FFT news digest January 14 2022

Critical infrastructure

The US and the UK have warned about ongoing threats to critical national infrastructure from Russian state-sponsored attacks. The FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) set out the tactics, techniques and procedures, which include targeted phishing, brute force, and the exploitation of known vulnerabilities. "Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware," the agencies said.

The UK's National Cyber Security Centre echoed the warning and urged UK operators to strengthen their cyber security posture. The NCSC said it was essential to ensure all systems are up to date, multi-factor authentication is implemented, and antivirus software is deployed. Such measures are hardly sophisticated but, as we never tire of saying, cybersecurity can only be effective when it's built on a firm foundation. It's worth noting that among the vulnerabilities highlighted by the US and the UK is a whiskery Windows issue dating back to 2013.

Threats

Remote management: Malicious software designed to steal login credentials begins by installing Atera remote management software. Most victims are in North America. Check Point

Adobe: An ingenious scam uses Adobe's Creative Cloud to target Office 365 (and some Gmail) users. The technique involves malicious links hidden in images and PDFs. Avanan

USB: The FBI says attackers are impersonating Health & Human Services and/or Amazon to post malicious USB devices to targets in transport, insurance & defence businesses. The Record

Flash: Text messages offering fake security updates, Adobe Flash players, voicemail memos and delivery notifications are used to distribute FluBot malicious software which aims to steal banking information. Bleeping Computer

Log4j: Check Point says attackers believed to be linked to Iran are exploiting the Log4Shell vulnerability that afflicts the Log4j logging utility.

SysJoker: A new malicious software package is targeting Windows, Linux, and macOS devices and is capable of evading detection on all three operating systems. SysJoker masquerades as a system update. Intezer via Bleeping Computer

Messaging

A shakeup in encrypted messaging, with the founder of Signal announcing that he's stepping down from his role as CEO. The wondrously named Moxie Marlinspike said Signal had grown to a point where his day-to-day involvement was no longer necessary. There's speculation that his departure (though he will remain on the board) is linked to Signal's integration with the MobileCoin cryptocurrency startup, which counts Marlinspike among its earliest advisers. The integration has been highly controversial, with some warning it creates significant risks to Signal's security. Meanwhile, the Swiss army has banned all messaging apps apart from Threema, an encrypted messaging solution developed in Switzerland.

Pegasus

El Salvador is the latest country in which Pegasus spyware has been found in use against journalists and non-governmental organisations. Citizen Lab and Access Now said 35 individuals were targeted between July 2020 and November 2021. "In several cases, Pegasus apparently exfiltrated multiple gigabytes of data successfully from target phones using their mobile data connections." The attacks used a mix of booby-trapped SMS messages and 'zero-click' exploits (which users were powerless to prevent). El Salvador's government has denied Citizen Lab's allegation that there is a "range of circumstantial evidence pointing to a strong El Salvador government nexus". One of the victims described her experience to the Committee for the Protection of Journalists.

Scam apps

As Apple announced that developers have sold an astonishing $260 billion worth of digital goods and services since 2008, another warning emerged about the risk of scam apps. Developer Kosta Eleftheriou used Twitter to highlight how Apple is fooled by dodgy apps. He uses the example of "AmpME – Speaker & Music Sync", which promises to link the user's music with their friends'. It has over 54,000 reviews, a 4.3-star rating, and ranks number 18 in the App Store's Music section. It also has a $10 per week auto-renewing subscription that is easy to start and fiendishly difficult to end. There are many complaints about the app, but they're lost in a sea of fake, purchased reviews. It's a good reminder to be very careful about installing unnecessary apps, even if they're in the App Store.

Pixel hunt

An interesting initiative from the maker of Firefox which aims to reveal the scope and breadth of tracking services implemented by Facebook owner, Meta. Mozilla is partnering with The Markup to try to put flesh on the bones of Facebook's 'privacy' policy. The key focus will be Facebook's 'Pixel' tool which can be added to any website page and which enables users to be tracked across the web, even if they don't have Facebook accounts. Meanwhile, research by the Reuters Institute for the Study of Journalism says publishers plan to invest more in Instagram, TikTok and YouTube at the expense of Facebook and Twitter.

In brief

AirTags: More abuse of Apple's useful trackers, this time affecting a Sports Illustrated swimsuit model. Brooks Nader says someone secretly put an AirTag in her coat and tracked her movements for several hours.

Police: The UK data protection regulator is investigating Surrey police's use of an app to covertly record phone calls on their official devices. The app had been authorised for use by hostage negotiators, but more than 1,000 officers downloaded it. Computer Weekly

Crypto mining: Antivirus outfit Avira is launching a feature that allows customers to use spare computing capacity to create virtual currency. No surprise really, since it's owned by Norton, which did likewise last week. Competing products now report Avira's installer as malicious or unsafe.

Routers: Another problem with home and office routers, this time in the feature that allows a USB drive plugged into the router to be accessed from any device on the network. Several manufacturers are affected, but only Netgear has reacted so far. SentinelOne

Canon fodder: With delightful irony, the semiconductor shortage has forced Canon to tell its customers how to circumvent the restrictions that force them to use expensive branded cartridges in their printers.

Bug alert: An information security expert has created a website that will phone (or message) you when there's a new vulnerability you need to know about. The Register

Foot shot: Most satisfying story of the week was the Indian hacking group that contrived to infect itself with its own remote access tool, as Malwarebytes discovered.

Tesla: A German teenager hacked into multiple Tesla cars by exploiting flaws in a third-party software module. He was able to unlock doors and start the vehicles, but couldn't take control when someone else was driving, he said.

Updates

Microsoft: 96 security issues are addressed in the monthly 'Patch Tuesday', nine rated critical. Microsoft says one of them is 'wormable', which means it is able to spread without human interaction. Two updates (KB5009557 and KB5009555) have been withdrawn after reports of widespread problems on domain controllers.

Apple: iOS 15.2.1 addresses a HomeKit vulnerability that affects iPhones and iPads running versions 14.7 to 15.2. The update also aims to fix problems with Messages and some CarPlay apps. It's worth noting that Apple has now stopped supporting iOS 14, so the only way to stay up to date is to install version 15.

Firefox: Version 96 of Mozilla's browser includes security fixes and improved (i.e. reduced) use of system resources. Some users are reporting that websites won't load. 9to5Mac explains the workaround.

Thunderbird: Version 91.5 addresses 14 security issues, many originating in the code that Thunderbird shares with Firefox.

Adobe: Security updates to address vulnerabilities in multiple products, including Acrobat/Reader, Illustrator, Bridge.

SonicWall: Do check that any SMA 100 series VPN appliances are up to date, because technical details and exploitation notes have been published for a remote-code-execution vulnerability affecting them.

SAP: Multiple security updates, including Hot News security notes for many products.

Citrix: Security update for Workspace App for Linux. The vulnerability could be used to take control of an affected system.

Cisco: Updates to address a critical security vulnerability in Unified Contact Center Management Portal (Unified CCMP) and Unified Contact Center Domain Manager (Unified CCDM) that could be exploited by a remote attacker.

Tails: Version 4.26 updates the Tor browser and Thunderbird email client.
