CyberWire Daily - Apple's clickless exploit.
Episode Date: January 2, 2024
A zero-click exploit affects iPhones belonging to Kaspersky employees. A GRU cyber campaign incorporates novel malware. The Indian government targets Apple over hacking attempts. Microsoft disables App Installer. Australian courts’ AV is compromised. A BlackBasta decryptor is released. Cyber Toufan claims attacks against Israeli targets. Patients in Oklahoma face online extortion. LoanCare customers’ data is at risk. Google settles a private browsing lawsuit. Barracuda patches a zero-day. That Chinese spy balloon was making a local call. And then Caleb Barlow, a friend of our show, shares password security tips you should know.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Caleb Barlow, CEO of Cyberbit, joins us today to share helpful tips to remember those passwords.
Selected Reading
4-year campaign backdoored iPhones using possibly the most advanced exploit ever (Ars Technica)
New malware found in analysis of Russian hacks on Ukraine, Poland (The Record)
Russian Military Intelligence Blamed for Blitzkrieg Hacks (GovInfo Security)
India targets Apple over its phone hacking notifications (Washington Post)
Microsoft disables App Installer after observing financially motivated threat actor activity (Cybernews)
Cyber attack on Victoria's court system may have exposed recordings of sensitive cases (ABC News)
New Black Basta decryptor exploits ransomware flaw to recover files (Bleeping Computer)
Pro-Palestinian operation claims dozens of data breaches against Israeli firms (The Record)
Integris Health patients get extortion emails after cyberattack (Bleeping Computer)
AG: Corewell Health reports another data breach; affects 1 million patients (The Oakland Press)
LoanCare Notifying 1.3 Million of Data Breach Following Cyberattack on Parent Company (Security Week)
Google settles $5 billion consumer privacy lawsuit (Reuters)
Barracuda fixed a new ESG zero-day exploited by Chinese group UNC4841 (Security Affairs)
U.S. intelligence officials determined the Chinese spy balloon used a U.S. internet provider to communicate (NBC News)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A zero-click exploit affects iPhones
belonging to Kaspersky employees.
A GRU cyber campaign incorporates novel malware.
The Indian government targets Apple over hacking attempts.
Microsoft disables App Installer.
Australian courts' AV is compromised.
A Black Basta decryptor is released.
Cyber Toufan claims attacks against Israeli targets.
Patients in Oklahoma face online extortion.
LoanCare customers' data is at risk.
Google settles a private browsing lawsuit.
Barracuda patches a zero-day.
That Chinese spy balloon was making a local call.
And then Caleb Barlow, a friend of our show,
shares password security tips you should know.
Happy New Year, everyone. It is Tuesday, January 2nd, 2024.
I'm Dave Bittner, and this is your CyberWire Intel briefing. The big story breaking over the holidays involves compromised iPhones in Russia. Ars Technica reports that iPhones belonging to Kaspersky employees were targeted by an advanced
exploit over the course of four years. Dubbed Triangulation, this campaign targeted a wide
range of individuals, including those working in diplomatic missions and embassies in Russia.
The attack was executed through iMessage texts, installing malware without any action from the recipient.
This spyware was capable of transmitting a variety of sensitive data,
including microphone recordings and geolocation, to attacker-controlled servers.
Interestingly, the malware did not survive a device reboot, but the attackers circumvented this by sending new malicious texts after a reboot.
The Triangulation campaign exploited four critical zero-day vulnerabilities,
which were unknown to Apple at the time of discovery.
These vulnerabilities, now patched by Apple, affected not only iPhones,
but other Apple devices like Macs, iPads, Apple TVs, and Apple Watches.
One of the most striking aspects of this attack was its
exploitation of a hidden hardware feature in Apple devices. This feature allowed the attackers to
bypass robust hardware-based memory protections that are typically difficult to defeat. These
protections prevent attackers from executing post-exploitation techniques even after compromising the system's kernel.
