More stories

  • Saudi human rights activist files lawsuit against former US intelligence operatives for hacking scandal

    Saudi human rights activist Loujain al-Hathloul has filed a lawsuit against spyware maker DarkMatter Group and three former US intelligence operatives for their role in helping the United Arab Emirates hack into her iPhone and track her movements. al-Hathloul is one of several people the DarkMatter Group hacked, and three executives at the firm — 49-year-old Marc Baier, 34-year-old Ryan Adams and 40-year-old Daniel Gericke — were fined by the Justice Department in September for their role in helping oppressive governments like the UAE violate several US laws. 

    The three were part of Project Raven, an effort by the UAE to spy on human rights activists, politicians, journalists, and dissidents opposed to the government during the Arab Spring protests. In 2019, both Reuters and The Intercept conducted in-depth investigations into the work of Project Raven and DarkMatter after members of the team raised concerns about the hacking UAE officials were requesting. The case sparked widespread concern about how former officials at the National Security Agency (NSA) and other US spy agencies were spreading the tactics they learned while hacking for the US government. al-Hathloul’s lawsuit was filed by the Electronic Frontier Foundation (EFF) and the law firms Foley Hoag LLP and Boise Matthews LLP. EFF said DarkMatter was working for the UAE but hacked al-Hathloul’s iPhone on behalf of the Kingdom of Saudi Arabia, noting that DarkMatter used an iMessage vulnerability to monitor people’s devices. EFF attorney Mukund Rathi said this is a “clear-cut case” of device hacking, where DarkMatter operatives broke into al-Hathloul’s iPhone without her knowledge to insert malware, with horrific consequences.

    “This kind of crime is what the Computer Fraud and Abuse Act was meant to punish,” Rathi said, adding that the lawsuit includes claims that DarkMatter is liable for crimes against humanity for helping the UAE hack many human rights defenders. Baier, Adams, and Gericke bought the malicious code from a US company during their time building out the UAE cybersurveillance program, according to EFF.

    “No government or individual should tolerate the misuse of spy malware to deter human rights or endanger the voice of the human conscious. This is why I have chosen to stand up for our collective right to remain safe online and limit government-backed cyber abuses of power,” al-Hathloul said. “I continue to realize my privilege to possibly act upon my beliefs. I hope this case inspires others to confront all sorts of cybercrimes while creating a safer space for all of us to grow, share, and learn from one another without the threat of power abuses.”

    al-Hathloul gained prominence in 2014 when she pledged to drive across the border from the UAE into Saudi Arabia, where it was illegal for women to drive until 2018. She was stopped at the Saudi border and detained for 73 days. al-Hathloul also campaigned for women’s rights in Saudi Arabia, where women face significant discrimination and violence in addition to legal rules mandating male permission for work and travel. In the lawsuit, EFF lawyers said al-Hathloul’s iPhone was hacked by DarkMatter in 2017, violating the Computer Fraud and Abuse Act because the malicious code was directed to Apple services in the US. DarkMatter gained access to all of al-Hathloul’s emails, texts and real-time location, according to EFF. al-Hathloul was eventually arrested while driving in Abu Dhabi and extradited to Saudi Arabia, where she was jailed, electrocuted, flogged, and threatened with rape and death.

    “Companies that peddle their surveillance software and services to oppressive governments must be held accountable for the resulting human rights abuses,” EFF civil liberties director David Greene said. “The harm to Loujain al-Hathloul can never be undone. But this lawsuit is a step toward accountability.”

    The Justice Department faced backlash in September for not imposing harsh enough penalties on Baier, Adams, and Gericke after their work was revealed by several news outlets. The three “entered into a deferred prosecution agreement” that allows them to avoid prison sentences in exchange for paying $1,685,000 “to resolve a Department of Justice investigation regarding violations of US export control, computer fraud, and access device fraud laws.” Baier will be forced to pay $750,000, Adams will pay $600,000, and Gericke will pay $335,000 over a three-year term. All three will also be forced to cooperate with the FBI and DOJ on other investigations and to relinquish any foreign or US security clearances. They are also permanently banned from holding future US security clearances and will be restricted from any jobs involving computer network exploitation, working for certain UAE organizations, exporting defense articles, or providing defense services.

