Apr 12 2024

Apple Boosts Spyware Alerts For Mercenary Attacks

Category: Spywaredisc7 @ 7:09 am
https://www.infosecurity-magazine.com/news/apple-boosts-spyware-alerts/

Apple has updated its documentation related to its warning system for mercenary spyware threats, now specifying that it alerts users when they may have been individually targeted by such attacks.

The revision points out companies like NSO Group, known for developing surveillance tools like Pegasus, which state actors often use for targeted attacks on individuals such as journalists, activists, politicians and diplomats. 

In a blog post published on Wednesday, Apple highlighted the global and sophisticated nature of these attacks, which are costly and complex.

The update marks a shift in the wording from informing and assisting users targeted by state-sponsored attackers to specifically addressing mercenary spyware threats.

“It’s really important to recognize that mercenary spyware, unlike others, is deliberately designed with advanced capabilities, including zero-day exploits, complex obfuscation techniques, and self-destruct mechanisms, making it highly effective and hard to detect,” explained Krishna Vishnubhotla, vice president of product strategy at Zimperium.

According to recent reports, Apple sent threat notifications to iPhone users in 92 countries, coinciding with the support page revision.

While Apple began sending threat notifications in November 2021, it refrained from attributing the attacks or notifications to any particular threat actor or region. 

This development now aligns with global efforts to counter the misuse of commercial spyware, as evidenced by a coalition of countries, including the US, working to develop safeguards against invasive surveillance technology.

Moreover, a recent report by Google’s Threat Analysis Group (TAG) and Mandiant shed light on the exploitation of zero-day vulnerabilities in 2023, with commercial surveillance vendors being responsible for a significant portion of these exploits. 

These vulnerabilities targeted web browsers and mobile devices, underscoring the increasing reliance of threat actors on zero days for evasion and persistence.

Mobile Phone Spyware: …the hidden threat to any smartphone

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: mercenary spyware, NSO, Pegasus


Mar 13 2024

Keyloggers, spyware, and stealers dominate SMB malware detections

Category: Cybercrime,Malware,Spywaredisc7 @ 10:56 am

In 2023, 50% of malware detections for SMBs were keyloggers, spyware and stealers, malware that attackers use to steal data and credentials, according to Sophos.

SMBs ransomware cyberthreat

Attackers subsequently use this stolen information to gain unauthorized remote access, extort victims, deploy ransomware, and more.

Ransomware remains primary cyberthreat for SMBs

The Sophos report also analyses initial access brokers (IABs)—criminals who specialize in breaking into computer networks. As seen in the report, IABs are using the dark web to advertise their ability and services to break specifically into SMB networks or sell ready-to-go-access to SMBs they’ve already cracked.

“The value of ‘data,’ as currency has increased exponentially among cybercriminals, and this is particularly true for SMBs, which tend to use one service or software application, per function, for their entire operation. For example, let’s say attackers deploy an infostealer on their target’s network to steal credentials and then get hold of the password for the company’s accounting software. Attackers could then gain access to the targeted company’s financials and have the ability to funnel funds into their own accounts,” said Christopher Budd, director of Sophos X-Ops research at Sophos.

“There’s a reason that more than 90% of all cyberattacks reported to Sophos in 2023 involved data or credential theft, whether through ransomware attacks, data extortion, unauthorized remote access, or simply data theft,” added Budd.

While the number of ransomware attacks against SMBs has stabilized, it continues to be the biggest cyberthreat to SMBs. Out of the SMB cases handled by Sophos Incident Response (IR), which helps organizations under active attack, LockBit was the top ransomware gang wreaking havoc. Akira and BlackCat were second and third, respectively. SMBs studied in the report also faced attacks by lingering older and lesser-known ransomware, such as BitLocker and Crytox.

BEC attacks grow in sophistication

Ransomware operators continue to change ransomware tactics, according to the report. This includes leveraging remote encryption and targeting managed service providers (MSPs). Between 2022 and 2023, the number of ransomware attacks that involved remote encryption—when attackers use an unmanaged device on organizations’ networks to encrypt files on other systems in the network—increased by 62%.

In addition, this past year, Sophos’s Managed Detection and Response (MDR) team responded to five cases involving small businesses that were attacked through an exploit in their MSPs’ remote monitoring and management (RMM) software.

Following ransomware, business email compromise (BEC) attacks were the second highest type of attacks that Sophos IR handled in 2023, according to the report.

These BEC attacks and other social engineering campaigns contain an increasing level of sophistication. Rather than simply sending an email with a malicious attachment, attackers are now more likely to engage with their targets by sending a series of conversational emails back and forth or even calling them.

In an attempt to evade detection by traditional spam prevention tools, attackers are now experimenting with new formats for their malicious content, embedding images that contain the malicious code or sending malicious attachments in OneNote or archive formats. In one case Sophos investigated, the attackers sent a PDF document with a blurry, unreadable thumbnail of an “invoice.” The download button contained a link to a malicious website.

Mastering Cyber Security Defense to Shield Against Identity Theft, Data breaches, Hackers, and more in the Modern Age

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: keylogger, Malware, SMB


Feb 07 2024

Google says spyware vendors behind most zero-days it discovers

Category: Spyware,Zero daydisc7 @ 10:05 am
https://www.bleepingcomputer.com/news/security/google-says-spyware-vendors-behind-most-zero-days-it-discovers/

Google says spyware vendors behind most zero-days it discovers…

Commercial spyware vendors (CSV) were behind 80% of the zero-day vulnerabilities Google’s Threat Analysis Group (TAG) discovered in 2023 and used to spy on devices worldwide.

Zero-day vulnerabilities are security flaws the vendors of impacted software do not know about or for which there are no available fixes.

Google’s TAG has been following the activities of 40 commercial spyware vendors to detect exploitation attempts, protect users of its products, and help safeguard the broader community by reporting key findings to the appropriate parties.

Based on this monitoring, Google has found that 35 of the 72 known in-the-wild zero-day exploits impacting its products over the last ten years can be attributed to spyware vendors.

“This is a lower-bounds estimate, as it reflects only known 0-day exploits. The actual number of 0-day exploits developed by CSVs targeting Google products is almost certainly higher after accounting for exploits used by CSVs that have not been detected by researchers, exploits where attribution is unknown, and cases where a vulnerability was patched before researchers discovered indications of exploitation in-the-wild.” – Google

Those spyware vendors use the zero-day flaws to target journalists, activists, and political figures as directed by their customers, including governments and private organizations.

Some notable CSVs highlighted in Google’s report are:

  • Cy4Gate and RCS Lab: Italian firms known for the “Epeius” and “Hermit” spyware for Android and iOS. The former acquired the latter in 2022, but operate independently.
  • Intellexa: Alliance of spyware firms led by Tal Dilian since 2019. It combines technologies like Cytrox’s “Predator” spyware and WiSpear’s WiFi interception tools, offering integrated espionage solutions.
  • Negg Group: Italian CSV with international reach established in 2013. It is known for “Skygofree” malware and “VBiss” spyware, targeting mobile devices through exploit chains.
  • NSO Group: Israeli firm famous for Pegasus spyware and other sophisticated espionage tools. It continues operations despite sanctions and legal issues.
  • Variston: Spanish CSV providing tailored security solutions. It collaborates with other vendors for zero-day exploits and is linked to the Heliconia framework, expanding in the UAE.

These vendors sell licenses to use their products for millions of dollars, allowing customers to infect Android or iOS devices using undocumented 1-click or zero-click exploits.

Some of the exploit chains utilize n-days, which are known flaws for which fixes are available, yet patching delays still make them exploitable for malicious purposes, often for extended periods.

Google says that CSVs have grown very aggressive in their hunt for zero-days, developing at least 33 exploits for unknown vulnerabilities between 2019 and 2023.

In the appendix of Google’s detailed report, one can find a list of 74 zero-days used by 11 CSVs. Of those, the majority are zero-days impacting Google Chrome (24) and Android (20), followed by Apple iOS (16) and Windows (6).

