Tag Archive for: Exploits

Million-Dollar WhatsApp Hacks: The Booming Market for Zero-Day Exploits

/in


The Soaring Cost of Hacking WhatsApp: Inside the Million-Dollar Zero-Day Market

The Soaring Cost of Hacking WhatsApp: Inside the Million-Dollar Zero-Day Market

KEY HIGHLIGHTS

  • A Russian firm recently offered $20 million for zero-day exploits capable of compromising iOS and Android devices.
  • Globally, the cost of a WhatsApp-specific zero-day exploit can range from $1.7 to $8 million.
  • The coveted “Zero Click RCE” exploit provides extensive surveillance capabilities and costs around $1.7 million.

Welcome to the clandestine world of zero-day exploits, where the right vulnerability can fetch you millions. Due to enhanced security mechanisms in both iOS and Android devices, hacking has become an expensive venture, and nowhere is this more evident than with WhatsApp.

Russia’s Premium Play: $20 Million for the Ultimate Hack

Last week, a Russian firm shook the cybersecurity community by offering a whopping $20 million for chains of bugs that could compromise iOS and Android phones. The exorbitant price tag is a result of a couple of factors:

  1. Geopolitical Climate: The ongoing invasion of Ukraine has isolated Russia, making it difficult for them to find willing researchers.
  2. Desperation: Russian government bodies are apparently willing to pay a premium under the current circumstances.

Global Sticker Shock: WhatsApp Exploits Get Pricey

The allure of hacking WhatsApp is not confined to Russia. Leaked documents reveal that in 2021, an Android-targeting zero-day exploit for WhatsApp was priced between $1.7 and $8 million. The factors for this price hike include:

  1. Rarity of Skill: Advanced security measures mean fewer experts capable of finding these vulnerabilities.
  2. High Demand: Government hackers frequently target WhatsApp, driving up market demand.

The Allure of “Zero Click RCE”

A specific type of exploit called “Zero Click RCE” (Remote Code Execution) is available for around $1.7 million. What makes it so attractive?

  • Stealth: No interaction from the target is required, making it incredibly difficult to detect.
  • Power: The exploit allows for extensive surveillance capabilities, including the ability to read and exfiltrate messages.

Unpatched and Unprotected?

In 2020 and 2021, WhatsApp patched several vulnerabilities related to image processing. However, it’s still unclear whether these…

Source…

Android Users Warned Of 2 Zero-Day Exploits, Including Spy-On-Phone Attack

/in


Google has announced an October security update for all Android users that addresses more than 50 vulnerabilities and includes fixes for two zero-days already known to be exploited by malicious attackers.

CVE-2023-4863 Is The Same Vulnerability That Led To Zero-click iPhone Spyware Attacks

The first of the zero-day vulnerabilities may sound familiar to regular readers, as well it might. CVE-2023-4863 is none other than the same one impacting the libwebp open-source library that led to recent emergency updates for 1Password, Signal, Chrome, Edge and Firefox, among others.

MORE FROM FORBESCritical New 1Password, Signal, Chrome, Edge, Firefox Emergency Security UpdatesBy Davey Winder

This critical buffer overflow vulnerability can lead to remote code execution and appears to be the same flaw that is addressed as CVE-2023-41064 by Apple and used in a zero-click iMessage exploit chain to install spyware onto previously fully patched iPhones.

Although there is currently no evidence that Android users are being targeted by the same iPhone spyware attack, as identified by Citizen Lab and Google’s Threat Analysis Group in September, it remains flagged as exploited in the wild. As such, all users of Android devices are urged to install the October security update as a matter of some urgency.

MORE FROM FORBESNew Critical Security Warning For iPhone, iPad, Watch, Mac-Attacks UnderwayBy Davey Winder

CVE-2023-4211 Known To Be Under Targeted Attack

The second zero-day vulnerability, CVE-2023-4211, included within the October security update, is stated, along with CVE-2023-4863, as potentially being “under limited, targeted attack,” according to the Google security advisory. Arm also points to there being evidence of the same targeted attack in a security advisory to users.

There’s a lack of detailed technical information regarding CVE-2023-4211 beyond the fact that it resides in the Arm Mali GPU driver and is a use-after-free issue that could allow for data manipulation.

