Jul 25 2022

PCI DSS: Which PCI SAQ is Right for My Business?

Category: pci dss | DISC @ 12:25 pm

Organisations that fall within Levels 2–4 of the PCI DSS (Payment Card Industry Data Security Standard) can attest to compliance with an SAQ (self-assessment questionnaire).

You will fall into one of those levels if your organisation processes fewer than six million card transactions per year.

There are several types of questionnaire, and in this blog we help you understand which one is right for you.

What is a PCI SAQ?

Organisations that are subject to the PCI DSS must demonstrate that they have taken appropriate steps to secure the payment card data that they hold.

There are two ways to do this: with a PCI SAQ or an RoC (report on compliance). Each payment brand (American Express, Discover, JCB, Mastercard and Visa) runs its own compliance programme, so the brands set the eligibility criteria for an SAQ or RoC, and in practice your acquiring bank confirms which one applies to you.

The PCI SAQ is the less rigorous method and is typically used for organisations that process fewer than six million transactions annually.

Once it’s completed, the PCI SAQ is signed off by an officer of the merchant or service provider, validating the organisation’s compliance practices.

PCI SAQ types

There are several types of PCI SAQ that apply in certain circumstances. It’s essential that organisations choose the correct assessment. They are as follows:

SAQ A

For merchants that outsource their entire card data processing to validated third parties. This includes e-commerce merchants and mail/telephone order merchants. 

It applies where: 

  • The merchant’s website is hosted and managed by a PCI-compliant third-party payment processor; or 
  • The merchant’s website provides an iframe (inline frame) or URL that redirects customers to a PCI-compliant third-party payment processor. 

Nearly all online merchants aim for SAQ A, because it is the simplest, least time-consuming assessment.

SAQ A-EP

For e-commerce merchants that don’t receive cardholder data but do control the method through which data is redirected to a third-party payment processor. 

It applies where: 

  • The merchant’s website creates a payment form and “direct posts” payment data to a PCI-compliant third-party payment processor; or 
  • The merchant’s website provides an iframe or URL that redirects a consumer to a PCI-compliant third-party payment processor, but some elements of the payment page originate from the merchant website. 

SAQ B

For merchants that only process payment card data via imprint machines or via a standalone dial-out terminal. 

Card imprint machines are non-electronic machines that make an imprint of the payment card, transferring the imprint onto a carbon paper receipt, which is then stored by the merchant. 

Dial-out terminals are electronic machines that accept chip-and-PIN or magnetic-stripe cards, or let staff key card details in manually. To be eligible for SAQ B, a merchant’s standalone dial-out terminal must be connected to an analogue phone line and nothing else (no IP or network connection). 

SAQ B-IP

For merchants that don’t store card data in electronic format but use IP-connected POI (point-of-interaction) devices. These merchants may handle either card-present or card-not-present transactions.

SAQ C-VT

For merchants that process cardholder data only through a virtual payment terminal: a web browser on a single, isolated computer that connects to a third party which hosts the payment-processing function. The merchant must not store cardholder data electronically or run any other payment application on that computer. 

SAQ C

For merchants that process cardholder data via POS (point-of-sale) systems or other payment application systems connected to the Internet. 

To be eligible for SAQ C, a merchant must operate isolated payment application systems that are connected to the Internet and don’t store electronic cardholder data. 

SAQ D

For those that don’t fit into any of the above categories, including any merchant that stores cardholder data electronically. It is often referred to as ‘Report on Compliance Light’, because it covers all 12 PCI DSS requirements, though as a self-assessment rather than a QSA-conducted RoC. 

There are separate forms for merchants and service providers. 

SAQ P2PE-HW

For merchants that use card-present transactions, meaning it is not applicable to organisations that deal in e-commerce. 

Merchants that use a PCI-validated P2PE (point-to-point encryption) solution and have implemented it successfully are eligible for SAQ P2PE-HW. 

Identify the right SAQ with IT Governance

Hopefully you’ve now identified which SAQ applies to you, but how do you go about completing the form?

That’s where our PCI DSS Documentation Toolkit can help. It contains all the template documents you need to ensure complete coverage of your PCI DSS requirements.

All you need do is fill in the sections that are relevant to your organisation.

The toolkit also contains a document checker to help you select and edit the appropriate policy, so that you can create and amend documents as needs arise.

The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario.

It’s fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant with the Standard.

PCI DSS Subscription Program

PCI DSS: An Integrated Data Security Standard Guide 

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Ask DISC an InfoSec & compliance related question

Tags: pci dss, PCI SAQ


Jul 25 2022

Office macro security: on-again-off-again feature now BACK ON AGAIN!

Category: Cyber Spy | DISC @ 8:28 am

The phrase Office macros is a harmless-sounding, low-tech name that refers, in real life, to program code you can squirrel away inside Office files so that the code travels along with the text of a document, or the formulas of a spreadsheet, or the slides in a presentation…

…and even though the code is hidden from sight in the file, it can nevertheless sneakily spring into life as soon as you use the file in any way.

Those hidden macros, indeed, can be configured (by the sender, not by the recipient, you understand!) to trigger automatically when the file is opened; to override standard items in Office’s own menu bar; to run secondary programs; to create network connections; and much more.

Almost anything, in fact, that you could do with a regular .EXE file, which is the sort of file that few of us would willingly accept via email at all, even from someone we knew, and that most of us would be deeply cautious about downloading from a website we didn’t already know and trust.

Fighting back against cybercriminals

Thanks to macros and the hidden programming power they provide, Office documents have been widely used by cybercriminals for implanting malware since the 1990s.

Curiously, though, it took Microsoft 20 years (actually, closer to 25, but we’ll be charitable and round it down to two decades) to block Office macros by default in files that arrived over the internet.

As regular Naked Security readers will know, we were as keen as mustard about this simple change of heart, proclaiming the news, back in February 2022, with the words, “At last!”

To be fair, Microsoft already had a Group Policy (registry-backed) setting that you could use to turn on this safety feature for yourself, but by default it was off.

Enabling it was easy in theory, but not straightforward in practice, especially for small businesses and home users.

Either you needed a network with a sysadmin, who could turn it on for you using Group Policy, or you had to know exactly where to go and what to tweak by yourself on your own computer, using the policy editor or hacking the registry yourself.

So, turning this setting on by default felt like an uncontroversial cybersecurity step forward for the vast majority of users, especially given that the few who wanted to live dangerously could use the aforementioned policy edits or registry hacks to turn the security feature back off again.

Apparently, however, these “few” turned out [a] to be more numerous than you might have guessed and [b] to have been more inconvenienced by the change than you might have expected:


Notably, many people using cloud servers (including, of course, Microsoft’s own online data storage services such as SharePoint and OneDrive) had got used to using external servers, with external server names, as repositories that their friends or colleagues were expected to treat as if they were internal, company-owned resources.

Remember that old joke that “the cloud” is really just shorthand for “someone else’s computer”? Turns out that there’s many a true word spoken in jest.

Organisations that relied on sharing documents via cloud services, and who hadn’t taken the appropriate precautions to denote which external servers should be treated as official company sources…

…found their macros blocked by default, and voiced their displeasure loudly enough that Microsoft officially relented around the middle of 2022.

Within 20 weeks, a change that cybersecurity experts had spent 20 years hoping for had been turned off once more.
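The policy the article describes is a plain registry value, so you do not have to wait for Microsoft's default. The following is an added example, not code from the Naked Security article or from Microsoft: it enforces "Block macros from running in Office files from the Internet" for the current user through the value that the Office Group Policy template writes, and it registers a company SharePoint host as a Trusted Site so that documents fetched from it stop counting as "from the Internet", which is the precaution the cloud-sharing organisations above had skipped. It assumes Office 2016 or later (policy branch 16.0); `contoso.sharepoint.com` and the downloaded file name are hypothetical.

```powershell
# Added example, not code from the Naked Security article or from Microsoft.
# Assumptions: Office 2016 or later (policy branch 16.0); 'contoso.sharepoint.com' is a
# hypothetical tenant. Run in the affected user's context (HKCU), not as a different admin.

$officeApps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio'

function Set-OfficeInternetMacroBlock {
    param([ValidateSet(0, 1)][int]$Enabled = 1)
    foreach ($app in $officeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # 1 = block VBA in files carrying a Mark of the Web from zone 3 (Internet) or 4 (Restricted)
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value $Enabled -Type DWord
    }
}

function Get-OfficeInternetMacroBlock {
    foreach ($app in $officeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $item = Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -ErrorAction SilentlyContinue
        $state = if ($null -eq $item) { 'not set (build default applies)' } else { $item.blockcontentexecutionfrominternet }
        [pscustomobject]@{ App = $app; BlockInternetMacros = $state }
    }
}

# Windows security zones: 1 Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted.
# A file whose Mark of the Web names a Trusted Sites host is not treated as "from the Internet".
function Add-TrustedSiteHost {
    param([Parameter(Mandatory)][string]$HostName)
    $labels = $HostName.ToLowerInvariant().Split('.')
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    # Windows keys zone mappings as Domains\<registrable domain>\<subdomain>.
    # Two-label heuristic: multi-part public suffixes such as co.uk need manual handling.
    if ($labels.Count -gt 2) {
        $key = Join-Path (Join-Path $base ($labels[-2..-1] -join '.')) ($labels[0..($labels.Count - 3)] -join '.')
    } else {
        $key = Join-Path $base $HostName
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'https' -Value 2 -Type DWord
    return $key
}

# Show the Mark of the Web that drives the decision: ZoneId=3 plus the download host URL.
function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
}

Set-OfficeInternetMacroBlock -Enabled 1
Add-TrustedSiteHost -HostName 'contoso.sharepoint.com'
Get-OfficeInternetMacroBlock | Format-Table -AutoSize
Get-MarkOfTheWeb -Path "$env:USERPROFILE\Downloads\quarterly-report.docm"   # hypothetical downloaded file
```

Two things to note. `Get-MarkOfTheWeb` shows why a particular document was blocked: the `Zone.Identifier` alternate data stream carries `ZoneId=3` and, on recent Windows, the `HostUrl`, which is what Office compares against the Trusted Sites list. And `Set-OfficeInternetMacroBlock -Enabled 0` is exactly the "live dangerously" switch the article mentions; a machine-wide deployment should use the HKLM policy branch via Group Policy rather than per-user values, so users cannot flip it back.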

What to do?

The hows, whys and wherefores of Office macro security are now officially explained in two Microsoft documents:

Beginning Security with Microsoft Technologies: Protecting Office 365, Devices, and Data


Tags: Office macro security


Jul 23 2022

Hackers for Hire: Adversaries Employ ‘Cyber Mercenaries’

Category: Hacking, Information Security | DISC @ 2:14 pm

Also known as the Atlantis Cyber-Army, the emerging organization has an enigmatic leader and a core set of admins that offer a range of services, including exclusive data leaks, DDoS and RDP.

A for-hire cybercriminal group is feeling the talent-drought in tech just like the rest of the sector and has resorted to recruiting so-called “cyber-mercenaries” to carry out specific illicit hacks that are part of larger criminal campaigns.

Dubbed Atlas Intelligence Group (A.I.G.), the cybergang has been spotted by security researchers recruiting independent black-hat hackers to execute specific aspects of its own campaigns. A.I.G., also known as Atlantis Cyber-Army, functions as a cyber-threats-as-a-service criminal enterprise. The threat group markets services that include data leaks, distributed denial of service (DDoS), remote desktop protocol (RDP) hijacking and additional network penetration services, according to a Thursday report by threat intelligence firm Cyberint.

“[A.I.G.] has introduced us to out-of-the-box thinking,” Cyberint’s Shmuel Gihon wrote in the report.


A.I.G., according to researchers, is unique in its outsourcing approach to committing cybercrimes. Organized threat groups tend to recruit individuals with certain capabilities that they can reuse, and incentivise them with profit sharing. For example, Ransomware-as-a-Service organized crime campaigns can involve multiple threat actors, each getting a cut of any extorted lucre or digital assets stolen. What makes A.I.G. different is that it outsources specific aspects of an attack to “mercenaries” who have no further involvement in the attack.

The report’s author, Gihon, said only A.I.G. administrators and the group’s leader—dubbed Mr. Eagle—know fully what the campaign will be and outsource isolated tasks to hired guns based on their skillsets.

Unique Business Model

This uncommon business model also allows the group, which has been operating since the beginning of May, to offer a range of cybercriminal services instead of a single core competency, he said.

“While many groups are focusing on one, maybe two, services that they offer, Atlas seems to grow rapidly and expand its operations in an efficient way which allows them to offer many services,” Gihon wrote.

A.I.G. tends to target government and state assets in countries all over the world, including the United States, Pakistan, Israel, Colombia and United Arab Emirates, researchers found.

Mr. Eagle not only leads the campaigns but also doubles as a chief marketing officer of sorts, putting a significant effort into advertising A.I.G.’s various cybercriminal services, he said.

Anatomy of a Threat Group

Cyber Mercenaries: The State, Hackers, and Power

Tags: Cyber mercenaries, Hackers for Hire


Jul 22 2022

Candiru surveillance spyware DevilsTongue exploited Chrome Zero-Day to target journalists

Category: Web Security, Zero day | DISC @ 9:13 am

The spyware developed by Israeli surveillance firm Candiru exploited recently fixed CVE-2022-2294 Chrome zero-day in attacks on journalists.

Researchers from the antivirus firm Avast reported that the DevilsTongue spyware, developed by Israeli surveillance firm Candiru, was used in attacks against journalists in the Middle East and exploited the recently fixed CVE-2022-2294 Chrome zero-day.

The flaw, which was fixed by Google on July 4, 2022, is a heap buffer overflow in the Web Real-Time Communications (WebRTC) component, and it was the fourth Chrome zero-day patched by Google in 2022.

Most of the attacks uncovered by Avast researchers took place in Lebanon and threat actors used multiple attack chains to target the journalists. Other infections were observed in Turkey, Yemen, and Palestine since March 2022.

In one case the threat actors conducted a watering hole attack by compromising a website used by employees of a news agency.

The researchers noticed that the website contained artifacts associated with attempts to exploit an XSS flaw. The pages contained calls to the JavaScript function “alert” along with keywords like “test”, which suggests the attackers were testing the XSS vulnerability before ultimately exploiting it to inject the loader for a malicious JavaScript from an attacker-controlled domain (i.e. stylishblock[.]com).


This injected code was used to route the victims to the exploit server, through a chain of domains under the control of the attacker.

Once the victim lands on the exploit server, code developed by Candiru gathers more information about the target system, and only if the collected data satisfies the exploit server’s checks is the exploit used to deliver the spyware.

“While the exploit was specifically designed for Chrome on Windows, the vulnerability’s potential was much wider. Since the root cause was located in WebRTC, the vulnerability affected not only other Chromium-based browsers (like Microsoft Edge) but also different browsers like Apple’s Safari.” reads the analysis published by Avast. “We do not know if Candiru developed exploits other than the one targeting Chrome on Windows, but it’s possible that they did.”

The zero-day was chained with a sandbox escape exploit, but experts were not able to recover it due to the protection implemented by the malware.

After getting a foothold on the victim’s machine, the DevilsTongue spyware attempts to elevate its privileges by exploiting another zero-day. The malicious software targets a legitimate signed kernel driver in a BYOVD (Bring Your Own Vulnerable Driver) fashion. In order to exploit the driver, it has to be dropped to the filesystem first (Candiru used the path C:\Windows\System32\drivers\HW.sys), and the experts pointed out that this path can be used as an indicator of compromise. 
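A quick way to act on that indicator, as an added example that is not part of the Avast report: check for the dropped driver at the path the report gives, and more generally list kernel drivers that appeared on disk recently, since BYOVD by definition abuses a driver whose signature is valid. The 14-day window is an arbitrary choice, and the only indicator taken from the report is the `HW.sys` path.

```powershell
# Added example, not from the Avast report. Run elevated on the host under investigation.
# The only indicator taken from the report is the HW.sys path; the 14-day window is arbitrary.

$driverDir = "$env:SystemRoot\System32\drivers"

function Test-DevilsTongueDriverIoc {
    $ioc = Join-Path $driverDir 'HW.sys'
    if (-not (Test-Path $ioc)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $ioc
    [pscustomobject]@{
        Path    = $ioc
        Sha256  = (Get-FileHash -Path $ioc -Algorithm SHA256).Hash
        Signer  = $sig.SignerCertificate.Subject
        Status  = $sig.Status
        Created = (Get-Item $ioc).CreationTime
    }
}

# A valid signature is not a clean bill of health here: BYOVD drops a legitimately signed
# driver. WHQL-signed third-party drivers show "Microsoft Windows Hardware Compatibility
# Publisher" as signer, so triage on recency and whether the driver is actually loaded.
function Get-RecentKernelDrivers {
    param([int]$Days = 14)
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $driverDir -Filter *.sys -File |
        Where-Object { $_.CreationTime -gt $since -or $_.LastWriteTime -gt $since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $loaded = Get-CimInstance Win32_SystemDriver -Filter "PathName LIKE '%$($_.Name)%'" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name    = $_.Name
                Created = $_.CreationTime
                Status  = $sig.Status
                Signer  = $sig.SignerCertificate.Subject
                Loaded  = [bool]$loaded
                Sha256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Sort-Object Created -Descending
}

Test-DevilsTongueDriverIoc
Get-RecentKernelDrivers -Days 14 | Format-Table Name, Created, Status, Loaded, Signer -AutoSize
```

If `Test-DevilsTongueDriverIoc` returns anything, record the hash and signer before touching the file: the same vulnerable driver may be shipped legitimately by its vendor under another name, so the hash, not the filename, is what you want to pivot on across the fleet.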

“While there is no way for us to know for certain whether or not the WebRTC vulnerability was exploited by other groups as well, it is a possibility. Sometimes zero-days get independently discovered by multiple groups, sometimes someone sells the same vulnerability/exploit to multiple groups, etc. But we have no indication that there is another group exploiting this same zero-day.” concludes the report.

Tags: Candiru surveillance spyware, Chrome zero-day


Jul 21 2022

Apple patches “0-day” browser bug fixed 2 weeks ago in Chrome, Edge

Category: Web Security, Zero day | DISC @ 2:53 pm

Apple has disgorged its latest patches, fixing more than 50 CVE-numbered security vulnerabilities in its range of supported products.

The relevant security bulletins, update numbers, and where to find them online are as follows:

  • APPLE-SA-2022-07-20-1: iOS 15.6 and iPadOS 15.6, details at HT213346
  • APPLE-SA-2022-07-20-2: macOS Monterey 12.5, details at HT213345
  • APPLE-SA-2022-07-20-3: macOS Big Sur 11.6.8, details at HT213344
  • APPLE-SA-2022-07-20-4: Security Update 2022-005 Catalina, details at HT213343
  • APPLE-SA-2022-07-20-5: tvOS 15.6, details at HT213342
  • APPLE-SA-2022-07-20-6: watchOS 8.7, details at HT213340
  • APPLE-SA-2022-07-20-7: Safari 15.6, details at HT213341

As usual with Apple, the Safari browser patches are bundled into the updates for the latest macOS (Monterey), as well as into the updates for iOS and iPad OS.

But the updates for the older versions of macOS don’t include Safari, so the standalone Safari update (see HT213341 above) applies to users of previous macOS versions (both Big Sur and Catalina are still officially supported), who will need to download and install two updates, not just one.

Zero Days - Season 1


Tags: 0-day, browser bug, zero-day


Jul 21 2022

Enroll for free in ISO 27001 online courses

Category: ISO 27k | DISC @ 10:03 am

Build your ISO 27001 knowledge and win new business with Advisera’s free ISO 27001 online courses. And you can be sure that you chose the right learning partner, since all Advisera’s courses are now accredited by ASIC, the internationally respected assurance body for online learning providers worldwide.

The courses’ structure is simple:

  • Modules that cover important topics related to ISO 27001.
  • Video lectures give you an opportunity to learn from ISO 27001 top experts.
  • Quizzes teach you how to apply what you have learned through practical examples.
  • Recap quiz at the end of each module helps you reinforce the acquired knowledge.

Choose your free course

You can choose the course based on your specific needs:

  • ISO 27001 Foundations course – you’ll learn about all of the standard’s requirements and the best practices for compliance.
  • ISO 27001 Internal Auditor course – besides the knowledge about the standard, you’ll also learn how to perform an internal audit in the company.
  • ISO 27001 Lead Auditor course – besides the knowledge about the standard, it also includes the training you need to become certified as a certification auditor.
  • ISO 27001 Lead Implementer course – besides the knowledge about the standard, it also includes the training you need to become an independent consultant for Information Security Management System implementation.

The online courses are suitable both for beginners and experienced professionals.

Learn at your preferred speed from any location at any time.

Tags: ISO 27001 online courses, ISO27k courses, ISO27k training


Jul 21 2022

Microsoft adds default protection against RDP brute-force attacks

Category: Security Operations Center | DISC @ 9:37 am

“Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors,” David Weston of Enterprise and OS Security at Microsoft, announced, just as the company confirmed that it will resume the rollout of the default blocking of VBA macros obtained from the internet.

Brute-forced RDP access and malicious macros have for a long time been two of the most popular tactics used by threat actors to gain unauthorized access to Windows systems.

Minimizing the RDP attack vector

The Windows Account Lockout Policy allows enterprise network admins to set a lockout threshold – a specific number of failed logon attempts – after which a user account will be locked.

Brute-forcing is a method used by attackers to take over accounts. Usually automated with the help of a software tool, the attack involves submitting many passwords in a row until the right one is “guessed”.

From Windows 11 build 22528.1000 and onwards, the account lockout threshold is, according to Bleeping Computer, set to 10 failed login attempts in 10 minutes, which should make this type of attack harder to pull off.

The revelation has set off calls for the control to be backported to older Windows and Windows Server versions, a move that’s apparently in the works.
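On versions that do not yet ship the new default, the same policy is a one-line change, and the Security log already tells you whether anyone is hammering RDP. The following is an added example, not code from the Help Net Security article or from Microsoft: it reads and sets the local lockout policy to the 10-failures-in-10-minutes values described above, and groups failed-logon events by source address to surface brute-force sources. It assumes an English-language Windows (the `net accounts` output is parsed by label), a standalone or workgroup host (domain-joined machines take the policy from the Default Domain Policy instead), and an elevated PowerShell session.

```powershell
# Added example, not code from the article or from Microsoft. Run elevated.
# Assumes English 'net accounts' output and a non-domain-joined host.

function Get-LocalLockoutPolicy {
    $out = net accounts
    # Lockout threshold reads 'Never' when it is 0, the long-standing pre-Windows-11 default.
    [pscustomobject]@{
        Threshold      = ($out | Select-String 'Lockout threshold:\s+(.+)$').Matches[0].Groups[1].Value.Trim()
        DurationMin    = ($out | Select-String 'Lockout duration \(minutes\):\s+(.+)$').Matches[0].Groups[1].Value.Trim()
        ObservationMin = ($out | Select-String 'Lockout observation window \(minutes\):\s+(.+)$').Matches[0].Groups[1].Value.Trim()
    }
}

function Set-LocalLockoutPolicy {
    param([int]$Threshold = 10, [int]$DurationMinutes = 10, [int]$WindowMinutes = 10)
    # Windows requires duration >= observation window; 10/10/10 mirrors the Windows 11 default.
    net accounts /lockoutthreshold:$Threshold /lockoutduration:$DurationMinutes /lockoutwindow:$WindowMinutes | Out-Null
    Get-LocalLockoutPolicy
}

# Event 4625 = failed logon. Logon type 10 (RemoteInteractive) is classic RDP; type 3 (Network)
# is what RDP with Network Level Authentication records, and what most brute-force tools produce.
function Get-RdpBruteForceSources {
    param([int]$Hours = 24, [int]$MinFailures = 10)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; Ip = $d['IpAddress']; User = $d['TargetUserName']; LogonType = $d['LogonType'] }
        } |
        Where-Object { $_.LogonType -in '3', '10' -and $_.Ip -and $_.Ip -ne '-' } |
        Group-Object Ip |
        Where-Object { $_.Count -ge $MinFailures } |
        ForEach-Object {
            [pscustomobject]@{
                SourceIp = $_.Name
                Failures = $_.Count
                Accounts = ($_.Group.User | Sort-Object -Unique) -join ','
                First    = ($_.Group.Time | Measure-Object -Minimum).Minimum
                Last     = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        } | Sort-Object Failures -Descending
}

Get-LocalLockoutPolicy
Set-LocalLockoutPolicy -Threshold 10 -DurationMinutes 10 -WindowMinutes 10
Get-RdpBruteForceSources -Hours 24 -MinFailures 10 | Format-Table -AutoSize
```

The `Accounts` column is the useful bit for triage: one source cycling through `administrator`, `admin`, `user` and similar names is password spraying, which a per-account lockout slows but does not stop, so the policy is a mitigation to pair with Network Level Authentication and not exposing 3389 to the internet at all.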


Minimizing the effect of Brute Force Attack 

Tags: Microsoft, RDP brute-force attacks


Jul 20 2022

Catches of the Month: Phishing Scams for July 2022

Category: Phishing | DISC @ 1:41 pm

Welcome to our July 2022 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over their personal data.

This month, we look at a cyber attack at OpenSea, a US school district that was tricked into transferring funds to a crook and a report on the rising threat of phishing.

NFT marketplace warns users of phishing scams

Last month, the world’s largest NFT (non-fungible token) marketplace, OpenSea, disclosed a data breach in which users’ email addresses were compromised.

The organisation’s head of security, Cory Hardman, said that the breach occurred when an employee at a third-party email delivery vendor downloaded the details of OpenSea users and newsletter subscribers.

OpenSea has since warned that the information could be used to launch phishing attacks.

“If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement,” Hardman said.

“Because the data compromise included email addresses, there may be a heightened likelihood for email phishing attempts.”

OpenSea warned users via an email notification

Hardman provided tips to help OpenSea users spot phishing attacks. He urged people to keep an eye out for emails that use domains replicating the genuine OpenSea.io address.

Cyber criminals could do this by using a different top-level domain (such as opensea.org), or by deliberately misspelling the domain name (such as opensae.io).
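Both of those tricks can be caught mechanically at the mail gateway or in a SIEM. The following is an added example, not code from the IT Governance post or from OpenSea: it flags a sender domain as a lookalike if it reuses the brand name under a different top-level domain, buries the brand domain inside a subdomain, or sits within a small edit distance of the brand name (a Damerau-Levenshtein distance, so a transposition such as `opensae` counts as one change). `opensea.io` is the brand from the post; the sample sender domains are constructed for the example.

```powershell
# Added example, not code from the original post or from OpenSea.
# Brand domain is taken from the post; the sample sender domains below are constructed.

function Get-EditDistance {
    param([string]$a, [string]$b)
    # Damerau-Levenshtein (optimal string alignment): insert/delete/substitute cost 1,
    # and an adjacent transposition (opensea -> opensae) also costs 1 instead of 2.
    $d = New-Object 'int[,]' -ArgumentList ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
            if ($i -gt 1 -and $j -gt 1 -and $a[$i - 1] -eq $b[$j - 2] -and $a[$i - 2] -eq $b[$j - 1]) {
                $d[$i, $j] = [Math]::Min($d[$i, $j], $d[$i - 2, $j - 2] + 1)
            }
        }
    }
    return $d[$a.Length, $b.Length]
}

function Test-LookalikeDomain {
    param([Parameter(Mandatory)][string]$Domain, [string]$Brand = 'opensea.io', [int]$MaxDistance = 2)
    $Domain = $Domain.ToLowerInvariant().TrimEnd('.')
    $Brand = $Brand.ToLowerInvariant()
    $brandLabels = $Brand.Split('.')
    $brandName = $brandLabels[-2]
    $labels = $Domain.Split('.')
    # Registrable name = label left of the TLD (simplification: multi-part suffixes like co.uk not handled).
    $registrable = if ($labels.Count -ge 2) { $labels[-2..-1] -join '.' } else { $Domain }
    $name = if ($labels.Count -ge 2) { $labels[-2] } else { $labels[0] }
    $tld = $labels[-1]
    $verdict = 'unrelated'; $reason = ''
    if ($registrable -eq $Brand) {
        $verdict = 'genuine'; $reason = 'brand domain or a subdomain of it'
    } elseif ($name -eq $brandName -and $tld -ne $brandLabels[-1]) {
        $verdict = 'lookalike'; $reason = "brand name under different TLD .$tld"
    } elseif ($labels.Count -gt 2 -and ($labels[0..($labels.Count - 3)] -contains $brandName)) {
        $verdict = 'lookalike'; $reason = "brand name used as a subdomain of $registrable"
    } else {
        $dist = Get-EditDistance $name $brandName
        if ($dist -le $MaxDistance) { $verdict = 'lookalike'; $reason = "registrable name '$name' is $dist edit(s) from '$brandName'" }
    }
    [pscustomobject]@{ Domain = $Domain; Verdict = $verdict; Reason = $reason }
}

# Constructed sample sender domains for the demonstration.
$samples = 'opensea.io', 'mail.opensea.io', 'opensea.org', 'opensae.io', 'open-sea.io', 'opensea.io.verify-login.com', 'example.com'
$samples | ForEach-Object { Test-LookalikeDomain -Domain $_ } | Format-Table -AutoSize
```

Run against the sample list, `opensea.io` and `mail.opensea.io` come back `genuine`, `opensea.org` is flagged for the TLD swap, `opensae.io` and `open-sea.io` for edit distance 1, `opensea.io.verify-login.com` for burying the brand in a subdomain, and `example.com` is `unrelated`. Keep `MaxDistance` small: at 3 or more, short brand names start matching unrelated legitimate domains.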

Hardman also advised users not to download or open email attachments if they believe the message is suspicious, and to never sign wallet transactions if prompted directly via email.

It was that technique that caught out fans of the NFT artist Beeple last month. His Twitter account was hacked, with the attackers stealing $70,000 (about £56,000) worth of cryptocurrency.

In addition to the theft, the cyber criminals shared a phishing link on Beeple’s Twitter account that, if clicked, took money directly from the victims’ wallets.

Incidents such as this and the OpenSea hack demonstrate the challenges that NFT trading presents. Although many people are enticed into NFTs because the market is unregulated, that also creates major security risks.

Whereas banks and other regulated trading platforms are required to take steps to protect people’s assets – and will typically have proof of unauthorised access – the crypto culture emphasises personal responsibility.

If a cyber criminal compromises a crypto wallet, victims have little recourse and will have to accept their loss.

School district accidentally wires $200,000 to fraudulent bank

The Floyd County School District in Georgia admitted in June that it had wired $197,672.76 (about £164,000) to a bank account controlled by cyber criminals.

Officials said they received the request from an email address seemingly associated with Ben Hill Roofing, an organisation that had previously worked with a school in the district.

Floyd County Schools made the payment on 29 April, and was only alerted to its mistake after the real Ben Hill Roofing submitted an invoice.

Speaking to a local news outlet, the school district said: “Floyd County Schools has been made aware of a spear phishing incident, which is a targeted email attack pretending to be from a trusted sender. This cyber-attack resulted in funds being stolen from the school system by an outside source.”

It added: “We are working with local law enforcement, GEMA, GBI, and insurance officials to recover the funds.

“Because of the cyber security measures FCS has put in place over the past few years, school system officials believe this is an isolated incident. Due to the ongoing investigation, more details cannot be released at this time.”

Floyd County Schools has since recovered almost all of the stolen funds following a police investigation. Officers traced the stolen money to a bank in Texas, which had already flagged the account as suspicious.

Phishing attacks reach all-time high, report finds

The first three months of 2022 saw more than a million reported phishing attacks, according to the APWG’s Phishing Activity Trends Report.

It’s the highest number of phishing attacks that has ever been reported in a quarter, and it follows a steady increase in attacks throughout the past year. In April 2021, the APWG observed just over 200,000 phishing attacks. By March 2022, it almost doubled, to 384,291. 

According to the report, the industry most likely to be targeted was the financial sector. It found that 23.6% of all incidents affected organisations that provide such services. 

The next most frequent targets were software-as-a-service and webmail providers (20.5%) and e-commerce sites and retail stores (14.6%).

The report also found that 12.5% of phishing attacks target social media sites, while cryptocurrency platforms account for 6.6% of incidents. 

According to John Wilson, Senior Fellow of Threat Research at HelpSystems, the majority of phishing attacks are conducted using BEC (business e-mail compromise).

Wilson noted that in the first quarter of 2022, 82% of BEC messages were sent from free webmail accounts. Gmail is the most popular provider, accounting for 60% of BEC scams. 

Meanwhile, 18% of BEC messages used email domains owned by the attacker. 

The report also found that the average sum that scammers requested in wire transfer BEC attacks in Q1 2022 was $84,512 (about £70,000). This is a significant increase over the previous quarter, in which scammers requested $50,027 (about £42,000) on average. 

Can you spot a scam?

All organisations are vulnerable to phishing, no matter their size or the sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.

Tags: Phishing scams, phishing training


Jul 20 2022

The past, present and future of Metasploit

Category: Security Tools | DISC @ 9:19 am

Metasploit is the most used penetration testing framework. In this Help Net Security video, Spencer McIntyre, Lead Security Researcher at Rapid7, talks about how Metasploit enables defenders to always stay one step (or two) ahead of the game, and offers a glimpse into the future.

McIntyre is a lead security researcher at Rapid7, where he manages the Metasploit Framework’s dedicated research and development team. He has been contributing to Metasploit since 2010, a committer since 2014, and a core team member at Rapid7 since 2019.

#METASPLOIT: Utilize the Most Frequently Used Penetration Testing Framework


Tags: Metasploit


Jul 20 2022

Millions of vehicles can be attacked via MiCODUS MV720 GPS Trackers

Category: Cyber Attack, Hardware Security, Threat detection | DISC @ 8:28 am

Multiple flaws in MiCODUS MV720 Global Positioning System (GPS) trackers shipped with over 1.5 million vehicles can allow attackers to remotely compromise them.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to warn of multiple security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers which are used by over 1.5 million vehicles.

MiCODUS flaws

An attacker can exploit the flaws to remotely disrupt critical functions of the affected vehicles.

“CISA has released an Industrial Controls Systems Advisory (ICSA) detailing six vulnerabilities that were discovered in MiCODUS MV720 Global Positioning System Tracker. Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control of the global positioning system tracker.” reads the advisory published by CISA. “These vulnerabilities could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.”

The MiCODUS MV720 GPS Tracker is a popular vehicle GPS tracker manufactured in China, which is used by consumers for theft protection and location management, and by organizations for vehicle fleet management.

The flaws were discovered by BitSight researchers; five of them are tracked as CVE-2022-2107, CVE-2022-2141, CVE-2022-2199, CVE-2022-34150 and CVE-2022-33944, and a sixth has not yet been assigned a CVE.

Researchers from BitSight who discovered the issues reported that threat actors could hack into the tracker to potentially cut off fuel, physically stop vehicles, or track the movement of vehicles using the device.

MiCODUS is used today by 420,000 customers in multiple industries, including government, military, law enforcement agencies, and Fortune 1000 companies.

The list of the vulnerabilities discovered by the researchers in September 2021 is reported below:

  • CVE-2022-2107 (CVSS score: 9.8) – The use of hard-coded credentials may allow an attacker to log into the web server, impersonate the user, and send SMS commands to the GPS tracker as if they were coming from the GPS owner’s mobile number.
  • CVE-2022-2141 (CVSS score: 9.8) – Improper authentication allows a user to send some SMS commands to the GPS tracker without a password.
  • CVE-2022-2199 (CVSS score: 7.5) – A cross-site scripting vulnerability could allow an attacker to gain control by deceiving a user into making a request.
  • CVE-2022-34150 (CVSS score: 7.1) – The main web server has an authenticated Insecure Direct Object References (IDOR) vulnerability on parameter “Device ID,” which accepts arbitrary Device IDs without further verification.
  • CVE-2022-33944 (CVSS score: 6.5) – The main web server has an authenticated IDOR vulnerability on POST parameter “Device ID,” which accepts arbitrary Device IDs.
  • Experts found a sixth issue that has yet to receive a CVE (CVSS score: 8.1): all devices ship preconfigured with the default password 123456, as does the mobile interface. There is no mandatory rule to change the password, nor is there any claiming process. The setup itself does not require a password change to use the device, and the researchers observed that many users have never changed their passwords.

The analysis of the sector usage on a global scale revealed significant differences by continent in the typical user profile. Most North American organizations using flawed MiCODUS devices are in the manufacturing sector, while those in South America are government entities. MiCODUS users in Europe belong to diverse sectors, ranging from finance to energy.

BitSight recommends that users immediately stop using or disable any MiCODUS MV720 GPS trackers, given the severity of the flaws, at least until the vendor addresses the issues.

“If China can remotely control vehicles in the United States, we have a problem,” said Richard Clarke, internationally renowned national security expert and former presidential advisor on cybersecurity. “With the fast growth in adoption of mobile devices and the desire for our society to be more connected, it is easy to overlook the fact that GPS tracking devices such as these can greatly increase cyber risk if they are not built with security in mind. BitSight’s research findings highlight how having secure IoT infrastructure is even more critical when these vulnerabilities can easily be exploited to impact our personal safety and national security, and lead to extreme outcomes such as large-scale fleet management interruption and even loss of life.”

Researchers highlighted the risk that a nation-state actor could exploit the above vulnerabilities to gather intelligence on entities operating in the military sector or on one of its suppliers. Data such as supply routes, troop movements, and recurring patrols could be revealed by exploiting these flaws.

“Although GPS trackers have existed for many years, streamlined manufacturing of these devices has made them accessible to anyone. Having a centralized dashboard to monitor GPS trackers with the ability to enable or disable a vehicle, monitor speed, routes and leverage other features is useful to many individuals and organizations. However, such functionality can introduce serious security risks. Unfortunately, the MiCODUS MV720 lacks basic security protections needed to protect users from serious security issues. With limited testing, BitSight uncovered a multitude of flaws affecting all components of the GPS tracker ecosystem.” concludes the report. “BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available. Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which may place any device at risk.”

Unpatched flaws in popular GPS devices could let hackers disrupt and track vehicles

These days car security is essential. Thieves are finding more ways of stealing cars and other four-wheeled vehicles. In this book we give details of an anti-theft system that will help car owners secure their cars. The system is efficient and affordable, and it offers more advantages than other anti-theft systems. Its main feature is that the owner will get information if the car is being stolen, along with the location of the car (longitude and altitude).

Anti-theft Locking and Tracking system using GSM and GPS Technology

Tags: Car Security, GPS Trackers


Jul 19 2022

Russia-linked APT29 relies on Google Drive, Dropbox to evade detection

Category: APT,Threat detectionDISC @ 8:43 am

Russia-linked threat actors APT29 are using the Google Drive cloud storage service to evade detection.

Palo Alto Networks researchers reported that the Russia-linked APT29 group, tracked by the researchers as Cloaked Ursa, started using the Google Drive cloud storage service to evade detection.

The Russia-linked APT29 group (aka SVR group, Cozy Bear, and The Dukes) has been active since at least 2014 and, along with the APT28 cyber espionage group, was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.

The attackers used online storage services to exfiltrate data and to drop their malicious payloads.

The use of legitimate cloud services is not a novelty to this nation-state actor, but experts pointed out that in the two most recent campaigns the hackers leveraged Google Drive cloud storage services for the first time.

“The ubiquitous nature of Google Drive cloud storage services – combined with the trust that millions of customers worldwide have in them – make their inclusion in this APT’s malware delivery process exceptionally concerning.” reads the analysis published by Palo Alto Networks. “The most recent campaigns by this actor provided a lure of an agenda for an upcoming meeting with an ambassador.”

The recent campaigns observed by the experts targeted multiple Western diplomatic missions between May and June 2022. The lures included in these campaigns revealed that the nation-state actors targeted a foreign embassy in Portugal as well as a foreign embassy in Brazil. The phishing messages included a link to a malicious HTML file (EnvyScout) that acted as a dropper for additional malicious payloads, including a Cobalt Strike beacon.

EnvyScout is a tool used to further infect the target with other implants. Threat actors used it to deobfuscate the contents of the second-stage malware, which takes the form of a malicious ISO file. This technique is known as HTML smuggling.

Threat hunting based on the creation time, producer and PDF version metadata of the phishing sample analyzed by Palo Alto Networks allowed the experts to identify other suspicious documents that were uploaded to VirusTotal in early April 2022.

“Many of these documents appear to be phishing documents associated with common cybercrime techniques. This suggests that there is likely a common phishing builder being leveraged by cybercrime and APT actors alike to generate these documents.” continues the report.

The file Agenda.html employed in the attack was used to deobfuscate a payload, and also for writing a malicious ISO file to the victim’s hard drive. The payload file is an ISO file named Agenda.iso.

Once the ISO has been downloaded, the user has to click it to start the infection chain and execute the malicious code on the target system. The user must double-click the ISO file and subsequently double-click the shortcut file, Information.lnk, to launch the infection process.
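
The following Python triage script is an added example, not Palo Alto Networks' tooling, and it carries no EnvyScout signature: it scans an HTML file for the in-browser payload-assembly building blocks that smuggling an ISO out of an HTML page relies on (base64 decoding, Blob construction, an object URL, a forced download with a container extension, a large encoded literal) and returns a verdict, which is the kind of check a mail gateway or sandbox pre-filter can run on an attachment such as Agenda.html. Both sample pages are constructed, and the "payload" in the second one is filler, so it is not a working dropper.

```python
"""Static triage for HTML smuggling droppers.

Added example, not Palo Alto Networks' code. The regexes are heuristics for
the building blocks of in-browser payload assembly, not a signature for any
specific family. Sample pages are constructed; the encoded literal is filler.
"""
import re

# Each indicator is one building block of assembling a file inside the browser.
INDICATORS = {
    "base64_decode":   re.compile(r"\batob\s*\(|String\.fromCharCode", re.I),
    "blob_construct":  re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url":      re.compile(r"URL\.createObjectURL|msSaveOrOpenBlob", re.I),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "container_name":  re.compile(r"[\"'][^\"']*\.(iso|img|zip|lnk)[\"']", re.I),
    "large_literal":   re.compile(r"[\"'][A-Za-z0-9+/=]{512,}[\"']"),
    "octet_stream":    re.compile(r"application/octet-stream", re.I),
}


def matched_indicators(html: str) -> list:
    """Names of the indicators present in the page, sorted for stable output."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(html))


def is_smuggling_candidate(html: str) -> bool:
    """Verdict: a Blob is built in-page AND handed to the user as a download,
    or at least four building blocks co-occur. A plain download link alone
    never trips the rule."""
    hits = set(matched_indicators(html))
    assembles_and_drops = "blob_construct" in hits and hits & {"object_url", "forced_download"}
    return bool(assembles_and_drops) or len(hits) >= 4


# Constructed benign page: an ordinary download link, no in-browser assembly.
BENIGN_PAGE = """<html><body>
<h1>Meeting agenda</h1>
<a href="agenda.pdf" download="agenda.pdf">Download the agenda</a>
<script>document.title = "Agenda";</script>
</body></html>"""

# Constructed suspicious page: the assembly skeleton with filler in place of a
# payload and no byte conversion or click, so it does nothing if opened.
FILLER = "QUFB" * 200   # 800 base64 characters of filler
SMUGGLING_PAGE = (
    "<html><body><script>\n"
    'var b64 = "' + FILLER + '";\n'
    "var bin = atob(b64);\n"
    'var blob = new Blob([bin], {type: "application/octet-stream"});\n'
    'var a = document.createElement("a");\n'
    "a.href = URL.createObjectURL(blob);\n"
    'a.download = "Agenda.iso";\n'
    "</script></body></html>"
)


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspicious", SMUGGLING_PAGE)):
        print(label, is_smuggling_candidate(page), matched_indicators(page))
```

Run on the two constructed pages, the benign one matches only the download attribute and is cleared, while the second trips the Blob-plus-download rule. In production this is a pre-filter: the decoded Blob contents, not the HTML, are what you hand to the sandbox, and heavy JavaScript obfuscation of the indicator names is itself a reason to escalate.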

“Their two most recent campaigns demonstrate their sophistication and their ability to obfuscate the deployment of their malware through the use of DropBox and Google Drive services. This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide.” concludes the report.

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

Tags: APT29, dropbox, Google drive


Jul 18 2022

Virtual CISOs Are the Best Defense Against Accelerating Cyber-Risks

Category: CISO,Information Security,vCISODISC @ 11:17 am
A poor, permanent hire can be a very expensive error, whereas a mis-hire on a virtual CISO can be rapidly corrected.

The cybersecurity challenges that companies are facing today are vast, multidimensional, and rapidly changing. Exacerbating the issue is the relentless evolution of threat actors and their ability to outmaneuver security controls effortlessly.

As technology races forward, companies without a full-time CISO are struggling to keep pace. For many, finding, attracting, retaining, and affording the level of skills and experience needed is out of reach or simply unrealistic. Enter the virtual CISO (vCISO). These on-demand experts provide security insights to companies on an ongoing basis and help ensure that security teams have the resources they need to be successful.

How a vCISO Works
Typically, an engagement with a vCISO is long-lasting, but in a fractional delivery model. This is very different from a project-oriented approach that requires a massive investment and results in a stack of deliverables for the internal team to implement and maintain. A vCISO not only helps to form the approach, define the action plan, and set the road map but, importantly, stays engaged throughout the implementation and well into the ongoing management phases.

The best vCISO engagements are long-term contracts, such as 12 to 24 months. Typically, there’s an upfront effort where the vCISO is more engaged in the first few months to establish an understanding, develop a road map, and create a rhythm with the team. Then their support settles into a regular cadence, which can range from two to three days per week or five to ten days per month.

What to Expect From a vCISO
When bringing a vCISO on board, it’s important that person has three key attributes: broad and extensive experience in addressing cybersecurity challenges across many industries; business acumen and the ability to rapidly absorb complex business models and strategies; and knowledge of technology solutions and dynamics that can be explored to meet specific organizational needs.

The first thing a vCISO will focus on is prioritization, beginning with understanding a company’s risks. They will then organize actions that provide the greatest positive influence on mitigating these risks while ensuring sustainability in the program. The goal is to establish a security approach that addresses the greatest risks to the business in a way that has staying power and can provide inherent value to additional downstream controls.

Having extensive experience in the technical space, a vCISO can take into consideration the full spectrum of options — those existing within the business environment, established products and services in the marketplace, and new solutions entering the market. Just within that context, a vCISO can collaborate with the technical team to take advantage of existing solutions and identify enhancements that can further capabilities in a cost-efficient manner.

The Value of a vCISO
One of the most common findings is that companies often have a large portfolio of cybersecurity technology, but very little is fully deployed. Additionally, most tech teams are not leveraging all of the capabilities, much less integrating with other systems to get greater value. Virtual CISOs help companies save money by exploiting existing technical investments that dramatically improve security. And, since the improvement is focused on existing tools, the transition for the IT and security staff is virtually eliminated due to established familiarity with the environment.

Another essential value point of a vCISO is access to an informed and well-balanced view on risk and compliance. While cybersecurity is dominated by technical moving parts, the reality is that the board, executive leadership, and management team need to incorporate cyber-risks and related liabilities into the overall scope of risk across the business at an executive level. In this sense, leadership has a vast array of competing challenges, demands, and risks, some of which can be even more impactful than cybersecurity.

How to Convince the Executive Team
A CEO is under a constant barrage of challenges, problems, risks, and opportunities. Cybersecurity needs to be part of that formula. If one of the core values of having a vCISO is getting meaningful cyber-risk insights, then trust and confidence in that person is paramount and needs to be established from the beginning.

Another challenge is the team dynamic — at the heart of being a CEO is their success as a leader. Introducing what is essentially a consultant can be an adjustment for the team. It’s important that the vCISO hire fits the culture and can easily integrate with everyone on the team including the CIO, CTO, CPO, CRO, etc.

The conversation with the CFO will understandably have a heavy financial tone. For companies debating between a full-time CISO or a vCISO, it’s clear a poor permanent hire can be a very expensive error, whereas a mis-hire on a vCISO can be rapidly corrected.

As organizations continue to come to grips with the byproducts of digitization and new security challenges that often seem insurmountable, a vCISO can be an enormous value. Beyond offering an efficient and cost-effective model, they bring many advantages to businesses with fewer risks than a dedicated resource.

Source: https://www.darkreading.com/careers-and-people/virtual-cisos-are-the-best-defense-against-accelerating-cyber-risks

Ransomware’s Silver Bullet – The Virtual CISO Publication Series: Cybersecurity

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Ask DISC an InfoSec & compliance related question

Tags: CISO, vCISO, Virtual CISOs


Jul 18 2022

Tor Browser 11.5 is optimized to automatically bypass censorship

Category: Dark Web,Web SecurityDISC @ 8:40 am

The Tor Project team has announced the release of Tor Browser 11.5, which introduces functionalities to automatically bypass censorship.

The Tor Project team has announced the release of Tor Browser 11.5; the new version of the popular privacy-oriented browser implements new features to fight censorship.

With previous versions of the browser, circumventing censorship of the Tor Network itself was a manual process that required users to dive into the Tor Network settings and choose a bridge to unblock Tor.

Experts pointed out that censorship of Tor isn’t uniform: a pluggable transport or bridge configuration that works in one country may not work elsewhere.

Tor Browser 11.5 implements a new feature called “Connection Assist”, developed to automatically apply the bridge configuration that is most likely to let users in a specific location bypass censorship.

“In collaboration with the Anti-Censorship team at the Tor Project, we’ve sought to reduce this burden with the introduction of Connection Assist: a new feature that when required will offer to automatically apply the bridge configuration we think will work best in your location for you.” reads the announcement published by the Tor Project. “Connection Assist works by looking up and downloading an up-to-date list of country-specific options to try using your location (with your consent). It manages to do so without needing to connect to the Tor Network first by utilizing moat – the same domain-fronting tool that Tor Browser uses to request a bridge from torproject.org.”

Connection Assist downloads an up-to-date list of options that optimize the connection from the user’s country. To do this, the browser first requests the user’s consent.

Maintainers at the Tor Project pointed out that this is only version 1.0 of the Connection Assist, for this reason, they invite users to submit their feedback to help them improve the user experience in future releases.

“Users from countries where the Tor Network may be blocked (such as Belarus, China, Russia and Turkmenistan) can test the most recent iteration of this feature by volunteering as an alpha tester, and reporting your findings on the Tor forum.” continues the announcement.

Another change in version 11.5 is that ‘HTTPS-Only Mode’ is now enabled by default on desktop, and HTTPS Everywhere is no longer bundled with Tor Browser.

The above features are all for desktop; the announcement also provides an update for Android users, because Tor Browser for Android is well behind desktop in terms of feature parity.

The announcement adds: “Since the beginning of the year our priorities for Android have been three-fold:

  1. Start releasing regular updates for Android again
  2. Fix the crashes that many Android users have experienced
  3. Begin catching up with Fenix (Firefox for Android) releases”

The latest version of the Tor Browser is available on the official download portal.

Tor Browser Handbook: Quick Start Guide On How To Access The Deep Web, Hide Your IP Address and Ensure Internet Privacy (Includes a Tor Installation Guide for Linux & Windows + Over 50 Helpful Links)

Tags: Tor Browser


Jul 15 2022

What is Deepfake, and how does it Affect Cybersecurity?

Category: DeepfakesDISC @ 8:34 am

Producing deepfakes is easy; detecting them is hard. They operate with a description of reality rather than reality itself (e.g., a video). Any artifact a detection system can identify as evidence of a deepfake can be removed in a subsequent deepfake generation. This article discusses the art of the deepfake.

#DeepFake: What happens when anyone can make a video of you saying anything?

Deepfake by Sarah Darer Littman | Fall 2020 Online Preview - YouTube

Tags: Deepfake


Jul 14 2022

Vendor Security Assessment

Category: Information Security,Vendor AssessmentDISC @ 8:43 am

Assessing the security of network equipment.

This document provides guidance on how operators should assess the security of a vendor’s security processes and network equipment, and is referenced in the Telecom Security Act Code of Practice.

The purpose of the guidance is to allow operators to objectively assess the cyber risk due to use of the vendor’s equipment. This is performed by gathering objective, repeatable evidence on the security of the vendor’s processes and network equipment.

https://www.ncsc.gov.uk/report/vendor-security-assessment

Cybersecurity and Third-Party Risk: Third Party Threat Hunting

Tags: supply chain, Third-party risk management, third-party vendor program, Vendor Security Assessment


Jul 14 2022

Microsoft published exploit code for a macOS App sandbox escape flaw

Category: App SecurityDISC @ 8:35 am

Microsoft publicly disclosed technical details for an access issue vulnerability, tracked as CVE-2022-26706, that resides in the macOS App Sandbox.

“Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system.” reads the post published by Microsoft.

Microsoft reported the issue to Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in October 2021. Apple addressed the CVE-2022-26706 flaw on May 16, 2022. 

“An access issue was addressed with additional sandbox restrictions on third-party applications. This issue is fixed in tvOS 15.5, iOS 15.5 and iPadOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.4. A sandboxed process may be able to circumvent sandbox restrictions.” reads the description of this issue.

An attacker can trigger the flaw using a specially crafted Office document containing malicious macro code that allows it to bypass sandbox restrictions and execute commands on the system.

The Apple App Sandbox protects system resources and user data by limiting an app’s access to the resources it requests through entitlements.

Developers that want to distribute a macOS app through the Mac App Store must enable the App Sandbox capability.

Microsoft researchers demonstrated that specially crafted code could bypass the sandbox rules. An attacker could exploit the sandbox escape vulnerability to gain elevated privileges on the affected device or execute malicious commands, such as installing malicious payloads.

“We found the vulnerability while researching potential ways to run and detect malicious macros in Microsoft Office on macOS. For backward compatibility, Microsoft Word can read or write files with an “~$” prefix.” reads the post. “Our findings revealed that it was possible to escape the sandbox by leveraging macOS’s Launch Services to run an open --stdin command on a specially crafted Python file with the said prefix.”

The root cause of the issue is this backward-compatibility behaviour, which allows Microsoft Word to read and write files with the “~$” prefix.

The experts first created a proof-of-concept macro that launched a shell script with the Terminal app, but it was caught by the sandbox because the script was automatically given the extended attribute com.apple.quarantine, which prevents Terminal from executing it. The experts then tried Python scripts, but the Python app had similar issues running files carrying that attribute.

In one of the attempts, the researchers created a proof-of-concept (PoC) that used the --stdin option of the open command on a Python file to bypass the “com.apple.quarantine” extended attribute restriction. This way, Python had no way to determine that the contents of its standard input originated from a quarantined file.

“Our POC exploit thus became simply as follows:

  1. Drop a “~$exploit.py” file with arbitrary Python commands.
  2. Run open --stdin='~$exploit.py' -a Python, which runs the Python app with our dropped file serving as its standard input. Python happily runs our code, and since it’s a child process of launchd, it isn’t bound to Word’s sandbox rules.” continues the post.
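
For the detection side of this chain, the Python below is an added example (not Microsoft's code and not a published rule): it evaluates process-execution events of the shape an EDR or macOS Endpoint Security client provides and flags an Office application spawning /usr/bin/open with --stdin, a stdin file carrying the “~$” owner-file prefix, or an interpreter launched via -a. The event records and the field names (parent_name, image, cmdline) are constructed for the example.

```python
"""Detection rule for the sandbox-escape chain described above.

Added example, not Microsoft's code. Events are constructed telemetry in the
shape an EDR gives you: parent process name, executed image, command line.
"""
import shlex

OFFICE_PARENTS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}
INTERPRETERS = {"Python", "Terminal", "osascript"}   # apps whose launch from Office is suspect


def parse_open_args(cmdline: str) -> dict:
    """Pull the parts of an `open` invocation the rule cares about:
    the --stdin source (either `--stdin=path` or `--stdin path`) and the -a app."""
    argv = shlex.split(cmdline)
    info = {"stdin": None, "app": None}
    for i, arg in enumerate(argv):
        if arg.startswith("--stdin="):
            info["stdin"] = arg.split("=", 1)[1]
        elif arg == "--stdin" and i + 1 < len(argv):
            info["stdin"] = argv[i + 1]
        elif arg == "-a" and i + 1 < len(argv):
            info["app"] = argv[i + 1]
    return info


def evaluate_event(event: dict) -> list:
    """Return the rule names an event trips (empty list means no finding)."""
    findings = []
    if event["parent_name"] not in OFFICE_PARENTS or event["image"] != "/usr/bin/open":
        return findings
    info = parse_open_args(event["cmdline"])
    if info["stdin"] is not None:
        findings.append("office_spawns_open_stdin")
        # The quarantine bypass in the write-up hinges on a "~$"-prefixed file.
        if info["stdin"].rsplit("/", 1)[-1].startswith("~$"):
            findings.append("stdin_file_uses_owner_prefix")
    if info["app"] in INTERPRETERS:
        findings.append("office_launches_interpreter")
    return findings


def scan(events) -> list:
    """(event id, findings) for every event that trips at least one rule."""
    results = []
    for e in events:
        findings = evaluate_event(e)
        if findings:
            results.append((e["id"], findings))
    return results


# Constructed sample telemetry: one event mirroring the PoC, three benign-ish ones.
SAMPLE_EVENTS = [
    {"id": 1, "parent_name": "Microsoft Word", "image": "/usr/bin/open",
     "cmdline": "open --stdin='~$exploit.py' -a Python"},
    {"id": 2, "parent_name": "Finder", "image": "/usr/bin/open",
     "cmdline": "open -a Python script.py"},
    {"id": 3, "parent_name": "Microsoft Word", "image": "/usr/bin/open",
     "cmdline": "open https://example.com"},
    {"id": 4, "parent_name": "Microsoft Excel", "image": "/usr/bin/open",
     "cmdline": "open -a Terminal"},
]


if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_EVENTS):
        print(event_id, findings)
```

Event 1 trips all three rules; event 3 (Word opening a URL, which is normal) trips none, and event 4 surfaces as the weaker "Office launches an interpreter" signal that is worth reviewing on its own. On a patched system the rule still has value as a behavioural indicator, because Office documents spawning `open` toward an interpreter has no common legitimate use.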

Exploit Code Not People

Tags: exploit code


Jul 13 2022

The weaponizing of smartphone location data on the battlefield

Category: Smart PhoneDISC @ 8:40 am

How smartphone location data is obtained

For a country at war, monitoring the cellular networks in the conflict zone provides the most comprehensive view of mobile device activity. But before the conflict even begins, the nation can identify phones of interest, including the devices belonging to soldiers.

Because mobile app location data is often sold to commercial data brokers and then repackaged and sold to individual customers, a country can access such a database and then pick out the phones likely belonging to soldiers. Such devices will ping regularly in the locations of known bases or other military facilities. It’s even possible to identify the owner of a device by tracking the phone to its home address and then referencing publicly available information.

A country can also use information obtained from one or more data breaches to identify devices of interest. The T-Mobile breach in 2021 demonstrated how much customer data is in the hands of a mobile operator, including a phone’s unique identifier (IMEI) and its SIM card’s identifier (IMSI).

Spies can also physically monitor known military sites and use devices known as IMSI catchers – essentially fake cell towers – to collect phone data from the phones in the vicinity. The Kremlin reportedly did this in the UK, with GRU officers gathering near some of the UK’s most sensitive military sites.

When a phone of interest appears on the monitored mobile network, the country can keep a close eye on the device’s location and other cellular data. The presence of two or more such devices in close proximity indicates that a mission may be taking place.

In addition to monitoring cell networks, a nation at war can utilize IMSI catchers on the battlefield to gather phone data for the purposes of locating and identifying devices. Location can be determined by triangulating signal strengths from nearby cell towers or by pinging a targeted device’s GPS system. Russia’s Leer-3 electronic warfare system, which consists of two drones containing IMSI catchers along with a command truck, can locate up to 2,000 phones within a 3.7-mile range.

To counter these location-finding drones, an opposing nation may jam a drone’s GPS signal, using a radio emitter to block the drone from receiving GPS signals. The country can also try GPS spoofing, employing a radio transmitter to corrupt the accuracy of the drone’s reported location. To counter such spoofing, systems for validating GPS signals have been deployed on the battlefield. In the larger picture, the corruptibility of GPS data has forced some nations to build their own geopositioning systems. For the US, M-Code serves as a military-only GPS signal that is both more accurate and provides anti-jamming and anti-spoofing capabilities.

Spyware is a more targeted approach to obtaining location data. It can be delivered over the cell network (via a malicious carrier update) or through an IMSI catcher. It’s also not uncommon for operators to pose as single women on social media sites to lure soldiers into downloading a malicious app. Hamas has reportedly used this tactic many times against Israeli soldiers. Such spyware can capture a device’s real-time location, among other capabilities.

The risks of captured smartphone location data

Cell Phone Location Evidence for Legal Professionals: Understanding Cell Phone Location Evidence from the Warrant to the Courtroom

Are Smartphones a Threat to Privacy?

Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data

Tags: FTC, location data, smartphone location data


Jul 12 2022

Safe Security Provides Free Cybersecurity Cost Benchmarking Tool

Category: Security ToolsDISC @ 9:59 am

Safe Security has made available a free cybersecurity benchmarking tool that predicts cyberattack risk within vertical industry segments and can be tuned by organizations to better assess their own chances of being attacked.

Saket Modi, Safe Security CEO, said the CRQ Calculator combines cybersecurity threat intelligence and telemetry data it collects to ascertain attack costs with metadata collected from primary sources, such as reports published by the Securities and Exchange Commission (SEC) and insurance claims, that is accessible via application programming interfaces (APIs).

The tool applies Bayes’ theorem to that data to generate reports for specific vertical industries that determine, for example, that the probability of a health care company falling victim to a successful cyberattack is 25% compared to 20% for a financial services company. Industries such as manufacturing and retail face less than a 15% probability of a successful cyberattack.

The overall goal is to give organizations a better appreciation for the actual level of risk they face so they can make better cybersecurity investment decisions based on business context, noted Modi. That’s become more critical as a downturn in the overall global economy forces more organizations to reduce costs, he noted.

While there is a greater appreciation for cybersecurity than ever, many organizations are struggling to determine what level of spending is required to mitigate the threats they face. Before those assessments can be made there is a need to determine the actual level of threat to a vertical industry.

Spending on cybersecurity as a percentage of the overall IT budget has certainly increased in recent years. However, cybersecurity leaders are being asked more often to determine some level of return on investment (ROI) for that spending. Ultimately, the goal is to determine what level of spending makes sense based on what similar organizations are spending.

Of course, there is no correlation between spending and the level of cybersecurity attained. While the volume and sophistication of attacks have increased, most of the cybersecurity issues organizations encounter can be traced back to human error. Most organizations would dramatically improve their overall cybersecurity simply by focusing on fundamental processes that, in many cases, would reduce the number of misconfigurations that cybercriminals can potentially exploit.

At the same time, the number of attack surfaces that need to be defended continues to increase, so there does need to be some corresponding increase in cybersecurity. Most of the cyberattacks being launched are fairly rudimentary; cybercriminals don’t see the need to invest more time and effort when it’s relatively simple for them to compromise credentials and gain unfettered access to an IT environment.

Organizations can’t stop these attacks from being launched, but the hope is that by making it more difficult for cybercriminals to succeed they will concentrate their efforts elsewhere. Ultimately, if enough organizations improve their cybersecurity posture, the cost of launching attacks might one day become cost-prohibitive for attackers.

Unfortunately, organizations are a long way from achieving that goal. At the very least, organizations should have a better understanding of how much they need to spend on cybersecurity today as they look to continuously improve cybersecurity in the months and years ahead.

Validating a Best Practice: A Tool for Improvement and Benchmarking

Tags: CRQ Calculator, Free Cybersecurity Cost Benchmarking Tool


Jul 12 2022

Flaws in the ExpressLRS Protocol allow the takeover of drones

Category: Access Control,Wi-Fi SecurityDISC @ 8:51 am

The protocol for radio-controlled (RC) drones, named ExpressLRS, is affected by vulnerabilities that can allow device takeover.

Researchers warn of vulnerabilities that affect the protocol for radio-controlled (RC) drones, named ExpressLRS, which can be exploited to take over unmanned vehicles.

ExpressLRS is a high-performance open-source radio control link that provides a low latency radio control link while also achieving maximum range.

According to a bulletin recently published, an attacker can take control of any receiver by observing the traffic from the associated transmitter.

Using only a standard ExpressLRS compatible transmitter, it is possible to take control of any receiver after observing traffic from a corresponding transmitter.

Security issues in the binding phase allow an attacker to extract part of the identifier shared between the receiver and transmitter. Analysis of this part, combined with a brute-force attack, can reveal the remaining part of the identifier. Once the attacker has obtained the complete identifier, they can take over the craft containing the receiver using their own transmitter, with no knowledge of the binding phrase. This attack scenario is feasible entirely in software using standard ExpressLRS compatible hardware.

“ExpressLRS uses a ‘binding phrase’, built into the firmware at compile time to bind a transmitter to a receiver. ExpressLRS states that the binding phrase is not for security, it is anti-collision.” reads a bulletin published by NCC Group. “Due to weaknesses related to the binding phase, it is possible to extract part of the identifier shared between the receiver and transmitter. A combination of analysis and brute force can be utilised to determine the remaining portion of the identifier. Once the full identifier is discovered, it is then possible to use an attacker’s transmitter to control the craft containing the receiver with no knowledge of the binding phrase. This is possible entirely in software using standard ExpressLRS compatible hardware.”

The binding phrase used by the ExpressLRS protocol is hashed with MD5, an algorithm that is known to be cryptographically broken.

The experts observed that the “sync packets” that are exchanged between transmitter and receiver at regular intervals for synchronizing purposes leak a major part of the binding phrase’s unique identifier (UID). An attacker can determine the remaining part via brute-force attacks or by observing packets over the air without brute-forcing the sequences.

“Three weaknesses were identified, which allow for the discovery of the four bytes of the required UID to take control of the link. Two of these issues relate to the contents of the sync packet.

  1. The sync packet contains the final three bytes of the UID. These bytes are used to verify that the transmitter has the same binding phrase as the receiver, to avoid collision. Observation of a single sync packet therefore gives 75% of the bytes required to take over the link.
  2. The CRC initialiser uses the final two bytes of the UID sent with the sync packet, making it extremely easy to create a CRC check.” reads the advisory.

The third weakness occurs in the FHSS sequence generation.

  1. Due to weaknesses in the random number generator, the second 128 values of the final byte of the 4 byte seed produce the same FHSS sequence as the first 128.

The advisory recommends avoiding sending the UID over the control link: the data used to generate the FHSS sequence should not be sent over the air. It also recommends improving the random number generator, either by using a more secure algorithm or by adjusting the existing algorithm to work around the repeated sequences.
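To make the third weakness concrete, here is an added C++ example (not ExpressLRS project code and not taken from the NCC Group advisory) of the seed-sensitivity check a firmware maintainer can run against an FHSS hop-sequence generator. The LCG generator, the 80-channel count, the 4-byte seed layout and the sample seed are all hypothetical. The toy "weak" seeding masks the top bit of the final seed byte, which reproduces the class of defect described above (values k and k+128 of that byte yield the same hop sequence); the "full" seeding shows the property the recommended fix must restore, namely that every seed bit changes the sequence.

```cpp
// Added example, not ExpressLRS project code: a seed-sensitivity test for a
// hypothetical FHSS hop-sequence generator. It shows how a seed byte whose top
// bit does not reach the generator halves the number of distinct hop sequences.
#include <array>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <set>
#include <vector>

constexpr int NUM_FREQS = 80;   // hypothetical channel count
constexpr int SEQ_LEN   = 32;   // hops compared per sequence

using Seed   = std::array<uint8_t, 4>;          // 4-byte seed, as in the advisory
using HopSeq = std::vector<uint8_t>;
using SeedFn = std::function<uint32_t(const Seed&)>;

// Toy LCG (mod 2^32, full period) used as the hop generator behind both seed
// schemes. Only the seeding differs between the weak and the fixed variant.
static HopSeq hopSequence(uint32_t state) {
    HopSeq seq;
    seq.reserve(SEQ_LEN);
    for (int i = 0; i < SEQ_LEN; ++i) {
        state = 1103515245u * state + 12345u;   // wraps mod 2^32
        seq.push_back(static_cast<uint8_t>((state >> 16) % NUM_FREQS));
    }
    return seq;
}

// Weak (hypothetical) seeding: the final byte is masked to 7 bits, so values
// k and k+128 of that byte collapse to the same generator state.
static uint32_t weakSeed(const Seed& b) {
    return (uint32_t(b[0]) << 24) | (uint32_t(b[1]) << 16) |
           (uint32_t(b[2]) << 8)  |  uint32_t(b[3] & 0x7F);
}

// Fixed seeding: all 32 seed bits reach the generator state.
static uint32_t fullSeed(const Seed& b) {
    return (uint32_t(b[0]) << 24) | (uint32_t(b[1]) << 16) |
           (uint32_t(b[2]) << 8)  |  uint32_t(b[3]);
}

// Vary only the final seed byte over all 256 values and count the distinct hop
// sequences. 256 means every value of the byte matters; anything less means
// the sequence depends on fewer bits than the byte carries.
int distinctSequencesOverLastByte(const SeedFn& seedFn, Seed base) {
    std::set<HopSeq> seen;
    for (int v = 0; v < 256; ++v) {
        base[3] = static_cast<uint8_t>(v);
        seen.insert(hopSequence(seedFn(base)));
    }
    return static_cast<int>(seen.size());
}

// True when values k and k+128 of the final byte yield identical sequences,
// i.e. the top bit of that byte is ignored by the generator.
bool lastByteTopBitIgnored(const SeedFn& seedFn, Seed base, uint8_t k) {
    Seed a = base, b = base;
    a[3] = k;
    b[3] = static_cast<uint8_t>(k + 128);
    return hopSequence(seedFn(a)) == hopSequence(seedFn(b));
}

int main() {
    const Seed base = {0x12, 0x34, 0x56, 0x00};   // constructed sample seed
    std::printf("weak seeding: %d distinct sequences over the last byte\n",
                distinctSequencesOverLastByte(weakSeed, base));
    std::printf("full seeding: %d distinct sequences over the last byte\n",
                distinctSequencesOverLastByte(fullSeed, base));
    return 0;
}
```

Running the same count for each seed byte position is a cheap regression check for a hop-sequence generator: any result below 256 means the sequence depends on fewer bits than the seed carries, which is exactly the entropy loss the advisory attributes to the ExpressLRS random number generator.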

ExpressLRS drones

Artificial Intelligence Applications for Drone Cyber Security

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: drones, ExpressLRS Protocol


Jul 11 2022

US Gov’t Flip-Flops on NSO Group Sale to L3Harris

Category: Cyber Spy, Spyware

DISC @ 2:26 pm


by Richi Jennings on July 11, 2022

NSO Group, notorious makers of the notorious Pegasus spyware, has been in acquisition talks with a huge U.S. government defense contractor you’ve never heard of: L3Harris Technologies, Inc. Doesn’t that give you a warm, tingly feeling inside?

Pictured is Christopher E. “Call Me Chris” Kubasik, L3Harris’s chairman and CEO. He’s no doubt disappointed that the White House put the kibosh on the deal—especially as other bits of the government gave tacit approval (or so we’re told).

But is everything quite as it seems? In today’s SB Blogwatch, we pay attention to the man behind the curtain.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: WINBOOT.AVI

POTUS Vs. CIA and FBI

What’s the craic? Mark Mazzetti, Ronen Bergman and Susan C. Beachy report—“Defense Firm Said U.S. Spies Backed Its Bid for Pegasus Spyware Maker”:

“L3Harris and NSO declined to comment”
A team of executives from an American military contractor quietly … in recent months [attempted] a bold but risky plan: purchasing NSO Group, the cyber hacking firm that is as notorious as it is technologically accomplished. … They started with the uncomfortable fact that the United States government had put NSO on a blacklist just months earlier [because it] had acted “contrary to the national security or foreign policy interests of the United States,” the Biden administration said.

But five people familiar with the negotiations said that the L3Harris team had brought with them a surprising message: … American intelligence officials, they said, quietly supported its plans to purchase NSO, whose technology over the years has been of intense interest to … the F.B.I. and the C.I.A. [But news of the] talks to purchase NSO seemed to blindside White House officials, [who] said they were outraged … and that any attempt by American defense firms to purchase [NSO Group] would be met by serious resistance.

While not a household defense industry name … L3Harris earns billions each year from American government contracts. … The company once produced a surveillance system called Stingray.

L3Harris and NSO declined to comment. … A spokeswoman for Avril Haines, the director of national intelligence, declined to comment. … The Commerce Department declined to give specifics about any discussions.

One arm of the government doesn’t know what another is doing? Say it ain’t so! Stephanie Kirchgaessner says it’s so—“US defence firm ends talks to buy NSO”:

“Definitive pushback”
A person familiar with the talks said L3 Harris had vetted any potential deal for NSO’s technology with its customers in the US government and had received some signals of support from the American intelligence community. [But,] sources said, L3Harris had been caught off guard when a senior White House official expressed strong reservations about any potential deal.

Once L3Harris understood the level of “definitive pushback”, a person familiar with the talks said, “there was a view … that there was no way L3 was moving forward with this. … If the government is not aligned, there is no way for L3 to be aligned,” the person said.

What’s the big problem? Duncan Riley drives the point home:

“Could have resulted in the blacklisting being lifted”
A deal for all or part of NSO would not be as simple as the two companies agreeing to terms, requiring permission from both the U.S. and Israeli governments. … NSO Group, with its Pegasus spyware, has been one of the most controversial cybersecurity companies of recent times. Pegasus is a form of software that uses zero-day or unpatched exploits to infect mobile devices.

The deal falling apart may also leave NSO in a difficult situation: With the blacklisting in place, the company is limited in whom it can sell Pegasus to and what technology it can purchase. In contrast, an acquisition by an American company could have resulted in the blacklisting being lifted.

Wait, what? John Scott-Railton holds his horses:

“NSO spent years pretending they changed”
WHOA: Deal … tanked.

[It] helps explain recent signs of desperation from the spyware company. [An] American defense contractor acquiring a demonstrably-uncontrollable purveyor of insecurity would be … atrocious for human rights [and] bad for … counterintelligence.

This is not a company that prioritizes America’s national security. And it doesn’t play well with our tech sector. … NSO spent years pretending they changed … while using all available tricks to hide the fact that they kept doing … risky biz and dictator deals.

ELI5? Look on u/Ozymandias606’s words, ye mighty, and despair:

“Biden visits Israel tomorrow”
Pegasus is a hacking tool [that] can turn anyone’s phone into a tracking and recording device without the owner clicking a link. [It] has been sold to governments over the past several years [who] used Pegasus to spy on journalists and activists.

The Commerce Department added Pegasus’ creator to a blacklist that has been slowly choking the company. … A US defense contractor later offered to buy Pegasus – and claims they had explicit permission from US intelligence agencies to do so under a number of conditions, [which] include turning over the software’s source code to the “Five Eyes” cybersecurity alliance.

So, a handful of Western nations … were trying to control access to a cyber weapon that appears to take control of any phone in the world. … Biden visits Israel tomorrow – his first visit to the country.

Are you hinting what I think you’re hinting? This Anonymous Coward rents the curtain (but is behind on the payments): [You’re fired—Ed.]

Unfortunately, many Americans are still in denial about what the US govt routinely do. … This is simply Tiktok 2.0 (or Alstrom 3.0).

Anyone who looked at history will recognise the same pattern had happened many times already, including Alstrom in France. US will buy out any company, by force or by trickery, that took lead in any area the US deemed important.

Still, we have Lockdown Mode now. Nothing to worry about, right? Wrong, says u/NidoKangJr:

Lockdown mode is nothing. It can’t work. If the software is compromised, letting software be the security can’t work. Every cell phone really needs to have 3 mechanical switches and a removable battery. 1 switch for power, 1 for the mic and 1 for the camera.

What next? The Combat Desert Penguin—@wolverine_salty—ponders alternative buyers:

Is Thiel interested?

Meanwhile, with a similarly snarky stance, here’s kmoser:

So when is Elon Musk going to make them an offer?

Report: L3Harris Drops Plans to Buy Israel-Based Hacking Tool Maker NSO - GovCon Wire

Pegasus Spyware – ‘A Privacy Killer’


Tags: L3Harris, NSO Group, Pegasus spyware

