November saw a sharp rise in a phishing technique known as ‘Quishing’, where targets receive and scan a QR code that directs them to a malicious phishing link – often bypassing standard security controls. Apple released emergency fixes for a large portion of its ecosystem following a zero-day attack, showing that even Apple devices are not safe from adversaries.

New/Improved Techniques

Rise in Quishing Attacks Against Staff

There has been a steep rise in the number of users being targeted by QR code phishing attacks, also known as ‘quishing’. The US Federal Trade Commission (FTC) released a consumer alert warning the public after witnessing a rise in the number of quishing attacks seen in the wild. These malicious QR codes are being emailed directly to staff, often pretending to be important files or alerts generated by Microsoft or other commonly used systems. The QR codes are used to phish users via legitimate-looking login pages, or to steal MFA/session tokens.

Phishing using a QR code is effective because users do not expect malicious QR codes, given that this is a new technique, and do not verify the link before scanning and following a QR image – which is hard to do without scanning the code in the first place. In addition, QR codes must be scanned with mobile devices, which usually don’t have the same security or protection measures as enterprise-managed laptops or desktops. In an analysis undertaken by ReliaQuest it was found that 56% of quishing attempts in the last 12 months mimicked a Microsoft two-factor authentication request, with the attackers often stealing both the credentials and the MFA token from their victims, to bypass MFA and gain persistent access to the victim’s Microsoft account.
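A defender-side way to act on the traits above is to flag inbound mail that carries its "document" as an image while the visible text is short and uses MFA or Microsoft-style lures. The check below is an added example written for this newsletter, not code from ReliaQuest, the FTC or any vendor; the keyword list, word-count threshold and the constructed sample messages are assumptions chosen for illustration, and it does not decode the QR itself.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed heuristics: lure words seen in MFA-themed quishing, and the image
# types a QR code is usually embedded as. Tune both for your environment.
LURE_PATTERN = re.compile(
    r"\b(mfa|2fa|authenticat\w*|verify|verification|expire\w*|urgent|"
    r"action required|microsoft)\b", re.I)
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/bmp"}
SHORT_BODY_WORDS = 40  # assumed threshold for an "image-heavy" message


def score_quishing(raw: bytes) -> dict:
    """Score one RFC 5322 message; returns triggered indicators and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []
    images = [p for p in msg.walk() if p.get_content_type() in IMAGE_TYPES]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    text = re.sub(r"<[^>]+>", " ", text)  # crude tag strip for HTML bodies
    if images:
        indicators.append("image_part")
    if images and len(text.split()) < SHORT_BODY_WORDS:
        indicators.append("image_heavy_short_body")
    if LURE_PATTERN.search(str(msg.get("Subject", "")) + " " + text):
        indicators.append("mfa_lure_keywords")
    # Verdict: an image carrier combined with an MFA/Microsoft lure.
    suspicious = "image_part" in indicators and "mfa_lure_keywords" in indicators
    return {"indicators": indicators, "suspicious": suspicious}


def build_sample(lure: bool) -> bytes:
    """Constructed sample mail (not a real capture) with a stub PNG attached."""
    m = EmailMessage()
    m["From"] = "it-alerts@example.invalid"
    m["To"] = "staff@example.invalid"
    if lure:
        m["Subject"] = "Action required: your MFA enrolment expires today"
        m.set_content("Scan the code below to re-authenticate.")
    else:
        m["Subject"] = "Team lunch photos"
        m.set_content("Here are the photos from Friday, enjoy!")
    png_stub = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed, not a real QR
    m.add_attachment(png_stub, maintype="image", subtype="png", filename="auth.png")
    return m.as_bytes()


if __name__ == "__main__":
    for is_lure in (True, False):
        print(score_quishing(build_sample(is_lure)))
```

An image-only mail with no lure words scores `image_part` only, so the verdict stays false; pair the rule with QR decoding of the attachment where a decoder is available.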

Zero Day Attack Targeting iPhones, Watches, and Apple TVs

Apple has released an emergency fix for iPhones, Apple Watches, and Apple TVs after a vulnerability was discovered in the WebKit browser engine that underpins the Safari web browser on Apple devices. Crafted web content can be used to extract sensitive data and execute arbitrary code, impacting iPhone 8 or later, all models of iPad Pro, Apple TV HD and 4K models, and Apple Watch Series 4 or later. The US Cybersecurity and Infrastructure Security Agency (CISA) ordered US agencies to patch devices against these vulnerabilities after seeing evidence of them being actively exploited in the wild.

This comes off the back of a number of zero-day exploits for Apple’s products this year, with 20 exploited vulnerabilities being patched since January. The widespread global use of iPhones and Apple devices continues to make them a prime target for exploitation and attack – we can expect to see numerous zero-days for iOS devices into 2024 – making it crucial that devices are updated regularly.

Attacks / Threats

[Ukraine] Ukraine’s Largest Mobile Carrier Taken Down

Ukraine’s largest mobile carrier, Kyivstar, has suffered a major cyber attack this week that impacted landline internet, mobile network and mobile data services. Kyivstar provides services to over 25 million Ukrainians and was reduced to operating at around 12% of its typical network throughput during the attack, which is still ongoing. No other service providers were impacted during this time, confirming that the outage was not caused by cellular infrastructure damaged as a result of the war, and was instead the result of a direct targeted attack on Kyivstar. The attack has impacted Ukrainian access to the web, and Ukraine’s ability to provide public bombing alerts through the air raid network, as this system relies on Kyivstar’s internet access.

A Russian state-affiliated group, Songsak, has claimed responsibility for the attack, claiming to have destroyed 10 computers and 4,000 servers, as well as cloud and on-premises backup systems.

At present, competing Ukrainian mobile carriers have banded together to provide coverage during outages and interruptions – which are currently common across the region. If a carrier becomes unavailable, users are able to switch to another service free of charge to regain access to mobile services.

[New Zealand and Australia] Nissan New Zealand Faces Potential Cyberbreach

Nissan New Zealand and Australia has warned customers to be vigilant following a suspected cyber attack which allowed attackers to access the personal information of customers. Nissan have stated that they are working with their internal incident response team and cyber security authorities to investigate the attack, and that further information will be released once the scope and impact of the breach have been determined. No further details have been released at this stage.

This follows a similar data breach at Toyota in November 2023, in which the Medusa ransomware gang stole and ransomed personal information of customers in Europe and Africa. The information was sold on the dark web after Toyota failed to pay the ransom. Nissan may now be facing a similar situation, with information being leaked if the ransom is not paid within the timeframe given by the attackers.

[US] USInfoSearch Data Breach

A recent breach of user accounts on the website USInfoSearch has resulted in the leaking of personal information of a number of famous individuals, including US President Joe Biden, musician Olivia Rodrigo, and podcaster Joe Rogan, amongst numerous others. USInfoSearch is used by agencies and businesses to perform background checks on individuals, and access to the platform is tightly controlled and scrutinised by the platform itself. It has been found that these reports are being generated by legitimate, vetted accounts that have been breached by attackers and used maliciously.

A Telegram chat by the name of USiSLookups has been set up by cybercriminals who are charging between $8-$40 USD to pull a report on any named individual in the USA. Reports include data such as the subject’s date of birth, current address, previous addresses, phone numbers, employers, known relatives and associates, and driver’s licence information. This information can be used to carry out further targeted attacks on individuals, both in the digital and the physical world.

[Global] Update – Okta Revise the Scope of the Security Breach

In September 2023 Okta announced that fewer than one percent of its 18,000+ customers were impacted by a breach that involved the theft of sensitive customer information. Okta has now revised this, announcing that upwards of 97% of its customers have had their name and email address stolen – with some customers potentially having phone numbers, usernames, and employee roles leaked. This includes a large number of Okta administrators who run Okta for their organisations and are now prime targets for phishing attacks. Corporate users of Okta such as 1Password, Cloudflare, OpenAI, and T-Mobile are very likely to be implicated in the breach.

This has highlighted the importance of messaging and media statements when responding to a cybersecurity related incident, as a number of Okta customers were under the impression that they were safe and not impacted by the breach. Okta has followed up by strongly recommending that customers use MFA to protect their accounts – ironically, a control they neglected to implement on the account that was initially breached.

[US] Apple and Google Share Push Notifications with Law Enforcement

The US Government and foreign law enforcement are able to view what push notifications users are receiving on their devices, in a newly revealed surveillance technique. US Senator Ron Wyden had his office investigate whether law enforcement, and local or foreign governments, had been demanding push notification data from tech companies following a tip-off he received. He then confirmed that requests for push notification records from tech companies including Apple and Google have been occurring for some time.

Push notification data can reveal what applications a user has on their smartphone, when they receive notifications, and in some instances what information is contained in those notifications. This is often used to correlate and connect anonymous users on encrypted messaging applications by reviewing notification times and notification interactions.

Information regarding the notifications may be used in court as evidence of a user’s actions on their phone when other information is unavailable to both the tech companies themselves and to law enforcement. It is recommended that any sensitive applications, or applications that deal with sensitive content, have push notifications disabled. Apple stated that the US Federal Government prohibited it from sharing information related to this surveillance technique until the Senator’s investigation recently came to light.

[Global] Cameo is Being Used to Spread Disinformation in Russia

Cameo is an application that grew rapidly in popularity throughout 2020 and now boasts over 50,000 celebrities on the platform. Users can pay the celebrities to record a short video message, read a script, or provide a shout-out to a person of the user’s choosing. The cost ranges from $20 – $1,000 depending on the celebrity and is often used for birthday messages, personalised greetings, or to light-heartedly poke fun at friends.

Recently, Russia has been using Cameo videos to promote disinformation during their war with Ukraine. At least seven celebrities including Elijah Wood, Priscilla Presley, and Mike Tyson have been baited into recording a message for the users’ friend ‘Vladimir’, encouraging him to get help with his substance abuse problem. These have then been edited and published for the Russian public – appearing to have the celebrities addressing the Ukrainian President Volodymyr Zelensky. This is in line with other disinformation Russia has been pushing calling the Ukrainian President a drug addict with a substance abuse problem. Cameo have been unable to provide comment while an investigation is underway.