Ankura CTIX FLASH Update - April 21, 2023

Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Malware Activity

New Details Emerge regarding Three Zero-Click Exploits Used by the NSO Group to Target iPhone Users in 2022

Newly released research details new Pegasus spyware activity that occurred in 2022, specifically three (3) zero-click exploits that targeted iOS 15 and iOS 16. Researchers explained that the spyware was used against at least three (3) civil society targets around the globe in 2022, two (2) of them members of an organization representing victims of military abuses in Mexico. It has been reported that Mexico's military is "the longest-standing client of Pegasus, and has used the spyware to target more cell phones than any other government agency in the world." The third victim of the latest Pegasus attacks has yet to be revealed by researchers. The first zero-click exploit identified is called "PWNYOURHOME," which was deployed against iOS 15 and iOS 16 around October of 2022. This exploit has two (2) parts: the first stage targets the "HomeKit" feature and the second targets iMessage. The second zero-click exploit identified is "FINDMYPWN," which was deployed against iOS 15 around June of 2022. This exploit likewise has two stages, targeting the "Find My" feature and then iMessage. Upon reviewing the first two exploits, researchers were able to identify "LATENTIMAGE," the earliest of the NSO Group's 2022 zero-click exploits, which was observed on a single target's mobile device. LATENTIMAGE targets the "Find My" feature with a different method than FINDMYPWN. Researchers emphasized that the NSO Group is actively improving and advancing its spyware to evade detection. The researchers have also not seen any successful attacks involving PWNYOURHOME on devices with iOS's Lockdown Mode enabled; Lockdown Mode is one way to help mitigate zero-click attacks, as it warns the user in real time of exploitation attempts. Additional technical details can be viewed in the report linked below.

Threat Actor Activity

Threat Profile: Genesis Day

Threat actors from an up-and-coming threat organization in China targeted several South Korean academic institutions and research facilities in the early weeks of 2023. This group is tracked as Genesis Day, Teng Snake, or Xiaoqiying, and is primarily motivated by patriotism toward the Chinese state, making entities seen as opposing China likely targets of its attacks. Operationally, Genesis Day actors were observed communicating on two (2) Telegram channels that went dark after news of their South Korean attacks hit the media. Based on harvested logs from the channels, Genesis Day actors have claimed responsibility for a number of attacks on companies in the United States, Japan, South Korea, and Taiwan. In their most recent campaign, Genesis Day actors targeted education and research institutions' websites with multiple web-defacement attacks around the time of the Lunar New Year. Twelve (12) websites in total were affected by these attacks, all of which were believed to have some sort of connection to the United States, Singapore, and Taiwan. In addition, Genesis Day also threatened to target over 2,000 international government entities, specifically mentioning the South Korean Ministry of Tourism, Culture, and Sports. CTIX analysts continue to monitor threat actor activity worldwide and will provide additional updates accordingly.

Vulnerabilities

Google Patches Zero-day Vulnerability Allowing for Google Account Takeover

Researchers have published a report detailing the exploitation of a now-patched critical Google Cloud Platform (GCP) zero-day vulnerability which, if exploited, could allow threat actors to install maliciously crafted hidden applications within victims' Google and/or Workspace accounts. The flaw has been coined GhostToken, and stems from an attacker's ability to convert an already authorized OAuth application into a malicious trojan that cannot be seen or removed from a victim's Google account application management page. This is achieved by deleting the GCP project behind the OAuth application, which places it in a hidden "pending deletion" state; the threat actor can then modify and unhide the application at will, retaining access to the victim's Google Account through the still-authorized "ghost" OAuth access token. This poses a major threat to companies implementing Google Workspace, as exploitation could allow threat actors to conduct a wide range of malicious activity, such as viewing, exfiltrating, or deleting sensitive company information, as well as sending phishing emails from the victims' compromised accounts. This vulnerability also poses a risk to Google Account users in general, as exploitation also allows threat actors to track victim location data and delete data from their Google Calendar, Photos, and Drive. With the update to GCP, all applications pending deletion are now shown on the user application management page. CTIX analysts recommend that all Google Account and Workspace users ensure that their software is running the most recent security patch.
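The following is an added illustration, not code from the report or from Google: a toy authorization server that models the GhostToken logic flaw. The "authorized apps" page is built from project visibility while token exchange is checked against the grant, so a grant whose project is pending deletion stays usable but invisible. All names (victim address, project id, class and function names) are constructed for the example; `show_pending=True` models the patched behaviour described above.

```python
from dataclasses import dataclass, field
import secrets

ACTIVE, PENDING_DELETION = "ACTIVE", "PENDING_DELETION"

@dataclass
class Grant:
    """A user's consent to an OAuth app; the refresh token outlives the project's UI state."""
    user: str
    project_id: str
    refresh_token: str = field(default_factory=lambda: secrets.token_hex(8))
    revoked: bool = False

class AuthServer:
    """Toy model (constructed). show_pending=False is the pre-patch behaviour:
    the account's app-management page hides grants whose project is pending
    deletion, even though the grant itself remains valid."""
    def __init__(self, show_pending: bool):
        self.show_pending = show_pending
        self.projects: dict[str, str] = {}   # project_id -> lifecycle state
        self.grants: list[Grant] = []

    def authorize(self, user: str, project_id: str) -> str:
        self.projects.setdefault(project_id, ACTIVE)
        grant = Grant(user, project_id)
        self.grants.append(grant)
        return grant.refresh_token

    def delete_project(self, pid: str) -> None: self.projects[pid] = PENDING_DELETION
    def restore_project(self, pid: str) -> None: self.projects[pid] = ACTIVE

    def authorized_apps(self, user: str) -> list[str]:
        """What the victim sees on the app-management page (the only revocation path)."""
        return [g.project_id for g in self.grants if g.user == user and not g.revoked
                and (self.show_pending or self.projects[g.project_id] == ACTIVE)]

    def revoke(self, user: str, pid: str) -> None:
        for g in self.grants:
            if g.user == user and g.project_id == pid:
                g.revoked = True

    def exchange(self, refresh_token: str) -> bool:
        """Refresh-token exchange: only the grant and the project's current state are checked."""
        return any(g.refresh_token == refresh_token and not g.revoked
                   and self.projects[g.project_id] == ACTIVE for g in self.grants)

def ghost_token_scenario(show_pending: bool) -> dict:
    srv = AuthServer(show_pending)
    victim, app = "victim@example.com", "attacker-oauth-app"   # constructed sample values
    token = srv.authorize(victim, app)        # victim once consented to the app
    srv.delete_project(app)                   # attacker parks the project in pending deletion
    seen = srv.authorized_apps(victim)        # victim audits their apps...
    for pid in seen:
        srv.revoke(victim, pid)               # ...and revokes everything they can see
    srv.restore_project(app)                  # attacker unhides the project to use the token
    return {"victim_saw_app": app in seen, "token_usable_after_review": srv.exchange(token)}
```

The invariant the patch restores is that every grant capable of yielding a token must be visible and revocable to the account owner, regardless of the project's lifecycle state.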

Honorable Mention

Microsoft Comes Out with New Threat Actor Naming Taxonomy

Microsoft recently announced a new naming taxonomy for identifying threat actors by associating them with weather events. This is a change from their previous approach, which named threat actors after chemical elements. As threats continue to evolve in complexity and increase in volume, Microsoft sees this as a way for threat researchers to "instantly have an idea of the type of threat actor they are up against, just by reading the name." In Microsoft's new taxonomy, nation-state actors are assigned particular weather conditions. For example, Russia is aligned with Blizzard, China with Typhoon, Iran with Sandstorm, and North Korea with Sleet. Microsoft has assigned four (4) additional weather event "families" to non-state actors based on motivation, using Tempest for financially motivated actors, Tsunami for private sector offensive actors, Flood for influence operations, and Storm for groups in development about which not enough is yet known to place them in another category. For threat actors in the same weather family, an adjective is added to differentiate them based on differing tactics, techniques, and procedures (TTPs), infrastructure, objectives, and other distinguishing factors. Microsoft's new naming taxonomy is aimed at simplifying the multitude of naming conventions already used among the security giants. Especially given the amount of threat intelligence data that researchers already confront, this new naming convention is seen as a simpler method of tracking and classifying threat groups in a way that is efficient and easy to understand.
