Below: The United States and U.K. take actions against Russia-linked cyber syndicates, and an international court makes a key decision on cybercrime prosecution. First:
Apple rolled out rare emergency patches Thursday to fix iPhone, Mac and Apple Watch security flaws, some of which were apparently being used to install Pegasus, the notorious spyware sold to national governments by NSO Group.
An exploit that took advantage of the flaw was found on a phone belonging to an employee of a civil society group based in Washington with offices overseas just a week ago, according to the Citizen Lab researchers who discovered it.
The University of Toronto’s Citizen Lab has caught a large number of Pegasus infections and methods in the past two years, forcing NSO to spend more on new techniques, and it has worked with Apple closer than in the past.
In this case, “they seem to have dropped everything and pushed out a rapid patch,” Citizen Lab’s John Scott-Railton told Joseph. “In general, Apple has radically increased the tempo of their patching and threat hunting.”
Citizen Lab said the vulnerability it found on the phone was a zero-click vulnerability, meaning that an intended target wouldn’t have to click on an email attachment or URL to fall victim to it.
“We refer to the exploit chain as BLASTPASS,” according to a brief Citizen Lab alert. “The exploit chain was capable of compromising iPhones running the latest version of IOS (16.6) without any interaction from the victim (emphasis theirs).”
Citizen Lab’s Bill Marczak called the exploit “virtually invisible.”
Here’s what Apple said:
- One of the two vulnerabilities is related to ImageIO, an Apple framework that allows apps to read and write most image file formats. “Processing a maliciously crafted image may lead to arbitrary code execution,” Apple said.
- The second is related to the Apple Wallet app. “A maliciously crafted attachment may result in arbitrary code execution,” Apple said. The vulnerability was discovered by Apple and yesterday’s announcement was a rare instance of the company publicly taking credit for finding a zero-day vulnerability, according to Maddie Stone, a security researcher at Google’s Threat Analysis Group.
- In both cases, the company said, “Apple is aware of a report that this issue may have been actively exploited.”
Citizen Lab, as well as a number of cyber professionals, were quick to urge Apple device users to update their equipment.
Here’s Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation:
And here’s Rachel Tobac, CEO for SocialProof Safety:
🚨UPDATE APPLE DEVICES ASAP – PHONES, IPADS, COMPUTERS, WATCHES🚨@citizenlab found an Apple exploit used in the wild that can compromise to watch/see/hear/spy thru Apple devices.
Exploit doesn’t require you to click, attacker just sends it via iMessage.https://t.co/ggiDBtOCDg
— Rachel Tobac (@RachelTobac) September 7, 2023
In other good news for potential targets, Apple’s optional Lockdown Mode would have stopped the attack. Introduced late last year, Lockdown cuts off some attack strategies by reducing the functionality of iPhones, for example by not rendering images in some messages.
“Lockdown Mode is the one weird trick that NSO Group hates,” Marczak told Joseph. “If you’re at risk, turn it on and don’t look back.”
In a statement, NSO said it is “unable to respond to any allegations that do not include any supporting research.”
Even amid growing pressure from the U.S. government and many of its allies, researchers keep turning up NSO Group-related vulnerabilities and infections. Recent prominent infections have hit members of the president of Mexico’s team and, for the first time, a war zone.
In March, President Biden signed an executive order on spyware that was greeted mostly with acclaim. As I wrote at the time:
- It prohibits U.S. agencies from “operationally” using commercial spyware when they find that it poses a national security or counterintelligence risk to the United States. It also bars U.S. government use of spyware when there’s a major risk that foreign governments use such tools to violate human rights or target Americans. (“Operational use” under the order means accessing a computer remotely without permission for purposes such as tracking locations or stealing information.)
That same month, the White House secured a joint statement from a number of allied nations committing to countering the proliferation of spyware.
Later, in July, the Biden administration added additional spyware firms to a list that restricts U.S. companies from doing business with them. NSO Group has been on the list since November of 2021.
NSO Group appears to have endured financial turmoil ever since.
U.S., U.K. take action against Russians linked to Trickbot, Conti cybercrime groups
U.S. and U.K. authorities sanctioned a group of 11 Russian nationals allegedly tied to operating the Trickbot cybercrime syndicate, the Treasury Department announced Thursday. Seven of those individuals were also named in indictments unsealed by the Justice Department, which alleged that nine people in all were connected to both Trickbot and the Conti ransomware group.
The 11 sanctioned include “key actors involved in management and procurement for the Trickbot group, which has ties to Russian intelligence services and has targeted the U.S. Government and U.S. companies, including hospitals,” Treasury said. Trickbot during the covid-19 pandemic targeted several U.S. critical infrastructure and health care providers, it added.
- First discovered in 2016, the malware has been able to penetrate thousands of victim computers around the world and has allowed the group “to conduct a variety of malicious cyber activities, including ransomware,” the Treasury Department said. Researchers have previously identified the group as being active in cyberattacks against Ukraine.
