Search This Blog

Showing posts with label Apple. Show all posts

Apple Came With Lockdown Mode, a New Security Feature

On Wednesday, Apple shared details of a new, advanced version of the security option named Lockdown Mode for Apple device users who may face sophisticated cybersecurity threats. 

According to the technical details of the new security update, users can avail this Lockdown Mode this fall with iOS 16, iPadOS 16, and macOS Ventura. This extreme version of security feature is designed for a few users such as government officials, journalists, and activists, who are easy prey of NSO Group or other private state-sponsored mercenary spyware. 

Ivan Krstić, Apple's head of security engineering and architecture, called Lockdown Mode "a groundbreaking capability". "While the vast majority of users will never be the victims of highly targeted cyberattacks, we will work tirelessly to protect the small number of users who are. That includes continuing to design defenses specifically for these users, as well as supporting researchers and organizations around the world doing critically important work in exposing mercenary companies that create these digital attacks." 

Lockdown Mode includes the following protection features:

• Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode. 

• Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled. 

• Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request. 

• Wired connections with a computer or accessory are blocked when iPhone is locked. 

• Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on. 

Following the updates, Lori McGlinchey, the Ford Foundation’s director of its Technology and Society program, said, “The global spyware trade targets human rights defenders, journalists, and dissidents; it facilitates violence, reinforces authoritarianism, and supports political repression...” 

“…The Ford Foundation is proud to support this great initiative to bolster civil society research and advocacy to resist mercenary spyware. We must build on Apple’s commitment, and we invite companies and donors to join the Dignity and Justice Fund and bring additional resources to this collective fight.”

Google: 5-year-old Apple Flaw Exploited

 

Google Project Zero researchers have revealed insights into a vulnerability in Apple Safari that has been extensively exploited in the wild. The vulnerability, known as CVE-2022-22620, was first patched in 2013, but experts identified a technique to overcome it in 2016. 

Apple has updated a zero-day vulnerability in the WebKit that affects iOS, iPadOS, macOS, and Safari and could have been extensively exploited in the wild, according to CVE org. 

In February, Apple patched the zero-day vulnerability; it's a use-after-free flaw that may be accessed by processing maliciously generated web content, spoofing credentials, and resulting in arbitrary code execution ."When the issue was first discovered in 2013, the version was patched entirely," Google Project Zero's Maddie Stone stated. "Three years later, amid substantial restructuring efforts, the variant was reintroduced. The vulnerability remained active for another five years before being addressed as an in-the-wild zero-day in January 2022." 

While the flaws in the History of API bug from 2013 and 2022 are fundamentally the same, the routes to triggering the vulnerability are different. The zero-day issue was then reborn as a "zombie" by further code updates made years later. 

An anonymous researcher discovered the flaw, and the corporation fixed it with better memory management. Maddie Stone examined the software's evolution over time, beginning with the code of Apple's fix and the security bulletin's description of the vulnerability, which stated that the flaw is a use-after-free flaw. 

“As an offensive security research team, we can make assumptions about the main issues that current software development teams face: Legacy code, short reviewer turn-around expectations, under-appreciation and under-rewarding of refactoring and security efforts, and a lack of memory safety mitigations” the report stated. 

"In October, 40 files were modified, with 900 additions and 1225 removals. The December commit modified 95 files, resulting in 1336 additions and 1325 removals," Stone highlighted. 

Stone further underlined the need of spending appropriate time to audit code and patches to minimize instances of duplication of fixes and to understand the security implications of the modifications being made, citing that the incident is not unique to Safari.

Apple Launches Passkey Feature For Password-less Verification

At WWDC 2022, Apple previewed and announced iPad OS 16, iOS 16, macOS 13, new MacBook Air and Pro, watchOS 9, new M2 chips, and other latest gadgets. With the improved functional features and new gadgets that have been added to these solutions, the aim is to strengthen user privacy and security. In May 2022, Google, Microsoft, and Apple announced to widen assistance for a common password-less sign-in standard developed by the FIDO Alliance, and the World Wide Web Consortium. 

According to the FIDO alliance, these companies’ platforms already support FIDO Alliance standards to enable passwordless sign-in on billions of industry-leading devices, but previous implementations require users to sign in to each website or app with each device before they can use password-less functionality. The widened assistance means that users can automatically get their FIDO login credentials also known as "passkey" for their old and new devices without the need to re sign-up for every account. 

Besides this, the users can also use FIDO verification on their smartphones to log in to applications, websites, or any nearby devices. With Apple's new operating systems and tech, the extended support when practiced will lead to secure browsing in Safari and macOS Ventura, iOS and iPad 16, with passwords. Apple says passkeys are unique digital keys that stay on the device and are never stored on a web server, so hackers can’t leak them or trick users into sharing them. 

Made to replace the need for passwords, passkeys work using Face ID, Touch ID for biometric authentication, and iCloud Keychain to sync with iPad, iphone, Mac, and Apple TV via end-to-end encryption. Apple says "[Safety Check] includes an emergency reset that helps users easily sign out of iCloud on all their other devices, reset privacy permissions, and limit messaging to just the device in their hand. It also helps users understand and manage which people and apps they’ve given access to."

Apple Blocks Millions of Apps and Restricts User Accounts

In 2021, Apple prevented more than 3.3 Million stolen credit cards from making transactions in the Apple App store, and blocked around 600,000 accounts from making transactions again. The company also mentioned that in 2021 it restricted more than 1.6 Million harmful and malicious applications and application updates from the app store. These risky apps either contained vulnerabilities that affected functioning, or restricted upgrades. 

