Apple warns of “remote attacker” security threat and releases update

Apple released iOS 14.4 and iPadOS 14.4 updates on Tuesday after an anonymous researcher found that attackers may be able to remotely hack certain iPhones, iPads and iPods.

Image: Attendee checks out new iPhone X (Reuters)

On the company’s support page, Apple outlined two security threats that have since been fixed in the newest operating system update, version 14.4. Both security threats, Apple said, may have already been exploited.


The company explained that one vulnerability, which is linked to the web browser rendering engine, WebKit, may allow remote hackers access to a device.

Katie Moussouris, CEO and founder of cybersecurity firm Luta Security, said that means an attacker could control a user’s phone. “You’ve zombified that device,” she said. “You are controlling it from a distance.”

And since the threat is tied to internet browsing, “Your regular web browsing may cause you to be held compromised, without having to do really much of anything else,” she said. “And that’s a problem.”

A second security threat Apple outlined involves a “malicious application” that may be able to elevate user privileges. In theory, Moussouris said, a malicious actor could exploit this with an app. “It is possible that a vector could be, almost like a sleeper cell of an app,” she said. “If you’re vulnerable, it tries to exploit it.”

This threat is known as a kernel vulnerability. “Kernel vulnerabilities, just by their nature, are going to be more serious,” Moussouris said. “[The kernel] is part of the brain of the operating system. It’s supposed to be the most protected… For sure, you know this is a serious issue.”

Apple said it has fixed the issues in its latest operating system update and encouraged iOS and iPadOS users to upgrade their devices. The company’s security update page notes, “Keeping your software up to date is one of the most important things you can do to maintain your Apple product’s security.”

Moussouris said users should update their operating systems as quickly as possible. “The window of exposure for consumers is between that time when a patch is available and when they actually apply that patch,” she said, and noted that Apple doesn’t always…


Linux malware uses open-source tool to evade detection


Image: Moritz Kindler

AT&T Alien Labs security researchers have discovered that the TeamTNT cybercrime group has upgraded its Linux crypto-mining malware with open-source detection-evasion capabilities.

TeamTNT is mostly known for targeting and compromising Internet-exposed Docker instances for unauthorized Monero (XMR) mining.

However, the group has also shifted tactics by updating its Linux cryptojacking malware named Black-T to also harvest user credentials from infected servers.

TeamTNT has now upgraded its malware further so that it evades detection after infecting Linux devices and deploying malicious coinminer payloads.

Hiding in plain sight

“The group is using a new detection evasion tool, copied from open source repositories,” AT&T Alien Labs security researcher Ofer Caspi says in a report published today.

This tool, known as libprocesshider, is open source and available on GitHub; it hides any chosen Linux process by abusing the dynamic linker’s preload mechanism (a shared object listed in /etc/ld.so.preload or LD_PRELOAD is loaded into every dynamically linked program, where it can override the library functions those programs use to list /proc).

“The objective of the new tool is to hide the malicious process from process information programs such as `ps` and `lsof`, effectively acting as a defense evasion technique,” Caspi added.
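As an added illustration from the defender’s side (this is not code from the AT&T report or from any TeamTNT tooling), the script below applies the standard counter to a preload-based readdir() hook of this kind: it enumerates /proc with stat() probes instead of a directory listing (which the hook would filter), compares the result with what `ps` reports, and lists whatever /etc/ld.so.preload would load into every process. The sample inputs (a hidden process as PID 1337 and a preload path) are constructed for the example; the live audit under `__main__` assumes a Linux host with `ps` available.

```python
import os
import subprocess

# Constructed sample data (not from the report): PIDs found by probing /proc,
# PIDs reported by ps, and the contents of /etc/ld.so.preload on a host where
# a hypothetical hidden miner runs as PID 1337.
SAMPLE_PROBED_PIDS = {1, 2, 412, 1337, 2048}
SAMPLE_PS_PIDS = {1, 2, 412, 2048}
SAMPLE_LD_PRELOAD = "# constructed\n/usr/local/lib/libprocesshider.so\n\n"


def hidden_pids(probed_pids, ps_pids):
    """PIDs that exist in /proc but are missing from ps output.

    A readdir() hook loaded through the preload mechanism filters entries out
    of every /proc listing (ps, lsof, ls); stat()-based probing does not go
    through readdir(), so the difference exposes the hidden processes.
    """
    return sorted(set(probed_pids) - set(ps_pids))


def preload_entries(contents):
    """Return the shared objects listed in /etc/ld.so.preload.

    Every non-empty, non-comment line is a library the dynamic linker maps
    into each dynamically linked program. On a normal host the file is absent
    or empty, so any entry deserves a look.
    """
    entries = []
    for line in contents.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def audit(probed_pids, ps_pids, preload_contents):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"pid {pid} exists in /proc but is absent from ps"
                for pid in hidden_pids(probed_pids, ps_pids)]
    findings += [f"/etc/ld.so.preload loads {so}"
                 for so in preload_entries(preload_contents)]
    return findings


def is_process(pid):
    """True if /proc/<pid> belongs to a thread-group leader (a real process).

    /proc/<tid> of a non-leader thread answers stat() but is never listed by
    readdir() or ps, so without this filter ordinary threads would look like
    hidden processes.
    """
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:  # vanished between the probe and the read
        return False
    return False


def probe_proc_pids():
    """Enumerate live PIDs with stat() instead of readdir().

    os.listdir('/proc') would call libc readdir() and be subject to the very
    hook we are hunting; os.path.exists() uses stat() and is not. Walking up
    to pid_max takes a few seconds on hosts with a large pid_max.
    """
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    return {pid for pid in range(1, pid_max + 1)
            if os.path.exists(f"/proc/{pid}") and is_process(pid)}


def ps_pids():
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def read_preload():
    try:
        with open("/etc/ld.so.preload") as fh:
            return fh.read()
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    probed = probe_proc_pids()
    listed = ps_pids()
    # Re-check the candidates: a process that simply exited between the two
    # snapshots would otherwise show up as a false positive.
    confirmed = {pid for pid in hidden_pids(probed, listed)
                 if os.path.exists(f"/proc/{pid}")}
    for finding in audit(confirmed | listed, listed, read_preload()):
        print(finding)
```

The probe deliberately avoids every libc call the hook can intercept, but it is still a userland check: a kernel-level rootkit would have to be hunted with other means, and an empty /etc/ld.so.preload proves little on its own if the loader was also tampered with.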

The detection evasion tool is deployed on infected systems as a base64 encoded bash script embedded within the TeamTNT ircbot or cryptominer binary.

Image: Decoded process hiding script (AT&T Alien Labs)

Once the script is launched on a compromised machine, it executes a series of tasks that allow it to:

  • Modify the network DNS configuration.
  • Set persistence through systemd.
  • Drop and activate the new tool as a service.
  • Download the latest IRC bot configuration.
  • Clear evidence of its activities to complicate potential defender actions.

After going through all the steps, the Black-T malware will also automatically erase all malicious activity traces by deleting the system’s bash history.

“Through the use of libprocesshider, TeamTNT once again expands their capabilities based on the available open source tools,” Caspi concluded.

“While the new functionality of libprocesshider is to evade detection and other basic functions, it acts as an indicator to consider when hunting for malicious activity on the host level.”



How ghost accounts could leave your organization vulnerable to ransomware

Active accounts for people who have left your organization are ripe for exploitation, according to Sophos.


Image: Michael Borgers, Getty Images/iStockphoto

Cybercriminals can choose a variety of ways to infiltrate and compromise an organization as a prelude to ransomware. One tried and true method is to exploit an admin account. And if it’s an account that’s no longer being used by an employee but is still available, so much the better. A report released Tuesday by security provider Sophos explains how one of its customers was hit by ransomware due to a ghost account.


The attack

An unidentified Sophos customer contacted the company after a ransomware attack affected more than 100 of its systems. Using the Nefilim (aka Nemty) ransomware, the attackers had compromised a high-level admin account a month before the actual attack, according to the Sophos Rapid Response team.

After gaining access to the account, the attackers spent the month poking around the network, eventually stealing the credentials for a domain admin account. Once they had found the files they could hold hostage, they exfiltrated hundreds of gigabytes of data and then carried out the attack.
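An added example, not from the Sophos report, of the audit a defender would run to surface accounts like the one described here: it joins directory data (enabled flag, admin membership, last logon) with HR departure dates and flags enabled accounts whose owner has left, accounts idle past a threshold and, the signal that matters most in this story, accounts that show a logon after their owner’s departure. Account names and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    """A directory account joined with the HR record for its owner."""
    name: str
    enabled: bool
    is_admin: bool
    last_logon: Optional[date]   # None: never logged on
    left_on: Optional[date]      # None: owner still employed (per HR)


def account_findings(acct, today, max_idle_days=90):
    """Reasons an enabled account needs attention; disabled accounts get none."""
    if not acct.enabled:
        return []
    reasons = []
    if acct.left_on is not None:
        reasons.append(f"owner left on {acct.left_on} but the account is still enabled")
        # A logon after the departure date means someone other than the
        # owner is using the account: treat it as possibly compromised.
        if acct.last_logon is not None and acct.last_logon > acct.left_on:
            reasons.append(f"logon on {acct.last_logon} after the owner left: "
                           "treat as possibly compromised")
    idle_cutoff = timedelta(days=max_idle_days)
    if acct.last_logon is None or today - acct.last_logon > idle_cutoff:
        reasons.append(f"no logon in the last {max_idle_days} days")
    return reasons


def ghost_account_report(accounts, today, max_idle_days=90):
    """(name, is_admin, reasons) for every account with findings, admins first."""
    rows = []
    for acct in accounts:
        reasons = account_findings(acct, today, max_idle_days)
        if reasons:
            rows.append((acct.name, acct.is_admin, reasons))
    rows.sort(key=lambda row: (not row[1], row[0]))
    return rows


# Constructed sample (names and dates are made up, not from the Sophos report).
TODAY = date(2021, 1, 26)
SAMPLE_ACCOUNTS = [
    Account("svc-backup-admin", True, True, date(2021, 1, 20), date(2020, 11, 30)),  # used after owner left
    Account("jdoe", True, False, date(2020, 9, 1), None),                             # idle, still employed
    Account("asmith-admin", False, True, date(2020, 6, 1), date(2020, 7, 15)),        # correctly disabled
    Account("mlee", True, False, date(2021, 1, 25), None),                            # healthy
    Account("contractor7", True, False, None, date(2020, 12, 1)),                     # never used, owner gone
]

if __name__ == "__main__":
    for name, is_admin, reasons in ghost_account_report(SAMPLE_ACCOUNTS, TODAY):
        tag = "ADMIN" if is_admin else "user"
        print(f"{name} [{tag}]")
        for reason in reasons:
            print(f"  - {reason}")
```

In a real environment the `Account` rows would come from an export of the directory (last-logon timestamps, group membership, enabled flag) joined on the HR system’s leaver list; the ordering puts privileged accounts first because, as the incident shows, those are the ones an attacker can turn into a domain-wide foothold.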

“Ransomware is the final payload in a longer attack,” Peter Mackenzie, manager for Sophos Rapid Response, said in the report. “It is the attacker telling you they already have control of your network and have finished the bulk of the attack. It is the attacker declaring victory.”

Sophos said that the Rapid Response team knew that criminals who use the Nefilim ransomware typically gain network access through vulnerable versions of Citrix or Microsoft’s Remote Desktop Protocol. In this case, the attackers exploited Citrix software to compromise the admin account and then used the Mimikatz password extraction tool to steal the credentials for the domain admin account.

But the real point of the story lies in the…


Knowing Your Privacy Rights Before Signing Up for the Coronavirus Vaccine – NBC10 Philadelphia

Signing up for the COVID-19 vaccine may mean sharing some of your personal information.

But who is seeing that info once you submit it?

According to the Internet Security Alliance, there is a way to know if a company plans to share your data. You can typically find that information right there on the registration form.

“That form could conceivably be providing consent for the provider to take your information and use it,” said Larry Clinton, the President of the Internet Security Alliance.

According to Clinton, whether you want your information shared is entirely up to you.

“Both federal law as well as Pennsylvania law say the consumer has the right to know what info is being shared and what is being taken and has the right to refuse to allow their information to be shared,” he said. 

He also said sharing data could be a positive thing, especially in the age of the coronavirus.

“One of the issues we have with COVID is tracking,” he said. “If I’ve been in close contact with you and I find out I have the virus, let’s say it’s a public interest to be able to find you so that you’re safe.”

If it’s sold, your personal data may also wind up in the hands of marketing companies that could send you targeted ads. Or worse.

“On the downside, there are multiple issues with regard to health information,” Clinton said. “As I say, it’s very, very valuable on the black market. It can be used, sold on the black market so other people can get access to your insurance.”

Clinton urges consumers to read through all of the paperwork they’re presented with when getting the vaccine.

Deciding whether or not to share your data is a personal decision. If you decide to opt out, you have a few options:

  • Tell the company you don’t want to share your data, and see if they’ll let you advance without sharing it.
  • Report the company, since federal law says you have the right to opt out.
  • Or, accept the terms and take the chance of having your data sold.