More stories

  • Google details commercial spyware that targets both Android and iOS devices

    Google has warned of an enterprise-grade spyware strain targeting Android and iOS mobile device users. According to Google Threat Analysis Group (TAG) researchers Benoit Sevens and Clement Lecigne, as well as Project Zero, a distinct government and enterprise-grade iOS and Android spyware variant is now in active circulation. Victims have been located in Italy and Kazakhstan.

    The spyware, dubbed Hermit, is modular surveillanceware. After analyzing 16 out of 25 known modules, Lookout cybersecurity researchers said the malware will try to root devices and has features including: recording audio, redirecting or making phone calls, stealing swathes of information such as SMS messages, call logs, contact lists and photos, and exfiltrating GPS location data.

    Lookout’s analysis, published on June 16, suggested that the spyware is sent via malicious SMS messages. TAG’s conclusion is similar, with unique links sent to a target masquerading as messages sent by an internet service provider (ISP) or a messaging application. “In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity,” Google says. “Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity.”

    The Lookout team could only secure an Android version of Hermit, but now Google’s contribution has added an iOS sample to the investigation. Neither sample was found in official Google or Apple app repositories. Instead, the spyware-laden apps were downloaded from third-party hosts. The Android sample requires a victim to download an .APK after allowing the installation of mobile apps from unknown sources. The malware disguised itself as a Samsung app and used Firebase as part of its command-and-control (C2) infrastructure. “While the APK itself does not contain any exploits, the code hints at the presence of exploits that could be downloaded and executed,” the researchers say.

    Google has notified Android users impacted by the app and made changes in Google Play Protect to protect users from the app’s malicious activities. Additionally, the Firebase projects associated with the spyware have been disabled.

    The iOS sample, signed with a certificate obtained from the Apple Developer Enterprise Program, contained a privilege escalation exploit that could be triggered by six vulnerabilities. While four (CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907) were known, two others — CVE-2021-30883 and CVE-2021-30983 — were suspected of being exploited in the wild as zero-days before Apple patched them in December 2021. The iPad and iPhone maker has also revoked the certificates associated with the Hermit campaign.

    Google and Lookout say that the spyware is likely attributable to RCS Lab, an Italian company in operation since 1993. RCS Lab told TechCrunch that the firm “exports its products in compliance with both national and European rules and regulations,” and “any sales or implementation of products is performed only after receiving an official authorization from the competent authorities.”

    Hermit’s circulation only highlights a broader issue: the thriving spyware and digital surveillance industry. Last week, Google testified at the EU Parliamentary Committee of Inquiry’s hearing on the use of Pegasus and other commercial-grade spyware. TAG is currently tracking over 30 vendors that offer exploits or spyware to government-backed entities, and according to Charley Snyder, Head of Cybersecurity Policy at Google, while their use may be legal, “they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers & politicians.” “That’s why when Google discovers these activities, we not only take steps to protect users, but disclose that information publicly to raise awareness & help the ecosystem,” Snyder commented.

  • Scalper bots are snapping up appointments for government services in Israel

    Scalper bots are causing chaos for the Israeli government by trying to turn access to public services into a cash cow. Bots, otherwise known as web robots, are automatic systems programmed to perform specific functions. Not all bots are bad; some index web content, others provide chat functions for business customers, and […]

  • CISA: Hackers are still using Log4Shell to breach networks, so patch your systems

    The flaw in the application-logging component Log4j known as “Log4Shell” should have been patched by organisations months ago, but some systems that haven’t been patched with available updates are still being used by hackers to gain access to business networks. The Cybersecurity & Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command […]

  • When I reset my Windows PC, I ended up with Home edition. How do I get my Pro upgrade back? [Ask ZDNet]

    Relax: If you reinstall Windows Pro, the activation servers will restore the activation without a squawk. Welcome to the latest installment of Ask ZDNet, where we answer the questions that make your IT guy reach for the Tums. In the mailbag this week: A user paid for an upgrade to Windows 10 Pro […]

  • CISA warns over software flaws in industrial control systems

    The US Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations to check recently disclosed vulnerabilities affecting operational technology (OT) devices, which should be isolated from the internet but often aren’t. CISA has released five advisories covering multiple vulnerabilities affecting industrial control systems discovered by researchers at Forescout.

