Apr 11, 2024NewsroomSpyware / Cyber Espionage

Apple on Wednesday revised its documentation pertaining to its mercenary spyware threat notification system to mention that it alerts users when they may have been individually targeted by such attacks.

It also specifically called out companies like NSO Group for developing commercial surveillance tools such as Pegasus that are used by state actors to pull off “individually targeted attacks of such exceptional cost and complexity.”

“Though deployed against a very small number of individuals — often journalists, activists, politicians, and diplomats — mercenary spyware attacks are ongoing and global,” Apple said.

“The extreme cost, sophistication, and worldwide nature of mercenary spyware attacks makes them some of the most advanced digital threats in existence today.”

The update marks a change in wording that previously said these “threat notifications” are designed to inform and assist users who may have been targeted by state-sponsored attackers.

According to TechCrunch, Apple is said to have sent threat notifications to iPhone users in 92 countries at 12:00 p.m. PST on Wednesday coinciding with the revision to the support page.

It’s worth noting that Apple began sending threat notifications to warn users it believes have been targeted by state-sponsored attackers starting November 2021.

However, the company also makes it a point to emphasize that it does not “attribute the attacks or resulting threat notifications” to any particular threat actor or geographical region.

The development comes amid continued efforts by governments around the world to counter the misuse and proliferation of commercial spyware.

Last month, the U.S. government said Finland, Germany, Ireland, Japan, Poland, and South Korea had joined an inaugural group of 11 countries working to develop safeguards against the abuse of invasive surveillance technology.

“Commercial spyware has been misused across the world by authoritarian regimes and in democracies […] without proper legal authorization, safeguards, or oversight,” the governments said in a joint statement.

“The misuse of these tools presents significant and growing risks to our national security, including to the safety and security of our government personnel, information, and information systems.”

According to a recent report published by Google’s Threat Analysis Group (TAG) and Mandiant, commercial surveillance vendors were behind the in-the-wild exploitation of a chunk of the 97 zero-day vulnerabilities discovered in 2023.

All the vulnerabilities attributed to spyware companies targeted web browsers – particularly flaws in third-party libraries that affect more than one browser and substantially increase the attack surface – and mobile devices running Android and iOS.

“Private sector firms have been involved in discovering and selling exploits for many years, but we have observed a notable increase in exploitation driven by these actors over the past several years,” the tech giant said.

“Threat actors are increasingly leveraging zero-days, often for the purposes of evasion and persistence, and we don’t expect this activity to decrease anytime soon.”

Google also said that increased security investments into exploit mitigations are affecting the types of vulnerabilities threat actors can weaponize in their attacks, forcing them to bypass several security guardrails (e.g., Lockdown Mode and MiraclePtr) to infiltrate target devices.

Mar 13, 2024NewsroomPatch Tuesday / Software Update

Microsoft on Tuesday released its monthly security update, addressing 61 different security flaws spanning its software, including two critical issues impacting Windows Hyper-V that could lead to denial-of-service (DoS) and remote code execution.

Of the 61 vulnerabilities, two are rated Critical, 58 are rated Important, and one is rated Low in severity. None of the flaws are listed as publicly known or under active attack at the time of the release, but six of them have been tagged with an “Exploitation More Likely” assessment.

The fixes are in addition to 17 security flaws that have been patched in the company’s Chromium-based Edge browser since the release of the February 2024 Patch Tuesday updates.

Topping the list of critical shortcomings are CVE-2024-21407 and CVE-2024-21408, which affect Hyper-V and could result in remote code execution and a DoS condition, respectively.

Microsoft’s update also addresses privilege escalation flaws in the Azure Kubernetes Service Confidential Container (CVE-2024-21400, CVSS score: 9.0), Windows Composite Image File System (CVE-2024-26170, CVSS score: 7.8), and Authenticator (CVE-2024-21390, CVSS score: 7.1).

Successful exploitation of CVE-2024-21390 requires the attacker to have a local presence on the device either via malware or a malicious application already installed via some other means. It also necessitates that the victim closes and re-opens the Authenticator app.

“Exploitation of this vulnerability could allow an attacker to gain access to multi-factor authentication codes for the victim’s accounts, as well as modify or delete accounts in the authenticator app but not prevent the app from launching or running,” Microsoft said in an advisory.

“While exploitation of this flaw is considered less likely, we know that attackers are keen to find ways to bypass multi-factor authentication,” Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.

“Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”

Another vulnerability of note is a privilege escalation bug in the Print Spooler component (CVE-2024-21433, CVSS score: 7.0) that could permit an attacker to obtain SYSTEM privileges but only upon winning a race condition.

The update also plugs a remote code execution flaw in Exchange Server (CVE-2024-26198, CVSS score: 8.8) that an unauthenticated threat actor could abuse by placing a specially crafted file onto an online directory and tricking a victim into opening it, resulting in the execution of malicious DLL files.

The vulnerability with the highest CVSS rating is CVE-2024-21334 (CVSS score: 9.8), which concerns a case of remote code execution affecting the Open Management Infrastructure (OMI).

“A remote unauthenticated attacker could access the OMI instance from the Internet and send specially crafted requests to trigger a use-after-free vulnerability,” Redmond said.

“The first quarter of Patch Tuesday in 2024 has been quieter compared to the last four years,” Narang said. “On average, there were 237 CVEs patched in the first quarter from 2020 through 2023. In the first quarter of 2024, Microsoft only patched 181 CVEs. The average number of CVEs patched in March over the last four years was 86.”

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

Mar 06, 2024NewsroomVulnerability / Zero Day

Apple has released security updates to address several security flaws, including two vulnerabilities that it said have been actively exploited in the wild.

The shortcomings are listed below –

• CVE-2024-23225 – A memory corruption issue in Kernel that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections

• CVE-2024-23296 – A memory corruption issue in the RTKit real-time operating system (RTOS) that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections

It’s currently not clear how the flaws are being weaponized in the wild. Apple said both the vulnerabilities were addressed with improved validation in iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6.

The updates are available for the following devices –

• iOS 16.7.6 and iPadOS 16.7.6 – iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

• iOS 17.4 and iPadOS 17.4 – iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

With the latest development, Apple has addressed a total of three actively exploited zero-days in its software since the start of the year. In late January 2024, it plugged a type confusion flaw in WebKit (CVE-2024-23222) impacting iOS, iPadOS, macOS, tvOS, and Safari web browser that could result in arbitrary code execution.

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two flaws to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply necessary updates by March 26, 2024.

The vulnerabilities concern an information disclosure flaw affecting Android Pixel devices (CVE-2023-21237) and an operating system command injection flaw in Sunhillo SureLine that could result in code execution with root privileges (CVE-2021-36380).

Google, in an advisory published in June 2023, acknowledged it found indications that “CVE-2023-21237 may be under limited, targeted exploitation.” As for CVE-2021-36380, Fortinet revealed late last year that a Mirai botnet called IZ1H9 was leveraging the flaw to corral susceptible devices into a DDoS botnet.

Jan 30, 2024NewsroomVulnerability / Network Security

Juniper Networks has released out-of-band updates to address high-severity flaws in SRX Series and EX Series that could be exploited by a threat actor to take control of susceptible systems.

The vulnerabilities, tracked as CVE-2024-21619 and CVE-2024-21620, are rooted in the J-Web component and impact all versions of Junos OS. Two other shortcomings, CVE-2023-36846 and CVE-2023-36851, were previously disclosed by the company in August 2023.

• CVE-2024-21619 (CVSS score: 5.3) – A missing authentication vulnerability that could lead to exposure of sensitive configuration information
• CVE-2024-21620 (CVSS score: 8.8) – A cross-site scripting (XSS) vulnerability that could lead to the execution of arbitrary commands with the target’s permissions by means of a specially crafted request

Cybersecurity firm watchTowr Labs has been credited with discovering and reporting the issues. The two vulnerabilities have been addressed in the following versions –

• CVE-2024-21619 – 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3, 23.2R1-S2, 23.2R2, 23.4R1, and all subsequent releases
• CVE-2024-21620 – 20.4R3-S10, 21.2R3-S8, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3-S1, 23.2R2, 23.4R2, and all subsequent releases

As temporary mitigations until the fixes are deployed, the company is recommending that users disable J-Web or restrict access to only trusted hosts.

It’s worth noting that both CVE-2023-36846 and CVE-2023-36851 were added to the Known Exploited Vulnerabilities (KEV) catalog in November 2023 by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), based on evidence of active exploitation.

Earlier this month, Juniper Networks also shipped fixes to contain a critical vulnerability in the same products (CVE-2024-21591, CVSS score: 9.8) that could enable an attacker to cause a denial-of-service (DoS) or remote code execution and obtain root privileges on the device.