When white-hat researchers discover and fix the exploited flaws, CSVs often incur significant operational and financial damage as they struggle to reconstruct a working alternative infection pathway.

“Each time Google and fellow security researchers discover and disclose new bugs, it causes friction for CSVs and costs them development cycles,” says Google.

“When we discover and patch vulnerabilities used in exploit chains, it not only protects users, but prevents CSVs from meeting their agreements to customers, preventing them from being paid, and increasing their costs to continue operating.”

However, this is not enough to stop the proliferation of spyware, as the demand for these tools is strong, and the contracts are too lucrative for CSVs to give up.

Google calls for more action to be taken against the spyware industry, including higher levels of collaboration among governments, the introduction of strict guidelines that govern the use of surveillance technology, and diplomatic efforts with countries hosting non-compliant vendors.

Google is proactively countering spyware threats through solutions like Safe Browsing, Gmail security, the Advanced Protection Program (APP), and Google Play Protect, as well as by maintaining transparency and openly sharing threat information with the tech community.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Pegasus spyware, spyware vendors


Jan 25 2024


US judge rejects spyware developer NSO’s attempt to bin Apple’s spyware lawsuit

Category: Spywaredisc7 @ 8:05 am

Judge says anti-hacking laws fits Pegasus case “to a T”

https://www.theregister.com/2024/01/24/us_judge_rejects_pegasus_spyware/

A US court has rejected spyware vendor NSO Group’s motion to dismiss a lawsuit filed by Apple that alleges the developer violated computer fraud and other laws by infecting customers’ iDevices with its surveillance software.

Apple sued NSO, developer of the notorious Pegasus spyware, back in November 2021 and asked the court to permanently ban NSO from using any Apple software, services, or devices. The lawsuit alleges that company violated the US Computer Fraud and Abuse Act (CFAA), California’s Unfair Competition Law, and the terms of use for Apple’s own iCloud when its spyware was installed on victims’ devices without their knowledge or consent. NSO now must answer Apple’s complaint by February 14.

Pegasus infected Apple customers’ devices via a zero-click exploit called FORCEDENTRY, according to Cupertino. Once it lands on phones, the spyware allows users to snoop on phone calls, messages, and access the phone’s camera and microphone without permission.

Despite the surveillance-software maker’s claims that it only sells to government agencies, and even then, only to investigate terrorism or other serious crimes, the software has repeatedly been used to spy on journalists, activists, political dissidents, diplomats and government officials. This has led to US sanctions against the company and several lawsuits.

Last March, NSO asked the court to toss Apple’s lawsuit, arguing that Cupertino should be required to sue the developer in Israel, its home jurisdiction. It also claimed that Apple can’t sue over CFAA violations because the iGiant itself didn’t suffer any damages or loss [PDF].

The court, in its ruling on Monday, dismissed these arguments, noting that “the anti-hacking purpose of the CFAA fits Apple’s allegations to a T, and NSO has not shown otherwise.”

“A ‘loss’ is ‘any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service’ … That is precisely the loss Apple has alleged here,” the judge continued [PDF].

When asked about the judge’s ruling, an NSO Group spokesperson said the software maker will fight on.

“The motion to dismiss is part of the legal process in this case,” the NSO spokesperson told The Register. “The technology in question is critical to law enforcement and intelligence agencies in their efforts to maintain public safety. We are confident that once the arguments are presented, the Court will rule in our favor.”

Apple, meanwhile, took the win, and a spokesperson told The Register that this lawsuit is just one of the ways the iGiant is fighting back against spyware vendors.

These include the new Lockdown Mode security feature, the threat notifications it sends to users who may be targets in nation-state attacks, and a $10 million grant to support civil society organizations that research spyware threats and conduct advocacy on the topic through the Ford Foundation.

How a Spy in Our Pocket Threatens the End of Privacy, Dignity, and Democracy

Global Spyware Scandal: Exposing Pegasus

Pegasus Spyware – ‘A Privacy Killer’

CyberWar, CyberTerror, CyberCrime and CyberActivism

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: NSO Group, Pegasus spyware


Dec 11 2023

AI and Mass Spying

Category: AI,Cyber Spy,Spywaredisc7 @ 12:31 pm

Spying and surveillance are different but related things. If I hired a private detective to spy on you, that detective could hide a bug in your home or car, tap your phone, and listen to what you said. At the end, I would get a report of all the conversations you had and the contents of those conversations. If I hired that same private detective to put you under surveillance, I would get a different report: where you went, whom you talked to, what you purchased, what you did.

Before the internet, putting someone under surveillance was expensive and time-consuming. You had to manually follow someone around, noting where they went, whom they talked to, what they purchased, what they did, and what they read. That world is forever gone. Our phones track our locations. Credit cards track our purchases. Apps track whom we talk to, and e-readers know what we read. Computers collect data about what we’re doing on them, and as both storage and processing have become cheaper, that data is increasingly saved and used. What was manual and individual has become bulk and mass. Surveillance has become the business model of the internet, and there’s no reasonable way for us to opt out of it.

Spying is another matter. It has long been possible to tap someone’s phone or put a bug in their home and/or car, but those things still require someone to listen to and make sense of the conversations. Yes, spyware companies like NSO Group help the government hack into people’s phones, but someone still has to sort through all the conversations. And governments like China could censor social media posts based on particular words or phrases, but that was coarse and easy to bypass. Spying is limited by the need for human labor.

AI is about to change that. Summarization is something a modern generative AI system does well. Give it an hourlong meeting, and it will return a one-page summary of what was said. Ask it to search through millions of conversations and organize them by topic, and it’ll do that. Want to know who is talking about what? It’ll tell you.

The technologies aren’t perfect; some of them are pretty primitive. They miss things that are important. They get other things wrong. But so do humans. And, unlike humans, AI tools can be replicated by the millions and are improving at astonishing rates. They’ll get better next year, and even better the year after that. We are about to enter the era of mass spying.

Mass surveillance fundamentally changed the nature of surveillance. Because all the data is saved, mass surveillance allows people to conduct surveillance backward in time, and without even knowing whom specifically you want to target. Tell me where this person was last year. List all the red sedans that drove down this road in the past month. List all of the people who purchased all the ingredients for a pressure cooker bomb in the past year. Find me all the pairs of phones that were moving toward each other, turned themselves off, then turned themselves on again an hour later while moving away from each other (a sign of a secret meeting).

Similarly, mass spying will change the nature of spying. All the data will be saved. It will all be searchable, and understandable, in bulk. Tell me who has talked about a particular topic in the past month, and how discussions about that topic have evolved. Person A did something; check if someone told them to do it. Find everyone who is plotting a crime, or spreading a rumor, or planning to attend a political protest.

There’s so much more. To uncover an organizational structure, look for someone who gives similar instructions to a group of people, then all the people they have relayed those instructions to. To find people’s confidants, look at whom they tell secrets to. You can track friendships and alliances as they form and break, in minute detail. In short, you can know everything about what everybody is talking about.

This spying is not limited to conversations on our phones or computers. Just as cameras everywhere fueled mass surveillance, microphones everywhere will fuel mass spying. Siri and Alexa and “Hey Google” are already always listening; the conversations just aren’t being saved yet.

Knowing that they are under constant surveillance changes how people behave. They conform. They self-censor, with the chilling effects that brings. Surveillance facilitates social control, and spying will only make this worse. Governments around the world already use mass surveillance; they will engage in mass spying as well.

Corporations will spy on people. Mass surveillance ushered in the era of personalized advertisements; mass spying will supercharge that industry. Information about what people are talking about, their moods, their secrets—it’s all catnip for marketers looking for an edge. The tech monopolies that are currently keeping us all under constant surveillance won’t be able to resist collecting and using all of that data.

In the early days of Gmail, Google talked about using people’s Gmail content to serve them personalized ads. The company stopped doing it, almost certainly because the keyword data it collected was so poor—and therefore not useful for marketing purposes. That will soon change. Maybe Google won’t be the first to spy on its users’ conversations, but once others start, they won’t be able to resist. Their true customers—their advertisers—will demand it.

