InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
The Senate of Puerto Rico announced this week that it was hit by a major cyberattack that disabled its internet provider, phone system and official online page. Local and federal authorities are investigating the attack.
According to Senate President José Luis Dalmau, there is no evidence that threat actors were able to access sensitive information belonging to employees, contractors or consultants.
This isn’t the first time that Puerto Rico was hit by a cyber attack in recent years.
In March 2021, Puerto Rico Electric Power Authority (PREPA) power utility confirmed early this week that it has been hacked over the weekend.
In June 2021, a large fire at the Luma’s Monacillo electrical substation in San Juan for Puerto Rico’s new electricity provider, Luma Energy, caused major blackouts across Puerto Rico on Thursday. The same day the blackout took place, the company announced that a major DDoS attack disrupted its online services.
It is still unclear whether the fire and DDoS attack are connected.
In October 2020, Puerto Rico’s firefighting department disclosed a security breach, hackers breached its database and demanded a $600,000 ransom.
Threat intelligence feeds are a critical part of modern cybersecurity. Widely available online, these feeds record and track IP addresses and URLs that are associated with phishing scams, malware, bots, trojans, adware, spyware, ransomware and more. Open source threat intelligence feeds can be extremely valuable—if you use the right ones. While these collections are plentiful, there are some that are better than others. Being an actively updated database doesn’t guarantee that it is a highly reliable or detailed one either, as some of the best online haven’t necessarily been updated in a few months.
We will try to keep our own tally of some of the better open source threat intelligence feeds below, regularly updating it with new feeds and more details about each one. A share of the entries will be managed by private companies that have premium, or at least closed-source, offerings as well. This list is meant to cover free and open source security feed options.
Developed and offered by Proofpoint in both open source and a premium version, The Emerging Threats Intelligence feed (ET) is one of the highest rated threat intelligence feeds. ET classifies IP addresses and domain addresses associated with malicious activity online and tracks recent activity by either. The feed maintains 40 different categories for IPs and URLs, as well as a constantly updated confidence score.
This being backed by the Federal Bureau of Investigation definitely gives it some clout. It’s actually a collaboration between the FBI and the private sector, with its information freely available to private companies and public sector institutions to keep appraised on threats relevant to 16 specific categories of infrastructure identified by the Cybersecurity and Infrastructure Security Agency (a department of the US Department for Homeland Security). Sectors include energy and nuclear power, communications, chemicals, agriculture, healthcare, IT, transportation, emergency services, water and dams, as well as manufacturing and financial.
Dan is a collection of 10 tools that together report on IP and domain information. It includes info on IP subnets, the TOR status of IP addresses, DNS blacklists, IP address checking for autonomous systems, and node lists.
The CINS Score is supported by Sentinel. Like ET’s confidence score, the CINS Score rates IP addresses according to their trustworthiness. They add data about suspected or confirmed attacks from those IPs in the form of frequency, nature and breadth. They also try to create ‘personas’ around the sorts of attacks those IPs are tied to: scanning, network or remote desktop vulnerabilities, malware bots, or command-and-control servers.
Blocklist.de pays attention to server attacks from SSH, FTP, email and webserver sources. Their site claims to report an average of 70,000 attacks every 12 hours using a combo of the abusix.org database, Ripe-Abuse-Finder, and Whois information.
hpHosts is a searchable database and hosts file that is community managed. While it was last updated in August 2019, it is considered one of the more reliable data stores of malicious IPs online. It can also be sorted by PSH and FSA-only.
AlienVault Open Threat Exchange (OTX) is the company’s free, community-based project to monitor and rank IPs by reputation. It generates alert feeds called “pulses,” which can be manually entered into the system, to index attacks by various malware sources. While some pulses are generated by the community, AlienVault creates its own as well that automatically subscribes all OTX’s users. Most pulses are automatically API-generated and submitted via the OTX Python SDK. This example, SSH bruteforce logs 2016-06-09, shows the indicators, geoip of the attacks, and a full list of the IPs used. It also links to reports in other pulses that include the same IPs.
