Tag: Hackers
30. November 2021
On November 25th, Apple announced in a press release that it has filed a lawsuit against NSO Group Technologies Ltd. (NSO Group) to hold them accountable for their spy software “Pegasus”.
NSO Group is a technology company that supplies surveillance software for governments and government agencies. Applications like Pegasus exploit vulnerabilities in software to infect the target’s devices with Trojans. Pegasus is a spyware that can be secretly installed on cell phones (and other devices) running most iOS and Android versions. Pegasus is not a single exploit, but a series of exploits that exploit many vulnerabilities in the system. Some of the exploits used by Pegasus are zero-click, which means that they can be executed without any interaction from the victim. It is reorted to be able to read text messages, track calls, collect passwords, track location, access the microphone and camera of the targeted device, extract contacts, photos, web browsing history, settings and collect information from apps.
NSO Group is accused of selling its software to authoritarian governments, which use it to monitor journalists and the opposition. Accusations that the company regularly denies. According to an investigation done by a global consortium of journalists of 17 media oganizations, Pegasus has been used to monitor female journalists, human rights activists, lawyers and high-ranking politicians. There are even reports suggesting it is even used by Mexican drug cartels to target and intimidate Mexican journalists. Among the more famous confirmed Pegasus victims are Amazon founder Jeff Bezos and murdered Saudi Arabian journalist Jamal Kashoggi.
Apple wants to prevent “further abuse and harm” to Apple users. The lawsuit also demands unspecified compensation for spying on users.
In the press release Apple states:
NSO Group and its clients devote the immense resources and capabilities of nation-states to conduct highly targeted cyberattacks, allowing them to access the microphone, camera, and other sensitive data on Apple and Android devices. To deliver FORCEDENTRY to Apple devices, attackers created Apple IDs to send malicious data to a victim’s device — allowing NSO Group or its clients to deliver and install Pegasus spyware without a victim’s knowledge. Though misused to deliver FORCEDENTRY, Apple servers were not hacked or compromised in the attacks.
Ivan Krstić, head of Apple Security Engineering and Architecture is quoted:
In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place
Apple has announced the lawsuit contains new information about the so-called ForcedEntry exploit for a now-closed vulnerability that NSO Group used to “break into a victim’s Apple device and install the latest version of NSO Group’s Pegasus spyware program,” according to Apple’s press release. The vulnerability was originally discovered by Citizen Lab, a research group at the University of Toronto. Apple says it will support organizations like Citizen Lab and Amnesty Tech in their work, and will donate $10 million and any compensation from the lawsuit to organizations involved in researching and protecting against cyber surveillance. The company will also support Citizen Lab with free technology and technical assistance.
Apple is the second major company to sue NSO Group after WhatsApp Inc. and its parent company Meta Platforms, Inc.(then Facebook, Inc.) filed a complaint against NSO Group in 2019. The allogation of that lawsuit is that NSO Group unlawfully exploited WhatsApp’s systems to monitor users.
In early November 2021, the US Department of Commerce placed NSO Group on its “Entity List”. The justification for this step states that Pegasus was used to monitor government officials, journalists, business people, activists, academics and embassy staff. On the “Entity List,” the U.S. government lists companies, individuals or governments whose activities are contrary to the national security or foreign policy interests of the United States. Trade with these companies is subject to strict restrictions and in some cases is only possible with an exemption from the Department.
24. March 2021
Hackers have discovered a new method of gaining access to individuals’ mobile devices via text message rerouting, Vice reports. Apparently, all it takes is $16 to retrieve a person’s messages from a third-party provider and then take over the phone number and, with it, various associated accounts.
All of that is possible due to a text messaging service called Sakari that allows businesses to send SMS reminders, alerts, confirmations and marketing campaigns. The company lets business users import their own phone number in order to be contacted by the businesses. However, the service has a significant security vulnerability. Its use is enabled by purchasing Sakari’s $16 per month plan and then filling out a document saying that the signer has authority to change phone numbers. Although the document points out that the user should not conduct any unlawful, harassing or inappropriate behavior, there is no subsequent call or text notification from Sakari asking the user to confirm the consent to the transfer. That’s why it is largely effortless to simply sign up with another person’s phone number and receive their text messages instead. From that moment on, it can be trivial to hack into other accounts associated with that phone number by sending login requests, as they rely on SMS codes.
This overlooked security flaw shows how frighteningly easy it is to gain access to the tools necessary to seize phone numbers. It requires less technical skill or knowledge than, for instance, SIM jacking. It demonstrates not only the insufficient regulation of commercial SMS tools but also gaping holes in the telecommunications infrastructure, since a hacker only needs to pretend having the user’s consent.
