NSO code verdict, Change Healthcare fallout, law firm breach
NSO Group ordered to give Pegasus code to WhatsApp
The order comes from a U.S. judge as part of a suit launched by Meta in October 2019 against the spyware’s Israel-based vendor. Meta had launched the action as a result of NSO Group using WhatsApp to distribute the spyware. NSO leveraged a zero-day flaw in WhatsApp that allowed the spyware to be delivered just by placing a call, even if those calls went unanswered. Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International, stated, “while the court’s decision is a positive development, it is disappointing that NSO Group will be allowed to continue keeping the identity of its clients, who are responsible for this unlawful targeting, secret.”
Change Healthcare confirms BlackCat, Schumer asks for aid
Updating the story we have been following throughout February, medical insurance company UnitedHealth Group has confirmed that the cyberattack on its subsidiary Change Healthcare was the work of ALPHV/BlackCat. This has led Senate Majority Leader Charles Schumer to “urge federal health officials to provide financial aid to New York hospitals and health care providers nationwide who say they have been paralyzed by a massive ongoing cyberattack,” as they scramble to process electronic prescription claims. Schumer describes this as an imminent financial cliff for hospitals in New York and nationally.
(The Record and TimesUnion)
Law firm announced data breach affecting 325,000 people
Houser LLP has a dozen offices nationwide and serves clients in “every major financial center,” specializing in litigation management, commercial and real estate law, class action defenses and regulatory compliance. Its clients include Citibank, Deutsche Bank and HSBC. The breach, which had been discovered in May 2023, exposed personal data, possibly including credit card numbers, Social Security and driver’s license numbers, individual tax identification numbers, financial account information, and medical information. The firm has offered affected clients credit monitoring services.
Researchers identify new Predator infrastructure
Sticking with spyware, analysts at Recorded Future’s Insikt Group have identified new infrastructure which is likely used by the operators of the commercial Predator spyware. Developed by the Israeli-owned spyware consortium Intellexa, Predator has been around since at least 2019, and infects Android and iPhone devices. The upgraded infrastructure includes spoofed websites to attract victims and sophisticated anonymization techniques. Much of the activity focuses on Kazakhstan, a country with a history of using spyware from vendors such as NSO Group, FinFisher, and RCS Lab.
Huge thanks to this week’s episode sponsor, Conveyor
CISA issues warning about Phobos
The advisory was released last Thursday, specifically to warn public sector organizations against this ransomware-as-a-service provider. The advisory states that “since 2019, Phobos has targeted the IT systems of municipal and county governments, emergency services, education institutions, public health care systems and other critical infrastructure.” It is not an overly sophisticated service, but it takes advantage of two attack vectors: phishing and the Microsoft Remote Desktop Protocol.
German Air Force under fire for non-encrypted Ukraine discussions overheard by Russia
There is some embarrassment and outrage in Germany after Russian media published a conversation among senior German air force officials about the possibility of deploying Taurus long-range missiles in Ukraine and training pilots and operators there. Rather than a sophisticated hack on the part of Russian intelligence, German news outlets Der Spiegel and DPA separately reported that the recordings, which have been deemed authentic, were captured from “a non-encrypted WebEx connection,” for which meeting invitations had been sent to cellphones.
HP offers printer subscription that they get to monitor
This new service offers families and small businesses a printer for a small monthly fee, ranging from $6.99 to $35.99 depending on the printer chosen, along with ink deliveries and 24/7 tech support. But the terms of service also require that subscribers keep the printer connected to the internet. HP says this is so it can monitor ink cartridge status and the number of pages printed. However, it also allows HP to “remotely monitor the type of documents printed, and the devices and software used to print.” The policy also says that HP may “transfer information about you to advertising partners so that they can recognize your devices, perform targeted advertising,” and, potentially, “combine information about you with information from other companies.”
(Wired)
Last week in ransomware
Last week’s top ransomware stories included the ongoing Change Healthcare repercussions, along with Rhysida’s attack on Lurie Children’s Hospital in Chicago and its offer of the stolen data for sale. LockBit continues to show signs of not being dead yet, although analyst Brett Callow has tweeted that the group has resorted to posting old ransomware announcements in an attempt to appear busier than it is. In addition, ransomware gangs, including Black Basta and the Bl00dy ransomware gang, continue to pile on to exploitation of the ScreenConnect RCE vulnerability.