This abuse.ch offering focuses on botnets and command-and-control infrastructure (C&C). The blocklist is an amalgamation of several minor blocklists with attention paid to Heodo and Dridex malware bots. There were 5,374 entries as of 03-03-2020.
Of course, the name itself is a direct response to an older trojan virus called Feodo, which was a successor to the Cridex e-banking trojan. (to which both Dridex and Heodo both trace their source code). Feodo Tracker also tracks an associative malware bot, TrickBot.
The first of two projects from Swiss website abuse.ch, URLhaus is a depository of malicious domains tied to distributing malware. The database can be accessed via a URLhaus API, allowing you to download CSV collections of flagged URLs, those site’s respective statuses, the type of threat associated with them, and more. Ready-made downloads include periods of recent additions (going back 30 days), or all active URLs.
The full URLhaus dataset—as updated every 5 minutes—is automatically and immediately available for CSV download. It also includes a ruleset suited for use in Suricata or Snort. URLhaus also offers a DNS firewall dataset that includes all marked URLs for blocking.
An attacker can exploit a vulnerability in Polkit’s pkexec component, tracked as CVE-2021-4034, that affects all major Linux distributions to gain full root privileges on the system. The good news is that this issue is not remotely exploitable, but if an attacker can log in as any unprivileged user, it can allow to gain root privileges.
The flaw, dubbed PwnKit, was introduced more than 12 years ago (May 2009) since the initial commit of pkexec, this means that all the versions are affected.
Polkit (formerly PolicyKit) is a component used to controll system-wide privileges in Unix-like OS. It allows non-privileged processes to communicate with privileged processes. polkit also allow to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).
Researchers from Qualys Research Team have discovered a memory corruption vulnerability in SUID-root program polkit.
“The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution.” reads the post published by Qualys.”Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable.”
“This vulnerability is an attacker’s dream come true” explained Qualys:
pkexec is installed by default on all major Linux distributions (we exploited Ubuntu, Debian, Fedora, CentOS, and other distributions are probably also exploitable);
pkexec is vulnerable since its creation, in May 2009 (commit c8c3d83, “Add a pkexec(1) command”);
any unprivileged local user can exploit this vulnerability to obtain full root privileges;
although this vulnerability is technically a memory corruption, it is exploitable instantly, reliably, in an architecture-independent way;
and it is exploitable even if the polkit daemon itself is not running.
Experts pointed out that it is very easy to exploit the flaw, while Qualys doesn’t plan to release a PoC for this issue other experts are already working on releasing it.
Bleeping Computer reported that a working exploit was publicly released less than three hours after Qualys published the technical details for PwnKit. BleepingComputer has compiled and tested the available exploit, which proved to be reliable as it gave us root privileges on the system on all attempts.
The investigation started in November after Google TAG published a blogpost about watering-hole attacks targeting macOS users in Hong Kong.
Google TAG researchers discovered that threat actors leveraged a zero-day vulnerability in macOS in a watering hole campaign aimed at delivering malware to users in Hong Kong. The attackers exploited a XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina
The watering hole campaign targeted websites of a media outlet and important pro-democracy labor and political group. The researchers discovered that attackers deployed on the sites hosted two iframes that were used to serve iOS and macOS exploits to the visitors.
The experts believe that the attack was orchestrated by a nation-state actor, but did not attribute the campaign to a specific APT group.
ESET also attributed the attacks to an actor with strong technical capabilities. According to Felix Aimé from SEKOIA.IO, one of the sites used by threat actors in the attacks was a fake website targeting Hong Kong activists.
One of the websites used to infect HK dissidents fightforhk[.]com seems to have been created from scratch for that unique purpose. Do not hesitate to check your logs/mails/SMS/private messages etc. against this domain. [1/2] pic.twitter.com/TfTSN5pqbf
Researchers also found the legitimate website of Hong Kong, pro-democracy radio station D100 that was compromised to distribute the same exploit before the Google TAG report.