- The United States and the U.K. coordinated on a related move in February that sanctioned seven other people allegedly tied to Trickbot, Conti and ransomware group Ryuk.
The Justice Department indictments and Treasury sanctions include Maksim Galochkin, an individual connected to a May 2021 ransomware attack on Scripps Healthcare, as noted by CyberScoop’s AJ Vicens. WIRED ran an Aug. 30 story connecting Galochkin as an apparent day-to-day operations manager for the syndicate, the CyberScoop report adds.
- “Today’s announcement shows our ongoing commitment to bringing the most heinous cybercriminals to justice — those who have devoted themselves to inflicting harm on the American public, our hospitals, schools, and businesses,” FBI Director Christopher A. Wray said of both the indictments and sanctions.
International Criminal Court will now investigate cyberattacks as war crimes
The International Criminal Court in The Hague will now begin prosecuting cyberattacks and hacks as potential war crimes or violations of international law, WIRED’s Andy Greenberg reports, citing confirmation from the ICC.
- ICC lead prosecutor Karim Khan wrote in what WIRED described as a “little-noticed article” published last month that his office will now investigate cybercrimes through the same lens of war crime allegations in the physical world.
- “Cyberwarfare does not play out in the abstract. Rather, it can have a profound impact on people’s lives,” Khan wrote. “Attempts to impact critical infrastructure such as medical facilities or control systems for power generation may result in immediate consequences for many, particularly the most vulnerable. Consequently, as part of its investigations, my Office will collect and review evidence of such conduct.”
The remarks from Khan do not explicitly mention Russia or Ukraine, but hacking exchanges between the two nations since Russia’s invasion last year have become a prime focus for researchers, journalists and policymakers. Some experts argue that cyberattacks could qualify as war crimes under the 1998 Rome Statute, which established the court, as your newsletter host reported in January.
- Representatives from the Human Rights Center at the University of California at Berkeley’s School of Law last spring urged ICC to consider war crime prosecutions related to Russian cyberattacks against Ukraine.
- Khan has separately said ICC is already investigating Russia for broader war crimes.
As your newsletter host previously reported, prosecuting cyberattacks as a war crime can get complicated. “To be a war crime, it has to be totally directed at civilians, without any realistic possibility of military advantage,” former DHS official Paul Rosenzweig, the founder of Red Branch Consulting PLLC, told Tim at the time. To bolster its case, Ukraine could make a strong claim about cyberattacks on critical infrastructure away from its front lines, Rosenzweig added.
North Korea-linked hackers targeting security researchers with new vulnerability
North Korean state hackers are targeting security researchers through a vulnerability in undisclosed but popular software, Bleeping Computer’s Sergiu Gatlan reports, citing research from Google’s Threat Analysis Group (TAG).
“Google has yet to disclose details on the zero-day flaw exploited in these attacks and the name of the vulnerable software, likely because the vendor is still in the process of patching the vulnerability,” Gatlan writes.
- The hackers have been using Twitter and Mastodon to lure victims into switching to various encrypted messaging platforms like Signal or WhatsApp, according to the report. “After establishing a relationship and moving to secure communication channels, the attackers send them malicious files designed to exploit the zero-day,” the Bleeping Computer report says.
- The vulnerability has been reported and is being patched by the software vendor, TAG said. North Korean hackers have targeted cybersecurity researchers for years, according to Google.
North Korea reportedly has a global shadow workforce of cyberthieves that position themselves into information technology jobs and pilfer money for the regime’s goals. North Korean hackers have targeted the cryptocurrency industry and have stolen more than $3 billion since 2017. U.S. officials have previously said the money has been used to fund around half of Pyongyang’s ballistic missile program.
CISA creates voluntary ed tech pledge to boost K-12 cybersecurity (Cybersecurity Dive)
US House panel chair: wider Chinese iPhone ban aims to quash Apple’s market access (Reuters)
Senate confirms Biden’s FCC nominee, breaking years-long deadlock (Cristiano Lima)
Peter Navarro convicted of contempt for defying Jan. 6 committee subpoena (Paul Duggan)
Surge in hospital hacks endangers patients, cyber official says (Wall Street Journal)
Musk cut internet to Ukraine’s military as it was attacking Russian fleet (Christian Davenport and Joseph Menn)
Polish Senate investigation recommends potential criminal charges for politicians implicated in Pegasus scandal (The Record)
China’s widening iPhone curbs roil US technology sector (Reuters)
Multiple nation-state hackers infiltrate single aviation organization (CyberScoop)
G7 countries commit to AI code of conduct (Politico)
Traderie, a marketplace for in-game items, alerts users to data breach (TechCrunch)
Russian man with Kremlin ties gets 9 years in US prison for hacking and insider trading scheme (Associated Press)
Hackers claim to publish prominent Israeli hospital’s patient data (The Record)
- Anne Neuberger, Eric Goldstein, Avril Haines and other cyber officials speak at the Billington Cybersecurity Summit in D.C. today.
Thanks for reading. See you next week.