We could limit this capability. We could prohibit mass spying. We could pass strong data-privacy rules. But we haven’t done anything to limit mass surveillance. Why would spying be any different?

This essay originally appeared in Slate.

 #artificial intelligence, #espionage, #privacy, #surveillance

Mass Government Surveillance: Spying on Citizens (Spying, Surveillance, and Privacy in the 21st Century)

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: espionage, Mass Spying, Pegasus spyware, privacy, rtificial intelligence


Jul 12 2023

The Spies Who Loved You: Infected USB Drives to Steal Secrets

Category: Cyber Spy,Spywaredisc7 @ 12:28 pm

https://www.mandiant.com/resources/blog/infected-usb-steal-secrets

In the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks using infected USB drives to steal secrets. Mandiant tracked all of the cases and found that the majority of the incidents could be attributed to several active USB-based operation campaigns affecting both the public and private sectors globally.

Previously, we covered one of the campaigns that leverages USB flash drives as an initial infection vector and concentrates on the Philippines. In this blog post, we are covering two additional USB-based cyber espionage campaigns that have been observed by Managed Defense: 

  • SOGU Malware Infection via USB Flash Drives Across Industries and Geographies

    This is the most prevalent USB-based cyber espionage attack using USB flash drives and one of the most aggressive cyber espionage campaigns targeting both public and private sector organizations globally across industry verticals. It uses USB flash drives to load the SOGU malware to steal sensitive information from a host.

    Mandiant attributes this campaign to TEMP.Hex, a China-linked cyber espionage actor. TEMP.Hex likely conducted these attacks to collect information in support of Chinese national security and economic interests. These operations pose a risk to a variety of industries, including construction and engineering, business services, government, health, transportation, and retail in Europe, Asia, and the United States.
     
  • SNOWYDRIVE Malware Infection via USB Flash Drives, Targets Oil and Gas Organizations in Asia

    This campaign uses USB flash drives to deliver the SNOWYDRIVE malware. Once SNOWYDRIVE is loaded, it creates a backdoor on the host system, giving attackers the ability to remotely issue system commands. It also spreads to other USB flash drives and propagates throughout the network.

    Mandiant attributes this campaign to UNC4698, a threat actor that has targeted oil and gas organizations in Asia. Once the actor has gained access to the system, they execute arbitrary payloads using the Windows Command Prompt, use removable media devices, create local staging directories, and modify the Windows registry. 

SOGU Malware Infection via USB Flash Drives Across Industries and Geographies

Managed Defense first observed this campaign while hunting for suspicious file write events in common directories that threat actors use for their malware, tools, or utilities.

Figure 2: Managed Defense investigation breakdown by industry

Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: Infected USB Drives, Pegasus, Steal Secrets


Jun 29 2023

Hollywood insider’s potential bid for NSO prompts warning from White House

Category: Spywaredisc7 @ 1:22 pm

https://therecord.media/nso-group-robert-simonds-white-house-national-security-council

The White House National Security Council cautioned on Wednesday that it will review any attempted takeover of foreign commercial surveillance software by an American company to determine whether the acquisition poses a “counterintelligence threat” to the U.S. government.

The statement came in response to reporting from the Guardian revealing that a chewing gum heir and producer of several Adam Sandler movies is considering a bid for the NSO Group, including its powerful Pegasus spyware.

The Biden administration is concerned about the spread of foreign commercial surveillance tools like Pegasus and believes they “pose a serious counterintelligence and security risk to U.S. personnel and systems,” the statement said.

The Hollywood producer, Robert Simonds, was responsible for more than 30 movies that made in excess of $6 billion earlier in his career and more recently had worked as the chairman of STX Entertainment, which Variety calls a “fully integrated entertainment outlet” focused on expanding into emerging global markets on a variety of platforms. Simonds’ credits with Sandler include “Happy Gilmore,” “The Wedding Singer” and “Billy Madison.”

According to the Guardian, Simonds was recently picked to run the Luxembourg-based holding company controlling NSO. Sources told the Guardian that Simonds is considering ways to take over some of the spyware firm’s assets in an effort to give the Five Eyes intelligence partnership of the US, the UK, Canada, Australia and New Zealand exclusive access to the potent technology.

Pegasus and similar tools are being “misused around the world to enable human rights abuses and target journalists, human rights activists, political opposition members, or others perceived as dissidents and critics,” the White House statement said, noting that the Biden administration has launched a government-wide effort to stop Pegasus and other foreign commercial surveillance software from spreading. In March, the administration issued an executive order barring all U.S. government agencies from using the spyware, among other measures.

In its statement the White House also warned that U.S. companies should “be aware that a transaction with a foreign entity on the Entity List will not automatically remove the designated entity from the Entity List.” The list, published by the United States Department of Commerce’s Bureau of Industry and Security (BIS), restricts trade with specified foreigners, foreign entities, or governments. Companies included on the Entity List must meet strict licensing requirements for exports.

NSO has been on the Entity List since 2021. Despite the controversy swirling around the firm, its unprecedented technology has long attracted the attention of investors. Pegasus can hack into users’ phones remotely, activating the camera and microphone without a user knowing, as well as intercept all communications, including over encrypted apps like Signal.

Last July, the American defense firm L3Harris decided not to pursue a bid for NSO after initial explorations led to a backlash from the Biden administration

InfoSec tools | InfoSec services | InfoSec books

Tags: Pegasus spyware


Apr 12 2023

NEW SPYWARE QUADREAM IS A REPLACEMENT OF PEGASUS SOFTWARE USED TO HACK IPHONES REMOTELY

Category: Hacking,Smart Phone,SpywareDISC @ 8:58 am

Security researchers have uncovered fresh malware with hacking capabilities comparable to those of Pegasus, which was developed by NSO Group. The software, which is sold by an Israeli firm named QuaDream, has previously been used by customers to target journalists, political opposition leaders, and an employee of an NGO. The company that makes and sells the spyware is called QuaDream.

The malware was spread to the victims’ phones when the operators of the spyware, who are thought to be government customers, sent them an invitation to an iCloud calendar. The cyberattacks took place between the years 2019 and 2021, and the term “Reign” is given to the hacking program that was used.

A phone that has been infected with Reign can, similar to a phone that has been infected with Pegasus, record conversations that are taking place near the phone, read messages that are stored on encrypted apps, listen to phone conversations, track the location of a user, and generate two-factor authentication codes on an iPhone in order to break into a user’s iCloud account.

Apple, which has been marketing its security measures as being among the finest in the world, has taken yet another hit as a result of the recent disclosures. It would seem that Reign poses an unprecedented and significant danger to the security of the company’s mobile phones.


The spyware that was built by QuaDream attacks iPhones by having the operators of the malware, who are believed to be government customers, issue an invitation to an iCloud calendar to the mobile users of the iPhones. Since the calendar invites were issued for events that had been recorded in the past, the targets of the hacking were not made aware of them because they were sent for activities that had already occurred.

Since users of the mobile phone are not required to click on any malicious link or do any action in order to get infected, these kind of attacks are referred to as “zero-click” attacks.

When a device is infected with spyware, it is able to record conversations that are taking place nearby by taking control of the recorder on the device, reading messages sent via encrypted applications, listening in on phone calls, and monitoring the position of the user.

The malware may also produce two-factor authentication tokens on an iPhone in order to enter a user’s iCloud account. This enables the spyware operator to exfiltrate data straight from the user’s iCloud, which is a significant advantage. In contrast to NSO Group, QuaDream maintains a modest profile among the general population. The firm does not have a website and does not provide any additional contact information on its page. The email address of Israeli attorney Vibeke Dank was included on the QuaDream business registration form; however, she did not respond to a letter asking for her opinion.

Citizen Lab did not name the individuals who were discovered to have been targeted by clients while they were using Reign. However, the organization did say that more than five victims were located in North America, Central Asia, south-east Asia, Europe, and the Middle East. These victims were described as journalists, political opposition figures, and an employee of an NGO. In addition, Citizen Lab said that it was able to identify operator sites for the malware in the countries of Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the United Arab Emirates, and Uzbekistan.

