
Netizen: Monday Security Brief (12/23/2024)

Today’s Topics:

  • California Court Rules Against NSO Group in WhatsApp Spyware Case
  • Sophos Issues Patches for Critical Firewall Vulnerabilities
  • How can Netizen help?

California Court Rules Against NSO Group in WhatsApp Spyware Case

A significant legal development has unfolded as Meta-owned WhatsApp secured a critical win against the Israeli spyware vendor NSO Group. A federal judge in California ruled in favor of WhatsApp, finding NSO Group liable for exploiting a security vulnerability in the messaging platform to deliver its notorious Pegasus spyware.

“The limited evidentiary record before the court does show that defendants’ Pegasus code was sent through plaintiffs’ California-based servers 43 times during the relevant time period in May 2019,” stated United States District Judge Phyllis J. Hamilton in her ruling.

The judgment also criticized NSO Group for noncompliance, highlighting its repeated failure to produce relevant discovery materials and to adhere to court orders. This includes its refusal to hand over the Pegasus source code, which it offered to make available only to Israeli citizens, and only inside Israel.

WhatsApp’s evidence showed that NSO only disclosed code linked to an Amazon Web Services (AWS) server, omitting details that could fully reveal the spyware’s capabilities. Judge Hamilton expressed concerns, stating, “NSO’s lack of compliance with discovery orders raises serious concerns about their transparency and willingness to cooperate with the judicial process.”

The court further determined that NSO Group breached WhatsApp’s terms of service, which explicitly prohibit malicious activities like reverse engineering, decompiling, or injecting harmful code.

“This ruling is a huge win for privacy,” Will Cathcart, head of WhatsApp at Meta, shared in a statement on X. “We spent five years presenting our case because we firmly believe that spyware companies could not hide behind immunity or avoid accountability for their unlawful actions.”

The ruling paves the way for a trial to assess damages, according to Judge Hamilton.

WhatsApp initially filed its lawsuit in 2019, accusing NSO Group of gaining unauthorized access to its servers to install Pegasus spyware on roughly 1,400 devices in May 2019. The attack leveraged a then zero-day buffer overflow in WhatsApp’s voice calling (VoIP) stack (CVE-2019-3568, CVSS score: 9.8) that could be triggered by a call the target never had to answer, making it a zero-click delivery vector for the spyware.

Newly revealed court documents disclosed that NSO Group continued exploiting WhatsApp to deploy Pegasus until May 2020, underscoring the persistence of such tactics.

NSO Group has defended its spyware, claiming it is exclusively intended for government and law enforcement use to address crimes such as terrorism, child exploitation, and human trafficking, as well as to assist in search and rescue missions.

“The world’s most dangerous offenders communicate using technology designed to shield their communications, while government intelligence and law-enforcement agencies struggle to collect evidence and intelligence on their activities,” NSO stated on its website, emphasizing its mission to “create a better, safer world.”


Sophos Issues Patches for Critical Firewall Vulnerabilities

Sophos has released critical patches addressing vulnerabilities in its firewall products that could allow remote attackers to execute arbitrary code without authentication.

The most severe issue, tracked as CVE-2024-12727 and carrying a CVSS score of 9.8, is a pre-authentication SQL injection vulnerability in the firewall’s email protection feature. The flaw gives an unauthenticated attacker access to the firewall’s reporting database and can escalate to remote code execution (RCE) in specific configurations.

Sophos stated that the RCE path is reachable only when a specific Secure PDF eXchange (SPX) configuration is enabled and the firewall is running in High Availability (HA) mode. The company estimates that about 0.05% of deployed devices are in that configuration.

Sophos released hotfixes for multiple firewall versions, including v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, and v19.0 MR2. The full fix ships in Sophos Firewall v21.0 MR1 (21.0.1), which addresses not only CVE-2024-12727 but also a second critical vulnerability, CVE-2024-12728 (CVSS score: 9.8).

CVE-2024-12728 stems from a weak credential left over from HA cluster initialization. Sophos noted:

“The suggested and non-random SSH login passphrase for High Availability (HA) cluster initialization remained active after the HA establishment process completed, potentially exposing a privileged system account on the Sophos Firewall if SSH is enabled, affecting approximately 0.5% of devices.”

To mitigate this flaw, users are advised to:

  • Restrict SSH access to the dedicated HA link, which is physically separate from the other network interfaces.
  • Reconfigure HA with a sufficiently long, random, custom passphrase so the suggested one is no longer valid.
  • Disable SSH access from the WAN.
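The failure mode behind CVE-2024-12728 is a bootstrap credential that outlives the bootstrap: a suggested, non-random passphrase is used to pair the cluster and is never retired. The following is an added example (not Sophos code, and not a reproduction of the real suggested passphrase) that models an HA member’s SSH credential state in both the flawed and the corrected form, and adds a small audit that applies the three mitigations above to a firewall configuration. The `SUGGESTED_PASSPHRASE` placeholder, the `ha-sync` account name, and the `config` dictionary layout are assumptions made for the example.

```python
"""Model of the HA bootstrap-credential lifecycle behind CVE-2024-12728.

Added example for illustration; not Sophos code. The passphrase placeholder,
the account name and the config layout below are assumptions.
"""
import hashlib
import hmac
import os
import secrets

# Placeholder standing in for the vendor's "suggested and non-random"
# initialization passphrase. The real value is not reproduced here.
SUGGESTED_PASSPHRASE = "suggested-non-random-passphrase"
HA_ACCOUNT = "ha-sync"        # assumed name of the privileged system account
MIN_PASSPHRASE_LEN = 20       # policy chosen for this example
PBKDF2_ROUNDS = 50_000        # kept low so the example runs quickly


def _derive(passphrase: str, salt: bytes) -> bytes:
    """Slow password hash for the stored verifier (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


class HaNode:
    """SSH credential state of one cluster member for the HA account.

    rotate_after_establish=False reproduces the flaw: the suggested passphrase
    stays valid after pairing. True is the corrected behaviour: pairing ends
    by replacing it with a random passphrase, so the bootstrap value is dead.
    """

    def __init__(self, rotate_after_establish: bool):
        self.rotate_after_establish = rotate_after_establish
        self.established = False
        self._salt = os.urandom(16)
        # Both variants start from the suggested passphrase, as in the advisory.
        self._verifier = _derive(SUGGESTED_PASSPHRASE, self._salt)

    def set_passphrase(self, passphrase: str) -> None:
        """Install a new passphrase, enforcing a minimum length."""
        if len(passphrase) < MIN_PASSPHRASE_LEN:
            raise ValueError(f"HA passphrase must be at least {MIN_PASSPHRASE_LEN} characters")
        self._salt = os.urandom(16)
        self._verifier = _derive(passphrase, self._salt)

    def establish(self) -> str:
        """Complete HA pairing; returns the passphrase that is valid afterwards."""
        self.established = True
        if not self.rotate_after_establish:
            return SUGGESTED_PASSPHRASE          # the bug: bootstrap credential lives on
        fresh = secrets.token_urlsafe(32)        # 43 chars, 256 bits of entropy
        self.set_passphrase(fresh)
        return fresh

    def authenticate(self, account: str, passphrase: str) -> bool:
        """Constant-time check of an SSH login attempt against the stored verifier."""
        if account != HA_ACCOUNT:
            return False
        return hmac.compare_digest(_derive(passphrase, self._salt), self._verifier)


def audit(config: dict) -> list:
    """Apply the advisory's three mitigations to an assumed config layout:
    {"ssh": {"wan": bool, "lan": bool, "ha_link": bool}, "ha_passphrase": str}.
    Returns a list of findings; an empty list means all three are satisfied."""
    findings = []
    ssh = config["ssh"]
    if ssh.get("wan"):
        findings.append("SSH is enabled on the WAN zone; disable it")
    other_zones = [z for z, on in ssh.items() if on and z not in ("wan", "ha_link")]
    if other_zones:
        findings.append(f"SSH is enabled beyond the dedicated HA link ({', '.join(other_zones)}); restrict it")
    passphrase = config["ha_passphrase"]
    if passphrase == SUGGESTED_PASSPHRASE:
        findings.append("HA passphrase is still the suggested default; reconfigure HA with a random passphrase")
    elif len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append("HA passphrase is too short; reconfigure HA with a longer random passphrase")
    return findings


if __name__ == "__main__":
    flawed = HaNode(rotate_after_establish=False)
    flawed.establish()
    print("flawed node accepts bootstrap passphrase:",
          flawed.authenticate(HA_ACCOUNT, SUGGESTED_PASSPHRASE))
    fixed = HaNode(rotate_after_establish=True)
    fixed.establish()
    print("fixed node accepts bootstrap passphrase:",
          fixed.authenticate(HA_ACCOUNT, SUGGESTED_PASSPHRASE))
    # Constructed sample config: SSH exposed on WAN and LAN, default passphrase.
    print(audit({"ssh": {"wan": True, "lan": True, "ha_link": True},
                 "ha_passphrase": SUGGESTED_PASSPHRASE}))
```

The point the model makes is that the fix is not a longer passphrase by itself but an explicit end to the bootstrap credential’s lifetime: `establish()` in the corrected variant returns a passphrase the operator never typed and the suggested value stops working the moment pairing completes. Until the hotfix is applied, the `audit()` checks mirror what an operator can verify by hand on the device: no SSH on WAN, SSH only on the HA link, and a custom random passphrase configured.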

Additionally, Sophos addressed CVE-2024-12729 (CVSS score: 8.8), a post-authentication code injection vulnerability in the User Portal. An attacker with valid portal credentials could use it to execute arbitrary code remotely. Users are urged to disable WAN access to both the User Portal and Webadmin to reduce exposure. Sophos reassured users that, to date, it “has not observed these vulnerabilities to be exploited.”

Sophos firewalls have been targeted by threat actors in the past, including through the exploitation of zero-day vulnerabilities. The U.S. recently charged and sanctioned a Chinese national linked to a group accused of conducting those attacks against Sophos firewalls.

Users are encouraged to apply the latest updates promptly and follow the mitigation steps to safeguard their systems from potential threats.


How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service” offering, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 


Copyright © Netizen Corporation. All Rights Reserved.