Zero-click attacks explained, and why they are so dangerous

Zero-click attacks, especially when combined with zero-day vulnerabilities, are difficult to detect and becoming more common.

Zero-click attack definition

Zero-click attacks, unlike most cyberattacks, don’t require any interaction from the users they target, such as clicking on a link, enabling macros, or launching an executable. They are sophisticated, often used in cyberespionage campaigns, and tend to leave very few traces behind—which makes them dangerous.

Once a device is compromised, an attacker can choose to install surveillance software, or they can choose to enact a much more destructive strategy by encrypting the files and holding them for ransom. Generally, a victim can’t tell when and how they’ve been infected through a zero-click attack, which means users can do little to protect themselves.

How zero-click attacks work

Zero-click attacks have become increasingly common in recent years, fueled by the rapidly growing surveillance industry. One of the best-known spyware products is NSO Group’s Pegasus, which has been used to monitor journalists, activists, world leaders, and company executives. While it is not clear how each victim was targeted, at least some of them are believed to have received a WhatsApp call they did not even have to answer.

Messaging apps are often targeted in zero-click attacks because they receive large amounts of data from unknown sources without requiring any action from the device owner. Most often, the attackers exploit a flaw in how data is validated or processed.

Other less-known zero-click attack types have stayed under the radar, says Aamir Lakhani, cybersecurity researcher at Fortinet’s FortiGuard Labs. He gives two examples: parser application exploits (“while a user views a picture in a PDF or a mail application, the attacker is silently exploiting a system without user clicks or interaction needed”) and “WiFi proximity attacks that seek to find exploits on a WiFi stack and upload exploit code into [the] user’s space [in the] kernel to remotely take over systems.”

Zero-click attacks often rely on zero-days, vulnerabilities that are unknown to the software maker. Not knowing they exist, the maker can’t issue patches to fix them, which can put users at risk. “Even very alert and aware users cannot avoid those double-whammy zero-day and zero-click attacks,” Lakhani says.

These attacks are often used against high-value targets because they are expensive. “Zerodium, which purchases vulnerabilities on the open market, pays up to $2.5M for zero-click vulnerabilities against Android,” says Ryan Olson, vice president of threat intelligence, Unit 42 at Palo Alto Networks.

Examples of zero-click attacks

The target of a zero-click attack can be anything from a smartphone to a desktop computer or even an IoT device. One of the first defining moments in their history came in 2010, when security researcher Chris Paget demonstrated at DEF CON 18 how to intercept phone calls and text messages using a Global System for Mobile Communications (GSM) weakness, explaining that the GSM protocol is broken by design. During his demo, he showed how easily his international mobile subscriber identity (IMSI) catcher could intercept the mobile phone traffic of the audience.

Another early zero-click threat was discovered in 2015 when the Android malware family Shedun took advantage of the Android Accessibility Service’s legitimate functions to install adware without the user doing anything. “By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user,” according to Lookout.

A year later, in 2016, things got even more complicated. A zero-click exploit was built into Karma, a surveillance tool used by the United Arab Emirates, that took advantage of a zero-day in iMessage. Karma only needed a user’s phone number or email address. A text message was then sent to the victim, who did not have to click on a link to be infected.

Once that text arrived on an iPhone, the attackers were able to see photos, emails, and location data, among other items. The hacking unit that used this tool, dubbed Project Raven, included U.S. intelligence hackers who helped the United Arab Emirates monitor governments and human rights activists.

By the end of that decade, zero-click attacks were being noticed more often, as surveillance companies and nation-state actors started to develop tools that didn’t require any action from the user. “Attacks that we were previously seeing through links in SMS, moved to zero-click attacks by network injections,” says Etienne Maynier, technologist at Amnesty International.

Amnesty and the Citizen Lab worked on several cases involving NSO Group’s Pegasus spyware, which was linked to several murders, including that of the Washington Post journalist Jamal Khashoggi. Once installed on a phone, Pegasus can read text messages, track calls, monitor a victim’s location, access the device’s mic and camera, collect passwords, and gather information from apps.

Khashoggi and those close to him were not the only victims. In 2019, a flaw in WhatsApp was exploited to target civil society and political figures in Catalonia. The attack started with a WhatsApp video call to the victim. Answering the call was not necessary, because the call data sent to the app was not validated properly. This allowed the Pegasus code to execute on the target device, installing the spyware. WhatsApp has since patched the vulnerability and notified 1,400 users who had been targeted.

Another sophisticated zero-click attack associated with NSO Group’s Pegasus was based on a vulnerability in Apple’s iMessage. In 2021, Citizen Lab found traces of this exploit being used to target a Saudi activist. This attack relies on an error in the way GIFs are parsed in iMessage and disguises a PDF document containing malicious code as a GIF. In its analysis of the exploit, Google Project Zero stated, “The most striking takeaway is the depth of the attack surface reachable from what would hopefully be a fairly constrained sandbox.” The iMessage vulnerability was fixed on September 13, 2021, in iOS 14.8.

Zero-click attacks don’t only target phones. In 2021, a zero-click vulnerability gave unauthenticated attackers full control over Hikvision security cameras. Later the same year, a flaw in Microsoft Teams was shown to be exploitable through a zero-click attack that gave attackers access to the target device across major operating systems (Windows, macOS, Linux).

How to detect and mitigate zero-click attacks

Realistically, knowing if a victim is infected is quite tricky, and protecting against a zero-click attack is almost impossible. “Zero-click attacks are way more common than we thought,” says Maynier. He recommends potential targets encrypt all their data, update their devices, have strong passwords, and do everything in their power to protect their digital lives. There’s also something else he tells them: “Consider that they may be compromised and adapt to that.”

Still, users can do a few things to minimize the risk of being spied on. The simplest, for iPhone owners, is to restart the phone periodically. Experts at Amnesty have shown that this could stop Pegasus from working on iOS, at least temporarily, because a reboot terminates any running implant code that has not achieved persistence. The disadvantage is that rebooting may also erase the traces of an infection, making it much harder for security researchers to determine whether a device has been targeted with Pegasus.

Users should also avoid jailbreaking their devices, because doing so removes some of the security controls built into the platform. A jailbroken device can also run unverified software, which opens the door to installing vulnerable code that may itself be a prime target for a zero-click attack.

As always, maintaining good security hygiene can help. “Segmentation of networks, applications, and users, use of multifactor authentication, use of strong traffic monitoring, good cybersecurity hygiene, and advanced security analytics may prove to slow down or mitigate risks in specific situations,” says Lakhani. “[These] will also make post-exploitation activities difficult for attackers, even if they do compromise [the] systems.”

Maynier adds that high-profile targets should segregate data and have a device only for sensitive communications. He recommends users keep “the smallest amount of information possible on their phone (disappearing messages are a very good tool for that)” and leave it out of the room when they have important face-to-face conversations.

Organizations such as Amnesty and Citizen Lab have published guides showing users how to connect their smartphone to a PC and check whether it has been infected with Pegasus. The software used for this, Mobile Verification Toolkit (MVT), relies on known indicators of compromise (IOCs) such as cached favicons and URLs present in SMS messages. A user does not have to jailbreak the device to run this tool.
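The kind of check MVT performs on SMS URLs, as an added example that is not MVT’s own code: constructed sample messages are scanned for URLs, each URL’s hostname is normalized (lowercase, no port, no trailing dot), and it is matched against an indicator list by exact or parent-domain match. The messages and the indicator domains (update-check.example, bad-cdn.example) are made up for this demonstration and are not real Pegasus indicators.

```python
"""Match URLs found in SMS records against a domain indicator list, the way
Mobile Verification Toolkit (MVT) checks messages for known spyware
infrastructure. Added example, not MVT's own code: the records and the
indicator domains below are constructed for the demonstration and are not
real Pegasus IOCs.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: what an SMS export from a device backup might look like.
SAMPLE_SMS = [
    {"id": 1, "from": "+15550100", "text": "Your parcel: https://tracking.example.net/p/8823"},
    {"id": 2, "from": "+15550101", "text": "See this http://Login.Update-Check.example/r?i=77."},
    {"id": 3, "from": "+15550102", "text": "Lunch tomorrow?"},
    {"id": 4, "from": "+15550103", "text": "Alert https://cdn.update-check.example:8443/x"},
]

# Constructed sample indicator list (hypothetical domains, not real IOCs).
IOC_DOMAINS = {"update-check.example", "bad-cdn.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return URLs found in free text, with trailing sentence punctuation stripped."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def url_host(url):
    """Normalized hostname: lowercase, no port, no trailing dot (None if absent)."""
    host = urlsplit(url).hostname  # already lowercased and stripped of any port
    return host.rstrip(".") if host else None


def domain_matches(host, ioc_domains):
    """True if host equals an indicator domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def scan_sms(records, ioc_domains):
    """Return one hit per (record, URL) pair whose host matches an indicator."""
    hits = []
    for rec in records:
        for url in extract_urls(rec["text"]):
            host = url_host(url)
            if host and domain_matches(host, ioc_domains):
                hits.append({"id": rec["id"], "from": rec["from"], "url": url, "host": host})
    return hits


if __name__ == "__main__":
    for hit in scan_sms(SAMPLE_SMS, IOC_DOMAINS):
        print(f"message {hit['id']} from {hit['from']}: {hit['url']} -> {hit['host']}")
```

Parent-domain matching matters because operators address their infrastructure through rotating hostnames under a single registered domain, and normalizing case, ports and trailing dots before comparison avoids trivial misses. The real indicator sets that MVT consumes are published by the researchers (Amnesty’s Security Lab among them) who investigated the cases described above.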

Also, Apple and WhatsApp have both sent messages to people who might have been targeted by zero-click attacks that aimed to install Pegasus. Some of those people then reached out to organizations such as Citizen Lab to have their devices analyzed further.

Yet technology alone won’t solve the problem, says Amnesty’s Maynier. “This is ultimately a question of policy and regulation,” he adds. “Amnesty, EDRi and many other organizations are calling for a global moratorium on the use, sale, and transfer of surveillance technology until there is a proper human rights regulatory framework in place that protects human rights defenders and civil society from the misuse of these tools.”

The policy answers will have to cover different aspects of this problem, he says, from export control to mandatory human rights due diligence for companies. “We need to put a stop on these widespread abuses first,” Maynier adds.

Source: https://www.csoonline.com/article/3660055/zero-click-attacks-explained-and-why-they-are-so-dangerous.html

New WordPress sites getting hacked ‘within seconds’ of TLS certificates being issued

Attackers pounce before site owners can activate the installation wizard.

Attackers are abusing the Certificate Transparency (CT) system to compromise new WordPress sites in the typically brief window of time before the content management system (CMS) has been configured and therefore secured.

CT is a web security standard for monitoring and auditing TLS (aka SSL) certificates, which are issued by certificate authorities (CAs) to validate websites’ identity.

First implemented by the DigiCert CA in 2013, the scheme has CAs record every newly issued certificate in public, append-only logs at the time of issuance, in the interests of transparency and the prompt discovery of rogue or misused certificates; browsers such as Chrome and Safari now require this logging before they will trust a certificate.

However, evidence is growing that malicious hackers are monitoring these logs in order to detect new WordPress domains and configure the CMS themselves after web admins upload the WordPress files, but before they manage to secure the website with a password.

Multiple testimonies have emerged detailing sites being hacked within minutes – within seconds, even – of TLS certificates being requested.

Domain owners report the appearance of a malicious file (/wp-includes/.query.php) and sites being press-ganged into joining DDoS attacks.
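Why the window is so short: anyone can poll a CT log’s public get-entries endpoint and decode each new leaf the moment it is logged. The script below is an added example, not code from the PortSwigger article or from any log operator. It parses the RFC 6962 MerkleTreeLeaf structure out of a get-entries response and reports how many seconds ago each certificate naming a watched host was logged; the same loop lets a site owner watch their own domains for issuance. The response is constructed in-line, with a placeholder DER blob (a SEQUENCE holding the IA5String new-site.example.com) standing in for a real certificate so the script runs offline, and the substring SAN check is a first-pass heuristic rather than a proper X.509 parse.

```python
"""Decode Certificate Transparency log entries (RFC 6962) as returned by a
log's GET /ct/v1/get-entries endpoint, and report how old each issuance is.
Added example; not code from PortSwigger or any log operator. The entry below
is constructed in-line and its certificate field is a placeholder DER blob,
not a real certificate, so the script runs offline.
"""
import base64
import json
import struct
from datetime import datetime, timezone

X509_ENTRY = 0      # LogEntryType x509_entry
PRECERT_ENTRY = 1   # LogEntryType precert_entry


def parse_leaf_input(leaf_input_b64):
    """Parse a MerkleTreeLeaf from the base64 'leaf_input' field.

    Wire layout (RFC 6962 section 3.4): Version(1) MerkleLeafType(1)
    Timestamp(8, ms since epoch) LogEntryType(2); then for x509_entry a
    3-byte length-prefixed DER certificate, or for precert_entry a 32-byte
    issuer_key_hash followed by a 3-byte length-prefixed TBSCertificate;
    then CtExtensions with a 2-byte length prefix.
    """
    data = base64.b64decode(leaf_input_b64)
    if len(data) < 12:
        raise ValueError("leaf_input too short")
    version, leaf_type, timestamp_ms, entry_type = struct.unpack(">BBQH", data[:12])
    if version != 0 or leaf_type != 0:
        raise ValueError("unsupported MerkleTreeLeaf version/type")
    pos = 12
    issuer_key_hash = None
    if entry_type == PRECERT_ENTRY:
        issuer_key_hash = data[pos:pos + 32]
        pos += 32
    elif entry_type != X509_ENTRY:
        raise ValueError("unknown LogEntryType %d" % entry_type)
    cert_len = int.from_bytes(data[pos:pos + 3], "big")
    pos += 3
    cert_der = data[pos:pos + cert_len]
    if len(cert_der) != cert_len:
        raise ValueError("truncated certificate in leaf_input")
    return {
        "timestamp_ms": timestamp_ms,
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
        "entry_type": "precert" if entry_type == PRECERT_ENTRY else "x509",
        "issuer_key_hash": issuer_key_hash,
        "cert_der": cert_der,
    }


def names_in_cert(cert_der, watch_list):
    """First-pass filter: dNSName SANs are IA5Strings, so a hostname appears as
    plain ASCII inside the DER. Confirm with a real X.509 parser (for example
    the cryptography package) before acting on a match."""
    return [n for n in watch_list if n.lower().encode("ascii") in cert_der.lower()]


def scan_get_entries(response_json, watch_list, now_ms):
    """Return (matched names, age in seconds) for each entry naming a watched host."""
    findings = []
    for raw in json.loads(response_json)["entries"]:
        entry = parse_leaf_input(raw["leaf_input"])
        names = names_in_cert(entry["cert_der"], watch_list)
        if names:
            findings.append((names, (now_ms - entry["timestamp_ms"]) / 1000))
    return findings


def build_sample_leaf(timestamp_ms, cert_der, entry_type=X509_ENTRY,
                      issuer_key_hash=b"\x00" * 32):
    """Encode a MerkleTreeLeaf; used here only to construct sample input."""
    body = struct.pack(">BBQH", 0, 0, timestamp_ms, entry_type)
    if entry_type == PRECERT_ENTRY:
        body += issuer_key_hash
    body += len(cert_der).to_bytes(3, "big") + cert_der + b"\x00\x00"  # empty CtExtensions
    return base64.b64encode(body).decode("ascii")


# Constructed sample: a SEQUENCE holding one IA5String, standing in for a
# certificate whose SAN list names the new site. Not a real certificate.
PLACEHOLDER_DER = b"\x30\x16\x16\x14" + b"new-site.example.com"
SAMPLE_RESPONSE = json.dumps({"entries": [
    {"leaf_input": build_sample_leaf(1_646_000_000_000, PLACEHOLDER_DER), "extra_data": ""},
]})

if __name__ == "__main__":
    now_ms = 1_646_000_045_000  # constructed "now": 45 s after the sample issuance
    for names, age in scan_get_entries(SAMPLE_RESPONSE, ["new-site.example.com"], now_ms):
        print(f"{names} logged {age:.0f} s ago")
```

Against a live log the same function runs over the JSON from a get-entries request for the newest index range; the point of the exercise is that the timestamp is the only latency in the pipeline, which is why an unconfigured installer reachable for even a minute is long enough to lose the race.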

More details at: https://portswigger.net/daily-swig/wordpress-sites-getting-hacked-within-seconds-of-tls-certificates-being-issued

Questionable URL? Here’s a tool to help.

We recently heard of VirusTotal.com’s free web-based URL checker.

Have you received email which looks suspicious or has a link which you’re uncertain about? (This is how phishing often takes advantage of you!)

Right-click on the link and copy the link address, then go to https://www.virustotal.com/gui/home/url and paste it in. VirusTotal returns the verdicts of dozens of URL scanning engines, giving an indication of whether the link is likely to be malicious.

It’s not perfect – I entered a link to an exploit reporting website and six out of 93 reports said it was malicious (it isn’t). But it will definitely give you a better idea as to the trustworthiness of any random URL you receive.

By the way, it works on most shortened URLs too: bit.ly, goo.gl, etc.

Beware: new IRS rules will lead to a wave of phishing frauds

Thanks to new legislation that went into place at the beginning of this year, I predict that a lot of unsuspecting small business owners are about to fall victim to a fresh scam.

The scam will relate to legislation around new tax reporting rules that affect millions of freelancers and small businesses. As explained in an earlier column, beginning with the 2022 tax year, if you receive more than $600 in total payments during the year from a payment service such as PayPal, Venmo (which is owned by PayPal), Square or Stripe, or from online sales of your products through Amazon, Etsy and other marketplaces, that payment service is required to report that amount to the IRS and to you on Form 1099-K (used for reporting payments made via these third parties) in early 2023, regardless of how many customers paid you.

Full story: https://www.theguardian.com/money/2022/feb/27/beware-phising-fraud-new-irs-rules-online-payment-service-receipts

Apple fixes iOS zero-day exploited in the wild (CVE-2021-30883)

With the newest iOS and iPadOS updates, Apple has fixed another vulnerability (CVE-2021-30883) that is being actively exploited by attackers.

As usual, Apple did not share further details about the flaw or the attack(s) exploiting it, and the researcher who discovered it remains unnamed.

But, thanks to security researcher Saar Amar, who analyzed Apple’s patch, we know that the flaw is “a classic integer overflow.”

More details at: https://www.helpnetsecurity.com/2021/10/12/cve-2021-30883

Ransomware Payments Explode Amid ‘Quadruple Extortion’

Two reports slap hard figures on what’s already crystal clear: Ransomware attacks have skyrocketed, and ransomware payments are the comet trails that have followed them skyward.

The average ransomware payment spiked 82 percent year over year: It’s now over half a million dollars, according to the first-half 2021 update report put out by Palo Alto Networks’ Unit 42. As far as the sheer multitude of attacks goes, Barracuda researchers on Thursday reported that they’ve identified and analyzed 121 ransomware incidents so far in 2021, a 64 percent increase in attacks, year-over-year.

Obviously, these are just the major incidents. It is unclear from these reports whether the threat to small sites or individual consumers’ computers has continued at the same rate as before, now that so many attacks are aimed at “big payout” targets.

It’s important to continue to be vigilant on all levels: keep backups (both on site and off site), be careful about what you click on, watch for phishing and consent phishing, use 2-factor authentication where offered, etc.

Full article at https://threatpost.com/ransomware-payments-quadruple-extortion/168622/

Update: Comedian John Oliver (Last Week Tonight) did a piece on Ransomware on Aug 16. (NSFW, but quite well researched.)

Olympic-themed passwords put people at risk

Beyond using “tokyo” and “olympics” as their passwords, people have been turning to names of athletes, such as “kenny,” “williams,” and “asher,” says NordPass.

Devising passwords for your website accounts is always a challenge. That’s why many people look to current events for inspiration. But that strategy is a recipe for trouble as it often leads to simple and weak passwords, making you easy prey for cybercriminals. A report released Tuesday by password manager NordPass looks at the most popular and weak Olympic-themed passwords floating in cyberspace.

With the Tokyo 2020 Olympics finally being held in 2021 due to the pandemic, people have been cheering on their favorite sports and rooting for their favorite athletes. As the games have created a lot of buzz and excitement, people naturally draw inspiration from them. And apparently that enthusiasm carries over into their passwords.

The latest research from NordPass shows that people are creating passwords based on Olympic events and athletes despite warnings from cybersecurity experts not to use simple or weak passwords. Among the sporting events themselves, “football” scores the top goal by being used as a password more than 5.8 million times, according to NordPass’ analysis.

“Baseball” hits a run as a password in use more than 4.1 million times. “Golf” putts as a password more than 3.2 million times, followed by “hockey” at 2.6 million times, “tennis” at 1.5 million times and “basketball” at 1.4 million times.

The names of athletes competing in the Olympics also popped up as popular passwords in NordPass’ analysis. Among them, “kenny” appeared 1.3 million times, “williams” more than 1 million times, “asher” 1 million times and “riner” 265,971 times. Other go-to athlete-inspired passwords include “masse” at 261,997 times, “curry” at 196,0165 times, “gonzales” at 194,129 times, “osaka” at 87,725 times, “sindhu” at 84,261 times, “federer” at 82,897 times and “biles” at 57,331 times.

The word “tokyo” was used as a password 231,818 times and “olympics” was used 27,881 times.

Though Olympic fever is all well and good, a line should be drawn when it comes to celebrating the games in your passwords.

“These passwords can be cracked almost instantly—that’s the main issue,” said NordPass security expert Chad Hammond. “While it’s amazing to support your favorite sport or athlete, it’s not advisable to take that support to your passwords as it really compromises your security. In fact, even if you don’t support, let’s say, Kylie Masse, but have the same last name as her, don’t use that as your password, as 261,997 people already have.”

Relying on current events to devise your passwords is nothing new.

“Earlier this year, NordPass reported that such passwords as ‘corona,’ ‘lockdown,’ and other words or phrases that have defined our lives in the past year are also used as passwords quite often,” Hammond added. “We’ve also noticed that people often simply use their names, favorite sports teams, or the name of the service they’re registering for.”

To better protect your website accounts with strong passwords and security, Hammond offers the following advice:

  1. Update all your passwords and use unique and complex ones to secure your accounts. Try using a password generator to create passwords that are difficult or impossible to guess.
  2. Use a password manager. Such tools can generate and store passwords. More advanced password managers include data breach scanners that can tell you if any of your accounts may have been compromised.
  3. Use two-factor authentication (2FA) where possible. Whether you rely on 2FA through an app, biometric data, or a physical security key, your accounts will be safer with that extra layer of security.
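Why “cracked almost instantly” is no exaggeration, as an added example (not NordPass’s methodology): the base words named in this article, expanded with a handful of the mangling rules that password-cracking tools apply by default (case changes, leetspeak substitutions, common suffixes), produce well under a thousand candidates, and every themed variant such as Football2021 or B1l35! falls inside that set. The rule set and suffix list are assumptions chosen for the demonstration.

```python
"""Show why event-themed passwords fall instantly: a small wordlist expanded
with a few mangling rules covers every variant people actually pick.
Added example, not NordPass's method. The base words are the ones named in
the article; the mangling rules and suffixes are assumptions modelled on
cracking-tool defaults.
"""
from itertools import product

BASE_WORDS = ["football", "baseball", "golf", "hockey", "tennis", "basketball",
              "kenny", "williams", "asher", "riner", "masse", "curry", "gonzales",
              "osaka", "sindhu", "federer", "biles", "tokyo", "olympics"]

# Assumed rules: lowercase-only leetspeak map and a short suffix list.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "1", "12", "123", "!", "2020", "2021", "2021!"]


def case_variants(word):
    """lowercase, Capitalized and UPPER forms of a base word."""
    return {word.lower(), word.capitalize(), word.upper()}


def mangle(word):
    """Candidate set a rule-based cracker would try for one base word."""
    bases = set()
    for w in case_variants(word):
        bases.add(w)
        bases.add(w.translate(LEET))  # uppercase letters are left untouched
    return {b + s for b, s in product(bases, SUFFIXES)}


def build_candidates(words):
    """Map every candidate string back to the base word that produced it."""
    cands = {}
    for w in words:
        for c in mangle(w):
            cands.setdefault(c, w)
    return cands


def check_password(pw, candidates):
    """Return the base word a password derives from, or None if it is outside the set."""
    return candidates.get(pw)


if __name__ == "__main__":
    cands = build_candidates(BASE_WORDS)
    print(f"{len(cands)} candidates from {len(BASE_WORDS)} base words")
    for pw in ["football", "Football2021", "B1l35!", "correct-horse-battery-staple"]:
        print(f"{pw!r} -> {check_password(pw, cands)}")
```

A few hundred guesses is far below what any online service’s rate limiting would notice, let alone an offline crack of a leaked hash, which is why appending a year or swapping letters for digits buys nothing; the only fix is a password that is not derived from a word at all, which is what the generator in point 1 gives you.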

Source: https://www.techrepublic.com/article/olympic-themed-passwords-put-people-at-risk/

Don’t Wanna Pay Ransom Gangs? Test Your Backups.

Important article from the ever-insightful Brian Krebs. Though it is geared more toward organizations than individuals, the important point is that it’s critical to know how to restore a damaged system – and how long it will typically take!

FYI, we can usually restore a website to the most recent backup within 10 min (depending on the size of the site, of course). And yes, we have tested! Not everyone’s site, of course, but we’ve done enough site restorations that we’re pretty confident about yours too.

Read the full article here: https://krebsonsecurity.com/2021/07/dont-wanna-pay-ransom-gangs-test-your-backups/