Search This Blog

Showing posts with label Apple. Show all posts

New Zero-Click iMessage Exploit Used to Deploy Pegasus Spyware

 

Citizen Lab's digital threat researchers have discovered a new zero-click iMessage exploit that was exploited to install NSO Group's Pegasus spyware on Bahraini activists' smartphones. In total, nine Bahraini activists (including members of the Bahrain Center for Human Rights, Waad, and Al Wefaq) had their iPhones hacked in a campaign conducted by a Pegasus operator linked to the Bahraini government with high confidence, according to Citizen Lab. 

After being compromised using two zero-click iMessage exploits (that do not involve user participation), the spyware was installed on their devices: the 2020 KISMET exploit and a new never-before-seen exploit named FORCEDENTRY. 

In February 2021, Citizen Lab first noticed NSO Group deploying the new zero-click FORCEDENTRY iMessage attack, which bypasses Apple's BlastDoor protection. BlastDoor, a structural change in iOS 14 aimed to stop message-based, zero-click attacks like this, had just been released the month before. BlastDoor was designed to prevent Pegasus attacks by operating as a "tightly sandboxed" service responsible for "almost all" of the parsing of untrusted data in iMessages, according to Samuel Groß of Google Project Zero.

“We saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day,” Citizen Lab said. “With the consent of targets, we shared these crash logs and some additional phone logs relating to KISMET and FORCEDENTRY with Apple, Inc., which confirmed they were investigating.” 

Attacks like the ones revealed by Citizen Lab, according to Ivan Krstić, head of Apple Security Engineering and Architecture, are highly targeted and hence nothing to worry about for most people, at least. Such attacks are "very complex, cost millions of dollars to design, often have a short shelf life, and are used to target specific individuals," according to Krstić. 

In addition to Apple's iMessage, NSO Group has a history of using other messaging apps, such as WhatsApp, to spread malware. Nonetheless, Citizen Lab believes that disabling iMessage and FaceTime in this circumstance, with these specific threats, may have blocked the threat actors. Researchers emphasized that disabling iMessage and FaceTime would not provide total security from zero-click assaults or adware.

NSO Group stated in a statement to Bloomberg that it hasn't read the report yet, but it has concerns about Citizen Lab's techniques and motivations. According to the company's statement, "If NSO gets reliable evidence relating to the system's misuse, the company will thoroughly investigate the claims and act accordingly."

Pegasus iPhone Hacks Used as Bait in Extortion Scam

 

A new extortion fraud attempts to profit from the recent Pegasus iOS spyware attacks to threaten victims to pay a blackmail demand. 

Last month, Amnesty International and the non-profit project Forbidden Stories disclosed that the Pegasus spyware was installed on completely updated iPhones via a zero-day zero-click iMessage vulnerability. 

A zero-click vulnerability is a flaw that can be exploited on a device without requiring the user's interaction. For instance, a zero-click hack would be a vulnerability that could be exploited just by visiting a website or getting a message. 

Governments are believed to have employed this spyware to eavesdrop on politicians, journalists, human rights activists, and corporate leaders worldwide. This week, a threat actor began contacting users, informing them that their iPhone had been compromised with a zero-click vulnerability that allowed the Pegasus spyware software to be installed. 

According to the fraudster, Pegasus has tracked the recipient's actions and captured recordings of them at "the most private moments" of their lives. According to the email, the threat actor will disseminate the recordings to the recipient's family, friends, and business partners if a 0.035 bitcoin (roughly $1,600) payment is not made. 

The full text of the email stated: 
"Hi there Hello, 
I'm going to share important information with you. 
Have you heard about Pegasus? 
You have become a collateral victim. It's very important that you read the information below. 
Your phone was penetrated with a “zero-click” attack, meaning you didn't even need to click on a malicious link for your phone to be infected. 
Pegasus is a malware that infects iPhones and Android devices and enables operators of the tool to extract messages, photos, and emails, record calls and secretly activate cameras or microphones and read the contents of encrypted messaging apps such as WhatsApp, Facebook, Telegram, and Signal.
Basically, it can spy on every aspect of your life. That's precisely what it did. I am a blackhat hacker and do this for a living. Unfortunately, you are my victim. Please read on. 
As you understand, I have used the malware capabilities to spy on you and harvested datas of your private life.
My only goal is to make money and I have perfect leverage for this. As you can imagine in your worst dream, I have videos of you exposed during the most private moments of your life when you are not expecting it. 
I personally have no interest in them, but there are public websites that have perverts loving that content. 
As I said, I only do this to make money and not trying to destroy your life. But if necessary, I will publish the videos. If this is not enough for you, I will make sure your contacts, friends, business associates and everybody you know sees those videos as well. 
Here is the deal. I will delete the files after I receive 0.035 Bitcoin (about 1600 US Dollars). You need to send that amount here bc1q7g8ny0p95pkuag0gay2lyl3m0emk65v5ug9uy7 
I will also clear your device from malware, and you keep living your life. Otherwise, shit will happen. The fee is non-negotiable, to be transferred within 2 business days. 
Obviously do not try to ask for any help from anybody unless you want your privacy to be violated. 
I will monitor your every move until I get paid. If you keep your end of the agreement, you won't hear from me ever again. 
Take care." 

Apparently, the bitcoin address indicated in the sample email seen by BleepingComputer has not received any payments. However, other bitcoin addresses might be utilized in this fraud. One may believe that no one would fall for this swindle, yet similar methods in the past have fetched over $50,000 in a week.

