DarkCyber for August 10, 2021 Now Available

August 10, 2021

The DarkCyber video for August 10, 2021 is now available at this link. The program includes a snapshot of NSO Group’s content marketing campaign, information about inherently insecure software, fine dining at the Central Intelligence Agency, and a surefire way to phish with quite tasty bait. The drone story explains an autonomous drone. Just give it a goal and the drone figures out what to do. No human input required. Best of all, a swarm of drones can interact with other drones in the swarm to reach a decision about how to achieve an objective. DarkCyber is produced by Stephen E Arnold, publisher of Beyond Search. The DarkCyber videos are issued every two weeks and are available at www.arnoldit.com/wordpress as well as YouTube.

Kenny Toth, August 10, 2021

New Malware MosaicLoader Takes Unusual Attack Vector

August 5, 2021

ZDNet warns us about some micro targeting from bad actors in, “This Password-Stealing Windows Malware is Distributed Via Ads in Search Results.” The malware was first identified by Bitdefender, which named it MosaicLoader. The security experts believe a new group is behind these attacks, one not tied to any known entities. Writer Danny Palmer tells us:

“MosaicLoader can be used to download a variety of threats onto compromised machines, including Glupteba, a type of malware that creates a backdoor onto infected systems, which can then be used to steal sensitive information, including usernames and passwords, as well as financial information. Unlike many forms of malware, which get distributed via phishing attacks or unpatched software vulnerabilities, MosaicLoader is delivered to victims via advertising. Links to the malware appear at the top of search results when people search for cracked versions of popular software. Automated systems used to buy and serve advertising space likely means that nobody in the chain – aside from the attackers – know the adverts are malicious at all. The security company said that employees working from home are at higher risk of downloading cracked software. ‘Most likely, attackers are purchasing adverts with downstream ad networks – small ad networks that funnel ad traffic to larger and larger providers. They usually do this over the weekend when manual ad vetting is impacted by the limited staff on call,’ Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet.”

Antivirus software might catch MosaicLoader—if users have not disabled it because they are downloading illegally cracked software. Oops. Once downloaded, the malware can steal usernames and passwords, farm out cryptocurrency mining, and install Trojan software through which malefactors can access the machine. Users should be safe if they do not attempt to download pirated software. Sometimes, though, such software does a good job of posing as legitimate. Palmer advises readers to avoid being duped by navigating away if instructed to disable antivirus software before downloading any program. That is always good advice.

Cynthia Murrell, August 5, 2021

NSO Group and an Alert Former French Diplomat: Observation Is Often Helpful

August 2, 2021

I read “French Ex-Diplomat Saw Potential for Misuse While Working at NSO.” The allegedly accurate write up reports that Gerard Araud [once a French ambassador] took a position at NSO Group. The write up adds:

His one-year mission from September 2019, along with two other external consultants from the United States, was to look at how the company could improve its human rights record after a host of negative news stories. Earlier that year, the group’s technology had been linked publicly to spying or attempted spying on the murdered Saudi journalist Jamal Khashoggi by Saudi Arabian security forces, which it denied. The group was acquired in 2019 by a London-based private equity group, Novalpina, which hired Araud to recommend ways to make the company’s safeguard procedures “more rigorous and a bit more systematic,” he said.

The write up explains how a prospect becomes an NSO Group customer:

Its [the Pegasus software and access credentials] export is regulated “like an arms sale,” said Araud, meaning NSO must seek approval from the Israeli government to sell it, and state clients then sign a lengthy commercial contract stipulating how the product will be used. They are meant to deploy Pegasus only to tackle organised crime or terrorism — the company markets itself this way — but Araud said “you could see all the potential for misuse, even though the company wasn’t always responsible.”

The argute veteran of the French ambassadorial team maybe, possibly, could have discerned the potential for misuse of the Pegasus system.

The write up includes this information, allegedly direct from the former diplomat, who obviously provides information diplomatically:

In a firm that practices “a form of extreme secrecy,” he says he nonetheless became convinced that NSO Group worked with Israel’s Mossad secret services, and possibly with the CIA. He said there were three Americans who sat on the group’s advisory board with links to the US intelligence agency, and the company has said that its technology cannot be used to target US-based numbers.  “There’s a question about the presence of Mossad and the CIA. I thought it was both of them, but I have no proof,” he said. “But I suspect they’re both behind it with what you call a ‘backdoor’.” A “backdoor” is a technical term meaning the security services would be able to monitor the deployment of Pegasus and possibly the intelligence gathered as a result.

Interesting. Several years ago, the BBC published “When Is a Diplomat Really Just a Spy?” In that 2018 write up, the Beeb stated:

So where do you draw the line between official diplomacy and the murky world of espionage? “Every embassy in the world has spies,” says Prof Anthony Glees, director of the Centre for Security and Intelligence Studies at the University of Buckingham. And because every country does it, he says there’s “an unwritten understanding” that governments are prepared to “turn a blind eye” to what goes on within embassies.

Would French diplomats have some exposure to ancillary duties at a French embassy? Potentially.

Stephen E Arnold, August 3, 2021

Exploit Checklist for Bad Actors

July 28, 2021

I found this post by MIT Research (oops, sorry, I meant MITRE Research). The information in “2021 CWE Top 25 Most Dangerous Software Weaknesses” is fascinating. It provides hot links to details in a public facing encyclopedia called the Common Weakness Enumeration. The link is to additional information about the “Out-of-Bounds Write” weak point. The Top 25 is a helpful reference for good actors as well as bad actors. The MITRE team provides this preface to the list:

The 2021 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years. These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses. To create the 2021 list, the CWE Team leveraged Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record. A formula was applied to the data to score each weakness based on prevalence and severity.

Popular weaknesses, the equivalent of a 1960s AM radio station’s “Fast Mover Tunes” are:

  • CWE-276 (Incorrect Default Permissions): from #41 to #19
  • CWE-306 (Missing Authentication for Critical Function): from #24 to #11
  • CWE-502 (Deserialization of Untrusted Data): from #21 to #13
  • CWE-862 (Missing Authorization): from #25 to #18
  • CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)): from #31 to #25

New entries are:

  • CWE-276 (Incorrect Default Permissions): from #41 to #19
  • CWE-918 (Server-Side Request Forgery (SSRF)): from #27 to #24
  • CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)): from #31 to #25

A few minutes spent with this list can be instructive. The write up includes a list of weaknesses which one might want to know about.
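As an added example (mine, not MITRE’s and not code from the CWE project), here is the shape of the Out-of-Bounds Write weakness the post links to (CWE-787, which sits at the top of the 2021 list) in C, beside the check that removes it: a record parser that trusts a length byte taken from the input, and a hardened version that validates that length against both the destination capacity and the bytes actually received before any copy happens. The record format, the function names and the sample inputs are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire record used for this illustration: one length byte
 * followed by up to RECORD_MAX payload bytes. The length byte is
 * attacker-controlled, which is the root of the weakness shown here. */
#define RECORD_MAX 16

struct record {
    uint8_t len;                  /* accepted payload length */
    uint8_t payload[RECORD_MAX];  /* fixed-capacity destination */
};

/* Vulnerable parser: trusts the declared length. A length byte above
 * RECORD_MAX makes memcpy write past the end of out->payload (CWE-787,
 * Out-of-Bounds Write); a length larger than the bytes received also reads
 * past the input. Shown for contrast only; main() calls it with well-formed
 * input so the demo itself does not corrupt memory. */
void parse_record_unsafe(const uint8_t *in, size_t in_len, struct record *out)
{
    (void)in_len;                 /* the unsafe version ignores what actually arrived */
    out->len = in[0];
    memcpy(out->payload, in + 1, out->len);
}

/* Hardened parser: the copy length is checked against the destination
 * capacity and against the input actually available before memcpy runs.
 * Returns false and leaves *out untouched on any violation. */
bool parse_record_safe(const uint8_t *in, size_t in_len, struct record *out)
{
    if (in == NULL || out == NULL || in_len < 1)
        return false;             /* no length byte to read */

    uint8_t len = in[0];
    if (len > RECORD_MAX)
        return false;             /* would overflow out->payload */
    if ((size_t)len > in_len - 1)
        return false;             /* would read past the end of in */

    out->len = len;
    memcpy(out->payload, in + 1, len);
    return true;
}

/* Convenience wrapper for tests and demos: the accepted payload length,
 * or -1 when the hardened parser rejects the input. */
int parse_record_len(const uint8_t *in, size_t in_len)
{
    struct record r;
    memset(&r, 0, sizeof r);
    return parse_record_safe(in, in_len, &r) ? (int)r.len : -1;
}

int main(void)
{
    /* Constructed sample inputs (not captured traffic). */
    const uint8_t well_formed[] = {4, 'a', 'b', 'c', 'd'};
    const uint8_t oversized[]   = {200, 'a', 'b'};       /* len > RECORD_MAX */
    const uint8_t truncated[]   = {8, 'x', 'y'};         /* len > bytes present */

    struct record r;
    parse_record_unsafe(well_formed, sizeof well_formed, &r);
    printf("unsafe parser, well-formed input: len=%u\n", r.len);

    printf("safe parser, well-formed: %d\n", parse_record_len(well_formed, sizeof well_formed));
    printf("safe parser, oversized:   %d\n", parse_record_len(oversized, sizeof oversized));
    printf("safe parser, truncated:   %d\n", parse_record_len(truncated, sizeof truncated));
    return 0;
}
```

The two checks in `parse_record_safe` are deliberately separate: the first guards the write (the CWE-787 condition), the second guards the read of the source buffer, and a parser that has only one of them is still listed-weakness material. Note also that the comparison `len > in_len - 1` is only safe because `in_len < 1` was rejected first; reordering those lines reintroduces an unsigned underflow.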

Net net: Who will find this list more inspirational: Marketing oriented cyber threat vendors or bad actors working under the protection of nation states hostile to US interests?

Stephen E Arnold, July 28, 2021

NSO Group: The Rip in the Fabric of Intelware

July 22, 2021

A contentious relationship with the “real news” organizations can be risky. I have worked at a major newspaper and a major publisher. The tenacity of some of my former colleagues is comparable to the grit one associates with an Army Ranger or Navy SEAL, just with a slightly more sensitive wrapper. Journalists favored semi-with-it clothes, not bushy beards. The editorial team was more comfortable with laptops than an FN SCAR.

Communications associated with NSO Group — the headline magnet among the dozens of Israel-based specialized software companies (a very close-in group, by the way) — may have torn the fabric shrouding the relationship among former colleagues in the military, government agencies, their customers, and their targets.

Who’s to blame? The media? Maybe. I don’t have a dog in this particular season’s fights. The action promises to be interesting and potentially devastating to some comfortable business models. NSO Group is just one of many firms working to capture the money associated with cyber intelligence and cyber security. The spat between the likes of journalists at the Guardian and the Washington Post and NSO Group appears to be diffusing like spilled ink on a camouflage jacket.

I noted “Pegasus Spyware Seller: Blame Our Customers Not Us for Hacking.” The main point seems to be that NSO Group allegedly suggests that those entities licensing the NSO Group specialized software are responsible for their use of the software. The write up reports:

But a company spokesman told BBC News: “Firstly, we don’t have servers in Cyprus.

“And secondly, we don’t have any data of our customers in our possession.

“And more than that, the customers are not related to each other, as each customer is separate.

“So there should not be a list like this at all anywhere.”

And the number of potential targets did not reflect the way Pegasus worked.

“It’s an insane number,” the spokesman said.

“Our customers have an average of 100 targets a year.

“Since the beginning of the company, we didn’t have 50,000 targets total.”

For me, the question becomes, “What controls exist within the Pegasus system to manage the usage of the surveillance system?” If there are controls, why are these not monitored by an appropriate entity; for example, an oversight agency within Israel? If there are no controls, has Pegasus become an “on premises” install set up so that a licensee has a locked down, airtight version of the NSO Group tools?

The second item I noticed was “NSO Says ‘Enough Is Enough,’ Will No Longer Talk to the Press About Damning Reports.” At first glance, I assumed that an inquiry was made by the online news service and the call was not returned. That happens to me several times a day. I am an advocate of my version of cancel culture. I just never call the entity again and move on. I am too old to fiddle with the egos of a younger person who believes that a divine entity has given that individual special privileges. Nope, delete.

But not NSO Group. According to the write up:

“Enough is enough!” a company spokesperson wrote in a statement emailed to news organizations. “In light of the recent planned and well-orchestrated media campaign led by Forbidden Stories and pushed by special interest groups, and due to the complete disregard of the facts, NSO is announcing it will no longer be responding to media inquiries on this matter and it will not play along with the vicious and slanderous campaign.” NSO has not responded to Motherboard’s repeated requests for comment and for an interview.

Okay, the enough is enough message is allegedly in “writing.” That’s better than a fake message disseminated via TikTok. However, the “real journalists” are likely to become more persistent. Despite a lack of familiarity with the specialized software sector, a large number of history majors and liberal arts grads can do what “real” intelligence analysts do. Believe me, there’s quite a bit of open source information about the cozy relationship within and among Israel’s specialized software sector, the interaction of these firms with certain government entities, and public messages parked in unlikely open source Web sites to keep the “real” journalists learning, writing, and probing.

In my opinion, allowing specialized software services to become public; that is, actually talk about the capabilities of surveillance and intercept systems was a very, very bad idea. But money is money and sales are sales. Incentive schemes for the owners of specialized software companies guarantee that I can spend eight hours a day watching free webinars that explain the ins and outs of specialized software systems. I won’t, but some of the now ignited flames of “real” journalism will. They will learn almost exactly what is presented in classified settings. Why? Capabilities when explained in public and secret forums use almost the same slide decks, the same words, and the same case examples, which vary in level of detail presented. This is how marketing works in my opinion.

Observations:

1. A PR disaster is, it appears, becoming a significant political issue. This may pose some interesting challenges within the Israel centric specialized software sector. NSO Group’s system ran on cloud services like Amazon’s until AWS allegedly pushed Pegasus out of the Bezos stable.

2. A breaker of the specialized software business model of selling to governments and companies. The cost of developing, enhancing, and operating most specialized software systems keeps companies on the knife edge of solvency. The push into commercial use of the tools by companies or consumerizing the reports means government contracts will become more important if the non-governmental work is cut off. Does the world need several dozen Dark Web indexing outfits and smart time line and entity tools? Nope.

3. A boost to bad actors. The reporting in the last week or so has provided a detailed road map to bad actors in some countries about [a] What can be done, [b] How systems like Pegasus operate, [c] the inherent lack of security in systems and devices charmingly labeled “insecure by design” by a certain big software company, and [d] specific pointers to the existence of zero day opportunities in BlastDoor-protected devices. That’s a hoot at ??????? ???? “Console”.

Net net: The NSO Group “matter” is a very significant milestone in the journey of specialized software companies. The reports from the front lines will be fascinating. I anticipate excitement in Belgium, France, Germany, Israel, the United Kingdom, and a number of other countries. Maybe a specialized software Covid Delta?

Stephen E Arnold, July 22, 2021

Cyber Security: Cyber Security Vendors May Have Missed a Scenario

July 21, 2021

I read a somewhat routine write up called “Work from Home Fueling Cyberattacks, Says Global Financial Watchdog.” The word watchdog scares me away. In the post-SolarWinds era, where were those watchdogs? Come to think about it, “Where were the super smart, predictive threat intelligence systems?” I suppose even watchdogs have to catch some ZZZZs.

The article contained, in my opinion, a comment of exceptional perspicacity. Here it is:

“Most cyber frameworks did not envisage a scenario of near-universal remote working and the exploitation of such a situation by cyber threat actors,” the FSB said in a report to G20 ministers and central banks.

This is not napping. Nope. Missing a scenario makes it clear that cyber security vendors did not think through what would happen if their systems had to deal with off site working at scale. As a result, the systems probably are a-okay when monitoring a tire dealer’s computer system in Akron, Ohio. But in the work from home environment, the threat system was napping. I envision an ever vigilant junk yard dog with flashy icons on its spiked collar. Unfortunately the junk yard dog is chained to a rusting 1975 CJ7 and not on the prowl in the junk yard proper.

Net net: The defense mechanism keeps that old Jeep secure but the bad actors can haul off whatever auto parts of interest. There may be a couple of overlooked catalytic converters amidst the wreckage.

Stephen E Arnold, July 21, 2021

An Interesting Security Assertion for Apple

July 20, 2021

I noted an interesting assertion in “Pegasus: The New Global Weapon for Silencing Journalists.” Here’s the statement which caught my attention:

The iPhone is not bulletproof against cyberattacks.

I agree. The write up continues: Vendors of specialized software and services have an advantage. Here’s why:

attackers, partly because of their sheer number, will manage to stay a step ahead of the tech giant.

The idea, I think, is that Apple is one outfit. There are more attackers than Apple security wizards. The result? Apple is now playing defense and is in reaction mode.

Is there a fix? Well, sort of:

Patrick Wardle, founder of the Mac security developer Objective-See, in the same report, noted Apple’s “self-assured hubris” on its security features, and the closed system of the iPhone that prevents security researchers from seeing processes running under the hood, could also be factors that cyber-attackers could use for their gain. On Apple’s hubris, Wardle said, for instance, Microsoft would be more open to reports coming from security researchers whereas Apple would be a little more standoffish. Microsoft would more likely say, “‘We’re gonna put our ego aside, and ultimately realize that the security researchers are reporting vulnerabilities that at the end of the day are benefiting our users, because we’re able to patch them.’ I don’t think Apple has that same mindset.”

What an interesting idea! Apple should be more like Microsoft.

Stephen E Arnold, July 20, 2021

A Microgoof or a Google PR Opportunity?

July 19, 2021

It is difficult to determine if Google is on the money with its alleged discovery of Russian cyber criminals targeting big wheels via LinkedIn. True or not, it may be another security misstep for the Redmond giant. “Russian Hackers Disguised as LinkedIn Networkers Spreading Malware” asserts:

A new investigation by Google shows that some of the common LinkedIn spam can be quite dangerous. Hackers with possible connections to the Russian government sent fraudulent LinkedIn messages to various officials from European countries with links aimed to exploit vulnerabilities in Windows and iOS. It is not yet known how many LinkedIn users were targeted in this hacking campaign and how many of them were ultimately hacked. Google believes that the cybercriminal gang responsible for the hacking campaign is most likely backed by the Russian government.

If this article is on the money, the odds are getting longer that Sergey Brin will be able to ride a Russian rocket into space. The article includes the statement “backed by the Russian government.” That might toss those orbital dreams into the Caspian Sea, the lowest point in the country. Also, the technopolies may be squaring off for a public relations dust up. I mean, how could the Chrome lovebirds spat over a minor security issue? LinkedIn is a Microsoft property, and I assume it is protected by all manner of Microsoft security software as well as systems purchased or licensed.

LinkedIn vulnerable? Some believe LinkedIn lost control of user data earlier this year. Forbes reported that data about 700 million LinkedIn users was for sale on a hacking forum.

However, if one compares the LinkedIn assertion from the GOOG with the mostly verified PrintNightmare glitch, the Microgoof results from repeated efforts to patch the print spooler. By the way, this gem is in most Windows versions. Here’s a flow chart to guide your remediation efforts:

[Image: flow chart for PrintNightmare remediation]

LinkedIn versus what seems to be an engineered-in persistent invitation to bad actors to have a series of great days. No zero days needed, it seems.

Pick your Microgoof. Personally I find the print spooler thing more enjoyable than people looking for work.

Stephen E Arnold, July 19, 2021

China: Prudence or Protectionism?

July 15, 2021

With many countries struggling with cyber breaches, China seems to be implementing procedures. Are these prudent steps or actions designed to enforce protectionist policies? “China Tightens Rules on Foreign IPOs in New Blow to Tech Firms” reports:

China proposed new rules that would require nearly all companies seeking to list in foreign countries to undergo a cybersecurity review, a move that would significantly tighten oversight over its internet giants.

The write up somewhat optimistically suggests that companies seeking to list on a non-US / non-Euro-centric stock exchange will elect to embrace Hong Kong.

Maybe not.

Is the decision to link listing with cyber security a wild and crazy idea, or is China taking a leadership position in cyber prophylaxis?

Worth monitoring this possible move.

Stephen E Arnold, July 15, 2021

News Flash! Security Measures Only Work if Actually Implemented

July 14, 2021

Best practices are there for a reason, but it seems many companies are not following them. According to TechRadar, “Ransomware Is Not Out of Control; Security Teams Are.” Reporter Mayank Sharma interviewed Optiv Security VP and former FBI Information and Technology official James Turgal, who puts the blame for recent ransomware attacks squarely on organizations themselves. In answer to a question on the most common missteps that pave the way for ransomware attacks, Turgal answered:

“Every business is different. Some older and more established organizations have networks and infrastructure that have evolved through the years without security being a priority, and IT shops have traditionally just bolted on new technology without properly configuring it and/or decommissioning the old tech. Even startups who begin their lives in the cloud still have some local technology servers or infrastructure that need constant care and feeding. Some of the themes I see, and the most common mistakes made by companies, are:

1. No patch strategy or a strategy that is driven more by concerns over network unavailability and less on actual information assurance and security posture.

2. Not understanding what normal traffic looks like on their networks and/or relying on software tools. Usually too many of them overlap and are misconfigured. The network architecture is the company’s pathway to security or vulnerability with misconfigured tools.

3. Relying too much on backups, and believing that a backup is enough to protect you. Backups that were not segmented from the network, were only designed to provide a method of restoring a point in time, and were never designed to be protected from an attacker. Backups need to be tested regularly to ensure the data is complete and not corrupted.”

Another mistake is focusing so narrowly on new projects, like a move to cloud storage, that vulnerabilities in older equipment are neglected. See the article for more of Turgal’s observations and advice. Surely he would like readers to consider his company’s services, and for some businesses outsourcing cybersecurity to experienced professionals (there or elsewhere) might be a wise choice. Whatever the approach, organizations must keep on top of implementing the most up-to-date security best practices in order to stem the tide of attacks. Better to spend the money now than pay out in Bitcoin later.

Cynthia Murrell, July 14, 2021
