Apr 12 2024

Apple Boosts Spyware Alerts For Mercenary Attacks

Category: Spyware | disc7 @ 7:09 am

Apple has updated its documentation related to its warning system for mercenary spyware threats, now specifying that it alerts users when they may have been individually targeted by such attacks.

The revision points out companies like NSO Group, known for developing surveillance tools like Pegasus, which state actors often use for targeted attacks on individuals such as journalists, activists, politicians and diplomats. 

In a blog post published on Wednesday, Apple highlighted the global and sophisticated nature of these attacks, which are costly and complex.

The update marks a shift in the wording from informing and assisting users targeted by state-sponsored attackers to specifically addressing mercenary spyware threats.

“It’s really important to recognize that mercenary spyware, unlike others, is deliberately designed with advanced capabilities, including zero-day exploits, complex obfuscation techniques, and self-destruct mechanisms, making it highly effective and hard to detect,” explained Krishna Vishnubhotla, vice president of product strategy at Zimperium.

According to recent reports, Apple sent threat notifications to iPhone users in 92 countries, coinciding with the support page revision.

While Apple began sending threat notifications in November 2021, it refrained from attributing the attacks or notifications to any particular threat actor or region. 

This development now aligns with global efforts to counter the misuse of commercial spyware, as evidenced by a coalition of countries, including the US, working to develop safeguards against invasive surveillance technology.

Moreover, a recent report by Google’s Threat Analysis Group (TAG) and Mandiant shed light on the exploitation of zero-day vulnerabilities in 2023, with commercial surveillance vendors being responsible for a significant portion of these exploits. 

These vulnerabilities targeted web browsers and mobile devices, underscoring the increasing reliance of threat actors on zero days for evasion and persistence.


Tags: mercenary spyware, NSO, Pegasus

Feb 28 2024

Industrial Cyber Espionage France’s Top Threat Ahead of 2024 Paris Olympics

France’s National Cybersecurity Agency (ANSSI) observed a significant rise in cyber espionage campaigns targeting strategic organizations in 2023.

These operations are increasingly focused on individuals and non-governmental structures that create, host or transmit sensitive data, ANSSI observed in its 2023 Cyber Threat Landscape report, published on February 27, 2024.

Besides public administration, the primary targets of cyber espionage activity included organizations associated with the French government, such as technology and defense contractors, research institutes and think tanks.

Overall, cyber espionage remained the top cyber threat ANSSI’s teams dealt with in 2023.

ANSSI has also noted an increase in attacks against business and personal mobile phones aimed at targeted individuals.

There has also been an upsurge in attacks that have used methods publicly associated with the Russian government.

“These attacks are not limited to mainland French territory: in 2023, ANSSI dealt with the compromise of an IT network located in a French overseas territory using an attack modus operandi publicly associated with China,” reads the report.

30% Rise in Ransomware

Meanwhile, financially motivated attacks were also on the rise, with an observed 30% increase in ransomware attacks compared to 2022.

Monthly and yearly breakdown of ransomware attacks reported to ANSSI in 2022 (in blue) and in 2023 (in green). Source: ANSSI

Small and medium enterprises (SMEs) and mid-sized businesses were the most targeted organizations, representing 34% of all cyber-attacks observed by ANSSI in 2023. Local administration came second, suffering 24% of all attacks in 2023.

In total in 2023, ANSSI recorded 3703 cyber events, 1112 of which were labeled as cyber incidents. In 2022, it recorded 3018 cyber events, including 832 cyber incidents.

The latest version of the LockBit ransomware, LockBit 3.0 (aka LockBit Black), was the most used malware in financially motivated cyber-attacks in 2023, taking over previous ransomware versions from the same threat group that dominated the ransomware landscape in 2022.

Top Ransomware versions detected by ANSSI in cyber-attacks targeting French organizations. Source: ANSSI

Read more: LockBit Takedown – What You Need to Know about Operation Cronos

Software Supply Chain Vulnerabilities Rule Supreme

Overall, 2023 has seen significant changes in the structure and methods of attackers. They are perfecting their techniques in order to avoid being detected, tracked, or even identified.

“Despite efforts to improve security in certain sectors, attackers continue to exploit the same technical weaknesses to gain access to networks. Exploiting ‘zero-day’ vulnerabilities remains a prime entry point for attackers, who all too often still take advantage of poor administration practices, delays in applying patches and the absence of encryption mechanisms,” reads the report, translated from French to English by Infosecurity.

