lookout.com - Massistant is a mobile forensics application used by law enforcement in China to collect extensive information from mobile devices.
Researchers at the Lookout Threat Lab have discovered a mobile forensics application named Massistant, used by law enforcement in China to collect extensive information from mobile devices. This application is believed to be the successor to a previously reported forensics tool named “MFSocket” used by state police and reported by various media outlets in 2019. These samples require physical access to the device to install, and were not distributed through the Google Play store.
Forensics tools are used by law enforcement personnel to collect sensitive data from a device confiscated by customs officials, at local or provincial border checkpoints or when stopped by law enforcement officers.
These tools can pose a risk to enterprise organizations with executives and employees that travel abroad - especially to countries with border patrol policies that allow them to confiscate mobile devices for a short period of time upon entry. In 2024, the Ministry of State Security introduced new legislation that would allow law enforcement personnel to collect and analyze devices without a warrant. There have been anecdotal reports of Chinese law enforcement collecting and analyzing the devices of business travellers. In some cases, researchers have discovered persistent, headless surveillance modules on devices confiscated and then returned by law enforcement such that mobile device activity can continue to be monitored even after the device has been returned.
In September and October 2024, Ivanti published multiple1 security2 advisories3 regarding security policy bypasses and remote code execution vulnerabilities in their Cloud Services Appliance (CSA) product. It was later revealed by FortiGuard Labs Threat Research's work4 that some threat actors had been actively chaining these vulnerabilities as early as September 9, 2024, before any security advisory or patch was publicly released by Ivanti.
In some compromise scenarios, even though the initial access stemmed from the exploitation of zero-day vulnerabilities, later stages were short of such proficient attacker tradecraft. Threat actors were seen using known malicious tools and noisy payloads for lateral movement, persistence and credential dumping.
Synacktiv's CSIRT was recently in charge of different forensic investigations where the root cause was a vulnerable CSA appliance exposed to the internet. During these engagements, we found a set of open-source tools used by the attacker to achieve its goals. In this article, we take a tour of the OSS toolset from an Ivanti CSA exploiter and discuss related detection capabilities.
Verisource Services, an employee benefits administration service provider, has determined that a previously announced data breach was far worse than initially thought and has affected up to 4 million individuals. The Houston, Texas-based company detected a hacking incident on February 28, 2024, that disrupted access to some of its systems. Third-party cybersecurity and incident response experts were engaged to investigate the incident and determine the nature and scope of the unauthorized activity.
The forensic investigation confirmed hackers had access to its network and exfiltrated files on February 27, 2024. At the time of the initial announcement, Verisource Services said names, dates of birth, genders, and Social Security numbers had been stolen. The affected individuals included employees and dependents of clients who used its services, which include HR outsourcing, benefits enrollment, billing, and administrative services.
The data breach was initially reported as affecting 1,382 individuals, but as the investigation progressed, it became clear that the breach was worse than initially thought. In August 2024, the data breach was reported to the HHS’ Office for Civil Rights (OCR) as involving the protected health information of 112,726 individuals. The most recent notification to the Maine Attorney General indicates up to 4 million individuals have been affected, a sizeable increase from previous estimates. The OCR breach portal still lists the incident as affecting 112,726 patients and plan members of its HIPAA-regulated entity clients, although that total may well be updated in the coming days.
Verisource Services explained in the breach notice that the data review was not completed until April 17, 2025, almost 14 months after the security incident was detected. Verisource Services reported the security incident to the Federal Bureau of Investigation, and several additional security measures have been implemented to improve its security posture. Notification letters had previously been sent to some affected individuals; however, the bulk of the notification letters have only recently been mailed. Verisource Services said complimentary credit monitoring and identity theft protection services have been offered to the affected individuals, who will also be protected with a $1,000,000 identity theft insurance policy.
Amnesty International said that Google fixed previously unknown flaws in Android that allowed authorities to unlock phones using forensic tools. On
Five weeks ago, the International Criminal Court detected a serious cyber security incident, thanks to the alert mechanism provided by its monitoring system. The ICC has made various and serious efforts to address this attack. The Court deems it is its responsibility to continue to inform about these efforts and to provide the relevant additional information on the attack itself.
Using machine learning, separate teams of computer scientists identified the same two men as likely authors of messages that fueled the viral movement.
