Private-eye or Peeping-Tom? Spyware incidents. No-confidence vote in transit system. Ransomware incidents. – The CyberWire



At a glance.

  • The temptation to play detective...
  • NSO Pegasus tool in Poland: update.
  • Cytrox Predator used in Egypt.
  • No confidence vote after transit system data breach.
  • NightSky ransomware described.
  • School websites affected by ransomware attack.

UK man arrested for playing “detective.” 

A computer programmer from Lancashire County, England has been arrested for using stolen login credentials to access victims’ intimate pictures. Michael Grime confessed he had accessed approximately fifty social media accounts to obtain private photos and videos. The Lancashire Telegraph reports that Grime was a user of the service, which boasted access to 12 billion records stolen in over 10,000 data breaches. The site’s domain was seized by law enforcement after a raid in 2020, resulting in a raid of Grime’s home and computer this past fall.

LancsLive explains that a total of twelve victims were identified, and though some of the images were taken from public social media platforms like Snapchat, many of the images had never been posted publicly. Grime’s lawyer said Grime described his activities as “detective work,” but knew that it was illegal and could not stop himself. Grime pled guilty to twelve counts of “causing a computer to perform a function to secure/enable unauthorized access to a program or data,” and was sentenced to a community order including eighty hours of unpaid work over two years, a month of rehabilitation, and a payment of £500 to each of the victims. Philip Macey from the National Crime Agency (NCA) Cyber Crime Unit said the sentencing “emphasises once again that those using online criminal marketplaces can be identified and brought to account.”

Further developments in NSO Group’s Pegasus scandal. 

Israeli surveillance software maker NSO Group has failed in an attempt to reverse a US court ruling allowing WhatsApp to pursue claims that its users were targeted with NSO’s Pegasus surveillance software. Bloomberg Law explains that NSO argued the company should have foreign service immunity due to its work for foreign governments, but the Court of Appeals for the Ninth Circuit declined to rehear the case. WhatsApp's lawsuit claims NSO violated the Computer Fraud and Abuse Act by targeting the accounts of over a thousand WhatsApp users. Apple filed a similar lawsuit against NSO in November.

Meanwhile, Amnesty International confirmed Thursday that Pegasus spyware was used to target Polish senator Krzysztof Brejza in 2019 when he was running the opposition’s parliamentary election campaign against the right-wing ruling party Law and Justice. The Independent notes that while this is just the latest discovery in a series of Pegasus hacks, this particular case stands out because it does not implicate a repressive regime, as in past instances, but a member of the EU. Though Amnesty International has not named the perpetrator, the victims blame Law and Justice, and an election smear campaign using text messages stolen from Brejza’s phone makes it seem a reasonable conclusion.

The party first denied the allegations, with Prime Minister Mateusz Morawiecki calling it “fake news,” and Deputy Defense Minister Wojciech Skurkiewicz stating, “The Pegasus system is not in the possession of the Polish services. It is not used to track or surveil anyone in our country.” However, AP News reports that Law and Justice leader Jaroslaw Kaczynski has admitted that the Polish government did, in fact, purchase Pegasus software, claiming that the rise in the use of encryption has given Poland and many other countries no other means to monitor the communications of suspected criminals. “It would be bad if the Polish services did not have this type of tool,” Kaczynski stated. Amnesty International’s Poland director, Anna Błaszczak, responded, “[These findings] raise serious concerns not only for politicians, but for the whole Poland’s civil society in general, particularly given the context of the government’s record of persistently subverting human rights and the rule of law.”

Cytrox spyware used to target two Egyptians. 

Elsewhere in the world of spyware, NSO Group’s less well-known competitor Cytrox, the North Macedonian developer of Predator surveillance software, has been implicated in the hacking of the phones of exiled Egyptian politician Ayman Nour and an unnamed Egyptian journalist. Balkan Insight describes how thirty-year-old Ivo Malinkovski became the CEO of Cytrox, then attempted to cover up his connection to the company once the hacking revelations surfaced. Cytrox is a member of the Intellexa alliance, which Citizen Lab describes as a “marketing label for a range of mercenary surveillance vendors that emerged in 2019.” Cypriot-based Tal Dilian, a former Israeli Defence Forces commander, heads up Intellexa and acquired Cytrox for under $5 million. Dilian told Forbes in 2019, “We are not the policemen of the world, and we are not the judges of the world…We work with the good guys. And sometimes the good guys don’t behave.”

Rhode Island state workers call for resignations after data breach.

After an August cyberattack on Rhode Island Public Transit Authority (RIPTA) resulted in a data breach that exposed the data of thousands of workers, RIPTA employees have voted no confidence in management. WJAR reports that workers’ union Local 618 has asked for the resignation of RIPTA chief officers and senior staff, stating that RIPTA heads are "responsible for the cover up of the security breach." Local 618 is also considering legal action "along with others whose information was compromised in the security breach." 

New ransomware lights up the NightSky. 

MalwareHunterTeam has discovered a new ransomware operation they’re calling NightSky, Bleeping Computer reports. First detected in late December, the malware targets corporate systems for double-extortion attacks, and the stolen data of two victims, one from Bangladesh and another from Japan, have already been published on NightSky’s Tor-hosted extortion site. One target has received a ransom demand of $800,000 in exchange for a decryptor and the promise that no further data will be published.

School website provider affected by ransomware.

BleepingComputer reports that Finalsite, a major provider of web services to schools, has acknowledged sustaining a ransomware attack that's interfered with its ability to deliver services to its customers. The company had earlier characterized the incident as "disruption of certain computer systems on [Finalsite's] network." Finalsite is based in the UK, but it provides services to schools worldwide, claiming to serve eight-thousand systems, from elementary schools to universities, in one-hundred-fifteen countries.

Danny Lopez, CEO of Glasswall, offered some perspective on the risks educational services face:

"Reports of the education sector being the victim of cyber attacks have become increasingly common over the last two years. News like this regarding FinalSite is concerning considering the extensive damage that can be caused in terms of lost data – for both students and staff – and access to vital educational services. 

"Educational institutions should adopt a ‘defence-in-depth’ approach to cybersecurity, as advised by the NCSC. This means using multiple layers of defence with several mitigations, which creates more opportunities to detect malware and prevent it from doing widespread harm to the institution.

"But even when all procedures and policies are well-executed, there's no escaping the fact that adversaries are constantly looking to probe vulnerabilities. Often this is as simple as inserting malware using documents and files shared in their hundreds every day in an educational environment. It's vital these organisations invest in cyber protection services that stay ahead of attackers by eliminating the threats while still allowing all users to do their vital work.

"Attacks like these demonstrate that a traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers, it is crucial to strengthen all processes relating to access verification. Without a zero-trust approach, organisations run the risk of attackers having a free rein across a network once they are inside."
