FFT news digest Nov 26 2021

Spyware

Pegasus appears to be plummeting to earth, with an announcement from Apple that it is suing the company behind the spyware and reports that it's in financial trouble. And to add to the NSO Group's woes, Israel has slashed the number of countries to which spyware can be exported officially.

Apple's lawsuit describes NSO as "amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse." At the same time, Apple has begun notifying users who it believes are being targeted by state-sponsored attackers. Journalists in El Salvador and activists in Thailand have already received notifications. "It is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place," Apple said. "We will continue to work tirelessly to protect our users from abusive state-sponsored actors like NSO Group." It would also help if Apple stopped releasing products that are riddled with vulnerabilities.

In Israel, where the NSO Group and many of its competitors are based, the government reduced by two-thirds the number of countries to which spyware products can be officially exported. The cut-down list, obtained by Calcalist, includes only 37 democracies and removes the autocratic regimes that were some of the spyware industry's biggest customers. The Israeli decision comes after the US imposed restrictions on NSO and some of its competitors, and there are clear signs that it is at least partly the result of considerable - and unusual - diplomatic pressure.

All of which has left the NSO Group in a pickle. It lost its new CEO a week after he was appointed, it owes $500 million and it's reported to have exhausted its credit lines. Bloomberg reports that Wall Street is treating it as a distressed asset. But before anyone opens the champagne, it's crucial to understand that the technology we use remains deeply flawed, attackers continue to want to exploit those flaws, and even if NSO collapses, the skills of its employees will be in demand elsewhere.

Threats

Brands: The FBI says criminals are increasingly impersonating big-name brands including Microsoft, Amazon and Google. Email security company Inky suggests the scumbags are moving away from including malicious links and attachments in their emails because detection tools have become so effective at spotting them.

Black Friday: And just a reminder that Black Friday is a gift for fraudsters. One theme this year is likely to be product shortages and delivery delays, according to the FBI.

Windows: Attackers are testing ways to exploit a zero-day (i.e. previously unknown) vulnerability in Windows Installer. There is no fix for the issue at the moment. Microsoft has yet to comment. Bleeping Computer

SEC: The Securities and Exchange Commission (SEC) has warned US investors that scammers are using phone calls and messages to impersonate SEC officials.

Recompiled: Attackers constantly evolve ever more sophisticated methods to defeat protections, and the latest has been dubbed Tardigrade because of its ability to survive the toughest environments. Its trick involves recompiling its own code so that each copy looks different to detection tools. PCMag

Huawei: More than 190 malicious Android apps in Huawei's AppGallery have been installed some 9,300,000 times. Dr. Web says the aim is to harvest users' phone numbers.

GoDaddy

A pitch-black mark for internet giant GoDaddy, which revealed that its managed WordPress service was breached in an incident that lasted over two months and affected at least 1.2 million customers. Even worse, the incident also hit several resellers of GoDaddy's service, including 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost. The news only emerged when GoDaddy included it in a mandatory filing to the Securities and Exchange Commission. What will really rile GoDaddy's customers is that this is its fifth serious incident in three years - and the whole point of its managed WordPress service is to spare small businesses and individual users the security pitfalls that make WordPress difficult to run themselves.

Ransomware

The spread of ransomware has led to significant cuts in the level of cover insurers are willing to provide, according to Reuters. "Insurers are changing their appetites, limits, coverage and pricing," Caspar Stops, head of cyber at insurance firm Optio, said. "Limits have halved – where people were offering 10 million pounds, nearly everyone has reduced to five." The changes reflect the extraordinary success of ransomware, which a Sophos report this week described as "a black hole...pulling in other cyberthreats to form one massive, interconnected ransomware delivery system." Sophos warns that next year will see groups renting out increasingly specialised tools for use by third-party affiliates.

Fingerprints

Ever since biometric authentication was created, researchers have taken delight in demonstrating how it can be defeated. The latest example involves cloning fingerprints with a photo, a laser printer and some glue. According to Kraken Security Labs, no other tools are required and the process costs as little as $5 (assuming you already have the laser printer). It involves simply photographing the fingerprint with a modern smartphone and then using photo manipulation software to create a negative, as their video shows. This doesn't mean you should stop using fingerprints for authentication, but it does mean they should be combined with a strong password to protect sensitive information or apps.

Bad Apple

New reports describe the extent of the problems with Facebook's moderation of non-English languages. The Middle East, Myanmar and Ethiopia are particularly problematic, reinforcing long-standing complaints that the social media giant has neglected non-English speaking regions of the world. Arabic is now the third most common language on the platform, but internal papers have warned that human and automated moderation struggles to cope with the varied forms of Arabic used across the Middle East. Facebook admits that it has more to do, while saying it has automated systems to identify posts related to hate speech and terrorism, but the platform's own engineers have expressed a lack of confidence in their effectiveness.

In brief

Printers: Lock up your printer! New research sets out a range of attacks that can afflict wireless printers. The key risk is allowing public access to port 9100. University of Catania

Self-service: Least surprising news of the week. Few iPhone owners plan to take advantage of Apple's program that will allow them to fix their own devices. CIRP via MacRumors

Afterlife: Access to online accounts after the owner's death is not a popular subject - but it can cause enormous problems if it isn't addressed. 1Password (obviously not a disinterested party) has new research outlining the scale of the problem - and what can be done about it.

Cleaner: The Israeli Defence Minister's domestic cleaner has been charged with leaking his employer's personal information to Iranian hackers. The Record

Hidden cameras: Academics from Singapore and South Korea have shown how smartphone cameras can be used to spot concealed spy cams. The Register

Teen arrest: It must have been fun while it lasted - but it didn't last long. Police in Canada say they've arrested a Canadian teenager who is accused of stealing US$36.5 million worth of cryptocurrency from a single victim in the US. SecurityWeek

Updates

Androids: MediaTek has released updates for its processors ('chipsets'), which are used in about 37% of the world's smartphones. The patches are designed to fix vulnerabilities that could be exploited to eavesdrop on audio flowing through the devices. Xiaomi, Oppo, Realme and Vivo are among the companies that use MediaTek chipsets.

Sky: It took 18 months, but Sky has finally fixed a significant vulnerability in its Hub routers prior to version 4. The problem is that the older devices came with default administrator credentials (a reminder to always change default credentials). The updates should be installed automatically. Pen Test Partners

Magecart: The UK's National Cyber Security Centre (NCSC) has urged operators of online stores to make sure software such as Magento is kept up to date. It said it had warned the owners of 4,151 online stores that their sites were compromised in attacks designed to steal customers' payment information.

Exchange: Anyone with Microsoft Exchange servers should ensure all available updates have been installed. Two sets of vulnerabilities are being actively exploited, according to Trend Micro and a Vietnam-based researcher.

Firefox: Mozilla says it will end support for its Firefox Lockwise password manager next month. The app will continue to work, but won't receive any updates. Time to migrate...

Edge: "Super Duper Secure Mode" is the name (yes, really) Microsoft chose for an additional safety feature that is being rolled out to its Edge browser.

VMware: VMware has released updates to address serious vulnerabilities affecting vCenter Server.

Zimbra: Zimbra 9.0.0 "Kepler" Patch 21 and 8.8.15 "James Prescott Joule" Patch 28 include several important security fixes.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217