At least 11 employees of the U.S. State Department are said to have been surveilled using NSO Group's military-grade spyware, marking the latest in an endless series of scandals plaguing the controversial Israeli company.
The revelations, from Reuters and The Washington Post, come after Apple began issuing “threat notifications” to its users about possible state-sponsored attacks starting November 23, including individuals in Uganda, Thailand and El Salvador, among others.
In response to the reports, NSO Group said it had “decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations.”
NSO Group is the maker of Pegasus, cyber intrusion software that can be delivered to targets' devices without them taking any action, such as clicking on a link. Once a device is penetrated, the software essentially turns the smartphone into a spying device, allowing the operator — NSO's clients such as governments and law enforcement agencies — to remotely turn on the microphone, siphon photos and documents, and track the target's movements over time.
"State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability," Apple’s software engineering chief Craig Federighi said last month. "That needs to change."
What’s trending in security?
🇰🇵 North Korean state hacking group APT37 targets South Korean journalists, defectors, and human rights activists in watering hole, spear-phishing emails, and smishing attacks delivering a new multi-platform malware dubbed Chinotto capable of infecting Windows and Android devices. [The Hacker News]
🇺🇸 The U.S. Federal Bureau of Investigation (FBI) revealed that Cuba ransomware actors earned at least $43.9 million from ransom payments and breached at least 49 U.S. critical infrastructure organizations this year. [FBI]
⚠️ Three APT hacking groups aligned with India, Russia, and China have been observed using a novel RTF (rich text format) template injection technique in their recent phishing campaigns. While RTF files can legitimately reference an RTF template that specifies how the text in the document should be formatted, threat actors are now abusing this functionality to retrieve a URL resource instead of a local file template before displaying the contents of the file.
This substitution allows threat actors to load malicious payloads into an application like Microsoft Word documents. Furthermore, as the malicious content is retrieved from a remote URL, it allows the threat actors to dynamically modify their campaigns in real-time to use new payloads or different malicious behaviors. [The Hacker News]
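As an added illustration (not from the original article or any vendor tool), a small Python scanner that pulls the `\*\template` destination out of an RTF file and flags targets that resolve to a URL or UNC path rather than a local template path; it also decodes `\'hh` hex escapes, which can be used to hide the scheme. The RTF samples are constructed, and the `example.invalid` host and `fileserver` name are placeholders.

```python
import re

# Destination group for a document template: {\*\template <target>}.
# Assumes the target itself contains no braces (true for the samples below).
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s*([^{}]*)\}", re.IGNORECASE)
HEX_ESC_RE = re.compile(rb"\\'([0-9a-fA-F]{2})")  # \'68 -> 'h'
# A target is "remote" when it is a URL scheme or a UNC path (\\host\share).
REMOTE_RE = re.compile(r"^(?:https?|ftp)://|^\\\\", re.IGNORECASE)

def decode_target(raw: bytes) -> str:
    """Undo RTF escaping on a template target so it can be inspected."""
    unhexed = HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    # A literal backslash is written as \\ in RTF; collapse it so paths read normally.
    return unhexed.replace(b"\\\\", b"\\").decode("latin-1").strip()

def extract_templates(data: bytes) -> list[str]:
    """Return every decoded \\*\\template target found in an RTF file."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return []  # not an RTF document at all
    return [decode_target(m.group(1)) for m in TEMPLATE_RE.finditer(data)]

def scan_rtf(data: bytes) -> dict:
    """Flag the file when any template target points at a remote location."""
    targets = extract_templates(data)
    remote = [t for t in targets if REMOTE_RE.search(t)]
    return {"templates": targets, "remote_templates": remote, "suspicious": bool(remote)}

# Constructed samples (not real malware) for demonstration.
BENIGN = rb"{\rtf1\ansi{\*\template C:\\Users\\me\\Templates\\report.dotm}Quarterly report}"
INJECTED = rb"{\rtf1\ansi{\*\template http://example.invalid/tpl.dotm}Please review}"
OBFUSCATED = rb"{\rtf1\ansi{\*\template \'68\'74\'74\'70://example.invalid/t}Hello}"
UNC = rb"{\rtf1\ansi{\*\template \\\\fileserver\\share\\tpl.dotm}Memo}"

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("injected", INJECTED),
                         ("obfuscated", OBFUSCATED), ("unc", UNC)]:
        print(name, scan_rtf(sample))
```

Treat a hit as a triage signal, not proof of compromise: a legitimate corporate template can live on a file share, so the verdict should consider whether the host is one the organization actually uses.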
🇷🇺 A Russian court handed down a mild one-year suspended prison sentence to Maxim Zhukov Sergeevich, a member of the FIN7 hacking group, a notorious cybercrime cartel that hacked more than 100 US companies between 2015 and 2018. Zhukov previously worked as a developer for Combi Security, a Russian company that the U.S. Department of Justice described in 2018 as a front company and fake security firm through which FIN7 hired new members and used them to disguise intrusions as penetration tests. [The Record]
💲 A threat actor previously tied to the Thieflock ransomware operation may now be using the emerging Yanluowang ransomware in a series of attacks against U.S. corporations since at least August 2021. Its targets include organizations in the financial services industry and in the manufacturing, IT services, and engineering sectors.
Also this week, Red Canary researchers reported observing a threat actor exploiting the ProxyShell set of vulnerabilities in Microsoft Exchange to deploy a new ransomware variant called BlackByte. Both BlackByte and Yanluowang are among the numerous ransomware variants that have surfaced this year amid continuing law enforcement takedowns of major ransomware operators, such as those behind the DarkSide, REvil and Cl0p variants. [Symantec / Red Canary]
Russia’s internet watchdog Roskomnadzor announced the ban of six more VPN products, namely Betternet, Lantern, X-VPN, Cloudflare WARP, Tachyon VPN, and PrivateTunnel, taking the total of prohibited VPN services to 15. The development comes almost six months after the agency banned VyprVPN and Opera VPN in the country. [Roskomnadzor]
💰 Hackers have stolen an estimated $120 million worth of Bitcoin and Ether assets from Badger, a decentralized finance (DeFi) platform that allows users to borrow, loan, and speculate on cryptocurrency price variations. In a separate development, blockchain startup MonoX Finance disclosed that a hacker stole $31 million by exploiting a bug in software the service uses to draft smart contracts. [The Record / Ars Technica]
💵 U.S. authorities have arrested and charged Nickolas Sharp, 36, from Portland, with hacking Ubiquiti Networks in December 2020. Sharp, who worked as a software developer in Ubiquiti's Cloud division from 2018 to 2021, used his work AWS and GitHub credentials to access the company's network and download gigabytes of proprietary data.
Sharp then tried to extort the company for 50 BTC ($2 million) in January 2021 in exchange for the stolen data and details about the backdoors and vulnerabilities used in the hack. Ubiquiti refused to pay and instead called law enforcement, which eventually identified Sharp as the hacker after linking the attacker's VPN connection to a Surfshark account purchased with Sharp's PayPal account. [The Record]
🇳🇬 A Nigerian man was arrested in connection with a scheme that attempted to lure disgruntled insiders into deploying ransomware on their employers' systems. The suspect, chief executive of a social network called Sociogram, allegedly concocted the brazen scheme to raise funds for the startup, as exposed by Abnormal Security back in August 2021. [Krebs on Security]
📸 New research has revealed that it’s possible to detect hidden spy cameras using Time-of-Flight (ToF) sensors that come with modern smartphones. Dubbed LAPD aka Laser-Assisted Photography Detection, it’s a “novel hidden camera detection and localization system that leverages the time-of-flight (ToF) sensor on commodity smartphones” and is implemented “as a smartphone app that emits laser signals from the ToF sensor, and use computer vision and machine learning techniques to locate the unique reflections from hidden cameras.” [ACM]
That’s the amount of time it took threat actors to compromise 80% of the 320 honeypot servers that Unit 42 researchers set up with an insecurely exposed service such as Remote Desktop Protocol (RDP), Secure Shell (SSH), Server Message Block (SMB), or a Postgres database. All of the honeypots were compromised within a week.
“SSH was the most attacked application,” the researchers said. “The most attacked SSH honeypot was compromised 169 times in a single day. On average, each SSH honeypot was compromised 26 times daily.” What’s more, a single malicious actor breached 96% of the 80 Postgres honeypots globally within 30 seconds.
Tips, Comments, Ideas?
Send them my way by replying to this email.
Thanks again for reading. See you in the next edition!