As Ionut Arghire reports, however, such vulnerabilities have previously been known to be connected with…

Source…

Yikes: Apple Patches 3 New Zero-Day Exploits for iOS, MacOS

/in


Apple today released a fix for a trio of iOS vulernabilities that hackers may already be exploiting.

Apple issued emergency patches for iOS 16 and the newly launched iOS 17, as well as iPadOS, Safari, watchOS and macOS Ventura and Monterey. 

Although details are thin, the vulnerabilities were discovered by two security researchers, according to Apple. The first, Bill Marczak, works for Citizen Lab, a watchdog group that investigates spyware attacks from commercial surveillance companies. The other, Maddie Stone, is a researcher at Google’s Threat Analysis Group, which is dedicated to protecting users from state-sponsored hackers and commercial spyware dealers. 

Google and Citizen Lab didn’t immediately respond to requests for comment. But it’s likely the two security researchers uncovered the vulnerabilities while investigating an attack on user devices. The fixes also come two weeks after Citizen Lab discovered a new iOS attack allegedly from notorious spyware dealer NSO Group that infected a device belonging to an employee at a “Washington DC-based civil society organization.”  

The first vulnerability, CVE-2023-41993, involves Webkit, the browser engine for Safari. The researchers discovered the engine can be manipulated to execute rogue computer code if it processes certain web content. Hence, the vulnerability could be paired with a malicious message or website to potentially trigger an iPhone to download malware

The second vulnerability, CVE-2023-41992, can affect iOS’s kernel, the core part of the operating system. Exploiting this bug can help an attacker elevate their privileges over the OS, enabling them to install programs or gain access to sensitive data. 

Meanwhile, the third vulnerability, CVE-2023-41991, can allow a malicious app to potentially “bypass signature validation,” enabling an attacker to circumvent the security check Apple uses to verify an iOS app is safe and legitimate. 

Recommended by Our Editors

All three vulnerabilities also affect macOS Ventura, with Apple warning, “additional CVE entries coming soon,” a sign that other exploits have been found. 

To update an iPhone, go to Settings > General > Software Update. The device can also…

Source…

Update Your iPhone 15 Before Transferring Data to Avoid Malware Exploits

/in


If you recently purchased an iPhone 15 and are planning to transfer data from your older iPhone using Quick Start, there’s an important step you need to take. Before initiating the data transfer, you should update the software on your iPhone 15 to iOS 17.0.2. This update addresses a serious bug that could potentially allow malware to be installed on your device.

Ideally, your iPhone 15 will prompt you to update to iOS 17.0.2 before starting the data transfer process. However, if you encounter an issue where your iPhone 15 gets stuck on the Apple logo during the iPhone-to-iPhone transfer, you can resolve itconnecting your new iPhone to a Mac or PC and performing a reset to complete the transfer.

For those who are setting up the iPhone 15 as a new device or retrieving data from iCloud instead of using Quick Start, you have the option to update to iOS 17 later on.

It’s worth noting that even if you do not own an iPhone 15, it is still crucial to update your device. Apple has released two updates this week for iOS 17 to fix three zero-day exploits discovered in the operating system. Additionally, updates have been issued for iOS 16, iPadOS, Safari, watchOS, and macOS Ventura and Monterey.

These vulnerabilities could potentially allow an attacker to install malware on an iPhone, granting them unauthorized access to sensitive data and bypassing Apple’s security checks for app safety. The exploits are suspected to have targeted an Egyptian politician running for president.

To restore your iPhone 15 using a computer, follow these steps:

1. Connect your new iPhone to a computer using a cable.
2. Press and quickly release the volume up button, followedthe volume down button. Then, press and hold the side button.
3. Continue holding the side button until the Apple logo appears, and do not release it until an image of a computer and cable is displayed.
4. On your computer, locate your new iPhone in the Finder (on a Mac) or in iTunes (on a PC).
5. When given the option to Restore or Update, choose Restore.

Updating your software and taking necessary precautions will help ensure the security and smooth functioning of your new iPhone 15.

Sources:
– Source article
– Apple.com (for iOS update…

Source…