Stay updated on the latest cybersecurity stories with SWK’s recap of the top news from September to October 2021. As the 4th Quarter picks up in year-end activities and the past year winds down into Q1 2022 planning, InfoSec is capturing a better view into the state of the cybercrime economy, and how the most popular brands – and their prolific products – are affected. This month’s articles cover two of the biggest – Apple and Microsoft – and how they are addressing several cyber threats recently brought to their attention.
Multiple iPhone Zero-Day Exploits Open to Spyware & More
September and October of 2021 were scary times for iPhone users, who had to rush to apply critical updates to their smartphones several times to correct multiple zero-day vulnerabilities made public recently. However, the background factors make the situation even more disconcerting:
- The security researcher responsible for uncovering the most recently patched exploits said he alerted Apple months before the company took action, and that some of the flaws remain unpatched
- One of the vulnerabilities was caught when a watchdog group traced a notorious spyware program installed on a Saudi Arabian activist’s phone
- Neither scenario appears to be a first, and precedent suggests neither will be the last
NSO Group Pegasus Spyware Implicated in Smartphone Jailbreaking
The University of Toronto’s Citizen Lab was investigating the iPhone on behalf of the Saudi activist for an infection by Pegasus spyware, which specifically targets Apple devices and is ostensibly only sold to government clients by a legitimate security research firm. The Lab has previously uncovered multiple Pegasus infection campaigns against thousands of devices and against individual programs like WhatsApp. This recent investigation led them to a zero-day, zero-click exploit that leveraged a critical vulnerability in iOS, MacOS and WatchOS to give access to the device whenever the user sent a text through iMessage.
Pegasus is infamous for being used to jailbreak the iPhones of government officials, journalists, activists, and even the loved ones of those groups. While its developer, NSO Group, has repeatedly responded to criticism with the claim that it only serves legitimate law enforcement and intelligence agencies, researchers have discovered Pegasus in the hands of drug cartels. An ex-employee was also able to steal a copy of the software – supposedly just by Googling a workaround to the theft detection system – and was attempting to sell it on the dark web when he was turned in, meaning that there is little guarantee the spyware cannot fall into hackers’ hands.
Apple Ignoring Both Bugs and Researchers
The researcher claiming responsibility for uncovering four of the zero-day bugs, Denis Tokarev, published a blog post accusing Apple of ignoring some of the bugs since he reported the first in March 2021, and of avoiding giving him credit for the discoveries. This is not the first time Apple’s Bug Bounty Program has been criticized for failing to reward white hat hackers who alert the company to vulnerabilities, as well as for failing to disclose or even address the security gaps in its systems. Some frustrated security researchers have evidently begun openly considering submitting found bugs to brokers instead, creating a greater chance for hackers to exploit the flaws.
Microsoft Releases Multiple Phishing Warnings for Users
From August to September 2021, Microsoft released several public alerts to warn users of new phishing discoveries uncovered by its researchers, including:
- A dedicated phishing campaign using convincing replications of Office 365 and SharePoint
- A phishing technique that leverages open redirect links to trick both users and security software
- An active phishing-as-a-service (PHaaS) provider selling sophisticated toolkits to less skilled hackers
Robust Phishing-as-a-Service Operation Clones M365 Pages
The phishing toolkit provider discovered by Microsoft’s security researchers could very likely have supplied the resources used for the campaign seen earlier in August, as one of the services offered included spoofed web versions of Microsoft 365 cloud app login pages such as OneDrive. Other recreated pages targeted other large brands like AT&T, and were being sold through an ecommerce storefront for around $80 to $100 per webpage. Microsoft’s researchers identified the culprits as belonging to a group that goes by the names BulletProofLink, BulletProfLink and Anthrax, the former two echoing their status as a “bulletproof hosting” service.
A security expert from Sydney, Australia had also previously traced the activities of BulletProfLink back to the owner of its hosting server, apparently an IT expert based in Malaysia who translated his knowledge and expertise into becoming a bulletproof hoster. The open-source investigation also found that the phishing services included 108 page templates for sale, with hundreds more readily available, as well as a user forum with over 1400 members who are likely prospective or repeat buyers of the toolkits.
Redirect Link Campaign Leverages Trusted URLs
The phishing campaign that uses open redirect vulnerabilities (also known as cross-site or cross-domain redirects) leverages a gap in Google’s security controls to display a trusted domain when the user hovers over a link. As the name suggests, the malicious URL is buried within multiple redirects, including a Google CAPTCHA page that lends legitimacy to the process before taking the victim to a scam Office 365 login page (as seen with the bulletproof hosting PHaaS).
This type of technique is especially dangerous in that it defeats the practice of hovering over a link to determine whether the URL is legitimate, and can lull the user into a false sense of security with the trusted domain. The same process can even fool automated email filters into letting phishing links slip past for the same reason, removing a safety net against malware. Fortunately, Microsoft Defender for Office 365 has been updated to address this threat, and Microsoft’s researchers will continue to monitor this and other trends to ensure their security programs can detect them across their products.
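As an added illustration of the redirect-chain problem described above (this is example code written for this recap, not code from SWK, Microsoft or Google): a small Python check that unwraps nested redirect parameters offline and flags a link whose visible host is trusted while its innermost destination is not. The redirect parameter names, hosts and sample URLs are constructed assumptions.

```python
"""Offline check for links whose visible, trusted host only redirects
to a destination buried in a query parameter. No network requests are
made; the chain is recovered purely from the URL text."""
from urllib.parse import urlparse, parse_qs, unquote

# Query-parameter names commonly used by redirect endpoints.
# This list is an assumption for the example, not taken from a vendor report.
REDIRECT_PARAMS = ("url", "q", "redirect", "redir", "next", "continue", "target", "u")

# Constructed sample links: a trusted host -> redirect host -> CAPTCHA-style
# hop -> fake login page, and a benign redirect that stays on trusted hosts.
SAMPLE_PHISH = ("https://trusted.example/url?q=https%3A%2F%2Fredirect.example%2Fgo"
                "%3Furl%3Dhttps%253A%252F%252Fphish.example%2Fo365")
SAMPLE_BENIGN = "https://trusted.example/redirect?url=https%3A%2F%2Fdocs.trusted.example%2Fhelp"


def _fully_decode(value, rounds=3):
    """Percent-decode repeatedly; nested redirects are often encoded more than once."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def unwrap_redirects(url, max_depth=10):
    """Return the list of hosts from the displayed URL down to the innermost
    embedded destination, stopping when no redirect parameter is present."""
    chain = []
    current = url
    for _ in range(max_depth):
        parsed = urlparse(current)
        if not parsed.netloc:
            break  # relative path or garbage: nothing further to follow
        chain.append(parsed.netloc.lower())
        params = parse_qs(parsed.query)
        nested = next((params[p][0] for p in REDIRECT_PARAMS if p in params), None)
        if nested is None:
            break
        current = _fully_decode(nested)
    return chain


def is_suspicious(url, trusted_hosts):
    """Flag a link whose visible host is trusted but whose final hop is not."""
    chain = unwrap_redirects(url)
    if len(chain) < 2:
        return False  # no redirect at all: nothing is being hidden
    return chain[0] in trusted_hosts and chain[-1] not in trusted_hosts
```

A mail gateway rule built on this idea would quarantine or rewrite the link rather than trusting the hover text; the hover text shows only `chain[0]`.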
Talk to SWK to Secure Your Apple and Microsoft Systems
Popular product brands see large-scale usage, and this leads hackers to target systems like iOS and Microsoft 365 to cast the widest net for victims. SWK Technologies will help you train your users, monitor your devices and defend your network against targeted cyber threats with the solutions and services at your disposal.
Contact SWK today to learn more about protecting your Apple and Microsoft devices and systems from the latest hacking techniques.