System – INDIA NEWS (http://www.indiavpn.org), News Blog feed, Thu, 11 Apr 2024 07:28:27 +0000

Apple Updates Spyware Alert System to Warn Victims of Mercenary Attacks
http://www.indiavpn.org/2024/04/11/apple-updates-spyware-alert-system-to-warn-victims-of-mercenary-attacks/
Thu, 11 Apr 2024 07:28:27 +0000

Apr 11, 2024 | Newsroom | Spyware / Cyber Espionage


Apple on Wednesday revised its documentation pertaining to its mercenary spyware threat notification system to mention that it alerts users when they may have been individually targeted by such attacks.

It also specifically called out companies like NSO Group for developing commercial surveillance tools such as Pegasus that are used by state actors to pull off “individually targeted attacks of such exceptional cost and complexity.”

“Though deployed against a very small number of individuals — often journalists, activists, politicians, and diplomats — mercenary spyware attacks are ongoing and global,” Apple said.

“The extreme cost, sophistication, and worldwide nature of mercenary spyware attacks makes them some of the most advanced digital threats in existence today.”

The update marks a change in wording that previously said these “threat notifications” are designed to inform and assist users who may have been targeted by state-sponsored attackers.

According to TechCrunch, Apple is said to have sent threat notifications to iPhone users in 92 countries at 12:00 p.m. PST on Wednesday, coinciding with the revision to the support page.


It’s worth noting that Apple began sending threat notifications to warn users it believes have been targeted by state-sponsored attackers in November 2021.

However, the company also makes it a point to emphasize that it does not “attribute the attacks or resulting threat notifications” to any particular threat actor or geographical region.

The development comes amid continued efforts by governments around the world to counter the misuse and proliferation of commercial spyware.

Last month, the U.S. government said Finland, Germany, Ireland, Japan, Poland, and South Korea had joined an inaugural group of 11 countries working to develop safeguards against the abuse of invasive surveillance technology.

“Commercial spyware has been misused across the world by authoritarian regimes and in democracies […] without proper legal authorization, safeguards, or oversight,” the governments said in a joint statement.


“The misuse of these tools presents significant and growing risks to our national security, including to the safety and security of our government personnel, information, and information systems.”

According to a recent report published by Google’s Threat Analysis Group (TAG) and Mandiant, commercial surveillance vendors were behind the in-the-wild exploitation of a significant share of the 97 zero-day vulnerabilities discovered in 2023.

All the vulnerabilities attributed to spyware companies targeted web browsers – particularly flaws in third-party libraries that affect more than one browser and substantially increase the attack surface – and mobile devices running Android and iOS.


“Private sector firms have been involved in discovering and selling exploits for many years, but we have observed a notable increase in exploitation driven by these actors over the past several years,” the tech giant said.

“Threat actors are increasingly leveraging zero-days, often for the purposes of evasion and persistence, and we don’t expect this activity to decrease anytime soon.”

Google also said that increased security investments into exploit mitigations are affecting the types of vulnerabilities threat actors can weaponize in their attacks, forcing them to bypass several security guardrails (e.g., Lockdown Mode and MiraclePtr) to infiltrate target devices.

NIST Warns of Security and Privacy Risks from Rapid AI System Deployment
http://www.indiavpn.org/2024/01/08/nist-warns-of-security-and-privacy-risks-from-rapid-ai-system-deployment/
Mon, 08 Jan 2024 10:57:45 +0000

Jan 08, 2024 | Newsroom | Artificial Intelligence / Cyber Security


The U.S. National Institute of Standards and Technology (NIST) is calling attention to the privacy and security challenges that arise as a result of increased deployment of artificial intelligence (AI) systems in recent years.

“These security and privacy challenges include the potential for adversarial manipulation of training data, adversarial exploitation of model vulnerabilities to adversely affect the performance of the AI system, and even malicious manipulations, modifications or mere interaction with models to exfiltrate sensitive information about people represented in the data, about the model itself, or proprietary enterprise data,” NIST said.

As AI systems become integrated into online services at a rapid pace, in part driven by the emergence of generative AI systems like OpenAI ChatGPT and Google Bard, the models powering these technologies face a number of threats at various stages of the machine learning lifecycle.


These include corrupted training data, security flaws in the software components, data model poisoning, supply chain weaknesses, and privacy breaches arising as a result of prompt injection attacks.

“For the most part, software developers need more people to use their product so it can get better with exposure,” NIST computer scientist Apostol Vassilev said. “But there is no guarantee the exposure will be good. A chatbot can spew out bad or toxic information when prompted with carefully designed language.”

The attacks, which can have significant impacts on availability, integrity, and privacy, are broadly classified as follows:

  • Evasion attacks, which aim to generate adversarial output after a model is deployed
  • Poisoning attacks, which target the training phase of the algorithm by introducing corrupted data
  • Privacy attacks, which aim to glean sensitive information about the system or the data it was trained on by posing questions that circumvent existing guardrails
  • Abuse attacks, which aim to compromise legitimate sources of information, such as a web page with incorrect pieces of information, to repurpose the system’s intended use

Such attacks, NIST said, can be carried out by threat actors with full knowledge of the AI system (white-box), minimal knowledge of it (black-box), or partial knowledge of some of its aspects (gray-box).


The agency further noted the lack of robust mitigation measures to counter these risks, urging the broader tech community to “come up with better defenses.”

The development arrives more than a month after the U.K., the U.S., and international partners from 16 other countries released guidelines for the development of secure artificial intelligence (AI) systems.

“Despite the significant progress AI and machine learning have made, these technologies are vulnerable to attacks that can cause spectacular failures with dire consequences,” Vassilev said. “There are theoretical problems with securing AI algorithms that simply haven’t been solved yet. If anyone says differently, they are selling snake oil.”

Critical Zero-Day in Apache OFBiz ERP System Exposes Businesses to Attack
http://www.indiavpn.org/2023/12/27/critical-zero-day-in-apache-ofbiz-erp-system-exposes-businesses-to-attack/
Wed, 27 Dec 2023 16:57:11 +0000

Dec 27, 2023 | Newsroom | Zero-Day / Vulnerability


A new zero-day security flaw has been discovered in Apache OFBiz, an open-source Enterprise Resource Planning (ERP) system, that could be exploited to bypass authentication protections.

The vulnerability, tracked as CVE-2023-51467, resides in the login functionality and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was released earlier this month.

“The security measures taken to patch CVE-2023-49070 left the root issue intact and therefore the authentication bypass was still present,” the SonicWall Capture Labs threat research team, which discovered the bug, said in a statement shared with The Hacker News.


CVE-2023-49070 refers to a pre-authenticated remote code execution flaw impacting versions prior to 18.12.10 that, when successfully exploited, could allow threat actors to gain full control over the server and siphon sensitive data. It stems from a deprecated XML-RPC component within Apache OFBiz.

According to SonicWall, CVE-2023-51467 could be triggered using empty and invalid USERNAME and PASSWORD parameters in an HTTP request to return an authentication success message, effectively circumventing the protection and enabling a threat actor to access otherwise unauthorized internal resources.


The attack hinges on the fact that the parameter “requirePasswordChange” is set to “Y” (i.e., yes) in the URL, causing the authentication to be trivially bypassed regardless of the values passed in the username and password fields.

“The vulnerability allows attackers to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF),” according to a description of the flaw on the NIST National Vulnerability Database (NVD).

Users who rely on Apache OFBiz are advised to update to version 18.12.11 or later as soon as possible to mitigate any potential threats.
