US State Department iPhones Compromise by NSO Pegasus Spyware; FBI Issues Broad Ransomware Warning; Microsoft Shuts Down Malicious Domains Exploiting Unpatched Microsoft Vulnerabilities

There are so many takeaways from this story. First, while NSO claims it will take legal action against those who misused its tools, their customers will likely have more success in claiming sovereign immunity than NSO itself. Second, it's unfortunate that Apple doesn't provide users with more information they can use to detect an attack themselves. Companies like NSO will continue to capitalize on this lack of transparency to victimize users. Finally, it's hard to imagine these actions (and others like them) aren't related to the sanctions placed on NSO.

Jake Williams

The story of NSO should also be seen as a warning to other companies offering offensive tools commercially. Well-funded attackers often use the same tools red teams use legitimately in authorized penetration tests. So far, I don't think anybody has found a way to effectively restrict how these tools are being used. NSO group stuck out for its unique abilities to attack mobile devices, and in some ways, its downfall was that the tool was “too good.”

Johannes Ullrich

Apple is taking the initiative to notify users who have devices infected with the NSO spyware. The vulnerability used to install their software was closed in the September release of iOS 14.8. Make sure that your devices are on current versions, particularly if deployed in foreign countries. Make sure that your mobile device management system can actively detect spyware installed on your devices rather than having a third-party give you the bad news. Note that while NSO claims to only license their software to government agencies with strict terms including Israeli government granted export licenses, and use against USG employees is strictly prohibited, that is an administrative rather than a technical control; you need to implement the technical controls to insure the attack vectors remain closed.

Lee Neely

The US federal government has long neglected an opportunity to use its buying power to drive Google and Apple to support a trusted “Government App Store” as part of all federal wireless contracts. Google and Amazon provided federal cloud capabilities because the federal government did use their buying power as FedRAMP and US government “Cloud-first” initiatives were backed with procurement requirements.

John Pescatore

Working for a company that sells an adversary emulation platform, we have to maintain a balance between operational security and feature sets. Products that do not “call home” are welcomed by our customers but if the product lands in the wrong hands, we would have no visibility into its use. This is what has occurred with Pegasus and other products. Learning from these mistakes is costly but required.

Jorge Orchilles

While I will always applaud the release of IOCs to aid with detection, the way this report was released leaves a bit to be desired. Critical infrastructure consists of 16 different sectors covering broad swaths of industry, including information technology. In the future it would be ideal if the broad cover of "critical infrastructure" isn't used without further clarification.

Jake Williams

Add the IOCs from the Flash to your SIEM and keep an eye out for new ones; the FBI is asking for new discoveries to be shared with them. Make sure you’re segmenting critical systems, only allowing communication between trusted components. Use strong/unique passwords or better still, require MFA for any services which can interact with these systems, which themselves may not be able to support MFA. Actively monitor activity to detect anomalous behavior.

Lee Neely

Does your organization have a process to consume this cyber threat intelligence and ensure the team can detect and respond to these adversary behaviors? If not, performing adversary emulations as purple team exercises is one of the most efficient methods to test, measure, and improve your people, process, and technology so these known attacks do not impact your organization.

Jorge Orchilles

This operation is significant in scope and impact. In particular the takeover of command and control domains from the threat actor will allow Microsoft to continue to identify victims. The report also demonstrates how even apex-grade threat actors use commodity tools, such as mimikatz and NTDSDump. They can do that only because these tools continue to work in victim environments.

Jake Williams

It is hard to complain about Microsoft shutting down malicious websites, but the bulk of the attacks launched by Nickel and others were exploiting the continuing stream of critical vulnerabilities in Microsoft’s software. It is kind of like if Tesla formed a Digital Crimes Unit to shut down thieves that were stealing Telsa cars because the Tesla door locks didn’t work.

John Pescatore

It is excellent that Microsoft is taking steps against those working to exploit the vulnerabilities in their systems. One hopes they are spending as much or more energy on fixing those weaknesses. For the rest of us, keep an eye on updates to both our endpoint operating systems and protection products. Make sure they are reporting in regularly and that your responders have what they need - resources and training - to respond to detected maleficence.

