The issue was addressed with improved checks. This issue is fixed in watchOS 9.6, iOS 16.6 and iPadOS 16.6, Safari 16.5.2, macOS Ventura 13.5, tvOS 16.6. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

This document describes the security content of Safari 16.5.2.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**Safari 16.5.2**

Released July 10, 2023

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved checks.

CVE-2023-37450: an anonymous researcher

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: July 10, 2023

CVE-2023-37450: About the security content of Safari 16.5.2

Apple Security Advisory 2023-07-24-8 - watchOS 9.6 addresses bypass, code execution, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-07-24-8 watchOS 9.6

watchOS 9.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213848.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Apple Neural Engine  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-38136: Mohamed GHANNAM (@_simo36)  
CVE-2023-38580: Mohamed GHANNAM (@_simo36)

Find My  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A logic issue was addressed with improved restrictions.  
CVE-2023-32416: Wojciech Regula of SecuRing (wojciechregula.blog)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-32734: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.  
CVE-2023-32441: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs SG  
Pte. Ltd.

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-32381: an anonymous researcher  
CVE-2023-32433: Zweig of Kunlun Lab  
CVE-2023-35993: Kaitao Xie and Xiaolong Bai of Alibaba Group

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to modify sensitive kernel state. Apple is  
aware of a report that this issue may have been actively exploited  
against versions of iOS released before iOS 15.7.1.  
Description: This issue was addressed with improved state management.  
CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin  
(@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of  
Kaspersky

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to gain root privileges  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2023-38565: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to cause a denial-of-service  
Description: A logic issue was addressed with improved checks.  
CVE-2023-38593: Noah Roskin-Frazee

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: A website may be able to bypass Same Origin Policy  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256549  
CVE-2023-38572: Narendra Bhati (twitter.com/imnarendrabhati) of Suma  
Soft Pvt. Ltd, Pune - India

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256865  
CVE-2023-38594: Yuhao Hu  
WebKit Bugzilla: 256573  
CVE-2023-38595: an anonymous researcher, Jiming Wang, Jikai Ren  
WebKit Bugzilla: 257387  
CVE-2023-38600: Anonymous working with Trend Micro Zero Day Initiative

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 258058  
CVE-2023-38611: Francisco Alonso (@revskills)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution.  
Apple is aware of a report that this issue may have been actively  
exploited.  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 259231  
CVE-2023-37450: an anonymous researcher

WebKit Web Inspector  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256932  
CVE-2023-38133: YeongHyeon Choi (@hyeon101010)

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmS/FLoACgkQ4RjMIDke  
NxmzaQ/8DN0im3Y0iJRoYgBwW5xNTUn6ewcO2BzHGWV/3vTWq6gip2V2cWCJ6lKS  
FTlP2n0+pRsk23WLWRJNzmAETVVB1UfVgzDvx9sc2aw07DpiCLVdoZr3wLxrKK3r  
67j2hTjRc8SDkjKrNCJKvjS0MO1FOje0FoCrtRP9inu32QTHXj7Rg/0iDqH+4tVS  
tbLxaomTMHjd8xL2X6nHCteofCx9nJvRKymlxJi7bCHQtHKyrAR3DnFjpG9Jxk38  
UeOTMwhmQN2r44e9CBj0vxf2WroYE0qiofXJP0x3zTQnS72z7BFfRf9kGnDGKGes  
GmQrh4+nG8tsr3Neo1rongITM7JYxl8uIuNxjNaRGjRpgb6RYk4TOgAhtTPv48NP  
QRbcq9opzVQcBU74/jGripIWxIDDuZaaLav6kxvAAJinCiaTmB9fE2ldDqxjEInS  
4N8F8JsONRrjeydOrhqC/9cDWeGpLUImv74qvLZmyaa2qmsyM6WWxY8mGxZL2oBN  
2xQUEr2BH53YgM0z3VnQhtnLImKA6ONZC6eNSgVcjJVU5Yp3fSRtvZsX8Y6ZDCzw  
R5KX0z6yrOmIpgdKI+Ejm59EIVFveVXflv6zZrfj7uoIZZ9mbv8iL0qzSDl+ExcB  
NkuagC5WyORhFPTdG1D3mNcBNiZhr+XLRQNoZhfd0KqEoeXphko=  
=SnKr  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-07-24-8

Apple Security Advisory 2023-07-24-7 - tvOS 16.6 addresses bypass, code execution, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-07-24-7 tvOS 16.6

tvOS 16.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213846.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Kernel  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-32734: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.  
CVE-2023-32441: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs SG  
Pte. Ltd.

Kernel  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to modify sensitive kernel state. Apple is  
aware of a report that this issue may have been actively exploited  
against versions of iOS released before iOS 15.7.1.  
Description: This issue was addressed with improved state management.  
CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin  
(@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of  
Kaspersky

Kernel  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-32381: an anonymous researcher  
CVE-2023-32433: Zweig of Kunlun Lab  
CVE-2023-35993: Kaitao Xie and Xiaolong Bai of Alibaba Group

WebKit  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: A website may be able to bypass Same Origin Policy  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256549  
CVE-2023-38572: Narendra Bhati (twitter.com/imnarendrabhati) of Suma  
Soft Pvt. Ltd, Pune - India

WebKit  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256865  
CVE-2023-38594: Yuhao Hu  
WebKit Bugzilla: 256573  
CVE-2023-38595: an anonymous researcher, Jiming Wang, and Jikai Ren  
WebKit Bugzilla: 257387  
CVE-2023-38600: Anonymous working with Trend Micro Zero Day Initiative

WebKit  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 258058  
CVE-2023-38611: Francisco Alonso (@revskills)

WebKit  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing web content may lead to arbitrary code execution.  
Apple is aware of a report that this issue may have been actively  
exploited.  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 259231  
CVE-2023-37450: an anonymous researcher

WebKit Web Inspector  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256932  
CVE-2023-38133: YeongHyeon Choi (@hyeon101010)

