A new iOS zero-click exploit, MOVEit sees mass exploitation and ransomware keeps on coming
Daniel Romero / Unsplash
Welcome to Changelog for 6/4/23, published by Synack! Nathaniel Mott here from the sweltering heat of upstate New York with the week’s security news.
The payload
NSO Group isn’t the only one with zero-click exploits for iOS. Kaspersky Labs said on June 1 that an ongoing attack it’s calling Operation Triangulation saw multiple iOS devices belonging to its employees infected with “a fully-featured APT platform.” The platform “is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the [command and control] server” after the device is initially compromised.
“The oldest traces of infection that we discovered happened in 2019,” Kaspersky said. “As of the time of writing in June 2023, the attack is ongoing, and the most recent version of the devices successfully targeted is iOS 15.7. The analysis of the final payload is not finished yet.” (Apple released iOS 16 in September 2022, which means devices that are still being targeted by this campaign are running behind.) The company didn’t attribute Operation Triangulation to any specific threat actor.
But the FSB did: Russia’s lead security agency said in a press release that it had “uncovered a reconnaissance operation by American intelligence services carried out using Apple mobile devices.” This campaign is said to have infected “several thousand” devices belonging to Russians as well as diplomats from “the countries of the NATO bloc and the post-Soviet space,” Israel and China. The FSB also said this campaign shows that Apple cooperates with the NSA to enable the surveillance of iPhone owners.
That seems unlikely. Apple has repeatedly clashed with U.S. agencies, and presumably fixed the vulnerability being exploited via this campaign with the release of iOS 16 and released Lockdown Mode to provide greater protections to high-risk customers. NSO Group’s continued success with delivering its Pegasus spyware via zero-click exploits on iOS also suggests that Apple’s cooperation isn’t required to compromise its devices; sufficiently knowledgeable threat actors can accomplish that all on their own.
The week, compiled
A vulnerability in Progress Software’s managed file transfer offering, MOVEit, is being exploited to steal data from organizations running both the cloud-based and on-premise versions of the tool.
“BleepingComputer has learned that threat actors have been exploiting a zero-day in the MOVEit MFT software to perform mass downloading of data from organizations,” Lawrence Abrams reported on June 1. “It is unclear when the exploitation occurred and which threat actors are behind the attacks, but BleepingComputer has been told that numerous organizations have been breached and data stolen.”
Progress said in a security advisory that the issue is an “SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to MOVEit Transfer’s database.” The company said that customers should disable all HTTP and HTTPS traffic in their MOVEit Transfer environment until they install a patched version of the software.
Huntress, TrustedSec and other vendors shared information about how to identify attempts to exploit this vulnerability as well as how to respond to these incidents. It’s not clear when this vulnerability started to be exploited. GreyNoise told Decipher that “they have seen scanning for the MOVEit Transfer loging [sic] page as early as March 3,” which suggests exploitation attempts date back at least three months.
Approximately 2,500 vulnerable servers are exposed to the internet, according to the Shodan search engine, and the vast majority (1,843) are in the U.S. Huntress and Rapid7 both said they have seen evidence of exploitation among their customers. It would be prudent for anyone running MOVEit to update as soon as possible; exploitation attempts are likely to increase following this public disclosure.
Here are the other stories that caught my eye last week:
Wired: A tool meant to be used to update the firmware of Gigabyte motherboards wasn’t securely implemented, according to Eclypsium, which said it could potentially serve as a hard-to-remove method of delivering malware that isn’t subject to the same scrutiny as other software. (For more on these concerns, check out my piece on UEFI-based threats published in June 2022.)
Ars Technica: Barracuda patched a vulnerability in its email software that has been exploited since at least October 2022 “to install multiple pieces of malware inside large organization networks and steal data.” U.S. agencies have until June 16 to update their software because the Cybersecurity and Infrastructure Security Agency added the vulnerability, CVE-2023–2868, to its Known Exploited Vulnerabilities catalog.
