Risky Biz News: Israel delivers on its promise to restrict spyware exports

This newsletter is brought to you by Airlock Digital, Rumble Network Discovery, Proofpoint, and Thinkst Canary.

The Israeli Ministry of Defense has been true to a promise it made last year to crack down on the export of spyware and surveillance products. At least one spyware vendor has shut down since the start of the year, and many others are having problems obtaining permits to sell their products overseas.

"An entire industry is being starved," a senior executive at one Israeli cyberattack company told the Globes. "They leave us in the dark and they don't tell us where our request stands and if it has not been approved, they don't explain why. It seems as if the state has given up on the cyberattack industry, without actually saying so."

"The state is trying to tell us that we should forget about markets in South America, Africa, and some of the countries in Asia," another exec told the newspaper.

The Israeli government has restricted the list of countries to which Israeli companies are allowed to sell surveillance and offensive hacking tools from 102 to 37 states last November.

The crackdown took place after reports emerged about how some Middle East countries used Israeli-made surveillance tools to spy on Western governments, political opponents, journalists, and activists; discoveries that led several allied states to complain to the Israeli government, with the US also formally sanctioning two Israeli spyware vendors—NSO Group and Candiru—in October last year.

Breaches and hacks

Attacks on Iranian govt agencies: The Iranian government has foiled a massive cyberattack that targeted more than 100 government agencies, Iran's national state television network claimed on Sunday. IRIB did not elaborate on the report, nor did it attribute the attack beyond listing the location of foreign servers in countries such as the Netherlands, Britain, and the US.

My apes are gone... again: A threat actor hacked the Discord and Instagram channels of the Bored Ape Yacht Club to spread a malicious link that compromised the wallets of some NFT owners. The attackers stole 54 Bored Ape NFTs valued at more than $13.7 million worth of cryptocurrency at the time of the attack.

Coca-Cola investigating breach: Coca-Cola said it's investigating a potential data breach after the Stormous ransomware group claimed to have hacked the company and auctioned more than 161GB of files it claims it stole from the beverage giant.

Ray-Ban sues JP Morgan: French eyeware company Ray-Ban sued J.P. Morgan Chase Bank after an attacker stole over $378 million from their bank account, the Wall Street Journal reported. The incident took place in 2019 when a Ray-Ban employee from one of its Thai factories managed to fake authorization of 243 payments to shell companies scattered across Asia. Ray-Ban said they recovered $100 million of the stolen funds and blamed JP Morgan for failing to detect the sudden spike in "highly suspicious" transactions, many of which were authorized in less than a minute instead of hours.

General tech and privacy

Tor Browser to get MitM protection: The Tor Project plans to release a version of the Tor Browser that will ship with an HTTPS-Only mode enabled by default as protection against man-in-the-middle attacks. The new security upgrade is planned for the Tor Browser version 11.5, scheduled for release later this year. The Tor team announced the move in a blog post on Monday, in which they also acknowledged their own internal failings and blind spots in detecting threat actors running malicious exit relays meant to intercept Tor traffic [1, 2, 3, 4].

Google Play privacy labels: Google has mandated that all Android apps listed on the official Play Store must include a section that describes what data the apps are collecting from users, for what purpose, and if the data will be shared with third parties. Google's move is inspired by the "privacy nutrition labels" that Apple introduced for iOS apps in 2020. Android app developers have until July 20 to update their Play Store listings and add privacy labels, which they'll have to keep up to date to conform with any changes in their user data handling practices.

Government, politics, and policy

Bob Lord joins CISA: Bob Lord, the former Yahoo CISO and DNC CSO, has joined the US Cybersecurity and Infrastructure Security Agency as a senior advisor, the agency said on Monday.

Fears for new UN cybercrime treaty: Human rights activists have raised concerns about a new cybercrime global treaty that is currently under negotiations at the United Nations. The main draft of the new treaty has been put forward by Russia and has been backed by several oppressive regimes, such as China and Syria. Experts say the new treaty is overly broad in its definition of "cybercrime" and tries to categorize online free speech, copyright infringement, and the use of encrypted communications as a cyber-enabled crime. Deliberations on the new treaty are scheduled to begin at the UN at the end of May. Jim Lewis, director of the strategic technologies program at the Center for Strategic and International Studies, told Cyberscoop that many non-NATO-aligned countries could support the new treaty, seeing it as a tool to control their national internet space and ensure they remain in power.

