iPhone Security Flaw & FireEye Hack: Latest Cybersecurity News

If you haven't yet heard, a significant ransomware incident resulted in the compromise of patient information from a major fertility network in the United States. Additionally, the Supreme Court commenced deliberations on a case with the potential to reshape computer and internet access for a vast number of U.S. citizens. Furthermore, legislators in Massachusetts have approved a measure prohibiting law enforcement agencies from utilizing facial recognition technology statewide.
This week’s Decrypted focuses on exploring two stories that extend beyond initial reports, notably examining the reasons behind the surprise breach experienced by cybersecurity firm FireEye and its impact on the cybersecurity sector.
THE BIG PICTURE
Google researcher identifies critical iPhone security vulnerability, now resolved
Allowing a leading security expert uninterrupted time for research yielded a significant discovery: a severe security flaw within the iPhone operating system. This vulnerability is considered highly impactful, capable of being exploited remotely without any action required from the device’s user.
The weakness was located within Apple Wireless Direct Link (AWDL), a key component of iPhone functionality responsible for features like file and photo sharing via Apple’s AirDrop. Google’s Ian Beer explained in a social media post that AWDL is activated by default, creating a substantial attack surface for anyone within wireless range. He discovered the vulnerability in November and promptly reported it to Apple, which subsequently released a software update for iPhones and Macs in January to address the issue.
Successful exploitation of this flaw granted Beer access to the core iPhone software through Wi-Fi, enabling control over a compromised device. This included access to messages, emails, photos, the camera, and the microphone, all without the user’s knowledge. Beer indicated the attack could be carried out from distances of “hundreds of meters or more,” contingent on the attacker’s equipment. Fortunately, there is currently no indication that malicious actors have attempted to leverage this vulnerability.
The discovery quickly garnered attention, although Apple declined to provide a statement. Rob Joyce of the NSA called the finding “quite an accomplishment,” noting that most iOS exploits require chaining multiple vulnerabilities together to gain deep system access.
Cybersecurity firm FireEye suffers nation-state sponsored hack, details remain unclear
Recent news of a cyberattack targeting cybersecurity giant FireEye, believed to be orchestrated by a “sophisticated threat actor” linked to a national government, has caused considerable concern within the cybersecurity community. FireEye is frequently consulted by organizations – including governmental bodies – following a cyber incident. The compromise of FireEye itself is likened to a breach of Fort Knox, with a complete theft of its protective assets.
FireEye has not yet attributed the attack to a specific nation, although Russia is being considered as a potential source, according to reports from the Washington Post and The New York Times. The company has stated that the techniques employed in the attack are unprecedented.
The attackers successfully obtained FireEye’s red team tools, which the company uses to simulate cyberattacks against clients to assess their security posture. These tools could potentially simplify future attacks; however, FireEye has proactively published information on how to defend against them.
A significant concern exists that the stolen tools could be publicly released, mirroring an incident from three years prior where hacking tools developed by the National Security Agency were stolen and subsequently used in the global WannaCry ransomware attack, which caused widespread disruption and substantial financial losses.
However, as reported by Wired, the absence of zero-day exploits in the stolen code means there is no immediate need for widespread emergency software updates.
U.S. government utilized Patriot Act to gather website visitor data
Recent reporting by The New York Times reveals that the U.S. government invoked the Patriot Act to collect logs detailing website visitors. The statute was previously understood to be used for collecting call logs of millions of Americans.
A letter from the director of national intelligence to a prominent Democratic senator confirms that the legal authority extends to web activity.
The letter specifies that Section 215 of the statute was used to authorize the collection of logs identifying computers “in a specified foreign country” that accessed “a single, identified U.S. web page.” This particular order, as authorized by the Foreign Intelligence Surveillance Court, appears limited in scope; the government is also legally prohibited from collecting the specific search terms entered by users, which would require a warrant.
Nevertheless, concerns remain that this limited example may not accurately reflect the full extent of government surveillance practices. Senator Wyden, who recently proposed an amendment requiring a warrant for accessing Americans’ web browsing data – which narrowly failed to pass – stated that the government has “provided no guarantee” against future use of these powers to collect Americans’ browsing data.
It remains unclear whether these powers are employed to collect web browsing data on a large scale, similar to the call records program.
MOVERS AND SHAKERS
Significant changes may be on the horizon for cybersecurity within the White House. This week, the House of Representatives passed the National Defense Authorization Act, the yearly defense budget and policy bill, with a margin large enough to override a potential veto. This action strengthens the House’s position regarding President Trump’s stated intention to veto the NDAA unless it included measures to eliminate Section 230, which currently shields online platforms from legal responsibility for content posted by their users. (This development occurred concurrently with a trending, unfavorable hashtag concerning the president.)
The legislation contains numerous cybersecurity-related stipulations, including the re-establishment of a White House national cybersecurity director position. This role had previously been part of the National Security Council but was eliminated by President Trump in 2018, drawing objections from both sides of the political spectrum.
Furthermore, the NDAA proposes the creation of a cybersecurity director position within each state government to enhance cyber collaboration nationwide. Another element of the bill would grant the Cybersecurity and Infrastructure Security Agency (CISA) the authority to issue subpoenas to Internet Service Providers to reach the operators of essential infrastructure when a security flaw is identified. This proposal was initially reported by TechCrunch last year.
This represents a substantial advancement for federal cybersecurity law, incorporating 26 of the 34 recommendations put forth by the Solarium Commission, which was tasked with updating U.S. cyber defense strategies to safeguard against cyberattacks.
$ECURITY $TARTUPS
The industrial control systems security company Dragos has successfully completed a substantial Series C funding round, securing $110 million to further develop its protective capabilities. Robert Lee, the founder and chief executive, discussed the details of this investment with TechCrunch.
Orca Security, a cloud security startup based in Israel, has obtained $55 million in a new Series B funding round. Orca’s focus is on assisting organizations in upholding robust cloud security and maintaining regulatory compliance. Leveraging its innovative SideScanning technology, Orca is able to comprehensively assess a company’s entire data landscape and cloud resources to identify potential security vulnerabilities.
Beyond Identity, a security company focused on passwordless authentication through certificate-based methods compatible with various platforms, has raised $75 million in a Series B investment, increasing its overall funding to $105 million.
Additionally, be sure to explore how At-Bay obtained $34 million in funding to strengthen its cybersecurity insurance offerings.
For secure communication of tips, please use Signal or WhatsApp at +1 646-755-8849.