Our reporting this week focuses on the use of third-party spyware tools and groups in cyber operations. For instance, we reported on a hack-for-hire group, tracked as Knotweed, that used multiple Windows and Adobe zero-day exploits to compromise private entities in Austria, the United Kingdom, and Panama. The campaign distributed Subzero spyware which is used to compromise mobile devices, individual endpoints, and networks. We have previously observed government entities outsourcing cyber operations to third parties, indicating a realistic possibility that a government entity may have leveraged the Knotweed group.
Additionally, we covered incidents of likely government entities utilising Pegasus spyware, a surveillance tool developed by NSO Group, to conduct espionage. A letter from Apple to European lawmakers informed them of the possible infection of European Commission employees’ mobile devices with the spyware. NSO Group has previously stated it only sells its product to government agencies, indicating a realistic possibility that it has been deployed for nation-state espionage purposes. We also recently reported that Pegasus had been detected on mobile phones of several pro-democracy activists in Thailand.
These incidents reaffirm the value of third-party tools and entities to conduct cyber operations, particularly in countries that lack the technical capabilities to produce their own internal espionage tools.
This vulnerability (CVSS: 8.6|OVSS: 54) could allow threat actors to log into Confluence and access all content accessible to the confluence-users group. The vulnerability pertains to the Questions for Confluence app containing a hardcoded password that was leaked on Twitter in July. This CVE is currently being exploited in the wild.
A Windows Client Server Run-Time Subsystem privilege escalation vulnerability (CVSS: 7.8|OVSS: 54) enabled Knotweed to escape sandboxes and acquire system-level code execution.
This vulnerability (CVSS: 6.5|OVSS: 29) affects the legacy Slack import feature in Mattermost versions 6.7.0 and earlier, which fails to limit the sizes of imported files. An adversary can crash the server by importing large files via the Slack import REST API. We assess that there is an 85% likelihood of future exploitation.
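The defensive pattern behind the Mattermost fix is to bound the import body before it is buffered. The following is an added example, not Mattermost's own code; the function names, the 2048-byte cap and the sample bodies are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// ErrImportTooLarge is returned when an import body exceeds the configured cap.
var ErrImportTooLarge = errors.New("import exceeds configured size limit")

// readBoundedImport reads at most maxBytes from r. It allows one byte past the
// cap so that a body of exactly maxBytes is accepted while a larger one is
// rejected before the whole payload is held in memory.
func readBoundedImport(r io.Reader, maxBytes int64) ([]byte, error) {
	limited := io.LimitReader(r, maxBytes+1)
	data, err := io.ReadAll(limited)
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxBytes {
		return nil, ErrImportTooLarge
	}
	return data, nil
}

// importHandler applies the bound at the HTTP layer; http.MaxBytesReader also
// stops reading the connection once the cap is crossed, so an oversized upload
// is rejected with 413 instead of exhausting server memory.
func importHandler(maxBytes int64) http.HandlerFunc {
	return func(w http.ResponseWriter, req *http.Request) {
		req.Body = http.MaxBytesReader(w, req.Body, maxBytes)
		data, err := readBoundedImport(req.Body, maxBytes)
		if err != nil {
			http.Error(w, "import too large", http.StatusRequestEntityTooLarge)
			return
		}
		fmt.Fprintf(w, "accepted %d bytes\n", len(data))
	}
}

func main() {
	// Constructed sample bodies: one within the cap, one well above it.
	small := bytes.Repeat([]byte("a"), 1024)
	big := bytes.Repeat([]byte("a"), 4096)
	_, err := readBoundedImport(bytes.NewReader(small), 2048)
	fmt.Println("small body error:", err)
	_, err = readBoundedImport(bytes.NewReader(big), 2048)
	fmt.Println("large body error:", err)
}
```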
Key Intelligence Reports
- Hack-for-hire group Knotweed uses zero-day exploits to compromise European and Central American entities
Microsoft has reported that a hack-for-hire group tracked as Knotweed has used multiple Windows and Adobe zero-day exploits to compromise private entities and deliver Subzero malware. At the time of writing, Knotweed campaigns have targeted law firms, financial institutions, and strategic consultancy entities in Austria, the United Kingdom, and Panama.
- CosmicStrand UEFI rootkit identified in Gigabyte and ASUS motherboards
A Unified Extensible Firmware Interface (UEFI) rootkit, labelled CosmicStrand, has been identified in the firmware images of motherboards manufactured by Taiwan-based ASUS and Gigabyte. CosmicStrand victims, all of whom appear to be private individuals with no links to a common organisation or sector, have been identified in China, Vietnam, Iran, and Russia.
- Israeli spyware Pegasus identified on EU Commission employee mobile devices
A letter sent on 25 July to European lawmaker Sophie in’t Veld details the possible breach of European Commission employees’ mobile devices using the spyware tracked as Pegasus. Pegasus is a surveillance tool that has been developed and sold to government clients by the Israeli surveillance and security company, NSO Group.
What is OVSS?
The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat to and impact of CVEs, building upon the vulnerability information provided as part of the CVSS (Common Vulnerability Scoring System) score.