“The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely. It’s interesting to note that some code, which suggests the vulnerability could also have been exploited on iOS and even on PAC-enabled (Pointer Authentication Code) devices such as the iPhone XS and newer, has been commented out” reads the analysis published by ESET.
The ‘Known Exploited Vulnerabilities Catalog‘ is a list of known vulnerabilities that threat actors have abused in attacks and that are required to be addressed by Federal Civilian Executive Branch (FCEB) agencies.
, recently addressed by SolarWinds in Serv-U products that threat actors are actively exploited in the wild. The company pointed out that all the attack attempts failed.
CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation
Google Project Zero researchers Natalie Silvanovich disclosed details of two zero-day vulnerabilities in Zoom clients and Multimedia Router (MMR) servers. An attacker could have exploited the now-fixed issues to crash the service, execute malicious code, and even leak the content of portions of the memory.
The researcher focused its search for bugs in the Zoom client software, including zero-day issues that allowed her to take over the victim’s system without requiring any user interaction.
The two vulnerabilities have been fixed on November 24, 2021, they are a buffer overflow information leakage issue tracked as CVE-2021-34423 and CVE-2021-34424 respectively.
The CVE-2021-34423 vulnerability, is a buffer overflow issue that received a CVSS score of 9.8. An attacker can trigger the vulnerability to execute arbitrary code or crash the service or application.
The experts focused the analysis on the RTP (Real-time Transport Protocol) traffic used for audio and video communications. Silvanovich discovered that manipulating the contents of a buffer that supports reading different data types by sending a malformed chat message, could trigger the flaw causing the client and the MMR server to crash.
“Note that the string buffer is allocated based on a length read from the msg_db_t buffer, but then a second length is read from the buffer and used as the length of the string that is read. This means that if an attacker could manipulate the contents of the msg_db_t buffer, they could specify the length of the buffer allocated, and overwrite it with any length of data (up to a limit of 0x1FFF bytes, not shown in the code snippet above).” reads the analysis published by Project Zero. “I tested this bug by hooking SSL_write with Frida, and sending the malformed packet, and it caused the Zoom client to crash on a variety of platforms.”
The CVE-2021-34424 is a process memory exposure flaw that received a CVSS score of 7.5. An attacker can trigger the flaw to potentially gain insight into arbitrary areas of the product’s memory.
The second flaw is caused by the lack of a NULL check that allows to leak data from the memory by joining a Zoom meeting via a web browser.
“This bug allows the attacker to provide a string of any size, which then gets copied out of bounds up until a null character is encountered in memory, and then returned. It is possible for CVE-2021-34424 to return a heap pointer, as the MMR maps the heap that gets corrupted at a low address that does not usually contain null bytes, however, I could not find a way to force a specific heap pointer to be allocated next to the string buffer that gets copied out of bounds. C++ objects used by the MMR tend to be virtual objects, so the first 64 bits of most object allocations are a vtable which contains null bytes, ending the copy.” continues the analysis.
The researcher pointed out that lack of ASLR in the Zoom MMR process exposed users to the risk of attacks, the good news it that Zoom has recently enabled it.
Project Zero experts also pointed out that the closed nature of Zoom also heavily impacted the analysis. Unlike most video conferencing systems, Zoom use a proprietary protocol that make it hard to analyze it.
“Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to security researchers and others who wish to evaluate it,” Silvanovich concludes. “While the Zoom Security Team helped me access and configure server software, it is not clear that support is available to other researchers, and licensing the software was still expensive.”
“Definitely worse” The platform has yet to confirm that it has indeed been attacked [but] Crypto.com announced it was pausing withdrawals after “a small number of users experienced unauthorized activity in their accounts.” … A household name in Asian markets, the Singapore-based exchange recently spent $700 million to buy the naming rights to the Staples Center—the Los Angeles home venue of the NBA’s Lakers and Clippers. … Events took a turn for the worse when security research company Peckshield [said] Crypto.com has lost at least 4,600 ETH (around $15 million in current prices) [and] that the true scale of the damage is “definitely worse.” … Peckshield added that half of the stolen funds were sent to Tornado Cash, the Ethereum-centric mixing service. … Remarkably, a few hours later, Crypto.com CEO Kris Marszalek said that no customer funds were lost.
