Federal Agents Need to Patch These Spyware Exploits
Spyware is nasty business. It’s a form of malware designed to live on the victim’s devices and report back their every move to the host, including everything from browsing activity to keystrokes. Unfortunately, a massive spyware campaign was successfully run on federal agents, and the government is, understandably, most displeased.
The Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agents to update their devices to patch known actively exploited zero-day vulnerabilities. These zero-days aren’t your usual vulnerabilities, either, as their exploits are designed to install commercial spyware on victims’ devices.
These exploits have been abused in two specific malware campaigns, first rolling out in November of last year, then again in December. The first targeted both iOS and Android devices, while the next focused exclusively on Samsung devices. Interestingly, these devices were running the latest version of Samsung Internet, Samsung’s proprietary browser.
This culminated in a “spyware suite,” allowing bad actors to decrypt data from chat and browser programs.
CISA added five of the ten vulnerabilities used in the two spyware campaigns to its Known Exploited Vulnerabilities (KEV) catalog:
- CVE-2021-30900 Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability
- CVE-2022-38181 Arm Mali GPU Kernel Driver Use-After-Free Vulnerability
- CVE-2023-0266 Linux Kernel Use-After-Free Vulnerability
- CVE-2022-3038 Google Chrome Use-After-Free Vulnerability
- CVE-2022-22706 Arm Mali GPU Kernel Driver Unspecified Vulnerability
Agents have until April 20 to patch these devices.