FFT news digest Aug 27 2021

Pegasus

Just in case anyone thought NSO's flagship Pegasus product had gone away, Citizen Lab is back with a new report showing the spyware can defeat Apple's latest security measures. Citizen Lab says it identified nine Bahraini activists whose iPhones were successfully hacked with Pegasus between June 2020 and February 2021. Some of the attacks exploited vulnerabilities in Apple's iMessage solution and didn't require the target to do anything for their phone to be infected. That's despite the introduction of new protections designed specifically to protect against such 'zero-click' attacks.

Security issues in Apple's software products are responsible for 14 of the 61 'zero-day' vulnerabilities known to have been exploited this year, according to Security Week. This rather contradicts Apple's repeated assertions that the iPhone is the safest, most secure consumer mobile device on the market. Indeed, one leading exploit broker still reckons ways to break into an Android device are more valuable than equivalent iPhone issues. Citizen Lab's latest report shows that iOS 14.6 was vulnerable to Pegasus. The current version is 14.7.1. Apple hasn't said whether or not that's safe...but anyone at risk of surveillance by a nation state should probably assume it isn't.

Threats

Phishing frenzy: The volume of phishing attacks continues its inexorable rise, with a 22% increase in the first half of 2021 compared to the same period last year. KnowBe4 also warns about increasing use of social media for impersonation, fraud and other attacks.

Ransomware: In a first for the FBI, the bureau has released a public alert describing how "ransomware affiliates" work. Affiliates rent the infrastructure used to launch ransomware attacks and share any proceeds with the developers.

WhatsApp: A reminder to be careful when installing apps, even from official stores. Kaspersky found a customised version of WhatsApp for Android. Once installed, it displays adverts, registers the user for premium subscriptions, and installs dangerous programs.

LinkedIn: Beware job listings on LinkedIn. Cyphere says the platform is being abused to post fake openings on behalf of legitimate companies. BleepingComputer

Obfuscation: Any self-respecting attacker will try to hide what they're up to in order to slip through email filters. Avanan has spotted a new tactic to make an email appear harmless. A similar approach hides malicious code that is used to attack WordPress.

Pegasus: Scumbags are trying to capitalise on coverage of Pegasus spyware by emailing targets, telling them their iPhone has been hacked and compromising material has been obtained. BleepingComputer

COVID-19: Pandemic-related scams continue to flourish. Privacy Matters warns about one of the latest, which offers an "OFFICIAL" invitation to obtain a COVID-19 passport. Avanan has an example of a similar approach. And KnowBe4 explains how scumbags are impersonating organisations' HR departments.

Facebook

Mr Zuckerberg's efforts at greater transparency have not been going well. Last week, Facebook released a report showing the content that was most viewed in the second quarter of 2021. Unfortunately, almost immediately, The New York Times got hold of data for the first quarter of the year that Facebook had decided not to publish. The paper says the decision to withhold that data was due to "concerns that it would look bad for the company." In the first quarter, the most-viewed link was to an article with a headline suggesting the death of a Florida doctor was linked to a coronavirus vaccine. That article appeared in the Chicago Tribune and was seen by nearly 54 million US Facebook accounts. All of which underlines the horrible complexity of dealing with misinformation.

GDPR in the UK

The UK has announced bold policy changes for data protection which could involve divergence from the EU's General Data Protection Regulation and create another source of friction with Britain's European partners. We will "overhaul EU data rules and replace them with a new 'light touch' British framework," the Digital Secretary, Oliver Dowden, told the Daily Telegraph (£). The government says the changes are intended to end "pointless" cookie requests and eliminate red tape for business. We're no fans of cookie popups, or of red tape, but if the UK thinks it can diverge from the GDPR (and presumably the ePrivacy Directive) without making everything much more complicated, then it is in for an abrupt reintroduction to reality. 

Data brokers

New research by consulting giant KPMG reveals some unsavoury facts about the attitudes of big companies to our personal data. KPMG put questions about data privacy to 250 “director-level or higher” executives at companies with more than 1,000 employees. 29% responded that their own company's approach to gathering personal information is “sometimes unethical.” And 33% said consumers should be concerned about how their company uses personal data. Meanwhile, Motherboard reports on trade in another type of data being provided by internet service providers to private companies. 'Netflow data' can be used to track traffic through Virtual Private Networks and defeat the privacy they theoretically provide.

Location

Seven years after Tinder fixed a similar issue, it's emerged that until June it was possible to exploit the Bumble dating app to pinpoint the location of users. Robert Heaton's detailed blog explains how it was relatively simple to circumvent the protections designed to prevent stalkers abusing the platform. The short version is that Bumble's measures were lamentably poor. The lesson is that we should be very careful about trusting apps with our location (as users of the fitness tracking app Strava discovered when their running routes revealed the locations of 'secret' military bases).

In brief

Extraordinary: This sounds so ludicrous that you might think it's made up. It's not. Microsoft has warned thousands of its Azure cloud computing customers that their data was completely unprotected for the last two years. The vulnerability in the Cosmos DB database product affected several major companies, including Coca Cola and ExxonMobil. Wiz

Remote control: Samsung is remotely disabling smart TVs that it says were looted from one of its South African warehouses. The sets come with an app that communicates with Samsung servers when they're connected to the internet. If the serial number belongs to a missing device, all functionality is killed.

IV: Not to alarm anyone, but McAfee has uncovered vulnerabilities in infusion pumps used in hospitals to deliver medication intravenously. The issues could be used to alter doses remotely without anyone noticing.

Porn: Days after announcing it would ban pornography, OnlyFans suspended the change. Not surprising, given porn generates most of its revenue. As the Avenue Q musical memorably put it, "The internet is for porn! The internet is for porn! Why do you think the net was born?"

Age appropriate: After a 'transitional' year, wide-ranging new regulations to protect children’s data online come into force in the UK next Thursday. The Information Commissioner's Office says the Children's Code is designed to prevent "physical, emotional and psychological, and financial" harms.

Ill gotten: You might remember the saga of Poly Network which lost more than $610 million in cryptocurrency. The hacker has now given it all back - and received a $500,000 "thank you" and an invitation to become the company's Chief Security Advisor. BleepingComputer

Alexa: It's seven years since Amazon released its voice assistant. Not surprisingly, since then, use of Alexa as a first name has plummeted. The Atlantic

Updates

Exchange: Anyone running an Exchange server on their premises should check that it has been updated to protect against 'ProxyShell' vulnerabilities. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an "urgent" warning about widespread attempts to exploit the issues.

Firefox: Version 91.0.2 is a non-security update that addresses two issues, one affecting Firefox on MacOS.

Windows 10: Microsoft has released a setup update to fix "PSFX_E_MATCHING_BINARY_MISSING" errors that some users have encountered when trying to install the latest cumulative updates.

VMware: Updates to address a series of vulnerabilities in vRealize Operations, including four rated 'high severity'.

Google Groups: Security groups enable Workspace administrators to regulate, audit and control groups. The feature is being released fully after a trial that began last year.

Pulse Secure: CISA is also warning about concerted attempts to exploit vulnerabilities in Pulse Connect Secure appliances. Again, it's essential to ensure these have been updated.

Cisco: Updates to address a critical vulnerability affecting its Application Policy Infrastructure Controller (APIC) and Cloud APIC products.

F5: Nearly 30 vulnerabilities in multiple devices are addressed in August security updates.