In a security report that was published in December 2022 by Meta, the corporation that owns Facebook, the name of the firm was mentioned briefly. The report defined QuaDream as being an Israeli-based startup that was created by former NSO personnel.

At the time, Meta stated that it had removed 250 accounts on Facebook and Instagram that were linked to QuaDream. The company believed that the accounts were being used to test the capabilities of the spyware maker using fake accounts. These capabilities included exfiltrating data such as text messages, images, video files, and audio files.

The discovery of Reign underscores the continuous spread of very powerful hacking tools, even as NSO Group, the developer of one of the world’s most sophisticated cyberweapons, has received intensive investigation and been banned by the Biden administration, likely limiting its access to new clients. NSO Group is the maker of one of the most advanced cyberweapons in the world.

Global Spyware Scandal: Exposing Pegasus, Season 1



InfoSec Threats
 | InfoSec books | InfoSec tools | InfoSec services

Tags: Pegasus spyware, Quadream


Apr 04 2023

I THINK SOMEONE IS SPYING ME USING AIRTAG, WHAT SHOULD I DO?

Category: Cyber Spy,SpywareDISC @ 9:16 am

Keeping track of your most vital belongings, such as your keys, wallet, remote controls, and even motorcycles, may be made easier with the assistance of an Apple AirTag. Yet, allegations that they were utilized to monitor individuals without first obtaining their permission threw an unfavorable light on the utilization and implementation of these technologies. It’s possible that your iPhone will warn you before you have to take any action if you have reason to believe that someone is monitoring your whereabouts via an AirTag. If you believe that you may be in danger because someone is following you without your permission and you feel that you should call law authorities, Apple may provide further information about the owner of the AirTag.

You will be notified of this

If you have an iPhone and you are being tracked by an AirTag, your phone may send you a notification that says “AirTag discovered moving with you.” This will occur if all of the following conditions are met:

The AirTag has been detached from its rightful owner.
iPhone of yours is awake.
When you move the AirTag, it will make a sound.
This may also occur with other accessories that are compatible with Find My Network, such as AirPods, AirPods Pro, or AirPods Max. When you move any of these goods when they are not being handled by their owners, each of them will make a sound.

Verify that the Tracking Notifications feature is turned on.
In the event that you do not get an alert, it is possible that you will need to complete the following procedures in order to guarantee that your tracking alerts are activated:

Go to the Settings menu, and then pick Privacy.
To activate Location Services, choose Location Services from the menu.
Go to the System Services menu.
Put your iPhone in find mode and activate the Notable Places feature.
Return to the Settings menu, and then choose Bluetooth.
Bluetooth must be on.
Last but not least, open the Locate My app and choose yourself.
Activate the Tracking Alerts on your browser.

Try out the app called “Find My.”
When AirTags get separated from their owners, they will produce a sound whenever they are moved in order to assist others in locating them. After confirming that Step 2 has finished, you may open the Locate My app and check to see if the AirTag is located if you think you may have heard an AirTag or another sound that you are unable to identify and suspect it may be an AirTag.

Make AirTag produce a sound.
If you have been notified that an AirTag was traveling with you and are checking the Find My app, you have the option to play a sound on the device in order to locate it more quickly. You can monitor other people’s AirTags by using the Find My app, which you may access by touching on the alert, selecting continue, and then tapping Locate Nearby.

Check all the details about AirTag 
When you have the AirTag in your line of sight, you may access the information it contains on your iPhone or any other smartphone that supports NFC. You will need to bring the top of your iPhone close to the white side of the AirTag that you have located and wait for it to identify it. A notice displays beside a webpage that contains the owner’s last four digits of their phone number in addition to the AirTag’s serial number. If this is a lost AirTag, the owner may have included their contact information so that the person who found it may get in touch with them.

Inactivate the AirTag.
If the owner of an AirTag disables it, they will no longer be able to see its current position or get updates about it. Just removing the battery is all that is required to deactivate the AirTag. You may do this by first opening the AirTag by depressing the button on top and then removing the battery by turning the lid counterclockwise.

You will be able to determine the position of another person’s iPhone so long as your AirTag is in close proximity to that device. And with Apple’s recent release of an official app for monitoring AirTags on Android devices, you don’t even need an iDevice to accomplish that anymore! Yet, there is one very significant exception to this rule.

With Apple Music, the Beats app, and an application for transitioning to iOS, Tracker Detect is one of the few Apple applications that can be downloaded and used on Android devices. If you wish to zero in on a specific rogue AirTag, you can use the app to play a sound on it, and you can also use the app to monitor neighboring rogue AirTags using it. From that point on, you have the option of scanning the AirTag using an NFC reader or turning it off by removing its battery. The functionality is really fundamental, despite the fact that it is rather cool looking. Since it does not have an auto-scan feature, you will not get alerts about nearby missing AirTags as you would on an iPhone. This means that in order to look for a tag, you will need to manually launch the application first. One may argue that this renders the Tracker Detect app rather worthless since a large number of individuals in the reviews part of the app believe that it ought to be able to auto-scan. Spending your day manually searching your immediate environment for AirTags every five minutes is not the most effective use of your time.

It’s not even like there are roadblocks in the way of making that happen on Android phones; all you need is Bluetooth Low Energy (BLE). And enabling auto-scanning for AirTags on non-Apple devices and having those devices participate to Apple’s Find My network would also considerably increase the success of finding AirTags in general. Download the application from the Google Play Store right now if you have an Android device and want to be able to scan AirTags with it.

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: AIRTAG


Dec 02 2022

Spyware Vendor Variston Exploited Chrome, Firefox and Windows 0-days

Category: Spyware,Zero dayDISC @ 10:30 am

A Barcelona-based company, a spyware vendor named Variston IT, is exploiting flaws under the guise of a custom cybersecurity solutions provider.

On 30th November, Google’s Threat Analysis Group (TAG) reported that a Barcelona-based company, actually a spyware vendor, named Variston IT has been exploiting n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender under the guise of a custom cybersecurity solutions provider. 

In their detailed technical report, TAG explained that Variston IT had been using their exploitation framework called Heliconia to install spyware on the targeted devices. The researchers at Google received an anonymous submission to Chrome’s bug reporting program which brought to their attention the exploitation framework.

Heliconia actually contains three separate exploitation frameworks. One of them is used to compromise the Chrome renderer bug so that it can escape the walls of the app’s sandbox and run malware on the operating system.

Another one is used to deploy malicious PDF documents containing an exploit for Windows Defender (a built-in antivirus engine in the newer versions of Windows).  The last framework is for compromising Windows and Linux machines by using a set of Firefox exploits. 

Spyware Vendor Variston Exploited Chrome, Firefox and Windows 0-days
A manifest file in the source code provides a product description (Image: Google)

In its report, the tech giant observed that the Heliconia exploit is successful against Firefox versions 64 to 68, which suggests that it was created and used as early as December 2018 when Firefox 64 first came out.

Google, Microsoft, and Mozilla fixed the vulnerabilities in 2021 and early 2022. They further stated that, although they had not detected active exploitation, it is likely that the vulnerabilities had been exploited before they could be fixed.

Spyware Vendor Variston Exploited Chrome, Firefox and Windows 0-days

7 Steps to Removing Spyware

Tags: Spyware Vendor Variston, Windows 0-days


Aug 02 2022

Pegasus is listening

Category: SpywareDISC @ 1:55 pm
Pegasus is listening: Q&A with Paul Rusesabagina’s daughter Carine Kanimba

Pegasus is listening: Q&A with Paul Rusesabagina’s daughter Carine Kanimba

You may not recognize the name Carine Kanimba, but you have probably heard of her dad: Paul Rusesabagina. He was the manager of Hôtel des Milles Collines and rather famously decided to shelter some 1,200 mostly Tutsi Rwandans in his hotel during the 1994 genocide in Rwanda. Don Cheadle played him in the movie Hotel Rwanda.

After, Rusesabagina became a superstar ambassador of human rights. He wrote an autobiography about his work during the genocide; President George W. Bush awarded him the Medal of Freedom; and he went on the speakers’ circuit not just talking about 1994 – but criticizing the current government of President Paul Kagame for trampling on human rights.