Kaspersky's discovery of this hidden hardware function came after extensive reverse engineering
of infected devices. Their research led them to hardware registers and memory-mapped inputs and
outputs, which the attackers used to bypass memory protections. The MMIO addresses used by the attackers were not listed in any device
tree or found in source codes, kernel images, and firmware, underscoring the obscurity and
sophistication of the attack. Russia's FSB has for some time accused Apple of colluding with the US
NSA. In this case, however, Kaspersky explicitly declined to make any attribution,
telling Ars Technica,
Currently, we cannot conclusively attribute this cyberattack to any known threat actor.
The unique characteristics observed in Operation Triangulation don't align with patterns of known
campaigns, making attribution challenging at this stage.
Staying in Russia for a moment,
between December 15th and the 25th,
a phishing campaign targeting Polish and Ukrainian entities
was linked to Russia's GRU,
specifically the APT28 unit, also known as Fancy Bear.
CERT-UA released details from their investigation,
revealing that the attack involved redirecting victims to a website that utilized JavaScript in the ms-search application protocol.
This process resulted in the download of a shortcut file, which, when opened, triggered a PowerShell command.
This command facilitated the download and execution of a decoy document, the Python interpreter, and a file
identified as MASEPIE. The Record highlighted that the campaign seems designed to spread through
networks, not just infect individual devices. GovInfo Security indicated that Russia's historical
patterns suggest such attacks could be precursors to larger cyber or physical assaults.
Shortly after Apple warned independent Indian journalists and opposition politicians about
potential government hacking attempts, India's Modi administration took action against Apple,
the Washington Post reports. Officials from the Bharatiya Janata Party
questioned Apple's threat algorithms
and initiated an investigation into the security of Apple devices.
In private meetings, senior Modi administration officials
demanded that Apple help mitigate the political impact of the warnings.
They even summoned an Apple security expert to New Delhi
to propose alternative explanations for the warnings.
The campaign targeted individuals critical of Prime Minister
Modi or his ally, Gautam Adani. Notably, journalists Anand Mangnale and Ravi Nair of the
Organized Crime and Corruption Reporting Project were among those warned. A forensic analysis revealed that within 24 hours of contacting Adani for a story,
Mangnale's phone was infiltrated with Pegasus spyware,
developed by Israeli company NSO Group and allegedly sold only to governments.
Despite denials from Adani and the Indian government's refusal to confirm or deny using spyware,
evidence suggests the government's use of these powerful surveillance tools.
Fresh cases of infections among journalists and targeting of opposition politicians
add to this evidence.
Microsoft has deactivated its ms-appinstaller protocol handler
due to its exploitation by threat actors,
including Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674.
These groups have been leveraging the ms-appinstaller URI scheme
to distribute malicious software, including ransomware, since mid-November of 2023.
To combat this, Microsoft has disabled the App Installer handler by default, following observations of the handler's misuse
as an entry point for malware through malevolent advertisements on popular search engines and
Microsoft Teams. The reported misuse involves spoofing legitimate applications and evading initial detection,
with cybercriminals also selling malware kits exploiting the MSIX file format and the ms-appinstaller protocol.
We note that Microsoft is an N2K partner.
In Australia, Victoria's court system was compromised by a ransomware attack,
suspected to be orchestrated by Russian hackers
using commercial ransomware known as Qilin.
Hackers accessed the court's AV archive,
AV in this case referring to the data types compromised in their audiovisual system
and not to antivirus software that could have prevented the attack.
They potentially obtained recordings of sensitive court hearings
between November 1st and December 21st.
Court Services Victoria is contacting affected individuals
and has set up a contact center.
The attack led to staff being locked out with a message indicating a breach.
CSV has isolated and disabled the affected network, ensuring that court
operations remain unaffected. Researchers from SRLabs have released a decryptor for the Black
Basta ransomware, allowing victims of the ransomware since November 2022 to recover their
files. Bleeping Computer reports that Black Basta's developers last week patched the flaw
exploited by the decryptor so it won't work for newer attacks. Pro-Palestinian hackers Cyber Toufan
claimed a series of cyber attacks against numerous Israeli entities amid the Gaza war,
extending the conflict into cyberspace. They promised daily leaks through December
and reportedly released data from 60 sites,
including both Israeli and international firms
like SpaceX, Toyota, and IKEA.
