Staff Picks for Splunk Security Reading December 2021

The year that hackers went wild and everything changed by James Rundle at The Wall Street Journal

"Writing 'it's been a very busy year' doesn't quite capture the sentiment in my head, or heads of security folks around the world. I think many of us have been too busy putting out these fires and haven't had a chance to reflect on everything that's occurred. James Rundle has a slideshow that recaps cyber 2021 from Solarwinds to early December. It doesn't touch on Log4j (but cmon, we're all tired of reading about it anyway). With links back to fantastic reporting on these incidents, we're all going to agree 2021 was relentless."

Pegasus vs. Predator: Dissident’s Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware by Bill Marczak, John Scott-Railton, Bahr Abdul Razzak, Noura Al-Jizawi, Siena Anstis, Kristin Berdan, and Ron Deibert

“NSO Group has been in the news for its use of its mobile spyware and zero days for initial access against the press and other dissidents around the world. However, The Citizen Lab just released this new report that details another piece of spyware from Cytrox that was uncovered from the mobile devices of a journalist and a political dissident. In fact, their research uncovered that the dissident’s phone was infected with both spyware platforms simultaneously and they were controlled by different nation-state actors! The Citizen Lab does a great job as always detailing findings, calling out IOCs and supporting details to better understand the issue at hand. The concern over these highly persistent spyware packages on mobile devices has been discussed before but the entry of another platform into the mix and its use by nation-state actors made this an article I wanted to draw your attention to."

Maintaining Legacy Technology by Bruce Schneier

"We all have legacy technology running in production, but how many of us have it available in a lab for testing and validation? To be fair, do we even know what we should have in the lab?"

A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution by Ian Beer and Samuel Groß at Google Project Zero

“A team of security researchers at Google who study zero-day vulnerabilities published an analysis of FORCEDENTRY, NSO Group’s zero-click iMessage exploit, calling it “one of the most technically sophisticated exploits we’ve ever seen.” The University of Toronto’s Citizen Lab provided the exploit sample for the analysis. Project Zero found the exploit uses a “fake GIF” trick in iMessage to target a vulnerability in the CoreGraphics PDF parser using the JBIG2 compression standard. No interaction is required from the user for the exploit to work and it runs in an emulated environment without the need for a command-and-control server. Project Zero plans to release a second blog soon to explain the sandbox escape portion of the exploit. The research is worth a read because it demonstrates how private companies are developing exploits rivaling nation-state capabilities.”