“$16.3 million” Several users had reported on social media that their cryptocurrencies, at times equating to tens of thousands of dollars, had disappeared from their Crypto.com accounts in recent days. … Technical issues on crypto trading platforms have become commonplace as the hype surrounding digital assets grows. … Crypto influencer and podcast host Ben Baller said in a tweet on Monday that around 4.28 Ether, which equates to roughly $14,000, had been “stolen out of nowhere” [despite] two-factor authentication security measures. … Baller later alleged … a wallet belonging to Crypto.com had lost approximately 5,000 Ether, which equates to roughly $16.3 million. … A spokesperson from Crypto.com didn’t respond to a request for comment.
The credentials are contained in files that common info-stealers and keyloggers use to exfiltrate them from infected machines.
These files can end up hosted on VirusTotal due to hackers using VirusTotal to promote selling victims’ data or due to attackers uploading them by mistake, Tomer Bar, Director of Security Research at SafeBreach, told Help Net Security.
They may also be uploaded by third parties (e.g., a security researcher or the company where the C2 server is hosted) who are unaware they contain sensitive information. Finally, some environments are configured to automatically upload files to VirusTotal to verify whether they are “clean”.
Finding the files with stolen credentials
Just like Google Search can be used to search for vulnerable websites/systems, IoT devices, and sensitive data (the method is known as Google hacking or dorking), VirusTotal’s APIs and tools (VT Graph, Retrohunt, etc.) can be used to find files containing stolen data.
To prove it, the researchers compiled a list of those files’ names, acquired a monthly VirusTotal license that allowed them to do searches, explore VirusTotal’s dataset, and perform malware hunts – and started searching for them.
It didn’t take long to find some. Depending on the malware, these files contain credentials for email and social media accounts, e-commerce sites, online payment services, gaming platforms, online government services, streaming platforms, online banking accounts, and private keys of cryptocurrency wallets.
They’ve also connected some of these files to specific sellers of stolen credentials on a variety of hacking forums and Telegram groups, and have shown that in some cases it may be easy for criminals to discover credentials for accessing malware’s C2 FTP server and use them to “collect” stolen credentials.
“Our goal was to identify the data a criminal could gather with a VirusTotal license,” Bar noted, and said that they have proven this method – dubbed “VirusTotal Hacking” – works at scale.
“A criminal who uses this method can gather an almost unlimited number of credentials and other user-sensitive data with very little effort in a short period of time using an infection-free approach. We called it the perfect cyber crime, not just due to the fact that there is no risk and the effort is very low, but also due to the inability of victims to protect themselves from this type of activity. After victims are hacked by the original hacker, most have little visibility into what sensitive information is uploaded and stored in VirusTotal and other forums.”
The researchers urged Google – the owner of VirusTotal via its subsidiary Chronicle – to periodically search and remove files with sensitive user data and ban API keys that upload those files, and to add an algorithm that disallows uploads of files that contain sensitive cleartext data or encrypted files with the decryption password attached (either as text or included in an image).
They also pointed out that malwares’ unsecured C2 communication protocols should be exploited by defenders – in concert with hosting companies – to sinkhole or terminate C2 servers.
As a final side note, stolen credentials are not the only sensitive information that can occasionally be found on VirusTotal:
A vulnerability in the implementation of multi-factor authentication (MFA) for Box allowed attackers to take over accounts without having access to the victim’s phone, Varonis researchers reported.
Box develops and markets cloud-based content management, collaboration, and file-sharing tools for businesses. The platform supports 2FA based on an authenticator application or SMSs.
Varonis Threat Labs researchers disclosed the vulnerability via HackerOne and the company fixed it in November 2021.