New AdLoad Malware Circumvents Apple’s XProtect to Infect macOS Devices

 

As part of multiple campaigns detected by cybersecurity firm SentinelOne, a new AdLoad malware strain is infecting Macs bypassing Apple's YARA signature-based XProtect built-in antivirus. 

AdLoad is a widespread trojan that has been aiming at the macOS platform since late 2017 and is used to distribute a variety of malicious payloads, including adware and Potentially Unwanted Applications (PUAs). This malware can also harvest system information and send it to remote servers managed by its operators. 

According to SentinelOne threat researcher Phil Stokes, these large-scale and continuing attacks began in early November 2020, with a spike in activity commencing in July and early August. 

AdLoad will install a Man-in-the-Middle (MiTM) web proxy after infecting a Mac to compromise search engine results and incorporate commercials into online sites for financial benefit. 

It will also acquire longevity on infected Macs by installing LaunchAgents and LaunchDaemons, as well as user cronjobs that run every two and a half hours in some circumstances. 

According to SentinelLabs, “When the user logs in, the AdLoad persistence agent will execute a binary hidden in the same user’s ~/Library/Application Support/ folder. That binary follows another deterministic pattern, whereby the child folder in Application Support is prepended with a period and a random string of digits. Within that directory is another directory called /Services/, which in turn contains a minimal application bundle having the same name as the LaunchAgent label. That barebones bundle contains an executable with the same name but without the com. prefix.” 

During the period of this campaign, the researcher witnessed over 220 samples, 150 of which were unique and went unnoticed by Apple's built-in antivirus, despite the fact that XProtect presently comprises of dozen AdLoad signatures. 

Many of the SentinelOne-detected samples are also signed with legitimate Apple-issued Developer ID certificates, while others are attested to operate under default Gatekeeper settings. 

Further, Stokes added, "At the time of writing, XProtect was last updated around June 15th. None of the samples we found are known to XProtect since they do not match any of the scanner’s current set of Adload rules." 

"The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices." 

To effectively comprehend the significance of this threat, Shlayer's case can be considered which is another common macOS malware strain capable of bypassing XProtect and infecting Macs with other malicious payloads. 

Shlayer recently exploited a macOS zero-day to bypass Apple's File Quarantine, Gatekeeper, and Notarization security checks and download second-stage malicious payloads on compromised Macs. 

Even though these malware strains are just delivering adware and bundleware as secondary payloads, for the time being, their developers can, however, switch to distributing more serious malware at any point. 

Apple’s head of software, under oath, while testifying in the Epic Games vs. Apple trial in May said, "Today, we have a level of malware on the Mac that we don’t find acceptable and that is much worse than iOS."

Apple’s iPhone is the Easiest to Snoop on Using the Pegasus, Says Amnesty

 

NSO Group, an Israeli cyber intelligence firm, developed Pegasus spyware as a surveillance tool. As claimed by the corporation, this firm is known for developing advanced software and technology for selling primarily to law enforcement and intelligence agencies of approved nations with the sole objective of saving lives by preventing crime and terror activities. Pegasus is one such software designed to get unauthorized access to your phone, gather personal and sensitive data, and transfer it to the user who is spying on you. 

Pegasus spyware, according to Kaspersky, can read SMS messages and emails, listen to phone calls, take screenshots, record keystrokes, and access contacts and browser history. A hacker may commandeer the phone's microphone and camera, turning it into a real-time monitoring device, according to another claim. It's also worth mentioning that Pegasus is a complex and expensive spyware meant to spy on specific individuals, so the typical user is unlikely to come across it. 

Pegasus malware snooped on journalists, activists, and certain government officials, and Apple, the tech giant that emphasizes user privacy, was a victim of the attack. Indeed, according to Amnesty's assessment, Apple's iPhone is the easiest to snoop on with Pegasus software. According to the leaked database, iPhones running iOS 14.6 feature a zero-click iMessage exploit, which could have been used to install Pegasus software on the targeted entities' iPhones. The Cupertino behemoth has issued a statement condemning the assault. 

Apple’s Head of Security Engineering and Architecture, Ivan Krsti, in a statement said, "Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data." 

Citizen Labs had already uncovered this flaw. Zero-click attacks are practically invisible and run in the background because they do not require the user's involvement. In iOS 14, Apple included the Blastdoor framework to make zero-click attacks more difficult, although it does not appear to be operating as planned.

Low-Risk iOS Wi-Fi Naming Issue can Compromise iPhones Remotely

 

According to recent research, the Wi-Fi network name issue that entirely disabled an iPhone's network connectivity had remote code execution capabilities and was discreetly patched by Apple earlier this year. 

On Monday, Apple released iOS 14.7 for iPhones, which includes bug fixes and security improvements as well as a remedy for the Wi-Fi denial-of-service issue. However, the company has not yet provided security information that may suggest whether its vulnerability has been fixed. 

The denial-of-service vulnerability, which was discovered last month, was caused by the way iOS managed string formats associated with the SSID input, causing any up-to-date iPhone to crash when connected to wireless access points with percent symbols in their names, such as "%p%s%s%s%s%n." 

While the problem could be solved by resetting the network settings (Settings > General > Reset > Reset Network Settings), Apple is likely to provide a fix in iOS 14.7, which is currently accessible to developers and public beta testers. 

