Cyber Security

This Week in Cyber 14th June 2024

Latest news and views from our Cyber Analysts

Written by: Team Nucleus

Written on: 13th June, 2024


LightSpy Spyware's macOS Variant Found with Advanced Surveillance Capabilities

Cybersecurity researchers have uncovered a previously undocumented macOS variant of the LightSpy spyware, which was originally identified as targeting Apple iOS users. Huntress Labs and ThreatFabric found that LightSpy is a sophisticated cross-platform malware family capable of infecting Android, iOS, Windows, macOS and Linux systems, as well as various routers.


The macOS version exploits two known vulnerabilities (CVE-2018-4233 and CVE-2018-4404) to deliver its implant and bypass earlier protections, allowing attackers to execute arbitrary code remotely. The macOS variant employs a plugin-based architecture to gather extensive information, with plugins for capturing audio, taking photos, recording screen activity, extracting files, executing commands, and harvesting browser data. Although the macOS variant has been observed on only about 20 devices since January 2024, its capabilities pose a significant threat.


Microsoft Overhauls AI-Powered Recall Feature Amid Privacy Concerns

Microsoft has announced that it will no longer enable its controversial AI-powered Recall feature by default, deciding instead to make it an opt-in feature due to privacy concerns. Recall, set to debut exclusively on Copilot+ PCs on June 18, 2024, creates an "explorable visual timeline" by capturing and analysing screenshots every five seconds. This feature, intended as an AI-enabled photographic memory, quickly drew criticism from the security and privacy community, which labelled it as intrusive and potentially harmful.

In response, Microsoft has made several substantial changes, including requiring user opt-in, implementing security updates, and enhancing user control over the feature. Users must now enroll in Windows Hello biometric scanning to enable Recall, ensuring that snapshots are only accessible upon user authentication. Additionally, the search index database will be encrypted, and all data will be stored and processed locally on the device. Microsoft emphasized that Recall data is not shared with other companies or applications, and users can pause, filter, and delete saved snapshots at any time.


Dutch Intelligence Reveals Fortinet Breach

Earlier this week, the Dutch National Cyber Security Center (NCSC) announced that Chinese state-sponsored hackers had accessed at least 20,000 Fortinet FortiGate systems worldwide in 2022 and 2023. This follows an investigation by the Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD). The attackers exploited a critical FortiOS vulnerability (CVE-2022-42475) as a zero-day, two months before Fortinet's public disclosure.

In February 2024, Dutch intelligence services disclosed that these hackers breached the Dutch Ministry of Defense in 2023. The attackers installed a Remote Access Trojan dubbed "Coathanger," which is able to survive reboots and firmware upgrades, and is difficult to detect or remove using standard FortiGate CLI commands. This campaign targeted numerous Western governments, international organizations, and defence companies.

The MIVD emphasized the vulnerability of edge devices like FortiGate systems, which are often directly connected to the internet and lack support from Endpoint Detection and Response (EDR) solutions. These edge devices are popular targets for malicious actors due to their critical position within networks.