The numbers, according to Apple, comprised over 8,35,000 problematic new applications, out of which more than 34,000 apps contained undocumented or hidden features; 1,57,000 were mentioned as spam, misleading, or copycat apps; and more than 3,40,000 apps were violating privacy. Besides this, more than 805,000 applications were restricted or blocked from the Apple store, as per the company's App Review Process. The measures meanwhile helped over 107,000 new developers launch applications in the App Store, Apple also blocked over 802,000 fake developer accounts and protected 153,000 developer applications related to scam concerns. 

In accordance with Apple's Developer Code of Conduct, developers have to be correct and truthful when showing themselves and their applications on the App Store. The code emphasizes that app developers will be removed from the Developer Program for engaging in malicious or harmful behaviour repeatedly. Customer accounts were also blocked for participating in scams and manipulating activities: amounting to 170 Million accounts. 

Besides this, more than 118 million account sign-up attempts were rejected due to suspicious potential fraud and manipulative activities. "Apple also says it took action against fraudulent ratings and reviews in the App Store. Out of over 1 billion such entries processed in 2021, more than 94 million reviews and 170 million ratings were blocked from being published. The company also removed an additional 610,000 reviews," reports the Security Week.

Synology Alerts Users of Severe Netatalk Bugs in Multiple Devices

Synology warned its customers that few of its network-attached storage (NAS) appliances are vulnerable to cyberattacks compromising various critical Netatalk vulnerabilities. Various vulnerabilities allow remote hackers to access critical information and may execute arbitrary code through a vulnerable variant of Synology Router Manager and DiskStation Manager (DSM). 

Netatalk is an Apple Filing Protocol (AFP) open-source platform that lets devices running on *NIX/*BSD work as AppleShare file servers (AFP) for Mac OS users for viewing files stored on Synology NAS devices. 

The development team of Netatalk fixed the patches in version 3.1.1, issued in March, following the Pwn2Own hacking competition in 2021. The vulnerabilities were first found and exploited in the competition. The EDG team of the NCC group exploited the vulnerability rated 9.8/10 severity score and tracked as CVE-2022-23121 to deploy remote code execution without verification on a Western Digital PR4100 NAS that runs on My Cloud OS firmware during the Pwn2Own competition. Synology mentioned three vulnerabilities in the latest warning- CVE-2022-23125, CVE-2022-23122, CVE-2022-0194, all three having high severity ratings. 

They are also letting malicious hackers deploy arbitrary codes on unfixed devices. The Netatalk development team released the security patches to resolve the issues in April, even then according to Synology, the releases for some affected devices are still in process. The NAS maker hasn't given any fixed timeline for future updates, according to Synology, it usually releases security patches for any impacted software within 90 days of publishing advisories. "

QNAP said the Netatalk vulnerabilities impact multiple QTS and QuTS hero operating system versions and QuTScloud, the company's cloud-optimized NAS operating system. Like Synology, QNAP has already released patches for one of the affected OS versions, with fixes already available for appliances running QTS 4.5.4.2012 build 20220419 and later," reports Bleeping Computers.

Google Announces Privacy Sandbox on Android to Restrict Sharing of User Data

 

Google announced on Wednesday that it will extend its Privacy Sandbox activities to Android in an effort to broaden its privacy-focused, but less disruptive, advertising technologies beyond the desktop web. To that aim, Google stated it will work on solutions that prohibit cross-app tracking, similar to Apple's App Tracking Transparency (ATT) framework, essentially restricting the exchange of user data with third parties as well as removing identifiers like advertising IDs from mobile devices. 

Anthony Chavez, vice president of product management for Android security and privacy, stated, "The Privacy Sandbox on Android builds on our existing efforts on the web, providing a clear path forward to improve user privacy without putting access to free content and services at risk." 

Google's Privacy Sandbox, which was announced in 2019, is a collection of technologies that will phase out third-party cookies and limit covert monitoring, such as fingerprinting, by reducing the number of information sites that can access to keep track of users online behavior. 

The Alphabet Inc. company, which makes the majority of its revenue from advertising, says it can safeguard phone users' data while still providing marketers and app developers with new technology to deliver targeted promotions and measure outcomes. According to Anthony Chavez, vice president of product management for Android Security & Privacy, the proposed tools for the Android mobile operating system would limit the app makers' ability to share a person's information with third parties and prohibit data monitoring across several apps. Google stated the tools would be available in beta by the end of 2022, followed by "scaled testing" in 2023. Chavez said in an interview that the best path forward is an approach “that improves user privacy and a healthy mobile app ecosystem. We need to build new technologies that provide user privacy by default while supporting these key advertising capabilities." 

Google is aiming to strike a balance between the financial needs of developers and marketers and the expanding demands of privacy-conscious consumers and regulators. The company is gathering feedback on the proposal, similar to how its Privacy Sandbox effort is gradually building a new online browsing privacy standard. Google's initial idea was met with derision from UK authorities and lawmakers, but the corporation has subsequently proposed serving adverts based on themes a web user is interested in that are erased and replaced every three weeks. 

Meta Platforms Inc., the parent company of Facebook, has been at odds with Apple over the company's App Monitoring Transparency tool, which allows iPhone users to turn off tracking across all of their apps. According to executives, Google's YouTube has taken a minor financial hit as a result of the technology. In other words, it makes it more difficult for marketers to verify whether their iPhone advertising was effective. 