The top five vulnerabilities exploited by threat actors to compromise French organizations’ IT systems in 2023 include flaws in VMware, Cisco, Citrix, Atlassian and Progress Software products.

These include the Citrix Bleed and the MOVEit vulnerabilities.

Read more: MOVEit Exploitation Fallout Drives Record Ransomware Attacks

Pre-Positioning Activities on ANSSI’s Radar for 2024

Finally, in a tense geopolitical context, ANSSI noted new destabilization operations aimed mainly at promoting a political discourse, hindering access to online content or damaging an organization’s image.

“While distributed denial of service (DDoS) attacks by pro-Russian hacktivists, often with limited impact, were the most common, pre-positioning activities targeting several critical infrastructures in Europe, North America and Asia were also detected.

“These more discreet activities may nevertheless be aimed at larger-scale operations carried out by state actors waiting for the right moment to act,” the report explained.

Vincent Strubel, ANSSI’s director general, commented: “While financially motivated attacks and destabilization operations saw a clear upturn in 2023, it was once again the less noisy threat, which remains the most worrying, that of strategic and industrial espionage and pre-positioning for sabotage purposes, which mobilised the ANSSI teams the most.”

These geopolitically driven threats will be a particular focus for ANSSI in 2024, as Paris prepares to host the 2024 Olympic and Paralympic Games.

Tags: 2024 Paris Olympics, Pegasus, Spy in Your Pocket

Jul 12 2023

The Spies Who Loved You: Infected USB Drives to Steal Secrets

Category: Cyber Spy, Spyware | disc7 @ 12:28 pm

In the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks using infected USB drives to steal secrets. Mandiant tracked all of the cases and found that the majority of the incidents could be attributed to several active USB-based operation campaigns affecting both the public and private sectors globally.

Previously, we covered one of the campaigns that leverages USB flash drives as an initial infection vector and concentrates on the Philippines. In this blog post, we are covering two additional USB-based cyber espionage campaigns that have been observed by Managed Defense: 

  • SOGU Malware Infection via USB Flash Drives Across Industries and Geographies

    This is the most prevalent USB-based cyber espionage attack using USB flash drives and one of the most aggressive cyber espionage campaigns targeting both public and private sector organizations globally across industry verticals. It uses USB flash drives to load the SOGU malware to steal sensitive information from a host.

    Mandiant attributes this campaign to TEMP.Hex, a China-linked cyber espionage actor. TEMP.Hex likely conducted these attacks to collect information in support of Chinese national security and economic interests. These operations pose a risk to a variety of industries, including construction and engineering, business services, government, health, transportation, and retail in Europe, Asia, and the United States.

  • SNOWYDRIVE Malware Infection via USB Flash Drives, Targets Oil and Gas Organizations in Asia

    This campaign uses USB flash drives to deliver the SNOWYDRIVE malware. Once SNOWYDRIVE is loaded, it creates a backdoor on the host system, giving attackers the ability to remotely issue system commands. It also spreads to other USB flash drives and propagates throughout the network.

    Mandiant attributes this campaign to UNC4698, a threat actor that has targeted oil and gas organizations in Asia. Once the actor has gained access to the system, they execute arbitrary payloads using the Windows Command Prompt, use removable media devices, create local staging directories, and modify the Windows registry. 

SOGU Malware Infection via USB Flash Drives Across Industries and Geographies

Managed Defense first observed this campaign while hunting for suspicious file write events in common directories that threat actors use for their malware, tools, or utilities.

Figure 2: Managed Defense investigation breakdown by industry

Tags: Infected USB Drives, Pegasus, Steal Secrets

May 11 2023

Millions of mobile phones come pre-infected with malware, say researchers

Category: Information Security, Malware, Mobile Security | disc7 @ 12:03 pm

The threat is coming from inside the supply chain

BLACK HAT ASIA Threat groups have infected millions of Androids worldwide with malicious firmware before the devices have even been shipped from their manufacturers, according to Trend Micro researchers at Black Hat Asia.

The affected devices, mainly mobile phones but also smartwatches, TVs and more, have their manufacturing outsourced to an original equipment manufacturer (OEM), a process the researchers say makes them easy to infiltrate.

“What is the easiest way to infect millions of devices?” posed senior threat researcher Fyodor Yarochkin, speaking alongside colleague Zhengyu Dong.