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmS/FLkACgkQ4RjMIDke  
Nxl5gRAA2z3qtF2NRTBpmW0GNmtwVB33PZUckSabe97M/lPYixnESGT30TbaQw8C  
u+aQrUoy5/WWJoXMGmIN6qVAstkWgXIbwV9oH113J5i2gHJrTDP0QPd2wUnd9jNz  
8mcjzlo52CE0h+ZzQqzsu/CItiTLpPQctoy8DAlx6GFibVikUTgXkOsEXw6iPPgQ  
c5ouEb9rSidOeYGjaRjXoDRtBT8FWxpC3bWietSxHcIVYq/ThMGcOMpzJiTBjjCV  
oiq8te/4G/YZgqhweMSuLh4eZWNP9mQOBrPd1h0DD5WtkqjGlMpMYE2CAIYGfaUR  
aWwxZV534ilZr1IzRSgmqt0d4C/7Jk69RsM6h3KhUSd87zMgNV6AS1khUEEzXNp5  
tGyw4EQ+FGr4hzJtYmVx+8g5kfH00JyrcAiuALj9lska4ZPWcz7WnS0+R4GsDaw6  
tjEeXa5VJJi5KnBDNhml0QXd99cADI/mqz5/LL+SLPNFn1/5k+A6Qbj19nbx9UBp  
oVfA0+LDHfUlt+pC75jwHqoV/4X/UOoAAER3yjkz4SNHCeqfD7ZzwhIg/x2+YcyS  
BRVdo+8xe4ckC2lkkt6Sa7EUt7G4nmIyE2RhPYxjVpUwbv7MzRSXFz0TX5p+vk4K  
pwNhnGty7Vc8FMhT1iH+MmpkgYiev5pAzAfw+oetoQQ3NElCCAs=  
=+SMD  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-07-24-7

Apple Security Advisory 2023-07-24-6 - macOS Big Sur 11.7.9 addresses code execution, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-07-24-6 macOS Big Sur 11.7.9

macOS Big Sur 11.7.9 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213845.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Assets  
Available for: macOS Big Sur  
Impact: An app may be able to modify protected parts of the file system  
Description: This issue was addressed with improved data protection.  
CVE-2023-35983: Mickey Jin (@patch1t)

curl  
Available for: macOS Big Sur  
Impact: Multiple issues in curl  
Description: Multiple issues were addressed by updating curl.  
CVE-2023-28319  
CVE-2023-28320  
CVE-2023-28321  
CVE-2023-28322

Grapher  
Available for: macOS Big Sur  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
CVE-2023-36854: Bool of YunShangHuaAn(云上华安)  
CVE-2023-32418: Bool of YunShangHuaAn(云上华安)

Kernel  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-32381: an anonymous researcher  
CVE-2023-32433: Zweig of Kunlun Lab  
CVE-2023-35993: Kaitao Xie and Xiaolong Bai of Alibaba Group

Kernel  
Available for: macOS Big Sur  
Impact: An app may be able to modify sensitive kernel state. Apple is  
aware of a report that this issue may have been actively exploited  
against versions of iOS released before iOS 15.7.1.  
Description: This issue was addressed with improved state management.  
CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin  
(@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of  
Kaspersky

Kernel  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-32441: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs SG  
Pte. Ltd.

libxpc  
Available for: macOS Big Sur  
Impact: An app may be able to gain root privileges  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2023-38565: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxpc  
Available for: macOS Big Sur  
Impact: An app may be able to cause a denial-of-service  
Description: A logic issue was addressed with improved checks.  
CVE-2023-38593: Noah Roskin-Frazee

OpenLDAP  
Available for: macOS Big Sur  
Impact: A remote user may be able to cause a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-2953: Sandipan Roy

PackageKit  
Available for: macOS Big Sur  
Impact: An app may be able to access user-sensitive data  
Description: A logic issue was addressed with improved restrictions.  
CVE-2023-38259: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Big Sur  
Impact: An app may be able to modify protected parts of the file system  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-38602: Arsenii Kostromin (0x3c3e)

sips  
Available for: macOS Big Sur  
Impact: Processing a file may lead to a denial-of-service or potentially  
disclose memory contents  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-32443: David Hoyt of Hoyt LLC

Additional recognition

Mail  
We would like to acknowledge Parvez Anwar for their assistance.

macOS Big Sur 11.7.9 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmS/FLgACgkQ4RjMIDke  
NxnD5BAAm2dEYn2sNcYgfMiJ7QLm77m62IXpHor8GU3x9rymlvlrIygh+Q8SKlR5  
SYsMFt+MOC2F2x8l3DdMn0FxCHyeJ0mRAsaLswhDDGKr8bh6cheCrkCqRFD+QCad  
Wrq+M0KskZZCPYeQ2Cvdf6Mu9laflNiw2+ORypLvHwESwfIEiiQD8mUBLNEhzplB  
wcysp4Zd7Z4SPq3i9zjS0+z0f3FdjHHJAyK5948A5ROtckuFFJUOm1SvWbgU5K9+  
OymJ8oFIXliTT/XK6Y8rH8EHqXg7/XFadrZ4FsyTDqY4AxlBfnH35f57Tyctro+J  
cv2fL1R7Jr/fzF2csMtOAnIrFIf2crCr3zhrqP9/v1TT+m9VkWAJCcv81AMwGixw  
jSWc1iDwMSWSFzkg1+sHdYU/XwimfLcDo/vX3Bc/4cEbS5bUtk01mOlh17s2Lzej  
/aJgM2TEKUU2QPEbPwh/THMKfWvsDEvlFPZFknnpPaKUfKq3SRV8vbIUq0jYf4Kw  
bHV6Ms2rwtjIKhvA3fOPepsLHouQxjdBNjuJBNiwJzp9VK3CtgZNvrI0MDiNgGzs  
RuML8fD7HofWIbluCUcZiY/t3ApBInJ+6HUa0RWOKm6v2SsoS2nxNOZcLNBVSGRE  
fQGWds5qNaBUPrr/NpABpcjbWqdXw4PneFKmb8SZoT7pNy1c45Q=  
=gluJ  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-07-24-6