According to Chavez, the Android Privacy Sandbox would enable tailored advertising based on recent "topics" of interest, and enable attribution reporting, which will tell marketers if their ad was effective.

Customers  Threatened by a Data Breach at Hong Kong's Harbour Plaza Hotel

 

Hong Kong's privacy authority is looking into a hack against the Harbour Plaza hotel company, which revealed more than 1.2 million visitors' booking information. The investigation's goal is to learn more about what kind of private details were compromised. Customers have been warned to keep an eye out for any strange activity in their accounts and to be aware of any unexpected emails, calls, or messages in the meantime. 

"The impacted data was the information of visitors who remained within these hotels," the PCPD tells ISMG. "As the investigations into the cyberattack are ongoing," the PCPD told ISMG, declining to specify the type of hack, the threat actor involved, or the data compromised. 

According to Harbour Plaza's statement, the Hong Kong Police was also notified along with certain other relevant authorities. The company has hired an undisclosed third-party cybersecurity forensics agency to investigate and control the problem, as well as improve its security perimeter in the future. 

According to the company's FAQs about the data leak, those who are affected will be alerted. Customers should be "extra cautious against scamming or other attempted schemes," according to the hotel firm, which says "lodging reservation databases" were impacted. It indicates possible information such as a customer's name, email address, phone number, reservation, and stay details may have been hacked. 

Inquiry into the data leak at online retailer HKTVmall 

Separately, the PCPD is looking into a case involving HKTVmall, a well-known shopping and entertainment platform run by Hong Kong Technology Venture Co. Ltd. 

The security breach has endangered the personal details of a "small fraction" of HKTV Co. Ltd.'s 4.38 million registered customers, according to a statement made on Feb. 4. According to the notice, the connected server was in an "other Asian" country. 

According to the company, it promptly notified the Hong Kong Police or the PCPD, and hired two cybercrime firms on January 27 "to conduct an investigation and further enhance HKTVmall's server security measures." 

Customer data that may have been obtained by an unauthorized person, according to HKTVmall, includes:

  • Account names which have been registered.
  • Login passwords which are encrypted and masked.
  • Email addresses which have been registered and that can be contacted. 
  • Names of recipients, shipping addresses, and contact numbers for orders placed between December 2014 and September 2018.
  • Clients who have connected their HKTVmall account to a Facebook account or an Apple ID have the date of birth, official name, and email accounts for Facebook accounts and Apple IDs.

An Israeli Spy Agency, QuaDream, Hacks Devices 

 

According to Reuters, an Apple software loop exploited by Israeli spy firm NSO Group to hack access iPhones in 2021 was also targeted by a competitor at the same time. 

The two companies QuaDream got the capacity to remotely hack into iPhones, compromising the smartphones without the user clicking on a malicious link. The fact the two firms employed the same advanced 'zero-click' hacking technique suggests that cellphones are more prone to digital espionage than the industry admits. 

The two organizations utilized ForcedEntry software exploits to steal iPhones. In the context, it's worth noting that an exploit is a piece of computer code that takes advantage of a set of unique software flaws to provide a hacker unauthorized access to data. 

"People want to feel they're safe, and telecommunications companies want the user to assume they're safe," stated Dave Aitel, a cybersecurity partner at Cordyceps Systems. 

Some notable Israelis have been attacked with Pegasus, according to a recent revelation from the Israeli publication Calcalist, including a son of former Prime Minister Benjamin Netanyahu. "CEOs of government ministries, news reporters, tycoons, corporate executives, mayors, social activists, and even the Prime Minister's relatives were all police targets," according to Calcalist. "Phones were hacked by NSO's spyware prior to any research even opening and without any judicial authorization." 

Some of QuaDream's clients overlapped with NSO Group's  implying that the buyers utilized Pegasus and REIGN for surveillance, specifically targeting political opponents. Surprisingly, the two cyberweapon's techniques were so identical when Apple patched the security weakness, it didn't make a difference. 

Spyware firms have long claimed to sell high-powered technologies to assist governments in combating national security threats. Human rights organizations and journalists, on the other hand, have reported the use of spyware to harm civil society, discredit political opposition, and sabotage elections on numerous occasions. 

Pegasus was also recently discovered on the devices of Finland's diplomatic corps working outside the nation, according to Finnish officials, as well as of a wide-ranging espionage campaign. Pegasus was allegedly installed on the iPhones of at least nine US State Department workers.

New Safari Vulnerability Could have given Attackers Access to Your Mac Webcam

 

Apple has awarded a cybersecurity student $100,500 (roughly Rs 75,54,000) in bounty rewards for finding a bug in Apple’s macOS, which enabled malicious actors to access the victims’ logged-in online accounts and even get into their webcams. 

Ryan Pickren, reported the flaw to Apple last summer, and was patched earlier this month. Pickren is no stranger to Apple bugs, as he uncovered an iPhone and Mac camera vulnerability earlier in April 2020. Now, he has exposed another Mac webcam bug that allows attackers to breach into the device and access sensitive user information. 

According to a report by AppleInsider, this Apple Mac webcam bug was related to a series of issues with iCloud and Safari browser. 

The vulnerability grants the hacker "full access to every website you've visited in Safari, meaning that if you're visiting my evil website on one tab, and then your other tab, you have Twitter open, I can jump into that tab and do everything you can from that screen. So, it does allow me to fully perform an account takeover on every website you visited in Safari," Pickren explained in a blog post. 

