Controversy Erupts Over U.S. Defense Contractor's Talks to Buy NSO Group's Spyware
Hertzbleed side-channel attack threatens cryptographic software security, Microsoft issues fix for Follina and other flaws, Microsoft accused of taking too long to fix Azure flaws, much more
Metacurity is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.
In an unexpected and controversial development, a prominent American defense contractor, L3Harris, is in talks to buy sanctioned and notorious Israeli company NSO Group’s spyware tools, according to people familiar with the negotiations. The Biden administration is warning that a potential deal to buy the Israeli firm’s spyware would raise “serious” counterintelligence and security concerns for the U.S. government.
In November, the Commerce Department placed NSO Group on its export blacklist, known as the Entity List, after determining that its spyware had been used by oppressive foreign governments to “maliciously target” government officials, activists, journalists, academics, and embassy workers around the world.
“The U.S. Government opposes efforts by foreign companies to circumvent U.S. export control measures or sanctions,” a senior White House official said. L3Harris declined to comment on the existence of any talks with NSO Group. “We are aware of the capability, and we are constantly evaluating our customers’ national security needs,” an L3Harris spokesperson said. “At this point, anything beyond that is speculation.” (Ellen Nakashima and Craig Timberg / Washington Post)
John Scott-Railton @jsrailton: BREAKING: US defense contractor @L3HarrisTech plans to acquire sanctioned spyware maker NSO Group. Bad for 🇺🇸NatSec & CI. Atrocious for human rights. If admin lets it happen would be own-goal against @POTUS' democracy agenda. 1/ By @intel_online https://t.co/zXIMnOaCjT https://t.co/F7C37kejCJ
profdeibert @RonDeibert: Reports have surfaced that US defense contractor L3 Harris is interested in purchasing NSO Group. I agree with @accessnow and others who have raised concerns: this would be a terrible outcome for both human rights and national security 👇https://t.co/n9ShBcW0ep
A team of researchers at the University of Texas at Austin, University of Illinois Urbana-Champaign, and the University of Washington discovered that microprocessors from Intel, AMD, and other companies contain a weakness dubbed Hertzbleed that remote attackers can exploit in a side-channel attack to obtain cryptographic keys and other secret data traveling through the hardware.
The attack uses insights into DVFS, or dynamic voltage and frequency scaling, which is a power and thermal management feature added to every modern CPU, to expose or bleed out data intended to remain private. The researchers said they successfully reproduced their attack on Intel CPUs from the 8th to the 11th generation of the Core microarchitecture.
They also claimed that the technique would work on Intel Xeon CPUs, and they verified that AMD Ryzen processors are vulnerable to the same SIKE key-recovery attack they demonstrated against Intel chips. The researchers believe chips from other manufacturers may also be affected. “Hertzbleed is a real, and practical, threat to the security of cryptographic software,” the researchers conclude. Intel, however, said that “While this issue is interesting from a research perspective, we do not believe this attack to be practical outside of a lab environment.” (Dan Goodin / Ars Technica)
Microsoft officially released fixes to address an actively exploited Windows zero-day vulnerability known as Follina as part of its Patch Tuesday updates, which also addressed 55 other flaws, three of them critical.
Aside from the Follina fix, the cumulative security update also resolves several remote code execution flaws in Windows Network File System (CVE-2022-30136), Windows Hyper-V (CVE-2022-30163), Windows Lightweight Directory Access Protocol, Microsoft Office, HEVC Video Extensions, and Azure RTOS GUIX Studio. (Ravie Lakshmanan / The Hacker News)
Related: Bleeping Computer, Tech Advisor - Security, Tenable Blog, gHacks, Zero Day Initiative - Blog, CISA, Security Week, ZDNet Security, Rapid7, Heimdal Security Blog, Sophos News, Help Net Security, US-CERT Current Activity, The Register - Security, SC Magazine, Australian Cyber Security Magazine
Two security vendors, Orca Security and Tenable, accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking too long to fix critical vulnerabilities in Azure.
Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. Tenable CEO Amit Yoran called out Microsoft for its lack of response to and transparency around two other vulnerabilities that could be exploited by anyone using Azure Synapse.
After several patches, and in the face of Orca’s soon-to-be-public complaint, Microsoft reportedly told Orca that it had fixed the weakness in question. Tenable’s Yoran said that Microsoft "silently patched" one of the bugs his firm reported and "privately acknowledged the severity" of the security holes 89 days after Tenable disclosed them, and only after Tenable said it was going public with the exploit proof-of-concept. (Jessica Lyons Hardcastle / The Register)
Tzah Pahima @TzahPahima: I was able to access thousands of companies’ passwords on #Azure and run code on their VMs. This includes access to Microsoft’s own credentials… 💣 Here’s HOW I did it. This is the story of #SynLapse. (1/11)
Internet infrastructure firm Cloudflare said it mitigated a 26 million request per second distributed denial-of-service (DDoS) attack last week, the largest HTTPS DDoS attack detected to date.
According to Cloudflare, the attacker also used a relatively small yet very powerful botnet of 5,067 devices, each capable of generating roughly 5,200 rps when peaking. The botnet likely leveraged hijacked servers and virtual machines, given that the attack originated from Cloud Service Providers instead of weaker Internet of Things (IoT) devices from compromised Residential Internet Service Providers. The botnet generated over 212 million HTTPS requests within 30 seconds via requests from more than 1,500 networks in 121 countries worldwide. (Sergiu Gatlan / Bleeping Computer)
The Department of Justice charged a Deputy U.S. Marshal, Adrian O. Pena, for allegedly abusing access to a controversial phone tracking service offered by a company called Securus to track the physical location of people he had personal relationships with as well as their spouses.
According to the indictment, Pena, assigned to the Lone Star Fugitive Task Force in the Uvalde County Sheriff's Office in Texas, uploaded fake documents to the Securus platform that he claimed gave him authority to obtain the requested location data. The indictment details 11 separate alleged violations in which Pena abused access to the system, relating to nine different people. (Joseph Cox / Motherboard)
Germany’s antitrust watchdog, the Federal Cartel Office, is investigating Apple over whether the US tech company’s tracking rules for third-party apps give it preferential treatment or undermine its rivals.
Apple’s new tracking rules, introduced in April 2021, force third-party apps to ask users for permission before tracking their behavior to serve personalized ads.
This latest probe comes after a group of Germany’s largest media, tech, and advertising companies and industry bodies representing companies including Facebook and Axel Springer, the owner of Bild, Die Welt, and Insider, filed a complaint about Apple’s update last April. (Javier Espinoza and Madhumita Murgia / Financial Times)
Related: Natasha Lomas – TechCrunch, MacDailyNews, POLITICO EU, MacRumors, AppleInsider, CyberNews, Cult of Mac, Startup Around, PYMNTS.com, Gadgets Now, Gizmodo, Daring Fireball, iPhone in Canada Blog
The Canadian federal government introduced a bill, the Act Respecting Cyber Security, that would allow it to compel companies in the finance, telecommunications, energy, and transportation sectors to either shore up their cyber systems against attacks or face expensive penalties.
The bill says that the governor-in-council may "direct any designated operator or class of operators to comply with any measure set out in the direction for the purpose of protecting a critical cyber system.” However, anyone who receives such a direction "is prohibited from disclosing or allowing to be disclosed" that it was issued. The bill also says operators in key federally regulated industries would have to report cyber security incidents to the government's Cyber Centre. They'd also be required to establish cyber security programs to detect serious incidents and protect critical cyber systems. (Catharine Tunney / CBC)
In what Mozilla calls the browser's "strongest privacy protection to date," all Firefox users on a desktop will now be protected by the browser's Total Cookie Protection feature by default.
Without the feature, websites can "reach into the cookie jars that don't belong to them," as Mozilla puts it. That gives them more information about you to serve specific ads based on your activity. (M. Moon / Engadget)
Related: PCMag.com, Android Police, AndroidHeadlines.com, 9to5Mac, AppleInsider, The Verge, Bleeping Computer, The Mozilla Blog, MobileSyrup.com, iClarified, The Tech Outlook, iMore, PCWorld, Review Geek, Slashdot, Engadget
The ALPHV/BlackCat ransomware group began publishing individual victim websites on the public Internet, with the leaked data available in an easily searchable form.
ALPHV recently announced on its victim shaming and extortion website that it had hacked a luxury spa and resort in the western United States. Over the past day, ALPHV published a website with the same victim’s name in the domain and their logo on the homepage. The website claims to list the personal information of 1,500 resort employees and more than 2,500 residents at the facility. At the top of the page are two “Check Yourself” buttons, one for employees, and another for guests. (Brian Krebs / Krebs on Security)
A Belarusian hacktivist group called the Belarusian Cyber Partisans released what it says is wiretapped audio of calls involving foreign embassies, consulates, and others in Belarus, gathered surreptitiously by the Belarusian Ministry of Internal Affairs.
The audio was released as a YouTube video containing what the group says are recordings captured from the Russian embassy and the Russian consulate sometime between 2020 and 2021. The group said there “are still a lot of recordings of embassies and consulates of other countries. We will continue to reveal the Lukashenka’s regime’s dark secrets. Many interesting leaks soon.” One representative said they have around 1.5 terabytes of voice calls, equating to roughly 50,000 hours. (AJ Vicens / Cyberscoop)
Avast security researchers discovered Syslogk, a new covert Linux kernel rootkit that is still under development but already in use in the wild. It cloaks a malicious payload that an adversary can remotely commandeer by sending a magic network packet.
The Syslogk rootkit is heavily based on Adore-Ng, an open-source rootkit, but adds new functionality that makes both the user-mode application and the kernel rootkit hard to detect. (Ravie Lakshmanan / The Hacker News)
Researchers at Aqua Security discovered that the Travis CI platform for software development and testing exposed user data containing authentication tokens that could give access to developers’ accounts on GitHub, Amazon Web Services, and Docker Hub.
The researchers found that “tens of thousands of user tokens” are exposed through the Travis CI API, which gives access to more than 770 million logs of free-tier users containing various types of credentials. Aqua Security shared its findings with Travis CI, hoping for a fix. However, the CI service replied that the issue was “by design” and left the data exposed. (Ionut Ilascu / Bleeping Computer)
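If your organisation has ever run free-tier builds on Travis CI, the practical question is which tokens to revoke. The following scanner is an added example written for this newsletter and is not Aqua Security's tooling or anything Travis CI ships: it strips the ANSI colour codes and `travis_fold`/`travis_time` markers that wrap Travis log output, then matches well-known token shapes (GitHub `ghp_`/`github_pat_` tokens, AWS `AKIA`/`ASIA` access key IDs, Docker Hub `dckr_pat_` tokens) plus any `NAME=value` assignment whose name looks like a secret, while ignoring values Travis has already masked as `[secure]`. The log lines and every credential value in it are constructed for the example (the AWS key is Amazon's documented placeholder), and the prefix lengths used in the regexes are assumptions about the current token formats, not anything the article states.

```python
"""Scan a CI build log for credential-shaped values so they can be revoked.

Added example, not code from Aqua Security, Travis CI or the article.
All log lines and token values below are constructed.
"""
import re
from typing import Dict, List

# ANSI colour/erase sequences and Travis fold/timing markers interleaved in logs.
ANSI_RE = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")
TRAVIS_MARKER_RE = re.compile(r"travis_(?:fold|time):(?:start|end):\S*")

# Values Travis prints in place of an encrypted environment variable.
MASKED_PLACEHOLDERS = {"[secure]", "***", "<redacted>"}

# Token-shape patterns (prefix lengths are assumptions about current formats).
PATTERNS = {
    "github_token": re.compile(
        r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b|\bgithub_pat_[A-Za-z0-9_]{20,}\b"
    ),
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "dockerhub_token": re.compile(r"\bdckr_pat_[A-Za-z0-9_-]{20,}\b"),
    # Generic assignment: a NAME containing SECRET/TOKEN/PASSWORD followed by =value
    "generic_secret_assignment": re.compile(
        r"\b([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD)[A-Z0-9_]*)=(\S{8,})"
    ),
}
SPECIFIC_KINDS = ("github_token", "aws_access_key_id", "dockerhub_token")


def redact(value: str) -> str:
    """Keep only a 4-character prefix and the length; enough to identify, not to reuse."""
    return f"{value[:4]}...({len(value)} chars)"


def clean_line(raw: str) -> str:
    """Remove Travis markers and ANSI sequences so a colour reset can't glue onto a token."""
    return ANSI_RE.sub("", TRAVIS_MARKER_RE.sub("", raw))


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding (line number, kind, redacted value) per credential-shaped value."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = clean_line(raw)
        seen_values: List[str] = []
        for kind in SPECIFIC_KINDS:
            for m in PATTERNS[kind].finditer(line):
                seen_values.append(m.group(0))
                findings.append({"line": lineno, "kind": kind, "value": redact(m.group(0))})
        for m in PATTERNS["generic_secret_assignment"].finditer(line):
            name, value = m.group(1), m.group(2)
            # Skip masked values and values already reported under a specific kind.
            if value in MASKED_PLACEHOLDERS or any(v in value for v in seen_values):
                continue
            findings.append({"line": lineno, "kind": f"generic:{name}", "value": redact(value)})
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per kind; the revocation to-do list."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["kind"])] = counts.get(str(f["kind"]), 0) + 1
    return counts


# Constructed sample resembling Travis job output (not a real log).
SAMPLE_LOG = (
    "travis_fold:start:worker_info\x1b[0K\x1b[33;1mWorker information\x1b[0m\n"
    "hostname: 2a1f0c9e-xxxx\n"
    "travis_fold:end:worker_info\x1b[0K\n"
    "$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "$ export AWS_SECRET_ACCESS_KEY=[secure]\n"
    "$ git push https://ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789@github.com/example/repo.git\n"
    "$ docker login -u example -p dckr_pat_0123456789abcdefghijklmnopq\n"
    "$ export DEPLOY_TOKEN=s3cr3t-deploy-token-value\n"
    "\x1b[32m$ export NPM_TOKEN=npm_0123456789abcdef\x1b[0m\n"
    "done.\n"
)

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']:>3}  {f['kind']:<28} {f['value']}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

Run it over logs pulled from the Travis API for each repository and treat every hit as compromised: rotate the credential at its issuer (GitHub, AWS, Docker Hub) rather than only deleting the log, since the article's point is that the logs remain retrievable. The ANSI stripping matters in practice: without it the `\x1b[0m` reset on the `NPM_TOKEN` line would be captured as part of the value and the redacted prefix and length reported would be wrong.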
The Shoprite Group, one of the largest supermarket chains serving multiple countries across southern Africa, was hit with a ransomware attack, with the RansomHouse ransomware group taking credit.
The company said it “became aware of a suspected data compromise, impacting on a specific subset of data and which may affect some customers who engaged in money transfers to and within Eswatini and within Namibia and Zambia.” The RansomHouse gang openly touted their attack on the supermarket chain, claiming on their Telegram channel that the company “was keeping enormous amounts of personal data in plain text/raw photos packed in archived files, completely unprotected.” The gang published a sample of the data it stole and said it “invited” the company to negotiate a ransom. (Jonathan Greig / The Record)
According to a screenshot published by the malware research group vx-underground, a hacker or a would-be hacker is advertising ransomware on Instagram.
The hacker’s Instagram account has more than 20,000 followers. The ad is now gone from the account’s Stories, which instead show what is presumably the hacker driving a BMW and holding what appears to be an unlit joint. (Lorenzo Franceschi-Bicchierai / Motherboard)
The BlackCat ransomware-as-a-service group, also known as ALPHV, appears to have hit the University of Pisa in Italy as its latest victim, seeking a reported ransom of $4.5 million.
According to Italy’s Cybersecurity 360 site, the threat actor says the ransom is a "discount price" that will increase to $5 million after Thursday. News of the attack comes days after the BlackCat ransomware group added the University of Pisa to its darknet list of victims, according to cybersecurity firm BetterCyber. (Mihir Bagwe / Databreachtoday)
The French IT and security company Atos is considering splitting its business in two and said the company’s CEO, Rodolphe Belmer, who took over in January, is also set to leave.
The company is studying a separation into two publicly listed companies. The first, dubbed Evidian, would bring together its digital and big data and security (BDS) business lines, which generated €4.9 billion (around $5.13 billion) in revenue in 2021 at a 7.8% operating margin. It would be managed by incoming CEO Philippe Oliva and CFO Anil Agrawal and focus on providing cyber security, big data, and analytics to customers. The second company, Atos, would be made up of Atos’ Tech Foundations business line, focused on designing, building, and managing complex and vital information systems worldwide, which generated €5.4 billion (around $5.66 billion) in 2021. It would be managed by new CEO Nourdine Bihmane and CFO Darren Pilcher. (Zach Marzouk / IT Pro)
Microsoft announced that it will acquire Miburo, a small company that helps customers detect and respond to foreign information operations, in a deal the tech giant said will help it “expand its threat detection and analysis capabilities to address new cyber-attacks and shed light on the ways in which foreign actors use information operations in conjunction with other cyber-attacks to achieve their objectives.”
Miburo is led by founder and CEO Clint Watts, a former U.S. Army officer and FBI agent who served on the FBI’s Joint Terrorism Task Force. The terms of the deal weren’t released. (Taylor Soper / Geekwire)