Researchers from mobile security automation business ZecOps discovered that the same flaw could be abused to accomplish remote code execution (RCE) on targeted devices by simply adding the string pattern " % @" to the Wi-Fi hotspot's name, which may have had far-reaching repercussions. 

The issue was termed "WiFiDemon" by ZecOps. It's also a zero-click vulnerability as it allows a threat actor to infect a device without needing user interaction, however, it does necessitate that the setting to automatically connect Wi-Fi networks is enabled (which it is, by default). 

"As long as the Wi-Fi is turned on this vulnerability can be triggered," the researchers noted. "If the user is connected to an existing Wi-Fi network, an attacker can launch another attack to disconnect/de-associate the device and then launch this zero-click attack." 

"This zero-click vulnerability is powerful: if the malicious access point has password protection and the user never joins the Wi-Fi, nothing will be saved to the disk," the company stated. "

After turning off the malicious access point, the user's Wi-Fi function will be normal. A user could hardly notice if they have been attacked.

The RCE variant was discovered to be exploitable in all iOS versions before iOS 14.3, with Apple "silently" fixing the problem in January 2021 as part of their iOS 14.4 release. The vulnerability was not issued a CVE identifier. 

Given the vulnerability's exploitability, iPhone and iPad owners must update to the most recent iOS version to reduce the risk associated with the flaw.

Cybercriminals Unleashing Malware for Apple M1 Chip

 

Apple Macs are becoming more popular in the workplace, and the number of malware variants targeting macOS is increasing as well. However, the M1, Apple's new system-on-a-chip, has produced a new generation of macOS-specific malware that anti-malware tools, threat hunters, and researchers must swiftly learn to recognize and, eventually, fight. Historically, most macOS malware has been reused from Windows malware variants. But when employees built up home offices as a result of the pandemic's shift to work-from-home, more Macs entered the industry, making them a more valuable target for attackers targeting enterprises. 

Apple's new ARM64-based microprocessor, the M1, has already witnessed an increase in malware types created expressly for it, according to Mac security specialist Patrick Wardle. "As attackers evolve and change their ways, we as malware analysts and security researchers need to stay abreast of that as well.” In 2020, around half of all macOS malware, such as adware and nation-state attack code, may have migrated from Windows or Linux. 

M1 offers faster and more efficient processing, graphics, and battery life, and is now available in Apple's new Macs and iPad Pro. It also has several new built-in security mechanisms, such as one that protects the computer from remote exploitation and another that protects physical access. 

According to a recent Malwarebytes survey, Windows malware detections are down 24% among business users, while Mac malware detections are up 31%. Wardle discovered in his research that when he separated the binaries for macOS malware into two categories, one for Intel-based Macs and the other for M1-based Macs, anti-malware systems detected the Intel-based malware more successfully than the M1-based malware, despite the fact that the binaries are "logically the same." 

For the M1 malware, their detection rate dropped by 10%. That's a clue, he says, that existing antivirus signatures are mostly for the Intel edition of the macOS malware, rather than the M1 variant. Because static analysis alone can fail, detections should also use behavior-based technology. 

It's a matter of honing malware analysts' and threat hunters' skills to the new Apple silicon, he says. With reverse-engineering abilities and an awareness of the ARM64 instruction set, he says he wants to "empower Mac analysts, red teams, and everyone in cybersecurity." Wardle says, "The M1 system actually does significantly improve security at the hardware level, but it's transparent to the everyday user."

Tim Cook Claims Android has 47 Times the Amount of Malware as iOS

 

During a live chat, Apple CEO Tim Cook stated that Android has more malware than iOS and that "sideloading" mobile software is not in the "best interests of users." Sideloading apps entails manually downloading and installing software over the Internet rather than from an app store. Apple's security and privacy would be ruined if it were compelled to enable side-loading programmes, as Android does, he stated on June 16 while speaking remotely at the VivaTech 2021 conference in Paris, France. 

When asked about the planned European law known as the Digital Markets Act (DMA), which attempts to prohibit big digital corporations from monopolizing their market position, Cook stated that Apple opposes it because it would require the company to allow consumers to install apps outside of the App Store. Cook also stated that Android has "47 times more malware" than Apple since iOS is created with a single app store. 

Explaining the reason, Cook added, "It's because we've designed iOS in such a way that there's one app store and all of the apps are reviewed prior to going on the store. And so that keeps a lot of this malware stuff out of our ecosystem, and customers have told us very continuously how much they value that, and so we're going to be standing up for the user in the discussions." 

Cook further claimed that the DMA's present language, which will compel side-loading on the iPhone, will "destroy the security" of the smartphone and many of the App Store's privacy measures. 

DMA targets firms with a huge user base, such as Apple, Google, and Amazon, and encourages them to open up their platforms to competitors. The proposed rule also intends to provide a more level playing field for businesses and individuals who rely on large "gatekeeper" online platforms to sell their goods and services in a single market. 

“We've been focusing on privacy for over a decade,” Cook stated when asked about Apple's commitment to privacy. “We see it as a basic human right. A fundamental human right. And we've been focused on privacy for decades. Steve used to say privacy was stating in plain language what people are signing up for and getting their permission. And that permission should be asked repeatedly. We've always tried to live up to that.”

Is Apple's Monopoly Making Its Security Vulnerable?


It's a well-known fact that Apple’s devices are undoubtedly way safer than any other company’s products, however, in recent research analysis, many reports claimed it to be a myth. 

According to the experts, Apple’s complex process of downloading apps has created a notion of added security but seemingly such is not the case, as revealed in deeper examinations. 

