How Pegasus Spyware Threatens Nonprofits

It’s no secret that cybersecurity threats against nonprofits are escalating. Most of these attacks are ransomware attacks that encrypt computers, leaving them inaccessible. The extortionists then demand a payment, usually in the form of bitcoin, to unlock the data.

However, nonprofits hold something much more valuable than funds. A hacker can steal a nonprofit’s PII (Personally Identifiable Information) records and use them for all types of cybercrime. In addition, state-sponsored actors can use a nonprofit as a stepping stone in a supply chain attack.

So, what is a supply chain attack, you ask? In a nutshell, a supply chain attack is a cyberattack in which a hacker compromises a target’s online partner in order to reach the target itself. For example, during the SolarWinds hack, hackers compromised an IT company in order to spy on its government partners and on cybersecurity companies as well.

But why do hackers attack an online partner rather than the target directly? It’s usually because the online partner has weaker security defenses. Experts warn that nonprofits could become unwilling participants in supply chain attacks because they tick all the right boxes: not only do most nonprofits have notoriously poor cybersecurity measures, but they often receive donations from, or partner with, renowned government organizations. This is where Pegasus spyware comes in.

Pegasus is sophisticated spyware

Over the years, there have been many different brands of spyware, but Pegasus is a cut above. This advanced spyware is the product of an Israeli cyberarms company called NSO Group. It was built for customers such as world governments. Unfortunately, states began misusing the malware to spy on journalists, activists, and organizations. According to the reputable cybersecurity publication CPO Magazine, Pegasus is an active threat against nonprofits. They cite the donor management platform Blackbaud as an example of nonprofit vulnerability: the 2019 breach exposed millions of donor profiles.

What makes Pegasus so dangerous?

The Pegasus spyware is dangerous for many reasons. For one, it spreads through multiple infection vectors, from SMS messages to malicious websites. Pegasus can also use zero-click attacks, which don’t need any interaction from the user to succeed. It works quietly in the background and doesn’t throw up any red flags. In fact, it’s so stealthy that it has spied on organization leaders, heads of state, and even Arab princesses without their security teams knowing.

Pegasus is also a robust piece of malware with capabilities including the following:

  • Steal photos and videos.
  • Secretly record victims by activating cameras and microphones.
  • Copy location records.
  • Spy on communications.
  • Log web searches.
  • Steal login credentials such as usernames and passwords.

Cybersecurity attack risk mitigation strategies

Patch systems

Pegasus relies on unpatched security vulnerabilities to infect devices, so it’s critical to patch your iPhones and Android devices as soon as updates are available. Security updates also protect your organization from other malware such as ransomware. In fact, many nonprofits continue to get hit by WannaCry ransomware because they use unlicensed operating systems that don’t have access to security patches, or simply don’t bother running software updates.

Use Secure Software

It’s always a good idea to do your homework before installing software on your nonprofit’s computers. Avoid any software with known vulnerabilities and pick tools that emphasize security. For example, Sumac’s membership management software is popular with nonprofits such as charities because it’s customizable, powerful, and secure: it has the most secure software protection for payment data and uses Amazon Web Services (AWS) for maximum member privacy. In addition, the software can restrict access to information on a need-to-know basis.

Invest in Endpoint Security

Your computer’s built-in antivirus software can’t protect you from evolving threats like ransomware and spyware. For example, Microsoft’s baked-in anti-ransomware feature is so bad that they left it deactivated by default: it throws up false positives and can crash legitimate programs. Look for an endpoint security system that shields every endpoint in your organization. Such security software is critical for a nonprofit that uses a loose Bring Your Own Device (BYOD) policy to cut costs.

Protect Your Passwords

As you probably know, your passwords should be long and complex, with uppercase and lowercase letters, numbers, and symbols. Your secret questions must also be hard to guess. If managing passwords sounds complicated, try a password manager designed for organizations like yours, so that your staff and volunteers can access their login credentials securely.

Two-factor authentication is another excellent way to defend passwords. This feature adds a layer of security by requiring anyone who logs in to validate their identity a second way, so a stolen password alone is not enough.

Staff Training

Whether it’s nonprofits or other organizations, most cybersecurity attacks exploit employee mistakes. That’s why it’s important to train staff to use secure software, set strong passwords, avoid opening phishing emails, and steer clear of suspicious downloads and websites.

With cybersecurity threats like Pegasus becoming increasingly sophisticated, nonprofits like yours must take the best defense measures to shield their data, staff, volunteers, and partners.