As 2023 draws to a close, I want to extend a heartfelt thank you for being an integral part of my journey this year. Your engagement and feedback have been invaluable in shaping the Mandos Brief newsletter.
As we bid farewell to this year and look towards 2024, I wish you a Happy New Year filled with peace, prosperity, and strengthened digital security. The challenges in cybersecurity continue, but together, we remain vigilant and informed.
In this final edition of the year, we explore the latest and most critical developments in the cybersecurity landscape. From sophisticated iPhone backdoors to extensive data breaches impacting millions, these stories remind us of the ongoing need for vigilance and proactive measures in our digital lives.
See you in 2024, ready to face new challenges and embrace the opportunities that lie ahead in the world of cybersecurity.
Operation Triangulation Exposed: The highly sophisticated spyware attack on iOS devices, known as Operation Triangulation, leveraged four zero-day flaws to bypass Apple's hardware-based security protections. Identified by Kaspersky, this campaign, active since 2019, was notable for its ability to gain deep access and backdoor iOS devices up to version 16.2.
Zero-Click Attack Mechanism: The attack initiated through a zero-click iMessage with a malicious attachment, exploiting vulnerabilities like CVE-2023-41990, CVE-2023-32434, CVE-2023-32435, and CVE-2023-38606. These vulnerabilities enabled arbitrary code execution and kernel privilege escalation, with CVE-2023-38606 notably allowing bypass of kernel memory hardware protection.
Unique Hardware Feature Targeted: The most striking aspect of the attack was its exploitation of undocumented memory-mapped I/O (MMIO) registers in Apple A12-A16 Bionic SoCs. The feature was most likely intended for debugging or factory testing, and it did not appear in any public documentation before this campaign was analyzed.
Sophisticated Spyware Tools: The attack deployed the TriangleDB implant, featuring modules for recording via the microphone, extracting iCloud Keychain, stealing app data, and location tracking. The implant included validators to ensure targets were not research devices, and employed techniques like browser fingerprinting to avoid detection.
Collaborative Effort Against Digital Skimming: Europol, alongside law enforcement from 17 countries and the European Union Agency for Cybersecurity (ENISA), coordinated a two-month operation to combat digital skimming attacks. This collaborative effort involved private sector partners like Group-IB and Sansec, highlighting the increasing necessity of public-private partnerships in tackling sophisticated cyber threats.
Extent of the Skimming Operation: The operation led by Greece under the EMPACT priority successfully notified 443 online merchants about the compromise of their customers' payment data. Digital skimming, a method of stealing credit card information during online transactions, often remains undetected for extended periods, allowing criminals to sell the data on darknet marketplaces.
Concealed Nature of Skimming Attacks: Digital skimming attacks are notoriously difficult to detect, with customers and online merchants usually unaware of the compromise until unauthorized transactions are carried out. Europol's involvement in this operation underscores the challenge of identifying and addressing these stealthy attacks in the ever-evolving digital landscape.
International Collaboration and Awareness: The operation, involving countries like Greece, Albania, Belgium, the United States, and others, demonstrates the global scale and collaborative nature required to tackle such cybercrimes effectively. Europol has also published a multilingual awareness guide on digital skimming, offering vital information to help businesses protect themselves against these insidious attacks.
EasyPark's Extensive Data Breach Discovery: EasyPark, a Swedish company known for its parking apps, announced a data breach that occurred on December 10, 2023, impacting an undisclosed number of its millions of users. The breach has raised significant concerns about the security of personal information. The company, which operates in over 20 countries and 4,000 cities, has significant user bases, with its Europe-focused EasyPark app having over 10 million downloads.
Previous Breach and Affected Data in the Current Incident: This breach follows a significant data exposure in 2021 involving ParkMobile, an affiliate of EasyPark, where data of 21 million customers was compromised. In the current breach, compromised information may include names, phone numbers, physical addresses, email addresses, and partial credit card or IBAN details, posing a potential phishing risk.
Risk Assessment and User Notification: EasyPark has assured that the exposed data does not currently pose a risk for unauthorized transactions, and no such activities have been reported post-breach. Affected users will receive personalized notifications via in-app messages, emails, and SMS. The company's security team is actively implementing additional measures to contain the incident's impact.
International Reporting and Security Recommendations: Data protection authorities in Sweden, the UK, and Switzerland have been informed of the breach. Users are advised to reset their account passwords as a precaution, especially on platforms where similar credentials are used. No ransomware groups have claimed responsibility for the breach, but threat actors have begun scouring hacking forums for the stolen data.
Data Breach and Customer Notification: Mint Mobile, a U.S. mobile virtual network operator, disclosed a data breach that exposed personal information of its customers, which could be used for SIM swap attacks. The breach was announced to customers via email notifications on December 22, 2023, warning them about the security incident and the types of information compromised. Mint Mobile, currently in the process of being acquired by T-Mobile for $1.3 billion, emphasized that the breach has been resolved.
Extent of Exposed Data: The data exposed in the breach includes customers' names, telephone numbers, email addresses, SIM serial numbers, IMEI numbers (device identifiers), and details of the service plan purchased. The company reassured customers that credit card numbers were not stored and thus not exposed, and passwords are protected with strong cryptographic technology.
Potential Risks from the Breach: The compromised data poses a significant risk because it gives threat actors enough information to conduct SIM swapping attacks. In such an attack, the attacker convinces the carrier to transfer a victim's phone number to a SIM card the attacker controls, which lets them receive the victim's calls and SMS messages, bypass SMS-based multi-factor authentication, take over online accounts, and potentially breach cryptocurrency exchange accounts.
Customer Guidance and Previous Incidents: Mint Mobile has advised that customers do not need to take any specific action and has set up a dedicated customer support number for queries related to the breach. This incident follows a previous breach in 2021 where an unauthorized person accessed subscriber information. In 2023, Mint's parent company, T-Mobile, also experienced significant data breaches, highlighting ongoing security challenges in the telecom sector.
Widespread Abuse by Cybercriminals: Microsoft has disabled the MSIX ms-appinstaller protocol handler in response to its exploitation by several threat actors, including financially motivated hacking groups. The attackers utilized signed malicious MSIX packages, distributed through platforms like Microsoft Teams and deceptive online advertisements, to deliver malware.
Specific Attack Strategies and Groups Identified: At least four distinct hacking groups have leveraged the MSIX App Installer service since mid-November 2023. Their methods include SEO poisoning, masquerading bogus MSIX installers as legitimate software like Zoom, and deploying various forms of ransomware and remote access trojans through these means.
History of Vulnerability and Repeated Disabling: The MSIX ms-appinstaller protocol was previously disabled in February 2022 due to similar abuse by threat actors who exploited a Windows AppX Installer spoofing vulnerability (CVE-2021-43890). This vulnerability enabled the distribution of malware like Emotet, TrickBot, and Bazaloader by bypassing security measures like Defender SmartScreen.
Impact and Future Mitigation Steps: Disabling the protocol impacts the ease of installing applications via MSIX packages, as users now must download the full package instead of installing directly from a web server. Microsoft is exploring options for securely re-enabling the protocol and may introduce a Group Policy to allow IT administrators to control its usage within their organizations.
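As an added illustration of the administrative control described above (example code written for this edition, not Microsoft's or the newsletter's own), the following PowerShell audits a Windows host for the installed App Installer package and the ms-appinstaller protocol policy, and can enforce the disabled state. The policy registry path and value name are assumptions drawn from the Desktop App Installer Group Policy "Enable App Installer ms-appinstaller protocol" rather than from this page; verify them against current Microsoft documentation before deploying.

```powershell
# Added example, not from the newsletter or from Microsoft: audit and, on request,
# enforce the App Installer ms-appinstaller protocol policy on a Windows host.
# ASSUMPTION: the policy location and value name below follow the Desktop App
# Installer Group Policy; confirm them against current vendor documentation.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyName = 'EnableMSAppInstallerProtocol'

function Get-MsAppInstallerProtocolState {
    # Report the installed App Installer package version and the policy value,
    # so an administrator can compare the version against vendor guidance and
    # see whether the protocol has been explicitly blocked by policy.
    $pkg = Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue |
           Sort-Object Version -Descending | Select-Object -First 1

    $policy = $null
    if (Test-Path $PolicyPath) {
        $policy = (Get-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    }

    [pscustomobject]@{
        AppInstallerVersion     = if ($pkg) { $pkg.Version } else { 'not installed' }
        PolicyValue             = if ($null -eq $policy) { 'not configured' } else { $policy }
        ProtocolBlockedByPolicy = ($policy -eq 0)   # 0 = protocol disabled, 1 = enabled (assumed semantics)
    }
}

function Disable-MsAppInstallerProtocol {
    # Write the policy value that disables the ms-appinstaller protocol handler.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($PolicyPath, "Set $PolicyName = 0")) {
        if (-not (Test-Path $PolicyPath)) {
            New-Item -Path $PolicyPath -Force | Out-Null
        }
        New-ItemProperty -Path $PolicyPath -Name $PolicyName -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Audit first; the state object is what a fleet inventory job would collect.
Get-MsAppInstallerProtocolState

# Preview the hardening change; drop -WhatIf to apply it (requires an elevated session).
Disable-MsAppInstallerProtocol -WhatIf
```

Run the audit across a fleet before enforcing anything: hosts that still have the protocol enabled and an App Installer version older than the one your vendor guidance names are the ones where a web page could still trigger a direct MSIX install, and the policy write above gives you a single, reversible control for closing that path until the protocol is securely re-enabled.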