Sandworm reward: The US State Department has put up a $10 million reward for any information on Sandworm, the Russian cyber-espionage group that was behind the NotPetya and OlympicDestroyer attacks. The US formally charged six Sandworm members in October 2020. Last month, the US State Department also offered a similar $10 million reward for another group of Russian hackers known as Dragonfly, who developed and deployed the Trisis/Triton malware.

Cybercrime and threat intel

NFT Scam-as-a-Service scam: A recently launched cybercrime service meant to provide threat actors with an easy way to automate NFT scams turned out to be a scam itself, security firm CUJO AI reported on Monday.

Scans for Roku devices: The SANS ISC team said it observed repeated internet scans over the past several weeks for Roku streaming devices. The team is currently unsure what the attackers are going after but advised Roku owners to update their devices to the latest firmware as soon as possible.

Infosec industry

UK i100 group: NCC Group CTO Ollie Whitehouse has penned a blog post on the importance of i100, a collaboration between private industry companies and the UK NCSC on cybersecurity matters.

Malware technical reports

Attacks on VMWare ONE servers: Morphisec has published a report on the recent attacks against VMware Workspace ONE Access servers utilizing the CVE-2022-22954 vulnerability and a suite of Powershell scripts.

More on Industroyer2: Mandiant and Netresec have published additional reports on their investigations into the Industroyer2 ICS malware, recently deployed in attacks against Ukraine's power grid.

Emotet back and running: The Emotet gang has fixed a bug in its infection process that was crashing new installs and is now back in business with a new spam campaign spreading LNK shortcut files [1, 2, 3, 4]. They're also testing a new delivery method that uses XLL files, according to Proofpoint.

APTs and cyber-espionage

Trojanized KeePass apps: ESET said on Tuesday that it discovered a collection of trojanized KeePass password management apps. The security firm said once installed, the apps would install a backdoor typically associated with the Lazarus Group, a cyber-espionage group associated with the North Korean government.

Vulnerabilities and bug bounty

Dirty Pipe exploitation: CISA says attackers are exploiting the Linux vulnerability known as Dirty Pipe. On Monday, the agency added the vulnerability to its list of actively exploited bugs and urged US federal agencies to patch systems by May 16. The agency also added six other vulnerabilities to the same list, including bugs in Jenkins, Microsoft, and WSO2 products.

WSO2 exploitation: A technical write-up is also available for CVE-2022-29464, the WSO2 remote code execution vulnerability that is also under exploitation and included in aforementioned CISA's must-patch recommendations.

VirusTotal denies bug report: VirusTotal founder Bernardo Quintero has dismissed a vulnerability report published on Monday by security firm CySource. The company claimed to have found a remote code execution vulnerability in the VirusTotal malware scanning platform. But Quintero told Risky Biz News that the researchers never gained access to VirusTotal servers. Instead, he said, the researchers only gained access to systems owned by security firms that were downloading and processing VirusTotal data. Quintero called the report "fake news" and posted screenshots of internal conversations about the report to Twitter, along with an official reply from Google's Vulnerability Research Program (VT is owned by Google).

Ever Surf wallet vulnerability: Check Point researchers have discovered a vulnerability in the web version of Ever Surf, a cryptocurrency wallet that runs on the Everscale blockchain. The research team said they were able to decrypt PINs, recover decryption keys, and take over web wallets. Ever Surf, which is used by hundreds of thousands of people, confirmed the findings and released patches.

Nimbuspwn: Microsoft discovered several vulnerabilities that can be used to gain root privileges on Linux endpoints. The vulnerabilities, collectively referred to as Nimbuspwn and tracked as CVE-2022-29799 and CVE-2022-29800, reside in a systemd component named networkd-dispatcher, which tracks and dispatches network status changes.

npm package planting: GitHub has fixed a security issue in the npm platform that could have allowed threat actors to create malicious packages and add legitimate and reputable developers as their maintainers in order to boost the reputation of their poisoned package. Discovered by AquaSec, the bug has been named "package planting" and would have been an efficient way to distribute malware on npm, especially since the legitimate developers never got any alerts that they were added as maintainers of the malicious packages.

Hourly wages: Bug bounty platform Intigriti announced a new program to provide companies the ability to hire selected bug hunters on hourly wages and have their networks tested similar to classic penetration tests.