Reportedly, around 2% of the top-grossing iOS apps, are in some way, scams. Customers of several VPN apps, which protect users’ data, have complained against Apple App Store – saying that their devices are contaminated by a virus that tricks them to download and pay for software that they don’t need. 

An illegal QR code reader app that remains for a week on the store tricks users into paying $4.99. Moreover, some apps even mock themselves as being from big global organizations such as Amazon and Samsung. 

Apple always maintained its exclusive command on the App Store and describes this as its policy which is essential for customer’s sensitive personal credentials. Apple has a monopoly in the App market in terms of customer trust. However, some analysts said that this is indeed the biggest problem that there is no competition against this giant in the market, if some companies will come with alternatives then– as a matter of fact – Apple will invest more money in strengthening their security measures. 

“If consumers were to have access to alternative app stores or other methods of distributing software, Apple would be a lot more likely to take this problem more seriously,” said Stan Miles, an economics professor at Thompson Rivers University in British Columbia, Canada. 

As per the statistics, that Apple generates huge profit from the App store; around 30 percent of its revenue is constituted by the App store. 

Apple spokesperson Fred Sainz said in a statement that, “We hold developers to high standards to keep the App Store a safe and trusted place for customers to download software, and we will always take action against apps that pose a harm to users…” 

“…Apple leads the industry with practices that put the safety of our customers first, and we’ll continue learning, evolving our practices, and investing the necessary resources to make sure customers are presented with the very best experience.”

Apple’s Big Sur 11.4 Patches a Security Flaw that Could be Exploited to Take Screenshots

 

Big Sur 11.4 was updated this week to fix a zero-day vulnerability that allowed users to capture screenshots, capture video, and access files on another Mac without being noticed. The flaw lets users go around Apple's Transparency Consent and Control (TCC) architecture, which manages app permissions. 

According to Jamf's blog, the issue was identified when the XCSSET spyware "used this bypass especially for the purpose of taking screenshots of the user's desktop without requiring additional permissions." By effectively hijacking permissions granted to other programmes, the malware was able to get around the TCC. 

Researchers identified this activity while analyzing XCSSET "after detecting a considerable spike of identified variations observed in the wild". In its inclusion in the CVE database, Apple has yet to offer specific details regarding the issue. “The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent–which is the default behaviour,” researchers said. 

Last August, Trend Micro researchers identified the XCSSET malware after they detected fraudsters introducing malware into Xcode developer projects, causing infestations to spread. They recognized the virus as part of a package known as XCSSET, which can hijack the Safari web browser and inject JavaScript payloads that can steal passwords, bank data, and personal information, as well as execute ransomware and other dangerous functionalities. 

At the time, Trend Micro researchers discovered that XCSSET was exploiting two zero-day flaws: one in Data Vault, which allowed it to bypass macOS' System Integrity Protection (SIP) feature, and another in Safari for WebKit Development, which permitted universal cross-site scripting (UXSS). 

According to Jamf, a third zero-day issue can now be added to the list of flaws that XCSSET can attack. Jamf detailed how the malware exploits the issue to circumvent the TCC.

Avast Security Evangelist Luis Corrons recommends not waiting to update your Mac. “All users are urged to update to the latest version of Big Sur,” he said. “Mac users are accustomed to receiving prompts when an app needs certain permissions to perform its duties, but attackers are bypassing that protection completely by actively exploiting this vulnerability.”

M1RACLES Bug Impacts Apple M1 Chips

 

A security researcher identified the first-ever vulnerability in Apple M1 chips that requires a silicon redesign to fix. The good news is that the flaw is considered low-risk, and even the security researcher who identified it believes the flaw is insignificant and has sought to avoid exaggerating the problem while presenting his findings. 

The vulnerability was codenamed M1RACLES and is presently tracked as CVE-2021-30747. It was discovered by Hector Martin, a software engineer at Asahi Linux, a project that works on porting Linux for Mac devices. 

In a simplified explanation, Martin explained that the vulnerability allowed two apps running on the same device to exchange data via a hidden channel at the CPU level, circumventing memory, sockets, files, and other standard operating system features. While the discovery is notable because of the amount of time, work, knowledge, and proficiency required to find bugs in a CPU's physical design, Martin states that the problem is of no benefit to attackers. 

The only way Martin can see this bug being abused is by dodgy advertising businesses, which could abuse an app they already had installed on a user's M1-based device for cross-app tracking, which would be a really bizarre scenario since the ad industry has many other more reliable data collection methods. 

Even though the M1RACLEs bug violates the OS security model by allowing a CPU process to transfer data to another CPU process over a secret channel, Martin believes the flaw was caused by a human error on Apple's M1 design team. 

“Someone in Apple’s silicon design team made a boo-boo. It happens. Engineers are human,” he said. Martin further added that he has informed Apple of his discoveries, but the firm has yet to clarify whether the flaw will be fixed in future M1 chip silicon versions. Martin revealed and debunked his own findings on a dedicated website that ridiculed similar sites developed in the past to advertise CPU vulnerabilities—many of which, like M1RACLEs, were similarly meaningless and insignificant to people's threat models. 

Martin concludes that exploitation on iOS may be used to overcome privacy protections adding that a malicious keyboard app may act as a keylogger by transferring typed text to another malicious app, which could subsequently transfer the information to the internet. 