Apple Security Advisory 2023-07-24-5 - macOS Monterey 12.6.8 addresses code execution, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-07-24-5 macOS Monterey 12.6.8

macOS Monterey 12.6.8 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213844.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Assets  
Available for: macOS Monterey  
Impact: An app may be able to modify protected parts of the file system  
Description: This issue was addressed with improved data protection.  
CVE-2023-35983: Mickey Jin (@patch1t)

curl  
Available for: macOS Monterey  
Impact: Multiple issues in curl  
Description: Multiple issues were addressed by updating curl.  
CVE-2023-28319  
CVE-2023-28320  
CVE-2023-28321  
CVE-2023-28322

Find My  
Available for: macOS Monterey  
Impact: An app may be able to read sensitive location information  
Description: A logic issue was addressed with improved restrictions.  
CVE-2023-32416: Wojciech Regula of SecuRing (wojciechregula.blog)

Grapher  
Available for: macOS Monterey  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
CVE-2023-36854: Bool of YunShangHuaAn(云上华安)  
CVE-2023-32418: Bool of YunShangHuaAn(云上华安)

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-32381: an anonymous researcher  
CVE-2023-32433: Zweig of Kunlun Lab  
CVE-2023-35993: Kaitao Xie and Xiaolong Bai of Alibaba Group

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to modify sensitive kernel state. Apple is  
aware of a report that this issue may have been actively exploited  
against versions of iOS released before iOS 15.7.1.  
Description: This issue was addressed with improved state management.  
CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin  
(@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of  
Kaspersky

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-32441: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs SG  
Pte. Ltd.

libxpc  
Available for: macOS Monterey  
Impact: An app may be able to gain root privileges  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2023-38565: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxpc  
Available for: macOS Monterey  
Impact: An app may be able to cause a denial-of-service  
Description: A logic issue was addressed with improved checks.  
CVE-2023-38593: Noah Roskin-Frazee

Model I/O  
Available for: macOS Monterey  
Impact: Processing a 3D model may result in disclosure of process memory  
Description: The issue was addressed with improved checks.  
CVE-2023-38421: Mickey Jin (@patch1t)  
CVE-2023-38258: Mickey Jin (@patch1t)

OpenLDAP  
Available for: macOS Monterey  
Impact: A remote user may be able to cause a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-2953: Sandipan Roy

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to access user-sensitive data  
Description: A logic issue was addressed with improved restrictions.  
CVE-2023-38259: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to modify protected parts of the file system  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-38602: Arsenii Kostromin (0x3c3e)

Shortcuts  
Available for: macOS Monterey  
Impact: A shortcut may be able to modify sensitive Shortcuts app  
settings  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2023-32442: an anonymous researcher

sips  
Available for: macOS Monterey  
Impact: Processing a file may lead to a denial-of-service or potentially  
disclose memory contents  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-32443: David Hoyt of Hoyt LLC

Additional recognition

Mail  
We would like to acknowledge Parvez Anwar for their assistance.

macOS Monterey 12.6.8 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmS/FLcACgkQ4RjMIDke  
NxkPqA//UEMIt/ksLf7frzEU/NVk3v1XYmkCn6ctkdh6CG6kZHfhRU9s27tN7QIE  
ZBvtFHn3JUE+uansicA19yeLaEZTlT94yLRbQejl8/+VIBEDuP1vaBCFcxYTaiI9  
cISnKq9ndc78hu8zTYMYu+CZPjYNAL1dGRJ3kp5u0F7TBuMpycDHfilHqgvGkDo6  
RuivVcC75cRqqqLAtJpGTzWDJWa2VlBnYgq20LyFSwuQ4h4yQK1npnelZkPCeXQc  
Hs/lGoMq++qjxar1WfoJOwdhm3/xfrR7303MEwAes3l/hHApGqkRJQkYqA/UDl2o  
YzYJaMMYi+BHfyA/DNH0kJRmcnmPBuONOevzEG7vxQNbUb+73RttlaAFYuCKN09m  
e1XNTeOaNjp0tvwqVFN1aU3YSJC/WQX6K1SKU6nAkRIER5C1fc2zgL4UAv8By+FA  
4lv3Zxwwzb47MIrCnzxd5ezw6tDQshbys5ZT9nP20eIkF69XtC2korfnvRFTwWpT  
MMwoMCtAZnUWk90RVnWvWweRlhHBZn31kCUfwohaCxjZ6f0QaUhRPJub8nJwrZI4  
bjtp2Cn10p1PzlZtHoZvJICS9fpr/bxwAFlM9du4C0mz/4JblEnWdGQcNcVQCf+C  
BqJlqMuJeKu+Uat+mzvD9MJE9g7qozm7xwvBXwQY9ph1xHTK/WY=  
=/L9p  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-07-24-5

Apple Security Advisory 2023-07-24-4 - macOS Ventura 13.5 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-07-24-4 macOS Ventura 13.5

macOS Ventura 13.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213843.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Apple Neural Engine  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-38580: Mohamed GHANNAM (@_simo36)

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to determine a user’s current location  
Description: A downgrade issue affecting Intel-based Mac computers was  
addressed with additional code-signing restrictions.  
CVE-2023-36862: Mickey Jin (@patch1t)

AppSandbox  
Available for: macOS Ventura  
Impact: A sandboxed process may be able to circumvent sandbox  
restrictions  
Description: A logic issue was addressed with improved restrictions.  
CVE-2023-32364: Gergely Kalman (@gergely_kalman)

Assets  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: This issue was addressed with improved data protection.  
CVE-2023-35983: Mickey Jin (@patch1t)

curl  
Available for: macOS Ventura  
Impact: Multiple issues in curl  
Description: Multiple issues were addressed by updating curl.  
CVE-2023-28319  
CVE-2023-28320  
CVE-2023-28321  
CVE-2023-28322

Find My  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: A logic issue was addressed with improved restrictions.  
CVE-2023-32416: Wojciech Regula of SecuRing (wojciechregula.blog)

Grapher  
Available for: macOS Ventura  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
CVE-2023-32418: Bool of YunShangHuaAn(云上华安)  
CVE-2023-36854: Bool of YunShangHuaAn(云上华安)