In August 2020, Rusesabagina boarded a private jet for what he thought would be a trip to Burundi, but instead he was rendered to Rwanda. He’s since been sentenced to 25-years in prison.

Carine Kanimba was on Capitol Hill last week to talk not just about her dad (who adopted sisters Carine and Anaïse shortly after the genocide), but also her recent discovery that she’s been targeted by a commercial spyware program called Pegasus. And she believes the Rwandan government was behind it.

Pegasus spyware is the brainchild of an Israeli company called NSO Group and it has been found on the phones of so many activists around the world it has become a kind of cautionary tale about the commercial spyware industry. It has been linked to the murder of journalist Jamal Khashoggi, discovered on the phones of Mexican opposition leadersCatalonian politicians, and journalists and lawyers around the world. (In a statement, NSO Group told Click Here that it “thoroughly investigates any claim for illegal use of its technology by customers, and terminates contracts when illegal use is found.”)

The Click Here podcast sat down with Kanimba shortly after her Congressional testimony to talk to her about her role as a human rights advocate, what it is like finding oneself on the receiving end of a spyware campaign, and why she is confident she will win her father’s release. The interview has been edited and shortened for clarity.

CLICK HERE: We wanted to start by saying we’re very sorry about what you’re going through with your father…

For complete interview – Pegasus is listening: Q&A with Paul Rusesabagina’s daughter Carine Kanimba

Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy

Tags: A Privacy Killer, NSO’s Pegasus, Pegasus, Pegasus spyware


Jul 11 2022

US Gov’t Flip-Flops on NSO Group Sale to L3Harris

Category: Cyber Spy,SpywareDISC @ 2:26 pm

US Gov’t Flip-Flops on NSO Group Sale to L3Harris

by Richi Jennings on July 11, 2022

NSO Group, notorious makers of the notorious Pegasus spyware, has been in acquisition talks with a huge U.S. government defense contractor you’ve never heard of: L3Harris Technologies, Inc. Doesn’t that give you a warm, tingly feeling inside?

Pictured is Christopher E. “Call Me Chris” Kubasik, L3Harris’s chairman and CEO. He’s no doubt disappointed that the White House put the kibosh on the deal—especially as other bits of the government gave tacit approval (or so we’re told).

But is everything quite as it seems? In today’s SB Blogwatch, we pay attention to the man behind the curtain.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: WINBOOT.AVI

POTUS Vs. CIA and FBI

What’s the craic? Mark Mazzetti, Ronen Bergman and Susan C. Beachy report—“Defense Firm Said U.S. Spies Backed Its Bid for Pegasus Spyware Maker”:

“L3Harris and NSO declined to comment”
A team of executives from an American military contractor quietly … in recent months [attempted] a bold but risky plan: purchasing NSO Group, the cyber hacking firm that is as notorious as it is technologically accomplished. … They started with the uncomfortable fact that the United States government had put NSO on a blacklist just months earlier [because it] had acted “contrary to the national security or foreign policy interests of the United States,” the Biden administration said.

But five people familiar with the negotiations said that the L3Harris team had brought with them a surprising message: … American intelligence officials, they said, quietly supported its plans to purchase NSO, whose technology over the years has been of intense interest to … the F.B.I. and the C.I.A. [But news of the] talks to purchase NSO seemed to blindside White House officials, [who] said they were outraged … and that any attempt by American defense firms to purchase [NSO Group] would be met by serious resistance.

While not a household defense industry name … L3Harris earns billions each year from American government contracts. … The company once produced a surveillance system called Stingray.

L3Harris and NSO declined to comment. … A spokeswoman for Avril Haines, the director of national intelligence, declined to comment. … The Commerce Department declined to give specifics about any discussions.

One arm of the government doesn’t know what another is doing? Say it ain’t so! Stephanie Kirchgaessner says it’s so—“US defence firm ends talks to buy NSO”:

“Definitive pushback”
A person familiar with the talks said L3 Harris had vetted any potential deal for NSO’s technology with its customers in the US government and had received some signals of support from the American intelligence community. [But,] sources said, L3Harris had been caught off guard when a senior White House official expressed strong reservations about any potential deal.

Once L3Harris understood the level of “definitive pushback”, a person familiar with the talks said, “there was a view … that there was no way L3 was moving forward with this. … If the government is not aligned, there is no way for L3 to be aligned,” the person said.

What’s the big problem? Duncan Riley drives the point home:

“Could have resulted in the blacklisting being lifted”
A deal for all or part of NSO would not be as simple as the two companies agreeing to terms, requiring permission from both the U.S. and Israeli governments. … NSO Group, with its Pegasus spyware, has been one of the most controversial cybersecurity companies of recent times. Pegasus is a form of software that uses zero-day or unpatched exploits to infect mobile devices.

The deal falling apart may also leave NSO in a difficult situation: With the blacklisting in place, the company is limited in whom it can sell Pegasus to and what technology it can purchase. In contrast, an acquisition by an American company could have resulted in the blacklisting being lifted.

Wait, what? John Scott-Railton holds his horses:

“NSO spent years pretending they changed”
WHOA: Deal … tanked.

[It] helps explain recent signs of desperation from the spyware company. [An] American defense contractor acquiring a demonstrably-uncontrollable purveyor of insecurity would be … atrocious for human rights [and] bad for … counterintelligence.

This is not a company that prioritizes America’s national security. And it doesn’t play well with our tech sector. … NSO spent years pretending they changed … while using all available tricks to hide the fact that they kept doing … risky biz and dictator deals.

ELI5? Look on u/Ozymandias606’s words, ye mighty, and despair:

“Biden visits Israel tomorrow”
Pegasus is a hacking tool [that] can turn anyone’s phone into a tracking and recording device without the owner clicking a link. [It] has been sold to governments over the past several years [who] used Pegasus to spy on journalists and activists.

The Commerce Department added Pegasus’ creator to a blacklist that has been slowly choking the company. … A US defense contractor later offered to buy Pegasus – and claims they had explicit permission from US intelligence agencies to do so under a number of conditions, [which] include turning over the software’s source code to the “Five Eyes” cybersecurity alliance.

So, a handful of Western nations … were trying to control access to a cyber weapon that appears to take control of any phone in the world. … Biden visits Israel tomorrow – his first visit to the country.

Are you hinting what I think you’re hinting? This Anonymous Coward rents the curtain (but is behind on the payments): [You’re fired—Ed.]

Unfortunately, many Americans are still in denial about what the US govt routinely do. … This is simply Tiktok 2.0 (or Alstrom 3.0).

Anyone who looked at history will recognise the same pattern had happened many times already, including Alstrom in France. US will buy out any company, by force or by trickery, that took lead in any area the US deemed important.

Still, we have Lockdown Mode now. Nothing to worry about, right? Wrong, says u/NidoKangJr:

Lockdown mode is nothing. It can’t work. If the software is compromised, letting software be the security can’t work. Every cell phone really needs to have 3 mechanical switches and a removable battery. 1 switch for power, 1 for the mic and 1 for the camera.

What next? The Combat Desert Penguin—@wolverine_salty—ponders alternative buyers:

Is Thiel interested?

Meanwhile, with a similarly snarky stance, here’s kmoser:

So when is Elon Musk going to make them an offer?

Report: L3Harris Drops Plans to Buy Israel-Based Hacking Tool Maker NSO -  GovCon Wire

Pegasus Spyware – ‘A Privacy Killer’ 

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: L3Harris, NSO Group, Pegasus spyware


Jun 23 2022

NSO Group told lawmakers that Pegasus spyware was used by at least 5 European countries

Category: Cyber Spy,SpywareDISC @ 8:23 am

The Israeli surveillance firm NSO Group revealed that its Pegasus spyware was used by at least five European countries.

The controversial Israeli surveillance vendor NSO Group told the European Union lawmakers that its Pegasus spyware was used by at least five countries in the region.

NSO Group’s General Counsel Chaim Gelfand admitted that the company had “made mistakes,” but that after the abuses of its software made the headlines it has canceled several contracts.

