The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies today to patch security vulnerabilities exploited as zero-days in recent attacks to install commercial spyware on mobile devices.
The flaws in question were abused as part of several exploit chains in two separate highly-targeted campaigns targeting Android and iOS users, as Google’s Threat Analysis Group (TAG) recently revealed.
In the first series of attacks spotted in November 2022, the threat actors used separate exploit chains to compromise iOS and Android devices.
One month later, a complex chain of multiple 0-days and n-days was exploited to target Samsung Android phones running up-to-date Samsung Internet Browser versions.
The end payload was a spyware suite for Android capable of decrypting and extracting data from numerous chat and browser apps.
Both campaigns were highly targeted, and the attackers “took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices,” according to Google TAG’s Clément Lecigne.
Google TAG’s discovery was prompted by findings shared by Amnesty International’s Security Lab, which also published details regarding domains and infrastructure used in the attacks.
CISA has added today five of the ten vulnerabilities used in the two spyware campaigns to its Known Exploited Vulnerabilities (KEV) catalog:
The cybersecurity agency gave Federal Civilian Executive Branch Agencies (FCEB) agencies three weeks, until April 20, to patch vulnerable mobile devices against potential attacks that would target these five security flaws.
According to the BOD 22-01 binding operational directive issued in November 2021, FCEB agencies must secure their networks against all bugs added to CISA’s list of vulnerabilities known to be exploited in attacks.
While the BOD 22-01 directive only applies to FCEB agencies, CISA strongly urged today all organizations to prioritize packing these bugs to thwart exploitation attempts.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.