    EFF Cybersecurity Director Eva Galperin noted that Project Raven went beyond even the tactics deployed by the NSO Group, which has been caught repeatedly selling its spyware to authoritarian governments. “DarkMatter didn’t merely provide the tools; they oversaw the surveillance program themselves,” Galperin said.

  • Meta expands ban on Myanmar military after $150 billion lawsuit

    Meta announced this week that it is expanding its ban on members of the Myanmar military, known as the Tatmadaw. This comes after Rohingya refugees filed two class action lawsuits against Meta in the US and UK for about $150 billion. Meta said it will now “remove Pages, Groups and accounts representing military-controlled businesses.” The company made a similar statement earlier this year when the military staged a coup and removed democratically elected leader Aung San Suu Kyi.

    “This builds on our existing ban on these entities advertising on Facebook, which was announced in February, and the various enforcement actions we’ve taken since then which are outlined below,” said Rafael Frankel, director of policy for Meta in APAC-Emerging Countries, referencing this Meta newsroom post. “We’re taking this latest action based on extensive documentation by the international community of these businesses’ direct role in funding the Tatmadaw’s ongoing violence and human rights abuses in Myanmar.”

    Meta did not say how this move differs from the one in February, and many online criticized it as a cynical ploy to deflect criticism coming from the billion-dollar lawsuit. Frankel noted that the move was made in light of the sanctions handed down by the US, EU, and other governments. But Frankel added that the Tatmadaw “has far-reaching commercial interests which are not always possible to definitively determine.” Meta is basing its business bans on the UN Fact-Finding Mission on Myanmar’s 2019 report on the economic interests of the Tatmadaw, according to Frankel.

    Facebook has long faced backlash and condemnation for not doing more to stop generals in the Myanmar military from using the platform to incite and organize violence against the Rohingya ethnic group. Around 2013, the generals began using their Facebook pages to stoke hatred against the ethnic minority within the country and justify the rape, torture, abuse, and murder of thousands of people. The US lawsuit from Rohingya refugees this week illustrates how Facebook’s algorithm often recommended extremist groups and violent content to regular citizens of Myanmar, effectively radicalizing the country and spreading support for the ongoing genocide. “At the core of this complaint is the realisation that Facebook was willing to trade the lives of the Rohingya people for better market penetration in a small country in Southeast Asia,” the lawsuit said.

    The military violently drove millions of Rohingya out of the country into a number of neighboring countries including Bangladesh, where most are still living in squalid refugee camps. Facebook eventually banned the generals from using the platform and admitted in 2018 that senior military leaders in Myanmar had also spread misinformation about the Rohingya, but refugees have said the move came far too late. The Myanmar military has since expanded its campaign of violence beyond the Rohingya, staging a coup earlier this year and inflicting unrestrained violence on anyone living in the country. Since February, the military has arrested and killed thousands, sparking a revolt that has now spread throughout the country. Facebook previously expanded its ban on posts by the military in April, pledging to remove any praise for the military’s violence against the country’s population.

  • IoT under attack: Security is still not good enough on these edge devices

    With IoT botnets continuing to cause problems and attacks on critical infrastructure an ongoing menace, Microsoft has conducted research to find out whether edge network devices are a threat to enterprise systems. The Microsoft-commissioned survey, conducted by the Ponemon Institute, looked at Internet of Things (IoT) and Operational Technology (OT) devices and the security threats they pose to IT systems that were once separated from edge network devices. OT devices include the hardware and software used to monitor and control industrial equipment, bringing a physical element to cybersecurity. The survey of 615 IT, IT security, and OT security practitioners across the United States found that 51% of OT networks are connected to corporate IT networks. Microsoft details key findings in a blog post and has released a report.

