By the CyberWire staff
Cybersecurity Incidents Summary
A recent breach has compromised the developer of a Signal clone used by the US government for message archiving, exposing customer data and underscoring the risk of bolting server-side archiving onto an end-to-end encrypted messenger. Separately, NSO Group has been ordered to pay over $167 million at the close of a protracted lawsuit over the hacking of WhatsApp users, a verdict that shows the legal exposure spyware vendors now face.
PowerSchool, an education software provider, is contending with targeted extortion efforts linked to a cyber incident from late last year, where stolen data is now being exploited against schools. Concurrently, LockBit, a well-known ransomware gang, has suffered a breach of its own, with confidential negotiation data exposed online. Moreover, South African Airways reported a major cyberattack that disrupted various operational systems and services, demonstrating the expanding reach of cyber threats across sectors.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding the rise of unsophisticated threat actors targeting Industrial Control Systems (ICS) in the US, specifically within the energy and transportation sectors. This increased attention on operational technology reflects broader concerns regarding inadequate cybersecurity hygiene in critical infrastructure environments.
Signal Clone Developer Breached
404 Media reports that an unidentified hacker breached TeleMessage, the Israeli developer of a modified Signal client used by the US government for message archiving. The hacker said they set out to test the application's security after the widely reported photo of former national security adviser Mike Waltz using the app. Messages of high-profile users were reportedly not taken, but data relating to US Customs and Border Protection and to financial firms including Coinbase was accessed.
TeleMessage sells modified versions of messaging apps that meet regulatory archiving requirements by keeping copies of communications on its own servers. Those archived copies necessarily sit outside the end-to-end encryption of the original app, so the archiving service itself becomes the weakest point in the chain and a high-value target. A Customs and Border Protection spokesperson confirmed the agency's use of TeleMessage and said the application was disabled as soon as unauthorized access was detected. An investigation into the full scope of the breach, including exactly what data was taken, is ongoing.
Mitre ATT&CK Analysis: How access was gained is not established in the reporting above. Because the exposed data lived on TeleMessage's archive servers, the most plausible mapping is compromise of the archiving service itself (Initial Access: Exploit Public-Facing Application, T1190) followed by collection of stored messages and metadata (Collection: Data from Information Repositories, T1213); nothing reported supports attributing the breach to social engineering.
NSO Group’s WhatsApp Lawsuit Outcome
A California jury has ordered NSO Group, an Israeli spyware vendor, to pay $167 million for infiltrating the phones of 1,400 WhatsApp users. The verdict ends a six-year legal battle and shows the legal exposure now facing vendors whose surveillance tools are turned against a platform's users. The bulk of the award is punitive damages, intended to deter similar conduct.
Meta, WhatsApp's parent company, welcomed the verdict as an important deterrent against spyware abuse targeting US entities. NSO Group maintains that it sells Pegasus only to governments for law enforcement and intelligence use, but its sales to authoritarian governments have drawn sustained criticism. The judge's refusal to let NSO present evidence that the technology is used for legitimate purposes suggests that intent-based defenses carry little weight once the intrusion itself is established.
Mitre ATT&CK Analysis: Infiltrating a phone through WhatsApp maps to exploitation of the messaging client for initial access (Mobile ATT&CK: Exploitation for Initial Access), typically followed by Exploitation for Privilege Escalation so the implant can reach data the app sandbox would otherwise protect. The specific vulnerabilities at issue are not described in the summary above.
PowerSchool Faces Extortion Attempts
PowerSchool has confirmed that individual schools are being extorted with data stolen in the cyber incident last December. After that breach PowerSchool paid the original threat actor in exchange for assurances that the data would be deleted; the new demands show the data has since reached other criminals, which is why paying for deletion offers no real guarantee. The company has notified law enforcement and is working with affected school districts to limit the harm from the data's misuse.
The company expressed regret that its customers have been put at risk a second time. Students and staff whose records were in the stolen data now face direct risk of misuse by criminals.
Mitre ATT&CK Analysis: No new intrusion is reported. The extortion reuses records exfiltrated during the December incident (Exfiltration tactic); the current activity maps to the Impact tactic rather than to any new access technique.
LockBit Ransomware Operation Compromised
The LockBit ransomware gang itself has been compromised, BleepingComputer reports. An unknown actor defaced the gang's affiliate panels and linked to a dump of the backend MySQL database, which contains nearly 60,000 unique bitcoin addresses, ransomware build configurations, and negotiation chats between the group and its victims. The dump is a reminder that criminal infrastructure is as attackable as any other web application.
The attacker's identity is unknown, but the defacement message is the same one used in an earlier defacement of another ransomware group's leak site, suggesting a single actor pursuing a campaign against ransomware operations.
Mitre ATT&CK Analysis: Defacing the web panels and dumping the backend MySQL database is consistent with compromise of the panel's web application (Initial Access: Exploit Public-Facing Application), followed by collection from the database and Defacement (Impact). The specific weakness exploited is not stated in the reporting above.
South African Airways Cyberattack Announcement
South African Airways has acknowledged a significant cyber incident on May 3rd that disrupted access to its website, mobile application, and several internal systems. The airline says normal operations were restored the same day, although the full extent of the incident is still under investigation. It is still assessing whether any data was accessed or exfiltrated and has committed to notify affected parties if a data breach is confirmed.
Mitre ATT&CK Analysis: Only the disruption is confirmed, which maps to the Impact tactic (for example Service Stop or denial-of-service techniques); whether any earlier access or exfiltration occurred is unknown pending the investigation.
CISA’s Advisory on Unsophisticated Threats
CISA, the FBI, the EPA, and the Department of Energy have jointly warned that unsophisticated cyber actors are targeting ICS and SCADA systems, particularly in the oil and natural gas sector. These actors typically exploit basic weaknesses such as OT devices exposed directly to the internet and default or weak credentials, so the advisory calls for tightening basic security hygiene in these environments.
The agencies have released mitigation guidance for these environments, noting that even attacks by low-skill adversaries can have severe consequences, including system outages and physical damage.