However, he suggests that because of Apple's constraints on creating code at runtime, the firm could detect exploit attempts if it subjected App Store submissions to static analysis. The hypervisors disable guest access to the vulnerable register by default, the flaw can be mitigated by utilizing a virtual machine, but there aren't many other solutions, particularly on macOS.

Apple Fixes macOS Zero Day Vulnerability, Abused by XCSSET macOS Malware

 

Apple has released security updates for a variety of its products, including a patch for three macOS and tvOS zero-day vulnerabilities. The patch comprises a zero-day vulnerability fix that has been exploited in the wild for nearly a year by the XCSSET malware gang. 

Apple said it was aware of allegations that the security flaws "may have been actively exploited" in all three cases, but it didn't go into detail about the assaults or threat actors who might have exploited the zero-days. 

WebKit on Apple TV 4K and Apple TV HD devices is affected by two of the three zero-days (CVE-2021-30663 and CVE-2021-30665). Webkit is an HTML rendering engine used by Apple's web browsers and applications on its desktop and mobile platforms, including iOS, macOS, tvOS, and iPadOS.Threat actors might use maliciously generated web content to attack the two vulnerabilities, which would allow arbitrary code execution on unpatched devices due to a memory corruption issue. 

The third zero-day (CVE-2021-30713) is a permission issue found in the Transparency, Consent, and Control (TCC) framework that affects macOS Big Sur devices. The TCC framework is a macOS subsystem that prevents installed apps from accessing sensitive user information without asking the user for explicit permission via a pop-up message. A maliciously constructed application could be used to exploit this issue, bypassing Privacy settings and gaining access to sensitive user data. 

While Apple didn't provide much detail about how the three zero-days were exploited in assaults, Jamf researchers found that the macOS zero-day (CVE-2021-30713) patched was leveraged by the XCSSET malware to get beyond Apple's TCC privacy measures. 

According to the researchers, "the exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user's explicit consent — which is the default behavior." 

"We, the members of the Jamf Protect detection team, discovered this bypass being actively exploited during the additional analysis of the XCSSET malware, after noting a significant uptick of detected variants observed in the wild. The detection team noted that once installed on the victim’s system, XCSSET was using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions." 

Trend Micro's Mac Threat Response and Mobile Research teams first detected XCSSET in August 2020. According to the researchers, the vulnerability can be used to provide malicious applications with permissions such as disk access and screen recording. As a result of this, threat actors will be able to take screenshots of affected PCs. 

Last month, Trend Micro discovered a new XCSSET version that was upgraded to work with the newly launched Apple-designed ARM Macs. The CVE-2021-30713 vulnerability was discovered shortly after Craig Federighi, Apple's head of software stated that macOS has an "unacceptable" level of malware, which he linked to the diversity of software sources. 

Apple addressed two iOS zero-days in the Webkit engine earlier this month, allowing arbitrary remote code execution (RCE) on vulnerable devices solely by visiting malicious websites. In addition, Apple has been releasing fixes for a number of zero-day bugs that have been exploited in the wild in recent months, including one that was resolved in macOS in April and a bunch of other iOS vulnerabilities that were resolved in the prior months.  

A Chinese Hacking Competition May Have Given Beijing New Ways to Spy on the Uyghurs

 

In 2019, Apple aimed to reassure its customers when it revealed in a blog post that it had fixed a security flaw in its iOS operating system. According to Apple, the exploited vulnerability was "narrowly focused" on websites with data relevant to the Uyghur community. 

It has since been revealed that the flaw in question was found at China's leading hacking competition, the Tianfu Cup, where a skilled hacker was rewarded for his efforts. The standard procedure would be to notify Apple of the flaw. However, it is said that the violation was kept hidden, with the Chinese government obtaining it to spy on the country's Muslim minority. 

Hacking competitions are a well-established method for technology companies like Apple to identify and address security flaws in their software. However, with state-sponsored hacking on the rise, the possibility that the Tianfu Cup is providing Beijing with new surveillance tools is worrying, particularly given how Chinese competitors have long dominated international hacking competitions. 

When software is compromised, it's usually because an attacker discovered and exploited a cybersecurity flaw that the software provider was unaware of. Finding these flaws before they're discovered by cybercriminals or state-sponsored hackers will save tech firms a lot of money. Until 2017, Chinese hackers took home a large percentage of the Pwn2Own awards. However, after a Chinese billionaire argued that Chinese hackers should "stay in China" because their work is strategic, Beijing replied by prohibiting Chinese people from participating in international hacking competitions.

In 2018, the Tianfu Cup was founded in China. A hacker participating in the Tianfu Cup in its first year created a prize-winning hack called "Chaos." The hack could be used to gain remote access to even the most recent iPhones, making it an easy target for surveillance. After being used in a targeted way against Uyghur iPhone users, Google and Apple both discovered the hack “in the wild” two months later. 

Despite the fact that Apple was able to mitigate the hack within two months, this case demonstrates the dangers of exclusive national hacking competitions, particularly when they take place in countries where people are required to comply with government demands. 

Hacking contests are intended to reveal "zero-day" vulnerabilities, which are security flaws that software vendors haven't discovered or predicted. The tactics used by prize-winning hackers are meant to be shared with vendors so that they can find ways to fix them up. However, keeping zero-day vulnerabilities secret or passing them on to government agencies raises the likelihood of them being used in state-sponsored zero-day attacks. 