“We’re trying to do the right thing and that’s more than other companies working in the industry,” Gelfand told members of the PEGA committee. “Every customer we sell to, we do due diligence on in advance in order to assess the rule of law in that country. But working on publicly available information is never going to be enough.”

In April, the Parliament set up a new inquiry committee investigating the use of Pegaus spyware and equivalent surveillance software used to spy of phones belonging to politicians, diplomats, and civil society members. The spyware was used to target several European leaders, including Spain’s Prime Minister Pedro Sánchez, and Spanish political groups, Hungary, and Poland.

NSO Group

In February, the European Data Protection Supervisor (EDPS) authority called for a ban on the development and the use of surveillance software like the Pegasus spyware in the EU.

The abuse of this kind of solution poses a serious threat to fundamental rights, particularly on the rights to privacy and data protection. 

“It comes from the EDPS’ conviction that the use of Pegasus might lead to an unprecedented level of intrusiveness, which threatens the essence of the right to privacy, as the spyware is able to interfere with the most intimate aspects of our daily lives.” states the European Data Protection Supervisor (EDPS). 

“Pegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy.”

Privacy advocated and cybersecurity experts demonstrated the use of the Pegasus in surveillance campaigns worldwide targeting journalists, political figures, dissidents, and activists.

The bad news is that the business of digital surveillance is growing in scaring and uncontrolled way. Recently, experts spotted other surveillance malware infecting systems worldwide, such as the HERMIT spyware that was linked to an Italian firm.

If you want to read more info on the Pegasus spyware give a look at a report investigating Pegasus spyware impacts on human rights has been launched by the Council of Europe on the occasion of the summer session of the Parliamentary Assembly.

The report was prepared by the Information Society Department with contributions from Tamar Kaldani the former Personal Data Protection Inspector and the State Inspector of Georgia, currently serving as the first Vice-chair of the Consultative Committee of Convention 108 and Zeev Prokopets – an Israeli executive, product designer, software developer and entrepreneur.

“An investigation report released by a global consortium26 revealed that 200 journalists worldwide had been targeted using Pegasus spyware. The Office of the UN Special Rapporteur for Freedom of Expression also noted the number of victims of attempted spying through Pegasus, including Mexican journalists, human rights defenders and opposition leaders.27 “The numbers vividly show the abuse is widespread, placing journalists’ lives, those of their families and associates in danger, undermining freedom of the press and shutting down critical media,” – said Secretary-general of Amnesty International.” concludes the report. “The right to freedom of expression and information, as guaranteed by Article 10 of the Convention, constitutes one of the essential foundations of a democratic society and one of the basic conditions for its progress and the development of every individual.”

And it’s like, what … 12, 13,000 total targets a year max, exec says

Pegasus Spyware – ‘A Privacy Killer’ 

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: A Privacy Killer, NSO Group, Pegasus spyware


Apr 19 2022

NSO Group Pegasus spyware leverages new zero-click iPhone exploit in recent attacks

Category: Cyber Spy,SpywareDISC @ 8:23 am

Researchers reported that threat actors leveraged a new zero-click iMessage exploit to install NSO Group Pegasus on iPhones belonging to Catalans.

Researchers from Citizen Lab have published a report detailing the use of a new zero-click iMessage exploit, dubbed HOMAGE, to install the NSO Group Pegasus spyware on iPhones belonging to Catalan politicians, journalists, academics, and activists.

The previously undocumented zero-click iMessage exploit HOMAGE works in attacks against iOS versions before 13.2.

The experts speculate the HOMAGE exploit was used since the last months of 2019, and involved an iMessage zero-click component that launched a WebKit instance in the com.apple.mediastream.mstreamd process, following a com.apple.private.alloy.photostream lookup for a Pegasus email address. 

The experts at the Citizen Lab, in collaboration with Catalan civil society groups, have identified at least 65 individuals targeted or infected with spyware. 63 of them were targeted or infected with the Pegasus spyware, and four others with the spyware developed by another surveillance firm named Candiru. The researchers reported that at least two of them were targeted or infected with both surveillance software.

Victims included Members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organisations, the threat actors also targeted family members.

The researchers also noticed that the content used in the bait SMS messages suggests access to targets personal information, including the Spanish governmental ID numbers.

“With the targets’ consent, we obtained forensic artefacts from their devices that we examined for evidence of Pegasus infections. Our forensic analysis enables us to conclude with high confidence that, of the 63 people targeted with Pegasus, at least 51 individuals were infected.” reads the report published by Citizen Lab.

“We are not aware of any zero-day, zero-click exploits deployed against Catalan targets following iOS 13.1.3 and before iOS 13.5.1.”

This isn’t the first time that Catalans were targeted by the NSO Group Pegasus Spyware, Citizen Lab has previously reported “possible cases of domestic political espionage” after detecting infections with the popular surveillance software. Multiple Catalans were targeted with Pegasus through the 2019 WhatsApp attack, at the time the spyware leveraged exploits for the 

 vulnerability.

The Citizen Lab doesn’t explicitly attribute the attacks to a specific threat actor, but the nature of the targets suggests a link with Spanish authorities. All the targets were of interest to the Spanish government and experts pointed out that the specific timing of the targeting matches events of specific interest to the Spanish government.

“While we do not currently attribute this operation to specific governmental entities, circumstantial evidence suggests a strong nexus with the government of Spain, including the nature of the victims and targets, the timing, and the fact that Spain is reported to be a government client of NSO Group.” concludes the report.

NSO Group pegasus spyware

Pegasus Spyware – ‘A Privacy Killer’ 

👇 Please Follow our LI page…


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: NSO Group, Pegasus spyware


Apr 12 2022

NSO Group Spied on European Union—on French Orders?

Category: Cyber Espionage,Cyber Spy,SpywareDISC @ 10:46 am

An espionage attempt was made by an NSO Group customer to hack the phones of senior EU officials. Although there’s some suggestion that it might have been QuaDream—a similar Israeli spyware firm.

Commissioner for Justice Didier Reynders (pictured) seems to have been the main target, along with several of his staffers at the Directorate-General for Justice and Consumers. They were warned of the attack five months ago—by Apple.

But who ordered the hack? Might it have been the French government? In today’s SB Blogwatch, we’re shocked—SHOCKED—to discover un peu d’espionnage fratricide.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Shrimp can lobster.

What Did Didier Do?

What’s the craic? Raphael Satter and Christopher Bing claim this exclusive for Reuters—“Senior EU officials were targeted with Israeli spyware”:

“Remotely and invisibly take control of iPhones”
Among them was Didier Reynders, a senior Belgian statesman who has served as the European Justice Commissioner since 2019. … At least four other [Justice and Consumers] commission staffers were also targeted.

The commission became aware of the targeting following messages issued by Apple to thousands of iPhone owners in November telling them they were “targeted by state-sponsored attackers.” … The warnings triggered immediate concern at the commission. … A senior tech staffer sent a message to colleagues with background about Israeli hacking tools: … “Given the nature of your responsibilities, you are a potential target.”

Recipients of the warnings were targeted between February and September 2021 using ForcedEntry, an advanced piece of software that was used by Israeli cyber surveillance vendor NSO Group to help foreign spy agencies remotely and invisibly take control of iPhones. A smaller Israeli spyware vendor named QuaDream also sold a nearly identical tool.

So which was it? And why? Lucas Ropek shrugs—“Sophisticated Spyware Attack”:

“Comes at potentially the worst possible time”
It’s not totally clear why these officials were targeted or who used the malware against them. … NSO has denied that it had any involvement. … Reuters also reached out to QuaDream … but did not get any sort of comment or response.

The claims that EU officials were targeted with NSO Group software comes at potentially the worst possible time for the company as it continues to battle both legal and financial troubles, as well as multiple government investigations. … NSO is now appealing to the U.S. Supreme Court in a new effort to rid itself of a hefty lawsuit filed by … WhatsApp, [which] sued NSO in October of 2019 after the surveillance firm’s malware was allegedly discovered on some 1,400 users’ phones. … The company is also currently battling another lawsuit from Apple filed last November on similar grounds.