According to Pickren, it all began with exploiting the Safari browser (Safari v15 when he attempted this) and gaining access to the webarchive files. Webarchives are local storage for the Safari browser where it saves local copies of websites to open them faster. This wouldn’t be a problem, were it not for the simple fact that the downloaded files could later be altered by the author. So, a victim could download an innocent .PNG file, only to have it transform into a malicious webarchive file. 

“In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment. Yikes. Agreed to view my PNG file yesterday? Well, today it's an executable binary that will be automatically launched whenever I want,” Picker explained in a further blog post.

To open the webarchive file, Pickren further explains, he needed to bypass the Gatekeeper restriction, which turned out to be relatively simple. He used a fileloc to point to a local app (a technique known as Arbitrary File Execution) which was a great example of how even with macOS Gatekeeper enabled, an attacker could trick approved apps into performing malicious tasks 

Typically, researchers disclose the exploits after the company has fixed the issue, which explains why Pickren is posting about this now. The reason is to ensure that the flaw is patched before attackers can start exploiting it. 


New Apple Flaw Exposes Users’ Browser History and Google Account Details

 

A bug has been detected on Apple’s Safari 15, that can leak your recent browsing activity and expose your Google User ID to other sites. The flaw was introduced to Safari 15 via the Indexed Database API (IndexedDB), which is part of Apple's WebKit web browser development engine, according to a Saturday blog post by FingerprintJS. IndexedDB can be utilized to save data on the computer, such as websites visited, so that they load faster when one returns. 

IndexedDB likewise adheres to the same-origin principle, which prohibits websites from freely interacting with one another unless they have the same domain name (among other requirements). Imagine it being under quarantine and only being able to interact with members of your family.  

Moreover, the problem discovered by FingerprintJS allows IndexedDB to break the same-origin policy, revealing data it has gathered to websites from which it did not collect it. Unfortunately, some websites, such as those in the Google network, include unique user-specific identifiers in the information sent to IndexedDB. This implies that if you're logged into your Google account, the information gathered can be utilized to accurately identify the browsing history as well as account information. It can also figure out whether you're logged into more than one account. 

FingerprintJS stated, "Not only does this imply that untrusted or malicious websites can learn a user’s identity, but it also allows the linking together of multiple separate accounts used by the same user." 

They also posted a video demonstrating the type of data that the attack can disclose. The flaw was reported by FingerprintJS at the end of November, but Apple has yet to patch it. All of this is alarming, but there's not much one can do about it at the moment. Because a private tab can't see what's happening in any other tabs, whether private or public, browsing in Safari's Private mode can limit the potential damage. However, it isn't without flaws. 

"[I]f you visit multiple different websites within the same [private] tab, all databases these websites interact with are leaked to all subsequently visited websites," wrote FingerprintJS.

Switching from Safari to another browser can protect Mac users from the flaw, but iOS and iPadOS users are out of luck. While only Safari has been affected on Mac, Apple's requirement that both iOS and iPad web browsers utilize WebKit implies the IndexedDB flaw has affected all of these systems' browsers.

Citizen Lab Exposes Cytrox as Vendor Behind 'Predator' iPhone Spyware

 

The University of Toronto's Citizen Lab has found yet another player in the private sector mobile spyware market, citing a small North Macedonian firm called Cytrox as the maker of high-end iPhone implants. 

Citizen Lab worked with Facebook parent company Meta's threat-intelligence team to expose Cytrox and a handful of other PSOAs (private sector offensive actors) in the murky surveillance-for-hire industry. Citizen Lab stated that Cytrox is behind a piece of iPhone spying malware that was put on the phones of two prominent Egyptians, according to a detailed technical analysis published. 

Predator, the malware, was able to infect the most recent iOS version (14.6) utilising single URLs provided via WhatsApp. Exiled Egyptian politician Ayman Nour was spooked by his iPhone overheating, and later discovered evidence of two different spyware applications running on the device, administered by two different government APT actors. 

The Egyptian government, a known Cytrox customer, has been attributed with the attack, according to Citizen Lab. Nour's phone was infected with both Cytrox's Predator and Israeli vendor NSO Group's more well-known Pegasus spyware, according to Citizen Lab. Citizen Lab's exposé detailed Cytrox's background as a startup launched in 2017 by Ivo Malinkovksi, a North Macedonian who later integrated the company with Intellexa and publicly hawked digital forensics tools. The firm claims to be established in the European Union, with R&D labs and sites all over Europe. 

In a separate advisory published by Meta’s security team, Cytrox is listed alongside Cobwebs Technologies, Cognate, Black Cupe, Bluehawk CI, BellTroX and two unknown Chinese entities among a growing roster of private companies in the surveillance-for-hire business. 

These firms handle the reconnaissance, engagement, and exploitation phases of advanced malware campaigns for governments and law enforcement agencies all across the world, including those that target journalists, politicians, and other members of civil society. 

Cytrox was recognised as a company that "develops exploits and sells surveillance tools and viruses that enable its clients to compromise iOS and Android devices," as per Facebook's team. 

Facebook’s security team stated, “[We were] able to find a vast domain infrastructure that we believe Cytrox used to spoof legitimate news entities in the countries of their interest and mimic legitimate URL-shortening and social media service.” 

“They used these domains as part of their phishing and compromise campaigns. Cytrox and its customers took steps to tailor their attacks for particular targets by only infecting people with malware when they passed certain technical checks, including IP address and device type. If the checks failed, people could be redirected to legitimate news or other websites.” 

