FFT news digest Dec 10 2021

Spyware

Reports revealing the use of spyware in Uganda provide valuable insights into how surveillance technology is being used - and the extent to which it is a threat. An initial report by Reuters said the iPhones of at least 9 US State Department employees were infected with the NSO Group's Pegasus product. They were either based in Uganda or were working on issues related to the country. Separately, The New York Times said Apple had warned two Ugandan journalists and an opposition politician that their iPhones might have been the targets of state-sponsored surveillance. Neither of the reports assigned responsibility for the surveillance. For its part, the NSO Group said "relevant customers" no longer had access to its products.

While it's not known who was using the technology, anyone who has worked in Uganda will be aware of the extent of President Museveni's security apparatus. In the weeks before being notified by Apple about the attacks on their phones, the two Ugandan journalists told The New York Times that they had received phishing messages from a local Ugandan number asking them to take part in a sales deal or click on a link that would win them up to $1,000. One of the journalists also said there had been unsuccessful attempts to access his location data using food-delivery and ride-hailing applications.

The infection mechanism used in these cases appears to be less sophisticated than in some Pegasus attacks which didn't require any user interaction. It's reasonably easy to neutralise text message attacks by simply ignoring them, and Apple advised the affected users to update their iPhones because the attacks were “ineffective against iOS 15 and later.” But, of course, the real problem is that the iPhone operating system is so riddled with vulnerabilities that, when necessary, spyware companies simply update their products. The real lesson from the reports is that smartphones are inherently vulnerable and governments cannot resist attacking them. This makes it essential to analyse the specific threats related to a particular situation and, if necessary, avoid the use of smartphones altogether.

Threats

Excel: Criminals are using website contact forms and discussion forums to send emails with booby-trapped Excel files. They're designed to install malicious software that steals credentials and financial information. Bleeping Computer

Omicron: Scumbags are using fears of the COVID-19 variant to target students in the US and harvest their credentials. Proofpoint

Crypto: Beware of gift horses if they're delivering unexpected cryptocurrency. It's part of a sophisticated scam designed to separate people from their real cryptocurrency. Motherboard

DHL: Another campaign involving fake shipping notifications. Obviously, it's particularly believable at this time of the year. Avanan

Multi MFA: If you receive repeated two-factor authentication requests, resist the temptation to respond. Mandiant describes how the tactic has been used by Russian attackers.
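Repeated prompts are also something an identity team can spot on the server side. The following is an added example, not code from the digest or from Mandiant: it runs over a few constructed authentication log lines (the format, field names and thresholds are assumptions) and flags a user who received more push prompts than expected inside a short window, plus the more serious case where an approval finally followed a run of denials.

```python
"""Detect MFA push-prompt flooding ("MFA fatigue") in authentication logs.

Added example for the digest item above; not code from Mandiant or from the
digest. The log format (ISO timestamp, user, event, result) and the
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one user receives four push prompts in about two
# minutes, denies three, then approves the fourth; another user gets one.
SAMPLE_LOG = """\
2021-12-08T09:14:02Z alice push_sent -
2021-12-08T09:14:20Z alice push_result denied
2021-12-08T09:14:41Z alice push_sent -
2021-12-08T09:15:05Z alice push_result denied
2021-12-08T09:15:30Z alice push_sent -
2021-12-08T09:15:52Z alice push_result denied
2021-12-08T09:16:10Z alice push_sent -
2021-12-08T09:16:33Z alice push_result approved
2021-12-08T09:20:00Z bob push_sent -
2021-12-08T09:20:15Z bob push_result approved
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, user, event, result)."""
    ts, user, event, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result


def detect_prompt_flood(log_text, max_prompts=3, window=timedelta(minutes=5)):
    """Return {user: prompt_count} for users who received more than max_prompts
    push prompts within a sliding window of the given length."""
    recent = defaultdict(deque)   # user -> timestamps of prompts still in window
    flagged = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event, _ = parse_line(raw)
        if event != "push_sent":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:      # drop prompts that fell out of the window
            q.popleft()
        if len(q) > max_prompts:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged


def approvals_after_denials(log_text, min_denials=2):
    """Return {user: denials_before_approval} where an approval followed at
    least min_denials consecutive denials: the pattern of a flood that worked."""
    streak = defaultdict(int)
    hits = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        _, user, event, result = parse_line(raw)
        if event != "push_result":
            continue
        if result == "denied":
            streak[user] += 1
        elif result == "approved":
            if streak[user] >= min_denials:
                hits[user] = streak[user]
            streak[user] = 0
    return hits


if __name__ == "__main__":
    print("prompt floods:", detect_prompt_flood(SAMPLE_LOG))
    print("approved after denials:", approvals_after_denials(SAMPLE_LOG))
```

The second check is the one worth paging on: a flood that ends in an approval means the attacker already holds the password and has now cleared the second factor, so the session and credential should be treated as compromised rather than merely suspicious.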

QNAP: The network attached storage giant is warning users that cryptocurrency miners are targeting their devices. Its security advisory has useful advice on mitigating the risk.

Embedded emails: Messages that are attached to an email can be dangerous because they can bypass security scanners. Opening the embedded email leads to a credential harvesting page. Avanan
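The bypass works because a scanner that treats an attached message as an opaque file never reads the text inside it. The following is an added example, not code from the digest or from Avanan: it constructs an outer message with an inner message attached as a message/rfc822 part (addresses and link are made up), then shows that a scan which stops at attachments finds no link while one that descends into the attached message does.

```python
"""Find links hidden inside an e-mail attached to an e-mail (message/rfc822).

Added example for the digest item above; not code from Avanan or from the
digest. The sample messages, addresses and link are constructed.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def build_sample():
    """Construct an outer message carrying an inner message as an attachment;
    the only link lives in the inner message's body."""
    inner = EmailMessage()
    inner["From"] = "it-support@example.test"
    inner["To"] = "user@example.test"
    inner["Subject"] = "Password expiry notice"
    inner.set_content("Re-enter your password at https://login-portal.example.test/verify")
    outer = EmailMessage()
    outer["From"] = "colleague@example.test"
    outer["To"] = "user@example.test"
    outer["Subject"] = "FW: see attached"
    outer.set_content("Forwarding this for you.")
    outer.add_attachment(inner)            # becomes a message/rfc822 part
    # Round-trip through the wire format so the scan sees a parsed message.
    return message_from_bytes(outer.as_bytes(), policy=policy.default)


def scan_links(msg, depth=0, descend_into_attached=True):
    """Return [(depth, url), ...] for URLs found in text parts.

    With descend_into_attached=False an attached message is treated as an
    opaque blob, which is exactly what lets the nested lure through."""
    ctype = msg.get_content_type()
    if ctype == "message/rfc822":
        if not descend_into_attached:
            return []
        return [hit for inner in msg.get_payload()
                for hit in scan_links(inner, depth + 1, descend_into_attached)]
    if msg.is_multipart():
        return [hit for part in msg.iter_parts()
                for hit in scan_links(part, depth, descend_into_attached)]
    if msg.get_content_maintype() == "text":
        return [(depth, url) for url in URL_RE.findall(msg.get_content())]
    return []


if __name__ == "__main__":
    sample = build_sample()
    print("shallow scan:", scan_links(sample, descend_into_attached=False))
    print("deep scan:   ", scan_links(sample))
```

The depth value tells a gateway how far down the link was buried; a policy that applies the same URL checks at every depth, or simply refuses nested messages beyond a fixed depth, closes this gap.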

WordPress: Some 1.6 million WordPress sites are being attacked in a coordinated campaign targeting 4 plugins and 15 Epsilon Framework themes. Wordfence has advice.

Airtags: Canadian police say thieves are using AirTags to track high-value vehicles and steal them.

Routers

Domestic Wi-Fi routers are perhaps the most important and most neglected piece of technology that we use every day. Unfortunately, they're also one of the most insecure. Research by IoT Inspector found a total of 226 potential security vulnerabilities in devices from Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology and Linksys. The manufacturers responded by releasing firmware updates, but as IoT Inspector points out, these are frequently not applied. It's vital to keep routers updated, either manually or by turning on automatic updates if possible. It's also essential to make sure that any default passwords have been changed - because these are often published on manufacturers' websites. Just this week, news emerged of widespread attacks targeting TP-Link TL-WR840N routers that still have default administrator passwords. And Eclypsium says as many as 300,000 MikroTik routers are vulnerable to remote attack because security updates haven't been applied to them.

Cyber Essentials

The UK government's cybersecurity certification scheme, Cyber Essentials, is changing again, with new requirements being introduced on January 24 2022. The National Cyber Security Centre said the update includes revisions to the use of cloud services, as well as home working, multi-factor authentication and password management. Interestingly, home routers are no longer in scope, with firewall controls required to be implemented on user devices instead. We don't think that makes sense (especially given the previous story), but Cyber Essentials remains a good foundation for cybersecurity and we will continue to recommend it. Any certificates issued before January 24 will remain valid until they expire. More details are available from IASME, which administers the scheme.

Browsers

Web browsers have become a victim of their own success, with constant security updates (see below) and equally constant attempts to break into them. The latest threat, identified by German academics, involves 'cross-site leaks' which allow a malicious website to steal data from trusted sites. There are limited defences against this type of attack, although the researchers have some suggestions. Our view is that remote browsing is likely to become increasingly common, as this ensures any malicious activity takes place on a remote device instead of on the user's own machine. One other resource worth considering is Google's Safe Browsing tool. It allows users to check whether Google has identified a website as malicious.

MacBooks

As Apple is said to be planning the release of a bevy of new MacBooks next year, it might wish to invest some more effort in fixing the problems with its existing models. Among the issues being reported this week: the re-introduced SD card slot on 2021 MacBook Pro models doesn't work properly; Time Machine backups aren't completing on MacBooks with Big Sur and Monterey operating systems; and the displays on external monitors look awful when they're connected to the latest MacBooks. The display problem, reported in detail by The Register, appears to be connected to the use of graphics driver code based on that used in iPhones and iPads. A Hungarian programmer has created a solution. Apple has yet to comment.

In brief

Crime: It's just possible Russia may be changing its relaxed attitude to cyber criminals. SpiderLabs says analysis of underground forums suggests criminals based in Russia are worried the authorities' blind eye has regained its sight.

Insta drugs: Instagram’s algorithms recommend drug dealers’ accounts to teenage users, according to the Tech Transparency Project. The platform also suggests drug-related hashtags, the report said.

Security toolkit: There are some great (free) security resources on the web, and Open Briefing's Holistic Security Toolkit is one of them. A new version has just been released.

Tracking: Apple has allowed app developers to carry on collecting data from iPhone users in order to target them with adverts. The Financial Times (via Ars Technica) says Apple has chosen a loose interpretation of its new privacy policy.

Fake: Those messages saying 'x' number of people are looking at this product... You won't be surprised that they're "blatant lies". Jacob Bergdahl explains how they work.

Backdated: Also fake are some of the dates assigned to books on Amazon's marketplace. The New York Times has examples, including a 2011 thriller that should have cost $15, but was listed at $987 with a 17th-century publication date.

Robot: A delivery robot was stuck in the snow in Estonia. It saw someone coming, and used its synthesised voice to ask for help! Illimar Lepik von Wirén

Updates

WhatsApp: The disappearing messages feature will be available for all one-to-one chats, so that they are deleted automatically after as little as 24 hours. The change has attracted criticism from safety campaigners because of fears that it could be abused.

Firefox: Version 95 has a series of improvements, including a new feature designed to make browsing safer.

Chrome: Yet another security update for Google's browser. It addresses 20 vulnerabilities, including 16 reported by external researchers.

Thunderbird: Version 91.4.0 provides security and bug fixes. It should be delivered automatically, but we recommend closing and restarting the application.

SonicWall: Updates for SMA 100 series appliances. Organisations are urged to apply them as soon as possible.

Cisco: Multiple vulnerabilities in Apache HTTP Server 2.4.48 and earlier releases are affecting several Cisco products. An unauthenticated remote attacker could exploit these vulnerabilities to take control of an affected system.

Tails: Version 4.25 adds new features, as well as updating components including the Tor browser.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217