Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Another 'Good Hacking' Case Reported

In the cybersecurity world, we view risk as being all downside - but risk professionals will tell you that the inherent uncertainties sometimes work in your favour and produce favourable outcomes. The speculative risk in investments provide a good example: occasionally, a stock takes off for some reason, and you make a windfall. There aren't many such cases in our field, but it sometimes happens - for example, I've received vulnerability reports from unknown white - or, possibly grey - hats, tipping me off before a black hat discovered them.

Now, echoing yesterday's report of the FBI's stealthy distribution of a tool to disable the Qakbot malware, comes news of another hack-the-hackers exploit.

For some years, a piece of Portuguese-language phone spyware called WebDetetive has been implanted on the phones of victims in South America, generally manually, by someone known to the victim, and who knows the phone's passcode. Once installed, the spyware disguises itself by changing its icon, and then sets about uploading messages, call logs, phone call recordings, photos, ambient microphone recordings and precise location data to the WebDetetive servers. Whoever installed the spyware can now surveil the victim - which is why this type of spyware is often referred to as 'stalkerware'.

However, unnamed hackers recently identified several vulnerabilities which allowed them to compromise WebDetetive's servers and access its user database. Further exploiting the product's dashboard, which the stalkers use to surveil their victims, the hackers were able to download every dashboard record, including every customer's email address.

Using the dashboard, the hackers were also able to delete victim devices from the spyware network, preventing them from uploading further data. "Which we definitely did. Because we could. Because #fuckstalkerware", wrote the hackers in an undated note included among 1.5 GB of data scraped from the spyware's dashboard. This data included information about each customer - the IP address they had logged in from, their purchase history and also details of every device that customer had compromised, including the spyware version number and the types of data being collected. Importantly, the data did not include any data stolen from the victims' phones.

The data was indexed by DDoSecrets (https://ddosecrets.com/wiki/Distributed_Denial_of_Secrets), who shared it with TechCrunch for analysis, revealing that 74,336 unique customer email addresses had used the spyware to compromise 76,794 victim phones.

The breach puts WebDetetive's management in a tough spot. Will they notify their customers of the breach, assuming they still have records to do so? Email enquiries sent by TechCrunch got no response. But a lot of phone users, particularly victims of domestic violence and abuse, can breath a little easier.

Whittaker, Zack, A Brazilian phone spyware was hacked and victims’ devices ‘deleted’ from server, TechCrunch, 27 August 2023. Available online at https://techcrunch.com/2023/08/26/brazil-webdetetive-spyware-deleted/.

Qakbot Advisory

Speaking of Qakbot, as we were just yesterday, CISA and the FBI have released a joint Cybersecurity Advisory to disseminate the IOC's discovered and used in the FBI takedown, along with recommendations for mitigation. There's quite a lot of useful detail in the 9-page advisory, including an overview of the botnet's three-tier C2 infrastructure and a mapping to the MITRE ATT&CK framework.

CISA, Identification and Disruption of QakBot Infrastructure, cybersecurity advisory, 30 August 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a.

Mozilla Security Updates

The Mozilla Foundation has released security updates to address vulnerabilities in:

• Firefox 117 (https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/)
• Firefox ESR 115.2 (https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/), and
• Firefox ESR 102.15 (https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/)

You know what to do - end users, choose Help -> About Firefox in the menu and let the update download, while admins who redistribute the browsers in their organizations should get ready to roll out the new versions.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.