“Targets of Cytrox and its customers included politicians and journalists around the world, including in Egypt and Armenia.”

NSO Zero-Click iPhone Exploit Termed 'Incredible and Terrifying' by Researchers

 

Google has described how the surveillance firm NSO Group created an exploit that would allow the user of their software to acquire entry to an iPhone and install malware – and all without the victim ever clicking on a link. 

The US Department of Commerce put NSO Group on its "entity list" last month, effectively barring it from US marketplaces given the evidence that it provided spyware to other authorities, which used it to attack government officials, journalists, entrepreneurs, activists, academics, and embassy workers. Apple issued a permanent injunction prohibiting NSO from using any of its software, applications, or equipment in late November. 

Google's Project Zero (GPZ) has now assessed a comparatively new NSO 'zero-click' attack for iOS 14.7.1 and older, calling it "one of the most technically sophisticated exploits we've ever seen". 

The NSO's exploit was regarded as "incredible" and "terrifying" by GPZ's Ian Beer and Samuel Groß. The hack generates a "weird" emulated computing atmosphere within an iOS element that manages GIFs but does not ordinarily allow scripting. Nevertheless, this exploit allows the attacker to execute JavaScript-like code in that component to write to arbitrary memory regions - and therefore remotely hack an iPhone. 

Citizen Lab, a Canadian security firm, revealed the problem to Apple as part of its collaborative investigation with Amnesty International into NSO's Pegasus mobile spyware program, which can be loaded after jailbreaking an iPhone via an exploit. 

This September, Apple fixed the memory corruption flaw in the CoreGraphics component, identified as CVE-2021-30860, in iOS 14.8. 

GPZ's Beer and Groß said it showed "the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation-states". 

 iMessage is the first point of contact for Pegasus on the iPhone. According to the research, this means that a person can be targeted simply by providing their phone number or AppleID username. 

The flaw in iMessage is due to the extra functionalities Apple allowed for GIF pictures. In iOS's ImageIO library, Apple employs a "fake gif" method to make standard GIF images loop indefinitely. This method also introduces over 20 more image codecs, providing attackers with a far bigger surface to attack. 

"NSO uses the "fake gif" trick to target a vulnerability in the CoreGraphics PDF parser," Beer and Groß explain. 

NSO discovered that powerful tool in Apple's usage of the JBIG2 standard for image compression and decompression. Originally, the standard was utilized in outdated Xerox scanners to efficiently convert photos from paper into PDF files only a few kilobytes in size. 

The emulated database design, which relied on the JBIG2 part of Apple's CoreGraphics PDF parser, was one of several clever methods NSO devised. Despite JBIG2's lack of scripting features, they were able to write to arbitrary memory addresses using an emulated computer environment and a scripting language similar to JavaScript. 

"JBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory," explains Beer and Groß. 

"The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It's pretty incredible, and at the same time, pretty terrifying."

Pegasus Spyware Reportedly Hacked iPhones of U.S. State Department & Diplomats

 

An unidentified party used NSO Group's Pegasus spyware to attack the Apple iPhones of at least nine US State Department officials, as per a report published Friday by Reuters. 

After receiving a query about the incident, NSO Group indicated in an email to The Register that it had barred an unnamed customer's access to its system, but it has yet to determine whether its software was engaged. 

An NSO spokesperson told The Register in an email, "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations." 

"To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case." 

The Israel-based firm, which was recently sanctioned by the US for reportedly selling intrusion software to repressive regimes and is being sued by Apple and Meta's (Facebook's) WhatsApp for allegedly assisting the hacking of their customers, says it will work cooperatively with any relevant government authority and share what it learns from its investigation. 

NSO's spokesperson stated, “To clarify, the installation of our software by the customer occurs via phone numbers. As stated before, NSO’s technologies are blocked from working on US (+1) numbers. Once the software is sold to the licensed customer, NSO has no way to know who the targets of the customers are, as such, we were not and could not have been aware of this case." 

According to Reuters, the impacted State Department officials were situated in Uganda or were focused on Ugandan issues, therefore their phone numbers had a foreign nation prefix rather than a US prefix. When Apple launched its complaint against the NSO Group on November 23rd, the iPhone maker also stated that it will tell iPhone customers who have been the target of state-sponsored hacking. On the same day, Norbert Mao, a communist, was assassinated. On the same day, Norbert Mao, a lawyer and the President of Uganda's Democratic Party, tweeted that he'd gotten an Apple threat notification. 

According to the Washington Post, NSO's Pegasus software was involved in the attempted or accomplished hacking of 37 phones linked to journalists and rights activists, including two women connected to Saudi journalist Jamal Khashoggi. The findings contradicted NSO Group's claims that their software was only licenced for battling terrorists and law enforcement, according to the report. 

The NSO Group released its 2021 Transparency and Responsibility Report [PDF] the same month, insisting that its software is only used against groups with few sympathisers, such as terrorists, criminals, and pedophiles. 

Several reports from cybersecurity research and human rights organisations, not to mention UN, EU, and US claims about the firm, have disputed that assertion. The US State Department refused The Register's request for confirmation of the Reuters claim but said the agency takes its obligation to protect its data seriously. They were also told that the Biden-Harris administration is seeking to limit the use of repressive digital tools.

Israeli Company Spyware Targets US Department Phones

 

According to four individuals familiar with the situation, the iPhones of at least nine U.S. State Department workers had been compromised by an unidentified man using advanced spyware produced by the Israel-based NSO Group. 