ISS National Laboratory: The ISS National Laboratory announced that a satellite called Moonlighter will become “the world’s first and only hacking sandbox in space” when it reaches the International Space Station later this month. ISSNL described Moonlighter as “a mid-size 3U nanosatellite” that “will allow cyber security professionals and some of the world’s best hackers to do space-based cyber experiments that are repeatable, realistic, and secure.”
A message from Synack
Dive deep into the top software flaws of 2022 in Synack’s inaugural State of Vulnerabilities report. Researchers on the elite Synack Red Team uncovered a record 14,800 exploitable vulnerabilities across Synack targets last year, ranging from authentication failures to SQL injections. The report shares insights into the root causes of these security gaps. Learn how Synack finds the vulnerabilities that matter and check out the full report here.
Flash memory
People seem to like “Swordfish” more than I remember. Roger Ebert’s review was more positive than I would’ve expected for a 2.5-star rating, and the 2001 film has a respectable 6.5-star rating on IMDB, which puts it just above “Hackers” (6.2) and only about half a star below “Sneakers” (7.1).
Maybe that’s because most of the action in “Swordfish” is merely hacking-adjacent. (And because Halle Berry did a topless scene that Ebert said “came as a huge relief because I thought the movies, in their rush to the PG-13 rating, had forgotten about breasts.” Gross.) That includes the infamous scene of Hugh Jackman being forced to crack a password in 60 seconds while being held at gunpoint and being — let’s call it “distracted” so Google’s filters don’t shuffle this into the spam folder — at the same time.
Is this an accurate depiction of hacking? Probably not. Does it somehow manage to be better than the “NCIS” scene where two people type on a single keyboard because they need to lock down their network? Yeah. And, in fairness, it’s probably better for recruiting new cybersecurity talent than showing someone staring at Burp Suite or triaging alerts in their SIEM of choice for hours on end. Watching a dude bang on his keyboard pales in comparison to watching a bunch of explosions, right?
Local files
TechCrunch: A ransomware attack on Managed Care of North America (MCNA) Dental saw the attackers make off with “names, addresses, dates of birth, phone numbers, email addresses, Social Security numbers and driver’s licenses or other government-issued ID numbers” as well as “patients’ health insurance data, including plan information and Medicaid ID numbers, along with bill and insurance claim information.”
The Record: Pro-Ukraine hackers reportedly compromised the organization that oversees Russia’s answer to Silicon Valley, the Skolkovo Foundation, and made off with “presentations, photos, contracts, and lists of partners and counterparties of legal entities.”
BleepingComputer: Harvard Pilgrim Health Care disclosed a ransomware attack that was accompanied by the exfiltration of sensitive data — broadly aligning with information taken during the MCNA Dental breach — and said that it’s “continuing our active investigation and conducting extensive system reviews and analysis before we can resume our normal business operations.”
Off-script
It seems Reddit has decided to take a page from Twitter’s handbook. Christian Selig, the developer of a popular third-party client called Apollo, said on May 31 that Reddit’s proposed fees for accessing its API would cost him approximately $20 million per year based on the app’s current usage rates.
That news arrived shortly after Block Party announced that it had to suspend its service because of Twitter’s new API fees, which have caused other services to shut down or lock Twitter-related features behind a paywall. Now it seems Reddit wants to make similar changes to its platform.
This is a shame. Although many people are content to access social platforms like Reddit and Twitter via the official apps, many others aren’t, and will either curb their usage or leave the platform entirely if they can’t access it via a third-party client. I still have to use Twitter, but I probably won’t use Reddit after this.
In some ways this feels like the end of platform-driven social networks. Facebook is terrible, Instagram constantly tries to shoot itself in the foot, Twitter has been grounded since it was acquired by Elon Musk and now Reddit wants to force its users to settle for a worse experience by pricing out third-party clients.
Some have found comfort in Mastodon, Cohost and Bluesky. I might do the same, but for now, it seems like I’m set to go from “terminally online” to “barely online.” Maybe that’d be for the best.
That’s all for now — please send any feedback to nmott@synack.com or bsobczak@synack.com. See you next week!