A previously undocumented China-aligned threat actor has been linked to a set of adversary-in-the-middle (AitM) attacks that hijack update requests from legitimate software to deliver a sophisticated implant named NSPX30.

Slovak cybersecurity firm ESET is tracking the advanced persistent threat (APT) group under the name Blackwood. It’s said to be active since at least 2018.

The NSPX30 implant has been observed deployed via the update mechanisms of known software such as Tencent QQ, WPS Office, and Sogou Pinyin, with the attacks targeting Chinese and Japanese manufacturing, trading, and engineering companies as well as individuals located in China, Japan, and the U.K.

“NSPX30 is a multistage implant that includes several components such as a dropper, an installer, loaders, an orchestrator, and a backdoor,” security researcher Facundo Muñoz said. “Both of the latter two have their own sets of plugins.”

“The implant was designed around the attackers’ capability to conduct packet interception, enabling NSPX30 operators to hide their infrastructure.”

The origins of the backdoor, which is also capable of bypassing several Chinese anti-malware solutions by allowlisting itself, can be traced to another malware from January 2005 codenamed Project Wood, which is designed to harvest system and network information, record keystrokes, and take screenshots from victim systems.

Project Wood’s codebase has acted as the foundation for several implants, including spawning variants like DCM (aka Dark Specter) in 2008, with the malware subsequently used in attacks targeting individuals of interest in Hong Kong and the Greater China area in 2012 and 2014.

NSPX30, the latest iteration of the implant, is delivered when attempts to download software updates from legitimate servers using the (unencrypted) HTTP protocol results in a system compromise, paving the way for the deployment of a dropper DLL file.

The malicious dropper deployed as part of the compromised update process creates several files on disk and executes “RsStub.exe,” a binary associated with the Rising Antivirus software so as to launch “comx3.dll” by taking advantage of the fact the former is susceptible to DLL side-loading.

“comx3.dll” functions as a loader to execute a third file named “comx3.dll.txt,” which is an installer library responsible for activating the next-stage attack chain that culminates in the execution of the orchestrator component (“WIN.cfg”).

It’s currently not known how the threat actors deliver the dropper in the form of malicious updates, but Chinese threat actors like BlackTech, Evasive Panda, and Mustang Panda have leveraged compromised routers as a channel to distribute malware in the past.

ESET speculates that the attackers “are deploying a network implant in the networks of the victims, possibly on vulnerable network appliances such as routers or gateways.”

“The fact that we found no indications of traffic redirection via DNS might indicate that when the hypothesized network implant intercepts unencrypted HTTP traffic related to updates, it replies with the NSPX30 implant’s dropper in the form of a DLL, an executable file, or a ZIP archive containing the DLL.”

The orchestrator then proceeds to create two threads, one to obtain the backdoor (“msfmtkl.dat”) and another to load its plugins and add exclusions to allowlist the loader DLLs to bypass Chinese anti-malware solutions.

The backdoor is downloaded via an HTTP request to Baidu’s website www.baidu[.]com, a legitimate Chinese search engine, with an unusual User-Agent string that masquerades the request as originating from the Internet Explorer browser on Windows 98.

The response from the server is then saved to a file from which the backdoor component is extracted and loaded into memory.

NSPX30, as part of its initialization phase, also creates a passive UDP listening socket for receiving commands from the controller and exfiltrating data by likely intercepting DNS query packets in order to anonymize its command-and-control (C2) infrastructure.

The instructions allow the backdoor to create a reverse shell, collect file information, terminate specific processes, capture screenshots, log keystrokes, and even uninstall itself from the infected machine.

The disclosure comes weeks after SecurityScorecard revealed new infrastructure connected to another Beijing-nexus cyber espionage group known as Volt Typhoon (aka Bronze Silhouette) that leverages a botnet created by exploiting known security flaws in end-of-life Cisco RV320/325 routers (CVE-2019-1652 and CVE-2019-1653) operating across Europe, North America, and Asia Pacific.

“Approximately 30% of them (325 of 1,116 devices) communicated with two IP addresses previously named as proxy routers used for command-and-control (C2) communications, 174.138.56[.]21 and 159.203.113[.]25, in a thirty-day period,” the company said.

“Volt Typhoon may aim to use these compromised devices to transfer stolen data or connect to target organizations’ networks.”