Pegasus, Salt Typhoon, Turla Covert Campaign, Windows 11 TPM2.0, and Chrome's 'Store Review'

Notable security news for the week of Dec 1st-7th 2024, brought to you by the F5 Security Incident Response Team. This week your editor is Dharminder. In this edition, I have security news about the broader scope of Pegasus spyware infections; Salt Typhoon, an attack on global telecommunications providers; a Russia-linked APT group that infiltrated a Pakistan-based hacking group to target Indian and Afghan government institutions; Trusted Platform Module (TPM) 2.0, a mandatory requirement for the Windows 11 upgrade; Google Chrome's upcoming "Store reviews" feature, which will help users check website credibility; and critical security flaws in Mitel MiCollab and Lorex cameras.

We in F5 SIRT invest a lot of time in understanding the constantly changing behaviour of bad actors. Bad actors are a threat to your business, your reputation and your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to mitigate attacks and vulnerabilities effectively and get you back up and running. So the next time you face a security emergency, please contact F5 SIRT.

OK, let's get started with the details of this week's security news.

 

Pegasus Spyware Infections Unveiled: Broader Scope Revealed

Recent investigations by iVerify uncovered seven new Pegasus spyware infections targeting journalists, government officials, corporate executives and ordinary civilians. The infections span iOS and Android, affecting Apple iOS versions 14 to 16.6 as well as Android devices, with activity traced back to 2021. Across 2,500 device scans, iVerify found an infection rate of 2.5 per 1,000 scans, significantly higher than previous estimates suggested. Researchers identified five unique malware variants that used zero-click exploits to gain full device control; the infections left forensic artifacts in system logs that made them detectable after the fact.

NSO Group's Pegasus spyware, tracked by iVerify as “Rainbow Ronin”, was found targeting broader demographics, including ordinary professionals and high-risk populations. These findings challenge the perception that such spyware focuses only on high-profile individuals. Pegasus leverages advanced techniques to silently monitor devices, steal data, and exploit vulnerabilities undetected by conventional security tools.

iVerify emphasized a critical gap in current mobile security, revealing how sophisticated threats evade traditional detection. Their Mobile Threat Hunting feature highlights the urgency for robust, user-accessible security solutions. The investigation sheds light on the growing complexity of mobile threats, urging a shift in industry approaches to device security.

https://www.darkreading.com/endpoint-security/pegasus-spyware-infections-ios-android-devices

https://cybersecuritynews.com/pegasus-spyware-detected-in-new-mobile-devices/

 

Salt Typhoon: Cyber Espionage Campaign Targets Global Telecommunications

The Salt Typhoon cyber espionage campaign, attributed to China-linked threat actors, has targeted telecommunications providers globally since at least 2020, compromising the private communications of senior U.S. officials and others. Rather than novel exploits, the campaign relied on known weaknesses in network infrastructure, combined with careful tradecraft, to reach sensitive data. Impacted companies have yet to fully evict the attackers, so the risk of ongoing breaches remains.

A joint advisory from the U.S., Australia, Canada, and New Zealand outlined technical guidance to mitigate the threat. Recommendations include strong encryption, network segmentation, centralised logging, anomaly detection, strict access controls, and the elimination of default credentials. Agencies emphasised securing devices, patching vulnerabilities, and implementing robust monitoring systems to thwart future intrusions.
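As an added example of the kind of anomaly detection the advisory recommends (this is illustrative code, not part of the advisory or of this post), the script below checks network-device syslog for four conditions: successful admin logins from outside the management network, logins with well-known default account names, configuration changes made from outside the management network, and logins over cleartext management protocols. The management subnet, the default account list, the port mapping and the sample log lines are all assumed and constructed for the example; the line format is modelled on Cisco IOS syslog messages.

```python
"""Flag suspicious management-plane events in network-device syslog (added example)."""
import ipaddress
import re
from typing import Dict, List

# Assumed out-of-band management subnet; admin activity from anywhere else is suspect.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
# Assumed default/vendor account names that should have been removed or renamed.
DEFAULT_ACCOUNTS = {"admin", "cisco"}
# Local ports of unencrypted management services that should be disabled outright.
CLEARTEXT_PORTS = {23: "telnet", 80: "http"}

# Constructed sample lines modelled on Cisco IOS syslog; not real data.
SAMPLE_LOGS = """\
Dec  3 02:14:07 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.10.0.15)
Dec  3 02:15:12 edge-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.77] [localport: 22] at 02:15:12 UTC
Dec  3 02:16:30 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty1 (203.0.113.77)
Dec  3 02:17:01 edge-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.15] [localport: 23] at 02:17:01 UTC
"""

CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) on \S+ \((?P<src>[\d.]+)\)"
)
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success \[user: (?P<user>\S+)\] "
    r"\[Source: (?P<src>[\d.]+)\] \[localport: (?P<port>\d+)\]"
)


def in_mgmt_net(src: str) -> bool:
    """True if the source address belongs to an approved management subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MGMT_NETS)


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per rule hit; a single line can trigger several rules."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            if not in_mgmt_net(m["src"]):
                findings.append({"rule": "login_outside_mgmt", "user": m["user"], "src": m["src"]})
            if m["user"] in DEFAULT_ACCOUNTS:
                findings.append({"rule": "default_account_login", "user": m["user"], "src": m["src"]})
            port = int(m["port"])
            if port in CLEARTEXT_PORTS:
                findings.append({"rule": "cleartext_mgmt_protocol", "user": m["user"],
                                 "src": m["src"], "proto": CLEARTEXT_PORTS[port]})
            continue
        m = CONFIG_RE.search(line)
        if m and not in_mgmt_net(m["src"]):
            findings.append({"rule": "config_change_outside_mgmt", "user": m["user"], "src": m["src"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS.splitlines()):
        print(finding)
```

Run against the constructed sample, the first line (a config change by a named operator from the management subnet) produces no finding, while the remaining three each trip at least one rule. In production the same checks would run in the central log platform the advisory calls for, with the management subnet and account list taken from the organisation's own inventory.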

The campaign highlights vulnerabilities in critical infrastructure, drawing parallels to previous incidents like the 2021 Colonial Pipeline ransomware attack. U.S. officials stress the need for heightened cybersecurity standards across sectors to counter such nation-state threats effectively.

https://thehackernews.com/2024/12/joint-advisory-warns-of-prc-backed.html

https://www.pbs.org/newshour/world/at-least-8-u-s-telecom-firms-were-hit-by-chinese-hacking-campaign-white-house-says 

 

Turla Exploits Rival Hacking Group to Extend Espionage Campaigns

The Russia-linked APT group Turla, also known as Secret Blizzard, has managed to run a covert campaign since 2022 by infiltrating and hijacking the command-and-control (C2) servers of the Pakistan-based hacking group Storm-0156. This tactic lets Turla leverage pre-established intrusions to deploy its own malware, including TwoDash, a downloader, and Statuezy, a clipboard-monitoring trojan. The campaign targeted Afghan government networks and Indian defence-related institutions, using Storm-0156 infrastructure to deploy malware and exfiltrate sensitive data. Turla has a history of co-opting other threat actors' infrastructure, as seen in its previous campaigns involving Iranian APTs, Andromeda malware and the Kazakhstan-based Tomiris backdoor.

Turla moved laterally within Storm-0156's infrastructure to harvest intelligence such as C2 credentials and previously exfiltrated data. This approach minimises Turla's own effort while muddying attribution, allowing it to piggyback on others' campaigns. Microsoft and Black Lotus Labs observed Turla deploying custom tools like MiniPocket and commandeering Storm-0156's backdoors, including Crimson RAT and Wainscot, in South Asia-focused operations. Turla's actions signal an intentional strategy of hijacking rival infrastructure to expand its reach and intelligence-gathering capabilities.

https://www.darkreading.com/threat-intelligence/russian-fsb-hackers-breach-pakistan-storm-0156

https://www.securityweek.com/spy-v-spy-russian-apt-turla-caught-stealing-from-pakistani-apt/

https://thehackernews.com/2024/12/russia-linked-turla-exploits-pakistani.html

 

TPM2.0 - Requirement For Windows 11 Upgrade

As Windows 10 support approaches its end, upgrading to Windows 11 requires devices to have Trusted Platform Module (TPM) 2.0, a hardware-based security component. TPM 2.0 provides secure key generation and storage and hardware-backed cryptographic operations. It records measurements of the boot chain (Measured Boot), which complement UEFI Secure Boot, and it underpins Windows security features such as BitLocker, Windows Hello and Credential Guard. Unlike TPM 1.2, which was limited to SHA-1 and RSA, TPM 2.0 is cryptographically agile and supports a broad range of algorithms, including SHA-256 and elliptic-curve cryptography.

A TPM keeps private keys and the operations that use them outside the reach of software running on the host (a discrete TPM is a separate chip; a firmware TPM runs inside the processor's trusted execution environment), so malware that compromises the operating system cannot simply read the keys out. It also supports multi-factor authentication and device attestation, strengthening endpoint identity in Zero Trust strategies. By sealing secrets such as the BitLocker volume key to boot measurements, the TPM releases the key only when the system has booted with the expected firmware and configuration, which is what defeats offline tampering with the boot chain.

Organisations must evaluate their hardware for TPM 2.0 compatibility and prepare for upgrades where necessary. Many systems ship with the firmware TPM (Intel PTT or AMD fTPM) disabled in UEFI settings, so a failed check often means the TPM needs to be enabled rather than that the hardware lacks one. On a single machine, tpm.msc or the Get-Tpm PowerShell cmdlet shows presence, readiness and the specification version, and Confirm-SecureBootUEFI checks Secure Boot separately, since that is a UEFI firmware feature rather than a TPM one. Across a fleet, Microsoft Intune and Configuration Manager can report TPM status and enforce compliance. Microsoft also positions TPM 2.0 as improving regulatory compliance and future-proofing systems for emerging AI and security workloads.

TPM 2.0 is essential for Windows 11, providing robust protection against evolving cyber threats. Embracing this standard strengthens organisational data security, supports Zero Trust frameworks, and builds resilience in the modern digital landscape.

https://techcommunity.microsoft.com/blog/windows-itpro-blog/tpm-2-0-%E2%80%93-a-necessity-for-a-secure-and-future-proof-windows-11/4339066

https://www.bleepingcomputer.com/news/microsoft/microsoft-says-having-a-tpm-is-non-negotiable-for-windows-11/ 

 

Google Chrome's "Store Review" - Website Credibility Check

Google Chrome's upcoming "Store reviews" feature uses AI to produce a concise summary of a website's reputation from data on third-party review platforms such as Trustpilot and ScamAdviser. It is accessible through the page info bubble (the site information icon, shown as a lock or "i", in the address bar) and lets users assess a site's trustworthiness quickly without consulting multiple sources. Designed to improve user safety, it aims to reduce exposure to fraudulent shops and malicious downloads.

This feature is part of a broader AI integration strategy in web browsers, with competitors like Microsoft Edge, Safari, and Firefox implementing similar updates focused on security and usability. While "Store reviews" promises to boost e-commerce by fostering safer browsing environments, it also raises concerns about privacy, transparency, and ethical AI use. Privacy advocates urge stricter regulations to prevent misuse, and global oversight bodies like the EU are increasing scrutiny of AI technologies. For businesses, this tool could reshape market dynamics by enhancing consumer trust in online interactions.

https://opentools.ai/news/google-chromes-new-ai-powered-store-reviews-feature-boosting-online-trustworthiness-instantly

https://www.bleepingcomputer.com/news/google/google-chromes-ai-feature-lets-you-quickly-check-website-trustworthiness/

 

Critical Security Flaws in Mitel MiCollab and Lorex Cameras

Cybersecurity researchers disclosed a proof-of-concept (PoC) exploit that chains a patched vulnerability in Mitel MiCollab (CVE-2024-41713) with a still-unpatched, post-authentication arbitrary file read flaw. CVE-2024-41713 (CVSS 9.8) is a path traversal caused by insufficient input validation in the NuPoint Unified Messaging (NPM) component; an unauthenticated attacker can use it to bypass authentication and, chained with the file read, retrieve sensitive files such as /etc/passwd. MiCollab integrates chat, voice and messaging with platforms like Microsoft Teams. Mitel fixed CVE-2024-41713 in MiCollab 9.8 SP2 and warned that successful exploitation could compromise confidentiality, integrity and availability by granting an attacker administrative access and exposing provisioning data. Separately, CVE-2024-47223, a SQL injection in MiCollab's Audio, Web, and Video Conferencing component that allowed arbitrary database operations, was also fixed. The researchers noted that a sufficiently detailed CVE description can stand in for source code when rediscovering a vulnerability.

Additionally, Rapid7 disclosed five flaws in Lorex Wi-Fi cameras (CVE-2024-52544 to CVE-2024-52548) that can be chained into remote code execution (RCE). The chain includes an admin password reset and a buffer overflow and lets an attacker take over the device, view its live feed, or run OS commands as root. Both cases underscore the need for timely patching and defence in depth.
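The MiCollab traversal is one instance of a general input-validation failure, so here is an added, generic illustration (not Mitel's code, and not the researchers' PoC) of why a blocklist filter on ".." is insufficient and what a hardened path resolver looks like. The web root and the request paths are constructed for the example.

```python
"""Generic path-traversal check: a naive blocklist filter beside a canonical
containment check (added example; does not model any specific product)."""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/srv/app/public"   # assumed web root for the example


def naive_resolve(user_path: str, base_dir: str = WEB_ROOT) -> str:
    """The kind of filter that gets bypassed: strip '../' then join.

    Fails on doubled sequences ('....//' collapses to '../' after stripping)
    and never sees URL-encoded dots ('%2e%2e') that the server decodes later.
    """
    stripped = user_path.replace("../", "")
    return posixpath.normpath(posixpath.join(base_dir, stripped))


def hardened_resolve(user_path: str, base_dir: str = WEB_ROOT) -> Optional[str]:
    """Return the canonical path if it stays inside base_dir, else None.

    Decodes before validating (so the check sees what the file system will
    see), rejects NUL bytes, collapses '.'/'..' lexically and then requires
    the result to be base_dir itself or a descendant of base_dir.
    On a real file system, follow this with os.path.realpath() so that
    symlinks under the web root cannot point outside it.
    """
    decoded = unquote(unquote(user_path))       # also catches double-encoded %252e%252e
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded.lstrip("/")))
    if candidate != base_dir and not candidate.startswith(base_dir + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths: one legitimate, three traversal attempts.
    for req in ("index.html",
                "../../../etc/passwd",
                "....//....//....//etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req:36} naive={naive_resolve(req):40} hardened={hardened_resolve(req)}")
```

The doubled sequence escapes the naive filter and resolves to /etc/passwd, while the encoded form passes the naive filter untouched and only becomes a traversal once the server decodes it; the hardened resolver rejects both because it decodes first and then checks containment of the canonical result rather than looking for a forbidden substring.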

https://thehackernews.com/2024/12/critical-mitel-micollab-flaw-exposes.html

https://www.bleepingcomputer.com/news/security/mitel-micollab-zero-day-flaw-gets-proof-of-concept-exploit/

 

Published Dec 10, 2024
Version 1.0