Wednesday, 12 April 2023

Israel-based Spyware Firm QuaDream Targets High-Risk iPhones with Zero-Click Exploit

Threat actors using hacking tools from an Israeli surveillanceware vendor named QuaDream targeted at least five members of civil society in North America, Central Asia, Southeast Asia, Europe, and the Middle East.

According to findings from a group of researchers from the Citizen Lab, the spyware campaign was directed against journalists, political opposition figures, and an NGO worker in 2021. The names of the victims were not disclosed.

It's also suspected that the company abused a zero-click exploit dubbed ENDOFDAYS in iOS 14 to deploy spyware as a zero-day against versions 14.4 and 14.4.2. There is no evidence that the exploit has been used after March 2021.

ENDOFDAYS "appears to make use of invisible iCloud calendar invitations sent from the spyware's operator to victims," the researchers said, adding the .ics files contain invites to two backdated and overlapping events so as to not alert the users.

The attacks are suspected to have leveraged a quirk in iOS 14 whereby any iCloud calendar invitation with a backdated time received by the phone is automatically processed and added to the user's calendar without any notification or prompt.

The Microsoft Threat Intelligence team is tracking QuaDream as DEV-0196, describing it as a private-sector offensive actor (PSOA). While the cyber mercenary company is not directly involved in targeting, it is known to sell its "exploitation services and malware" to government customers, the tech giant assessed with high confidence.

The malware, named KingsPawn, contains a monitor agent and the primary malware agent, both of which are Mach-O files written in Objective-C and Go, respectively.

While the monitor agent is responsible for reducing the forensic footprint of the malware to evade detection, the main agent comes with capabilities to gather device information, cellular and Wi-Fi data, harvest files, access the camera in the background, access location, call logs, and the iOS Keychain, and even generate an iCloud time-based one-time password (TOTP).

Other samples support recording audio from phone calls and the microphone, running queries in SQL databases, and cleaning up forensic trails, such as deleting all calendar events from two years prior to the current time. The data is exfiltrated via HTTPS POST requests.

Internet scans carried out by the Citizen Lab reveal that QuaDream's customers operated 600 servers from several countries around the world between late 2021 and early 2023, including Bulgaria, Czech Republic, Hungary, Romania, Ghana, Israel, Mexico, Singapore, the U.A.E., and Uzbekistan.

Despite attempts made by the spyware to cover its tracks, the interdisciplinary laboratory said it was able to uncover unspecified traces of what it calls the "Ectoplasm Factor" that could be used to track QuaDream's toolset in the future.

This is not the first time QuaDream has attracted attention. In February 2022, Reuters reported that the company weaponized the FORCEDENTRY zero-click exploit in iMessage to deploy a spyware solution named REIGN.

Then in December 2022, Meta disclosed that it took down a network of 250 fake accounts on Facebook and Instagram controlled by QuaDream to infect Android and iOS devices and exfiltrate personal data.

If anything, the development is yet another indication that despite the notoriety attracted by NSO Group, commercial spyware firms continue to fly under the radar and develop sophisticated spyware products for use by government clients.

"Until the out-of-control proliferation of commercial spyware is successfully curtailed through systemic government regulations, the number of abuse cases is likely to continue to grow, fueled both by companies with recognizable names, as well as others still operating in the shadows," the Citizen Lab said.

Calling the growth of mercenary spyware companies a threat to democracy and human rights, Microsoft said combating such offensive actors requires a "collective effort" and a "multistakeholder collaboration."

"Moreover, it is only a matter of time before the use of the tools and technologies they sell spread even further," Amy Hogan-Burney, the company's associate general counsel for cybersecurity policy and protection, said.

"This poses a real risk to human rights online, but also to the security and stability of the broader online environment. The services they offer require cyber mercenaries to stockpile vulnerabilities and search for new ways to access networks without authorization."

Tuesday, 11 April 2023

Newly Discovered "By-Design" Flaw in Microsoft Azure Could Expose Storage Accounts to Hackers

A "by-design flaw" uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code.

"It is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access-tokens of higher privilege identities, move laterally, potentially access critical business assets, and execute remote code (RCE)," Orca said.

The exploitation path that underpins this attack is a mechanism called Shared Key authorization, which is enabled by default on storage accounts.

According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account. These keys can be used to authorize access to data via Shared Key authorization, or via SAS tokens that are signed with the shared key.

"Storage account access keys provide full access to the configuration of a storage account, as well as the data," Microsoft notes in its documentation. "Access to the shared key grants a user full access to a storage account's configuration and its data."

The cloud security firm said these access tokens can be stolen by manipulating Azure Functions, potentially enabling a threat actor with access to an account with a Storage Account Contributor role to escalate privileges and take over systems.

Specifically, should a managed identity be assigned to the Function app, it could be abused to execute any command under that identity. This is made possible by the fact that a dedicated storage account, holding the function's code files, is created when deploying an Azure Function app.

"Once an attacker locates the storage account of a Function app that is assigned with a strong managed identity, it can run code on its behalf and as a result acquire a subscription privilege escalation (PE)," Orca researcher Roi Nisimi said.

In other words, by exfiltrating the access token of the Azure Function app's assigned managed identity to a remote server, a threat actor can elevate privileges, move laterally, access new resources, and execute a reverse shell on virtual machines.

"By overriding function files in storage accounts, an attacker can steal and exfiltrate a higher-privileged identity and use it to move laterally, exploit and compromise victims' most valuable crown jewels," Nisimi explained.

As mitigations, it's recommended that organizations consider disabling Azure Shared Key authorization and using Azure Active Directory authentication instead. In a coordinated disclosure, Microsoft said it "plans to update how Functions client tools work with storage accounts."

"This includes changes to better support scenarios using the identity. After identity-based connections for AzureWebJobsStorage are generally available and the new experiences are validated, identity will become the default mode for AzureWebJobsStorage, which is intended to move away from shared key authorization," the tech giant further added.
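The two configuration points named above (Shared Key authorization on the storage account, and whether a Function app's AzureWebJobsStorage connection is key-based or identity-based) can be checked from an inventory export. The audit below is an added illustration, not Orca's or Microsoft's tooling; it runs over a constructed, simplified resource list, and assumes the documented property name `allowSharedKeyAccess` and the identity-based app setting `AzureWebJobsStorage__accountName`.

```python
import json
from typing import Dict, List

# Constructed sample of a simplified resource export (no real accounts or keys).
# Shape: one object per resource; app settings flattened onto the Function app.
SAMPLE_RESOURCES = json.dumps([
    {"type": "Microsoft.Storage/storageAccounts", "name": "funcstore01",
     "properties": {"allowSharedKeyAccess": True}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "lockeddown",
     "properties": {"allowSharedKeyAccess": False}},
    # Property absent: Azure treats the account as allowing Shared Key access.
    {"type": "Microsoft.Storage/storageAccounts", "name": "legacystore",
     "properties": {}},
    {"type": "Microsoft.Web/sites", "name": "payroll-func",
     "identity": {"type": "SystemAssigned"},
     "appSettings": {"AzureWebJobsStorage":
                     "DefaultEndpointsProtocol=https;AccountName=funcstore01;"
                     "AccountKey=PLACEHOLDER_KEY;EndpointSuffix=core.windows.net"}},
    {"type": "Microsoft.Web/sites", "name": "reports-func",
     "identity": {"type": "SystemAssigned"},
     "appSettings": {"AzureWebJobsStorage__accountName": "lockeddown"}},
])


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict; values may themselves contain '='."""
    result = {}
    for part in conn.split(";"):
        key, _, value = part.partition("=")
        if key:
            result[key] = value
    return result


def shared_key_enabled(account: Dict) -> bool:
    """True unless allowSharedKeyAccess is explicitly false (absent means allowed)."""
    return account.get("properties", {}).get("allowSharedKeyAccess") is not False


def host_storage_uses_key(app: Dict) -> bool:
    """True when AzureWebJobsStorage is a key-based connection string rather than
    the identity-based AzureWebJobsStorage__accountName form."""
    conn = app.get("appSettings", {}).get("AzureWebJobsStorage", "")
    return "AccountKey" in parse_connection_string(conn)


def audit(resources_json: str) -> List[str]:
    """Return one finding per risky resource; an empty list means nothing flagged."""
    findings = []
    for res in json.loads(resources_json):
        if res["type"] == "Microsoft.Storage/storageAccounts" and shared_key_enabled(res):
            findings.append(f"storage account {res['name']}: Shared Key authorization allowed")
        elif res["type"] == "Microsoft.Web/sites" and host_storage_uses_key(res):
            conn = parse_connection_string(res["appSettings"]["AzureWebJobsStorage"])
            identity = res.get("identity", {}).get("type", "None")
            findings.append(
                f"function app {res['name']}: host storage {conn.get('AccountName')} "
                f"reachable by account key; identity {identity} is exposed if the "
                f"function files in that account can be overwritten")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_RESOURCES):
        print(line)
```

An account with the property missing is reported as well, since Azure defaults to permitting Shared Key access until it is explicitly disabled.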


Monday, 10 April 2023

CISA Warns of 5 Actively Exploited Security Flaws: Urgent Action Required

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

This includes three high-severity flaws in the Veritas Backup Exec Agent software (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) that could lead to the execution of privileged commands on the underlying system. The flaws were fixed in a patch released by Veritas in March 2021.

CVE-2021-27876 (CVSS score: 8.1) - Veritas Backup Exec Agent File Access Vulnerability

CVE-2021-27877 (CVSS score: 8.2) - Veritas Backup Exec Agent Improper Authentication Vulnerability

CVE-2021-27878 (CVSS score: 8.8) - Veritas Backup Exec Agent Command Execution Vulnerability

Google-owned Mandiant, in a report published last week, revealed that an affiliate associated with the BlackCat (aka ALPHV and Noberus) ransomware operation is targeting publicly exposed Veritas Backup Exec installations to gain initial access by leveraging the aforementioned three bugs.

The threat intelligence firm, which is tracking the affiliate actor under its uncategorized moniker UNC4466, said it first observed exploitation of the flaws in the wild on October 22, 2022.

In one incident detailed by Mandiant, UNC4466 gained access to an internet-exposed Windows server, followed by carrying out a series of actions that allowed the attacker to deploy the Rust-based ransomware payload, but not before conducting reconnaissance, escalating privileges, and disabling Microsoft Defender's real-time monitoring capability.

Also added by CISA to the KEV catalog is CVE-2019-1388 (CVSS score: 7.8), a privilege escalation flaw impacting Microsoft Windows Certificate Dialog that could be exploited to run processes with elevated permissions on an already compromised host.

The fifth vulnerability included in the list is an information disclosure flaw in Arm Mali GPU Kernel Driver (CVE-2023-26083) that was revealed by Google's Threat Analysis Group (TAG) last month as abused by an unnamed spyware vendor as part of an exploit chain to break into Samsung's Android smartphones.

Federal Civilian Executive Branch (FCEB) agencies have until April 28, 2023, to apply the patches to secure their networks against potential threats.

The advisory also comes as Apple released updates for iOS, iPadOS, macOS, and the Safari web browser to address a pair of zero-day flaws (CVE-2023-28205 and CVE-2023-28206) that it said have been exploited in real-world attacks.


Sunday, 9 April 2023

Researchers Discover Critical Remote Code Execution Flaw in vm2 Sandbox Library

The maintainers of the vm2 JavaScript sandbox module have shipped a patch to address a critical flaw that could be abused to break out of the sandbox's security boundaries and execute arbitrary code.

The flaw, which affects all versions up to and including 3.9.14, was reported by researchers from South Korea-based KAIST WSP Lab on April 6, 2023, prompting vm2 to release a fix in version 3.9.15 on Friday.

"A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," vm2 disclosed in an advisory.

The vulnerability has been assigned the identifier CVE-2023-29017 and is rated 9.8 on the CVSS scoring system. The issue stems from the fact that the library does not properly handle errors that occur in asynchronous functions.

vm2 is a popular library that's used to run untrusted code in an isolated environment on Node.js. It has nearly four million weekly downloads and is used in 721 packages.

KAIST security researcher Seongil Wi has also made available two different variants of a proof-of-concept (PoC) exploit for CVE-2023-29017 that get around the sandbox protections and allow the creation of an empty file named "flag" on the host.

The disclosure comes almost six months after vm2 resolved another critical bug (CVE-2022-36067, CVSS score: 10) that could have been weaponized to perform arbitrary operations on the underlying machine.


Taiwanese PC Company MSI Falls Victim to Ransomware Attack

Taiwanese PC company MSI (short for Micro-Star International) officially confirmed it was the victim of a cyber attack on its systems.

The company said it "promptly" initiated incident response and recovery measures after detecting "network anomalies." It also said it alerted law enforcement agencies of the matter.

That said, MSI did not disclose any specifics about when the attack took place or whether it entailed the exfiltration of any proprietary information, including source code.

"Currently, the affected systems have gradually resumed normal operations, with no significant impact on financial business," the company said in a brief notice shared on Friday.

In a regulatory filing with the Taiwan Stock Exchange, it said that it's setting up enhanced controls of its network and infrastructure to ensure the security of data.

MSI is further urging users to obtain firmware/BIOS updates only from its official website and refrain from downloading files from other sources.

The disclosure comes as a new ransomware gang known as Money Message added the company to its list of victims. The threat actor was spotlighted by Zscaler late last month.

"The group utilizes a double extortion technique to target its victims, which involves exfiltrating the victim's data before encrypting it," Cyble noted in an analysis published this week. "The group uploads the data on their leak site if the ransom is unpaid."

The development comes a month after Acer confirmed a breach of its own that resulted in the theft of 160 GB of confidential data. It was advertised on March 6, 2023, for sale on the now-defunct BreachForums.


Saturday, 8 April 2023

Iran-Based Hackers Caught Carrying Out Destructive Attacks Under Ransomware Guise

The Iranian nation-state group known as MuddyWater has been observed carrying out destructive attacks on hybrid environments under the guise of a ransomware operation.

That's according to new findings from the Microsoft Threat Intelligence team, which discovered the threat actor targeting both on-premises and cloud infrastructures in partnership with another emerging activity cluster dubbed DEV-1084.

"While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation," the tech giant revealed Friday.

MuddyWater is the name assigned to an Iran-based actor that the U.S. government has publicly connected to the country's Ministry of Intelligence and Security (MOIS). It's been known to be active since at least 2017.

It's also tracked by the cybersecurity community under various names, including Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mercury, Seedworm, Static Kitten, TEMP.Zagros, and Yellow Nix.

Cybersecurity firm Secureworks, in its profile of Cobalt Ulster, notes that it is not uncommon for the threat actor to "inject false flags into code associated with their operations" as a distraction intended to muddy attribution efforts.

Attacks mounted by the group have primarily singled out Middle Eastern nations, with intrusions observed over the past year leveraging the Log4Shell flaw to breach Israeli entities.

The latest findings from Microsoft reveal that the threat actor probably worked together with DEV-1084 to pull off the attacks, with the latter conducting the destructive actions after MuddyWater successfully gained a foothold in the target environment.

"Mercury likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage," Microsoft said.

In the activity detected by Redmond, DEV-1084 subsequently abused highly privileged compromised credentials to encrypt on-premises devices and carry out large-scale deletion of cloud resources, including server farms, virtual machines, storage accounts, and virtual networks.

Furthermore, the threat actors gained full access to email inboxes through Exchange Web Services, using it to perform "thousands of search activities" and impersonate an unnamed high-ranking employee to send messages to both internal and external recipients.

The aforementioned actions are estimated to have transpired over a roughly three-hour time frame starting at 12:38 a.m. (when the attacker logged into the Microsoft Azure environment via compromised credentials) and ending at 3:21 a.m. (when the attacker sent emails to other parties after the successful cloud disruption).

It's worth noting here that DEV-1084 refers to the same threat actor that assumed the "DarkBit" persona as part of a ransomware and extortion attack aimed at Technion, a leading research university in Israel, in February. The Israel National Cyber Directorate, last month, attributed the attack to MuddyWater.

"DEV-1084 [...] presented itself as a criminal actor interested in extortion, likely as an attempt to obfuscate Iran's link to and strategic motivation for the attack," Microsoft added.

The links between Mercury and DEV-1084 originate from infrastructure, IP address, and tooling overlaps, with the latter observed using a reverse tunneling utility called Ligolo, a staple MuddyWater artifact.

That said, there is not ample evidence to determine if DEV-1084 operates independently of MuddyWater and collaborates with other Iranian actors, or if it's a sub-team that's only summoned when there is a need to conduct a destructive attack.

Cisco Talos, early last year, described MuddyWater as a "conglomerate" comprising several smaller clusters rather than a single, cohesive group. The emergence of DEV-1084 suggests a nod in this direction.

"While these teams seem to operate independently, they are all motivated by the same factors that align with Iranian national security objectives, including espionage, intellectual theft, and destructive or disruptive operations based on the victims they target," Talos noted in March 2022.


Friday, 7 April 2023

Researchers Uncover Thriving Phishing Kit Market on Telegram Channels

In yet another sign that Telegram is increasingly becoming a thriving hub for cybercrime, researchers have found that threat actors are using the messaging platform to peddle phishing kits and help set up phishing campaigns.

"To promote their 'goods,' phishers create Telegram channels through which they educate their audience about phishing and entertain subscribers with polls like, 'What type of personal data do you prefer?'," Kaspersky web content analyst Olga Svistunova said in a report published this week.

The links to these Telegram channels are distributed via YouTube, GitHub, and the phishing kits that are developed by the crooks themselves. The Russian cybersecurity firm said it detected over 2.5 million malicious URLs generated using phishing kits in the past six months.

One of the prominent services offered is to provide threat actors with Telegram bots that automate the process of generating phishing pages and collecting user data.

Although it's the scammer's responsibility to distribute the fake login pages to targets of interest, the credentials captured in those pages are sent back by means of another Telegram bot.

Other bot services go a step further by advertising options to generate phishing pages that mimic a legitimate service, which are then used to lure potential victims under the pretext of giving away free likes on social media services.

"Scammer-operated Telegram channels sometimes post what appears to be exceptionally generous offers, for example, zipped up sets of ready-to-use phishing kits that target a large number of global and local brands," Svistunova said.

In some cases, phishers have also been observed sharing users' personal data with other subscribers for free in hopes of attracting aspiring criminals, only to sell paid kits to those who wish to pull off more such attacks. The scammers further offer to teach "how to phish for serious cash."

Using free propositions is also a way for scammers to trick cash-strapped and newbie criminals into using their phishing kits, resulting in double theft, where the stolen data is also sent to the creator without their knowledge.

Paid services, on the other hand, include advanced kits that boast an appealing design and features like anti-bot detection, URL encryption, and geoblocking that threat actors could use to commit more advanced social engineering schemes. Such pages cost anywhere from $10 to $280.

Another paid category entails the sale of personal data, with credentials of bank accounts advertised at different rates based on the balance. For example, an account with a balance of $49,000 was put up for $700.

What's more, phishing services are marketed via Telegram on a subscription basis (i.e., phishing-as-a-service or PhaaS), wherein the developers rent the kits for a monthly fee in return for providing regular updates.

Also promoted as a subscription is a one-time password (OTP) bot that calls users and convinces them to enter the two-factor authentication code on their phones to help bypass account protections.

Setting up these services is relatively straightforward. What's more difficult is earning the trust and loyalty of the customers. And some vendors go out of their way to assure that all the information is encrypted so that no third parties, including themselves, can read it.

The findings also follow an advisory from Cofense earlier this January, which revealed an 800% increase year-over-year in the use of Telegram bots as exfiltration destinations for phished information.

"Wannabe phishers used to need to find a way onto the dark web, study the forums there, and do other things to get started," Svistunova said. "The threshold to joining the phisher community lowered once malicious actors migrated to Telegram and now share insights and knowledge, often for free, right there in the popular messaging service."


Microsoft Thwarts Chinese Cyber Attack Targeting Western European Governments

Microsoft on Tuesday revealed that it repelled a cyber attack staged by a Chinese nation-state actor targeting two dozen organizations...