    Some 88% of respondents said their business IoT devices are connected to the internet for things like cloud printing services, while 56% reported devices on their OT network were connected for remote access. Microsoft points to the Mozi P2P IoT botnet, which, for example, targets vulnerabilities in video recorders and other IoT products, including popular network gateways, to spread. Microsoft reckons Mozi demonstrates how business networks can be breached by compromised edge devices that were once assumed to be air-gapped from internal platforms. The Ponemon Institute survey found that only 29% of respondents had a complete inventory of IoT and OT devices. Most respondents (64%) had low or average confidence that their IoT devices are patched, and the same proportion admitted they did not know if the devices had been compromised.

    Multiple attacks on VPN appliances over the past year have also demonstrated that these can be a soft spot in enterprise and industrial networks. The US Cybersecurity and Infrastructure Security Agency (CISA) this week warned organizations of a new set of critical flaws in SonicWall’s popular mobile remote access SMA 100 Series appliances.

    The survey suggests there is awareness among IT managers, since 39% of respondents said they’d experienced an attack on IoT or OT devices in the past two years. Additionally, 35% said they’d experienced an incident where an IoT device was used to conduct a broader attack, such as ransomware, or to gain persistence on a network. And most respondents (63%) believe attacks on IoT/OT devices will significantly increase in coming years.

  • Get patching: SonicWall warns of vulnerabilities in SMA 100 series remote access devices

    SonicWall is warning customers to apply firmware updates to its SMA 100 Series appliances for remote access from mobile devices, in order to patch vulnerabilities of critical and medium severity. SonicWall says in an advisory that it “strongly urges” customers to apply new fixes to address eight flaws that the US Cybersecurity and Infrastructure Security Agency (CISA) warns would allow a remote attacker to take control of an affected system. CISA recommends customers apply the necessary firmware updates “as soon as possible”, in part because these appliances have historically been popular targets for attackers.

    The eight bugs range from critical to medium severity and affect a sensitive piece of the network, since the appliances provide employees with remote access to internal resources. The eight bugs were discovered by researchers at Rapid7 and NCC Group. The most dangerous of them has a severity rating of 9.8 out of a possible 10. SonicWall’s Secure Mobile Access (SMA) 100 Series appliances for small and medium businesses enable secure remote access from mobile devices anywhere via its NetExtender and Mobile Connect VPNs. Affected SMA 100 series appliances include the SMA 200, 210, 400, 410 and 500v products. SonicWall notes its SMA 100 series appliances with WAF enabled are also impacted by the majority of the vulnerabilities.

    “There are no temporary mitigations. SonicWall urges impacted customers to implement applicable patches as soon as possible,” SonicWall notes. It adds that there was no evidence of these vulnerabilities being exploited in the wild. However, now that the bugs have been publicly disclosed, attackers may soon develop exploits for them, especially since bugs in SMA 100 appliances have been exploited quickly in the past. Rapid7 says it “will release the technical details and proof-of-concept code in January 2022 as part of our coordinated vulnerability disclosure process.”

    CISA emphasizes that it warned in July that attackers were actively targeting a previously patched vulnerability in SonicWall SMA 100 series appliances. FireEye’s incident response group Mandiant in May reported that threat actors linked to the notorious DarkSide ransomware-as-a-service were exploiting the flaw (CVE-2021-20016) in SMA 100 series appliances. Highlighting the speed with which attackers exploit new flaws in key equipment, SonicWall had released firmware to address the issues in late April. DarkSide was responsible for the Colonial Pipeline ransomware attack that downed its US East Coast fuel distribution network for nearly a week in May.