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-32734: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.  
CVE-2023-32441: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs SG  
Pte. Ltd.  
CVE-2023-38261: an anonymous researcher  
CVE-2023-38424: Certik Skyfall Team  
CVE-2023-38425: Certik Skyfall Team

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-32381: an anonymous researcher  
CVE-2023-32433: Zweig of Kunlun Lab  
CVE-2023-35993: Kaitao Xie and Xiaolong Bai of Alibaba Group

Kernel  
Available for: macOS Ventura  
Impact: A user may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2023-38410: an anonymous researcher

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to modify sensitive kernel state. Apple is  
aware of a report that this issue may have been actively exploited  
against versions of iOS released before iOS 15.7.1.  
Description: This issue was addressed with improved state management.  
CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin  
(@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of  
Kaspersky

Kernel  
Available for: macOS Ventura  
Impact: A remote user may be able to cause a denial-of-service  
Description: The issue was addressed with improved checks.  
CVE-2023-38603: Zweig of Kunlun Lab

libxpc  
Available for: macOS Ventura  
Impact: An app may be able to gain root privileges  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2023-38565: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxpc  
Available for: macOS Ventura  
Impact: An app may be able to cause a denial-of-service  
Description: A logic issue was addressed with improved checks.  
CVE-2023-38593: Noah Roskin-Frazee

Model I/O  
Available for: macOS Ventura  
Impact: Processing a 3D model may result in disclosure of process memory  
Description: The issue was addressed with improved checks.  
CVE-2023-38258: Mickey Jin (@patch1t)  
CVE-2023-38421: Mickey Jin (@patch1t)

OpenLDAP  
Available for: macOS Ventura  
Impact: A remote user may be able to cause a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-2953: Sandipan Roy

PackageKit  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A logic issue was addressed with improved restrictions.  
CVE-2023-38259: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: The issue was addressed with improved checks.  
CVE-2023-38564: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-38602: Arsenii Kostromin (0x3c3e)

Shortcuts  
Available for: macOS Ventura  
Impact: A shortcut may be able to modify sensitive Shortcuts app  
settings  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2023-32442: an anonymous researcher

sips  
Available for: macOS Ventura  
Impact: Processing a file may lead to a denial-of-service or potentially  
disclose memory contents  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-32443: David Hoyt of Hoyt LLC

SystemMigration  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved checks.  
CVE-2023-32429: Wenchao Li and Xiaolong Bai of Hangzhou Orange Shield  
Information Technology Co., Ltd.

Voice Memos  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with additional permissions checks.  
CVE-2023-38608: Yiğit Can YILMAZ (@yilmazcanyigit), Kirin (@Pwnrin), and  
Yishu Wang

WebKit  
Available for: macOS Ventura  
Impact: A website may be able to bypass Same Origin Policy  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256549  
CVE-2023-38572: Narendra Bhati (twitter.com/imnarendrabhati) of Suma  
Soft Pvt. Ltd, Pune - India

WebKit  
Available for: macOS Ventura  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256865  
CVE-2023-38594: Yuhao Hu  
WebKit Bugzilla: 256573  
CVE-2023-38595: an anonymous researcher, Jiming Wang, Jikai Ren  
WebKit Bugzilla: 257387  
CVE-2023-38600: Anonymous working with Trend Micro Zero Day Initiative

WebKit  
Available for: macOS Ventura  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 258058  
CVE-2023-38611: Francisco Alonso (@revskills)

WebKit  
Available for: macOS Ventura  
Impact: Processing web content may lead to arbitrary code execution.  
Apple is aware of a report that this issue may have been actively  
exploited.  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 259231  
CVE-2023-37450: an anonymous researcher  
This issue was first addressed in Rapid Security Response macOS Ventura  
13.4.1 (c).

WebKit Process Model  
Available for: macOS Ventura  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 258100  
CVE-2023-38597: 이준성(Junsung Lee) of Cross Republic

WebKit Web Inspector  
Available for: macOS Ventura  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256932  
CVE-2023-38133: YeongHyeon Choi (@hyeon101010)

Additional recognition

WebRTC  
We would like to acknowledge an anonymous researcher for their  
assistance.

macOS Ventura 13.5 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmS/FLcACgkQ4RjMIDke  
NxmkZRAAjjxwr78rla+am6CeQzC7jrb5mJPfrgSv4AYzFxicpRPdgS1Ccq4g4//i  
mEBcguqRuxmalSzHNgzRRFpynHaOri5d0YIoersRkDAtzzOAyAF81sszYL0vxxJo  
9vDpuLfbehX5xsHN8K0owJwFAmLAMiCJrWlAOYlxEsiERszr3cC8rmX5pYgenWFZ  
N9HM5vP/l7HLDdLEdGEympiofQ/GJAL85ZxV8cXKUhCHdymaAv+vE9yUBO1PrZVA  
T9K5BLmwP0jPe8GrvzQqYtvC5LWn1MzMV9bOj/M2yZ98TYn+pZZkrF1LJbiW+qHz  
xj2DEgqosTrTERbbHp4WkI+4Q8iCMgB2x1b2z1Ro/rck58yabb5IweWBjnwdyBXK  
lba6siFP3hhwCwvdx06Dgv4hzPQw6Rz5s9ZEToqVyxaq68gRqCWgI8u6A69th73J  
oqxbcwuz7cIWokvDHYn66BD9+R6jXtcKt1Ina6SKsIeIC2sG3keOlC5mTvgPbaaS  
IEeaO7NdkDAEdD3VWhDuB6nR2womKMJufcOwcwE0CD9HDxOruCt4ty9AX12R9N26  
9y/9KoF5VzyJh+YEU0G0moj0b+ugu4E8FziVsb5z+CxPt0KZs9SgU3dIIaneo/yB  
8UeZq3pAeIzBZkANlYYXhMOk7Bd5yA/8eYwfS6HxeG9OIM6a1V4=  
=moFJ  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-07-24-4

After scammers duped a friend with a hacked Twitter account and a “deal” on a MacBook, I enlisted the help of a fellow threat researcher to trace the criminals’ offline identities.

