Spyware trial implicating former Mexican president kicks off
On Monday, the far-reaching Pegasus spyware scandal in Mexico went to court. Prosecutors are expected to focus on how the spyware was used to surveil potentially thousands of victims across multiple Mexican presidential administrations. A key prosecution witness told the court Monday that former Mexican President Peña Nieto and his staff ordered the targeting of journalist Carmen Aristegui after she reported on alleged corruption within Peña Nieto’s administration. Aristegui will be the first witness in what is anticipated to be a months-long trial. A staffer at a subsidiary of KBH business group, the Mexican Pegasus supplier, has already been arrested in connection with the monitoring and could face 16 years in prison.
Federal agency breached through ColdFusion vulnerability
On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that an unnamed federal agency was compromised by hackers in June and July through a vulnerability (CVE-2023-26360) in Adobe ColdFusion, Adobe’s rapid web-application development platform. The agency was running outdated ColdFusion software even though CISA had added the bug to its Known Exploited Vulnerabilities catalog and ordered all federal agencies to patch it by April 5. CISA’s log analysis shows the hackers inserted malware mainly for reconnaissance purposes. They also attempted to exfiltrate data, but were unsuccessful because the activity was detected and “quarantined.”
Malicious loan app downloaded 12 million times from Google Play
Eighteen malicious personal loan apps, tracked collectively as SpyLoan, have been downloaded more than 12 million times this year from Google Play. SpyLoan steals account and device information, call logs, the list of installed apps, calendar events, local Wi-Fi network details, contacts, location data, and text messages. ESET researchers said the apps request excessive device permissions in order to spy on users and then harass and blackmail them and their contacts. Google has removed 17 of the malicious apps, while one remains available with a different set of permissions and functionality.
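The SpyLoan pattern is detectable from the manifest alone: a loan app has no business reading SMS, call logs, contacts or the calendar. The script below is an added example (not ESET’s tooling or any real app’s manifest) that parses a constructed AndroidManifest.xml, maps declared permissions to the data categories listed above, and diffs two manifests so a reviewer can see what changed when a re-listed app ships with a “different set of permissions.” The permission-to-category mapping and the “expected for a loan app” allow-list are the author’s assumptions.

```python
"""Triage an Android manifest for SpyLoan-style permission overreach.
Added example; the sample manifests are constructed, not from a real app."""
from __future__ import annotations
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that grant the data categories ESET reported SpyLoan exfiltrating.
# Mapping is illustrative (assumption), not an exhaustive list.
SENSITIVE = {
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECEIVE_SMS": "text messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar events",
    "android.permission.ACCESS_FINE_LOCATION": "location data",
    "android.permission.ACCESS_COARSE_LOCATION": "location data",
    "android.permission.ACCESS_WIFI_STATE": "local Wi-Fi network details",
    "android.permission.QUERY_ALL_PACKAGES": "installed apps",
    "android.permission.READ_PHONE_STATE": "device info",
    "android.permission.GET_ACCOUNTS": "account info",
}

# What a lending app plausibly needs (assumption): network access plus a
# camera for ID-document capture. Anything else is at least worth a look.
EXPECTED_FOR_LOAN_APP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CAMERA",
}

def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]

def triage(manifest_xml: str) -> dict:
    """Flag sensitive permissions and grade the manifest.
    'spyware-like' when three or more distinct data categories are reachable."""
    perms = declared_permissions(manifest_xml)
    flagged = {p: SENSITIVE[p] for p in perms if p in SENSITIVE}
    categories = sorted(set(flagged.values()))
    unexpected = sorted(set(perms) - EXPECTED_FOR_LOAN_APP - set(SENSITIVE))
    if len(categories) >= 3:
        verdict = "spyware-like"
    elif flagged:
        verdict = "review"
    else:
        verdict = "ok"
    return {"flagged": flagged, "categories": categories,
            "unexpected": unexpected, "verdict": verdict}

def permission_diff(before_xml: str, after_xml: str) -> tuple[list[str], list[str]]:
    """(removed, added) permissions between two builds of the same app."""
    before, after = set(declared_permissions(before_xml)), set(declared_permissions(after_xml))
    return sorted(before - after), sorted(after - before)

# Constructed sample: a "loan" app that declares far more than lending needs.
SAMPLE_BEFORE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.quickloan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

# Constructed sample: the same package re-listed with the spying permissions stripped.
SAMPLE_AFTER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.quickloan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

if __name__ == "__main__":
    report = triage(SAMPLE_BEFORE)
    print(report["verdict"], report["categories"])
    removed, added = permission_diff(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("removed:", removed, "added:", added)
```

The manifest is the floor, not the ceiling: on modern Android the dangerous permissions still have to be granted at runtime, and Google Play policy already restricts READ_SMS and READ_CALL_LOG to a narrow set of app types, so an app that declares them while presenting itself as a lender is a policy violation before it is a malware question. For an installed fleet, the same check can be run against `dumpsys package` output rather than the APK.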
Apple ‘Lockdown Mode’ bypassed by researchers
Researchers have demonstrated a way to subvert “Lockdown Mode” on Apple iOS. Lockdown Mode, introduced with iOS 16 last year, is designed to protect high-risk users by restricting a small set of attack-prone features, with some of those protections enforced in the device’s kernel. On Tuesday, Jamf Threat Labs showed how malware already present on a device can fake the Lockdown Mode experience, presenting the user with a like-for-like interface while the compromise persists underneath. Jamf stressed that Lockdown Mode is an attack-surface reduction, not a detection control: it does not detect malware, prevent data exfiltration, or stop command-and-control communications, and the technique is post-exploitation tampering rather than a bypass of Lockdown Mode’s own protections. The researchers say the technique is harder to pull off as of iOS 17, where Apple moved more of Lockdown Mode into the kernel.
Huge thanks to our sponsor, Barricade Cyber Solutions

NFT collections at risk from open-source library flaw
On Tuesday, Thirdweb warned of a vulnerability in an open-source library that is used widely across its Web3 development platform. The flaw affects the security of pre-built smart contracts used by multiple NFT collections, including one from Coinbase. Thirdweb became aware of the flaw on November 20 and pushed remediation two days later without revealing the name of the library or vulnerability details, to avoid tipping off attackers. Thirdweb says it notified the maintainers of the vulnerable library and other affected protocols and organizations. Thirdweb advised users to lock vulnerable contracts, take a snapshot of their state, and migrate them to new contracts created with a non-vulnerable version of the library. Thirdweb has not detected the vulnerability being leveraged in attacks, and Coinbase confirmed its platform and funds have not been affected.
Windows 10 gets three more years of security updates
The Windows 10 end-of-support date is set for October 14, 2025, and by then most people will need to upgrade their PCs to Windows 11 or move to a Windows 365 cloud-based PC to keep receiving security fixes. Microsoft announced it will offer three additional years of paid Extended Security Updates (ESU) for those who want or need to stay on Windows 10. Microsoft said the ESU program for Windows 10 is broadly similar to the one it offered for Windows 7 a few years ago. For Windows 7, the cost of extended support increased each year to push users to migrate off it. Microsoft has not yet revealed pricing for Windows 10 extended support.
Canadian government agencies have access to phone-hacking tools
Documents obtained by the CBC reveal that 13 Canadian government agencies have access to tools capable of extracting personal data from phones or computers. While it is not surprising that law enforcement and national security agencies made the list, some others are sure to raise questions. For example, Fisheries and Oceans Canada, Environment and Climate Change Canada, the Canadian Radio-television and Telecommunications Commission, and Shared Services Canada are among the users. Additionally, those departments’ use of the tools did not undergo a privacy impact assessment as required by federal government directive. Some agencies offered vague regulatory justification for their use of the phone-cracking technology, while others indicated it was used only for internal investigations. One agency said it is planning to perform the requisite privacy impact assessment, while others said they are not required to because their use of the technology was backed by a court order or warrant.
(Techdirt)
US federal agencies miss incident response deadlines
A new report, published Monday by the US Government Accountability Office (GAO), found that just three US federal agencies have reached the advanced level, or tier three, for cyber event logging. Under the OMB guidance implementing the 2021 Executive Order 14028, all 23 agencies reviewed were required to reach event logging tier three by August 2023. However, 20 agencies failed to meet the requirement, and 17 have not progressed beyond tier zero. The GAO report said that until the agencies make more progress, “the federal government’s ability to fully detect, investigate, and remediate cyber threats will be constrained.” The report identified key challenges hindering the agencies, including lack of staff, technical challenges, and limited cyber threat intelligence sharing.