Upon attempting to log into a Box account, the platform sets a session cookie and redirects the user to a form where they need to provide the time-based one-time password (TOTP) generated with an authenticator app (at /mfa/verification) or a code received via SMS (at /2fa/verification).
The researchers pointed out that if the user does not navigate to the SMS verification form, no SMS message will be sent despite the session cookie having been generated. A threat actor can provide the user’s email and password to get a valid session cookie bypassing SMS-based 2FA.
An attacker can easily obtain login credentials for a targeted user from past data breaches or through phishing attacks.
When the user adds an authenticator app, the eBox platform assigns a factor ID and, at login, they are required to provide a one-time password generated by the app along with the credentials.
The experts devised a method to bypass MFA for accounts where SMS-based MFA is enabled by abandoning the SMS-based verification process and initiating TOTP-based MFA instead, technically mixing the MFA modes.
The attacker could access the victim’s account using the correct username and password, but providing a factor ID and code from a Box account and authenticator app associated with an account under his control.
“After the cookie is generated, the threat actor can abandon the SMS-based MFA process (which is what the user is enrolled in) and instead initiate the TOTP-based MFA process—thus mixing MFA modes.” reads the analysis published by Varonis.
“The attacker completes the authentication process by posting a factor ID and code from their own Box account and authenticator app to the TOTP verification endpoint using the session cookie they received by providing the victim’s credentials.” Box did not verify whether the victim was enrolled in TOTP verification and did not validate that the authenticator app used belonged to the user that was logging in. This made it possible to access the victim’s Box account without the victim’s phone and without notifying the user via SMS.”
Below are the attack flow devised by the experts:
Attacker enrolls in multi-factor authentication using an authenticator app and stores the device’s factor ID.
Attacker enters a user’s email address and password on
account.box.com
/login.
If the password is correct, the attacker’s browser is sent a new authentication cookie and redirects to: /2fa/verification.
The attacker, however, does not follow the redirect to the SMS verification form. Instead, they pass their own factor ID and code from the authenticator app to TOTP verification endpoint: /mfa/verification.
The attacker is now logged in to the victim’s account and the victim does not receive an SMS message.
The platform did not check whether the user was indeed to be the one that was enrolled in TOTP-based MFA or whether the authenticator app belonged to the account that is attempting to log in.
This trick allowed an attacker to log into the victim’s Box account, bypassing SMS-based 2FA.
“We want to underscore that MFA implementations are prone to bugs, just like any other code. MFA can provide a false sense of security. Just because MFA is enabled doesn’t necessarily mean an attacker must gain physical access to a victim’s device to compromise their account,” Varonis concludes.
Microsoft has released emergency out-of-band (OOB) updates for Windows to address multiple issues caused by security updates issued as part of the January 2021 Patch Tuesday.
The Windows Server updates for January were causing a series of issues for administrators, multiple administrators reported anomalous reboots of Windows domain controllers, and Hyper-V that was no longer starting on Windows servers.
Reports also claim that the Windows Resilient File System (ReFS) volumes were no longer accessible after the installation of January 2021 updates.
Some administrators and users reported problems with L2TP VPN connections on Windows 10 after installing the recent Windows 10 and Windows 11 cumulative updates.
“Microsoft is releasing out-of-band (OOB) updates for some versions of Windows today, January 18, 2022,” the company said. “This update fixes issues related to VPN connectivity, Windows Server domain controller restarts, virtual machine startup failures, and ReFS-formatted removable media that fails to mount.”
The OOB updates can be downloaded from the Microsoft Update Catalog, if they are not installed directly from Windows Update as optional updates.
Emergency out-of-band (OOB) updates through Windows Update are optional updates and have to be manually installed.
Below are the updates can only be downloaded through the Microsoft Update Catalog:
Microsoft said today that it has observed a destructive attack taking place in Ukraine where a malware strain has wiped infected computers and then tried to pass as a ransomware attack, but without providing a ransomware payment and recovery mechanism.
“At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues,” the Microsoft Threat Intelligence Center said in a blog post late Saturday night.