Embarrassed, angry, victimized. That's just a few of the words my friend uses to describe his recent run-in with a cybercriminal that used a hacked Twitter account to scam people out of hundreds of dollars. Twitter, meanwhile, ignored his pleas for help. That’s when I got involved.

After Tim Utzig lost $1,000 to a fraudster who tricked him using a hacked Twitter account, I asked an expert in social engineering and hunting scammers to help. Ultimately, we tracked down the suspected culprits and identified a network of apparent scammers and money mules expertly swindling people out of their savings. This scamming saga shows how fraudsters use social media, build a network of people to operate different payment accounts, and apply effective techniques to bilk their victims.

It also shows the additional challenges that blind users like Utzig face on the internet and how they are at higher risk of exploitation by indiscriminate online criminals.

Inaccessible and Unacceptable

On May 23, Utzig realized he’d been scammed. He was gearing up for a journalism master’s program at the City University of London and happened to be in the market for a new laptop. By coincidence, someone using the Twitter account of longtime Baltimore sports reporter Roch Kubatko tweeted that they had a new Apple laptop for sale. Utzig trusted Kubatko, whom he’d previously met, and the tweet seemed innocent—and arrived at the perfect moment. So Utzig responded to the tweet with a DM.

Utzig uses a screen reader to navigate the internet and social media apps, including Twitter. A sighted person may have observed oddities in the initial tweet and profile, but the screen reader did nothing to alert Utzig about a key fact: Kubatko’s Twitter account had been hacked, and the person he was talking to wasn’t Kubatko.

“I feel like people with disabilities as a whole are more susceptible to online fraud—screen readers are just one of the methods used by a population who are visually impaired or blind to assist in using technology,” Utzig says. “You’re going to miss certain visual cues that might signify fraud, such as someone changing their profile picture to something different, and the screen reader won’t pick up on it.”

Screen readers also often don’t vocalize misspellings, inaudible grammatical errors, or typography such as fully capitalized words that a sighted person may see as suspicious. And the alternative text on image descriptions, which are manually applied by the individual sharing the content, is the only way a screen reader can describe an image.

Then there’s Twitter itself. Check marks are now effectively useless, especially if you’re blind. Since Twitter changed its verification system under Elon Musk’s ownership, the blue tick that used to be a reliable sign of identity can now be obtained by pretty much anyone. A screen reader will call the Twitter Blue check mark “verified” as before, but the blind user can no longer rely on it as much as they once did.

Recent moves by Twitter concern accessibility advocates. Last year, Twitter laid off its accessibility team, which was responsible for ensuring the platform was usable for people with disabilities, and restrictions on Twitter’s API broke some tools and resources used by blind people. These changes prompted the National Federation of the Blind to move away from Twitter and create a Mastodon server, which the group says is more friendly and accessible for blind users.

“You have people with disabilities scammed, and yet you laid off your whole accessibility team,” Utzig says. “It takes a team to maintain a safe and accessible platform for people with disabilities to use it.”

Then, to top it all off, Twitter is now rebranding as X, with the goal of creating an “everything app” that will apparently also process payments and serve as a “bank.” This, despite the fact that just two months before the X rebranding, the very same platform was being used to swindle people out of their hard-earned cash.

A $1,000 Loss

Courtesy of “Steve”

After a short conversation with not-Kubatko, the person controlling the account asked him for his phone number to send a payment request via Apple Pay. When Utzig followed up after making a payment, he realized the phone number had blocked his number.

Utzig quickly realized he had just paid $1,000 to a criminal. He then reported the account to Twitter. The company did not respond to his requests for help, and the account remained active for days after it was reported as hacked.

Utzig turned to the media for help and reached out to a local reporter. When a local Maryland news station contacted Twitter for comment, the company responded with the poop emoji, the response that press requests have been receiving since March 2023. Utzig says that response made the situation feel so much worse—not only had he lost a lot of money, but the platform he used and loved didn’t care at all about the serious personal and financial impact on its users who were victims of crime.

In the eight months since Musk bought Twitter in October 2022, the platform has increasingly been home to fraudulent accounts. Users across the site have reported a massive uptick in spammers and scammers tweeting, replying to users, and messaging them directly. There have also been multiple reported instances of hacked, high-profile accounts distributing fraudulent content.

Utzig says his DMs are filled with sketchy accounts either sending spam directly or trying to engage in conversation. The social engineering expert I contacted, who asked to use a pseudonym because they carried out this investigation outside their normal work duties, operates several Twitter accounts both for research and personal use. He—let’s call him Steve—says that in the past few months, the number of malicious accounts he observes on the platform has skyrocketed, especially accounts likely associated with pig butchering. This social engineering threat, which is used to drain people’s bank accounts through bogus investment advice, typically originates on social networks and messaging apps and was recently identified by the US Federal Bureau of Investigation as the most costly online threat, with users reporting billions of dollars in losses in 2022.

Social media fraud is part of an ecosystem of online crime that relies on social engineering and trust between users. There are many different kinds of fraud originating on social media, including pig butchering and other financial or cryptocurrency scams, romance scams, and consumer fraud like the kind Utzig experienced.

The attack that hit Kubatko appears similar to a series of related hacks that took over accounts of high-profile Twitter users, and which has been ongoing since at least January of this year. The scammers all used similar language and photos about offering laptops for sale. It is not clear whether the hacked accounts and related scams are all operated by the same people. A search of the language used in the tweet suggests the scammers are still active on the platform. Kubatko, who did not respond to WIRED's request for comment, eventually got his Twitter account back and apologized to Utzig when he learned of the financial loss.

Different scams require different levels of sophistication; for example, hacking Twitter accounts of high-profile users, many of whom may use multi-factor authentication, is typically more difficult than using said accounts to scam users. It is possible the individuals who swindled Utzig are not the ones who initially hacked Kubatko’s account, but they may have purchased access from the original hacker to use as their scamming platform.

Trap and Trace

Steve was enraged that Utzig had been swindled, and offered to help. But all we had was a phone number. So he contacted the number and told the person on the other end that he was interested in buying laptops. Immediately, he received a text from a _different_ number: “Are you looking for laptops?”