Government investigations? Malcolm Owen isn’t scared to say whodunnit—“EU officials’ iPhones were targets of NSO Group’s spyware”:

“Use of surveillance software”
The discovery of the misuse of NSO Group’s tools certainly doesn’t help the company’s profile following the Pegasus scandal, when it was found the tool was used by governments to spy on journalists, activists, and government opponents, instead of for fighting crime. The adoption of Pegasus and other tools by government agencies led to lawmakers in the U.S. asking Apple and the FBI about the latter’s acquisition of NSO Group tools.

Meanwhile, the European Parliament will be launching a committee on April 19 to investigate the use of surveillance software in European member states.

The European Union, huh? FOHEng thinks this should be a teachable moment:

Many of these same EU people think The App Store should be forced to open, increasing the vectors for … exploits to make it into devices. They’re as stupid as some US Senators, who aren’t allowed to sideload Apps on their devices over security concerns, yet want to force Apple to allow this. They are truly delusional.

Third party stores with Apps being vetted for security? An oxymoron if ever there was one. … You think iOS third party stores are going to somehow be secure and Apps checked?

Worthless politicians? zeiche seems to think so:

“No big deal until it happens to me.” This story has been unfolding slowly for years, yet these EU officials didn’t seem too bothered until Apple notified them about their phones being hacked. … Thanks for all the concern.

But what of Apple in all this? Heed the prognostications of Roderikus:

More fines for offering a platform that is basically compromised while being marketed as “safe.”

However, mikece is triggered by a certain word in the Reuter hed:

Throwing the adjective “Israeli” into the title is misleading as it suggest the state of Israel is somehow involved. … Blaming Israel for this is like blaming Japan for all of the Toyota Hiluxes converted into gun platforms around the world.

Yet we’ve still not dealt with the “who” question. For this, we turn to Justthefacts:

CitizenLab did some clever geographic fingerprinting, and have a list of which countries are doing this. … Out of these, the credible list is: France, Greece, Netherlands, Poland, UK, USA.

The target was the European Justice Minister from 2019 onwards. He doesn’t have military or external trade secrets. Neither the UK nor USA are impacted in any way by what goes on in his office. So it’s either France, Greece, Netherlands, Poland.

If you have a look at the heat-map produced by CitizenLab, it’s the French government snooping on the EU. What were you expecting?

Nor the “why”: What else do we know about the named victim? ffkom ffills us in: [You’re ffired—Ed.]

Didier Reynders is [one of] those politicians who have continuously undermined EU data protection laws by agreeing to sham contracts like “Safe Harbour” and “Privacy Shield,” … knowing those were contradicting EU law … and not worth the paper they were written on. He, personally, is also responsible for not enforcing … GDPR.

It serves Mr. Reynders right that his data is exposed, just as much as he has helped to expose EU citizen’s data.

Ultimate spyware' — How Pegasus is used for surveillance


Tags: European Union, NSO Group Spied


Feb 20 2022

Ukraine: how cyber-attacks became so important to the conflict

Category: Information Warfare,SpywareDISC @ 4:28 pm

https://theconversation.com/ukraine-how-cyber-attacks-became-so-important-to-the-conflict-177266

For the past few weeks, Russia has been deploying military forces into strategic positions on Ukraine’s borders. However, there is another, virtual dimension to the escalating conflict: cyber-attacks on Ukrainian government and business websites and services.

Although it is impossible to confirm the Russian state is behind these attacks, commentators have suggested that similar tactics form part of a type of hybrid warfare that Russia has been fine tuning for the past couple of decades.

Cyber-espionage and information warfare have become an intrinsic part of recent conflicts and happen on a regular basis between conflicting powers. However, governments do not usually publicly claim responsibility for this type of activity, since this could put them in a position of declaring war against the targeted country and provoking counterattacks and sanctions from the international community. Therefore, evidence that Russia is definitely behind these attacks is hard to establish.

Cyber-attacks are often attributed to hacker groups with nationalist motivations, who justify their political agendas without explicitly verifying any state backing.

In January, there was a spate of attacks by Belarusian hackers believed to be supporting Russia. They launched a series of malware attacks against Ukrainian computer systems with many government and other websites being defaced with provocative and intimidating messages.

In mid February, there was another round of cyber-attacks, this time targeting the Ukrainian army website, ministerial websites and some of the major banks, including PrivatBank, preventing online payments and use of banking apps.

These latest attacks were mainly distributed denial of service (DDOS) attacks, where a huge number of small packets of information are sent to websites and servers from multiple sources. This information overload causes the servers and computer systems targeted to slow down or collapse because of the swarm of information requests.

Russian involvement in those cyber-attacks is suspected, but is hard to confirm. The attacks follow the pattern of similar tactics with alleged Russian backing over the past two decades in Ukraine, Estonia and Georgia, including attacks on communications infrastructures and power grids.

The US president and EU officials are now discussing increasing cyberspace defences against such attacks or imposing sanctions, if required.

Despite all of this, Ukrainian officials have refrained from explicitly mentioning the Russian state as being behind these attacks.

A searing look inside the rise of cyberwarfare as the primary way nations now compete with and sabotage one another – The Perfect Weapon

Tags: cyberwarfare, The Perfect Weapon


Feb 17 2022

European Data Protection Supervisor call for bans on surveillance spyware like Pegasus

Category: Cyber Spy,SpywareDISC @ 2:55 pm

The European Data Protection Supervisor authority called for a ban on the development and the use of Pegasus-like commercial spyware.

The European Data Protection Supervisor (EDPS) authority this week called for a ban on the development and the use of surveillance software like the Pegasus spyware in the EU.

Pegasus is a surveillance malware developed by the Israeli surveillance NSO Group that could infect both iPhones and Android devices, it is sold exclusively to the governments and law enforcement agencies.

The abuse of this kind of solution poses a serious threat to fundamental rights, particularly on the rights to privacy and data protection. 

“It comes from the EDPS’ conviction that the use of Pegasus might lead to an unprecedented level of intrusiveness, which threatens the essence of the right to privacy, as the spyware is able to interfere with the most intimate aspects of our daily lives.” states the European Data Protection Supervisor (EDPS). 

“Pegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy.”

Privacy advocated and cybersecurity experts demonstrated the use of the Pegasus in surveillance campaigns worldwide targeting journalists, political figures, dissidents, and activists.

Pegasus was used by governments with dubious human rights records and histories of abusive behaviour by their state security services.

The surveillance software allows to completely take over the target device and spy on the victims. Developers of surveillance solutions leverage zero-click zero-day exploits to silently compromise the devices without any user interaction. Pegasus is known to have used KISMET and FORCEDENTRY exploits to infect the devices of the victims.

NSO Group has repeatedly claimed that its software is sold exclusively to law enforcement and intelligence agencies to fight crime and terrorism, in so-called “life-saving mission.”

According to a series of disclosures by the business publication Calcalist in recent weeks, dozens of citizens in the country were targeted by Israel Police with the NSO Group’s spyware to gather intelligence without a search warrant authorizing the surveillance.

“National security cannot be used as an excuse to an extensive use of such technologies nor as an argument against the involvement of the European Union.” continues EDPS.

EDPS urges tight control over the use of surveillance and hacking tools to prevent and disincentive unlawful use.

Finnish diplomats’ devices infected with Pegasus spyware

El Salvador journalists hacked with NSO’s Pegasus spyware

Pegasus: Google reveals how the sophisticated spyware hacked into iPhones without user’s knowledge

The Pegasus project: key takeaways for the corporate world

Pegasus Spyware – ‘A Privacy Killer’

Tags: Pegasus spyware, Spyware, The European Data Protection Supervisor authority


Feb 11 2022

Spyware, ransomware and Nation-state hacking: Q&A from a recent interview

Category: Ransomware,SpywareDISC @ 9:56 am

I transcribed a recent interview, here some questions and answers about nation-state hacking, spyware, and cyber warfare. Enjoy”

How has spyware changed the rules of cyber security in recent years? What will cyber security look like now that those tools are all over the internet?