In early 2021, Four zero-day vulnerabilities in Microsoft Exchange were used to launch massive attacks against tens of thousands of organizations. Hanium, a Chinese government-backed hacking group, has been linked to the attack. Evidence indicates that cybercriminal gangs are operating closely, and even interchangeably, with state-sponsored hacking groups in Russia and China. 

The Tianfu Cup appears to have given China access to a new talent pool of expert hackers, who are inspired by the competition's prize money to develop potentially dangerous hacks that Beijing would be able to use both at home and abroad.

Apple isn't Happy About the Amount of Mac Malware

 

During testimony defending Apple in a lawsuit with Fortnite developer Epic Games, a top Apple executive said that Mac malware has now surpassed Apple's tolerance level and framed safety as the justification for keeping iPhones locked to the App Store. According to a top Apple executive, this is why Apple must keep iPhone, iPad, and other mobile products behind the App Store's walled garden. 

Craig Federighi, Apple's head of software engineering, told a California court that the existing levels of malware were "unacceptable." "Today, we have a level of malware on the Mac that we don't find acceptable," he stated in response to questions from Apple's lawyers, as ZDNet sister site CNET reports. 

Apple is defending its activities after Epic Games filed a lawsuit in the United States stating because Apple kicked its Fortnight game off the App Store after Epic implemented a direct payment scheme for in-game currency, bypassing Apple's 30% developer fee. Apple, according to Epic, is too restrictive. 

On May 03, the Apple-Epic case began. Phil Schiller, the CEO of the App Store, stated yesterday that the App Store has always prioritized protection and privacy. According to Federighi, 130 different forms of Mac malware have been discovered since May, with one version infecting 300,000 systems. iOS devices can only install applications from Apple's App Store, while Macs can install software from anywhere on the internet. 

Mac malware is already outpacing Windows malware, according to Malwarebytes, a US protection company that offers Mac antivirus. However, the company pointed out that the risks to Macs, which mainly consisted of adware, were not as harmful as malware for Windows. Federighi contrasted the Mac to a car, while iOS was created with children's protection in mind, according to 9to5Mac. 

"The Mac is a car. You can take it off-road if you want and you can drive wherever you want. That's what you wanted to buy. There's a certain level of responsibility required. With iOS, you wanted to buy something where children can operate an iOS device and feel safe doing so. It's really a different product," he stated.

Federighi also said that things would change significantly if Apple allowed iOS users to sideload applications.

Apple's Find My Network: Can be Abused to Leak Secrets Via Passing Devices

 

Apple's Find My network, which is used to track iOS and macOS devices – as well as more recently AirTags and other kits – has been revealed to be a possible espionage tool. 

In brief, passing Apple devices can be used to send data over the air from one location to another, such as a computer on the other side of the world, without the need for any other network connection. 

Using Bluetooth Low Energy (BLE) broadcasts and a microcontroller designed to act as a modem, Fabian Bräunlein, co-founder of Positive Security, invented a way to send a limited amount of arbitrary data to Apple's iCloud servers from devices without an internet connection. A Mac application can then download the data from the cloud. He dubbed his proof-of-concept service Send My in a blog post on Wednesday. 

When activated in Apple devices, the Find My network acts as a crowdsourced location-tracking system. Participating devices transmit over BLE to other nearby Apple devices, which then relay data back to Cupertino's servers via their network link. Authorized device owners can then use the company's iCloud-based Find My iPhone or iOS/macOS Find My app to get location reports on enrolled hardware. 

Researchers from Germany's Technical University of Darmstadt – Alexander Heinrich, Milan Stute, Tim Kornhuber, and Matthias Hollick – released an overview of Apple's Find My network's protection and privacy in March, uncovering a few issues along the way. 

Bräunlein's aim was to see if the Find My network could be exploited to send arbitrary data from devices that didn't have access to the internet. "Such a technique could be employed by small sensors in uncontrolled environments to avoid the cost and power consumption of mobile internet," he states. "It could also be interesting for exfiltrating data from Faraday-shielded sites that are occasionally visited by iPhone users." Since he didn't find any rate-limiting mechanism for the number of location reports devices can send over the Find My network, he theorizes that his strategy may be used to deplete smartphone users' data plans. 

With each report being more than 100 bytes, broadcasting a large number of unique public encryption keys as part of the Find My protocol would increase the amount of mobile traffic sent. Bräunlein used an ESP32 microcontroller with OpenHaystack-based firmware to transmit a hardcoded default message and listen for new data on its serial interface for his data exfiltration scheme. These signals will be picked up by nearby Apple devices that have to Find My broadcasting switched on and transferred to Apple's servers. 

In order to satisfy Apple's authentication criteria for accessing location data, obtaining data from a macOS computer necessitates the use of an Apple Mail plugin that runs with elevated privileges. To view the unsanctioned transmission, the user must also install OpenHaystack and run DataFetcher, a macOS app created by Bräunlein.

Apple Covered a Mass Hack on 128 Million iPhone Users in 2015

 

Apple and Epic are now embroiled in a legal dispute, and as a result, some shocking material has surfaced on the internet. Epic recently demonstrated Apple's desire to conquer the industry by deciding not to unleash the iMessage platform on Android. Now, according to a recent email filed in court, Apple decided not to alert 128 million iPhone users of its first-ever mass hack. This was back in 2015 when the iPhone 6s series was first introduced. 

The massive hack was first discovered when researchers discovered 40 malicious App Store applications, which quickly grew to 4,000 as more researchers looked into it. The apps included malware that turned iPhones and iPads into botnets that stole potentially sensitive user data. 

