At a glance.
- Zero-click iOS exploit used by Pegasus spyware.
- Malicious version of Cobalt Strike for Linux.
- A look inside the ransomware industry.
- OT vulnerabilities are increasing.
Zero-click iOS exploit used by Pegasus spyware.
Researchers at the University of Toronto’s Citizen Lab discovered a zero-day, zero-click exploit against iOS used by NSO Group’s Pegasus spyware. The exploit, called “FORCEDENTRY”, uses a vulnerability (CVE-2021-30860) in Apple’s image rendering library. The researchers reported the bug to Apple, and the company released a patch yesterday. Apple’s description of the vulnerability states: “An integer overflow was fixed through improved input validation. This issue was fixed in security update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2,” and notes that the flaw may lead to arbitrary code execution. Because the exploit needs no interaction from the target, there is nothing for a user to avoid clicking; applying the update is the mitigation.
Citizen Lab explains, “In March 2021, we examined the phone of a Saudi activist who chose to remain anonymous and found it had been hacked with NSO Group’s Pegasus spyware. A recent re-analysis of the backup revealed several files with a ‘.gif’ extension in Library/SMS/Attachments that we detected were sent to the phone just prior to being hacked with NSO Group’s Pegasus spyware.”
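The detail that the lure arrived as files with a “.gif” extension under Library/SMS/Attachments suggests a simple triage step for an extracted iOS backup: list attachments whose name says .gif but whose first bytes are not a GIF header, and order them by time so anything delivered just before a suspected compromise stands out. The script below is an added example, not Citizen Lab’s tooling. It assumes the backup has already been restored to its original path layout (Library/SMS/Attachments/...); the magic-byte table, the time window and the constructed sample tree it builds so it runs offline are my choices, not anything taken from the report.

```python
"""Triage helper: flag .gif-named SMS/iMessage attachments that are not GIFs.

Added example, not Citizen Lab code. Assumes the iOS backup has been
extracted to its normal path layout (<root>/Library/SMS/Attachments/...).
"""
import os
import tempfile

# Signatures for the formats a mislabelled ".gif" is most likely to really be.
# This table is an assumption of the example, not a list from the report.
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"8BPS": "psd",
}

# Constructed timestamp (epoch seconds, March 2021) used by the sample tree.
BASE_T = 1_615_000_000


def sniff(header: bytes) -> str:
    """Return the real format of a file from its leading bytes."""
    for magic, name in MAGIC.items():
        if header.startswith(magic):
            return name
    return "unknown"


def find_suspicious_attachments(root, window_start=None, window_end=None):
    """Walk <root>/Library/SMS/Attachments and return, oldest first, every
    file named *.gif whose content is not a GIF. The optional window (epoch
    seconds, inclusive) narrows results to the period of interest, e.g. the
    hours before the first sign of compromise."""
    attach_dir = os.path.join(root, "Library", "SMS", "Attachments")
    findings = []
    for dirpath, _dirs, files in os.walk(attach_dir):
        for name in files:
            if not name.lower().endswith(".gif"):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if window_start is not None and st.st_mtime < window_start:
                continue
            if window_end is not None and st.st_mtime > window_end:
                continue
            with open(path, "rb") as f:
                header = f.read(16)
            kind = sniff(header)
            if kind != "gif":
                findings.append({
                    "path": os.path.relpath(path, root),
                    "actual": kind,
                    "size": st.st_size,
                    "mtime": st.st_mtime,
                })
    findings.sort(key=lambda r: r["mtime"])
    return findings


def build_sample_tree():
    """Create a constructed backup fragment in a temp dir and return its root.
    Two of the four attachments are ".gif" files that are really PDF/PSD."""
    root = tempfile.mkdtemp(prefix="ios_backup_")
    base = os.path.join(root, "Library", "SMS", "Attachments")
    samples = [
        ("ab/01/genuine.gif", b"GIF89a\x01\x00\x01\x00" + b"\x00" * 20, BASE_T),
        ("cd/02/lure1.gif", b"%PDF-1.7\n%constructed sample\n", BASE_T + 100),
        ("ef/03/lure2.gif", b"8BPS\x00\x01" + b"\x00" * 20, BASE_T + 200),
        ("01/04/photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 20, BASE_T + 300),
    ]
    for rel, content, mtime in samples:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    for hit in find_suspicious_attachments(build_sample_tree()):
        print(f"{hit['path']}: claims .gif, actually {hit['actual']}, "
              f"{hit['size']} bytes, mtime {hit['mtime']}")
```

Two caveats worth keeping in mind: the extension/content mismatch is a heuristic for this particular lure, not a Pegasus detector, and a correctly formed image that exploits the image library would pass it untouched; and for a raw iTunes/Finder backup the files are stored under hashed names with the original path recorded in Manifest.db, so the backup must be reconstructed to its path layout before this walk is meaningful.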
Malicious version of Cobalt Strike for Linux.
Intezer has discovered a malicious “re-implementation of the Cobalt Strike Beacon from the ground up” for both Linux and Windows. It’s not clear who is behind the tool, but the researchers note that the malware is sophisticated and used for espionage:
“Based on telemetry in collaboration with our partners at McAfee Enterprise ATR, this Linux threat has been in the wild since August, targeting telecommunications companies, government agencies, IT companies, financial institutions, and consulting firms around the world, suggesting this malware is used for specific attacks rather than mass distribution.
“After further analysis, we found Windows samples that use the same C2. The samples are new implementations of the Cobalt Strike Beacon. The Windows and ELF samples have the same functionality.
“The sophistication of this threat, its intent to conduct espionage, and the fact that the code has never been seen in any other attack, along with the fact that it targets certain entities in the wild, make us believe that this threat was developed by an experienced threat actor.”
A look inside the ransomware industry.
KELA researchers published a report describing what ransomware operators are looking for in a potential victim:
- “In July 2021, KELA found 48 active threads in which actors claimed they wanted to buy different types of access, 46% of which were created that month, illustrating the demand for access listings.
- “40% of the actors who wanted to buy access were identified as active participants in the Ransomware-as-a-Service (RaaS) supply chain – operators or affiliates or intermediaries.
- “Ransomware attackers appear to be creating ‘industry standards’ that define an ideal victim based on revenue and geography and exclude certain sectors and countries from the target list. On average, those active in July 2021 wanted access to US companies with revenue greater than $100 million; nearly half of them refused access to healthcare and education companies.
- “Ransomware attackers are willing to buy all types of network access, with RDP and VPN being the most basic requirement. The most frequently mentioned products (that enable network access) were Citrix, Palo Alto Networks, VMware, Fortinet and Cisco.
- “Ransomware attackers are willing to pay up to $100,000 for access, with most actors setting the limit at about half that price – $56,250.”
OT vulnerabilities are increasing.
Skybox Security has released its Mid-Year Vulnerability and Threat Trends Report, which found that “new vulnerabilities in operational technology (OT) devices increased by 46% in the first half of 2021”. The report also found that ransomware attacks increased 20% compared to the first half of 2020 and that cryptojacking attacks more than doubled.