Newsletter
09.21.2021 | 6 min read
Stop legitimizing parasite 0day companies
- The most clicked link from last week was the U.S. government’s case (.pdf) against a trio of ex-NSA hackers who were caught doing cyber-espionage work for the United Arab Emirates.
Notes.
- My personal thanks to all the CISOs and security leaders who generously shared their time and expertise with us at the CISO Forum last week. It was an incredible thrill for me to participate in these conversations.
Monday blues.
Chris Soghoian was absolutely right all those years ago. Back in 2012, the privacy rights activist warned us all against accepting and legitimizing the work of exploit brokers and researchers hawking zero-days to governments around the world.
Soghoian’s cautionary words from 2012:
“Governments are going to use zero-days, we have to deal with this. But the middle-man firms that buy exploits and resell them to governments are a ticking bomb. Security researchers should not be selling zero-days to middle man firms. This trade is not legitimate and we should not legitimize them.
“These firms are cowboys and if we do nothing to stop them, they will drag the entire security industry into a world of pain.”
At the time, Soghoian was referring to VUPEN (now Zerodium), FinFisher and HackingTeam when he warned of the risk of zero-day exploit blowback. “It’s not a matter of if, but when,” he added.
Well, here we are.
Soghoian’s presentation and warnings (see slides from VB) pop to mind this week as I read about two U.S. companies caught supplying zero-days to foreign governments, only to find those exploits used to aim high-end spyware at Americans.
First up, we have Denver, Colorado-based Accuvant (now Optiv), caught developing and selling a powerful iPhone exploit to UAE operators who turned around and used it to spy on human rights activists.
A few days later, Forbes identified Texas-based Exodus Intelligence as the supplier of multiple zero-days used in murky .gov malware campaigns in several countries throughout Asia. Shoutout to my former colleagues at Kaspersky for dropping the “Moses” hint in July and for continued brilliant work exposing these players.
It’s not too late to heed Soghoian’s warning and stop legitimizing these private sector offensive actors. These aren’t cybersecurity companies helping to solve security problems. These are parasites cashing in on an unregulated space, making things worse for the rest of us.
Kudos to the journalists and researchers exposing their operations.
_ryan
On to the newsletter…
Apple, iOS 15, and different types of software updates.
Apple released iOS 15 yesterday with a handful of security and privacy goodies. The update is available from Settings > General > Software Update, but it’s super interesting that Apple isn’t pushing this update to users. Instead, Apple has added a ribbon at the bottom of the Software Update page, treating it as something optional.
Then, I noticed this throwaway line in the iOS 15 literature that should get some extra attention:
How does Apple differentiate between “the most complete set of security updates” and some other category of “important security updates”? Apple will be withholding security patches from iOS 14 devices, but how and why? Very weird stuff at a very sensitive time for Apple.
Mercenary hacker things.
I touched on this in the preamble today but calling out these stories for extra attention:
- This US company sold iPhone hacking tools to UAE spies: An American cybersecurity company named Accuvant (now Optiv) was behind a 2016 iPhone hack sold to a group of mercenaries and used by the United Arab Emirates.
- Great reporting by Thomas Brewster on Exodus Intelligence, an American company that now fears its Windows software exploits helped India spy on China and Pakistan.
- Kim Zetter interviews David Evenden, a former NSA hacker who was recruited to Abu Dhabi to do cybersecurity work, only to realize he had been deceived and he was actually lured there to hack for the UAE government.
Hacking back at ransomware gangs.
CrowdStrike co-founder Dmitri Alperovitch wants to see a “hacking back” component to the U.S. government’s response to the ransomware menace.
“An aggressive campaign would target the foundation of ransomware criminals’ operations: their personnel, infrastructure and money,” Alperovitch writes. “Such a campaign could reveal personal details about the perpetrators, take down the ransom payment servers they are using to conduct operations, seize their cryptocurrency wallets and perhaps even introduce subtle bugs into their code that enable victims to unlock their data without paying a ransom.”
Super slippery slope, but these are important conversations and I’m glad some of it is seeping out into the public domain.
Major vulnerability alerts.
If you’re responsible for security response, these are the things worth paying attention to:
- VMware is calling immediate attention to CVE-2021-22005, a file-upload vulnerability in the vCenter Server Analytics service that carries a CVSSv3 base score of 9.8. “This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.” Patch info here.
- Microsoft confirms a trio of gaping security holes in the OMI framework (Open Management Infrastructure) and provides some guidance to hunt for signs of exploitation. Credit to the ex-Microsoft guys now at Wiz for this discovery. This is going to be a slog to patch.
- Although iOS 15 isn’t being pushed as a mandatory update, it does contain fixes for at least 22 documented security defects, some serious enough to lead to code execution attacks. It’s also very likely that Apple shipped a ton of silent, under-the-hood security mitigations. Review and patch.
- Microsoft has published some new information on the Office/MSHTML zero-day attacks, noting that the attacks were extremely targeted (fewer than 10 victims) and were likely the work of human-operated ransomware operators.
- When you’re done browsing, reboot your Chrome browser to absorb these high-severity security updates.
Security research.
- Tom McGuire, a senior instructor and cybersecurity focus area coordinator at Johns Hopkins, documents his work reversing Apple’s patch for CVE-2021-30860 (a zero-click iOS/macOS vulnerability exploited in the wild), highlighting both the underlying flaw and Apple’s fix.
- Patrick Wardle shares new research into trojanized apps spreading new macOS malware via sponsored search engine results.
- On the day Apple released iOS 15, a Spanish security researcher disclosed an iPhone lock screen bypass that can be exploited to grant attackers access to a user’s notes.
- GitHub and 1Password have a neat giveaway for open source projects.
Newsworthy bits.
- Cyberscoop reports that the U.S. Treasury Department on Tuesday announced sanctions against a cryptocurrency exchange for facilitating transactions involving money illegally gained via ransomware hacking, the first action of its kind. Here’s the .gov doc describing the sanctions.
- Katie Moussouris peels back the curtain on one of those fake, feel-good PR announcements.
- Microsoft has snagged Amazon’s Charlie Bell to head up a newly formed engineering organization covering security, compliance, identity and management.
Tangentially.
- Down memory lane: The first and last time AIM was hacked.
P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.