🏆 From Colonial Pipeline and Kaseya to Microsoft Exchange Servers and Twitch, threat actors targeted critical infrastructure and technology providers at a relentless pace, while ransomware and supply chain attacks continued to have severe impacts, even as governments around the world scrambled to take more concrete action against online threats. Here’s the list of the worst hacks of 2021. [WIRED]
🛒 Threat actors are abusing GTM containers — a legitimate feature of the Google Tag Manager service, a tool that lets website owners dynamically update tracking and analytics code on their sites — to secretly add and deploy malicious JavaScript-based skimmers to more than 316 e-commerce stores since March this year, impacting an estimated 88,000 users. [Gemini Advisory]
⚡ As many as 300,000 routers made by Latvia-based MikroTik are vulnerable to remote takeover attacks that can surreptitiously corral the devices into botnets that steal sensitive user data and participate in Internet-crippling distributed denial-of-service (DDoS) attacks. While the vulnerabilities have been patched by the manufacturer, a significant proportion of users have yet to install the fixes, making the devices a juicy target. [The Hacker News]
💵 Despite law enforcement intervention to crack down on ransomware, the cybercrime ecosystem remains alive and well. Some players like Avaddon and Egregor have altogether exited the business, a few others such as DarkSide simply rebranded as BlackMatter, while the rest, including LockBit and Conti, have continued to evolve their tactics. Amidst all this, the influx of new players remains constant. [The Hacker News]
🔐 In an unusual move, Facebook’s parent company, Meta, filed a federal lawsuit against a group of unknown actors behind some 39,000 phishing websites that impersonated the login pages of Facebook, WhatsApp, Instagram, and Messenger to steal usernames and passwords. The litigation marks the first time a technology company has acted against the phishing operators. [The Hacker News]
🇺🇸 According to the U.S. Department of Health and Human Services, data breaches in 2021 exposed the health information of over 40 million people in the country, up from 26 million in 2020. [The Verge]
🔍 The Israeli government’s Defense Exports Control Agency sent out a notice indicating it would be enforcing stricter rules governing the export of offensive cyber tools. The development comes as the Israeli spyware developer NSO Group has faced increasing legal pressure and controversy in the wake of disclosures that Apple informed a swath of iPhone users, including at least nine U.S. State Department employees, that their devices were compromised in recent months by unidentified hackers wielding NSO tools. [ZDNet]
🔑 Mozilla fixed an issue in its Firefox browser where usernames and passwords were being recorded in the Windows Cloud Clipboard feature, categorizing the bug as a severe security risk that could have exposed credentials to threat actors with access to a synced device, enabling them to simply press Windows+V and access any clipboard data from a user’s past activity on other devices. [Mozilla]
🚨 Researchers have disclosed a new fileless malware called DarkWatchman that uses the Windows registry as both a temporary storage buffer for information that has yet to be sent to command-and-control (C2) and a storage location for a C#-based keylogger prior to runtime. The manipulation of the Windows Registry is designed to evade most security detections, demonstrating a significant evolution in fileless malware techniques, the researchers said. [The Hacker News]
🖥️ A group with similar tactics, techniques, and procedures as the North Korea-affiliated Lazarus Group targeted 35,000 government and industry computers through 2021, with a focus on industrial control systems (ICS). The malware has been dubbed PseudoManuscrypt by Kaspersky. [The Hacker News / Dark Reading]
🚫 The U.K. National Crime Agency shared a collection of more than 585 million compromised passwords it found on an open cloud server during an investigation with Have I Been Pwned, a website that indexes data from security breaches. In a surprising twist, 200 million of the passwords are completely new to the HIBP service, which already contains over 613 million pwned passwords. [Troy Hunt]
🗂️ The past weeks in data breaches, leaks, and ransomware: Belgian Ministry of Defense, BitMart, Cox, Doxy.me, Finite Recruitment, Frontier Software, Grim Finance, Gumtree, Hellmann, Inetum, LINE Pay, McMenamins, Brazil’s Ministry of Health, Oregon Anesthesiology Group, Spar, Superior Plus, UKG (Kronos), Volvo Cars, VulcanForge, four affiliated online sports gear sites, and personal and salary data for 637,138 Albanian citizens.
18,320
That's the total number of security vulnerabilities reported in 2021, according to stats published by the National Institute of Standards and Technology (NIST), down from 18,351 vulnerabilities reported last year. This includes 2,963 low, 11,727 medium, and 3,630 high risk vulnerabilities.
Tips, Comments, Ideas?
Send them my way by replying to this email.
Thanks again for reading. See you in 2022!