The attacks, which occurred in the previous few months, targeted U.S. officials who were either based in Uganda or focused on issues about the East African country, according to two of the sources. 

The attacks, which were first revealed here, are the most extensive known hacks of US officials using NSO technology. Earlier, a database of numbers with prospective targets that included certain American leaders surfaced in NSO reporting, although it was unclear if incursions were always attempted or successful. 

NSO Group stated in a statement that it had no evidence that its tools had been used, but that it had canceled access for the relevant clients and therefore would investigate. 

"If our investigation shall show these actions indeed happened with NSO's tools, such customer will be terminated permanently and legal actions will take place," said an NSO spokesperson, who added that NSO will also "cooperate with any relevant government authority and present the full information we will have." 

NSO has always stated that it exclusively sells its products to government law enforcement and intelligence agencies to assist them in monitoring security concerns and that it is not intimately associated with surveillance operations. 

A State Department official refused to respond to the intrusions and pointed to the Commerce Department's recent decision to place the Israeli corporation on an entity list, making it more difficult for US businesses to do business with them. 

NSO Group and another spyware firm were "added to the Entity List based on a determination that they developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, business people, activists, academics, and embassy workers," the Commerce Department said in an announcement last month. 

According to product instructions reviewed by Reuters, the NSO application is capable of not just stealing encrypted messages, images, and other confidential material from compromised phones, but also turning them into recording devices to watch their surroundings. 

The developer of the spyware employed in this hack was not named in Apple's advisory to affected consumers. According to two of the people who were alerted by Apple, the victims included American residents who were easily identified as U.S. government officials because they paired email addresses ending in state.gov with their Apple IDs. 

According to the sources, they and other victims alerted by Apple in multiple countries have been affected by the same graphics processing vulnerability. 

The Israeli embassy in Washington stated in a statement that targeting American officials would be a major violation of its norms. 

"Cyber products like the one mentioned are supervised and licensed to be exported to governments only for purposes related to counter-terrorism and severe crimes," an embassy spokesperson said. "The licensing provisions are very clear and if these claims are true, it is a severe violation of these provisions."

Apple Sues NSO Group for Using Pegasus Spyware to Spy on iPhone Users

 

In a U.S. federal court, Apple has sued NSO Group and its parent firm Q Cyber Technologies for illegally targeting users with its Pegasus spying tool, marking yet another setback for the Israeli spyware vendor. NSO Group is described as "notorious hackers — amoral 21st-century mercenaries who have constructed highly sophisticated cyber-surveillance equipment that promotes routine and egregious exploitation" by the Cupertino-based tech giant. 

“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of Software Engineering. “Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous."

Pegasus is designed as an invasive "military-grade" spyware capable of exfiltrating sensitive personal and geolocation information and stealthily activating the phones' cameras and microphones. It is typically installed by leveraging "zero-click" exploits that infect targeted devices without any user interaction. 

The FORCEDENTRY exploit in iMessage was used to evade iOS security measures and target nine Bahraini activists, according to Apple's lawsuit. The attackers used over 100 false Apple IDs to send harmful data to the victims' devices, allowing NSO Group or its clients to deploy and install Pegasus spyware without their knowledge, according to the firm. In September, Apple patched the zero-day vulnerability. 

"The abusive data was sent to the target phone through Apple's iMessage service, disabling logging on a targeted Apple device so that Defendants could surreptitiously deliver the Pegasus payload via a larger file," Apple detailed in its filing. "That larger file would be temporarily stored in an encrypted form unreadable to Apple on one of Apple's iCloud servers in the United States or abroad for delivery to the target." 

The lawsuit also mirrors a similar action taken by Meta (previously Facebook) in October 2019, when it sued the firm for installing Pegasus on 1,400 mobile devices belonging to diplomats, journalists, and human rights activists by exploiting a weakness in its WhatsApp messaging software. 

Apple praises organizations such as Citizen Lab and Amnesty Tech for their pioneering efforts in identifying cyber-surveillance abuses and assisting victims. To support efforts like these, Apple announced that it will donate $10 million to organizations conducting cyber surveillance research and advocacy, plus any damages from the lawsuit.

Microsoft: Shrootless Bug Allows Hackers Install macOS Rootkits

 

A new macOS vulnerability found by Microsoft could be used by attackers to circumvent System Integrity Protection (SIP) and conduct arbitrary activities, gain root privileges, and install rootkits on susceptible computers. 

The Microsoft 365 Defender Research Team disclosed the Shrootless vulnerability (now tracked as CVE-2021-30892) to Apple via the Microsoft Security Vulnerability Research Program (MSVR). SIP (also known as rootless) is a macOS security mechanism that prevents potentially dangerous programs from editing protected folders and files by restricting the root user account's ability to conduct operations on protected sections of the OS. 

SIP permits only processes signed by Apple or those with specific entitlements (i.e., Apple software updates and Apple installers) to change these protected sections of macOS. Microsoft researchers found the Shrootless security flaw after finding that the system_installed daemon had the com.apple.rootless.install.inheritable entitlement, which enabled any child process to completely circumvent SIP filesystem limitations. 

Jonathan Bar Or, a principal security researcher at Microsoft stated, "We found that the vulnerability lies in how Apple-signed packages with post-install scripts are installed. A malicious actor could create a specially crafted file that would hijack the installation process. After bypassing SIP’s restrictions, the attacker could then install a malicious kernel driver (rootkit), overwrite system files, or install persistent, undetectable malware, among others." 