The OS maker said the affected systems belong to multiple government agencies, non-profits, and information technology organizations, all based in Ukraine.
Microsoft said it has not yet identified the distribution vector or if the attack spread beyond the original Ukrainian targets.
The attack does not appear to be at the same scale and virality as the NotPetya and BadRabbit wiper events that targeted Ukrainian organizations in June and November 2017, respectively, and then spread all across the world.
Just like the NotPetya and BadRabbit wipers, Microsoft said that this recent one also comes with a component that overwrites a computer Master Boot Record (MBR) and prevents them from booting.
The malware corrupts files, rewrites MBR, hides as ransomware
The malware, which Microsoft calls WhisperGate, then replaces the boot-up screen with a ransom note, which, according to Microsoft, includes a ransom fee, a Bitcoin address to receive payments, and a Tox ID to get in contact with the attackers.
In case victims manage to restore their MBR and their boot-up sequence, Microsoft says the malware also corrupts files with a certain extension by overwritting their contents with a fixed number of 0xCC bytes up to a total file size of 1MB.
“After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension,” Microsoft said.
Researchers from WordPress security company Wordfence discovered a high-severity vulnerability that affects three different WordPress plugins that impact over 84,000 websites. The vulnerability tracked as CVE-2022-0215 is a cross-site request forgery (CSRF) issue that received a CVSS score of 8.8.
A threat actor could exploit the vulnerability to take over vulnerable websites.
The flaw impacts three plugins maintained by Xootix:
“On November 5, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Login/Signup Popup”, a WordPress plugin that is installed on over 20,000 sites. A few days later we discovered the same vulnerability present in two additional plugins developed by the same author: “Side Cart Woocommerce (Ajax)”, installed on over 60,000 sites, and “Waitlist Woocommerce ( Back in stock notifier )”, installed on over 4,000 sites.” reads the advisory published by Wordfence. “This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site’s administrator into performing an action, such as clicking on a link.”
The threats are constantly shifting, subject to trends in cryptocurrency use, geopolitics, the pandemic, and many other things; for this reason, a clear sense of the landscape is essential. Below, you’ll find a quick guide to some of the most pressing threats of the coming year.
Linux and cloud infrastructure will continue to be a target
For threat actors, there is a simple calculus at play – namely, what method of attack is a) easiest and b) most likely to yield the biggest return? And the answer, at this moment, is Linux-based cloud infrastructure, which makes up 80%+ of the total cloud infrastructure. With cloud adoption increasing because of the pandemic, this has the potential to be a massive problem.
In just the last few months, ransomware gangs like BlackMatter, HelloKitty, and REvil have been observed targeting Linux via ESXi servers with ELF encryptors. And we have recently seen the PYSA ransomware gang adding Linux support. Meanwhile, experts are identifying new and increasing complex Linux malware families, which adds to the already-mounting list of concerns. Working pre-emptively against these threats is more essential than ever.
A weakness in the Microsoft Defender antivirus can allow attackers to retrieve information to use to avoid detection.
Threat actors can leverage a weakness in Microsoft Defender antivirus to determine in which folders plant malware to avoid the AV scanning.
Microsoft Defender allows users to exclude locations on their machines that should be excluded from scanning by the security solution.
The knowledge of the list of scanning exceptions allows attackers to know where to store their malicious code to avoid detection. This means that once inside a compromised network, threat actors can decide were store their malicious tools and malware without being detected.
The issue seems to affect Windows 10 21H1 and Windows 10 21H2 since at least eight years, but it does not affect Windows 11.
Noticed that almost 8 years ago when I started in Tech Support. Always told myself that if I was some kind of malware dev I would just lookup the WD exclusions and make sure to drop my payload in an excluded folder and/or name it the same as an excluded filename or extension…
SentinelOne threat researcher Antonio Cocomazzi pointed out that the list of scanning exceptions can be accessed by any local user, regardless of its permissions.
Running the “reg query” command it is possible to access the list.
The smartphones of dozens of journalists and activists from El Salvador have been hacked with a version of the Pegasus spyware.
