Spyware in the spotlight, UEFI threats and GPS jamming

The House Intelligence Committee held a rare open hearing on commercial spyware last week. The U.S. Capitol is pictured. Kevin Farner/Flickr

Welcome to Changelog for 7/31/22, published by Synack! Open source coder John Wiseman rolled out a fascinating map of global GPS interference last week. It shows where aircraft pilots have reported encountering degraded navigation accuracy. GPS jamming is most commonly associated with conflict zones and military activity. But if a cyberattack ever targeted vulnerable GPS networks, you could expect to see its effects in Wiseman’s map, which is updated daily. Here’s what else happened last week:


The payload

Ransomware threats are quieting down. Record-breaking DDoS attacks don’t have the sting they once did. But the threat posed by commercial spyware has seemingly never been worse.

Microsoft named and shamed a spyware vendor last week, calling out Austrian company DSIRF for allegedly deploying the “Subzero” malware against targets in Europe and Central America.

Meanwhile, Reuters reported that the E.U. found digital breadcrumbs pointing to a breach of Justice Commissioner Didier Reynders’ iPhone, enabled by Israel-based NSO Group’s powerful Pegasus tool.

And that’s not to mention surveillance vendor Cytrox, whose Predator spyware was found targeting prominent Greek politician Nikos Androulakis, according to a complaint filed last week.

“We are at the rate of a mercenary spyware scandal every few days,” lamented John Scott-Railton, senior researcher with the University of Toronto’s Citizen Lab. “It. Won’t. Stop.”

Congress has taken note, with the House Intelligence Committee holding a hearing last Wednesday on commercial cyber surveillance that featured Scott-Railton.

Another witness at the hearing, Carine Kanimba, testified to her harrowing experience of being targeted by the Pegasus spyware. Months after the Rwandan government kidnapped her father, Paul Rusesabagina, illegally rendered him to the Rwandan capital and subjected him to a sham trial, Kanimba found out that her mobile device had been infected with surveillance malware.

“Unless there are consequences for the countries and their enablers which abuse this technology to hurt innocent people, none of us are safe,” she warned.

The week, compiled

If it walks like a ransom payment and talks like a ransom payment, it’s a… “bug bounty”?

Faced with multimillion-dollar heists, some cryptocurrency companies are trying to convince their attackers to keep part of the haul and return the rest, granting a veneer of legitimacy to the theft. (“Thank you for demonstrating such glaring vulnerabilities in our networks. As a token of our appreciation, keep some of what you stole.”) The crypto firms are likening these desperate offers to bug bounty programs, as the Wall Street Journal reported last week.

Never mind that other crypto companies have legitimate bug bounty programs to find and fix vulnerabilities before criminals exploit them. Make no mistake: These offers to hackers, if accepted, are ransom payments. And while they may be logical from a business sense to help claw back losses, they do a disservice to the wider crypto industry.

In other news:

fdecomite/Flickr

Ars Technica: Researchers at Kaspersky Lab uncovered a particularly nasty UEFI rootkit that appears to have been used in the wild since 2016. The “CosmicStrand” hacking tool is capable of infecting computers before their operating systems fully boot up. (For more on UEFI threats, check out Nate Mott’s article for README last month.)

Axios: The White House has tapped Camille Stewart Gloster of #ShareTheMicInCyber fame to be deputy national cyber director for technology and ecosystem security, where she’ll play an active role in helping to diversify and expand the federal government’s cyber workforce. Stewart Gloster was most recently Google’s global head of product security strategy.

CNN: For years, federal officials have fretted that strategically placed Huawei telecom equipment in rural U.S. cell towers could be used to disrupt highly sensitive Defense Department communications. (Huawei is headquartered in China.) Asterisk: “It’s unclear if the intelligence community determined whether any data was actually intercepted and sent back to Beijing from these towers,” as Katie Bo Lillis reported.

A message from Synack

In today’s threat landscape, everyone agrees “it’s a jungle out there.” At Black Hat, Synack will share our cybersecurity expertise to help attendees survive this jungle. Visit us in booth #2328, where we’ll serve jungle juice in the tiki bar and host other events in our penthouse suite. You’ll gain a deeper perspective on adversary tradecraft from our live cyber talks in the Synack Cave, featuring experts from our elite Synack Red Team. Learn more here.

Flash memory

Last July, Microsoft warned of a new cyberthreat it called Sourgum. The tech giant caught the “private sector offensive actor” deploying zero-day exploits in targeted attacks against more than 100 victims globally, including journalists and political dissidents.

Philip Brookes/Flickr

Crediting research and malware samples provided by Citizen Lab, Microsoft traced Sourgum activity to an Israel-based company. (Citizen Lab identified it as Candiru.) Microsoft fixed the zero-days and called attention to the threat, marking its first-ever public response to a PSOA.

As last week’s action against DSIRF — AKA “Knotweed” — showed, Microsoft isn’t done disrupting spyware vendors. With the continued proliferation of powerful surveillance tools, the company has its work cut out for it.

Local files

CISA: Ukrainian cyber authorities at the State Service of Special Communications and Information Protection of Ukraine signed a “memorandum of cooperation” with their U.S. counterparts, building on previous intelligence sharing and training efforts. “I applaud Ukraine’s heroic efforts to defend its nation against unprecedented Russian cyber aggression and have been incredibly moved by the resiliency and bravery of the Ukrainian people throughout this unprovoked war,” CISA director Jen Easterly said in a statement announcing the MOC.

KTVB [Boise, Idaho]: Boise State University’s Institute for Pervasive Cybersecurity (love the name) has launched a program to pair students in its cybersecurity program with rural businesses in need of a boost to their digital defenses. It’s aimed at helping make up for a shortage of roughly 5,000 cybersecurity professionals in the Gem State.

Off-script

An outdoor diner in China’s Sichuan province recently spotted a dinosaur footprint in the restaurant’s grounds, as the Washington Post reported last week. Apparently such spontaneous fossil discoveries aren’t so uncommon.

Next time I’m grabbing a patio meal in downtown D.C., I’ll remember to look down — though if I also found the tracks of two brontosauruses, I’d figure a Smithsonian staffer had somehow lost track of an exhibit.

Sauropod dinosaur footprints are pictured in Utah. James St. John/Flickr

That’s all for now — please send tips and feedback to bsobczak@synack.com. See you next Sunday!