According to an email filed in court last week in Epic Games' litigation against Apple, Apple managers discovered 2,500 malicious apps on September 21, 2015, that had been downloaded a total of 203 million times by 128 million users, 18 million of whom were in the United States. 

“Joz, Tom, and Christine—due to the large number of customers potentially affected, do we want to send an email to all of them?” App Store VP Matthew Fischer wrote, talking to Apple's Greg Joswiak, senior vice president of worldwide communications, and Tom Neumayr and Christine Monaghan, who work in public relations. 

The email continued: "If yes, Dale Bagwell from our Customer Experience team will be on point to manage this on our side. Note that this will pose some challenges in terms of language localizations of the email, since the downloads of these apps took place in a wide variety of App Store storefronts around the world (e.g. we wouldn’t want to send an English-language email to a customer who downloaded one or more of these apps from the Brazil App Store, where Brazilian Portuguese would be the more appropriate language)." 

Bagwell talks about the complexities of notifying all 128 million impacted customers, localizing updates to each user's language, and "accurately including the names of the applications for each client" about 10 hours later. 

Unfortunately, it seems that Apple never carried out its plans. There was no indication that such an email was ever sent, according to an Apple spokesperson. Apple instead released only this now-deleted article, according to statements the representative submitted on background—meaning I'm not allowed to quote them.

'XcodeGhost' Malware Infected Around 128M iOS Users

 

In a recent malware attack over 128 million iOS customers have been targeted. The malware employed by the attackers goes by the name "XcodeGhost" which first came into the public domain in 2015. This attack is responsible for injecting malware into several Apple devices' app stores including iPhone and iPad apps that were subsequently uploaded to the App Store. 

During the Epic Games vs Apple trial, the internal Apple emails have warned that almost 128 million users downloaded approximately 2,500 apps that were infected by the malware which came into existence from the fake copy of Xcode. 

While Motherboard has also reported on the same issue saying over 2,500 infected apps have been downloaded over 203 million times in the App Store. 

Some employer has disclosed that around 55 percent users are Chinese and also 66 percent of downloads relates to China. According to the report, many developers have downloaded the infected Xcode as Apple’s servers were slow, hence they were looking for alternative download links. 

Notably, some of the widely popular apps have also been infected by this malware, including the game ‘Angry Birds 2′. 

When the malware was identified, Apple suggested developers immediately revise their apps with a legal version of Xcode, the report added. 

In the wake of the security incident, Apple has taken several security measures to fix the attack including malware scanning and the security of the Xcode execution process while submitting apps to the App Store. As the legal battle was going on between Apple and Epic Games in the USA this week, new technical details have surfaced, disclosing that Epic Games CEO Tim Sweeney had suggested Apple CEO Tim Cook open their devices to other app stores as early as 2015. 

An Award-Winning iPhone Hack Used by China to Spy on Uyghur Muslims

 

According to a recent article, the Chinese government used an award-winning iPhone hack first uncovered three years ago at a Beijing hacking competition to spy on the phones of Uyghur Muslims. The government was able to successfully tap into the phones of Uyghur Muslims in 2018 using a sophisticated tool, according to a study published Thursday by MIT Technology Review. 

For years, the US government and other major technology firms have recognized that China has been waging a violent campaign against ethnic minorities using social media, phones, and other technologies. The movement also attacked journalists and imitated Uyghur news organizations. 

According to MIT Technology Review report the hacking vulnerability was discovered during the Beijing competition. The Tianfu Cup hacking competition began in November 2018 in China as a way for Chinese hackers to discover vulnerabilities in popular tech software. According to the paper, the competition was modeled after an international festival called Pwn2Own, which attracts hackers from all over the world to show technical bugs so that marketers can discover and patch defects throughout their goods. 

However, China's Tianfu Cup was designed to enable Chinese hackers to show those vulnerabilities without exposing them to the rest of the world. According to the paper, this will enable the Chinese government to use those hacking methods found at the event for their own purposes. 

The very first event took place in November of 2018; Qixun Zhao, a researcher at Qihoo 360, won the top prize of $200,000 for demonstrating a remarkable chain of exploits that helped him to easily and reliably take control of even the newest and most up-to-date iPhones. He discovered a flaw in the kernel of the iPhone's operating system, originating from inside the Safari web browser. 

What's the end result? Any iPhone that accessed a web page containing Qixun's malicious code might be taken over by a remote intruder. It's the type of hack that could be traded on the black market for millions of dollars, allowing hackers or governments to spy on huge groups of people. It was given the name "Chaos" by Qixun. 

Apple patched it two months later, but an analysis revealed that it had been used by the Chinese government to hack Uyghur Muslims' iPhones in the interim. After US surveillance found it and confirmed it to Apple, the company released a low-key press release acknowledging it, but the full scale of it wasn't understood until now.

App Census Study Reveals that Android Devices Leak User Data Stored in Contact Tracing Applications

 

According to security experts, hundreds of third-party applications on Android devices have access to confidential information collected by Google and Apple API contact-tracking devices. The Department of Homeland Security provided about $200,000 to App Census, a U.S. start-up that specializes in data protection practices in Android applications, earlier this year for testing and validating the reliability of contact tracking apps. 

The researchers of the business observed that the primary contact tracking information inside the device's system logs are recorded by Android Phones logging data from applications that use Google and Apple's Exposure Notifications System (ENS), that is used for collecting details, and usually where applications receive usage analytics and malfunction reports data. 