The malware was found on 37 mobile devices belonging to 35 individuals.
“Targets included journalists at El Faro, GatoEncerrado, La Prensa Gráfica, Revista Digital Disruptiva, Diario El Mundo, El Diario de Hoy, and two independent journalists. Civil society targets included Fundación DTJ, Cristosal, and another NGO,” Citizen Lab said in a report published last night.
The hardest hit was news site El Faro, where Pegasus was found on the devices of 22 reporters.
Attacks likely carried out by the local government
Citizen Lab said the hacked devices were compromised between July 2020 and November 2021 by a threat actor they were calling Torogoz, with some devices being hacked multiple times.
The investigators, who have a long history of analyzing the Pegasus spyware, said they had “no conclusive technical evidence” about the identity of the attackers, but the focus on El Salvador individuals suggests that Torogoz is most likely an entity associated with the Salvadoran government.
Additional circumstances to sustain this attribution also include the fact that many victims had their devices compromised around the same time they were investigating or reporting on sensitive issues involving the local government, such as a scandal involving alleged negotiations between the administration of President Bukele and the MS-13 criminal cartel.
The Citizen Lab report suggests that the El Salvador administration or someone close to it might have rented access to Pegasus, a hacker-for-hire platform developed by Israeli company NSO Group, and then used it to go after their critics.
The proposed theory is not a far-fetched scenario as NSO Group has done this before, providing its Pegasus spyware to many oppressive regimes across the world, which then used it to track and silence their critics and political rivals.
While NSO Group has always publicly stated that they sell their software only to legitimate law enforcement agencies and that they can’t control how their customers use its tools, the rampant abuse of its software by oppressive regimes for human rights abuses has forced the US government to put the NSO Group on its sanctions list in November last year.
A few weeks later, Apple, whose iPhones are the main target of Pegasus attacks, also sued the Israeli company in a US court, hoping to get an injunction against NSO Group developers and block them from using its platform to develop the iPhone hacks needed to keep the Pegasus malware up-to-date.
Hacks discovered using open-source tool
Citizen Lab said it learned of the hacks in September 2021 after some El Salvador journalists used a free security tool developed by Amnesty International, named Mobile Verification Toolkit (MVT), to self-scan their devices for traces of the Pegasus spyware.
The reporters who found signs of a compromise contacted Access Now’s Digital Security Helpline, which called on Citizen Lab to investigate the hacks further.
After Apple sued NSO Group, some of the victims of these attacks received confirmation about the hacks from Apple itself when the company notified past victims of Pegasus attacks using a new set of notifications the company rolled out. At the time, similar notifications were also sent to many Apple users in Thailand and Uganda.
The names of most of the El Salvador reporters and activists hacked in this latest campaign are available in the Citizen Lab report.
“NSO Group’s tentacles continue to spread across the globe, crushing the privacy and rights of journalists and activists into oblivion,” said Angela Alarcón, Latin America & the Caribbean Campaigner at Access Now. “Revelations that Pegasus software has been used to unjustly spy in El Salvador may not come as a complete surprise, but there is no match to our outrage.”
Recent reports indicate that NSO Group is on the brink of bankruptcy and shutting down after the Apple lawsuit. Nevertheless, there is a booming market of many other spyware vendors ready to fill the void left by a potential NSO closure.
ISO 27001 certification requires organizations to prove their compliance with the Standard with appropriate documentation, which can run to thousands of pages for more complex businesses. But with the ISO 27001 Cybersecurity Toolkit, you have all the direction and tools at hand to streamline your project.
ISO 27001 Cybersecurity Toolkit Accelerate your ISO 27001 cybersecurity project and benefit from ready-to-use policies and procedures. The toolkit includes: A complete set of mandatory and supporting documentation templates Helpful project tools to ensure complete coverage of the Standard Guidance documents and direction from expert ISO 27001 practitioners
![CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation by [United States Government Accountability Office]](https://m.media-amazon.com/images/I/51FIzAXr-CL._SX260_.jpg)