Throughout the conversation, Steve said he was willing to pay via Bitcoin, Cash App, or Zelle. Bitcoin wallet information is useful because all transactions are stored on the blockchain, and you can use it to “follow the money” and identify how much money accounts have made. It’s also possible to cross-reference blockchain accounts with other data sets such as open-source reporting or private threat data to identify related fraudulent activity. Cash App and PayPal are also useful data points because users must provide a lot of personal information including phone numbers, email addresses, usernames, and possibly bank accounts. And Zelle is tied to a bank account, making the information very useful to fraud investigators.

Typically, Steve is able to get at least one of these accounts from the threat actors he interacts with—in this case, we got three.

By claiming he didn’t have enough money in one of his accounts, and that another was not working, Steve got the scammers to send him links to multiple payment accounts. The accounts all had different usernames, suggesting they belonged to different people. In fact, Steve was able to link the usernames and phone numbers from the payment apps to three different people and their suspected real names. He found LinkedIn profiles; Twitter, Facebook, TikTok, Snap, and Instagram accounts; Poshmark accounts; dating profiles; a Soundcloud; and personal websites. By pivoting on this data and information provided on their various social and public profiles, Steve was then able to link the individuals to physical addresses in the eastern US.

Steve also sent the scammers Grabify links to see whether we could collect more data on the users. Grabify is used to identify technical characteristics belonging to a user, such as IP addresses, location data, and “user agents” that indicate what type of device they’re clicking from. In this case, one recipient clicked, and we could see they were using an iPhone on the AT&T network and were apparently located in Ohio, providing a possible estimate of where the user was when they clicked the link.

Based on the conversations with the people associated with the various phone numbers and payment accounts, Steve identified at least four individuals involved in this scam ring.

At least one person—Utzig’s original scammer—is the suspected organizer of the fraud, with at least one person who appears to work directly with him, according to Steve’s findings. After Steve received a message from the new, unknown number, he asked the original scammer who this person was. That phone number claimed it was a “business partner.” It had initially been possible there was one person using two different phone numbers involved in the scam. But based on subsequent investigations and conversations with both, Steve identified two likely separate individuals belonging to those numbers.

The “business partner” sent Steve a Cash App screenshot asking for payment that contained a username, which Steve found associated with multiple social media accounts that included photos. One appeared to have a real name attached.

When Steve said he didn’t have enough money in his Cash account, the business partner sent a link to a PayPal account, which used the apparent first and last name of a different real person. The real name and username were linked to multiple social media accounts that all used photos of what appeared to be the same person. Finally, Steve told the business partner his PayPal was not working, and received a name and phone number allegedly belonging to someone’s Zelle account. The business partner claimed this was an “assistant.” By using the details provided, Steve identified yet another individual and their apparent real name who appeared to reside in the same area as our scammers.

It is unclear whether the individuals belonging to the Zelle and PayPal accounts knew about the laptop scam or whether they were just “money mules.” These are accounts that receive money from victims and then funnel it to other accounts belonging to the original scammers. Sometimes money mules are unaware they are moving stolen money and may be unwitting participants in the fraud. Indeed, sometimes money mules are recruited by scammers under the guise of legitimate employment.

Our investigation resulted in us identifying three payment accounts that were at least associated with the laptop scam, dozens of social media profiles potentially belonging to people involved, and three phone numbers with two different area codes belonging to the same state. While this data could end up being useful to a law enforcement fraud investigation, Steve’s open source intelligence gathering serves as a stark reminder of how easily our digital footprints can be traced back to our real-life existence.

A Drop in the Bucket

Local police and the FBI all encourage users to report when they have been victims of online fraud, but victims rarely get the support they need. Utzig filed a police report with the Washington, DC, Metropolitan Police Department, and we reported it to the FBI via the bureau’s Internet Crime Complaint Center. He also contacted his bank and Apple. Unfortunately, using payment apps is the same as sending someone cash. At this point, there is really nothing more Utzig can do—and it’s likely his complaint will just become a drop in a sea of hundreds of thousands of internet crimes reported each year, many of which don’t get any follow-up.

We provided the police with details of our own investigation and reported high-confidence malicious payment accounts to the payment platforms to remove them for fraud. As private citizens, we’ve done all we can, but we hope our investigations can help prevent further exploitation by these threat actors.

While fraud takes place on pretty much every social media platform, Twitter appears to be hosting more hostile accounts now than it had been prior to the sale last year. And not just from scammers. The company fired much of its Trust and Safety staff in December 2022, and in June, Twitter’s recently appointed head of Trust and Safety exited the company. Without the personnel operating the technical guardrails to prevent widespread harassment, exploitation, and cybercrime, such tactics will likely be allowed to proliferate, making the platform less safe. All this as Musk wants Twitter (sorry, I’m not calling it X) to effectively become a financial institution, which requires more user trust than it has ever enjoyed.

Users should be aware of the hallmarks of fraudulent behavior on social media, like receiving messages from strangers, receiving offers to purchase goods and services, and being asked to switch platforms in the middle of a conversation. However, in Utzig’s case, the social platforms themselves could learn a thing or two. Without improvements in screen reading technology and accessibility in general, platforms are enabling exploitation of their more vulnerable users.

Working with my friend to help him report this crime also reminded me that security practitioners often forget there are real human beings on the receiving end of cybercrime, and the emotional and mental toll of being a victim can be huge.

“Billions of dollars in losses” sounds bad. Your friend losing a lot of their savings and feeling violated and betrayed by platforms and people he trusted feels a lot worse.

Twitter Scammers Stole $1,000 From My Friend—So I Hunted Them Down

A new malware family called Realst has become the latest to target Apple macOS systems, with a third of the samples already designed to infect macOS 14 Sonoma, the upcoming major release of the operating system.
Written in the Rust programming language, the malware is distributed in the form of bogus blockchain games and is capable of "emptying crypto wallets and stealing stored password and

Cryptocurrency / Endpoint Security

A new malware family called **Realst** has become the latest to target Apple macOS systems, with a third of the samples already designed to infect macOS 14 Sonoma, the upcoming major release of the operating system.