With the security upgrades released on October 26, Apple addressed the security vulnerability. According to Apple's security alert, "a malicious programme may be able to manipulate protected areas of the file system." 

"We want to thank the Apple product security team for their professionalism and responsiveness in fixing the issue," Jonathan Bar Or added.

Microsoft also announced last week that it has discovered new strains of macOS WizardUpdate malware (also known as UpdateAgent or Vigram), which had been upgraded to employ new evasion and persistence techniques. 

The trojan distributes second-stage malware payloads, such as Adload, a malware strain that has been active since late 2017 and is notorious for being able to infect Macs despite Apple's YARA signature-based XProtect built-in antivirus.

Security Issues in Visa and Apple Payment Could Result in Fraudulent Contactless Payments

 

Researchers warn that an attacker who steals a locked iPhone can use a saved Visa card to conduct contactless payments worth thousands of dollars without having to unlock the phone. According to an academic team from the Universities of Birmingham and Surrey, backed by the UK's National Cyber Security Centre (NCSC), the problem is caused by unpatched vulnerabilities in both the Apple Pay and Visa systems. Visa, on the other hand, claims that Apple Pay transactions are safe and that any real-world assaults would be impossible to execute. 

Any iPhone with a Visa card set up in "Express Transit" mode can make fraudulent tap-and-go payments at card readers, according to the team. Commuters all around the world, including those on the New York City subway, the Chicago El, and the London Underground, may tap their phones on a reader to pay their fares without having to unlock their devices. 

The problem, which exclusively affects Apple Pay and Visa, is created, according to the researchers, by the usage of a unique code, dubbed "magic bytes," that is broadcast by transit gates and turnstiles to open Apple Pay. They were able to undertake a relay attack using ordinary radio equipment, deceiving an iPhone into thinking it was talking to a transit gate, according to the team. 

 “An attacker only needs a stolen, powered-on iPhone,” according to a writeup published this week. “The transactions could also be relayed from an iPhone inside someone’s bag, without their knowledge. The attacker needs no assistance from the merchant.” 

The researchers demonstrated a £1,000 payment being delivered from a locked iPhone to a normal, non-transit Europay, Mastercard, and Visa (EMV) credit-card reader in a proof-of-concept video. Visa said in a statement that Visa cards linked to Apple Pay Express Transit are safe to use and that cardholders should continue to do so. Contactless fraud methods have been investigated in the lab for over a decade and have proven to be impracticable to implement on a large scale in the real world. They also said that it takes all security concerns seriously and is always working to improve payment security across the ecosystem. 

“Logically, it’s an interesting advancement of tapping a contactless card machine against someone’s wallet/purse in their back pocket on the subway/metro,” Ken Munro, a researcher with Pen Test Partners, said. “However, I’m more concerned about the threat of fraud with a stolen phone. In the past, the PIN would have prevented fraud from a stolen phone. Now, there’s a valid attack method that makes theft of a phone with Express Transit enabled really quite valuable.”

New Zero-Click iMessage Exploit Used to Deploy Pegasus Spyware

 

Citizen Lab's digital threat researchers have discovered a new zero-click iMessage exploit that was exploited to install NSO Group's Pegasus spyware on Bahraini activists' smartphones. In total, nine Bahraini activists (including members of the Bahrain Center for Human Rights, Waad, and Al Wefaq) had their iPhones hacked in a campaign conducted by a Pegasus operator linked to the Bahraini government with high confidence, according to Citizen Lab. 

After being compromised using two zero-click iMessage exploits (that do not involve user participation), the spyware was installed on their devices: the 2020 KISMET exploit and a new never-before-seen exploit named FORCEDENTRY. 

In February 2021, Citizen Lab first noticed NSO Group deploying the new zero-click FORCEDENTRY iMessage attack, which bypasses Apple's BlastDoor protection. BlastDoor, a structural change in iOS 14 aimed to stop message-based, zero-click attacks like this, had just been released the month before. BlastDoor was designed to prevent Pegasus attacks by operating as a "tightly sandboxed" service responsible for "almost all" of the parsing of untrusted data in iMessages, according to Samuel Groß of Google Project Zero.

“We saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day,” Citizen Lab said. “With the consent of targets, we shared these crash logs and some additional phone logs relating to KISMET and FORCEDENTRY with Apple, Inc., which confirmed they were investigating.” 

Attacks like the ones revealed by Citizen Lab, according to Ivan Krstić, head of Apple Security Engineering and Architecture, are highly targeted and hence nothing to worry about for most people, at least. Such attacks are "very complex, cost millions of dollars to design, often have a short shelf life, and are used to target specific individuals," according to Krstić. 

In addition to Apple's iMessage, NSO Group has a history of using other messaging apps, such as WhatsApp, to spread malware. Nonetheless, Citizen Lab believes that disabling iMessage and FaceTime in this circumstance, with these specific threats, may have blocked the threat actors. Researchers emphasized that disabling iMessage and FaceTime would not provide total security from zero-click assaults or adware.

NSO Group stated in a statement to Bloomberg that it hasn't read the report yet, but it has concerns about Citizen Lab's techniques and motivations. According to the company's statement, "If NSO gets reliable evidence relating to the system's misuse, the company will thoroughly investigate the claims and act accordingly."

Pegasus iPhone Hacks Used as Bait in Extortion Scam

 

A new extortion fraud attempts to profit from the recent Pegasus iOS spyware attacks to threaten victims to pay a blackmail demand. 

