
FBI, CISA issue PSA on Russian intelligence campaign to target messaging apps

20 March 2026 at 15:34

Russian intelligence-affiliated hackers have gained access to thousands of users’ messaging apps with a global phishing campaign, the FBI and the Cybersecurity and Infrastructure Security Agency warned in a public service announcement on Friday.

The high-value targets they’re pursuing include current and former U.S. government officials, political figures, military personnel and journalists, the two agencies said in the joint PSA about the hackers’ attempts to infiltrate commercial messaging applications (CMAs).

The U.S. alert comes on the heels of an earlier warning from Dutch authorities, who said last week that Russian hackers were “engaged in a large-scale global attempt” to take over WhatsApp and Signal accounts. The Dutch warning likewise followed a similar warning from Germany in February.

The U.S. agencies emphasized that the hackers had not been able to bypass end-to-end encryption, instead manipulating users into giving up access. The scheme involves hackers posing as Signal help personnel, then inviting targets to click a link or to provide verification codes or account personal identification numbers (PINs).

“After compromising an account, malicious actors can view the victims’ messages and contact lists, send messages, and conduct additional phishing against other CMA accounts,” the PSA explains. “(Note: reporting shows that the threat actors specifically target Signal accounts but can apply similar methods against other CMAs).”

However, “CMA users who strengthen their personal cybersecurity and defend against social engineering attempts can reduce the risk of account compromise and limit the effectiveness of the threat actors’ current tactics, techniques, and procedures,” the agencies said.

The Russian campaign is just the latest to seek to bypass the protections commercial messaging apps offer. CISA in November warned about spyware targeting of messaging apps. 

There sometimes has been a Russian intelligence nexus to the recent targeting. Google Threat Intelligence Group shined a spotlight last year on Russian attempts to target Signal users in Ukraine.

“We anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war,” the company said.

The post FBI, CISA issue PSA on Russian intelligence campaign to target messaging apps appeared first on CyberScoop.

WhatsApp releases account feature that looks to combat spyware

27 January 2026 at 12:18

WhatsApp unveiled a lockdown-style feature on Tuesday similar to those offered by other tech providers aimed at blocking sophisticated cyberattacks, with spyware in mind.

The “Strict Account Settings” feature will roll out in the coming weeks and once enabled, will allow users to limit features in certain ways, such as blocking attachments and media from others not in a user’s contact list.

“We will always defend that right to privacy for everyone, starting with default end-to-end encryption,” WhatsApp said in a blog post. “But we also know that a few of our users — like journalists or public-facing figures — may need extreme safeguards against rare and highly-sophisticated cyber attacks.”

WhatsApp has been fighting a legal battle against NSO Group stemming from the 2019 installation of the company’s Pegasus spyware on an estimated 1,400 WhatsApp users. Meta, WhatsApp’s parent company, has scored some wins in that court fight.

The WhatsApp feature “sounds like an excellent addition” to features like Apple’s Lockdown Mode and Memory Integrity Enforcement, as well as Google’s Advanced Protection, said Natalia Krapiva, senior tech legal counsel at the digital civil rights group Access Now.

“It is encouraging to see more companies enabling advanced security features to protect high risk users from spyware,” Krapiva said. “While litigation is an essential tool in combating spyware, due to the high costs and jurisdictional hurdles, it may not be accessible to most victims.

“Introducing measures like this that are free and do not require advanced technical knowledge could help stop spyware harms and prevent them from happening in the future for millions of users, especially journalists, activists, and human rights defenders,” she said.

Users can enable the feature by going to Settings > Privacy > Advanced.

The post WhatsApp releases account feature that looks to combat spyware appeared first on CyberScoop.

CISA alert draws attention to spyware’s targeting of messaging apps

24 November 2025 at 15:18

The Cybersecurity and Infrastructure Security Agency warned Monday about threat groups using commercial spyware to target messaging apps, and urged users to take protective steps.

“CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications (apps),” the agency said in a brief online notice. “These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device.”

The warning draws on research this year that calls attention to hackers who are mimicking popular apps to deploy Android spyware, as well as Android spyware targeting Samsung devices by sending image files over WhatsApp. The warning also piggybacks on research about Russian hackers infecting Signal accounts.

“While current targeting remains opportunistic, evidence suggests these cyber actors focus on high-value individuals, such as current and former high-ranking government, military, and political officials, as well as civil society organizations (CSOs) and individuals across the United States, Middle East, and Europe,” the CISA warning states.

It’s rare, but not unheard of, for CISA to warn about spyware threats. One alert dates back to 2009 from a predecessor to CISA. It has released cybersecurity advice for dealing with spyware, and placed vulnerabilities that spyware vendors have exploited on its so-called “must-patch” list for federal agencies, including the recent Samsung vulnerability.