Written in the Rust programming language, the malware is distributed in the form of bogus blockchain games and is capable of "emptying crypto wallets and stealing stored password and browser data" from both Windows and macOS machines. Realst was first discovered in the wild by security researcher iamdeadlyz.

"Realst Infostealer is distributed via malicious websites advertising fake blockchain games with names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend," SentinelOne security researcher Phil Stokes said in a report. "Each version of the fake blockchain game is hosted on its own website complete with associated Twitter and Discord accounts."

The cybersecurity firm, which identified 16 variants across 59 samples, said the activity likely has links to another information stealer campaign called Pureland, which came to light earlier this March. Windows machines, on the other hand, are infected with RedLine Stealer.

The attack chains begin with threat actors approaching potential victims through direct messages on social media, convincing them to test a game as part of a paid collaboration, only to drain their cryptocurrency wallets and steal sensitive information upon execution.

The web browsers targeted for harvesting include Brave, Google Chrome, Mozilla Firefox, Opera, and Vivaldi. Apple Safari is a notable exception. The malware is also capable of gathering information from Telegram and capturing screenshots.

"Most variants attempt to grab the user's password via osascript and AppleScript spoofing and perform rudimentary checking that the host device is not a virtual machine via sysctl -n hw.model," Stokes explained.

"The number of Realst samples and their variation shows that the threat actor has invested serious effort in order to target macOS users for data and crypto wallet theft."

News of the Realst stealer follows the discovery of SophosEncrypt, which has been found impersonating cybersecurity firm Sophos and described as a "general-purpose remote access trojan (RAT) with the capacity to encrypt files and generate these ransom notes."

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

The developments come as data captured via commercial information stealers are being packaged and sold for profit on dark web marketplaces and Telegram channels, with over 200,000 OpenAI credentials leaked via stealer logs in 2022 and 2023, according to multiple reports from Bitdefender and Flare.

Stolen enterprise credentials, in particular, can act as a channel for initial access brokers to breach organizations, which can then be auctioned off to other actors looking to exploit the foothold for follow-on activities such as ransomware deployment.

According to IBM's Cost of a Data Breach Report 2023, which examined data breaches experienced by 553 organizations across 16 countries between March 2022 and March 2023, the global average cost of a data breach in 2023 stands at $4.45 million, a 15.3% increase from $3.86 million in 2020.

The study also found that "data breaches led to an increase in the pricing of their business offerings, passing on costs to consumers," a trend observed in 2022 as well.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Rust-based Realst Infostealer Targeting Apple macOS Users' Cryptocurrency Wallets

Researchers this month uncovered a two-year-old Linux-based remote access trojan dubbed AVrecon that enslaves Internet routers into botnet that bilks online advertisers and performs password-spraying attacks. Now new findings reveal that AVrecon is the malware engine behind a 12-year-old service called SocksEscort, which rents hacked residential and small business devices to cybercriminals looking to hide their true location online.

Researchers this month uncovered a two-year-old Linux-based remote access trojan dubbed **AVrecon** that enslaves Internet routers into botnet that bilks online advertisers and performs password-spraying attacks. Now new findings reveal that AVrecon is the malware engine behind a 12-year-old service called **SocksEscort**, which rents hacked residential and small business devices to cybercriminals looking to hide their true location online.

Image: Lumen’s Black Lotus Labs.

In a report released July 12, researchers at Lumen’s **Black Lotus Labs** called the AVrecon botnet “one of the largest botnets targeting small-office/home-office (SOHO) routers seen in recent history,” and a crime machine that has largely evaded public attention since first being spotted in mid-2021.

“The malware has been used to create residential proxy services to shroud malicious activity such as password spraying, web-traffic proxying and ad fraud,” the Lumen researchers wrote.

Malware-based anonymity networks are a major source of unwanted and malicious web traffic directed at online retailers, Internet service providers (ISPs), social networks, email providers and financial institutions. And a great many of these “proxy” networks are marketed primarily to cybercriminals seeking to anonymize their traffic by routing it through an infected PC, router or mobile device.

Proxy services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they make it difficult to trace malicious traffic to its original source. Proxy services also let users appear to be getting online from nearly anywhere in the world, which is useful if you’re a cybercriminal who is trying to impersonate someone from a specific place.

Spur.us, a startup that tracks proxy services, told KrebsOnSecurity that the Internet addresses Lumen tagged as the AVrecon botnet’s “Command and Control” (C2) servers all tie back to a long-running proxy service called **SocksEscort**.

**SocksEscort\[.\]com**, is what’s known as a “SOCKS Proxy” service. The SOCKS (or SOCKS5) protocol allows Internet users to channel their Web traffic through a proxy server, which then passes the information on to the intended destination. From a website’s perspective, the traffic of the proxy network customer appears to originate from a rented/malware-infected PC tied to a residential ISP customer, not from the proxy service customer.

The SocksEscort home page says its services are perfect for people involved in automated online activity that often results in IP addresses getting blocked or banned, such as Craigslist and dating scams, search engine results manipulation, and online surveys.

Spur tracks SocksEscort as a malware-based proxy offering, which means the machines doing the proxying of traffic for SocksEscort customers have been infected with malicious software that turns them into a traffic relay. Usually, these users have no idea their systems are compromised.

Spur says the SocksEscort proxy service requires customers to install a Windows based application in order to access a pool of more than 10,000 hacked devices worldwide.

“We created a fingerprint to identify the call-back infrastructure for SocksEscort proxies,” Spur co-founder **Riley Kilmer** said. “Looking at network telemetry, we were able to confirm that we saw victims talking back to it on various ports.”

According to Kilmer, AVrecon is the malware that gives SocksEscort its proxies.

“When Lumen released their report and IOCs \[indicators of compromise\], we queried our system for which proxy service call-back infrastructure overlapped with their IOCs,” Kilmer continued. “The second stage C2s they identified were the same as the IPs we labeled for SocksEscort.”