Last month, Amnesty International and the non-profit project Forbidden Stories disclosed that the Pegasus spyware was installed on completely updated iPhones via a zero-day zero-click iMessage vulnerability. 

A zero-click vulnerability is a flaw that can be exploited on a device without requiring the user's interaction. For instance, a zero-click hack would be a vulnerability that could be exploited just by visiting a website or getting a message. 

Governments are believed to have employed this spyware to eavesdrop on politicians, journalists, human rights activists, and corporate leaders worldwide. This week, a threat actor began contacting users, informing them that their iPhone had been compromised with a zero-click vulnerability that allowed the Pegasus spyware software to be installed. 

According to the fraudster, Pegasus has tracked the recipient's actions and captured recordings of them at "the most private moments" of their lives. According to the email, the threat actor will disseminate the recordings to the recipient's family, friends, and business partners if a 0.035 bitcoin (roughly $1,600) payment is not made. 

The full text of the email stated: 
"Hi there Hello, 
I'm going to share important information with you. 
Have you heard about Pegasus? 
You have become a collateral victim. It's very important that you read the information below. 
Your phone was penetrated with a “zero-click” attack, meaning you didn't even need to click on a malicious link for your phone to be infected. 
Pegasus is a malware that infects iPhones and Android devices and enables operators of the tool to extract messages, photos, and emails, record calls and secretly activate cameras or microphones and read the contents of encrypted messaging apps such as WhatsApp, Facebook, Telegram, and Signal.
Basically, it can spy on every aspect of your life. That's precisely what it did. I am a blackhat hacker and do this for a living. Unfortunately, you are my victim. Please read on. 
As you understand, I have used the malware capabilities to spy on you and harvested datas of your private life.
My only goal is to make money and I have perfect leverage for this. As you can imagine in your worst dream, I have videos of you exposed during the most private moments of your life when you are not expecting it. 
I personally have no interest in them, but there are public websites that have perverts loving that content. 
As I said, I only do this to make money and not trying to destroy your life. But if necessary, I will publish the videos. If this is not enough for you, I will make sure your contacts, friends, business associates and everybody you know sees those videos as well. 
Here is the deal. I will delete the files after I receive 0.035 Bitcoin (about 1600 US Dollars). You need to send that amount here bc1q7g8ny0p95pkuag0gay2lyl3m0emk65v5ug9uy7 
I will also clear your device from malware, and you keep living your life. Otherwise, shit will happen. The fee is non-negotiable, to be transferred within 2 business days. 
Obviously do not try to ask for any help from anybody unless you want your privacy to be violated. 
I will monitor your every move until I get paid. If you keep your end of the agreement, you won't hear from me ever again. 
Take care." 

Apparently, the bitcoin address indicated in the sample email seen by BleepingComputer has not received any payments. However, other bitcoin addresses might be utilized in this fraud. One may believe that no one would fall for this swindle, yet similar methods in the past have fetched over $50,000 in a week.

New AdLoad Malware Circumvents Apple’s XProtect to Infect macOS Devices

 

As part of multiple campaigns detected by cybersecurity firm SentinelOne, a new AdLoad malware strain is infecting Macs bypassing Apple's YARA signature-based XProtect built-in antivirus. 

AdLoad is a widespread trojan that has been aiming at the macOS platform since late 2017 and is used to distribute a variety of malicious payloads, including adware and Potentially Unwanted Applications (PUAs). This malware can also harvest system information and send it to remote servers managed by its operators. 

According to SentinelOne threat researcher Phil Stokes, these large-scale and continuing attacks began in early November 2020, with a spike in activity commencing in July and early August. 

AdLoad will install a Man-in-the-Middle (MiTM) web proxy after infecting a Mac to compromise search engine results and incorporate commercials into online sites for financial benefit. 

It will also acquire longevity on infected Macs by installing LaunchAgents and LaunchDaemons, as well as user cronjobs that run every two and a half hours in some circumstances. 

According to SentinelLabs, “When the user logs in, the AdLoad persistence agent will execute a binary hidden in the same user’s ~/Library/Application Support/ folder. That binary follows another deterministic pattern, whereby the child folder in Application Support is prepended with a period and a random string of digits. Within that directory is another directory called /Services/, which in turn contains a minimal application bundle having the same name as the LaunchAgent label. That barebones bundle contains an executable with the same name but without the com. prefix.” 

During the period of this campaign, the researcher witnessed over 220 samples, 150 of which were unique and went unnoticed by Apple's built-in antivirus, despite the fact that XProtect presently comprises of dozen AdLoad signatures. 

Many of the SentinelOne-detected samples are also signed with legitimate Apple-issued Developer ID certificates, while others are attested to operate under default Gatekeeper settings. 

Further, Stokes added, "At the time of writing, XProtect was last updated around June 15th. None of the samples we found are known to XProtect since they do not match any of the scanner’s current set of Adload rules." 

"The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices." 

To effectively comprehend the significance of this threat, Shlayer's case can be considered which is another common macOS malware strain capable of bypassing XProtect and infecting Macs with other malicious payloads. 

Shlayer recently exploited a macOS zero-day to bypass Apple's File Quarantine, Gatekeeper, and Notarization security checks and download second-stage malicious payloads on compromised Macs. 

Even though these malware strains are just delivering adware and bundleware as secondary payloads, for the time being, their developers can, however, switch to distributing more serious malware at any point. 

Apple’s head of software, under oath, while testifying in the Epic Games vs. Apple trial in May said, "Today, we have a level of malware on the Mac that we don’t find acceptable and that is much worse than iOS."