This time, CISA directed users to mobile security guidelines and advice for civil society groups.

Beyond the warnings about targeting messaging apps, CISA also said threat groups are using malicious QR codes and zero-click exploits, which infect users even if they don’t take any direct action themselves.

The post CISA alert draws attention to spyware’s targeting of messaging apps appeared first on CyberScoop.

NSO Group argues WhatsApp injunction threatens existence, future U.S. government work

20 November 2025 at 18:11

NSO Group argued in a court filing this week that the court should pause the permanent injunction preventing it from targeting WhatsApp with its spyware while the company appeals the decision. According to the company, enforcing the injunction would cause irreparable harm to its business and prevent the U.S. government from using its products.

Those were just two of the arguments NSO Group employed in its motion to stay on Wednesday. The second argument coincides with the vendor’s recent decision to tap an ex-U.S. envoy to Israel from the first Trump administration as its executive chairman, and its confirmation of U.S. investors purchasing the company.

NSO Group repeated its claim that the Northern District Court of California’s decisions could effectively shut down the company, which makes Pegasus spyware. “NSO will suffer irreparable, potentially existential injuries if the injunction is not stayed,” it says.

But the company dived further into its reasoning. The injunction, it argues, requires the defendants to destroy code that accesses or uses the WhatsApp platform.

“The deletion and destruction of computer code and technologies cannot be undone or remedied by money damages — once these are gone, they are gone,” the NSO Group motion contends. “And the injunction prohibits NSO from engaging in entirely lawful conduct to develop, license, and sell products used in authorized government investigations — a prohibition that would devastate NSO’s business and could well force it out of business entirely.”

In the meantime, NSO Group’s competitors would have no such restrictions, the motion states. And, it says, the injunction “apparently bans NSO from selling or maintaining any technology to collect information from user devices if the target information comes from WhatsApp — even if the collection method never touches WhatsApp servers.” The effect would be to halt any NSO Group business during its appeal, the company argues.

NSO Group also maintains that the injunction goes against one of the pertinent laws in the case, the main federal anti-hacking statute: the Computer Fraud and Abuse Act (CFAA).

The law “expressly excepts from the CFAA’s prohibitions ‘any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States . . . or of an intelligence agency of the United States,’” the motion states. 

A stay is in the public interest because of Pegasus’ use in combating crime and terrorism, the company added.

“Because the Court refused to carve U.S. law-enforcement operations out of the permanent injunction, that injunction would prevent the FBI (or any other U.S. or state law enforcement or intelligence agency) from entering into another such license for any existing version of Pegasus,” the motion reads. “Regardless of whether the FBI or any other U.S. government agency has made direct, operational use of the system in the past, allowing the injunction to go into effect would thus deprive U.S. law enforcement of the ability to use the system in the future.”

The FBI once purchased a license for Pegasus and reportedly flirted with deeper involvement with NSO Group.

The second Trump administration earlier rebuffed an attempt by NSO Group to get the company removed from a Commerce Department trade blacklist. That decision came before the company’s recent U.S.-flavored moves, however.

The post NSO Group argues WhatsApp injunction threatens existence, future U.S. government work appeared first on CyberScoop.

New Landfall spyware apparently targeting Samsung phones in Middle East

7 November 2025 at 10:54

A new commercial-grade spyware has apparently been targeting Samsung Galaxy phones in the Middle East, but it’s not clear who’s behind it, researchers said in a blog post Friday.

Whoever’s responsible, they seized upon a previously unknown, unpatched vulnerability known as a zero-day — a flaw Samsung has since closed, the researchers from Palo Alto Networks’ Unit 42 said.

The company dubbed the spyware “Landfall.” The research indicates potential targets in Iran, Iraq, Morocco and Turkey, the blog post states. It’s a campaign that has been underway since at least the middle of 2024, pointing to the spyware’s ability to remain hidden.

Landfall is embedded in malicious DNG image files that seem to have been sent via WhatsApp, although there is no indication of any new vulnerability with that messaging platform. WhatsApp has been fighting spyware on another front, in a ground-breaking legal battle against leading spyware vendor NSO Group.

It doesn’t appear to require any interaction with victims, a kind of exploit called “zero-click.” Once it infects a phone, Landfall has the kind of sweeping surveillance capabilities found in spyware sold by industry vendors, capable of activating microphone recording or collecting photos and contacts.

“We believe the focus on Samsung Galaxy devices stems from the attackers exploiting a Samsung-specific image-processing zero-day, so the tooling was built for that environment,” Itay Cohen, senior principal researcher at Unit 42, told CyberScoop in an emailed comment. “That said, we think we’re only seeing part of the activity. This isn’t isolated — this campaign delivering LANDFALL appears to be part of a broader DNG exploitation wave that also hit iPhone devices via a different zero-day. It’s also possible that other mobile vendors were targeted using undiscovered vulnerabilities to deliver the same or similar implants.”

