Israeli spyware revealed, a doozy of a Patch Tuesday and ransomware fallout
Welcome to Changelog for 4/16/23, published by Synack! Nathaniel Mott here, back with a look at some of the biggest cybersecurity news of the week.
The payload
NSO Group finally ceded the spotlight to another Israeli spyware vendor. Microsoft and Citizen Lab published their research into Israeli company QuaDream, which is said to have targeted “journalists, political opposition figures and an NGO worker” in North America, Central Asia, Southeast Asia, Europe and the Middle East using a zero-click exploit called “ENDOFDAYS.”
Citizen Lab said this exploit “appears to make use of invisible iCloud calendar invitations sent from the spyware’s operator to victims.” The exploit is believed to have relied on a zero-day vulnerability in iOS 14.4 and 14.4.2, the firm said, and “possibly other versions” of the operating system. That exploit allowed QuaDream to drop its spyware onto targeted iPhones.
Microsoft dubbed this spyware KingsPawn and said its threat intelligence analysts “assess with medium confidence that the mobile malware we associate with DEV-0196 is part of the system publicly discussed as REIGN.” The company said KingsPawn can:
- Get device information (such as iOS version and battery status)
- Gather Wi-Fi information (such as SSID and airplane mode status)
- Collect cellular information (such as carrier, SIM card data, and phone number)
- Search for and retrieve files
- Use the device camera in the background
- Get device location
- Monitor phone calls
- Access the iOS keychain
- Generate an iCloud time-based one-time password (TOTP)
This isn’t the first we’ve heard of QuaDream. Reuters described the company as “a smaller and lower profile Israeli firm that also develops smartphone hacking tools intended for government clients” when it revealed its exploitation of the same iOS vulnerability as NSO Group in February. (Google Project Zero published technical analyses of that exploit and vulnerability, FORCEDENTRY, in December 2021 and March 2022.)
It probably won’t be the last we hear of QuaDream, either, with Microsoft saying it believes “it’s highly likely that DEV-0196 will have updated their malware, targeting newer versions” of iOS, and that “there were indications that some of the code could also be used on Android devices” as well.
The week, compiled
This month’s Patch Tuesday included fixes related to 97 vulnerabilities—including an actively exploited zero-day—in Microsoft’s product suite.
The zero-day in question is CVE-2023-28252. “The successful exploitation of the vulnerability will grant the attacker full SYSTEM privileges, the highest level of privilege on Windows systems,” CrowdStrike said. “Even though this vulnerability requires an attacker to already have access to the victim computer, SYSTEM privileges are a large enough risk that this vulnerability should be patched as soon as possible.”
KrebsOnSecurity reported that CVE-2023-28252 affects the same part of the system, the Windows Common Log File System (CLFS) driver, as a zero-day vulnerability Microsoft patched in February. (CrowdStrike said a similar flaw was patched in September 2022 as well.) Attackers have reportedly exploited this vuln to deploy the Nokoyawa ransomware; further exploitation in unpatched versions of Windows could follow.
Here are some of the other breaking stories from this week:
FedScoop: The Cybersecurity and Infrastructure Security Agency joined the FBI, NSA and a smattering of international cyber allies in issuing guidance for software manufacturers to achieve “Security-by-Design and -Default.” The publication adds to a string of recent Biden administration actions aimed at shifting the burden of securing software away from end users and toward technology companies.
Decipher: Intel, Google, Intigriti, Luta Security, HackerOne and Bugcrowd have formed the Hacking Policy Council under the Center for Cybersecurity Policy and Law to “make technology safer and more transparent by facilitating best practices for vulnerability disclosure and management, as well as empowering good faith security research, penetration testing and independent repair for security.”
The Register: Orca Security discovered that “an attacker can not only gain full access to storage accounts and potentially critical business assets, but also move laterally in the environment and even execute remote code,” because Azure has shared key authorization enabled by default. (The Microsoft Security Response Center said this is “not a security issue.”)
CyberScoop: The Department of Health and Human Services is looking to prohibit “doctors and healthcare providers from disclosing information related to reproductive health care for the purposes of investigating, prosecuting or suing an individual for a legal abortion” via an update to the Health Insurance Portability and Accountability Act.
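The Azure item above comes down to a default setting. As an added illustration (not code from the newsletter, Orca or Microsoft), here is a small audit that flags storage accounts still accepting shared key authorization and prints the remediation for each. It assumes the JSON shape of `az storage account list` output, where the `allowSharedKeyAccess` property is null unless an administrator has set it explicitly; the sample accounts are constructed.

```python
"""Audit Azure storage accounts for shared key authorization.

Added illustration, not part of the Synack Changelog or Orca's research.
Input is assumed to be the JSON produced by `az storage account list`, whose
`allowSharedKeyAccess` property is null (meaning enabled) unless an admin has
explicitly set it. The accounts below are constructed sample data.
"""
import json

# Constructed sample shaped like (trimmed) `az storage account list` output.
SAMPLE_ACCOUNT_LIST = json.dumps([
    {"name": "stprodapp01", "resourceGroup": "rg-prod",
     "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"
           "/rg-prod/providers/Microsoft.Storage/storageAccounts/stprodapp01",
     "allowSharedKeyAccess": None},          # never set: service default, enabled
    {"name": "stfuncbackend", "resourceGroup": "rg-prod",
     "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"
           "/rg-prod/providers/Microsoft.Storage/storageAccounts/stfuncbackend",
     "allowSharedKeyAccess": True},          # explicitly enabled
    {"name": "sthardened", "resourceGroup": "rg-sec",
     "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"
           "/rg-sec/providers/Microsoft.Storage/storageAccounts/sthardened",
     "allowSharedKeyAccess": False},         # key-based auth disabled
])


def shared_key_enabled(account: dict) -> bool:
    """Return True when the account still accepts account-key (shared key) auth.

    The service default is enabled, so a missing or null property counts as
    enabled; only an explicit false forces callers onto Entra ID / RBAC.
    """
    return account.get("allowSharedKeyAccess") is not False


def remediation_command(name: str, resource_group: str) -> str:
    """az CLI command that turns off shared key authorization for one account.

    Verify data-plane access with identity-based credentials first: any
    workload still authenticating with the account key (connection strings,
    Functions storage bindings) stops working once this flag is false.
    """
    return (f"az storage account update --name {name} "
            f"--resource-group {resource_group} --allow-shared-key-access false")


def audit_shared_key_access(account_list_json: str) -> list:
    """Parse `az storage account list` JSON and report exposed accounts.

    Each finding records the observed setting and the remediation command.
    """
    findings = []
    for acct in json.loads(account_list_json):
        if shared_key_enabled(acct):
            findings.append({
                "name": acct["name"],
                "resourceGroup": acct["resourceGroup"],
                "setting": acct.get("allowSharedKeyAccess"),
                "remediation": remediation_command(acct["name"],
                                                   acct["resourceGroup"]),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_shared_key_access(SAMPLE_ACCOUNT_LIST):
        print(f"{finding['resourceGroup']}/{finding['name']}: "
              f"allowSharedKeyAccess={finding['setting']!r}")
        print("  fix:", finding["remediation"])
```

Against real subscriptions, feed the script the output of `az storage account list -o json`; the null-means-enabled rule is the point of the check, since an account nobody has touched shows up as exposed rather than as unknown.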
A message from Synack
Heading to RSA next week? Swing by Fogo de Chão to join Synack’s “Journey by the Bay” experience just 98 steps away from the Moscone Center. We have a jam-packed week of programming lined up, from an exclusive whiskey and dry-aged steak tasting to an executive panel discussion on women in the boardroom. Check out the full roster of events and parties here.
Flash memory
There was a time when AOL was more than just a consortium of media brands passed between Time Warner, Verizon and Yahoo. Instead, the company was known for bringing people online in the most ’90s way possible: by shipping them CDs with a free trial for its dial-up service. (And then offering the best chat app via AOL Instant Messenger, of course.)
This provided the backdrop for “AOHell.” The Boston Globe reported in 1995 that this “illegal computer program” had “a number of devilish features seemingly designed to turn on-line lives into living nightmares,” according to an archive provided by the AOL Underground Podcast.
AOHell’s features included the ability to “abruptly log off legitimate subscribers,” fill someone’s email inbox with spam and “send a graphically obscene gesture to customers in AOL’s chat forums” in addition to generating fake credit card numbers or phishing random AOL users. Using the app was, of course, grounds for AOL to deactivate a customer’s account.
The Boston Globe reported that “Da Chronic” said he created AOHell “because: ‘I hate the staff on AOL for one, I hate most of the people on AOL for another, and I wanted to cause a lot of chaos.’” Ah, the ’90s.
Local files
FBI: The FBI said in a public service announcement that criminals are exploiting “widely publicized efforts by the People’s Republic of China government to harass and facilitate repatriation of individuals living in the United States” to defraud “the US-based Chinese community” via phone calls from spoofed numbers as well as “online applications.”
BleepingComputer: Yum! Brands—which owns KFC, Taco Bell and Pizza Hut—has reportedly started to notify people that attackers “stole some individuals’ personal information, including names, driver’s license numbers and other ID card numbers” during a Jan. 13 ransomware attack.
The Record: Suffolk County officials said Wednesday that a September 2022 ransomware attack that “forced government workers to rely on fax machines and paper records,” as The Record put it, started in December 2021 with the exploitation of the Log4Shell vulnerabilities in Log4j.
Off-script
My son went to the movie theater for the first time this week. He’s been playing a lot of Mario games on the Nintendo Switch, ranging from the original “Super Mario Bros.” to “Super Mario Odyssey,” so we figured he’d get a kick out of seeing “The Super Mario Bros. Movie” on the big screen.
It went surprisingly well! I was anxious for a variety of reasons—we haven’t been to a theater since the start of the pandemic, he’d already played hard at daycare and none of us have been sleeping particularly well—but it was nice to be able to kick back and watch a movie outside the house again.
Do I think we’ll make it a habit of going to the theater? No. We’re still fairly cautious (we picked a time we expected the theater to be less busy, masked whenever it made sense to do so, etc.) and I wouldn’t be comfortable making regular trips to the movies. But sometimes it’s okay for reward to beat out risk, I think, and this felt like a step towards relearning that.
So. Yeah. Mario time!
That’s all for now — please send any feedback and RSA-related pitches to nmott@synack.com or bsobczak@synack.com. We’ll be back next Sunday on the eve of RSA!