Tag Archive for: zerodays

Apple Fixes Multiple 4-Year-Old Zero-Days

Bugs Exploited to Install Spyware and Remotely Execute Code in Some Cases

Apple has fixed multiple zero-days that had been actively exploited since 2019 to infect iOS devices with a spyware implant dubbed TriangleDB, delivered via zero-click iMessage exploits.

The flaws tracked as CVE-2023-32434 and CVE-2023-32435, for which patches were released, arose from integer overflow and memory corruption issues, respectively. Attackers could exploit the flaws to gain arbitrary code execution, the smartphone giant said in its Wednesday security update.

The latest patch addressed flaws in iOS, iPadOS, macOS, watchOS and the Safari browser. Kaspersky security researchers Georgy Kucherin, Leonid Bezvershenko and Boris Larin are credited with reporting the vulnerabilities to Apple.

Apple also addressed a third, anonymously reported zero-day tracked as CVE-2023-32439, which can result in arbitrary code execution when processing maliciously crafted web content.

TriangleDB Zero-Click Spyware

Apple’s attribution to Kaspersky came after the Russian cybersecurity firm said earlier this month that it had discovered a campaign dubbed “Operation Triangulation,” in which an APT group launched zero-click iMessage exploits against iOS-powered devices on its corporate network to drop spyware (see: Kaspersky Discloses Apple Zero-Click Malware).

In a blog post by Kaspersky on Wednesday, researchers disclosed technical details of the TriangleDB…

Source…

Apple Zero-Days, iMessage Used in 4-Year, Ongoing Spying Effort


For at least the past four years, an advanced persistent threat (APT) actor has been covertly stealing information from iOS devices belonging to an unknown number of victims, using a zero-click exploit delivered via iMessage. Russia’s top intelligence apparatus, the Federal Security Service of the Russian Federation (FSB), is alleging that the attacks are the work of the National Security Agency (NSA) in the United States, and that they have affected thousands of Russian diplomats and others. So far, there’s no evidence to support those claims.

What can be confirmed is the fact that researchers from Kaspersky discovered the malware after spotting suspicious activity originating from dozens of infected iOS phones on its own corporate Wi-Fi network. The company’s ongoing investigation of the campaign — which is still active, researchers stressed — showed the malware is quietly transmitting microphone recordings, photos from instant messages, the user’s geolocation and other private data about the owner to remote command-and-control (C2) servers.

Kaspersky said that it’s “quite confident” that the company was not the sole target of Operation Triangulation, as it has dubbed the campaign. The security vendor is currently working with other researchers and national computer emergency response teams to understand the full scope of the attack and notes that for now, attribution is difficult. 

“We’re awaiting further information from our colleagues from national CERTs and the cybersecurity community to understand the real exposure of this espionage campaign,” Igor Kuznetsov, head of the EEMEA unit at the Kaspersky Global Research and Analysis Team, tells Dark Reading. “Although not certain, we believe that the attack was not targeted specifically at Kaspersky; the company’s just the first to discover it.”

He adds, “Judging by the cyberattack characteristics, we’re unable to link this cyberespionage campaign to any existing threat actor.”

Further, “It’s very hard to attribute anything to anyone,” Kuznetsov told Reuters in specific response to Russia’s US spying allegations.

Russia’s Claims of US Spy Plot

For its part, the FSB said in a media statement that the spyware…

Source…

Apple Ships Urgent iOS Patch for Newly Exploited Zero-Days


Apple on Friday pushed out a major iOS security update to fix a pair of zero-day vulnerabilities already being exploited in the wild.

The newest iOS 16.4.1 and iPadOS 16.4.1 updates cover code execution software flaws in IOSurfaceAccelerator and WebKit, suggesting a complex exploit chain was detected in the wild hitting the latest iPhone devices.

“Apple is aware of a report that this issue may have been actively exploited,” Cupertino says in a barebones advisory that credits Google and Amnesty International with reporting the issue.

The advisory documents two separate issues — CVE-2023-28205 and CVE-2023-28206 — that expose iPhones and iPads to arbitrary code execution attacks.

Apple described the IOSurfaceAccelerator flaw as an out-of-bounds write issue that was addressed with improved input validation.

The WebKit bug, which has already been exploited via web content to execute arbitrary code with kernel privileges, has been fixed with improved memory management.

The company did not say if the newly discovered exploits are capable of bypassing the Lockdown Mode feature that Apple shipped to deter these types of attacks.

The iOS patch comes alongside news from Google that commercial spyware vendors are burning through zero-days to infect mobile devices with surveillance malware.

In one of the two campaigns described by Google this week, an attack started with a link sent to the targeted user via SMS. When clicked, the link took the victim to malicious websites delivering Android or iOS exploits, depending on the target’s device. Once the exploits were delivered, victims were redirected to legitimate websites, likely in an effort to avoid raising suspicion.

The iOS exploit chain also hit a WebKit vulnerability (CVE-2022-42856) that Apple patched in iPhones in December 2022. Attacks also involved a Pointer Authentication (PAC) bypass technique, and an exploit for CVE-2021-30900, a sandbox escape and privilege escalation vulnerability that Apple patched in iOS in 2021. 

So far this year, there have been at least 24 documented zero-day vulnerabilities exploited in the wild prior to discovery.

Source…

Threat actors linked to nation-states exploited zero-days the most in 2022


Threat groups with ties to nation-states were the driving force behind exploiting zero-day vulnerabilities last year, according to a new report by cybersecurity firm Mandiant.

Cyberespionage groups linked to China were responsible for over 50% of the exploits in 2022 that the firm said it could confidently track to 13 advanced persistent threat groups (APTs), followed by Russia and North Korea. Overall, groups with links to nation-states accounted for 80% of the zero-day exploits.

Groups with ties to China led the pack with seven known vulnerabilities exploited last year, while Russia and North Korea were tied with two each. Four zero-days were tied to financially motivated actors, 75% of them likely used by ransomware groups.

The total number of 55 zero-day vulnerabilities exploited last year is down 26 from the record 81 Mandiant tracked in 2021, but that figure is still triple the 2020 total.

Mandiant considers a vulnerability to be a zero-day if it was exploited in the wild before a patch was made publicly available. The report examined zero-day events identified by Mandiant, combined with reporting from open sources.

Mandiant researchers highlighted three Chinese-linked APT campaigns exploiting the Follina vulnerability (CVE-2022-30190), as well as FortiOS vulnerabilities (CVE-2022-42475 and CVE-2022-41328) for their focus on enterprise networking and security devices.

Because of their ubiquity, zero-days in Microsoft, Google and Apple products were used the most to gain elevated privileges or achieve remote code execution (RCE). Microsoft vulnerabilities led the pack with 18, followed by Google (10 vulnerabilities) and Apple (9 vulnerabilities).

Operating systems (OS) were the most exploited product category at 19, followed by browsers (11); security, IT and network management products (10); and mobile OS (6).

Windows was by far the most exploited OS with 15 vulnerabilities, followed by Apple’s macOS with four. Google’s Chrome was the most exploited browser, accounting for nine of the 11 browser vulnerabilities.

Source…