CISA releases advisory on new spyware

The advisory discusses a new strain of spyware that appears to target messaging apps. 

What happened

On November 24th, CISA released a new guidance on spyware threats, Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications. 

The notice details how some malicious actors are using targeted social engineering techniques to gain access to victims’ messaging apps, which can then help the actors facilitate the deployment of “additional malicious payloads that can further compromise the victim’s mobile device.”

Going deeper

The advisory discusses some specific tactics cyber threat actors are using, which include:

1. Phishing or malicious QR codes that compromise accounts and allow actors to control their devices
2. Zero-click exploits, meaning the user does not have to take any action for their device to become infected. For example, the FORCEDENTRY Exploit (discovered in 2021) allowed a threat group to send a message to Apple devices, which the device automatically executed, leading to the spread of spyware. 
3. Impersonating messaging app platforms, like WhatsApp. 

CISA found that threat actors are opportunistic, something that is generally true for any cybercrime; but in this case, the malicious individuals are also targeting what’s considered “high-value individuals,” which can include the military, government, and other political officials. Threat actors may also target civil society organizations (CSOs) and individuals in the United States, Europe, and the Middle East. 

What’s next

CISA provided several suggestions for messaging app users. They have several guides, including the Mobile Communications Best Practice Guidance, which includes suggestions to:

• Use end-to-end encryption
• Enable Fast Identity Online (FIDO) which is phishing-resistant authentication
• Use a password manager
• Regularly update software. 

Their other guide, Mitigating Cyber Threats with Limited Resources, highlights strategies like: 

1. Auditing accounts and disabling unused or unnecessary accounts
2. Applying the principle of least privilege, meaning remove any unnecessary permissions
3. Review contractual relationships with any service providers. 

The big picture

While many businesses and healthcare practices use other platforms, like email, to communicate, some organizations also use messaging–whether for internal communications, or to send scheduling reminders or other quick messages. When it comes to handling PHI, messages on any platform must be secure and encrypted, or it could risk leading to a data breach. Organizations should stay aware of what tools are potentially vulnerable to data breaches.

In particular, security teams should be mindful of potential zero-click exploits and monitor their network for potentially detrimental messages. Zero-click exploits highlight the need for robust cybersecurity, as it eliminates the human element. Regardless, Ryan Winchester, Director of IT at CareM, emphasizes that human failure can be a major tool for exploitation, stating, “No amount of training can completely eliminate human error, so businesses must have safeguards in place.”  

FAQs

What messaging apps are being impacted?

According to the alert, certain apps like Signal and WhatsApp are being exploited, as well as Android messaging and Apple messaging. 

Are healthcare organizations specifically targeted in these attacks?

No, these attacks are more likely to target military or government officials. However, CISA noted they may attack civil services that are found to be of high value, which may include healthcare.