The spyware specifically targets Samsung Galaxy S22, S23, S24 and Fold/Flip devices.

There are some potential clues as to who might be involved, but all of them are inconclusive, Palo Alto Networks said.

Landfall’s command and control infrastructure and domain registration patterns share similarities with a group known as Stealth Falcon, which has suspected links to the United Arab Emirates government.

“As of October 2025, except in infrastructure, we have not observed direct overlaps between the mobile campaigns of LANDFALL and the endpoint-based activity from Stealth Falcon, nor direct strong links with Stealth Falcon,” Palo Alto Networks wrote. “However, the similarities are worth discussion.”

Samsung did not immediately respond to a request for comment.

The post New Landfall spyware apparently targeting Samsung phones in Middle East appeared first on CyberScoop.

Microsoft Patch Tuesday, September 2025 Edition

9 September 2025 at 17:21

Microsoft Corp. today issued security updates to fix more than 80 vulnerabilities in its Windows operating systems and software. There are no known “zero-day” or actively exploited vulnerabilities in this month’s bundle from Redmond, which nevertheless includes patches for 13 flaws that earned Microsoft’s most-dire “critical” label. Meanwhile, both Apple and Google recently released updates to fix zero-day bugs in their devices.

Microsoft assigns security flaws a “critical” rating when malware or miscreants can exploit them to gain remote access to a Windows system with little or no help from users. Among the more concerning critical bugs quashed this month is CVE-2025-54918. The problem here resides with Windows NTLM, or NT LAN Manager, a suite of code for managing authentication in a Windows network environment.

Redmond rates this flaw as “Exploitation More Likely,” and although it is listed as a privilege escalation vulnerability, Kev Breen at Immersive says this one is actually exploitable over the network or the Internet.

“From Microsoft’s limited description, it appears that if an attacker is able to send specially crafted packets over the network to the target device, they would have the ability to gain SYSTEM-level privileges on the target machine,” Breen said. “The patch notes for this vulnerability state that ‘Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network,’ suggesting an attacker may already need to have access to the NTLM hash or the user’s credentials.”

Breen said another patch — CVE-2025-55234, an 8.8 CVSS-scored flaw affecting the Windows SMB client for sharing files across a network — also is listed as a privilege escalation bug but is likewise remotely exploitable. This vulnerability was publicly disclosed prior to this month.

“Microsoft says that an attacker with network access would be able to perform a replay attack against a target host, which could result in the attacker gaining additional privileges, which could lead to code execution,” Breen noted.

CVE-2025-54916 is an “important” vulnerability in Windows NTFS — the default filesystem for all modern versions of Windows — that can lead to remote code execution. Microsoft likewise thinks we are more than likely to see exploitation of this bug soon: The last time Microsoft patched an NTFS bug was in March 2025 and it was already being exploited in the wild as a zero-day.

“While the title of the CVE says ‘Remote Code Execution,’ this exploit is not remotely exploitable over the network, but instead needs an attacker to either have the ability to run code on the host or to convince a user to run a file that would trigger the exploit,” Breen said. “This is commonly seen in social engineering attacks, where they send the user a file to open as an attachment or a link to a file to download and run.”

Critical and remote code execution bugs tend to steal all the limelight, but Tenable Senior Staff Research Engineer Satnam Narang notes that nearly half of all vulnerabilities fixed by Microsoft this month are privilege escalation flaws that require an attacker to have gained access to a target system first before attempting to elevate privileges.

“For the third time this year, Microsoft patched more elevation of privilege vulnerabilities than remote code execution flaws,” Narang observed.

On Sept. 3, Google fixed two flaws that were detected as exploited in zero-day attacks, including CVE-2025-38352, an elevation of privilege in the Android kernel, and CVE-2025-48543, also an elevation of privilege problem in the Android Runtime component.

Also, Apple recently patched its seventh zero-day (CVE-2025-43300) of this year. It was part of an exploit chain used along with a vulnerability in the WhatsApp instant messenger (CVE-2025-55177) to hack Apple devices. Amnesty International reports that the two zero-days have been used in “an advanced spyware campaign” over the past 90 days. The issue is fixed in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.

The SANS Internet Storm Center has a clickable breakdown of each individual fix from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on askwoody.com, which often has the skinny on wonky updates.

AskWoody also reminds us that we’re now just two months out from Microsoft discontinuing free security updates for Windows 10 computers. For those interested in safely extending the lifespan and usefulness of these older machines, check out last month’s Patch Tuesday coverage for a few pointers.

As ever, please don’t neglect to back up your data (if not your entire system) at regular intervals, and feel free to sound off in the comments if you experience problems installing any of these fixes.