  • Google Pixel bug preventing users from making 911 calls caused by Microsoft Teams

    A Google Pixel user last week found a bug that prevented them from being able to call 911 on their device. Initially reported on the GooglePixel subreddit forum by /u/KitchenPictures5849, the user said in a thread that the bug arose whenever a call was made to 911, which would cause their Pixel device to freeze. After conducting an investigation into the matter, Google said the glitch appears to be due to the Microsoft Teams app being installed on Pixel devices. A Google spokesperson said the bug only occurred on Pixel devices running Android 10 or above, when Microsoft Teams was installed but no account was logged into the app. “We believe the issue is only present on a small number of devices with the Microsoft Teams app installed when the user is not logged in, and we are currently only aware of one user report related to the occurrence of this bug. We determined that the issue was being caused by unintended interaction between the Microsoft Teams app and the underlying Android operating system,” the Google spokesperson wrote in the thread.

    The Google spokesperson said both Google and Microsoft have prioritised resolving the issue and that a Microsoft Teams app update would be rolled out soon. In the meantime, Google has advised users with Microsoft Teams installed on any Pixel device running Android 10 or above, and where an account is not logged into the app, to uninstall and reinstall the app. This fix will only address the bug in the interim, however, and a Microsoft Teams app update will still be required to fully resolve the issue. “We advise users to keep an eye out for an update to the Microsoft Teams app, and ensure it is applied as soon as available,” the Google spokesperson said.

  • Queensland government energy generator says ransomware attack not state-based

    Queensland government-owned energy generator CS Energy provided an update on Wednesday that those behind its November ransomware incident were unlikely to be a state-based actor. On the same morning, Sydney’s Daily Telegraph landed with a front page claiming China was behind the incident. Given the appearance of CS Energy on a leak site listing victims of Conti ransomware, run by the Wizard Spider group for the purposes of double extortion, the claims made by News Limited would appear to be unfounded. In September, the US Cybersecurity and Infrastructure Security Agency said the group uses a ransomware-as-a-service model, but instead of paying affiliates a cut of the earnings that come from ransoms, the group pays the deployers of the ransomware a wage. Rob Joyce, director of cybersecurity at the NSA, said at the time that the group has historically targeted critical infrastructure. For its part, CS Energy said it has continued to generate electricity and feed it into the grid since the incident and has “systems and safeguards [with] layers of separation and protection, which enabled it to contain and protect its critical infrastructure”. “Upon becoming aware of the incident, we quickly took further assertive action to physically separate the two environments,” CEO Andrew Bills said.

    “We continue to progressively restore our systems and are working closely with cyber security experts and relevant state and federal agencies.”

    A few days after the incident, the generator, which is one of three generator companies in Queensland, reassured retail customers it would be able to bill them per the usual cycle. Earlier this year, the generator company experienced a fire in its turbine hall at Callide power station that led to outages across the state.

  • With 18,378 vulnerabilities reported in 2021, NIST records fifth straight year of record numbers

    The National Institute of Standards and Technology (NIST) released a graph showing the number of vulnerabilities reported in 2021, finding 18,378 this year. The figure set a record for the fifth straight year in a row, but 2021 was different in some ways. The number of high severity vulnerabilities fell slightly compared to 2020, with 3,646 high risk vulnerabilities this year compared to last year’s 4,381. For 2021, the number of medium and low risk vulnerabilities reported — 11,767 and 2,965 respectively — exceeded those seen in 2020. 
    Opinions on the graph were mixed, with some confused about why there were fewer high-severity vulnerabilities and others saying the report jibed with what they saw throughout the year. Bugcrowd CTO Casey Ellis said that, at the most basic level, technology itself is accelerating and vulnerabilities are inherent to software development. The more software that is produced, the more vulnerabilities will exist, Ellis explained. When it comes to the breakdown of high, medium and low-severity vulnerabilities, Ellis said lower impact issues are easier to find and are generally reported more often, with the opposite being true of high impact issues. “High impact issues tend to be more complicated, remediated more quickly once found, and — in the case of systemic high-impact vulnerability classes — are often prioritized for root-cause analysis and anti-pattern avoidance in the future, and thus can often be fewer in number,” Ellis said.

