Head of Israeli cyber spy unit exposed ... by his own privacy mistake
Plus: Another local government hobbled by ransomware; Huge rise in infostealing malware; and critical vulns
Infosec in brief Protecting your privacy online is hard. So hard, in fact, that even a top Israeli spy who managed to stay incognito for 20 years has found himself exposed after one basic error.
The spy, named Yossi Sariel, allegedly heads Israel's Unit 8200 – a team of crack infosec experts comparable to the USA’s National Security Agency or the UK’s Government Communications Headquarters. Now he's been confirmed as the author of a 2021 book titled "The Human Machine Team" about the intelligence benefits of pairing human agents with advanced AI.
Sariel – who wrote the book under the oh-so-anonymous pen name “Brigadier General YS” – made a crucial mistake, uncovered by an investigation by The Guardian, which found that an electronic copy of Sariel's book available on Amazon "included an anonymous email that can easily be traced to Sariel's name and Google account.”
The paper has since confirmed with Israeli Defense Force sources that the account was tied to Sariel, and noted multiple sources have confirmed him as the author.
Being outed after more than 20 years of anonymity isn't optimal for someone who's supposed to be a top spy, and the timing for Sariel couldn't be much worse. Criticism of the elite Unit 8200 has grown since Hamas attacked Israel last October, an attack that has been considered an intelligence failure on the part of Sariel's unit.
Whether his public exposure will result in a reassignment for Sariel is unknown, but it does make one thing clear: If a spy who heads an elite unit can make a simple mistake that compromises his identity, what hope do the rest of us have?
Critical vulnerabilities of the week
Plenty of security issues were reported last week but thankfully few were rated Critical.
Most notable is a pair of vulnerabilities in Android Pixel devices (CVE-2024-29745 and CVE-2024-29748) that, respectively, allow an attacker to disclose information and escalate privileges. The pair haven't been given a score yet, but they're being abused, so best install the latest security updates, Pixel users.
Elsewhere:
- CVSS 9.4 – Multiple CVEs: IOSix's IO-1020 micro-electronic logging devices are using default passwords for authentication and Wi-Fi, allowing an attacker to connect and potentially take over connected vehicle systems.
- CVSS 8.2 – CVE-2024-21894: The IPSec component of Ivanti Secure Connect v9.x and 22.x contains a heap overflow vulnerability allowing an attacker to crash systems and execute arbitrary code.
- CVSS 8.2 – CVE-2024-22053: A similar IPSec heap overflow vulnerability in Ivanti Secure Connect (same versions) can also allow an attacker to read contents from memory.
- CVSS 7.4–4.8 – CVE-2024-22246, CVE-2024-22247, CVE-2024-22248: The first of this trio of flaws in VMware SD-WAN products is the worst: 7.4-rated CVE-2024-22246 is an unauthenticated command injection vulnerability that can lead to remote code execution.
Another local US government falls prey to ransomware
Jackson County, Missouri revealed last week that it had fallen prey to a ransomware attack that has hobbled operations and left government offices closed as teams try to restore operations.
The county announced it was dealing with "operational inconsistencies across its digital infrastructure," and noted that "certain systems have been rendered inoperative," but said it had no indication that any data had been compromised. Impacted systems include tax payment and online property, marriage license and inmate search software.
According to local news, the situation has led to problems ranging from disabled computer systems and inoperable phone lines to broken elevators at the county detention center.
And how did it all start? Surprise, surprise: Someone clicked on a phishing link.
"This is not how a government should be run – specifically a county situation," Jackson County legislator Manny Abarca told Fox 4 Kansas City. "So this is a true failure of leadership here."
The takeaway here is obvious: Keep training people not to click those phishing links!
Data stealing malware infections rose how much?
No, it's not an April Fool's joke: Kaspersky revealed last week that there were around ten million personal and corporate devices infected with data-stealing malware in 2023 – marking an increase of 643 percent over the past three years.
We've warned of the often overlooked risk of data-stealing malware before, but it obviously bears repeating – especially since "ransomware" attacks nowadays often don't involve encryption efforts, but just simple data exfiltration and digicash demands to stop publication.
Kaspersky reported that those data-stealer infections are reaping serious rewards for cyber criminals going after credentials, with an average of 50.9 login/password combos pilfered per infected device.
"Leaked credentials carry a major threat, enabling cyber criminals to execute various attacks such as unauthorized access for theft, social engineering, or impersonation," explained Kaspersky's Sergey Shcherbel. "This highlights how crucial it is both for individuals and companies … to stay alert."
To make matters worse, Kaspersky's data points to a serious issue: Employees who get infected don't appear to be learning from their mistakes. Around 21 percent of infection victims end up installing more malware, and nearly nine percent of them do so within three days.
Time to do more cyber security awareness training. ®