The Cybersecurity and Infrastructure Security Agency (CISA) today ordered federal agencies to patch security vulnerabilities exploited as zero-days in recent attacks to install commercial spyware on mobile devices.
The flaws in question were exploited as part of multiple exploit chains in two separate, highly targeted campaigns against Android and iOS users, as recently revealed by Google’s Threat Analysis Group (TAG).
In the first set of attacks spotted in November 2022, threat actors used separate exploit chains to compromise iOS and Android devices.
A month later, a complex chain of zero-days and n-days was exploited to target Samsung Android phones running up-to-date versions of the Samsung Internet browser.
The final payload was an Android spyware suite capable of decrypting and extracting data from numerous chat and browser applications.
Both campaigns were highly targeted, and the attackers “took advantage of the large time gap between the release of the patch and when it was fully rolled out to end-user devices,” according to Google TAG’s Clément Lecigne.
Google TAG’s discovery was prompted by findings shared by Amnesty International’s Security Lab, which also published details regarding the domains and infrastructure used in the attacks.
CISA today added five of the ten vulnerabilities used in the two spyware campaigns to its Catalog of Known Exploited Vulnerabilities (KEVs):
The cybersecurity agency has given federal civilian agencies of the executive branch (FCEB) three weeks, until April 20, to patch vulnerable mobile devices against potential attacks that would target these five security flaws.
According to Binding Operational Directive (BOD) 22-01, issued in November 2021, FCEB agencies must secure their networks against all bugs added to CISA’s list of vulnerabilities known to be exploited in attacks.
While BOD 22-01 only applies to FCEB agencies, CISA today strongly encouraged all organizations to prioritize patching these bugs to thwart exploit attempts.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.