Lee Neely

What makes this announcement new is the US military is now stating it will not only respond to and target nation state actors but also cyber criminal actors. A big part of this is because the impact of both nation state and cyber criminals are starting to blend. Both can have a direct impact to the country’s ability to operate at a political, economic or military level as both can and do have an impact on critical infrastructure. I believe this is a step in the right direction. Until cyber criminals face consequences for their actions, they have no motivation to stop attacking; cyber crime is simply far too profitable and effective. Law enforcement is one approach, but difficult when the cyber criminal actors are protected by their host country. Other methods like these may be required.

Lance Spitzner

The US has a long history of separating military and law enforcement actions. Ransomware seems to be a rare case where national security interests justify a military response. However, we must be careful as a nation not to normalize military operations in criminal actions, either for investigation or response. It's not hard to see the slippery slope here - especially because CYBERCOM has had real successes where law enforcement authorities were simply not sufficiently matched to the ransomware threat.

Jake Williams

Response to cyber criminals, such as ransomware actors, will need multiple agencies across multiple countries. Bringing available resources and expertise together will help with takedowns of these groups; the NSA and Cyber Command have already started cooperating with other agencies to increase the effectiveness of these activities.

Lee Neely

The story below on GAO asking government to act along with this story confirming the military is acting is what we will continue to see in the short term. Organizations have proven they cannot defend themselves against ransomware. We will follow and report the evolution of the fight against ransomware and hope it leads to its demise.

Jorge Orchilles

Now is the time to get acquainted, or reacquainted, with your local CISA contacts. They will be driving at the direction of DHS, any actions (technical or reporting) needed. Expect pressure to follow and report the use of NIST frameworks and standards as well as reporting security metrics via the Continuous Diagnostics and Mitigation (CDM) program. If you’re following other security frameworks, the NIST CSF documentation includes tools for mapping other security frameworks to NIST controls such as SP 800-53, which you can leverage.

Lee Neely

From the perspective of my small town's water district, this message may be well-received, but without additional resources, little will change. Personal agenda: I'd love to see National Guard units gain authority to assist such organizations during regular training assemblies under supervision of CISA. They have the skills, the community ties, and 39 days per year to train.

Christopher Elgee

While the “Government” in this particular piece refers to the US government, I think it is safe to say the same commentary can be aimed at nearly every other government across the globe. For too long, governments have under-invested and under-resourced cyber security, relying on the private sector to fill the gap. Unfortunately, that gap still remains unfilled.

Brian Honan

The HHS 405 (d) Program, established in response to the Cybersecurity Act of 2015, is looking for participation to make this site relevant and useful. The intent is to provide vetted practices, which means they are looking for input from those in the field with relevant experience about what does and does not work.

Lee Neely

Cybersecurity professionals working in security should provide feedback to HHS on how to make this site useful to their efforts. My first impression is it is heavy on pointing to products and light on people/processes/skills. What I’d really like to see is more case studies: “Here’s how a healthcare company like you overcame the unique obstacles to securing systems faced in healthcare.”

John Pescatore

This appears to be a supply chain type of attack. According to the BBC (https://www.bbc.com/news/uk-england-lancashire-59554433) the external IT provider who manages the IT and till/register systems for the affected Spar shops is the victim of the ransomware attack. This attack again highlights the importance of managing third-party risk and assessing how a ransomware attack against one of your suppliers, in particular those deeply embedded in your IT infrastructure, would impact your business and to then put in appropriate controls to manage that risk.

Brian Honan

In retail, the holiday season often comes with a change freeze for IT, and with that the inability to apply patches. At the same time, ransomware actors in particular realize that retail stores are dependent on holiday sales. While Spar is more a generic grocery store chain, they will likely still see increased traffic in their stores during holidays.

Johannes Ullrich

I worked my way through college in retail where we had no electronic POS system, to include the old knuckle-buster credit card machines and know what it’s like to chase down errors in making change. After 20 months of electronic payments versus handling cash, you may need to provide a refresher to those handling cash to avoid errors, particularly if the POS system is offline. Make sure your backup/manual procedures are still accurate.

Lee Neely

Double check that your backups are disconnected, differential and resistant to ransomware attacks. Don’t forget to look at your records retention practices. As many records have been digitized, moved on-line and the paper shredded, those too need to have secure backups for the retention period.

Lee Neely