Tag Archive for: zerodays

Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones


Apple announced on Thursday that its latest operating system updates patch three new zero-day vulnerabilities. Based on the previous work of the organizations credited for reporting the flaws, they have likely been exploited by a spyware vendor.

The zero-days are tracked as CVE-2023-41991, which allows a malicious app to bypass signature verification, CVE-2023-41992, a kernel flaw that allows a local attacker to elevate privileges, and CVE-2023-41993, a WebKit bug that can be exploited for arbitrary code execution by luring the targeted user to a malicious webpage. 

Apple patched some or all of these vulnerabilities in Safari, iOS and iPadOS (including versions 17 and 16), macOS (including Ventura and Monterey), and watchOS.

It’s worth noting that while each of these operating systems is impacted by the zero-days, Apple said it’s only aware of active exploitation targeting iOS versions before 16.7.
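The check a fleet owner wants after an advisory like this is which devices still sit below the fixed build on their own branch, with the iOS/iPadOS versions below 16.7 (the range Apple reported as exploited) split out from the rest. The script below is an added example for this archive, not Apple's code or the article's: the fixed versions in FIXED_VERSIONS are my reading of Apple's 21 September 2023 advisories and should be verified against them, and INVENTORY is constructed sample data in the shape of an MDM export.

```python
"""Fleet check for the September 2023 Apple zero-days
(CVE-2023-41991, CVE-2023-41992, CVE-2023-41993).

Added example; not code from Apple or the article. FIXED_VERSIONS is an
assumption taken from Apple's 21 September 2023 advisories as I recall them;
confirm against the advisory before relying on it. INVENTORY is constructed.
"""

# Platform -> list of (branch, first fixed version). A device is judged
# against the fix on its own branch: a 16.x iPhone needs 16.7, a 17.x one
# needs 17.0.1. Branches not listed (e.g. iOS 15, macOS 11) had no fix in
# these advisories.
FIXED_VERSIONS = {
    "ios":     [((17,), (17, 0, 1)), ((16,), (16, 7))],
    "ipados":  [((17,), (17, 0, 1)), ((16,), (16, 7))],
    "macos":   [((13,), (13, 6)), ((12,), (12, 7))],      # Ventura, Monterey
    "watchos": [((10,), (10, 0, 1)), ((9,), (9, 6, 3))],
}

# Constructed sample inventory: (device id, platform, reported OS version).
INVENTORY = [
    ("iphone-001", "ios", "16.6.1"),
    ("iphone-002", "ios", "16.7"),
    ("iphone-003", "ios", "17.0"),
    ("iphone-004", "ios", "17.0.1"),
    ("iphone-005", "ios", "15.7.9"),
    ("ipad-001", "ipados", "17.0"),
    ("mac-001", "macos", "13.5.2"),
    ("mac-002", "macos", "12.7"),
    ("watch-001", "watchos", "9.6.2"),
]


def parse_version(text):
    """'16.6.1' -> (16, 6, 1). Tuples compare component-wise, and a shorter
    tuple sorts before a longer one sharing its prefix, so (17, 0) < (17, 0, 1)."""
    return tuple(int(part) for part in text.strip().split("."))


def first_fixed_version(platform, version):
    """Fixed version on this device's branch, or None if the advisories
    listed no fix for that branch."""
    for branch, fixed in FIXED_VERSIONS.get(platform.lower(), []):
        if version[:len(branch)] == branch:
            return fixed
    return None


def classify(platform, version_text):
    """Classify one device:
    'patched'       at or above the fixed version on its branch
    'exploited'     iOS/iPadOS below 16.7, the range Apple said was exploited
                    (this includes 15.x, which had no fix in these advisories)
    'vulnerable'    below the fix, no in-the-wild exploitation reported
    'no-fix-listed' a branch these advisories did not fix (e.g. macOS 11)
    """
    version = parse_version(version_text)
    fixed = first_fixed_version(platform, version)
    if fixed is not None and version >= fixed:
        return "patched"
    if platform.lower() in ("ios", "ipados") and version < (16, 7):
        return "exploited"
    if fixed is None:
        return "no-fix-listed"
    return "vulnerable"


def report(inventory=INVENTORY):
    """Group device ids by status, most urgent bucket first."""
    out = {"exploited": [], "vulnerable": [], "no-fix-listed": [], "patched": []}
    for device_id, platform, version_text in inventory:
        out[classify(platform, version_text)].append(device_id)
    return out


if __name__ == "__main__":
    for state, ids in report().items():
        print(f"{state:14s} {', '.join(ids) or '-'}")
```

The branch-aware comparison matters: a device on 17.0 is newer than 16.7 yet still unpatched, and a device on 12.7 is older than 13.5.2 yet patched, so a single global "minimum version" would misclassify both.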

Apple has not shared any information about the attacks exploiting the new vulnerabilities. However, considering that they were reported to the tech giant by researchers at the University of Toronto’s Citizen Lab group and Google’s Threat Analysis Group, they have likely been exploited by a commercial spyware vendor to hack iPhones. 

Citizen Lab and Apple recently investigated attacks involving a zero-day identified as CVE-2023-41064. That security hole, part of a zero-click exploit chain named BlastPass, was used to deliver the NSO Group’s notorious Pegasus spyware to iPhones.

In an attack investigated by Citizen Lab, the spyware was delivered to an employee at an international civil society organization based in Washington DC. 

CVE-2023-41064 is a buffer overflow in the handling of WebP images. The same underlying image library, libwebp, is also used by the Chrome and Firefox web browsers, so Google and Mozilla were also forced to release emergency updates for the bug, which they track as CVE-2023-4863.

Related: Google Links More iOS, Android Zero-Day Exploits to Spyware Vendors

Related: US to Adopt New Restrictions on Using Commercial Spyware

Related: Details Emerge on Israeli Spyware Vendor QuaDream and Its iOS Malware 

Source…

Apple issues emergency patches on three new exploited zero-days


Apple on Thursday moved to patch three zero-day vulnerabilities actively exploited in the wild that security researchers believe are the work of commercial spyware vendors.

This now means Apple has fixed 16 zero-days this year, which security researchers said demonstrates that the popularity of Apple products has made it an attractive target.

In advisories, Apple credited Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group for bringing the latest zero-days to their attention.

“A total of 16 zero-day vulnerabilities in a year is significant,” said Callie Guenther, senior manager, cyber threat research at Critical Start. “Zero-days, by definition, are previously unknown and unpatched vulnerabilities that can be exploited. This high number could suggest that Apple devices, given their popularity and extensive user base, are attractive targets for advanced threat actors.”

Guenther also noted the fact that many of these vulnerabilities were discovered by groups such as the Citizen Lab and Google’s Threat Analysis Group, which often focus on state-sponsored and high-level cyber-espionage campaigns, suggests that Apple devices are being targeted in sophisticated attacks against high-profile individuals.

For example, following a report Sept. 7 by Citizen Lab that an actively exploited zero-click vulnerability was used to deliver NSO Group’s Pegasus mercenary spyware on an Apple device, Apple quickly moved to issue two CVEs to rectify the issue.

The Pegasus spyware developed and distributed by the NSO Group has been widely used by both the private and government sectors across the globe for surveillance purposes against journalists, human and civil rights activists, politicians and other individuals.

The zero-days patched yesterday by Apple include the following:

  • CVE-2023-41993: WebKit browser vulnerabilities. Critical Start’s Guenther said given that WebKit powers Apple’s Safari browser and many iOS apps, a flaw allowing arbitrary code execution can be highly impactful. Malicious web pages can directly impact a broad range of users and potentially compromise sensitive data. NIST reported that this issue was…

Source…

Rigged Software and Zero-Days: North Korean APT Caught Hacking Security Researchers


Google’s threat hunting unit has again intercepted an active North Korean APT actor sliding into the DMs of security researchers and using zero-days and rigged software tools to take control of their computers.

Google’s Threat Analysis Group (TAG) on Thursday outed the government-backed hacking team’s social media accounts and warned that at least one actively exploited zero-day is being used and is currently unpatched.

Using platforms like X (the successor to Twitter) as their initial point of contact, the North Korean threat actor cunningly forged relationships with targeted researchers through prolonged interactions and discussions.

“In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package,” Google explained.

Google did not identify the vulnerable software package.

Google said the zero-day exploit was used to plant shellcode that conducts a series of anti-virtual machine checks and then sends the collected information, along with a screenshot, back to an attacker-controlled command and control domain. 

“The shellcode used in this exploit is constructed in a similar manner to shellcode observed in previous North Korean exploits,” Google said, noting that the security defect has been reported to the affected vendor and is in the process of being patched. 

Google said it is withholding technical details and analysis of the exploits until a patch is available. 

In addition to targeting researchers with zero-day exploits, Google’s malware hunters also caught the APT group distributing a standalone Windows tool that has the stated goal of ‘download debugging symbols from Microsoft, Google, Mozilla and Citrix symbol servers for reverse engineers.’ 

The source code for the utility, first published on GitHub a year ago, has been updated multiple times with features to…

Source…

Microsoft Fixes Six Zero-Days This Patch Tuesday


Microsoft issued a record-breaking 132 new fixes for vulnerabilities this month and detailed six zero-day bugs, including one being actively exploited in attacks against NATO members.

Of the massive haul, nine CVEs were rated “critical,” 37 were remote code execution (RCE) flaws and 33 were elevation of privilege bugs.

Read more on zero-day flaws: Microsoft Fixes Zero-Day Bug This Patch Tuesday

All six of the zero-days are being actively exploited in the wild, with one publicly disclosed. The latter is CVE-2023-36884, an RCE vulnerability impacting Office and Windows HTML. Microsoft warned that it is being used to target organizations attending the NATO summit this week with ransomware and espionage attacks using the RomCom backdoor.

There’s no patch for the vulnerability this month, but Microsoft released mitigations and promised a fix soon.

Another priority for organizations should be CVE-2023-35311, a Microsoft Outlook security feature bypass bug: it is reachable over the network with low attack complexity, requires user interaction, but needs no elevated privileges.

“It’s important to note that this vulnerability specifically allows bypassing Microsoft Outlook security features and does not enable remote code execution or privilege escalation,” explained Action1 co-founder, Mike Walters.

“Therefore, attackers are likely to combine it with other exploits for a comprehensive attack. The vulnerability affects all versions of Microsoft Outlook from 2013 onwards.”

The other zero-day flaws are:

  • CVE-2023-32046: a Windows MSHTML Platform elevation of privilege vulnerability
  • CVE-2023-32049: a Windows SmartScreen security feature bypass vulnerability
  • CVE-2023-36874: a Windows Error Reporting Service elevation of privilege vulnerability
  • ADV230001: new guidance on Microsoft Signed Drivers being used maliciously

On the latter guidance, Ivanti VP of security products, Chris Goettl, explained that several developer accounts for the Microsoft Partner Center (MPC) were discovered submitting malicious drivers to obtain a Microsoft signature.

“All the developer accounts involved in this incident were immediately suspended. Microsoft has released Windows security…

Source…