    Forescout this week released its report “OT:ICEFALL”, which covers a set of common security issues in software for operational technology (OT) devices. The bugs it disclosed affect devices from Honeywell, Motorola, Siemens and others. OT is a subset of the Internet of Things (IoT): OT covers industrial control systems (ICS) that may be connected to the internet, while the broader IoT category includes consumer items like TVs, doorbells, and routers. Forescout detailed the 56 vulnerabilities in a single report to highlight these common problems.

    CISA has released five corresponding Industrial Control Systems Advisories (ICSAs), which it said provide notice of the reported vulnerabilities and identify baseline mitigations for reducing the risk from these and other cyberattacks. The advisories include details of critical flaws affecting software from Japan’s JTEKT, three flaws affecting devices from US vendor Phoenix Contact, and one affecting products from German firm Siemens.

    The ICSA-22-172-02 advisory for JTEKT TOYOPUC details missing authentication and privilege escalation flaws. These have a severity rating of 7.2 out of 10. Flaws affecting Phoenix devices are detailed in the advisories ICSA-22-172-03 for Phoenix Contact Classic Line Controllers; ICSA-22-172-04 for Phoenix Contact ProConOS and MULTIPROG; and ICSA-22-172-05 for Phoenix Contact Classic Line Industrial Controllers. The Siemens software with critical vulnerabilities is detailed in the advisory ICSA-22-172-06 for Siemens WinCC OA. It’s a remotely exploitable bug with a severity score of 9.8 out of 10.

    “Successful exploitation of this vulnerability could allow an attacker to impersonate other users or exploit the client-server protocol without being authenticated,” CISA notes. OT devices should be air-gapped on a network, but often they’re not, giving sophisticated cyber attackers a broader canvas to penetrate.

    The 56 vulnerabilities identified by Forescout fell into four main categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates, and remote code execution via native functionality. The firm published the vulnerabilities (CVEs) as a collection to illustrate that flaws in the supply of critical infrastructure hardware are a common problem.

    “With OT:ICEFALL, we wanted to disclose and provide a quantitative overview of OT insecure-by-design vulnerabilities rather than rely on the periodic bursts of CVEs for a single product or a small set of public, real-world incidents that are often brushed off as a particular vendor or asset owner being at fault,” Forescout said. “The goal is to illustrate how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them and the often-false sense of security offered by certifications significantly complicate OT risk management efforts,” it said.

    As the firm details in a blog post, there are some common faults that developers should be aware of:

      • Insecure-by-design vulnerabilities abound: More than a third of the vulnerabilities it found (38%) allow for compromise of credentials, with firmware manipulation coming in second (21%) and remote code execution coming third (14%).
      • Vulnerable products are often certified: 74% of the product families affected have some form of security certification, and most of the issues it warns of should be discovered relatively quickly during in-depth vulnerability discovery. Factors contributing to this problem include limited scope for evaluations, opaque security definitions and a focus on functional testing.
      • Risk management is complicated by the lack of CVEs: It is not enough to know that a device or protocol is insecure. To make informed risk management decisions, asset owners need to know how these components are insecure. Issues considered the result of insecurity by design have not always been assigned CVEs, so they often remain less visible and actionable than they ought to be.
      • There are insecure-by-design supply chain components: Vulnerabilities in OT supply chain components tend not to be reported by every affected manufacturer, which contributes to the difficulties of risk management.
      • Not all insecure designs are created equal: None of the systems analyzed support logic signing and most (52%) compile their logic to native machine code. 62% of those systems accept firmware downloads via Ethernet, while only 51% have authentication for this functionality.
      • Offensive capabilities are more feasible to develop than often imagined: Reverse engineering a single proprietary protocol took between 1 day and 2 weeks, while achieving the same for complex, multi-protocol systems took 5 to 6 months.

  • These hackers are spreading ransomware as a distraction – to hide their cyber spying

    A group of likely state-backed cyber attackers has adopted a new loader to spread five different kinds of ransomware in a bid to hide their true espionage activities. On Thursday, cybersecurity researchers from Secureworks published new research on HUI Loader, a malicious tool that criminals have used widely since 2015. Loaders […]

  • NSA, CISA say: Don't block PowerShell, here's what to do instead

    Cybersecurity authorities from the US, the UK, and New Zealand have advised businesses and government agencies to properly configure Microsoft’s built-in Windows command-line tool, PowerShell – but not to remove it. Defenders shouldn’t disable PowerShell, a scripting language, because it is a useful command-line interface for Windows that can help with […]