In an effort to assist medical authorities around the globe to develop contact tracing apps associated with the data protection requirement underlying the Android and iOS ecosystems, Google and Apple jointly launched ENS last year. API built by Apple and Google allows governments to build decentralized Bluetooth-based contact tracking software. 

The app-equipped devices send confidential, regularly changing IDs, known as RPIs, that are diffused via Bluetooth in such a way that nearby telephones that also use the application can be "heard". 

The observations of App Census reveal that the two Tech Giants' privacy pledge has certain deficiencies. Both transmitted and heard RPIs can indeed be identified in the machine logs of Android phones – as well as the device even records the existing Bluetooth MAC address of the destination server on RPIs that have been heard. Thus App Census found many ways of using and computing datasets to conduct data protection attacks since the RPI and the Bluetooth MAC addresses are unique and anonymized.

"Of course, the information has to be logged somewhere to do the contact-tracing, but that should be internally in the ENS," Gaetan Leurent, a researcher at the French National Institute for Research in Digital Science and Technology (INRIA), stated. "It is unsettling that this information was stored in the system log. There is no good reason to put it there." 

The RPIs could have been used along with different pieces of datasets to determine that whether users checked for COVID-19 positively, whether they had contacted an infectious individual or whether two persons met each other with access to device registers from multiple users. It is meant to preserve privacy in the contact tracing process, and precisely this type of data should be avoided. Therefore, the entire defense which should form the foundation of this protocol is defeated. 

A Google spokesperson told: "We were notified of an issue where the Bluetooth identifiers were temporarily accessible to some pre-installed applications for debugging purposes. Immediately upon being made aware of this research, we began the necessary process to review the issue, consider mitigations and ultimately update the code." 

The spokesman added that these Bluetooth identifications neither disclose the location of a customer nor provide any other identifying details, and also they are not aware that they were used in any manner. As per Google, roll started many weeks ago with the upgrade on Android devices and is due to be completed in the coming days. Previous publications of the researcher have shown that irrespective of implementation, the use of digital technology for contact tracking would necessarily present a risk to privacy.

Hackers Attack Apple Prior to Launch Event, Demand Ransom

 

On the day when Apple was ready to declare a new series of products at its Spring Load Event, there happened a leak from an unexpected quarter. The infamous cybercrime gang REvil took the responsibility for stealing data and schematics from Apple's supplier 'Quanta computer' relating unreleased products. The gang also threatened to sell the data to the highest bidder if the target failed to pay a ransom of $50 Million. For the credibility of the attack, the hackers release caches of docs relating to upcoming MacBook Pros. iMac schematics have also been added since the last attacks. 

The suspenseful timing and links to Apple raise controversy about the attack. However, it is also a reflection towards the rising no of disturbing ransomware incidents that appear today. Hackers have evolved through years of developing their mass data encryption techniques to log targets out of their own devices. Presently, these gangs are more focused towards data theft and extortion as their primary means of attacks, while demanding hefty ransoms in the process. 

"Our team is negotiating the sale of large quantities of confidential drawings and gigabytes of personal data with several major brands. We recommend that Apple buy back the available data by May 1," said REvil in the stolen data post. Since the start, ransomware attacks have involved capturing the victim's device, encrypting files, and then demanding ransom through simple transactions, in return for providing the decryption key. 

Now, however, hackers have moved towards a unique approach, along with encrypting the files, they steal files and threaten to leak them, this gives them leverage over their victim, assuring ransom payment. Even if the victim recovers his data, the risk of a hacker leaking his data still persists. The Wired reports, "and in the past couple of years, prominent ransomware gangs like Maze have established the approach. Today incorporating extortion is increasingly the norm. And groups have even taken it a step further, as is the case with REvil and Quanta, focusing completely on data theft and extortion and not bothering to encrypt files at all."

Apple will pay $100 million to Russian hackers for leaking data on new products

Apple's database was hacked due to cybersecurity deficiencies of the Taiwanese equipment manufacturer. The stolen information is estimated at $50 million, and the Russian hacker group is to be blamed.

Quanta, which produces MacBooks and peripherals for Apple, reported hacking of its own system and theft of engineering, production schemes of current and future products. We are talking, in particular, about the Air 2020, M1 2020 model of laptops and an unreleased copy with additional ports.

The group, described as the most dangerous in global cyberspace, REvil, sent an extortion message to Apple with samples of stolen technical files. The hackers are demanding a ransom of $50 million if Quanta pays the full amount by April 27. After that date, the amount will double to $100 million. The message was distributed through the Tor anonymous network connection, protected from eavesdropping.

According to profile portal Bleeping Computer, by Saturday, April 24, REvil had published more than a dozen schematics and diagrams of laptop components on its Darknet leak site. However, no links were found to the fact that the data relate to Apple products.

Quanta confirmed that its servers had been hacked. As Bloomberg reported, Quanta Computer's information security team is working with outside IT experts to review several cyberattacks on a few Quanta servers. The manufacturer says the hack will not significantly affect the company's future operations

The company also said that it has not yet figured out the extent of the leak. The images that leaked to the Net include the schematics of the redesign of the iMac just presented by Apple, which until this situation has not been seen by anyone outside of Apple's sphere of influence. This confirms the fact that the documents are indeed accurate.

Recall that REvil's largest illegal extortion profit was $18 million. The money was anonymously cashed and laundered through a cryptocurrency exchange.