He compared infiltrating devices at such an early stage of their life cycle to a tree absorbing liquid: you put the infection at the root, and it gets distributed everywhere, out to every single limb and leaf.

The malware installation technique began as the price of mobile phone firmware dropped. Competition between firmware distributors became so furious that eventually the providers could not charge money for their product.

“But of course there’s no free stuff,” said Yarochkin, who explained that the firmware started to come with an undesirable feature – silent plugins. The team manually analyzed dozens of firmware images looking for malicious software. They found over 80 different plugins, although many of those were not widely distributed.

The plugins that were the most impactful were those that had built a business model around them and were selling underground services, marketing them out in the open on places like Facebook, in blog posts, and on YouTube.

The objective of the malware is to steal information or to make money from the information collected or delivered.

The malware turns the devices into proxies that are used to steal and sell SMS messages, social media and online messaging accounts, and to monetize the devices via adverts and click fraud.

One type of plugin, the proxy plugin, allows criminals to rent out devices for up to around five minutes at a time. For example, those renting control of the device could acquire data on keystrokes, geographical location, IP address and more.

“The user of the proxy will be able to use someone else’s phone for a period of 1200 seconds as an exit node,” said Yarochkin. He also said the team found a Facebook cookie plugin that was used to harvest activity from the Facebook app.

Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, concentrated in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million.

As for where the threats are coming from, the duo wouldn’t say specifically, although the word “China” showed up multiple times in the presentation, including in an origin story related to the development of the dodgy firmware. Yarochkin said the audience should consider where most of the world’s OEMs are located and make their own deductions.

“Even though we possibly might know the people who build the infrastructure for this business, it’s difficult to pinpoint how exactly this infection gets put into this mobile phone because we don’t know for sure at what moment it got into the supply chain,” said Yarochkin.

The team confirmed the malware was found in the phones of at least 10 different vendors, with possibly around 40 more affected. Those seeking to avoid infected mobile phones could go some way toward protecting themselves by buying high-end devices.

“Big brands like Samsung, like Google took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market,” said Yarochkin.

Tags: Mobile phone security, Pegasus

Aug 02 2022

Pegasus is listening

Category: Spyware | DISC @ 1:55 pm

Pegasus is listening: Q&A with Paul Rusesabagina’s daughter Carine Kanimba

You may not recognize the name Carine Kanimba, but you have probably heard of her dad: Paul Rusesabagina. He was the manager of the Hôtel des Mille Collines and rather famously decided to shelter some 1,200 mostly Tutsi Rwandans in his hotel during the 1994 genocide in Rwanda. Don Cheadle played him in the movie Hotel Rwanda.

Afterwards, Rusesabagina became a superstar ambassador of human rights. He wrote an autobiography about his work during the genocide; President George W. Bush awarded him the Medal of Freedom; and he went on the speakers’ circuit, not just talking about 1994 but criticizing the current government of President Paul Kagame for trampling on human rights.

In August 2020, Rusesabagina boarded a private jet for what he thought would be a trip to Burundi, but instead he was rendered to Rwanda. He has since been sentenced to 25 years in prison.

Carine Kanimba was on Capitol Hill last week to talk not just about her dad (who adopted sisters Carine and Anaïse shortly after the genocide), but also about her recent discovery that she has been targeted by a commercial spyware program called Pegasus. She believes the Rwandan government was behind it.

Pegasus spyware is the brainchild of an Israeli company called NSO Group, and it has been found on the phones of so many activists around the world that it has become a kind of cautionary tale about the commercial spyware industry. It has been linked to the murder of journalist Jamal Khashoggi, and discovered on the phones of Mexican opposition leaders, Catalonian politicians, and journalists and lawyers around the world. (In a statement, NSO Group told Click Here that it “thoroughly investigates any claim for illegal use of its technology by customers, and terminates contracts when illegal use is found.”)

The Click Here podcast sat down with Kanimba shortly after her Congressional testimony to talk to her about her role as a human rights advocate, what it is like finding oneself on the receiving end of a spyware campaign, and why she is confident she will win her father’s release. The interview has been edited and shortened for clarity.

CLICK HERE: We wanted to start by saying we’re very sorry about what you’re going through with your father…

For the complete interview: Pegasus is listening: Q&A with Paul Rusesabagina’s daughter Carine Kanimba


Tags: A Privacy Killer, NSO’s Pegasus, Pegasus, Pegasus spyware