Cybersecurity expert Kevin Beaumont
described the group as incredibly well-organized
and disruptive, targeting a wide range of entities
and causing lasting damage,
with many victims still
struggling to recover weeks later. The group, which denies being a mere tool of any state,
has shown a sophisticated level of operation, with some attributing its actions to potential
Iranian backing. Their tactics have varied with battlefield events, pausing leaks during
ceasefires, indicating a strategic approach to cyber warfare.
As the conflict continues, so does Cyber Toufan's promise
of persistent cyber-targeting against Israeli interests.
Patients of Integris Health in Oklahoma are being blackmailed
with threats to sell their stolen data,
including social security numbers and medical information,
if an extortion demand isn't met.
The not-for-profit Health Network, which suffered a cyber attack in November,
confirmed the theft but has not provided details about the incident.
The extortion emails sent on December 24th
directed patients to a dark website listing personal data for sale.
Integris Health has advised against responding to these emails and is aware of the situation.
The mode of extortion resembles that used by the Hunters International ransomware gang in a
previous attack, suggesting a possible link. However, paying the ransom does not guarantee data safety and might invite further extortion.
Meanwhile, a cybersecurity breach at Corewell Health and its vendor HealthEC has affected over 1 million Michigan residents,
compromising personal data and medical data, including Social Security and insurance information.
Corewell Health proactively informed the Attorney General's office, which
isn't required by Michigan law. The incident is one of several recent breaches in the region,
including another at Corewell Health and attacks on McLaren Healthcare and the University of Michigan.
LoanCare, a subsidiary of Fidelity National Financial, FNF, is notifying over 1.3 million individuals about
a data breach stemming from a cyber attack on FNF's internal systems. Discovered on November
19th and contained a week later, the incident led to the exfiltration of personal details like
names, addresses, social security numbers, and loan numbers. While there's no evidence of fraudulent use of the stolen data yet,
LoanCare is offering free identity monitoring services.
The BlackCat/ALPHV ransomware group has claimed responsibility for the attack.
Despite recent law enforcement actions against their operations,
the group remains active.
Google has tentatively settled a lawsuit
alleging it secretly tracked millions of users' internet activities, even while they were in
incognito or private browsing modes. Initially seeking at least $5 billion, the terms of the
settlement reached through mediation are not yet public but are expected to be formally
presented by February 24th of this year. The lawsuit, filed in 2020, claimed Google collected
data on users' personal interests and activities through analytics and cookies despite privacy
settings since June 1st, 2016. The plaintiffs argued this violated federal wiretapping and California privacy laws.
On December 21, Barracuda began issuing updates to address a zero-day vulnerability in its Email Security Gateway appliances, actively exploited by the Chinese hacker group UNC4841.
This flaw stems from a third-party library, Spreadsheet::ParseExcel, used in the Amavis virus scanner of the ESG appliances. Attackers could execute arbitrary code via a crafted Excel email
attachment. Barracuda observed deployment of new SEASPY and SALTWATER malware variants following
the exploitation.
A patch was released on December 22nd to fix compromised appliances.
Coming up after the break,
my conversation with Caleb Barlow
with a novel approach to password security.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And it is always my pleasure to welcome back to the show Caleb Barlow.
He is the CEO at Cyberbit.
Caleb, welcome back.
Oh, thank you, Dave.
So I was talking with a friend the other
day about passwords, and she thought that she was very clever because she was sure that she'd come
up with a foolproof system for her passwords. And I listened to her attentively and then I shook my head and I explained to her
why having a system, a little code that you change
from time to time isn't really going to be effective.
This struck me as the kind of thing
that I might enjoy a chat with you about.
So what's the latest with you, Caleb,
when it comes to trying to make heads or tails
of long passwords?
Well, you know, I'll tell you where a lot of this conversation came from.
I do a lot of like compliance meetings for Wall Street firms, right?
Wall Street firms have to have their, you know, kind of annual cybersecurity compliance.
So, you know, sometimes I get invited down to kind of walk people through the basics.
And, well, passwords are always a hot topic.
And it was funny.
Recently, I had a CEO of a Wall Street firm
really come up to me afterwards not happy
because I told everybody how, you know,
with the kind of GPU processors that you'd find
in things like ChatGPT nowadays,
you know, you can break a rather long,
let's say like an eight-character password
in under a second,
just by brute forcing all the possibilities.