Lumen’s research team said the purpose of AVrecon appears to be stealing bandwidth – without impacting end-users – in order to create a residential proxy service to help launder malicious activity and avoid attracting the same level of attention from Tor-hidden services or commercially available VPN services.

“This class of cybercrime activity threat may evade detection because it is less likely than a crypto-miner to be noticed by the owner, and it is unlikely to warrant the volume of abuse complaints that internet-wide brute-forcing and DDoS-based botnets typically draw,” Lumen’s Black Lotus researchers wrote.

Preserving bandwidth for both customers and victims was a primary concern for SocksEscort in July 2022, when 911S5 — at the time the world’s largest known malware proxy network — got hacked and imploded just days after being exposed in a story here. Kilmer said after 911’s demise, SocksEscort closed its registration for several months to prevent an influx of new users from swamping the service.

**Danny Adamitis**, principal information security researcher at Lumen and co-author of the report on AVrecon, confirmed Kilmer’s findings, saying the C2 data matched up with what Spur was seeing for SocksEscort dating back to September 2022.

Adamitis said that on July 13 — the day after Lumen published research on AVrecon and started blocking any traffic to the malware’s control servers — the people responsible for maintaining the botnet reacted quickly to transition infected systems over to a new command and control infrastructure.

“They were clearly reacting and trying to maintain control over components of the botnet,” Adamitis said. “Probably, they wanted to keep that revenue stream going.”

Frustratingly, Lumen was not able to determine how the SOHO devices were being infected with AVrecon. Some possible avenues of infection include exploiting weak or default administrative credentials on routers, and outdated, insecure firmware that has known, exploitable security vulnerabilities.  

KrebsOnSecurity briefly visited SocksEscort last year and promised a follow-up on the history and possible identity of its proprietors. A review of the earliest posts about this service on Russian cybercrime forums suggests the 12-year-old malware proxy network is tied to a Moldovan company that also offers VPN software on the Apple Store and elsewhere.

SocksEscort began in 2009 as “**super-socks\[.\]com**,” a Russian-language service that sold access to thousands of compromised PCs that could be used to proxy traffic. Someone who picked the nicknames “**SSC**” and “**super-socks**” and email address “**michvatt@gmail.com**” registered on multiple cybercrime forums and began promoting the proxy service.

According to DomainTools.com, the apparently related email address “**michdomain@gmail.com**” was used to register SocksEscort\[.\]com, super-socks\[.\]com, and a few other proxy-related domains, including **ip-score\[.\]com**, segate\[.\]org seproxysoft\[.\]com, and **vipssc\[.\]us**. Cached versions of both super-socks\[.\]com and vipssc\[.\]us show these sites sold the same proxy service, and both displayed the letters “**SSC**” prominently at the top of their homepages.

Image: Archive.org. Page translation from Russian via Google Translate.

According to cyber intelligence firm Intel 471, the very first “SSC” identity registered on the cybercrime forums happened in 2009 at the Russian language hacker community **Antichat**, where SSC registered using the email address **adriman@gmail.com**. SSC asked fellow forum members for help in testing the security of a website they claimed was theirs: myiptest\[.\]com, which promised to tell visitors whether their proxy address was included on any security or anti-spam block lists.

DomainTools says myiptest\[.\]com was registered in 2008 to an **Adrian Crismaru** from Chisinau, Moldova. Myiptest\[.\]com is no longer responding, but a cached copy of it from Archive.org shows that for about four years it included in its HTML source a Google Analytics code of **US-2665744**, which was also present on more than a dozen other websites.

Most of the sites that once bore that Google tracking code are no longer online, but nearly all of them centered around services that were similar to myiptest\[.\]com, such as **abuseipdb\[.\]com**, **bestiptest\[.\]com**, **checkdnslbl\[.\]com**, **dnsbltools\[.\]com** and **dnsblmonitor\[.\]com**.

Each of these services were designed to help visitors quickly determine whether the Internet address they were visiting the site _from_ was listed by any security firms as spammy, malicious or phishous. In other words, these services were designed so that proxy service users could easily tell if their rented Internet address was still safe to use for online fraud.

Another domain with the Google Analytics code US-2665744 was **sscompany\[.\]net**. An archived copy of the site says SSC stands for “**Server Support Company**,” which advertised outsourced solutions for technical support and server administration. The company was located in Chisinau, Moldova and owned by Adrian Crismaru.

Leaked copies of the hacked Antichat forum indicate the SSC identity tied to adriman@gmail.com registered on the forum using the IP address **71.229.207.214**. That same IP was used to register the nickname “**Deem3n®,**” a prolific poster on Antichat between 2005 and 2009 who served as a moderator on the forum.

There was a **Deem3n®** user on the webmaster forum Searchengines.guru whose signature in their posts says they run a popular community catering to programmers in Moldova called **sysadmin\[.\]md**, and that they were a systems administrator for sscompany\[.\]net.

That same Google Analytics code is also now present on the homepages of **wiremo\[.\]co** and a VPN provider called **HideIPVPN\[.\]com**.

Wiremo sells software and services to help website owners better manage their customer reviews. Wiremo’s Contact Us page lists a “**Server Management LLC**” in Wilmington, DE as the parent company. Records from the Delaware Secretary of State indicate Crismaru is CEO of this company.

Server Management LLC is currently listed in Apple’s App Store as the owner of a “free” VPN app called **HideIPVPN**. The contact information on Crismaru’s LinkedIn page says his company websites include myiptest\[.\]com, sscompany\[.\]net, and hideipvpn\[.\]com.

“The best way to secure the transmissions of your mobile device is VPN,” reads HideIPVPN’s description on the Apple Store. “Now, we provide you with an even easier way to connect to our VPN servers. We will hide your IP address, encrypt all your traffic, secure all your sensitive information (passwords, mail credit card details, etc.) form \[sic\] hackers on public networks.”

Mr. Crismaru did not respond to multiple requests for comment. When asked about the company’s apparent connection to SocksEscort, Wiremo responded, “We do not control this domain and no one from our team is connected to this domain.” Wiremo did not respond when presented with the findings in this report.

Who and What is Behind the Malware Proxy Service SocksEscort?

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.

Tag

#apple