    Pravin Madhani, CEO of K2 Cyber Security, said the lower numbers of high severity vulnerabilities may be due to better coding practices by developers, explaining that many organizations have adopted a “shift left” in recent years and seek to put more of an emphasis on ensuring security is a higher priority earlier on in the development process. The overall increase in reported vulnerabilities was due in no small part to the COVID-19 pandemic, which forced almost every organization globally to adopt technology in one way or another, Madhani added. “The ongoing COVID-19 pandemic has continued to push many organizations to rush getting their applications to production, as part of their digital transformation and cloud journeys, meaning the code may have been through less QA cycles, and there may have been more use of 3rd party, legacy, and open source code, another risk factor for more vulnerabilities,” Madhani said. “So while companies may be coding better, they’re not testing as much, or as thoroughly, hence more vulnerabilities made it to production.”

    Other cybersecurity experts like Viakoo CEO Bud Broomhead said the report was alarming because of how many exploitable vulnerabilities remain “in the wild” for threat actors to take advantage of. The record number of new vulnerabilities, combined with the slow pace of patching and updating devices to remediate vulnerabilities, means that the risk is higher than ever for organizations to be breached, especially through unpatched IoT devices, Broomhead added. Vulcan Cyber CEO Yaniv Bar-Dayan said that what concerned him most was the mounting pile of security debt that cybersecurity professionals can’t seem to get ahead of. If IT security teams are leaving 2020’s vulnerabilities unaddressed, the real 2021 number is cumulative and becoming harder and harder to defend against, Bar-Dayan explained.

    “We are seeing more advanced persistent threats like the SolarWinds hack that daisy chain vulnerabilities and exploits to inflict maximum damage to digital organizations. As an industry we are still learning from and cleaning up after that one. And it is unfair to put all the blame on SolarWinds considering how the bad actors used known, old, unaddressed vulnerabilities that should have been mitigated by IT security teams well before the SolarWinds software supply chain hack was ever hatched,” Bar-Dayan said. “Cybersecurity teams need to do more than just scan for vulnerabilities. We need to work together as an industry to better measure, manage and mitigate cyber risk, or we will be crushed by this growing mountain of vulnerability debt.”

  • US Cyber Command head confirms direct actions against ransomware gangs

    General Paul M. Nakasone, head of US Cyber Command, confirmed during a recent national security event that his agency has begun taking direct action against international ransomware gangs as part of a larger effort to curtail attacks on American companies and infrastructure.

    The General explained that his agency is working hand-in-hand with the NSA, FBI, and other federal entities during a talk at the Reagan National Defense Forum, a meeting of national security officials held on Saturday. After the talk, he told The New York Times that he sees Cyber Command’s mission right now as focusing on trying to “understand the adversary and their insights better than we’ve ever understood them before.” The country’s cybersecurity defense authority began targeting ransomware threats from organized crime rings around nine months ago, well before high-profile incidents like the Colonial Pipeline shutdown began to show just how severely ransomware attacks could disrupt national and global infrastructure. While the General was cagey about the details of ongoing and previous counter operations, earlier reports have shown Cyber Command taking a hand in both punitive actions like those targeting the Russian ransomware group REvil, as well as restoration efforts like the ones undertaken by federal agencies following the Colonial Pipeline incident. The latter resulted in the “majority” of the ransom paid to the DarkSide ransomware ring being seized and recovered by the DOJ.

    These actions are part of a larger effort called for by an executive order signed by the President in May of this year. The order instituted a nationwide governmental shift to security practices like mandatory 2FA use, zero-trust policies, and the creation of a new Cybersecurity Safety Review Board. General Nakasone’s team has been combating similar threats since at least 2018, when he took command of the agency. The head of Cyber Command expounded on the importance of “speed, agility, and unity of effort” at the recent event. He noted that these three factors were key in combating threats, regardless of whether they came from nation-states, proxies, or independent criminal organizations.

    Going forward, Nakasone hopes to see a federal drive towards a “whole-of-government effort.” The General sees diplomatic outreach programs and an expanded and borderless focus on protecting critical infrastructure assets as a vital step toward protecting the country against ransomware attacks and other cyber incursions.