In the last decade, we have observed a progressive weaponization of cyberspace. NATO recognized cyberspace as a new domain of warfare. Cyberspace is the new battlefield for nation-state actors, the digital place where international crime rings operate threatening the pillars of our digital society.

Spyware are powerful weapons in the arsenal of governments and cybercrime gangs. These tools are even more sophisticated and are able to evade detection by using so-called zero-day exploits allowing attackers to bypass the defense of government organizations and businesses. Spyware allows attackers to steal sensitive info from the targets, and perform a broad range of malicious activities.

Is the Pegasus spyware as a game-changer?

Pegasus is probably the most popular surveillance software on the market, it has been developed by the Israeli NSO Group. Anyway, it is not the only one. Many other surveillance firms develop spyware that are every day abused in dragnet surveillance and target journalists, dissidents, and opponents of totalitarian regimes. These software are developed for law enforcement and intelligence agencies, but they are often abused by many governments worldwide cyber espionage operations. The surveillance business is growing in the dark and is becoming very dangerous.

Which are devices of cyber warfare and cyber espionage?

Every technological device can be abused for cyber warfare and cyber espionage. Malware, spyware are the most common means but do not forget the power of social network platforms that can be used for surveillance and misinformation purposes.

Many governments have fallen victim to massive ransomware attacks from groups linked to organized crime, how bad can this new trend of hacking get?

Every day we read about major attacks targeting organizations worldwide with severe impact on their operations. The situation is going worse despite the numerous operations of law enforcement on a global scale. The number of ransomware attacks spiked in the last couple of years due to the implementation of the Ransomware-as-a-Service model, this means that tens of ransomware gangs have created a network of affiliates and provided them their malware. Almost any criminal group could become an affiliate, obtain ransomware from a gang, and spread it, this is amplifying the damages. Critical infrastructure are even more exposed to a new generation of threats that are more aggressive and sophisticated.

Reports are coming out linking North Korea to illegal online activities related to cryptocurrency. How are some governments using the Internet to threaten world peace in one way or another?

When dealing with nation-state actors you must consider the main motivation behind the attacks and distinguish the technique, tactics, and procedure adopted by the different state-sponsored groups.

For example, China-linked nation-state actors are more focused on cyberespionage aimed at stealing intellectual property, while Russia-linked Advanced Persistent Threat groups often operate to destabilize the political contest of foreign states, carry out cyber espionage activities, and conduct disinformation campaigns. North Korea-linked threat actors carry out financially motivated attacks against banks and cryptocurrency firms worldwide to steal funds to re-invest in their military industry.

What about the resilience of countries’ infrastructure to face such kind of war?

We need norms of state behavior in the cyber space and more information sharing on cyber threats. We need to share information about the attacks in an early stage, profiling the threat actors to mitigate and prevent their campaigns. It is essential to increase the level of security of critical infrastructure like power grids, power plants and hospitals. Critical infrastructure are the main targets of nation-state actors in a cyber warfare contest.

Is making the internet a safe place technically possible?

Let me use the title of a famous book, “No place to hide”. I mean that both nation-state actors and cybercriminal organizations are spending a growing effort to increase their hacking capabilities and evasion techniques. Unfortunately, today most of the organizations still consider cybersecurity a cost to cut and this approach gives the attackers an immense advantage. We need a cultural change and we must consider that a security by design approach is the unique way to make the Internet a safe place. We also need globally recognized norms of responsible state behavior in cyberspace.

The Hacker and the State

The Cyberweapons Arms Race

Tags: Nation-state hacking, Ransomware Protection Playbook, Spyware, The Cyberweapons Arms Race, The Hacker and the State


Jan 29 2022

The Battle for the World’s Most Powerful Cyberweapon

Category: Cyberweapon,SpywareDISC @ 11:49 am

A Times investigation reveals how Israel reaped diplomatic gains around the world from NSO’s Pegasus spyware — a tool America itself purchased but is now trying to ban.

In June 2019, three Israeli computer engineers arrived at a New Jersey building used by the F.B.I. They unpacked dozens of computer servers, arranging them on tall racks in an isolated room. As they set up the equipment, the engineers made a series of calls to their bosses in Herzliya, a Tel Aviv suburb, at the headquarters for NSO Group, the world’s most notorious maker of spyware. Then, with their equipment in place, they began testing.

The F.B.I. had bought a version of Pegasus, NSO’s premier spying tool. For nearly a decade, the Israeli firm had been selling its surveillance software on a subscription basis to law-enforcement and intelligence agencies around the world, promising that it could do what no one else — not a private company, not even a state intelligence service — could do: consistently and reliably crack the encrypted communications of any iPhone or Android smartphone.

Since NSO had introduced Pegasus to the global market in 2011, it had helped Mexican authorities capture Joaquín Guzmán Loera, the drug lord known as El Chapo. European investigators have quietly used Pegasus to thwart terrorist plots, fight organized crime and, in one case, take down a global child-abuse ring, identifying dozens of suspects in more than 40 countries. In a broader sense, NSO’s products seemed to solve one of the biggest problems facing law-enforcement and intelligence agencies in the 21st century: that criminals and terrorists had better technology for encrypting their communications than investigators had to decrypt them. The criminal world had gone dark even as it was increasingly going global.

But by the time the company’s engineers walked through the door of the New Jersey facility in 2019, the many abuses of Pegasus had also been well documented. Mexico deployed the software not just against gangsters but also against journalists and political dissidents. The United Arab Emirates used the software to hack the phone of a civil rights activist whom the government threw in jail. Saudi Arabia used it against women’s rights activists and, according to a lawsuit filed by a Saudi dissident, to spy on communications with Jamal Khashoggi, a columnist for The Washington Post, whom Saudi operatives killed and dismembered in Istanbul in 2018.

The Battle for the World’s Most Powerful Cyberweapon

The World’s Most Terrifying Spyware

Pegasus Spyware – ‘A Privacy Killer’

Finland says it found NSO’s Pegasus spyware on diplomats’ phones

Tags: cyberweapons, diplomats’ phones, Finland, NSO, NSO Group, Pegasus spyware, Pegasus Spyware - 'A Privacy Killer'


Jan 28 2022

Finnish diplomats’ devices infected with Pegasus spyware

Category: Cyber Spy,SpywareDISC @ 10:25 am

Finland Ministry for Foreign Affairs revealed that devices of Finnish diplomats have been infected with NSO Group’s Pegasus spyware.

Finland’s Ministry for Foreign Affairs revealed that the devices of some Finnish diplomats have been compromised with the infamous NSO Group’s Pegasus spyware.

The diplomats were targeted with the popular surveillance software as part of a cyber-espionage campaign.

“Finnish diplomats have been targets of cyber espionage by means of the Pegasus spyware, developed by NSO Group Technologies, which has received wide publicity. The highly sophisticated malware has infected users’ Apple or Android telephones without their noticing and without any action from the user’s part. Through the spyware, the perpetrators may have been able to harvest data from the device and exploit its features.” reads a statement published by the Ministry.

According to the statement, threat actors have stolen data from the infected devices belonging to employees working in Finnish missions abroad. The attacks were spotted following an investigation that started in the autumn of 2021, anyway, according to the government experts the campaign is no longer active.

The announcement pointed out that the data transmitted or stored on diplomats’ devices are either public or classified at the lowest level of classified information (level 4).

Finland’s Ministry for Foreign Affairs warns that even if the information is not directly classified, the information itself and its source may be subject to diplomatic confidentiality.

“The Ministry for Foreign Affairs is continually monitoring events and activities in its operating environment and assessing related risks. The Ministry for Foreign Affairs monitors its services and strives to prevent harmful activities.  The preparation of and decisions on foreign and security policy, in particular, are matters that attract much interest, which may also manifest itself as unlawful intelligence.” concludes the Ministry. “The Ministry responds to the risk by various means, but complete protection against unlawful intelligence is impossible.”

In December, Apple warned that the mobile devices of at least nine US Department of State employees were compromised with NSO Group ‘s Pegasus spyware.

Tags: Finnish diplomats, Pegasus spyware


Next Page »