1st November, 2019 – Purple Post

This Week’s Insight from Purple Team

Let us talk about the raging news in cybersecurity this week:

Pegasus – The WhatsApp Spyware

Facebook is suing Israel’s NSO for breaching WhatsApp’s security to spy on users is the biggest news last week. So, of course we will talk about it!
The legal and ethical ramifications of how the exploit and the vulnerability are being used is beyond my capabilities to discuss. (Just know that there is no legal basis to hack a device in India, at least). However, we can look at what the breach means to you and your organization.

The Facts

First, it is important to understand that the basic vulnerability is in the WhatsApp code – Pegasus merely exploited it.   It is a fundamental flaw in the WhatsApp code, not restricted by the phone platform. So any device, whether it is Android or IOS, is vulnerable.

Also, please remember the vulnerability is not new.  While CVE-2019-3568 was entered into the NVD only this year, it has been exploited for over 3 years by bad actors. Again, Pegasus is not the only tool to exploit this vulnerability; it is merely the most visible as it calls itself an aid to law enforcement and hence, by definition, is on the side of the good guys. 

Most importantly, it is not a WhatsApp only problem – once installed, almost all the information on the device and the information that you access on the device are vulnerable. The figure alongside, sourced from Citizen Labs, shows what information can be compromised. 

What it Does

The flaw successfully allowed attackers to silently install the spyware app on targeted phones by merely placing a WhatsApp video call with specially crafted requests, even when the call was not answered.  Also, the victim would not be able to find out about the intrusion afterward as the spyware erases the incoming call information from the logs to operate stealthily.

Under hood, it is a buffer overflow flaw that allows the exploit to work by sending specially crafted SRTCP messages.  When a video call is made on WhatsApp, the call information as well as the metadata is sent to the recipient phone. When this comes, WhatsApp is “reading” this data in order to display it to you. Prior to its patch in May 2019, WhatsApp did not sanitise this package for the kind of code included in the metadata, because of which the contained Pegasus code would get executed on the recipient’s phone. This allowed remote installation of the spyware.  

It is not a virus in that it cannot be spread from an infected device to another; it requires a WhatsApp voice call to be made to a specific person.  And the call has to originate from Pegasus.  The earlier version required you to click a link but the current version evidently works by merely placing a call.

So what are the implications for you?

The good news is, it is extremely unlikely that you are a target of interest to users of Pegasus – they are looking at persons of interest politically. At current estimates, only 1500 people have been infected worldwide. (The numbers seem to be going up daily, though).

The bad news, however, is that those numbers only apply to Pegasus. There is nothing stopping other actors from using the exploit to their own ends.

So, update your WhatsApp NOW!

The other things you should do:

  • De-link cloud accounts from your device until you update WhatsApp
  • Change your passwords
  • Enhance your online safety
    Use this tool for your assessing what you need to do meet your digital security needs. 
  • Change your phone? There are reports that Pegasus can survive a factory reset.  So, if you are infected, you should replace your phone. Otherwise, no.

If you want more the details about Pegasus, Citizen Lab’s excellent article on their research is the place to start.

– Sridhar Parthasarathy, Purple Team

Learning News this Week

Kudankulam Power Plant Cyber Attack

The Kudankulam Nuclear Power Plant (KNPP) was infected by a North Korean Trojan called DTrack. The control systems of the reactor were not affected as they were air gapped. While it is known IT systems are compromised, it is not known which specific systems are compromised. KNPP was notified of the attack in September by CERT-In.


There are two learning points in this for you and your organization:

Air Gapping

The reason why we know the control systems are safe is because there is no connection between them and the internet.   They cannot be remotely controlled.  Most process industries are set up this way by default. 

However, this is a lesson that can be carried over to other industries as well, at least for mission critical systems. In this era of micro-services, it should be possible to isolate your mission critical systems. If not, at least tight access control that is periodically reviewed will help prevent most of such exploits.

Social Engineering

The DTrack remote access Trojan used in the KNPP attack has multiple variants and essentially uses process hollowing to work.  Once a system is infected, the malware has the ability to perform keylogging, copy browser history, gather all host IP addresses and retrieve information about all available networks and active connections within a device. 

If you think about it from an attacker’s perspective, it is precisely this kind of information that would enable them to mount other kind of attacks that would eventually compromise the control systems – for example, compromising an insider through other means or password reengineering or eavesdropping attack. At the very least, it allows them to build information about the IT landscape around the control systems and enables them to craft an attack with that information.

So, while it is good news that control systems are not compromised, it is bad enough that the IT systems have been breached.

News You ca7d287en Use

Top 10 Cybersecurity Terms

A basic knowledge of cybersecurity best practices goes a long way for people looking to protect their companies from cyberattacks. Although learning about cybersecurity can seem daunting, you don’t need to be an expert to help protect your business from security breaches. The page lists 10 cybersecurity terms you should be aware of, for starters.

$102 Billion Loss in one attack?

Since Ports are interconnected by definition, Lloyd’s of London warned that a single cyber attack on one of the 15 major ports across Singapore, China, Japan, South Korea, and Malaysia can result in $120 Billion loss.In a potential attack scenario targeting ship that the study posed, a software virus could scramble the cargo database logs at major ports and result in critical disruption. 

Unremovable’ XHelper 

A new Android malware strain has made a name for itself after popping up on the radar of several antivirus companies, and annoying users thanks to a self-reinstall mechanism that has made it near impossible to remove.  It known to have infected 45000 devices until now but it is seems to be spreading at the rate of 131 new victims a day. 
It is spread by web redirects.

Unlock any Fingerprint Locked Phone

Hackers working for Chinese security company Tencent claim that they have developed a method to photograph a fingerprint on any glass surface and use it to unlock any smartphone, no matter their fingerprint reader technology — in just 20 minutes

US investigates Tik-Tok

U.S. lawmakers have been calling in recent weeks for a national security probe into TikTok, concerned the Chinese company may be censoring politically sensitive content, and raising questions about how it stores personal data.

Threat Intelligence