The attack method has implications for cybercrime and poses an enormous threat to safety and security. It enables criminals to harass people, drain their bank account, tear through their digital lives or intercept sensitive information or personal secrets. At this time, it is not clear to what extent this attack method is being applied to mobile numbers.
CTIA, a trade association representing the wireless industry, stated that they immediately launched an investigation into the matter and took precautionary measures. Adam Horsman, co-founder of Sakari, responded to the insufficient authentication of their customers by saying that Sakari added a security feature where a number will receive an automated call in order to confirm the consent given. Moreover, Sakari will verify all existing text-enabled numbers. But Sakari is just one company. And there are plenty of others in this industry. As this method raises serious concerns, it is important for mobile carriers to do more to protect their customers’ privacy and security, such as notifications when registering a new device or a two-factor-authentication.
7. January 2021
In December 2020 cybersecurity firm FireEye reported that it had been attacked by what they called a “highly sophisticated cyber threat actor”, during which copies of its red team tool kit were stolen. Also in December, FireEye disclosed that it discovered attacks on SolarWinds’ tool “Orion” while investigating its own security breach. In a SEC filing, SolarWinds said up to 18,000 of 33,000 Orion customers may have been affected. The attacks may have begun in early 2020.
A group believed to be state-sponsored used contaminated updates for the “Orion” network management software. They accessed a SolarWinds system used to update Orion and from there inserted malicious code into legitimate software updates that were then distributed to customers. The affected versions are 2019.4 through 2020.2.1, which were released between March and June 2020. It is still unclear how the attackers initially gained access to SolarWinds’ network. Security researcher Vinoth Kumar stated on Twitter he contacted SolarWinds in 2019 regarding an FTP access uploaded to GitHub in 2018. Using the password “solarwinds123,” he was able to upload a file to the SolarWinds server as proof of the vulnerability.
Agencies and companies that have been penetrated by the Orion software include the U.S. Treasury Department, the U.S. Department of Homeland Security, the National Nuclear Security Administration, parts of the Pentagon, Belkin, Cisco, Intel, Microsoft, and Nvidia.
The FBI and other U.S. security agencies issued a joint statement calling the attack “significant and ongoing”. Also, agencies and companies in other countries such as Belgium, Canada, Germany, Israel, Mexico, Spain, the United Kingdom, and the United Arab Emirates were affected.
So far, it is unclear what damage, if any, was caused by the attacks and what data was accessed. According to reports, in some cases, internal communications were accessed and various documents were copied, with documents relating to ongoing product development, in particular, attracting the attackers’ interest. In an interview published by the U.S. State Department, U.S. Secretary of State Michael R. Pompeo claimed Russia was responsible for the attack.
“This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity.”
Among those affected, Microsoft is being most viral regarding the hack. In a blog post published on December 31, the company even admitted that the hackers had access to its source codes. According to that post, they were able to view the code but not modify it. Still, this could pose a significant security risk, as the attackers can now study the software’s architecture and look for possible entry points. Microsoft won’t reveal which tool’s source codes the attackers had access to. It also identified more than 40 of its own customers who were targeted.
Microsoft President Brad Smith wrote:
“This is not just an attack on specific targets but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.”
This cyber-attack shows the importance of strong cybersecurity for every company and private user, as even tech-giants and fundamental U.S. authorities were victims of this attack. In particular, access to Microsoft’s source codes could be the ground for further attacks on high- and low-profile targets, as Microsoft’s tools are used in businesses of all sizes and by individuals as well.
11. April 2016
A multimillion-dollar settlement in a class-action lawsuit against Sony Pictures Entertainment filed by former employees, whose personal data was stolen when a data bleach took place, was appoved by an US District Judge last week.
About 437,000 people were affected by the data breach from the time of the 2014 hack through 2017. In terms of the settlement Sony agreed to provide theft protection and an optional service covering up to $1 million in losses and furthermore, create a fund to cover any additional losses. As the deadline for workers to sign up for credit protection and reimbursement has not yet passed, the exact amount of money for setteling is not yet available. However, up until today Sony had to pay $7 million in order to notify the people beingt affected by the breach and to establish a fund to compensate them. Nevertheless, this amount does not take millions of dollars into account that Sony had to pay for credit monitoring services and for attorney fees. Until now, 18,000 people have signed up for the mentioned optional service retailing for $350.
During the data breach sensitive personal data concerning current and former Sony Pictures Entertainment employees was stolen and posted online. The data breach was due to hackers, who broke into the company computers and released thousands of emails, documents and sensitive personal information.