And it's not until you get to like 12 characters that it's eight months; 13 characters is 47 years.
And that's with the cracking capability today.
So, you know, he just kind of threw his hands up, completely frustrated with me.
I can't remember anything that long.
So, I have an answer for this. All right. It involves children's books, Dave. So
here I have like... Sounds like my level. Yeah, totally. I have Go Dog Go from Dr. Seuss,
a really good one for passwords. One fish, two fish, red fish, blue fish. And here's the point,
right? You know, when you're trying to come up with a password, the challenge is being creative. And we've talked about in the past,
the importance of using a phrase. So the first thing you want to do, and I'll get to the Dr.
Seuss books in a second, but the first thing you want to do is come up with a salt. So, you know,
because you need like that upper and lowercase character, a number, a, you know, a special
character. And of course, what do you use for your special character?
Everybody uses exclamation point, right? Right.
You know, whatever it is, your sports team, put an exclamation point at the end. It sounds great.
Done. Yeah.
But what about like the poor tilde or like the percent mark?
Right.
Or maybe like even a parentheses? Let's work some of those in. So first of all, pick a salt, not one, two, three
exclamation point, but pick a set of numbers and a special character. And go ahead and use that salt
over and over again. But then you turn to Dr. Seuss. And the great thing about Dr. Seuss is
you get these great little phrases that are 13 to 14 characters. Oh me, oh me, oh my, you know, one fish, two fish, red fish, blue fish.
I'm not going to get up today. Another great Dr. Seuss book. And, you know, listeners can't see
this, but I have a pile of Dr. Seuss books in front of me showing Dave. Sam I Am. Oh, Sam I Am
is a good one. I would not, could not. I would not, could not, should not, right? But the great
thing about a children's book is you can do two things.
One, you can come up with some ideas
that are actually kind of fun and easy to remember.
But if you really want to cheat
and you keep track of your passwords like I do,
which is you just write them down in a book,
you know, and you know, I also use a,
you know, like browser storage of passwords
in a password vault.
But, you know, one of the great things
about a children's book,
get an old children's book
and write where you use the password
right next to the phrase.
You keep that little book on the shelf.
Nobody is going to think you were stupid enough to keep your passwords in a children's book.
That's right.
It's a great, fun way to have things that are completely unique on a regular basis.
I like it.
I like it.
Do you suppose that it's time to jettison the whole notion of passwords, and we should switch to using passphrases?
100%.
And, you know, actually, Dave, that's what I'm trying to encourage people to do here, right?
And phrases are hard.
You know, we can kind of be creative.
You can look around the room, pick an object or a favorite sports team or something for a password.
But, of course, with rainbow tables, you know, all the sports teams are in
there. All the common names are in there. All the common variations are in there. Phrases are not so
much, which again is why I really like using a book. And, you know, I tried, I tried using Rick
Howard's new book, but the language is just, it's just too complicated for me. I can't memorize
that. It's no star-bellied sneetches. No, no, exactly.
Or one, you know, think one, think two, think three.
So the point is, go find Dr. Seuss
or whatever your favorite children's book is,
and you have an endless array of really awesome phrases to use
that are super fun and easy to remember.
Yeah, yeah.
And darn near impossible to crack.
Yeah, I'd say so.
All right.
I like it.
I like it.
Caleb Barlow, thanks so much for joining us.
Cyber threats are evolving every second. […] suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And finally, remember the Chinese intelligence collection balloon
that floated across North America
until the U.S. Air Force shot it down off Myrtle Beach
on February 4th of last year?
NBC News reports that it was communicating with its controllers via a US ISP
and that the communications were mostly for navigation,
probably position reporting,
since the balloon would have been drifting
whither the wind listeth
and not really under controlled flight.
Which ISP was being used hasn't been reported.
The Chinese embassy reiterated its earlier claim that the craft was nothing more than a weather balloon. Affected by the Westerlies and
with limited self-steering capability, the airship deviated far from its planned course.
Whither the wind listeth.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine
of many of the most influential leaders
and operators in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's preeminent
intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment,
your people. We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin.
Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
[…] solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI
and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.